Managing Software Supply Chain Risk Starts With Visibility
Tanium’s Tim Morris explains why continuous visibility is a prerequisite for effective software supply chain security
There were over 20,000 common vulnerabilities and exposures (CVEs) published in the National Vulnerability Database (NVD) last year. That’s up 10% from 2020 and represents a new all-time high for the fifth year in a row. Managing the cyber risks associated with these bugs would be a challenge at the best of times. But it’s getting even harder as organizations build out their digital investments and accelerate home-grown software projects.
As Tanium technology strategist Tim Morris explains in a new video, the key to managing this spiraling supply chain complexity – and defending against software supply chain attacks – is to gain complete visibility into what’s running and then the control to fix any issues.
What is software supply chain management?
Supply chains are an essential conduit to produce the products we consume every day. Whether it’s a new pair of jeans or a bottle of Aspirin, there’ll be a list of ingredients or materials provided by suppliers. On its face, software is no different. Software is assembled from base components, and those components are built by the multiple developers, teams and companies that make up the software supply chain. But unlike most manufactured goods, the organizations using software are unlikely to have a handy list of ingredients provided by their vendors.
In fact, software supply chains are becoming more complex as more DevOps teams look to build products in-house using third-party open-source code. While this accelerates time-to-value, it creates added opacity and could open the organization to additional risk. Just look at the Log4j utility. When bugs are hidden in “Russian dolls” of compressed files, it becomes harder to find and fix CVEs across the environment when they come to light.
All of this is a magnet for threat actors. Open-source code has greatly expanded the corporate attack surface, adding more opportunities for them to both exploit known bugs in code and even inject new ones into code libraries. That’s not all. Attackers are also ramping up efforts to compromise trusted proprietary software. For example, this is what was done with SolarWinds.
Supply chain security starts with seeing the components within components
All of this is happening on the endpoint, making this the new frontline in the battle against cyber risk. The challenge is that today’s security teams need not only to understand what applications are running across these endpoints at all times, but also what components are used inside these apps. What if there’s a hidden bug in one of these components, for example? Or if the component itself has been misconfigured and is now at risk of compromise?
This is also taking place in the context of an endpoint environment that has grown considerably since pre-pandemic days. Thanks to an explosion in remote working devices and cloud investments, the attack surface has never been broader. And the bad guys need only get lucky once.
Time for action
So what does best practice risk management look like for the software supply chain? It comes down to the essential cyber-hygiene principles: know, manage, secure. Organizations can’t secure what they don’t manage, and they can’t manage what they don’t know. The first step is visibility into what’s running through comprehensive asset inventory and configuration management.
Tanium helps by delivering this insight continually at speed and scale, allowing teams to ask questions of their environment, drill down into the contents of applications, and take immediate action if something isn’t right. This comprehensive visibility also supports the kind of real-time incident response that just isn’t possible with tools like extended detection and response (XDR). If the bad guys are working in seconds and minutes, we can’t afford to respond to incidents days later.
Get a comprehensive view of your risk posture with our no-cost risk assessment. Request your risk report today.