第三方网络安全：新兴趋势与 2024 年的对策

梅丽莎：嗯，我们先从自我介绍开始吧。我是梅丽莎，在Prevailant公司负责业务拓展。今天我们迎来了一位特邀嘉宾——Voodoo Security公司的戴夫·沙克尔福德，同时他也是SANS的高级讲师。欢迎回来，戴夫。

戴夫：嘿，谢谢你的邀请。

梅丽莎：最后但同样重要的是，我们有斯科特·朗。斯科特是我们的产品营销副总裁。他将在本次会议结束时深入探讨我们如何助力完善您的TPR计划。那么，斯科特，你好。

斯科特：你好，艾丽莎。

梅丽莎：嗯，先说几句注意事项。本次网络研讨会正在录制，因此研讨会结束后您很快就能收到录播和幻灯片。最后提醒各位，当前所有参与者均处于静音状态，请通过问答框提交问题。 若您希望匿名提问，在研讨会期间随时可以这样操作。现在就让我们直接进入正题，将话筒交给戴夫。他将分享关于2024年构建第三方网络安全计划的关键准备步骤。戴夫，请开始吧。

Dave: Awesome. Hey, thanks everybody for joining today. Um, I love these beginning of the year webinars, right? I mean, we’re all so fresh hopefully. uh coming out of the holiday season and you know things are just starting to ramp back up. You know, usually there aren’t too many fires to put out and so it allows you to have a little bit of clarity of thought, right, in terms of okay, what went right last year? What went wrong last year? What was a dumpster fire last year? And what do we think is probably going to happen this year? And so I’m not much of one for just sort of wild speculative predictions. Um I just I I I like my predictions to be much more grounded in reality and trending, then um well, let me just pontificate, right? That that’s that’s not what I’m about. Um with this particular topic, there’s no need for speculative pontification whatsoever, my friends, because we’ve seen a lot um over the course of the past several years. Lots of definitive trends, lots of things that have changed, lots of shifting attitudes, lots of concerns, some significant breaches. You name it, we’ve seen it. And so what we’re going to me is, you know, you don’t always want to say, “Oh, well, it’s just more of the same, you know, go back to the, you know, to the same old same old.” That’s not true. We have to evolve. And so, if there’s anything that I’d like to talk about here in some of the discussion today, it’s a bit more of the evolutionary side, right? We have to evolve our programs. We have to change some of the things that we’ve been doing um or not doing, you know, for that matter, and start thinking more seriously about how to get a grip or a grasp on third party cyber security because it’s not going anywhere. It’s only growing. And then the ecosystem of the sort of inter relationships between entities and partners and organizations and customers is just getting bigger and bigger and frankly more complicated. And so waiting does us absolutely no good. So let’s jump right into it. Um you know looking forward in in 2024 I I think well I think it’s always a good time to discuss managing thirdparty risk. I don’t think there’s a bad time for that but I think now’s a great time. to look ahead for the year and especially when you’re formulating the projects for your teams, when you’re starting to talk about, you know, platforms or solutions that might augment or significantly enhance your security programs and the efficacy of those programs. Um, you know, trying to get a handle on reporting both laterally and, you know, sort of upwards and downwards in in sort of the scheme of things. All of that matters. Um, interestingly enough, coming into this, I found myself you know you know little background on Dave, right? So, I I I try desperately, I fail sometimes, but I try to sort of take the second half of December and and do like a big winding down, right? Just kind of the cleaning up uh all the things that are left open, you know, the loose threads, if you will. Uh you know, those kinds of things and and and try to, you know, get a little me time uh in there. And I did get some, but this part this past year was sort of like a race to the finish with scissors in the dark, right? It it really felt that way. right up until the cusp of of sort of the holiday season where everybody magically vanished off into the ether. Um, and and it was kind of interesting as to why. What I found was that there were a lot of organizations that that really wanted to have things like tabletop exercises right before everybody left. This was this is, you know, not necessarily something I see all the time, but all of them every single one of them had major thematic elements that involved third party risk. And so it was a kind of really interesting end to 2023 sitting with lots of executives and different stakeholders and having some of these conversations and what that led me to think about kind of heading here into 2024 is I think this is more top of- mind than it ever has been. So I’m pretty bullish here, right? So I guess it’s you know it’s the positivity coming out here. I think we’ve got a really great opportunity because everyone’s aware that this is something that they need to pay attention to. Everybody’s looking at this as something that is a known challenge and it’s almost sort of like unilaterally a challenge across the organizations out there. It’s it’s you know it’s not something specific to healthcare or finance or manufacturing or or you know the utility sector. It’s it’s everyone. We’ve all got this problem because nobody goes it alone, right? It’s it’s interesting people think hey what you know if I if I said to you hey if you had to name a vertical or an industry that’s likely the most security focused I mean you know and this is just I’m not quizzing everybody here right but if you said okay you know let’s just think logically I mean a lot of people would say well you know financial sector’s got to think about this stuff and that’s fair right I mean it’s the money um you know payment systems those kinds of things but it’s you know you think about things like defense organizations um one of the organizations I did a tabletop with no naming names here obviously but it was a very large defense contractor and so you know I won’t bore everybody with my background but I sp I spent some time in a defense contractor organization I mean like two decades ago pretty long time ago and uh I was absolutely blown blown away by the third party alignment and involvement within that tabletop exercise and and candidly just the sheer number of third parties and partners that this defense organization had and I shouldn’t have been right? I mean you know looking back I you know I probably should have expected these kinds of things but I guess I always think of like you know defense organization right like defense contractor working with military organizations dealing with you know national secrets that kind of stuff that they they would have you know, a pretty tight focus on things and they do, but the third party factor was just it was just wow, mind-blowing. They have I think it was, you know, o over like 1,500 vendors that they work with like that are known like all the time vendors and they had more than that too that they, you know, yeah, we’re still trying to corral some of these. And it was really an interesting conversation because it just shows you the sprawl of this stuff, right? We have so many thirdparty organizations and I mean, as soon as I started ing some of this I didn’t look at anybody in the room and say well so can can we name those and talk about the you know third party risk assessment for all of them because they would have laughed me out of the room right so that the factor of just the the sprawl I think can’t be understated or overstated rather um you know lots of weird compliance stuff that’s starting to come up some of it uh you know sort of still in development some of it pretty you know pretty readily available you know what does this mean for us how do we go about getting thirdparty information? How much do we need to report of that? How does that align with um you know things like insurance coverage? Who who do we report to compliance-wise, regulation wise? There’s there’s question marks all over the place. Um auditors don’t know, financial organizations don’t know, or you know, the accounting teams don’t know, you know, and especially with the require for disclosure with things like the SEC, you know, if you’re a publicly traded company, you’ve got you’ve got very specific requirements now in place to perform this reporting and that complic ates it. It really does. The third party factor complicates it in terms of who to notify, when to notify. We don’t want to go down that road completely here, right? I think that’s something that I’m sure a number of you are probably wrangling yourselves and having those conversations. What’s a material impact? You know, how do you define material um and materiality with regards to that? That’s a big question mark for some. Um you know, what are the requirements to report depending on those outcomes? I don’t know. What if it’s a partner? How do you like you start looking at things through a different lens? But some of the things that haven’t changed, limited operational capacity, limited risk assessment capacity, especially if you’re a large organization. And it’s tough, right? This is this is not an easy problem to solve. And I would never get up in front of you and and claim that it was. I think we can all agree that this is not a simple challenge to to take on, but it’s one we have to take on. Um, you know, there it is. There there’s the reality of things. And so, looking at um a great report by the way from the folks at prevalent they you know their 2023 thirdparty risk management study I mean this is their bread and butter this is what they focus on all the time so it’s always good to listen to you know organizations that have that you know sort of pulse on how organizations are wrangling this stuff and 41% of companies that they talk to uh reported a third party breach. So we are going to talk a little bit about breach uh scenarios and some of the different aspects of this and you know 71% consider this to be one their top concerns. Now, I’ll be honest there. I mean, who’s the 29% that did that didn’t see that as a top concern? I don’t know. Um, you know, and and believe me, uh, that that’s a good question to ask, but 41% reporting one. Okay. I mean, that tells that’s almost half, you know. I mean, that that’s that’s a lot of organizations um that are out there and there’s a lot of confusion in the space and I think there’s I said never a better time than now to start developing, implementing more cohesive, more informed plans that help us try to get a handle on this. And and it’s not as though, you know, most of us are are going to get to the end of the year and say, “Well, we solved this.” I I don’t think that’s realistic. In fact, I don’t know that this is something that is wholly solvable because it’s going to morph. Um and and sadly, the one of the reasons for that is you don’t inherently have control over these third parties. They have their own policies. They have their own controls. They have their own standards and processes and so on. Um, so, you know, you you’ve sort of got this I don’t I don’t want to say, you know, ambiguity that comes into the that comes into the mix, but you’ve got to take people’s word for things where you might not feel as comfortable as you’d like to doing so. And we we’re all in this together. And what you really have to hope is that everybody looks around at the third party ecosystem that they’re aligned with and involved in and we all kind of nod together and say, “All right, you know, this is This is quite frankly um you know it’s a community problem.” It’s not just me, it’s not just you, it’s all of us. So let’s talk about some of these types of incidents that not only did we see last year, but we’re I mean we’re just going to see again this year. Um you know and and this is probably not going to be a big shocker, but you know, service failures um you know, software failures and software breaches. Sadly, the attackers are going into the supply chain more and more so and and the software supply chain is a big factor. We’re going to touch on that here. here in just a minute. And I think we’re going to continue to see that. I don’t think anybody’s going to be surprised if we see software manufacturers experiencing issues. Now, whether those issues ultimately transcend to the customers or whether it’s just a matter of we can’t trust this thing for a minute. Let’s not do that update. Okay, there’s a lot of scenarios that could play out, a lot of use cases that we could derive out of what we’ve seen and probably expect to see. Um, some of the service failures, I mean, I I always used to sort of joke it’s a bad joke. Incidentally, it’s not really a funny joke at all. But it’s like, look, if Microsoft 365 has a failure, I’m not talking about an attack. I’m just talking about a service failure. How many of us are dead in the water um for at least a period of time? And I’ve done a lot of work with business continuity and disaster recovery scenarios. And it’s a good question to ask. What what do we do, right? What are the workarounds? How do we accommodate for that? What’s the likelihood of those types of service failures occurring with vendor X or service provider Y? and and you know again those are things that we’ve consistently seen. So it’s an incident whether it’s an incident that’s related to a cyber attack or not it’s an incident. Um privileges and the use of privileges and the desperate quest for privileges by attackers particularly through accountbased attacks big big big problem for us. And so we’ve always known that privileged user management is a concern right we really need to make sure we know who has privileges where those accounts are how those accounts are being protected. and so on and so on. Um, but especially when you get down to the things like cloud-based scenarios and you’ve got oneoff services that don’t necessarily have uh like central account federation and you got to go set up separate accounts and things. There’s just so many ways that that can sprawl and kind of get away from you and the attackers know it. And so that’s a very easy way for them to get in. In fact, um, a lot of these attacks that we hear about you and we’re not going to talk about too many of them here. In fact, you know, we we’ve done a lot of webinars together. Um, you know, the prevalent team and myself as well as some other great uh presenters that that really focus on that. So there’s a great catalog of these things on the prevalent site that you can go check out, you know, talking specifically about certain breaches and certain attacks, but look at a lot of them. A lot of them, you know, they’re not that complicated. They just come down to hijacking accounts and escalating that. So that’s a big problem. It’s going to continue to be one for not only us, but our partners and third parties. Um malware infections, I mean, sadly, that’s become the norm. I mean, week doesn’t go by that we don’t hear about something like a ransomware infection whether it’s us or or a partner but I mean you know how many of us have either dedicated or semidedicated connections to service providers or vendors for support or you know partners that need access to certain things and if you have some interconnections between other you know other providers or other organizations and they’ve got a malware infection you very well could too especially with the nature of some of the things we’ve seen in recent years. And so I think you know we do have to be focused on that not only for ourselves but for others and a significant malware hijacking scenario, right? Something like a ransomware infection could uh lead to the first bullet point, right? So you could very easily find a software andor service failure resulting from something like that. Unauthorized use um well and not just unauthorized use but unauthorized access, right? Disclosure of data even if it’s accidental could very well be a major factor for us. Um denial of service is always going to be a problem and then of course the whole just nature of breaches and incidents um not only in third parties but fourth level partners you know who are they using as third parties right I always sort of think of the third party ecosystem it’s it’s easy to be you know sort of myopic in the way that we look at these things for ourselves and you do have to to look at you know at your house first right we got to defend our house first and then worry about not everybody else’s, but every single one of your partners has partners. And if one of those fourth parties has a problem, that could lead to your third party having a problem and now you have a problem. And you know, it’s sort of the turtles all the way down discussion. How far does the, you know, does the rabbit hole go? And it’s almost overwhelming to try to get there. And I’m certainly not suggesting that, uh, you know, we’re going to inherently solve that problem quickly, as I mentioned before, but I think we have to start thinking in those terms. We have to are thinking beyond just who’s the sort of first tier out. It’s the second tier and even beyond that could ultimately impact us as well. So, let’s talk let’s get into some of the action on what’s coming and what’s going on in the realm of uh of 2024. And I think this one’s going to be bigger than ever. Um and I’m sad to say that because the attackers have definitely wised up. Um you know, I I I kind of think of this. I mean, how many of you have have gone out to a conference or something And you’ve had uh you know security vendors of all types kind of ranting at you about shifting left, right? And how many of you have gotten completely and totally sick of hearing people talk about shifting left? I get it, right? You get it. We get it. Um shifting left, it means we’re getting earlier in the supply chain, the pipeline, all those things. Um particularly with DevOps and you know, software, you know, pipelines and things. But well, the attackers are doing it too. You know, they’re shifting left. They’re happy to shift left. They’re shifting very far left. In fact, going all the way to things like the code bases and things like packages that are getting downloaded. I mean I run into organizations even now that don’t have a good method to validate and verify things like open source packages that are just getting you know sort of arbitrarily downloaded and and you know packaged up in their container builds. And it’s like okay that sounds great makes your life easy but a ton of those things are malicious and uh you know they’re they’re not getting vetted out in the ether. You got to do some of this yourself. So I think that’s a factor and I think the attackers are certainly going to continue that trend and what this really leads to for us is you know sort of this nature of the software supply chain. Um you know there’s sort of three distinct elements or pieces of this. Um there’s the development side right it’s you know I’m creating a piece of software and for any of you that have development backgrounds or work with developers you know this I don’t need to you know sit here and expl it’s it’s you know it’s it’s code and the code base and it’s testing and it’s fixing and it’s all that kind of fun stuff. Okay, that is one big piece of it. But then there’s distribution and packaging and then there’s also the consumption and installation. Um there’s so many places along that software supply chain where an attacker has the opportunity maybe to gain a foothold or modify or manipulate that software in ways that we might not have anticipated. I mean there’s again there’s a lot of vendors out there that you know don’t do a great job of testing sadly um may not have good strong visibility into their codebase and what’s going on. And we’ve got tons of examples of this. Again, we’ve got some great webinars that have already been done around this. So, you don’t need me to, you know, sort of go through a bunch of different excuse me, examples. But we’ve certainly got a lot of examples of that, but where I I don’t think we’ve seen quite as much emphasis is on the latter two, which is more on the distribution and consumption sides. And distribution, I mean, you know, what if what if software could be modified in transit, right? I mean, think about how much of our software gets just downloaded versus being distributed. I mean, you’re not getting some, you know, USB delivered to you or, you know, the old school days, which, by the way, I just found a bunch bunch of these when I moved recently and I was cleaning up my office and I don’t I was like, why am I holding on to this Windows 2003 server install, you know, CD? I mean, I don’t know, you know, I didn’t keep them. I mean, there was a nostalgic moment there, but you’re not getting things that way anymore, right? You’re not getting it direct. and the manufacturer like that in many cases you’re downloading them and you know hey what if the website’s been compromised what if the you know the distribution site’s been manipulated in some way you start asking these kinds of questions and I think we have to so everything involved in that software supply chain is is sort of open and these are good examples of uh you know just places where we’ve seen this um you know we’ve certainly seen a number of these different situations and like I said we’re not I’m not going to spend a lot of time going through any one or another but these are known campaigns where these things happen. Um, and you know, you’re looking at this and saying, “Okay, you know, certificates were manipulated.” Absolutely. Hey, it looks valid. Seems to, you know, seems to, you know, come out okay, but it wasn’t. The certificate itself was actually manipulated. You don’t see a whole heck of a lot of those incidentally. But that’s that’s a great example of just how good these attackers are getting. Um, you know, certificates are getting manipulated, the infrastructure is being hijacked, code repositories, binaries are being changed. Um, in the case of the Twilio breach was a really interesting one. um that you know the the SDK or the development platform was actually manipulated and changed in such a way that the attackers were able to sort of do their bidding. I mean there’s just so many places where this can all go wrong. And I look at this and go, you know, it’s it’s just going to get worse. The attackers know this. They’re smart. They’re they’re shifting left if you want to think of it that way. But we’re going to see more and more of these kinds of attacks over time. Um I’ll use the example of Move It. I mean, Move It is I I just I feel like I’m piling on them. in some ways. I mean, Progress Software has had a thoroughly bad last 12 to 14 months. Um, and I’m sure everybody here is probably familiar with at least some of this. Um, because it’s just been in the news consistently for I mean quite some time. You know, I’m going back to May of last year, but they were even having some other things going on before that. I mean, it’s just been going on and going on and going on. Um, but there’s, you know, there’s there’s zero days that are actively being exploited in the wild. Um, you know, ransomware gangs are taking advantage of this uh you know and and again we’re talking about um a piece of software and this is why I bring it into the software supply chain I mean probably one of the easiest examples of something like software supply chain would be you know like the uh you know like the classic solar winds or something like that and and I mean that’s always going to be a classic example but move it why this is such an issue and why I want to bring it into the discussion around third parties um versus just having a big completely separate discussion on software supply chain is because move it is invariably used to share data between organizations and entities and so it necessarily enters the conversation for third-party risk because you very very rarely use it wholly for internal reasons or in a vacuum. It’s used to share between parties and so organizations are using each other’s move it transfer enterprise file transfer solutions um which means you can’t trust any of this stuff anymore. It immediately just wedged this element of distrust into uh you know organizations all over the place and patches have been coming out. Attackers keep abusing this stuff and there’s just a lot of factors here that demonstrates not so much that the attackers hijacked say the codebase, right? I don’t think that’s inherently the big discussion here. It’s the fact that it’s really obvious that the team at Progress was doing almost no testing at all. They certainly weren’t doing the level of stress testing needed to try to find some of these bugs before shipping their software. And that’s I mean it’s a common problem. It it’s just you know they they unfortunately became the poster child for it over the course of the last year and these kinds of things are going to continue to happen. And so you know let’s bring it back to the the discussion like because it’s always saying hey what do I do about it? Well look what you need to do first off you need to understand your own software supply chain. I’m not going to lecture everybody on that. You probably know it as well as I do but I think it’s best to look at these services and software that you rely upon. You know, again, going back to some of the the tabletop exercises I just completed recently. Sometimes that’s not that hard. Sometimes it’s almost impossible to get a complete list of this stuff. But you need to have an understanding of where uh number one, you have services and software that you’re using that are critical in nature. Meaning, if they go away, you got problems. If they crash, you got problems. If they don’t function properly, you got problems. And this is a continuity discussion, right? This is a resilience conversation as much so as it is anything else. You know, maybe that’s 20 pieces of software, maybe it’s 50, maybe it’s 100, but those hundred or 50 or what have you, those are absolutely the ones that you need to say, okay, two factors. What do they touch? What kinds of privileges do they have? What do they interact with internally? And number three, how well are these providers and vendors that I’m relying upon to be shipping me trustworthy pieces of software doing their own homework? And uh putting security controls in place. And the problem with this is that you can go and bang on the door and be like, you know, hey, software provider X, I need to know everything about your development pipeline and all the work that you’re doing. And you’re not always going to get great answers or even any answers. Um, you know, some organizations view this as proprietary or, you know, like really important intellectual property and they don’t want to talk about that kind of thing. Um, but I think we need to be talking about these kinds of things. It’s it’s rapid becoming sort of an elephant in the room. Um I think you have to say look you know what are my products that are at risk and what are the mitigation measures? Sure as security advisories I mean they do they do count for something. Um it’s not as though the minute an advisory comes out everybody’s already breached and we just throw our hands up and go ah let’s just go home for the day. Like doesn’t work that way. So you get the security advisories hopefully you know you’ve got that piece of software and you can take some steps to if nothing else like you know do some investigation and monitoring and see what’s going on. Um you should ask the vendors. Yes, I’m being a little cynical here. As I mentioned a moment ago, they don’t inherently always want to talk about this stuff. Um, or and I think this is going to become bigger this year. So, you know, we can kind of chalk this last point up to what I think is going to start emerging as a trend is a software bill of materials or an SBOM. Um, I am bullish on these. I hope every single one of you are as well. I think we need this. And what that means for those of you that might not have a a you know, level of familiarity with Sbombs is that that we’re asking our vendors to give us a list of the components and elements and libraries and packages that are in those pieces of software. I’m not asking for the code, right? I’m not asking for your source code or your intellectual property, but if you’re using log 4j, I kind of want to know about it, you know, I don’t know. Seems seems rational to me. Um, you know, if you’re using particular libraries, I mean, like OpenSSL was the gift that get, you know, kept on giving for years and it turned out we all used OpenSSL. We still do. So, those kind of libraries and packages. I feel like I at least have a right to know that they’re in my house. Um, you know, like it’s it’s it’s a risky appliance that I might want to just keep my eye on. Uh, it could blow up. I don’t know, right? But I want to know at least that it it’s, you know, it’s got a fire hazard associated with it and then maybe, you know, put a little bit of a, you know, additional monitoring around that. So, I think sbombs are probably going to be a bigger factor for us going forward as well. Um, next next trend, um, no question whatsoever this is going to be a big deal. It’s already a big deal, but it’s going to become a bigger deal. And um we are right on the cusp. Um you know, the timing of this webinar is great, but it’s just short of what we were kind of hoping would come out in terms of, you know, sort of finalization of the 2.0 version of NIST CSF. And some of you may rely on NIST CSF, some of you may not. Some of you may be thinking about it, some of you might be just like completely oblivious to it or aloof to it. But a lot of people are starting to use it if not as a a primary framework as something that they can sort of hold up and and have a conversation uh around. And I I think um you know that’s that’s something that helps if nothing else. You know, you may not bring this up in terms of your own internalization and and so forth of security controls and what have you, but I think it gives you a comparison point. I mean, we’ve been looking for this for years. If everybody can at least say, “Hey, where do we stand maturity-wise when within the concept of a framework that we can if nothing else agree it’s not bad right even if it’s not perfect I don’t know if there is a perfect one it’s not bad and it encompasses the things that most of us would want to see within a security program um you know collectively and then of course you’ve got all of your other compliance requirements and regulations and things like that um you know I don’t know I I think this is I think this is giving us hope and I think it’s giving especially organizations that aren’t that mature or really just starting to get their arms around around development of a security uh you know kind of program framework something to work from um you know there’s a lot of metrics there there’s a lot of measurements there and there’s also a lot of comparative points with other like organizations that gives us that capability back to the point um it’s it’s about to it’s about to be released right so the new version of this is sort of on its way and we’ve seen a lot of developments and um we talked about this in a dedicated webinar last year and so there’s a lot more detail in that but some of the big things that we kind of emerge in the comments period and the input period is you know look there there’s there’s some things that I think are going to really help us um you know the creation of an entirely new governing section which is good a lot of that is stuff that they kind of moved out of other sections and just put into its own dedicated section but that is critically important particularly with thirdparty risk because it necessarily involves a widely disperate group of stakeholders in your organization and we need to have that level of interaction and involvement from lots of different teams. So, I think it’s going to be helpful in at least framing that up. A lot more focused on legal and compliance. And some of you are are, you know, kind of going, uh, gosh, legal and compliance, all the fun you can stand. They got to be involved. Maybe not in every conversation, maybe not in every incident. Maybe they’re sort of the dotted line aspects of the response team and everything else, but they’re huge, huge parts of just about every entity. out there today. Um, depends on your organization, depends on your vertical, depends on a lot of factors, where you are geographically, etc. Um, but those are things that need that level of involvement. It just can’t be a bunch of in the trenches technical folks, you know, figuring it all out. There’s legal ramifications, there’s compliance factors, and it all ties into risk. Um, speaking of risk, tons of additional work and focus on thirdparty risk management. And that of course brings us right here. Uh, there’s a lot of that in there. There’s a lot lot of new and modified control elements within CSF 2.0 that really focus explicitly on thirdparty risk and this is nothing uh but good for us because it helps sort of derivate some of the controls that were I mean I don’t want to say nebulous nebulous is maybe not the right word but maybe a little broader than we’d like and it sort of pulls out the third party factor. in those so that we have a little better perspective on some of that right and and so we can say hey look here’s risk management. Here’s where third-party risk management differs slightly and needs a bit of additional emphasis. Lots of focus on continuous improvement and some resilience and other things, but the big things that really come into play, I think, especially in the context of this discussion. Um, you know, it’s it’s it’s most certainly going to be focused on that third party side of things. And so, this is just giving you some of the breakdowns. Um, gaze upon this enormously colorful screenshot as much so you would like to, but realize that you can go get all of this completely for free over on the NIST site. And it is still evolving. Um, in fact, right before I put together all the content for this webinar, I did a gut check just to see if anything dramatic had significantly changed or if there was a big update that would necessitate a new uh screenshot here, but we haven’t seen it yet. It’s coming, though. And so, they’ve essentially guaranteed they’re going to really wrap it all up. Um, you know, and they’ve done a lot of that work towards the end of last year, but they’re going to really wrap it all up. here probably I mean within the next couple of weeks it’s it’s probably imminent. So for those of you that this matters keep checking. For those of you that it doesn’t you should keep checking either you know too is just because it’s it’s interesting and everybody’s going to be talking about it. Go check out this. By the way this is something that is a little bit newer that I thought was kind of useful. Um it allows you to take that um that draft of the 2.0 and sort of do some alignment across um you know some of the previous versions and some of the other aspects that you might already have in place. Actually like a really cool little utility. So, you know, if it’s interesting to you, again, go check it out. But they’re doing everything they can to try to sort of onboard people to a framework like this or to help them update or upgrade their programs um to to, you know, get a get a better trajectory on it. So, cool stuff. Now, I’m going to throw this one last one in. Um and and this was a little bit of a lastm minute edition because, uh you know, as you can see here, even by the date, um you know, this was a New York Times article that just came out two days ago. And And we’ve been talking about this. This is not inherently new, right? So the fact that this is a January 8th article may or may not necessarily make a difference, but it it sort of set off the light bulb for me to think about this in the context of third party risk scenarios. And I mean, I could probably spend the next hour and a half talking about this. I won’t, otherwise Scott would yel me. Um, but the uh the reality here is we’re going to see this stuff manifesting in weird ways. No question we’re going to see this, you know, sort of like deep fake situation rearing its ugly head both for us and our third parties. And there’s so many different ways that this can happen, right? I mean, so the way I see this, um, you know, there’s generation of video, there’s generation of images, and there’s also voice manipulation. So there’s some really solid capabilities out there for attackers to, you know, call up your help desk and sound exactly like Bob from accounting. Um, you know, and they’re doing this And so all of a sudden, you start seeing new opportunities for the attackers to step in and doing crazy things that we’re just not ready for. I mean, I’m just going to call it out. I don’t think I’ve talked to a single one of the security teams that I work with um across all different organizations where they said, “Yeah, yeah, yeah. We got this one unlocked.” Like, “We’re ready for it.” Something pops up and and look, it’s gonna get weird. Um you know, that’s what I always tell people is just, you know, hang on because it’s going to get weird. You’re You’re going to see these kinds of things coming up. You’re going to see the CEO of a Fortune 500 company uh having, you know, compromising position photos posted online that are completely fake. They’re falsified. But in the mind of public opinion, oh my gosh, what a horrible person. Um you’re going to see political tie-ins to these things. You’re going to see weird stuff. And what it does is unfortunately start making you ask, “What the heck can I believe that’s out there?” Um you know, it’s it’s an interesting thing to bring into the discussion um the way you know just to to sort of bring it back to the more practical side of this you know what do you do about this um and and what do you do about it with regards to your third parties you’re going to have your own challenges with this stuff I guarantee it it’s coming but you’re going to have third parties that are trusted you know you’ve got a partner that it’s extraordinarily well known that this is your critical partner you work together maybe you co-manufacture a product together something and they get hit with this reputation goes into play damage control comes into play and now your collateral damage as a result of that. Are you ready for that? Right. I think this is really important to start having those discussions. There’s reputational factors that are going to be ripple effects as a result of some of this weird stuff happening. And so this is just sort of my own mental quick hit checklist like all right look you know you do need to be monitoring. You do need to be tracking places like social media and the reputation factors. You do need to make sure that your communications teams are tied in. Um you know you do need to train employees if they see something weird, you know, I mean, not to use the cliche, but you know, see something, say something. Hey, I saw something out there. Should we be worried about this? Sure, get in front of it. Even if it’s a minor issue, better to know than not know. Um, there are some tools that are starting to emerge for things like deep fake detection. I mean, there’s a whole long really interesting list of this kind of stuff where like if you look at some of the videos, there’s weird smoothing of people’s faces and there’s strange ways that their hands are moving or there’s strange ways that uh you know people’s mouths move when they speak that that just aren’t natural. There are ways to start picking up on this stuff. Um but but most people just aren’t ready for it. And again um you know as security professionals, people that are experts in your field, you’re going to be more attuned to these kinds of things than the general public. The general public’s going to see it one time casually on an Instagram feed and go, “Oh my gosh, company X is junk.” You know, let’s go tell all our friends. Um you know, this is this is absolutely going to start happening. Make sure you got things like real time off. I mean, especially for those uh like voice fakes. Um you know, people calling up and and you know, like your one of your partners calls up and it sounds just like the person you’ve been talking to for the past year and a half, you know, and you’re like, “Ah, you know, Dave, so good to hear from you. What can I do for you today?” Hey, would you mind just clicking this and checking something and telling me? So, social engineering is going to be a big play here. Fascinating stuff. So, just get ready, right? We’re talking 2024. What’s coming up? There you go. That’s what’s coming up. So, How do we prioritize third party risks? You need to think about well, you need to think about what’s the hard and fast versus the nice to have. I can’t answer that for you. I think there’s um you know, sort of a an element of due care and and look, if you’ve got compliance or regulator folks coming to you or you’ve got your insurance carriers coming to you and they say, “Now, we got to have this,” go with that, right? Um go go with that as the starting point for those baselines. But we really need to decide what are the things that we’re going to draw the line on and not um how often do you need to do security reviews. So, is it, you know, I mean, too many organizations, um, you know, and I’m sure some of you have seen this, you’ll resemble this. You sign up with a partner or vendor, you check them, you don’t go back and do it again. It hadn’t been done again. It’s been four and a half years. Um, others, you sort of optimistically say, “We’re going to do an annual review.” And then you maybe do um, you know, so, okay, I’m not throwing stones, especially not in the glass house here, but I think we have to be more sort of cognizant of of, you know, sort of the cadence of these types of reviews. And we also need to get a little tougher on things like remediation and arbitration. In other words, hey, if you’re not, you know, fixing this stuff, especially when it comes to say the software side of things. Um, you know, I I think uh, you know, we have to say, okay, look, if if you can’t prove that this stuff’s been fixed and that you’re doing more uh, you know, like consistent and, you know, uh, more in-depth testing, we’re not going to do business with you anymore. Now, that depends depends. I mean, so I’ll use Move it as a great example. Um, you know, look, if Microsoft has a problem, how many of who can just wash your hands of Microsoft entirely tomorrow? Not a lot of you. I mean, some of you maybe, right? Okay. Uh but not a lot of people can. Whereas, yeah, somebody like a move it, it’s a file transfer platform. Um I’ve heard that there are others. So, you may have, you know, a much lower bar to switch gears and switch vendors in those cases. And I think we need to start getting, you know, I don’t want to say playing hard ball, but let’s let’s get more specific about this stuff. Use risk rankings, right? Um I’m not going to say a lot about this kind of stuff. Uh I know that uh the team at Prevalence is going to be talking about this kind of stuff here just momentarily and they’ll have much better things and more interesting things to say than I do. But you need the wisdom of crowds. You need the reputation. You need that stuff coming in not just from your own spidey sense tingling or not, but from qualified risk assessors that are doing this consistently and holistically in some form or fashion. We’re all going to need this, right? There’s organizations that are using this today to great effect. There’s some that are thinking about it. There’s others that aren’t even on the fence on it. Um, I think this is going to become something we have to really get better at consistently. Um, we’re going to need better governance. So, this is definitely that next step. We’re going to need to start aligning with people in the organization. Start really thinking about how vendor reviews get initiated. Um, you know, what recourse do you have if there’s a breach or vulnerability? You know, do you have contractual terms that facilitate getting money back or changing without any penalties? Um, you know, those are the kinds of things that we need to start talking about. out and again how often are these kinds of things being done? This is a bigger picture thing than just the security team, right? It’s security teams, it’s risk teams, it’s compliance teams, it’s vendor management teams. Um it’s a bunch of different parts of the organization that need to be on the same page to the best degree possible. And we start talking about thirdparty breach scenarios. Um I’ll hit these and I sort of have these aligned with some of the NIST uh 800-61 uh you know R2 elements or categories. You need to make sure you know what’s going on. Um, you know, like what’s the exposure, what’s the recovery plan, what are the next steps, if there’s anything in the contract, you need to talk about that. Um, I would say look, the the first thing though, do you know who to reach out to and who’s the designated party that’s going to do that reaching out to the third party if there’s something that happens um you need to isolate? So, this is where you say, “Hey, look, you know, this is more on the technical side in many cases, but can you do this?” You know, so for for instance, in some you know something like um you know say a uh like a Microsoft situation can you do this um you know can you can you basically say okay we’re going to lock down everything Microsoft right now I most organizations can um but if it’s a if it’s a you know smaller vendor or you know third party or something maybe you can maybe you know if it’s somebody that’s got thirdparty access into your organization do that right so these are again the things that you need to be you need you need to have a game plan you need this I I think of this actually as the break glass so oh we got a problem where are what do we do about it? And it should be a step by step with options, right? So, can we do this? Yes or no, do it. You know, think of it almost as like a flowchart or a tree that helps you start doing that. Um, you know, going down to the next step, remediation. Um, you know, as you’re sort of controlling that blast radius, depends on the type of breach, but you know, if it’s internal or software, you should try to fix it if you can. Uh, but you know, if it’s them and it’s only them, in other words, you’re just the consumer of something that they got a problem on um you need to just find out going back to really the beginning what’s involved, what kind of data is potentially involved, is there a chance for this to sort of come laterally within my organization or not? Um you know, does this unfortunately affect things like your regulatory posture or stance? Am I going to have a compliance issue as a result of this? Uh you know, am I going to have my insurance dropped as a result of this? Those are all things that you need to be thinking of too. And then of course, it’s all about monitoring. And really, that’s a good way to sort of come full circle and say, “Hey, um, you know, for any third party incident, whether it’s a full-blown breach or whether just something that’s affecting you and others, it’s a matter of saying, what does it affect within my organization, if anything, I need to watch that closely. What kinds of remote access are involved? If they are, and again, I need to really watch and say, hey, behaviorally, do do we see anything uh that’s unusual?” And then you need to go back to that thread intel and and reputational tracking to say, are we seeing changes? Right? So, for instance, Has the reputation dropped as a result of one incident? Um, are we also seeing affiliated, you know, fishing emails starting to emanate from that organization’s domain? Are we starting to see other illicit or reputationally shady activities that would impact the reputation one way or another? Like those are the kinds of things that you need to keep track of sort of all the way around. So yeah, check your thread intel, evaluate thirdparty reputation. Um, and I think looking inward, this is really a great goal for 2024. Know where people can get in, right? Know where they can get in. And number I mean, number two, know what your critical software touches so that if it truly does end up having a problem of some sort, you at least have an idea of what the scope of an incident might look like and you know, sort of how far those tendrils may have gotten into your organization as ground zero. Um, you know, that’s really something to think about. And of course, you can look at, you know, privilege user management and behavior monitoring and micro mentation and all those kinds of tools but you know all that aside I don’t want to take this down a very you know sort of technical in the weeds discussion it’s a matter of saying you know where are where are we you know like can we get a grasp on this do you know we know the root cause it came in because vendor X’s software was popped but you know how did they get in have we seen anything unusual around this um have we seen uh you know account abuse or account manipulation um you know what are the privileges is it inter, you know, is it just bad PR? Do we just have to go, “Oh gosh, yeah, let’s let everybody know we’re using this vendor or this service or this piece of software, but we seem fine at the moment.” Um, get your communications plans in place and make sure that, you know, the containment side of things is is, you know, sort of prepared ahead of time. So, to wrap up and I’m going to hand this over to Scott. Um, I I think the the the thing to look at is sure stuff we saw in 2023, we’re absolutely going to see some of that coming in 2024. Um, you know, but we need better intelligence. And we need to make sure that we’ve got emphasis on this from a riskmanagement standpoint um across all levels. It’s not just us. It’s it’s you know it’s executives, it’s the board of directors, um you know, it’s it’s regulatory bodies. It’s our insurance carriers. It’s all of the above. These are all going to be things that we need to be thinking about. And my guess is, you know, if we’re hanging out six, eight, 12 months still talking about these things, some of this is still going to resonate. So with that, I’m gonna stop sharing and I’m gonna hand things over to Scott.

Scott: Awesome. Thanks so much, Dave. I appreciate it. Going to share my uh screen now. I just want to share with everybody a few slides that um I think will be helpful to continue the discussion that that Dave started here. You know, with all that we learned from 2023, whether it be the data breaches and the vulnerabilities of third party attacks and security incidents and supply chain disruptions and all the new compliance regulation stuff came out. I think it’s important put some perspective into it all as as as Dave really suggested and let’s not forget the kind of the fundamental truths that that many of us not all of us perhaps but many of us are kind of operating under as we kind of come into 2024 maybe with a fresh budget maybe with some new priorities and new strategic initiatives uh and more to carry back to what Dave said a few moments ago about the annual um prevalent thirdparty risk management study there were three really interesting conclusions from that study that I wanted to address uh here on the call. First is how manual thirdparty risk really is. And I know you all are feeling this pain much more acutely than I am right now. So please don’t think I’m I’m uh I’m talking at you. But our study said that on just just about 48%. All right, just under 50 half of you are still using spreadsheets at your as your primary method to assess thirdarty risks. Okay, so that includes companies of all sizes, right? Little companies, big compan companies, medium-sized companies, all all around. That’s a problem, right? And that’s probably getting in the way of, you know, the long-term success. And I know you probably tried to get off the spreadsheets and you just can’t because of budget reasons or business process reasons or whatever. I get it. But it’s a barrier. Second, second big challenge we see organizations face in in their third party risk management program planning is not much activity across the entire life cycle of a third party uh relationship. Our study showed that about 20% 20 that’s it of companies are tracking risks that are unique to every stage of that thirdparty vendor and supplier uh life cycle. And frankly I was surprised at that number. I thought it would be even smaller. Uh but look I get it. We do onboarding checks. We do due diligence. We do some ongoing monitoring at the time of the contract review. And then you know maybe organizations without the discipline and the rigor applied to their thirdparty vendor and supplier relationships. Maybe things get a little loose as you get, you know, going on with that relationship. So that’s why that, you know, percentage is is a little bit lower than than what you might think. So a really manual process, um, not every stage is really addressed. And in a third, you probably got a lot of people to deal with. You know, our study showed that in 71% of companies, it’s the information security team that owns third party risk, but 63% of those companies say that the procurement team owns the relationships. So already we have this duality in in the enterprise uh between those who are tasked with ensuring that those third party vendors and suppliers have the right security and data privacy controls in place if there’s going to be some data sharing or some system access or whatever and the procurement team that owns the nuts and the bolts and the contracts and the paper and the signatures and all that other stuff. How do you bridge that gap? Right. So I think how manual it is, how itinerate it is across a life cycle and how complex it is politically for you organizationally, you know, throughout your enterprise are are three ways that organizations are managing their third party risk programs right now and could be better and focus areas as we get into the new year. Look, at the end of the day, what that tells me is three things to be true. Number one is you got to get better data to make better decisions. It has to be more real time. has to be more automated. It can’t be in a spreadsheet and it has to be in a form that you know people throughout the enterprise who aren’t in the security for example need to consume it um and operationalize it. Second uh speaking of other teams getting everybody singing from the same himnil uh in the enterprise knocking down silos between teams maybe discarding tools that only do uh you know part of the part of the solution and not not the entire solution so that you can accomplish the third thing and that’s what you know spreadsheets get in the way of you know not looking at uh risk across the life cycle looks at and you know so many people involved in thirdparty risk creates a challenge for and that is not being able to evolve and scale your program uh over time. So three business objectives and goals that I think every third party risk program needs to align to uh and really that’s that’s what we seek to address with the prevalent thirdparty risk management platform. I think we’re somewhat in the in the market in that we look at each stage and a relationship that you have with a third party vendor or supplier uniquely. Every one of those phases has a unique challenge um a set of risks, data issues, you know, whatever that gets in the way of success. And we’ve delivered very specific capabilities at every stage of that life cycle to help you overcome those barriers, whether it would be getting good um risk rate intelligence on a potential vendor or supplier to make a good decision uh about whether or not they’re not just fit for purpose but fit a fit to your risk profile. Uh during onboarding, integrating a contract life cycle management capabilities um and the ability to have everybody inform on the creation of a vendor profile to do some automated inherent risk scoring to help you determine areas that need a much further dive on due diligence. uh to get some specific answers about about risk areas. Let’s say if they’re a tier one company. Um you know another another uh capability that we deliver is a comprehensive questionnaire library. I think there are 600 different questionnaire templates in our platform sorted by risk domain area so that you can be very surgical about the risks you want to assess those thirdparty vendors and suppliers against. And every one of those multiple different types of domains that we address comes with pre-built remediation recommendations right into the system. So you can suggest those recommendations to the third party vendor supplier make the process smoother, simpler. But it isn’t just about finding a right vendor, getting some onboarding done, some due diligence, some inherent risk rating, and then developing a strategy for maybe this oneoff or once per year assessment process. Kind of tying back to some of the challenges we just talked about a few moments ago, it’s all about continuously monitoring for those risks in between the assessment cycle or getting good intelligence that might trigger another assessment. Uh so um so that’s a piece of it, right? Integrating that level of intelligence, incorporating that into your assessment results so you can have a holistic view of that vendor throughout the life cycle, measuring performance and SLAs’s and then finally getting a good uh disciplined offboarding and termination uh process uh to make sure that when that relationship ends and they all do uh it um is a much more efficient process. in and a less risky process. What we end up delivering to the to uh to organizations is a combination of people, data and platform. That is our solution. If you choose to let us uh do the work of thirdparty risk for you, we can help you manage the life cycle of that vendor. Uh with our our comprehensive managed services, we incorporate, you know, what ends up being hundreds of thousands of individual data sources into our platform to give you good intelligence to make good decisions. And we wholesale platform with good workflow reporting and um management capability uh to help you take advantage of that that uh that relationship life cycle. I mentioned that we have uh lots of different risk areas that manage in the platform. I won’t belabor that so we can open it up for questions. Uh but before we get to questions, you know, it being the start of 2024 or relatively I guess it’s the 10th already. Uh but the start of 2024, if you’re looking for some resources to get started this year, you know, we’ve got three here. I realize you can’t click on the link. We will send you these resources in this deck uh out tomorrow with a recording of the presentation. Look, if you’re just trying to figure out who’s who in the zoo, you know, we’ve got, you know, an industry analyst report from Gartner to help you kind of identify, you know, who’s out there. If you’re ready to start a project and say, hey, you know what? I’m ready to issue an RFP and kind of define a business case and whatnot, we’ve got a kit to help you get started there. You know, it has some pre-populated information in it, some key capabilities and criteria. area, a decision matrix that helps to score different vendors and third party risk uh just to help you get started. And then finally, if you’ve already got a program in place and just trying to make it better this year, uh we’ve got a set of checklists um that you know can help measure your existing processes against what could be industry uh best practice processes. Especially the example I have here is an onboarding and offboarding checklist, which is is quite popular. So anyway, that’s what I wanted to share with you today. Um just the ability to tie kind what some of the biggest trends are and what to look forward to in 2024 with maybe what we can do to help and then a couple of resources to help you uh kind of get started from there. So, Melissa, I’m going to turn it back over to you if you want to kind of turn on questioning and uh and and we’ll go from there.

梅丽莎：太棒了。 谢谢你，斯科特。嗯，是的，我们确实还有几个问题在队列里，所以如果你想临时补充一个，请直接投进问答框。我这就启动最后一次投票，你们屏幕上会弹出窗口。呃，我想问问，你们是否在考虑2024年的TPR和项目计划？请告诉我。 请如实回答。我们确实会跟进核实，绝非戏言。然后戴夫，我把话筒交还给你。你可以浏览问题列表，剩余三分钟时间，请挑选最具价值的问题作答。

戴夫：嗯，当然。我觉得有些问题其实在文字记录里已经回答过了，所以……不过确实有几个问题被遗漏了。但这个——嗯，我认为斯科特和我都能回答，是帕特里克提的。 感谢帕特里克提出这个问题。不过我觉得这是个好问题，也是我经常从客户和行业人士那里听到的疑问：你们是否会对第三方供应商进行风险评级以便后续审查？我认为这其实是我们之前讨论主题的微妙延伸。 当然，供应商风险评级是基本操作。企业会制定风险建议方案，比如"我们应该继续与该供应商合作，要求其改进某些因素，毕竟我们信任他们，他们表现出色"。 诸如此类。但关键在于——当后续情境发生时，是否需要动态调整风险评级？是否持续评估这些因素并进行合理量化？我认为绝对需要。这或许是显而易见的答案，但风险评级本就不该一成不变。组织本身会不断变化。 会不断进行调整。我认为风险评级应具备某种灵活性，尤其要考虑时间因素——对吧？这些工作的时机把握才是关键。若试图用电子表格处理所有这些，确实很困难。斯科特，你对此肯定有见解。

斯科特：没错，绝对如此。我的意思是，风险管理必须持续进行，同时还需影响决策过程。这其实就从我们刚才讨论的固有风险评分开始，对吧？ 根据供应商与受保护数据/系统的交互情况，或其业务关键性等因素，先确定其初始风险等级。这能指导后续评估和监控策略——比如确定与供应商互动的频率和深度。而在这些互动间隙，持续数据流就显得尤为重要，而非依赖电子表格。 正如您所言，尽可能避免使用电子表格。

戴夫：呃，我觉得我们时间不多了。有位听众问到关键绩效指标（KPI）和关键指标/关键结果（KI KRI）的具体示例。其实我建议大家去看看普雷瓦伦团队提供的免费资料，斯科特刚才提到的内容里就有相关案例。 我自己也仔细研究过。嗯，这算推脱责任，但确实是个好方法——坦白说那里有大量优质信息。最后莎拉提出的问题是关于大型组织的复杂性。没错，绝对如此。全球1000强企业？别提了。 确实。这类机构往往规模庞大、体系错综，拥有众多分支机构等复杂架构。 嗯，虽然不能点名具体企业，但我想这个问题应该交回给普雷瓦伦团队处理。他们正服务于类似贵公司的组织，应该能提供相当可靠的指标和成功案例，这些内容既可在他们的内容门户获取，也可以通过直接沟通交流。

梅丽莎：现在正好是整点时间，接下来我们还有场关于KPI和KRI的网络研讨会。虽然不是下周，但就在再下周举行。请大家留意通知。刚才那句宣传简直完美，感谢匿名参与者插入的提示。斯科特，要是你干的就老实承认。不过啊，我真的很感激戴夫今天拨冗参与。 相信在座各位都深有同感。当然斯科特，最后感谢你的真知灼见。嗯...感谢各位参与。若想持续获取资讯，请订阅我们的邮件、添加领英好友，相信很快就能在你们的收件箱里见到我。那么，我们很快再聊。保重。再见各位。