Adam Ely wrote a nice article on Dark Reading (“Tech Insight: What to Do When Your Business Partner Is Breached”) about how to respond when you become aware of a breach of a business partner. He covers a very broad array of activities and responses you should consider immediately, on an ongoing basis, and after a breach.
One thing that jumped out at me was the brief mention of understanding your organization’s exposure. Adam wrote,
“As you’re starting to piece together what occurred, it’s time to understand your organization’s exposure. You’ll need to fully understand what service the partner provides to your organization, the data it possesses, and how you are connected to each other. A breach of a third-party email provider has a different impact than breach of a two-factor authentication vendor. Understanding the total exposure will help you define the risk associated with the breach, the actions you must take, and how fast you must move.”
“Understand your organization’s exposure” is no small task. In some cases, it’s too late to mitigate; in others, it could be a massive exposure waiting to be exploited. For example, if the business partner provides a billing service for you, all the records they possess about your customers may already be exposed. In another case, an application development provider may have connected access to critical assets in your organization that are now exposed to a new threat. In all cases, it is important to understand how you are connected to each other so you can monitor and mitigate any further proliferation of the breach.
Understanding the risk from a business partner whose “threat” value must now be seen as heightened post-breach can be a very big project. Sadly, in many enterprises, even the layer 3 network diagram is not up to date enough to provide an accurate picture of partner connections, let alone a complete picture of access. And, as Adam points out, time is not on our side in this instance. Quick and effective response to this new threat is critical to limiting the propagation and impact of a partner breach. Understanding “exposure” from this threat is the key to this response.
Risk Analyzer is designed for just this purpose: with a threat in mind, understanding the exposure of your network to that threat. If you understand your exposure, good responses include remediation activities like prioritizing vulnerability fixes, mitigation activities like blocking access to some connectivity until resolution is achieved, and limiting impact by actively monitoring (perhaps with network recording) all access from the breached partner. Getting a clear picture of what is exposed is still the first step.
Adam goes on to discuss much more than just the technical next steps, including contract negotiation and breach disclosure steps. But heeding his advice to understand your exposure and act fast to limit the impact is key to handling this situation.