Cyber Defense Magazine - Annual RSA Conference 2019 - Print Edition
High-Level Strategies for Third-Party Risk Mitigation
By Phil Won, Product Manager, Owl Cyber Defense
There are so many technologies, strategies, and buzzwords around cybersecurity these days that it can be difficult to know where to start. It's hard enough thinking about the myriad threats that can find their way into your organization without even broaching the subject of third parties and trusted connections. However, there are a few fundamental, high-level strategies to consider applying in your third-party risk mitigation plan. They can be used individually or in tandem to create a strong cybersecurity framework for your organization.
• Defense in Depth
The primary principle of defense in depth is to build layers of security into your organization's digital architecture, so that if one layer fails, there will be others to back it up and maintain security. It is essentially a "fail-safe" strategy that assumes threats will most likely eventually find a way through one or two layers of defense (a safe assumption in most cases). There are no limits on the types of security involved; use those that best fit your organization. Role-based access controls, authentication, data encryption/tokenization, firewalls, data diodes, SIEM, and other technologies can all be used together to create a sophisticated, hardened defense.
• Risk-Based Security
Assuming that threats will eventually breach your network's defenses (you may be sensing a theme), a risk-based strategy applies more security resources to your most sensitive assets, while fewer resources are applied to the lower-risk assets. Risk-based strategies also typically assume that there is no way to eliminate risk: there will be a need for multiple sophisticated connections to external networks, a need for a large number of users to access or collaborate on (sometimes sensitive) data, legacy or outdated equipment in use, or other complex issues that complicate traditional security methods. Over time, larger and higher-performing companies have evolved the idea of a risk-based strategy into a more comprehensive method of protecting their organizations known as "zero trust."
• Zero Trust
A zero-trust strategy assumes that a threat can come from anywhere inside or outside your organization, and therefore a continual assessment of every request or attempt to connect to or access networks, devices, or information is required. This can be highly resource intensive, and typically requires sophisticated authentication schemes as well as some sort of SIEM automation in the form of cloud data collection, systems monitoring, etc. User and systems data are monitored continually to develop a baseline of what is considered "normal" activity, which then allows for alerts if any abnormal activity occurs. Reducing the number of your external connections, applying the least privilege principle, and having dedicated resources to monitor and calibrate the results are all key to making this strategy effective. While it is theoretically a great strategy for complex, highly connected organizations, in practice it is very difficult to fully achieve today.
Phil Won, Product Manager
Phil is a product and technology leader, with years of experience in product development merging the business and technology needs of diverse industries (connected consumer devices, IIoT, automotive, cyber security and telecom).
He brings strategic and technical proficiency in new product planning, development, and deployment initiatives. Phil is on the Product Management team at Owl Cyber Defense. His main product line is OPDS, focusing on growing existing products and innovating future solutions. Phil can be reached at pwon@owlcyberdefense.com, and our company website is www.owlcyberdefense.com. Twitter handle: @owlcyberdefense.com