In 2024, we’ll see escalating threats from the software supply chainHaig Colter
Today’s modern supply chains can be large and complex, involving many suppliers doing many different things. As digital transformation initiatives have accelerated, the ecosystem of suppliers has exploded. Effectively securing the supply chain is hard because vulnerabilities can be inherent, or introduced and exploited, at any point in the supply chain. Unfortunately, a compromised software supply chain can cause significant damage and disruption. One high-profile incident was the SolarWinds attack of 2020, which continues to affect numerous organizations years afterwards. The attack is estimated to have infected more than 18,000 systems worldwide, causing irreparable damage amounting to billions of dollars.
For those less familiar, the hackers used a supply chain attack to insert malicious pieces of code into the Orion framework. In a supply chain attack, malicious actors target third-party resources. SolarWinds was a promising target for this kind of attack because many multinational companies and government agencies use their software; all the hackers needed was to install the trojan onto a new batch of updates to be distributed by SolarWinds.
SEC ruling impacts CISO role going forward
The recent news that the US Securities and Exchange Commission (SEC) has charged SolarWinds and its CISO for failing to disclose known material cybersecurity risks and vulnerabilities is sobering. With the introduction of new policies that will impact the CISO role going forward, the situation is a wake up call for the whole industry.
Additionally, a significant challenge of modern application development stems from potential supply chain threats due to the ever-increasing use of open source software (OSS). Developers often leverage open source code as building blocks, allowing them to concentrate on their own code. While this increases development speed and agility, it also exposes organizations to challenges which amount to taking code from strangers. Open source ecosystems are vast and highly dynamic, just as they are meant to be, but there is limited accountability for vulnerabilities in OSS packages. As a result, businesses must mitigate the risk of using open source themselves, meaning, compromised dependencies need to be found and fixed immediately.
Two-thirds of US businesses are directly impacted by software supply chain attacks
According to Gartner, software supply chain attacks have seen triple-digit increases, but few organizations have taken steps to evaluate the risks of these complex attacks. Almost two-thirds (61%) of US businesses were directly impacted by a software supply chain attack in the 12-month period ending in April 2023 and Gartner and other research shows software supply chain attacks are a global challenge that continues to grow dramatically.
Strategies to maintain trust in the use of open source software include knowing which open source packages are included via a Software Bill of Materials (SBOM). CISA defines an SBOM as a “nested inventory, a list of ingredients” that make up software components.
The growing importance of SBOMs
Biden’s ‘Executive Order on Improving the Nation’s Cybersecurity served as a wake-up call for federal software suppliers when it comes to SBOMs. They must now implement and adhere to minimum elements within them. Many experts are increasingly urging private software suppliers to do the same. Gartner predicts that by 2026, at least 60% of organizations procuring mission-critical software solutions will mandate software bill of materials (SBOM) disclosures in their license and support agreements, up from less than 5% in 2022.
So, what should security and risk management leaders do to better detect and prevent attacks, and protect their organizations?
We have recently announced a partnership with Enzoic’s Dark Web monitoring capabilities which, combined with our security operations platform, scans for credentials exposure and will help customers in the fight against software supply chain attacks, enabling them to act at the first sign of compromise.
Enabling customers to stay up-to-date with third-party breaches
The ThreatQ Platform provides tools for contextualizing and prioritizing intelligence, enabling security teams to respond more effectively to potential threats. With the Enzoic integration, customers can now tap into their vast, dynamically updated database of exposure incidents. The scanning happens automatically, with any exposures immediately presented in the ThreatQ intuitive, graphical dashboard. This means when there are third party breaches in the supply chain, customers can stay updated on accounts in their environment that have been exposed in breaches outside their perimeter.
The new integration supports a variety of other use cases, namely:
- Incident Response: Data exposure is often a sign of compromise. Timely alerts allow teams to respond to and remediate threats quickly.
- Proactive Threat Investigation: Teams can conduct proactive threat hunting informed by user exposures on the Dark Web via a threat intelligence database.
Taking swift action
Today’s resource-stretched security professionals need help to prioritize, automate and collaborate on security incidents, especially now they are dealing with an extended ecosystem of suppliers. The ThreatQ Platform enables more focused decision making; and maximizes limited resources by integrating existing processes and technologies into a unified workspace. The result is reduced noise, clear priority threats, and the ability to automate processes with high fidelity data. This enables our customers to take swift action as soon as exposure is detected. We’re always looking for ways to strengthen our platform in response to today’s dynamically changing cybersecurity environment and this new partnership with Enzoic gives ThreatQuotient vital insights into sensitive data on the Dark Web, enabling our customers to act before these exposures can negatively impact the business.
To learn more about the ThreatQuotient and Enzoic integration please click here.