April 13, 2021 By Abby Ross, @HonestAb2 4 min read

“It has gotten to the point, unfortunately, where they are so frequent and common these days, that it’s like, here we go again,” Christopher Sitter said when I asked him about the prospect of a third-party data breach.

Sitter is the senior director of information security at Juniper Networks. He manages all things incident response-related — cyber forensics, electronic discovery, data loss prevention, governance, privacy and security operations. Sitter is no stranger to managing third-party software risk. Attackers have targeted suppliers for years, although according to Sitter, the recent uptick in headline-grabbing breaches has shifted executive and board-level conversations. Instead of cybersecurity leaders reaching out to executives with the hopes of gaining more budget for their programs, executives are now reaching out to security leaders, inquiring if their IT teams are using the latest compromised third-party software.

I spoke with Sitter about the shift in executive focus and the overall increase in the likelihood of a third-party data breach.


Executives See The Perils of a Third-Party Data Breach

Question: Your point about how executives are now coming to security leaders versus the other way around is interesting. Can you elaborate on the types of conversations you are having?

Answer: While third-party software breaches are nothing new, the recent uptick has grabbed the public’s attention, which includes executives and board members, because they are feeling the impact. Every time a new breach makes headlines, I receive calls from my family and friends asking if they were affected.

The same goes for executives. Whereas in the past, they may not have always prioritized security compared to other risks, now, every time a third-party software breach occurs, I get a phone call or email from an executive asking if the company is impacted, by how much and what we are doing to reduce the risk of reputational and financial damage. I cherish the outreach because I would rather have engaged executives than otherwise.

When a new third-party software breach happens, what does your day look like?

It’s no longer, “it’s time to wake up the executives.” It’s now, “the executives are waking us up.”

No one wants to see their name in lights. I wake up, log my kids on for remote learning, and then receive a call from an executive who saw on the news that a major company was impacted by a breach assumed to be executed by nation-state-sponsored actors. That puts everything on high alert. The executive wants to know if we were impacted and what’s our level of risk. That’s the first hour of my day when these breaches happen.

We then spend the next chunk of hours combing through the network, searching for any indicators of compromise (IoCs), identifying companies that have the most access to our sensitive data, connecting with them to see if they were affected, and sometimes helping them perform a forensics investigation to see if they were impacted. We use the opportunity to educate our executives and other suppliers.

Challenges With Securing Third-Party Software

Some organizations have hundreds of applications and platforms in their environment, most of which were developed by different vendors. What are the security challenges that come with using all of those assets?

The biggest one is trust. You have to think about how security is set up when you onboard third parties. Most companies throw spreadsheets over the fence to their suppliers and say, ‘please fill this out.’ Based on the supplier’s response, the company then determines how much risk it brings to the table.

The supplier may say it has a certificate that verifies it has security measures in place, although those processes and tools may only apply to a small component of their environment. Seldom does anyone perform an audit to verify the supplier’s responses. Companies are basically trusting the supplier’s word without seeing for themselves. The supplier is also filling out the spreadsheet with moment-in-time information. The environment and risk level can change by the time we receive it.

Plus, few companies provide transparent threat information. They allow you to see their policies and latest assessments, but you cannot actually go in and verify what they say is true. It’s a trust-based paradigm.

Knowing the trust-based paradigm isn’t changing any time soon, what can companies do to gain a better understanding of how their suppliers are securing their environment while also protecting their own environment?

First, it’s knowing what attackers would target. In most compromises, it’s usually the people who commonly interact outside the company who are targeted first, such as customer service and sales representatives. Attackers typically gain entry through those targets and then pivot to systems that contain sensitive data, such as email SaaS [software-as-a-service] platforms.

If someone can compromise an email platform where people don’t set up permissions correctly and share high-value content freely, it’s easy to move around freely and collect high-value information. Many companies lack the resources and skills to see everything that’s going on in those kinds of platforms. Yet, they contain a treasure trove of information and data.

You also need to understand the IoCs of third-party software attacks so you can look for behaviors that may indicate malicious activity. Outbound transmission, for example, should be monitored. You want to look for communications that are going somewhere they have never gone before. That’s the biggest red flag. An application that will change or elevate privilege is another one. Security controls typically include some type of behavior analytics that can help flag those kinds of unusual behaviors.

Another good action to take is to shut down things you don’t need — close down redundant solutions. The action may not be popular among your employees, but how often do they need access to their personal email platforms during the day? Should their personal tablets connect to the corporate email platform? Many companies leave those vectors open to please employees, but they are easy places for data to be exfiltrated.
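The monitoring Sitter describes in the previous answers can be reduced to a simple baseline-and-compare check. The Python below is an added illustration written for this page, not code from Juniper Networks, IBM or the author: it learns which destinations each (host, process) pair has contacted in a historical window, then flags records in a new window whose destination has never been seen from that pair, and raises the severity when the same process also shows up under a user id it has never run as before (the "change or elevate privilege" signal). The five-field log format, the field names and every log line are constructed sample data; the IP addresses come from the documentation ranges.

```python
"""Flag outbound connections to never-before-seen destinations.

Added example (not from the original article). All records below are
constructed sample data in an assumed format:
    <ISO-8601 timestamp> <host> <process> <uid> <dest_ip:port>
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed historical window used to learn "normal" outbound behaviour.
BASELINE_LOG = """\
2021-04-05T09:12:01Z host-a updater.exe 1001 203.0.113.10:443
2021-04-05T09:12:07Z host-a updater.exe 1001 203.0.113.10:443
2021-04-06T10:01:44Z host-b mail-client 1002 198.51.100.25:993
2021-04-07T11:30:00Z host-a updater.exe 1001 203.0.113.11:443
2021-04-08T08:45:12Z host-b mail-client 1002 198.51.100.25:993
"""

# Constructed new window to be checked against the baseline.
NEW_LOG = """\
2021-04-12T09:13:00Z host-a updater.exe 1001 203.0.113.10:443
2021-04-12T09:14:30Z host-a updater.exe 0 192.0.2.77:8443
2021-04-12T09:20:02Z host-b mail-client 1002 198.51.100.25:993
2021-04-12T09:25:45Z host-b mail-client 1002 192.0.2.99:443
"""


@dataclass(frozen=True)
class FlowRecord:
    ts: datetime
    host: str
    process: str
    uid: int
    dest: str  # "ip:port" as logged


def parse_line(line: str) -> FlowRecord:
    """Parse one whitespace-separated record in the assumed format."""
    ts, host, process, uid, dest = line.split()
    return FlowRecord(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      host, process, int(uid), dest)


def parse_log(text: str) -> list[FlowRecord]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(records: list[FlowRecord]):
    """Per (host, process): the set of destinations and the set of uids seen."""
    dests: dict[tuple[str, str], set[str]] = {}
    uids: dict[tuple[str, str], set[int]] = {}
    for r in records:
        key = (r.host, r.process)
        dests.setdefault(key, set()).add(r.dest)
        uids.setdefault(key, set()).add(r.uid)
    return dests, uids


def detect(baseline, records: list[FlowRecord]) -> list[dict]:
    """Return one alert per record that deviates from the learned baseline.

    A process that has never appeared in the baseline at all trips both
    checks, which is intended: unknown software making outbound connections
    deserves the higher severity.
    """
    dests, uids = baseline
    alerts = []
    for r in records:
        key = (r.host, r.process)
        reasons = []
        if r.dest not in dests.get(key, set()):
            reasons.append("destination never contacted by this process")
        if r.uid not in uids.get(key, set()):
            reasons.append("process running under an unseen uid (possible privilege change)")
        if reasons:
            alerts.append({
                "ts": r.ts.isoformat(),
                "host": r.host,
                "process": r.process,
                "uid": r.uid,
                "dest": r.dest,
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for alert in detect(baseline, parse_log(NEW_LOG)):
        print(alert["severity"].upper(), alert["host"], alert["process"],
              alert["dest"], "|", "; ".join(alert["reasons"]))
```

Run as-is, the script reports two of the four new records: the `updater.exe` connection to a new destination while running as uid 0 scores high, and the mail client reaching a new address scores medium. In practice the baseline window should be long enough to cover legitimate periodic destinations (patch servers, telemetry endpoints), and the same keying by host and process is what lets behaviour analytics tooling separate "new for this application" from "new for the enterprise".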

We invite you to join a panel discussion with Sitter, X-Force Red hackers and X-Force incident responders at 11 am EST, April 28, 2021, where we will chat more about the risk of a third-party data breach and other timely security topics. Register for the webinar here.
