At Black Hat 2019, Eric Doerr, GM of the Microsoft Security Response Center, reminded attendees of the interconnectedness of enterprise software supply chains and of their vulnerability to attack. Eric highlighted how supply chain compromises come in many guises:
- Manipulation of source code and of dependencies
- Replacement or corruption of supplied binary images
- Spoofing of distribution and update mechanisms
- Adulterated development tools and environments
- Inclusion of malware masquerading as valid manifest items
- Services-based attacks
The list of supply chain attack vectors is long and nefarious, and of course applies to hardware as well – peripherals, networking equipment, IoT devices, even server blades.
Supply chain cybersecurity best practices dictate a number of straightforward defenses:
- Supplier certification: require vendors to supply scanning reports and Bills of Materials (BOMs), and cross-check each BOM against what is actually delivered
- Inbound malware screening, plus Software Composition Analysis (SCA) tooling to identify known-vulnerable components and feed them into vulnerability management
- The same checks repeated before deployment, during test/QA
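The first two practices above, BOM cross-checking and SCA matching, as an added example in Python (not code from Netsurion or Microsoft). The BOM layout is a constructed, CycloneDX-like subset; the "delivered" artifacts are constructed in-memory bytes standing in for files; the SCA findings are a constructed stand-in for an SCA tool's report, and `ADV-EXAMPLE-1` is a placeholder advisory id, not a real one:

```python
"""Cross-check a vendor-supplied Bill of Materials (BOM) against what was
actually delivered, then match listed components against SCA output.

Added example, not code from Netsurion or Microsoft. The BOM layout is a
constructed, CycloneDX-like subset; the artifacts are constructed in-memory
bytes standing in for files; the SCA findings are a constructed stand-in for
an SCA tool's report, with a placeholder advisory id.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the artifacts the vendor actually built (path -> bytes).
GOOD_DELIVERY = {
    "lib/libparse.so": b"\x7fELF libparse 2.4.1 (constructed bytes)",
    "lib/libnet.so": b"\x7fELF libnet 1.0.9 (constructed bytes)",
    "bin/helper": b"\x7fELF helper 0.3.0 (constructed bytes)",
}

# Constructed vendor BOM: name, version, path and digest of each component.
VENDOR_BOM = {
    "components": [
        {"name": "libparse", "version": "2.4.1", "path": "lib/libparse.so",
         "sha256": sha256_hex(GOOD_DELIVERY["lib/libparse.so"])},
        {"name": "libnet", "version": "1.0.9", "path": "lib/libnet.so",
         "sha256": sha256_hex(GOOD_DELIVERY["lib/libnet.so"])},
        {"name": "helper", "version": "0.3.0", "path": "bin/helper",
         "sha256": sha256_hex(GOOD_DELIVERY["bin/helper"])},
    ]
}

# Constructed: what actually arrived. libnet was altered in transit, helper
# never arrived, and an unlisted binary was added to the package.
TAMPERED_DELIVERY = {
    "lib/libparse.so": GOOD_DELIVERY["lib/libparse.so"],
    "lib/libnet.so": GOOD_DELIVERY["lib/libnet.so"] + b"\x90\x90 (constructed patch)",
    "bin/updater": b"\x7fELF updater (constructed, not in BOM)",
}

# Constructed stand-in for SCA output: (name, version) -> advisory id.
# "ADV-EXAMPLE-1" is a placeholder, not a real advisory.
SCA_FINDINGS = {("libparse", "2.4.1"): "ADV-EXAMPLE-1"}


@dataclass
class BomReport:
    verified: list[str] = field(default_factory=list)   # digest matched
    tampered: list[str] = field(default_factory=list)   # present, digest differs
    missing: list[str] = field(default_factory=list)    # in BOM, not delivered
    unlisted: list[str] = field(default_factory=list)   # delivered, not in BOM
    vulnerable: list[tuple[str, str, str]] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not (self.tampered or self.missing or self.unlisted or self.vulnerable)


def cross_check_bom(bom: dict, delivered: dict[str, bytes],
                    sca_findings: dict[tuple[str, str], str]) -> BomReport:
    report = BomReport()
    listed = set()
    for comp in bom["components"]:
        path = comp["path"]
        listed.add(path)
        # Version-level SCA match applies whether or not the file arrived.
        advisory = sca_findings.get((comp["name"], comp["version"]))
        if advisory:
            report.vulnerable.append((comp["name"], comp["version"], advisory))
        data = delivered.get(path)
        if data is None:
            report.missing.append(path)
        elif hmac.compare_digest(sha256_hex(data), comp["sha256"].lower()):
            report.verified.append(path)
        else:
            report.tampered.append(path)
    # Anything delivered that the BOM does not account for is a finding in itself.
    report.unlisted = sorted(set(delivered) - listed)
    return report


if __name__ == "__main__":
    rep = cross_check_bom(VENDOR_BOM, TAMPERED_DELIVERY, SCA_FINDINGS)
    for kind in ("verified", "tampered", "missing", "unlisted", "vulnerable"):
        print(f"{kind:10s} {getattr(rep, kind)}")
    print("accept delivery:", rep.clean)
```

The check treats the BOM as a claim to be verified in both directions: a component the BOM lists but the package lacks, and a file the package contains but the BOM never mentions, are both rejected, not just digest mismatches. Version matching against SCA output happens on the BOM entry itself, so a vulnerable component is flagged even when the file was not delivered.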
But as Eric pointed out, “I’m in your supply chain, and you’re probably in mine.” Software and services produced by one vendor can, and do, end up in other vendors’ manifests and stacks, propagating deep among suppliers and consumers. The multiplicity of organizations, code and services in this cascade of supply and consumption almost guarantees the inclusion of exploitable vulnerabilities and embedded hostile code.
Today, in the face of international sourcing, admixture of proprietary and open source code, and huge variability in vendor practices, securing the enterprise supply chain borders upon the impossible. What steps can CISOs and IT security teams take to mitigate risk from vendor and community-supplied software and firmware?
The first step is developing a strategy. Certainly, it makes sense to follow and enforce the supply chain security practices outlined above. But how do you mitigate the threats that survive the vendor-consumer gauntlet? Once past these protections, having effectively side-stepped perimeter defenses, supply chain attacks can run amok on your networks, inside your applications and across your data, on par with privilege escalations and high-level insider attacks.
Until the modern software supply chain cleans up its act, through self-regulation or government mandate, the best way to mitigate sourcing risk is with comprehensive Security Information and Event Management (SIEM), integrating security monitoring, threat detection and response, combined with Endpoint Detection and Response (EDR).
Netsurion’s EventTracker SIEM and EDR together address supply chain threats, as follows:
- 24/7, ISO-certified Security Operations Center (SOC) threat monitoring detects and alerts on threats originating inside your network, including attacks that arrive via supply chain software and firmware
- Real-time alerting and incident response generate rule-based alerts, including response to changes in source code repositories or updates to third-party binary images
- EventTracker integrates threat data feeds for comparison with SCA tools output and vendor scanning reports
- Endpoint sensors detect suspicious behavior of supply chain-derived applications, tools, environments, as well as third-party services, and block unauthorized file copying and downloading
- Elasticsearch-based forensic tools enable search and forensic analysis of vendor and community-supplied software bases to ferret out known threats in system and application stacks
- Dashboard and modern user interface streamline analysis during third-party software ingress and software test/QA processes
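The kind of rule-based alerting described in the list above (unapproved updates to third-party binary images, unexpected changes to source repositories), as an added example in Python. This is not EventTracker's rule syntax or code; the JSON-lines event format, the approved-hash manifest, the repository policy and the user names are all constructed for illustration:

```python
"""Rule-based alerting over file-integrity and source-repository events.

Added example, not EventTracker's rule language or code. The JSON-lines event
format, the approved-hash manifest, the repository policy and the user names
are all constructed for illustration.
"""
from __future__ import annotations

import json

VENDOR_DIR = "/opt/vendor/"

# Constructed: digests of third-party binaries approved for deployment, as
# taken from the vendor's release manifest (current and previous release).
APPROVED_HASHES = {
    "/opt/vendor/bin/agent": {"ab12ab12", "cd34cd34"},
    "/opt/vendor/lib/libnet.so": {"ef56ef56"},
}

# Constructed: branches that only release engineers may push to, per repository.
PROTECTED_BRANCHES = {"build-tools": {"release"}}
RELEASE_ENGINEERS = {"alice", "bob"}

# Constructed event stream, one JSON object per line (timestamps and digests are made up).
SAMPLE_EVENTS = """\
{"ts": "2019-08-07T10:00:01Z", "type": "file_modified", "host": "web01", "path": "/opt/vendor/bin/agent", "sha256": "cd34cd34"}
{"ts": "2019-08-07T10:02:13Z", "type": "file_modified", "host": "web02", "path": "/opt/vendor/bin/agent", "sha256": "9999dead"}
{"ts": "2019-08-07T10:03:40Z", "type": "file_modified", "host": "web02", "path": "/opt/vendor/bin/sideload", "sha256": "77777777"}
{"ts": "2019-08-07T10:05:00Z", "type": "repo_push", "repo": "build-tools", "branch": "release", "actor": "alice", "force": false}
{"ts": "2019-08-07T10:06:30Z", "type": "repo_push", "repo": "build-tools", "branch": "release", "actor": "mallory", "force": false}
{"ts": "2019-08-07T10:07:00Z", "type": "repo_push", "repo": "build-tools", "branch": "feature/x", "actor": "mallory", "force": true}
{"ts": "2019-08-07T10:08:00Z", "type": "repo_push", "repo": "build-tools", "branch": "release", "actor": "bob", "force": true}
"""


def _alert(rule: str, severity: str, message: str, event: dict) -> dict:
    return {"rule": rule, "severity": severity, "message": message, "ts": event.get("ts")}


def evaluate(event: dict) -> dict | None:
    """Apply the rules to one event; return an alert dict or None."""
    etype = event.get("type")
    if etype == "file_modified":
        path = event["path"]
        if path in APPROVED_HASHES:
            # R1: a managed third-party binary changed to a digest the vendor manifest does not list.
            if event["sha256"] not in APPROVED_HASHES[path]:
                return _alert("R1", "high",
                              f"{path} on {event['host']} changed to unapproved digest {event['sha256']}", event)
            return None
        # R2: something new appeared inside the vendor's install tree that no manifest covers.
        if path.startswith(VENDOR_DIR):
            return _alert("R2", "medium", f"unlisted binary {path} written on {event['host']}", event)
        return None
    if etype == "repo_push":
        protected = PROTECTED_BRANCHES.get(event["repo"], set())
        if event["branch"] in protected:
            # R3: push to a release branch by someone outside the release group.
            if event["actor"] not in RELEASE_ENGINEERS:
                return _alert("R3", "high",
                              f"{event['actor']} pushed to protected branch {event['repo']}:{event['branch']}", event)
            # R4: history rewrite on a release branch, even by an authorized engineer.
            if event.get("force"):
                return _alert("R4", "high",
                              f"force-push to {event['repo']}:{event['branch']} by {event['actor']}", event)
        return None
    return None


def run_rules(lines: str) -> list[dict]:
    """Evaluate every JSON line and return the alerts raised, tagged with the line number."""
    alerts = []
    for n, line in enumerate(lines.splitlines(), 1):
        if not line.strip():
            continue
        alert = evaluate(json.loads(line))
        if alert:
            alert["line"] = n
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"line {a['line']:2d} [{a['severity']:6s}] {a['rule']}: {a['message']}")
```

Run against the constructed stream, the rules stay quiet for the legitimate agent update and for pushes to unprotected branches, and raise four alerts: the agent update to a digest the manifest does not list, the unlisted binary dropped into the vendor tree, the outsider's push to the release branch, and the authorized engineer's force-push. The last case is the one worth noting for supply chain work: a history rewrite on a release branch is suspicious even when the actor is allowed to push there.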
In today’s landscape of interwoven ecosystem relationships and complex provenance of software and firmware, securing your technology supply chain ranges from daunting to near impossible. CISOs worry about fully vetting the integrity of software and hardware sourcing. They lose sleep thinking about potential ingress of malicious and vulnerable code across purchasing, development, IT and other entry points. With Netsurion SIEM and EDR, CISOs and security practitioners can rest easier and devs continue leveraging high value ecosystem software and firmware. Try it today.