Understanding Why Supply Chain Security is Often Unheeded

Many organizations downplay the critical aspect of whether their cybersecurity provider has the ability to properly vet a third-party vendor's cybersecurity posture.

There are multiple reasons behind this and there are also considerations of where the cybersecurity vetting process can go off the rails during supply chain purchases.

Generally speaking, as an industry we have the ingredients on hand to dramatically reduce the variety and scale of supply chain threat vectors, yet the reality is that supply chain security for most organizations is still pretty poor.

After giving this situation a great deal of thought, we believe the issue is that supply chain security is considered far too late in the buying cycle to influence the buyer's final decision.

If you consider the psychology of a typical buying cycle, the further the vendor selection and engagement process progresses, the less likely a customer is to heed evidence that their preferred vendor poses a risk to the organization.

Why Isn’t Supply Chain Security Prioritized?

Too many organizations still don't understand the importance of a secure supply chain in maintaining their own security and end up hiring a cybersecurity partner that doesn't properly prioritize supply chain security.

This lack of prioritization happens for many reasons, even when an organization realizes its security provider is leaving a gaping hole in its defenses. Cost is often a factor. A lack of knowledge about the security threat inherent in leveraging supply chain vendors is another, as is an unwillingness to rip out the current provider's security stack and replace it with another.

The danger behind this line of thought is quite apparent. A quick look at the number of cybersecurity incidents that started in an organization's supply chain should be enough to show that this approach is a recipe for disaster. Without going into detail on each, some of the biggest were the 2020 SolarWinds attack, MOVEit in 2023, and Okta also in 2023.

Trustwave SpiderLabs' recent threat intelligence reports also paint a dark picture regarding the threat posed by third parties. In three of its threat intelligence reports, third-party suppliers are listed as a top threat vector for these verticals: healthcare, hospitality, and financial services.

The reports show that cybercriminals often target these third parties as a strategic maneuver. If they successfully breach a third-party vendor, they often gain access to the targeted company's data. End customers are also impacted in a more opportunistic manner, where an attacker simply targets the vendor in the hope of then gaining access to more 'interesting' organizations, without a specific target in mind beforehand.

Additionally, financial services and other organizations are subject to a wide range of regulations. If a third party fails to comply with these regulations, it could put the financial services or other organizations at risk of fines, penalties, or even criminal prosecution. A cybersecurity vendor conducting a proper vetting program can reveal all this information before it becomes problematic.


The Checklist Approach to Security

Unfortunately, even when an organization opts to give a nod to supply chain security, the method often used to choose a provider is to have it fill out a form and tick the boxes that indicate "we have security." This approach does not go nearly far enough. Simply put, there is no way to say if the supplier is telling the truth or if it even knows if its own supply chain is secure.

Instead, organizations should have a detailed and qualified conversation about risk versus benefit as opposed to simply telling themselves that removing a vendor with poor security will be hard and then letting the chips fall where they may.

The issue comes down to balancing the effort an organization is willing to put into staying secure against the risk of putting in place so much security that it negatively impacts the business.

How Trustwave Approaches Supply Chain Security

As explained above, Trustwave understands that education and awareness are key inputs when it comes to prioritizing, buying, and using supply chain security.

Our process involves holding a thought-provoking conversation in which we explain Trustwave's broad experience delivering supply chain security and, where appropriate, educate the client on why their current security product is not working.

Trustwave has vetted thousands of vendors for organizations. Even organizations that have a great reputation as a business partner and would likely sail through a security assessment are often the gateway threat actors use in a supply chain attack.

Every organization needs visibility, even into second- and third-tier vendors; without this level of understanding, you are leaving yourself open to attack.

Here are six general principles to keep in mind when contemplating how to secure your supply chain.

1. Know Your Suppliers

Start with procurement and ask them for a list of the organization's suppliers. You will often have to examine IT suppliers in detail, but the list should cover everything from financial providers to courier companies.

2. Triage the List

The next step is working out which suppliers matter to your business and assessing the impact that any cyber incident they experience might have on you.

3. Ask the Correct Assessment Questions and Obtain Evidence

Questions should cover the supplier's ability to encrypt data, whether it uses MFA, its password policies, its patching program management, its architecture and segmentation, its cloud usage, and much more. A best practice is to balance the number of assessment questions. Too few and you won't know what's actually going on; too many and you'll be lucky to get a response from your suppliers.

4. Interpret the Results with an Eagle Eye

The assessment is only as good as the tool or the human analysis behind it. We recommend you know which parameters impact a vendor's risk rating and how each weakness may impact your business.

5. Use Automated Scanning Tools with Care

These tools have their place, but the licensing cost is often considerable, particularly if you haven't done step 2 and you're scanning every vendor.

6. Threat Detection Should Be Part of Your Supply Chain Risk (SCR) Strategy

A threat detection service or capability will alert you to incidents and breaches in real time. At a minimum, it will enable you to respond quickly when the worst happens; at best, it will stop the threat before it reaches your critical systems.

Finally, if you're looking to improve resilience against supply chain risks, you can talk to us. Our Supply Chain Risk Diagnostic Service is ready to shorten the time needed to get your SCR management program up and running.

Alternatively, when revisiting your in-house cyber risk assessments, or looking for a more efficient third party to do this for your business, see the description of our Managed Vendor Risk Assessment Service.
