Quantify Third-Party Risk in Real Time With Our New Module

January 23, 2019 • Matt Kodama

At Recorded Future, our mission has been to empower our users to defend themselves against cyber threats at the speed and scale of the internet. Empowerment means giving you the capabilities necessary to understand and manage your own risk environment — and the Recorded Future® Platform helps you measure and understand your own risk environment in real time, with full transparency to original sources of risk data. First-party risk reduction remains our first and foremost goal, and in today’s world, that means managing third-party risk, as well.

Leading companies in every industry today are undergoing digital transformation. They are driving more online and mobile access, more transparency, more interconnection of processes across their businesses, all with faster cycle times. These changes further blur the lines between an organization and its partners, suppliers, vendors, and other third parties. Interconnection creates advantages but also expands attack surfaces. Now more than ever before, the state of our security is only as strong as the weakest link.

That’s why Recorded Future is introducing our new Third-Party Risk module. An add-on to our core platform, Third-Party Risk helps you quantify the threat environments of your business partners. It is a powerful complement to traditional risk management processes focused on compliance frameworks, reviews, and audits. For organizations where risk management and security teams work together to identify and reduce risks, the Third-Party Risk module generates the threat intelligence they need to understand the risks stemming from their third-party associates.

Digital Transformation and Risk

Countless organizations are implementing digital technologies to transform the way they gather, store, and analyze data. More and more data is stored in the cloud, moving data control systems and processes from in-house to third-party providers. In industrial settings, businesses are using internet-connected sensors to gather vast amounts of operational data. Customer service is moving from phone to chat to automated self-service, creating a more robust, data-driven understanding of each customer’s support experience.

This digitization is happening rapidly across sectors, in many cases using solutions that follow security best practices inconsistently, either on the supplier’s or the buyer’s side. Can we be confident that every one of the organizations we work with are as rigorous about their own security as we are?

Managing Third-Party Risk

Traditional approaches to managing third-party risk often involve these three steps:

  1. Attempt to understand your organization’s business relationship with the third party, getting a grasp on the nature and degree of your exposure to risk.
  2. Based on that understanding, identify the right frameworks to evaluate that third party’s financial health, corporate controls, and IT security and hygiene, and how they relate to your organization’s own approach to security.
  3. Use those frameworks to assess the third party, usually with risk reporting or evaluating whether an organization is compliant with security standards like SOC 2 or FISMA, or investigations such as a financial audit.

These remain essential steps in evaluating third-party risk. But they don’t tell the whole story.

What Recorded Future’s Third-Party Risk module does differently is provide transparency into the threat environment of the companies you work with. Being able to quantify risk will help you determine the right course of action from an educated standpoint and ask the right questions when evaluating business partners. We’ll look a little more closely at how this can work in the next section.

Our module does this through key features such as:

  • Intelligence Cards: Tens of thousands of company Intelligence Cards provide an easy-to-read overview of company risk, all in one place and updated in real time.
  • Real-Time Risk Scoring: Risk scores are dynamically determined from real-time data with transparent sourcing and risk rules, allowing security professionals to look at evidence behind triggered risk rules and set up automatic alerts on changes to risk severity.
  • Integration Into the Complete Solution: Access to third-party risk data from directly within our threat intelligence platform makes pivoting into investigations seamless and keeps all of your alerts in one place, making it easy to monitor new and emerging threats.

One of the greatest values provided by the machine learning and automation that drives the Recorded Future platform is the speed of real-time data and updates at scale. Knowing how and when the threat environment changes can mean the difference between knowing you’re exposed to a vulnerability in your supply chain and getting attacked through a vector you weren’t even aware of. Automation expands your ability to monitor the threat landscape without adding more to your workload.

Asking the Right Questions

We believe open communication between different teams is the key to a flourishing security function at any organization. The Third-Party Risk module gives security teams another way to help risk management and procurement teams apply threat intelligence to their work.

This goes beyond the technology risk management capabilities of the core Recorded Future platform. Alongside questions like, “What are my assets, what are their vulnerabilities, and how am I patching them?” security professionals can now also ask the right questions of the third parties they work with and get ahead of threats.

Let’s say a huge set of credentials leaked from a business partner in a new data dump on the dark web. Through alerts set up in the Recorded Future platform, your security analysts are immediately notified about this leak, which might expose your own organization. With this information, your team can immediately take the proper precautions, like resetting passwords and more closely monitoring some accounts. Without alerting through our Third-Party Risk module, your organization may have to wait until your partners choose to disclose the leak before taking action.

As the digital realm expands and our security processes become interdependent on those of our partners, suppliers, and other third parties, evaluating third-party risk through threat intelligence is an increasingly essential part of any threat analysis and risk mitigation program. By integrating third-party risk into our universal threat intelligence platform, Recorded Future provides the most comprehensive solution for threat intelligence teams.

Learn More About Third-Party Risk

ESG took a close look at how companies are managing their third-party risk today and concluded that many of the current processes used are lagging behind security requirements — 44 percent of IT organizations, for example, said that there were insufficient resources available to them for auditing the security of third parties, and 39 percent said that data collection and analysis was also insufficient.

Download this new report from ESG to see why real-time threat intelligence like that offered by the Recorded Future platform is so critical for monitoring third-party risk.