Supply Chain Security: What You Need to Know - Part 1: On Being a Sausage Expert

All technology has a supply chain, from the meatiest servers and cloud instances to the most humble security camera. This is because supply chains make things far easier, more efficient, and cost-effective when it comes to the technology we buy. Virtually all code, whether local or in the cloud, open-source or not, software or firmware, is the result of complex supply chains. 

Instead of a single vendor building everything from scratch, highly complex systems are broken into component parts or tasks and handled by specialists. The whole ecosystem works based on abstraction and specialization. An enterprise doesn’t need to know how the sausage is made for their laptops; they just buy them and use them to do their work. Likewise, the laptop vendor doesn’t need to know the details of building an SSD or a network controller from scratch. Instead, they can find a supplier with the right combination of features, quality, and cost and move on. Similarly, developers don’t have to reinvent the wheel with every project but can pull from an open-source project or just use an API. Those open-source packages, likewise, have dependencies that they automatically pull. Every layer is designed so that someone or something can consume the value of the technology without having to worry about the details upstream. This is 100% by design and a feature, not a bug. 

Saying the Quiet Part Out Loud About the Supply Chain

Of course, when it comes to security, you do have to worry about how the sausage is made. Every step in the process can (and increasingly does) introduce vulnerabilities and threats. A supplier three steps away could make a mistake when writing their code and create an inescapable vulnerability. A developer could pull from an outdated, vulnerable package. A vendor could be compromised by an external actor and have malicious code planted in their valid code a la the Solar Winds supply chain attack. A supplier or sub supplier could be knowingly or intentionally under the control of an unfriendly government and do the same.

And this is the rub. For a cybersecurity world that has widely embraced the ethos of Zero Trust, virtually all of our technology is built on a foundation of implied trust. Each product is a nested doll of trust between suppliers, sub-suppliers, OEMs, resellers, and ultimately consumers. It’s true of all code, and managing this risk is critical for any organization that doesn’t want to be blindsided by the next Sunburst, Log4shell, BootHole, Heartbleed, or hundreds of others. 

Supply Chain Security Joins the Chat

However, the answer simply cannot be for every entity (enterprise, manufacturer, developer, etc) to become an expert on every aspect of their supply chain. That would defeat the whole purpose of why technology abstraction is good in the first place. Enterprises need an affordable laptop that works so that they can run a business, not traverse nine rings of manufacturing hell to understand how a laptop was built. Not to mention, a laptop or server isn’t even a single supply chain – it’s dozens of supply chains. It’s a sweater of supply chains that you’d need to unravel. Likewise, developers need to be able to connect to an API or pull from an open-source project and move on. Asking the consumer to unravel the whole process that makes technology practical and affordable is not the answer. 

However, this is exactly what a supply chain security tool does. It has the super-deep domain expertise to automatically unravel the sweater and go N layers deep if need be. Unlike traditional vulnerability or threat detection tools, it can dig down to every layer of a product from applications, to the OS, to the chipset, to the firmware running in the smallest components. 

Knowing What is Good

In addition to looking for what’s bad, a capable supply chain security tool will also proactively verify the good. It will maintain an encyclopedic knowledge of the code that should be in a product at virtually every level. This cuts across asset types (e.g. laptops, servers, networking gear, operating systems, applications, etc) as well as the many manufacturers and individual models of gear. This makes it possible, not to just selectively look for mistakes, but proactively verify the integrity of each component.

These tools are also able to audit a product as a whole to make sure all the many components and protections are working together. To revisit our previous sweater analogy, this is akin to not only making sure that all the fibers are strong, but that the whole sweater is properly constructed and doesn’t have any holes or loose seams. This is actually a tremendously complex task when it comes to technology. A final product relies on dozens of elements, protections, and settings from OS vendors, chipset vendors, application vendors, and OEMs all working together. A small mistake along the way, and even the most hardened Secured-core device can be left defenseless.

Being Operationally Proactive

But most importantly, a supply chain security tool can make this work simple and automated. Instead of trusting their vendor or trusting that what the SBOM says actually matches what’s in the product, a quick scan can proactively assess the asset and tell if there is a problem and, if so, how to fix it. 

This can be done by procurement teams when evaluating prospective products and vendors. It can be done by IT teams when new products are delivered or when new updates are applied. It can be done by vulnerability management to see if newly discovered supply chain vulnerabilities are putting the organization at risk. They can be done by threat hunters to see if the integrity of any of their assets has been compromised. Instead of requiring tons of new expertise, organizations can add simple scans to the workflows and processes that are already working.

Parting Thoughts

Ultimately enterprises are in the business of using technology, not deconstructing it. It isn’t your job to do a code review of every arcane element in the business. However, all of that code is your risk. Real-world risks are coming through this door in the enterprise. It’s not your business, but it has to be your business to safeguard against that risk. And that is what supply chain security tools can do for you.