December 3, 2019 • The Recorded Future Team
Editor’s Note: Over the next several weeks, we’ll be sharing excerpts from the newly released second edition of our book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at the ninth chapter, “Threat Intelligence for Reducing Third-Party Risk.” To read the entire chapter, download your free copy of the handbook.
As the old saying goes, “A chain is no stronger than its weakest link.” Never has that been so true. Today’s supply chains are so tightly integrated that businesses have to consider the security of their partners, vendors, and other third parties when assessing their overall organizational risk profile.
According to research firm ESG, most IT professionals believe that cyber risk management has become more difficult over the last two years. Many directly attribute this challenge to the additional effort required to manage third-party risk. Recent studies from the Ponemon Institute show that 59% of organizations have had a breach that originated from a third party, and only 29% believe their partners would notify them of a compromise. Even more troubling is that less than half (46%) of organizations always audit the security risk of their third parties.
The writing is on the wall: third-party attacks will get worse, they will further complicate cyber risk management, and your partners probably won’t help you address the most critical problems. In this chapter, which has been edited and condensed for clarity, we explore the impact of increasing third-party risk and explain how security intelligence can help turn the tide.
Traditional Risk Assessments Fall Short
Many of the most common third-party risk management practices employed today lag behind security requirements. Static assessments of risk, like financial audits and security certificate verifications, are still important, but they often lack context and timeliness.
Organizations following traditional approaches to managing third-party risk often use these three steps:
- They attempt to understand the organization’s business relationship with a third party and how it exposes the organization to threats.
- Based on that understanding, they identify frameworks to evaluate the third party’s financial health, corporate controls, and IT security and hygiene, as well as how these relate to their organization’s own approach to security.
- Using those frameworks, the organization assesses the third party, determining whether it is compliant with security standards like SOC 2 or FISMA. Sometimes, the company conducts a financial audit of the supplier or partner.
While these steps are essential for evaluating third-party risk, they don’t tell the whole story. The output is static and cannot reflect quickly changing conditions and emerging threats. Often the analysis is too simplistic to produce actionable recommendations. Sometimes the final report is opaque, making it impossible to dig deeper into the methodology behind the analysis. This process leaves decision makers unsure about whether crucial pieces of information might have been overlooked.
3 Things to Look for When Measuring Third-Party Risk
To accurately evaluate third-party risk in real time, you need a solution that offers immediate context on the current threat landscape. Intelligence is one way to obtain that context and determine which shortcomings in the defenses of your partners represent significant risks to your organization. That context includes not only current risks but also a historical view, which helps you detect, prevent, and resolve risks.
To help you evaluate third-party risk, a security intelligence solution should offer:
- Automation and machine learning to quickly and comprehensively sort massive amounts of data
- Real-time alerts on threats and changes to risks
- Transparency into the threat environments of your third-party partners
Automation and Machine Learning
To manage risk for your organization, you need access to massive amounts of threat data from the open web, the dark web, technical and news sources, and discussion forums. The same applies to assessing the risks of third parties.
But given the scale of cybersecurity-related content from these sources, totaling billions of facts, you need an intelligence solution that uses automation and artificial intelligence to collect and analyze these details. Your threat intelligence solution should be able to:
- Analyze, classify, and index data points using natural language processing capabilities and multiple machine learning models
- Generate an objective, data-driven risk score using a straightforward mathematical formula
Real-Time Updates to Risk Scores
Static assessments quickly become outdated. Weekly or monthly intelligence reports produced by human analysts provide essential overviews, but often arrive too late to enable effective action.
Risk scoring is much more effective when it updates in real time and draws on a large pool of data. These capabilities make risk scores much more reliable for making immediate assessments and reaching security decisions.
Transparent Risk Assessments
Many risk assessments today rely on vague scoring methods or opaque sourcing, and they can be hard to accept, even if they’re accurate. Too often, organizations fail to act on intelligence because leaders don’t understand it or don’t know the source.
To help security professionals see for themselves why something like an alert on a particular IP address might represent a real risk, a threat intelligence solution should show the risk rules that are triggered by the alert and be transparent about its sources. That extra detail can also eliminate the suspicion that information might have been overlooked. This context allows for faster due diligence and reference checking, including when evaluating static assessments.
Responding to High Third-Party Risk Scores
What do you do when faced with high risk scores for a third party? Not every data breach justifies terminating business with that partner. Just about every organization contends with cyberattacks and unexpected downtime, and partners are no exception. The more important issue is how they (and you) deal with incidents and take steps to reduce future risks.
A change in risk scores can present an opportunity to talk with your business partners about how they approach security. On your end, you can look more closely at whether the risk rules that were triggered will impact your organization’s network. For example, a public partner’s risk score might increase because typosquatting websites that closely resemble legitimate websites operated by the partner were discovered. You can blacklist those sites in your own network to thwart phishing campaigns, and also investigate what steps that partner plans to take to protect its brand identity.
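As an added illustration (not code from the handbook or from Recorded Future), the scorer below shows what the transparency described above and this typosquatting response look like in practice: every score comes with the named rules that fired, one rule is a lookalike check against a partner's domain, and domains that reach a threshold go onto the organization's own blocklist. The partner domain, rule names, weights, and feed records are constructed assumptions.

```python
# Added example (not the handbook's or any vendor's model): rule names, weights
# and sample data below are constructed for illustration.
PARTNER_DOMAIN = "example-partner.com"  # constructed partner domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def second_level_label(domain: str) -> str:
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def looks_like_typosquat(candidate: str, legit: str, max_distance: int = 2) -> bool:
    """True when the registrable label is close to, but not equal to, the partner's."""
    c, l = second_level_label(candidate), second_level_label(legit)
    return c != l and edit_distance(c, l) <= max_distance

# Each rule: (name shown to the analyst, weight, predicate over one observation).
RISK_RULES = [
    ("typosquat_of_partner_domain", 40, lambda o: looks_like_typosquat(o["domain"], PARTNER_DOMAIN)),
    ("registered_within_30_days", 25, lambda o: o["age_days"] < 30),
    ("listed_in_phishing_feed", 35, lambda o: o["in_phishing_feed"]),
]

def score_observation(obs: dict) -> tuple:
    """Return (score capped at 100, names of rules that fired) so the score is auditable."""
    fired = [(name, w) for name, w, pred in RISK_RULES if pred(obs)]
    return min(100, sum(w for _, w in fired)), [name for name, _ in fired]

def build_blocklist(observations: list, threshold: int = 50) -> list:
    """Domains scoring at or above the threshold, for the organization's own web filter."""
    return sorted(o["domain"] for o in observations if score_observation(o)[0] >= threshold)

# Constructed sample observations, in the shape a feed might deliver them.
SAMPLE = [
    {"domain": "example-partner.com", "age_days": 3650, "in_phishing_feed": False},
    {"domain": "examp1e-partner.com", "age_days": 5, "in_phishing_feed": False},
    {"domain": "www.exarnple-partner.com", "age_days": 12, "in_phishing_feed": True},
    {"domain": "unrelated-news.net", "age_days": 900, "in_phishing_feed": False},
]

if __name__ == "__main__":
    print(build_blocklist(SAMPLE))
```

Because the rule list is the whole model, an analyst can trace any score back to the facts that produced it and decide which triggered rules actually affect their own network before acting.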
For smart security decisions, not knee-jerk reactions, you need up-to-the-minute context and evidence provided by comprehensive security intelligence.
Get the Threat Intelligence Handbook
Explore the entire ninth chapter of our handbook to see how real-time intelligence enables you to accurately assess risk posed by third parties and keep assessments current as conditions change and new threats emerge. You’ll also find a case study on how a national insurance company gained a threat-centric view of third-party risk and reduced time spent on due diligence and reference checking by 50%.
Read the entire chapter today by downloading your complimentary copy of “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.”