I have been working in the cybersecurity industry for close to 25 years. When I started, PCI-DSS was still four years in the future. I mention this because PCI-DSS, outside of financial reporting compliance standards (GLB), was the first broadly audited cybersecurity standard across multiple industries. There has always been a sort of love/hate relationship between cybersecurity and best practices. One of the biggest challenges is that a regulatory audit is a “moment in time” look at security hygiene, determined months ahead. The audits become a “pass the requirements successfully” task versus an honest view of existing security capabilities with feedback to improve existing defensive capabilities. I have heard many cybersecurity professionals exclaim that these compliance audits reduce the effectiveness of cybersecurity defenses by setting defensive standards for adversaries to read while at the same time pushing much needed resources from cyberdefense programs over to compliance.
When we look at supply chain risk management (SCRM), point-in-time audits have some value when adding a new organization into an ecosystem to ensure that the standards of cybersecurity hygiene are in place, but that is as far as the matter goes.
Supply chain ecosystem members must maintain cybersecurity hygiene standards while the supply chain is operating, and in today’s world, that is a 24X7 process. To achieve 24X7 cybersecurity hygiene standards, organizations must be able to continuously monitor and show their environments are protected and safe and that they are not putting anyone else in the supply chain ecosystem at risk. This is the basis for continuous compliance.
As discussed in an earlier blog, we are seeing the more prominent vendors in the ecosystem (the ones with the most significant risk) pushing the need for continuous compliance out to the other vendors in the ecosystem as a “cost of doing business” with them. We also see supply chains that have created ecosystem organizations to standardize continuous compliance requirements. Standardization is beneficial because some supply chain members are asked for dashboards and reports from multiple companies in the ecosystem, often with variations in the cybersecurity requirements.
A company audited by multiple vendors, with numerous control variations and little preparation time, must have a mature cybersecurity program with integrated dashboards and reports. If they do not, continuous compliance will become onerous and costly. We have one customer who shares dashboards that contain 48 different variations on required controls across 55 different ecosystem partners.
So how does a medium or smaller-sized organization with finite resources meet these continuous compliance requirements, upgrade its cybersecurity hygiene, and afford it all? Here are five best practices that our customers shared.
1. Supply chain defense requires process-focused cybersecurity
Many companies overlay security silos over their IT system and processes instead of deploying them to operate within the supply chain process. A good example is deploying endpoint detection and response agents on your laptops and workstations while not considering the defense of IoT systems, even though those systems are more integral to the supply chain process.
Best Practice: Map out supply chain processes and the IT systems involved. Supply chain process managers work with cybersecurity and IT teams (or partners) to map threat surfaces based on process, not on technology. Risk score all threat surfaces to determine which are at the greatest risk to attack and choose the best technology and method to protect them. Deploy defensive programs focusing on areas of greatest risk.
Consideration: That IoT system, or newly connected OT system to the Internet, may very well be the best starting point as opposed to adding new endpoint EDR tools or deploying new cybersecurity awareness programs. Start with the supply chain process and risk, not technology stacks or the latest hyped cybersecurity technology.
2. Define and deploy cybersecurity controls that support continuous defense and compliance
A simple way to say this is to monitor everything. Have systems that watch critical systems and critical controls 24X7. This does not mean reducing or replacing existing security controls like multifactor authentication, but it does include watching those controls to ensure they are operating correctly. Supply chain processes never sleep, so cybersecurity defense must never sleep.
Best Practice: Utilize AI, specifically supervised and unsupervised machine learning, to watch for anything that changes or does not match normal operations. Critical areas to monitor include your internal network traffic, all internet gateway traffic, directory systems (cloud and on-premise), and any device you can place a monitoring agent on (AV, EDR, etc.).
Consideration: A new ransomware variation in Europe called ‘Prestige,’ a supply chain attack striking at logistics and transportation companies. It uses sophisticated payload delivery strategies, and one of those includes copying the payload directly to an Active Directory Domain controller. The AD domain controller logs are amazingly noisy and challenging to monitor manually, and the adversary knows and exploits this. The good news is that there are reliable, affordable AI-based tools to monitor AD systems, including CyGlass.
3. Extend cyber security through every step of the contract lifecycle
Just as you took a “process-centric approach to your cybersecurity controls,” do the same with all of your supply chain ecosystem contracts. When awarding a contract, stipulate compliance with necessary cyber security controls in the supplier contract. This step is well defined in a National Cyber Security Centre (NCSC) download you can find here and in the list below. While the NCSC steps differ from the ones CyGlass developed from our customers, it is equally as valuable.
Best Practice: Ensure the contracts and any new agreements with suppliers, outsourcers, and contractors your organization works with to support supply chain operations include provisions around cybersecurity expectations. These expectations should be defined regarding incident alerting, remediation capabilities, and threat and vulnerability data sharing. Also, clearly define reporting time expectations.
Consideration: Do not forget that terminating a contract also means removing all process and access integration created for the supply chain process defined in the contract. Make sure you regain control of your assets and remove all user and system access. This process is much easier when your contract clearly defines the systems, data sharing, and access that was created.
4. Deploy “platform or complete” systems that monitor or watch over as many threat surfaces as possible
This is the old cybersecurity strategy battle of “best-in-breed” versus “complete integrated platform” applied to SCRM. If you have a large cybersecurity team of 20 or more staff, best-of-breed technology with custom integration is possible. But an integrated platform is the way to go if you have a smaller team and limited resources. Regarding SCRM, look for a platform that covers the most threat surfaces possible. Be sure not to fall for vendor marketing hype; for example, Gartner places extended detection and response (XDR) at the apex of messaging hype with low actual value. Many vendors offering XDR only cover limited threat surfaces and have limited response capabilities, even though they claim otherwise.
Best Practice: When choosing technology, look for coverage of cloud, IoT, network, directory, data centers, remote locations, endpoints, etc. Utilize the processes-focused threat surface list from step one in this blog to create your requirements checklist and find your optimal tool. Use the requirements checklist to determine winning outcomes from vendor “proof of concept” trials.
Consideration: Deployment models for cybersecurity tools are changing, and new technologies deliver greater capabilities at lower costs. For example, CyGlass runs in the Amazon Web Services Cloud (AWS), eliminating the need for onsite hardware and software, thereby reducing management and updating costs. At the same time, using the AWS Cloud Platform adds instant scalability and AI computing power. New cloud-based deployment models are game changers for cybersecurity tools.
5. Implement automated, easily shareable dashboards and reports that reflect the near real-time operational status
The final step on our list can be considered the reverse side of the coin from step three. While you require your suppliers to meet and prove cybersecurity hygiene standards, your ecosystem partners will require the same of you. We hear from our customers that partners will need everything from daily access to threat and risk dashboards to on-demand audits completed by the partner’s internal audit team or third-party auditors they contract with. The goal is to utilize automation to keep reporting requirements as straightforward as possible, especially for teams with limited resources.
Best Practice: Utilize cybersecurity tools with automated reporting capabilities in their product and include them in the base license. Ensure that the reporting tool is easy to configure and that access to or PDR versions of the required reports can be created and sent out quickly and efficiently. Platforms incorporating correlated reporting capabilities across threat surfaces and integrated technologies are an even better choice as they reduce the number of reports that need to be generated.
Considerations: In some more complex supply chain ecosystems, customers have reported that they need to create hundreds of variations on a core set of control effectiveness reports. These variations can range from mixing control sets to adjusting the parameters on control effectiveness scoring levels. If you utilize a managed service partner (MSP, MSSP, MDR), ensure your contract includes reports and required configuration change capabilities at a cost within your budget. If you attempt this internally, your cybersecurity tool must consist of an easy-to-use reporting configuration manager. Doing this manually will be untenable.
Our final word of advice is to keep improving as you build out your SCRM program. Do not let the program stagnate. Our adversaries do not rest, and neither can you.
Curated List of SCRM Standards and Resources
Here is a curated list of the websites that our customers and partners have shared with us to support their supply chain risk management and compliance programs. Please note: This list is for supply chain risk management and not “software supply chain” or security of the software development process.
https://www.cisa.gov/ict-supply-chain-library
- A library of program-level resources, including checklists and best practices, provided by the US Cybersecurity and Infrastructure Agency (CISA)
- An exhaustive report from CISA across threat surfaces and scenarios that can be mapped to supply chain processes
- A similar library and best practices resources portal from the UK National Cyber Security Centre (NCSC)
- Download this excellent primer on supply chain risk management by NCSC
- A download from NCSC that is utilized by many of our UK customers and described above
https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management
- The US National Institute of Standards (NIST) SCRM project portal includes NIST SP 800-161 control standards and mappings supporting this blog’s recommendations
https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/publications
- The complete NIST SCRM library link. Excellent resources on standards, controls, best practices, and audit standards
https://www.dni.gov/index.php/ncsc-what-we-do/ncsc-supply-chain-threats
- Director of National Intelligence, National Counterintelligence and Security Center portal to guidelines, best practices, executive orders, and detailed information on critical infrastructure across supply chain ecosystems
https://www.isaca.org/resources
- ISACA is the Information Systems Audit and Control Association, and they offer a variety of audit training and education. They provide great free and low-cost resources such as risk management, audit standards, SCRM training, and CMMI/CMMC standards information.
Bill Munroe
VP Marketing, CyGlass
