The best practices for the best protection

With the right strategies, you can safeguard your supply chain from even the most sophisticated attackers.

There’s hope ahead

However dangerous, these troubling outcomes won’t keep you up at night if you employ the right practices.

The first thing you can do is take a hard look at what software you use, who your partners are, and how your data is shared. In our highly connected world this is often a tall order and requires prioritization based on your unique IT environment. Start by identifying and evaluating any data processors, SaaS services, and manufacturers you connect and interact with, focusing on those that directly access your most critical business systems and data.

Next, it’s important to assess the types of resources, security controls, and practices those third parties have in place – answering the question of how they protect your data. Understanding the connection points and security practices of the third parties you work with gives you a better lay of the land and a roadmap for how to build your defenses. Remember, security is a two-way street: If any connected entity is vulnerable, all their connected entities may be vulnerable as well.

In this way, many organizations elect to adopt a zero trust methodology to help defend against third-party risks. Using zero trust, you assume the network is already compromised, and can compartmentalize third parties off with the minimum user network access needed to perform their tasks. These presumptive elements of access management and network segmentation can greatly minimize the impact from a third-party breach and increase your overall cyber resiliency to third-party risks.

Work smarter, not harder

Manually reviewing application code is a monumental task, and often you can face issues when scaling. Additionally, code flaws need to be identified and prioritized. There are open source flaws that may not have a high exploitability rating. Knowing this, your organization should consider these best practices:

THREAT MODELING

During the design phase, think like an attacker. Consider how a threat actor might compromise your application and determine ways to mitigate those vulnerabilities before development starts. Specifically, make traceability in development and supply chain actions a focal point.

DEVELOPER TRAINING

Teach developers secure coding practices. Training should include joint exercises with the security team to ensure governance of the development cycle while supporting the overall development environment. Using secure training videos is one such option. There are also tools and vendors that can “gamify” the training process to make it more enjoyable for the development team. This includes:

Measuring the security and integrity of third-party code as well as scanning open-source code for vulnerabilities before putting it into your application.
Leveraging application security testing tools to find software defects while your applications are in development or in runtime. This includes fuzz testing.
Conducting continuous penetration tests on all applications and connected infrastructure to help you find and address vulnerabilities.
Monitoring your application in runtime as well as utilizing webapp firewalls and runtime self-protection. This helps you detect and block known or unknown payloads.

As you introduce these practices, do so with the goal of establishing a strong relationship between security and development teams. This will go a long way to support traceability and observability best practices.

Using the right resources

You also don’t have to undertake all these practices alone. Leading SHI partners like Okta understand the challenges of third-party risk and cyber resiliency. They can aid in simplifying the identity and access management processes by reducing complexity, providing strong access management, and monitoring across a broad range of technologies.

Additionally, proven endpoint solutions like SentinelOne’s Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) can provide an effective first line of defense, both in the detection and prevention of third-party risks. Its AI/ML looks for suspicious and abnormal activity and can halt attacks to your network, almost like a digital canary in a coalmine. Their Singularity Extended Detection and Response (XDR) solution likewise offers military-grade protection at incredibly fast speeds: the industry’s first and only cybersecurity autonomous technology. With innovative hackers entering the cybersphere every day, a partner at the cutting edge of technology can often be your only suitable response.

It’s also worth aligning to hallmark industry security standards such as NIST 800-53, 800-161, and CSF Framework. The National Institute of Standards and Technology maintains these frameworks in collaboration with outside technology partners and industry leaders. Each provides additional guidance and recommendations for addressing key areas of third-party and supply chain risks, making them your North Star for cyber resiliency.