“You’re in the supply chain whether you like it or not.”
These were sentiments shared by Jack Hamm, principal engineer at Gigamon, and Katie Moussouris, CEO at Luta Security at Black Hat 2017 today.
Speaking in a session titled ‘Cyber Risks and Supply Chain Failures: Whether to Zig or Zag’, Hamm and Moussouris explored the challenges of securing the supply chain and the threats it poses, arguing that it impacts us all, whether through dealing with vast numbers of suppliers and partners or simply by the fact that you carry a smartphone.
“You carry around a little supply chain in your pocket,” said Moussouris. “You choose every time you delay a patch: you are part of supply chain security and you actively participate in it, no matter what.”
However, warned Hamm, the problem is that raising the standard of security best practices across your company's supply chain is very difficult.
“From a security operations standpoint,” Hamm said, “it’s really hard [to secure the supply chain]. You’re going to have to look at a lot of data collection, a lot of data processing, a lot of aggregation and you’re going to have to pull a lot of signals out of a lot of noise. This is just going to get harder, and even if you do figure out how to secure your supply chain there are problems like NotPetya which originated in the supply chain.”
Moussouris added that any compromise in your supply chain has the potential to affect the end security of the consumer, the user, the device and so on.
In an attempt to tackle the problem, Hamm explained that, at Gigamon, he has tried to implement a shift from forensic response to real-time monitoring, something he has dubbed ‘The New Security Model: The Defender Lifecycle’. The key here, he continued, is using machines to fight machines: we need to stop pitting humans against the attackers' machines and instead use automation to fix the asymmetry between attackers and defenders.
“Being ready for multi-party vulnerability coordination means being ready for the next ‘Heartbleed’, it means being ready for the next time you have to apply a critical update to your phone,” Moussouris said. “There needs to be an acceptance you will have to respond to this on some level, either as an IR practitioner yourself or as someone who sits in the supply chain. You can’t wait until the next big event that you will have to respond to in order to prepare; automation is certainly the key to doing it at scale.”