In the wake of the SolarWinds attack, Tom Garrubba, Vice President and CISO, Shared Assessments, led an expert panel discussion on establishing third party vulnerability campaigns. Speakers included:
Garrubba directed the dialogue towards three areas of focus. First, panelists defined a vulnerability campaign. Next, the group touched on how vulnerability campaigns help companies prepare for the next attack. Finally, the experts examined how to gain assurance that a third party has addressed a vulnerability.

I. Defining a “vendor vulnerability campaign” – what does it do and why do it?

Frank Roppelt defined a vendor vulnerability campaign as an effort to develop a deep understanding of how susceptible your third parties are to vulnerabilities and what the corresponding impact would be on your organization. Rocco Grillo characterized a campaign as an overall threat hunting effort with a comprehensive approach. Daniel Cuthbert, having spent the last 20 years on the offense against threats, profiled attackers as having high confidence and an eye “on the soft belly” that is our network of vendors. In a vendor vulnerability campaign, the focus must shift from securing the front door (of your business) to assuring security across the organizations that keep our business running (the outliers, the suppliers, the support services).

II. Understanding how a vendor vulnerability campaign can help prepare a company for the next widespread vulnerability

Acknowledging the supply chain as a prominent form of business, Grillo said technology is sure to evolve, as will attacks and the regulatory landscape. Lean into the concept of “trust, but verify.” Roppelt described third parties as extensions of your ecosystem: extremely beneficial, but not without risk. In addition to normal due diligence, it is important to have a process outlined that is ready to be executed at a moment’s notice. Preparation includes building your program with a designated tiger team and identifying the vendors that are your most critical and highest risk. Cuthbert assured that when dealing with vendors it is OK to be demanding. It is reasonable to expect that when you buy a product, you can ask: is your product secure? Companies need to be demanding and get proof of a secure platform and secure development practices. When vendors are hesitant to give these answers, it is a red flag.

III. Gaining assurance that a third party has addressed a vulnerability

Garrubba asked if there is a certain documentation or test to guarantee a third party has addressed vulnerabilities. All panelists agreed assurance is not a check-the-box exercise and offered specific processes and questions for third party risk programs to protect against vulnerabilities inherited from vendors. Frank Roppelt submitted actions for developing a Risk Culture Approach to apply prior to, during and after a third party vulnerability is discovered.

Prior
During
After
Rocco Grillo suggested the audience ask themselves these questions as they develop their approach to third party vulnerabilities:
Cuthbert reiterated his stance that understanding is vital – and that third party risk programs should demand more of it from critical vendors by demanding to see:
For a full recording of this webinar and the slide deck, visit our webinar archive page.