January 23, 2019 • Matt Kodama
At Recorded Future, our mission has been to empower our users to defend themselves against cyber threats at the speed and scale of the internet. Empowerment means giving you the capabilities necessary to understand and manage your own risk environment — and the Recorded Future® Platform helps you measure and understand your own risk environment in real time, with full transparency to original sources of risk data. First-party risk reduction remains our first and foremost goal, and in today’s world, that means managing third-party risk, as well.
Leading companies in every industry today are undergoing digital transformation. They are driving more online and mobile access, more transparency, more interconnection of processes across their businesses, all with faster cycle times. These changes further blur the lines between an organization and its partners, suppliers, vendors, and other third parties. Interconnection creates advantages but also expands attack surfaces. Now more than ever before, the state of our security is only as strong as the weakest link.
That’s why Recorded Future is introducing our new Third-Party Risk module. An add-on to our core platform, Third-Party Risk helps you quantify the threat environments of your business partners. It is a powerful complement to traditional risk management processes focused on compliance frameworks, reviews, and audits. For organizations where risk management and security teams work together to identify and reduce risks, the Third-Party Risk module generates the threat intelligence they need to understand the risks stemming from their third-party associates.
Countless organizations are implementing digital technologies to transform the way they gather, store, and analyze data. More and more data is stored in the cloud, moving data control systems and processes from in-house to third-party providers. In industrial settings, businesses are using internet-connected sensors to gather vast amounts of operational data. Customer service is moving from phone to chat to automated self-service, creating a more robust, data-driven understanding of each customer’s support experience.
This digitization is happening rapidly across sectors, in many cases using solutions that follow security best practices inconsistently, either on the supplier’s or the buyer’s side. Can we be confident that every one of the organizations we work with is as rigorous about its own security as we are?
Traditional approaches to managing third-party risk often involve these three steps:
These remain essential steps in evaluating third-party risk. But they don’t tell the whole story.
What Recorded Future’s Third-Party Risk module does differently is provide transparency into the threat environment of the companies you work with. Being able to quantify risk will help you determine the right course of action from an educated standpoint and ask the right questions when evaluating business partners. We’ll look a little more closely at how this can work in the next section.
Our module does this through key features such as:
One of the greatest values provided by the machine learning and automation that drive the Recorded Future platform is the speed of real-time data and updates at scale. Knowing how and when the threat environment changes can mean the difference between knowing you’re exposed to a vulnerability in your supply chain and getting attacked through a vector you weren’t even aware of. Automation expands your ability to monitor the threat landscape without adding more to your workload.
We believe open communication between different teams is the key to a flourishing security function at any organization. The Third-Party Risk module gives security teams another way to help risk management and procurement teams apply threat intelligence to their work.
This goes beyond the technology risk management capabilities of the core Recorded Future platform. Alongside questions like, “What are my assets, what are their vulnerabilities, and how am I patching them?” security professionals can now also ask the right questions of the third parties they work with and get ahead of threats.
Let’s say a huge set of credentials leaked from a business partner in a new data dump on the dark web. Through alerts set up in the Recorded Future platform, your security analysts are immediately notified about this leak, which might expose your own organization. With this information, your team can immediately take the proper precautions, like resetting passwords and more closely monitoring some accounts. Without alerting through our Third-Party Risk module, your organization may have to wait until your partners choose to disclose the leak before taking action.
As the digital realm expands and our security processes become interdependent with those of our partners, suppliers, and other third parties, evaluating third-party risk through threat intelligence is an increasingly essential part of any threat analysis and risk mitigation program. By integrating third-party risk into our universal threat intelligence platform, Recorded Future provides the most comprehensive solution for threat intelligence teams.
ESG took a close look at how companies are managing their third-party risk today and concluded that many of the current processes used are lagging behind security requirements — 44 percent of IT organizations, for example, said that there were insufficient resources available to them for auditing the security of third parties, and 39 percent said that data collection and analysis was also insufficient.
Download this new report from ESG to see why real-time threat intelligence like that offered by the Recorded Future platform is so critical for monitoring third-party risk.