You can’t stop what you can’t see: Mitigating third-party vendor risk

Ryan Stolte, CTO at Bay Dynamics

Third-party vendors are a liability for host organizations, often unwittingly creating backdoors and exposing sensitive data. In fact, according to the Ponemon Institute “Aftermath of a Data Breach Study,” 53 percent of organizations felt vulnerable to another breach due to negligent third parties including vendors and outsourcers.

Consider some of the most notorious attacks in the last couple of years—all of which exploited a third-party vendor: The Office of Personnel Management (OPM) breach happened as a result of a hack of the background check vendor Keypoint Government Solutions; Home Depot lost the information of tens of millions of customers’ credit cards when hackers used a third-party vendor’s credentials to sneak onto their network; and the Target attack followed the breach of one of the subcontractors connected to their network.

As enterprise networks become further extended and include a wider net of partners, contractors and third-party vendors, their attack surface grows with it—making it harder for organizations to manage and protect their assets. It’s imperative that organizations find a new way to visualize and understand their network’s traffic and users, and, in turn, the risk to their systems. Finding and remediating issues is now only one piece of the much larger puzzle of pervasive security: It’s time for us to be proactive and foster collaboration between host organizations and third-party vendors. Only then will we create an ecosystem that enables businesses to be aware of their risk and manage it accordingly.

Eyes on the road, hands on the wheel

Recognizing risk is central to securing your ecosystem. Who are your third-party vendors? When and why are they accessing your network? What are they doing once inside? Companies need to have a deep understanding of how their third-party vendors are interacting with their network and sensitive information so that they can identify even the smallest abnormality in behaviors that may lead to a compromise or indicate a breach is in progress. Taking this a step further, companies should create profiles of third-party vendor users that detail their typical activities and behaviors on a day-to-day basis. Having the ability to analyze typical behaviors among users makes it easier to flag anything unusual—like a user uncharacteristically handling sensitive data, communicating with unknown people or servers, or any activity that falls outside that user’s typical behavioral model.
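One way to implement the per-user behavioral profile described above, as an added example (not code from the article or from Bay Dynamics): a baseline of the hosts and data categories each vendor account normally touches is built from history, and new events are scored by how far they fall outside it. The vendor user names, hosts and data categories are constructed sample values.

```python
"""Baseline-and-deviation scoring for third-party vendor accounts (added example)."""
from collections import defaultdict

# Constructed sample history: (vendor user, destination host, data category)
HISTORY = [
    ("vendor-hvac-01", "bms-controller-01", "building-telemetry"),
    ("vendor-hvac-01", "bms-controller-02", "building-telemetry"),
    ("vendor-hvac-01", "bms-controller-01", "building-telemetry"),
    ("vendor-bgcheck-07", "hr-records-db", "pii"),
    ("vendor-bgcheck-07", "hr-records-db", "pii"),
]


def build_profiles(history):
    """Map each vendor user to the hosts and data categories seen in history."""
    profiles = defaultdict(lambda: {"hosts": set(), "categories": set()})
    for user, host, category in history:
        profiles[user]["hosts"].add(host)
        profiles[user]["categories"].add(category)
    return dict(profiles)


def score_event(profiles, user, host, category):
    """Return (score, reasons); a higher score means further from the baseline.

    A never-seen host counts 1, a never-seen data category counts 2, because
    touching a new class of sensitive data is the stronger signal; an account
    with no history at all is scored 3 so it is always surfaced for review.
    """
    profile = profiles.get(user)
    if profile is None:
        return 3, ["no baseline exists for vendor user " + user]
    score, reasons = 0, []
    if host not in profile["hosts"]:
        score += 1
        reasons.append(f"{user} has never connected to {host}")
    if category not in profile["categories"]:
        score += 2
        reasons.append(f"{user} has never handled {category} data")
    return score, reasons


def flag_events(profiles, events, threshold=2):
    """Return the events whose deviation score reaches the review threshold."""
    flagged = []
    for user, host, category in events:
        score, reasons = score_event(profiles, user, host, category)
        if score >= threshold:
            flagged.append((user, host, category, score, reasons))
    return flagged
```

In practice the baseline would be rebuilt on a rolling window so that legitimately changing vendor duties do not stay flagged forever, and the reasons list is what an analyst or the vendor's own security contact would receive.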

More importantly, for visualization to be optimally effective, this information needs to be surfaced in a digestible and manageable way. Executives and board members should be able to easily leverage the insights gleaned in their decision-making process—allowing for better allocation of time and resources. Depending on what’s found, enterprises should be able to mechanically mitigate simple issues with automated defense measures that nip problems in the bud, or easily decide on what manual steps need to be taken to remediate the problem (e.g. confront a user in person). In short, evidence-backed action can only take place when the C-suite is armed with the right insight, which is often easier said than done.

You scratch my back, I scratch yours

Having complete transparency into third-party vendor and enterprise infrastructures, which includes user activity, also fosters better-working relationships between the two parties because it enables self-governance, accountability and collaboration. For example, if it’s noted that a third-party user has done something suspicious, the host organization has the ability to flag the concern and work with the vendor, so that the vendor can address the issue internally before it becomes a real threat. Vendors become accountable and can collaborate to prevent a dangerous breach that could negatively affect them—and the enterprises they service.

We can’t forget that vendors are as vulnerable as the enterprises they work with when it comes to security—exhibit A: OPM and Keypoint Government Solutions. But, in a functional ecosystem, a collaborative spirit can tame problems for all parties involved. It creates a sense of accountability through open communication. While a zero-trust model may be able to help prevent attacks by distrusting all traffic and activity, it’s not always a viable option—especially in large legacy infrastructures that are hard to segment.

We’re all in it together

Better visibility and understanding of the third-party vendor ecosystem naturally creates more control and self-governance. Too many organizations leave themselves vulnerable and on the defensive, rather than proactively negating security risks with action-oriented insights and a collaborative mindset.

Today’s enterprise decision makers, CISOs and board members can and should do something to get ahead of the problem—and that problem, security, requires a joint effort. We need to create a living, breathing ecosystem that fosters continuous communication and visibility. Only then will we be ahead of the curve and better prepared to stop attackers before it’s too late.