Recently LORCA (the London Office for Rapid Cyber-Security Advancement) and Deloitte conducted a round-table with leading CISOs to understand the impact Covid-19 has had on their day-to-day security operations. The main points raised by this session are publicly available, and we've included them here.
One of the main things flagged by this report is:
"There’s a clear need for data-driven, unbiased risk assessment platforms... ensuring that solutions allow organisations to quickly assess, onboard and monitor new suppliers while providing actionable, real-time insights that support agile supply chain management."
In this blog post we want to focus on one of those issues and discuss how it relates to DevSecOps and the Uleska Platform.
The report highlights the CISOs’ concern that ...
"organisations have managed disruptions in their supply chain by sourcing and onboarding new suppliers – sometimes overnight – without completing cyber risk assurance assessments"
... which introduces a good deal of immediate and long-term risk to the organisation. To put this into context, let's remember that supply chains, or 3rd parties, can account for over 50% of breaches. That could be 3rd party software (think BA or Equifax) or vendors (think Target or Facebook). The number of 3rd party vendors with access to sensitive data is growing, with surveys a few years ago estimating an average of 450+ 3rd party vendors for large organisations.
Assuring the security of 3rd party elements in your organisation is important. You need to protect the data, and assets, wherever they may be. That's why organisations have security policies and technical requirements (often based on OWASP or NIST standards) to protect that data. This is the worry being raised by CISOs - consistent protection of data assets is required, yet during events like Covid-19, business pressures may mean 3rd parties can't be assured effectively.
The report goes on to say CISOs ...
"noted that initial risk assessments are often based on a vendor’s own self-report, which could be biased and unreliable."
There's no consistent security testing methodology. When faced with a new vendor who has a security report - who did the testing for them? What experience do they have? What tooling did they use? What scope of testing did they perform? Security test reports tend to list the issues found rather than describe the range of testing that was performed. Say your security policy requires that any web pages with financial/billing data are not cached (see the recent Twitter security issue) - did the vendor's security test include this check? If the report doesn't say so, how can you ensure your data will be secure and aligned with your security policy while it resides with the vendor?
This situation comes about, like many things, due to time and budget constraints.
Many organisations will have security teams, and security tooling, but when security assurance processes require manual steps there will always be delays, and not everything can be covered. With 450 vendors to check, even if it took 2 days and £1,000 for each check, that's still 900 days (4 full-time people) and £450,000 in cost, to check other people's systems. And that's just one check.
"these situations highlighted the importance of being able to assess a vendor’s cyber health continually and not just when they’re onboarded."
Systems change, and it can be hard to keep track of every vendor's updates, so your checks need to be repeated often; doing that manually is simply not feasible or cost-effective.
When there's too much to do, and not enough resources to do it, many organisations have turned to automation. One example of this is the UK NCSC's WebCheck - which helps Central Government, Local Government, Emergency Services and the National Health Service to perform simple security checks on their websites and assets. Whilst these checks are not designed to be extensive (at the technical level), they allow consistent and automated assurance of partner websites, without burning time and money.
Can industry organisations do the same thing? This is where we believe DevSecOps orchestration provides an answer.
If manually checking 450+ 3rd party web interfaces is prohibitive, onboarding those 450+ vendor sites onto a DevSecOps platform that automates security checks relevant to the organisation’s security policy makes sense.
The report goes on to mention some services that can monitor the health of vendors, but ...
"these solutions weren’t suited to agile supply chain management because they lack features that support quick decision-making when onboarding a new supplier. For instance, an unbiased, up-to-date risk assessment doesn’t tell the organisation whether that supplier’s cybersecurity posture fits with their current risk appetite."
... and this is important. If your organisation's security policy requires that your data is protected using certain authentication requirements, encryption, cloud configurations, etc., then you want to assure that 3rd parties comply, whether they were onboarded 5 minutes ago or 2 years ago. As long as they're handling your sensitive data, you want continual assurance of compliance with your own security policies. As your security policies update due to the changing cyber and tech landscape, remember that those policies can sometimes change quicker than you can re-check all your vendors.
In this manner a DevSecOps platform allows your tech team to set up the security checks and controls that match your security policy. These technical checks are then automatically run against vendors at the necessary cadence. This is like the NCSC's WebCheck, but specific to your security policy and your 3rd parties.
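To make the idea concrete, here is an added example (not code from the original post, and not the Uleska Platform's own implementation) of what one such policy-driven check looks like when written down: the "financial/billing pages must not be cached" requirement mentioned earlier, alongside a second control requiring HSTS, evaluated against a list of vendor endpoints. The vendor names, URLs, captured response headers and the one-year HSTS threshold are all constructed assumptions so the script runs offline; in a real pipeline the headers would come from an HTTP client fetching each endpoint on a schedule.

```python
"""Policy-driven assurance checks run over a list of vendor endpoints.

Added example with constructed sample data; the vendors, URLs, headers and
policy thresholds below are assumptions, not real vendors or a real policy.
"""
from dataclasses import dataclass


@dataclass
class VendorEndpoint:
    vendor: str
    url: str
    handles_sensitive_data: bool  # e.g. a billing or account page
    headers: dict                 # captured response headers, any letter case


def _lower_headers(headers):
    """Header names are case-insensitive, so normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def parse_directives(value):
    """Turn 'no-store, max-age=0' or 'max-age=3600; includeSubDomains'
    into a lowercase name -> value map (value is '' for bare directives)."""
    out = {}
    for part in value.replace(";", ",").split(","):
        name, _, val = part.strip().lower().partition("=")
        if name:
            out[name] = val.strip()
    return out


def check_sensitive_not_cached(ep):
    """SP-01: pages carrying financial/billing data must be served with
    Cache-Control: no-store. Returns None when the control does not apply."""
    if not ep.handles_sensitive_data:
        return None
    cc = parse_directives(_lower_headers(ep.headers).get("cache-control", ""))
    return "no-store" in cc


MIN_HSTS_MAX_AGE = 31536000  # one year in seconds; assumed policy threshold


def check_hsts(ep):
    """SP-02: endpoints must send Strict-Transport-Security with a max-age
    of at least MIN_HSTS_MAX_AGE."""
    hsts = _lower_headers(ep.headers).get("strict-transport-security")
    if hsts is None:
        return False
    directives = parse_directives(hsts)
    try:
        return int(directives.get("max-age", "0")) >= MIN_HSTS_MAX_AGE
    except ValueError:
        return False  # malformed max-age counts as a failure


# The organisation's policy, expressed as (control id, description, check).
POLICY = [
    ("SP-01", "sensitive pages must not be cached", check_sensitive_not_cached),
    ("SP-02", "HSTS with max-age of at least one year", check_hsts),
]


def assess(ep):
    """Return (compliant, failed_control_ids) for a single endpoint.
    A check returning None is 'not applicable' and never fails."""
    failed = [cid for cid, _, check in POLICY if check(ep) is False]
    return (not failed, failed)


def assess_all(endpoints):
    """Map each vendor to the control ids it failed across all its endpoints."""
    report = {}
    for ep in endpoints:
        _, failed = assess(ep)
        report.setdefault(ep.vendor, []).extend(failed)
    return report


# Constructed sample data standing in for headers captured on a schedule.
SAMPLE_ENDPOINTS = [
    VendorEndpoint("vendor-a", "https://billing.vendor-a.example/invoices", True,
                   {"Cache-Control": "no-store, private",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    VendorEndpoint("vendor-b", "https://portal.vendor-b.example/account", True,
                   {"Cache-Control": "public, max-age=3600"}),
    VendorEndpoint("vendor-c", "https://www.vendor-c.example/", False,
                   {"cache-control": "public, max-age=600",
                    "strict-transport-security": "max-age=300"}),
]


if __name__ == "__main__":
    for vendor, failed in assess_all(SAMPLE_ENDPOINTS).items():
        status = "PASS" if not failed else "FAIL " + ", ".join(failed)
        print(f"{vendor}: {status}")
```

Each control is a small function returning pass, fail or "not applicable", so adding a new policy requirement means adding one function and one line to POLICY; the same list can then be re-run against every vendor whenever the policy changes, which is the cadence problem the post describes.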
With 3-click onboarding of vendors, when situations such as Covid-19 occur and you need to onboard a lot of new vendors quickly, you can handle the automatable checks quickly and consistently, giving you more assurance of the safety of your data without slowing you or your security teams down.