DE.CM-6 · High · Detect / Continuous Monitoring

External service provider activities and services are monitored to detect potentially adverse events

Your attack surface extends to every SaaS tool, cloud provider, and vendor with access to your data or systems. A provider that holds your credentials, data, or a route into your network is effectively part of your environment, and compromised third-party providers have been the source of some of the largest breaches of the past decade. Monitoring what external providers actually do in your environment gives you visibility that vendor trust and contractual assurances alone cannot provide.

Estimated effort: 4h
Tags: third-party, supply-chain, saas-monitoring, casb

Implementation steps

  1. Inventory third-party integrations and access

    Build a list of every external service provider with access to your systems, data, or network. Include SaaS applications, managed service providers, contractors with system access, and API integrations (OAuth grants, API keys, cross-account roles). For each, record what it can reach and at what privilege level, and who owns the relationship.

  2. Deploy a CASB or SaaS monitoring tool

    Use a cloud access security broker to monitor which SaaS applications employees are using and what data is being shared with external services. This catches shadow IT and unauthorized data sharing, and gives you a baseline against which the compromise of a known, sanctioned service stands out.

    Tools: Netskope, Microsoft Defender for Cloud Apps, Zscaler, Palo Alto Prisma

  3. Enable logging for third-party access to your environment

    Ensure that every system or cloud environment a vendor can reach has audit logging enabled for those sessions. Give each vendor its own credentials or role (never a shared internal account) so its activity can be isolated in the logs, compared against the access it was actually granted, and alerted on. Ship those logs to a store the vendor cannot reach, so a compromised provider cannot edit the record of its own activity.

    Tools: AWS CloudTrail, Okta, CyberArk, BeyondTrust

  4. Subscribe to vendor security notifications

    Sign up for security advisories and status pages from your critical providers. When a vendor reports a breach or compromise, you need to know immediately so you can assess your exposure (which of their credentials and integrations touch you) and take action such as rotating keys or revoking access.
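The log check from step 3, as an added example that is not part of this rubric or of any vendor tool: the script below reads CloudTrail-style records, separates calls made through a dedicated vendor IAM role from internal user activity, and raises a finding when the vendor does something outside what it was granted (an unexpected API call, a source address outside the vendor's network, activity outside agreed hours, or an access-denied error that may indicate probing). The role name `VendorAccessRole`, the vendor policy, the account ID and the sample records are all constructed for illustration.

```python
"""Filter CloudTrail records to vendor-role activity and flag anomalies.

Added example, not code from the rubric. The vendor policy below is an
assumption: in practice it comes from the access you actually granted in
the vendor contract and the IAM policy attached to the vendor role.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Assumed policy per vendor role (placeholder names, documentation IP range).
VENDOR_POLICY = {
    "VendorAccessRole": {
        "vendor": "Example MSP",
        "allowed_events": {"DescribeInstances", "GetObject", "ListBucket"},
        "allowed_cidrs": ["203.0.113.0/24"],   # TEST-NET-3, constructed
        "business_hours_utc": (8, 18),         # agreed maintenance window
    },
}


def vendor_role_of(event):
    """Return the vendor role name if the call was made via a vendor role, else None.

    For AssumedRole identities CloudTrail records the issuing role under
    userIdentity.sessionContext.sessionIssuer.arn as arn:aws:iam::<acct>:role/<Name>.
    """
    ident = event.get("userIdentity", {})
    issuer_arn = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    if ident.get("type") == "AssumedRole" and ":role/" in issuer_arn:
        role = issuer_arn.rsplit("/", 1)[-1]
        if role in VENDOR_POLICY:
            return role
    return None


def check_event(event):
    """Return a list of finding strings for one vendor event (empty if clean)."""
    role = vendor_role_of(event)
    if role is None:
        return []
    policy = VENDOR_POLICY[role]
    findings = []
    name = event.get("eventName", "")
    if name not in policy["allowed_events"]:
        findings.append(f"unexpected API call {name}")
    src = event.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(src)
        if not any(ip in ipaddress.ip_network(c) for c in policy["allowed_cidrs"]):
            findings.append(f"source {src} outside vendor network")
    except ValueError:
        # AWS service principals appear here as DNS names, e.g. ec2.amazonaws.com
        findings.append(f"non-IP source {src}")
    ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    start, end = policy["business_hours_utc"]
    if not start <= ts.hour < end:
        findings.append(f"activity at {ts.isoformat()} outside agreed hours")
    if event.get("errorCode"):
        # Denied calls from a vendor role are worth a look: they show intent
        # beyond the granted access, whether from the vendor or from an attacker.
        findings.append(f"{event['errorCode']} on {name}")
    return findings


def triage(records):
    """Split records into vendor vs internal activity and collect findings by eventID."""
    vendor_events = [r for r in records if vendor_role_of(r)]
    flagged = {}
    for r in vendor_events:
        findings = check_event(r)
        if findings:
            flagged[r["eventID"]] = {
                "vendor": VENDOR_POLICY[vendor_role_of(r)]["vendor"],
                "findings": findings,
            }
    return {"total": len(records), "vendor_events": len(vendor_events), "flagged": flagged}


# Constructed sample log file in CloudTrail's {"Records": [...]} delivery format.
SAMPLE_LOG = json.loads(r'''{"Records": [
 {"eventID": "e1", "eventTime": "2024-03-04T10:15:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/VendorAccessRole/msp-session",
   "sessionContext": {"sessionIssuer": {"type": "Role",
     "arn": "arn:aws:iam::123456789012:role/VendorAccessRole"}}}},
 {"eventID": "e2", "eventTime": "2024-03-04T02:40:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/VendorAccessRole/msp-session",
   "sessionContext": {"sessionIssuer": {"type": "Role",
     "arn": "arn:aws:iam::123456789012:role/VendorAccessRole"}}}},
 {"eventID": "e3", "eventTime": "2024-03-04T11:00:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject", "sourceIPAddress": "10.0.5.21",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
   "userName": "alice"}}
]}''')
SAMPLE_RECORDS = SAMPLE_LOG["Records"]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Run against a real export, replace `SAMPLE_LOG` with the parsed contents of a CloudTrail log file and `VENDOR_POLICY` with the roles you actually created for vendors. Of the three constructed records, only `e2` is flagged: an IAM write the vendor was never granted, from an address outside its network, at 02:40 UTC, ending in `AccessDenied`. Record `e3` is an internal user and is excluded from the vendor view entirely, which is exactly the separation step 3 asks for.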

Evidence required

Third-party inventory

List of external service providers with access to systems or data, including access type and business purpose.

  • Vendor inventory spreadsheet or GRC tool record
  • SaaS application inventory from CASB discovery
  • Contractor access list from identity provider

CASB or SaaS monitoring configuration

Screenshots or configuration showing a CASB or monitoring tool is active and covering cloud application usage.

  • Netskope policy configuration
  • Microsoft Defender for Cloud Apps connected app list
  • CASB shadow IT discovery report

Vendor access audit logs

Sample audit log showing third-party or vendor access events are being captured and are distinguishable from internal user activity.

  • AWS CloudTrail logs filtered to vendor IAM role activity
  • Okta log filtered by external user or service account
  • Privileged access management session recording reference

Related controls