How to Use Threat Intelligence to Reduce Third-Party Risk

Expand the scope of your TPRM program with these top sources of third-party risk intelligence.
By:
Brad Hibbert
,
Chief Operating Officer & Chief Strategy Officer
June 22, 2023
Share:
Blog threat intelligence 0623

An effective third-party risk management program includes more than just conducting regular internal control-based assessments of vendors and suppliers – it also must incorporate continuous risk insights to fill gaps between those assessments and validate the presence and effectiveness of controls. Yet, for many organizations, third-party risk management (TPRM) is an either-or proposition.

In this post we examine:

  • The top types of threat intelligence – and best sources of data – to include in your TPRM program
  • How using threat intelligence helps to mitigate third-party risk
  • Best practices for optimizing third-party risk intelligence

Top Types and Sources of Third-Party Risk Intelligence

As you consider integrating threat intelligence into your regular vendor security controls assessments, incorporate the following types.

Vendor cyber threat intelligence

Often the most common type of external vendor insights, cyber threat intelligence provides a view into a third party’s security performance, vulnerabilities, and breach history. These insights can help you understand whether the third party has adequate security controls in place.

Common sources for this data includes criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; vulnerability databases; and data breach history databases.

Vendor operational updates

Business news, merger and acquisition (M&A) activity, management and leadership changes, competitive news, and new offerings can tell you if the third party is a well-run organization that has a viable long-term strategy.

You can gather information on these topics from public and private sources of operational information; news feeds; business news databases; and corporate websites.

Vendor financial insights

Information on a vendor’s financial performance, turnover, profit and loss, shareholder funds, credit ratings, payment history, bankruptcies, and investments demonstrate that the third party is a going concern and is financially healthy and can meet its commitments. Poor financial results could signal budget cuts which can impact security operations.

Credit ratings agencies; financial reporting websites; and news outlets are common sources of this information – and much of it is free.

Vendor reputational insights

The old saying goes: You’re only as good as the company you keep. Reputational insights such as adverse media and negative news coverage; regulatory and legal sanctions; state-owned and government-linked enterprise dealings; and working with politically exposed persons can help your company get ahead of potentially damaging relationships.

Sources of reputational information is varied. You can gather it from news coverage; sanctions lists (for example U.S. Department of the Treasury Office of Foreign Assets Control (OFAC), the UK Sanctions List, the EU Consolidated List of Sanctions) and court filings; PEP databases (such as the FFIEC and LexisNexis), and many other outlets.

The downside to continuously monitoring for third-party risks is that there are no one-stop-shops for threat intelligence, so many companies are forced into a somewhat disjointed approach to gathering and analyzing this data.

Executive Brief: How to Get More from Third-Party Risk Scores

Discover how to build a more comprehensive, actionable and cost-effective vendor risk monitoring program.

Read Now
White paper more than score 0623

Four Ways That Threat Intelligence Helps to Mitigate Third-Party Risk

There are four primary ways that external threat intelligence can help to mitigate third-party risk.

1. Validate the effectiveness of vendor-reported internal controls

If a third-party vendor reported in their security assessment or provided evidence in a security certification (such as ISO or SOC 2) that they require a strong password, but external threat intelligence shows that vendor user IDs, passwords or admin credentials are for sale on the Dark Web, then you can reasonably surmise that the vendor’s password policies are not strong enough (or even, perhaps, that their phishing or security awareness programs need to be improved).

2. Obtain an early view into a potential vendor’s risk profile

Threat intelligence can be used to get picture of the risks that a potential vendor introduces to your environment. For example, during the sourcing and selection phase of a third-party vendor or supplier relationship, getting intelligence on prior data breaches, security incidents, compliance problems, sanctions, etc. can inform supplier selection decisions. A vendor with a low security score might not match your organization’s risk tolerance.

3. Fill gaps between regular assessment cadences

If your organization performs an annual security assessment on its third parties, external threat intelligence can fill the gaps between those annual assessments, so you are not missing out on potentially critical threats as they emerge.

4. Perform a baseline check for non-critical vendors

In most organizations, there are a subset of vendors considered critical, and your organization should complete regular comprehensive security assessments of those vendors. However, for vendors considered non-critical or lower tier, sometimes only the basics have to be performed. A profiling and tiering exercise will help you determine how to treat vendors based on whether they are critical to your company’s operations or handle sensitive customer data, for example.

Best Practices for Optimizing Third-Party Risk Intelligence

Centralize for normalization

A common approach is to look at all intel in silos, but doing so negates the benefits of gathering all that information. Instead, centralize all of these sources of threat intel in a single risk register to normalize and transform the data into meaningful results. This approach enables risk quantification and contextualization – such as mappings to various security frameworks and compliance controls – to be added to help prioritize risks and resulting remediation activities. This unified approach also enables correlation with assessment results. This will greatly streamline risk review, analysis, reporting and response initiatives.

Remediation is essential

As we learned in the 2023 Third-Party Risk Management Study, there is a significant gap between the number of companies tracking risks and remediating them. So the value of using risk intelligence in your TPRM program comes down to risk appetite and remediation. If a vendor’s threat to your organization results in a high risk score, then you have to recommend (or require) specific remediations to be implemented in order to continue doing business with them. Or, require specific compensating controls to be put in place. Regardless of the approach, a two-way dialogue is essential to risk reduction.

Next Steps for Third-Party Risk Intelligence in Your TPRM Program

Third-party risk intelligence will become increasingly important in order to keep up with changing regulatory requirements and an evolving threat landscape. For more on how advanced analytics and machine learning can be applied to identify unforeseen risks currently lurking in your supply chains, request a demo today.

Tags:
Share:
2014 04 10 Headshot Brad Suit
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer

Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company’s acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.

Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems and MBA from the University of Ottawa.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo