Description
Recent headlines abound with stories of breaches stemming from partners, suppliers, and other third-party organizations. Accounts and credentials are compromised, remote access isn’t properly secured, and technology is being hijacked directly at an alarming rate.
Join Dave Shackleford, owner and principal consultant of Voodoo Security and faculty at IANS Research, for a webinar that will help you evaluate and benchmark your third-party risk management (TPRM) program against the latest best practices.
Dave examines:
- Cases where third-party security issues led to breaches and compromise
- Critical focus areas for all third-party risk management programs
- Strategies for ensuring that your organization is following TPRM best practices
Register for this webinar, and gain expert advice on building a strong foundation for your third-party risk management program.
Speakers
Dave ShacklefordHumphreys
Owner and principal consultant of Voodoo Security and faculty at IANS Research
Amanda Fina
Transcript
Amanda Fina: Okay. Hi. Hello everybody. I paused for effect to make sure we’re working here. So, sorry if that was a little strange, but welcome everyone. I’m Amanda Fina. I work in business development here at Prevalent. I’m your host today for our exciting webinar with the one and only Dave Shackleford, owner and principal consultant of Voodoo Security. He is a hot celeb here in the security world. We’re very excited to have him and, as we already discussed off camera, you know, what a bookshelf. It’s just enticing to the eye. So, we’re so glad he’s on camera. Um, we also have our very own Scott Lang, who has the world behind him and on his shoulders because he’s so important here at Prevalent. Uh, he’s the VP of product marketing and he’ll be discussing um some interesting stuff about us towards the end of the session, but we’re going to be talking about getting serious about third-party risk and what that really means. And I for one am very excited. It’s a hot topic. We all want to know what it’s all about. So, a couple of key items to go over. This is being recorded. It’ll come in your inbox tomorrow, but if you’re lucky, you’ll probably get something from myself since you registered or you’re attending live in your inbox today. Um, we want you to participate as well, so there’s a Q&A at the bottom. Please utilize it. There’s a chat as well, but Q&A makes it a little bit easier to go through all those questions that we most likely will get to towards the end. We usually save a little bit of a pocket for that. So stay tuned. Um, I believe that’s it from me. I think we have everything.
Amanda Fina: You guys are all muted so we can’t hear you, but again, please participate and I’m going to give it over to Dave. Dave, welcome. Thanks for joining us. Take it away.

Dave Shackleford: Thanks so much for having me. And hey, thanks everyone for joining today. Um, this is a big topic. Um, I probably don’t need to tell you all that, you know, and this is actually one of those topics where, when I was putting together the content for this webcast, um, I actually had a conundrum, right? So, you’re thinking to yourself, Dave, a conundrum? What could possibly have gone wrong? Nothing went wrong. The challenge I had was I had too much stuff to talk about. Truthfully, I had so much that I wanted to say on this topic that I said, “Well, I’m just going to shove it all in here and let the cards fall where they may.” So, you guys are probably going to notice that I have squished way too many things across these slides, but that’s here for you. So, you know, I’ll do my best to crank out all this stuff and talk about it, but because this is such a big and important topic, I really want to get us through and kind of talk about what the heck is going on out there in the world. And I think what we’ve seen over the course of about the past 15 years, and it is interesting looking back that long saying, okay, wait a minute, um, you know, when did we start really noticing that we had challenges with our third parties? Well, the true answer to that is forever. I mean, we’ve been connecting to other organizations for many years. We’ve had software in our environments that comes from some other organization for many, many years.
Dave Shackleford: Hardware from other organizations. Um, we’ve had consultants and contractors. I mean, the list just goes on and on and on. But, you know, increasingly since roughly about the mid 2000s, we’re more interconnected and more deeply embedded across this landscape of third parties than we used to be. And so naturally, what that’s led to is this significant growth in things going terribly, horribly wrong. And not to, you know, take us down this road of a history lesson. I don’t think anybody necessarily needs that. There’s plenty of great information out online, you know, if you feel like going and digging into this. But I mean, at the beginning of the 2000s era, the attacks weren’t what they are, right? So, I mean, basically any attacks that were going on were sort of opportunistic. Um, you know, most of them were just people out there kind of joyriding on the internet causing trouble. Uh, but it really wasn’t focused on access to data or theft of data in a lot of these cases. And that took a significant turn, you know, roughly around the mid 2000s. And the attackers realized, hey, you know, we’ve got a vested interest in trying to get access to people’s stuff here, um, and maybe maintain access within these environments, try to gain access to data. Well, we can use a lot of different mechanisms to accomplish that. It isn’t just coming in through the front door, which might be your internet DMZ or something. We started realizing, hey, wait a minute, we have all these other avenues coming in. We have supply chain vendors. We have lots of different software packages.
Dave Shackleford: And the attackers started going there as well as attacking us, you know, sort of at that front door, as I always call it. So, you know, a while back we realized this is a big issue and it’s only getting bigger. And here we are today in 2021 and I think it’s just absolutely blown up on us. So let’s, you know, let’s just take a look at this and say, “All right, you know, what does that represent to us, my friends? It’s all risk. This is all about risk. It’s all about expanding risk profiles.” And because the attackers are focusing on this, we have to expand the scope of our assessments, supply chain security. Um, and I call this supply chain, but I want that term to be a little bit more sort of open-ended because it’s not just supply chain like we’re buying things from other organizations. I mean today that could include cloud service providers. It could include other service brokers. It could include, you know, traditional off-the-shelf software, again hardware, you know, anything you can imagine, but it also could be just connected vendors or connected services coming into our environment um to perform maintenance or for particular types of collaboration. So there’s just so many ways that we could couch that term. I think it’s gotten broader progressively over the past few years and it’s going to continue to grow. I think we still don’t know the full spectrum of what that might entail, only to say, hey, look, um, that is now part of our surface area. We have to look at things that way. We are no longer, and you know, truthfully we haven’t been for a long time, these sort of closed-off little enclaves of stuff, right?
Dave Shackleford: I mean, I think we used to like pretending that that was the case: this is my data center, it is my castle, and that’s why we had all those, you know, frankly kind of, uh, you know, pedantic castle analogies that were thrown around for, you know, security presentations. You’ve all seen them. Come on now. You know, there’s the moat and the walls. Okay, look, that’s not us. All right, we just haven’t had that going on for so long. There’s so much out there. There’s software compromised, there’s credential theft, there’s, um, you know, other organizations being compromised and surfing on in. So, we’ve got to start thinking through this. And there’s so many examples that I really, you know, I kind of struggled and said, what am I going to use as examples here? Because I could have a whole presentation on nothing but the examples. But why? Because you could go find plenty of your own. So, I sort of cherry-picked some, you know, and not to name names, but I mean, we’ve seen some big retail breaches over the past decade. Um, you know, and what we started realizing, especially there was kind of this moment in time where a lot of these breaches, it seemed like they were almost wholly oriented towards things like credit card data. And that made sense, I think. You know, a decade ago that made sense. The attackers were realizing, oh my gosh, I can go get these credit card numbers or, you know, credit card information and I can go sell that in, you know, some sort of black market. Well, that is still going on very much today.
Dave Shackleford: But of course, today we also know it’s gone more into, you know, other types of sensitive data and there’s a lot of other value to be had in the attacker community for different data types. But gosh, there was a moment where it just seemed like credit card breach after credit card breach after credit card breach was occurring. And in this first case, you know, this was a dedicated vendor that was providing, uh, like air conditioning and heating services for these retail establishments. They were breached. Surprise, head on in, gained access. The second one, again, we saw, um, you know, again stolen credentials from a third party that allowed access into this retailer environment and millions and millions of credit cards were stolen. So that happened a while back and I think that raised the profile for us. Those were some of the first cases where we realized we have a problem here. We have such interconnectedness across third parties and vendors that we probably need to take stock of what that means to us and really re-evaluate what could happen if one of those vendors or those third parties are breached. Now, this was a big one. I mean, this is, you know, 2015, which, you know, today, uh, you know, feels like ancient history, but it’s not. It’s only six years ago, and we should not forget this one because of just how far-reaching it was. Um, the US Office of Personnel Management, or OPM, um, had a huge breach again tied to theft of credentials from a third-party vendor that they were working with. And the reason this one was such a big deal, I mean, obviously theft of credentials just doesn’t seem that exciting.
Dave Shackleford: I mean, yeah, okay, somebody got credentials, but the fact that those credentials provided administrative-level access and control over parts of the environment in OPM that ultimately led to this data breach, that was sort of alarming given that OPM is so tied to law enforcement and military types of organizations that, um, you know, I think it breathes that profile, but, um, it also, uh, had some ties to nation-state activity. And that, of course, you know, made everybody stand up and really take notice. But I actually got one of the notifications from this one because I had gone through some federal-level background checks to do work with military organizations and law enforcement as a consultant. So when this one came in, and actually when I heard about it, I knew it was, you know, it was inevitable that, you know, we’re all going to be getting these notifications. But I mean, I don’t know about you, but, uh, you know, things like background checks conducted by US federal a That’s a lot of sensitive data that I just don’t want getting out there, and this happens. So, it just, you know, this one was a high point, I think, for us realizing we’ve got to start clamping down on this. Um, I always include the RSA breach from 2011, even though, you know, there will be a point where I’m probably still talking about this and it’s 20 years old, but I don’t think we should ever forget this one because of what it represented. It represents an element of our supply chains that we really relied on as a security mechanism.
Dave Shackleford: Many organizations still use RSA tokens, and if you compromise those seed files that allow for that, uh, you know, that token code to change, everything can go downhill from there. And in fact, an interesting sort of side point on this, for those of you that might have been paying attention, um, there’s actually some very interesting dialogue right now here in 2021 about this breach, where people that were at RSA at the time are able to go on the record and talk about it because they had a 10-year, uh, sort of lockup period where they weren’t allowed to speak about anything that occurred there. And now that has passed, and so, um, actually I can’t remember which month it was, but it was Wired magazine, um, just maybe a month or two ago this year here in 2021, where they had a whole big interview with the folks that went through this, and they give some really insightful details about this breach and how they were trying to track the attackers internally and they knew it was going on and it was this really fascinating kind of against time. I digress. Great story, horrible breach. But again, don’t forget about this one because it showed us something we were not really thinking about. Oh, you know, everyone’s carrying around these tokens. But if that token vendor is compromised, so many other cascading series of failures could then ensue. And in fact, some did. So, another really interesting one that again, I think kind of lends itself into what we’re talking about these days. And what we’re talking about these days is SolarWinds. So, so much has been said about SolarWinds that I really don’t want to spend a lot of time, you know, sort of just beating this dead horse as we have.
Dave Shackleford: I mean, everyone’s talked about SolarWinds exhaustively since, uh, this came to light. Um, and that’s been, you know, over half a year now. And so, I think most of you, I’m sure probably all of you, are well aware of exactly what went on here. But to me, SolarWinds was actually the tip of the iceberg here. I really feel that way. Because what it showed us was, number one, just how pervasive some types of software really are across so many different industry segments. I mean, SolarWinds isn’t limited to, uh, you know, government agencies or financial sector organizations or healthcare organizations. Everyone’s out there using SolarWinds software. Number two, uh, the compromise was at such a deep level within their infrastructure that the software that was compromised was able to, you know, just go right on out for people to install and no one was the wiser. And so, you know, this is one of those cases where you look at the software packages and let’s just say you do have some validation mechanisms. Hey, I’ve downloaded this from our vendor, in this case, SolarWinds. Let me check the hash values on this and make sure that it’s okay. They would have matched because the hash values for said software were performed or created after the compromise had occurred so early in that development cycle.
Dave Shackleford: So this is a great example where we stand up and go, okay, this is bad. We have to do something about these, you know, third-party providers and vendors just having this much access to our environments arbitrarily through installation of whatever it is. What are they doing to secure us? What are they doing to make sure this doesn’t happen again? And it really kind of heightens the scrutiny across the industry. I will not be the one to say I think SolarWinds was a good thing. It’s not. It’s terrible. But I think, you know, anybody that hasn’t been living under a rock now realizes just how impacted they can be from things like this occurring. And so we can double down on the scrutiny of our trusted providers and our priority vendors. And that is where I would like to take us right now. So let’s take a look at risk management. Let’s think a little bit about risk management in light of this. And what I always say, and many organizations are sort of, you know, somewhere along this continuum: you do need to have a third-party assessment practice or program of some type. Um, some organizations tend to treat this a little bit ad hoc. They say, “Well, okay, you know, our vendor management, our procurement team’s all over it, right? They’re good. They know what’s going on. They’re checking in. They’ve got a risk questionnaire. We’re solid.” Okay, you know, that’s fine. Um, some organizations I’ve worked with have very little of that and they just don’t have the operational capacity or even dedicated teams internally to be able to focus on some of this stuff.
Dave Shackleford: So, you know, again, it’s all over the map as far as this goes. Number two, I’d say some periodic review needs to take place across these high-value relationships. And even in large organizations, you can sort of, uh, narrow down a subset of your third-party relationships and services and so forth to the ones that would be most impactful. I think the definition of what comprises, uh, impactful is changing and I’ll get to that here in just a few minutes. But I think you have to look at that and say, okay, I can’t treat all my third parties equally. There’s just no way, especially if you’re a huge organization that’s global. You’ve got thousands of third-party relationships. You can’t just tackle all of those the exact same way. You have to differentiate a bit, and that’s important. So again, hold that thought. I’ll come back to it. But you need to have some standards that you’re measuring. Again, some types of controls, and then ideally some form of attestation coming from the third parties that at least gives something to you that says, hey, here’s our approach, whether that’s ISO, whether that’s, uh, you know, SSAE 18 SOC reports, you know, anything that you can get, I think, is good. But even today, to this point, this is one of the things that’s cropped up even in the last year to two years: we’ve started realizing in the security industry that there really isn’t one definitive standard that we should all be adhering to. In other words, if I say, hey, what are you getting from all of your vendors, what are you getting from all of your third parties that provides you that, you know, sort of comfort level, that provides you with those attestations of controls and efficacy of controls and what they’re doing, etc., etc., etc.
Dave Shackleford: You might get 20 different answers, and out of the 20, everyone feels that they’re either good or not good, but no one agrees on which one, if any, should be that standard. And so I think that’s a big issue for us. I think there’s still a lot of work to be done, uh, in the industry, and, you know, frankly, it’s not an easy answer too, uh, because that starts to bring in, um, things like government regulation and requirements, and certainly in a global type of environment that’s tough. Um, but somebody also has to perform these risk reviews. There’s got to be someone that, you know, looks at the security requirements that you have versus what these, uh, providers are coming back with and says, all right, you know, is it good enough? Yes. No. If the answer is no, what’s the business, you know, sort of approach here? Do we say, yep, can’t do business with you, or, um, do you, you know, have somebody that signs off and says, well, we’re willing to take that risk? There’s a whole lot of things that can shake out of that, but truthfully that’s just risk management 101 and it’s no different at that stage than it would be for just about any other type of business risk that you would consider. So a lot to look at, but it’s got to start with the definition of important vendors and the contacts at those vendors. And so going back to what I said just a moment ago, I think we have to start with the emphasis on criticality and the priority. In other words, if we don’t have this vendor’s product, what does that do for us, right? You know, so I always give the example here of someone like Microsoft.
Dave Shackleford: It is very rare to find any organization out there today, certainly not any enterprise, that doesn’t have Microsoft on the critical vendor list for whatever reason that might be. So let’s say you’re using Microsoft Azure for cloud services. Um, you’re using Microsoft software for email and other collaboration services. Microsoft is kind of everywhere. But truthfully, there’s a number of vendors, a number of suppliers just like Microsoft that would also fall into that category. But this will differ, of course, depending on what type of business you’re in or what type of organization you are. So for some organizations, uh, a cloud service like Salesforce would be at the top level of that criticality. For others, it doesn’t really matter. We don’t really use Salesforce or any services like that because it’s just not what we do. So this will always differ, but I think you have to have that list as a starting point, and there needs to be some contact associated with those vendors, with those third parties, that we can coordinate with on a regular basis, certainly at the beginning of the relationship, but then in an ongoing way. One of the worst things that tends to happen when you start these types of relationships, and I’ve seen this time and time and time again in a number of different organizations that I’ve worked with, is, you know, it’s all great at the beginning. We go do all this diligence, we get paperwork, contracts are signed, legal’s involved, all that stuff goes on, but then 18 months later, nobody’s revisiting any of that and saying, “Are they really doing what they said they were going to do?” Um, do we have the right contacts, and are we making sure that they’re up to date?
Dave Shackleford: And the worst thing to happen, you know, let’s say that you are a SolarWinds customer and you realize, oh my gosh, you know, we have no idea who to get in contact with. We just heard about this on the news. And that in fact did happen to a lot of organizations. When the SolarWinds breach occurred, many had no idea who to contact or what to do about it. And I’m quite sure that SolarWinds was getting just absolutely, um, just, you know, sort of crushed by the volume of calls and people trying to talk to them about this. But I think at least starting with that in mind is pretty important. You’ve got to have some, you know, sort of protocol for communications and repeat visitation of those security requirements that you’re putting into place. And that’s exactly what you should be looking to build at the beginning. So, some of this will be driven by compliance. In other words, to do business with this type of data, if it’s, you know, the credit card data that we talked about a minute ago, or if it’s certainly healthcare information, you know, personal data that falls under privacy regulations, you know, insert, you know, sensitive data type here. We’ve all got some that we’re dealing with these days. But if there’s a compliance factor here, it will help shape what your requirements are, and then that naturally transcends to any third parties that you’re working with. So, if I’ve got to have this data maintained in a protected format, it’s got to have encryption, or I’ve got to have certain types of access controls in place for, uh, you know, for access to this data.
Dave Shackleford: Well, naturally you’re going to take that to third parties that might be somehow affiliated with you in that regard and say, can you meet this control? Because if not, in those cases a lot of times you just can’t do business with them. I can’t violate HIPAA, uh, just because you don’t feel like having good key management practices or something. So you’ve got at least that impetus coming in. But I think it’s also important to push for the right to test and audit some types of security controls within these critical vendors. Now, big companies like, you know, Google and Microsoft and some of the others, they’re not going to let you, more than likely, come hang out on premises with them and, you know, bring your clipboard. There’s no real clipboards these days, but imagine, right, to check things off and say, “Ah, looking good today, Microsoft.” No, they’re not. They’re going to say, “Well, look, you know, we’re, you know, a huge organization, right? Here’s our information. You can probably take that or leave it.” And I think that’s one unfortunate side effect of these large, powerful software companies and others sort of dictating the terms of those relationships in their own right. It’s tough. But you can also subscribe to third-party risk assessment, uh, you know, types of organizations and services that evaluate these companies and these products and these services in an ongoing way, maybe much more frequently than you can as a, you know, as a customer or as a partner, and, you know, give you a heads up if things are looking like they’re changing there. So we’ve got a lot of reports coming in of X occurring at this vendor, or we’re seeing a lot of, uh, you know, phishing coming from this vendor.
Dave Shackleford: You know, who knows what the case might be, but you’ve got to have some way to maybe reassess on a regular basis exactly what those vendors and third parties are doing in their security programs. And if there are changes, I think it’s incumbent upon them to let us know. But sometimes that just doesn’t happen. And so again, you might need to look elsewhere at external third parties that can help. So again, more on that later, but anything you can do to just track this and keep up with it is only going to help. You’ve got to have inventory management. Now, there’s a lot to say about inventory management. Um, and truthfully, I could have an entire webcast on just this topic because it’s just such a big one. And this actually takes me back many, many years ago. So I teach through the SANS Institute as well. I’ve been affiliated with them for a long time, and I remember years and years and years ago, um, and I’ve been doing this for a long time, um, when they came up and Alan Paller, who’s the head of research at SANS and really kind of drives everything, um, you know, came to all of the SANS instructors and said, we’ve got to try to help simplify some of these controls frameworks for the community out here because they’re just getting crushed under the weight of these onerous regulations and things, and like nobody’s doing all this. They can’t keep up with it.
Dave Shackleford: So lo and behold, something known as the SANS Top 20 was born, and this was back in, gosh, I don’t know, 2006, ’07, don’t hold me to this, um, because we tried to simplify it and narrow it down to that top 20. And now, of course, many of you are, I’m sure, aware that, uh, this is maintained by the Center for Internet Security, and in fact the 20 just went down to 18 very, very recently. So that program is still alive and kicking, but the reason I mention it is because one of the very few things in my entire career where I’ve ever found a bunch of security nerds agreeing is on the fact that you need to know what you have running in your environment. And so right at the top of the list of those critical controls, nobody disagreed with critical controls numbers one and two, which were know what you’re running and know what’s running on those systems. Still there today. So yes, you need some type of inventory management, and in particular today, where we’re starting to realize, oh my gosh, we have so much software, we have so many different platforms, we have so many vendors just lurking in the dark corners of our data centers and cloud data centers by proxy as well. We need to know what this is about. The problem: it’s hard. So, okay, I won’t spend any more time on this. I think most of us probably get it today. There needs to be some emphasis on finding what we have and trying to keep up with that progressively over time. Whether it’s scanners, whether it’s host-based agents, whether it’s, you know, kind of, uh, you know, heavyweight CMDBs, configuration management databases, you know, I still run into many a spreadsheet out there, which, uh, I know for some organizations is horrifying. For others, it’s working just great. Whatever.
Dave Shackleford: Try to find your stuff and keep up with it, because then at least if there is a breach out in the, you know, universe with one of these software manufacturers, you can answer that question. Dave Shackleford: Are we running that anywhere? Dave Shackleford: Do we have that installed anywhere? Dave Shackleford: Well, shadow IT being the problem that it is, sometimes even the best-intentioned efforts in this regard go astray. Dave Shackleford: You miss stuff. Dave Shackleford: Things are out there that you don’t know about. Dave Shackleford: Do your best, right? Dave Shackleford: That’s my philosophy. Dave Shackleford: Um, now I also think that there is a governance conversation to be had here. Dave Shackleford: There has to be because you can’t do this in a vacuum. Dave Shackleford: It’s not just IT ops. Dave Shackleford: It’s not just security. Dave Shackleford: It’s not just risk. Dave Shackleford: It’s not just compliance. Dave Shackleford: We’ve got to have business unit stakeholders involved because they’re the ones driving whatever it is that they’re needing to accomplish the goals of the business in the first place. Dave Shackleford: And sometimes I’ve found many cases, especially in big distributed organizations where, let’s say that uh business units might have some degree of autonomy, they can kind of go do some of the things that they want to do without always having to come back to sort of the central chain of command and so forth. Dave Shackleford: They can kind of do stuff. Dave Shackleford: Well, if we’re not talking and we’re not collaborating and we’re not at least communicating about what they’re doing and how they’re doing it and when they’re doing it, there’s a very strong likelihood that we’re going to miss out on some of the stuff that uh is running in our environment. Dave Shackleford: So, we do need that governance in place.
Dave Shackleford: It needs to be driven from executives and it needs to accommodate every one of the things that you see listed here. Dave Shackleford: So again, business unit management to some degree. Dave Shackleford: We need our legal and human resources teams involved. Dave Shackleford: Certainly human resources comes into play when we’re dealing with our own sensitive data in the organization, whether that’s healthcare information or other personal or sensitive data about our, um, our, you know, employees or our contractors. Dave Shackleford: Um, but you know, they usually have some tie into this as well. Dave Shackleford: Um, procurement teams and, uh, you know, vendor management teams definitely need to be a part of this. Dave Shackleford: And then naturally the entire spectrum of IT also kind of mixes into this as well, but some effort to not necessarily unify everybody’s thinking here but to at least bring us together and be able to, uh, converse about what the risks are, where the risks are, and, um, you know, sort of where we’re headed in a supply chain or third-party security program, those are all important points. We need to, uh, review our access controls, and, um, you know, I always actually tell clients of mine when I’m working with them, if you haven’t done an access control review recently. Dave Shackleford: You know, why not put that on the docket? Dave Shackleford: Um, and believe it or not, sometimes, um, excuse me, this is a, uh, this is a great opportunity for internal audit teams, and I work with a lot of internal audit teams, and in fact, I’ve had some cases where these internal audit teams said, you know, what should we put on the, you know, the plan for this next year? Dave Shackleford: And one of the things I ask is, when’s the last time you did an access control review across all of your, uh, you know, major elements in the environment?
Dave Shackleford: And that’s remote access coming in through, you know, VPNs or other collaboration tools. It’s supply chain participants: how are they getting access into parts of the environment, uh, you know, that they might need to get access to? What happens if we have physical access even coming in from some third parties, people that are coming into our data centers or into our office environments to do something, right? All of that needs to be brought, um, into the access control review model, and, you know, truthfully, even things that, um, you know, we’re, like, uh, like expiring. Dave Shackleford: So you have platforms that, you know, hit end of life, it’s hardware, how do you scrub that stuff before you send it off somewhere else or, you know, what have you. Dave Shackleford: So there’s a lot of facets to this, but if you don’t have a good grasp on what access is available into the infrastructure and what that leads to. Dave Shackleford: So, you know, for instance, if someone has access into an extraordinarily closed part of the environment that, you know, is really, really restricted from everywhere else, that’s good. Dave Shackleford: But you look at something like SolarWinds, this is a sort of that secondary or third, uh, sort of factor here to say, okay, somebody comes into the environment over here. Dave Shackleford: Where can they go? Dave Shackleford: And in that chain of where they go, is there a possible universe out there where they’re going somewhere that leads to SolarWinds? Dave Shackleford: I don’t know. Dave Shackleford: You know, that’s something that we should be thinking about. Dave Shackleford: So, and I’m, you know, I don’t mean to pick on SolarWinds. Dave Shackleford: It’s just, you know, it’s the story of the year or whatever, but third-party software, third-party platforms, administrative access of any type.
Dave Shackleford: I think it’s helpful to sort of walk back and say, okay, you know, the third party that we’re working with, they land here when they log in, but where does here really give them access to beyond that, and have we really thought through all those potential avenues where they could, you know, perform lateral movement attacks and things? And more of this is better, right? Dave Shackleford: So, definitely something that’s important. Dave Shackleford: This is my classic people, process, and technology slide. Dave Shackleford: You know, I’ve got to have one in a presentation like this because, um, you know, we talked a little bit about the people side. Dave Shackleford: You got to have the right stakeholders involved because these are ubiquitous big programs that need to be, you know, sort of tied into a lot of things. Dave Shackleford: Um, you know, you’re not going to do this in a silo. Dave Shackleford: You’re not going to do this in sort of a closed way. Dave Shackleford: It needs to involve lots of different participants in just about every organization out there. Dave Shackleford: But, you know, technology alone doesn’t get you there, right? Dave Shackleford: So, you can try to lock down this technology or put this type of gateway in place, you know, woohoo, everybody’s got multifactor. Dave Shackleford: These are all great things, by the way, but there needs to be a process around this. Dave Shackleford: So, you know, number one, what’s the process for making sure we maintain all of this technology? Dave Shackleford: Number two, who are the stakeholders that are the owners of those technologies? Dave Shackleford: So, think about this one. Dave Shackleford: I always, you know, again, I’m going to come back to SolarWinds just because, um, it’s the gift that keeps on giving because of just how impactful it was. Dave Shackleford: But think about all the organizations out there today.
Dave Shackleford: Um, and hopefully none of you were in this bucket, but I’m, you know, it wouldn’t surprise me. Dave Shackleford: Um, where SolarWinds, you know, shook out. Dave Shackleford: We saw this thing going down and some organizations probably said, “Who’s the owner of SolarWinds here?” Dave Shackleford: Like, who’s been tracking these guys? Dave Shackleford: Who’s in charge of, uh, you know, making sure that we know who to talk to over there and that we have been updating the software? Dave Shackleford: What’s the version that we’re running? Dave Shackleford: Because maybe we’re not even vulnerable because we never updated to that package version that apparently was the bad one. Dave Shackleford: And like you could go down this whole list of questions, but it rolls back up to the people involved and the processes around not only procuring things like software and platforms and apps and so forth, but also maintaining that and keeping track of this over time. Dave Shackleford: So, huge number of elements that have to interrelate, and of course in the middle of all that is data, because ultimately that’s usually the goal of, um, most of these attackers and these attacks in some way, shape or form. Dave Shackleford: So we know this today. Dave Shackleford: That’s no surprise. Dave Shackleford: But it’s a very, very complex series of interrelated elements that have to be involved when you start talking about third-party and supply chain security all the way around. Dave Shackleford: So, some best practices, right? Dave Shackleford: I’m going to take a few minutes here and just, you know, throw some best practices and some thoughts out there that I think have proven useful and valuable with many organizations I’ve worked with over time in the industry. Dave Shackleford: Number one, it’s people, right? Dave Shackleford: Start with the people.
Dave Shackleford: Um, you know, Captain Obvious says you should probably do some background checks on people, you know, certainly that have, you know, access to sensitive parts of your environment or other sensitive assets and systems and services. Dave Shackleford: But, um, here’s something that doesn’t happen almost ever. Dave Shackleford: There should be some re-up of those background checks. Dave Shackleford: Now, this is going to blow your minds, but sometimes people go bad later. Dave Shackleford: They may be awesome when you hire them, but things happen. Dave Shackleford: I’ve got a litany of stories in this regard from my own background that I am not going to bore you with in the interest of time, but there needs to be some revisitation, at least for very critical or very sensitive roles. Dave Shackleford: And the reason I mention this is not because I’m telling all of you to rush out and talk to your HR teams to find out what they’re doing about, uh, background checks. Dave Shackleford: That’s a good thing to do. Dave Shackleford: You know, this is also to say, let’s flip that around to the third parties you’re working with. Dave Shackleford: Do you know what they’re doing here? Dave Shackleford: Have they given you some affirmation of how they’re hiring and how they’re maintaining that? Dave Shackleford: Anybody that has access to my environment or sensitive access to any of my data, I want to know that not only were they good when they got hired. Dave Shackleford: I want to know that there’s some check-in progressively over time to make sure that they haven’t, you know, mysteriously taken a sabbatical over to China and when they came back they were different. Dave Shackleford: Yeah, I’m kidding, right? Dave Shackleford: But look, you got to know what’s going on with these scenarios, and, you know, maybe that comes down to employment agreements.
Dave Shackleford: Um, if there are security requirements or maybe even things like, uh, um, you know, like clearances depending on the type of industry that you’re in. Dave Shackleford: You need to make sure that those are well vetted and that they’re signed off on. Dave Shackleford: And the same thing goes for third parties. Dave Shackleford: So, let’s say that you have very, you know, you work in the, uh, defense industry or you work in some industry that does require some sort of background checks and clearances. Dave Shackleford: You can’t do any business with third parties that aren’t willing to ascertain, um, that this is in place for all of their staff dealing with you. Dave Shackleford: So, you’ve got to go through this, you know, sort of series of hoops just to make sure that the people involved in all this are doing what they’re needing to do. Dave Shackleford: Um, I am not going to read all this to you guys. Dave Shackleford: It’s actually sort of a bunch of stuff I just threw up here, and I’ll sum it up. Dave Shackleford: You’re going to need a checklist of questions, right? Dave Shackleford: You’re, uh, you know, you’re going to need a questionnaire that includes everything, right? Dave Shackleford: Because you’re asking these third parties about their security programs. Dave Shackleford: And I won’t even say that everything on this obnoxious bullet list is that list, right? Dave Shackleford: And there’s probably a lot more that we could include here categorically, but I need to know that they’re resilient. Dave Shackleford: I need to know that they do background checks. Dave Shackleford: I need to know that they protect data. Dave Shackleford: I need to know that they have access controls and authentication and authorization and network security and, you know, keep going, right? Dave Shackleford: You could keep going along that list, and how long that is and how in-depth it is is subjective.
Dave Shackleford: It’s going to depend on you, your industry, a lot of factors. Dave Shackleford: But I would say look, um, you know, don’t fall into the trap. Dave Shackleford: I’ve seen people do this where you’re like, “Oh my gosh, there’s no way we can give this 7 100 question thing to our vendors.” Dave Shackleford: Sure, you can, especially your most critical vendors or third parties. Dave Shackleford: Um, they may push back on you and say, “Yeah, we’re not going to, you know, answer all these questions,” but why not try and get as much information as you possibly can? Dave Shackleford: That’s my take on it. Dave Shackleford: Always start with that in mind and then you can always ratchet it down progressively depending on the circumstances, but make sure you’ve at least got something here, and make sure that you go through and say, “Okay, which of the controls are must-haves? Dave Shackleford: Which are nice to have? Dave Shackleford: What are the answers that we need to feel comfortable?” Dave Shackleford: This is risk management again. Dave Shackleford: So this is about having that process for supply chain review and third-party review, and that needs to be collaborative. Dave Shackleford: Quite frankly, it’s not common to have your procurement teams or your vendor management teams, um, you know, really, uh, you know, as security experts. Dave Shackleford: So they may be really, really good at tracking contracts and setting it all up and asking the questions and sort of pulling it all together. Dave Shackleford: But if somebody comes back with some detailed list of cipher suites that they support for cryptography, they may have to hand that off to somebody that really understands that. Dave Shackleford: So I do think that collaborative effort that ties things together in that regard is going to be helpful. Dave Shackleford: Again, it’s all about governance. Dave Shackleford: Now, software reviews, oh boy. Dave Shackleford: Right.
Dave Shackleford: And I know that some of you, I’m sure over the course of the past year, especially with this SolarWinds situation, started really, you know, delving back into this and saying, what are we bringing in here and how are we vetting this? Dave Shackleford: And I think today that, you know, we have to look back. Dave Shackleford: I mean, I even listed some of the old school ones like, you know, Heartbleed and Shellshock and some of these, where we just went, oh my gosh, there’s all these open source components, apparently all vendors use a bunch of open source in their software, you know, okay, well, what does that mean for us, because we’re the ones that suffer if things go badly. And so I think spending, you know, a bit of time on this and revisiting this and saying, you know, do we need to, you know, sort of run any software that can touch critical infrastructure or data in a closed environment for x period of time to validate that it’s not trying to beacon out to Russia or that it’s not doing unusual things that we wouldn’t have expected? Dave Shackleford: You know, maybe we need to start thinking that way. Dave Shackleford: The challenge is it takes a ton of time. Dave Shackleford: So, even if you get a gold image from a manufacturer, I think we should still be a little bit more suspicious than we have in the past, but at least start thinking this way and sort of heading down this road. Dave Shackleford: And what you have to do is say, okay, you know, not just the software, but also the, you know, types of technology services we’re using, maybe we really need to rank those, right? Dave Shackleford: In other words, if something goes down with, uh, you know, Microsoft Exchange, that’s an urgent action priority, whereas if something goes down with, uh, Adobe PDF reader, eh, okay, it’s going to be annoying, um, but it’s a low priority, right? Dave Shackleford: We’re not going to stress out about that.
Dave Shackleford: Um, you know, if it breaks. You know, now if it’s compromised and it’s across, like, all of our systems, that’s probably an urgent action too, but you get the idea. You have to have these differentiated, you know, sort of degrees or levels of sensitivity, priority and actionability with regard to all the technologies that we’re using. Also need to think about the privileges involved. So I mean there’s a whole discussion to be had around privileged access and the abuse of privileges, and, you know, same thing goes for insider attacks, and not just insiders that are evil and bad, like, you know, mwahaha, Dave’s disgruntled. Dave just has a lot of access to stuff, but wow, let me click on that link and now I’m an insider because somebody else is using my system and infrastructure to get to things. Dave Shackleford: And so it’s never a bad time in the context of a third-party assessment program to go back to the well and say, what are the privileged users in our environment? Dave Shackleford: Who are those users? Dave Shackleford: Do we know who they are? Dave Shackleford: Do we have really good control over their access? Dave Shackleford: Um, are we logging and monitoring around that? Dave Shackleford: I mean, anybody that’s a domain admin, you know, of course, but there’s so many others, you know, DevOps engineers, you know, application developers, um, you know, any systems administrators, network engineers, the security team, you know, we have access to a lot, and revisiting that privileged approach and so forth, not a bad idea. Dave Shackleford: Now, network isolation, definitely something that we’ve been dealing with for years. Dave Shackleford: I mean, today we’re seeing a lot more interest in things like zero trust and micro segmentation and all that stuff. Dave Shackleford: But even if it’s just jump boxes or, you know, proxy hosts. Dave Shackleford: Um, things like thin client approaches with, you know, virtual desktops.
Dave Shackleford: We do need to try to drop users, and certainly third-party users, into environments that are segmented and zoned and controlled. Dave Shackleford: And I know too many organizations out there today that have extraordinarily flat networks. Dave Shackleford: Even now, 2021, you’re thinking there’s no way that organizations are still this flat. Dave Shackleford: They are. Dave Shackleford: And that’s not me pointing fingers. Dave Shackleford: Um, believe me, I do not throw stones in glass houses. Dave Shackleford: I get it. Dave Shackleford: It’s tough. Dave Shackleford: Um, network segmentation and isolation has always been a struggle, but this is something that deserves some reconsideration in light of this. Dave Shackleford: So, what do you do now? Dave Shackleford: Right? Dave Shackleford: What do we do with third parties and business units? Dave Shackleford: Start with a thorough review with the procurement team. Dave Shackleford: Who are our critical vendors? Dave Shackleford: How are we revisiting these over the course of, you know, maybe six, 12 months just to make sure things are still on track? Dave Shackleford: How often are we doing these vendor reviews and these supply chain reviews, right? Dave Shackleford: Let’s talk about access. Dave Shackleford: Let’s talk about authentication reviews. Dave Shackleford: It’s again never a bad idea to come back to that. Dave Shackleford: Who can log in? Dave Shackleford: Where can they come from? Dave Shackleford: What are the accounts? Dave Shackleford: What are the privileges involved? Dave Shackleford: And any vendor or third party or partner should definitely have a ratcheted up, uh, monitoring priority. Dave Shackleford: That’s just common sense, uh, in my opinion today. Dave Shackleford: Now, this is a great set of recommendations from the folks over in the UK, the National Cyber Security Centre. Dave Shackleford: They just, you know, kind of consolidated a lot of the things that I’ve talked about.
Dave Shackleford: And so, if you’re looking for sort of like a quick cheat sheet, this is a pretty good one. Dave Shackleford: And so you can go get this for free online. Dave Shackleford: They’ve got it posted. Dave Shackleford: But it’s all about coming back and saying, “Hey, third parties in the supply chain, something that needs attention more than it ever has.” Dave Shackleford: And with that, I’m going to wrap us up. Dave Shackleford: So I, you know, I know this was a lot. Dave Shackleford: Like I said, I had too much information. Dave Shackleford: I said, I’m putting it in here. Dave Shackleford: We’re rolling because it’s such a critical topic. Dave Shackleford: I really feel that there’s never been a better time than now, especially with this SolarWinds breach right at the top of mind. Dave Shackleford: I mean, you know, most executives are aware of this. Dave Shackleford: Most organizations are aware of this stuff. Dave Shackleford: Let’s use that, uh, sort of visibility in the industry to revisit all these elements and say, how are we doing here? Dave Shackleford: Right? Dave Shackleford: If we had to grade ourselves, how would things look? Dave Shackleford: Because I know a lot of organizations haven’t been able to keep up with this as much as they would have liked to. Dave Shackleford: And with that, I’m going to hand things over to Scott. Scott Lang: Hey, thanks Dave. Scott Lang: Hope you can hear me this time. Scott Lang: Had some challenges with the mute button there. Scott Lang: Um, hi everybody. Scott Lang: Thank you for, uh, joining today’s webinar. Scott Lang: Dave, awesome talk as usual, discussing some, uh, you know, very hard-hitting, very consequential, um, you know, very comprehensive suggestions on how to address, you know, one of the biggest risks, uh, for organizations today from a cyber security perspective. Scott Lang: And that’s, you know, what gets introduced, you know, from a third party.
Scott Lang: If you don’t mind, I’ll take a few minutes to explain, uh, how Prevalent makes this process a little bit easier, uh, by building off some of the things that, uh, Dave mentioned in his presentation. Scott Lang: Next slide, please. Scott Lang: Um, you know, everything that Dave talked through, uh, in his presentation was all about, you know, the need to, uh, perform third-party risk assessments or to gather information from your third parties. Scott Lang: Um, you know, organize it in such a way to get a good clear view of, you know, the security policies, access control and more. Scott Lang: But the challenge is a lot of this is typically being done for a lot of companies, um, in the use of spreadsheets or flipping spreadsheets back and forth via email, um, and, you know, not really being able to maintain some reasonable chain of custody of that information between organizations, uh, or leverage, uh, those spreadsheets to then perform some deep analysis, identify risks, do some reporting for all the different stakeholders. Scott Lang: You name it. Scott Lang: So, you know, super big challenge, um, in, you know, starting a TPRM program, you know, decision number one, you know, get the heck off spreadsheets. Scott Lang: Second big challenge we see happening amongst organizations as they start down this path of a more disciplined or programmatic approach to third-party risk management is outdated info. Scott Lang: So, you know, when you send out some sort of an assessment, perhaps on an annual basis or when there is an external event that triggers, um, an analysis or, uh, another assessment. Scott Lang: Um, you know, a lot of things could happen in between those things. Scott Lang: You know, if you’re only assessing a vendor every year or only maybe sending out assessments when particular events happen, you know, the day after something can happen.
Scott Lang: Dave said a few minutes ago that, hey, employees are great when you interview them, but the next day they might be, you know, not so great. Scott Lang: Uh, same thing with vendors. Scott Lang: You know, they might get breached. Scott Lang: They might have some sort of a financial problem. Scott Lang: They might have their own supply chain failure, uh, in their third party, which is your fourth or nth party. Scott Lang: You know, so outdated info typically is a huge concern among, um, uh, among customers. Scott Lang: And then finally, you know, everybody’s got a hand in third-party risk whether you know it or not. Scott Lang: You know, typically the IT or the infosec team, you know, leads a third-party risk management function, but procurement is involved from a sourcing perspective and a contract management perspective and performance and SLA management. Scott Lang: You got risk management that’s trying to pull it all together. Scott Lang: Maybe you got some vendor managers. Scott Lang: You’ve got audit compliance teams that have their particular, um, uh, you know, requirements to address from a third-party risk management compliance perspective. Scott Lang: So you get all these different teams involved, not anyone’s really getting their needs met. Scott Lang: You get all this outdated info you’re having trouble kind of getting your arms around, and it’s done via manual process. Scott Lang: So from my perspective, that’s probably some of the biggest challenges, as we move to the next slide, that really get in the way of, you know, effectively performing, you know, third-party risk, and our foundation. Scott Lang: What we seek to deliver with the Prevalent solution, um, is incrementally to overcome each of those objectives, uh, or objections rather, uh, this way.
Scott Lang: Number one is, um, you know, our solution is typically quite data driven, uh, and contextual. We incorporate, uh, data feeds and intelligence from real-time sources, from business and cyber sources and financial sources, to augment the collection that’s being done in the platform of standardized assessments. Scott Lang: So it is a continuous process, not a one-and-done kind of static process. Scott Lang: Um, second, uh, from a unification perspective, you know, we are, you know, amongst a small handful of providers in the space that bring together both, you know, the one-off assessment and, uh, the continuous monitoring element and then give you some already pre-built intelligence to help you prioritize the risks that come in from those vendor answers and then give you some prescriptive guidance on remediations or recommendations to reduce that residual risk over time. Scott Lang: And then finally, most importantly, is the prescriptive nature of what we offer. Scott Lang: You know, I, you know, our entire approach is to be incredibly programmatic. Scott Lang: Step one, step two, step three, and so on. Scott Lang: So that you don’t leave any gaps in the process and you have the opportunity to kind of, you know, um, you know, reduce the amount of time it takes to assess vendors, to get results in, to produce reporting, um, you know, without all the kind of the burdensome overhead that comes with manual methods. Scott Lang: Next slide, please. Scott Lang: You know, our approach, um, our prescriptive approach anyway, uh, extends, um, throughout the entire vendor risk life cycle. Scott Lang: So, you know, another challenge that we didn’t mention on the slide two slides ago was, uh, one that a lot of companies face when they’re kind of starting a program: they really only look at third-party risk when they’re, like, onboarding a vendor and then maybe on an annual basis when it comes to contract renewals, whatever.
Scott Lang: They send out the assessment, as necessary and important to do, but these things tend to kind of sit on the shelf, if you will, the virtual shelf, um, you know, in between these kind of business impacting events. Our perspective is to, you know, start at the very beginning. There’s a step zero where third-party risk should start, and then, you know, there’s a step, uh, what, six, seven, that, uh, should be considered as well. Scott Lang: It all starts with, um, getting intelligence into vendors as you’re sourcing and selecting them. Scott Lang: You know, you can do this through any mechanism like a vendor exchange, if you will, or an exchange network that has, you know, libraries of completed, uh, risk assessments that are all standardized based on standardized questionnaires. Scott Lang: They can help you kind of very quickly visualize, you know, where some of their risks might be in access control and data privacy and some of these areas. Scott Lang: So, your procurement team can make much smarter decisions on, you know, who they want to continue to do business with. Scott Lang: Second, intake and onboarding, um, is an important piece of it as well, because as you onboard a vendor, you know, you’re going to need to execute once again that programmatic process. Scott Lang: Incorporate, um, the information that you gather from that vendor with a comprehensive profile that gives you some good visibility into who that vendor is. Scott Lang: Um, you know, what geographic considerations are there, uh, concentration risk issues, you know, all that stuff kind of gets, you know, bubbled up a little bit during that phase. Scott Lang: Phase three, the magic starts to happen here, where we start to score inherent risks. Scott Lang: Um, so that informs profile, uh, tiering and categorization of vendors, which leads into step four, which is your full assessment, uh, process.
Scott Lang: I think we’ve got something like 75 different questionnaire templates built into our platform. Scott Lang: Now, got some standardized ones like the SIG or the HISAC, uh, questionnaires based on ISO, NIST and others that can help you kind of meet the specific needs for assessment based on what you have to report on, and then all with kind of built-in remediation guidance. Scott Lang: Then you get into the continuous, um, element here where you’re always monitoring for, um, you know, uh, changes, cyber, business updates, financial implications, whatever, all kind of throughout, you know, that relationship, and it can use those results to then validate, uh, what you learn from executing that assessment there. Scott Lang: In step four, then we talk about measuring SLAs and performance. Scott Lang: You know, not every risk presented to your organization is a security risk. Scott Lang: Although security risks are going to obviously take the majority of your time and attention, but, you know, whether or not they’re meeting their service level agreements per the contract, uh, is an issue to be resolved. Scott Lang: You know, what’s their vendor performance and delivery, for example, of goods and services if they’re inputs to yours? Scott Lang: And then finally, something I think that, uh, a lot of companies overlook is the risk at the offboarding and, uh, contract termination phase. Scott Lang: You know, once your relationship comes to an end, how do you securely offboard that vendor or terminate the relationship in such a way that your risk exposure is, um, you know, reduced, you know, over time? Scott Lang: Uh, you might recall, uh, last year, uh, Morgan Stanley was fined, I think, $60 million for improper decommissioning of servers that was executed by a third party. Scott Lang: Now, um, I think the final judgment was just announced, I think maybe yesterday or the day before, but, um, that’s a great offboarding use case.
Scott Lang: You've started to decommission and terminate the usage of certain assets. There's a certain checklist and process you've got to follow throughout that area that that third party just didn't address. So that triggered a problem, and it triggered a very expensive problem for Morgan Stanley now to deal with. And our delivery is multifaceted. We are anchored on a best practices approach where we could help to do this for you, everything from onboarding your vendors to offboarding them and everything in between, clean through managed services, best practices services underneath, and then customer success throughout the life cycle. Next slide, please. You'll see benefits at every stage of that life cycle. I won't go through that in great detail here, but I think you can see that our approach helps different folks throughout the organization. One of the reasons customers choose Prevalent is that procurement teams can use us, IT security teams can use us, risk, vendor management, legal, compliance, auditors, whatever, they can use us as well. We're a true enterprise system that a lot of different people can utilize if you're searching for a solution that helps you have a definitive set of data to make third-party risk management decisions. Next slide. And how we deliver this, we mentioned this already, but our global vendor intelligence network is a library of more than 10,000 completed and constantly updated vendor intelligence profiles. Our vendor risk assessment services can perform the collection and analysis of that information on your behalf if you're resource constrained.
Scott Lang: And then we've got our platform as well. We've got definitive ROI metrics that our customers repeatedly tell us, and we've helped them save time, made the process faster, and a heck of a lot less painful. Next slide, please. Again, our outcomes for you are to help you get the data you need to make better decisions, to help you improve team efficiency across your organization and knock down the natural silos that are born in a risk management environment, and then be your partner to walk with you and guide you through your journey of third-party risk. So again, that's all I wanted to share from my perspective. The whole point there is just to tie to what Dave said: all of those really important decisions that have to be made from a third-party risk perspective, start getting serious, also consider how you want to implement this and what steps to take to get started. So, thanks for your time. I appreciate it. Amanda, I think we're going to pop it back to you.

Amanda Fina: Yes. Hi, everyone. Thanks so much. I wanted to just submit a poll. I forgot to do it before. I apologize. So I came last second, but we would just love to hear from you guys if you're looking to augment or establish a third-party risk management program. Simple yes or no or not sure will do. While I have this up, I have a couple of questions that came through, and I'm going to start with this one since, Scott, you did just speak, and the question was: you did mention having real-time intelligence around vendors. Can you explain a bit how that works?

Scott Lang: Yeah, sure thing.
Scott Lang: So we have a solution that does continuous monitoring of a vendor's cyber information. So it's kind of an outside view of a vendor's cyber posture: patches, open ports, SSL problems, basically anything that can be gathered from an external scan, and then that's augmented with some research and intelligence that's done into, like, dark web special access forums, credential dumps, and a couple of areas like that that could portend a potential cyber violation targeting your vendor at some point in the future. And then we pump that into our risk register, where all your assessment results sit, and they don't sit side by side. They sit together, so that you can validate. Let's say the vendor answered that they have a very sound password management policy in place when they answered their questionnaire. Well, if you can show that, well, looks like some of your credentials are for sale out on the dark web, something doesn't jibe here. So you can use that to validate and dive into some remediation work from there.

Amanda Fina: Perfect. Thanks for that response. It looks like we have time for about one more question. So this will be for Dave. When you speak of prioritizing vendors, should your vendor priorities be based on whether they're critical to your business operations or based on what level of risk they provide to the business?

Dave Shackleford: That's a great question. And can you hear me? Can you guys hear me now?

Amanda Fina: Yeah, I can hear you now.

Dave Shackleford: Okay. Okay. Sorry. Yeah.
Dave Shackleford: Yeah. As we always are, desperately seeking the mute button. But it's a great question, and the answer is yes. Okay, that was my sarcastic answer, because it's tough. It's difficult to answer, actually, because truthfully it can be all of those things. Number one, think about the impact to the organization if a vendor has a problem. That problem can be a lot of things today. So let's say Microsoft: you're using Microsoft 365 for all of your collaboration, right? We have our email there, we have SharePoint there, we have storage for everyone. We have all these things. They have a massive denial of service or they just break. Well, now that's a problem. It doesn't mean that someone attacked them necessarily. Maybe they just had an outage or something else, but the impact would be unbelievably bad, because it affects all of our employees, everyone. So I think that's one way to look at it. But I think also you do look at it from this other perspective of what does it have access to? It being maybe a software package. I think that's where the SolarWinds problem was. I mean, let's be honest, if SolarWinds broke in most environments, it wouldn't mean you couldn't sell widgets anymore or that you couldn't sell insurance or perform banking operations. Yeah, maybe you just don't have visibility into your network gear for a minute or what have you. But what does it have access to? And the answer is, oh my gosh, all of our critical infrastructure.
Dave Shackleford: So I think there are numerous perspectives as to what those priorities should be: what's the impact if something happens with that vendor or that product or that service to the business operations, but then, number two, if the vendor's compromised or if there's a definitive security challenge, what could that lead to subsequently? And so both of those do factor into that prioritization ranking, for sure.

Amanda Fina: Perfect. Well, thank you so much for that response. It looks like we're at the top of the hour. So, we've used all the time that we had. So thank you guys so much for joining. Dave, pleasure to have you. Scott, always great to see your face. And thank you all for joining. I really do appreciate your questions and your participation and your attendance. So this will be in your inbox tomorrow, or maybe sometime sooner today if you're lucky. And thanks so much. We hope to see you at the next one. Bye, everybody.

Dave Shackleford: Bye now.
©2025 Mitratech, Inc. All rights reserved.