January 31, 2022

Last Updated on January 13, 2024

Anything web-connected that hackers can use to target your brand is part of your attack surface—and that includes the attack surfaces of your critical vendors. But gaining visibility into your own company’s risk profile is a huge challenge. How do you even begin looking at your partners’ exposures?

On a recent episode of The Virtual CISO Podcast, special guest Steve Ginty, Director of Threat Intelligence at RiskIQ, talked about how attack surface management tools and services can help enterprises proactively analyze cyber risk associated with their vendors’ attack surfaces. Hosting the podcast is John Verry, Pivot Point Security’s CISO and Managing Partner.

Vendor due diligence via attack surface management

Looking at vendor risk is new even for RiskIQ, but it has an offering specifically for that purpose.

Steve describes: “At the beginning of this year, we launched the ability for anybody to come in and look at their supply chain and tell us, ‘Hey, these are my top 25 suppliers that I’m really worried about. Tell me what you know about their attack surfaces and where I should be worried.’”

“We built that for organizations to be able to more easily consume their third-party suppliers’ attack surfaces and to make better decisions around risk,” continues Steve. “We’ve always been in this supply chain scenario because we can tell you about all your dependencies that we know about that run in your environment. [For example,] we know that you’re reaching out to AWS when you’re building your site or that this data is stored in an S3 bucket or that Akamai happens to be your CDN or what have you, based on the information we’re collecting with our crawling. So, we’ve always been able to help you understand how large of a supplier footprint you’ve had and how that impacts your attack surface.”
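The kind of inference Steve describes, working out a supplier footprint from nothing but what an external crawl sees (DNS CNAME chains, HTTP response headers, the hostnames a page loads resources from), can be sketched in a few dozen lines. The example below is added here for illustration and is not RiskIQ code; the crawl records, vendor names and hostnames are constructed sample data, and the fingerprint rules cover only a handful of well-known AWS, Akamai, Cloudflare and Google hostname and header conventions. It goes one step beyond the quote by also reporting suppliers that several of your vendors have in common, since a shared upstream is where one incident reaches several of them at once.

```python
"""Passive supplier-footprint inference from crawl artifacts.

Added example, not RiskIQ's code. Input records are what an external
crawler would collect for one hostname: the CNAME chain it resolves
through, the response headers it returned, and the URLs of resources the
page loads. Every record, hostname and vendor name below is constructed.
"""
import re
from urllib.parse import urlparse

# Hostname fingerprints, applied to CNAME targets and resource hostnames.
# Patterns are public naming conventions of the named services; the list
# is illustrative, not exhaustive.
HOST_RULES = [
    (r"(^|\.)s3(-website)?([.-][a-z0-9-]+)?\.amazonaws\.com$", "AWS S3", "storage"),
    (r"\.cloudfront\.net$", "AWS CloudFront", "cdn"),
    (r"\.elb\.amazonaws\.com$", "AWS ELB", "hosting"),
    (r"\.(edgekey|edgesuite|akamaiedge)\.net$", "Akamai", "cdn"),
    (r"\.github\.io$", "GitHub Pages", "hosting"),
    (r"(^|\.)googletagmanager\.com$", "Google Tag Manager", "analytics"),
]
# Response-header fingerprints, matched case-insensitively on "Name: value".
HEADER_RULES = [
    (r"^server:\s*akamaighost", "Akamai", "cdn"),
    (r"^server:\s*amazons3", "AWS S3", "storage"),
    (r"^x-amz-", "AWS S3", "storage"),
    (r"^server:\s*cloudflare", "Cloudflare", "cdn"),
    (r"^(via|x-cache):.*cloudfront", "AWS CloudFront", "cdn"),
]
HOST_RULES = [(re.compile(p, re.I), s, c) for p, s, c in HOST_RULES]
HEADER_RULES = [(re.compile(p, re.I), s, c) for p, s, c in HEADER_RULES]


def infer_footprint(crawl_records):
    """Map each observed signal to the supplier it implies.

    Returns {supplier: {"category": ..., "evidence": [...]}}. Each evidence
    string names the host the signal was seen on, which is the pivot a
    practitioner needs for any follow-up check on that dependency.
    """
    footprint = {}

    def note(supplier, category, evidence):
        entry = footprint.setdefault(supplier, {"category": category, "evidence": []})
        if evidence not in entry["evidence"]:
            entry["evidence"].append(evidence)

    for rec in crawl_records:
        host = rec["host"]
        # CNAME targets and resource hostnames are both just hostnames.
        names = [(c, f"cname {host} -> {c}") for c in rec.get("cnames", [])]
        for url in rec.get("resources", []):
            h = urlparse(url).hostname
            if h:
                names.append((h, f"resource on {host}: {h}"))
        for name, evidence in names:
            for pattern, supplier, category in HOST_RULES:
                if pattern.search(name):
                    note(supplier, category, evidence)
        for header in rec.get("headers", []):
            for pattern, supplier, category in HEADER_RULES:
                if pattern.search(header):
                    note(supplier, category, f"header on {host}: {header}")
    return footprint


def vendor_footprints(vendors):
    """Run the inference per vendor: {vendor: {supplier: {...}}}."""
    return {name: infer_footprint(records) for name, records in vendors.items()}


def shared_suppliers(footprints):
    """Suppliers that more than one vendor depends on (concentration risk)."""
    seen = {}
    for vendor, fp in footprints.items():
        for supplier in fp:
            seen.setdefault(supplier, []).append(vendor)
    return {s: v for s, v in seen.items() if len(v) > 1}


# Constructed sample crawl data for two hypothetical vendors.
SAMPLE_CRAWL = [
    {"host": "www.example-vendor.com",
     "cnames": ["www.example-vendor.com.edgekey.net", "e1234.a.akamaiedge.net"],
     "headers": ["Server: AkamaiGHost", "Content-Type: text/html"],
     "resources": ["https://assets-example-vendor.s3.amazonaws.com/app.js",
                   "https://www.googletagmanager.com/gtm.js?id=GTM-ABC123"]},
    {"host": "static.example-vendor.com",
     "cnames": ["d111111abcdef8.cloudfront.net"],
     "headers": ["Server: AmazonS3", "x-amz-bucket-region: us-east-1"],
     "resources": []},
]
SAMPLE_VENDORS = {
    "Vendor A (example-vendor.com)": SAMPLE_CRAWL,
    "Vendor B (other-supplier.net)": [
        {"host": "portal.other-supplier.net",
         "cnames": ["d222222bcdefg9.cloudfront.net"],
         "headers": ["Via: 1.1 abc.cloudfront.net (CloudFront)"],
         "resources": ["https://cdn.other-supplier.net/app.js"]},
    ],
}

if __name__ == "__main__":
    fps = vendor_footprints(SAMPLE_VENDORS)
    for vendor, fp in fps.items():
        print(vendor)
        for supplier, info in fp.items():
            print(f"  {supplier} [{info['category']}]")
            for ev in info["evidence"]:
                print(f"    - {ev}")
    print("shared upstreams:", shared_suppliers(fps))
```

Rules like these are only as good as the naming conventions they encode, and a vendor fronting everything with its own hostnames will look smaller than it is; that gap is exactly what a crawl-at-scale platform fills, and it is why the evidence strings carry the observing host, so each finding can be re-checked rather than taken on trust.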

Building custom insights

These latest refinements help create discrete insights across vendors’ attack surfaces. Leveraging the RiskIQ platform, you can more quickly find out not just where your biggest risks are, but also what could be a problem for your suppliers.

“Our research team builds these insights, whether it’s the latest vulnerability or whether it’s open-source tools like Cobalt Strike, or whether it’s a misconfiguration, and I can give you that kind of snapshot into not only your environment, but also all of your suppliers.”
What’s Next?

To listen to the complete episode with Steve Ginty, click here: EP#69 – Steve Ginty – Can You Benefit From Attack Surface Management? – Pivot Point Security

Interested in more content on how to drive down vendor security risks? You’ll appreciate this podcast with third-party risk management expert Kevin Hermosura: https://pivotpointsecurity.com/podcasts/the-virtual-ciso-podcast-ep20-kevin-hermosura-faster-better-cheaper-vendor-due-diligence-reviews/

TPRM for SMBs guide

Through our 17 years of experience, we've collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-size business (SMB).
Download our free TPRM PDF guide now!