Today, an increasing reliance on third parties to perform a variety of operational business functions has generated growing demand for organizations to better understand the security postures of every vendor they engage with.
Cybersecurity is no longer limited to monitoring organizations’ internal security posture; they now need to understand and address the cyber risk posture of companies in their supply chains.
New guidance from the U.S. National Institute of Standards and Technology, published in response to the dramatic increase in software supply chain security incidents, recommends a variety of best practices to mitigate supply chain cyber risk.
Concerns were raised after recent cases of malicious actors continuously exploiting new and existing vulnerabilities in software, as well as in the security programs of IT and software providers, to gain unlawful access to customers and data. The increasingly common cadence of major incidents highlights the risks of software and software developers being compromised.
A Disproportionate Approach to Risk
Despite this, disproportionately little attention is given to risk across the third-party ecosystem. BlueVoyant’s threat intelligence reveals that the average time before new vulnerabilities are exploited is weeks, yet some attackers begin exploiting them much sooner. For this reason, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) now requires regulated government agencies to patch new vulnerabilities within two weeks, if not sooner.
Organizations, therefore, need a fundamental re-think of the problem. Traditional approaches such as questionnaires cannot provide the continuous monitoring that is critical to effective third-party cyber management programs.
Organizations must think about how they can identify those vulnerabilities and patch them faster than adversaries can exploit them. If they don’t, they are open to significant risk.
Adopting an approach of patching in days and minutes instead of months is the only way organizations can accelerate the remediation of supply chain vulnerabilities.
This sounds simple, but many organizations are still slow to patch, leaving them open to exploits. There are occasionally specific reasons why rapid patching cannot be achieved, but in those cases, risk visibility is the minimum requirement, enabling alternative mitigations to be implemented.
Quicker Patching: A Case in Point
On June 1, 2022, Atlassian was made aware of an actively exploited vulnerability in its Confluence Data Centre and Server, now classified as CVE-2022-26134. The critical vulnerability allows unauthenticated remote execution of arbitrary code on affected Confluence Server or Data Centre instances. The following day, Atlassian released a fix for the issue.
Following this, about 30% of vulnerable organizations had patched vulnerable instances within 10 days. However, according to our threat intelligence, the patch rate plateaued the following week, with 70% of vulnerable Confluence instances remaining exposed. Furthermore, 60% of all related global systems monitored by BlueVoyant were still unpatched six weeks after the patch was released.
This highlights one of the key third-party cyber risk challenges facing enterprises today – it is difficult to get vendors to rapidly remediate vulnerabilities, even if they represent a critical threat to organizations’ extended IT ecosystem.
How ROCs Can Help
A risk operations center (ROC) can continuously identify threats across extended vendor ecosystems, collaborating directly with clients and vendors on how to remediate and patch critical vulnerabilities. Combining a ROC with seasoned cybersecurity analysts shortens the time taken to remediate risks.
The result is a quicker response time and a significantly more efficient patching rate. With the Confluence fix, more than 50% of vulnerable instances in vendors served by a ROC were patched by June 8, five days after the fix was made available. Of all unique instances of originally vulnerable Confluence versions in client footprints seen on June 2, just 24% of total instances were still vulnerable by June 15.
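Tracking remediation the way the article does for the Confluence fix comes down to a few metrics over an inventory of vulnerable instances and their patch dates: the exposure curve at fixed day offsets (where a flat stretch is the plateau described above), the vendors still exposed past the two-week window CISA cites, and the mean time to patch. The following is an added example, not BlueVoyant's code; the vendor names, hostnames and patch dates in the sample inventory are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_RELEASED = date(2022, 6, 2)  # fix shipped June 2, 2022 (from the article)
SLA_DAYS = 14                       # CISA's two-week window cited in the article


@dataclass(frozen=True)
class Instance:
    vendor: str
    host: str
    patched_on: Optional[date]  # None means the instance is still exposed


def exposed_fraction(instances, as_of):
    """Share of originally vulnerable instances still unpatched on `as_of`."""
    exposed = sum(1 for i in instances if i.patched_on is None or i.patched_on > as_of)
    return exposed / len(instances)


def patch_curve(instances, day_offsets):
    """Exposure N days after the fix; a flat stretch is the plateau the article describes."""
    return [exposed_fraction(instances, PATCH_RELEASED + timedelta(days=d)) for d in day_offsets]


def sla_breaches(instances, as_of_day, sla_days=SLA_DAYS):
    """Hosts per vendor still exposed past the SLA; empty until the SLA deadline has passed."""
    if as_of_day < sla_days:
        return {}
    breached = {}
    for i in instances:
        if i.patched_on is None or (i.patched_on - PATCH_RELEASED).days > sla_days:
            breached.setdefault(i.vendor, []).append(i.host)
    return breached


def mean_days_to_patch(instances):
    """Mean remediation time over patched instances only; None if nothing was patched."""
    days = [(i.patched_on - PATCH_RELEASED).days for i in instances if i.patched_on is not None]
    return sum(days) / len(days) if days else None


# Constructed sample inventory (hypothetical vendors, hosts and dates, not BlueVoyant's data).
SAMPLE = [
    Instance("vendor-a", "conf-01", date(2022, 6, 3)),
    Instance("vendor-a", "conf-02", date(2022, 6, 5)),
    Instance("vendor-b", "conf-03", date(2022, 6, 10)),
    Instance("vendor-b", "conf-04", None),
    Instance("vendor-c", "conf-05", date(2022, 6, 20)),
    Instance("vendor-c", "conf-06", None),
    Instance("vendor-d", "conf-07", date(2022, 6, 4)),
    Instance("vendor-d", "conf-08", date(2022, 6, 30)),
]
```

Running `patch_curve(SAMPLE, [10, 14, 42])` on the sample gives the same shape the article reports: exposure unchanged between day 10 and day 14, then a slow decline by week six.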
Why Aren’t ROCs Used in Every Organization?
Many organizations prefer to utilize in-house resources to manage their supply chains. But herein lies the challenge. According to our research, the number of companies reporting supply chains of 1000-plus suppliers more than doubled in a 12-month period, making it increasingly difficult for internal teams to juggle day-to-day core activities with enforcing cybersecurity best practices across every supplier. This approach is not scalable, as businesses grow supply chains in the pursuit of operational resilience.
Organizations should question whether they have the resources to continuously monitor and triage third-party cyber risk. Furthermore, given the risk of burnout, will they be able to retain talent?
Organizations looking to drastically decrease their vendors’ mean time to remediate across growing supply chains should consider using a third-party managed service approach. Without this, businesses could suffer a cyber-attack. Therefore, a continuous, iterative approach is required to protect businesses from supply chain cyber incidents.
Companies must weigh the costs and benefits of building, staffing and managing their own program against those of using a managed risk service provider.