Blog

Third-Party Risk Management — Real-World Solutions

Posted: 26th October 2021
By: THE RECORDED FUTURE TEAM
Third-Party Risk Management — Real-World Solutions

“What are the risks we need to deal with that we can identify now?

In our previous post, we explored the security of partner companies as the central question for third-party risk management (TPRM) in the era of collaboration. True, your business depends on sharing applications and data with the suppliers, contractors, service providers, resellers and other partners who access your information systems. But your security depends on actively monitoring and managing the risk that goes with all that sharing.

If bad actors on the dark web were actively discussing one of your manufacturing partners, wouldn’t you want to know about it? Wouldn’t that make you think twice about letting that partner access your design documents?

Our recent webinar, The Triple Threat to Third-Party Risk Management, emphasizes that the programs and processes you establish with your partners are a good start in managing risk. And it demonstrates how GRCx from NaviLogic integrates risk assessment with Recorded Future’s third-party threat intelligence for risk management and active monitoring. The integrated service lets you keep up with the constant changes in your threat landscape. Here are some of the highlights from the webinar.

TPRM overview

NaviLogic automates the collection of information to optimize governance, risk, and compliance (GRC) using GRCx, a cloud-based, co-managed platform. Within GRCx, NaviLogic’s TPRM application performs services like risk prioritization, assessment and remediation to build a picture of your company’s overall risk profile. The goal of TPRM is to show you how the partner companies that use your information systems may pose risks to your business.

third-party-risk-management-real-world-solutions-1-1.png To add the critical component of active monitoring, GRCx continuously validates answers provided by your partner companies against risk factors provided through Recorded Future’s threat intelligence API. The result is a summary of the risk that your partner companies represent to you.

How Recorded Future actively monitors risk

Recorded Future’s automated analysis, powered by machine learning, watches sources including online forums, code repositories, threat feeds, the dark web, blogs, social media and proprietary feeds in multiple languages. It adds an overlay of human analysis to find trends and build connections, then makes all that intelligence available through an API. Its ability to automatically find and analyze data across such a wide range of sources is an important differentiator between Recorded Future and ordinary security rating services.

In the context of GRCx, Recorded Future is constantly looking for and collecting activity in several categories of risk, any of which could involve your partner companies:

  • Security incidents
  • Exposed credentials
  • Web application security
  • Malicious network activity
  • Vulnerability exposures
  • Typosquats and deceptive URLs
  • Dark web chatter
  • Email security
  • Cyberexploit events

Recorded Future’s threat intelligence evaluates and categorizes that activity against risk rules like these: third-party-risk-management-real-world-solutions-2-1.png

Based on the risk rules that a company’s activity has triggered, Recorded Future generates an intelligence card featuring a risk score (shown in red for the sample company below).

third-party-risk-management-real-world-solutions-3-1.png

It displays a timeline of triggered risk rules along with supporting details. With information that deep, you can authoritatively discuss a given partner's risk profile, both with your internal risk managers and with the partner.

Integration with GRCx

Through an API, GRCx takes the data provided by Recorded Future and displays it on a risk management dashboard as third-party intelligence. As shown below, the risk score and triggered risk rules appear with details inside GRCx.

third-party-risk-management-real-world-solutions-4-1.png

It's an important part of how NaviLogic introduces the dimension of time to your TPRM. It's also an important part of NaviLogic's Triple Threat to TPRM:

  1. Strategic Consulting — Using industry experts to guide your organization on questionnaires, strategy and operations
  2. Single System of Action — Reporting all information and activities in one place, with automated workflows and notifications offering full insight into potential risks from partner companies
  3. Real-Time Intelligence from Recorded Future — Validating, monitoring and examining in real time the analytics behind your risk, and alerting your risk managers

Triple Threat is a combination of tools and services that systematically gives you nearly real-time intelligence. It enables you to focus on and make decisions about risk, then take prompt action based on those decisions.

Next step: GRCx Starter Pack

How much do you know about the risk profile of your top-ten vendors? Or even your top-three vendors? Doesn’t good Governance-Risk-Compliance (GRC) policy dictate that you should know?

NaviLogic has launched its Excite Program, a starter pack for TPRM that fully applies its Triple Threat to 25 vendors of your choice. That includes:

  • GRCx TPRM access for 5 users
  • 25 managed assessments
  • Integrated threat intelligence from Recorded Future
  • Continuous monitoring
  • Monthly consulting meetings
  • Full insight into the potential risks your vendors pose

The Excite Program is designed to enable your risk managers to spend time managing and communicating about risk instead of working on the process of assessing risk.

Remember: The genie of collaboration is not going back into the bottle. But automating TPRM with Recorded Future’s threat intelligence and NaviLogic’s GRCx will help you keep it from endangering your business.