Beyond Vendor Risk Scores:
How to Solve the Hidden Identity Crisis in Your Supply Chain
You’ve locked down employee credentials, deployed MFA, and trained your team on phishing. But what about the hundreds or thousands of vendors accessing your data and powering your business as we speak?
Annual vendor assessments and security questionnaires are static snapshots – meanwhile, identity threats emerge in real-time. The critical question for 2026 is, “Which of your vendors are compromised and what does that mean for your systems?”
Watch this recorded demo of SpyCloud Supply Chain Threat Protection to see how we’re giving more power to businesses to see active identity threats before they escalate.
Welcome, and thanks everyone for attending our virtual event this morning. I am Colette Babashak. I'm the senior director of product marketing here at SpyCloud. And joining me today for this webinar are my two amazing team members. So first up, we have Alex Greer. Hi, everybody. I'm Alex. I'm the product leader for the SpyCloud console. And also joining us is Leah Stillbrooks. Hi, I'm Leah, senior director of governance risk and information security. I work very closely with our security team here at SpyCloud, that's why I'm here to talk to you about supply chain. Awesome. So excited to have these two experts on the call. So today, we're gonna talk about something that's been hiding in plain sight for most security programs, and that's identity exposure within and across the supply chain. We all talk about vendors. We all assess vendors, but very few teams actually have visibility into whether vendor identities are already compromised. And that's the gap that SpyCloud is here to solve for. So quick housekeeping before we jump in. Feel free to drop questions in the Zoom q and a at any point. Me and the team will be scanning. We'll bring up anything that we can live. And if we don't get to something, no worries. We have plenty of time at the end for q and a to cover your questions. So here's how we're gonna spend our time together today. I'll do a quick overview of SpyCloud and kind of set the stage as to why identity is the missing signal in supply chain risk. We'll dig into the current landscape, what's actually happening with vendors and third parties, not just what shows up in questionnaires. Alex is gonna walk us through a live demonstration of our new supply chain threat protection product. And then Leah is really going to ground this in reality, how this fits into procurement, GRC, ongoing vendor risk programs, and of course, what collaboration looks like with security and other critical teams. We'll then wrap it up with Q and A. Okay. 
So now for the quick get to know SpyCloud portion if you're new and this is your first time joining. So oops. So sorry. At SpyCloud, our mission is simple. We really exist to disrupt cybercrime. We're an identity threat protection company, which means we focus on stopping attacks that start with stolen identity data, whether it's account takeover, ransomware, or fraud, not after the damage is done, but before attackers can act. And that matters for supply chain risk because attackers don't break in through firewalls anymore. They log in using identities that were already compromised somewhere else. That's why identity sits at the center of everything that we do, protecting your workforce from cyber attacks, safeguarding your consumers' identities, and powering cybercrime investigations. And now, very intentionally, extending that visibility across your supply chain. So this isn't a side use case for SpyCloud. It really is a natural extension of the same identity intelligence our customers already rely on and what we view as a truly complete picture of who and what really makes up your workforce, your employees, contractors, vendors, devices, and applications. So just to shake things up in the morning, we're gonna do a quick poll. And if you're willing to participate, you should see on your screen, we have a question for you. We kind of want to gauge from the audience, what is your number one concern about third party cyber risk today? Is it lack of visibility into vendor security posture? Is it infected credentials that are compromising vendor access? Difficulty detecting breaches at vendor organizations, unable to then enforce security requirements contractually, or you don't know what you don't know? So I'll give everyone a second. I'm seeing early results, and I'll share those with everyone in a second. Okay. There's a close call. Oh, wait. It's shifting. You know what? I won't tease everybody. We'll share it live. 
So this is kind of what y'all as attendees are seeing. So the results are lack of visibility into vendor security posture is number one with thirty eight percent of y'all. And the second one as a fast follow is infected credentials compromising vendor access. Not that this is a good thing, but this is something that I think Alex and Leah can help uncover for you a little bit with what SpyCloud offers. Okay. So now we're gonna go and really talk about the foundation of everything that you're gonna see today. So SpyCloud recaptures what criminals actually steal. So it's breach credentials, malware logs, phish data directly from the criminal ecosystem. We're not scanning. We're not buying recycled data. We're collecting fresh identity data from the same places attackers use and then making it actionable for you. So why does this matter for supply chain risk? Because vendor identity exposure doesn't show up in your tools. It shows up on the dark net inside malware logs long before an attacker even touches your environment. And if you can't see that, you're flying blind because, y'all, attackers do not care whose badge it is, only that it works. So I'm gonna bother you with one final poll, and we're gonna kind of see what your organization currently does when it comes to assessing third party cyber risk. Are y'all doing annual questionnaires and attestations? Is it continuous monitoring with some automation and tools that you already have? Is it point in time security ratings? Is it ad hoc reviews when issues arise? Or you don't have a formal process? No right or wrong answer. Just want to gauge what everyone's doing. Take a second. Fill out the poll. Okay. There's a good mix of things here. Okay. The numbers keep toggling. Look at all these results. Okay. I'm going end the poll, share with everyone what y'all are choosing. 
And right now, main ways or one of the main ways that you guys are currently assessing third party cyber risk is annual questions and attestations tied with continuous monitoring with automated tools. Awesome. Okay. So let's get back into our next talk track and talk about why supply chain has quietly become the fastest growing identity risk. So third party involvement in breaches has doubled year over year from fifteen to thirty percent. But that stat alone really doesn't explain why this problem is accelerating. What actually changes the picture is what we're seeing in SpyCloud's recaptured darknet data. So in our twenty twenty five supply chain identity threat index, certain vendor categories were experiencing dramatically higher threat levels. You have IT vendors six times the baseline, telecom providers five times, and then software providers four times the baseline. And these are vendors with the most privileged access to your environment, and they're the ones that attackers are targeting most aggressively. And when one of these vendors gets compromised, it's not just a single account because a single info stealer infection exposes access to an average of around twenty five business applications, including shared applications, admin consoles, and integrations that you're relying on. So this isn't a vendor risk problem. It's that identity connection problem. Attackers really have realized that it's easier to compromise someone you trust than to attack you directly. And the blind spot is that while you're monitoring your employees from these identity threats, you don't have that same visibility when a vendor employee gets compromised. So the question really becomes, if we're monitoring our employees for these threats, why aren't we monitoring the vendors who also have access to our systems? But spoiler alert, that's exactly what we're gonna talk about next. So when we talk about this extended workforce, we're talking about everyone connected to your business. 
Employees, contractors, suppliers, service providers. Every one of those identities is a potential entry point. So SpyCloud's approach is to strengthen your identity perimeter by illuminating exposures across people, applications, and access paths. And this includes the ones you don't own and don't control. And most importantly, we do this before those exposures turn into account takeover or session hijacking or ransomware. And then that's the shift from reactive vendor risk to proactive identity threat protection. So now that we've laid out this context, I'm gonna hand it over to Alex, and he's gonna show you what this actually looks like in practice with SpyCloud Supply Chain Threat Protection. Alex? Awesome. Thank you, Colette. So first of all, this is absolutely a natural extension of the monitoring that we provide for devices, applications, and of course, our people. So that's both from a security perspective as we actually work to protect our companies, but it's also a natural extension of SpyCloud's data. So this is a very exciting product that we're gonna be walking through today. In this product, I wanna be super clear that we have no interest in disparaging brands. What we're really trying to do is build more secure, complementary communities of security professionals so that we can all collectively work to secure our supply chains. And when you see the product, you'll realize that's exactly what it does. Today, as we go through our actual product demo, we will be taking the perspective of a large health care group and see a few different functions and a few different decisions they're making throughout their supply chain and its life cycle with different vendors. So with that, Colette, if you're up for it, I'll start sharing. Everybody, welcome to the supply chain module. Within here, we have essentially two levels that help for us. One, to get visibility into the exposure that we have across our entire supply chain. 
So all of the companies that we monitor, we can monitor up to a thousand. These can be our vendors or trusted third party partners we're sharing data with, our subsidiaries, maybe our portfolio companies. It's very exhaustive in who we can incorporate into here. And yes, we can monitor up to a thousand. So the key way to understand the data within Supply Chain is at three levels. One, we have signals. And so these are the key data elements that are surfacing the key detections that we have on the dark web. So that could be my infected devices or employees or phished employees, whatever it may be. We bubble these up as signals, and depending on the source that they came from, we use that to produce an index, a proprietary algorithm that basically takes that and then allows for us to have a relative score of it. And then we take that to produce what we call our Identity Threat Index. And so that index itself is the core and anchoring of what we do. And so it allows for us to very quickly say, generally compared to, and in the algorithm this is very important, the size of this company and compared to other companies of similar sizes, what is the relative exposure? And so it comes in green, yellow, and red to make it very simple, but this index is going to be your best friend at the top level as you're triaging and looking through and monitoring hundreds of companies at a time and in the future, thousands of companies at a time. So that's effectively the anchor here. The other really powerful thing that I'll call out is we do refresh this data daily, and so you're going to be able to see this daily. So with that, I will invite in my partner Leah here. And I'm going to ask Leah, how are you taking advantage of this level of supply chain? Sure. So as I mentioned before, security and I work very closely together. So when it comes to, for example, evaluating new vendors and the procurement decisions and stuff, we consult with this information together. 
We have the same information, it's timely, and we can look at this and put it in our reporting and share that information with management to help them make decisions. We can also look at existing vendors at renewal time. And security would be looking at this daily, letting us know if there's an event happening in real time, but we're also GRC looking at these vendors annually to satisfy our audit requirements. Using this data enhances some of the research that we're doing on our vendors. But like I said, security is looking at this daily. They're able to act on an incident immediately. So in the case that they see an event with a vendor that we would deem risky to us, at that point we can begin our response procedures and we can call in GRC, legal, and any other management layers we need to respond to the incident. Yeah, absolutely. And this is all of your companies. So I knew in the poll earlier, people were saying that visibility into the exposure of the companies you rely on or partner with today is a bit of an issue. Okay, so this top layer is going to provide that immediately. But Leah and I are going to walk through a few different scenarios I'm curious to pick her brain on. And again, Leah, just kind of putting our feet in front of us, we're going to be from the perspective of a health care organization who's making a number of different decisions. This first one's going to be about procurement. So as naturally as a health care group, what I am is constantly making a decision as to which sets of functionality make for a faster patient intake and sharing of data where it needs or need be, all sorts of different systems. So looking for all sorts of efficiencies, right, as a manager of this company. And currently, I'm looking at actually switching out our electronic health care record vendor, because I see new functionality that could help me do precisely that. And because of that, I'm considering bringing them into my supply chain. 
So this is a procurement scenario. And so, Leah, in a little bit, I want to give folks just kind of an orientation of what they're looking at here. And then I'm curious to see how you would actually use some of the data that we have in front of us. But just for folks, again, the three layers of how our data culminates into our index here are all displayed on screen. So that Threat Index, that's your anchor for Supply Chain Threat Protection that allows for you to look at that company and say where they stand relative to companies of the same size. What we have paired with it is a timeline that allows for you to track their index over time. We can see the ebbs and flows as they have been more effective and unfortunately less effective over time in addressing the threats that face their enterprise or their company. Now, on the right hand side, you can see the individual breakdown by the source. It's going to show you specifically as it relates to malware or infected devices and applications and employees. What is the relative threat there? As well as, for example, breaches, combo list, and phishing. So it's all really powerful information. This view in particular is also going to give you those signals that I was talking about earlier, and that can allow you to have very fine grained conversations when you're working with this third party partner. So when we talk about exposure visibility, this is as high fidelity as it gets. And then, Alex, quick question for you from the chat. So someone asked, does this show specific employees at the vendor organizations who are infected? Say if you do business with a large company, but only one or two employees from there have direct access to your systems. Do you mind repeating that question, Colette? I want to make sure I picked up on that. So the question is asking, does this show specific employees at the vendor organizations who are infected? 
So the example was if you do business with a large company, but only one or two employees from there have direct access to your systems, do they get this visibility on who was actually infected? Great question. No, not at this level. That's not what's provided at this level. What you can see is the summation figures here so that you can have some insight into it. But what you can do, and we're going to look at later, is you can actually send them their exposure directly so that they can investigate the issue. And so when we get into that, that's a coming soon feature. But that will allow for that sort of visibility. Great question. Yeah, absolutely. And I think in one of these examples, we'll jump right into that. So the final capabilities in here I just want you all to be aware of, because they're super powerful. We can show you precisely what has recently impacted these companies by the exact family of malware, for example, as well as the specific breach. And we can tell you what number of employees at this company have been impacted. Again, these are the actual figures themselves, versus showing you individually who these employees are, as we protect the privacy of this partner. Now, within here, you also have password reuse, which is related to your hygiene, and finally, your compromised applications. Taking a second to kind of zoom in on compromised applications. These are the front doors to the digital footprint and ecosystem of these companies. And so as you can imagine, being aware that infected devices have been associated with these primary points of entry across really critical sets of applications is super important and helps you understand often maybe how some of this compromise is going on. So this is a really powerful part of this product, and you do have the direct visibility within here so you could have that conversation. All right. I think folks should be pretty well anchored on how this works. 
The very final piece, and we'll see this through examples, is you can always change the time here to reflect the data that you care about most. And so you can see that can range all the way from all time to the past seven days. And you can also split by the individual source, and we'll see that maybe in a little bit. But, Leah, you're looking at this data. What conclusions are you drawing? How are you advising management here? Right. So I do want to get a historical perspective on the vendor considering we want to see about their trends over time. I can see there was an incident that happened, but then it looks like that it's been resolved. I would probably drill down in that information, look deeply into the malware, the top compromised applications. I'd bring up the password reuse and then likely have this in a package. Perhaps I'd reach out to the vendor to get more information or perhaps this is all the information we can gather and I would give it to management because then they can make the decision. Do they want to move forward with the risk? Do they want to mitigate risk on our end somehow? Do they want to negotiate risk management and mitigation in the contract? Things like that. We can make a decision. And when you look on the right hand of this curve, this is an all time view. This is overall. Is there any particular pattern in here that kind of sticks out to you? Well, we do see the big spike. And of course the big spike is concerning. Now granted this is happening in January of twenty five, which is about a year ago, but then we see the valley where it's coming down. So it means that there was a response to the issue. So that's why I would gather and want to give this vendor more time to give us more information before we finally make a decision. Yeah, that makes sense. And obviously, having not had this visibility before, you could have kind of rushed in blind when there are definitely some conversations to at least be had. 
So that's with somebody that we're bringing into our supply chain as this health care organization. But let's look at it from the perspective of a new or an existing vendor. So you can imagine how patients get access to our systems. Incredibly important. So we do leverage a third party patient portal, and we're up for renewal. And what we've heard from our leadership is that we're actually looking at tripling the size of the deal and doing additional data sharing. Because there's all sorts of new opportunity with this vendor. But we're at renewal time. Leah, sort of the same question, now that we're oriented. How would you interpret this data and what else would you like to see? Sure. So similar to the last example, we do see that peak and valley. I would likely drill into just the last twelve months and see if I can get a better shape of what is going on. So, okay, we can see that the primary breach or incident occurred around July of twenty twenty five. Now looking to the right, I'm trying to make a guess what happened. Was it malware? Was it a breach? Was it the combo list? It doesn't look likely that it's phish, but it could be. So I would probably isolate one of those. Let's start with malware since it has the highest score and see if I can drill down to find out what it is. Apologies. Just working with the demo environment. Awesome. There you go, Leah. Okay. So then we're looking at July twenty twenty five, and that's actually going down for malware. So it's not likely it was malware. But otherwise, I would work with the security team, continue to dig into this information, see if I can isolate what the reason was. And again, bringing up password reuse, looking at that poor hygiene and again, compromised applications. I would also kind of understand the frequency of how many infected devices were belonging to those applications. 
So, gathering that together, again, I wanna bring this decision before management and allow them to see if they have any mitigating controls on their end that they could implement. And Leah, as you say that, obviously, we're looking at a curve that's gonna drop. Then relative ASIM to or relative flatlining, maybe a possible increase recently. But we do see generally that the underlying signals are going down for this company. I imagine for some folks, there's sort of like two questions in here. One for you, which is how you might interpret these signals when you do see a decrease. And the other is just interpreting this graph, just a call for folks. We absolutely treat more recent data, because it's more indicative of what you're currently susceptible to and being impacted by, as more important than older data. So you will see scores decline over time. There's a decaying function within the algorithm. But just wanted to call that out. But Leah, when you see that there's a decline, does that impact anything that you would bring up to management in terms of your confidence for recommending this vendor? Well, we'd have to consider all the risks first. But yes, when we see it trending down, obviously that is a positive sign. Now we definitely would want to monitor this vendor continuously over time to ensure that there's not another spike. But just because it's trending down alone does not mean that we don't have mitigating factors that we might need to take advantage of on our end. So really it's food for thought and it is timely food for thought and that's why I find it so valuable. That's fair. And I know working with you, how much you value password reuse. Because it says quite a bit about the policy within the company. And ninety three percent, I imagine, would be one of those other mitigating factors that you'd have to call out. Yeah. So we do see some really positive signs. But there's quite a few data points here for a reason. And so it tells a more full story. 
Alex, question from the chat. So something came in asking, in the same vein, what do you recommend for retroactive implementation of this tool? So of supply chain threat protection. If we were to bring this on and we see current vendors that are infected, etcetera, but for larger vendors where it might take a longer time for them to investigate or identify what specific systems are infected? Well, there's two layers to it. So one, with your smaller vendors, obviously, the smaller the company, the fewer the signals, the more poignant every signal can be. And so obviously bringing them into this will give you some visibility. But also, you have the ability to take this and share it with them so that they can go do something about it. If it's a much larger one, for example, we're gonna say a mom and pop under fifty shop versus a really large organization. Right? Like a global SaaS enterprise. Well, at these two levels, we're going to have a very different latency in terms of response and system, because there's more that goes on. There's two different operations here. Right? And so what I would advise would be to bring over both and to expect different timelines for remediation. I wanna make sure I answer the whole question, though, Colette. Do you think that was the core? That's the whole question, but if whoever asked that wants to do a follow-up, bear with it and I'll bounce it back to Alex. I can add to that. So like Alex said, the information decays because it's not valuable the older it gets. So when you're looking at your vendor and the trends over time, the example earlier, we had eight years of information. You need to decide what is the timeline of information that's most important to you right now with that vendor just based on the risk ranking that you've assigned them. And then yes, I would work very closely with them. 
Now it depends on what kind of leverage you have contractually, but that might be an opportunity for you to consider that you might need more leverage contractually or you might need to get on the phone with their security team and their CISO just to work out what is it that you guys need to remediate to make sure you can continue relationships. And then I'll throw in one more question from here because I think it ties into things. The person was asking, are third parties able to mitigate directly within this tool? So Alex, I know you have a good answer for this. Yeah. Great question. Currently, the answer is no, but we see giving third parties the ability to attest to what they have remediated as a really powerful part of our future where we, again, get back to we're not disparaging brands. We're trying to create a more secure ecosystem and community set. So yes, in the future, this is absolutely part of the direction of the product itself. Also, just to say, if they are looking directly for remediation, these signals obviously are provided within the tools that we do offer in the other parts of our Threat Protection family with Workforce and Endpoint. And so I might point them in that direction and they can use that in collaboration with our Guardian series or the integrations we have with our EDR vendor to be able to automatically remediate some of these things. And I'll throw in one last question because it kind of bounces off of what you were just saying that I can answer, Alex. We had another question come in that's asking, we use a significant number of freelancers that are using their personal emails. So Gmail, Hotmail, Yahoo, is there a way to monitor them in supply chain? So for this question, this wouldn't be a supply chain threat protection use case necessarily, and this isn't the direction the demo will go. 
But if you glance on the left hand side, and I'll cover a little bit at the end in terms of what our platform offering entails, thank you for zooming in, you'll see you have Workforce, which is meant to protect your employees. That's where the contractor fits in around their identity exposures. And then Endpoint goes into those compromised applications and malware infections. That would be the better place for you to monitor your freelancers with those free mail accounts that you don't have control over, because it'll give you insight into what devices beyond your control, so BYOD, the independent devices, things like that, were infected with and where they had access to your corporate system. So those would be the places where it would make better sense for that particular use case. Anything to add, Alex? No. I think that's spot on, Colette. Perfect. But also, I think this is very emblematic of people, devices, applications, as well as your third parties all coming together in the same threat protection family. So that's also part of the beauty of the Console. I know we're not doing a broader Console thing. But it's so nice to have these things unified. But I have another Console-related question, since we're on this topic. And this is why I love a fun Q and A chat. So I'm so happy y'all are engaged in asking questions. So I think this was a follow-up question to the initial one where the person was asking about larger company and the timeline. So they're saying, basically, how to approach these findings with a large vendor if we invest with them, and it's a longer timeline, or would a more dedicated precise tool like SpyCloud Investigations be recommended for that type of monitoring if it's a concern for executive management if any investment account has been compromised? I can definitely answer that question, but I'm curious how you would, Leah. I am an it depends kind of person. 
And so being in the risk management space typically, know, as I'd mentioned before, would be more concerned about the timeline and what are the issues that we're concerned with. And then if you wanted to use investigations, yeah, that would take you a layer deeper, much, much So yeah, it depends though for me. Because I'm usually in a consultation point of view. What I will say to compliment Leah's point too is you're not gonna see the piece of functionality in this specific demo today. But an exciting part of this release, which we'll announce at the webinar, is if you do also have investigations, we now have the ability You will see an action area over here, where you can actually directly take that domain and you can go and pursue an investigation. So if you say, this gave me high level knowledge of what was going on, it piqued my interest for a number of different reasons, I'm ready to actually now continue that investigation. It actually is going to pre populate your search form within investigations, and all you have to click is Go. It's going to take the time period. It's going to take the domain, And you're one click away from basically kicking off that investigation. So the two work really well together, depending on what you need to do. Awesome. So with that, Leah, third scenario for you, final one. Let's say we talked about smaller companies earlier. Let's just say we're working Sorry, Alex. We're still on. There we go. No problem. Thanks for doing that. So demo fun. So what we have here is a situation where this company has it says eleven to fifty, but you happen to know it's only twenty five people at this company. And the security team actually came to you this time. They were monitoring. They saw this. To them, this seemed anomalous. But then they kind of just quickly passed this over to your desk and said, Hey, go ahead and take a look at the specialized research partner. How would you look at this data? What sticks out to you? Right. 
And in this scenario, the research partner has some of our most highly sensitive data and IP. So despite the fact that it's a small company or partner, we still have a high risk because of the type of data that they handle and that, you know, security has come to me and said, Hey, there's been a phishing event and we need to dig into this. You know, what do you think we need to do next? I would probably, like we said, please give me more information on the phish incident and let me know when it happened, which we could see in the last twelve months in this particular case happened around July through January of twenty six, which is a long period of time. So, I would want to act very quickly to reach out to the vendor to get more information right away. And just, I mean, I think objectively, it's very interesting that roughly twenty percent of this tiny company's employees have been phished. So it's awfully concerning. So to make that communication easier for you, Leah, what we're going to do, and this is a coming soon feature, but we did want to show folks during this webinar, is that we do have an upcoming report. And this is an example from this situation with Leah, where she wants to be able to communicate, for example, in this team, her counterpart on the other side, her partner Richard, and let them know exactly what they've seen. The past six months, there's been a huge spike in phished employees. She's concerned about it. And more than anything, she needs to understand what's going on. What remediation are they taking. And now in this, the report itself is going to give them a little quick explanation as to what this thing is in the first place. That's what you see here in the header. The second is the message, and it also allows for Leah to communicate that it's her sending it. It's her voice. The time period of the report itself. We are exclusively sending it to emails that contain the domain of Specialized Research here. 
And so that's just part of our Privacy Act. We're not going to send these reports to everybody. You have to be at that domain. Now, within there, they're going to get in this report, their Threat Index. It's going to break down what they had. Obviously, it's quite a high score and sorry, it's a very high index. But they're also going to get the core signal set. Remember, this is a very small company. And so you can see data that goes quite high in here, depending on who your partner is. Obviously, enterprises will have numbers into the thousands here sometimes. But in this circumstance, they can actually get those phished employees. And while we're going to have text obfuscation to make sure that their employees are protected, this, for a very small company who maybe can't turn around and remediate all of these things as quickly as a larger, more sophisticated operation, gives them really actionable data to be able to go and do something with. So, Leah, to your point, if we run into this in the future, as soon as we have this report, you can simply send it and share it. And so really looking forward to that. Hope it makes it just a cleaner handoff. Yeah, I'm excited about building stronger relationships. I think that's my focus with this tool. Okay, so a few more questions from the chat and this is a fun one, it's a three parter. So question one, do you support evidence capture for audits and exams? I'll let y'all answer that. Jersey? You would have to take screenshots in this case. Okay. Question two. Is this intended to replace questionnaires or augment them? Augment them. It's a peanut butter and jelly sandwich. It's better together. Yes. Much better together. Question three. How does your platform support defense sector risk use cases? Oh, the answer is quite well. And so we can monitor today up to one thousand. But I know this is just an example. 
Defense, sometimes you're partnering with very large manufacturers, component manufacturers, organizations, whomever it may be. But oftentimes you're also partnering with smaller, more specialized ones. So I actually think this is a good case, where you can have the distribution of those things. We basically, as faint of a signal as it is, one or two as a count for a phished employee, just as an example here, might be incredibly helpful for you. Or, for example, an infected device or an infected employee where they don't even know that they're being taken advantage of and nation-state IP is being leaked. And so national security is on the line for potential foreign threat actors, just as an example there. But this is a really powerful combination. Also, with recent compliance changes that are encouraging the defense industry to now have to monitor and be aware of their exposure via the third parties they partner with. It's obviously even more top of line. So this is directly supportive of new compliance that has come out. Thank you. All right, Alex, I'm gonna show up the next screen and share. You could do a recap of what this new product is. Let's do it. Sounds good. Oh, actually, just kidding. We got a good question in. So I like answering questions as they come in. So question was, and someone said they might have missed this. I don't think they did, so you're good. But is there a limit of how many phished emails it will list or mask on the phished employees list in this report? So on that bottom right phished employees Great question. In this specific report, it is going to be five. But what we are going to evolve this in the future to contain is actually and this can't be opened by you as the sender because it's not your domain, it's not your data, and we need to ensure privacy there. But in accordance with CISA, we're going to offer the ability if a company has a security.txt file set up on their side, that means that we're gonna be able to find an email where we can safely send and grab a private key from or a public key from them to be able to hand off an exposed plain text data set that's much larger of this information for them to actually go and remediate. It will not be the entirety of the set. For example, let's just say you had one hundred phished employees in there. You might within that given sample have twenty or so, but they are going to get that in plain text so they can directly go and remediate all of those phishing emails for their employees. Awesome. Okay. I'm gonna replace share. And Alex, give us a quick summary of all the goodness that Supply Chain Threat Protection offers. Oh, goodness. So much goodness. So effectively, just know that you can continuously monitor throughout the life cycle with any company who is a critical partner you share data with. They leverage your data. Again, it could be your trusted third party. It can be your subsidiary. It could be your portfolio company. And of course, it can be your vendor. You're going to have the evidence of the compromise that you need to be able to have more or less a silhouette of what's going on with them, that is complemented by the fact that it's continuous. And then finally, have the identity threat index to give you a very quick point of reference relative to the size of that company, what's going on. And you'll also be able to see the evolution of their security efforts and exposure over time. And so that's what you're able to do with Supply Chain. We're very excited for folks to start trying it. And if you have any questions in the meantime, I'm sure we'll connect. But I think right now, Leah We're gonna do a question, and then we'll get to Leah because we keep getting good questions. So this was a question, and I'll add some context to it. So the question was, do you offer an AI generated summary for supply chain related alerts? 
And I think this question stems from our investigations product does have AI insights that is based off of investigative tradecraft that we offer. But Alex, as it relates to supply chain, is that something we offer or will offer in the near future? It is something that we are looking to invest in in the future. And the principal use case would love to work with some of the folks on call to make sure that we're doing the right thing. But the general direction right now is to say, okay, I have a really high volume of companies that I'm monitoring who all have sort of distinct signals and profiles. How can it be serviced to me generally what's going on, as well as really high criticality relative to what I consider high criticality exposures being surfaced to me. And so that's possibly beyond just a summary and more so high fidelity signals being surfaced directly in context that you don't have to manually go and grab. But yes, we are looking at expanding this to include like we do have for AI Insights. Love all the questions. Thank you for the answer. Now it's time for some more Leah time. Hi, everyone. All right, let me be completely transparent with you. I've been in compliance and risk management roles for over fifteen years. I've evaluated multiple vendor management tools on the market. I've sat through dozens of demos promising to revolutionize third party risk management, and in some ways they have. But here's the thing they can't give you, transparency into actual compromise. That's what I want to make sure everybody keeps top of mind. To truly minimize business impact, I need timely and trustworthy data that's actionable in real time. Then that's been my struggle with every other vendor tool I've used. There's a point in time when a vulnerability is exploited, escalating threats and risks throughout the supply chain. 
And we all, as the good guys, want to be right there in that moment partnering to reduce the impact of the crime being committed, to spread awareness to our stakeholders across the business so they can manage the risks that arise when a vendor in the supply chain has been compromised. As a GRC leader, I'm not very interested in asking my team to waste time contacting my vendors over low and unactionable risks or contacting them months after a breach to ask if SpyCloud's data has been impacted. Rather, I need our security team to receive the data in real time so they can respond immediately. And for me and my team to be able to assist in response by managing compliance aspects, post incident risk remediation tracking, you know, something scorecards just don't provide today. It's the actionability we need. So, to be clear, risk scoring doesn't need to be replaced. It needs some augmentation as we were discussing earlier. And this is to provide the teams with enhanced timely and actionable data. Insight into compromise that is happening right now. As you're well aware, there's a huge difference between this vendor has weak DNS security versus this vendor has forty seven employees with stolen credentials circulating in the criminal forums right now. So, I want to show you how easy it is to get started with supply chain. Colette, can we look at the next slide? All right. So, if it were up to me, what I would do is start with taking the inventory of your vendors. And I've ranked my vendors based on the data that they hold and interact with, the access they have, the criticality they are to the business operations. Rank your supply chain based on your criteria. Once you've done that, select your top ten, the ten riskiest apps, partners, vendors you have. But start small and you manage those ten companies that make the most sense. Then evaluate the data. Try to get comfortable with all the features of the tool. 
Understand current and past trends, create a new baseline, and then help in the procurement. So take a procurement example, look at a new partner, you get a detailed view of their exposure prior to the purchase or their exposure in the current timeframe. Then do a deep dive. So now that you have sort of a good sample of partners, vendors, suppliers loaded, dive in, explore reporting when it was released. See what you can find out, see all the different aspects that you can drill into and have fun. Awesome. Thank you, Leah. So before we wrap up and jump into Q and A so you can start pondering and thinking all the good questions to ask, I do want to just bring us back up a level. So, our supply chain threat protection product isn't just a standalone point solution. It really is, like Alex was mentioning, you could sneak peek on the left in the demo screen. It's part of a broader identity threat protection platform, and it's whether you're protecting employees, consumers, or investigating cybercrime. And that matters because identity risk doesn't sit neatly in one team anymore. And SpyCloud gives security, identity, GRC fraud, incident response, just to name a few, a shared source of truth. You get the same exposure data, the same evidence, the same timeline. So you're not all chasing the same problem in parallel. What that does in practice is it removes friction. So your security teams can detect and act faster. GRC teams have evidence instead of assumptions. Procurement and vendor teams, they have informed conversations instead of checkbox reviews. And then response teams aren't starting from zero when something does happen. So it's really not about adding another tool. It's about shortening the distance between exposure, between decision and action across all teams that touch identity risk, whether they call it that or not. That's how identity threat protection becomes operational and not theoretical. 
So we're gonna pop on this fun Q and A screen, and I'm just gonna check back in, see if there were any questions. Alex and Leah are here for anyone that wants more convo or more scoop, whether it's about risk reduction or operational impact, we're here to go deeper. Okay. We do have a question coming in and it's asking. So this is a this is really a solution for a small business was the question. Alex, you wanna take that? Oh, absolutely not. So this is it's not that a small business couldn't benefit from this, but this is for enterprises. That's why we can scale up to one thousand companies and it can be across all the different types of companies that I've sort of reiterated. So no, this is absolutely built for enterprises and the feature set is to support enterprise teams. It could be used by smaller companies, though. Okay. I do have another question, if that's okay. This question is, how is supply chain threat protection different from just running SpyCloud Investigations on vendor domains or email addresses? Continuous monitoring at scale is a huge part of this. We also are signals that we surface in there are fine points versus investigations, obviously, is super powerful, but you're doing a lot of the interpretation yourself. This is us doing much surfacing much of many of the key points that you might already be looking for on a continuous basis. So this is, yeah, at scale monitoring. Okay. We'll do another one. How do you prioritize vendor risk when everything looks bad? What signals actually move a vendor to the top of the list? Okay. So scoring wise, I will say I will tease for folks that we do weight malware and phishing a little more heavily than the rest of the signals, particularly malware. But from a policy perspective, Leah, if you saw all red, what are you doing? It comes back to the it depends situation. Are we procuring the vendor or is it an existing vendor? But, as we said earlier, we're not trying to disparage. 
So if it's all red, we're probably going to pull the lever all red, all hands on deck. But again, partner with the partner and make sure we get more information from them. Just because it's all red doesn't mean we need to go hair on fire running around emergency style. Just take it, take the information, take a deep breath, reach out. Awesome, throwing more questions at you guys. How is this different from third party risk management platforms that are already doing or claiming continuous vendor monitoring? Leah, as somebody who's been through that process many a time, yeah, I think you're the Yeah, sure. I can help with that. So, you know, I had, like I mentioned earlier, evaluated a lot of third party risk vendors. We're talking about threat indices here. We're not scraping data from OSINT and we're not just gathering older information from Have I Been Pwned or anything like that. We're getting real actionable information right now. So, we're able to instead of just give a risk score, we can enhance that information. And as I said before, it doesn't make that information useful. It's just that it can be augmented with real compromised data in real time. And then we have one more unless some new ones pop up. The question is, how do you handle situations where a vendor would dispute the finding or a claim that the exposure is outdated or irrelevant? I would ask for evidence, you know, just to see what we could work with. If we want to share screen because they don't want to send it on email or submit it to a portal or anything like that, we can certainly do that, but I wanna work with the partner. So if they truly are gonna stonewall us, in that case, I'm gonna gather the larger management team. Obviously, the threat indices need to be high enough for us to do this, but we will still continue to push because it's our risk we have to mitigate by doing business with them. And one small thing I'll say too is on the more meta SpyCloud side. 
If we see that our scoring is being claimed to be kind of off, we will actually work with Leah and team to go through these exact processes to make sure that, in fact, if we are making a mistake, that we rectify it. But at the same time, our data is pretty good. Typically, it's pretty accurate. Alex is being modest. It's better than pretty good. But a couple more questions. And they're from the same person, so I'm going to stack it. So question is, what feedback have you received from existing customers using this tool or module, and what do they cite as the platform's strongest differentiators? I think we could all tag team on this, but Alex, kick it off. This is It's hard to pick just one. Yeah. Yeah. It's a but I think the one that I I appreciate the most is that there was a comment early on in the early access period, actually, where it was we were working with the director of SecOps, they were saying, this is actually the third party risk management solution, which we would argue that we're of in that space, not fully. We're complementing those tools. But they said this is the tool actually built for security teams. This is actually interesting data. This is actually high enough fidelity for me to do something with. And I trust this data more. So I think the quote, which is more qualitative than a specific feature and allow them to add the specific features, is more of this is the third party risk management tool actually designed for security teams and how they operate. What about you, Colette? What sticks out to you? No. So actually, I'll tackle that second question that ties into this, and it's what feedback has led to product changes, roadmap adjustments. And I think it's how we mentioned this, this isn't like a side quest for us. It is a natural extension. Our customers really truly appreciate and value the quality of data that we bring as one of the largest originators of recaptured darknet data that is actually actionable. 
And it makes sense in how we're operating and how we're working to view our workforce as an extended picture being more than just employees, more than just your contractors, your freelancers, and that it does extend out to that supply chain. So, bringing this data into a place where we can extend that visibility for our customers to ensure a more comprehensive identity threat protection program is kind of the goal and the feedback that we get from our customers and why Alex and team partner with Leah and build these products. Alex, anything to add? No. I I think that's right, Colette. And I I would just say directionally, a few of the things that folks have given us feedback on are scale, which we're pursuing, fidelity of the alerts, tuning them to what really matters to them. How can I take your scoring system and reflect the way my team looks at these threats as a priority? Those are a few of the areas that you're going to see a really strong focus on. As well as some folks Lucy brought up earlier, sort of like the idea of attestation. That is also something that we're looking at. We do wanna help close the loop here, not only to help support actual remediation, but also to make sure when we are getting it wrong, that we're allowing companies to reflect that within our system. I'd also add that as a differentiator. We actually do care about these things. Not putting anybody under the bus, but I think other tools kind of speak for themselves in the lack of their investment in that category. I'd like to tag onto that, Alex. So, you know, being in the GRC seat, we receive the reports from some of the third party risk management tools. And we receive them for most. And when I do see that the information is incorrect, so we dispute and say, hey, the URL or this doesn't belong to us or that is a false positive or all of this information that's really just, for us kind of a nuisance. So now we spend the time of course to respond. 
We want everybody to be comfortable with us. So I think what differentiates supply chain for me is this is a true partnership because you were actually giving them information that they can use and they're going to be happy that they can have a chance to respond to their own environment rather than someone letting them know that something was going on that they didn't know about. And again, it's a partnership. It's not a situation where we're pointing fingers at each other and saying that you can't practice security or anything like that. So yeah, the ability to build a strong community with my partners is what makes this a differentiator with the data. And sorry to tag on a tag here, folks. But to what Leah just said, it was super important because among the other three things that we just mentioned as the directional roadmap, actionability is a huge piece, a huge piece of where we're headed with this. So you've already seen the near-term, the sort of immediate feature set that is coming. But there are some very exciting things that are already in discovery as well in this that I think that Leah and team might directly benefit from, for example. So just a few things for all of our attendees as we're nearing the end of this great event. Everyone will get a recording of this, but if you're an existing customer and you want more information, you can always contact your customer success manager or any other SpyCloud contact. We're happy to show you something more personalized, tailored to your environment, how this works with the larger ecosystem that you have across the SpyCloud offering. And any people just exploring and getting started with SpyCloud, we're happy to follow up and, again, do something more tailored around supply chain threat protection so you can get a view of what your risk could potentially look like. 
Everyone will get a recording, and I just wanna say thank you everyone for taking time out of your day to join us for this conversation, ask all these great questions. We can't wait to see and hear from you again.
Key takeaways
- What’s making supply chain threats the #1 security blind spot in 2026 and how extending visibility beyond your employees closes the gap
- How SpyCloud Supply Chain Threat Protection monitors for real-time vendor identity exposures – including stolen credentials, malware infections, phishing victims, and data breaches – so you can cut off risk before it reaches your network
- How SpyCloud integrates into your existing program, layering onto internal processes, controls, and partner remediation for more complete protection
See it in action
Schedule a deeper dive into how Supply Chain Threat Protection can uncover exposures within your own third-party ecosystem.