“It has gotten to the point, unfortunately, where they are so frequent and common these days, that it’s like, here we go again,” Christopher Sitter said when I asked him about the prospect of a third-party data breach.
Sitter is the senior director of information security at Juniper Networks. He manages all things incident response-related — cyber forensics, electronic discovery, data loss prevention, governance, privacy and security operations. Sitter is no stranger to managing third-party software risk. Attackers have targeted suppliers for years, although according to Sitter, the recent uptick in headline-grabbing breaches has shifted executive and board-level conversations. Instead of cybersecurity leaders reaching out to executives with the hopes of gaining more budget for their programs, executives are now reaching out to security leaders, inquiring if their IT teams are using the latest compromised third-party software.
I spoke with Sitter about the shift in executive focus and the overall increase in the likelihood of a third-party data breach.
Answer: While third-party software breaches are nothing new, the recent uptick has grabbed the public’s attention, which includes executives and board members, because they are feeling the impact. Every time a new breach makes headlines, I receive calls from my family and friends asking if they were affected.
The same goes for executives. Whereas in the past, they may not have always prioritized security compared to other risks, now, every time a third-party software breach occurs, I get a phone call or email from an executive asking if the company is impacted, by how much and what we are doing to reduce the risk of reputational and financial damage. I cherish the outreach because I would rather have engaged executives than otherwise.
It’s no longer, “it’s time to wake up the executives.” It’s now, “the executives are waking us up.”
No one wants to see their name in lights. I wake up, log my kids on for remote learning, and then receive a call from an executive who saw on the news that a major company was impacted by a breach assumed to be executed by nation-state-sponsored actors. That puts everything on high alert. The executive wants to know if we were impacted and what’s our level of risk. That’s the first hour of my day when these breaches happen.
We then spend the next chunk of hours combing through the network, searching for any indicators of compromise (IoCs), identifying companies that have the most access to our sensitive data, connecting with them to see if they were affected, and sometimes helping them perform a forensics investigation to see if they were impacted. We use the opportunity to educate our executives and other suppliers.
The biggest one is trust. You have to think about how security is set up when you onboard third parties. Most companies throw spreadsheets over the fence to their suppliers and say, “Please fill this out.” Based on the supplier’s response, the company then determines how much risk it brings to the table.
The supplier may say it has a certificate that verifies it has security measures in place, although those processes and tools may only apply to a small component of their environment. Seldom does anyone perform an audit to verify the supplier’s responses. Companies are basically trusting the supplier’s word without seeing for themselves. The supplier is also filling out the spreadsheet with moment-in-time information. The environment and risk level can change by the time we receive it.
Plus, few companies provide transparent threat information. They allow you to see their policies and latest assessments, but you cannot actually go in and verify what they say is true. It’s a trust-based paradigm.
First, it’s knowing what attackers would target. In most compromises, it’s usually the people who commonly interact outside the company who are targeted first, such as customer service and sales representatives. Attackers typically gain entry through those targets and then pivot to systems that contain sensitive data, such as email SaaS [software-as-a-service] platforms.
If someone can compromise an email platform where people don’t set up permissions correctly and share high-value content freely, it’s easy to move around freely and collect high-value information. Many companies lack the resources and skills to see everything that’s going on in those kinds of platforms. Yet, they contain a treasure trove of information and data.
You also need to understand the IoCs of third-party software attacks so you can look for behaviors that may indicate malicious activity. Outbound transmission, for example, should be monitored. You want to look for communications that are going somewhere they have never gone before. That’s the biggest red flag. An application that will change or elevate privilege is another one. Security controls typically include some type of behavior analytics that can help flag those kinds of unusual behaviors.
Another good action to take is to shut down things you don’t need — close down redundant solutions. The action may not be popular among your employees, but how often do they need access to their personal email platforms during the day? Should their personal tablets connect to the corporate email platform? Many companies leave those vectors open to please employees, but they are easy places for data to be exfiltrated.
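The two behaviours Sitter calls out as red flags, outbound traffic to a destination a host has never contacted and a process that elevates its privilege, can be checked with a simple baseline-and-deviation pass over flow and endpoint logs. The script below is an added example and is not code from the interview, from Sitter or from Juniper Networks; every log record in it is constructed, and the record layout (ts, host, dest, bytes_out for flows; process, old_priv, new_priv for endpoint events) and the privilege ordering are assumptions rather than any product’s real format.

```python
"""Baseline-and-deviation checks for two red flags: outbound traffic to a
destination a host has never contacted, and a process whose privilege
level rises. All records are constructed; the field layout and privilege
ranks are assumptions for this example, not any vendor's schema."""

from collections import defaultdict

# Constructed historical outbound flows used to learn each host's "normal" destinations.
BASELINE_FLOWS = [
    {"ts": "2021-01-04T09:00Z", "host": "ws-sales-01", "dest": "crm.example.net", "bytes_out": 48211},
    {"ts": "2021-01-04T09:05Z", "host": "ws-sales-01", "dest": "mail.example.net", "bytes_out": 12044},
    {"ts": "2021-01-05T10:12Z", "host": "ws-sales-01", "dest": "crm.example.net", "bytes_out": 50120},
    {"ts": "2021-01-04T09:01Z", "host": "srv-build-07", "dest": "updates.vendor.example", "bytes_out": 903},
]

# Constructed flows from the window under investigation.
NEW_FLOWS = [
    {"ts": "2021-01-11T09:02Z", "host": "ws-sales-01", "dest": "crm.example.net", "bytes_out": 47000},
    {"ts": "2021-01-11T02:40Z", "host": "ws-sales-01", "dest": "203.0.113.45", "bytes_out": 92000000},
    {"ts": "2021-01-11T02:41Z", "host": "srv-build-07", "dest": "cdn.unknown-host.example", "bytes_out": 1500},
]

# Constructed privilege-change events, as an endpoint agent might report them.
PRIV_EVENTS = [
    {"ts": "2021-01-11T02:39Z", "host": "ws-sales-01", "process": "updater.exe", "old_priv": "user", "new_priv": "SYSTEM"},
    {"ts": "2021-01-11T08:00Z", "host": "srv-build-07", "process": "agent", "old_priv": "service", "new_priv": "service"},
]

# Privilege tiers, lowest to highest; this ordering is an assumption for the example.
PRIV_RANK = {"user": 0, "service": 1, "admin": 2, "SYSTEM": 3, "root": 3}


def build_baseline(flows):
    """Map each host to the set of destinations it has contacted before."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["host"]].add(f["dest"])
    return seen


def detect_new_destinations(baseline, flows, min_bytes=0):
    """Return flows whose destination is unseen for that host in the baseline.

    min_bytes lets an analyst ignore tiny first-time connections (e.g. a
    single DNS-sized probe) while a large first-time transfer is always kept.
    """
    alerts = []
    for f in flows:
        if f["dest"] not in baseline.get(f["host"], set()) and f["bytes_out"] >= min_bytes:
            alerts.append({
                "host": f["host"],
                "dest": f["dest"],
                "bytes_out": f["bytes_out"],
                "reason": "first-ever outbound destination for this host",
            })
    return alerts


def detect_privilege_elevation(events):
    """Return events where a process ended with a higher privilege than it started."""
    alerts = []
    for e in events:
        if PRIV_RANK.get(e["new_priv"], 0) > PRIV_RANK.get(e["old_priv"], 0):
            alerts.append({
                "host": e["host"],
                "process": e["process"],
                "reason": f"privilege elevated {e['old_priv']} -> {e['new_priv']}",
            })
    return alerts


def correlate(net_alerts, priv_alerts):
    """Hosts showing both signals; these go to the top of the triage queue."""
    net_hosts = {a["host"] for a in net_alerts}
    priv_hosts = {a["host"] for a in priv_alerts}
    return sorted(net_hosts & priv_hosts)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    net = detect_new_destinations(baseline, NEW_FLOWS)
    priv = detect_privilege_elevation(PRIV_EVENTS)
    for alert in net + priv:
        print(alert)
    print("hosts with both signals:", correlate(net, priv))
```

On the constructed data, ws-sales-01 trips both checks (a 92 MB transfer at 02:40 to an address it has never contacted, minutes after a process moved from user to SYSTEM), while srv-build-07 only shows a small first-time connection. The baseline must be rebuilt periodically from traffic already judged clean, otherwise a compromised host's exfiltration destination quietly becomes part of "normal".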