Cymmetria announced that it will offer a $1 million warranty to businesses damaged by attacks that its "cyber deception solution" doesn't catch.
The company's MazeRunner product was built to make it easier to tell when advanced persistent threat (APT) actors have compromised a network. It is a detection tool rather than a blocker, and it isn't aimed at amateur hackers: it plays cat-and-mouse with intelligence agencies, well-resourced criminal groups, and other sophisticated attackers. Cymmetria describes the product as planting "breadcrumbs" (planted credentials and other lures) that lead attackers to decoy systems while monitoring their activity, so defenders learn an intruder is present and how they operate before the real assets are reached.
Now the company is putting its money and its reputation on the line. This warranty is available to all of Cymmetria's enterprise customers--those using the community version of MazeRunner will not be covered--and covers up to $1 million in damages resulting from attacks its tool failed to spot in time. The company said that a "top-tier international insurer" would provide the warranty and that the warranty can be added to new or existing contracts.
Here's what Cymmetria founder and CEO Gadi Evron said about the warranty in a blog post:
After catching four APT attacks, successfully deploying to dozens of customer sites, and with over a thousand users who downloaded our free community edition and sent us feedback, we feel confident enough to say that, if our product doesn’t properly detect activity it should have detected, our customers should be compensated for the damages caused by such a failure. [...] It makes sense that we should be able to give our customers this extra layer of protection. It’s time the security industry started standing behind its promises to customers, and indeed show that it’s putting its money where its mouth is.
Companies have started to put more money on the line to handle their cybersecurity. Many have set up bug bounty programs to persuade researchers to disclose the vulnerabilities they discover so they can be fixed instead of exploited, for example, and others have significantly expanded their security teams. Yet security is often reactive. A business suffers a data breach and then, usually, improves its security to protect its customers from further attacks.
This isn't the case with other forms of protection. Although someone could wait to purchase home insurance until their house burns down, for example, most people would probably recommend getting the insurance before anything ignites. Security companies shouldn't only be brought in to respond to attacks--they should be used to make sure even complicated attacks are rebuffed, or their effects are at least mitigated, the first time around.
Warranties like this could help convince more companies to invest in security before they encounter a problem. It works in other sectors--how many people would spend hundreds or thousands of dollars on consumer electronics if there were no guarantee the products would work, at least for a while? There is no reason the same logic can't apply here. Security should be proactive, not reactive, and promises like Cymmetria's could make more companies realize this.