The SolarWinds supply chain attack that came to light nine months ago, brought into sharp focus the risk of purchasing software or hardware with deliberately or accidentally built-in weaknesses. Many organizations around the globe understood for the first time that the risk was higher than they had ever expected.
Perhaps the most shocking thing to come to light was the fact that the software supplier had been compromised more than a year before the breach and malicious activity was discovered, and not by Solar Winds, but a third-party security firm.
By breaching SolarWinds, the attackers were able to insert backdoor malware in the Orion network management system code that was delivered to Orion customers in an update to the Orion software. The backdoor was designed to enable the attackers to impersonate users and accounts of victim organizations.
Because the breach by suspected nation-state attackers affected more than 30,000 organizations, both public and private around the world, the SolarWinds supply chain hack is recognized as one of the biggest cyber security breaches of the past decade.
The very nature of a supply chain attack means that it does not affect only the software or hardware supplier involved, but also the potentially hundreds of thousands of organizations around the world that use its software as well as their customers and partners.
In the case of SolarWinds, the product that was targeted was the IT performance monitoring system called Orion, and it was probably chosen because as an IT monitoring system, it was not only widely deployed, but it also had privileged access to IT systems. This meant the attackers could obtain log and system performance data, and potentially access affected government and enterprise networks.
Hopefully, the SolarWinds supply chain will go a long way to changing the fact that most organizations have in the past underestimated cyber supply chain risks, even though cyber incidents can happen on any day, anywhere in a supply chain. As a result, cyber supply chain resilience management (C-SCRM) is essential for any business, and no business can afford to overlook it.
The risk of purchasing hardware and software with deliberately or accidentally built-in weaknesses looks higher than we expected. But it is not the only element of Supply Chain Risk. A supply chain can only be as strong as its weakest point. In a world where enterprises focus on what they can do best and add everything else through supply chains, it is more critical than ever to know these weak points and to limit the risks from them.
— Joerg Resch, KuppingerCole Co-Founder & Management Board Member
Because we understand how important cyber supply chain security is, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content in a variety of formats available.
Audio/video
To hear some of the comments, observations and recommendations by our analysts regarding the SolarWinds hack, listen to this analyst chat on Understanding the SolarWinds Incident and Recommended First Steps and on Post-SolarWinds Software Security Strategies.
The SolarWinds hack is also mentioned in this analyst chat on The Need For New Drivers to Improve Cybersecurity.
For a wider discussion on supply chain security, listen to this analyst chat on Applying The Zero Trust Principle To The Software Supply Chain to cover security for software in any form, whether it is developed in-house or externally procured.
In this video on Effective Cyber Supply Chain Risk Management (C-SCRM), Christopher Schütze, Cybersecurity Practice Director and Lead Analyst for KuppingerCole, details the essential components of such a strategy.
Research
Cyber supply chain resilience management (C-SCRM) is an important part of business resilience management. For more information on these two topics and how they are related, have a look at this KuppingCole insight on Business Resilience.
Advisories
Cyber supply chain security is linked to business resilience and therefore business continuity. For more on this topic, have a look at this Advisory Note on Business Continuity in the age of Cyber Attacks.
Blogs
Picking up the theme of Zero Trust in the context of cyber supply chain security, have a look at this blog post on The Next Level of Zero Trust: Software Security and Cyber Supply Chain Risk Management and this blog post entitled The Non-Zero Elements of Zero Trust, which discusses the zero trust approach to security in the context of the SolarWinds supply chain attack.
For some keen observations on the importance of C-SCRM, have a look at this blog post on Why C-SCRM Is Becoming so Essential for Your Digital Business.
Whitepapers
Underlining that cyber supply chain security is not only about hardware and software, but can involve individual components of these, such as the application program interfaces (APIs), upon which business interactions increasingly rely.
APIs have become a crucial factor in delivering operational efficiency, scalability and profitability for most businesses, and to read more about the context in which API security can be impacted by supply chain attacks, have a look at this Whitepaper on The Dark Side of the API Economy.
Webinars
The topic of the SolarWinds hack is referenced in this webinar on Effective Endpoint Security With Automatic Detection and Response Solutions and in this discussion on How Can Privileged Access Management Help Securing the Enterprise?
For a range of perspectives on the broader topic of supply chain security, choose from the following webinars:
- Digital Trust: Critical to Digital Business Success
- Are You Ready for Security Automation?
- Techniques for Securing Transactions With Identity Verification and Verifiable Claims
- Recruiting Customers, Suppliers and Even Competitors to Help Reduce Risk
Tech Investment
Organizations investing in technologies to improve cyber supply chain security can have a look at some of the related technology solutions that we have evaluated, starting with the Veracode Application Security Platform, which is a cloud-based application security testing platform for providing insights into software security risks.
Other supply chain related solutions we have evaluated, include: