NYC — From Delta Airlines to Best Buy, a number of big-name companies were involved this year in data breaches – but even though their names made headlines, the actual security incidents occurred due to flaws in third-party partners.
Across the board, companies are scratching their heads trying to determine the best methods to manage their supply chain – including hardware, software and beyond – in order to maintain end-to-end security. But it’s not an easy task.
Ultimately, “There needs to be a shift in conversation,” Emily Heath, chief information security officer at United Airlines, said at the WSJ Cyber Executive Forum on Tuesday. “We’re responsible for patching our own computers but we also work with hardware and software suppliers… and we’re the ones in the headlines even when the vulnerabilities come from the third parties. I spend a ton of time worrying about their products.”
Supply chain attacks are particularly insidious for several reasons. First, they provide a lucrative opportunity for hackers to exploit a vulnerability and hit several companies at once – and rack up more customers’ data. Second, with the widening net of the tech ecosystem and more partnerships being formed, it’s difficult to pinpoint and prevent them.
In fact, a recent survey by CrowdStrike found that two-thirds of firms surveyed experienced a software supply-chain attack in the past 12 months.
Even if companies have strategies in place for securing the supply chain, they might not work.
CrowdStrike’s survey revealed that 87 percent of those that suffered a software supply-chain attack had either a full strategy in place, or some level of response pre-planned at the time of their attack — which proved ineffective.
Worse, on average, respondents from nearly all of the countries surveyed took close to 63 hours to detect and remediate an attack.
How can companies start to secure their supply chain and coordinate with their third-party parents? The first step, said Heath, is understanding those parties – who they are and what they bring to the partnership. “Step one is understanding…what they do for you, who goes to accounts payable, and so on,” she said.
Securing the Supply Chain
Edna Conway, chief security officer of Global Value Chain at Cisco, has found success in taking a “layered approach” to securing the supply chain.
Conway has built an architecture incubated inside the supply chain and manufacturing that she says covers 11 domains – including identity management, access control and behavioral security.
“We need to take a comprehensive view of who is providing what. We need to understand and map that, and write requirements for third parties that aren’t prescriptive but goal-based,” she said. “What processes and tools are a shared concern? We need to understand the businesses of our third parties so we can blend that.”
Another aspect of securing supply chains is dealing with the scale, as some companies might have thousands of technology partners.
For Rob Joyce, senior advisor of cybersecurity strategy for the National Security Agency (NSA), supply chain is hierarchical.
“When you think of securing the supply chain, you need to work down the pyramid for who you choose to secure your business,” he said. “People need to think about supply-chain partners with a high threat model.”
Heath agreed. United Airlines – and others – are facing an increasingly complex ecosystem. United needs to juggle tens of thousands of partners and suppliers that the airline does business with – third parties who might be connected to their network, have access to the network, or does some sort of business with them.
“You need tiering – you need levels, because you can’t secure them all,” she said.
The good news, said Conway, is that high-profile breaches like Ticketmaster and Kmart have “woken up” the world.
“We’re seeing more architectures being developed that allow us to act on threats that can cause manipulation or disruption,” said Conway.