How can infosec professionals critically reassess how they detect and quickly prevent inevitable supply chain attacks?
The impact radius of the SolarWinds SUNBURST supply chain attack is still not fully known. Yet this major breach already serves as a cautionary tale for infosec professionals and their organisations. Supply chain attacks, which exploit third-party vulnerabilities to gain access to sensitive information or damage an organisation, are not new. However, their increasing sophistication, as evidenced by the SolarWinds attack, means infosec professionals need to critically reassess how they detect and quickly prevent the supply chain attack attempts that will inevitably come.
The devil is in the due diligence
Following the same standardised rule book for supply chain attacks will unfortunately no longer cut it. Infosec professionals are comfortable approaching their due diligence for new vendors as a tick-box exercise, with forms quizzing new suppliers on company details ranging from references to credentials and compliance evidence such as SOC 2 reports and Cloud Security Alliance (CSA) membership.
However, these longstanding best practices are often no match for constantly evolving supply chain threats. Even worse, sometimes best practices cannot be followed at all, with infosec professionals struggling to allocate the time and resources needed to keep their supply chain protected. With this in mind, they have to work smartly when it comes to due diligence.
Key to companies’ due diligence is prioritising critical suppliers, who require a level of scrutiny above standard best practice to ensure their security. A good practice which CISOs and CIOs may want to consider is frequent IT audits that go beyond the standard third-party attestation, which is only the minimum requirement for securely managing an organisation’s data. While this demands additional time and effort from both customers and third-party auditors, it can shed critical insight into vendors’ actual practices. Knowing whether vendors are rigorously following best practices, or only adhering to them on occasion, is a vital step in supply chain due diligence.
Apply internal best practices to external vendors
Once organisations have assessed how critical each supplier is, CISOs can rank them according to the risk they pose. For instance, if you have limited visibility into a critical supplier’s infrastructure, security professionals need to plan for worst-case scenarios such as supply chain leaks or backdoors. Whether or not a vendor is critical changes its risk rating in relation to the organisation. What we learned from the SolarWinds attack was that one of the vendor’s recommendations was to disable standard security controls on their software.
While planning for worst-case scenarios in this way is extremely common for CISOs when it comes to their own internal risks, it is not yet common business practice for external risks. Quantifying both external and internal risks is something security professionals need to be actively doing now. Security professionals know vulnerabilities will always exist within their systems and their supply chain, which inherently makes security a risk-based discussion with their suppliers.
Proactively locate, react and resolve attacks
Alongside the existing documentation detailing what measures vendors have in place against attacks, businesses need to be able to detect lateral movement within their own network. Without this, organisations are fighting blind against adversaries once they are inside the perimeter defences. Introducing additional layers of defence, such as network detection and response (NDR), which can monitor and record all activity occurring on the network whether or not a detection fired, can be effective.
According to Gartner, NDR provides important security controls across many stages of a supply chain attack kill chain. With this visibility, CISOs and CIOs can track in detail an intruder’s movements across their entire IT estate, from new connections to abnormal user behaviour or a supply chain attack in progress. With a full picture of network movement, SecOps and SOC teams can quickly uncover attacks and remediate vulnerabilities to stop further damage.
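The "new connections" signal described above can be illustrated with a small baseline comparison. The following is an added example, not code from the article or from any NDR product: it learns the host-to-host pairs seen during a quiet baseline period from constructed flow records, then flags a source that suddenly contacts several never-seen internal hosts, or any never-seen host on a remote-administration port. The addresses, ports and threshold are constructed assumptions.

```python
"""Flag lateral-movement candidates by comparing a learned baseline of
host-to-host connections with a new observation window (added example)."""
from collections import defaultdict

# Constructed sample flow records: (source, destination, destination port).
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 443),  # management server -> app server API
    ("10.0.1.10", "10.0.2.21", 443),
    ("10.0.1.10", "10.0.9.5", 53),    # DNS
    ("10.0.3.30", "10.0.2.20", 443),  # workstation -> app server
]
WINDOW_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 443),  # already in baseline, ignored
    ("10.0.1.10", "10.0.2.22", 445),  # never-seen host, SMB
    ("10.0.1.10", "10.0.2.23", 445),
    ("10.0.1.10", "10.0.2.24", 3389),  # never-seen host, RDP
    ("10.0.1.10", "10.0.2.25", 445),
    ("10.0.3.30", "10.0.2.20", 443),  # known pair, ignored
]

# Ports commonly used for remote administration (assumed list for the example).
LATERAL_PORTS = {22, 445, 3389, 5985, 5986}


def build_baseline(flows):
    """Return the set of (src, dst) pairs observed in the baseline period."""
    return {(src, dst) for src, dst, _ in flows}


def detect_lateral_movement(baseline, window, fanout_threshold=3):
    """Return {src: finding} for sources whose new connections look like
    lateral movement: fan-out to >= fanout_threshold never-seen hosts, or any
    never-seen host reached on a remote-administration port."""
    new_hosts = defaultdict(set)    # src -> destinations not in baseline
    admin_hosts = defaultdict(set)  # src -> new destinations on admin ports
    for src, dst, port in window:
        if (src, dst) in baseline:
            continue  # an established relationship, not interesting here
        new_hosts[src].add(dst)
        if port in LATERAL_PORTS:
            admin_hosts[src].add(dst)
    findings = {}
    for src, hosts in new_hosts.items():
        reasons = []
        if len(hosts) >= fanout_threshold:
            reasons.append(f"{len(hosts)} never-seen destinations (fan-out)")
        if admin_hosts[src]:
            reasons.append("admin ports to " + ", ".join(sorted(admin_hosts[src])))
        if reasons:
            findings[src] = {"new_hosts": sorted(hosts), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, finding in detect_lateral_movement(build_baseline(BASELINE_FLOWS), WINDOW_FLOWS).items():
        print(src, "->", finding["new_hosts"], "|", "; ".join(finding["reasons"]))
```

In practice the baseline would be rebuilt continuously from recorded flows, and a vendor appliance's permitted connections would be compared against what the vendor's own documentation says it needs.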
It’s clear supply chain attacks are inevitable and businesses should expect them to happen. The differentiator is an organisation’s ability to react rapidly by locating the activity and remediating the issue as soon as possible. Security professionals can no longer rely on carefully constructed business moats to block malicious activity. The moat will be breached; it’s how quickly organisations react to resolve the situation that counts.
by Mike Campfield, VP, GM International Operations and Global Security Programs