The recent high-profile cybersecurity incidents involving SolarWinds, Accellion, and Microsoft have brought supply-chain risk into focus as thousands of organizations, including Fortune 500 companies and government agencies, have been impacted by these attacks. While these weren’t the first instances in which a hacker exploited a third party to attack United States infrastructure and private businesses, industry leaders and cybersecurity experts are wary of the increasingly sophisticated methods being used by these malicious actors.
In this webinar hosted by Exiger and SecurityScorecard, Katie Arrington, CISO for Acquisition and Sustainment (A&S) at the United States Department of Defense, and Bob Kolasky, Director of the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center (NRMC), discussed:
- The federal government’s push to secure its supply chain in the aftermath of several high-profile data breaches.
- How small businesses have considerably less manpower and fewer resources than the nation-states that often target them to infiltrate their larger customers’ networks.
- The need for organizations to have continuous visibility of their third-party networks.
- A pending executive order from the Biden administration.
- The importance of collaboration between the public and private sectors.
The panel kicked off the conversation by unpacking the impact of the SolarWinds attack.
“The scale of impact and remediation was much more complicated than many of these incidents that we’ve seen in the past,” said Kolasky. “We all need to get better at understanding where there is software that has access to important systems. We need to invest more in zero-trust environments.”
The panelists agreed that while there’s no way to completely secure an IT system, risk can be bought down by understanding the security posture of the vendors that make up an organization’s supply chain, and by sharing intelligence freely across the private and public sectors.
This collaboration is essential, given the resource gap between nation-state actors and the small businesses they attack to reach larger companies and government agencies.
“Adversaries are always looking for new ways to get in, and you don’t want to blame the victim when a nation-state is spending hundreds of thousands of man-hours to create something,” said Arrington. “A small company is not going to be able to withstand that.”
The need for visibility
The point-in-time assessments that security professionals have historically relied upon create blind spots between reviews: a vendor’s posture can change the day after a questionnaire is returned. Such snapshots cannot keep pace with the growing complexity of third-party networks or with the volume and sophistication of the attacks those networks currently face.
“It’s as if my business partners were marbles, the bag of marbles has been dumped on the ground, and I’ve been told to find the marbles that represent my critical business partners,” said Sam Kassoumeh, COO and Co-Founder of SecurityScorecard. “In reality, the risk comes from not just my critical partners, but all of my partners. The holistic view is critically important.”
Brandon Daniels, President of Global Markets at Exiger, echoed the importance of third-party-network visibility in ensuring continuity:
“Our vendor ecosystem is just as important as our people and processes,” he said. “We can’t draw the line at our doorstep when it comes to security, because our vendor ecosystem is much bigger than that, and it represents our ability to deliver.”
Arrington and Kolasky agreed that a variety of tactics, strategies, and technologies are needed in order to gather and share the intelligence that promotes sound risk-management decision-making. By increasing awareness of where risk resides within vendor ecosystems, and by tracking and presenting that information continuously to partners and regulators, organizations can shape strategy more effectively—and drive accountability among those they do business with.