The SolarWinds incident catapulted the concept of supply chain attacks into the spotlight of business risk management. However, it was merely the opening act for a series of events that would follow.
In today’s interconnected world, our reliance on third-party vendors is inevitable. While this dependency is essential, it also comes with risks that need to be diligently managed. Consider this: Why would a hacker spend time exploiting individual vulnerabilities across multiple companies when they could focus on a single product used by hundreds?
Supply chain risk is not going away and the recent MOVEit breach reinforces this precarious nature of relying on third parties. Not because these types of vendors are any less diligent, but rather because they present more lucrative targets for attackers. In fact the full impact of this breach is still being discovered with over 1,000 companies and over 60 million individuals affected.
The CIO and CISO: Partners in Arms
As vendors face immense pressure to secure their products, they are not the only ones bearing the burden. CIOs and CISOs must also understand the risks associated with these third-party systems and take necessary precautions.
This collaboration between CIOs and CISOs is crucial in crafting secure environments for these systems. Understanding the risks these products represent and the technology solutions needed to mitigate are the opening lines in the conversation.
Good cybersecurity practice involves following a few key principles, and then builds from there. In addressing the software risks posed here, two principles are longstanding accepted in the security world: “assume breach” and “defense in depth”. A newer principle, sometimes accused of being a buzzword, is “zero trust”.
“Assume breach” is the idea we should operate our infrastructure with the realization we can never secure it entirely. As defenders, we must find every vulnerability and secure it. A hacker must only find one to exploit. And that one might just be an end-user, not a software system.
But what is an IT leader to do if being 100% secure is impossible? Assume you are going to fail, that you’ll be breached, and then design around the reality.
–> The big idea for “assume breach” preaches detection.
How do you know if hackers are in your system? Do you know what the normal behavior of your systems and users looks like? Are you monitoring and baselining the activity? Would you then be alerted if the behavior changes? These are all important considerations.
Defense in Depth
Because we must assume we’ll be breached, the next principle is to have “defense in depth”. This is the idea we have separated our systems in ways to prevent a breach of one level from becoming a widespread breach.
While Internet-facing systems have long been placed into a proverbial demilitarized zone, many companies end up with relatively flat networks on the inside, with end-user computers and servers having open network access. Add a VPN to the mix, and now remote users have that same access to everything.
–> Defense in depth requires that we have a layered defense.
If a hacker takes over an end-user computer, they should have limited access to other resources. You can get to the files the user can get to, but you shouldn’t be able to remote control the server. You shouldn’t have network-level access to database servers or other “back-end” systems.
“Zero trust”, as a principle, not a buzzword, then layers a reauthorization protocol on top of defense in depth. As a user connects to various resources, they are not automatically authorized in future attempts just because they were for the earlier ones. I can log into my desktop, but if I try to access sensitive files, I will be prompted to log in again, and this time perhaps with multiple factors (MFA).
–> Zero trust means all traffic between systems is expected, intentional, and freshly authorized.
Add to this good monitoring from our “assume breach” approach, and we can start to look for activity that falls outside the planned traffic. Is there a user trying to access information they shouldn’t? Is there traffic between systems that is unusual?
Our well-controlled paths are monitored as well to make sure the right kind of data is moving in the right direction. We need TLS inspection in place. Otherwise, it’s all encrypted traffic. We’ll see data flowing, but not realize social security numbers are suddenly moving outside of their “secure” zone and headed out to the Internet.
Putting It All Together
This combined approach of assume breach, defense in depth, and zero trust helps build the right level of controls around both our protected information and the third-party systems upon which we rely. By planning the paths intentionally, putting in good authentication and authorization on the channels, and then monitoring everything, we begin to stand a chance when our third-party software is inevitably breached.
While these techniques may not prevent the breach, they can definitely limit the damage. As technology leaders, we should be able to detect illegitimate activity early and then shut it down. This may prevent any sensitive information from leaking, or only a minimal amount. It will also prevent hackers from lateral movement without triggering other alarms.
The risk associated with third-party software is an unfortunate yet integral part of modern business operations. While it’s a vulnerability we have to live with, applying risk-mitigating controls like “assume breach,” “defense in depth,” and “zero trust” can help CIOs and CISOs sleep a bit easier at night.