Yuriy Bulygin is CEO and co-founder of Eclypsium.

These days we hear a lot about trust in cybersecurity. From zero trust, which demands that we “never trust and always verify,” to the implicit decentralized trust that fuels blockchain technologies, the notion of trust has become a cornerstone of the modern digital enterprise.

Yet these ideals are often glossed over when it comes to the products and vendors that form the backbone of our IT infrastructure.

Organizations depend on a growing constellation of technology products and services, which in turn, typically rely on dozens of third-party suppliers or components. From the embedded firmware to the software that comes preinstalled on hardware, networking equipment, and other IT infrastructure products, a critical flaw in just one of these is sufficient to wreak complete havoc.

For today’s CISO, mitigating this third-party risk has become an urgent priority, which is why Gartner projects that 60% of supply chain risk management leaders will use cybersecurity risk as a significant determinant in how they do business by 2025.

Deconstructing Risk Assessment

Last year, we saw dozens of supply chain incidents that directly resulted in massive risks to IT infrastructure. Ransomware attacks gave attackers the signing keys and firmware for the motherboards and storage drives used in hundreds of products. Vulnerabilities in VPNs, firewalls and routers were all used in attacks in the wild.

While there’s no shortage of companies that test the “feeds and speeds” of a product’s performance, there are few resources to help IT decision-makers objectively evaluate the deeper, intrinsic security postures of these products—especially regarding vulnerabilities in the underlying components.

Instead, enterprise CISOs rely on a combination of three methods for assessing supply chain risk:

• Software And Hardware Bill Of Materials: SBOMs provide clarity by documenting the elements within a product, but they also have limitations. They often lack insight into vulnerabilities in proprietary code, don’t reveal the provenance of code or components, don’t recognize configuration problems, and don’t verify the integrity of code. The SBOM provides a record of what “should be” in the product, but it is up to the buyer to actually check.

• Vendor Questionnaires: While vendor questionnaires offer a structured approach to gathering crucial information on third-party risk, they come with their own set of challenges. Such questionnaires often suffer from inconsistent methodology, and the compilation and review process can be a monumental time sink. And relying on vendors to tell you about the risks in the products they’re trying to sell you is a tenuous strategy at best.

• Open-Source Intelligence (OSINT): Open-source intelligence aims to leverage publicly available data as a means to evaluate third-party supply chain risk. However, this information is often not reliable, timely or accurate.

Using Technical Data To Assess Risk

As an industry, we need a new approach to risk assessment for IT products, going beyond the need for a single technology solution. We need a fresh methodology that allows organizations to evaluate the changing risk factors in their products, aiming to incisively analyze the “guts” of the technologies that interact with data and provide hard metrics that we can use to measure risk and hold our vendors accountable.

The good news is that there are well-vetted models we can use for inspiration. The U.S. federal government has been wrestling with the challenges of supply chain risks for quite some time, and many of the lessons learned by NIST, CISA and other agencies can directly translate to private enterprises. Let’s look at a few examples:

Cybersecurity Standards For The Supply Chain

NIST SP 800-171 sets cybersecurity standards for nonfederal organizations that work with federal information. And if this sounds exotic, it’s not. This is not a cybersecurity strategy for protecting top-secret classified data. It’s an approach for how normal enterprises that work with the federal government are expected to protect unclassified federal information. Many vendors may already have to comply with this or a similar regulation.

Enterprises should question how a prospective vendor protects their own code and environments. And do they extend those same expectations to their suppliers? Of course, being able to verify a vendor or supplier’s cybersecurity can be a challenge, but it at least sets a standard.

Making Supply Chain Security An Active Process

One big problem today is that supply chain security efforts are often passive. SBOMs are collected for reference, questionnaires are answered, and boxes are checked. If organizations hope to make real improvements in mitigating their risk, they must have the ability to do their own verification. This can be done with specialized supply chain security tools or with open-source tools and elbow grease, like:

• Know your inventory. Organizations have many vendors, with many models of products, with many versions. If news breaks that attackers are exploiting a Unified Extensible Firmware Interface (UEFI) vulnerability in a certain supplier’s motherboard, do you know which of your devices are affected?

• Verify integrity and monitor baselines. Integrity checking allows you to verify that the code you received from your vendor exactly matches the code that should be in that system. It confirms that the product wasn’t tampered with in transit or that a component wasn’t swapped out for a cheaper option. Once it’s in your possession, capture a baseline and watch it for any unexpected changes.

• Extend vulnerability and threat scanning. Once we have deep visibility into our IT assets, we need to look for problems such as vulnerabilities, misconfigurations and threats. These issues are often deeply buried and may not be accessible via normal scans. Likewise, attackers often drop implants into these low levels specifically to hide from more traditional security tools. Security teams must have complementary approaches that can look for these risks that fly under the radar.
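The three steps above, together with the earlier point that an SBOM records what “should be” in a product while the buyer still has to check, come down to a few concrete operations: look up which inventory entries match a vendor advisory, compare the digests of the components actually present against the vendor’s manifest, and keep a baseline so later changes stand out. The script below is an added illustration written for this article, not Eclypsium’s product code or any vendor’s tooling. The inventory, the manifest, the hostnames and the “firmware images” are all constructed byte strings and stand in for real UEFI or BMC images; the vendor, model and version values are hypothetical.

```python
"""Added example: inventory lookup, vendor-manifest integrity check and
baseline drift detection over constructed sample data (not Eclypsium code)."""
import hashlib
import json


def sha256_hex(blob: bytes) -> str:
    """Digest of a component image; comparisons are made on digests, not raw bytes."""
    return hashlib.sha256(blob).hexdigest()


# Constructed component images standing in for UEFI and BMC firmware blobs.
GOOD_UEFI = b"uefi-image-v1.2.3"
GOOD_BMC = b"bmc-image-v4.0.1"
TAMPERED_UEFI = b"uefi-image-v1.2.3-with-unexpected-change"

# Constructed vendor manifest: what "should be" in the product, by component name.
VENDOR_MANIFEST = {
    "uefi": sha256_hex(GOOD_UEFI),
    "bmc": sha256_hex(GOOD_BMC),
}

# Constructed inventory: vendor, model, version and the components observed on each host.
INVENTORY = [
    {"host": "srv-01", "vendor": "AcmeBoards", "model": "X100", "uefi_version": "1.2.3",
     "components": {"uefi": GOOD_UEFI, "bmc": GOOD_BMC}},
    {"host": "srv-02", "vendor": "AcmeBoards", "model": "X100", "uefi_version": "1.3.0",
     "components": {"uefi": GOOD_UEFI, "bmc": GOOD_BMC}},
    {"host": "srv-03", "vendor": "AcmeBoards", "model": "X100", "uefi_version": "1.2.3",
     "components": {"uefi": TAMPERED_UEFI, "bmc": GOOD_BMC}},
    {"host": "srv-04", "vendor": "OtherCorp", "model": "Z9", "uefi_version": "1.0.0",
     "components": {"uefi": GOOD_UEFI, "bmc": GOOD_BMC}},
]


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> tuple, so '1.10.0' sorts after '1.9.0'."""
    return tuple(int(part) for part in version.split("."))


def affected_devices(inventory, vendor, model, fixed_in):
    """'Know your inventory': hosts of this vendor/model running a version below the fix."""
    return sorted(
        device["host"] for device in inventory
        if device["vendor"] == vendor and device["model"] == model
        and parse_version(device["uefi_version"]) < parse_version(fixed_in)
    )


def verify_integrity(components, manifest):
    """'Verify integrity': components whose digest differs from the manifest,
    plus components the manifest lists but the device lacks, or has but the
    manifest does not list (both are findings, not silently ignored)."""
    observed = {name: sha256_hex(blob) for name, blob in components.items()}
    return sorted(
        name for name in set(manifest) | set(observed)
        if manifest.get(name) != observed.get(name)
    )


def capture_baseline(components):
    """Record per-component digests when the device enters your possession."""
    return {name: sha256_hex(blob) for name, blob in components.items()}


def detect_drift(baseline, components):
    """'Monitor baselines': components added, removed or changed since the baseline."""
    return verify_integrity(components, baseline)


def run_report(inventory, manifest, vendor, model, fixed_in):
    """Combine the three checks into one per-fleet report (returned, not just printed)."""
    return {
        "affected_by_advisory": affected_devices(inventory, vendor, model, fixed_in),
        "integrity_findings": {
            device["host"]: verify_integrity(device["components"], manifest)
            for device in inventory
            if verify_integrity(device["components"], manifest)
        },
    }


if __name__ == "__main__":
    print(json.dumps(run_report(INVENTORY, VENDOR_MANIFEST, "AcmeBoards", "X100", "1.3.0"), indent=2))
```

In real use the component bytes would come from a firmware dump or the vendor’s published image, and the manifest digests from the SBOM or the vendor’s signed release notes; the point the script makes is that each of the three checks is a comparison you can run yourself rather than a statement you accept from the vendor.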

As the old saying goes, “trust must be earned, not given.” To effectively mitigate supply chain risks, decision-makers must recognize that trust isn’t just about vendor promises or cursory evaluations. It demands a comprehensive understanding of the entire supply chain, ensuring that every component, no matter how small, is vetted for potential vulnerabilities.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
