This post is part of our special eBook, 6 Steps to Secure your IT Supply Chain. You can download the entire eBook here.
Historically, IT environments have always consisted of various vendors' platforms, software, and systems. But in the cloud and IoT era, and especially in a time of digital transformation, the external IT pieces provided by third-party suppliers have grown more interconnected and vulnerable to attack than ever before.
IT depends more and more on software as a service (SaaS) rather than homegrown software. Whether software is a commercial off-the-shelf product, internally developed, or a cloud service, almost all of it is composed of a patchwork of ready-made components and APIs, both closed and open source. In fact, according to recent figures, the average enterprise software project today contains 203 third-party code dependencies.[1]
Whether at the code, application, platform, or even hardware level, dependency on other companies' technology exposes organizations to risk. Each of these suppliers of the building blocks of the modern IT environment is a potential avenue of exposure to attackers, and a compromised supplier can turn its product into a delivery vehicle, as the SolarWinds Orion compromise showed.
As attacks against these building blocks increasingly become a key part of threat actors’ playbook, taking proper steps to secure the enterprise’s IT supply chain is crucial to maintaining an effective cybersecurity program. Ideally, organizations should not be reacting to every headline-inducing supply chain attack; instead, they should already have layered protections and defenses in place so that the risk is mitigated before the headline appears.
Here’s what it takes to start moving towards better protection.
Step one: Continuously inventory and manage IT assets
Organizations need to know quickly when a named vulnerability like Ripple20[2] or a highly impactful backdoor like SolarWinds Sunburst affects their infrastructure. This can’t happen if IT and business leaders don’t have a thorough understanding of what is running in their environments and which service providers can connect to, or are closely integrated with, the enterprise’s systems.
[1] “The 2020 State of the Octoverse,” GitHub, December 2020
[2] “Ripple20: 19 Zero-Day Vulnerabilities Amplified by the Supply Chain,” JSOF, 2020
Documenting and continuously keeping tabs on the hardware and software asset portfolio configuration state prepares organizations to quickly identify where the risk of IT supply chain attacks may occur. This can be a tall task when done manually, so leveraging an automated tool is crucial here.
When paired with regular cybersecurity risk assessments, IT asset inventories can also help security strategists understand where best to reconfigure or add security controls to their architecture to mitigate supply chain risks.
Step two: Monitor third-party risk
A big part of IT supply chain security is keeping tabs on how much risk vendors are introducing into the environment. The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) and audits of providers’ CMMC levels can provide point-in-time snapshots of vendors and service providers.
For more continuous views, particularly in the case of cloud services, some enterprises may consider using a third-party risk management platform to keep tabs on the state of security at vendors and other partners that connect to the organization’s systems or handle its data regularly. This works best when companies use that feed to integrate third-party risk management into vendor management practices, with a focus on working with suppliers to drive down the risks that SaaS and cloud services introduce to the enterprise’s environment.
Step three: Address software supply chain hygiene
As organizations work to secure their application layers from IT supply chain attacks, software hygiene will play a big part in the process. For commercial and SaaS software, this starts with strong vulnerability and configuration management practices aided by the asset inventory discussed above. Supplementing this with rigorous audits and penetration tests helps ensure that known and previously unknown software flaws and misconfigurations are quickly remediated.
Meanwhile, software supply chain management practices are crucial for companies engaging in internal development or extensive integration and customization of their software ecosystems. This starts by developing and managing a software bill of materials (SBOM) to thoroughly understand the library and component dependencies, open source or otherwise, that software uses under the hood. Raising the maturity of code repository management and exercising greater governance over the components and APIs that developers can pull from can help organizations make significant headway in reducing software supply chain risks.
For the complete list of steps, check out our eBook, 6 Steps to Secure your IT Supply Chain, here.
Ultimately, organizations can’t simply buy their way out of the problems posed by sophisticated supply chain attacks. If it were as easy as purchasing a tool, that would be the hottest-selling security tool on the market. Instead, organizations must roll up their sleeves and get to work, taking the measures described above to reduce the likelihood of an attack landing, as well as speeding up their detection of them via proactive monitoring and rapid response.
To close, ransomware “is present in almost 70% of malware breaches this year”, according to Verizon’s 2022 Data Breach Investigations Report. Examine your organization's cybersecurity defenses against the most recent ransomware campaigns, zero-day attacks, or other exploits; we are offering* a complimentary ransomware readiness assessment to organizations uncertain about their cybersecurity risks.
We’ll review our findings with you and provide recommendations to remediate any risks quickly. Schedule your evaluation here.
Related: Protect your supply chain from attacks like Kaseya Ransomware and Strategies For Securing Your Supply Chain