The headline-making SolarWinds Orion attack has drawn attention to supply chain security vulnerabilities – especially those involving the third-party software applications and hardware components that make up most of today’s enterprise IT environments. The attack, which spread from a compromise of third-party network management vendor SolarWinds’ Orion software, potentially impacted more than 18,000 organisations.
The progression of supply chain attacks
While the SolarWinds compromise is unusual in many ways, supply chain attacks are not at all new. For a long time, attackers have targeted third-party vendors across both digital and physical supply chains – from software and technology providers, to attorneys and consultants, to manufacturing and logistics companies – as backdoors into the networks of their enterprise or government business partners.
According to Bloomberg, the Cybersecurity and Infrastructure Security Agency (CISA) reported in 2019 that federal agencies faced about 180 different threats from the digital supply chain alone. And in recent months, the world has seen a surge in supply chain attacks targeting healthcare companies involved in Covid-19 vaccine development and delivery.
A rational zero-trust approach that will not cripple supply chain operations
With remote working now the norm, working with numerous third-party vendors has become an inevitable part of doing business. The downside is that this creates security blind spots that can become dangerous. Many companies and government agencies are embracing Zero Trust models – in which they trust nothing and verify everything – to protect themselves. But as vendor ecosystems grow in size and complexity, a hard and fast “trust nothing” strategy applied down the supply chain can quickly inhibit business operations and slow innovation. A successful security strategy must be both realistic and sustainable.
Here are four takeaways outlining steps organisations can take to significantly reduce the impact of a potential supply chain attack:
1. Protect privileged access
With dramatic cloud migrations underway and the adoption of transformative digital technologies, privileged accounts and credentials represent one of the largest attack surfaces for organisations today. Identifying and managing privileged access is paramount to disrupting the attack chain – regardless of whether the attacker infiltrated the environment via the supply chain or by other means – and to maximising risk mitigation.
2. Embrace a defense-in-depth approach
There is no silver bullet for cybersecurity, and no single vendor or tool can completely prevent an attack. An assumed-breach mindset calls for multiple layers of security, such as endpoint detection and response, next-gen antivirus, strong privileged access management, and application and OS patching. But remember, cybersecurity is a journey, and it doesn’t have to happen all at once. A good starting point is to adopt a risk-based approach, investing first in the security controls that reduce the greatest amount of risk.
3. Consistently enforce least privilege everywhere
While breaches are inevitable, organisations can limit the blast radius of an attack by eliminating unnecessary privileges and permissions in line with the principle of least privilege. Widespread adoption of public cloud services and SaaS applications has accelerated the need for least privilege controls in cloud environments. In fact, a recent ESG survey ranked overly permissive privileges as the most common attack vector against cloud applications. Strong least privilege enforcement can help stop any identity, whether on-premises or in the cloud, from reaching sensitive targets it has no legitimate need to access.
4. Monitor for privileged credential theft
As the SolarWinds attack shows, sophisticated attackers go to great lengths to hide their activity and avoid detection, and it can be extremely difficult to spot a supply chain infiltration. By monitoring privileged sessions, organisations can more easily spot suspicious behaviour and patterns indicative of credential theft, and better understand which critical assets are being targeted – enabling a faster, more decisive response to protect the organisation.
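One concrete form the session monitoring above can take is a baseline-deviation check: learn which source hosts, targets and hours each privileged account normally uses, then flag later sessions that break that pattern, which is a typical signal that a stolen credential is being used by someone other than its owner. The script below is an added illustration, not code from the article or from CyberArk; the audit records and their field names (ts, user, src, target) are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed privileged-session audit records (not real logs); field names are assumed.
BASELINE_EVENTS = """\
{"ts":"2020-11-02T09:15:00","user":"svc_orion","src":"orion-srv01","target":"core-sw01"}
{"ts":"2020-11-02T10:40:00","user":"svc_orion","src":"orion-srv01","target":"core-sw02"}
{"ts":"2020-11-03T09:05:00","user":"svc_orion","src":"orion-srv01","target":"core-sw01"}
{"ts":"2020-11-03T14:20:00","user":"admin.j","src":"jump01","target":"dc01"}
"""
NEW_EVENTS = """\
{"ts":"2020-12-14T09:30:00","user":"svc_orion","src":"orion-srv01","target":"core-sw01"}
{"ts":"2020-12-14T02:10:00","user":"svc_orion","src":"ws-hr-17","target":"dc01"}
{"ts":"2020-12-14T14:05:00","user":"admin.j","src":"jump01","target":"dc01"}
"""

def parse(text):
    # One JSON object per line -> list of dicts (blank lines ignored).
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_baseline(events):
    """Per account: the source hosts, targets and hours seen in the training window."""
    base = defaultdict(lambda: {"src": set(), "target": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["src"].add(e["src"])
        b["target"].add(e["target"])
        b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return base

def find_deviations(baseline, events):
    """Return (event, reasons) for each session that departs from its account's baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("account never seen in baseline")
        else:
            if e["src"] not in b["src"]:
                reasons.append(f"new source host {e['src']}")
            if e["target"] not in b["target"]:
                reasons.append(f"new target {e['target']}")
            if datetime.fromisoformat(e["ts"]).hour not in b["hours"]:
                reasons.append("outside usual hours")
        if reasons:
            findings.append((e, reasons))
    return findings

def run():
    # Train on the older window, then score the newer sessions.
    return find_deviations(build_baseline(parse(BASELINE_EVENTS)), parse(NEW_EVENTS))
```

With the sample data, only the 02:10 session of svc_orion from an unfamiliar workstation to a domain controller is flagged, on all three counts; in practice the baseline window should be long enough to cover each account's legitimate variation, or the check will generate noise.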
Effective protection of the supply chain means adopting a different mindset, one that assumes a breach will happen at some point. Because the supply chain is a critical attack vector, an attack through it can be a critical one, and security measures must be stepped up accordingly. By securing access to sensitive data and systems, organisations can reduce the risks significantly, making it far more difficult for attackers to achieve their end goals.
This article was written by Rohan Vaidya, Regional Director – India, CyberArk.