Five Steps to Protect Your Supply Chain: A Board-Level Perspective
Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach reinforces the fragility of not only the software supply chain, but the entire third-party vendor ecosystem. As more information comes to the surface about the true depth and breadth of the breach, it is glaringly clear that this extensive ecosystem of vendors is the gateway for attackers to move laterally from network to network.
Over the last few years, many organizations have improved cyber defenses and have succeeded in making themselves increasingly harder targets for adversaries. However, even for these well-defended organizations, the greatest defense weaknesses now lie with their suppliers and partners who are less well protected but with whom they are highly interconnected or upon whom they rely for technology. Among too many partner organizations, cybersecurity is an afterthought at best, despite well-documented threats, making engaging with these organizations a high-risk activity that introduces unpredictable and, therefore, unmanageable cyber risk.
Improving visibility to defend against broader attack techniques
Gaining visibility into supply chain risk is undeniably complex. Business partners normally have limited insight into each other’s network defenses, and minimal ability to understand and mitigate the security risks inherent in these relationships. Industry-standard practices to date involve point-in-time questionnaires and audits that are useful, but which offer limited context about the ongoing state of cybersecurity within partner networks.
Obtaining this context is crucial because, to circumvent the hardening of their primary targets, hackers attempt to exploit the weaker partner and leverage the trust relationship to "swim upstream" into the better defended, more desirable target. While we saw a particularly effective approach to exploiting the software update process in the SolarWinds hack, it is important to understand that there are a variety of approaches actors can take to infiltrate supply chain operations. An adequate defense needs to protect not only against the specific techniques used in SolarWinds, but should also guard against the broader class of techniques by which an organization can be compromised via its relationship with a poorly defended partner.
Recent research undertaken by BlueVoyant with 1500 CIOs, CISOs and Chief Procurement Officers across six verticals and five countries showed the considerable extent of unmanaged risk in the software supply chain and third-party vendor ecosystems. Overall, the research revealed that globally four in five firms surveyed (80%) had suffered a cybersecurity breach caused by a third-party vendor and the average respondent’s organization had been breached in this way 2.7 times.
It is nearly impossible to effectively manage third-party risk unless the state of your partners’ defenses is clearly understood, both technically and operationally, and you continually verify that their cyber defense posture remains sufficient. It is critical that organizations have an in-depth understanding of the cyber risks associated with their supply chain relationships, mitigate those risks to the degree possible, and evaluate net risk versus the business value of the relationship. Put simply, if your organization is connected to another organization and you don’t have a clear view into the state of their cyber defense posture, you have accepted an unknown and unnecessary level of risk associated with that organization.
Having a high level of trust in partners makes you vulnerable
Our research highlights that, on average, organizations are working across a network that encompasses 1409 vendors. Within this network, companies will have several groupings of suppliers and partners that are integral to the business in different ways: for example, groups of suppliers who have access to the IT systems and network, others who hold confidential information, and mission-critical suppliers whose ongoing operation is essential to business continuity. Further, there will be those who have a high level of trust in their business relationship and unwisely allow that trust to be carried over into their network interconnectivity, without establishing an adequate understanding of each other’s defensive position.
While many organizations have added rigor to their cybersecurity operations, many well-resourced and capable organizations have not. SolarWinds is not an isolated instance of a highly successful, but poorly defended, organization. Cybersecurity is too often not properly resourced and, in some cases, simply not a sufficient priority, even for organizations in the business of building software products. When partnering, organizations should verify before they trust and embed this into their cybersecurity protocol, repeating the verification process at regular intervals.
Our research uncovered that comprehensive reviewing of partner defenses is rare. Only 23% of organizations are monitoring all suppliers, meaning 77% had limited visibility, and many only re-assessed their vendors’ cyber risk position annually or less frequently. This means that in the intervening period, organizations are effectively flying blind to risks that could emerge rapidly and unexpectedly in the prevailing cyber threat environment. Also concerning, 29% admitted that they had no way of knowing if an issue arose with a supplier.
Understanding the adversaries’ techniques
To make informed decisions about defensive capabilities, companies must first understand how advanced threat actors approach industrial-scale attacks on supply chain operations.
Hacking is a for-profit, international, multi-billion-dollar business undertaken by professionals - generally organized crime and nation-state-funded actors. To be profitable, attackers must be able to assess many possible targets and make decisions about where to focus their resources for maximum impact, both in terms of value and volume. The most valuable intelligence is identifying those organizations that are important (as a potential target) and that have consistent weaknesses in their defenses.
As a secondary consideration, attackers look to identify normally well-defended targets who possess unexpected point-in-time vulnerabilities. These lapses are often the needed window of opportunity a skilled hacker requires to initiate and sustain long-term, illegal-business operations.
Developing these industrial strength capabilities allows hackers to scale their operations. However, this is technically complex, expensive, and requires sufficient depth of knowledge of offensive operations to build automated vulnerability detection engines. Unfortunately, most advanced cyber actors have the resources and skills to accomplish this and have already done so.
Criminals use sophisticated tools to scan the Internet - and all Internet-facing systems - for vulnerabilities and general system information to collect intelligence that will help them identify vulnerable targets. The efficacy of their vulnerability scanning and network intelligence collection determines their profitability. Threat actors continue to improve their capabilities at an alarming rate.
These are five key steps that organizations should employ to safeguard their supply chain:
1. Having the right contractual provisions in place from the outset
Historically, organizations have put contractual provisions in place that require the supplier to have good cybersecurity. The contractual provisions are important for enforcement purposes, but may or may not be fully complied with. The requirement of periodic questionnaires is useful, but they are a single point-in-time data collection effort, the answers to which can be broadly correct but not necessarily comprehensively correct.
Onsite audit rights are again useful, but are limited in terms of the number that can practically be conducted and, again, represent a single point in time. Although these techniques are necessary and valuable, they’re simply no longer sufficient. Today, contracts should stipulate regular monitoring of the supplier’s security posture and should document the procedure for identifying and remediating emerging risks that could compromise security and/or business continuity.
2. Understanding the risks
Typically, organizations focus on partners with a higher dollar value, neglecting to consider that even small partners pose a material risk. Monitoring part of the supply chain, and not all of it, is a recipe for trouble as it leaves unmonitored vulnerabilities at various points across the supply chain. Therefore, organizations should expand assessment, monitoring and reporting programs to cover the long tail of vendors - regardless of their size - and not just critical suppliers. As outlined above, when a hacker looks at suppliers, their priority list differs from that of the target organization. Where hackers look for easy vulnerabilities and trusted relationships so they can "hide in the forest," companies tend to prioritize the importance of relationships to the business. Organizations also need to establish agreed-upon risk tolerance thresholds, applying different tolerances for different suppliers, determined by the access they have to data and systems and their importance to overall operations.
3. Real-time monitoring
In the modern cyber context, auditing the supply chain only once a year makes as little sense as having a Managed Security Service (MSS) that works only once a year, or a company Security Operations Center (SOC) that operates only occasionally. Threat actors are looking for every possible point of entry 24/7. Therefore, organizations must take a proactive defensive posture of rigorous and continuous assessment and monitoring of the supply chain, notifying suppliers when they are insufficiently protected, so that critical vulnerabilities are detected and remediated before an attack occurs.
4. Operationalize data for improved visibility and maximized value
To improve visibility of their supply chain, organizations should operationalize the data that they already collect, which will provide better, actionable insight and maximize the value of existing resources. This includes automating analysis of the most critical risks (the exceptions that need action, as opposed to the raw cyber risk data itself), prioritizing and triaging these critical risks in the context of their impact on the organization, and reducing false positive alerts to remove the “noise,” which allows in-house teams to focus properly on analyzing critical vulnerabilities.
5. Resources to remediate supply chain vulnerabilities
While it is a prerequisite for effective cyber defense to have the data on the cyber health and vulnerability status of your supply chain, that alone is not sufficient. Organizations must also have the personnel and expertise to curate findings for priority and accuracy, to follow up with vulnerable supply chain participants to ensure remediations are implemented, and to continuously monitor both the overall portfolio and individual suppliers. Typically this requires substantial internal staffing; alternatively, part or all of the function can be outsourced to BlueVoyant. We provide comprehensive supply chain cyber risk identification, prioritization and remediation services.
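Steps 2 through 4 describe one workflow: tier vendors by the access and importance they have (step 2), apply a different tolerance and re-assessment cadence per tier (steps 2 and 3), and turn the raw finding feed into a short list of exceptions with the noise removed (step 4). The following is an added illustration of that workflow, written for this article and not BlueVoyant's own code or product logic. The vendor inventory, finding feed, severity scale, tier rules, tolerance values and confidence cut-off are all constructed assumptions; a real program would take these from its contracts and risk appetite, not from this table.

```python
"""Tiered third-party risk triage (added example; hypothetical data and rules)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vendor:
    name: str
    has_network_access: bool      # can reach our IT systems or network
    holds_confidential_data: bool  # stores or processes our sensitive data
    mission_critical: bool         # our operations stop if theirs do
    last_assessed: date            # date of the last completed assessment


@dataclass(frozen=True)
class Finding:
    vendor: str
    finding_id: str   # stable id from the monitoring source
    severity: int     # constructed 1..10 scale, 10 = worst
    confidence: float  # 0..1, source's confidence; low values are likely noise


@dataclass
class TriageResult:
    exceptions: list        # findings that need action, highest priority first
    stale_vendors: list     # vendors overdue for re-assessment at their tier
    unknown_vendors: list   # vendors in the feed but missing from the inventory


def vendor_tier(v: Vendor) -> int:
    """Step 2: tier by access and importance, not by contract value."""
    if v.has_network_access or v.mission_critical:
        return 1
    if v.holds_confidential_data:
        return 2
    return 3


# Assumed per-tier tolerance: lowest severity that becomes an exception, and the
# longest acceptable gap between assessments (step 3's monitoring cadence).
TOLERANCE = {
    1: {"min_severity": 4, "max_age_days": 30},
    2: {"min_severity": 6, "max_age_days": 90},
    3: {"min_severity": 8, "max_age_days": 365},
}


def triage(vendors, findings, today, min_confidence=0.6) -> TriageResult:
    """Step 4: reduce the raw feed to prioritized exceptions."""
    inventory = {v.name: v for v in vendors}
    seen, ranked, unknown = set(), [], []
    for f in findings:
        v = inventory.get(f.vendor)
        if v is None:                      # inventory gap: report, don't drop silently
            if f.vendor not in unknown:
                unknown.append(f.vendor)
            continue
        key = (f.vendor, f.finding_id)
        if key in seen:                    # same finding reported by two scan runs
            continue
        seen.add(key)
        if f.confidence < min_confidence:  # likely false positive; suppress noise
            continue
        tier = vendor_tier(v)
        if f.severity < TOLERANCE[tier]["min_severity"]:  # within agreed tolerance
            continue
        # Priority weights severity by how much the vendor matters to us.
        ranked.append((f.severity * (4 - tier), f))
    ranked.sort(key=lambda p: (-p[0], p[1].vendor, p[1].finding_id))
    stale = [v.name for v in vendors
             if (today - v.last_assessed).days > TOLERANCE[vendor_tier(v)]["max_age_days"]]
    return TriageResult([f for _, f in ranked], stale, unknown)


# Constructed sample inventory and feed for a stand-alone run.
TODAY = date(2021, 1, 15)
VENDORS = [
    Vendor("acme-msp", True, True, True, date(2020, 12, 20)),        # tier 1, fresh
    Vendor("payroll-co", False, True, False, date(2020, 9, 1)),      # tier 2, overdue
    Vendor("office-plants", False, False, False, date(2020, 2, 1)),  # tier 3, fresh
]
FINDINGS = [
    Finding("acme-msp", "F-1", 5, 0.9),       # tier 1: exception (priority 15)
    Finding("acme-msp", "F-1", 5, 0.9),       # duplicate report, dropped
    Finding("acme-msp", "F-2", 3, 0.95),      # below tier 1 tolerance
    Finding("payroll-co", "F-3", 9, 0.2),     # low confidence, suppressed
    Finding("payroll-co", "F-4", 7, 0.8),     # tier 2: exception (priority 14)
    Finding("office-plants", "F-5", 9, 0.9),  # tier 3: exception (priority 9)
    Finding("unknown-llc", "F-6", 10, 1.0),   # not in inventory
]


def run_example() -> TriageResult:
    return triage(VENDORS, FINDINGS, TODAY)


if __name__ == "__main__":
    r = run_example()
    for f in r.exceptions:
        print(f"ACTION  tier {vendor_tier(next(v for v in VENDORS if v.name == f.vendor))} "
              f"{f.vendor} {f.finding_id} severity={f.severity}")
    print("STALE  ", r.stale_vendors)
    print("UNKNOWN", r.unknown_vendors)
```

Two design points matter more than the particular numbers. A vendor that appears in the feed but not in the inventory is surfaced rather than ignored, since an unmanaged vendor is exactly the "long tail" exposure step 2 warns about; and staleness is computed per tier, so a tier 3 vendor assessed within the year is fine while a tier 1 vendor assessed six weeks ago is already overdue.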
The SolarWinds attack, along with a number of other well-publicized breaches, has been driven by nation-state-sponsored activity, foreshadowing near-term and ongoing criminal syndicate attacks. Cyber criminals already have the ransomware capabilities to wreak long-term havoc on an organization's network. Their next target is the supply chain, making end-to-end monitoring of your entire supply chain a critical strategic imperative.