For most global companies, supply chain risk management traditionally has focused on managing third-party risks—often in the limited context of the physical supply chain. But what the SolarWinds cyber-attack harshly revealed is the catastrophic havoc fourth and fifth parties can also wreak in the often-ignored cloud supply chain.
Hackers implanted malicious code into the software-build process of SolarWinds’ Orion products in order to compromise customers’ Orion services using a backdoor and steal their data.
Speaking on a Dec. 23 webinar, Jim Routh, chief information security officer (CISO) of MassMutual, called the SolarWinds hack “a shift in the tectonic plates of cyber-security.” He recommended that companies and organizations think about what steps they can apply immediately from a cloud supply chain risk management standpoint. “This is a wake-up call for the enterprise,” he said.
Here are five things companies can, and should, do right now:
Start by having the right conversations. “The bottom line is that we’ve been having the wrong conversations,” said Bob Brese, vice president and executive partner at Gartner and former chief information officer (CIO) for the U.S. Department of Energy. Many conversations CIOs and CISOs have with the C-suite and the board focus on solving technical problems, rather than managing risk, he said.
“Not all vulnerabilities are created equal,” Brese added. In today’s cloud supply chain, for example, monitoring a fourth- or fifth-party relationship (so-called Nth parties) may take precedence over reducing the number of unpatched vulnerabilities in a system, especially one that isn’t carrying proprietary information that needs to be kept confidential or secret. It’s all about having the right conversations around which aspects of your ecosystem are the most critical, Brese said.
The C-suite and the board don’t have to be as technically competent as IT and cyber-security professionals, but they must be knowledgeable about the company or organization’s risk posture and where attention needs to be focused from a cloud supply chain risk management standpoint. “That will at least allow you to start to draw a line in the sand on what your organization’s risk appetite is on a day-to-day basis,” Brese said.
“With that, the CIO and CISO can make a lot of progress on securing the enterprise and managing fourth- and fifth-party relationships,” Brese added. “Those are hard conversations to have, because a lot of folks just haven’t given it much thought.”
Focus on building resiliency into the fabric of the enterprise. A key part of the conversation the C-suite and board should have with the CISO and CIO should focus on how to build greater resiliency into the development, security, and operations (DevSecOps) pipeline. “Those are healthy conversations to have,” Routh said.
At the foundational level, it starts with robust software management: “Repository management is a big deal, not a little deal,” Routh said. The repository must be treated like a third party, requiring its own unique and specific set of controls, and software developers must be educated on making it more resilient, he said.
Technical jargon aside, think of it from a risk management standpoint: All companies and organizations use software. Software developers, in turn, increasingly rely on open-source components that are hosted by an Nth party—a cloud-service provider. Thus, just in the scope of using software, most companies are dealing with third, fourth, and fifth parties as part of a single ecosystem.
“The entire supply chain is now tied to the development process,” Routh said. That creates a tremendous amount of risk for companies that demands a tighter set of controls and higher levels of scrutiny to manage in this new environment where cyber-criminals are only getting more sophisticated.
Baking controls into the ecosystem at the design stage helps to drive down IT costs, as well. “Doing it right the first time costs less than fixing a big problem downstream,” Routh said.
Do not ignore basic cyber-security hygiene. Much like the 2017 “NotPetya” cyber-attack—in which Russian threat actors exploited weaknesses in legacy unencrypted network management protocols and stole credentials, personal data, and sensitive corporate information—the SolarWinds breach is just the latest stark reminder about the importance of practicing basic security hygiene, including basic access-management controls. “From an access-management standpoint, you have to use your best identity-access control professionals to design cyber-security controls to repositories,” Routh said.
Some lessons can be taken directly from SolarWinds, which described in an FAQ advisory how it is “increasing existing actions and taking additional actions across the enterprise to further harden and improve the security of our environment and products.” Such efforts have included:
- Further restricting access rights to its build environment and build pipeline;
- Auditing and surveillance;
- Refreshing all employee and contractor credentials and credential security and elevating access restriction; and
- Re-signing all release code with new certificates.
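The last item has a consumer side too: once a vendor re-signs its releases, artifacts signed with the withdrawn key must be refused even though their signatures still verify. The Go example below is added here and is not SolarWinds’ or the webinar’s code; it uses a constructed ed25519 key pair in place of real code-signing certificates, and the names Release, TrustStore, Sign and RotationDemo are hypothetical.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Release is what the consumer receives: artifact bytes, the key the vendor claims signed it, a detached signature.
type Release struct {
	Artifact  []byte
	Signer    ed25519.PublicKey
	Signature []byte
}
// TrustStore is the consumer side of a re-signing event: re-issued keys are trusted, withdrawn keys are revoked.
type TrustStore struct {
	Trusted map[string]bool // keyed by raw public-key bytes
	Revoked map[string]bool
}
// Sign is the vendor side (constructed ed25519 key standing in for a code-signing certificate).
func Sign(priv ed25519.PrivateKey, artifact []byte) Release {
	digest := sha256.Sum256(artifact)
	return Release{artifact, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, digest[:])}
}
// Verify refuses a withdrawn key even when its signature is valid, an unknown signer, and any changed bytes.
func (ts TrustStore) Verify(r Release) error {
	switch id := string(r.Signer); {
	case ts.Revoked[id]:
		return errors.New("signed with a revoked key: obtain the re-signed release")
	case !ts.Trusted[id]:
		return errors.New("unknown signing key")
	}
	digest := sha256.Sum256(r.Artifact)
	if !ed25519.Verify(r.Signer, digest[:], r.Signature) {
		return errors.New("signature does not match artifact")
	}
	return nil
}
// RotationDemo replays the re-signing: old key revoked, new key trusted. It reports whether the old-signed
// release is rejected (valid signature, withdrawn key), the re-signed one accepted, and a tampered copy rejected.
func RotationDemo() (oldRejected, newAccepted, tamperedRejected bool) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed release payload, not a real build")
	ts := TrustStore{Trusted: map[string]bool{string(newPub): true}, Revoked: map[string]bool{string(oldPub): true}}
	tampered := Sign(newPriv, append([]byte{}, artifact...))
	tampered.Artifact[0] ^= 0xff // one byte changed after signing
	return ts.Verify(Sign(oldPriv, artifact)) != nil, ts.Verify(Sign(newPriv, artifact)) == nil, ts.Verify(tampered) != nil
}
```

The revocation check comes before the signature check on purpose: a mathematically valid signature from a compromised key is exactly the case a re-signing is meant to retire.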
Perform enhanced due diligence using network monitoring tools. It’s critical that companies’ third-party governance capabilities include real-time data. “The use of cloud services is going to continue to accelerate,” Brese said. “Real-time, data-informed decision-making is critical.”
The traditional way of vetting vendors and partners—have a consulting firm conduct interviews, perform audits, issue questionnaires, onboard them, and then conduct an occasional evaluation—is “definitely a recipe for disaster in today’s rapidly evolving, cloud-enabled, multi-partner ecosystem,” Brese said. You’ve got to leverage the technologies that are out there today and have critical conversations about where to monitor your ecosystem.
Create strong partnerships. As cloud services become easier to bring into an ecosystem, it becomes incumbent on CIOs and CISOs to build strong partnerships with finance and procurement, Brese said. Having that collaborative relationship reduces the risk that a business unit will, without the knowledge of the CIO or CISO, introduce a cloud service that doesn’t align with the company’s architecture and cloud supply chain risk management process and, in the worst case, introduces a vulnerability into the system.
Another aspect of this partnership should include a chain of accountability—understanding what accountability the CISO and CIO have and accountability the business partners have. “In most companies, the person who owns the P&L (profit and loss) owns the risk,” Brese said. “Partner with them to jointly handle the risk.” Get a shared understanding of who is accountable for what and how you’re going to respond in the event of a cyber-incident.
Collaboration with vendors is equally important. “Sometimes, these cloud providers are going to be your best friend, because they’re the ones that have scale and can really help harden some of the solutions you need to deliver your products and services,” Brese said.
Although it can be challenging at times to build resiliency through collaborative efforts when a third party’s priorities differ from the priorities of the company, “in the end, there is a symbiotic relationship between you and your third parties,” Brese said. “If you have a parasitic relationship with a vendor, ditch them. Find one that is willing to work with you.”
It’s better that a third party or an Nth party recognizes the challenges it faces and has a plan in place to address them than that it says absolutely nothing at all. “Never let a good incident go to waste,” Routh said. “If there is any trigger event to get commonality around risk management, [the SolarWinds hack] is it.”