LAB2-R12: Optimize Your Supply Chain Cyber Security
Post-Conference Summary
Allan Thomson
Jamison M. Day, Ph.D.

Table of Contents
- Introduction
- Supply Chain Cyber Security Trends
  o Outsourcing Increases Threat Surface Area
  o Increase in Use of Supply Chain Partner Threat Vector
  o Scarce Resources for Internal Detection and Defense
  o Recently Publicized Supply Chain Cyber Incidents
- Cyber Security in Supplier Selection Efforts
  o Supplier Selection: Cyber Security Best Practices
  o Vendor & Service Provider Contracts: Cyber Security Best Practices
- Supply Chain Cyber Strategy Matrix: 4 Quadrants
  o Recommended Threat Management Activities for All Quadrants
  o Quadrant I Maturity & Access
  o Quadrant II Maturity & Access
  o Quadrant III Maturity & Access
  o Quadrant IV Maturity & Access
- Metrics for Supply Chain Cyber Security
Introduction

Thank you for spending some of your valuable time at RSA Conference 2017 attending our Learning Lab, Optimize Your Supply Chain Cyber Security. There were so many great sessions, and your participation in our Lab means a lot to us. We hope you found it as engaging and educational as we did, and that your Lab interactions provided some valuable ideas to take back to your organization.

This summary is designed to recap the concepts we discussed together during the Learning Lab. The issues relating to supply chain management and cyber security are complex and varied, and two hours was barely enough time to scratch the surface. We both felt that many people contributed key insights that will help mature cyber security awareness and overall enterprise security posture vis-à-vis supply chain partners. Both of us were glad to see such enthusiastic and insightful participation from this Lab's participants.

If you have any follow-up questions on our lab, please feel free to contact us directly. Thank you.

Allan Thomson
Jamison M. Day, Ph.D.
Supply Chain Cyber Security Trends

Outsourcing Increases Threat Surface Area
- Supports focus on core competencies
- Extends information system endpoints beyond the organization's cyber defense perimeter
- Hackers are increasingly exploiting this

Increase in Use of Supply Chain Partner Threat Vector
- Up 22% from 2014 to 2015
  o (http://www.pwc.com/us/en/cfodirect/issues/cyber-security/information-security-survey.html)
- 80% of breaches originate in the supply chain
  o (http://blogs.rsa.com/the-growing-need-to-manage-third-party-and-vendor-risk/)

Scarce Resources for Internal Detection and Defense
- 79% of U.S. companies lack the tools & resources for effective internal cyber security
  o (http://trust.brandprotect.com/download-ponemon-executive-study)
- Monitoring the extended information supply chain presents an even greater burden
- Efficient allocation of cyber security resources often requires triage decisions
Recently Publicized Supply Chain Cyber Incidents

COGENT HEALTHCARE BREACH (2013)
(http://www.healthcarebusinesstech.com/vendor-mistake-causes-data-breach/)
- Transcription provider stored notes on a website
- Failure to activate a firewall left patients' personal information exposed

AT&T BREACH (2014)
(http://www.itbusinessedge.com/blogs/data-security/att-breach-by-vendor-awakens-new-insider-threat-concerns.html)
- Employees at a service provider violated privacy & security guidelines
- Accessed accounts to obtain codes that unlock phones for sale in other markets

GOODWILL BREACH (2014)
(https://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/)
- Retail POS vendor compromised by malicious hackers
- Installation of infostealer.rawpos malware (undetectable until Sep 5, 2014)
- Affected more than 330 Goodwill locations for over 18 months
- Allowed theft of customer credit card information

TARGET BREACH (2013)
(https://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/)
- External defenses were found to be robust at detecting and blocking attacks
- Heating & air conditioning provider compromised by malware (via email)
- Target VPN credentials obtained
- Poor network segmentation allowed access to every POS register in every store
- Password policies not being enforced/followed
- Default passwords in some internal systems
- Services/systems missing critical security patches
- Vulnerability scanning program in place, but no or slow remediation was taken

U.S. OFFICE OF PERSONNEL MANAGEMENT (2014)
(https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/ & https://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/)
- Background check providers hacked by Chinese attackers; stolen credentials used to access OPM
- Exploited an enterprise management software vulnerability
- Loaded keystroke logging malware on workstations of database administrators
- Exfiltration included background investigation, personnel and fingerprint data
- OPM lacked:
  o Comprehensive cyber asset inventory
  o Vulnerability scanning program
  o Multi-factor authentication
  o Visibility on network traffic
Cyber Security in Supplier Selection Efforts

Supplier Selection: Cyber Security Best Practices

CYBER ASSET INVENTORY
Obtain a list of IPs, CIDRs, ASNs, etc. being used by the company. If they do not know what assets need protection, they are unlikely to be very secure.

CYBER SECURITY CERTIFICATIONS
Review any certification documentation to assess cyber security assurance practices
  o ISO 27001
  o Cyber Essentials
  o PCI compliance (where applicable)

3RD PARTY RISK ASSESSMENT
Examine company practices for
  o Security patches
  o Spam & malicious email
  o Employee cyber security training
  o Access control permissions
  o Intrusion detection
  o Equipment (clear chain of custody / firmware validation)
  o Network architecture
  o Brand security

PENETRATION TESTING
Have a 3rd party perform a penetration test. Examine the corrective actions taken after previous tests and after presenting the results of the current test.

THREAT INTELLIGENCE RESEARCH
Analyze available intel from
  o Threat intelligence feeds
  o Vulnerability scans (e.g. Nessus)
  o Domain reputation monitoring
  o Content in social media, dark web, forums, chat channels, Pastebin, etc.

BUILD CYBER SECURITY TEAM RELATIONSHIP
Initiate direct communication between your cyber security teams to assess threat management maturity.

Vendor & Service Provider Contracts: Cyber Security Best Practices
Consider requiring:
  o Cyber security insurance
  o Rapid notification of any breach
  o Collaboration in cyber defense activities
Supply Chain Cyber Strategy Matrix: 4 Quadrants

Each of your supply chain partners is different; some require access to sensitive systems or data while others don't, and some have strong approaches to managing cyber security while others struggle. The following matrix provides a generalized framework for allocating your cyber security resources among a diverse range of supply chain partners.

Our session also discussed the importance of supply chain partner criticality, that is, the importance of a supply chain partner and/or the lack of alternatives to it. In these cases, it may be appropriate to elevate the level of threat management effort.
Recommended Threat Management Activities for All Quadrants

For every partner, regardless of what quadrant they are in, your company should employ automated and passive defense solutions (which do not require continuous activity to keep in place) whenever possible, to reduce the manual effort required from your cyber security team.

UNIQUE VPN KEYS / SEGMENTED DMZS
Since every partner is a potential attack vector, be sure to use segmented demilitarized zones (DMZs) and unique VPN keys for each partner. Not only does this allow for more tailored management across a variety of attack surfaces, but it appropriately quarantines any critical threat arising from one organization without affecting the others' ability to interact with your company. Deliberating for days or weeks on how to deal with a threat after learning about one gives attackers time to gain a greater foothold in your networks and/or exfiltrate more information. Therefore, determine in advance what situations justify cutting off vendor access, and set up the processes for doing so.

FIREWALLS / ANTI-MALWARE / ANTI-VIRUS / INTRUSION DETECTION SYSTEMS / INTRUSION PREVENTION SYSTEMS / ADVANCED AUTHENTICATION
The proper use of firewalls, anti-malware, anti-virus, intrusion detection systems, intrusion prevention systems, and multi-factor authentication requires little ongoing effort and provides a significant increase in security.

3RD PARTY THREAT MONITORING
The cyber asset inventory obtained during supplier selection should provide a list of IP ranges and domain names that can be monitored with alerts. As threat intelligence feeds report significant indicators of compromise associated with those addresses, your cyber security team can contact the affected partner to ask how they are responding to the security vulnerability (which, through their access, is also your own), how they are going to address the issue, and what improvements they plan to make.
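The 3rd party threat monitoring step above is, mechanically, a match of incoming threat-intel indicators against each partner's inventoried IP ranges and domains. The following Python is an added example (not code from the Lab or from LookingGlass) of that matching, with a minimum-confidence triage threshold and per-partner grouping so each affected partner gets one outreach; the partner names, CIDRs, domains and feed entries are constructed sample values.

```python
import ipaddress

# Constructed sample data: per-partner cyber asset inventory (IP ranges and
# domains) as gathered during supplier selection. Placeholder values only.
PARTNER_INVENTORY = {
    "hvac-vendor": {"cidrs": ["203.0.113.0/24"], "domains": ["hvac-vendor.example"]},
    "pos-vendor": {"cidrs": ["198.51.100.0/25", "2001:db8:10::/48"],
                   "domains": ["pos-vendor.example"]},
}

# Constructed threat-intel feed entries: indicator, type, confidence (0-100), note.
FEED = [
    {"indicator": "203.0.113.45", "type": "ip", "confidence": 90, "note": "C2 beaconing"},
    {"indicator": "198.51.100.200", "type": "ip", "confidence": 80, "note": "scanner"},
    {"indicator": "mail.pos-vendor.example", "type": "domain", "confidence": 70, "note": "phishing sender"},
    {"indicator": "2001:db8:10::beef", "type": "ip", "confidence": 30, "note": "low-confidence sighting"},
    {"indicator": "unrelated.example", "type": "domain", "confidence": 95, "note": "malware host"},
]


def domain_in_scope(indicator, asset_domain):
    """True if the indicator is the asset domain or one of its subdomains.
    Matching on a dot boundary stops 'evil-pos-vendor.example' matching 'pos-vendor.example'."""
    ind = indicator.lower().rstrip(".")
    dom = asset_domain.lower().rstrip(".")
    return ind == dom or ind.endswith("." + dom)


def match_indicators(feed, inventory, min_confidence=50):
    """Return one alert per (feed entry, partner asset) hit, in feed order."""
    networks = {p: [ipaddress.ip_network(c, strict=False) for c in inv["cidrs"]]
                for p, inv in inventory.items()}
    alerts = []
    for entry in feed:
        if entry["confidence"] < min_confidence:
            continue  # triage: low-confidence sightings do not justify a partner call
        for partner, inv in inventory.items():
            hit = None
            if entry["type"] == "ip":
                try:
                    addr = ipaddress.ip_address(entry["indicator"])
                except ValueError:
                    break  # malformed indicator; skip it for every partner
                hit = next((str(n) for n in networks[partner]
                            if addr.version == n.version and addr in n), None)
            elif entry["type"] == "domain":
                hit = next((d for d in inv["domains"]
                            if domain_in_scope(entry["indicator"], d)), None)
            if hit:
                alerts.append({"partner": partner, "indicator": entry["indicator"],
                               "asset": hit, "confidence": entry["confidence"],
                               "note": entry["note"]})
    return alerts


def alerts_by_partner(alerts):
    """Group indicators by partner so each partner receives a single outreach."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["partner"], []).append(a["indicator"])
    return grouped


if __name__ == "__main__":
    for partner, hits in alerts_by_partner(match_indicators(FEED, PARTNER_INVENTORY)).items():
        print(f"contact {partner}: {', '.join(hits)}")
```

Note that 198.51.100.200 produces no alert because it falls outside the /25 in the inventory, which is why the inventory should be kept precise rather than padded to whole /24s.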
Quadrant I Maturity & Access
Risk: Lowest
Actions:
  o Assess more often than contract renewal
  o Ensure sound cyber security practices are maintained
Relationship:
  o Preferably establish direct ties between security operations center teams (if willing)
  o Otherwise, via ISAC/ISAO

Quadrant II Maturity & Access
Risk: Moderate
Actions:
  o Regular sharing of suspicious activity, IOCs, threat intel
  o Engage for response and remediation
  o Joint red team and penetration testing efforts
Relationship:
  o Most valuable supply chain cyber security allies
  o Strong regular connection between security operations center teams
  o Leverage cooperation and collaboration whenever possible

Quadrant III Maturity & Access
Risk: Moderate
Actions:
  o Regular vulnerability scans (e.g. Nessus)
  o Monitor access and use
Relationship:
  o Communicate when unsafe practices are identified
  o Encourage awareness of the need for cyber security

Quadrant IV Maturity & Access
Risk: Highest
Actions:
  o Enforce stringent access policies
  o Remain alert for indications of unauthorized activity
  o Employ active defense techniques (network activity monitoring, behavioral analysis, APT defense)
  o Pre-define policies and procedures for quickly severing access
Relationship:
  o Ensure your cyber security team is involved in vendor performance reviews
  o Regularly update your understanding of threat risk & weigh it against the value obtained from the vendor
Metrics for Supply Chain Cyber Security

Unfortunately, coordinating supply chain management and cyber security management is often difficult, and traditional organizational incentive structures are not helping. Supply chain organizations typically evaluate performance based on total cost savings, while the value of cyber security efforts is seldom understood until there is an incident. However, as information-related supply chain interactions continue to expand the surface area subject to cyber threat beyond controlled organizational boundaries, this coordination is increasingly important.

Our discussion suggested that developing valuation metrics for cyber security that can inform total cost of ownership (TCO) may provide the missing link for incentivizing inter-departmental activities that enhance supply chain cyber security. Even simple estimates of expected value (likelihood * estimated impact) could provide a useful starting point for evolving the relationship, as well as a better understanding of the return on investment from cyber security efforts.
SESSION ID: LAB2-R12
Optimize Your Supply Chain Cyber Security

Jamison M. Day, Ph.D.
Principal Data Scientist, LookingGlass Cyber Solutions
@jamisonday

Allan Thomson
CTO, LookingGlass Cyber Solutions
@tweet_a_t
Chatham House Rules Participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.
In Supply Chains, Success & Security are Interdependent
- Outsourcing and strategic partnerships allow your organization to focus on improving its core competencies
- As others provide supporting functions necessary to your business, you extend information system endpoints outside your own defense perimeter
- Hackers not only know this, they are exploiting it!

Important Breach Trends
- Up to 80% of breaches now originate in the supply chain
  o Howarth, Fran. The Growing Need to Manage Third Party and Vendor Risk. RSA Blog, Mar 31, 2015.
- Cyber incidents involving business partners up 22% from 2014 to 2015
  o PWC: 2017 Global State of Information Security
Recent Vendor-Originating Cyber Incidents
DISCUSSION: Your Nightmare Scenarios
- Summarize your top three (3) supply chain cyber incident nightmare scenarios
  o Consider financial performance, brand reputation and customer loyalty
- Estimate your organization's expected financial loss from each scenario

Streamlining Your Supply Chain Cyber Security
- Monitoring your extended supply chain's information systems is an additional burden
- 79% of U.S. companies lack the resources & tools for internal detection and defense
  o Ponemon Institute 2016 External Threats Report
- For efficient allocation of cyber security resources, triage effort based on partners'
  o Access to sensitive systems/data
  o Cyber security maturity

Contracts Don't Guarantee Cyber Security
- Each new supply chain partner increases your organization's attack surface area
- Integrating cyber security into your supply contracts does not make you safe!
- Each day presents new opportunities for threat actors
- Cyber security teams must efficiently allocate limited resources
Cyber Security in Supplier Selection Practices
- Cyber asset inventory
- Cyber security certifications
  o ISO 27001
  o Cyber Essentials
  o PCI compliance (where applicable)
- 3rd party risk assessment - examine practices for:
  o Security patches
  o Spam & malicious email
  o Employee cyber security training
  o Access control permissions
  o Intrusion detection
  o Equipment
  o Network architecture
  o Brand security
- 3rd party penetration testing
  o Examine corrective actions taken
- Threat intelligence research
  o Threat intelligence feeds
  o Vulnerability scans (e.g. Nessus)
  o Domain reputation monitoring
  o Content in online channels: forums, Pastebin, dark web, social media, etc.
- Build a relationship with the supplier's cyber security team
- Contractually require cyber security insurance, rapid notification of any breach, and collaboration in cyber defense activities

Discussion: Supply Chain Partner Cyber Security Evaluation
- What steps does your company take to evaluate the cyber risk associated with candidate supply chain partners?
- How and when is your cyber security team made aware of new supply chain partners?
- How might you alter the supplier selection practices at your organization to enhance its cyber security?
LookingGlass Supply Chain Cyber Strategy Matrix
(slide figure, rendered as text; vertical axis: Cyber Maturity / Trust in Partner, annotated "Encourage All Partners Towards Cyber Maturity"; horizontal axis: Partner Access / Impact to Company Systems / Data, annotated "Outsourcing Drives Greater Need for Access")

  Cyber Maturity / Trust in Partner
  ^
  |  I. Periodic Assessment     |  II. Collaborative
  |-----------------------------+---------------------
  |  III. Continuous Monitoring |  IV. 3rd Party
  +---------------------------------------------------> Partner Access / Impact to Company Systems / Data

Exercise: Supply Chain Partner Classification
- Identify several of your organization's supply chain partners
- Categorize each of them into one of the four quadrants (I. Periodic Assessment, II. Collaborative, III. Continuous Monitoring, IV. 3rd Party)
- Try to identify at least three within each quadrant
- Discuss the characteristics of at least 4 different partners and why you feel they should be categorized in the quadrant you placed them in.
Actions for All Quadrants (I, II, III, IV)
- Automated & passive defense solutions
  o Unique VPN keys & segmented DMZs for each partner: allows tailored management & provides rapid quarantine capability
  o Firewalls
  o Anti-malware
  o Anti-virus
  o Advanced authentication
  o Intrusion detection systems
  o Intrusion prevention systems
  o 3rd party threat monitoring: a great way to encourage cyber maturity
- Rate and discuss your organization's maturity in applying each of these cyber security solutions
- Does your organization use any other supply chain cyber defense solutions for securing itself from all partners?
- What steps could your organization take to enhance its ability to use all of these solutions?
Quadrant I: Periodic Assessment
For your supply chain partners in Quadrant I:
- How does your organization ensure supply chain cyber security with these partners?
- What kind of cyber security-focused relationships do you maintain with these partners?
- What steps could your organization take to improve supply chain cyber security with these partners?

Periodic Assessment Profile
Risk: Lowest
Actions:
- Assess more often than contract renewal
- Ensure sound cyber security practices are maintained
Relationship:
- Preferably establish direct ties between security operations center teams (if willing)
- Otherwise, via ISAC/ISAO
Quadrant II: Collaborative
For your supply chain partners in Quadrant II:
- How does your organization ensure supply chain cyber security with these partners?
- What kind of cyber security-focused relationships do you maintain with these partners?
- What steps could your organization take to improve supply chain cyber security with these partners?

Collaborative Profile
Risk: Moderate
Actions:
- Regular sharing of suspicious activity, IOCs, threat intel
- Engage for response and remediation
- Joint red-team and penetration testing efforts
Relationship:
- Most valuable supply chain cyber security allies
- Strong regular connection between security operations center teams
- Leverage cooperation and collaboration whenever possible
Quadrant III: Continuous Monitoring
For your supply chain partners in Quadrant III:
- How does your organization ensure supply chain cyber security with these partners?
- What kind of cyber security-focused relationships do you maintain with these partners?
- What steps could your organization take to improve supply chain cyber security with these partners?

Continuous Monitoring Profile
Risk: Moderate
Actions:
- Regular vulnerability scans (e.g. Nessus)
- Monitor access and use
Relationship:
- Communicate when unsafe practices are identified
- Encourage awareness of the need for cyber security
Quadrant IV: 3rd Party
For your supply chain partners in Quadrant IV:
- How does your organization ensure supply chain cyber security with these partners?
- What kind of cyber security-focused relationships do you maintain with these partners?
- What steps could your organization take to improve supply chain cyber security with these partners?

3rd Party Profile
Risk: Highest
Actions:
- Enforce stringent access policies
- Remain alert for indications of unauthorized activity
- Employ active defense techniques (network activity monitoring, behavioral analysis, APT defense)
- Pre-define policies and procedures for quickly severing access
Relationship:
- Ensure your cyber security team is involved in vendor performance reviews
- Regularly update your understanding of threat risk & weigh it against the value obtained from the vendor
Exercise: Supply Chain Cyber Security Metrics
- How does your company measure the value of supply chain cyber security?
- How might your company improve these metrics?
- Review your list of potential organization improvements
  o Which of these are most likely and least likely to provide a good return on investment?

Discussion: Conclusions
- What were the most valuable insights that surfaced during this session?
- How do you hope to change the supply chain and cyber security practices in your organization?

Apply
- What actions will you take within the next 3 weeks?
- What actions will you take within the next 3 months?
Go Ahead Connect Your Organization. SAFELY!!!