New Year’s Resolution: Get Control Over Your Supply Chain Security


A steady stream of high profile supply chain vulnerabilities and attacks has pushed supply chain security to the top of many organizations’ 2023 to-do lists. Executive leaders, IT teams, and security teams need to know for sure that the technology that they rely on is genuine, unaltered, and free from threats and vulnerabilities. Yet, while these organizations know that they should be doing something, it is not always clear exactly what that is, or even whose responsibility it is. 

This is because supply chain security forces organizations to look at their risk in somewhat new ways. Naturally, we still care about the basics of vulnerabilities and threats. However, the root causes of supply chain risks often stem from outside entities that are not directly under an enterprise’s control such as their technology vendors, suppliers, service providers and their many upstream sub-suppliers. Technology no longer starts with a clean slate – teams must be able to take any new product or software update and roll back the clock to independently verify the integrity and posture of that product. 

And like many new year’s resolutions, even the best intentions will quickly founder without a solid plan. The good news is that NIST has provided the needed plan for supply chain security in the form of Special Publication 800-161. This document spells out the unique challenges of supply chain risks and how to build a comprehensive security program to address them. Our new whitepaper, A NIST Blueprint for Securing Digital Supply Chains (PDF), provides added detail to help organizations put this plan into action. The paper walks through the key points of SP 800-161 and highlights specifically how modern tools can make supply chain security proactive, simple, and automated.

Specifically, readers will learn:

  • How to Solve the Problem of Information Asymmetry – Enterprises typically can’t see behind the curtain to know how suppliers actually build and develop their products, and even if they could, buyers can’t be expected to be experts on every product that they buy. Learn how simple scans can level the playing field and allow organizations to proactively verify the integrity of their products and uncover hidden vulnerabilities or misconfigurations.
  • How to Use SBOMs to Hold Suppliers Accountable – Organizations are increasingly requiring their suppliers to provide detailed Software Bills of Materials (SBOMs) that spell out exactly what code is contained within their products. An SBOM is a great start, but it is only valuable if an organization can actually verify that the delivered product matches what is in the SBOM. Learn how to easily audit vendor SBOMs and ensure that the SBOM covers all critical code, all the way down to the firmware.
  • How to Take an Organization-Wide Approach to Supply Chain Security – Supply chain security is bigger than a single task or job role. It includes the processes for how organizations evaluate and procure new products, how IT teams provision new assets for service, and how those assets are operationally maintained and secured over time. Learn the key roles and responsibilities required for strong supply chain security including executive leaders, business and mission leaders, and operational staff.

These are just some of the ways that organizations can start to make their supply chain security efforts more tangible and effective. So, we encourage you to take a few minutes and review the paper or reach out to the team at info@eclypsium.com to learn more.