The challenges of gaining visibility into supply chain risk have been dramatically highlighted over the last year as many in the security community were left scrambling in the wake of events like the SolarWinds Orion hack. These high-profile breaches often leave security practitioners with little early information and big expectations from company leadership for answers about potential impacts. 

Security teams were tasked by boards and executives to quickly enumerate the risk of exposure from the SolarWinds vulnerability to their environments. Many security organizations understood that the impact could be serious even if they did not do business directly with SolarWinds—but without fourth-party visibility, they were hard-pressed to tease out the dotted line connections their ecosystems had to the breached software.

RiskRecon was inspired by these events to broaden the reach of its third-party risk management (TPRM) platform and revolutionize a way to discover and visualize supply chain relationships.

In order to help organizations extend their supply chain visibility beyond their third parties, RiskRecon today released a new feature that automates the discovery of fourth-party technology connections to any given environment. The new feature comes at no additional cost to customers, providing them a way to visualize the complex and dynamic risk relationships that form when third parties engage with a range of other vendors for software, hosting, and other services.

Cybersecurity risk managers have historically struggled to capably track the arms-length relationship of supply chain connections due to many reasons:

  • Organizations may know who their vendors are, but rarely know the full scope of who their vendors' vendors are.
  • Organizations generally have the right to audit their vendors but have no right to audit fourth parties.
  • Even if third parties are inclined to disclose their supply chain, they may not have a mature enough third-party risk management program themselves to fully understand their portfolio
  • The interconnectivity of different third-party and fourth-party relationships is difficult to visualize and it is always changing.
  • Risk can come from internal or external configurations of fourth-party technology—risk analysts need insight into both.

Untitled - cropped design (11)The new supply chain feature leverages two sources of data to map out supply chain relationships. The first is directly-observed data found on internet-facing systems that offer highly accurate evidence of the hosting providers and software utilized by a company. In addition, RiskRecon is now delivering the additional capability to indirectly infer internally deployed technologies from a range of sources such as partnership announcements, job postings, product documentation, and more. For example, if a vendor is hiring 10+ jobs requiring experience with GitHub, then chances are very high that it is a GitHub shop. 

All of this data is easily accessible from a new Supply Chain tab in the RiskRecon dashboard. The new Supply Chain visualizer enables analysts to investigate risk based on filters for key parameters like company, hosting provider, and software. The data is visualized natively on the RiskRecon platform in a clean manner, but it is also available for export so it can be viewed in other tools like GRC systems or business intelligence platforms

This new feature adds tremendous opportunity for RiskRecon customers seeking to level up their TPRM practices. As organizations have matured TPRM beyond running periodic questionnaires across third parties, they've already recognized the value of using passive monitoring to validate the risk levels of vendors and enrich their risk modeling. Layering in supply chain risk further underscores the overall benefit that passive monitoring has for providing real-time visibility to TPRM staff. This kind of visibility simply would not be possible without automated technology.

To learn more about the Supply Chain tab in the RiskRecon platform and how you can get the most out of it, schedule a demo today.