How to Protect the Security of Your Supply Chain as the Attack Surface Expands
The security of software supply chains is a growing issue for organizations as users, applications, and data become more hyperconnected, creating a widening attack surface, and thus, increasing risk.
While Zero Trust architectures are being used in an attempt to thwart attacks, a new study by ESG and Illumio finds that almost half (47%) don’t believe they will be breached.
The multitude of tools organizations can use to support Zero Trust initiatives can make it difficult to determine where to begin, the study notes. Consequently, practices like segmentation, which prevent attackers from having unfettered access to corporate resources when compromises inevitably occur, are being overlooked, the study found.
This has created a clear disconnect between the need, interest, and proper application of Zero Trust, the study maintains.
Another recently released study, by ISACA, finds another significant issue: 30% of respondents said that their organization’s leaders do not have sufficient understanding of supply chain risks. Only 44% indicated high confidence in the security of their organization’s supply chain, and they are not optimistic about the future, either. Fifty-three percent said they expect supply chain issues to stay the same or worsen over the next six months.
Some have experienced the pain directly: 25% of the 1,300 IT professionals in the ISACA study with supply chain insight indicated that their organization experienced a supply chain attack in the last 12 months.
Similarly, more than one-third of respondents (36%) in the ESG/Illumio study have been the victims of a successful ransomware attack over the past two years.
ISACA survey respondents cited five supply chain risks as being their key concerns:
- Ransomware (73%)
- Poor information security practices by suppliers (66%)
- Software security vulnerabilities (65%)
- Third-party data storage (61%)
- Third-party service providers or vendors with physical or virtual access to information systems, software code, or IP (55%)
So what happens now? Both reports offer some concrete suggestions worth heeding.
Improved Visibility and Better Operational Results
For Zero Trust to be successful, IT and security professionals must understand the assets that reside throughout the enterprise, how they relate, and where the greatest risks are. They need visibility into their software environment. The ESG/Illumio study finds that mature organizations were 4.3 times more likely to have comprehensive visibility into traffic across their environment, and five times more likely to have comprehensive visibility into traffic across all types of application architectures.
Mature organizations have also been able to leverage success with Zero Trust segmentation into broader business results. Over the next year, these organizations will move 14 production applications to the cloud that they otherwise would not have moved because of a lack of confidence in their security, the ESG/Illumio study said.
Respondents also reported freeing up an average of 39 person-hours per week in their security teams due to increased operational efficiencies enabled via Zero Trust.
Better Governance Needed
Eighty-four percent of respondents in the ISACA survey indicated that their organization’s supply chain needs better governance than what is currently in place. Nearly one in five said their supplier assessment process does not include cybersecurity and privacy assessments.
Additionally, 39 percent have not developed incident response plans with suppliers in case of a cybersecurity event and 60 percent have not coordinated and practiced supply chain-based incident response plans with their suppliers.
Nearly half of respondents (49 percent) say their organizations do not perform vulnerability scanning and penetration testing on the supply chain.
Better Collaboration and Coordination with Suppliers
ISACA advocates a multi-pronged approach that includes regular cybersecurity and privacy assessments and developing and coordinating incident response plans in close collaboration with suppliers.
This will require building strong relationships with your organization’s suppliers and establishing ongoing channels of communication, as well as information-sharing, ISACA advises.
John Pironti, a member of the ISACA Emerging Trends Working Group, outlined key steps organizations can take to strengthen their IT supply chain security:
- You can’t protect what you don’t know you have. Develop and maintain an inventory of suppliers and the services/technologies they offer.
- Require disclosure of open-source software components.
- Conduct a threat and vulnerability analysis of the key third parties your business uses.
- Create a technical and organizational measures contract addendum for supply chain contracts.
- Trust, but verify. Conduct evidence-based reviews of key third parties.
As ISACA notes, organizations clearly have to have confidence in the security, integrity, and availability of all their systems and suppliers. As David Samuelson, ISACA CEO, said, it’s of the utmost importance to take “swift and meaningful actions to improve supply chain security and governance.”
A Dynamic SBOM Helps You Shore Up Supply Chain Security
The software bill of materials (SBOM) is widely touted as a way to ensure the security and integrity of software products. Specifically, SBOMs that are dynamic are useful and effective for visibility into your software environment.
Dynamic SBOMs automatically account for the constant change swirling around the software landscape. Static SBOMs, in contrast, are of minimal use: they are fixed snapshots in the midst of ongoing shifts, so the SBOM artifact quickly becomes out of date. It’s the “dynamic” and automation part of SBOM documents that makes them true security tools.
With offerings such as Dynamic SBOM, organizations can take a big step toward making software more secure and defending against supply chain threats amid a growing attack surface.
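To make the point about static SBOMs going out of date concrete, the following added example (not code from the article or from any vendor product) compares a recorded SBOM with what is deployed later and reports the drift. It assumes a CycloneDX-style JSON document; the component names, versions, dates and the function names `sbom_drift` and `is_current` are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a minimal CycloneDX-style SBOM captured at release time.
RECORDED_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"timestamp": "2024-01-10T00:00:00Z"},
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.11"},
    {"type": "library", "name": "zlib", "version": "1.2.13"},
    {"type": "library", "name": "libxml2", "version": "2.11.5"}
  ]
}
""")

# Constructed sample: what an inventory scan finds deployed later (name -> version).
DEPLOYED_NOW = {"openssl": "3.0.13", "zlib": "1.2.13", "libyaml": "0.2.5"}


def sbom_drift(sbom, deployed, as_of):
    """Compare a recorded SBOM with the currently deployed components."""
    recorded = {c["name"]: c["version"] for c in sbom.get("components", [])}
    stamp = sbom["metadata"]["timestamp"].replace("Z", "+00:00")
    age_days = (as_of - datetime.fromisoformat(stamp)).days
    return {
        "age_days": age_days,
        # Deployed but never declared: invisible to anyone relying on the SBOM.
        "undeclared": sorted(set(deployed) - set(recorded)),
        # Declared but no longer present: stale entries that cause false alerts.
        "stale": sorted(set(recorded) - set(deployed)),
        # Same component, different version: vulnerability matching goes wrong.
        "version_changed": {
            name: (recorded[name], deployed[name])
            for name in sorted(set(recorded) & set(deployed))
            if recorded[name] != deployed[name]
        },
    }


def is_current(report):
    """The SBOM still describes the environment only if nothing has drifted."""
    return not (report["undeclared"] or report["stale"] or report["version_changed"])


if __name__ == "__main__":
    as_of = datetime(2024, 4, 9, tzinfo=timezone.utc)
    print(json.dumps(sbom_drift(RECORDED_SBOM, DEPLOYED_NOW, as_of), indent=2))
```

Run on a schedule or on every deployment, a check like this is what turns a one-off SBOM artifact into a continuously regenerated one.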