Cyber Defense Magazine - Annual RSA Conference 2019 - Print Edition

High-Level Strategies
for Third-Party Risk
Mitigation
By Phil Won, Product Manager, Owl Cyber Defense
High-Level Strategies for Third-Party Risk Mitigation
There are so many technologies and strategies and buzz
words around cybersecurity these days that it can be
difficult to know where to start. It’s hard enough thinking
about the myriad threats that can find their way into
your organization without even broaching the subject
of third-parties and trusted connections. However, there
are a few fundamental, high-level strategies to consider
applying in your third-party risk mitigation plan. They
can be used individually or in tandem to create a strong
cybersecurity framework for your organization.
• Defense in Depth
The primary principle of defense in depth is to build
layers of security into your organization’s digital
architecture, so that if one layer fails, there will be others
to back it up and maintain security. It is essentially a
“fail-safe” strategy that assumes threats will most likely
eventually find a way through one or two layers of
defense (a safe assumption in most cases). There are no
limits to the types of security involved, just those that
best fit your organization. Role-based access controls,
authentication, data encryption/tokenization, firewalls,
data diodes, SIEM, and other technologies can all be
used together to create a sophisticated, hardened
defense.
• Risk-Based Security
Assuming that threats will eventually breach your
network’s defenses (you may be sensing a theme), a riskbased
strategy applies more security resources to your
most sensitive assets while less resources are applied to
the lower risk assets. Risk-based strategies also typically
assume that there is not a way to eliminate risk – there
will be a need for multiple sophisticated connections
to external networks, for a large number of users to
access or collaborate on (sometimes sensitive) data,
legacy or outdated equipment in use, or other complex
issues that complicate traditional security methods.
Over time, larger and higher performing companies
have evolved the idea of a risk-based strategy into
a more comprehensive method of protecting their
organizations known as “zero trust.”
• Zero Trust
A zero-trust strategy assumes that a threat can come
from anywhere inside or outside your organization,
and therefore a continual assessment of every request
or attempt to connect or access networks, devices, or
information is required. This can be highly resource
intensive, and typically requires sophisticated
authentication schemes as well as some sort of SIEM
automation in the form of cloud data collection, systems
monitoring, etc. User and systems data are monitored
continually to develop a baseline of what is considered
“normal” activity, which then allows for alerts if any
abnormal activity occurs. Reducing the number of
your external connections, applying the least privilege
principle, and having dedicated resources to monitor
and calibrate the results are all key to making this
strategy effective, and while it is theoretically a great
strategy for complex, highly-connected organizations,
in practice it is very difficult to fully achieve today.
Phil Won, Product Manager
Phil is a product and technology leader, with years of experience in product
development enabling the merge of business and technology needs of
diverse industries (connected consumer devices, IIOT, automotive, cyber
security and telecom).
He brings strategic and technical proficiency in new product planning,
development, and deployment initiatives. Phil is on the Product
Management team at Owl Cyber Defense. His main product line is OPDS,
focusing on growing existing products and innovating future solutions. Phil
can be reached at pwon@owlcyberdefense.com or our company
website is: www.owlcyberdefense.com – twitter handle:
@owlcyberdefense.com
84 Cyber Defense Magazine - Annual Print Edition 2019