Third Party Cyber Risk Management

Third Party Cyber Risk Management (TPCRM) is incomplete!

by Paresh Borkar

Overview

In this blog article, let us take a look at the current approach to Third Party Cyber Risk Management (TPCRM), what it leaves on the table and what is really desirable.

Most organizations today work closely with their business ecosystem, which is key for business continuity. This business ecosystem includes, but is not limited to, their vendors, partners, suppliers and more. Organizations need to share sensitive information with their business ecosystem partners on a regular basis. While an organization has good control over its own security posture, it has a limited view of the security posture of its business ecosystem partners. As the saying goes, “security is only as strong as the weakest link”. Now you might wonder: don’t we already have solutions to assess third party risks? Yes, we do, but these provide only a partial picture.

Current approach to TPCRM

The current approach to third party cyber risk management involves an “outside-in” assessment. It covers only what is visible from an external-facing angle, for example: the website, external-facing applications, external-facing IPs and servers, DNS and so on. While the external aspect is an important one, this view is quite limited. Now you might ponder: why is the external view limited? To answer this, let us first understand the anatomy of a cyber attack.

Anatomy of a cyber attack

The anatomy of a cyber attack is represented in the infographic below.

[Infographic: Anatomy of Cyber Attack]

It comprises the following steps:

  • Reconnaissance
  • Attack
  • Exfiltration
  • Obfuscation / Sanitation

In the Reconnaissance step, attackers try to understand your business, associated infrastructure, employees etc. In the Attack step, they try to trick key folks in your organization into exposing sensitive information or downloading malicious software (key loggers / malware / ransomware). Once the malicious software is mobilized and operational in the organizational network, attackers attempt to penetrate further and elevate privileges. Once they are equipped with the required privileges and access to data, the Exfiltration phase begins (or, in the case of ransomware, the data encryption phase begins). It is important to note that in most cases, hackers externally control the malicious software residing inside the organizational network. The last phase is to cover the tracks by cleaning up evidence related to the attack.

Gaps in current TPCRM

From the above, it is apparent that vulnerabilities inside your organizational network are key for a successful attack. Attackers regularly exploit vulnerabilities to move inside the network (lateral movement) and elevate privileges (privilege escalation), amongst other things. Malware and ransomware routinely leverage known exploits and published vulnerabilities. Unfortunately, current approaches to Third Party Cyber Risk Management (TPCRM) fall severely short, as they fail to inspect vulnerabilities in internal systems. These solutions do not provide any means for you to collaborate with your third parties to prioritize and remediate critical issues. Also, current TPCRM solutions fail to provide continuous assurance of the ever-changing security posture of your third parties.

What is needed?

What is needed is a means to have an “inside-out” view of the security posture of your third parties in a non-intrusive, continuous manner, along with the ability to collaborate with them to resolve priority issues. Ideally, a TPCRM solution should provide the following:

  • Complete security posture including inside-out view
  • Complete coverage of the attack surface of third parties (includes cloud, container, code, compliance, data center, etc.)
  • Single pane of glass to collaborate with third parties to reduce risk exposure
  • Continuous tracking and assurance along with detailed risk scoring

The above will make Third Party Cyber Risk Management operationally effective and automated to verify the ever-changing ground truth.

In a following blog article, we will see how ThreatWatch helps address these gaps. Stay tuned.

 
