Do you trust your cyber security supply chain?
Creating a Secure Cyber Security Supply Chain
We all know the importance of maintaining a solid cyber security capability and a secure cyber posture. We all know the statistics about malware, ransomware, cyber IP theft, data breach fines, and compliance mandates. I don’t think there’s anyone left who does not understand that they need to be cyber secure.
One of the big questions that remains is simply this: “Who do I trust?” And this extends into the supply chain for your service providers and for your vendors of both software and hardware.
“All organisations should consider cyber supply chain risk management”. – The Australian Cyber Security Centre (ACSC)
The National Cyber Security Centre in the UK (NCSC) documents the types of attack that can occur through a third-party software provider, including compromise of industrial control systems on critical infrastructure.
In the US, the Department of Defense has introduced the Cybersecurity Maturity Model Certification (CMMC) to mandate a minimum security posture for its suppliers and to “assess and enhance the cybersecurity posture of the Defense Industrial Base. The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”
Outside of government, there are still very few companies that set security standards for their suppliers or truly understand the security implications of the vendors they choose – especially if they are choosing on price. Choosing an open source product written by unknown contractors in Eastern Europe or Asia may not be the best answer.
It’s a topic to take seriously and to consider in detail when choosing who to trust to assist your organisation in maintaining a secure environment.
So how do I choose?
Obviously, a reasonable start is some form of certification. This could mean an ISO27001 certification, certification of compliance with the CMMC (when that becomes more available) as well as certification of the actual product.
The team at Prophecy are deep into an ISO27001 project that will see us certified to this international standard, and we are also preparing for CMMC certification so that we can continue to supply the Defense sector in the United States. We have also had our software verified by a third-party company that specialises in vulnerability assessment: we used Veracode, and both Snare Enterprise Agent and our Agent Manager have attained “Verified” level. (Read here for more information on Prophecy’s Verified status.)
Linked to this is the risk from open source software – particularly in tracking the use of open source components as new versions become available, since older components may carry vulnerabilities that remain unpatched in your deployment. You only need to look at the Equifax breach to see how significant a challenge this is to manage, and how massive the consequences can be. Other issues include projects that are valuable now but lose value as active maintenance declines, and a lack of visibility into who is contributing to open source projects and where they are coming from.
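The tracking problem described above, as an added example that is not Prophecy or Snare code: a component inventory (the kind of list an SBOM or lockfile gives you) is checked against advisories that record the first affected and first fixed version. Both the inventory and the advisory list below are constructed for illustration; the component names and EXAMPLE-… identifiers are not real packages or CVEs. The example also shows why versions must be compared numerically rather than as strings, a common cause of a vulnerable component being reported as up to date.

```python
"""Check an open-source component inventory against known-fixed advisories.

Added example, not Prophecy/Snare code. The inventory and advisories below are
constructed for illustration and do not describe any real package or CVE.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.3.10' into (2, 3, 10) so versions compare numerically.

    Compared as plain strings, '2.3.10' < '2.3.9' is True, which would hide an
    unpatched component; the tuple form gives the correct ordering.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str   # constructed identifier, not a real CVE
    introduced: str    # first affected version (inclusive)
    fixed: str         # first version that carries the fix (exclusive upper bound)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed inventory, as you might export it from an SBOM or lockfile.
INVENTORY = {
    "example-web-framework": "2.3.10",
    "example-xml-parser": "1.8.4",
    "example-json-lib": "3.0.1",
}

# Constructed advisories; the version ranges are made up for the example.
ADVISORIES = [
    Advisory("example-web-framework", "EXAMPLE-2023-0001", "2.0.0", "2.3.11"),
    Advisory("example-xml-parser", "EXAMPLE-2023-0002", "1.0.0", "1.8.0"),
    Advisory("example-json-lib", "EXAMPLE-2023-0003", "3.0.0", "3.0.2"),
    Advisory("example-json-lib", "EXAMPLE-2023-0004", "2.0.0", "2.9.9"),
]


def find_unpatched(inventory, advisories):
    """Return sorted (component, version, advisory_id, fixed) for each affected pair.

    A component that is not in the inventory is ignored; one that is in the
    inventory but already at or past the fixed version produces no finding.
    """
    findings = []
    for adv in advisories:
        version = inventory.get(adv.component)
        if version is not None and adv.affects(version):
            findings.append((adv.component, version, adv.advisory_id, adv.fixed))
    return sorted(findings)


if __name__ == "__main__":
    for comp, ver, aid, fixed in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{comp} {ver}: {aid} unpatched, upgrade to >= {fixed}")
```

Run against the constructed data, the check reports the web framework and the JSON library as unpatched and leaves the XML parser alone, because 1.8.4 is past that advisory's fixed version. In practice the inventory comes from your build or deployment pipeline and the advisories from a vulnerability feed; the point is that the comparison is automated and repeated every time either side changes, rather than done once at procurement.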
Why is sovereign capability important?
In a global market with players from almost every country, it is critically important to look at capability from home as well as from countries that have a level of integration and acceptance when it comes to cyber maturity, cooperation around defense and intelligence, and protections for IP and trademarks. Local companies usually created the IP you will be deploying in your environment, offer support in your time zone and in your language, and understand the local regulatory and legal environment in which you operate. They will be there if you need them, and in your legal jurisdiction if something really goes wrong.
In addition to this, sovereign capability drives the growth of jobs and the economy – which is very important after the disruptions to the global economy caused by COVID – and potentially also drives exports. Snare software, for instance, is developed in Australia with Australian resources, and we generate nearly 80% of our revenue outside Australia.
To expand this slightly further, you could also look to geographies that have formal alliances, such as the Five Eyes countries.
The Five Eyes
The Five Eyes is an intelligence-sharing alliance comprising Australia, Canada, New Zealand, the UK and the US. It is a formal intergovernmental agreement on intelligence sharing, and it is a factor you could consider when choosing a vendor: whether they are based in one of these geographies and are used by government or defense agencies in those countries.
This also shows the importance of secure supply chains, as any supplier to one of these agencies could potentially introduce vulnerabilities that allow access into other agencies in other geographies.
If a supplier is trusted by any of these agencies, that is a good recommendation for the commercial world too.
Snare was developed by defense personnel for defense purposes, and many military and defense agencies and defense suppliers around the globe use our software; Snare has been trusted for centralised log management for decades.
So what do you do if you aren’t sure where your providers are headquartered or need to take steps to ensure your supply chain is trustworthy?
There’s a lot to take in here, but in essence it’s all about trust.
Start by asking the following about your suppliers:
- Do they speak my language, reside in my time zone, have developers I know, and operate under a legal framework I can work with?
- Are they trusted by government in my country, or in countries that have a level of engagement and cooperation with my own?
- If they are an international company, do they have a team in my country that is bound by our laws?
- Is the IP protected by law, and does the licence give me protections in using the software?
- Can I be comfortable that I am not introducing risk by choosing this vendor when I am trying to reduce risk?
If you have questions about your supply chain or want to speak with our expert team about implementing Snare’s suite of services as a part of your trusted supply chain, reach out. We are trusted by over 4,000 companies across the globe for log management and can help you create a stronger cyber security infrastructure during a time when it is more important than ever to trust your vendors and your partners.