Specialty Podcast: The Future of Ransomware - Proactive Defense in an AI-Driven Threat Landscape

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Brendan Hall (00:09):
Alright, hello and welcome to another Alliant Specialty podcast. My name is Brendan Hall, your cyber host-est with the most-est. I'm joined today by the Chief Marketing Officer from Morphisec, Brad LaPorte. Brad, welcome to the pod.

Brad LaPorte (00:24):
Thank you for having me. It is a pleasure and an honor.

Brendan Hall (00:27):
That's very nice of you to say. We're glad to have you. By way of background, I was introduced to Morphisec two years ago at a golf outing, and I thought, wow, this is interesting. I remember us talking to one of your colleagues going, “How come I haven't heard of you guys before, and how do I help you get more traction or get more notoriety here in our industry?” Because given the way that AI has impacted ransomware and other types of attack vectors, this is something that everybody theoretically should be using, this type of technology, which we'll get into. That's the genesis of why we're here because when I come across companies like yours that I think are really interesting and different, because there's so many of these categories that we see in cybersecurity that are packed with a lot of people trying to do the same thing. How many people are in the identity and access management space? I don't know, but probably way too many. More than we actually need, I can tell you that.

Brad LaPorte (01:18):
350, I think? Yes. It's a lot. It's roughly around 10%.

Brendan Hall (01:24):
If anybody from private equity is listening, definitely some need for consolidation in that area. I guess we'll dive right into it. If you wouldn't mind giving a background about Morphisec, how long you guys been around and at a high level what you do?

Brad LaPorte (01:38):
Yes, absolutely. First things first, we stop ransomware. Using the golfing analogy, it's like going to the driving range, and you're hitting those balls long and hard. We're the net at the end, that safety net. Despite what might be happening and whatever tools that you have or what barriers you have, whether it be endpoint detection response or other endpoint security tools or application control, a lot of these existing tools can be bypassed. We add that extra layer of fortification with that extra safety net across the full spectrum of really advanced techs, especially ransomware, which is our bread and butter. Been around for 11 years and counting. Our technology, think of it like advanced deception, we're constantly morphing the underlying attack surface. Imagine trying to go to that driving range, but you have a bunch of fun house mirrors and all these crazy things moving across to distract you from trying to hit the ball. It's going to be a lot harder to do that, and it's going to drive up costs because that's more balls you're going to have to hit and more attempts. Our customers are 100% protected by ransomware-free guarantee, and we're really successful at what we do. It’s providing an extra layer of protection.

Brendan Hall (02:45):
I want to come back to the ransomware guarantee because I don't think I was specifically aware of that. At a high level, companies have their EDR and MDR tools and services in place, but as you say, they can be bypassed. We're talking about in this case, in many cases, but what’s known as polymorphic ransomware. I always think of one of the Terminator movies where Neil Patrick turned into a silver slithery thing and then reformed as a human being. Can you give us a high level, what is polymorphic ransomware or malware and how does it function?

Brad LaPorte (03:13):
Yes, absolutely. Think of it like malicious software, malware, that constantly changes its code and appearance to avoid detection like traditional security tools I was talking about. So basically, how it works, the code is actually changing, even just modifying it slightly. If you think of traditional viruses that we get, like the flu every year, it's constantly evolving, it's constantly morphing and mutating. Some of these threat actors have been around for 20, 30, 40 years and got really good at doing this. You're modifying it just slightly that it's not being triggered by traditional detection methods. The ultimate goal is to steal data, encrypt those files and disrupt systems all at the same time and walking away with a payout that unfortunately is paid by a lot of insurance premiums. Obviously, that's a frowny face overall.

Brendan Hall (04:04):
If I'm hearing you correctly, the tools that every underwriter wants our clients to have in place, managed detection and response, endpoint detection response, can really only detect things that they already know are bad, right?

Brad LaPorte (04:17):
Yes, it's a little more complex than that. There are behavioral-based detection systems that are getting into AI-based systems and things like that. It's really a race condition. It's machine versus machine right now, and it's model versus model. Those models can be effectively poisoned and circumvented just like anything else. Let's just imagine a billion-dollar security company. You're pumping millions of dollars into the next generation AI tool that's going to stop everything under the sun or at least that's how the marketing works. What happens if that gets poisoned and threat actors are able to do basically a software supply chain attack on that system and circumvent it and get into that backend. Instead of it being X, Y, Z, it's A B, C. Effectively your whole thing that you've made those billions of dollars in, that's not happening. You're able to do this by having polymorphic malware, sometimes walking through the front door through getting account credentials into the privileged access of accessing that system and zero-day vulnerabilities. We saw that with FireEye and SolarWinds over the years and now with other aspects. There are tons of different ways that you can tamper and enter in. From a defender perspective, you have to be able to stop that every single time, and threat actors only have to get in once. That's really the core element, how do you want to hedge your bets? What kind of riders do you want to put on that insurance premium to make sure that you have multiple layers of protection? Having a safety net and that piece of mind, and that's the one value prop that we have. I ask our clients, “What is it about Morphisec that you love the most?” It really comes back to, “I can sleep at night.” I know that I'm not going to get a call at two o'clock in the morning because you guys have our back. That is really something that gives us a lot of pride in what we do, the technology that we do and the solution that we have.

Brendan Hall (06:10):
So thus far, I don't know how far that you turn the clock back on this, but the clients of yours that have deployed your tech alongside their MDR, managed detection response for those who don't know, you guys are undefeated, is that right?

Brad LaPorte (06:24):
That's correct. It's 11 years since we've had our patented technology and implemented it. We're talking millions of endpoints and thousands of customers that we've supported. We stand by that guarantee that we have, and it's really good, really astounding. You have to really pressure test some of the things that are out there, there's some clever marketing. You start digging into and it's the fine print of okay, they have a guarantee that their incident response team will be made available to you if there's a breach. Well, I've already gotten punched in the face, and now these threat actors want millions of dollars from me and now I have to deal with my insurance provider and everything else. Your guarantee really only tells me that your incident response team's available, well how convenient. Or there's other aspects of it have to hit certain thresholds or you have to hit certain things, we don't have that. It's deploy our solution, it works, it's your get out of jail free card. You're not going to be on the front page of the newspaper if you're with us.

Brendan Hall (07:22):
Tell me about the guarantee then. How does this work? You're guaranteeing you deploy our tech, you will not suffer a ransomware event of any kind. God forbid it does happen somehow. Who knows what the next wave of AI-enabled malware will be. Hopefully we'll be out in front of it. You guys probably will be, but is the service free then at that point or how does that work?

Brad LaPorte (07:39):
We will basically cover all the costs that you incurred from the actual software that's there. We'll cover up to a certain amount for the incident response, so pay for that amount in terms of it. Because the odds of it getting through our full spectrum ransomware protection, so having the visibility, having infiltration protection, impact protection and adaptive recovery, being able to roll everything back. We're handling everything across the attack lifecycle or the kill chain, so it's nearly impossible to get in there. We stand behind that. With that, think of it like a money-back guarantee. As well as it's different from contract to contract. That's obviously something you work out with us, but part of it is getting that help from the incident response side.

Brendan Hall (08:25):
Now you bring up a good point, too. You get their service-level agreement from an incident response provider. It's like the fire department, we're in the local area and you call us, we'll be there as soon as we can be. Why not just not have that problem to begin with.

Brad LaPorte (08:38):
We're all about prevention here.

Brendan Hall (08:40):
Because we talk to our insurers all day, every day, currently on the applications that we're filling out. Generally everyone's got some version of the same thing. There is no question about what are you using for anti-ransomware protection. It's just do you have MDR, do you have a managed stock? Is it 24/7? That kind of stuff. Are we having conversations with underwriters? Are they aware of you guys? Are they thinking about adding this to their list of requirements?

Brad LaPorte (09:05):
If they weren't sure before, now they are, so call us up, we're happy to continue that conversation. We offer this as part of our offering. If a company doesn't have cyber insurance today, we have providers and partners that we bring in. We help with reducing the overall cost of the premium because of the controls that we implement. Obviously, that's based on the individual insurer and the way that they do it, but it's proven results that if you implement us, it's going to greatly reduce your cost overall. Not to mention basically avoiding the whole cost that you would've incurred if you didn't have us and you had a ransomware attack. Part of it is trying to push forward that mindset and that paradigm of you need more than just multifactor authentication. You need more than just endpoint detection response and managed detection response. If we had this podcast 10 years ago, EDR wasn't even a thing. We have to constantly evolve, and now everything is shifting towards preemptive and trying to get ahead of this. Now we're seeing vulnerabilities be exploited out in the wild with negative one day, so zero days. Before the defenders are even aware it's an issue, we're already seeing mass exploitation attempts. This is why continuous threat exposure management is so important and how it's revolutionizing the way that we do vulnerability management. This is why we're seeing more approaches into combating ransomware and stopping this threat. Let's put it bluntly, if all these other security tools could stop it, it wouldn't still be an epidemic. Clearly the vaccine is not working. The stats are pretty crazy, and they're just going up. The average ransomware payment soared to $1.1 million right now, which is like a 104% increase. That was Q2 numbers. I'm still calculating Q3 and then up from Q1. One quarter over that, it's already increased that 104% and the media payments like $400,000. Imagine what you could do to invest that $400,000 into your cybersecurity program. There are some things you can't put back in the bag, like data exfiltration, losing your intellectual property, things like GDPR fines and the list goes on.

Brendan Hall (11:16):
The reputational damage, that's a gut feeling, right? There's no number to it. You know you've made a lot of your customers, even your employees feel bad. There's no dollar figure that you can be paid back for, I paid these people so they don't feel bad about my brand anymore. It's potentially the most damaging to have an incident like that. Then you've got the business, all the financial pieces, but the loss of trust from your employees and your constituents, your clients, sometimes you never get that back. It's all about prevention. This is amazing stuff, and I believe so much in what you guys are doing. That's why I wanted to have this conversation today and make more people out there aware of it. If you're looking as part of your security stack, every once in a while you think about your cyber insurance, you're doing tabletops, you're doing risk assessments, your technologies, that really needs to include a tool like Morphisec that is going to demonstrably, if not reduce, if not completely eliminate the risk of ransomware, which is the most prolific threat facing any organization right now. So highly recommend that people get out there. Brad, any closing thoughts before we wrap this up?

Brad LaPorte (12:17):
If you're interested, if this topic is a top priority of yours, reach out to us. We're happy to have a conversation. It literally costs nothing, and it could save you millions of dollars and a lot of heartache. I appreciate the time, appreciate trying to share the message. We as a society need to really re-look at this. We have to go above and beyond the basic controls and minimum requirements that we have and start thinking outside the box of, AI is here, ransomware is not going away. What do we do about it? We need to be more proactive and address this.

Brendan Hall (12:53):
Absolutely. Brad, appreciate the time today. If there's anything we can do on the Alliant side, let us know. Thank you for coming in.

Brad LaPorte (12:59):
Alright, thank you.