Third Party Risk Management for Enterprise Companies
When analyzing the security maturity of large organizations, one of the most important stages of information security management is the identification of threats and risks. In order to be precise in this identification, multiple approaches are used, depending on the level of assessment or the required focus and rigor. In practice, unfortunately only limited and few types of actual engagements are practiced which in turn does not enable the organization to perceive real risk or to prepare its security mitigation strategy in an appropriate way. This results in an increased number of data breaches and successful exploitations by cyber criminals and other parties.
The most common engagement type is the review of known and common threats and vulnerabilities against a known set of assets in an organization, which is usually performed by following best practices from available risk assessment frameworks such as ISO ISO 27001, ISO 27002, ISO 27005 or NIST SP 800-30.
Another review angle focuses on performing a guided audit or test against an organization or a testing object. For example, this approach can include performing an audit and developing process according to ISO 27001 for an organization or verifying the security level of an application according to OWASP ASVS (Open Web Application Security Project – Application Security Verification Standard). When a company wants to simulate a realistic threat against a system and find vulnerabilities, it is suggested to perform penetration testing on an application, network or organization. The result is that the company simulates an attacker of a certain skill level, and aligns hired testers to that same skill set of an attacker in order to discover vulnerabilities or risks.
Classic red teaming also falls under this category by simulating an adversary of a specific skill level with an extended engagement period than in a regular penetration test and wider encompassing rules of engagement which allows for more freedom while testing. While red teaming is very useful in order to detect new avenues of risk, it is expensive and usually provides only a single path that the red team took in order to compromise the organization.
In both cases, the specific focus is on either broad risk assessment and asset discovery, to perform very specific checks and assessing risks for an application or part of the system.
The PreCog Security approach is about leveraging available frameworks, customer resources/infrastructure, and our expertise in order to build a customized risk framework. Our team consists of a diverse lineup of professionals, from C-Level security strategy executives with backgrounds in some of the largest IT enterprises like McAfee and Intel Security to experts with prior industry expertise to academic background experts with PhDs in information security. The diversity of our team enables us to view every security problem or every element of your enterprise from multiple viewpoints and scale our approach from the finest technical detail to c-level and boardroom executive reports.
Our approach for strategic risk assessment and analytical red teaming takes a blended approach with three critical areas and phases:
Phase 1 – Baseline Assessment and Identification (where is the organization now)
Phase 2 – Customized Risk Framework Development (where the organization wants to be)
Phase 3 – Implementation of Risk Framework (how the organization is doing)
Baseline Assessment and Identification
we establish gap analysis in your current approach and available resources and frameworks. Initial security maturity assessment and gap analysis include attack surface discovery. In this phase, we analyze your security maturity, alignment with best practices and identify strategic points for improvement. Based on the findings we define desired level of approach, organizational risk level, and best customized framework for third-party risk assessment.
Deliverable: executive summary report on security maturity and security gap analysis.
Customized Risk Framework Development
a) We define a customized framework in cooperation with you in order to best assess the strategic risks in your organization
b) Instead of focusing on inventorying assets within standard frameworks NIST 800-30 or ISO 27005 or only focusing on the “known-knowns” risks or “unknown-knowns” risks, we focus on the specific “unknown-unknowns“ risks
c) Based on your organization’s risk profile we help you build a process to identify the most threatening vulnerability and within your defined framework.
Deliverable: customized third-party risk assessment framework and process.
Implementation of Risk Assessment Framework
a) PreCog Security team performs all or partial testing and assessments in collaboration with the organization’s security teams.
b) PreCog Security team performs guided reconnaissance as real attackers, where we observe applications within your network through the attacker’s perspective with a goal to find real and exploitable vulnerabilities.
c) Common goal is to optimize for time and find the most pressing and realistic risks and vulnerabilities in the shortest amount of time. Instead of focusing on one type of assessment, we tailor our assessments for the ease and speed of verification.
(ex. Usually, a code review in an application will verify if there is a specific risk or a problem in a shorter time frame, which is more time and cost-effective than trying to develop a PoC exploit to demonstrate a vulnerability.). PreCog Security’s emphasis is on actual, applicable, and realistic risks based on the already established customized risk framework for our client.
Deliverable: executive summary and detailed risk report for a specific organization or system components.