High-profile cyberattacks on software vendors have brought supply chain security concerns to the forefront. While these kinds of attacks are not new, the increased reliance on digital technology significantly impacts the risk for organizations of all sizes. As the business world becomes more interconnected and more digital, the exposure to supply chain attacks will grow even more.
Regardless of your industry, business model, and the type of service or product you offer, you need to identify, assess, and manage this risk. Let’s take a look at what is supply chain security and ways you can bolster it.
What are supply chain attacks?
Major cyberattacks on several software vendors have illustrated the massive ripple effects of a supply chain attack, which could impact thousands of organizations that may not even be direct customers. But software is not the only type of vendor that is part of your supply chain—you need to think broader.
The intent of these attacks is to inflict damage through the supply chain, which includes all the systems and operations working together to develop, produce, process, distribute, and deliver products and services to your end customer.
In the digital world, this especially concerns cybersecurity, including the security, integrity, and availability of your critical IT resources. The attacks often take place through malware that threat actors sneak into software, firmware, or hardware to cause harm to organizations further down the chain, all the way down to the end consumer.
The chain includes elements such as:
- Third-party and open-source software components used in enterprise software
- Cloud services, including those providing software, platforms, and infrastructure
- Suppliers, partners, and vendors that provide various services, including software development, data management, IT services, and cybersecurity
Today’s supply chains are complex, and one of the biggest challenges is that you don’t have complete visibility into all the nodes. Yet your risks are coming not only from your third-party vendors but from any of the Nth party that you don’t have a direct relationship with.
Software supply chain: security risks skyrocket
Although several significant breaches of software vendors in 2020 and 2021 have greatly raised awareness about software supply chain security, this trend has been growing for some time. The U.S. National Counterintelligence and Security Center (NCSC) called 2017 a watershed year for software supply chain attacks, noting the growing impacts of cyberattacks like NotPetya, which paralyzed networks across the globe and disrupted numerous businesses.
As NCSC stated, “software supply chain attacks are an efficient way to bypass traditional defenses and compromise a large number of [systems],” and “hackers are circumventing traditional cyber defenses to compromise software and delivery processes to enable successful, rewarding, and stealthy methods to subvert large numbers of computers through a single attack.”
According to the U.S. Cybersecurity and Infrastructure Security Center (CISA), three common techniques that threat actors use to execute attacks on the software supply chain include:
- Compromising open-source code—developers of both proprietary and open-source software use publicly accessible code libraries, and threat actors take advantage of this by inserting malicious code into those libraries.
- Hijacking software updates—since developers typically have a centralized system for pushing out patches and updates, threat actors infiltrate the vendor to insert malware that is then distributed as part of the update to all customers.
- Undermining codesigning—developers use codesigning to validate the code integrity and the author’s identity, and threat actors can impersonate a trusted vendor to insert malicious code into updates.
These attacks are often highly sophisticated and stealthy, and are carried out by advanced persistent threat (APT) groups and nation-state actors, who have the resources to plan and execute their attacks for months and even years.
Cybersecurity experts predicted several years ago that this attack vector would be used increasingly—and recent events proved them right. For organizations, this means:
- Reevaluating cybersecurity models to ensure they consider supply chain security
- Implementing holistic strategies for risk assessments and third-party risk management
- Deploying defense-in-depth, layered security that minimizes the impact of supply chain attacks
Securing your supply chain with a zero trust approach
An effective strategy that can help you mitigate supply chain security risks is the zero trust model. This model assumes that every person, device, and connection is a potential threat, and doesn’t trust them whether they’re inside or outside the network. Interest in the zero trust approach has especially grown with the rise of remote, distributed workplaces and the adoption of the multi-cloud because network-based security defenses are ineffective for those use cases.
Zero trust is based on the premise that the perimeter has been breached and you need to take the steps to minimize the impact. In the context of supply chain security, this model prevents privilege escalation, lateral movements, command-and-control callbacks, and other malicious activities because all requests are continuously and dynamically verified.
The impact of privileged access on supply chain security
According to CISA, privileged access is one of two unique vulnerabilities related to supply chain security. That’s because many third-party software solutions require privileged access to operate in your environment. These types of solutions range from remote access and IT management to cybersecurity.
What makes the risk especially high is the fact that many of these products are deployed across your network or architecture, and if compromised, could give threat actors access to your critical systems. And many organizations simply use the default software settings without considering the implications.
An identity-based approach that applies artificial intelligence and machine learning can mitigate the risk by establishing baselines, identifying behavior anomalies, and denying abnormal access. Identity-based security also helps you implement privileged access management (PAM) and enforce a least privilege model.
Securing your software supply chain
Mitigating a software supply chain attack is challenging because your IT and security team typically doesn’t control all the components of the chain and likely can’t compel every vendor in that chain to quickly mitigate risks. However, you can apply various best practices to limit the hard to your organization.
Steps you can take include:
- Inventory all the software used in your environment and understand the risks.
- Before you select a new software product, research the vendor’s practices and security controls.
- Collaborate with your key suppliers and establish a management program for the vendors and the components.
- Implement security tools and processes such as network segmentation, vulnerability and configuration management, encryption, multi-factor authentication, data governance, and incident response and recovery.
Supply chain security is essential to your ability to defend your organization against threats. Identity-based security provides a variety of benefits for strengthening your resilience in the event of a compromised supply chain. SailPoint Identity Security can help you in mitigating third-party risk—as well as other risks that you face in today’s digital, connected world.
You might also be interested in:
Take control of your cloud platform.
Learn more about the SailPoint Identity Security Platform.