A look at the measures recommended by industry pros at RSA Conference
In the middle of a global pandemic, amid rising global tensions and a hostile threat landscape, businesses might be forgiven for holding back on innovation and simply treading water to survive. However, treading water wouldn’t cut it against the combined forces weakening organizations’ supply chain security, as we learned in Part 1 of this three-part series on “Supply Chain Security Awareness.”
After digging through the supply chain risks organizations faced over the past 14 months, we took a closer look at the most recent US legislation and regulations that support stronger supply chain security—and cybersecurity in general—in Part 2 of our series.
Finally, in Part 3, we’ll explore the most effective solutions for prioritizing supply chain security and reducing risk in the months and years to come, as recommended by the experts at RSAC 2021. Without further ado, here’s the third and final installment of “Supply Chain Security Awareness.”
The new perimeter: secure partnerships
We’ve often heard “the perimeter is dead” in the context of the cloud. Certainly, businesses felt that pinch in the mad scramble to retrofit IT and security infrastructures for whole-company remote work. Those organizations that were already transitioning or had previously transitioned to the cloud had a leg up on their competitors.
However, in the context of the supply chain perimeter, it might be more accurate to say businesses need their partners and suppliers to incorporate security best practices as well. As organizations consider their supply chain acquisition process, they must apply due diligence to manage risk moving forward. Does the supplier test for vulnerabilities? What is the testing process? Do they have proper asset management processes? What about an incident response plan?
The real blocker for a lot of companies is insufficient transparency into their digital or physical supply chains. In “A Punch to the Supply Chain: Fighting Back to Resilience,” RSAC attendees learned that only 2 percent of executives are looking at their third-, fourth- or fifth-tier suppliers to lower security risks.
For a clear view of suppliers’ security, audit from the top level down to the sub-tier. Start by identifying all of your organization’s suppliers, from physical goods to hardware, software and other services. Consider partnering with an agency or firm to establish risk profiles for each supplier. Additionally, integrate software (AI/ML) to analyze risk within each tier.
Some organizations leaned on their partners to shore up supply chain security. Others leaned on their teams—a task made inherently easier through convergence. Rather than having physical security and cybersecurity departments operate in silos, convergence allows for a holistic view of threats to the organization.
Mark Weatherford, CISO, AlertEnterprise and Chief Strategy Officer of the National Cybersecurity Center, told RSAC attendees about the power of a converged security team. “It’s important to have a common operating system,” he said. “Convergence has a profound effect.” Weatherford listed advantages such as safety benefits, cost savings and increased efficiencies in having a common security team with different focuses.
Weatherford spun the idea of convergence even further to include the integration of security and IT into the business as a whole. As we learned with SolarWinds, security is no longer the CISO’s responsibility alone—it has become a C-Suite, CEO and even board-level responsibility.
“If you don’t have convergence—if the CISO doesn’t talk to the CIO who doesn’t talk to the CEO—what happens when an incident happens?” asked Weatherford. “Do you send the guy with the gun, the guy with the wrench or the guy with the computer skills?”
For more information on convergence and its benefits, take a look at this guide from the Cybersecurity & Infrastructure Security Agency.
Where organizations stand in resilience depends on where their data sits across the globe. Industry pros left and right at RSAC stressed data asset management as an important requirement for suppliers to track and trace.
To begin, organizations should collect their own data. Given the free flow of information, do you know where your data is and who you’re sharing it with? Experts at several supply chain sessions warned: Make sure it doesn’t go beyond what’s necessary. Restricting access to sensitive data, segmenting networks, and protecting important assets with two-factor authentication help organizations track data and defend against hacks.
As for suppliers, organizations should ideally be able to collect standard sets of data from each. Those standards will soon be issued forth by NIST as directed by President Joe Biden’s Executive Order. In the meantime, these data sets often exist today as a confusing accumulation of digital and software components—many of them pre-written and some coded from scratch.
In “DBOM and SBOM: New Options for Better Supply Chain Cybersecurity,” RSAC attendees learned that the average software product contains over 100 components, though some have thousands. Consultant and blogger Tom Alrich told participants, “Because each of these components can have its own vulnerabilities, they need to be tracked and remediated just like vulnerabilities in the code developers themselves wrote. You can’t do that if you don’t know what the components are.” Organizations can now systematically document these components in the form of both a Software Bill of Materials (SBOM) and a Digital Bill of Materials (DBOM).
An SBOM is essentially a list of the components (and their vulnerabilities) that make up a particular software product; SBOMs can attest to the status of a product’s code so that buyers can make an educated choice about risk. However, a simple list of components often isn’t enough. If your organization uses multiple software products that each have their own components, you’ll need to track them using automated processes. This means you’ll need to receive SBOMs in a machine-readable format, such as SPDX, CycloneDX or SWID.
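To make the “automated processes” point concrete, here is an added example (not code from the original post or from any of the speakers or projects it mentions) that ingests a CycloneDX-style SBOM in JSON, pulls each component’s package URL (purl) and version, and cross-references them against an advisory feed to flag components running below the fixed-in version. The SBOM document, the advisory list and the advisory identifiers are all constructed for the example; the version comparison is a simple numeric-tuple scheme assumed for illustration and is not a full implementation of any ecosystem’s versioning rules.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM (JSON). Component names, versions and purls
# are invented for this example and do not describe any real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-helper@2.14.1"},
    {"type": "library", "name": "json-parse", "version": "1.3.0",
     "purl": "pkg:npm/json-parse@1.3.0"},
    {"type": "library", "name": "zlib-wrap", "version": "0.9.7",
     "purl": "pkg:pypi/zlib-wrap@0.9.7"},
    {"type": "library", "name": "in-house-util", "version": "0.1.0"}
  ]
}
"""

# Constructed advisory feed: (purl without version, first fixed version, advisory id).
# The ids are placeholders, not real CVE or GHSA identifiers.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("pkg:maven/org.example/log-helper", "2.15.0", "ADVISORY-PLACEHOLDER-1"),
    ("pkg:npm/json-parse", "1.2.5", "ADVISORY-PLACEHOLDER-2"),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' into (2, 14, 1), padding to three fields so '1.3' == '1.3.0'.

    Assumption for the example: plain dotted numeric versions. Non-numeric
    suffixes are stripped; real ecosystems need their own comparison rules.
    """
    parts = []
    for p in v.split(".")[:3]:
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:npm/json-parse@1.3.0' into ('pkg:npm/json-parse', '1.3.0').

    Qualifiers ('?...') and subpaths ('#...') are not handled here.
    """
    base, sep, version = purl.rpartition("@")
    if not sep:
        return purl, ""
    return base, version


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract matchable components from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    comps: List[Dict[str, str]] = []
    for c in bom.get("components", []):
        purl = c.get("purl")
        if not purl:
            # Without a purl the component cannot be matched automatically;
            # it should be routed to manual review rather than silently dropped.
            comps.append({"name": c.get("name", "?"), "purl_base": "",
                          "version": c.get("version", ""), "needs_review": "yes"})
            continue
        base, version = split_purl(purl)
        comps.append({"name": c.get("name", base), "purl_base": base,
                      "version": version or c.get("version", ""), "needs_review": "no"})
    return comps


def find_vulnerable(components: List[Dict[str, str]],
                    advisories: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Report every component whose version is below an advisory's fixed-in version."""
    findings: List[Dict[str, str]] = []
    for comp in components:
        if not comp["purl_base"]:
            continue
        for base, fixed_in, adv_id in advisories:
            if comp["purl_base"] == base and parse_version(comp["version"]) < parse_version(fixed_in):
                findings.append({"name": comp["name"], "version": comp["version"],
                                 "fixed_in": fixed_in, "advisory": adv_id})
    return findings


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    for f in find_vulnerable(comps, ADVISORIES):
        print(f"{f['name']} {f['version']} is below fixed-in {f['fixed_in']} ({f['advisory']})")
    for c in comps:
        if c["needs_review"] == "yes":
            print(f"{c['name']} has no purl; manual review required")
```

Run as a script, it reports the one constructed component below its fixed-in version and separately lists the component that carries no purl. That second path is the part worth keeping in a real pipeline: an SBOM entry with no machine-matchable identifier is exactly the component whose vulnerabilities you would otherwise never see, so it should surface as an exception rather than disappear.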
A DBOM, on the other hand, is an architecture—a standardized, repeatable set of repositories and channels—that allows organizations to share SBOMs and other attestations in the ways intended by the parties involved. If the SBOM tells buyers what’s in the software, the DBOM tells them who touched the software in development. It’s an ecosystem that replaces fax sheets, emails, spreadsheets and other information that is typically scattered.
This draft of NIST’s “Cyber Supply Chain Risk Management Practices for Systems and Organizations” is available for organizations to reference as guidance, though it has not yet been finalized.
Supply chain resilience doesn’t just happen—it’s planned and then tested. Robert Brese, VP, Executive Partner at Gartner, said at RSAC, “Scenario planning is key. You can build on techniques used in a number of different operational areas. For example, you could get into detailed table-top war-gaming regarding your strategic supply chain risks. The amount of time and effort you spend on that should be consistent with the commiserate business value.”
Operational testing can be much more complex than scenario planning for digital resilience. It requires organizations to pre-identify physical dangers and rule them out. A converged security team would be most beneficial for operational scenario planning, but if that’s not an option, look to the military for advice, consultation or even hiring purposes.
Scenario planning starts with asking the right questions. Marco Figueroa, Principal Threat Researcher, SentinelOne, told RSAC participants that one of the most important exercises is to form an internal think tank coming up with worst-case scenarios. Think: What would attackers want if they penetrated your network? What are your crown jewels?
“You need to have that conversation,” said Figueroa. “If it hits the CAT scan or MRI, is that segmented correctly? Or if you’re a car company, ask, ‘Could someone compromise the car-building process?’ These are conversations that I hope will happen in the wake of the [SolarWinds] attack.”
All together now
Organizations trying to unravel the complexity of their global supply chains probably feel a bit like Rapunzel brushing out the world’s biggest snarl. But the hardships experienced over the past 14 months—from the SolarWinds attack to the pandemic—have translated into lessons learned by suppliers and buyers alike. And those lessons have resulted in greater awareness, agility and alignment throughout the cybersecurity industry.
But the work is far from over. In fact, it’s only just begun. Organizations must look to NIST for guidance on SBOMs, DBOMs and standards for IoT development. New data privacy laws coming down the pike will require companies’ compliance, as will any further regulation on global trade. If you drive a culture of relentless awareness across your enterprise and third-party ecosystem, you will not fall behind.
However, supply chain security awareness alone won’t give organizations a competitive edge. Andrea Little Limbago, Ph.D., Vice President, Research and Methodology at Interos, told RSAC attendees that in preparing for the new normal, we must avoid the inherent tendency to prepare for yesterday’s risks and disruptions. “We need to overcome this collective failure of imagination,” she said.
Therefore, organizations must also be agile—willing to expect the unexpected event or data point and deal with it as it comes. Perhaps you have to shrink a 12-month planning cycle down to six or three months. Or you may need to prioritize auditing suppliers over restructuring teams for better efficiency. Use a framework that gives you a core set of guidelines while allowing for flexibility to address an emergent issue.
Organizations that want to take supply chain resilience a step further will need to reach across their own perimeter to collaborate with others. In “A Punch to the Supply Chain: Fighting Back to Resilience,” Edna Conway, Chief Security & Risk Officer for Microsoft’s Azure, said, “Let’s be clear: It’s a world of ‘we.’ The concept of ‘us’ and ‘them’ doesn’t work anymore.” Collective security requires that we move from a shared responsibility model to a shared fate approach. If you don’t sit down at the table and participate in the dialogue, then you’re not part of the solution.