Security Insights - Cybersecurity for Real-World Workplaces

Weak User Links in Supply Chain Cyber Attacks: How Security Teams Manage the Risk of Insecure Vendors and User Error

July 20, 2021 Ivanti Season 1 Episode 12

Host Adrian Vernon, Sr. Director of Product Management Chris Goettl, and VP of Security Daniel Spicer explore recent challenges concerning the rise in supply chain attacks.

The conversation includes:

  • How a supply chain can be attacked and why organizations should care
  • The reality of building systems using multiple off the shelf products and the importance of making sure those products and vendors are secure
  • Best practices around defending against supply chain attacks
  • The new cybersecurity executive order

  • For all show notes, resources and references, head to Ivanti.com/SecurityInsights
  • Join the conversation online on LinkedIn (linkedin.com/company/Ivanti)

Adrian: Well hi everyone, welcome to another edition of the Ivanti Insights podcast. I'm your host Adrian Vernon, and we have a special guest. I'm going to save that introduction until after this message for our sponsors. So last month in June, we had the Ivanti Solutions Summit that was held in early June, and we want to give a big shout out to the sponsors from that event: Clever Choice Si-Ware, Datasette, DRYiCE by HCL Technologies, Kifinti Solutions, Network Consulting Service, Prevolution and Qualcomm, for their support. Without their support, we could not have put on such a great event that was viewed by thousands of individuals worldwide, so a big thank you to those that I just named. Again, our usual co-host here in the house for Ivanti Insights is Chris Goettl, Senior Director of Product Management. Chris, on our end, we're looking ready to head into the weekend. This is going to air a few days later, but I hope you're looking forward to a good weekend there in Minnesota. We have a special guest joining us for the first time at Ivanti Insights.


Chris: Yeah, absolutely. So we're very excited this week, we get to have our very own Daniel Spicer, who is our VP of Security, joining us today, and Daniel is going to be helping us with a specific topic around some of the recent challenges that the industry has been seeing around supply chain attacks. One thing, Adrian, that I've been seeing a lot of since SolarWinds and a lot of the scrutiny around the industry about hey, how are vendors securing their code and their environments, and making sure that I'm safe as their customer? Well, we had another recent incident with Kaseya, and with that, in my role on the product side, I'm definitely seeing a change in the interactions that I'm having with companies that we do business with and the questions that they're driving. So it's been an interesting time.


Adrian: Yeah, I would say so, and Daniel, let me officially welcome you to your first appearance on Ivanti Insights, and we know for sure this won't be the last. As Chris mentioned, you're the Vice President of Security here at Ivanti, it's a pleasure to have you. Let's start with you, Daniel, because you're the guest, we're going to let you go first. Let's just start in general: what is a supply chain attack and why should organizations care?


Daniel: So first, thank you very much, I really appreciate you having me on the show and I'm looking forward to a good discussion. One of the things that we have to start coming to grips with is that as our solutions, our products, and our technologies and services become more complicated, it's not just a single product, right? We are making products that are an accumulation of other products; components that are open source. We have components that come from other companies and we kind of merge these together into single offerings. Then we sell those to companies who then use those as part of their supply chain for how they deliver their offerings. So there are really two components to the supply chain attack. One of the things that you see in Kaseya, for example, is how a service of a service has affected hundreds and hundreds of companies and organizations around the world. And then you have things like Codecov, where this actually affected product development and the building of solutions for a bunch of other software companies. And so there are really two ways to look at this supply chain issue.


Adrian: Chris, what would you add to that if anything, as we kind of kick off the topic? 


Chris: This is a challenge where companies need to be a lot more aware of not only the vendors that they're doing business with, but also who those vendors do business with; the components that those vendors are utilizing. One thing that is always prevalent in the technology space: with my development teams that I work with, we try to accelerate our ability to deliver new value to our customers by spending time on the things that we are the experts on. Where there's something that already exists in the market, why should I spend time with my developers to reinvent that? I want to use something off the shelf to be able to drive that level of value from somebody who's the expert in that, and be able to focus on the things that I can bring additional value for. So within a product of ours, we may be utilizing things like oh, hey, I'm running on a Windows OS, so I'm going to utilize Microsoft's crypto, which is already FIPS compliant. And then I don't have to become the expert on that type of encryption, get it certified with FIPS and do all of those things, I can stand on the shoulders of those who have already done that work. So you end up with this ecosystem of, to Daniel's point, open-source and other solutions that all come together underneath another vendor. And that vendor may be the thing that another company is using to serve up services; like in the case of Kaseya, you've got a product developed for MSPs that they provide as a service to their customers as well. So it becomes an ever more complicated ecosystem that companies are really starting to get more and more exposed to.

One of the things that's very important is understanding what are the right questions to ask? What are the right things to certify with each of the vendors that you're doing business with and the products that you interact with? Now as I say this, it's one of those things where me and my teams need to be diligent about those things. So we've got open source documentation about any components we're using like that. We need to be aware of what those are, make sure they're documented, and if there are any other binaries or development toolkits in there, make sure that we're keeping up to date with those as well. If they've got a security vulnerability, we need to address that within our solution, or every step down the line could be exposing more and more risk to each of those layers as we peel back how a product goes out and serves the market. So it's definitely a complicated topic, and one that I think a lot of companies are really starting to try to mature their processes around today.


Adrian: So Chris, if I understand correctly, I think you may be advocating that hey, you know what, times are changing, that's obvious, and enterprises should be rethinking how they engage with vendors. Is that accurate?


Chris: Absolutely. 


Adrian: And Daniel, along those lines, Chris talked about the questions that they might ask a vendor, but is just expanding your question list or reframing the questions that you ask vendors enough?


Daniel: Yeah, it's a good question, that's really the challenge, right? Part of our standard questions is certifications. We talk about ISO and SOC 2 and try to get the list of when they did their pen tests. A lot of these documents are definitely things that companies do because they're expected to do it as part of their compliance and part of the proof that they provide to us when I say why should I trust you as a vendor. And the challenge is a lot of times the practices don't actually match that documentation, and by the time you're realizing it, it's really too late, right? You're discovering that the practices don't match what's documented after you've already had an event or an issue, and so it's really hard to get a real grasp of what the actual practices are just by asking questions.


Adrian: So these supply chain attacks, they're on the rise as attacks; all the attacks that we see in cybersecurity are on the rise. So Chris, let's start with you: how can organizations start to do a better job defending against supply chain attacks?


Chris: Yeah, so I think a few things. One, and this isn't just because I'm a provider of a patch management solution. Now don't get me wrong, I am, and it's important, but we need to make sure that we're managing the software life cycle within any technologies in our environment. Make sure that your OSs are up to date, make sure that the applications that your users are using are up to date. There are a lot of technologies, though, that aren't just simply, hey, I can go patch this. Some of them require more complex upgrades and updates to be able to move that forward. You can't just go and apply a patch to a very complicated multi-part system. So keeping up with those types of processes and those types of applications, and making sure to understand the software life cycle of any of the applications or vendor tools running in your environment, is very important. That vendor, if they're doing their job, they're resolving issues, they're resolving security vulnerabilities, they're providing you updates on a regular cadence. If you aren't taking those changes in and implementing them, then you're still open to those risks, so that is one very important part of this. Another part of it is making sure that the vendors you're doing business with, and for those of you who are running your own internal development processes, what does the software development life cycle look like in each of those environments? This is something that we've actually taken a lot of time and effort to think through. At Ivanti, we reevaluate that software development life cycle on a regular basis and look to areas we can always improve on. So that's a very important part as a vendor, that we feel is our responsibility, and for other companies out there that are listening to this, you want to make sure that your vendors are implementing good software development lifecycle practices.


Adrian: Daniel, would you add anything to that on your best practice tips for how organizations can defend against supply chain attacks in the future? 


Daniel: Yeah, you can go into a rabbit hole for sure trying to evaluate a vendor, it's really difficult. I think one of the big things is definitely connect with your network. Try to talk to your peers, understand who has done well by you, who has not done well by you, and try to make sure that there's a little bit of cross sharing there. We're also looking into expanding some of our questions, especially when we're using software in our environment, to request things like what open source and third party products are actually built into the tools, and asking them to actually give me a copy of their threat model. And Chris knows this, talking about that software development life cycle, we have a really well-defined threat model that we make sure is updated for all of our products, to ensure that we understand how the security of the product is designed into the product, and then make sure that nothing gets broken. But you know, it's not even just software, you really have to be careful about your services as well, and it would be negligent not to talk about them. Any of your service providers who come in and have access to sensitive data, you really need to understand how they're taking care of their systems. If you have a third party connecting to your network, they're on your network. And so however they're taking care of their endpoint, how they're patching and antivirus and even anti-phishing, to make sure that they're not losing the credentials that they use into your environment. Really making sure that you have a good understanding of the vendor's security processes and plan, and not being afraid to ask them additional questions.


Adrian: And you started talking about a rabbit hole, Daniel; you and Chris warned me about this before we came on the air here. I'm going to throw it out anyway, just to get some quick thoughts, and we may need to follow up and do a dedicated episode for this. But back in May, President Biden signed an executive order aimed at improving cybersecurity. Now improving software supply chain security was included as part of this order, how does that impact things here? Is that something we can quickly dive into in a minute or so?


Daniel: I think that it goes back to making sure that you have that bill of materials for each of the software products you're providing, and making sure that you have good visibility into what the entire chain is of the product you're buying. Just remember that when you buy a software product, you're not just buying one software product, you're buying a product that has got a bunch of other products built into it, whether they be open source or third-party partners that you're OEMing with. So having that bill of materials was one of the really key things that I got out of the Biden directive specifically on supply chain.


Chris: I think the one thing that I really liked about it was how much more prescriptive this has been compared to a lot of guidance we've seen previously. Breaking it down into a couple of key areas, there was the importance around the software development life cycle, and there was the focus around shifting towards zero trust, which in general within any organization is good. We need to be more aware of what's trying to access our data. We're in a world where users and devices are much more difficult to keep track of; they're not just within our perimeter where we can control them anymore. So the prescriptive angle of the administration's executive order was probably the single biggest thing that I appreciated about it, compared to a lot of privacy and regulatory guidance that has come out over the years that's just been a little bit too vague and still leaves people trying to figure out what are the steps they should be taking. Two things specific to the supply chain topic today: one, make sure that you're taking this guidance and helping to drive a better vendor risk program within your organization and the vendors you do business with. Two, for those of you who are doing your own development internally, dig deeper into that software development life cycle and improve your own practices around that. Whether it's a product that you're developing for internal purposes only, or for external customers or services, those are two key areas relating to this topic today that I think everybody can get some additional value out of and refine or improve their own maturity in those areas.

Adrian: Chris, you talked about things being vague; vagueness coming out of Washington DC, that never happens, I mean come on.


Chris: Never, or any other regulatory body that has tried to put together a framework that tries to direct things, right? Yeah, absolutely.


Adrian: That's right. All right, we're winding down here, guys, so Daniel, we're going to toss it over to you as our first time guest: any final parting pearl of wisdom that we didn't hit upon yet in this broadcast?


Daniel: Yeah, again, maybe a separate conversation dedicated to this Biden directive. But if anyone listening hasn't already read it and really looked at it from a supply chain perspective, remember even if you are not a direct provider to a government agency, you are somewhere in that supply chain. And so you've got to remember that eventually that directive will roll down to you, so definitely take a look.


Adrian: Okay, Chris, your final parting shot.


Chris: I definitely agree with Daniel on that one, the world we live in is a lot smaller. The tools that we utilize ourselves or develop across the environment can be utilized in a variety of different ways. Whether you're directly under a federal umbrella or not, even from a global perspective, the guidance coming out of that administrative directive is definitely pushing in the right direction to try to get ahead of the cybersecurity challenges that we're seeing today.


Adrian: Okay, gentlemen, that's about all the time we have for today. Daniel Spicer, our VP of Security here at Ivanti, thank you for joining us for the first time, certainly not your last time here on Ivanti Insights. We look forward to more conversation with you. Chris, as always, a pleasure to sit next to you and do this podcast together, and we'll see you again in a couple of weeks. Until then folks, thanks for joining us, stay safe, be secure and keep smiling.