The Supply Chain is Part of Your Organization’s Security Posture

February 2, 2021 | 4 min read

BlueVoyant

By Robert Hannigan

SolarWinds was not the first supply chain cyber attack and it won’t be the last. Every day, companies find themselves compromised through their vendors, who unknowingly deliver attacks – especially ransomware in the past year – to the customer company. Once a compromised company is delivering a sophisticated attack through a software upgrade, it’s already too late to do anything but contain the damage. The first line of defense needs to be upstream – at the point where the supply chain company is first compromised.

At BlueVoyant we have issued plenty of advice to help our clients manage any possible compromise from SolarWinds. We have also discussed the wider supply chain cyber risk challenges in a recent Financial Times article.

But C-Suite executives will want to go beyond the immediate problem and look for the next SolarWinds. Once they have asked their team all the obvious questions about their current use of SolarWinds Orion within their own company networks, and the likely exposure, they should be asking two bigger questions.

  • Which companies in our supply chain were exposed to the SolarWinds compromise, even if we weren’t directly?
  • Looking across our entire supply chain, can we see other companies who have poor security and might compromise us? If so, what are we doing about it?

SolarWinds and other supply chain attacks should force a shift in mindset for senior executives. They need to start seeing their entire vendor ecosystem as an extension of their own networks, because that’s how attackers see it. They need not just to do due diligence when onboarding a vendor, but continuous monitoring. Cyber threats and company networks are dynamic, so a dated snapshot isn’t going to help. In the modern cyber context, auditing your supply chain once a quarter makes as much sense as having a managed security service that works only once a quarter, or a company SOC that only operates occasionally. It’s like buying an antivirus product for your laptop and only switching it on when you want to audit how bad things are.

If you are monitoring the entire supply chain continuously, including the long list of companies no-one has heard of where the attack may actually come from, you then need to do something with that information. Even the best cyber team cannot cope with the sheer volume of data about 10,000 vendors: they need an expert service to prioritize actions and approach the vendor to help them improve. Cyber problems in the supply chain don’t just need identifying and cataloguing, they need fixing if the risk is going to be reduced. We have to move from admiring the supply chain problem to fixing it, and from assessing the risk to reducing it.

This continuous monitoring, escalation of real concerns, and remediation with supply chain companies means processing huge volumes of external cyber metadata on thousands of companies in real time. Avoiding burying customers in false positives demands sophisticated automation and a high degree of expertise, especially about how supply chain attacks are delivered. That is what BlueVoyant does for private sector and government customers across four continents. We process more metadata than any other supply chain cyber security company and, critically, we provide an expert service to produce actionable insights from that data. We have the largest collection of ex-government and private sector talent used to dealing with this external data and looking at supply chains from an attacker’s perspective. We take the burden off busy teams by showing them at a glance what needs fixing against their own risk thresholds, and we go straight to the vendor to help them fix it.

At BlueVoyant we have never needed to capitalize on cyber incidents like the SolarWinds attack. We were able to give our clients the answer to the questions above immediately. We could of course tell them within hours which companies in their supply chain were likely to be exposed, without going through lengthy internal investigations. But much more importantly, our service answers the key question about what a company like SolarWinds Corporation looks like from the outside – from the attacker’s perspective. As with so many other supply chain companies, we could see plenty of IT hygiene and vulnerability issues, but we automatically highlighted five that we thought were of serious concern (open RDPs and an Exim email server vulnerability which has been exploited previously). We do not know officially how the attack on SolarWinds was delivered, but we can say with certainty that these routes could have been readily exploited by an attacker. Finding those routes and closing them at speed is what BlueVoyant’s service does across a company’s entire supply chain.
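As an added illustration of the two points above (continuous monitoring versus a quarterly snapshot, and escalating external findings against the customer's own risk thresholds), here is a small Python example; it is not BlueVoyant's code or data. The vendor names, dates, finding types and severity weights are all constructed for the example.

```python
from datetime import date, timedelta

# Base severities per finding type are assumptions for this example; the two
# findings the post names (exposed RDP, a vulnerable Exim server) get the top weight.
SEVERITY = {"rdp_exposed": 9, "exim_vulnerable": 9, "tls_expired": 4, "spf_missing": 2}

def risk_score(findings, criticality):
    """Worst finding present, scaled by how critical the vendor is to us (1..3)."""
    return max((SEVERITY.get(f, 1) for f in findings), default=0) * criticality

def escalations(observations, criticality, threshold, as_of):
    """Latest observation per vendor up to `as_of`; return (score, vendor, findings)
    for vendors at or above the customer's threshold, worst first."""
    latest = {}
    for vendor, seen, findings in observations:
        if seen <= as_of and (vendor not in latest or seen > latest[vendor][0]):
            latest[vendor] = (seen, findings)
    ranked = [(risk_score(f, criticality.get(v, 1)), v, sorted(f))
              for v, (_, f) in latest.items()]
    return sorted((r for r in ranked if r[0] >= threshold), reverse=True)

def days_seen(observations, vendor, finding, cadence_days):
    """Number of days `finding` is visible on `vendor` if we only look every
    `cadence_days` days, counting from the first day we observed that vendor."""
    seen_days = sorted(seen for v, seen, _ in observations if v == vendor)
    if not seen_days:
        return 0
    first = seen_days[0]
    return sum(1 for v, seen, f in observations
               if v == vendor and finding in f and (seen - first).days % cadence_days == 0)

# Constructed data: vendor-a has RDP exposed on days 30..45 of a 90-day window and
# is otherwise clean; vendor-b and vendor-c are only observed on day 90.
START = date(2021, 1, 1)
DAY40, DAY90 = START + timedelta(days=40), START + timedelta(days=90)
OBSERVATIONS = [("vendor-a", START + timedelta(days=d),
                 frozenset({"rdp_exposed"} if 30 <= d <= 45 else set())) for d in range(91)]
OBSERVATIONS += [("vendor-b", DAY90, frozenset({"exim_vulnerable", "spf_missing"})),
                 ("vendor-c", DAY90, frozenset({"tls_expired"}))]
CRITICALITY = {"vendor-a": 3, "vendor-b": 2, "vendor-c": 1}  # how much we depend on each

if __name__ == "__main__":
    print("escalate on day 40:", escalations(OBSERVATIONS, CRITICALITY, 8, DAY40))
    print("escalate on day 90:", escalations(OBSERVATIONS, CRITICALITY, 8, DAY90))
    for cadence in (1, 7, 90):
        print(f"RDP exposure days seen at cadence {cadence}:",
              days_seen(OBSERVATIONS, "vendor-a", "rdp_exposed", cadence))
```

A quarterly look (cadence 90) never sees vendor-a's two-week RDP exposure at all, while the daily view escalates it on day 40 and drops it again once it is closed.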

Read our global survey of CIOs and CISOs across five countries in 2020 to understand how companies manage third-party cyber risk.

Robert Hannigan is Chairman of BlueVoyant International. Until 2017, Robert was Director of GCHQ, the UK’s largest intelligence and security agency and NSA equivalent. There he led the creation of the UK’s National Cybersecurity Centre (NCSC) and oversaw the UK’s pioneering Active Cyber Defense Program.