10/22/2021 | Press release | Distributed by Public on 10/22/2021 09:58
Supply chains are on everyone's mind right now - from consumer-tech bottlenecks to talks of holiday-season toy shortages. Meanwhile, cyberattacks targeting elements of the supply chain have become increasingly common and impactful - making this area of security a top priority as organizations ensure their digital defense plans are ready for 2022.
Here's the thing, though: Supply chains are enormously complex, and securing all endpoints in your partner ecosystem can be a herculean challenge.
On Thursday, October 21, two members of Rapid7's Research team - Erick Galinkin, Principal Artificial Intelligence Researcher, and Bob Rudis, Chief Security Data Scientist - sat down to get the perspectives of two industry panelists: Loren Morgan, VP of Global IT Operations, Infrastructure and Delivery at Owens & Minor; and Dan Walsh, CISO at VillageMD. They discussed the dynamics of supply chain security, how they think about vendor risk, and what they're doing to tackle these challenges at their organizations.
Head to our 2022 Planning series page for more - full replay available soon!
The conversation kicked off with a foundational question: What do we mean when we talk about supply chain risk? The answer here is particularly important, given how sprawling and multivariate modern-day supply chains have become.
Dan defined the concept as "the risk inherent in the way we deliver business results." For example, you might be working with a solutions provider whose software relies on open-source libraries, which could introduce vulnerabilities. The impact can be particularly high when a vendor your organization relies on in a strategic, business-critical capacity experiences a security issue.
Bob noted that the nature of supply chain risk hasn't fundamentally changed in the past decade-plus - what's different today is the scale of the problem. That includes not only the size of supply chains themselves but also the magnitude of the risks, as attacks increase in frequency and scope.
For Loren, acknowledging and acting on these growing risks means asking a central question: How are our partners investing in their own defenses? And further, how can we get visibility into the actions our vendors are taking to counteract their vulnerabilities?
Erick pointed out that one of the more practical ways of achieving visibility with technology vendors is the software bill of materials (SBOM). An SBOM is a list of all the libraries, dependencies, third-party modules, and other components that a provider brings into their software product.
"It's like an ingredient list on a package of food," Dan said. Because it names specific components and versions, an SBOM lets you check a product against known vulnerabilities yourself, which is far more insight than a compliance attestation like SOC 2 provides; SOC 2 speaks to a vendor's controls, not to what is inside their code.
"Ultimately, from our vendors, what we're looking for is trust," Dan noted. The visibility an SBOM provides can go a long way toward achieving that trust.
Not every vendor will welcome a request for an SBOM, though. And even when one arrives, you still need a way to confirm that it is accurate and complete: an SBOM is a claim by the vendor, not an observation you made. Cloud delivery complicates the picture considerably, too.
"A SaaSBOM is a lot trickier," Erick noted. With fully cloud-based applications, verifying what's in an SBOM becomes a much tougher task. And cloud misconfigurations have become an increasingly prominent source of vulnerabilities - especially as today's end users are leveraging an array of easy-to-use SaaS tools and browser extensions, multiplying the potential points of risk.
Dan suggested that in the future, the industry might move to an ABOM - a highly memorable shorthand for "application bill of materials" - which would include all source code, infrastructure, and other key components that make an application tick. This would help provide a deeper level of visibility and trust when evaluating the risks inherent in the ever-growing lists of applications that enterprises rely on in today's cloud-first technology ecosystem.
So, what key concepts and practices should you implement as you put together a 2022 cybersecurity plan that factors in supply chain risk? Here are a few suggestions our panel discussed.
Ultimately, holding your vendors accountable is the most important step you can take in the effort to build a secure supply chain.
"It's incumbent on consumers to hold their vendors' feet to the fire and say, 'How are you doing this?'" Erick commented. Demand real data and clear documentation rather than vague responses. When we do this for our own organizations, we make each other safer by demanding more of vendors and raising the bar for security across the supply chain.
Stay tuned for the next two installments in our 2022 Planning webcast series! Next up, we'll be discussing the path to effective cybersecurity maturity and how to factor that journey into your 2022 cybersecurity program.