• Home
  • Blog
  • Five Steps to Protect Your Supply Chain: A Board-Level Perspective

Five Steps to Protect Your Supply Chain: A Board-Level Perspective

Last month, the cybersecurity industry faced its latest major attack through a third-party IT management software company, SolarWinds. This breach reinforces the fragility of not only the software supply chain, but  the entire third-party vendor ecosystem. As more information comes to the surface about the true depth and  breadth of the breach, it is glaringly clear that this extensive ecosystem of vendors is the gateway for attackers to move laterally from network to network.  

Over the last few years, many organizations have improved cyber defenses and have succeeded in making  themselves increasingly harder targets for adversaries. However, even for these well-defended organizations, the greatest defense weaknesses now lie with their suppliers and partners who are less well protected but with whom they are highly interconnected or upon whom they rely for technology. Among too many partner  organizations, cybersecurity is an afterthought at best, despite well-documented threats, making engaging with  these organizations a high-risk activity that introduces unpredictable and, therefore, unmanageable cyber risk.  

Improving visibility to defend against broader attack techniques  

Gaining visibility into supply chain risk is undeniably complex. Business partners normally have limited insight  into each other’s network defenses, and minimal ability to understand and mitigate the security risks inherent  in these relationships. Industry-standard practices to date involve point-in-time questionnaires and audits that  are useful, but which offer limited context about the ongoing state of cybersecurity within partner networks.  

Obtaining this context is crucial. However, to circumvent the hardening of their primary targets, hackers attempt to exploit the weaker partner and leverage the trust relationship to “swim upstream” into the better  defended, more desirable, target. While we saw a particularly effective approach to exploit the software  update process in the SolarWinds hack, it is important to understand that there are a variety of approaches  actors can take to infiltrate supply chain operations. An adequate defense needs to protect not only against  the specific techniques used in SolarWinds, but should also guard against the broader class of techniques  where an organization can be compromised via their relationship with a poorly defended partner.  

Recent research undertaken by BlueVoyant with 1500 CIOs, CISOs and Chief Procurement Officers across six  verticals and five countries showed the considerable extent of unmanaged risk in the software supply chain  and third-party vendor ecosystems. Overall, the research revealed that globally four in five firms surveyed  (80%) had suffered a cybersecurity breach caused by a third-party vendor and the average respondent’s  organization had been breached in this way 2.7 times.  

It is nearly impossible to effectively manage third-party risk unless the state of your partners’ defenses is  clearly understood, both technically and operationally, and that you continually ensure that their cyberdefense  posture is sufficient. It is critical that organizations have an in-depth understanding of the cyber risks  associated with their supply chain relationships, mitigate those risks to the degree possible, and evaluate net  risk versus the business value of the relationship. Put simply, if your organization is connected to another organization and you don’t have a clear view into the state of their cyber defense posture, you have accepted  an unknown and unnecessary level of risk associated with that organization.  

Having a high level of trust in partners makes you vulnerable  

Our research highlights that, on average, organizations are working across a network that encompasses 1409 vendors. Within this network, companies will have several groupings of suppliers and partners that are integral  to the business in different ways. For example, groups of suppliers who have access to the IT systems and  network, and others who hold confidential information, as well as mission-critical suppliers whose ongoing  operation is essential to business continuity. Further, there will be those who have a high level of trust in their  business relationship and unwisely allow that trust to be carried over into their network interconnectivity,  without establishing an adequate understanding of each other’s defensive position.  

While many organizations have added rigor to their cybersecurity operations, many well-resourced and  capable organizations have not. SolarWinds is not an isolated instance of a highly successful, but poorly  defended, organization. Cybersecurity is too often not properly resourced and, in some cases, simply not a sufficient priority, even for organizations in the business of building software products. When partnering,  organizations should verify before they trust and embed this into their cybersecurity protocol, repeating the verification process at regular intervals.  

Our research uncovered that comprehensive reviewing of partner defenses is rare. Only 23% of organizations are monitoring all suppliers; meaning 77% had limited visibility and many only re-assessed their vendors’ cyber  risk position annually, or less frequently. This means in the intervening period, organizations are effectively  flying blind to risks that could emerge rapidly and unexpectedly in the prevailing cyber threat environment. Also concerning, 29% admitted that they had no way of knowing if an issue arose with a supplier.  

Understanding the adversaries’ techniques  

To make informed decisions about defensive capabilities, companies must first understand how advanced  threat actors approach industrial-scale supply chain operation attacks.  

Hacking is a for-profit, international, multi-billion-dollar business undertaken by professionals – generally organized crime and nation-state-funded actors. To be profitable, attackers must be able to assess many  possible targets and make decisions about where to focus their resources for maximum impact; both in terms of value and volume. The most valuable intelligence is identifying those organizations that are important (as a potential target) and that have consistent weaknesses in their defenses.  

As a secondary consideration, attackers look to identify normally well-defended targets who possess unexpected point-in-time vulnerabilities. These lapses are often the needed window of opportunity a skilled  hacker requires to initiate and sustain long-term, illegal-business operations.  

Developing these industrial strength capabilities allows hackers to scale their operations. However, this is technically complex, expensive, and requires sufficient depth of knowledge of offensive operations to build  automated vulnerability detection engines. Unfortunately, most advanced cyber actors have the resources and  skills to accomplish this and have already done so.  

Criminals use sophisticated tools to scan the Internet – and all Internet-facing systems – for vulnerabilities and  general system information to collect intelligence that will help them identify vulnerable targets. The efficacy  of their vulnerability scanning and network intelligence collection determines their profitability. Threat actors  continue to improve their capabilities at an alarming rate.  

These are five key steps that organizations should employ to safeguard their supply chain:  

1. Having the right contractual provisions in place from the outset 

Historically, organizations have put contractual provisions in place that require the supplier to have good  cybersecurity. The contractual provisions are important for enforcement purposes, but may or may not be fully  complied with. The requirement of periodic questionnaires is useful, but they are a single point in time data  collection effort, the answers to which can be broadly correct, but not necessarily comprehensively correct.  

Onsite audit rights, again are useful, but are limited in terms of the number that can be practically conducted,  and again, represent a single point in time. Although these techniques are necessary and valuable, they’re  simply no longer sufficient. Today, contracts should stipulate regular monitoring of the supplier’s security  posture and should document the procedure for identifying and remediating emerging risks that could  compromise security and/or business continuity.  

2. Understanding the risks 

Typically organizations focus on partners with a higher dollar value, neglecting to consider that even small  partners pose a material risk. Monitoring part of the supply chain, and not all of it, is a recipe for trouble as it creates vulnerabilities at various points across the supply chain. Therefore, organizations should expand assessment, monitoring and reporting programs to cover the long tail of vendors – regardless their size – and not just critical suppliers. As outlined above, when a hacker looks at suppliers, their priority list differs from  that of the target organization. Where hackers look for easy vulnerabilities and trusted relationships so they  can “hide in the forest,” companies tend to prioritize the importance of relationships to the business. Organizations also need to establish agreed upon risk tolerance thresholds, applying different tolerances for different suppliers, determined by the access they have to data, systems, and their importance to overall operations.  

3. Real-time monitoring 

In the modern cyber context, auditing the supply chain only once a year makes as little sense as having a  Managed Security Service (MSS) that works only once a year, or a company Security Operations Center (SOC)  that operates only occasionally. Therefore, organizations must take a proactive defensive posture of rigorous  and continuous assessment and monitoring of the supply chain, notifying suppliers when they are insufficiently  protected – to ensure that the supply chain is not vulnerable to threat actors who are looking for every  possible point of entry 24/7 – so they can detect and remediate critical vulnerabilities before an attack occurs.  

4. Operationalize data for improved visibility and maximed value 

To improve visibility of their supply chain, organizations should operationalize the data that they already  collect, which will provide better and actionable insight to maximize the value of existing resources. This  includes automating analysis of the most critical risks (the exceptions that need action versus the raw cyber  risk data itself), prioritizing and triaging these critical risks in the context of their impact on the organization and reducing false positive alerts to remove the “noise,” which allows in-house teams to properly focus on  analyzing critical vulnerabilities.  

5. Resources to remediate supply chain vulnerabilities 

While it is a prerequisite for effective cyber defense to have the data on the cyber health and vulnerability status of your supply chain, that alone is not sufficient. Organizations must also have the personnel and expertise to curate findings for priority and accuracy, to follow up with vulnerable supply chain participants to ensure remediations are implemented, and to continuously monitor both the overall portfolio and individual  suppliers. Typically they require substantial internal staffing – or part or all of the function – can be  outsourced to BlueVoyant. We provide comprehensive supply chain cyber risk identification, prioritization and remediation services.  

The SolarWinds attack, along with a number of other well publicized breaches have been driven by nation state-sponsored activity, foreshadowing near term and ongoing criminal syndicate attacks. Cyber criminals already have the ransomware capabilities to wreak long-term havoc on an organization’s network. Their next  target is the supply chain, making end-to-end monitoring of your entire supply chain a critical strategic  imperative.  

Related reading