Are Third-Party Risk Management Solutions Effective Enough?
2025-1-27 10:50:54 Author: securityboulevard.com

Among the many issues faced in identifying and managing cyber risk, perhaps none is more challenging than the constantly changing cyber environment. Security analysts must stay ahead of rapidly evolving threats, including ransomware, denial of service, account takeover, data exfiltration and more. With an increasingly dynamic attack surface and more sophisticated threats, gauging and mitigating first-party risk internally and assessing third-party risk is an incredibly complex and nuanced task.

For this reason, cybersecurity and risk analysts must take advantage of more accurate, efficient, and actionable tools and intelligence.  

While third-party risk management (TPRM) may at first glance offer insight into third-party cyber risk, it does not offer enough support to analysts facing the demands of the modern cyber landscape. A far better option is to incorporate TPRM within external attack surface management (EASM).


Let’s examine the limitations of TPRM and the advantages of extending supply chain risk intelligence within a modern EASM platform.  

Third-Party Risk Management  

TPRM methods typically provide an initial, often surface-level assessment of risk. This often requires additional, independent technical security review and assessment, which is time-consuming and costly.  

  • How it works: TPRM applications support the evaluation of cyber risk by collecting key data from organizations and analysts. This is performed through questions about governance, certification, historical incident information and operational security questions. This information is often cataloged manually in a checklist.  
  • Downside: With over a decade of experience in cyber risk, I’ve had to learn the hard way that relying on divulged information to assess risk opens significant room for human error. Human answers are often biased, information can be covered up, and high-level questions can be ambiguous. It’s often better to just gauge risks from objective facts and technical assessment.
  • How it works: Most TPRM offerings include passive and active cyberscanning of internet-facing assets to discover weaknesses that could lead to cyberthreats. The results are represented by snapshots of a single moment in time.  
  • Downside: These tools can provide insight into asset health, but they often require considerable time and expertise to interpret. Additionally, because results only represent specific moments, they do not represent the entire attack surface as cyber risk is dynamic and internet-exposed assets and exposures quickly change.  
  • How it works: Security and scoring TPRM platforms aim to expand and automate risk assessment by periodically aggregating data sources like cyberscans and threat intelligence.  
  • Downside: These evaluations are only as good as the input they receive, and without continuous monitoring, they do not offer an accurate evaluation of an organization’s risk profile. The tools miss newly exposed assets, active attacks and incoming potential threats, leading to incomplete, unverified assessments. A well-known example is a TPRM solution asserting that an outdated Secure Sockets Layer (SSL) certificate poses a significant risk to an organization without any further context or understanding of what the asset is. Further, the risk scoring and findings are frequently inaccurate, irrelevant, or outdated, a complaint frequently expressed publicly on numerous security community sites.
  • How it works: Many TPRM solutions pull threat data and credentials from sources like the dark web.  
  • Downside: Often, this data is unsubstantiated or non-actionable. The volume of threat information generated by these dark web scans makes it difficult for analysts to distinguish between critical threats and benign exposures, such as compromised credentials. For example, many stolen credential sets on the dark web are fake, partially fake, or outdated. Testing each set overburdens analysts, making their use significantly less efficient for risk reduction.  
  • How it works: Most TPRM solutions provide aggregated data but do not provide actionable insights.  
  • Downside: This results in data overload with a high noise-to-signal level, leaving risk analysts with the task of interpreting, further investigating, manually keying in, and reprioritizing these findings. This is time-consuming and prone to human error, and as a result it further impacts the efficiency and results of the risk assessment process.

External Attack Surface Management  

EASM solutions offer a unified source for continuous monitoring and real-time analysis, equipping security and risk analysts with a more comprehensive view of high-confidence threats and active attacks. Each of the EASM capabilities below builds on the others, creating a powerful and integrated approach to risk analysis and threat response that covers both first-party and third-party risk assessment.

Dynamic Attack Surface Identification: In contrast to TPRM options, EASM solutions continuously identify, catalog and assess internet-facing assets of entities. This not only provides risk assessors and IT security staff a more efficient inventory but also more current and accurate security risk posture insights. This combined with attack surface visualization techniques provides greater insights compared to conventional TPRM capabilities.  

Continuous Exposure Monitoring and In-Depth Findings: Continuous exposure management requires continuous monitoring to enable more efficient threat prioritization processes. This requires active threat and attack detections, as well as commensurate accuracy and depth needed for effective assessment by risk analysts and subsequent triage by security analysts. EASM solutions perform active threat monitoring functions to give the analyst a more timely and clearer picture of imminent threats and active attacks. By providing detailed, validated findings, EASM allows analysts to shorten investigation time and effort.  

Threat Prioritization and Enumeration: Modern EASM solutions not only categorize threats and assess severity but cross-correlate evidence of active threats across the stages of the attack chain, from reconnaissance and weaponization to installation and exfiltration. The earlier the stage at which a threat is identified, the greater the opportunity for security operations to proactively remediate exposures before they become incidents. When a threat is identified at a later stage, security teams can apply resources to expedite containing threat propagation and attack impact. Taken together, threat categorization, severity and attack stage give analysts more insight into an organization’s risk management practices.

Less Noise and More Actionable Insights: Modern EASM solutions leverage AI and event stream analytics capabilities to detect threat behavior patterns, with supporting evidence, across business entities and cyberadversary activities. This not only overcomes the low signal-to-noise ratio that analysts contend with in conventional TPRMs but also provides analysts with the actionable insights needed to make informed decisions. This enables risk managers to conduct risk assessments more efficiently while enabling security teams to respond to pertinent security issues more quickly. Since this external threat intelligence covers first-party and third-party entities, sharing actionable insights can truly reduce supply chain risk.

A more effective risk management strategy is developed with accurate, timely and detailed intelligence. For this reason, a modern EASM solution that incorporates meaningful first-party and third-party cyber risk insights offers more than conventional TPRM solutions. Arming cybersecurity and risk analysts with the right information and data in real time doesn’t just empower them; it improves the efficacy of their risk evaluations, ultimately enhancing the protection and resiliency of the organizations they represent.


Source: https://securityboulevard.com/2025/01/are-third-party-risk-management-solutions-effective-enough/