Managing Third-Party Risk in Real Time

January 28, 2019 • Zane Pokorny

Many organizations find themselves faced with the challenge of managing third-party risk, working with business partners, vendors, and suppliers to ensure that they are handling security and managing vulnerabilities at an acceptable level. Traditionally, this has been accomplished through static assessments — snapshots of a security posture at a specific moment in time — done at regular intervals. There are limitations to this approach, since businesses don’t operate in static environments, and things change in real time.

Our guest today is Jon Oltsik, senior principal analyst and ESG fellow at the Enterprise Strategy Group. He’s author of a recently published study, “Third-Party Risk: Why Real-Time Intelligence Matters.”

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 92 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Many organizations find themselves faced with the challenge of managing third-party risk, working with business partners, vendors, and suppliers to ensure that they are handling security and managing vulnerabilities at an acceptable level. Traditionally, this has been accomplished through static assessments — snapshots of a security posture at a specific moment in time — done at regular intervals. There are limitations to this approach, since businesses don’t operate in static environments, and things change in real time.

Our guest today is Jon Oltsik, senior principal analyst and ESG fellow at the Enterprise Strategy Group. He’s author of a recently published study, “Third-Party Risk: Why Real-Time Intelligence Matters.” Stay with us.

Jon Oltsik:

Well, I’ve been in the technology industry for over 30 years. I’ve been in cybersecurity for the last 16 of those years. I started the cybersecurity practice at ESG in 2003, and now I oversee the cybersecurity practice with some colleagues.

Dave Bittner:

What is the range of services that ESG provides?

Jon Oltsik:

We do technical analysis of products, we do market research. We’re very close to the end-user cybersecurity professional community, and then we work with cybersecurity vendors to help them understand the intersection of technology and user requirements.

Dave Bittner:

Let’s dig into the report here. Can you just start off with an overview for us?

Jon Oltsik:

Well, we’ve recently completed some research on cyber risk management at enterprise organizations, and coincidentally, Recorded Future was making an announcement in that direction, so we got together.

Dave Bittner:

Let’s start off with some definitions here. What are we talking about when we say “third-party risk?”

Jon Oltsik:

Third-party risk is related to risks associated with third parties that you do business with. So, it could be partners, it could be suppliers, it could be customers, contractors. Typically, you’ve given those entities access to your network, or you may have access to their network. As a function of that, your risk is associated with their risk. So, you have to coordinate and understand what risks they face and what controls they’ve put in place, and then you need to monitor those risks in case things change so that you can make the appropriate risk mitigation strategies.

Dave Bittner:

How have organizations typically gone about that?

Jon Oltsik:

In the past, it was very static. It was really based on things like point-in-time assessments or questionnaires that people filled out. That gave me a good baseline of knowledge. So, I understood where you were at a point in time, but things change rapidly in cybersecurity. Threats change, vulnerabilities change, et cetera. Therefore, if I know how you’re doing on the first of January, I don’t know how you’re doing on the 31st of January, or after that. That’s been a problem in third-party risk management.

Dave Bittner:

How much of managing third-party risk has been related to compliance?

Jon Oltsik:

Some of it is related to compliance. It really depends on the nature of the relationship. Clearly, I want to understand if you, especially if we’re sharing sensitive data and regulated data, I want to understand what you’re doing for compliance, what your audits tell you, and if there are any gaps, that you’ve addressed those gaps. Clearly, that’s a part of it, but it’s also really beyond that. For instance, I just may provide your company with access to mine, so there’s really no compliance relationship involved there. But because you have access to my network, I want to know how you’re managing your users and how they’re authenticated into the network and what you’re doing to protect the assets on your network. It’s sometimes compliance. It’s sometimes beyond that.

Dave Bittner:

One of the things that the report points out is what you describe as a third-party risk management gap and how this has become a boardroom issue.

Jon Oltsik:

It has. In general, cyber risk management has become a boardroom issue because directors and executives recognize the potential damages involved. But when they look at third-party risk management, it’s often done haphazardly. It’s often done with point-in-time assessments. They want real-time metrics. They want to be able to make real-time risk mitigation decisions, and they don’t have either the metrics, the data, or the processes in place to do so.

Dave Bittner:

When we’re talking about this gap, what do we mean there?

Jon Oltsik:

Well, the gap is really fundamental in that cybersecurity professionals have approached risk management from a technical perspective, and with third-party risk management, like I mentioned, from a point-in-time perspective. Like I said, I send you a questionnaire, you fill it out. That gives me some baseline of your risk management position, what you’re doing to mitigate risk, and so on, but it doesn’t give me anything beyond that.

Now, business people want to manage cyber risk the way they manage business risk, which means measuring risk, adjusting to changes in risk, and making decisions on how to mitigate risk. They can’t do that very well if there are third parties that I never assess, if the third parties that I assess are done … If the assessments are done differently based on the different third parties, or if we’re collecting point-in-time data and we don’t have anything up to date. For instance, if one of those third parties is breached, all we know is that they were breached. We don’t have any records of what happened between the time we assess them and when they were breached.

Dave Bittner:

In terms of funding, of people’s ability to pay for keeping an eye on this, where do organizations stand there?

Jon Oltsik:

Those initiatives are fairly well-funded, and actually, the funding is increasing for cyber risk management, really because executives are realizing that they’re not prepared. They’re not getting the information, the timely information that they need to make decisions. So the money is there.

Now, I should say, though, that the executives do want to measure ROI on their cybersecurity spending, and historically, cybersecurity professionals haven’t done a good job there. If I’m the CFO, I want to know, “If I give you a million dollars, Mr. CISO or Ms. CISO, what am I getting for my investment, and what am I sacrificing if you ask for 1.5 million?” Those questions have been really, really hard to answer.

Dave Bittner:

Now, the report contrasts this notion of the static assessments versus real-time assessments. Can you compare for us what’s the difference there?

Jon Oltsik:

Well, the static assessments are point-in-time assessments, and again, those are good for a baseline. There are lots of different ways people do that. A real-time assessment is measuring risk as it changes over time. So, based on new types of attacks by cyber adversaries, based on new vulnerabilities that arise, either software vulnerabilities or configuration vulnerabilities. They could be personnel-related, so is there an insider, a nefarious insider doing something?

There are ways to measure risk, and certainly, I’m doing that if I’m looking at my network activity, my endpoint activity, my user activity. I’m doing that. I’m assessing risk all the time. Now, we want to extend that kind of data collection, processing, and analysis to third parties, and what Recorded Future is providing are exactly those types of metrics.

Dave Bittner:

How does this change things in terms of the types of alerts that you would get?

Jon Oltsik:

If things change … So, if a risk changes … So, for instance, if all of a sudden, there’s a credentials dump on the dark web, so someone starts advertising that they have thousands of credentials, legitimate credentials, for sale from your organization, Recorded Future would see that, and they would alert someone that one of your third-party partners has been breached, or apparently breached, and there’s chatter on the dark web. Well, that gives you the opportunity to then assess the risk to you and work with your third-party partner to mitigate that risk.

Dave Bittner:

Yeah, I mean, it’s interesting to me, it seems as though if you … In my mind, I’m imagining concentric circles out from my organization to my third-party providers, and then their providers as well. It seems to me the farther you get out on those circles, you might not even have a good notion of where to look or what questions to ask.

Jon Oltsik:

Therein lies the problem. We want visibility into those relationships. Certainly, there are limitations to what we can do, but for starters, if I have 400 key partners, I’d like visibility into what the risks are in those 400 key partners all the time because, as the security saying goes, the security chain is only as strong as the weakest link. Well, if the weakest link is my partners, it doesn’t really matter how strong my security is if I’ve got an open door because of those partners.

Dave Bittner:

In terms of monitoring this and managing this, how should I go about that? In other words, how do I keep it from being a fire hose of information?

Jon Oltsik:

Well, you can filter on the types of information you want to get. Like we talked about, you want dark web chatter, you want to know about breaches, you may want to know about particular software vulnerabilities that would impact some of your partners. You can filter on what you want to look at. You can adjust the types of alerts, the alerts based on risk scores. So for instance, something with a risk score of 90 or more on a 100 risk score scale, you may want to be alerted on immediately. You want … Maybe something lower, you can threshold to send a note to maybe the risk management team or some of the security team, but not necessarily any kind of alert.

There are ways to filter this, and there are ways … As you gather this information, you do get smarter on what’s a real risk and what’s maybe just noise in the system.

Dave Bittner:

What are your recommendations for folks who are looking to explore this, who want to get started? Maybe they have a tradition of doing static risk assessments and they want to dip their toes into this. How do they prepare themselves? How do they do that research and know what questions to ask to make sure that they’re going to be aligned with a supplier who’s going to provide what they need?

Jon Oltsik:

Well, in the case of Recorded Future, what you’ll see with regard to third-party risk is very familiar. It’s the same type of carding metaphor that you use in Recorded Future. You can set up these cards in Recorded Future. They’ll give you very specific information about threats. Now you can have the same visual image for third parties.

Beyond Recorded Future, I’d say it’s important to assess some of the real-time risk management scoring systems that are out there. Generally, these requests are coming from the executives, not necessarily from the cybersecurity staff. The cybersecurity staff can do themselves a favor by being able to service the requests of the executives. There may be a proactive advantage to going and looking at some of the data that may be provided and understanding how that fits with the metrics and the demands of the executive team.

Dave Bittner:

I think that’s a really interesting insight, the importance of that … I guess you could call it a transition layer, between the folks on the technical side of the house and the folks in the boardroom.

Jon Oltsik:

Yes. I would say that’s a work in progress. Clearly, the boardroom is more engaged than they were in the past, but, I mean, the language barrier, the metrics barrier, the communications between the two, the understanding of what each group needs and what they can comprehend, we’re just beginning to figure that out. These kinds of real-time scoring systems are a good way to bridge that gap.

Dave Bittner:

In terms of measuring success, I mean, how do you know — if you’re implementing a system like this — how do you know you’re getting out of it what you hope to?

Jon Oltsik:

Well, hopefully, you’re seeing less malicious activity on your network and you’re able to really decrease the attack surface so that those things that come in are blatantly obvious and they’re easy to detect and remediate. That’s one thing, but then there are other things like being able to quantify some of the risk. There are good methodologies out there, like the FAIR system, where you can quantify risk. You want to be able to adjust your prioritization and mitigation strategy so that you’re not in firefighting mode all the time, that you have a sound methodology for mitigating risk. There are certainly ways to do this, but I’d say the end result will be less frequent attacks and much stronger mean time to detect and mean time to respond to problems.

Dave Bittner:

Having gone through the process of creating this report, what were the major take homes for you? What are the big lessons that you learned here?

Jon Oltsik:

Well, there is an existing cyber risk management gap, and part of that cyber risk management gap is the fact that many organizations just haven’t dedicated the right resources. For instance, 44 percent of those that we surveyed said that their available resources were either completely insufficient or insufficient for third-party security audit processes.

We know that there’s a cybersecurity skills gap. It’s hard enough when you’re doing core cybersecurity activities, but it’s more pervasive when you get a little bit further out … You’re doing things like third-party risk management. The processes are immature. A lot of the assessments are stagnant, point-in-time assessments, and we don’t have the resources to change that; therefore, recruiting third parties to help seems like a pretty sound idea.

I’d say the benefit of what Recorded Future brings is that they have threat analysts looking at their screens. They’re comfortable with them. They’ve been trained on how to use them. They’re learning more every day about how to get value out of them. Now, you have third-party risk as another input there. Hopefully, that means that threat analysts can now internalize that data as well and make intelligent decisions based on that data.

Dave Bittner:

Our thanks to Jon Oltsik from ESG for joining us. You can find his report, “Third-Party Risk: Why Real-Time Intelligence Matters,” on the Recorded Future website.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.