Supply Chain Cybersecurity – The Case for Outside-in Exposure Monitoring
Article is originally from teiss.co.uk
Camille Charaudeau at CybelAngel explains why organisations desperately need an ‘outside-in’ approach to security
In these days of rapid cloud migration and endless digital supply chains, the idea of a secure perimeter is well and truly dead. Nevertheless, organisations still naturally tend to take an inside-out approach to security: defending their own estate and watching for threats coming in.
But an increasing number of cyber-threats now require organisations to look beyond their own perimeters and gain visibility of external risks that could harm their business. Exposed cloud storage, leaked credentials and data leaking through an ever more complex supply chain can all cause material damage to a business’s operations.
In fact, research indicates that four in five software supply chains were exposed to at least one cyber-attack in the last 12 months.
These attacks are designed to evade the usual outwards-facing approach to security. So is it time to flip the script and take an ‘outside-in’ view of security?
Why are supply chain attacks so dangerous?
Supply chain attacks have become one of the most prevalent cyber-threats in recent years because they exploit the connections of trusted suppliers and partners.
The tactic is not particularly new. The nation-state group known as Dragonfly has specialised in attacks on the energy sector through third parties for over a decade. But rapid digitalisation means more firms now have extensive digital supply chains. This presents criminal gangs with a larger attack surface and more connections to target.
Larger organisations can easily have tens of thousands of direct suppliers, particularly if they deal in manufacturing and production. Procter & Gamble, for example, reportedly has over 75,000 suppliers. Most organisations have increasingly large and sprawling digital supply chains, regardless of their field.
Any third-party access to an organisation’s systems or data is a path an attacker can use. Compromising a contractor or service provider lets attackers inherit whatever network access and privileges that provider holds. Services such as data analysis or accounting will also typically hold copies of sensitive data on servers outside the organisation’s control.
SOC teams that are using standard internal endpoint monitoring solutions are unlikely to have any visibility into the security status of these external locations.
Even the most diligent outward-looking security strategies can be undone by a vulnerable third-party supplier. The issue is complicated further by the fact that each supplier has its own network of connections. Rather than a supply chain, each organisation now sits within a vast and tangled supply web, and a breach at any point can ripple out and affect multiple organisations. As a result, each organisation’s true attack surface is growing far faster than its own footprint.
The growing impact of supply chain attacks
A continual string of high-profile supply chain breaches has dominated the headlines over the last few years.
In February 2022, automotive giant Toyota pre-emptively decided to shut down its entire domestic manufacturing operation after a plastic parts supplier, Kojima Industries, was breached. The supplier had third-party access to Toyota’s manufacturing systems, so the company opted to halt production before those connections could be used to launch a serious attack against it.
It is estimated that shutting down production for a day cost the output of around 13,000 vehicles. A major breach could have been far more disruptive.
In an unrelated incident in October 2022, Toyota disclosed that close to 300,000 customer records had been exposed after a third-party web developer uploaded source code containing an access key for the customer data server to a GitHub repository set to public access. The key was publicly available for close to five years before the error was discovered.
Incidents like these are especially damaging for organisations as they will face impacts such as operational downtime, regulatory fines, and loss of customer data, even if the fault originated with a third party.
A large food and beverage manufacturer we have worked with estimated that operational downtime from a breach could cost between $500k and $1m per day, while privacy law violations from exposed customer data could cost $30m.
Organisations need to gain visibility of these external risks before they culminate in costly data breaches. Adopting a more external view of threat monitoring will make a crucial difference here. So how can organisations put it into practice?
Using an outside-in approach to enhance visibility
An outside-in approach to data monitoring means going beyond the usual internal endpoint monitoring, vulnerability scans, and firewall protections, and adopting external attack surface management (EASM). This involves continually monitoring the wider internet for any connected assets related to the company.
This approach will help to uncover assets that the company previously had no knowledge of. For example, a sales partner may hold a database of customers as part of its service, but inadvertently leave it exposed by storing it in an unsecured, publicly readable Amazon S3 bucket. External attack surface management solutions will discover exposed assets like this, regardless of where they exist and how they were created.
This is particularly valuable in today’s convoluted digital environment, as it will uncover exposures from first-party connections all the way through ‘Nth-party’ systems in their supply webs.
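The exposed-bucket scenario above is usually a configuration mistake rather than an exploit, so a practitioner wants a concrete check for it. The following is an added example, not code from the original article or from any CybelAngel product: it takes a bucket policy and a Block Public Access configuration in the same JSON shape the S3 `GetBucketPolicy` and `GetPublicAccessBlock` API responses use, and decides whether anonymous readers can reach the data. The bucket name, the role ARN and the account ID `123456789012` are hypothetical, and both policies are constructed for the example; no AWS calls are made.

```python
"""Classify whether an S3 bucket's effective configuration exposes objects
to anonymous readers. Constructed example; the policies below are samples
and the bucket name, role ARN and account ID are hypothetical."""
import json
from typing import Any, Dict, List

# Actions that let an anonymous principal read or enumerate data.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two forms meaning 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sids (or positions) of Allow statements that grant
    read-type actions to anonymous principals with no Condition narrowing them."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        # A Condition (aws:SourceVpce, aws:Referer, ...) may restrict the grant;
        # treat those as "review manually" rather than flatly public.
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def is_publicly_readable(policy: Dict[str, Any],
                         public_access_block: Dict[str, bool]) -> bool:
    """Effective exposure via policy: a public-read statement only matters
    if RestrictPublicBuckets is off. (ACL-based exposure, governed by
    BlockPublicAcls/IgnorePublicAcls, is out of scope here.)"""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False  # S3 ignores anonymous grants in the policy
    return bool(public_read_statements(policy))


# Constructed weak configuration: the "partner exported customers" case.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadForCustomerExport",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-partner-customers",
                 "arn:aws:s3:::example-partner-customers/*"]
  }]
}""")
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Corrected configuration: one named role may read objects, and all four
# Block Public Access settings are on so a future policy typo cannot
# re-expose the data.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadOnlyForExportRole",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-partner-customers/*"
  }]
}""")
HARDENED_PAB = {key: True for key in WEAK_PAB}


def assess(label: str, policy: Dict[str, Any], pab: Dict[str, bool]) -> str:
    """One-line verdict suitable for a findings report."""
    hits = public_read_statements(policy)
    exposed = is_publicly_readable(policy, pab)
    return f"{label}: exposed={exposed} public_statements={hits}"


if __name__ == "__main__":
    print(assess("weak", WEAK_POLICY, WEAK_PAB))
    print(assess("hardened", HARDENED_POLICY, HARDENED_PAB))
```

The check deliberately separates the two questions an assessor has to answer: whether the policy text grants anything to anonymous principals, and whether that grant is actually live given Block Public Access. Turning on `RestrictPublicBuckets` alone neutralises the weak policy, but the hardened version also removes the grant so the bucket is not one setting away from exposure.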
When a breach or leak does occur, external monitoring can also rapidly locate any data related to the company by monitoring open and dark web mentions. This means the data owner has a chance to get ahead of the breach and take steps to close or mitigate it.
In the best-case scenario, the data can be taken down, or at the very least the business can gain full visibility of the extent of the issue. This enables the firm to put the most appropriate response into action rather than an uninformed general announcement of a breach.
Continual external monitoring is best achieved through a blend of automated and human-led analysis. This provides the best of both worlds, combining the speed and scale of automated analysis with the context and experience of human analysts to create actionable intelligence.
With an outside-in approach to security monitoring, enterprises can finally expand their visibility to their extended external attack surface. This gives them a much better chance of stopping or mitigating third party and supply chain risks, regardless of where the threat originates.
Camille Charaudeau is VP of Strategy at CybelAngel
For the original article, visit teiss.co.uk