1 00:00:00,06 --> 00:00:03,00 - [Presenter] Most organizations rely on supply chains
2 00:00:03,00 --> 00:00:05,01 and grant access to third parties
3 00:00:05,01 --> 00:00:08,01 in order to provide their goods or services.
4 00:00:08,01 --> 00:00:10,09 But this supply chain reliance and third-party access
5 00:00:10,09 --> 00:00:13,02 can create a large attack surface
6 00:00:13,02 --> 00:00:15,00 that needs to be protected.
7 00:00:15,00 --> 00:00:16,06 Let's look at steps you can take
8 00:00:16,06 --> 00:00:18,03 to protect your organization
9 00:00:18,03 --> 00:00:21,06 against these supply chain and third-party risks.
10 00:00:21,06 --> 00:00:24,03 The best way to address third-party risks
11 00:00:24,03 --> 00:00:25,06 is to build a formal
12 00:00:25,06 --> 00:00:29,04 third-party risk management program, or TPRM.
13 00:00:29,04 --> 00:00:30,08 I'll give you a quick overview
14 00:00:30,08 --> 00:00:33,06 of what a TPRM might look like.
15 00:00:33,06 --> 00:00:35,04 First, you'll create an inventory
16 00:00:35,04 --> 00:00:37,09 of all your organization's third-party suppliers
17 00:00:37,09 --> 00:00:39,01 and vendors.
18 00:00:39,01 --> 00:00:41,05 You'll need to work with subject matter experts
19 00:00:41,05 --> 00:00:44,01 from across your organization to get this done.
20 00:00:44,01 --> 00:00:46,05 Second, determine which of these suppliers
21 00:00:46,05 --> 00:00:48,09 and vendors are critical to your business.
22 00:00:48,09 --> 00:00:51,00 Next, identify all third parties
23 00:00:51,00 --> 00:00:53,08 who have access to your data or systems.
24 00:00:53,08 --> 00:00:56,09 Then, based on their business criticality and access,
25 00:00:56,09 --> 00:01:00,05 assign risk ratings to each of these third parties.
26 00:01:00,05 --> 00:01:02,05 And finally, use these risk ratings
27 00:01:02,05 --> 00:01:04,09 to prioritize identifying alternatives
28 00:01:04,09 --> 00:01:06,06 to your critical suppliers
29 00:01:06,06 --> 00:01:10,05 and implementing third-party security controls.
30 00:01:10,05 --> 00:01:12,09 Here are some security controls that can help protect
31 00:01:12,09 --> 00:01:16,05 against risks associated with third-party access.
32 00:01:16,05 --> 00:01:18,03 Follow the least privilege principle
33 00:01:18,03 --> 00:01:21,02 to only grant third parties the access they need
34 00:01:21,02 --> 00:01:22,08 to do their job.
35 00:01:22,08 --> 00:01:25,08 Require third parties to use multifactor authentication,
36 00:01:25,08 --> 00:01:29,01 or MFA, when accessing your systems.
37 00:01:29,01 --> 00:01:31,05 Monitor the activity of third parties
38 00:01:31,05 --> 00:01:33,00 when they access your systems
39 00:01:33,00 --> 00:01:36,08 with a secure information event management system, or SIEM,
40 00:01:36,08 --> 00:01:39,01 or other monitoring solution.
41 00:01:39,01 --> 00:01:42,02 Ensure any third-party access is revoked immediately
42 00:01:42,02 --> 00:01:44,03 when no longer needed.
43 00:01:44,03 --> 00:01:46,04 And take steps to verify that third parties
44 00:01:46,04 --> 00:01:48,07 have strong security controls in place,
45 00:01:48,07 --> 00:01:52,02 like reviewing their security certification documentation
46 00:01:52,02 --> 00:01:56,03 or requiring them to complete security questionnaires.
47 00:01:56,03 --> 00:01:58,05 Also, work with your legal team
48 00:01:58,05 --> 00:02:00,03 to require strong security controls
49 00:02:00,03 --> 00:02:02,01 in your contracts with third parties
50 00:02:02,01 --> 00:02:04,02 who have access to your data.
51 00:02:04,02 --> 00:02:08,02 As you can see, building a TPRM can take a lot of effort,
52 00:02:08,02 --> 00:02:10,06 and many organizations choose to outsource some
53 00:02:10,06 --> 00:02:12,02 or all of this work.
54 00:02:12,02 --> 00:02:13,08 But no matter how you tackle it,
55 00:02:13,08 --> 00:02:16,05 a good TPRM is the best way to manage
56 00:02:16,05 --> 00:02:20,06 and reduce many supply chain and third-party risks.
57 00:02:20,06 --> 00:02:23,01 When it comes to your software supply chain,
58 00:02:23,01 --> 00:02:24,05 here are some steps you can take
59 00:02:24,05 --> 00:02:26,04 to reduce the risk of vulnerable
60 00:02:26,04 --> 00:02:28,04 or malicious open-source software
61 00:02:28,04 --> 00:02:31,07 being included in your organization's code.
62 00:02:31,07 --> 00:02:33,00 First, you should conduct
63 00:02:33,00 --> 00:02:35,08 software code inventories or audits.
64 00:02:35,08 --> 00:02:37,00 Work with your developers
65 00:02:37,00 --> 00:02:40,07 to create a software bill of materials, or SBOM.
66 00:02:40,07 --> 00:02:42,03 This is a formal record
67 00:02:42,03 --> 00:02:44,07 that contains the supply chain relationships
68 00:02:44,07 --> 00:02:46,01 of the components used
69 00:02:46,01 --> 00:02:48,05 to build your organization's software.
70 00:02:48,05 --> 00:02:51,06 SBOMs are like the list of ingredients on a food package,
71 00:02:51,06 --> 00:02:54,09 and they can identify where open-source software is used
72 00:02:54,09 --> 00:02:57,00 in your organization's code.
73 00:02:57,00 --> 00:02:59,01 You can find more information about SBOMs,
74 00:02:59,01 --> 00:03:00,09 including how to generate them,
75 00:03:00,09 --> 00:03:02,06 on the National Telecommunications
76 00:03:02,06 --> 00:03:04,09 and Information Administration website
77 00:03:04,09 --> 00:03:09,01 at ntia.gov/sbom.
78 00:03:09,01 --> 00:03:11,06 There are also application security companies
79 00:03:11,06 --> 00:03:13,04 that can analyze your developers' code
80 00:03:13,04 --> 00:03:15,06 to generate SBOMs for you.
81 00:03:15,06 --> 00:03:18,08 Next, review the results of the SBOMs with your developers,
82 00:03:18,08 --> 00:03:21,01 focusing on the open-source software.
83 00:03:21,01 --> 00:03:24,01 Confirm with them that all open-source software components
84 00:03:24,01 --> 00:03:27,06 are still needed and have been updated as much as possible.
85 00:03:27,06 --> 00:03:28,08 And finally, consider
86 00:03:28,08 --> 00:03:31,01 implementing a secure development standard
87 00:03:31,01 --> 00:03:33,04 that restricts the use of open-source software
88 00:03:33,04 --> 00:03:35,07 that hasn't been updated in years.
89 00:03:35,07 --> 00:03:37,07 Supply chain and third-party risks
90 00:03:37,07 --> 00:03:39,05 can be challenging to manage.
91 00:03:39,05 --> 00:03:40,09 Take what you've learned in this video
92 00:03:40,09 --> 00:03:42,08 to start implementing the controls
93 00:03:42,08 --> 00:03:45,00 that will help reduce these risks.
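The SBOM review the presenter describes (cues 81 to 88: pull the open-source components out of the SBOM, then apply a standard that restricts components that have not been updated in years) can be turned into a small automated check. The script below is an added example, not code from the video, from NTIA, or from any vendor. It assumes a CycloneDX-style JSON layout for the SBOM (the video names no format), and the component names, release dates, audit date and the three-year threshold are all constructed values standing in for the registry metadata and policy you would supply in a real pipeline.

```python
"""Audit an SBOM's open-source components against a simple secure-development
standard: flag components whose latest known release is older than a policy
threshold, and components for which no release date is known at all.

Added example. The SBOM layout follows CycloneDX-style JSON (an assumption; the
video does not name a format). RELEASE_DATES stands in for package-registry
metadata that a real pipeline would fetch.
"""
import json
from datetime import date

# Constructed sample SBOM (not a real project's bill of materials).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "oldparser", "version": "0.3.1",
         "purl": "pkg:pypi/oldparser@0.3.1"},
        {"type": "library", "name": "mystery-lib", "version": "1.0.0",
         "purl": "pkg:pypi/mystery-lib@1.0.0"},
        # First-party code: no purl, so it is not an open-source dependency.
        {"type": "application", "name": "internal-service", "version": "4.2.0"},
    ],
})

# Constructed stand-in for registry metadata: latest release date per purl.
# "mystery-lib" is deliberately absent to exercise the unknown-date path.
RELEASE_DATES = {
    "pkg:pypi/requests@2.31.0": date(2023, 5, 22),
    "pkg:pypi/oldparser@0.3.1": date(2017, 3, 14),
}

MAX_AGE_YEARS = 3              # assumed policy threshold ("updated in years")
AUDIT_DATE = date(2024, 6, 1)  # fixed so the audit is reproducible


def parse_sbom(text):
    """Return the open-source components (libraries carrying a purl) from a
    CycloneDX-style SBOM document. Anything else, e.g. first-party
    applications, is outside the scope of the open-source review."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return [c for c in bom.get("components", [])
            if c.get("type") == "library" and "purl" in c]


def audit_components(components, release_dates, today, max_age_years):
    """Return (purl, finding) pairs for components that fail the standard.

    "stale": latest release is older than max_age_years.
    "unknown-release-date": no metadata, which a reviewer must resolve by hand
    rather than silently accept.
    """
    findings = []
    for component in components:
        purl = component["purl"]
        released = release_dates.get(purl)
        if released is None:
            findings.append((purl, "unknown-release-date"))
            continue
        age_days = (today - released).days
        if age_days > max_age_years * 365:
            findings.append((purl, "stale"))
    return findings


def run_audit(max_age_years=MAX_AGE_YEARS):
    """Run the whole check over the constructed SBOM and return the findings."""
    return audit_components(parse_sbom(SAMPLE_SBOM), RELEASE_DATES,
                            AUDIT_DATE, max_age_years)


if __name__ == "__main__":
    for purl, finding in run_audit():
        print("%-32s %s" % (purl, finding))
```

Two design points worth keeping in a real pipeline: a component with no release metadata is reported as its own finding rather than passing silently, and first-party components are filtered out up front so the review stays focused on open-source dependencies, as the presenter suggests.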