Following the SolarWinds supply-chain attack, as well as recent nation-state attacks like the 2017 NotPetya campaign, corporate risk officials need to take a more holistic approach in how they protect themselves against third-party risk, according to a panel of information security officers and other cybersecurity officials at the Shared Assessments summit last week.
Companies need to build operational resilience across the entire spectrum of security, evaluating everything from business continuity policies to physical security, operational security and environmental sustainability, according to Edna Conway, VP and chief security & risk officer, Azure at Microsoft, speaking during the summit.
"I think an architecture that blends these two [security and resiliency] is something we all need to move to and SolarWinds was but one example of why we need to look at ourselves holistically, internally and across our third-party ecosystems," Conway said.
The rise in supply chain threats has forced thousands of companies around the U.S. to reassess their risk posture, as threat actors have taken advantage of vendor relationships and privileged access to open up new vectors of attack against targeted customers.
What has emerged in recent cyber campaigns, including NotPetya, the 2017 CCleaner hack and now SolarWinds, is that the new threat vector is to compromise a company's product in order to then attack its customers, according to Dawn Cappelli, VP and CISO at Rockwell Automation, a manufacturer of industrial control products.
"What was new about SolarWinds was the way that they attacked the development environment," Cappelli said. "They didn't just go into the source code repository and tamper with the code, they had a very specific target which was the build environment itself. And we've never seen that before."
Rockwell Automation is conducting risk analysis and threat modeling of its own build environment and has formed a working group with other companies to review the problem. The company has also started asking more questions of critical suppliers that could pose a threat to it.
Companies have recently stepped up assessments and monitoring of third-party vendors, demanding extensive compliance checklists and questionnaires and using other screening methods.
However, this approach is not always an efficient way to ensure security. Companies should not become overly reliant on annual assessments with thousands of questions, according to Erinmichelle Perri, CISO at The New York Times.
"If we look at SolarWinds, what saved us was strong security programs, not 4,000 questions that the vendor had to answer about the state of their security programs," Perri said.
She much prefers using a centralized source such as SecurityScorecard or BitSight to get real-time information.