Third party applications and software have become commonplace over the years with the development of SaaS technology that simplifies business operations, manages customer and employee details and even processes financial accounts. These applications are often so integrated into daily life that many are rarely accounted for, bypassing the scrutiny required to prevent a security breach. With the average organization adopting almost 6000 third party SaaS applications, it’s hardly surprising that they have not been more closely monitored.
Exposed to Attack
Traditional third-party risk management is often limited to spreadsheet-based, point-in-time, manual processes. In fact, 82% of organizations still use spreadsheets to log, assess and manage third parties and almost 50% don’t consider it a critical business imperative. A ‘promise’ led belief that third-party vendors are following cybersecurity best practices has led to a lack of diligence that has quickly been exploited by threat actors, resulting in some of the most dramatic cyber attacks we have witnessed this year. Three of the most notable are:
- SolarWinds – Orion has been a dominant software from SolarWinds with clients, which includes over 33,000 companies. The current predicted damage from the supply chain attack is approximately $100 billion. Around 18 products were affected due to the breach and SolarWinds says 18,000 of its clients have been impacted. The list includes 425 companies in Fortune 500 and the top 10 telecom operators in the US.
- Nobellium – The nation-state attack from NOBELIUM, a Russia-sponsored group of hackers, is widely recognized as the most sophisticated in history. The information shared by Microsoft about the activity from NOBELIUM suggests that abuse of the Azure AD trust relationship and the Azure Cloud platform play a central role in the malicious activity.
- Kaseya – The REvil ransomware group exploited a vulnerability resulting in Kaseya temporarily shutting down both their on-prem and cloud servers. Approximately 1,500 companies were affected around the world including a Swedish grocery retailer who was forced to close over 800 stores.
Of the organizations breached within the last 12 months, 74% reported that it was a result of third-party access, enabling threat actors to exploit vulnerabilities in connections and initiate back doors to steal IP, financial information or install malware.
To protect their environments, security teams need to adopt dynamic assessments of all vendors, instead of point-in-time assessments of the top 10-15% of vendors, or those perceived to be the most at risk. In addition, assessing only direct third-party contractors is insufficient, teams must now have visibility into their nth party ecosystem, monitoring these with the same diligence applied to their own organization.
Re-Imagining Third Party Risk Management
Real-time auditing of third-party access using machine-learning enabled risk quantification platforms is the ideal solution to reduce an organization’s risk of attack. Using risk quantification and data science, SAFE delivers this real-time visibility into the likelihood of a third-party enabled breach. Deploying the power of a Bayesian network and combining this with machine learning, SAFE analyzes endpoints, employees, vendor applications and domain vulnerabilities to assess risk and the financial impact of an nth party breach. To achieve this, 5 steps are followed:
- Questionnaire Based Assessments to identify issues that cannot be found via automation
- Automated Outside-In Assessments that continuously identify and monitor security issues across 8 security domains, delivering instant visibility into the cyber health of third-party vendors
- SaaS Configuration Based Assessments using API integrations to detect IT drift and misconfiguration across third-party SaaS platforms
- Endpoint-based Assessments monitoring the endpoints of third-party vendors that connect to your environment
- People Based Assessments that mandate cyber hygiene practices for employees of third-party vendors to ensure their devices are not hacked and passwords are not compromised
The increase in third-party attacks are a stark reminder to organizations that security risks can stem from a variety of vectors. While third-party vendors are an indispensable part of operations for many businesses, without taking appropriate measures to understand their likelihood of a breach, organizations are leaving themselves vulnerable to attack and liable for any customer records exposed. When attackers are becoming increasingly aggressive and sophisticated, isn’t it time you discovered how trustworthy your third-party vendors are?
To find out how Safe Security can support your third-party risk management strategy, contact: [email protected]