Navigating the Hidden Risks: Securing Your Digital Supply Chain

Every organisation today is inextricably connected within a vast web of intricate dependencies. Consider the hundreds of digital devices in a typical office. From laptops to servers, networking appliances to office printers, every one of these devices is built by an external party.

These products incorporate hundreds, sometimes thousands, of components sourced from a revolving door of suppliers, who might in turn rely on their network of sub-suppliers. The result is a complex, fluid supply chain laden with a myriad of invisible risks – and where a single weak link could potentially compromise the entire system.
 

A fast-growing problem

Supply chain attacks can be devastating and have far-reaching consequences for businesses and governments, going by high-profile incidents such as the SolarWinds hack. Already, supply chain attacks are a major problem, and the latest Verizon Data Breach Investigations Report say the supply chain is responsible for over 60% of system intrusion incidents. According to CISA, one in four (25%) exploited vulnerabilities in pre-installed software and firmware.

Even ransomware actors, longtime experts at phishing and credential theft, are increasingly exploiting vulnerabilities in third-party technologies, including targeting third-party code developed by vendors and manufacturers of IT infrastructure. Today, 48% of ransomware attacks start by exploiting software vulnerabilities, of which two-thirds are found in software that comes pre-installed on devices.

The trend of supply chain attacks is accelerating at a fast pace, with attackers in the form of state-sponsored attackers, advanced persistent threat (APT) actors, and organised cybercriminal groups. Moreover, the global nature of supply chains means that rising geopolitical tensions and increasing trade disputes can only further impact its stability and security.

New approach needed

Supply chain attacks impact every business across the industry, from government agencies, telecommunications, the financial services industry, to enterprises. It is easy to understand why when one considers a typical PC or laptop, a staple computing device used by millions daily around the world for collaboration and work.

The average PC is built with components from more than 200 suppliers across 39 countries. Apart from manufacturing the components, suppliers often also develop the supporting firmware, software drivers, and ancillary applications. Vulnerabilities in any of these components are inherited by the device, accruing quickly to represent a significant material risk.

So how can organisations defend against supply chain attacks? Repurposing traditional approaches such as network or end-point defences is ineffective and limited in scope when it comes to addressing the unique challenges of supply chain security. Instead of shoehorning solutions never designed with the supply chain security in mind to work, a new approach is needed.

A common mistake in supply chain security is a misplaced notion of trust in a particular brand or supplier, using it to justify inaction. The issue is not the level of confidence in a chosen brand, but about having the right mechanisms in place to identify and validate the individual make-up of each product. But why should individual components matter?
 

Managing supply chain risks

Food products make a good analogy here. At the supermarket, individuals with food allergies or the more health conscious would usually scrutinise the labels for the ingredients used in each food item. Similarly, only with detailed information about the devices they use can organisations make an informed decision about the vulnerabilities and risks that they inherit through the supply chain.

Only when every component is identified can risks be properly appraised and vulnerable components promptly patched. In situations where patches are no longer available or in critical infrastructure where changes must be minimised, compensating controls could be deployed. This might come in the form of active monitoring to scrutinise vulnerable components for signs of compromise to stop exploitation, or failing that, to catch it as early as possible.

It is worth noting that supply chain security cannot be a one-time check at deployment but must be an ongoing exercise where the systems and components within a given infrastructure are continually verified. This should last through the entire lifecycle of each product until it is decommissioned.

Finally, supply chain security is multi-faceted and should include the manufacturing and IT environment of the supplier. For instance, a supplier might at some point be compromised. Proprietary source code might be illegally accessed, or digital certificates might be stolen. While these do not immediately impact the deployed system, the risks would have changed and should hence be taken into consideration.
 

Eclypsium: From core to cloud

Eclypsium was founded to address supply chain risks from the foundational level of hardware and firmware to cloud deployments, allowing organizations to quickly implement crucial security controls, asset inventory, vulnerability management, and threat detection across their entire digital supply chain.

With a vast database of external products and components, as well as their associated supply chain risk, organisations can better understand and address the risks within their infrastructure. This means they can validate the authenticity and integrity of components from their suppliers, making it simpler to confirm secure supply chain practices.

By implementing supply chain security, organizations not only strengthen their security posture but minimise the risk of security breaches and meet regulatory requirements.