What Home Buying Can Teach Us About Continuous Monitoring

By ISBuzz Team, April 23, 2019, 5 Mins Read
Companies have been brainwashed to solely rely on hiring major auditing companies to help monitor and audit their vendors’ security. Assessments from these traditional auditors are typically an annual point-in-time affair. With technology advancing much more frequently, this outdated annual assessment model just can’t keep up, and today’s leading companies are ditching annual audits in favor of a continuous monitoring model.

Those who haven’t made the jump worry that continuous monitoring will be a daunting, time-consuming undertaking. What may surprise many is that much of the work of continuous monitoring can be done in-house, at low cost and can be automated. To simplify the process, picture continuous monitoring more like the process of buying a house.

When searching for a new property, a lot can be told about the house and neighborhood by simply driving by and doing online searches. In the same vein, continuous monitoring should start with the “curb appeal” before moving to a “home tour.” Following these steps can help make the move to continuous monitoring more manageable and efficient.

Curb Appeal

With a quick glance at important features (exterior conditions, condition of the garden, schools in the area, etc.), curb appeal makes it easy to know if exploring a house further is necessary. Auditing a vendor’s curb appeal consists of looking primarily at publicly available information to assess the security in place.

  1. Check SSL Certificates. Tools like Qualys’ SSL digger provide a security grade for the vendor’s SSL encryption certificates. Free tools like this give a peek into the vendor’s security practices. A low score here is a sign that they are not even ensuring that basic encryption controls are in place, similar to a house with peeling exterior paint.
  2. Third-party Risk Assessment. A number of organizations, like BitSight or RiskRecon, provide a “credit score” of sorts for vendors so buyers can determine how risky it is to work with them. A low score on both the SSL cert and the risk assessment means the vendor’s security program is vaporware and it is likely not worth proceeding.
  3. Public Searches. The next step is to conduct simple searches and set up alerts. These can notify you if a public breach of the vendor occurs, if they are exposing company secrets in public repositories (e.g. GitHub), or if company credentials turn up on the ‘Have I Been Pwned’ search website. Any of these findings can be a red flag.
  4. Employee Audit. Most company employees can be found on LinkedIn. It is a good place to discover whether the vendor has a Chief Security Officer and how large their security team is. Leadership in that area shows the company has invested in its security program. Alternatively, the head of QA also being responsible for security is telling of the quality of their security program.

These steps can be completed quickly and with minimal cost. Looking at the curb appeal of a vendor is a good way to begin to tell if it can protect your valuable company data, or if you need to find a new vendor. To automate this process, integrate BitSight, Google Alerts, Qualys scores, etc. with an analytics system, like Domo or ServiceNow, to track in real time how these vendors are performing.
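The automation step above, as an added example that is not part of the original article: a small Python posture tracker that takes the four curb-appeal signals for one vendor (TLS grade, third-party risk score, exposed-secret alerts, presence of security leadership), applies pass/fail thresholds, and, because continuous monitoring is about catching change, flags regressions between consecutive monthly snapshots. The grade ranking, thresholds and the history data are constructed assumptions, not values from any scanner.

```python
"""Curb-appeal posture tracker over constructed vendor signals (see lead-in)."""
from typing import NamedTuple

# Ordinal ranking for SSL Labs-style letter grades (assumption: A+ best, F worst).
GRADE_RANK = {"A+": 6, "A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}

class Snapshot(NamedTuple):
    date: str
    tls_grade: str           # grade from a public TLS scanner
    risk_score: int          # 0-100, higher is better (BitSight/RiskRecon style)
    exposed_secrets: int     # hits from public-repo / credential-leak alerts
    has_security_lead: bool  # e.g. a named CSO found during the employee audit

def evaluate(s: Snapshot) -> list[str]:
    """Point-in-time checks: a list of red flags (empty means the vendor passes)."""
    flags = []
    if GRADE_RANK.get(s.tls_grade, 0) < GRADE_RANK["B"]:
        flags.append(f"weak TLS configuration (grade {s.tls_grade})")
    if s.risk_score < 70:
        flags.append(f"third-party risk score below threshold ({s.risk_score})")
    if s.exposed_secrets > 0:
        flags.append(f"{s.exposed_secrets} exposed secret(s) in public sources")
    if not s.has_security_lead:
        flags.append("no dedicated security leadership identified")
    return flags

def regressions(prev: Snapshot, cur: Snapshot) -> list[str]:
    """Continuous-monitoring check: what got worse since the previous snapshot?"""
    out = []
    if GRADE_RANK.get(cur.tls_grade, 0) < GRADE_RANK.get(prev.tls_grade, 0):
        out.append(f"TLS grade dropped {prev.tls_grade} -> {cur.tls_grade}")
    if cur.risk_score < prev.risk_score - 10:  # ignore small noise, flag big drops
        out.append(f"risk score fell {prev.risk_score} -> {cur.risk_score}")
    if cur.exposed_secrets > prev.exposed_secrets:
        out.append("new exposed secrets detected")
    return out

# Constructed monthly history for one vendor; in practice fed by scanner/alert feeds.
HISTORY = [
    Snapshot("2019-01", "A", 82, 0, True),
    Snapshot("2019-02", "A", 80, 0, True),
    Snapshot("2019-03", "C", 64, 2, True),
]

def monitor(history: list[Snapshot]) -> dict[str, list[str]]:
    """Run both checks over consecutive snapshots, keyed by snapshot date."""
    report = {}
    for prev, cur in zip(history, history[1:]):
        report[cur.date] = evaluate(cur) + regressions(prev, cur)
    return report
```

Calling `monitor(HISTORY)` shows the point of the continuous model: the February snapshot is clean, while March raises both static red flags and the month-over-month regressions an annual review would have missed for up to a year.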

Take the Tour

For vendors that pass the curb appeal test, the next step is “touring the property.” Deeper due diligence is key to truly protecting an organization against risk. These last four steps offer manageable ways to thoroughly inspect vendor practices.

  1. Certs and Industry Questionnaires. Look at the vendor’s certs and review any findings; then prepare a questionnaire for the vendor. Using a standard questionnaire like the Shared Assessments SIG rather than a custom questionnaire will allow the vendor to provide answers quickly.
  2. Penetration Testing. Your vendor should complete independent third-party penetration tests of their platform and provide an executive summary of the results. Penetration tests are expensive (up to $100K), so leverage the vendor’s independent third-party reports as much as possible. Alternatively, you can complete your own.
  3. Activity Logs. Progressive vendors will allow you to access your customer instance activity logs through an API. Having real-time access to these logs is a key component of your continuous monitoring program. Tools like Splunk can now help find suspicious behavior as it happens.
  4. Notifications in the Contract. Vendor contracts should state that the vendor is required to disclose any changes that may negatively impact security. This helps encourage vendors to at least maintain the same level of security, even though they are making continuous technology changes.
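The activity-log step above, as an added example that is not part of the original article: Python detection logic run over a constructed export of customer-instance activity events (the kind a vendor API might return as JSON lines), flagging the behaviors a Splunk-style search would look for: a burst of failed logins followed by success, a login from a country not previously seen for that user, a bulk data export, and an admin role grant. The event schema, field names and thresholds are assumptions for illustration, not any vendor's real API.

```python
"""Detection over vendor activity-log events pulled from a customer-instance API.
The event format and rules are constructed for illustration, not any vendor's API."""
import json
from collections import Counter, defaultdict

# Constructed sample export (one JSON object per line), as an API might return it.
SAMPLE_LOG = """\
{"ts":"2019-04-01T08:55:00Z","user":"bob","action":"login","result":"ok","country":"US"}
{"ts":"2019-04-01T09:02:11Z","user":"alice","action":"login","result":"ok","country":"US"}
{"ts":"2019-04-01T22:41:03Z","user":"bob","action":"login","result":"fail","country":"US"}
{"ts":"2019-04-01T22:41:09Z","user":"bob","action":"login","result":"fail","country":"US"}
{"ts":"2019-04-01T22:41:15Z","user":"bob","action":"login","result":"fail","country":"US"}
{"ts":"2019-04-01T22:41:20Z","user":"bob","action":"login","result":"fail","country":"US"}
{"ts":"2019-04-01T22:41:26Z","user":"bob","action":"login","result":"fail","country":"US"}
{"ts":"2019-04-01T22:42:02Z","user":"bob","action":"login","result":"ok","country":"RO"}
{"ts":"2019-04-01T22:45:30Z","user":"bob","action":"export","result":"ok","country":"RO","records":50000}
{"ts":"2019-04-01T22:46:00Z","user":"bob","action":"role_change","result":"ok","country":"RO","target":"bob","role":"admin"}
"""

FAILED_LOGIN_THRESHOLD = 5   # failures per user before we alert (assumed)
BULK_EXPORT_RECORDS = 10000  # export size that warrants a look (assumed)

def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events: list[dict]) -> list[str]:
    """Return human-readable alerts; stateful rules run in timestamp order."""
    alerts = []
    failures = Counter()                 # consecutive failed logins per user
    seen_countries = defaultdict(set)    # countries with a prior successful login
    for e in sorted(events, key=lambda e: e["ts"]):
        user, action = e["user"], e["action"]
        if action == "login" and e["result"] == "fail":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{user}: {failures[user]} failed logins at {e['ts']}")
        elif action == "login" and e["result"] == "ok":
            if seen_countries[user] and e["country"] not in seen_countries[user]:
                alerts.append(f"{user}: login from new country {e['country']} at {e['ts']}")
            if failures[user] >= FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{user}: successful login after {failures[user]} failures")
            seen_countries[user].add(e["country"])
            failures[user] = 0
        elif action == "export" and e.get("records", 0) >= BULK_EXPORT_RECORDS:
            alerts.append(f"{user}: bulk export of {e['records']} records at {e['ts']}")
        elif action == "role_change" and e.get("role") == "admin":
            alerts.append(f"{user}: granted admin to {e['target']} at {e['ts']}")
    return alerts
```

Running `detect(parse_events(SAMPLE_LOG))` produces five alerts for `bob` and none for `alice`; the same rules applied to a live log feed are what turn API access into a monitoring control rather than a record for the next annual review.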

By implementing these steps, you transition to a continuous monitoring program and your vendor security team now learns about vendor security issues as they happen, as opposed to having to wait a year for the next scheduled annual assessment. Checking curb appeal can be done regularly or ad hoc as needed. Logs can be pulled 24/7 and penetration testing can be done multiple times a year. The days of solely relying on the annual audit are over and following these steps will allow your company to build a continuous monitoring program with as little time and cost investment as possible.
