My name is Nicholas. Thanks for inviting me. Thanks to everybody who is attending physically, and a warm welcome to everybody who is online elsewhere. Thanks for watching and joining this session. So today Kok asked me to talk about cybersecurity and the software supply chain. And to be honest, this topic is quite interesting from several perspectives. So I have 20 minutes; let's go on this journey. So about myself: I'm a former hacker, still associated with the hacker community.
I like makers. I'm a nerd. I like everything which is related to security, disassembling systems, having a look at how they work, and as well I'm engaged, of course, in cybersecurity, running my own company with Ashwin, who takes care of the lifecycle of software in IoT products. And this is of course a very important topic. So first of all, let's go on a journey together, and we start with a preload, because I know many of you are from the IT industry. If you are a CSO, okay, you need to take care of what's going on out there.
But we know that there are as well a lot of people from the cybersecurity industry attending, and then for the preload I would like you to look at this picture. This is the shiny front.
And we, as a cybersecurity industry, are selling to CSOs and CEOs: everything's great, everything is nice, shiny, perfect.
I mean, that's just the way sales is working, and that's the promise we are giving. But we are all experienced people in this, in the IT industry. I mean, many of us... yesterday at dinner someone told me, "Oh, you know, remember the first time you got in touch with the internet," and blah, blah, blah. So we all know how it is working. And we know as well: maybe this shiny picture, it's a nice promise. But the reality is more like this.
I mean, even after a long history of IT, we are still fixing the stuff very roughly. And even if sales has told you this is a shiny building, sometimes what you get is this. And even for many cybersecurity suppliers, even their CEOs believe their product is this, but what their own team is building is this. So I think, as these are critical parts of the supply chain, we need to discuss the situation and how we can get to a better, yeah, risk mitigation and strategies to deal with that reality. So first of all, have a brief look at software supply chains, what they are.
I mean, like everybody... first of all, in the audience, if you're physically there, you can cover your eyes if you need to; otherwise, for the online people, go under your desk if it's too terrible. But first of all, we need to have a look: what are software supply chains? And I think the first issue that a lot of people were aware of with software supply chains was when we had this SolarWinds Orion stuff at the end of the year, because it was the first time for many people that they realized, oh, this is not only a problem for someone else.
This is a problem which is affecting me, even if I don't know that this supplier is somewhere in my software supply chain. And then there was a lot of research going on in large companies to find out what kind of products might be affected by this security incident. And it took a long time. And for many of them it was really a stress, because they had the problem in their product and they shipped this problem in their product towards their customers.
And by that, as we all know, it's maybe a global damage already, and we don't know what to do because the whole trouble is still not finished, but maybe it's a billion US dollars of global damage already, which has happened by that single incident, on all the risk mitigation. What is going on? So this was SolarWinds Orion. The problem is: hey, this was like the Mirai botnet in the IoT. This was the perfect template for a lot of people out there to understand that attacking the software supply chain is a very powerful tool.
So what we see now, after SolarWinds Orion, already this year, is that this type of attack has risen by about 650%. So obviously a lot of people out there on the attacker side have realized, well, this is a super powerful and valuable attack. And that's why this type and these forms of attacking are now rising in really tremendous numbers. So we need to take care of that. So what is the prehistory?
Well, the prehistory of software supply chains: they're not new. We already knew them.
I mean, some people maybe remember Stuxnet, which was a worm in 2010 and was written really particularly for a PLC, for an OT device, to, yeah, really perform a cyber attack on the Iranian nuclear program. We know as well, if you talk about equipment backdoors, that the first powerful equipment which was built and deployed to customers had already backdoors in there; there were always backdoors in equipment, for several reasons.
But in 2011 we were talking about Huawei. I mean, we had this discussion a lot with the 5G equipment, but keep in mind that Cisco and other providers as well have always had backdoor issues, for several reasons. So it seems to be that on the hardware level, on the software level, I mean, it's a long-standing problem. Then we had 2020 Equifax.
We had, again, some backdoors in routers. We had SolarWinds Orion. We had 2021 on the Azure cloud, a big vulnerability on the database. It was five years.
As far as we know, for five years the vulnerability could be used and exploited, which has exposed all the data which is stored in these cloud services. And now 2021, a very well-formed attack is going at the npm packages, trying to compromise systems which are built up on the regular frameworks we know. So it seems to be, well, a lot of things are going on there. So obviously the roof is on fire. The question is, why is the roof on fire? And if we know the why, we can discuss how we might resolve it.
So first of all, there are some things, and this is related to any software industry and as well to the cybersecurity software industry. One problem is nearshoring and offshoring. And this is, if we look into companies, now usually the way software is developed, even in the cybersecurity industry.
But do you really know what your offshoring or nearshoring partners and suppliers are implementing, not only from a quality perspective but as well really from the code level, from the code reviews? Are there backdoors in there, or not only vulnerabilities or exploits or bugs or whatever, have they really implemented stuff in a way which could afterwards be easily exploited, but not so easily detected by a code review?
And if you have a look at where offshoring and nearshoring is mainly done, Asia, Russia, Ukraine, I mean, these are as well all the states which are currently under heavy observation for the way how state-motivated cyber attacks are performed and carried out. So think about what your offshoring and nearshoring strategy is. Second, and this is related to our topic here, OT and IoT: we are increasing the product complexity, and even the product supply chain. I know really many vendors who are stepping into IoT and they're brilliant, for example, sensor construction companies.
And now they get a requirement from the customer to make the data available online and stuff like that. And then the first question is always like, oh, how do we get the sensors with the right connectivity into the internet?
Oh, for example, we need a wireless LAN module in there. We have no expertise on wireless LAN modules, so we will just source them from a vendor, a supplier. And mainly they are as well in Asia. And then if you ask what kind of software is running there, you'll find out, oh, there's a complete Linux service stack running on most of these modules. And there is less definition and less knowledge from the companies implementing that about what kind of Linux is really running on those modules, and whether there are backdoors in there.
And we have seen now many cases where they were just surprised that their wireless LAN module is just opening communication channels to servers which they never had an idea were existing. And this is really a problem. So because the complexity is increasing, and you can start from the module which is built into the hardware, but I mean, the chain is going through the cloud, through the app, whatever; there's a lot of complexity we need to control in chains. Third: industrial software development.
Every one of us knows agile. Who of us has worked in projects where the project team, or even the project manager team, said, well, let's do an MVP, a minimum viable product? Cool.
You know what MVP really stands for? It's not minimum viable product; it's maximum vulnerability potential. And exactly that's what an MVP is, because what we see is that from the MVP level, then going to the product level and so on, I mean, many things which have not been done right at the beginning were never fixed afterwards in the project. So we have to think a little bit about the way how we go into industrialized software production there. How do we deal with software off the shelf? How do we deal with all the dependencies we are using?
Because we are implementing libraries and frameworks. Hey, this is the fast way, the brief, fast way to build software: using libraries and frameworks. I know as well there's a big run on low code. Everybody now in the industry tells me, oh, we need to go to low code. Great.
Hey, think about all the dependencies you're creating by adding this complexity to your products and how to deal with them in the future. Fourth: wrong risk perception. Which of your suppliers, which of your components are really critical? And if you go the classical way, how you do risk perception, maybe this is leading you to the wrong tracks. If we take SolarWinds Orion, I mean, they did everything right in terms of how a risk manager or supplier manager of their customer is having a look at their company, and they have their audits in there.
They have the certificates, they're using the standards. It's all fine.
However, executing standards in the right manner, having the right behavior and the management: this is something which often goes terribly wrong in the phase in between the audits.
So, and by that, the risk perception may fail if you only do these hard checks on whether the standards are implemented and all the audit cycles are done and stuff like that. As well, it's rather interesting that you can find some suppliers which are only responsible for a small piece of the software, but they're heavily connected inside the industry to many other players, and they're completely below the radar of any risk management and risk monitoring. And this kind of supplier, software suppliers, are super valuable for the attackers. So it's rather important to change the perception as well.
The perception not only of how my risk management monitoring is working and how I can deal with it as a customer with my suppliers; it's as well changing the perception towards the attackers. What are the components and the suppliers with the most connections in the industry, which have the most used elements, like they're part of certain frameworks? And attackers are focusing on them, because then they're getting the whole amplification effect when they compromise such an element in the supply chain. So if everything's going terribly wrong, obviously it's going terribly wrong.
The question is how we get back control and how can we minimize risk in software supply chains? That's the big question. And to be honest, I'm not a prophet. I have no perfect answer on that because it's really a mess. I only can tell you, maybe there are some methods and some things we might use from our current existing tool sets. And by that, if we apply them correctly, we are getting back to the driver's seat and we are getting back control. Okay.
So first of all, as I said, it's important if we go to the risk management and the risk monitoring, on the question of what our critical suppliers are, that we are not forgetting audits. That's all good. We need to keep audits, but we need to implement as well other tools and another way of how we look at our suppliers. And one element is: see your suppliers in terms of what kind of relations they have in your software stacks. See it in the same way as a social graph: what are the elements with the most relations in software stacks?
What are these elements which are having critical connections? And you can model it really like a social graph. And then you will see, oh, certain elements in these big supplier networks which you never have recognized, they are really getting a weight from that perception. They have a heavy weight in your social risk network, and those suppliers you should carefully have a look at, implementing tools for how to monitor them in between the usual methods you're using, for example with audits and certificates.
Second, of course: observe and monitor. I mean, that's what we do, because the backdoors are not only the new normal; they have always existed. All we know is we are maybe more aware of backdoors because of all those public discussions on certain equipment in the enterprise, but they have always been there and they will not disappear, because the products are getting more and more complex. So the possibilities to implement backdoors are better than ever. So observe and monitor.
And if you go to observe and monitor, if you choose a vendor who is providing you the observing and monitoring software, don't forget to put him into your social graph risk analytics as well, to have a clear look at this vendor. Third: create software bills of materials. This is the only way we really have a possibility to get an idea of what's going on in terms of what kind of software is deployed on which devices, what kind of vulnerabilities are on which devices. And secondly, you can build relations again out of the software bill of materials.
And then, for example, you know that the critical software library or component is not only applied on a single device; this is maybe applied on 78% of all your devices. Oh, and then in terms of risk mitigation and risk management, you know, oh, this component is maybe really super critical, going again to this social graph idea. And last but not least, as I said, review your outsourcing. I think maybe we have done this too much in the past, driven by the economic reasons that this is a super opportunity for cost savings.
But however, it seems to be that we need to have a look at how much outsourcing activity we really should ship outside the companies and what we can get back, because this is really the best way to control what's going on. And by that, thank you very much. Thanks for your attention. And I'm looking forward to your questions.
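The "social graph" and software-bill-of-materials ideas from the talk above, as an added example that is not part of the speaker's material or any product of his company: each device's SBOM is reduced to a mapping of component to direct dependencies (a simplification, not a CycloneDX or SPDX parser), the graph across all SBOMs is built, and every component is weighted by the share of devices that contain it and by how many other components depend on it. The device names, component names and the list of vulnerable components are constructed for the example.

```python
"""Rank supply-chain components by how widely they are shared across SBOMs.

Added example, not from the talk. Each SBOM is modelled as a mapping
component -> [direct dependencies]. A component's weight comes from
(a) the fraction of devices whose SBOM contains it and (b) the number of
distinct components that depend on it, which is the "social graph" view of
suppliers described in the talk. All data below is constructed.
"""
from collections import defaultdict

# Constructed SBOMs for four hypothetical products: device -> component -> deps.
# Components that only appear as a dependency (e.g. liblog) are still counted.
SBOMS = {
    "sensor-gw-a": {
        "gw-app": ["wifi-module-fw", "libtls"],
        "wifi-module-fw": ["busybox-shell", "liblog"],
        "libtls": ["liblog"],
    },
    "sensor-gw-b": {
        "gw-app": ["wifi-module-fw", "libtls"],
        "wifi-module-fw": ["busybox-shell", "liblog"],
        "libtls": ["liblog"],
    },
    "cloud-agent": {
        "agent": ["libtls", "json-parser"],
        "libtls": ["liblog"],
    },
    "mobile-app": {
        "app": ["json-parser", "analytics-sdk"],
        "analytics-sdk": ["json-parser"],
    },
}

# Constructed: components currently flagged by vulnerability monitoring.
VULNERABLE = frozenset({"libtls"})


def components_of(sbom):
    """All component names in one SBOM: declared components plus every dependency."""
    names = set(sbom)
    for deps in sbom.values():
        names.update(deps)
    return names


def build_graph(sboms):
    """Return (devices_per_component, dependents_per_component) over all SBOMs."""
    device_count = defaultdict(int)
    dependents = defaultdict(set)
    for sbom in sboms.values():
        for name in components_of(sbom):
            device_count[name] += 1
        for component, deps in sbom.items():
            for dep in deps:
                dependents[dep].add(component)
    return device_count, dependents


def prevalence(sboms, component):
    """Fraction of devices whose SBOM contains the component."""
    device_count, _ = build_graph(sboms)
    return device_count[component] / len(sboms)


def devices_with(sboms, component):
    """Devices that ship the component (the 'is it on 78% of devices?' question)."""
    return sorted(d for d, s in sboms.items() if component in components_of(s))


def rank_components(sboms, vulnerable=frozenset()):
    """Rank components: most widespread first, then most depended-upon.

    Each row is (name, prevalence, dependent_count, is_vulnerable).
    """
    device_count, dependents = build_graph(sboms)
    rows = [
        (name, count / len(sboms), len(dependents[name]), name in vulnerable)
        for name, count in device_count.items()
    ]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


def exposure(sboms, vulnerable):
    """Map each vulnerable component to the devices it actually reaches."""
    hits = {c: devices_with(sboms, c) for c in sorted(vulnerable)}
    return {c: devs for c, devs in hits.items() if devs}


if __name__ == "__main__":
    for name, prev, deps, vuln in rank_components(SBOMS, VULNERABLE):
        flag = "  <-- vulnerable" if vuln else ""
        print(f"{name:16} on {prev:5.0%} of devices, {deps} dependents{flag}")
    print("exposure:", exposure(SBOMS, VULNERABLE))
```

With the constructed data, liblog and libtls sit on 75% of devices with two dependents each, so they rank above json-parser even though json-parser has more dependents; a monitoring vendor added to the fleet would be entered into the same structure so that it is weighted like any other supplier.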