Microsoft
Getting Up to Speed with Supply Chain Defense
October 12, 2023 | 3 min read
George Aquila
Product Marketing Manager
Security Ratings Services (SRS) are a traditional tool to manage third-party cyber risk but come with limitations. Many of these tools provide less-than-ideal outcomes for modern organizations that often have difficulty allocating resources to effectively reduce third-party cyber risk. We covered many of these limitations in part 1 of this blog series. Thankfully, as the third-party cyber risk landscape has continued to evolve, so too have more modern solutions to address the risk reduction dilemma. Below, we review how BlueVoyant’s Supply Chain Defense (SCD) solution provides a more holistic and effective approach to the challenges that SRS tools are unable to overcome.
1. Curated Findings and Fewer False Positives
To effectively create an accurate mapping of a third-party IT environment, BlueVoyant SCD leverages a comprehensive methodology for “footprinting” (i.e. the mapping of organizations’ externally facing digital infrastructure) and utilizes proprietary and exclusive-use data sources to illuminate vendor ecosystems and provide effective visibility across an organization's extended attack surface. Analysts from BlueVoyant’s Risk Operations Center (ROC) curate and validate these mappings and all identified risks to ensure what is escalated are only confirmed risks. This eliminates blind spots from overlooked vulnerabilities, and drastically reduces the noise of false positives, allowing for more targeted risk management efforts.
2. Quantifiable Risk Reduction
BlueVoyant SCD offers continuous monitoring and dynamic risk assessments so that any changes in the cyber risk posture of an organization’s supply chain are immediately identified and can be addressed. Critical risks are remediated in prioritized order, and afterwards risk tolerances are lowered, so that third parties are constantly addressing even the most minor risks. This also means that over time there is measurable reduction in the number of open risk findings across both critical and non-critical vendors in your ecosystem, eliminating compounded risks and the likelihood of increased “risky” behaviors.
3. Remediation Guidance and Reduced Customer Workload
To help streamline workflows and safeguard customer relationships with their third parties, BlueVoyant SCD leverages its ROC to act as an intermediary and assist in risk remediation. ROC analysts work collaboratively with third parties to provide remediation action plans, ensuring that vulnerabilities are promptly resolved, and checking in on the status of escalations after the fact. This approach not only enhances the rate of remediation and lessens the resource costs of mitigation, but also strengthens relationships with vendors and partners, which ultimately results in safeguarding the customer’s overall supply chain ecosystem.
4. Rapid Zero-Day Vulnerability Response
BlueVoyant SCD takes a unique approach to mitigating zero-days and emerging vulnerabilities. Within an hour of the disclosure of a new zero-day vulnerability, the ROC is able to identify and inform on all instances where the vulnerability is present throughout a customer’s vendor ecosystem. This means that third parties are contacted by the ROC and informed of the presence of risky vulnerabilities and instructed on how to remediate them in as little as 90 minutes.
Each time a vendor is notified of a new emerging vulnerability, ROC analysts will continue to track the progression and extent of the exposure, following up with vendors to make sure that patches are applied in as little time as possible. The combination of advanced analytics, highly efficient analyst action, and close collaboration with vendors ensures organizations receive timely notifications and actionable steps to address these critical vulnerabilities, minimizing the potential impact of zero-day attacks.
5. Tailored Risk Coverage
The BlueVoyant SCD solution tailors risk thresholds and processes based on organizational requirements and the varying criticality of different vendors. This tuning process is determined in partnership with BlueVoyant experts and enables organizations to prioritize resources on the most relevant vulnerabilities and continuously improve their cybersecurity posture over time. Prioritizing the most critically tiered suppliers and then moving on to less critical suppliers allow organizations to allocate their efforts efficiently and effectively, ensuring maximum impact in reducing cyber risks.
For organizations that previously looked to SRS tools to “check a box” in their third-party risk management program compliance, it’s clear that this is no longer possible. An effective approach to third-party cyber risk management is not complete without capabilities like continuous monitoring, direct remediation guidance, and zero-day vulnerability management. BlueVoyant Supply Chain Defense provides a comprehensive solution to not only identify external cyber risks, but also drive measurable risk reduction in an organization’s extended supply chain ecosystem.
Related Reading
Managed Detection and Response
Better Together: The Benefits of Combining MXDR and TPRM
September 24, 2024 | 3 min read
Digital Risk Protection
From Zelle to Your Wallet: The Mechanics of Third-Party Phishing
September 12, 2024 | 3 min read