2023 年 5 起最严重第三方网络安全事件的教训

Melissa: and um you know a few intros. My name is Melissa. I work here at Prevalent in Business Development. And today we have a returning guest, Dave Shackleford of Voodoo Security. Welcome back, Dave. Dave: Thanks for having me. Melissa: And let me go ahead. I definitely launched the wrong poll. So, excellent. I’m Thank you. That’s a Thank you, boss. He’s watching. Um I have one job, right? But anyway, we also do have Scott. So, answer this one and then I’ll switch and then we’ll answer the second one in a get it. But we have Scott here. He is the VP of product marketing. He’ll dive into how we may be able to mature your TPR and program at the end of this session. So, hello Scott. Scott: Hi, Melissa. Melissa: And as a little bit of housekeeping, this webinar is being recorded, so don’t take notes or anything. You’ll get this and the slideshow shortly after the webinar. Uh lastly, you’re all muted, so just use that Q&A box, you know, for those burning questions. Feel free to ask them anonymously. Um and yeah, I’ll go ahead and hand things over to Dave as he breaks down the lessons from the five worst third party cyber security instance of 2023. Go ahead Dave. Dave: Awesome. Hey, thanks and uh thanks everybody for joining. Dave: You know it’s it’s always fun uh the these sort of endofear looking back looking forward kind of kind of webcasts. Dave: Um you know it’s never a bad idea to take a you know take a pause and look around and say okay you know what happened this year. Dave: Uh I think progressively for any of us that have spent time in the cyber security industry that you know it’s it’s never good right we never get to the end of and go, “Wow, you know, that was a pretty mild one.” Dave: You know, like it doesn’t ever feel like that uh these days, right? Dave: It definitely feels like there’s always been something dramatic or some significant incidents. Dave: And truthfully, what that means for people like me that that sort of want to hang out and talk shop with all of you is uh you know, it’s a tough job to to go back and and sort of parse through all the things that have happened and and pluck out, you know, the top x number and say, “Hey, these were definitely the worst.” Dave: And so, you know, there’s my caveat. Dave: This is somewhat subjective, you know, just sort of based on all the things that we’ve observed, some of the trends that we’ve seen over the course of the past few years, um, etc., etc., right? Dave: So, there there’s my, you know, there’s my disclaimer as we head into this. Dave: And by the way, um, I’m I’m always happy to have anybody chime in if you’re like, “That’s not the worst, Dave.” Dave: This is the worst, right? Dave: We could probably just hang out and talk shop about a lot. Dave: But what I was able to do was pull together some of these different incidents and say, “Hey, you know what?” Dave: Um, there really were some interesting things to take away. Dave: Uh, I think some of these are probably going to be fairly transparent. Dave: Um, it wouldn’t surprise me whatsoever if many of you are dealing with these kinds of things yourselves. Dave: You’re having conversations internally and with peers throughout the industry. Dave: So, it’s not as though any of these are going to be aha moments where you go, “Oh my gosh, never even thought of that, Dave.” Dave: But I think there’s some subtlety to them, too. Dave: I mean, there’s there’s a little bit of nuance to a few of these that you know, we just have to step back and go, well, okay, what, you know, what’s going on? Dave: So, yeah, it’s been a year, right? Dave: And, you know, this is my somewhat snarky, you know, maybe uh, you know, a little bit sarcastic view of the whole thing, but it’s funny. Dave: Um, you know, I I I talk about security all the time. Dave: Um, and and you know, in various ways, and various different topics, and what I’m realizing, I mean, tell me if this is weird, right? Dave: It’s kind of crazy to me. Dave: I mean, ransomware ransomware It just it’s it’s become so common and there’s just so much of it swirling around out there uh you know in the community and in these breaches and things that I I’m you know I put yawn here because not because it’s it’s something we can just go yawn whatever. Dave: Um but I think we’re getting used to hearing about it. Dave: I’m not saying that’s a good thing either. Dave: You know it’s sort of like the you know the news is the same all the time. Dave: Um you know I’ll tell you honestly it’s it’s the way I feel like every year when we get these reports that come out right whether it’s like the Verizon DBIR or some of the other more kind of like well-known and well- reggarded industry reports. Dave: And there’s so much great, you know, data that that’s out there now. Dave: And every year I I sort of have this maybe bizarrely optimistic hope that we’re going to see some definitive changes in the top three to five, right? Dave: The things that have caused the breaches. Dave: What are the things? Dave: And I’ve been wholly and sorely disappointed for the past, you know, I don’t know, decade when I see the list because it’s it’s it’s it’s fishing, right? Dave: Right. Dave: It’s fishing again. Dave: You know, how did this thing happen? Dave: It’s fishing, you know, or or it’s, you know, it’s credential theft or what have you. Dave: So, like, you know, okay. Dave: So, you know, yawn. Dave: Okay. Dave: You know, things like denial of service. Dave: Now, I will say we did see a really interesting denial of service attack earlier this year that didn’t really end up having a lot of impact, but uh it because it kind of got caught by uh like Google and and Amazon and and uh you know, and some of those providers, but it was this really new and very sort of innovative attack against HTTP2 which we had never had never seen before and and so I was like okay well at least that’s I guess that’s kind of interesting I mean they’re innovating a bit out there that’s not good for us incidentally but you know okay but it’s you know it’s it’s like a lot of the same stuff the thing that I have found myself really having much more sort of in-depth and meaningful conversations around uh in a lot of these cases is you know supply chain it’s just there It’s just it’s a it’s a thematic element of so many of these things. Dave: And I did just see Mark’s I just had a comment that came in. Dave: You know, I guess if you were impacted, well, you know, that makes it a top five event for you. Dave: Absolutely. Dave: Right. Dave: Like I said, this is my tongue and cheek. Dave: Look, we we’re allowed to be a little snarky at the end of the year, aren’t we? Dave: Right. Dave: I think we can. Dave: I know everybody’s desperately hoping to uh you know, just you know, shut down the projects for the year. Dave: Uh you know, sail off into holiday seasons and things, keeping the fingers crossed because I mean, everyone knows that attack don’t occur uh during the holiday season. Dave: Of course, right? Dave: That’s of course um but but look, you know, coming back to this supply chain to me um what’s happening with the whole concept of supply chain risk. Dave: This is not a new topic. Dave: We’ve all been, you know, dealing with supply chain risk and thirdparty risk management for years. Dave: You know, whether it was predominantly through a procurement organization or, you know, yeah, your vendor management teams um or or whether it was sort of an ancillary element of just maybe a couple people’s jobs, you know, it’s contract and so forth. Dave: Well, this is not new. Dave: Um, but what is new is the realization that the attackers have caught on to the fact that all of us, every single one of us that are hanging out here right now today are inextricably sort of woven into a variety of different third, fourth, fifth party arrangements and relationships that you can’t extricate yourself from. Dave: Um, you know, there’s no way to just, you know, especially for certain critical providers, certain critical vendors, you know, I’ll give you an example. Dave: The one I always give people when I’m talking about this with clients and with students that I teach at SANS and stuff. Dave: It’s like look, I mean, how many of us right now, now some of you might be able to answer this. Dave: I mean, again, so again, a little thing cheek, but how many of us right now could say, okay, um, Microsoft is shut down, right? Dave: Like m all Microsoft cloud services are toast. Dave: Um, they’re completely offline. Dave: What how many of us could hang out for a period of time, right? Dave: So, so you start thinking about things like that and again you you know some organizations um you know some organizations might not be big Microsoft shops but it’s it’s a good example it’s just a huge provider there uh you know a major element of people’s continuity strategies as much so as their ongoing day-to-day business productivity strategies there’s a lot of things that would go terribly horribly wrong if they were wholly unavailable um you know but but even looking at this through a different lens what happens if somebody like Microsoft that again we’re you know maybe woven into and I’m not trying to pick on Microsoft here by the way right I I don’t have a whole lot to say about them in this discussion per se I’m just using them as an example of a big provider um but if they get compromised and by the way that has happened pretty recently uh pretty nasty one uh incidentally all of us have to look around a little bit and and sort of ask ourselves okay what does this mean for me right I mean what data do they have of mine um how exposed could I be could this have opened the door for other sorts of scenarios internally within the Microsoft ecosystem and infrastructure that we hadn’t necessarily thought through entirely before this and on and on. Dave: And so when you start talking third parties, that’s where again this changes the nature of the risk profiles, right? Dave: We’re a lot of organizations will admit that we’re still not great uh at managing thirdparty risk holistically. Dave: And there’s just so many reasons for this. Dave: I mean, and I, you know, and I’m not a fingerpointer because I I’ve just seen this. Dave: I’ve lived this. Dave: I’ve worn the hats uh that many of you may be wearing. Dave: Okay, whether as a security uh leader or somebody just down in the trenches just fighting the fight. Dave: Uh you know there are a lot of factors for this. Dave: Um you know there too many thirdparty organizations is is right at the top of the list. Dave: I mean I’ve got some clients and this is I’m sure an apt description for a few of you with uh thousands right thousands of third parties. Dave: How in the world do you even hope to keep up with that? Dave: Right? Dave: It’s it’s it’s it’s daunting and uh you know an extraordinarily difficult thing to to get over. Dave: Right? Dave: So that’s number one. Dave: um not enough time, you know, not operational capacity. Dave: This is something we actually talk about at SANS a lot. Dave: Um and I’m sure many of you know I’m a I’m a SAS instructor and course author and stuff too. Dave: So it’s a it’s a pretty well-known hat of mine, but you know, we’re always, you know, because the the job of SANS, we train people, right? Dave: We try to train people to, you know, get their jobs done and get their jobs done more effectively. Dave: And so we’re always mulling this around and asking not only ourselves but the community at large, hey, what’s the, you know, what’s the headache? Dave: You know, what are the big challenges? Dave: And I think every single year the past maybe 10 or 15 20 years running. Dave: I mean, this is a long time. Dave: One of the big things that comes in is we just don’t have enough time to get the job done, right? Dave: I mean, there’s just not enough capacity within a security team um for all the things that we’re now juggling and you’re trying to add more work with regards to thirdparty risk management on top of that. Dave: It it just doesn’t always jive. Dave: Um you don’t have the right types of risk assessment capacity or you can’t get the right information around some of these third parties. Dave: And and that’s a and that’s a problem that you know I know uh you know Scott’s going to probably talk about a little bit at the end here but you know that that’s a problem that unfortunately is not always 100% under your control right because some providers just don’t give you as much information as you want this is an ongoing issue you know we’re not going to necessarily solve all those types of things today um I’m certainly not going to be solving all those types of things today but I think it’s really important that we’re having these discussions and I think what you know we’re starting to come to the conclusion of is that there’s just so many scenarios that are unfolding, the big stories of the years, uh, you know, we’re we’re seeing, and we were doing this last year, right? Dave: I think we’ve talked about this stuff progressively in the last couple of years. Dave: I know I’ve hung out with the prevalent crew and talked about this in the past as well. Dave: And it’s always interesting, like I said, to look back and go, okay, you know, what’s happening? Dave: We’ve had a ton of different incident types this year. Dave: And and this is just a, you know, sort of generic example of stuff. Dave: We’ve had, you know, service failures. Dave: We’ve had some really interesting insider scenarios that have unfolded. Dave: We’ve had, yeah, intellectual property theft all over the place. Dave: Um, you know, major malware infections, all sorts of different intrusions. Dave: Again, denial of service was a big one. Dave: Um, the list goes on and on. Dave: I wasn’t trying to encompass all possible incident types, but what’s interesting is to take this list and say, okay, which of these are directly related to third-party scenarios, right? Dave: Whether it’s them getting breached or us getting breached through them or other factors, uh, you know, you start to sort of look at these classic models of incidents through a little bit of a different lens. Dave: And so, let’s start, right? Dave: Let’s jump into it and get into the first one and I’m I’m pretty sure this one is not going to come as a shock to anybody out there. Dave: Um um and and you know I I found myself I was talking about this uh not not too long ago. Dave: Uh you know there was another um you know sort of discussion panel that that I was on and um and I was chatting with some some fellow folks in the industry and we were talking about this right we were talking about progress software uh and this whole you know continued ongoing sort of nightmare. Dave: Um that is the move it saga and now some of you it’s not going to surprise me and you know I don’t need I don’t need a show of hands here um but some of you might be dealing with this firsthand right we we’ve got thousands of organizations that were using this platform for file sharing and distribution um you know and what you started to see was just this onslaught I don’t think there’s even another way to describe this this sort of onslaught so again I was talking about this recently I’ll get into the meat of this thing here in just one second and I had this sort of moment and I, you know, it’s it’s rare when I have these moments, but I had this moment where I felt like I was picking on them, right? Dave: I mean, it was it was pretty funny for me and I and I didn’t like call it out, make a big deal out of it, but I I sort of, you know, I sort of came to this realization that uh, you know, I was really I was being pretty harsh about this company. Dave: Um, and and I’m sure some of you probably have some opinions. Dave: And what was really interesting about this is, and again, I won’t name names here, but I had uh somebody that I’m connected to over on LinkedIn send me a follow-up. Dave: They were lurking, right? Dave: They didn’t chime in during this uh this session that that I was I was, you know, sort of co-hosting, but they sent me a note afterward and sort of gave me this this, you know, sort of back door, you know, backstage intel um about some of the things there, right? Dave: Like there had been some major leadership changes, all these things that are going on. Dave: And, you know, this person’s somebody that I’ve known in the industry for a long time and and he very clearly said, “Hey, Look, I’m not trying to make excuses for this organization, but it’s always interesting to know a little bit more detail about uh you know, some of the things that that have transpired, right? Dave: Like there’s um you know, like actually like key security leader had passed away. Dave: Like all sorts of crazy things that had gone on that I you know, I didn’t know, but I I hate to say this because it sounds a little bit callous. Dave: Um we’re on the other side of it all, right? Dave: We’re on the other side of it all and reasons are reasons and things happen and you know it and I know it. Dave: we know it. Dave: But, uh, that doesn’t give anybody the excuse to just drop the ball. Dave: And balls were dropped. Dave: I mean, there’s just no way around it. Dave: Um, you know, there’s I mean, we had numerous zero days for this thing, just all over the place. Dave: I mean, if you go back sort of progressively, uh, you know, and look at the timeline of this, I mean, here’s this ransomware gang started abusing this zero day. Dave: Um, and and you know, look, zero days are getting a lot more common. Dave: I don’t want to divert us down that that path here entirely, but um, You know, I remember when I I mean, I started teaching classes for SAS in like 2005. Dave: And I remember looking at my class and going, “Okay, we need to talk about zero days or O days, but you’re not likely to see one anytime soon, right?” Dave: And and back in those days, that was true. Dave: And that’s just not true anymore. Dave: These things are getting dropped. Dave: Um they’re showing up out in the wild. Dave: I can’t remember what the last number was for uh Chrome. Dave: I think it’s up to like 12, 13 or I can’t remember what it was for the year, but I mean, it’s a lot, right? Dave: Like you’re starting to see really nasty stuff hitting all the time. Dave: And sure enough, Um, you know, we started to see patches getting issued and progress to be fair was was, you know, trying to respond to everybody. Dave: Um, they issued a couple more patches in June. Dave: Um, you know, like further vulnerabilities, other types of things that were getting compromised. Dave: Um, you know, there’s legal actions that are going on. Dave: Like this is this is just an unbelievably nasty one. Dave: And, uh, what we’ve actually seen is the fallout of that. Dave: Um, you know, and there’s just I mean, there’s too many examples to even to even cite here, but you know, for example, uh the the government in the state of Maine said, “Yep, we lost uh information about 1.3 million people, right?” Dave: So like, you know, they they were some of the early ones to basically realize this and say, “Yep, absolutely.” Dave: It was leveraged against us. Dave: Um uh there were, you know, a bunch of people that were, you know, like I mean, basically coming in accessing stuff. Dave: I mean, it’s just it’s nasty, right? Dave: Apparently, these same hackers were, you know, they got a they got like I don’t remember how many like hundreds of thousands of government emails uh that they got access to. Dave: Like there’s just so many nasty things that have been going on and it’s just a matter of saying you know okay um you know this is a bad one right so so there you go that’s why this one’s in the list but um you know I I always want to bring it back to like you know what did we take away from this right what are some of the things that we learned from this um to me this is one of the big standouts on software supply chain right and and we’ve had some really juicy nasty software supply chain uh scenarios that have unfolded um you know and I’ve talked about some of these uh in fact here with the team at Prevalent. Dave: In fact, somewhere um I’m sure that’s archived uh on on their site. Dave: We did a really fun one a while back that really delved down specifically into software supply chain and we talked about things like software bill of materials and some of the interesting things that are evolving here in the industry. Dave: Um but I think if we’re sort of bringing this back to home base and saying all right what do I need to take away from this? Dave: I think it’s the importance of number one saying all right um we need to do a better job of knowing what software we’ve got. Dave: I mean, especially if you’re a big organization, it is real easy to lose track. Dave: Um, especially if you’re a fragmented organization where you’ve got different business units, maybe different geographic uh teams that have some autonomy. Dave: They can kind of do what they want uh and do do what they want. Dave: Um, do we have a full inventory of what the software is and and and our dependence on that software? Dave: The software is in a relationship with critical systems and data and who’s got access to it and who manages it. Dave: And and these are all good questions and I know that you know this. Dave: Um the thing that’s that’s really apparent to me though is this sort of dawning sort of sinking feeling that it’s real easy to lose track of this stuff. Dave: Um you know some some folks have a like a CMDB out there. Dave: Some folks have a pretty decent inventory. Dave: I’ve seen some GRC platform tie-ins of just trying to track your software and and you know this goes back to like the you know classic days. Dave: I remember the early days of the um uh the SANS top 20 when we first came up with that. Dave: Of course, now that’s the CIS critical controls. Dave: And everybody agreed the top two things should be know where your stuff is and know what’s running on it, right? Dave: So, it was, you know, assets and then software. Dave: And they’ve stayed at numbers one and two forever and they probably always will be. Dave: It’s hard. Dave: Um, it can be hard, but I think more important than ever to get a sense of this. Dave: And and to me, it’s not so much just to say, “Hey, what’s our software?” Dave: That’s that’s that’s great. Dave: You know, that’s maybe a little cliche, but to me um you know what I would say is look it’s less about just having a full inventory of software yes that’s important it’s more about the prioritization of that software and where it touches your infrastructure and maybe your customers and and this is why I think the move it scenario is so bad because their software was almost invariably used to share things you know both inside and outside the organization which means that you know ransomware dissemination was potentially happening not only to you because you’re the one that sort of maintains and operates the Move It platform, but to anybody that was manifesting or accessing the data that was there. Dave: They could have, you know, easily been gaining access to compromised files and things that were used to then drop command and control and ransomware and everything else. Dave: And so, like, it’s a really interesting one. Dave: Um, not only I mean, look, we could we could talk about the Solar Winds. Dave: I mean, like there’s so many interesting ones that we’ve seen over the course of the past few years. Dave: This is not a new topic to uh to us. Dave: Um, but I think when you see one like this where it’s like, okay, um, you know, good example of this, right? Dave: So, I’ll I’ll equate it to one that I’m sure many of you have, you know, sort of talked about over the past few years, but I I’ll come back to to something like Solar Winds. Dave: Um, Solar Winds was bad. Dave: Okay, agreed. Dave: Nobody’s going to dispute this. Dave: But the one that stood out for me was CASSA, right? Dave: Because what you’ve got is Solar Winds as an incident, you know, scenario there, but then it’s a service partner, right? Dave: So, it’s basically managed services that had tendrils out into a number of other organizations and so you saw this sort of you know chained effect happening that’s exactly the kind of thing that happened with move it because of the nature of the software itself and so I think it’s never a bad time to stand back and and talk to key stakeholders and say all right what do we have what is its priority what is its criticality and you know let’s bring it back to the third party what the heck is going on in their software development environment right um you know I think the time is is now um for organizations to start getting a lot more um you know a lot more strict about demanding some of this stuff from our key partners and our key providers and you’re going to go ask you know your top 20 software solutions for something like an SBOM right a software bill of materials and you’re probably not going to get a lot of them providing that yet but they’re never going to do it if we don’t ask and so I think starting to go down that road is not a bad idea and that’s the big takeaway it’s time is now. Dave: We’ve really got to get a better handle on these software supply chains. Dave: Every one of uses software. Dave: Um the one that really terrifies me the most. Dave: It’s not so much the software that’s in house. Dave: Yeah. Dave: Okay. Dave: We all get that one. Dave: Um to me, it’s the service providers that we rely upon and their software and where are they getting it, right? Dave: Because this, you know, it’s turtles all the way down on this thing and and it can really be very very difficult uh to keep track of. Dave: So, all right, let’s talk Vegas, baby. Dave: Okay, maybe not, right? Dave: Let’s talk about casino breaches. Dave: Um um you know, the the nature of this one. Dave: Um I mean, gosh, there’s so much interesting stuff to talk about here. Dave: Um and and and none of it has anything to do with the fact that it’s casinos inherently. Dave: I mean, I you know, these are huge organizations, right? Dave: There’s they’re huge organizations that have gaming, uh they have hospitality services, um you know, their their resorts, you know, there’s there’s a lot that’s that’s going on with this one. Dave: But the thing that I think makes it interesting um is sort of the, you know, the the tale of two cities, right? Dave: You’ve got sort of the city mouse, country mouse kind of thing going on here. Dave: Um and for any of you that have paid attention to this, um you know, it’s it’s basically like, okay, um you know, what do we what do you do, right? Dave: What do you do when things hit? Dave: Every one of you I’m I’m making a guess here, right? Dave: I’m taking a stab. Dave: Um every one of you has probably been having conversations inter ally. Dave: Um, do you pay or do you not pay? Dave: Um, right. Dave: And we don’t have to we don’t have to have a big debate about that right now, but but it’s like, okay, this this stuff hits um you know, do you pay or do you not pay? Dave: There is maybe I don’t know in the last couple of years nowhere more clear um of of sort of a difference between one that did and one that didn’t tale of two casino organizations. Dave: And so like it was a really interesting thing. Dave: And there’s there’s way too many factors for me to say, hey, that that that’s the only factor here, right?] Dave: So, please don’t take that away. Dave: Um, these ransomware attackers are all over the place, right? Dave: Alfie, uh, scattered spider, they’re they’re very well known. Dave: They’re very well known for, um, like brutal, very high-speed, extraordinarily high impact attacks. Dave: Um, you know, there’s just there’s a whole other like, you know, boat of things that go along with this. Dave: But I I think if you look at the difference between what Caesars did did and what MGM did. Dave: Um, I think the numbers tell that story at least a little bit. Dave: I I don’t think it tells probably the whole story, but I think it probably tells a little bit of that story. Dave: Um, you know, so let let me let me hit some questions. Dave: We got some stuff that came in here. Dave: Um, you know, so the first question came in from Jeffrey. Dave: This happened to Jeffrey. Dave: Uh, when you’re assessing a vendor, um, you know, what docs would you require versus request and consideration of their controls environment which may indicate the level of a resilience of resiliency they have? Dave: Um, you know, ask for sock 2 type 2, you know, ISO 27,0001, um, you know, etc., etc., you know, would you consider these ideal or enough? Dave: That’s a very loaded question, and I know that’s one that Scott’s going to address here a little bit later on, too, and probably has some thoughts on, but I I will tell you, um, you know, what what is enough, right? Dave: What constitutes enough? Dave: I I think I think there’s a really dangerous precedent in saying, hey, as an industry, we’re we’re saying, you know, this is this is good enough, right?] Dave: Um, you know, this is uh you know, this is this is good enough for us. Dave: Um you know, or not. Dave: I I would say um to me uh you know, we’ve got to push for more. Dave: I mean, how many of you have seen sock 2 reports that were pretty, you know, pretty weak sauce? Dave: Uh you know, ISO 27,0001. Dave: I mean, and nothing against the standard. Dave: It’s a really nice solid, you know, robust standard. Dave: Um but I I will tell you, um I’ve read a lot of these types of assessments that feel very much like a checkbox. Dave: exercise. Dave: Uh, you know, there’s no real depth there. Dave: And I think, you know, it it’s incumbent upon us to come up with better ways to facilitate providers creating more thorough and more categorically accurate depictions of their controls than some of these current standards actually lend to us. Dave: I mean, I think if if I were pushing for this, I’d probably push harder for things beyond just a SOCK 2 type two and and an ISO report, but I’m probably not going to get them. Dave: That’s and that’s I guess maybe what I’m saying. Dave: Um it’s it’s tough. Dave: It there there’s no there’s no easy answer to this because this requires sort of an industry level push to facilitate moving in that direction. Dave: All right. Dave: But great question. Dave: Um had another question come in. Dave: Um how is the ESBOM assessment and what elements to look out for that will be pointers to good or bad practices? Dave: Um that’s a bigger discussion than we have time for here unfortunately. Dave: Um but I mean you’re talking software supply chain. Dave: You’re talking about development practices, care and management and you know care and feeding. Dave: of secrets, privilege management that goes into this. Dave: Um, validation and execution of all source code. Dave: Um, you know, that’s a huge huge huge uh factor. Dave: But again, I’m going to I’m going to, you know, give you the recommendation um for the gentleman that asked the question about the ESBOM. Dave: Um, please check the resources page uh on the prevalent site and you can find the previous webinar that we did on this and there’s a bunch of pointers in there and it should be a pretty good starting point for you. Dave: But awesome question. Dave: question uh as well. Dave: So yeah, yeah, lots of factors here. Dave: So many interesting things to look at, but these are hard problems, right? Dave: These are hard problems. Dave: And you know, the unfortunate part about um the unfortunate part about these casino breaches, and I mean, I I I’m not going to get on a soap box here. Dave: You don’t want that. Dave: I don’t want that. Dave: Um the team at Prevalent really probably doesn’t want that. Dave: I don’t know, maybe they do. Dave: I don’t know. Dave: But I, you know, human error. Dave: I mean, we’re back to this. Dave: This goes back to my comment about these, you know, industry reports every year. Dave: It’s like, “Oh, good.” Dave: Yeah. Dave: All right. Dave: It was fishing. Dave: Was it fishing? Dave: It was fishing, right? Dave: It’s sort of the the running joke about it always being DNS. Dave: Uh, when it comes to breaches, it kind of feels like it’s fishing. Dave: In this case, it was uh, you know, it was basically voice fishing, right? Dave: It was fishing. Dave: You know, they called them up. Dave: It’s social engineering. Dave: It’s classic stuff, you know. Dave: I mean, and I don’t I don’t know if the claims that these hackers made that they, you know, 10 minutes was all it took, but they gained access to accounts and um, this thing unfolded na like in a very nasty fashion from there. Dave: They hijacked accounts. Dave: They had access to the infrastructure at Octa as well as within Azure. Dave: Um, they had tons of compromised data. Dave: Uh, there was employee data that was breached. Dave: Um, you know, casinos. Dave: I don’t know if any of you have ever bid visited the MGM or Caesars or these kinds of places. Dave: I mean, I’ve done this just for conferences and things. Dave: Um, you know, they have a ton of data, you know, just to check in in a hotel room, you know, excuse me. Dave: They’ve got they’ve got your information. Dave: So, I mean, it doesn’t mean that you were a gambling person. Dave: You just, you know, just to have any, uh, you know, sort of facility access and things, you’re going to have to have some of the data. Dave: card numbers or you know who knows what. Dave: So yeah, there’s a lot of things that that sort of shook out uh as a result of this and um you know the thing that’s like ah yeah the help desk I mean so this is uh this is a this is a huge one um you know that that I’m like you know just it shouldn’t be this way my friends um um you know it just it just absolutely shouldn’t be um you know this way at all and uh you know but I mean here we are right so I would say look Um I I think I think we the time is right for help desk organizations and and a lot of these help desks we’re talking thirdparty scenarios. Dave: Um there’s two sides of it with uh with this with this um set of breaches, right? Dave: Number one, some of this help desk uh infrastructure and some of the personnel from what everything I’ve read were in fact outsourced organizations. Dave: So you’re dealing with third parties there. Dave: Um which is very common today by the way. Dave: Um the other factor is on the other side of it where numerous third parties I mean um huge Organizations like MGM and Caesars have um you know a huge numbers of partners. Dave: There are things linked all over the place from their infrastructure and into their infrastructure and then out and those uh those parties were all immediately at risk as well. Dave: Um you know the big factors that stood out to me um people’s accounts got hijacked you know like like privileged user accounts got hijacked here that should not have been that easy to hijack right there should have been more validation um you know there should have been some stronger step up controls for privileged users. Dave: Um you know I think I think this is some place where it’s just never a bad idea to come back and say could this happen to us. Dave: Um you know could this potentially occur within our environment? Dave: Um and you know test it yourself. Dave: Uh make sure that there’s absolutely no way that somebody’s getting a password reset or you know or account access simply by calling up somebody and saying yeah you know I need my accounts blocked or something like this and look speaking as somebody that’s and I’m I’m a consultant when I’m not hanging out like this. Dave: Um, you know, I do pentests all the time. Dave: I’ve done a lot of social engineering work. Dave: In fact, I I’m the author of a class on it over at SAND. Dave: So, I can talk about this all day long and I’ve done it myself, right? Dave: And I’ve been sort of sadly not surprised when I’m successful at getting people to do these kinds of things. Dave: But it’s 2023, right? Dave: We’re at the end of 2023 and we’re still dealing with this. Dave: Um, I think it’s it’s a great time to look inwardly and say, let’s let’s figure out, you know, some way to potentially put a stop to this kind of stuff, at least within our own environments, right? Dave: It’s just it’s just absolutely uh you know, it’s it’s time it’s time for that to die. Dave: But again, going back to the to the sort of difference that stood out um you know, the difference that stood out between these two providers, you know, one said, “We’re paying.” Dave: Here’s 15 million bucks. Dave: Thank you. Dave: And they they got out of it from everything we’ve seen. Dave: Um the other said, “Nope, we’re absolutely not paying for it.” Dave: And uh from everything we’re seeing, they’re they’re sunk to the tune of about 100 million so far. Dave: Um and uh you know, it was just it’s just messy. Dave: I mean, you know, I I I never wish this upon anybody, but it is kind of an interesting dichotomy. Dave: Um so, all right, let’s move on. Dave: And I don’t want to pick on these folks either, but wow, what a bad year. Dave: Um they’re having a bad year. Dave: Uh does anybody disagree with this? Dave: I don’t think so. Dave: I don’t think any of you would probably disagree because we’ve seen them in the news way too many times, right? Dave: There have been way too many scenarios that have involved the name Octa. Dave: Um, you know, and it’s like, okay, you know, what’s what’s really happening over here? Dave: Um, and I’ve got a real time update for this one, too. Dave: So, that’s kind of fun as well. Dave: Um, but but you know, you look at this and say, all right, um, you know, what what’s going on over at DOCA? Dave: So, long story short, uh, you know, Octa came out and said, hey, um, you know, we had this breach of our support systems. Dave: And um you know a whole s sort of long and interesting saga related to that. Dave: Um but but they sort of came out and said um you know hey look only a fraction of customers are affected by this stuff. Dave: Coffee break only a fraction of our customers are impacted by this. Dave: Um you know 1% if I’m not mistaken I think they said 1% of our customers uh you know were were affected and um you know unfortunately uh you know lots of other things started to shake out as a result of this. Dave: Now if you go back you know, sort of progressively. Dave: Um, you know, Octa’s had sort of a spotty history. Dave: I mean, I don’t want to take us back into last year. Dave: We’re in this year, right? Dave: Um, but last year, uh, you know, they said, “Hey, we we lost some source code.” Dave: There was another third party breach that came into their network. Dave: So, you’ve already got sort of this, you know, gray area that’s going on with Octa. Dave: And that’s where this whole thing started to unfold. Dave: And, and look, I I’m not a I’m not a betting person myself, but I feel pretty confident in saying that the scenario that happened in 2022 was a direct predecessor to the things that happened here in 2023. Dave: I’m feeling confident in this. Dave: I think there was a lot more going on within Octa that we knew than we knew about. Dave: Um you know, again, who nobody wants to speculate, but it feels feels kind of related, right?] Dave: It feels like probably related. Dave: So, back to the back to the present. Dave: Um you know, they were these guys got hammered. Dave: I mean, there’s just no there’s no question about it. Dave: And you know, they had to come back very recently. Dave: What was it? Dave: You know, just what in the past two weeks I think and say, “Oh, yep.” Dave: We were wrong. Dave: Um, every single one of our customers was impacted, right? Dave: Yeah. Dave: This was like a week ago, right? Dave: A week, week and a half ago, something like that. Dave: But they they had to come out and say, “All right, that 1% that wasn’t right.” Dave: Um, everybody is impacted by this. Dave: And look, I some of you I’m quite sure, again, no need for raising hands here, but some of you are I’m quite sure Octa customers. Dave: It would not surprise me in the least. Dave: They’re a pretty big shop. Dave: Um, you know, likely one of the top identity and access management companies in the world today um for single sign on and federated access and all sorts of things, right? Dave: They got a a pretty big ecosystem of offerings. Dave: Um, but you sort of come back and say, “All right, you know, how did you miss that?” Dave: You know, how how did it go from 1% to everybody, uh, you know, very, very quickly. Dave: And so it’s like, okay, um, you know, there there you go. Dave: Well, the reason that this one follows the the Caesars and MGM is because I think there’s some tie-ins to this, right? Dave: There were some tie-ins to the Octa platform. Dave: Um, there’s there’s there’s a sort of swirling interreationship and juxtaposition between Octa being compromised and accounts being hijacked and compromised within Octa customers. Dave: You know it, I know it. Dave: You know, these things are tied together. Dave: And what that tells you is that there’s definitive levels of targeting going on uh for identity and access management uh vendors because they’re in the middle of everything, right?] Dave: I mean, and I’ I’ve actually been, look, this is not a soap box because, you know, I make tons of predictions that are completely off base. Dave: But, you know, I said this years ago when I started to see people using identity providers, right? Dave: These identity as a service uh infrastructure providers and I’m like, look, they’re in the middle of everything. Dave: You know, if number one, if they have a problem, you have a problem there. Dave: There there you go. Dave: Uh but number two, if they get popped, you might really have a problem. Dave: If they get compromised, I mean, now, you know, the term keys to the kingdom is just massively overused, but this might be it, right? Dave: This might quite literally be it uh as far as things go. Dave: And so I come back to this breach and I say, “All right, um, you know, this one’s this one’s a bad one.” Dave: Um, you know, and and I mean, talk about lessons learned. Dave: Uh, this is a single point of failure. Dave: This is um, and you know, if if I came into your organization as a consultant, and we were talking about, you know, let’s talk about business continuity, disaster recovery, and just resilience all the way around. Dave: And I said, “All right, you know, let’s let’s, you know, let’s let’s brainstorm here.” Dave: Here on the whiteboard, tell me the top 10 technologies that you absolutely have to use every single day to get everybody’s jobs done. Dave: And if you’re using somebody like Octa, they’re in that list. Dave: There’s just no way they’re not. Dave: Um, that puts you in a position, a precarious position as an organization where if they have failure scenarios, you’ve got failure scenarios in a lot of different ways. Dave: I mean, just like, you know, if they’re having a bad day with regards to uh, you know, uptime and availability, you probably got problems, right? Dave: If they’re having a problem with uh, API, is you got problems, right? Dave: There’s just so many ways this whole thing can go wrong. Dave: And I think it’s it, you know, it’s it’s sort of beholden to us to say we got to we got to press these folks. Dave: I mean, hard, you know, if they’re in the middle of every single authentication and authorization transaction that is being performed for all of our critical stakeholders, all of our stakeholders. Dave: Um, I need I need a lot of depth about their security program. Dave: Um, you know, number one, what’s the, you know, single point of failure scenarios, what’s the prioritization of the vendors? Dave: Um, how much access Do they have how much access, you know, could attackers get to and through them? Dave: Um, you know, do we know anything about the reputation? Dave: I mean, like, here’s the interesting thing. Dave: And again, I’m not a I’m not a fingerpointer. Dave: I I just don’t believe in it. Dave: Everybody out here is a target right now. Dave: Um, I I look at this and say, okay, when this stuff happened to them last year, um, yeah, I just saw a comment come in. Dave: Microsoft, another great example of this. Dave: Um, you know, and and again, I I swore I was not going to pick on Microsoft in this one, but it’s like, okay, look, um, they have a big problem. Dave: But I look at this and say, “Okay, h how many people flagged Octa reputationally after last year and said, “We don’t trust them anymore.” Dave: Almost nobody. Dave: I mean, just being candid here, I talked to a lot of clients. Dave: I talked to a lot of people out in the industry that said, “Ah, well, seems like they’ve got it under control.” Dave: I mean, I think I actually heard that from several people like, “Seems like they got it under control.” Dave: They must be doing things right.” Dave: I don’t think they were. Dave: I think there’s probably some big gaps there. Dave: Um and in fact, to come back to my real-time update, because who doesn’t love good real-time updates, right?] Dave: Um, this is happening right now. Dave: Uh, I don’t know if any of you saw this news. Dave: Octa just came out and announced that they are basically shelving all of their product development work in favor of shoring up their security. Dave: Look, any technology vendor that basically comes out publicly and says, “Hey, those product road mapaps we’ve been selling you on, they’re on hold for a minute.” Dave: Um, because we have so many problems in our security space that we’re going to go ahead and try to fix that. Dave: I don’t I get it. Dave: I don’t know that there’s a win here for them. Dave: I I think they’re trying to shore up their reputation. Dave: That would be my guess, right? Dave: Again, I’m speculating here, but that is a massive announcement and that’s happening like right now as we speak. Dave: So, pretty interesting stuff going on. Dave: Um, you know, this is this is a big one and um and I think, you know, we’re going to see a lot more targeting of organizations like that uh in the imminent future. Dave: I don’t think there’s any two ways around it. Dave: Um, this one, you know, this one has the classic feel of, you know, just third party got breached and that was used to gain access to a bunch of sensitive data. Dave: So there’s a lot of similarity there. Dave: I mean the OCTA the breach I think was bigger in scope but the reason this one rankles um you know and for those of you that aren’t based in the UK you might not even know too much about this one but it’s the police force right so one of the world’s largest cities with major banks all sorts of things right their their law enforcement was basically compromised as a result of the supplier that they use for handling uh um here we are again ID cards and access controls, right? Dave: So, there’s that sort of interesting little twist on identity and access management in one form or another that ties right back into it. Dave: So, yeah, you know, again, like I said, to me, this one, you know, it’s it’s a it’s a pretty clear-cut one. Dave: Like, who’s got the personal data, personal data, track them very carefully. Dave: Um, number two, let’s look at the sensitivity of the data. Dave: I mean, this is law enforcement. Dave: I mean, it doesn’t get that that’s pretty sensitive, right?] Dave: That’s a pretty serious thing to be gaining access to. Dave: I mean, everybody data is important, but you know, you start gaining access to military and law enforcement. Dave: Um, things like this, I I just I I firmly came to the conclusion here at the end of 2023 that the time is right to really uh put anybody tied into identity and access management, whether it’s your badging access systems, whether it’s multiffactor, whether it’s uh you know federation and single sign on for cloud services. Dave: Um, you know, any and all those things need to to bump up the priority list right now um you know in terms of criticality and uh and an emphasis on what the vendors should be doing and what those providers should be giving back to us uh as well. Dave: So my final one for the year um this is a big deal um it’s ransomware. Dave: It’s ransomware again but there’s there’s there’s two things here. Dave: So number one uh this is a major medical products manufacturer and service provider. Dave: Um they have tons of commerce systems you know retail systems that are tied into them but like they’re they’re very much a part Henry Shine’s very much a part of a lot of medical supply chains. Dave: Um you know like they’re huge. Dave: They’re a major major major provider. Dave: And so imagine your your doctor’s offices, your dental offices are are you know incapable of doing a lot of the things they need need to do for really important medical procedures. Dave: And it’s it’s a result of Henry Shine being hijacked. Dave: And so to me this one was really bad just because I mean look it it it doesn’t it always feel a little bit bad? Dave: anytime uh you know you’re dealing with the medical space and wow we’ve got some really bad ones. Dave: I mean we just saw what a couple major medical facilities out in the state of California that just got hit. Dave: Um like I mean it’s it’s actually tough to sort of pick and choose when you start talking about medical suppliers and medical facilities. Dave: I mean all of them are bad period. Dave: There is no good one. Dave: Um but when you start looking at the the third-party aspect of this and sort of the inherent nature of how these types of technology providers and suppliers are woven into to how those facilities can, you know, treat people. Dave: Um they, you know, we have to take a look at that one, too. Dave: And this is where, you know, again, we’re moving into the supply chain part of it. Dave: Um here we are, right? Dave: We’re talking about supply chain. Dave: Um the the the other fact that made this one really interesting was um you know, basically that they got re-encrypted. Dave: So they you know, they they got their data back, you know, apparently and then came back. Dave: So October hacked uh you know, compromised uh you know, like locked down um and then uh you know, whatever they went through and there’s a lot of details that are still very murky about this one, but then um you know, again, got taken back back down, right? Dave: So, I I I sort of think, look, let let’s let’s take the ransomware angle a little bit on this one. Dave: Um I I think that if you’re if you’re heavily relying on a provider, right, whoever it is in whatever fashion, um and Henry obviously a big one, um is this something we need to start demanding to know, right?] Dave: What is your corporate policy on ransomware payment. Dave: It may or may not sway you in terms of decision-making. Dave: Um, but you know, do should we know, right? Dave: Like what’s your stance on this? Dave: I I actually think that there’s a there’s a lot of questions on this one. Dave: Um, but you know, you go back, this is another case, right? Dave: We’re talking about thirdparty risk. Dave: We’re talking about reputation. Dave: Huge FTC related consent order with Henry Shine back in 2016. Dave: Um, you know, they had and there were a lot of like EU findings. Dave: Apparently, they were negligent. Dave: They were deficient in a number of ways. Dave: What does that mean for us? Dave: Again, I don’t know, right? Dave: There’s a lot of speculation here. Dave: I don’t have the full details of everything that went on at Henry China, and I don’t know that they’ve necessarily disclosed uh, you know, all of the details about this, and I’m sure many of you are aware. Dave: I mean, this is one of the big drivers behind the uh very recent SEC changes in terms of disclosure and and so forth that are taking place like as we speak. Dave: Um, but you know, there I mean, yes. Dave: are providing updates, but they’re not giving us a whole heck of a lot of detail about like root cause, um, you know, etc. Dave: All they’re really doing is providing updates saying, “We’re working on the problem and we’re looking at getting communications and and e-commerce and so forth back up and running within XYZ period of time, right?” Dave: So, I mean, yes, they’re keeping you informed, but they’re not really telling you um a lot of the details that that I don’t know, I would want to know to see whether or not these um, you know, these folks were going to come back and and Sure enough, they did. Dave: So, to me, that’s a really interesting factor. Dave: You know, you didn’t clean it up. Dave: You thought you did. Dave: You probably told everybody coast is clear. Dave: You’re good. Dave: You’re good to go. Dave: And so, you know, you get, you know, everything back up and running. Dave: You’re hooked back to all of your uh medical offices and so forth. Dave: And then, voila, the attackers are back and now maybe they’ve got more access to things than ever. Dave: So, who knows? Dave: A lot of factors here, a lot of question marks, a lot of interesting things to take away, right? Dave: So, um before I hand it off, Scott, I’m gonna just, you know, hit a couple key things that I always like to sort of wrap up with. Dave: It’s never a bad time to review your third parties, right? Dave: Look at the controls that you need and want to feel comfortable. Dave: Um, you know, define remediation and arbitration processes uh when they don’t have good answers for you. Dave: Um, especially for vendors that you can replace and I’ll, you know, call out Move It. Dave: There’s plenty of file transfer solutions out there, right? Dave: You know, they’re not the only ones. Dave: A little different from somebody like Microsoft. Dave: It’s not that easy to replace them. Dave: Um, what are the kinds of things we should be asking for? Dave: I mean what’s the security of the software uh you know period what’s the ability of developers or providers to you know remediate um how can I validate gold images from you know the the software providers and from anyone that I’m relying upon their platforms and their software I mean this comes back to the software side of things I want to know more about software I mean software could be the the you know the topic of this entire thing believe me and we touched on this a little bit earlier but it’s like all right I want to get a sense of what the software supply chain looks like I want to tie in risk ranking And you know, I you don’t need me to belabor the whole idea of risk rankings, but they change, right? Dave: That’s the big thing that I think is is tough. Dave: Um there’s a lot of point in time stuff that goes on here, right? Dave: You sign up a new vendor, you get their questionnaire, you give them a stamp. Dave: Um you know, and say, okay, you know, they’re risk ranking X. Dave: What about six months from now, right? Dave: What about 12 months from now? Dave: You know, what’s the reputation? Dave: What’s happened in the industry? Dave: Have they had key leadership changes? Dave: Has, you know, You need to know this kind of stuff and you need to know it as as constantly as you can and again that’s very difficult to do because so many of us are uh you know just operationally constrained you know take a look at the procurement team see what kinds of things they’re doing look at contract terms and back to the point I just made um you know review whether or not you need to add different types of contract terms maybe you know things that are requirements around sbombs or things you know related to ransomware response um you know how do you docu ment this stuff. Dave: How often do you go back and review this? Dave: Right? Dave: So, yeah, there’s a lot of factors um you know that that tie into this. Dave: But, you know, I I don’t think again I don’t think it’s a bad time to have conversations about this. Dave: I think we can use some of the lessons learned from others misfortune and you know, challenges uh that are out there to to you know, hopefully improve our own thirdparty risk programs as well. Dave: So, with that, I am going to hand things off to Scott. Dave: Let me just stop my sharing. Dave: here and take it away, my friend. Scott: Thanks very much, Dave. Scott: I appreciate it. Scott: All right, everybody. Scott: Share my screen real quick. Scott: Just a quick confirmation. Scott: Can you see my screen, Dave or Melissa? Dave: Yep. Scott: Awesome. Scott: Uh, all right, guys. Scott: Great uh information today presented by uh by Dave. Scott: There’s so many lessons to be learned from every one of these uh top five breaches. Scott: in 2024. Scott: And it’s crazy the consistency year-over-year that you see in attack patterns and yet the variability in the downstream impacts, you know, based on what those attack patterns are. Scott: And Dave’s right, like it’s easy to kind of uh get real comfortable or used to the constancy of these breach announcements come through and do a little bit of cursory examination in the org or maybe amongst your third parties especially to say, okay, what’s the impact? Scott: and maybe miss the opportunity to catch one um that could be bigger and more impactful than others uh you know that that have been announced and move it is a great great example of that. Scott: I just saw yet another announcement this morning of another company impacted by by movement move it so you know when we talk to customers about their you know thirdparty risk management programs their supply chain risk management programs invariably they will you know mention three big goals and objectives that they want to achieve from it. Scott: Number one is get the data they need to make better decisions. Scott: So that could mean help us decide what the right you know documentation, certifications, reports, attestations, sock twos, ISOerts, whatever that we need to set a baseline to then identify the gaps in what we have to um assess and then fill those gaps you know later on. Scott: Getting good data from the multitude of different uh resources to um uh you know to start the process of of assessing a third party. Scott: A second is knocking down silos that invariably will grow up in an organization that lead to inefficiency. Scott: You know your um IT security team is uh you know seeking you know the SOCK 2 report or an ISOert or needs to do a security at testation of some sort. Scott: The procurement team is interested in well can these guys pay their bills? Scott: Are there reputational concerns we have to be you know aware of? Scott: Where’s their software development labs located? Scott: Um and you know the the you know the theme behind all of that is you know everybody’s looking at a different set of data to try and make a similar type of conclusion. Scott: So our objective is to try and knock that down get everybody kind of singing from the same himnil if you will. Scott: Uh and then the third third big objective companies are are telling us they want to accomplish is to evolve and scale their their programs you know over time as new thirdparty vendors and suppliers come online as old thirdparty vendors and suppliers go offline uh at the end of the contract. Scott: to be able to do that with some elasticity and you know scale up and scale scale down based on what uh what the business needs and you know our view of of thirdparty risk is one that uh transcends the life cycle of the relationship. Scott: So you know what I think is unique about mature thirdparty risk management programs is that they’re more than just seeking out a sock 2 or some sort of a security attestation. Scott: It’s beginning a relationship doing an annual check-in in and you know running some compliance auditing and you know getting a financial report you know whatever but they look at it uh look at thirdparty risk uniquely at every stage of the relationship that you’re in with that that vendor or supplier. Scott: Um from our perspective it starts with setting um you know the right foundation by getting the right intelligence about that you know vendor or supplier uh consolidating that intelligence and then opening that up internally to all the stakeholders that would you know have some sort of a say. Scott: in whether or not this is the right vendor for the organization more so than just a fit for purpose, but is this you know potential vendor supplier a fit for our risk you know risk profile. Scott: Um second when it comes to intake and and and onboarding um you know companies tell us that you know they have very inconsistent contracting processes and very limited integration with a thirdparty risk assessment you know platform. Scott: So from our perspective let’s tie those things together. Scott: and you know give you the ability to build and execute a vendor contract in a system that is native to thirdparty risk so that you have some uh uh consistency across the life cycle of the contract from the beginning to the end. Scott: Uh third scoring inherent uh risk you know a lot of what we see is obviously uh a cyber score is important to understand the security posture of a potential vendor supplier. Scott: We also know there’s a lot of dark magic behind that. Scott: So looking at it more holistically by understanding you know business and operational updates um you know financial uh status you know reputational issues you know compliance findings sanctions you know whatever are all important considerations to make when you’re determining okay what do I have to do with these guys now right so you’ve got some baseline of information okay they’re they’re fed for purpose they they you know um at a surface level anyway match our organization’s risk profile uh we’ve built the right contract terms to you give us the right to audit and more throughout the relationship. Scott: We’ve got a good inherent risk score based on a bunch of different factors that now that can dictate a true and deep uh internal controls assessment across a multitude uh of of different risks. Scott: And what we help to do with that is we give you uh pre-populated remediation guidance for every risk that is elevated as part of that process. Scott: We’ve got something like 600 different Yeah. Scott: 600 different uh assessment templates built in our platform uh to help you have kind of maximum agility as you’re as you’re assessing those particular vendors across security, privacy, compliance, operational, ESG, you know, whatever types of of risks. Scott: And because we know that a lot of what we talked about today would never be caught as part of a risk assessment process in an annual questionnaire and an onboarding process, it requires constant monitoring. Scott: And you know what what we help to deliver is um so we ate and consolidate uh a bunch of different resources and data feeds and intelligence from you know dozens of different sources into one for you so you don’t have to do that and then feed that into a central risk register to help validate uh conclusions from your internal controls assessments and then to give you a bit of a real-time view into kind of what’s happening in the industry and that’s how sometimes these these breaches you know you find out about them you don’t get notified from the vendor in time maybe it hits the media first or maybe you know, a note is or a forum or an onion page or something like that uh becomes available on the dark web to say, “Hey, I’ve got the credentials stolen for this company and this amount of data.” Scott: Oh, wait a minute. Scott: We do business with them. Scott: You know, let’s find out about that. Scott: We help you consolidate that level of insight and then uh give you the the ability to further investigate with your your vendor ecosystem. Scott: Uh monitoring SLAs’s and performance over time, you know, that’s self-explanatory. Scott: And then auto then offboarding and terminating relationships as well. Scott: So often um you know we hear about a former vendor uh or a customer that had a former vendor whose contract expired and yet their data was never destroyed properly or you know final process is not followed up on and uh oh there’s there’s been a data breach and now we’re now liable for that. Scott: So you know how do we uh how do we how do we overcome that? Scott: Um multitude of risk areas addressed by prevalent. Scott: I’m not going to dwell on this. Scott: You guys will get the slide uh you know later on but ultimately at the end of the day what we deliver is a kind of a three-part harmony. Scott: Number one is uh the people and the experts to help us help you assess your third party risks, analyze sock 2 reports, ISO uh at the stations, whatever. Scott: Uh on board and manage the relationship. Scott: Uh we we uh consolidate the intelligence from multiple different sources on those third parties, put it in the platform, build it with workflow, questions, validation, remediation, and more. Scott: So that’s it. Scott: I went a little longer than I hoped I would, but uh I’m flip back. Scott: to you, Melissa, and we’ll open up for questions. Melissa: Awesome. Melissa: Thank you, Scott. Melissa: Uh, now would be a really good time to add any questions. Melissa: I know we have a few going on, but I’m going to launch our final poll. Melissa: You’ll see it pop up. Melissa: There you go. Melissa: Um, you know, I’m curious. Melissa: Do you have any TPR projects on your radar? Melissa: Maybe it’s your 2024 New Year’s resolution. Melissa: You know, essentially, would you like a follow-up from Prevalent to discuss enhancing your TPR program? Melissa: And please be honest, we do follow up with you. Melissa: Um, so let’s see. Melissa: kind of pass things over to Dave. Melissa: I know there are a few questions, but with two minutes left, I’ll let you kind of cherry pick which one’s going to be the best. Dave: Yeah, there’s there’s sort of a theme to these, so I think I can probably hit them pretty well. Dave: Um, you know, the first question that came in from Mark is like, what, you know, what do we do with fourth parties, right? Dave: You know, how how do we how do we guarantee this? Dave: Well, there is no guarantee. Dave: I mean, I think anybody would tell you that there’s there’s no um, you know, there’s no 100% sort of, you know, silver bullet as it were that that’s going to, you know, get information. Dave: Um, the other thing we found, and I hate to say it this way, but I will. Dave: Um, you know, some sometimes these vendors don’t always provide the full story or the full details. Dave: I don’t want to say vendors lie or providers lie. Dave: Um, but they don’t always give all the details we would like. Dave: So, I think you’re always going to be, you know, at least to some degree in that position. Dave: Um, you know, there’s and Chris asked the question, you know, what other audit reports and things like that beyond sock 2? Dave: I mean, I think it depends on the industry, right? Dave: Today, uh, you know, sock stock reports um can be good. Dave: They can be pretty weak. Dave: Um you know, I mean, we’ve got a lot of organizations that uh you know, have high trust reports. Dave: Um you know, like NIST CSF doesn’t really have a formal accreditation or certification yet. Dave: Uh but you know, that’s something that a lot of organizations are starting to ask about. Dave: Um you know, you basically get everything you can sadly. Dave: Uh you know, and different people have different preferences. Dave: I mean PCI has some good. Dave: It really just depends on to some degree the the the industry that the organization is in. Dave: So, um, you know, do your best. Dave: Again, it’s, you know, it’s sort of one of those scenarios where you you sort of, you know, go as as much or not. Dave: You know, Ed’s question, do we trust or not? Dave: You know, I don’t know, Ed. Dave: I think that’s a personal decision, right? Dave: That’s a I think that was probably meant as a as a tongue-in-cheek comment. Dave: Um, we had somebody that asked, you know, hey, what’s the prevalence of of, you know, like somebody insider participating? Dave: I mean, we don’t see a lot of it, and frankly, I think there’s probably cases where they don’t have to disclose that as a as a as a part of the breach or a part of the scenario. Dave: So, my gut tells me it’s probably a lot higher than we know about, but uh it’s a great question and I think it’s something that all of us would probably like to know. Dave: So, I did that was my lightning round. Dave: I think I’m out of time. Dave: Thanks everybody. Melissa: That’s perfect record setting. Melissa: Um well, thank you again Dave. Melissa: I did put my email in the chat if anybody else has questions past the webinar. Melissa: Um thank you of course Scott for your uh piece of the end. Melissa: And thanks you guys for all those questions. Melissa: Um, if you want to stay in that TPRM loop, feel free to ask us on LinkedIn. Melissa: I know we have webinars practically every week now, so maybe I’ll see you at that one. Melissa: And maybe I will even see you in your inboxes. Melissa: Take care everybody. Melissa: Thanks again.