Do you all remember the infamous SolarWinds attack that occurred some time ago? That kind of Cyberattack was deemed to be what is known as a “Supply Chain” attack. No, it has nothing to do with UPS or FedEx; the aim here is that the Cyberattacker uses just one point of entry to infect literally thousands of victims with malware, ransomware, Trojan Horses, etc.
In the case of SolarWinds, the attacking group exploited a vulnerability found in one of the tools that was used to distribute software updates and patches to all of its clients.
In response to this, there have been many calls in the Cyber industry for some sort of guidance or framework that will help prevent this same kind of threat vector from happening again.
As a result, a Cyber based organization known as MITRE (this is the same group that came out with the well-known “ATT&CK” framework, a complete knowledge base of known threat vectors and their corresponding signatures, which can also be used to create threat models for the future) has come out with a new framework that should help curtail Supply Chain attacks. It is called the “System of Trust”, also known as “SoT” for short. Within it also comes a new tool called the “Risk Model Manager” (RMM). It was actually first released at the RSA conference last year, and the details of it can be seen at the link below:
https://www.darkreading.com/application-security/mitre-creates-framework-for-supply-chain-security
The actual RMM tool will be formally announced at the RSA conference that is set for this year. More information about this is right here:
The actual SoT platform is hosted entirely on AWS, and it deals with 14 Cyber risk areas, which include the following:
*The financial information and data of the third-party vendor.
*The kind of Cyber practices that are enforced and followed.
*Any other risks that should be taken into account.
Of course, this is not the complete list of 14 areas, but those mentioned above are some of the key areas of focus for this new framework. It should be noted that while any vendor can use this framework (at least this is my understanding of it so far), one of its main objectives is also to help vet third-party vendors, as businesses continue to outsource their processes to others for handling.
In turn, once a company has decided upon a third-party vendor, this framework can also be used to ascertain how that vendor uses its own software packages to distribute services to clients. At the present time, some 40+ vendors are working with MITRE to help get it ready for widespread adoption on a global scale. Some of these include the following:
*Microsoft
*BlackBerry
*CISA
*Cisco
*Dell Technologies
*Intel
*Mastercard
*NASA
*Raytheon
*Schneider Electric
*Siemens
*The Open Group
These above-mentioned heavy hitters are fine-tuning the SoT framework by inputting various kinds and types of data into a scoring algorithm, and from there determining the Cyber advantages as well as the weaknesses that a third-party vendor may have in its systems. These companies are also testing the SoT framework for their own internal uses.
Eventually, MITRE’s main intention is to offer this framework as an open-source project, so that businesses can fit and mold it to their own security requirements.
It should also be noted that MITRE came out with a newer framework, called the “D3FEND” model, which is used by many organizations today to take an honest assessment of their own security posture. More information about this can be seen at the link below:
https://www.darkreading.com/endpoint/d3fend-framework-seeks-to-lay-foundation-for-cyber-defense
My Thoughts On This:
One of the primary differences between the SoT and the other frameworks created by MITRE is that this one is much more holistic in nature. In other words, it does not look at a specific component or Cyberattacker; rather, the entire set of IT and Cyber practices of a potential third-party vendor comes under the microscope for very minute scrutiny.
Probably one of the biggest obstacles for the SoT framework is that it is still so new that widespread adoption of it has not yet picked up. But it is expected that this will change for the positive as the big-name companies start to adopt it themselves.
But I have one caveat here. Any company can adopt all of the frameworks that it wants to (and there are hundreds of them), but none of it means anything until the framework has been adopted in full use and practice. There are organizations out there that still only use them partially.
But also remember that frameworks can only go so far. In the end, true Cybersecurity comes down to employees and their ability to report suspicious behavior to the higher-ups in a confidential manner. In this regard, employees should never be regarded as the weakest link in your chain. They are the strongest, and should be treated as such.