How to deal with emerging threats (e.g. log4j) in your supply chain
Emerging threats are unpredictable. In cyber security, we’re used to things derailing our productive workday plans. When something needs dealing with, it needs dealing with. It’s how we deal with it that will make the difference between a slight inconvenience and a major incident.
So you’ve just been made aware of a new emerging cyber threat, whether that’s a technical software vulnerability or a changing political landscape, and you need to act quickly.
As a responsible security professional, you check your internal position: your asset register, your network diagram, a few conversations with key people in the business to understand how vulnerable you are and what you can do to mitigate. You understand the extent of your exposure, you make a plan, start acting on it and present back to your team. Sorted. Then you’re asked the dreaded question: any exposure through our supply chain?
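The “check your internal position” step is the one part of this that can be made repeatable. Below is an added example, not code from the original post or from Risk Ledger, that runs a vulnerable-version rule over a software inventory. It is written for the log4j case the title mentions (the public advisory CVE-2021-44228 covers log4j-core 2.0-beta9 through 2.14.1, with fixed releases later backported onto the 2.12 and 2.3 branches), but the rule is plain data, so the same check serves the next component vulnerability. The inventory rows, asset names and the `SAMPLE_INVENTORY`/`find_exposure` names are constructed for the example; in practice the rows would come from your asset register, SBOMs or a dependency scanner export.

```python
"""Added example: check a software inventory for component versions in a vulnerable range.

Written around the log4j (CVE-2021-44228) case, but the rule is data, so the same
check can be reused for the next emerging component vulnerability.
"""
import csv
import io
import re

# Constructed sample inventory for this example, not real data. In practice these
# rows come from your asset register, SBOMs (CycloneDX/SPDX) or a scanner export.
SAMPLE_INVENTORY = """\
asset,component,version
billing-api,org.apache.logging.log4j:log4j-core,2.14.1
billing-api,org.apache.logging.log4j:log4j-api,2.14.1
search-svc,org.apache.logging.log4j:log4j-core,2.16.0
legacy-batch,org.apache.logging.log4j:log4j-core,2.0-beta9
reporting,org.apache.logging.log4j:log4j-core,2.12.2
intranet,log4j:log4j,1.2.17
"""

# major.minor[.patch][-tagNN], e.g. 2.14.1, 2.0-beta9, 2.0-rc1
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?$")


def parse_version(text):
    """Turn a version string into a tuple that sorts correctly.

    Pre-releases sort before the final release of the same number, so
    2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1. Plain string comparison gets this wrong
    ("2.14.1" < "2.9.1"), which is exactly the kind of bug that hides exposure.
    """
    m = _VERSION.match(text.strip().lower())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    # (is_final, tag, number): final releases get 1 so they sort after any pre-release
    pre = (0, tag, int(num or 0)) if tag else (1, "", 0)
    return (int(major), int(minor), int(patch or 0)) + pre


# Rule for CVE-2021-44228 (Log4Shell): log4j-core 2.0-beta9 through 2.14.1.
# The JNDI lookup was introduced in 2.0-beta9, so log4j 1.x is out of scope for
# this CVE. 2.12.2 and 2.3.1 sit inside the numeric range but are the fixed
# releases backported onto the older branches, so they are listed as exceptions.
LOG4SHELL = {
    "component": "org.apache.logging.log4j:log4j-core",
    "min": "2.0-beta9",
    "max": "2.14.1",
    "fixed_in_range": {"2.12.2", "2.3.1"},
}


def is_affected(component, version, rule=LOG4SHELL):
    """True if (component, version) falls inside the rule's vulnerable range."""
    if component != rule["component"]:
        return False
    if version.strip() in rule["fixed_in_range"]:
        return False
    v = parse_version(version)
    return parse_version(rule["min"]) <= v <= parse_version(rule["max"])


def find_exposure(inventory_csv, rule=LOG4SHELL):
    """Return [(asset, component, version)] for every inventory row the rule matches."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [
        (r["asset"], r["component"], r["version"])
        for r in rows
        if is_affected(r["component"], r["version"], rule)
    ]


if __name__ == "__main__":
    for asset, component, version in find_exposure(SAMPLE_INVENTORY):
        print(f"{asset}: {component} {version} is in the affected range")
```

Two caveats a practitioner will want: a version match is only one signal, since a log4j-core class bundled inside a shaded or vendored JAR never appears under that Maven coordinate, so the inventory needs to come from something that looks inside artefacts, not just declared dependencies; and the rule is data precisely because advisories evolve over the following weeks, so the range and the exception list should be re-checked against the vendor advisory each time the situation changes.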
Getting accurate, timely information about how vulnerable your supply chain is to a specific threat is notoriously difficult. In most cases, this particular threat is not something you or your suppliers were thinking about yesterday. Your suppliers have spent the day scrambling around to figure out their exposure, just like you have.
At the moment, for the vast majority of security teams, this effort goes something like:
- Speak to procurement or look at the supplier management system (if you’re lucky) to identify who your suppliers are.
- Identify which suppliers could:
  - feasibly be vulnerable to threat X, and
  - have an impact on you if they are
- Decide what information you need from those suppliers to enable you to assess your own exposure and make risk-based decisions on mitigating actions (will I really need to tell my marketing team they can’t use their favourite email marketing platform for the foreseeable future?!)
- Contact the suppliers with your list of questions (assuming you have the right contact details)
- Wait 1-2 weeks while the suppliers find the answers and check with their legal teams what they can and can’t say.
- Decide what immediate action you need to take, and which suppliers you’ll need to follow up with, and when, to keep as accurate a picture of your risk exposure as possible as the situation evolves over the next few weeks or months.
Meanwhile, the attackers are filling their boots, exploiting the situation left, right and centre.
No wonder cyber crime is such a lucrative business if this is the best kind of agility we can muster up in our defence.
Organisations are now so interconnected and dependent on each other that we need to start taking down some of those human, bureaucratic barriers that prevent an effective response. We need to start making meaningful connections between security teams in supplier-client organisations before an incident happens. We need to start sharing information about IT infrastructure and network activity with trusted partners as a daily norm so that when sh*t hits the fan, we can deal with it quickly and effectively.
The community we’re building at Risk Ledger is enabling these connections and starting to blur the lines between third party risk management and operational security in the supply chain.
The image above shows the interconnectedness of organisations using Risk Ledger for their supply chain security. Each dot is an organisation, with a security team sitting behind it maintaining their control profile and collaborating with security teams in client and supplier organisations to better defend as one.
So where do we go from here?
We noticed that clients and suppliers struggled to respond effectively when a new, urgent threat was discovered, so we created a tool to fix this.