BreachExchange mailing list archives

You can't stop what you can't see: Mitigating third-party vendor risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 7 Jan 2016 19:25:57 -0700

http://www.net-security.org/article.php?id=2438

Third-party vendors are a liability for host organizations, often
unwittingly creating backdoors and exposing sensitive data. In fact,
according to the Ponemon Institute “Aftermath of a Data Breach Study,” 53
percent of organizations felt vulnerable to another breach due to negligent
third parties including vendors and outsourcers.

Consider some of the most notorious attacks in the last couple of years—all
of which exploited a third-party vendor: The Office of Personnel Management
(OPM) breach happened as a result of a hack of the background check vendor
Keypoint Government Solutions; Home Depot lost the information of tens of
millions of customers’ credit cards when hackers used a third-party
vendor’s credentials to sneak onto their network; and the Target attack
followed the breach of one of the subcontractors connected to their network.

As enterprise networks become further extended and include a wider net of
partners, contractors and third-party vendors, their attack surface grows
with it—making it harder for organizations to manage and protect their
assets. It’s imperative that organizations find a new way to visualize and
understand their network’s traffic and users, and, in turn, the risk to
their systems. Finding and remediating is now only one piece of the
much larger puzzle of pervasive security: It’s time for us to be proactive
and foster collaboration among host organizations and third-party vendors.
Only then will we create an ecosystem that enables businesses to be aware
of their risk and manage it accordingly.

Eyes on the road, hands on the wheel

Recognizing risk is central to securing your ecosystem. Who are your
third-party vendors? When and why are they accessing your network? What are
they doing once inside? Companies need to have a deep understanding of how
their third-party vendors are interacting with their network and sensitive
information so that they can identify even the smallest abnormality in
behaviors that may lead to a compromise or indicate a breach is in
progress. Taking this a step further, companies should create profiles of
third-party vendor users that detail their typical activities and behaviors
on a day-to-day basis. Having the ability to analyze typical behaviors
among users makes it easier to flag anything unusual—like a user
uncharacteristically handling sensitive data, communicating with unknown
people or servers, or any activity that falls outside that user’s typical
behavioral model.
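The per-vendor behavioral profile described above, as an added illustration that is not part of the original article: a baseline is built from historical access records for each vendor account, and new events are flagged when they hit a destination, resource class or hour of day the account has never been seen with. The account names, hosts and log entries are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: (timestamp, vendor account, destination host, resource tag).
BASELINE_LOG = [
    ("2016-01-04T09:12:00", "vendor-hvac", "bms-01.corp", "hvac-telemetry"),
    ("2016-01-04T10:40:00", "vendor-hvac", "bms-02.corp", "hvac-telemetry"),
    ("2016-01-05T08:55:00", "vendor-hvac", "bms-01.corp", "hvac-telemetry"),
    ("2016-01-06T14:20:00", "vendor-hvac", "bms-02.corp", "hvac-telemetry"),
]

# Constructed new events to evaluate: one routine, one that breaks the profile on every axis.
NEW_EVENTS = [
    ("2016-01-07T09:30:00", "vendor-hvac", "bms-01.corp", "hvac-telemetry"),
    ("2016-01-07T23:45:00", "vendor-hvac", "pos-db-03.corp", "cardholder-data"),
]

def build_profile(log):
    """Per-account baseline: hosts and resource classes seen, plus hours of day with activity."""
    profiles = defaultdict(lambda: {"hosts": set(), "resources": set(), "hours": set()})
    for ts, account, host, resource in log:
        p = profiles[account]
        p["hosts"].add(host)
        p["resources"].add(resource)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return profiles

def find_deviations(profiles, events):
    """Return (event, reasons) for every event that falls outside its account's profile."""
    findings = []
    for ev in events:
        ts, account, host, resource = ev
        reasons = []
        p = profiles.get(account)
        if p is None:
            reasons.append("unknown vendor account")
        else:
            if host not in p["hosts"]:
                reasons.append(f"new destination {host}")
            if resource not in p["resources"]:
                reasons.append(f"unusual resource class {resource}")
            hour = datetime.fromisoformat(ts).hour
            lo, hi = min(p["hours"]), max(p["hours"])
            if not lo <= hour <= hi:
                reasons.append(f"activity at hour {hour:02d}, outside baseline {lo:02d}-{hi:02d}")
        if reasons:
            findings.append((ev, reasons))
    return findings
```

A real deployment would feed the same logic from VPN, proxy or jump-host logs and treat the flagged event as the starting point for the vendor conversation the article goes on to describe, not as a verdict on its own.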

More importantly, for visualization to be optimally effective, this
information needs to be surfaced in a digestible and manageable way.
Executives and board members should be able to easily leverage the insights
gleaned in their decision-making process—allowing for better allocation of
time and resources. Depending on what’s found, enterprises should be able
to mechanically mitigate simple issues with automated defense measures that
nip problems in the bud, or easily decide on what manual steps need to be
taken to remediate the problem (e.g. confronting a user in person). In short,
evidence-backed action can only take place when the C-suite is armed with
the right insight, which is often easier said than done.

You scratch my back, I scratch yours

Having complete transparency into third-party vendor and enterprise
infrastructures, which includes user activity, also fosters better-working
relationships between the two parties because it enables self-governance,
accountability and collaboration. For example, if it’s noted that a
third-party user has done something suspicious, the host organization has
the ability to flag the concern and work with the vendor, so that the
vendor can address the issue internally before it becomes a real threat.
Vendors become accountable and can collaborate to prevent a dangerous
breach that could negatively affect them—and the enterprises they service.

We can’t forget that vendors are as vulnerable as the enterprises they work
with when it comes to security—exhibit A: OPM and Keypoint Government
Solutions. But, in a functional ecosystem, a collaborative spirit can tame
problems for all parties involved. It creates a sense of accountability
through open communication. While a zero-trust model may be able to help
prevent attacks by distrusting all traffic and activity, it’s not always a
viable option—especially in large legacy infrastructures that are hard to
segment.

We're all in it together

Better visibility and understanding of the third-party vendor ecosystem
naturally creates more control and self-governance. Too many organizations
leave themselves vulnerable and on the defense, rather than proactively
negating security risks with action-oriented insights and a collaborative
mindset.

Today’s enterprise decision makers, CISOs and board members can and should
do something to get ahead of the problem—and that problem, security,
requires a joint effort. We need to create a living, breathing ecosystem
that fosters continuous communication and visibility. Only then will we be
ahead of the curve and better prepared to stop attackers before it’s too
late.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/