“It has gotten to the point, unfortunately, where they are so frequent and common these days, that it’s like, here we go again,” Christopher Sitter says when I asked him about the prospect of a third-party data breach.

Sitter is the senior director of information security at Juniper Networks. He manages all things incident response-related — cyber forensics, electronic discovery, data loss prevention, governance, privacy and security operations. Sitter is no stranger to managing third-party software risk. Attackers have targeted suppliers for years, although according to Sitter, the recent uptick in headline-grabbing breaches has shifted executive and board-level conversations. Instead of cybersecurity leaders reaching out to executives with the hopes of gaining more budget for their programs, executives are now reaching out to security leaders, inquiring if their IT teams are using the latest compromised third-party software.

I spoke with Sitter about the shift in executive focus and the overall increase in the likelihood of a third-party data breach.

Register for the webinar

Executives See The Perils of a Third-Party Data Breach

Question: Your point about how executives are now coming to security leaders versus the other way around is interesting. Can you elaborate on the types of conversations you are having?

Answer: While third-party software breaches are nothing new, the recent uptick has grabbed the public’s attention, which includes executives and board members, because they are feeling the impact. Every time a new breach makes headlines, I receive calls from my family and friends asking if they were affected.

The same goes for executives. Whereas in the past, they may not have always prioritized security compared to other risks, now, every time a third-party software breach occurs, I get a phone call or email from an executive asking if the company is impacted, by how much and what we are doing to reduce the risk of reputational and financial damage. I cherish the outreach because I would rather have engaged executives than otherwise.

When a new third-party software breach happens, what does your day look like?

It’s no longer, “it’s time to wake up the executives.” It’s now, “the executives are waking us up.”

No one wants to see their name in lights. I wake up, log my kids on for remote learning, and then receive a call from an executive who saw on the news that a major company was impacted by a breach assumed to be executed by nation-state-sponsored actors. That puts everything on high alert. The executive wants to know if we were impacted and what’s our level of risk. That’s the first hour of my day when these breaches happen.

We then spend the next chunk of hours combing through the network, searching for any indicators of compromise (IoCs), identifying companies that have the most access to our sensitive data, connecting with them to see if they were affected, and sometimes helping them perform a forensics investigation to see if they were impacted. We use the opportunity to educate our executives and other suppliers.

Challenges With Securing Third-Party Software

Some organizations have hundreds of applications and platforms in their environment, most of which were developed by different vendors. What are the security challenges that come with using all of those assets?

The biggest one is trust. You have to think about how security is set up when you onboard third parties. Most companies throw spreadsheets over the fence to their suppliers and say, ‘please fill this out.’ Based on the supplier’s response, the company then determines how much risk it brings to the table.

The supplier may say it has a certificate that verifies it has security measures in place, although those processes and tools may only apply to a small component of their environment. Seldom does anyone perform an audit to verify the supplier’s responses. Companies are basically trusting the supplier’s word without seeing for themselves. The supplier is also filling out the spreadsheet with moment-in-time information. The environment and risk level can change by the time we receive it.

Plus, few companies provide transparent threat information. They allow you to see their policies and latest assessments, but you cannot actually go in and verify what they say is true. It’s a trust-based paradigm.

Knowing the trust-based paradigm isn’t changing any time soon, what can companies do to gain a better understanding of how their suppliers are securing their environment while also protecting their own environment?

First, it’s knowing what attackers would target. In most compromises, it’s usually the people who commonly interact outside the company who are targeted first, such as customer service and sales representatives. Attackers typically gain entry through those targets and then pivot to systems that contain sensitive data, such as email SaaS [software-as-a-service] platforms.

If someone can compromise an email platform where people don’t set up permissions correctly and share high-value content freely, it’s easy to move around freely and collect high-value information. Many companies lack the resources and skills to see everything that’s going on in those kinds of platforms. Yet, they contain a treasure trove of information and data.

You also need to understand the IoCs of third-party software attacks so you can look for behaviors that may indicate malicious activity. Outbound transmission, for example, should be monitored. You want to look for communications that are going somewhere they have never gone before. That’s the biggest red flag. An application that will change or elevate privilege is another one. Security controls typically include some type of behavior analytics that can help flag those kinds of unusual behaviors.

Another good action to take is to shut down things you don’t need — close down redundant solutions. The action may not be popular among your employees, but how often do they need access to their personal email platforms during the day? Should their personal tablets connect to the corporate email platform? Many companies leave those vectors open to please employees, but they are easy places for data to be exfiltrated.

We invite you to join a panel discussion with Sitter,  X-Force Red hackers and X-Force incident responders at 11 am EST, April 28, 2021, where we will chat more about the risk of a third-party data breach and other timely security topics. Register for the webinar here.

More from Intelligence & Analytics

2022 Industry Threat Recap: Manufacturing

It seems like yesterday that industries were fumbling to understand the threats posed by post-pandemic economic and technological changes. While every disruption provides opportunities for positive change, it's hard to ignore the impact that global supply chains, rising labor costs, digital currency and environmental regulations have had on commerce worldwide. Many sectors are starting to see the light at the end of the tunnel. But 2022 has shown us that manufacturing still faces some dark clouds ahead when combatting persistent…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…