You’re Bleeding
Exposing the Attack Surface in your Supply Chain
p.3 - Confidential -
ABOUT US
- Confidential -p.2
Dov Goldman, Director of Risk and Compliance, Panorays, dov@panorays.com
Demi Ben-Ari, Co-founder and VP R&D, Panorays, demi@panorays.com
US companies that suffered a data breach via a third party in 2018: 61%
Percentage of third parties that share organizations' sensitive data with their own third parties: 37% (2016), 43% (2018)
Source: “Data Risk in the Third-Party Ecosystem,” Ponemon Institute, November 2018
• PNI Data Breach – Photo Services Affected – By Thomas George
• Coverage: Geekwire, databreaches.net, Amateurphotographer.co.uk, scmagazine.com
A breach at even the smallest third party can set off a cyber typhoon across an entire industry.
The Return of Supply Chain Attacks
MAGECART – card-skimming JavaScript injected into checkout pages through compromised third-party scripts and site components
Uh-oh, Regulations Ahead
GDPR
CCPA
DFARS
NY DFS
Polling Question #1
Do you have a third-party security program in place?
1. Yes
2. No
3. I don’t know
EXPOSING YOUR SUPPLIERS’
ATTACK SURFACE
What is My Attack Surface?
Risk = (Vulnerabilities X Threats X Consequences)
Attack-surface word cloud (recoverable labels only):
• What is at stake: Privacy, Content, Identity, Files, Assets
• Controls: Tor, VPN, HTTPS, Encryption, 2FA, HTTP Filter, Patching, WAF, Firewall, SSL / TLS, SSH
• Security threats: Vishing, Phishing, Spying, Adware, Backdoors, Exploit Kits, Spyware, Viruses, Malware, Mass Surveillance
• Adversaries: Spies, Nation-States, Hackers, Hacker Groups, Colleagues, Cyber Criminals, Law Enforcement, Ex-Partners, Governments
• Pseudo-anonymity / Anonymity
Polling Question #2
What methodology do you use to evaluate your suppliers?
1. I don’t evaluate my suppliers at all
2. External view
3. Questionnaires
4. External view & Questionnaires
5. Other
Why Should You Look at the Perimeter?
“Dirty window was indicative of lack of cleaning and attention to details.”
-- TripAdvisor Restaurant Review
What You Should Be Looking At
Supplier: Employees, IT & Network, Application
• Vircom
Application Layer
• Outdated and unpatched applications
• XSS vulnerabilities
• Domain Targeted Attacks
• …
IT & Network Layer
• Example: Shodan
https://www.shodan.io/
Human Layer
• Example: Have I Been Pwned
https://haveibeenpwned
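The deck cites Have I Been Pwned as the human-layer check: have a supplier's employees already turned up in breach dumps? The part of HIBP whose protocol can be shown offline is its Pwned Passwords range API, which is also the part worth understanding before you point a scanner at it, because it is designed so that the password and its full hash never leave your machine. The example below is added here and is not code from the deck or from HIBP. It assumes the public response format (one `SUFFIX:COUNT` line per hash in the range) and replaces the network call with a constructed response; the suffixes and counts are made up, except that one suffix is the real SHA-1 suffix of the string "password".

```python
import hashlib

# Constructed stand-in for the range API response for prefix 5BAA6.
# A real response holds hundreds of "SUFFIX:COUNT" lines. Everything here
# is made up except the second suffix, which is SHA-1("password") minus
# its first five hex characters; its count is also a made-up number.
FAKE_RANGES = {
    "5BAA6": (
        "0049AAC9DE28BB8CB7289C55C9A5B3B8D1B:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "2BCC6B9D6E5FBD8C5A0C9E7E4F0E1C7A5D3:1\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    to the service and the 35-char suffix that stays local (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fake_fetch_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>
    (assumed endpoint). Returns an empty body for prefixes we have no
    constructed data for, so no network access is needed."""
    return FAKE_RANGES.get(prefix.upper(), "")


def pwned_count(password, fetch_range=fake_fetch_range):
    """Number of times the password appears in the corpus, or 0.
    Only the five-character prefix is handed to fetch_range; the matching
    against the full suffix happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    print(pwned_count("password"))           # 3730471 in the constructed data
    print(pwned_count("x7#Qk!2vL9p$wR4e"))    # 0, prefix not in FAKE_RANGES
```

To run it against the live service, pass a `fetch_range` that performs the HTTP GET and returns the response body as text; the rest of the logic is unchanged, and the service still only ever sees five hex characters.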
Inside-Out
Regulations and control frameworks to cover (the five NIST Cybersecurity Framework functions):
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
IS THE ATTACK SURFACE INDEED AN
INDICATOR?
Do You Know Your Assets? The Hacker Does!
Tell-Tale Signs of a Supply Chain Attack
• Organization monitored supplier over time
• Exposed the attack surface:
  • Outdated technologies
  • Untrusted certificates
  • Mail server misconfigurations
  • Lack of security controls
  • Botnet traffic
  • ….
• Measures the company took to avoid a breach
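The tell-tale signs above, and the application and IT-layer items earlier in the deck, are all things an outsider can observe without the supplier's cooperation. The example below, added here and not code from the deck or from Panorays, shows the evaluation logic behind four of them: permissive SPF and non-enforcing DMARC (mail server misconfiguration), version-disclosing and missing HTTP headers (outdated technology, lack of controls), and a self-signed or expired certificate (untrusted certificate). It runs on a constructed scan result rather than live DNS, HTTP or TLS lookups; the thresholds, the header lists and the finding texts are this example's own choices, not an industry standard.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what an outside-in scan of a supplier domain might
# return. No network calls are made; every value is made up and the sample
# deliberately contains one weakness per check.
SAMPLE = {
    "domain": "supplier.example",
    "txt_records": ["v=spf1 include:_spf.mailhost.example +all"],
    "dmarc_record": "v=DMARC1; p=none; rua=mailto:dmarc@supplier.example",
    "http_headers": {
        "Server": "Apache/2.2.15 (CentOS)",
        "X-Powered-By": "PHP/5.3.3",
        "Content-Type": "text/html",
    },
    "cert": {
        "subject": "CN=supplier.example",
        "issuer": "CN=supplier.example",
        "not_after": "2019-01-01T00:00:00+00:00",
    },
}

# Assumption: a dotted number in any of these headers counts as version disclosure.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
# Assumption: this minimal set of browser-side controls is expected on every site.
CONTROL_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
)


def check_spf(txt_records):
    """Mail server misconfiguration: missing, duplicated or permissive SPF."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["mail: no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("mail: more than one SPF record (only one is allowed)")
    terms = spf[0].lower().split()
    if "+all" in terms or terms[-1] == "all":   # bare 'all' means '+all'
        findings.append("mail: SPF ends in +all, any host may send as the domain")
    elif "?all" in terms:
        findings.append("mail: SPF ends in ?all (neutral), no enforcement")
    return findings


def check_dmarc(record):
    """Mail server misconfiguration: missing or non-enforcing DMARC."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["mail: no DMARC record"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        return ["mail: DMARC p=none, spoofed mail is reported but still delivered"]
    if policy not in ("quarantine", "reject"):
        return ["mail: DMARC policy missing or invalid"]
    return []


def check_http(headers):
    """Outdated technologies and lack of controls, read from response headers."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for h in VERSION_HEADERS:
        value = lower.get(h.lower())
        if value and re.search(r"\d+\.\d+", value):
            findings.append(f"web: {h} discloses a version ({value})")
    missing = [h for h in CONTROL_HEADERS if h.lower() not in lower]
    if missing:
        findings.append("web: missing security headers: " + ", ".join(missing))
    return findings


def check_cert(cert, now=None):
    """Untrusted certificate: self-signed (issuer equals subject) or expired."""
    findings = []
    now = now or datetime.now(timezone.utc)
    if cert["issuer"] == cert["subject"]:
        findings.append("tls: self-signed certificate (issuer equals subject)")
    not_after = datetime.fromisoformat(cert["not_after"])
    if not_after < now:
        findings.append(f"tls: certificate expired on {not_after.date()}")
    return findings


def assess(scan, now=None):
    """Run every check and return the combined list of findings for one supplier."""
    return (
        check_spf(scan["txt_records"])
        + check_dmarc(scan.get("dmarc_record"))
        + check_http(scan["http_headers"])
        + check_cert(scan["cert"], now)
    )


if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

Each checker takes plain data, so the same functions can be fed by whatever collector you already have (a DNS resolver, an HTTP client, a TLS handshake) and run repeatedly for the continuous monitoring the deck calls for. The findings are evidence of hygiene, not proof of compromise: a missing header or a permissive SPF is the dirty window, and the questionnaire or a direct conversation is how you find out what is behind it.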
A PRACTICAL STRATEGY TO IMPLEMENT
YOUR THIRD PARTY SECURITY PROGRAM
What are we assessing in our supply chain?
● Choose the control frameworks, industry standards and regulatory directives we adhere to
● “Scope” the controls relevant to each relationship
● Test our suppliers' adherence to the same standards
● Identify issues and request remediations
● Monitor continuously
Five Steps
SCALING IS KEY
Polling Question #3
- Confidential -p.26
Which suppliers do you
focus on?
1. I don’t evaluate my suppliers
2. I evaluate all suppliers
3. I evaluate only those deemed
critical
4. Always the criticals and
occasionally the less critical
5. Other
Scaling a Third Party Cybersecurity Program
Low Risk: Your Controls
Medium Risk: Automation
Critical
SUMMARY
Key Takeaways
● Supply chain security is something you need to consider – today!
● This is a problem you can mitigate
● Build a scalable third party cyber security program
● Consider the attack surface and work towards minimizing it
About Panorays
Sign up for a Panorays demo – today!
https://www.panorays.com
demi@panorays.com
dov@panorays.com
Thank You!
If you’d like a copy of this deck, email one of us!

  • 4. Source: “Data Risk in the Third-Party Ecosystem,” Ponemon Institute, November 2018 37% 43% 2016 2018 Percentage Of Third Parties that Share Organizations' Sensitive Data with their Third Parties
  • 5. • PNI Data Breach – Photo Services Affected – By Thomas George • Geekwire, databreaches.net, Amateurphotographer.co.uk, scmagazine.com A breach to even the smallest 3rd party may cause a cyber typhoon in the industry.
  • 6. The Return of Supply Chain Attacks
  • 7. MAGECART
  • 8. Uh-oh, Regulations Ahead GDPR CCPA DFARS NY DFS
  • 9. Polling Question #1 Do you have a third-party security program in place? 1. Yes 2. No 3. I don’t know
  • 11. What is My Attack Surface Risk = (Vulnerabilities X Threats X Consequences) Privacy Content Identity Files Assets Tor VPN HTTPS Encryption 2FA HTTP Filter Patching WAF Firewall SSL / TLS SSH Security Threats Adversaries Vishing Phishing Spying Adware Backdoors Adware Exploit Kits Spyware Viruses Malware Mass Surveillance Spies Nation-States Hackers Hacker Groups Colleagues Cyber Criminals Law Enforcement Ex-Partners Governments Pseudo Anonymity Anonymity
  • 12. Polling Question #2 What methodology do you use to evaluate your suppliers? 1. I don’t evaluate my suppliers at all 2. External view 3. Questionnaires 4. External view & Questionnaires 5. Other
  • 13. Why Should You Look at the Perimeter? “Dirty window was indicative of lack of cleaning and attention to details.” -- TripAdvisor Restaurant Review
  • 14. What You Should Be Looking At Supplier Employees IT & Network Application • Vircom
  • 15. Application Layer • Outdated and unpatched applications • XSS vulnerabilities • Domain Targeted Attacks • …
  • 16. IT & Network Layer • Example: Shodan https://www.shodan.io/
  • 17. Human Layer • Example: Have I Been Pwned https://haveibeenpwned
  • 18. Inside-Out Regulations and control frameworks to cover: 1. Identify 2. Protect 3. Detect 4. Respond 5. Recover
  • 19. IS THE ATTACK SURFACE INDEED AN INDICATOR?
  • 20. Do You Know Your Assets? The Hacker Does!
  • 21. Tell-Tale Signs of a Supply Chain Attack • Organization monitored supplier over time • Exposed the attack surface • Outdated technologies • Untrusted certificates • Mail server misconfigurations • Lack of security controls • Botnet traffic • …. • Measures the company took to avoid a breach
  • 22. A PRACTICAL STRATEGY TO IMPLEMENT YOUR THIRD PARTY SECURITY PROGRAM
  • 23. What are we assessing in our supply chain ● Choose control frameworks, industry standards and regulatory directives we adhere to ● “Scope” controls relevant to each relationship ● Test our suppliers’ adherence to the same standards ● Identify issues and request remediations ● Monitor continuously
  • 24. Five Steps
  • 26. Polling Question #3 Which suppliers do you focus on? 1. I don’t evaluate my suppliers 2. I evaluate all suppliers 3. I evaluate only those deemed critical 4. Always the criticals and occasionally the less critical 5. Other
  • 27. Scaling a Third Party Cybersecurity Program Low Risk Medium Risk Critical
  • 28. Scaling a Third Party Cybersecurity Program Low Risk Medium Risk Critical
  • 29. Scaling a Third Party Cybersecurity Program Low Risk Medium Risk Critical
  • 30. Scaling a Third Party Cybersecurity Program Low Risk: Your Controls Medium Risk Critical
  • 31. Scaling a Third Party Cybersecurity Program Low Risk: Your Controls Medium Risk Critical
  • 32. Scaling a Third Party Cybersecurity Program Low Risk: Your Controls Medium Risk: Automation Critical
  • 34. Key Takeaways ● Supply chain security is something you need to consider – today! ● This is a problem you can mitigate ● Build a scalable third party cyber security program ● Consider the attack surface and work towards minimizing it
  • 35. About Panorays
  • 36. Sign up for a Panorays demo – today! https://www.panorays.com
  • 37. demi@panorays.com dov@Panorays.com Thank You! If you’d like a copy of this deck, email one of us!
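Slide 21 lists the externally observable tell-tale signs the speakers look for (outdated technologies, untrusted certificates, mail server misconfigurations), and slide 23 says to test suppliers against the chosen standard and monitor continuously. The script below is an added example of how such checks can be expressed as code; it is not code from the deck or from Panorays. It works on an `Observation` record that an external scan would have already collected (certificate expiry and chain status, SPF and DMARC TXT records, service banners), so it runs offline. The supplier domains, DNS records, banners and the `EOL_PREFIXES` table are all constructed for illustration; a real program would take the lifecycle data from a maintained source.

```python
"""Score external attack-surface indicators for a supplier domain.

Added example, not code from the Panorays deck. Every input below is
constructed for illustration; nothing is fetched from the network.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Observation:
    """What an external scan would have collected for one supplier domain."""
    domain: str
    cert_not_after: datetime      # notAfter of the TLS leaf certificate
    cert_chain_trusted: bool      # did the chain validate against a trust store?
    spf: Optional[str]            # TXT record "v=spf1 ..." at the apex, or None
    dmarc: Optional[str]          # TXT record at _dmarc.<domain>, or None
    banners: dict = field(default_factory=dict)  # service -> advertised version


@dataclass
class Finding:
    category: str   # matches a tell-tale sign from the deck
    severity: str   # "high" or "medium"
    detail: str


# Hypothetical end-of-life prefixes for the banner check (constructed).
EOL_PREFIXES = {
    "Apache/2.2": "Apache httpd 2.2 reached end of life in 2017",
    "OpenSSH_5.": "OpenSSH 5.x no longer receives security fixes",
}


def _spf_findings(spf: Optional[str]) -> list:
    if spf is None:
        return [Finding("Mail server misconfigurations", "medium", "no SPF record published")]
    terms = spf.lower().split()
    if not terms or terms[0] != "v=spf1":
        return [Finding("Mail server misconfigurations", "medium", "SPF record is malformed")]
    last = terms[-1]  # the final "all" mechanism decides the fate of unlisted senders
    if last in ("+all", "all", "?all"):
        return [Finding("Mail server misconfigurations", "high",
                        f"SPF ends with '{last}': any host may send as the domain")]
    return []


def _dmarc_findings(dmarc: Optional[str]) -> list:
    if dmarc is None:
        return [Finding("Mail server misconfigurations", "medium", "no DMARC record published")]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc.split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    if policy in ("", "none"):
        return [Finding("Mail server misconfigurations", "medium",
                        "DMARC policy is 'none': spoofed mail is only reported, not rejected")]
    return []


def _cert_findings(obs: Observation, now: datetime) -> list:
    findings = []
    if not obs.cert_chain_trusted:
        findings.append(Finding("Untrusted certificates", "high",
                                "TLS chain does not validate against the trust store"))
    remaining = obs.cert_not_after - now
    if remaining <= timedelta(0):
        findings.append(Finding("Untrusted certificates", "high", "TLS certificate has expired"))
    elif remaining < timedelta(days=30):
        findings.append(Finding("Untrusted certificates", "medium",
                                f"TLS certificate expires in {remaining.days} days"))
    return findings


def _banner_findings(banners: dict) -> list:
    return [Finding("Outdated technologies", "high", f"{service}: {banner} ({why})")
            for service, banner in banners.items()
            for prefix, why in EOL_PREFIXES.items() if banner.startswith(prefix)]


def assess(obs: Observation, now: datetime) -> list:
    """Return every tell-tale sign observed for one supplier domain."""
    return (_cert_findings(obs, now) + _spf_findings(obs.spf)
            + _dmarc_findings(obs.dmarc) + _banner_findings(obs.banners))


def summarize(findings: list) -> dict:
    """Count findings per category, the shape a monitoring dashboard would show."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed observations for two fictitious suppliers (the .test TLD is reserved).
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
WEAK_SUPPLIER = Observation(
    domain="weak-supplier.example.test",
    cert_not_after=datetime(2019, 5, 20, tzinfo=timezone.utc),  # already expired
    cert_chain_trusted=False,
    spf="v=spf1 include:_spf.mail.example.test +all",
    dmarc="v=DMARC1; p=none; rua=mailto:dmarc@weak-supplier.example.test",
    banners={"http": "Apache/2.2.15 (CentOS)", "ssh": "OpenSSH_7.4"},
)
SOUND_SUPPLIER = Observation(
    domain="sound-supplier.example.test",
    cert_not_after=datetime(2020, 3, 1, tzinfo=timezone.utc),
    cert_chain_trusted=True,
    spf="v=spf1 include:_spf.mail.example.test -all",
    dmarc="v=DMARC1; p=reject; rua=mailto:dmarc@sound-supplier.example.test",
    banners={"http": "nginx/1.16.1", "ssh": "OpenSSH_7.4"},
)

if __name__ == "__main__":
    for obs in (WEAK_SUPPLIER, SOUND_SUPPLIER):
        found = assess(obs, NOW)
        print(obs.domain, summarize(found))
        for f in found:
            print(f"  [{f.severity}] {f.category}: {f.detail}")
```

Run against the constructed records, the weak supplier produces five findings across the three categories and the sound supplier none. Fed by a scheduled scan instead of constants, `summarize` gives the per-supplier counts that the "monitor continuously" step on slide 23 needs, and a change in those counts over time is the kind of signal slide 21 describes.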