Expert Interview: Continuous Monitoring of Third-Party Vendors

Continuous Monitoring of Third-Party Vendors with Bitsight

ProcessUnity discusses best practices for continuous monitoring of third-party vendor risk with BitSight, a leading provider of cybersecurity ratings. You’ll learn how security ratings streamline the continuous monitoring process in a conversation with Amanda Giroux, Director of Strategic Alliances at ProcessUnity, and David Hawkins, Senior Consulting Engineer at BitSight.  

This is a condensed version of the original podcast. To access the full podcast and learn more about continuous vendor monitoring, click here.  

Amanda: To get us started, I wanted to talk about the importance of continuous assessments and ongoing monitoring in Vendor Risk Management. We say “trust but verify,” meaning you want to look at the information your vendor provides and then verify it against external standards. How does BitSight define continuous monitoring?  

David: Continuous monitoring is the ability to keep an eye on the cyber risk presented by a third party between assessment periods. Typically, when you assess a vendor, you gather a lot of information to shape an understanding of their cyber posture. You want to be able to definitively describe the level of risk present from this assessment.  

Often, we see organizations return an acceptable assessment, then later they have a security incident that wasn’t reflected in the assessment. Essentially, continuous monitoring is about paying attention to the gaps in between assessment periods to stay ahead of any incidents. This is done by drawing on historical data, incident trends and security ratings. 

Amanda: Can you tell us a little bit more about the BitSight rating? How are the ratings calculated?  

David: The first important thing to understand about BitSight ratings is that we’ve been around since 2011, so we’ve been collecting a data on a broad chunk of the internet since then. The majority of our content is coming in from a combination of subscriptions and our internal capabilities.  

When we acquired Anubis Networks, we brought in a platform that allows us to capture compromised systems signals coming out of an organization, such as malware. When those items are detected, BitSight picks it up and alerts the contracting organization.  

When an organization is mapped out by BitSight, we’re looking at all their IPs, their domains and anything related to what we can pick up from a DNS perspective. These are all different ways that we can dynamically detect the organization’s perimeter and attack surface from the outside. Since we’ve been collecting this data since 2011, we have about 40 million companies’ worth of data in that lake.  

The rating is essentially a large collection of information plotted out on a bell curve.  

Amanda: We talk to a lot of customers that are onboarding or reviewing multiple vendors, and they’re relying on assessments alone for their vendor risk analysis. Can you talk about why incorporating continuous monitoring is important for a mature third-party risk management program? How does incorporating security ratings from BitSight help?  

David: Continuous monitoring allows you to gain a much deeper understanding of a vendor’s security posture. Say you get your vendor risk assessment in on a Friday, and then you find out Monday that the organization has fallen victim to a major breach. All the information that you’ve just collected in the vendor assessment isn’t wrong, but it may be obsolete based on the status of that vendor.  

Continuous monitoring is the ability to take a deeper look at a third party. You’ll get a point-in-time rating that can give you a rough idea of their cyber posture today. More importantly, you’ll get a detailed report of past performance for individual risk vectors over a 12-month history.  

So, when you’re doing vendor due diligence and you’re looking to validate vendor responses, you can work with a background knowledge of issues to look for. For example, if a vendor claims to have a patching program that updates desktops on a quarterly basis, you can go in and look at the patching program over time and identify any patterns in how effectively their patching performance works. 

Past performance is a powerful tool for vendor assessments. As you collect more data during the vendor relationship, you can build a knowledge base of performance metrics that indicate if you need to go back and do a reassessment.  

When you add security ratings to your third-party risk management program, you’re gaining a high-level perspective of different vulnerabilities. BitSight ratings allow you to look at assets and their interdependencies, allowing you to get a good picture of the cyber posture without being overly technical in vendor risk assessments.  

To listen to the full podcast, click here. 

How ProcessUnity Cyber Intelligence with BitSight Streamlines Third-Party Risk Management

ProcessUnity Vendor Risk Management seamlessly integrates BitSight’s leading security ratings with ProcessUnity’s Vendor Risk Management platform to provide targeted intelligence for continuous monitoring. To learn more about ProcessUnity Cyber Intelligence with BitSight, visit https://www.processunity.com/vendor-cyber-intelligence-bitsight/