How businesses can vet their cybersecurity vendors

Choosing the right cybersecurity tools is crucial to business security — here's how security teams can vet potential partner vendors in the space

Organisations face a challenge of two fronts when it comes to cybersecurity. On the first, there is a growing number of cyber attacks; on the other, trying to navigate the landscape of cybersecurity tools and find the best fit regarding vendors to work with.

Authentication, particularly, has become a significant issue in cybersecurity because existing methods like passwords and weak multi-factor authentication (MFA) — which rely on magic links, one-time codes, passwords, and push notifications — are insufficient. They are the most prominent way adversaries gain access to a network to take over an account or launch a ransomware attack. Therefore, improving these authentication processes has become an integral part of cybersecurity strategies as it is one of the foundational elements of a zero trust program. If an organisation relies on passwords or phishable MFA, there is not zero trust.

To achieve zero trust, organisations need to move towards more secure authentication processes which are passwordless and truly ‘phishing-resistant’. This is a critical issue, as password-based attacks are still a mainstay for attackers gaining initial access to systems. Unfortunately, the control designed to fix that vulnerability is now vulnerable. Attacks bypassing traditional MFA are widespread. These are not theoretical; they are happening at scale today and are why the US government, amongst others, have mandated the implementation of ‘phishing-resistant’, multi-factor authentication. As a result, finding a tool that can actually prevent this attack vector is vital, but with so many vendors saying the same thing, how can organisations find out which is telling the truth?

Why the time is right for passwordless authenticationConsidering the benefits of a passwordless approach to security.

What staff need to consider

When it comes to cybersecurity, nothing is foolproof, and attacks can’t be eliminated altogether. Here are the steps those with purchasing power should take when effectively vetting cybersecurity vendors.

1. Due dilligence

In the first stage, teams must adopt a mindset of research and come prepared to ask the right questions. Unfortunately, it’s tricky for buyers as they cannot assume that their purchasing vendor is correct in their messaging. Take, for example, authentication vendors. Whilst many say they are phishing-resistant, they often rely on weak MFA, which cyber criminals can easily bypass. To challenge this, organisations should approach vendors with a plan on what they want and ask the following question: will this eliminate the attack MFA vector?  Pay close attention to the architecture they have implemented to thwart proxy-based, “Attacker In the Middle” (AiTM) attacks that steal credentials or session tokens and provide adversaries easy access.

2. Architecture fit

Next comes a step buyers often fail to acknowledge: determining if the vendor’s tool will fit into their existing architecture. Organisations have likely spent a fortune already, so the new tool needs to integrate with and enhance their existing infrastructure. Within the authentication market, the tool should be able to integrate with and incorporate risk signals from tools such as mobile device management, endpoint detection and response, and subscriber identity management tools. The shiny new tool should not operate as an island; it must fit within and work to improve the organisation’s existing processes and overall cybersecurity strategy.

3. RAS

Lastly, teams must use the ‘RAS’ framework: Reliable, Available, and Scalable. Having this structure front of mind provides a set of criteria to determine if the vendor they are vetting is adequate for their needs. Access control, in general, and authentication, in particular, is the proverbial front door that users have to pass through to do work. If the solution does not scale or stops working, then employees, contractors and customers can’t do their job or transact business.

How purple teaming can strengthen business securityDiscussing how a purple team assessment process provides a high-level structured approach to cybersecurity.

What should security teams ask the vendor?

Companies can’t assume that the vendor is telling the truth. Particularly in the authentication market, where there is currently no standardised testing to confirm solutions pass metrics such as ‘phishing resistance’. When talking to a vendor, whilst it may seem simple, the organisation should first ask the vendor: How does the tool prevent social engineering and AiTM attacks?

Whilst some solutions might say passwordless or ‘phishing-resistant’, they could instead simply hide the password so that authentication is more convenient, but the vulnerability remains. The team needs to determine if the solution eliminates passwords from both the authentication flow and account recovery flow, should the user lose their typical login device. And the tool must implement “verifier impersonation protection” to thwart AiTM/proxy-based attacks. Getting the security team to conduct their research beforehand enables them to come prepared to ask detailed questions and can help bypass the buzzwords that vendors use to uncover the truth.

To go a step further, vetting the vendor can allow security teams to learn more about the tool and uncover the truth. The following can provide a good framework for the vetting process:

  • Reference checks: These are low-cost tools companies can use to begin vetting. Whilst vendors are likely to show off their happiest customers, the IT team should be prepared to ask detailed questions with an understanding of the technology behind them.
  • Trial period: This enables the team to determine if the tool will integrate with existing architecture that the organisation has likely invested resources into building and maintaining.
  • Penetration testing: This is valuable but also expensive. It is a security exercise in which experts have the opportunity to find vulnerabilities in the system and put the system to the test.
  • Soc 2 Type 2 audit: This shows that the vendor has taken steps to be secure, providing better assurance in the purchase decision.

Judging the solution

For better or worse, in cybersecurity, good enough isn’t enough. Even if organisations have conducted research, reviewed the tool, and asked the right questions, they must judge whether the solution will stop the most popular authentication attacks and work within their processes.

Fundamentally, no cybersecurity tool will stop all attacks. Still, if an organisation can eliminate a whole class of popular tactics that hackers use to gain initial access, and if the vendor can talk deeply about how they do that, that’s the best way to judge the tool. Organisations can’t handwave the issue of cybersecurity. It is up to their technical teams to read, understand and ask detailed questions to vendors to find the truth and to determine if it is worth investing in the solution.

Patrick McBride is co-founder of Beyond Identity.


How to maximise value from IT vendor collaborationsIn the first of a series exploring the importance of IT partnerships, we explore how to maximise value from vendor collaborations.