Threat intelligence is all the rage, but to integrate it effectively into a third-party risk program we need both understanding and a strategy.
According to Gartner: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
A good third-party risk program needs to incorporate threat intelligence that covers the various industries of its third parties. The detailed threat information can then be used to map out attacker workflows (kill chains) for identified attack scenarios. We use this analysis to identify security controls that can disrupt and stop those attacks both within our company and, critically, across our third-party portfolio.
Implementing such a strategy takes more than accumulating information and new tools; we need to do some legwork! We need to understand inherent risk and how much exposure each third party creates for us. Then we need to assess our third parties to identify gaps in their security control implementation. Next, we need to prioritize those gaps, not only within each third party but across our entire third-party ecosystem. Then of course we need a mitigation strategy to close the gaps we have discovered, and finally we need to continuously monitor and update everything against the current threat landscape. Whew! That’s a pretty tall order, so let’s see if we can break it down into actionable steps.
1. Understanding inherent risk
Threats happen within a particular context that includes the industry the third party is in and the type of business activity they provide to you. Different categories of attack occur more frequently depending on the industry. Developing an understanding of whether your third party’s industry is more susceptible to data loss, disruptive, destructive or fraud attacks helps greatly in analyzing the actual risk of doing business with them. The same is true of specific types of business activity. For instance, a company that holds 100,000 protected health information records for you poses much more risk if it is breached than a company that just hosts your public-facing web pages. Gauging how much network access a third party has to your systems, the type and volume of data they store for you, and how many business-critical applications they host for you is the work that turns raw threat information into “intelligence” you can act on.
2. Identify the gaps
Another key element of bringing threat information into your third-party risk program is doing the assessments necessary to identify gaps in your third party’s security posture. It is important to employ an assessment that measures a broad range of security controls, so that you understand both the coverage and the effectiveness of your third party’s cybersecurity program. At this stage we can take our strategy from “intelligence” to brilliance by also testing the controls against known attack strategies (kill chains) to see which of the critical controls have a weakness that needs some type of mitigation.
3. Prioritize the gaps
To usefully include threat data in our program we need to prioritize the security gaps the assessments found. No system is 100% secure, so identifying which gaps pose the most risk is critical when building mitigation plans. Security control assessments can be combined with our analysis of inherent risk to single out the gaps that map directly to immediate threats and attack scenarios: a missing control matters most where the attack it would disrupt is common in that third party’s industry and the third party holds something valuable of yours. Prioritization needs to occur not just at the level of one third party’s security posture but across your entire third-party ecosystem, since the same gap repeated at several high-exposure third parties may outrank the worst gap at any single one.
4. Minding the gaps
Assessments are terrific, but if action isn’t taken on the results then we won’t really make any progress in defending against current threats! Requiring some sort of mitigation of high-risk security gaps in your third parties is the key to lowering the risk they represent to your business. The best way forward is to treat those high-risk gaps as conversation starters, rather than punishment points. The third party may have a compensating control in place, or already have a plan to mitigate the gap. Bringing each gap up for discussion allows for both a fuller understanding of how each area of security is handled by the third party and an opportunity to discuss how to improve the overall security posture of your business relationship. In some cases, the mitigation is for your own business to improve or rely more heavily on its own security controls to compensate for gaps in a third party.
5. Continuous monitoring
Letting stale intelligence dictate our security posture is not particularly clever! It is important to keep inherent risk and current security gaps up to date against current threat intelligence. Consuming a current threat feed allows us to stay abreast of changes in attack strategies, the number and severity of attacks in our third parties’ industries, and new attacks that are having a big impact in the world. Regularly reviewing our third parties’ security control implementation against new and changing threats is essential for an effective third-party risk management program.
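As an added example (not part of the original article and not CyberGRX’s methodology), the following Python script ties the five steps together in a deliberately simplified scoring model: inherent-risk factors from step 1, failed controls from the step 2 assessment, a per-industry threat profile standing in for the feed in step 5, and a ranking across the whole portfolio for step 3, plus a view of which single control gap exposes the most inherent risk ecosystem-wide (the conversation starter for step 4). The industry weights, the control-to-attack-category mapping and the three third parties are constructed sample data, not real statistics or real vendors.

```python
"""Hypothetical third-party gap-prioritization model (added example).

Not CyberGRX's method. All weights, the control-to-attack-category mapping
and the sample third parties are constructed illustrations.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Attack categories named in the article: data loss, disruptive, destructive, fraud.
# Relative frequency per industry; a constructed stand-in for a threat feed that
# would be refreshed under step 5.
INDUSTRY_THREAT_PROFILE: Dict[str, Dict[str, float]] = {
    "healthcare":  {"data_loss": 0.60, "disruptive": 0.25, "destructive": 0.05, "fraud": 0.10},
    "web_hosting": {"data_loss": 0.20, "disruptive": 0.60, "destructive": 0.10, "fraud": 0.10},
    "payments":    {"data_loss": 0.30, "disruptive": 0.10, "destructive": 0.05, "fraud": 0.55},
}
# For an industry the feed says nothing about, treat every category as equally likely.
DEFAULT_PROFILE = {"data_loss": 0.25, "disruptive": 0.25, "destructive": 0.25, "fraud": 0.25}

# Simplified kill-chain mapping (assumption): which attack categories each
# assessed control is positioned to disrupt.
CONTROL_COVERS: Dict[str, Set[str]] = {
    "mfa":                {"data_loss", "fraud"},
    "email_filtering":    {"data_loss", "fraud", "destructive"},
    "offline_backups":    {"destructive", "disruptive"},
    "ddos_protection":    {"disruptive"},
    "encryption_at_rest": {"data_loss"},
    "egress_monitoring":  {"data_loss"},
    "patch_management":   {"data_loss", "disruptive", "destructive"},
}


@dataclass
class ThirdParty:
    name: str
    industry: str
    records_held: int          # sensitive records (e.g. PHI) they hold for us
    network_access: int        # 0 = none, 1 = limited, 2 = broad access to our network
    critical_apps: int         # business-critical applications they host for us
    failed_controls: Set[str]  # controls the step 2 assessment found missing or weak


def inherent_risk(tp: ThirdParty) -> float:
    """Step 1: our exposure if this third party is breached, regardless of their controls.

    Record count is log-scaled so 100,000 PHI records clearly outweigh a static
    web host with none, without one huge vendor swamping the whole model.
    """
    data_factor = math.log10(tp.records_held + 1)  # 0 records -> 0, 100,000 -> ~5
    return 1.0 + data_factor + 2.0 * tp.network_access + 1.5 * tp.critical_apps


def gap_score(tp: ThirdParty) -> float:
    """Steps 2-3: threat-weighted share of relevant controls that are missing.

    Per attack category: the fraction of controls that would disrupt it but that
    this third party lacks, weighted by how common the category is in their
    industry. 0.0 = every relevant control passed, 1.0 = all of them missing.
    """
    profile = INDUSTRY_THREAT_PROFILE.get(tp.industry, DEFAULT_PROFILE)
    score = 0.0
    for category, weight in profile.items():
        relevant = [c for c, covers in CONTROL_COVERS.items() if category in covers]
        missing = [c for c in relevant if c in tp.failed_controls]
        score += weight * len(missing) / len(relevant)
    return score


def residual_risk(tp: ThirdParty) -> float:
    """Risk the third party represents to us right now: exposure times uncovered threat."""
    return inherent_risk(tp) * gap_score(tp)


def prioritize(portfolio: List[ThirdParty]) -> List[ThirdParty]:
    """Step 3: rank across the whole ecosystem, highest residual risk first."""
    return sorted(portfolio, key=residual_risk, reverse=True)


def systemic_gaps(portfolio: List[ThirdParty]) -> List[Tuple[str, float]]:
    """Steps 3-4: inherent risk exposed by each missing control, summed over the portfolio.

    A control missing at several high-exposure third parties is a better
    conversation starter than the worst gap at one low-exposure vendor.
    """
    exposure: Dict[str, float] = {}
    for tp in portfolio:
        for control in tp.failed_controls:
            exposure[control] = exposure.get(control, 0.0) + inherent_risk(tp)
    return sorted(exposure.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample portfolio (hypothetical vendors, not real companies).
PORTFOLIO = [
    ThirdParty("ClinicData", "healthcare", 100_000, 1, 1, {"mfa", "egress_monitoring"}),
    ThirdParty("StaticSites", "web_hosting", 0, 0, 0, {"ddos_protection", "patch_management"}),
    ThirdParty("PayCo", "payments", 20_000, 2, 2, {"mfa"}),
]

if __name__ == "__main__":
    for tp in prioritize(PORTFOLIO):
        print(f"{tp.name:12} inherent={inherent_risk(tp):5.2f} "
              f"gap={gap_score(tp):.2f} residual={residual_risk(tp):.2f}")
    print("portfolio-wide control exposure:", systemic_gaps(PORTFOLIO))
```

Run as a script, it ranks PayCo first, then ClinicData, then StaticSites. The interesting point is that StaticSites has the largest raw gap score of the three (it is missing two of the three controls that disrupt the disruptive attacks common in web hosting), yet it lands last because it holds no data and has no access to our network; inherent risk is what keeps a noisy but low-exposure vendor from crowding out the ones that matter. The systemic view then shows MFA as the single gap exposing the most inherent risk across the portfolio, because it is missing at both high-exposure third parties, which is exactly the kind of finding step 4 would open a conversation about.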
Incorporating current threat intel into these five steps is critical to building and maintaining an effective third-party risk program. In future articles we will address some current threats and break down the security control combinations that keep them at bay.
Third-Party Risk Specialist, CyberGRX