...Weakest Link
ThreatWorx
No scan, no agent, real-time, continuous proactive cyber hygiene powered by AI for your entire attack surface
A Defining Challenge in Cybersecurity Today
Identifying and tracking the true cyber risk of your supply chain is fast becoming a defining cybersecurity challenge of our time. Whichever statistics you look at, a high percentage of enterprises were financially harmed in 2021 by a cyber event caused by a weakness in their third-party ecosystem. The truth is that there is also a weakness in the common way companies deal with cyber risk management of their "external" attack surface.
Most organizations today work closely with their business ecosystem, which is key for business continuity. This business ecosystem includes, but is not limited to, their vendors, partners and suppliers. Organizations need to share sensitive information with their business ecosystem partners on a regular basis. While an organization has good control over its own security posture, it has only a limited view of the security posture of its business ecosystem partners.
As the saying goes “security is only as strong as the weakest link”.
Current Approach Falls Short
Third-party risk assessment is frequently started by the procurement organization or GRC function, as a checklist item when onboarding third-party partners. Even best-of-breed third-party risk scorecard or rating services provide just an "outside-in" assessment of the partner's risk posture. This is done by looking at what is externally observable, creating a security profile for that organization and assigning a risk rating or score. For example, it sometimes includes websites, external-facing applications, external-facing IPs and servers, DNS and so on. While the external aspect is an important one, this view is quite limited.
Does that STOP you from being affected by a weakness in their ecosystem?
No, it does not.
Limitations of "Outside-In" View
Unfortunately, this is not effective in today's environment, if the goal is to proactively reduce the risk of successful cyber attacks on your company. These approaches fall short because they fail to inspect vulnerabilities in internal systems. They rely on a combination of point-in-time snapshots of publicly available information and assumptions about a given company's security posture, and then update that information. They do not provide an actual understanding of what risks and exposures exist "inside" the partner's attack surface.
We all understand that vulnerabilities inside the network are key for a successful attack. Attackers regularly exploit vulnerabilities to move laterally inside the network and elevate privileges amongst other things. Malware and ransomware routinely leverage known exploits and published vulnerabilities.
While it's nice to know in general whether a company you are linked to is risky, mitigating these events requires comprehensive management of the entire attack surface, including the third-party and even fourth-party vendor network. You need visibility into the "true risk" by understanding what's going on "inside" their attack surface.
What about vulnerabilities inside your partners' environments?
Have they been attacked and breached?
What are they vulnerable to?
Have they remediated the vulnerability that they were alerted to?
Which of these are likely to impact me?
Limitations of “outside-in” approach
1. Incomplete visibility: Focusing on profiling the external attack surface provides, at the very best, a partial view of the infrastructure. Weaknesses within the internal infrastructure that serves the application logic and databases, and that is not exposed directly via publicly routable IPs, cannot be uncovered.
2. Strong controls: Services in the DMZ are fronted by firewalls and load balancers that will not allow unauthenticated requests to reach the core applications hosted in the DMZ, limiting visibility to web servers hosting static web content, network devices and HTML-based scripting technologies.
3. Code obfuscation: Detecting code security issues needs static and dynamic analysis of the code base, which isn't possible when looking only at deployed services.
4. VPN: Business-critical services are often not accessible without VPN access. Breaches of these services come from account compromise and / or malware planted on client endpoints with direct access to these critical services and data. An "outside-in" approach has no visibility of weaknesses in the internal infrastructure used for lateral movement by attackers, nor does it account for the poor cyber hygiene of user endpoints, which are often the source of attacks.
5. Cloud data access: Access to data in the cloud is heavily dependent on the way permissions are granted to roles and services, requiring a deeper cloud audit that can only be done inside the VPC.
6. False sense of security: A risk score computed by an approach that doesn't factor in the above points gives a false sense of security.
Addressing the core concerns as a step forward
The third-party risk function has accepted this outside-in approach, in part because of concerns that there might be an operational, legal or contractual burden, and in part because historically no alternative has been offered. The ThreatWorx approach addresses those concerns.
ThreatWorx - next generation, innovative "inside-out" approach
The ThreatWorx approach provides a continuous view of the true cyber risk of your third parties, in a non-intrusive and safe manner at no cost to the third party, along with the ability to collaborate with them to resolve priority issues. And there aren't any big issues around legal contracts, onboarding, privacy or overhead.
Some key highlights of this approach are as follows:
Uses agentless, open-source twigs or SBOMs for asset discovery.
No sharing of credentials with ThreatWorx or the service owner.
Always-on, ML-curated vulnerability and threat intelligence for effective prioritization. Covers all cloud, code and corporate deployments.
Partners / vendors can choose the privacy level at which they wish to share this information with you. At the highest level of privacy, only the threats / vulnerabilities affecting partner virtual assets are visible to you.
Easy, secure profiling of attack surfaces - Partners / vendors can use ThreatWatch's open-source asset discovery CLI, twigs, to safely inventory some or all of their attack surface and share it with you as virtual assets. This inventory can be anonymized and audited for privacy before sharing. twigs also allows your partners to automate this discovery to keep up with any changes to their attack surfaces.
Early real-time risk assessment - Identify vulnerabilities and threats on partner assets on a continuous basis, without scanning, as soon as they emerge. AI-based correlation and prioritization helps identify the most important threats in your partner ecosystem in real time.
Dashboards and reports - Monitor risk across all your partners / vendors using global and partner-level dashboards. Rank your partners on risk scores and track their risk over time using summary and detailed risk reports.
Collaboration - Share information on priority threats with your partners. Collaborate with them to remediate threats based on SLAs. Improve their cyber risk posture and in turn secure yours.
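As an added illustration of the virtual-asset flow described in these highlights, and of the SBOM-based ingestion listed in the specifications, here is Python that is not ThreatWorx's or twigs' own code. It parses a constructed CycloneDX-style SBOM into a virtual asset, applies a partner-chosen privacy level, and correlates the shared components against an advisory feed without touching the partner's hosts. The privacy level names, the HMAC pseudonymization of the service name, the version-range matching and the advisory feed with placeholder ids are all assumptions of this example.

```python
"""Added example (not ThreatWorx/twigs code): turn a partner's SBOM into a
"virtual asset", apply a partner-chosen privacy level before sharing, and
correlate the shared inventory with an advisory feed. Every input below is
constructed for illustration; advisory ids are placeholders, not real ones."""
import hashlib
import hmac
import json
import re

# Constructed, minimal CycloneDX-style SBOM exported for one partner service.
PARTNER_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "billing-api", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    ],
})

# Constructed advisory feed keyed by package purl (without version): versions in
# [introduced, fixed) are affected. Ids are placeholders, not real advisories.
ADVISORY_FEED = [
    {"id": "ADV-PLACEHOLDER-001", "package": "pkg:npm/lodash",
     "introduced": "4.0.0", "fixed": "4.17.21", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-002",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-003", "package": "pkg:npm/express",
     "introduced": "4.0.0", "fixed": "4.17.3", "severity": "medium"},
]

PRIVACY_LEVELS = ("full", "anonymized", "findings_only")  # assumed level names


def version_key(version: str) -> tuple:
    """Compare dotted numeric versions as integer tuples ("4.17.20" -> (4, 17, 20))."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def split_purl(purl: str) -> tuple:
    """"pkg:npm/lodash@4.17.20" -> ("pkg:npm/lodash", "4.17.20"); drops qualifiers."""
    base = purl.split("?", 1)[0]
    package, _, version = base.rpartition("@")
    return package, version


def build_virtual_asset(sbom_json: str, privacy_level: str, partner_secret: bytes) -> dict:
    """Partner side: inventory from the SBOM. Under any level other than "full" the
    service name is replaced by a keyed HMAC so only the partner can map it back."""
    if privacy_level not in PRIVACY_LEVELS:
        raise ValueError(f"unknown privacy level: {privacy_level}")
    sbom = json.loads(sbom_json)
    service = sbom["metadata"]["component"]
    real_name = f'{service["name"]}@{service["version"]}'
    if privacy_level == "full":
        asset_id = real_name
    else:
        asset_id = hmac.new(partner_secret, real_name.encode(), hashlib.sha256).hexdigest()[:16]
    components = [c["purl"] for c in sbom.get("components", []) if "purl" in c]
    return {"asset_id": asset_id, "components": components}


def correlate(asset: dict, feed: list) -> list:
    """Match each component purl against the feed; no scanning of the partner's hosts."""
    findings = []
    for purl in asset["components"]:
        package, version = split_purl(purl)
        for adv in feed:
            if adv["package"] != package:
                continue
            if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                findings.append({"asset_id": asset["asset_id"], "purl": purl,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


def partner_export(sbom_json: str, privacy_level: str, partner_secret: bytes, feed: list) -> dict:
    """What the partner actually hands over. At "findings_only" the partner correlates
    locally and the consumer never sees the component list, only matched advisories."""
    asset = build_virtual_asset(sbom_json, privacy_level, partner_secret)
    if privacy_level == "findings_only":
        return {"asset_id": asset["asset_id"], "findings": correlate(asset, feed)}
    return {"asset": asset}


def consumer_ingest(payload: dict, feed: list) -> list:
    """Consumer side: correlate shared inventories; pass partner-side findings through."""
    if "findings" in payload:
        return payload["findings"]
    return correlate(payload["asset"], feed)


if __name__ == "__main__":
    secret = b"constructed-partner-key"  # held by the partner, never shared
    for level in PRIVACY_LEVELS:
        payload = partner_export(PARTNER_SBOM_JSON, level, secret, ADVISORY_FEED)
        for f in consumer_ingest(payload, ADVISORY_FEED):
            print(level, f["asset_id"], f["purl"], f["advisory"], f["severity"], "fix:", f["fixed_in"])
```

The point of the three levels is that the consumer's risk view stays the same (two affected components, one clean) while what the partner discloses shrinks: the real service name under "full", a keyed pseudonym under "anonymized", and only the matched advisories under "findings_only".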
VIRTUAL ASSET SUPPORT SPECIFICATIONS
Open Source Technologies Supported - All popular open-source languages including JavaScript, Ruby, Python, .NET and Java. All popular package dependency managers including NPM, Maven, Gradle, etc.
Repositories Supported - Public and private git repositories; local source code as a virtual asset.
Containers Supported - Any Docker-compatible images and instances.
Cloud Coverage - Continuous vulnerability assessment for AWS, Azure and GCP instances. Agent-less discovery of assets in AWS and Azure.
Compliance - SSL / SSH audits, CIS benchmark audits for AWS, Azure, GCP, Docker, Linux and Windows
OS Assets Supported - Popular Linux flavors including Red Hat, CentOS, Ubuntu and Debian; all supported versions of Microsoft Windows; Darwin-based macOS / OS X; cloud OS images including Amazon Linux and Oracle Linux.
File based asset ingestion - Asset ingestion using SBOMs or existing scan reports from Qualys, Tenable, OpenVAS etc. Asset ingestion using CSV and JSON files. Open-source dependency files from npm, Maven, Gradle and other package management systems.
CMDB integrations - Ingest assets from ServiceNow CMDB using the twigs plugin. Other integrations available upon request.
Code Secrets - Find passwords, keys and other sensitive information leaks in code. Support for dictionary, heuristic and pattern matching, with custom regex support.
DAST - Automated OWASP Top 10 vulnerability checks on web applications. Plugins available for DAST tools like skipfish, arachni and ZAP.
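To make the Code Secrets item concrete, here is an added Python example that is not ThreatWorx's scanner. It combines the three detection styles named in the specification (pattern rules with custom regex support, a keyword dictionary, and a Shannon-entropy heuristic) over a constructed source file, and redacts every matched value so the report itself does not leak. The rule set, the entropy threshold, the `nosecret` suppression marker and every value in the sample are assumptions of this example.

```python
"""Added example (not ThreatWorx code): a small code-secrets scanner combining
pattern rules (built-in plus custom regex), a dictionary of secret-bearing
keywords, and an entropy heuristic. The sample source and every value in it
are constructed for illustration; none of them is a real credential."""
import math
import re
from collections import Counter

# Constructed sample file. Line 8 carries the suppression marker; line 9 reads
# the key from the environment, which is what the scanner should NOT flag.
SAMPLE_SOURCE = '''\
import os

DB_HOST = "db.internal.example"
password = "changeme123"
aws_key = "AKIAEXAMPLEKEY123456"
signing_material = "abcdefghijklmnopqrstuvwxyz012345"
banner = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
test_key = "AKIATESTTESTTEST0000"  # nosecret: fixture value
api_key = os.environ["API_KEY"]
'''

# Built-in pattern rules; callers can pass extra (name, regex) pairs.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]
# Dictionary rule: a secret-bearing keyword assigned a quoted literal of 6+ chars.
DICTIONARY_RE = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*[\"']([^\"']{6,})[\"']")
# Heuristic rule: any quoted literal that looks like key material and has high entropy.
LITERAL_RE = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")
ENTROPY_THRESHOLD = 4.5       # bits per character; assumed tuning value
SUPPRESS_MARKER = "nosecret"  # assumed inline allowlist marker for fixtures/test data


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 32 distinct chars used evenly gives 5.0."""
    counts = Counter(value)
    total = len(value)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def redact(value: str) -> str:
    """Never echo the secret itself into reports or logs."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(text: str, extra_patterns=None) -> list:
    """Return findings as dicts with line, kind (pattern/dictionary/heuristic), rule, value."""
    rules = PATTERN_RULES + [(name, re.compile(rx)) for name, rx in (extra_patterns or [])]
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS_MARKER in line:
            continue
        seen = set()  # values already reported on this line, so the heuristic does not repeat them
        for name, rx in rules:
            for m in rx.finditer(line):
                seen.add(m.group(0))
                findings.append({"line": line_no, "kind": "pattern", "rule": name,
                                 "value": redact(m.group(0))})
        for m in DICTIONARY_RE.finditer(line):
            keyword, value = m.group(1), m.group(2)
            seen.add(value)
            findings.append({"line": line_no, "kind": "dictionary", "rule": keyword.lower(),
                             "value": redact(value)})
        for m in LITERAL_RE.finditer(line):
            value = m.group(1)
            if value in seen:
                continue
            entropy = shannon_entropy(value)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"line": line_no, "kind": "heuristic",
                                 "rule": f"entropy={entropy:.2f}", "value": redact(value)})
    return findings


if __name__ == "__main__":
    custom = [("internal-host", r"\b[a-z]+\.internal\.example\b")]  # custom regex example
    for f in scan_source(SAMPLE_SOURCE, extra_patterns=custom):
        print(f"line {f['line']:>2}  {f['kind']:<10} {f['rule']:<20} {f['value']}")
```

Run as-is, the scanner reports the hard-coded password (dictionary), the access-key-shaped literal (pattern), the random-looking 32-character literal (heuristic) and, with the custom rule, the internal hostname, while the suppressed fixture line and the environment-variable lookup produce nothing; the low-entropy banner shows why the heuristic needs a threshold rather than a length check alone.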
For more information on how painless it is to onboard a supply chain partner, visit us at threatworx.io