Third-party breaches are occurring with increasing frequency. One recent example is the security breach at identity service provider Okta, where a malicious actor leveraged stolen credentials to access the company’s support management system. Okta acts as a broker and intermediary for vast amounts of authentication and authorization sessions for applications used by thousands of customers. Therefore, the number of companies that could be impacted – directly or indirectly – is significant.
How would your company respond if one of your critical vendors experienced a breach?
This post offers suggestions for readying your third-party incident response program and shares five actions to take when one of your vendors is affected by a breach.
First, it’s essential to continually monitor critical third parties for new and emerging cyber threats (as well as for potential operational, financial and reputational risks). While this may seem obvious, it can be a monumental task for organizations with large vendor ecosystems. Instead of trying to manually stay on top of security news and community postings, look for threat intelligence providers that can automate and scale the monitoring process for you.
Do any of your third-party vendors have access to your infrastructure, users and/or data? If so, then be sure to implement behavioral analysis tools to detect any anomalous activity. Also, stay on top of any software that’s being used, ensuring that it is current and patched to address any vulnerabilities. Microsegmentation and privileged user management tools can also help here.
Communications after a third-party breach or suspected incident are different from in-house incident management communications. Make sure you have vendor contact information readily available, and implement protocols for information gathering and escalation paths for when incidents occur. If the third party is a software or services vendor (see the 2020 SolarWinds breach), then there may be a “waterfall” effect that necessitates communications with customers and other stakeholders.
How much access does the vendor have? This is a critical question when considering containment strategies. For instance, if the vendor has access to your data but not to your infrastructure, then you may be able to simply stop using the service or platform until more is known. However, if the vendor has any level of access to your IT environment, then you should have a plan to immediately quarantine and isolate that access.
When a third-party breach occurs, asking the right questions will help you to efficiently understand and mitigate the impact on your organization. Here are a few recommendations with guidelines for possible responses (to be tailored based on the specifics of the incident):
Webinar: 5 Immediate Actions After a Third-Party Breach
Dave Shackleford, CEO at Voodoo Security and SANS Senior Instructor, shares the most important steps you need to take in the first 24 hours of a third-party security incident, as well as his strategies to prepare your incident response plan now.
Building on the tips above, here is a quick list of what to do if you believe that your organization has been affected by a third-party breach.
Please note: This list should not be considered comprehensive incident management guidance. Be sure to engage with your security operations center (SOC) team, auditors and other internal parties.
It’s clear that third-party breaches and incidents can have significant downstream implications on your organization’s operations. Be prepared by accounting for third-party risk in your incident response playbook. Know who you will contact, what SLAs are involved, which questions you will ask, and how you will proceed given the answers. Also, since incident response programs are reactive by nature, be sure to implement a proactive third-party risk management program to head off threats before they impact your organization!
For more information, scroll up to watch my on-demand webinar (also embedded above), and contact Prevalent for a demonstration of its third-party incident response capabilities today.