Cyber Insurance

Cyber Insurance Reference Questions & Answers

There are many types of insurance policies that ask questions about cybersecurity. These questions can be tough to answer if you have overlapping products and services. Blumira has captured many cyber insurance application questions and provided suggested answers for Blumira customers and partners to help guide you in your responses.

Note – You must update your answers according to your specific Blumira configuration and the state of your network security.

Remember, when filling out an insurance application:

  • BE HONEST!!!!
  • Your answers need to be technically accurate for the point in time that the application is being filled out.
  • Provide context that could be helpful to the carrier. Try to stay away from one-word answers. Explain what you’re doing (or not doing) and why.
  • Supply additional information for a complete picture of possible risk. If there are two executives who refuse to turn on MFA for their email, disclose that on the application! That way, should they get phished in the future and it leads to a breach, the insurance company was aware of that risk when it agreed to bind your policy.

Insurance Application Reference Questions and Suggested Responses

Question: Does the applicant utilize a Security Information and Event Management system (SIEM)?

Suggested Response: Yes. We use Blumira as our SIEM, which collects and analyzes log data for our organization. Blumira provides us with detections across data sent to them and has their own internal detection engineering team that tracks and stays up to date on all new vulnerabilities and methods of detection. If threats are identified, Blumira sends prioritized threat findings/alerts to our helpdesk with case management and playbooks built into each detected event so we always have a guided response. Additionally, Blumira provides the ability to generate reports, automated and ad hoc, for our compliance and internal visibility needs. All data sent to Blumira is kept for 1 year and Blumira’s Security Operations (SecOps) team is available 24/7 for urgent incident response support.

Question: Please provide details on whether you have a Security Operations Center (SOC) that is responsible for event monitoring and detection, and incident response. Please include details on the hours of operation and whether this is an internal function or outsourced to a third party:

SOC Definition: Security Operations Center (SOC) is an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes. SOCs can be internal and run by the organization themselves or outsourced to a third party.

Suggested Response: Blumira provides us with automated security operations via their SIEM platform as well as a 24/7 Security Operations team for event monitoring and detection as well as guided incident response. The Blumira platform analyzes the data it receives and detects threats, operational risks, and suspicious behavior for our organization. The platform also provides remediation process guidance to help us respond to the incidents. The Blumira Customer Success team reviews our security posture with us on an ongoing basis and the Blumira Security Operations (SecOps) team is available 24/7 for urgent incident response support.

Question: Does the applicant have Advanced Threat Protection settings enabled on their network?

Suggested Response: We have Advanced Threat Protection enabled via <insert EDR name> and collect additional EDR-based telemetry via Blumira Agent. This allows us to identify threat behaviors ahead of proper AV signatures and track any potentially negative behaviors by internal IT teams within the organization. We also have our firewall logs sent to Blumira for event monitoring and advanced threat protection.

All data sent to Blumira is kept for 1 year and Blumira’s Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

Note – If you use Blumira’s Dynamic Blocklist feature and have it configured in your firewalls, this would be a good place to mention it for the automated blocking of bad IPs based on numerous threat intelligence feeds.

Question: Do you have inbound and outbound firewall / IPS configurations with log retention?

Suggested Response: Yes, we send our firewall logs, with IPS enabled, to Blumira for both directions, as well as logs from internally routed segments that pass through their respective firewalls. Blumira stores these logs for 1 year and performs ongoing threat feed and data analysis on them to ensure that threats missed by the IPS are identified. Additionally, we use Blumira to look for large data transfers in and out of the environment across the firewall. If necessary, Blumira’s Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

Question: Do you use a network monitoring solution to alert your organization to suspicious activity or malicious behavior on your network and is it monitored 24/7?

Suggested Response: We use Blumira for all network monitoring to determine whether suspicious activity or malicious behavior occurs, and Blumira’s Security Operations team provides 24/7 support to our internal IT team. If a high priority alert is triggered, we are called, texted, and emailed, and we follow the remediation guidance provided by Blumira. If additional support is required, we can speak to the Blumira Security Operations team within 1 hour. All data sent to Blumira is kept for 1 year.

Question: Please provide details on how you protect privileged user accounts (e.g. using privileged access management solutions, restricting privileged user accounts to specific devices, enhanced monitoring of accounts for anomalous usage, multi-factor authentication enabled for remote access etc):

Suggested Response: Blumira monitors changes to all identity and access management (IAM) systems within our environments, e.g., on-prem Active Directory, firewall management, M365, and Azure. Blumira alerts on the creation and modification of accounts and on potential attacks against them, such as password spraying or brute forcing. Blumira additionally allows us to enable louder alerts, such as account lockouts and account reset patterns, which our helpdesk uses to support our employees as needed. Lastly, we use Blumira to detect plaintext password files on hosts to ensure that user account passwords are not left exposed on the host.

All data sent to Blumira is kept for 1 year and Blumira’s Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

Question: Please describe any additional steps your organization takes to detect and prevent ransomware attacks (e.g. segmentation of your network, additional software tools, external security services, etc.)

Suggested Response: A SIEM (Blumira) is in use to collect logs from all production systems, including Windows servers and workstations with Sysmon enabled, WAN firewalls, cloud-hosted Microsoft 365 email and all other Microsoft 365 apps, and our MFA provider. Combined with Blumira’s threat feed evaluation, this allows us to be aware when a known-bad IP is attempting to attack us and to block it by default. If an attacker is able to land within the environment, we use Blumira’s platform to analyze our logs and detect all potential methods of initial access. These alerts are sent to our MSP’s technical/security staff, who triage and respond to alerts based on their priority level. All data sent to Blumira is kept for 1 year and is available for investigation and reporting. Blumira’s Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

Question: Does the applicant use Endpoint Detection and Response (EDR) or a Next-Generation Antivirus (NGAV) software (e.g., CrowdStrike, Cylance, Carbon Black) to secure all system endpoints?

Suggested Response: We use Blumira’s EDR agent, which provides endpoint detection and response for Windows endpoints. The agent sends logs to Blumira’s platform for near real-time detection, and the Blumira platform provides playbooks for guided response. The agent also gives us the ability to isolate hosts in order to contain a threat detected on an endpoint. The detections are created and managed by the Blumira SecOps team, who are also available 24/7 to help us with critical incidents should the need arise.

Question: Please provide an overview of how your EDR product is monitored and managed (e.g. internal IT team or outsourced to a third party):

Suggested Response: Using Blumira’s EDR agent, our Windows endpoint logs are sent to Blumira’s detection and response platform, which monitors and analyzes logs for suspicious or threat activity.

The platform notifies us when it detects anomalies and we follow playbook instructions on how to respond, including isolating the host if recommended to contain a threat on an endpoint, cutting off access to the rest of the network. Blumira’s incident detection engineers proactively manage detections, updating them to keep us protected from new vulnerabilities and exploits.

Blumira’s 24/7 security operations (SecOps) team provides support for all critical priority issues and helps our IT provider with guided response, security advice, and investigation. If needed, they will work with an incident response team to help resolve any identified issues.

Question: Does the applicant use a 24/7 staffed and managed Endpoint Detection and Response (EDR) for all endpoints? (If yes to EDR, please list provider in the comments)

Suggested Response: We use Blumira’s EDR agent paired with Blumira’s automated detection and response platform to provide coverage for all of our Windows endpoints. Blumira’s SecOps team provides 24/7 support for critical priority issues with guided response. Blumira’s incident detection engineers manage the platform’s detection rules, keeping them up to date to identify the latest vulnerabilities and exploits. Our team is notified of any endpoint threats, and we take action based on the provided playbooks to investigate and respond promptly, including isolating the host if recommended to contain a threat on an endpoint, cutting off its access to the rest of the network.

Question: Do you use endpoint application isolation and containment technology on all endpoints? If yes, name your provider:

Suggested Response: We have Blumira’s endpoint agent on all Windows devices. It provides endpoint isolation and containment technology, enabling us to isolate a host and cut off its network access (other than to Blumira, which continues collecting log data from the device for incident response) when Blumira’s platform detects an endpoint threat.