
2/16 Ask the Expert: How BitSight Can Protect Your Supply Chain Against The SolarWinds Breach

Import · Feb 16, 2021 · video

...depending on where and when you're joining us. This is actually a really interesting webinar, very topical, and I think the whole SolarWinds breach was so far-reaching and so surprising and so sophisticated that it seems like everyone's talking about it. What we wanted to do is provide you a little bit of insight on what ServiceNow and BitSight can do to help you protect your supply chain against hacks and vulnerabilities such as the SolarWinds breach. With me today is Leslie Sloan; she's the senior consulting engineer for BitSight. We're not going to take the whole hour, but we are going to take you through what BitSight is, what they do, and then how ServiceNow Vendor Risk Management and BitSight can work together to help you protect yourself better. So Leslie, without any further ado, let me turn it over to you.

Awesome, thanks so much, Teresa. Go to the next slide. There we go. So for those that are unfamiliar with BitSight, what we do is we collect data from publicly addressable IP space that is observable, and then we evaluate it for conformance to security best practices, and then we align those observations to organizations, producing a three-digit security rating. So that gives you a proxy for the security performance of organizations, whether that be yourself or, most likely and especially in this case, your third parties or your vendors that you're working with.

SolarWinds has been in the news for several weeks now, and although the security incident first hit the news back in December, all the details are not yet known or understood. What we do know is that a variety of different groups, both public and private organizations, were attacked based on the software provided by SolarWinds. One thing I heard recently was that this is something that we're not going to know how widespread or how pervasive it is for quite some time. So even if we think we have our arms around it, you know, 18,000 customers, every day another customer is realizing that they have been a victim of this. So this is something that is going to be with us for a while.

I agree. I think we're just at the tip of the iceberg in our understanding, and the sophistication of it was just amazing.

So SolarWinds themselves have said that roughly 18,000 customers have installed the software, and that there was a back door: the trojanized, signed software went out through their normal update process. What this graph represents is the daily scans that BitSight is doing for web services. The top blue line represents organizations with SolarWinds Orion installed, and we see the software being uninstalled and that overall footprint decreasing. The red line represents the trojanized version with the SUNBURST backdoor that was installed and is running, and while there's a sharp decline in the number, and that's a good thing, what's concerning is that it hasn't hit zero and that there are lots of organizations that still have the trojanized version running in their environment. And the question is, is this your organization, or is this a key third party? What we've learned in a larger context is just how easily SolarWinds Orion was downloaded and installed in environments. Through the conversations that the BitSight leadership is having with many CISOs from around the world, we're learning that oftentimes they didn't necessarily have to go through a formal procurement process to install this. Many times it was in some test and dev environments, but it was introduced into large environments without a formal procurement or a formalized process. So that's one way that it had such a large install base.

So the red line is actually showing me the trojanized version, and we see that it's going down. This is based upon scans that you're pulling in from BitSight, right?

Correct.

So you're really providing people an objective view of what they've got and being able to pinpoint the software that has been trojanized.

Well, not only the trojanized version, but then also just the normal footprint, the regular view of the web services that we can see of SolarWinds Orion and its ancillary web services. On our next slide we can go into a little bit about the BitSight detection capabilities, and what's unique about BitSight is that as part of our normal data collection methodologies we have these different approaches and many others. What we're doing on a regular daily basis is scanning the internet, decoding DNS names, looking at NetFlow information, and also doing things like firmographic data farming as well as other data collection methodologies. These were already in place prior to the SolarWinds incident, which is what enabled us to react so quickly when this hit the news. We utilize this information specifically to understand what the exposure of customers is, and then of course their extended ecosystem of who's using this particular suite of software. So it's important to note that this is part of our normal data collection process; that's how we pivoted very quickly, and that's why we were able to have that data for our customers to react and understand what their overall exposure footprint was like.

Yeah, and this is why you want to be able to do this on an ongoing basis, not at a point in time.

Absolutely. So one of the things that we did do in reaction to the SolarWinds incident was to create an attack resource center for our customers. This is accessible through our platform, and what's awesome is that through the integration that any of the ServiceNow customers are using into BitSight, it's quickly accessible through a couple of clicks, and they can then very quickly see what their extended ecosystem is from a compromised-company perspective, so what their overall exposure is. They can then utilize our resources that link out to other sources to know about the current patches and what they can do with this information, and they can easily understand how to identify the impacted organizations and then start to take some actions from that.

Yeah, so let's talk a little bit about what those actions could be. So looking at Vendor Risk Management, as I said earlier, with BitSight we are able to help you protect yourself against some of the supply chain attacks, and the reason we can do this is because we provide a formalized program. If you have not got a formalized continuous monitoring program in place, you are clearly going to be caught, be surprised by things as they occur. So the first thing we do is we recommend a formalized program. The reason that Vendor Risk Management is unique is because we're able to embed these business workflows into everyday tasks. So we make it easy for your vendors to be able to respond to questionnaires, to document requests, to be able to communicate with you, to be able to work through issues. We consolidate all that information into a single platform: we've got third-party users, we've got our internal stakeholders, all using the same platform, storing data in the same place, so we're able to pull that information out and display it so you can visualize it in the way that you need to. So contracts, being able to help provide tiering, the assessments, content, all of it's in one place. Being able to consolidate that communication and collaboration in the vendor portal makes it easy to track events over time, over years, and get that audit trail. The other thing that we can do is work with our other applications to be able to connect to the enterprise risk side of the house, so regulatory context, operational risk, business continuity. Having everything on one platform with that one common data model makes all the difference in the world, and then providing that vendor portfolio, that vendor portal, provides the connectivity between your business and your vendors and makes it easy.

There are a lot of benefits to this. The most obvious is controlling your risk exposure, not on a point-in-time basis but continuously, and as we just talked about with Leslie, if you were doing something once a month or once every two months, you would very likely miss those attacks, those vulnerabilities, those issues that pop up in between. Being able to automate workflows: ServiceNow is the workflow company; that not only speeds response but it also allows you to be more productive and to use people in the best ways possible. And then increasing performance and productivity, doing more with less. And then that independent data validation that we get through BitSight, combined with the vendor assessments and questionnaire responses that we get from the vendors, putting that all together to give you a 360-degree view of your vendors.

So the vendor portal is really the key to the whole solution: taking the tiering assessments, taking the BitSight ratings, taking the document requests, being able to track your contacts and have a portfolio of contacts that are continuously updated by the vendor so they're always up to date. Being able to have that issue management, to be able to remediate issues quickly, is critical, and then being able to have notifications and being able to track deadlines is so vital. So through the vendor portal we're able to do all of that. And then the last thing is being able to integrate with GRC. So for example, through our alerts and through our rules we're able to identify if there is an issue that has popped up, or for example if you sent out an ad hoc request, knowing that there is this attack that is ongoing, to all of your vendors to ask them if they have installed the Orion software. If that comes back with a yes, you can also ask if they've been vulnerable. If that comes back with a yes, then you're able to automatically generate a compliance violation, automatically generate a risk, automatically send out another assessment, or potentially alert internal people to review the vendor status more carefully, maybe switch to an alternate vendor for a little while, and also correlate that with what BitSight is saying. So you want to look at this from both directions: from the ServiceNow Vendor Risk Management perspective, being able to do the ad hoc assessments, and also from the BitSight perspective, being able to look at those alerts and those scores. So Leslie, can you tell us a little bit more about the BitSight perspective?

Absolutely. So for the extraordinary situations, like I said, within BitSight we have a resource center, we've got some tiles, the dashboard set up so that you can understand what your exposure is for your vendors. And because we have that bi-directional integration set up and we can see what that tiering is between ServiceNow and BitSight, once you've set your tiers and you understand the business criticality of your vendor, you can then see what your exposure is in BitSight, go back into ServiceNow, execute on the actions that you want to take with that vendor, get a sense for what actions that vendor is taking, what remediation steps they are taking, and really get a sense for what your risk is in terms of that extraordinary event like SolarWinds. For the more, I don't want to say routine, but the more frequently occurring type of risk that we see with vendors, that's going to be more specific to that one vendor's performance over time, and that's where many of the alerts that BitSight customers would be setting based on their risk tolerance in the BitSight platform could then flow through into the ServiceNow platform. The best way to see that in aggregate is going to be in this dashboard, which is part of the BitSight for Vendor Risk Management integration application. So here you can see what the critical alerts are that I have set up based on my risk tolerance for each of my vendors. I can then click into any one of them, which would then start a workflow process of engaging with them. So again, if we go on to the next screen, we'll see what that pop-out looks like, and here, if I have named who my vendor contact is, this is the action that I can utilize from that alert, and it comes in the form of sending an invitation to your vendor to engage them with the BitSight platform. You're able to send the invitation right from the ServiceNow interface; again, it's using the BitSight for Vendor Risk Management integration app, which is available on the ServiceNow Store. The BitSight team will then engage with your vendor contact directly so that we can teach them about BitSight, and we're doing the heavy lifting about what BitSight is, what the platform is, and how your vendor contact uses BitSight in order to remediate the issues that you've identified as being below your risk tolerance. You then continue using ServiceNow as part of managing your relationship with the vendor. The benefit from that, the difference that we have seen, is that vendors that are accessing and taking advantage of this are twice as likely to improve their rating, and over six months we've seen that rating increase by over 50 points. So that's the action that you are taking, and the result that you're gaining from working with your vendor and having them engage with the BitSight platform is the overall reduction of risk in working with that vendor and an increase of their BitSight rating.

So Leslie, I think we have a question. Can you see that in the Q&A panel?

Sure, sure. So the question, for the rest of the audience here, is: does BitSight offer risk quantification in addition to risk rating? So let me go back. Again, what BitSight is doing is we are looking at cybersecurity performance based on observations we can see from data that is traversing the publicly routable IP space. We have 23 risk vectors that we are applying a grade to, or 18 of which have a grade; the other five are informational. So I say that since we're applying a grade to those 18, that is a risk quantification. This is all in terms of cybersecurity performance, and I appreciate that there are other elements to vendor risk management, so our focus is only on cybersecurity performance of a vendor over time. So you get that as well as the risk rating. So I'm hoping that we got their question fully answered.

Yeah, and I think you can see on the dashboard that you are quantifying this. For example, the alerts are showing that people are changing from a 530 to a 500, so their score is decreasing; their rating is going from a C to a D if you think about it from an A-to-F scale. So I think you can see on the dashboard that these various scores that you're quantifying are changing based upon what you're seeing.

Right. So every vendor has both a three-digit rating along with 18 risk vectors that have an A-to-F grade associated to them, so that would be, I guess, the risk quantification elements to both of them.

And another question? Yeah, and ServiceNow, you know, we use the ServiceNow platform, so it's very easy if you're using another system to help augment the information that BitSight is providing; we're able to take that in also. Anything else for this particular slide?

No, this is the benefit of working with your vendor: really, ideally, they're going to take our guidance to heart and improve their security posture and performance over time. So going forward, what can you do? So these are the four steps that we are advocating, what actions you can take. So first and foremost, understand your organization's exposure to SolarWinds within your organization and then more broadly to your extended ecosystem and your broader supply chain. Report those findings to your senior executives and board; more than likely they're already asking you or have already asked you; they're very interested in this information. And then three, Teresa, I think this one hits the nail on the head of what we've been talking about all along: just continually re-evaluating your TPRM program, understanding the components of your tiering, your contacts, your contracts, your risk assessment, your continuous monitoring of third parties. That seems to feed right into the wheelhouse of ServiceNow. Any deeper thoughts there you wanted to add before I go on to the fourth one?

Yeah, I mean, I think this is really the key. You and I were talking before, and I think, so much like the pandemic, the pandemic really exposed a lot of gaps in people's risk programs, not just internally but also their supply chain. I think the SolarWinds hack is just another nail in the coffin. People realize now the supply chain is vulnerable; they realize the damage that having an attack against the supply chain can have. And I think that organizations that have not put the focus on creating a formal third-party risk management program, and assessing their vendors, tiering their vendors, and then continuously monitoring their vendors, I think now their eyes have been opened to the fact that this really can very much affect the bottom line of their business and the success of their business. So I guess the basic message here is, if you take nothing else away, take away the fact that you need to put some kind of formal program that continuously monitors your vendors in place.

Yeah, that continuous monitoring is such a huge impact. I've seen so many organizations that feel like they're performing very well, and then something changes in their environment, and if you are only doing a review on a periodic basis, even if that's once a quarter or once a year, so much can change from a security performance perspective in a short window of time that it can have a dramatic impact on your organization in relationship to your performance, that you really do want to get a notification as early as you can. And that's where the fourth point comes in, of leveraging the BitSight vendor access capability to proactively share that data with your vendors, and that's part of our subscription; that's not an extra cost, so this is all part of it. And I see we just got in another question. For the rest of the audience, the question was: BitSight can monitor only a vendor's internet-facing security environment; they cannot monitor the vendor's internal environment? That is correct. BitSight is an external monitoring perspective. There are no sensors, scanners, or monitors within an organization's private network space. So external only, correct.

I'm wondering, though, I have heard, don't you have some customers that are actually using BitSight to monitor their own external-facing sites?

You're correct. So organizations use the BitSight data for their own security performance management or to monitor their third parties. The data itself is what we are observing from outside the organization, but that doesn't necessarily mean that we don't gain insight about what's happening inside the organization. So for example, we do get a lot of insights about what's happening inside an organization. One great example is that we have our own sinkhole infrastructure where we will pick up on malware that is making outbound calls from inside an organization's perimeter. So if I am picking up on malware calling outbound, I know that a piece of unauthorized software has been installed, and that means it's evaded being detected by an IDS or an IPS. I know that it has had enough privileges on that endpoint to be installed. I know that it has made it through being checked by malware antivirus services. I know that it has not been picked up through change management or change monitoring software. I know that it is now communicating outbound, so it was not picked up on any sort of DLP program. So that tells me that's five or six different layers of security that this piece of malware, that is now calling outbound and that I'm seeing from the outside, has missed as part of a security program. That tells me a lot about that security environment. So even though I see it from the outside, I know a lot about the inside, and not in a good way.

It raises concerns, absolutely. But yeah, so I think it's safe to say that even looking at your own self is a great way to use the BitSight software, but absolutely for your third parties is what it was designed for. But there's a lot of valuable information that it can actually provide.

Absolutely. So some resources here for organizations to leverage. So if they are interested in a deeper dive on the forensics of what the BitSight team has found, with the understanding of SolarWinds, really breaking it down and going back through, we have a couple of Ask Me Anything webcasts. They are available; they were recorded on bitsight.com. Stephen Boyer, who is our CTO and co-founder, walks through those and does a really great deep dive on the forensics of what has been available with the SolarWinds incident. The second piece is the BitSight for ServiceNow integrations. I am thrilled to announce we have three: not only do we have BitSight for Vendor Risk Management, we have one for Security Incident Response, and now our latest, which was just published last week, for IT Service Management. And then finally, of course, your BitSight and ServiceNow sales teams; we are resources here, ready to work towards your success, meeting you where you're at on your journey.

And then for the ServiceNow side, we have the VRM, Vendor Risk Management, website that you can go to to find information specifically about vendor risk management, or if you'd like more information about the overall risk portfolio that we have, we have the product page you can go to for that. Leslie mentioned the ServiceNow Store. We have a very active community; please join the community, we'd love to hear from you there, and there are a lot of other Ask the Experts out there on the YouTube channel. Any more questions in the question pop-up there, Leslie?

Not as of right now.

All right, well then, I think the bottom line here was: formalize the program, put something in place, and then it's a journey. You're not going to overnight develop a very robust program, but it's a journey. Start somewhere, begin, add to it, mature your implementation, pull in data like BitSight data to give you that subjective feedback on your vendors, get that 360-degree view, and then continuously monitor it with ServiceNow and BitSight. Thank you so much for joining us, Leslie. I think this has been a great conversation. I learned a lot about what BitSight can do for the SolarWinds breach, and hopefully you all on the phone also learned something. Thank you. Oh, I think we have another question.

Yeah, that looks like we do. So for the audience: what is the use case in VRM after integrating with BitSight?

So the use case, and it is well defined on the Store, is bringing the BitSight data into the ServiceNow interface, so making use of the BitSight rating data, the data with the risk vector information, the alerts, and the awesome feature of how we can take different assessments and map the BitSight risk vectors to those assessments, such that when your vendor answers your assessment and you view those responses in ServiceNow, you can see, in the context of that assessment, what the BitSight risk vectors are and the grades associated to them. So it really makes the job of the vendor risk analyst much easier, much more efficient. You're seeing all of this data at the time that you are onboarding or assessing your vendor, as well as looking at changes over time, so not only at the time of onboarding but continuously monitoring that vendor, and you're getting the best of the workflow processes available within ServiceNow but utilizing the data that you get from BitSight, all in the same interface. So one plus one equals, what, five?

Yes, exactly. And I really see using the BitSight data in a couple of different ways. I'm a big proponent of, when you're at the evaluation phase of a vendor, you should be doing a risk assessment on them to determine whether or not you want to onboard them at all as a vendor. As part of that risk assessment you should be looking at the BitSight ratings, because the vendor is going to give you some information, but it's always nice to have that objective view from a cybersecurity standpoint. The next point is at the tiering. So again, you're going to tier your vendors, best practice, determine if this is a tier one vendor or critical vendor, or if this is someone who mows your lawn and you really don't need to assess them on a yearly basis. At that point the vendor again is going to give you information; having that BitSight rating to give you that 360-degree view of that vendor and maybe adjust the tier appropriately is another great use of BitSight. And then on a continuous monitoring basis, and this is where we try to make it easy: when you as a customer get that vendor assessment back and you look in that questionnaire and you see the answers the vendor has provided, right next to the answer is that snapshot of that BitSight rating. So you can see the vendor said, "Yes, I patch all of my critical vulnerabilities within 48 hours," and then you see that BitSight rating that says that their hygiene has a score of C perhaps, and you know somewhere there's a disconnect. So now you can go back to that vendor, you can have a conversation and find out where that disconnect is. You can also look at the vendors that are having consistent problems; maybe you've had a few conversations, they're not improving, you're continuously tracking them, and it's time to look for an alternate vendor. You don't want to be caught unawares if, for example, you're in a pandemic and a vendor is risky because they're in an area that might get quarantined, or they're risky because they may not be able to deliver the goods and services to you that you need to be successful in your business. So the BitSight ratings can give you visibility into that also. So I really see using it in three different ways to be able to provide value. And that's really... any more questions? I don't see anything else in the pop-up here for the questions. So any last parting words, Leslie?

Just that if anyone would like to see this live in action, again, the ServiceNow sales teams, the BitSight sales teams, we're both enabled to show you this in action. We would love to work on your challenges directly with you and meet you where you are on your journey, and we have

View original source

https://www.youtube.com/watch?v=sWRkX3Q7W0Q