Enterprises today are embracing digital and analytics transformations as never before. Even those that did not expect to embark upon major IT changes have had to adopt fully remote ways of working due to the COVID-19 pandemic. In fast-moving business environments, companies make many necessary IT changes on the fly, with security waivers and risk-mitigation promissory notes issued almost as readily as authorization-to-operate (ATO) certifications. Cyberattackers and corporate spies are having a field day. They are capitalizing on the disruption, meeting in virtual rooms to engage in advanced persistent mapping of enterprise IT environments and associated vulnerabilities—including the areas of those environments that are reliant on third-party support and capabilities.
As cyber breaches and attacks mount, top managers of corporations in every sector are looking into the sources of their vulnerabilities, including the third parties and supply chains that make their businesses possible. In the wake of high-profile events such as the recent Sunburst malware attack, however, chief information officers (CIOs) and chief information security officers (CISOs) are being deluged with conflicting messages. The Sunburst attack proved that enterprise environments and third-party capabilities are interpenetrated and indistinguishable. Attackers are opportunistic, adapting to whatever foothold they can gain, no matter the source.
This creates a conundrum for CIOs and CISOs; they must now secure their own IT environments while also accounting for the security of the third-party elements of those environments. Third parties must be made to comply, technically and in contract-driven risk-mitigation elements, with security that supports the enterprise’s purposes. To ensure cooperation while providing sufficient protection for all sides, enterprises must, therefore, bring third parties into the inner circle of their security perimeters. Meanwhile, CIOs and CISOs are being told to scrutinize third parties intensively. On the surface, the two mandates are counterposed. But must they be? The short answer is no. The two stances, trust and scrutiny, do not have to be in opposition. In fact, they are most effective when contained in a reciprocal relationship.
The Sunburst attack reveals that certain types of attackers form broad-range alliances to achieve their threat-focused objectives. CIOs and CISOs, together with their third-party colleagues, can and must do likewise. They can work together to set the tough objectives and achieve the security excellence needed to meet the risk-mitigation requirements of the enterprise. Make no mistake, cyberthreats are becoming more perilous the world over. Attackers will have the advantage until enterprises appropriately staff and train their organizations, acquiring needed capabilities and tools. This means working together with their third parties to sustain a united security front.
CISOs and CIOs are aware of more gaps and weaknesses in enterprise cybersecurity than they are comfortable with. In third-party relationships, furthermore, those weak spots are often papered over. But the Sunburst attack has made these spots glaringly obvious. The time has come to openly challenge the status quo in cybersecurity. Companies must link arms with their third parties in the face of the mounting challenges and demand the very best when it comes to security.
Understanding the risks
Recent cyberattacks have made many cybersecurity challenges more apparent. One of the most important revelations is that enterprise security is as dependent on the global cyber ecosystem as it is on the actions of particular institutions. CIOs and CISOs are accustomed to managing their own operations and, ideally, having a strong influence on how the enterprise’s employees and contractors behave.
The truth is that no matter how large an enterprise is, it is one player among millions across the global internet. Its security posture is dependent on every one of its employees, contractors, suppliers, resellers, cloud partners, and sometimes even customers—but also on those same elements belonging to any other company out there, in their own market and in the wider global economy.
An enterprise has its hands full even keeping under control all its direct users. To address vulnerabilities generated across all cyberspace requires a commonly maintained global security defense. That means that enterprises have to communicate openly with their partners and rivals. CISO-to-CISO conversations may feel awkward, but they are now necessary.
Enterprises need to examine operations realistically to determine their most likely forms of attack. New exposures from acquisitions or sales of business units need to be addressed. Attacks can come in the form of advanced persistent threats from nation states, ransomware operations, cyber theft and industrial espionage, or malicious actions by individuals (insider or outsider threats).
The most viable enterprise-security strategies have to address the several dimensions of the threat environment, each of which is subject to change, sometimes dramatically, at any point in time:
- the nature of attackers and their most likely tactics
- the nature of the current and imminent enterprise-security environment
- the nature of the business, including acquisitions, operations, market conditions, partners, and competitors
A company acquiring an overseas asset to improve its market share and positioning may be exposing itself to threats it never before considered. The due-diligence team will have to examine the acquired operation and any of its third parties to determine potential new threats and vulnerabilities. If the acquisition is a defense contractor, for example, the parent company could even be targeted by a nation-state attacker. Once the new acquisition’s systems are connected to the new parent’s corporate network, everything contained within it could be exposed to spying or theft.
Communication and third-party cybersecurity
Two good areas to begin improving defenses are communication and third-party cybersecurity. As with any at-scale improvement, these issues have no simple solution. Many public institutions and private-sector companies have, however, achieved much by tackling these two areas in tandem. Cybersecurity “hygiene”—the care, stringency, and thoroughness with which cyber defenses are maintained—is of critical importance. To maintain a uniformly high level of cybersecurity hygiene across the organization, including for new acquisitions and third parties, transparency and open communication are needed.
Across collective ecosystems, enterprises can achieve both transparency and toughness on cybersecurity hygiene through common work. Attackers are often very capable and motivated in constructing strategic campaigns. To face these very real threats, we, as defenders, must be as capable and as motivated. The following recommendations are based on the insights and experiences of organizations that were successful at reducing third-party cyberrisk.
For companies using third parties
For companies reliant on third-party services and capabilities, such as software development and technology tools, consider taking the following measures and actions, as appropriate:
- Apply role-based access controls to applications, databases, and infrastructures; remove single-user accounts on highly privileged systems (such as network-access systems). To the extent possible, proceed according to zero-trust-based expectations, if not actual zero-trust controls.
- Enforce appropriate risk-based multifactor authentication (MFA) for all privileged role-based access.
- Build use cases in the security-operations center to identify suspicious third-party use cases. These could be “impossible logins”—single-user logins made in a short time period from several geographically distant IP addresses—or “impossible tokens” (SAML tokens valid for 24 hours should be flagged).
- Create incident guides for third-party supply-chain attack scenarios, and conduct tabletop exercises with key software vendors. Establish point-of-contact connections (CISO to CISO are particularly effective), secure channels of communication, and ensure that all staff are aware of procedures for handling incidents.
- Mandate security training and certifications, service-level agreements (SLAs), and escalation protocols in third-party contracts. Surprisingly, many third-party contracts for technology services and capabilities do not specify security requirements, SLAs, or escalations. Work with company-procurement functions to ensure that these elements are included as a matter of course in any relevant vendor contract.
- Assess your tier-2 suppliers (and beyond). Many of these organizations are small and medium-size businesses with limited security and compliance resources. As such, striking a fair balance between assessing their cybersecurity hygiene and overburdening them with information requests will be of critical importance.
- Adopt a third-party risk-management framework that performs an algorithmic risk rating of your suppliers. Regularly evaluating suppliers on a relative risk can help inform strategic decisions on procurement, risk management, and resource allocation.
Striking a fair balance between assessing your tier-2 suppliers’ cybersecurity hygiene and overburdening them with information requests will be of critical importance.
For third-party providers
To serve customers more securely, consider the following action, as appropriate, for third-party providers:
- Conduct security reviews across all products and transparently report to customers on the current state of security, including vulnerabilities.
- As soon as possible, identify and patch product vulnerabilities that might be exploited; communicate those activities to customers.
- Use threat modeling during product development and share results with customers. Build threat models that account for both inside-out and outside-in attack scenarios. Ensure that as much emphasis is put on scenarios covering denial of legitimate service as those covering potential compromised assets.
- Expand existing code-testing capabilities (such as general, static, and dynamic security testing) to include stress-testing on code tampering, degradation of data integrity, and suitability of corporate integration.
- Conduct red-team exercises using attack scenarios on the software supply chain to stress-test the infrastructure-security posture for current products. Tweak the exercises to anticipate different attempts to infiltrate the supply chain.
Legal and other enhancements
Legal avenues are another means of reducing enterprise risk from third-party attacks. Organizations can (and should) contractually require that third parties meet enterprise cybersecurity standards. Third parties should also be contractually obligated to impose the same standards on any subcontractor that could affect enterprise data or systems.
Companies can also contractually require regular technical testing of third parties. This would mean penetration testing and red-team exercises, which many vendors do not yet permit. Yet to improve communications and cybersecurity across the enterprise ecosystem, these tests must become part of the routine. Enterprises need penetration tests and red-team exercises for their own homegrown capabilities to ensure that they are in line with security requirements; the same approach must be required of third parties as well.
A new age of cybersecurity has been defined by more sophisticated cyberattacks, widespread adoption of digital and analytics transformations, and workplace changes, especially work-from-home arrangements. The conditions challenge existing third-party and supply-chain security-management procedures. A radical new approach is needed, one that focuses on robust communication and the complete alignment of third-party cyber protection with the requirements and standards of the enterprise. The new approach goes beyond meeting compliance requirements; its goal is to markedly reduce enterprise-wide risk. The change is significant but necessary because the security environment, as CIOs and CISOs well know, has become much more dangerous.