June 17, 2020//Tony HowlettLast Updated: November 24, 2020
I have written often about the three main principles of sound Third-Party Risk Management (TPRM); they are identify, control and audit. By using these three basic control areas, risk from third parties to organizations can be greatly reduced. Each area has more details to its proper implementation and I will do a deep dive on the third principle, audit, in this article.
Proper audit processes are important to any information security program. User accounts and rights should regularly be audited against employment records. Logs of router, firewall, and Intrusion Detection Systems (IDS) should be reviewed on a regular basis. Not so surprisingly, all of these reviews should be documented. Access to your networks and systems by third parties should be audited as well, even closer than internal employee activities since this type of access represents an outsized risk to your security. The security of vendors and other third parties may not be as high as your companies and unfortunately, if they are connected to your systems, their vulnerabilities become yours. Also, you don’t have as much information about their employees as you have on your own. Data breaches caused by a third party are on the rise and many regulations now require covered entities to document and secure third-party access. For all these reasons, you should keep granular audit records on all third-party access and have a regular process to review them. Only by doing this can you catch a vendor who is breached or who has a malicious current or former.
The following are best practices for auditing your third party access.
For any audit logs to be useful, they need to be as rich and contextual as storage and performance allow. This is especially true of third-party remote access since it’s coming from an external source that is often not easily identifiable. Strange IP addresses could be a remote contractor or a hacker bent on destruction, but it’s hard to tell that from typical firewall or router logs that contain little else. Good third party access logs will contain information such as job or case numbers, authorizer of the access, and other details to help you quickly identify the access event as benign or malicious. Certain Vendor Privileged Access Management (VPAM) systems actually keep detailed keystroke logs or video capture of vendor sessions. This is the ultimate in audit logs, allowing you to see the actual actions of the user on your system. This type of audit information is also highly useful after an incident has happened to do forensics and other investigative activities.
In order for your log audits to be effective and efficient, strive to create a Single Source of Truth (SSOT) for all vendor activity. Whether you use a Syslog server just for this information or one of the VPAM systems mentioned previously, this will allow your reviewers to see the whole story in one place.
Otherwise, you are left to piece together scraps of information from different systems, often with different timestamps or in incompatible formats. Having an SSOT for vendor audit information will allow you to view the whole story of each session in one place and even connect multiple sessions. This is key to being able to “see the forest for the trees” in audit data.
According to M-Trend’s Report, 53% of breaches are reported from a source outside the company. This either means that the audit reviewers are asleep at the wheel, or don’t have the right tools to detect such breaches before they make it outside the company. It is no good having all the technology and logs in the world if you don’t review them on a regular basis. Set up a review schedule and make sure that it is done by auditing your audit from time to time (external auditors will also do this). Implementing real-time notifications and alerts are also a good practice to adhere to. Only by making effective use of your audit logs can you possibly keep an incident from turning into a breach.
Doing audits of third-party access is important, but doing them right makes all the difference. If you have only cursory reviews or only go to your logs when there is an issue, you stand little chance of stopping a breach in progress or before it starts. Get your third party review processes, procedures, and technology up to par, because if you are only using audits sporadically or after an issue crops up, it is probably too late. To learn more about the importance of auditing correctly, check out our blog that highlights how you can survive your next cybersecurity audit.