“It has gotten to the point, unfortunately, where they are so frequent and common these days, that it’s like, here we go again,” Christopher Sitter says when I asked him about the prospect of a third-party data breach.
Sitter is the senior director of information security at Juniper Networks. He manages all things incident response-related — cyber forensics, electronic discovery, data loss prevention, governance, privacy and security operations. Sitter is no stranger to managing third-party software risk. Attackers have targeted suppliers for years, although according to Sitter, the recent uptick in headline-grabbing breaches has shifted executive and board-level conversations. Instead of cybersecurity leaders reaching out to executives with the hopes of gaining more budget for their programs, executives are now reaching out to security leaders, inquiring if their IT teams are using the latest compromised third-party software.
I spoke with Sitter about the shift in executive focus and the overall increase in the likelihood of a third-party data breach.
Register for the webinar
Executives See The Perils of a Third-Party Data Breach
Question: Your point about how executives are now coming to security leaders versus the other way around is interesting. Can you elaborate on the types of conversations you are having?
Answer: While third-party software breaches are nothing new, the recent uptick has grabbed the public’s attention, which includes executives and board members, because they are feeling the impact. Every time a new breach makes headlines, I receive calls from my family and friends asking if they were affected.
The same goes for executives. Whereas in the past, they may not have always prioritized security compared to other risks, now, every time a third-party software breach occurs, I get a phone call or email from an executive asking if the company is impacted, by how much and what we are doing to reduce the risk of reputational and financial damage. I cherish the outreach because I would rather have engaged executives than otherwise.
When a new third-party software breach happens, what does your day look like?
It’s no longer, “it’s time to wake up the executives.” It’s now, “the executives are waking us up.”
No one wants to see their name in lights. I wake up, log my kids on for remote learning, and then receive a call from an executive who saw on the news that a major company was impacted by a breach assumed to be executed by nation-state-sponsored actors. That puts everything on high alert. The executive wants to know if we were impacted and what’s our level of risk. That’s the first hour of my day when these breaches happen.
We then spend the next chunk of hours combing through the network, searching for any indicators of compromise (IoCs), identifying companies that have the most access to our sensitive data, connecting with them to see if they were affected, and sometimes helping them perform a forensics investigation to see if they were impacted. We use the opportunity to educate our executives and other suppliers.
Challenges With Securing Third-Party Software
Some organizations have hundreds of applications and platforms in their environment, most of which were developed by different vendors. What are the security challenges that come with using all of those assets?
The biggest one is trust. You have to think about how security is set up when you onboard third parties. Most companies throw spreadsheets over the fence to their suppliers and say, ‘please fill this out.’ Based on the supplier’s response, the company then determines how much risk it brings to the table.
The supplier may say it has a certificate that verifies it has security measures in place, although those processes and tools may only apply to a small component of their environment. Seldom does anyone perform an audit to verify the supplier’s responses. Companies are basically trusting the supplier’s word without seeing for themselves. The supplier is also filling out the spreadsheet with moment-in-time information. The environment and risk level can change by the time we receive it.
Plus, few companies provide transparent threat information. They allow you to see their policies and latest assessments, but you cannot actually go in and verify what they say is true. It’s a trust-based paradigm.
Knowing the trust-based paradigm isn’t changing any time soon, what can companies do to gain a better understanding of how their suppliers are securing their environment while also protecting their own environment?
First, it’s knowing what attackers would target. In most compromises, it’s usually the people who commonly interact outside the company who are targeted first, such as customer service and sales representatives. Attackers typically gain entry through those targets and then pivot to systems that contain sensitive data, such as email SaaS [software-as-a-service] platforms.
If someone can compromise an email platform where people don’t set up permissions correctly and share high-value content freely, it’s easy to move around freely and collect high-value information. Many companies lack the resources and skills to see everything that’s going on in those kinds of platforms. Yet, they contain a treasure trove of information and data.
You also need to understand the IoCs of third-party software attacks so you can look for behaviors that may indicate malicious activity. Outbound transmission, for example, should be monitored. You want to look for communications that are going somewhere they have never gone before. That’s the biggest red flag. An application that will change or elevate privilege is another one. Security controls typically include some type of behavior analytics that can help flag those kinds of unusual behaviors.
Another good action to take is to shut down things you don’t need — close down redundant solutions. The action may not be popular among your employees, but how often do they need access to their personal email platforms during the day? Should their personal tablets connect to the corporate email platform? Many companies leave those vectors open to please employees, but they are easy places for data to be exfiltrated.
We invite you to join a panel discussion with Sitter, X-Force Red hackers and X-Force incident responders at 11 am EST, April 28, 2021, where we will chat more about the risk of a third-party data breach and other timely security topics. Register for the webinar here.
Associate Partner, X-Force Red
Abby Ross is Associate Partner for X-Force Red, IBM Security's team of veteran hackers. Abby is a seasoned marketing and public relations professional, with ...