What are Software Supply Chain Attacks?

Software supply chain attacks, or digital supply chain attacks, have become increasingly prevalent over the last couple of years. The SolarWinds data breach, noted as the first large-scale attack of this kind in recent months, wreaked havoc on supply chains across a multitude of industries.

But that was just one of the latest examples of the devastation and disruption a well-coordinated supply chain attack can cause. Other third-party data breaches, like the Target, Home Depot, and NotPetya incidents, made it clear that protecting the supply chain must be a top priority for security managers.

What’s the best way to protect against potential software supply chain attacks? To get the answer, let’s define what those attacks are, how they happen, and how organizations can defend against them.

The software supply chain: the weakest link?

Malicious attackers tend to look for the weakest link in an organization’s security posture. Often, this resides in a company’s software supply chain.

There are a couple of reasons for this. First, despite periodic cybersecurity audits, organizations often don’t have a very good sense of their vendors’ security postures. These assessments only offer a point-in-time snapshot of a vendor’s security stance, which isn’t enough in today’s ever-evolving threat environment. Second, some companies are managing hundreds of vendors, including fourth and nth parties, making it almost impossible to accurately assess each vendor’s potential for risk.

Attackers understand these challenges, so, instead of targeting an organization’s network, they target its software supply chain partners. They find a weakness in a vendor’s software development or update cycle and insert malicious code into the software. A single piece of malicious code can have enormous ripple effects across that vendor’s entire ecosystem. This happened with SolarWinds and, in fact, is likely happening right now in another organization’s network, since studies show there’s a new cyberattack every 39 seconds.

How to prevent a software supply chain attack with security ratings

While software supply chain attacks are becoming increasingly sophisticated and prevalent, they can be mitigated, as long as organizations do more than traditional vendor security assessments. Instead, they must maintain a continuous monitoring stance that starts at the beginning of the vendor onboarding process and continues throughout the vendor/client relationship.

The first step is to use security ratings to evaluate vendors’ security postures before they become part of the software supply chain ecosystem. A security rating is a data-driven representation of a number of cybersecurity factors that affect an organization’s cybersecurity program, including compromised systems, known security vulnerabilities, adherence to industry best practices, and more. Findings are presented as an easy-to-understand score, similar to a credit rating, on a scale from 250 to 900. The higher the rating, the better the security posture.

Organizations can use these findings to make several determinations. Companies may decide not to partner with vendors with low security ratings, citing an enhanced cybersecurity risk. Or, they may opt to work with vendors with mid-level risk and consult with them on how to improve their security rating.

In any case, security managers will have a good sense at the outset of the relationship of the type of risk the third party will introduce to their organizations. That puts them ahead of the game before the partnership even begins.

Prioritizing and continuously monitoring software supply chain risks

Once vendors are onboarded, security managers can prioritize risks in their vendor pools and focus on the most dangerous or pressing threats. For instance, a vendor that handles highly sensitive data is more likely to pose a significant risk than a vendor that does not. Managers can look at these risk profiles, combine them with the insights gleaned from security ratings, and determine which vendors need the most attention.

Since security ratings are highly dynamic, managers can keep tabs on their vendors’ security postures over time. This makes it easy to notice when a security rating drops below an agreed-upon threshold. For example, if during the initial contract phase an organization specifies a minimum security rating of 650, and a vendor’s rating goes below that number, security managers can have honest conversations with the partner to discuss ways to improve their risk levels. If the vendor does not comply, the partnership can be terminated.

That’s a worst-case scenario, however. Ideally, the vendor will do what is recommended to make improvements, resulting in more sound cybersecurity for both the vendor and all of their clients. Companies can then monitor the vendor to ensure their security ratings remain within acceptable risk thresholds.
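The prioritization and threshold-monitoring steps described above, written out as an added example in Python. This is not the article's own tooling or any security-ratings provider's API: it assumes ratings arrive as periodic samples on the article's 250 to 900 scale, that each contract fixes a minimum rating (650 by default), and that each vendor has a data-sensitivity tier agreed at onboarding. It reports only the moment a vendor crosses below its threshold, so a vendor already under review is not re-alerted on every poll, and orders vendors for attention by threshold status, then data sensitivity, then rating. The vendor names, ratings and dates are constructed.

```python
"""Vendor security-rating monitoring (added example; not the article's or any provider's code).

Constructed assumptions:
- Ratings use the article's 250-900 scale and arrive as periodic samples per vendor.
- Each vendor carries a data-sensitivity tier ("high", "medium", "low") agreed at onboarding.
- Each contract fixes a minimum acceptable rating (the article's example is 650).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

RATING_MIN, RATING_MAX = 250, 900
SENSITIVITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Vendor:
    name: str
    sensitivity: str      # how sensitive the data this vendor handles is
    threshold: int = 650  # minimum acceptable rating agreed in the contract


@dataclass(frozen=True)
class RatingSample:
    vendor: str
    observed: date
    rating: int


def _history(vendors, samples):
    """Group samples per onboarded vendor, oldest first; reject unknown vendors and bad ratings."""
    known = {v.name: v for v in vendors}
    per_vendor = defaultdict(list)
    for s in samples:
        if s.vendor not in known:
            raise ValueError(f"rating sample for vendor not onboarded: {s.vendor}")
        if not RATING_MIN <= s.rating <= RATING_MAX:
            raise ValueError(f"rating out of range for {s.vendor}: {s.rating}")
        per_vendor[s.vendor].append(s)
    for hist in per_vendor.values():
        hist.sort(key=lambda s: s.observed)
    return known, per_vendor


def threshold_breaches(vendors, samples):
    """Return (vendor, date, rating) for every transition from at-or-above the
    contract threshold to below it. Only the crossing is reported; a first sample
    that is already below the threshold counts as a crossing at onboarding."""
    known, per_vendor = _history(vendors, samples)
    events = []
    for name, hist in per_vendor.items():
        floor = known[name].threshold
        previously_ok = True
        for s in hist:
            below = s.rating < floor
            if below and previously_ok:
                events.append((name, s.observed, s.rating))
            previously_ok = not below
    return sorted(events, key=lambda e: (e[1], e[0]))


def latest_ratings(vendors, samples):
    """Most recent rating for every vendor that has at least one sample."""
    _, per_vendor = _history(vendors, samples)
    return {name: hist[-1].rating for name, hist in per_vendor.items()}


def prioritize(vendors, samples):
    """Order vendors for attention: currently below threshold first, then by data
    sensitivity (high before low), then by lowest rating. Vendors with no samples go last."""
    known, per_vendor = _history(vendors, samples)

    def key(v):
        hist = per_vendor.get(v.name)
        if not hist:
            return (1, 0, RATING_MAX + 1)
        rating = hist[-1].rating
        return (0 if rating < v.threshold else 1, -SENSITIVITY_WEIGHT[v.sensitivity], rating)

    return [v.name for v in sorted(known.values(), key=key)]


# Constructed sample data (not real vendors or ratings).
VENDORS = [
    Vendor("acme-build", "high"),
    Vendor("widgetco", "medium"),
    Vendor("paperclip-ltd", "low", threshold=600),
]
SAMPLES = [
    RatingSample("acme-build", date(2024, 1, 1), 720),
    RatingSample("acme-build", date(2024, 2, 1), 690),
    RatingSample("acme-build", date(2024, 3, 1), 640),    # crosses below 650
    RatingSample("acme-build", date(2024, 4, 1), 630),    # still below: no new alert
    RatingSample("widgetco", date(2024, 1, 1), 660),
    RatingSample("widgetco", date(2024, 3, 1), 655),
    RatingSample("paperclip-ltd", date(2024, 1, 1), 590),  # below 600 at onboarding
    RatingSample("paperclip-ltd", date(2024, 2, 1), 620),  # recovered
    RatingSample("paperclip-ltd", date(2024, 3, 1), 580),  # crosses below again
]

if __name__ == "__main__":
    for name, when, rating in threshold_breaches(VENDORS, SAMPLES):
        print(f"{when}: {name} dropped to {rating}, below its contract threshold")
    print("attention order:", prioritize(VENDORS, SAMPLES))
```

Reporting only the crossing, rather than every sample under the floor, is what keeps the alert list actionable when ratings are polled frequently; the per-vendor threshold lets a contract negotiated at a different floor be monitored by the same loop.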

Protecting the software supply chain from attack

The SolarWinds data breach showed how important it is to protect your supply chain, and how easy it is for hackers to turn a single attack into an event that impacts thousands of organizations. With the estimated cost of a data breach reaching $3.86 million, companies literally can’t afford to let this happen anymore, either to themselves, their partners, or the supply chain.

They must take the necessary steps today to mitigate risk posed by their third-party resources. Continuous monitoring, based on security ratings, is a highly effective tool that helps companies fortify themselves and protect the software supply chain as a whole.