Analysis

Taking TPRM from Compliance to SecOps: Building the first digital SOC for the supply chain

In the final article in our series "Shaping the future of supply chain security", our CEO Haydn Brooks reveals, for the first time, Risk Ledger's 3-stage strategy for transforming TPRM from a mainly compliance-driven exercise into an active cyber defence discipline by creating the first digital Security Operations Centre for the supply chain.


With the key building blocks that will allow us to achieve our vision for revolutionising supply chain cyber security now firmly in place, and with thousands of organisations already joining communities of peers on Risk Ledger to leverage the power of networks to Defend-as-One, it is time to reveal Phase 3 of our roadmap for building the future of supply chain security.

In this final article in our series, we will outline our plan for building the first digital SOC for the supply chain, allowing organisations to come together to actively detect, respond to, and prevent attacks across the entire network of connected organisations in real-time, and forever change TPRM from a mainly reactive and compliance-driven exercise into an active cyber defence discipline.

Defend-as-One is no longer a concept: How Risk Ledger has put it into practice

As we have established in the previous articles in our series on “Shaping the Future of Supply Chain Cyber Security”, siloed approaches to third-party risk management and supply chain cyber security are becoming not just obsolete but in fact counterproductive in the face of burgeoning cyber security threats and geopolitical tensions globally. More and more organisations are realising this and joining our rapidly expanding network of organisations willing to work together to Defend-as-One.

Already, we are building up connected networks of suppliers and clients who are able to collaborate for mutual benefit, while transforming third-party risk management (TPRM) processes and making them far more effective. Security teams can now work directly with the security teams at their suppliers, as well as with peers across their industry who share similar pain points and challenges. They also already collaborate when a security incident or emerging threat appears anywhere in their supply chains. Because our network effect quickly generates data from across all supplier organisations when such events happen, this allows for much swifter and more effective incident response.

TPRM from compliance to security operations

In the next phase of our roadmap to future-proof supply chain cyber security, we are focused on actively moving TPRM out of the realm of compliance and mere risk management and into a more operational domain. This is the final shortcoming of current approaches to TPRM that we want to tackle head-on.

A fundamental problem with TPRM has been that people have too often treated their TPRM programmes as a governance and compliance exercise. The overall goal then becomes to demonstrate that we provide adequate assurance rather than pursuing the fundamental objective of reducing security risks.

This means that many teams don't see it as constructive and valuable, creating a vicious cycle: because people see it merely as a compliance necessity, they don't put the required effort into it, so its value depreciates further. We need to break free from that vicious cycle and take a different approach to make it more effective and reduce the challenges.

This is why we need to start approaching TPRM as an operational challenge rather than a pure governance one and involve our Security Operations teams. The first port of call is talking to in-house threat intelligence teams or external providers. Gathering and utilising critical threat intelligence data to understand where our suppliers sit and what risks they could face is incredibly useful for responding to attacks in an operational way.

Third-party risk management and incident response are usually split between the Governance and the SecOps teams, which is not a helpful way to look at the problem of how to reduce the likelihood and impacts of attacks against our corporate supply chains. It raises the question: What do we do when a supply chain incident strikes? Do we have to contact our Governance, Risk and Compliance (GRC) teams since they are supposed to have a relationship with the suppliers in question, or should this be our SecOps teams responsible for handling the incident response?

Every supplier assurance review is a real opportunity to gather crucial threat intelligence data on our suppliers and develop strong relationships, helping us build a comprehensive database of security data and create alliances. So when an incident happens in the future, whether it is an incident at that supplier in particular or a more industry-wide incident such as the MOVEit Transfer attack, we are in a position to quickly reach out and collaboratively address any problems in partnership with that supplier. It also allows us to build a system in which we can quickly search and draw insights from our databases to ascertain which suppliers in our ecosystem could be most vulnerable to a specific attack, or what kind of risks they could pose to us if affected, which further increases our ability to respond quickly when attacks strike.

This is what Risk Ledger has been able to achieve to date. Now let’s turn to what we have in store next.

Building a Security Operations Centre for the supply chain

Stage one and Stage two of our roadmap to build the future of supply chain cyber security solved the efficiency problem. They make understanding other organisations’ security more continuous, unlock the ability to measure previously unseen supply chain risks such as concentration and systemic risks, and lay the groundwork for a new way of collaborating based on our Defend-as-One methodology.

Stage three will first complement our existing inside-out data points, raised from the security assessments suppliers conduct on our platform, with additional outside-in data, and then overlay our network map with additional threat intelligence feeds.

Taking continuous monitoring to the next level

As we discussed in the previous article, Risk Ledger has already taken clear steps towards more continuous monitoring of suppliers’ security controls. To briefly recap, we have done so by using a core standardised assessment framework that allows us to compare suppliers' security like for like, and, most importantly, means that numerous clients now review the same suppliers based on the same framework and controls. The benefits organisations currently reap from Risk Ledger’s approach to continuous monitoring are the following:

  • Risk Ledger is running bi-annual re-assessments on all the suppliers on its platform on behalf of organisations, so they don’t have to anymore;
  • Clients are notified directly, through regular feeds, when any security control at any of their suppliers has changed;
  • Since there are many eyes on each supplier at all times, changes in supplier security controls get noticed much more quickly.

Risk Ledger is currently in the process of introducing additional outside-in data. This will add to the ability of clients to continuously monitor their suppliers’ security. External outside-in data points provide useful indicators of what a supplier actually does in the real world. This extra data can act as validation of a supplier’s responses, giving customers additional confidence in their risk assessment.

The data points themselves may not directly validate a security control, but rather indicate that something may be amiss behind the scenes. For example, does an unexpected open port mean that suppliers are not using Infrastructure-as-Code as thoroughly as reported?

The types of outside-in data that Risk Ledger will seek to scan and ingest into its platform will include, over time:

  • Vulnerability Scanning. Regularly checks for known vulnerabilities in systems and applications.

  • Threat Intelligence. Provides data on emerging cyber threats relevant to the supplier's ecosystem.

  • Supplier Monitoring. Tracks the external security posture of third-party vendors continuously (including email security, Web security and port scanning).

  • Open-Source Intelligence. Gathers publicly available information that could signal risks (including sanctions and embargo lists, financial credit checks, negative news screening, etc.).

  • Attack Surface Monitoring. Identifies exposed parts of a network or system that could be targeted.

  • Breach & Dark Web Monitoring. Detects signs of past breaches or ongoing exposure within the supplier's environment and scans the Dark Web for new vulnerabilities or ongoing attacks.

This will provide tangible new benefits to organisations already using the platform:

  • Expanded Coverage. Additional outside-in data will allow organisations to monitor a wider network, including smaller and fourth-party suppliers that might not receive questionnaires, reducing blind spots in the supply chain and giving fuller visibility of potential risks.

  • Burden Reduction. Continuous monitoring helps alleviate the effort of onboarding and reviewing suppliers one by one, allowing organisations to give quicker updates to the business and enhancing decision-making on suppliers and onboarding.

  • Holistic Picture of Supplier Risk. Provides both qualitative (questionnaire) and quantitative (scanning) data, allowing customers to make more informed decisions, further increasing confidence in risk assessments and ensuring that organisations are not missing critical information.

  • Real-Time Data for Faster Response. Alerts when security risks change, allowing organisations to respond more quickly. This proactively mitigates risks and allows security teams to act before breaches escalate.
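To make the validation idea above concrete, here is an added example (not Risk Ledger's code) that cross-checks a supplier's questionnaire answers against outside-in observations and raises the resulting discrepancies to every client in the network that reviews that supplier. The supplier names, questionnaire fields, scan results and the list of "unexpected" ports are all constructed for the illustration.

```python
"""Cross-check self-reported controls against outside-in observations."""
from dataclasses import dataclass

# Constructed sample: controls a supplier claims in its questionnaire.
QUESTIONNAIRE = {
    "acme-ltd": {"infrastructure_as_code": True, "dmarc_enforced": True},
}
# Constructed sample: what an outside-in scan of that supplier returned.
OBSERVATIONS = {
    "acme-ltd": {"open_ports": [22, 443, 3389], "dmarc_policy": "none"},
}
# Constructed network map: clients currently reviewing each supplier.
REVIEWERS = {"acme-ltd": ["client-a", "client-b", "client-c"]}
# Assumption for the example: an IaC-managed, hardened estate is unlikely
# to expose these services on purpose.
UNEXPECTED_PORTS = {21, 23, 3389, 5900}


@dataclass
class Discrepancy:
    supplier: str
    control: str
    claimed: object
    observed: object
    note: str


def find_discrepancies(supplier, answers, observed):
    """Outside-in data does not prove a control, but flags where a claim looks shaky."""
    found = []
    if answers.get("infrastructure_as_code"):
        odd = sorted(UNEXPECTED_PORTS & set(observed.get("open_ports", [])))
        if odd:  # e.g. RDP exposed: is IaC really applied as thoroughly as reported?
            found.append(Discrepancy(supplier, "infrastructure_as_code", True, odd,
                                     "unexpected open ports"))
    if answers.get("dmarc_enforced") and observed.get("dmarc_policy") not in ("quarantine", "reject"):
        found.append(Discrepancy(supplier, "dmarc_enforced", True,
                                 observed.get("dmarc_policy"), "DMARC not enforcing"))
    return found


def notify_network(supplier, discrepancies, reviewers):
    """Fan each discrepancy out to every client reviewing the supplier ('many eyes')."""
    alerts = {}
    for d in discrepancies:
        msg = f"{d.supplier}: '{d.control}' claimed {d.claimed}, observed {d.observed} ({d.note})"
        for client in reviewers.get(supplier, []):
            alerts.setdefault(client, []).append(msg)
    return alerts


def run():
    """Return {supplier: {client: [alert messages]}} for the whole constructed network."""
    return {s: notify_network(s, find_discrepancies(s, a, OBSERVATIONS.get(s, {})), REVIEWERS)
            for s, a in QUESTIONNAIRE.items()}
```

In practice the observation feed would be the scan types listed above; the point is that the check is a prompt for a conversation with the supplier, not an automatic failure of the control.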

Integrating insider threat intelligence

But this is not all. Our roadmap also includes the plan to create an entirely new class of Cyber Threat Intelligence (CTI), generated directly from events happening inside the IT networks of the connected organisations on our platform. Current CTI relies on finding evidence of cyber-attacks by monitoring the dark web or other external sources. We want to generate this new class of CTI by building integrations into the cloud-native security tools that sit on the first line and incentivising organisations on the platform to connect their point solutions. Does an organisation use CrowdStrike? Plug it into Risk Ledger. Is an organisation deployed on AWS? Plug in AWS Security Hub.

By integrating the various security tools used by supply chain organisations themselves directly into Risk Ledger, we can use the combined power of all first-line security-scanning tools in the network to detect attacks. The idea is that our platform will act like a radar, scanning cyber space for incoming threats – and enabling the network to mobilise effectively to counter any attacks. In this way, all supply chain members benefit from network immunisation – meaning that when one organisation comes under attack, all others in the network provide support and advice to immunise the whole supply chain against the same attack.

This collaborative cyber security defence system will provide real-time threat intelligence much more quickly than is possible today and would amount to creating the first digital SOC for the supply chain. It means organisations across entire networks can learn about new threats as they emerge, and find out quickly if a cyber-attack occurs anywhere in the network.

Towards a digital SOC for the supply chain

As we have argued in this series, organisations are linked, whether they like it or not, and the responsibility for preventing cyber attacks must be shared by the entire ecosystem. No one can do it alone. This is the basis of our idea for a digital SOC for the supply chain. This envisioned SOC could take the form of national security operations centres for the supply chain, loosely modelled on the UK Cyber Government Security Centre (Cyber GSeC), the Government Cyber Coordination Centre (GCCC) or the UK NCSC-led comprehensive security operations centres (SOCs).

Within these SOCs for the supply chain, organisations with large security operations and strong expertise in hunting, detecting and responding to attacks, for example, should rally around their smaller partners and suppliers to protect the whole system, supporting them with their advanced expertise and resources.

In the context of a more NATO-wide collaboration, these national SOCs could then work in conjunction with the new NATO Integrated Cyber Defence Centre (NICC) and its Virtual Cyber Incident Support Capability (VCISC), which are valuable additions to NATO’s overall cyber defence capabilities, and will ensure more ready and equal access across all members of the Alliance to up-to-date threat intelligence and, crucially, operational and technical support during incidents.

These new NATO capabilities could bring significant additional expertise and resources to the proposed national SOCs for the supply chain, while laying the basis for a potential future integrated, NATO-wide SOC for the supply chain.

But regulators also have an important role to play. We must move away from a culture of assurance, threats and fines, to one where organisations supporting our critical national infrastructure, national security agencies, private sector partners and all critical suppliers come together to collaboratively defend against supply chain attacks and strengthen the overall resilience of the entire ecosystem.

Conclusion: From isolated to collective defence

In our series of articles, we have argued that organisations worldwide face a future in which increasingly well organised criminal networks and state-sponsored threat actors are using increasingly sophisticated tools and attack techniques to target our data and systems through the weakest links in our complex supply chains.

We believe the Defend-as-One methodology we have proposed, and are actively putting into practice on the Risk Ledger platform, offers the greatest opportunity for entire supply chain ecosystems to stay one step ahead of malicious actors – now and in the future.

We believe that solving a single CISO’s supplier assurance pain is only scratching the surface of the problem and opportunity that currently exists. For the first time in history, national security now relies on the ability of private sector organisations to defend themselves against cyber-attacks, not dedicated military entities.

We are building a system that improves the resilience of every node (member) of the network, and in doing so seeks to improve the resilience of the entire digital economy, driven by the incentives of the individual members themselves. We want organisations to start thinking about a new security doctrine that recognises that we are much stronger defending together than we are in silos.

As we have argued in this series, a genuine Defend-as-One approach thus demands a cultural change in the way organisations view supply chain security. Security teams must shift from seeing themselves as isolated defenders of their data and systems to being part of a wider network, united against potential attackers. In the same vein, instead of viewing suppliers as potential security threats, they should be regarded as security assets.

Enabling and encouraging collaboration across all organisations in the supply ecosystem will effectively create a multi-disciplinary Security Operations Centre (SOC) for each supply chain network. By connecting all of the diverse organisations and suppliers in complex supply chains to this new SOC, we contend that this will instil a sense of shared accountability for cyber security defence.
