The SolarWinds attacks caught the eye of virtually everyone in the cybersecurity community. There are plenty of Chief Information Security Officers (CISOs) out there who are no doubt extremely thankful their organization wasn’t compromised. But who can say they won’t be a victim of the next major supply chain attack? Because there will be a next time.
Whether we’re talking about third-party software, hardware or service providers, organizations still rely too much on trust and manual, spreadsheet-based approaches to provide assurance on cyber risk. As an industry, we need to develop a better way of doing things — one that combines rich, quantitative data with reputable third-party attestations and assessments.
The challenge deepens, of course, when it comes to managing supply chains end to end. Can you vouch for the security practices of your third parties’ third parties? Global organizations have struggled with this for years, and there are no simple answers. What we can say is that best practice supply chain security should always start with visibility — into your IT assets and those of your partners.
Only with this kind of back-to-basics approach can you begin to answer those fundamental questions to help calculate risk exposure: Who are your suppliers? What’s their security maturity? What data can they access? And how do they use it?
The problem with supply chains
The complexity of modern supply chains can quickly make risk management efforts spiral out of control. It doesn’t help that, for decades, many organizations used manual processes and audits based on overly simplistic questions to help them calculate supplier risk (e.g., do you have a patch management program?). This approach elicits binary or highly subjective answers that can’t be validated through any form of third-party attestation.
Take the fallout of the SolarWinds incident. Some organizations asked their suppliers: “Did you have the affected versions of SolarWinds Orion in your environment?” But the “yes/no” response this elicited is not enough to base important risk calculations on. If the supplier in question had weak asset and application management processes in place, they might not even know the answer with any certainty. And what good is an assurance based on partial or incomplete data?
As we shall discuss, mature organizations asked more open-ended questions (e.g., How does your company approach threat modeling? Describe your approach to patch management). The answers to these more holistic questions give a much broader picture of supplier security than a yes/no response ever can.
In addition, some organizations have tried to move beyond the manual, spreadsheet-based approach with technical solutions that attempt to calculate the security posture of suppliers more rigorously. But many such services provide only an incomplete, “outside-in” view of suppliers, based on a limited set of externally observable criteria and subjective scoring. They’re not holistic enough to be much help on their own.
This is just the tip of the iceberg. Other challenges with supply chain security include:
Security/risk teams engaged too late:
Supply chain governance is often performed too late in the onboarding process, by which point it may no longer be possible to mitigate or remove the risk. The security and risk team can come under tremendous pressure from the business to give its blessing to the new deal. Keen not to be seen as the “department of no,” CISOs may feel they have no choice but to do so.
Recertification doesn’t happen:
As important as rigorous due diligence prior to onboarding is, periodic reappraisal of the relationship is also critical. Consider a SaaS provider whose service was originally deployed to just a small number of developers using only test data.
That app may now be used by hundreds of employees and processing critical business information. Periodic recertification is vital to dynamically manage risk as it evolves. Unfortunately, supply chain security is “set and forget” for many organizations.
End-to-end visibility and assurance:
Third-party risk management is one thing, but the further upstream or downstream you go, the harder it gets. What about your suppliers’ suppliers? And their suppliers? The challenge here is that there’s no consistent, industry-wide best practice for managing end-to-end supplier risk.
I ask my suppliers to provide detailed data based on threat models and risk analysis, but their processes to validate their own partners could be lightweight, cursory inspections. When each component of the supply chain is different, it becomes incredibly challenging to qualify aggregate risk end to end.
What happens next?
All organizations struggle with these challenges to a certain extent — even those with relatively mature cybersecurity programs. That’s why it helps to go back to basics and first answer those fundamental questions: who your suppliers are, what their security maturity is and how they use your data, if at all.
This boils down to visibility: understanding what IT assets you own, what’s running on them and what third-party dependencies there are. It’s simple to say but not always to do. Tanium research found that 94 percent of global IT decision-makers have discovered endpoints within their IT environment that they were previously unaware of.
This same visibility must be extended to your suppliers. They must be able to provide a comprehensive and accurate inventory of their IT assets that shows the status of each endpoint and the software versions installed on it. And they must be able to patch promptly, so that risk is mitigated as it changes rather than at the next audit.
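The reason a bare “yes/no” answer to “did you have the affected versions?” is not enough is that it silently assumes complete inventory coverage. The following added example (not code from Tanium or from this article) illustrates that point over a constructed inventory: endpoints whose agent has never reported, or whose last report is stale, are counted as “unknown” rather than being folded into “no”. The product name, version strings and hostnames are placeholders invented for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed sample inventory; not real data. A None last_seen means the host
# is known to exist (e.g. from a CMDB or DHCP lease) but has never reported
# its installed software, so nothing can be said about it with certainty.


@dataclass
class Endpoint:
    hostname: str
    last_seen: Optional[datetime]
    software: Dict[str, str] = field(default_factory=dict)  # product -> version


def classify_exposure(
    endpoints: List[Endpoint],
    product: str,
    affected_versions: Set[str],
    now: datetime,
    max_age: timedelta = timedelta(days=7),
) -> Dict[str, List[str]]:
    """Split endpoints into affected / unaffected / unknown for one product.

    An endpoint is 'unknown' when it has no inventory report at all or when
    its last report is older than max_age (the assumed freshness threshold).
    Only a fresh report can place a host in 'affected' or 'unaffected'.
    """
    result: Dict[str, List[str]] = {"affected": [], "unaffected": [], "unknown": []}
    for ep in endpoints:
        if ep.last_seen is None or now - ep.last_seen > max_age:
            result["unknown"].append(ep.hostname)
            continue
        version = ep.software.get(product)
        if version is not None and version in affected_versions:
            result["affected"].append(ep.hostname)
        else:
            result["unaffected"].append(ep.hostname)
    return result


def coverage(result: Dict[str, List[str]]) -> float:
    """Fraction of known endpoints with a fresh inventory report."""
    total = sum(len(v) for v in result.values())
    if total == 0:
        return 0.0
    return (len(result["affected"]) + len(result["unaffected"])) / total


def supplier_answer(result: Dict[str, List[str]]) -> str:
    """The honest answer to 'did you have the affected versions?'.

    'yes' as soon as any fresh report shows an affected version; 'no' only
    when every endpoint has a fresh report and none is affected; otherwise
    the supplier cannot say with certainty, which is the case a yes/no
    questionnaire hides.
    """
    if result["affected"]:
        return "yes"
    if result["unknown"]:
        return "cannot say with certainty"
    return "no"


# Constructed reference time and inventory (placeholder product and versions).
NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Endpoint("app01", NOW - timedelta(hours=2), {"ExampleMonitor": "2.1"}),
    Endpoint("app02", NOW - timedelta(hours=3), {"ExampleMonitor": "2.2"}),
    Endpoint("db01", NOW - timedelta(days=1), {"ExampleDB": "12.4"}),
    Endpoint("lab07", NOW - timedelta(days=30), {"ExampleMonitor": "2.1"}),  # stale
    Endpoint("vm-old", None, {}),  # known host, never reported inventory
]
AFFECTED_VERSIONS = {"2.1", "2.2"}  # hypothetical affected versions


if __name__ == "__main__":
    exposure = classify_exposure(SAMPLE_INVENTORY, "ExampleMonitor", AFFECTED_VERSIONS, NOW)
    print(exposure)
    print(f"inventory coverage: {coverage(exposure):.0%}")
    print("answer:", supplier_answer(exposure))
```

Run against the constructed inventory, two hosts are affected, one is clean and two are unknown, so coverage is 60 percent. The useful output for a risk calculation is the whole triple plus the coverage figure, not the single word a questionnaire would have recorded; a supplier reporting “no” with 60 percent coverage is a very different risk from one reporting “no” with 100 percent.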
This should be part of a holistic effort to calculate the overall maturity of your suppliers’ security posture — taking in not just point-in-time, often incomplete, patch and vulnerability telemetry but also a supplier’s approach to threat modeling, secure software development, security architecture and much more.
Focusing on prescriptive questions like “were you running the malicious SolarWinds Orion update?” provides an ostensible assurance at a point in time but won’t help when the next global cyberattack emerges. Effective supply chain security demands a far more expansive approach.
Once you have this quantitative data to hand, combine it with third-party attestation and evaluations to gain a 360-degree view of risk in each supplier. You might want to use international standards to help here, like ISO 27001.
Define a minimum set of requirements and embed them into contracts. This will help build a more consistent, data-driven alternative to that arbitrary, spreadsheet-based approach to assurance, which too many of us still adhere to.
Here are some other considerations:
- Get security/risk teams involved as early on in the new supplier due diligence process as possible. Requirements should be based on the sensitivity of the service being provided.
- Security recertification should be performed periodically and aligned to the criticality of the service provided.
- Carry out comprehensive threat modeling/risk analysis to better understand who your main adversaries are, where they may strike and how. This will help to inform your supply chain security strategy.
- Ensure your suppliers have a clear process for breach notification in the event of a worst-case scenario.
- Understand suppliers’ approaches to the secure software development lifecycle (SDLC): how are their developers trained and certified in application security? What are their processes for static and dynamic analysis?
- Define incident response playbooks, so you know what good looks like if the worst happens.
This isn’t an exhaustive list, and you’ll notice that it doesn’t address the challenge of end-to-end supply chain assurance. This is a topic we as an industry need to think about more carefully.
Want to gain visibility into the health of your IT environment? Request a free Cyber Hygiene Assessment to help understand the state of your endpoints, identify critical gaps, get your cyber risk score and walk away knowing how to improve your IT hygiene.