Outsourcing to third parties isn’t new, especially as businesses expand and look for ways to lower costs. However, with large organizations and government agencies continuing to fall victim to vendor breaches, the question remains: Why are we still being compromised by third parties? Ahead of this year’s Black Hat USA Conference on July 26-27 at Mandalay Bay, we chatted with Chris Coleman, CEO of LookingGlass Cyber Solutions, which specializes in cybersecurity and threat intelligence solutions, to get some answers.

Why are the “bad guys” targeting third-party vendors and suppliers?

Threat actors are always looking for the easiest, fastest, and most inexpensive way to get what they want. Third-party vendors are low-hanging fruit because they are often small businesses with less advanced security infrastructures. Or, they have access to sensitive information from multiple companies. So why not target one company to get multiple sets of sensitive data, or a smaller organization with potentially less security? It’s much more cost-effective than going after the big business with robust security precautions in place.

How are companies dealing with third-party risk?

Up until the last year or so, most companies have either not focused on third-party risk, or they have approached the issue from a compliance and legal standpoint. By doing so, they’re missing the bigger picture, the information security piece. Sure, you can get an automated scorecard with your vendors’ risk “grade” on it, but all you’re really doing is checking the box. With new federal cyber regulations coming into play, organizations need to take a more proactive approach to managing third-party risk. They need a solution that continuously monitors for risk so that when the bad guys leak your customers’ credentials at 2 in the morning, you have already been handling the situation for a few hours.

So, what is the information security approach to dealing with third-party risk?

The first step to combating third-party risk is understanding where your vendors are already compromised. Before partnering with a third party, you should know about their internal security risks and how they could be exploited. It’s about getting ahead of the bad guys. This is where threat intelligence can help. At the heart of any good cybersecurity solution is threat intelligence because it provides a way for organizations to be continuously updated on their vendors’ security posture.

How does LookingGlass help companies manage their third-party risk?

We’ve said this before, but data is not intelligence. All LookingGlass threat intelligence is human-vetted before it reaches our customers, so they receive the most relevant and actionable intelligence—no false positives. Our infrastructure, people and systems are backed up by our more than 20 years of industry experience, enabling us to give organizations a 360-degree view into their vendors’ risk profile. LookingGlass’ third-party risk-monitoring solution provides a baseline analysis of a vendor’s vulnerabilities, as well as ongoing monitoring and vendor breach notifications. With our continuous monitoring, you immediately know if your vendors’ networks have been compromised or infected by botnets, viruses and so on. We also immediately alert you if any account credentials associated with your business are posted online in a data dump, and we monitor the surface, deep and Darknet for online chatter between threat actor and hacker groups. Managing vendor risk is only one piece of the puzzle. What is needed is a comprehensive program that identifies and manages intelligence, and uses that intelligence to mitigate your own risks. Then, you can work cooperatively with your third-party vendors to protect both your organization and theirs.