Providing a much-needed data boost for organizations seeking to better manage their ever-increasing third-party and fourth-party cyber risk, RiskRecon announced the release of their Risk Search capability. It enables companies to conduct ad hoc searches and custom reporting across their entire third-party portfolio to better understand the risk composition of their digital supply chain in detail.
RiskRecon Risk Search has been in use for several months, including at numerous Fortune 500 and Global 2000 companies. Leveraging the Risk Search module, analysts at these organizations have developed numerous use cases for better understanding and acting on their third- and fourth-party cyber risk. Below are the four critical capabilities of Risk Search:
Dangerous condition hunting. Risk professionals are using the search module to proactively identify third parties and third-party systems operating highly vulnerable software, such as Windows NT, Windows 2000, Drupal 5, and old versions of OpenSSL. Armed with this data, analysts proactively reach out to discuss the critical vulnerabilities with the third-party organizations.
“More often than not, suppliers are unaware of the presence of such dangerous vulnerabilities in their environment. The vulnerabilities commonly exist in systems that are part of shadow IT operations or became part of ‘forgotten-IT’ during an acquisition or personnel change,” said Neal Roylance, Director of Security Research for RiskRecon.
Critical vulnerability triage. Enterprises are exposed to fast-moving threat agents exploiting recently discovered software vulnerabilities, such as the series of events RiskRecon has seen related to Apache Struts and Magento that were primary in the attack chains compromising major corporations. RiskRecon has become a centerpiece for managing third-party exposure to critical vulnerabilities.
Leveraging the Risk Search module, analysts simply search for the vulnerable software across their third-party portfolio, and the results provide them details of the vendors operating the vulnerable software and the specific systems exposed to the risk. Analysts then use the information to focus their critical vulnerability exposure management efforts on those vendors reported to operate the software in their internet surface.
Geolocation awareness. Enterprises are increasingly concerned about the geolocation of their third parties' systems. Companies want a high degree of assurance that their third parties are operating in authorized and appropriate countries. For example, third parties operating systems in an OFAC-sanctioned country could expose these companies to government penalties.
Additionally, companies that deal in highly sensitive data, such as medical and financial, must ensure that data is hosted in authorized countries to ensure privacy and compliance with privacy regulations. Risk analysts can instantly understand the geolocation of third-party systems using the Risk Search module, pinpointing the systems down to the latitude and longitude by hostname and IP address.
Preparation for natural disasters is one of the more creative uses of RiskRecon’s capability to geolocate third-party systems. For example, when Hurricane Florence began bearing down on the Eastern Seaboard of the United States, one analyst ran a custom report to identify vendors with systems potentially in the hurricane’s path.
Fourth-party awareness. A growing number of enterprises are directing attention towards the risk of suppliers used by their third parties (aka fourth parties). Operational failures and security compromises of companies you don’t do business with could impact your suppliers, in turn impacting you.
The Risk Search module makes it easy to identify the vendors to your third parties, that is, your fourth parties. Enterprises leverage this capability to understand the fourth-party risks of their vendors to ensure they are doing business with reputable hosting parties. It also enables them to see beyond the third-party risk horizon to understand the source and magnitude of dependencies across the broader cyber landscape.
“Managing risk well requires good data, and the third-party risk space has been lacking accurate, objective information for too long,” said Kelly White, Co-founder and CEO of RiskRecon. “The Third-Party Risk Search module arms RiskRecon customers with an expansive set of data that they can use to conduct their own third-party risk searches and reporting. We are really pleased to see the use cases that our customers have developed leveraging this data. We are excited to see what else they develop to better solve their third-party risk.”