How Data-Driven Third-Party Risk Management Can Mitigate Ransomware Risks

This use case illustrates the value of combined internal controls assessment data and external third-party risk intelligence.
By:
Brad Hibbert
,
Chief Operating Officer & Chief Strategy Officer
April 08, 2024
Share:
Blog Data Driven TPRM 2024 04

In today's rapidly evolving threat landscape, data-driven approaches have become a core requirement for effective third-party risk management strategies. After all, the sheer volume, velocity, and variety of data generated as a result of performing third-party risk assessments, gathering evidence in the form of documentation, and monitoring real-world events can be immensely challenging to manage. A data-driven approach enables scale and supports today’s complex threat environment.

From a TPRM perspective, data-driven methodologies enable organizations to not only expand beyond point-in-time assessments to detect and mitigate threats in real-time but also to arm TPRM professionals with the necessary insights to anticipate and proactively respond to emerging risks.

To illustrate the value of a data-driven approach to third-party risk management, this post examines a fictitious company, FakeCo, that is concerned about the possibility of a third-party ransomware attack. We start by identifying the risk management tools in place at FakeCo, then describe how FakeCo can utilize the combined insights from the tools for better predictive capability around ransomware.

Third-Party Risk Management Tools and Data

FakeCo has implemented several capabilities to assess third-party controls hygiene around ransomware.

Continuous Monitoring

The company has enabled cyber monitoring/scoring to continuously monitor Internet-facing digital assets and the dark web for relevant activities regarding third parties.

  • External vulnerability scanning identifies critical exposures, but also provides insights into the level of security that the company may be applying to their internal infrastructure.
  • Dark web scanning looks for things such as employee passwords available for sale on dark web sites and hacker chatter regarding a third party. Many of these insights are signals or indicators of a compromise.
  • Traffic analysis is used to determine if an IP is hosting command and control activities or if assets are communicating with known command and control servers.

Internal Controls Assessments

An external scan can show whether Internet-facing assets are properly configured and patched, but it often overlooks the most common attack vector for ransomware: insufficient internal training and lack of enforcement of security policies. To gain a more complete picture FakeCo gathers more information regarding people and processes, asking third parties questions such as:

  • Do you have antimalware in your email systems?
  • Are you training users about ransomware, so they don’t click that install button? If so, how often? Can you provide an example?
  • Have employees been trained about phishing and associated spoofing attack vectors?
  • Do your users have administrative rights on the workstations enabling easier ransomware payload delivery?
  • Do you have network segmentation or implement privileged access management tools to eliminate or restrict lateral movement once an attacker has gained a foothold in the organization?

FakeCo understands that to get a full picture of the ransomware exposure the company must also perform annual security assessments where specific controls used to minimize or mitigate ransomware attacks can be tested.

Data-Driven Third-Party Risk Management in Practice

With all assessments (and supporting evidence) and continuous monitoring events normalized into a single third-party risk profile, FakeCo now can analyze the data together. However, automating the analysis is critical. To do so, FakeCo should implement a rule to constantly monitor active risks generated and contextualized from assessments, and/or monitoring activity.

For example, the table below outlines an aggregated ruleset for a ransomware concern. This rule enables an organization to constantly monitor active risks that are automatically generated and contextualized as the result of assessments and/or monitoring activity.

Assessment Controls Corresponding Monitoring Telemetry
  • Insufficient employee cybersecurity training and awareness
  • Lack of multi-factor authentication (MFA) for accessing sensitive systems and data
  • Inadequate patch management practices, leaving systems vulnerable to known exploits
  • Poorly configured or outdated security software and firewalls
  • Absence of robust data backup and recovery procedures
  • Failure to regularly update and maintain antivirus and anti-malware solutions
  • Reliance on legacy systems or unsupported software versions
  • Ineffective access controls, allowing unauthorized users to gain entry to critical systems
  • Weak password policies and password reuse across multiple accounts
  • Lack of network segmentation to isolate critical assets from potential threats
  • Inadequate incident response planning and preparedness measures
  • Failure to conduct regular security assessments and audits to identify vulnerabilities
  • Insufficient monitoring and logging of system and network activity for detecting potential ransomware attacks
  • Validated cyber breach
  • Increase in public domain record exposure
  • Dark web/hacker chatter
  • Exposed credentials
  • Typosquatting

The rule is used to identify related and/or concentration-oriented risks that should be examined to minimize, predict, or mitigate successful ransomware activity. This level of aggregated analysis can help summarize large amounts of data into smaller, more manageable sets. Instead of examining each risk and event separately, an organization can look at the holistic set of ransomware-related risks and activity and set thresholds on risk tolerance.

By harnessing the power of data analytics, machine learning, and artificial intelligence, FakeCo’s rule can identify patterns, anomalies, and potential vulnerabilities more efficiently than traditional, rule-based systems. In this scenario, the rules engine discovers, contextualizes, and monitors these risks continuously. It then initiates immediate response activities if it triggers the risk threshold for ransomware readiness. These activities include sending appropriate notifications, initiating response workflows, or adjusting associated risk scores. It also automatically associates an indicator that highlights each vendor’s status and susceptibility.

Good third-party risk management solutions will offer a library of common response workflows that can be initiated based on an organization’s specific needs. See the example below.

Benefits of a Unified Data-Driven Approach to Third-Party Risk Management

By centrally monitoring, correlating, and analyzing telemetry data from multiple sources, organizations can detect security threats, anomalous activities, or compliance violations more effectively, thereby enhancing their overall security posture. Here are some benefits to expect, and what capabilities to look for, in a data-driven approach to TPRM.

Improved Decision-Making Using a Single Platform

By aggregating and curating all TPRM data sources, decision-makers can access real-time or near real-time data from across their operations. This enables them to make timely and informed decisions based on a holistic understanding of the situation. Look for solutions that deliver a single console to view all data points, events, and activities related to specific risk areas pertinent to the business user of the system. These events can be correlated, and corresponding rules and workflows are initiated enabling signals to be amplified when events are raised contemporaneously.

Predictive Analytics with AI

A data-driven architecture provides the foundation for AI enablement in third-party risk management by ensuring the availability of high-quality, diverse, and voluminous data necessary for training effective AI models. By leveraging comprehensive datasets, AI algorithms can more accurately assess risk, identify patterns, and make informed decisions, leading to more effective risk mitigation strategies and improved decision-making processes.

Data-Driven TPRM vs AI-Driven TPRM, Leveraging AI and Data for TPRM


Look for solutions that offer aggregated telemetry across assessments, millions of events, and thousands of documents. This data can be used to train predictive models in AI systems. By analyzing historical data from multiple sources, AI algorithms can identify patterns and make predictions about future events or trends. This capability is invaluable for proactive decision-making and risk management and can help transform TPRM programs into AI-driven TPRM.

Security and Risk Management Effectiveness

Aggregated TPRM telemetry data plays a crucial role in cybersecurity and risk management. By monitoring and analyzing data from multiple sources, organizations can detect security threats, anomalous activities, or compliance violations more effectively, thereby enhancing their overall security posture. For example, the system can look for gaps in control domains from assessment data and predict downstream events and impacts.

Scalability and Flexibility

Aggregated telemetry analysis provides scalability and flexibility in handling large volumes of data from TPRM’s diverse sources. By adopting a unified approach to data aggregation and analysis organizations can scale their analytics infrastructure to accommodate growing data volumes and diverse data types. This scalability ensures that organizations can derive insights from a wide range of telemetry sources, adapt to changing business requirements, and support innovation in AI and analytics initiatives.

Take the Unified Approach to Third-Party Risk Management

Using a data-driven approach facilitates continuous monitoring and adaptive defenses, empowering your organization to stay ahead of sophisticated adversaries who constantly innovate their tactics. In essence, leveraging data-driven insights is crucial for bolstering resilience, enhancing threat intelligence, and safeguarding digital assets in today's dynamic cybersecurity landscape. From a ransomware perspective, this includes addressing risks and vulnerabilities at multiple levels that require both assessments and monitoring activities.

For more information on how Prevalent leverages the power of AI and analytics for aggregated third-party risk telemetry analysis request a demonstration today.

Tags:
Share:
2014 04 10 Headshot Brad Suit
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer

Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company’s acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.

Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems and MBA from the University of Ottawa.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo