Risk Management of Third-Party Vendors: The Devil is in the Details
Originally published in Cyber Defense Magazine on December 10, 2018:
Third-party vendors are critical to business operations. However, without proper risk assessment policies in place, they can also represent some of the largest threats to an organization’s security posture: many well-known data breaches (e.g., Target in 2013) originated through third-party vendor access. Security teams must therefore manage vendor actions efficiently and have solutions in place that provide visibility into remote connections. Visibility not only helps maintain a strong security posture but also supports compliance with security frameworks.
The importance of visibility can be seen in the results of Operation Eligible Receiver 97. In 1997 the NSA conducted an exercise to test how Department of Defense information systems would respond to a breach, and its red team successfully reached a number of its targets. One of the few known successful defensive responses came from a marine who used visibility into the network to spot suspicious traffic from remote connections. Following a two-year review of the results, recommendations were made for configuration management, patching vulnerabilities, and privileged user management. Though those recommendations were never codified into a formal standard, their substance can be seen in today’s cybersecurity frameworks and regulations.
Examples from Frameworks
All major security frameworks contain specific controls for guarding against risk from third-party vendor connections, and in effect they codify the lessons of Operation Eligible Receiver. As an example, consider the following HIPAA Security Rule implementation specifications, where (R) marks a required specification and (A) an addressable one that a covered entity must either implement or document an equivalent alternative for:
- Access Control (R): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
- Unique User Identification (R): Assign a unique name and/or number for identifying and tracking user identity.
- Automatic Logoff (A): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Audit Controls (R): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronically protected health information.
- Mechanism to Authenticate Electronic Protected Health Information (A): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
- Log-in Monitoring (A): Procedures for monitoring log-in attempts and reporting discrepancies.
- Person or Entity Authentication (R): Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- Transmission Security (R): Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Additionally, consider financial standards:
FFIEC (II. C. 15(d) Use of Remote Devices)
- Disallow remote access unless a compelling business justification exists.
- Require management approval of employee remote access.
- Regularly review remote access approvals and rescind those that no longer have a compelling business justification.
- Restrict remote access to authorized network areas and applications by using VLANs, permissions, and other techniques.
- Log remote access communications (including date, time, user, user location, duration, and activity), analyze logs in a timely manner, and follow up on anomalies.
- Implement robust authentication methods for remote access.
- Use application white-listing.
And also PCI DSS:
PCI DSS (7-9 of 12 Primary Requirements of PCI Data Security Standards)
- Implement Strong Access Control Measures
7.) Restrict access to cardholder data by business need-to-know
8.) Assign a unique ID to each person with computer access
9.) Restrict physical access to cardholder data
Ensuring compliance with these frameworks is a good starting point for strengthening security posture. However, many organizations struggle to find the right information and to document it.
Current practices for collecting this data include month-long audits and hours spent searching through data silos. Many organizations rely on SIEM solutions to collect security metrics but still struggle to find what they are looking for in a timely manner.
For example, consider Log-in Monitoring (A) from HIPAA. To collect login information with a SIEM, security teams first need to determine the correct login event IDs for each platform (on Windows, for instance, 4624 for a successful logon, 4625 for a failed one, and 4634 for a logoff) before writing a query that scans the environment for those IDs. Once the query has run, time must be spent sifting through the results to extract the relevant metrics. The end result is a list of times when login events occurred, with only partial answers to the who, what, when, where, and why questions.
Collecting this information for VPN sessions is a different challenge. The firewall or VPN concentrator must be configured to forward its syslog, which records when sessions were established and when they ended. However, the details needed for audits, such as which machines were accessed once inside, who logged in to them, and what changes were made, remain hidden without a solution that correlates the VPN session with the activity behind it.
An additional problem is reliability. Log collection pipelines can silently stop ingesting data (a forwarding agent dies, a log source is rotated, a disk fills), leaving organizations with gaps in their historical records that are often discovered only at audit time; alerting on a source that has gone quiet is a basic check. To act promptly and document compliance properly, organizations need security metrics that are usable, accessible, and comprehensive, together with a historical record of remediation efforts that is more than a checklist on paper. With a cyber diagnostics platform, this documentation is readily available.
Moving Beyond Compliance with Cyber Diagnostics
Instead of spending endless hours searching through data to manually track vendor actions or needing to hire additional staff, security teams can leverage cyber diagnostics platforms such as AristotleInsight® to hunt for the information found to be critical during Operation Eligible Receiver 97. AristotleInsight goes beyond traditional solutions by utilizing revolutionary UDAPE® technology for data linking between machines along with a unique Bayesian Inference Engine to reduce false positives and bring actionable items to the attention of security professionals.
Consider the previous example, HIPAA Log-in Monitoring (A). Using AristotleInsight, organizations are able to create a dedicated group for third-party vendors and see which vendors have logged in, which have not, and what actions vendors took while connected. Login attempts and discrepancies are documented and can be collected with the following steps.
1.) Overview with Automated Notifications
Visiting the Access Control tab of the L3 Directional Matrix will display trending data on Failed Logins, Lockouts, Password Resets, RDP Logons, and VPN Logons and gives a history of events.
2.) Tracking Vendor Behavior
Pivoting to the L2 Department Report will show which vendors logged in and how long their sessions were active.
3.) Hunting for Valuable Metrics
Lastly, organizations can dive deeper into login information through the L1 Authentication Events Report. This report shows specific events such as logins, logoffs, and failed logins to highlight the details needed during audits.
A separate access control example comes from FFIEC, which requires logging remote access communications (including date, time, user, user location, duration, and activity), analyzing the logs in a timely manner, and following up on anomalies.
1.) Tracking Vendor Behavior
Again, organizations can view an overview of all remote access by setting up a group in the L2 Department Report for all third-party vendors. (See #2 in the previous example.)
2.) Hunting for Valuable Metrics
Further details can be found in the L1 RDP Session Activity Report. This report can be run for specific users or computers and shows details such as session time, start time, end time, and activity history over a specified time frame. Between the Department Report and the RDP Session Activity Report, organizations can gather the usable data needed to spot anomalies and log session time, duration, and activity in a timely manner.
Security teams can even specify periods of time where Remote Desktop Connections from vendors are expected and receive immediate alerts when unsanctioned connections are generated. These alerts serve as a red flag to organizations when a thorough investigation into more detailed metrics such as activity length and idle time may be required. Such information enables organizations to audit how vendors (or any remote users) spend their time accessing machines and ensure the correct security practices are in place.
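The following is an added example, not code from the article or from AristotleInsight, showing what the SIEM login-monitoring workflow described earlier and the FFIEC remote-access log (user, source, host, start, end, duration) look like when built by hand from Windows Security events, including the out-of-hours RDP check described above. The event IDs 4624/4625/4634 and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values; the vendor group, hosts, addresses, timestamps and maintenance window are constructed for the example.

```python
"""Vendor remote-access audit from Windows Security events (added example)."""
from collections import defaultdict, namedtuple
from datetime import datetime, time, timedelta

Event = namedtuple("Event", "ts event_id account logon_type logon_id host src_ip")


def ev(ts, event_id, account, logon_type, logon_id, host, src_ip):
    return Event(datetime.fromisoformat(ts), event_id, account, logon_type, logon_id, host, src_ip)


# Constructed sample records, as a SIEM query on event IDs 4624/4625/4634
# would return them. 4624 = logon, 4625 = failed logon, 4634 = logoff;
# logon type 10 = RemoteInteractive (RDP), type 2 = interactive console.
SAMPLE_EVENTS = [
    ev("2018-11-05T09:02:10", 4624, "svc_hvac", 10, "0x3e7a1", "HVAC-CTRL01", "203.0.113.10"),
    ev("2018-11-05T09:47:55", 4634, "svc_hvac", 10, "0x3e7a1", "HVAC-CTRL01", "203.0.113.10"),
    ev("2018-11-05T13:15:00", 4624, "alice", 2, "0x41000", "WS-ACCT07", "-"),  # employee, not vendor
    ev("2018-11-05T23:31:02", 4625, "svc_backup", 10, "0x0", "FILE-SRV02", "198.51.100.7"),
    ev("2018-11-05T23:31:40", 4625, "svc_backup", 10, "0x0", "FILE-SRV02", "198.51.100.7"),
    ev("2018-11-05T23:32:15", 4625, "svc_backup", 10, "0x0", "FILE-SRV02", "198.51.100.7"),
    ev("2018-11-05T23:33:01", 4624, "svc_backup", 10, "0x5b2c9", "FILE-SRV02", "198.51.100.7"),
    ev("2018-11-06T01:10:30", 4634, "svc_backup", 10, "0x5b2c9", "FILE-SRV02", "198.51.100.7"),
    ev("2018-11-06T10:00:00", 4624, "svc_hvac", 10, "0x6c001", "HVAC-CTRL01", "203.0.113.10"),
    # no 4634 for logon 0x6c001: still open, or the logoff was never collected
]
VENDOR_ACCOUNTS = {"svc_hvac", "svc_backup"}  # the vendor group (constructed)
MAINT_WINDOW = (time(8, 0), time(18, 0))      # hours in which vendor RDP is sanctioned (constructed)


def vendor_events(events, vendor_accounts=VENDOR_ACCOUNTS):
    """Keep only events for accounts in the vendor group."""
    return [e for e in events if e.account in vendor_accounts]


def login_summary(events):
    """HIPAA log-in monitoring: successful vs failed logons per account."""
    summary = defaultdict(lambda: {"success": 0, "failed": 0})
    for e in events:
        if e.event_id == 4624:
            summary[e.account]["success"] += 1
        elif e.event_id == 4625:
            summary[e.account]["failed"] += 1
    return dict(summary)


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Discrepancy report: >= threshold failed logons on one host within `window`.
    Returns (account, host, first_failure_ts, count), first burst per account/host."""
    failures = defaultdict(list)
    for e in events:
        if e.event_id == 4625:
            failures[(e.account, e.host)].append(e.ts)
    bursts = []
    for (account, host), times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            run = [t for t in times[i:] if t - start <= window]
            if len(run) >= threshold:
                bursts.append((account, host, start, len(run)))
                break
    return bursts


def rdp_sessions(events):
    """Pair RDP logons (4624, type 10) with logoffs (4634) on the Logon ID to get
    the FFIEC fields: user, source, host, start, end, duration. A logon with no
    matching logoff is kept with end=None so the gap is visible, not dropped."""
    open_sessions, sessions = {}, []
    for e in sorted(events, key=lambda x: x.ts):
        if e.event_id == 4624 and e.logon_type == 10:
            open_sessions[e.logon_id] = e
        elif e.event_id == 4634 and e.logon_id in open_sessions:
            s = open_sessions.pop(e.logon_id)
            sessions.append({"account": s.account, "host": s.host, "src_ip": s.src_ip,
                             "start": s.ts, "end": e.ts,
                             "minutes": (e.ts - s.ts).total_seconds() / 60})
    for s in open_sessions.values():
        sessions.append({"account": s.account, "host": s.host, "src_ip": s.src_ip,
                         "start": s.ts, "end": None, "minutes": None})
    return sessions


def outside_window(sessions, window=MAINT_WINDOW):
    """Sessions that started outside the agreed vendor access hours (alert candidates)."""
    lo, hi = window
    return [s for s in sessions if not (lo <= s["start"].time() < hi)]


if __name__ == "__main__":
    ve = vendor_events(SAMPLE_EVENTS)
    print("logins:", login_summary(ve))
    print("failed-login bursts:", failed_login_bursts(ve))
    for s in rdp_sessions(ve):
        print("session:", s)
    print("unsanctioned:", [(s["account"], s["start"]) for s in outside_window(rdp_sessions(ve))])
```

Pairing on the Logon ID rather than on account name matters when a vendor holds several concurrent sessions; keeping the unmatched logon in the output (rather than dropping it) is what surfaces the collection gap discussed above. Against the constructed events this reports three failed logons on FILE-SRV02 followed by a successful one at 23:33, a session that started outside the 08:00 to 18:00 window, and one RDP logon with no recorded logoff.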
AristotleInsight is an invaluable resource for organizations looking to bridge the gap between security, IT, and management teams. When monitoring third-party vendors, security teams can see the details of any unsanctioned activity, identify potential risks such as newly generated events, and respond in a timely manner. IT teams can view which machines were accessed, when they were accessed, and whether anything changed. For management teams, AristotleInsight provides understandable metrics to help verify actions when auditing vendors.
AristotleInsight is a big data security analytics solution implementing the UDAPE model. The solution collects, links, and organizes security data in order to establish baselines, conduct user behavior analysis, recognize anomalies, and detect advanced persistent threats.