CarahCast: Podcasts on Technology in the Public Sector

Securing the Supply Chain with IronNet Cybersecurity

Episode Summary

In the end, any IT system is only as secure as its various components. Federal, state, and local agencies have learned that the hard way, as software platform and application providers have been hacked as a way to get into government systems. The Executive Order on Improving the Nation's Cybersecurity issued by the White House in May dedicates Section 4 to the topic of enhancing the security of the software supply chain.

Episode Transcription

Speaker 1: On behalf of FedInsider and Carahsoft, we would like to welcome you to our mini-series, Headlines in Cybersecurity, which aims to translate the year's hot-button cybersecurity news stories into actionable steps state and local governments can take to protect themselves from attacks and recover when disaster strikes. Today's podcast, brought to you by IronNet Cybersecurity, is focused around supply chain hacks. Journalist John Breeden will moderate as Matthew Butkovic, Technical Director of Cyber Risk and Resilience at the Carnegie Mellon Software Engineering Institute, and Joel Bork, Senior Threat Hunter at IronNet, explain how supply chain hacks happen and the measures governments can take to mitigate them.

John Breeden: And hello, everybody. Thank you so much for joining us today. I'm John Breeden, and I will be moderating what I know will be a lively and interesting discussion about the critical topic of securing the supply chain. Until recently, the supply chain, which consists of all the various vendors and third parties that an agency or an organization works with, has been almost kind of overlooked in terms of cybersecurity. And the attackers have taken notice, using that supply chain to launch sometimes very devastating attacks. We will talk about how to prevent that from happening today. So it's both a critical and a highly technical topic, but have no fear, because we have two of the world's leading experts in this field to help cover everything for us. So let me introduce both of them and then we can get started. So first, I wanted to extend a warm welcome to Matthew Butkovic, the Technical Director for Cyber Risk and Resilience at the Carnegie Mellon Software Engineering Institute. Matthew, it's an honor to have you with us today.

Matthew Butkovic: Hello, John. Great to be here. Thanks for having me. 

John Breeden: And I am also proud to welcome Joel Bork, the Senior Threat Hunter with IronNet Cybersecurity. Joel, thank you so much for taking the time to talk with us about this important topic.

Joel Bork: Yeah, thanks so much for having me. It's a pleasure to be here.

John Breeden: So thank you both, again, for being here. I definitely want to dive into this topic. But both of you have such impressive backgrounds and credentials, I thought we should first let the audience get to know you a little bit better. And then we can dive into the dark heart of supply chain attacks and things like that. So Matthew, let's begin with you on this. Can you tell us a little bit about your background, and your responsibilities as the Technical Director for Cyber Risk and Resilience at the Carnegie Mellon Software Engineering Institute?

Matthew Butkovic: Yeah, thanks, John. So in the CERT Division here at the Software Engineering Institute, we tackle a variety of cyber topics and challenges. My directorate focuses on determining the cybersecurity posture of organizations. What I mean by that is looking at the operational resilience, which includes supply chain. So how good are you in relation to a given set of criteria? How good are you, or how secure or resilient are you, in relation to the threats that you face? I've been in supply chain, especially, for quite some time here. I joined CMU about 10 years ago. Prior to that I worked in manufacturing and banking, where I was facing supply chain issues in a very practical way over and over again. So this topic is certainly one that I feel is a little underrepresented in cyber, but that's changing, thanks to the attention being brought to it by recent incidents. I'm sure Joel will elaborate on the technical means by which we will be exploited in the supply chain. My work has largely focused on the concepts that underpin that. Think of the models and frameworks that allow you to measure, in a rigorous way, your cybersecurity posture.

John Breeden: Excellent. And thank you, Matthew, I believe you're correct, that this is kind of an underrepresented area. I'm really glad that we're focusing a show on it today to kind of bring that to the forefront for folks. And Joel, we also appreciate you being with us here today. Can you tell us a little bit about how you became the Senior Threat Hunter with IronNet Cybersecurity?

Joel Bork: Yeah, absolutely. So thank you, once again, for having me. It's a pleasure to be here. I started out doing FedRAMP assessments, so really penetration testing cloud service providers, right? Think everybody from G Suite all the way to a number of other smaller cloud service providers who offer services in the cloud. So this was a great segue into cybersecurity, where I really was digging into what are the attack vectors I can use to compromise these cloud environments. When I moved over to IronNet, I had the opportunity to move over to their threat hunting team. And so from there, I began threat hunting in organizations around the world, from critical infrastructure to finance to now organizations all over the globe. And it's been fantastic helping lead that hunt-forward capability here at IronNet. And then I also do consulting services with IronNet, right, in regards to the work and services that we provide. So it's been a pleasure. I absolutely love what I do, helping people from that technical aspect.

John Breeden: Oh, great. Well, thank you, Joel. And I know being a threat hunter is a really cool job; you have to think like a hacker and really understand the network and the technology. It's very impressive. So it really is an honor for me to have you on the show today. Thanks for being here. And thank you both for sharing your very impressive backgrounds. So many of our audience today are tuning in from state and local governments, where they are dealing with the challenges associated with securing their supply chain. So we'll see if we can offer them some good advice and help during today's show. So let us begin by level setting the situation for our audience. Today, we hear a lot about the dangers associated with supply chain management. And some of the recent headlines certainly show what can happen when an attacker compromises the supply chain in some way. But I think, as Matthew kind of mentioned, even after all of that, it's still a little bit of a murky area for a lot of people and not really well defined. So Matthew, before the show, you and I were talking a little bit about some of the supply chain news headlines. And you pointed out that even some of the most recent high profile breaches, like what happened with the SolarWinds software, is actually only one small example of the kinds of supply chain issues that agencies should be considering. Can you explain some of the areas that encompass the overall supply chain security strategy?

Matthew Butkovic: Certainly, John. So the supply chain is an expansive topic or category of something. So if you think about the list of items and the list of services you procure from the outside, even for a smaller organization, it's a rather lengthy list. So think about all the software you own or all the software you access, your cloud service providers, all the hardware you purchase. All of this is part of the supply chain. And the thing that unifies, the silver thread that connects all of these supply chain elements, in my mind, is trust. What I mean is the trust you place in the devices, the software, the services that you allow to enter your enterprise. So whether you're a large organization or a small organization, at a very basic level, you've made the decision that this device, the software, the service is trustworthy. Therefore, I'm permitting it to interact with my organization. And really, it's that misplaced trust, or that broken trust, that leads to cybersecurity incidents, events such as some of the recent headlines involving SolarWinds. You mentioned SolarWinds. Joel, we were talking earlier about how SolarWinds as a class of attack, that is, exploiting the software development supply chain or cycle, isn't new. I mean, arguably, SolarWinds is the most shocking example we've had. But I think back to incidents like Havex and Dragonfly, where the energy sector, specifically the control systems software vendors, were found to be, sorry, they had been exploited by an adversary. The adversary was successful in violating the trust of the software update process, and the SolarWinds attack is much the same. And what I mean by all that is, all of this is essentially variations on the theme, that theme being that you can't have a defense that allows you to evaluate every line of code, every device, at a fine-grained level. Therefore you make risk-informed decisions about the services and the products that you use. And you're going to find, in time, that there are lapses in the security that those vendors extend or provide to those products.

John Breeden: That makes a lot of sense. And I'm sure we'll be getting into that later on in the show as well. So Joel, in a little bit, you're going to be talking about taking us through kind of a real attack example on the supply chain, so we can kind of understand how that happens. But for now, can you describe in general terms how an agency or an organization can be breached through their supply chain? I mean, how does it basically happen? And how do they get in through a vendor? I mean, it's kind of a kind of a hard concept to think about.

Joel Bork: Yeah, absolutely. So we're gonna address this from a number of different angles, right. And I think the last US Secretary of State, Mike Pompeo, said it really well. He said, distrust and verify. Right, so when you're doing third party vendor assessment, hey, you have to distrust and then go about verifying that they're following the proper security procedure, right. But this doesn't just apply to your third party vendors in your supply chain, right. It also applies to the subcontractors you've hired on to do work for you. What accesses have you given them? What accesses do they tell you that they have? And then distrust that, and then go validate it, right, and verify all they have access to. Right, so everything from the Target hack, right, where it came through the HVAC vendor, to the Kaseya ransomware, where, using that software update, they were able to deploy ransomware, then to SolarWinds, where they were able to basically install a backdoor DLL into over 18,000 organizations. So once again, as you can tell from just a 30-second description of supply chain attacks, it varies an extremely large amount. So hopefully that answered the question, but I'm really looking forward to digging deeper with you.

John Breeden: No, absolutely. Thank you. And, Joel, I'll ask you this real quick, because I thought it was a good question. One of the things that needs to be considered is not only your subcontractors, but also your subcontractors' subcontractors.

Joel Bork: Yeah, no, that's a great question. And you know, we'll touch on this a little more later, as well. But I'd love to address that now, which is, look, how much visibility do you have into your subcontractors today? And I know IronNet is sponsoring this, and so I'm going to keep away from kind of the salesy side of what we do at IronNet, but we're looking to bring a collective defense perspective into your supply chain, into those you work with. And it's something that is difficult, right? Because when we talk about sharing of data, there's this stigma behind it that is hard to overcome. Right? So how do you do that in an anonymous way where you can still gain visibility into what are the things that are impacting your supply chain, and know the risks that that poses to you? Like, that's a difficult problem to solve. And so does third party vendor management really check the box? Is that fully comprehensive? And the answer's no. How do we grow? How do we build security products alongside the people we work with and connect these organizations in a way that we can share and correlate the threats hitting us both? And that's some of the problems that IronNet is looking to address.

John Breeden: Excellent. Well, thank you. As you both have mentioned, given how broad the supply chain category is, it seems like the prevailing wisdom that is really emerging in terms of defending it is that agencies need to focus on two areas, both prevention and then resilience. So Matthew, looking at supply chain security as kind of a two-step process, it seems to me like it's a lot like how experts said they should deal with ransomware, where you should have really good protection up front, but then you also really need a plan to recover should the worst happen. Could you explain why resilience is so critical in terms of supply chain security?

Matthew Butkovic: Yeah, certainly, John. So I think you've hit it right on the head. There's two pieces to this. There's keeping assets out of harm's way. And then there's preparing for response, once those assets have been affected by some negative event, a cyber-attack in this case, right? So you've got to strike a balance between what you invest in prevention and what you invest in recovery, or resilience. Doing one without the other really isn't sufficient. You can't build the walls high enough or dig the moat deep enough to truly prevent all cyber-attacks. Right. That's the truth of it. So you need to ensure you're doing all the things that are necessary, but ultimately probably not sufficient, to fully secure your organization, which means anticipate the worst case scenario, anticipate when the incident happens, and then preposition the capabilities you need. What I mean by that is, if you think about a breach situation that is the result of a supply chain compromise, how does that affect the critical services? The things the organization does? The critical assets? Maybe that could be data or intellectual property. And then recovering from it: how long can we sustain a degraded mode of operation before things that are truly detrimental will happen to us? So it's striking a balance with a dose of realism, which is bad things happen, and bad things happen to the supply chain, and bad things happen to the supply chain in organizations just like your own, right, which is uncomfortable, but true. I just want to build on the question about the subcontractors of contractors, what they call the fourth party problem. And I think it kind of speaks to two things that are really important in the prevention and resilience context. There is no outsourcing of risk, right? I would argue that in the supply chain, the best you can do is a transference, but never a full transference.
So what we're striving for, and I believe Joel used the term, is having adequate visibility in the supply chain to allow us to make risk-informed decisions about our defenses and also about our recovery and response capabilities.

John Breeden: Makes sense. And thank you, Matthew, for addressing that question, as well. And Joel, as a threat hunter, you get to study how attackers can get around security and also what tools techniques and services are the most effective in halting them. Can you help our audience today by maybe talking about some of the best practices that they should consider for preventing attacks on their supply chain? Now we're kind of looking at that prevention side of the equation.

Joel Bork: Yeah. And that's really where a lot of the cybersecurity folks are, like, what can we do to reduce the risk, to help implement security practices? I think Matt hit it on the head, like, how do we increase visibility? Because you can't defend what you can't see. Right? So you have to have that SOC visibility triad completed, right? And what is the SOC visibility triad? Well, it's having EDR, so endpoint detection and response. It's having your SIEMs, so you're aggregating the logs of the things core to your organization. And then the third pillar of that is network detection and response. Right, and we'll talk about some of that more in the SolarWinds example, and why each of those pieces are important. But what this really boils down to is that first question on this slide, which is, why is resilience so important? Because it's defense in depth, right? What is the real problem we're having in cybersecurity? And some people would say the false positive issue, right? But is that really the biggest problem? Because in my opinion, I'd much rather have two alerts about something than zero, right? So why is resilience so important? Why is building defense in depth so important? Because we have to build that defense in depth to gain that visibility, so that we can respond. So what are a few things in the supply chain best practices that we can implement? Well, it's that third party vendor management, right? How many times has... and this is why having a cybersecurity team is so important, right. And I know there's some state and local governments where it's like, I'm not thinking of to have my own. What's really fantastic in this vertical is that we're seeing organizations where peers come together and work together to build out cybersecurity practices, right. Think of a banking association, think munis and co-ops, who are peers who can help protect each other, and they can bring resources together.
So, having your own cybersecurity organization who can go out and do third party vendor management. And if we're talking about software, what are you doing to test that software? Right? We'll talk about this in a bit. But SolarWinds, that actual malicious code would not execute if it was in a sandbox. So even after you test it, how are you monitoring it in a production network? Right? All of those are things that we need to implement moving forward, or else we still won't have visibility over these threats within our organizations.

John Breeden: Wow, lots to consider there. Thank you, Joel, I appreciate your look from kind of the inside, behind the curtain there. So Matthew, earlier you were explaining the reasons why resilience is so important when securing your supply chain. Drilling down into that a little bit, what are some of the things that agencies should implement in order to give themselves better resilience and to be better prepared to recover quickly, should their supply chain get compromised and they get attacked?

Matthew Butkovic: Sure. So John, I think first is acknowledging that you have an intermeshed set of capabilities required for this. So to do incident management well, as in responding to some disruptive event, you have to do asset management well. If you don't know what you own and what you operate, and its criticality, you really can't do this well. So, and Joel touched on this, it's about visibility. And then I think insights, insights being prioritizing and making the hard decisions about the things we focus on when we face a disruption. Also, that requires you to understand the scale and depth of the compromise you've had. So for instance, if there's a supply chain attack involving a software update, Joel explained that with the SolarWinds attack, it's very difficult to detect this sort of malware, even with sophisticated techniques. So in one sense, right, we don't want to give up on doing those things; we want to make it harder for the adversary. But I'd suggest that any agency, any organization should consider doing a tabletop exercise, or just a thought experiment, that says, if we find that our software supply chain is tainted, if there is malware as part of the package we've loaded, what are the steps we take, one through 10, to limit the exposure, triage the situation, and then invoke a prioritized plan of attack to recover back into the standard way of working. So all of this can sound really daunting. And here at the Software Engineering Institute, I've had the opportunity to work with our partners in Homeland Security in assessing this adversary posture of many types of organizations, including state, local, and small utilities. And the thing that I would highlight is fit for purpose, which is, all of this sounds really complicated, and it can be, but everyone should consider starting small, and building, aspiring to have a more comprehensive view of supply chain risk management. But getting started doesn't have to be complicated.
It doesn't have to be expensive. It just starts with a solid understanding of your organization, your priorities, and most importantly, in the case of the supply chain, the vendors that you're relying on.

John Breeden: No, that makes a lot of sense. Thank you so much, Matthew. So Joel, in addition to some of the things that you mentioned before, should agencies also consider using a third party to evaluate their supply chain and the vendors within it? I mean, will your vendors, or can states kind of require their vendors to go under this type of audit? I mean, I suppose they could make it contingent on working with them or something like that. And then secondly, have you seen examples where an agency believes that their vendors are secure and then finds out, when they actually take a look under the covers, that they're really not?

Joel Bork: Yeah, that's a great question. And really I want to kind of circle back on what Matt was talking about, and then I want to address that question as well. What Matt was referring to is really implementing a solid incident response policy, plan and procedure, right? And how do you gain visibility and then react and respond to certain events that occur? And that is so core and fundamental. And with COVID, right, we've all shifted from being on prem to fully remote environments. And one of the things, you know, back to, hey, what can we do to help protect our organizations? When was the last time you took a look at that incident response plan? And have you migrated it from that on prem incident response plan to this fully remote environment that we're now living in? And if you haven't, please, please, please dig into that and make the changes required. And then those tabletop exercises, right, once you've done that and tested it, awesome. Matt, if you have some additional thoughts on that, please jump in.

Matthew Butkovic: Yeah, thanks, Joel. I was reflecting on how you were describing what organizations can do. And I think one of the critical differences in utilizing a third party that we need to unpack here is that you're now managing at arm's length. The things that you could do to evaluate the operating effectiveness of your cybersecurity controls when they belonged to you are very different when you're relying on a third party. And I'm thinking about experiences I've had working with organizations moving to the cloud, where you're not likely to have a right-to-audit clause, but rather, you need to depend on the opinion of a third party. I'm thinking about John's question. So I think it's imperative, as you draw on third parties, especially service providers, that you're obtaining third party opinions related to the operating effectiveness of those controls. And that typically, in this context, means a SOC report. And you know, that could be a webinar unto itself, how to seek those out; Joel is well traveled down that road, having done FedRAMP and related assessments. But the point I'm making here is there is an implicit transference in the mechanism that you can apply to determine if security is working or not working. When you put your trust in the third party, you're also putting trust in either the examination that's done of them for you by a third party, or you hiring a third party to perform that assessment. But the nature of it is very different than if you're completely on prem and managed these things all within your own four walls.

Joel Bork: And Matt, great insight into that. You know, so should you consider a third party evaluating your supply chain and your vendors? Yes. You know, if you don't have your own team who can perform this, it is something you have to do in this day and age. Now, on the other hand, this is something that I'm actually doing for a couple of organizations, right, from reworking their third party vendor management policy to the plan, right? What is the questionnaire? What do we want to map it to? All the way to the process. And have I seen examples where agencies' vendors are not as secure as they thought? Unfortunately, often. You know, and you'll see these vendors, they say, hey, this is the most secure platform for your XYZ need, you name it, right? And we get in there, and we ask these questions, and we ask for their due diligence packet. And by the way, if you go and ask your third party vendors for their due diligence packet, and they don't have one, you need to be asking more questions, right? Because we've gotten in there and said, okay, what are you actually doing for IT? Who's managing that service for you? Oh, you don't have anybody? What firewall are you using? You're using what? Right? So ask these questions and dig in. And if you hire somebody, make sure they've done this a number of times, because to be honest, they'll tell you, your vendors will tell you the truth. And what you may find is that it is not the most secure place to store your data or run your processes and procedures for your organization. So 100%, this needs to be done. And there are organizations and vCISOs and companies who perform, while it's not an audit, third party vendor management.

John Breeden: Absolutely. Absolutely. Well, thank you both. That was a really good answer to my question. So let's dive a little bit deeper into some of the threats to the supply chain. And we will be sure to consider both the technology and the human aspects, which are sometimes overlooked. So Matthew, Joel has graciously offered to walk us through an attack in just a minute so that we can visualize some of the technical issues involved with that. But I wanted to start the segment with you, because I think the human side of this is often overlooked. Could you maybe talk about how governance, management, and risk assessment are so critical to an overall supply chain defense?

Matthew Butkovic: Yeah, certainly, John. So I think you all would agree, although we'll discuss specific technical attack techniques, all attacks originate, right, from human interaction or human hands, right. We're not at the point yet where AI is attacking us autonomously. Thank goodness; that's probably coming. But as it stands now, right, a malicious actor decides they're going to do something to you, in this case via the supply chain, and then they take a set of steps to find a way to interact with, access and exploit your resources, typically your network and your applications and data. Everything I've just described requires you anticipating what could go wrong. Therefore, you need to build a strategy to identify, as Joel said, look at those indicators of threat, look at those industry indicators of compromise, identify that you've been breached or exploited, and then have a strategy that's based on your risk appetite, your risk tolerance, the critical drivers in your organization. I know that sounds like a bit of a jumble. But what I'm really saying is it comes down to the basics of governance, which is you have to keep the organization in trim, meaning that you're not exceeding those thresholds around risk. So again, this sounds really complicated. But I would argue that you're doing this in other facets of your daily operations. Now, in any agency that's represented on this call, there's decisions you make about the physical risk the organization is willing to incur using third parties, and you likely have plans then to do something different or to compensate if something goes wrong. It's really no different in cyber; it's just the means and methods look far more complicated, and certainly require a specialized skill set.

John Breeden: Excellent. Well, thank you, Matthew. So I'll turn things over to you. Why don't you walk us through an example of an attack, and maybe put particular emphasis on areas where maybe there was a weak point in place, or where a particular tool or tactic might have actually helped out.

Joel Bork: So let's go ahead and jump into this, because I know we are limited on time, and we want to talk about kind of the breadth of supply chain. So this first one was really cool, because actually, right before we started this, we were talking about this Target hack. And some of you may have remembered from a number of years ago that Target was compromised by their HVAC services. I was actually talking about this, and Matt goes, wait a second, I drive by them on my way to work, like, I have pictures. So we actually grabbed this from that right before we jumped in. But remember, this is a form of third party vendor management. And I'm going to kick it over to Matt here in a minute, because he's got some comments on this. But look, most people wouldn't go and dig into their HVAC vendor. But you have to realize that their thermometers were internet connected and on the same subnet as their payment services, or at least connected to the same network. And they were able to pivot over into those point of sale units and compromise a significant amount of financial data out of Target. And it did have a severe impact to them. So Matt, I'm going to kick it over to you; throw your commentary in there on this one.

Matthew Butkovic: Yeah, I think so. So, yeah, as I just said, I literally drive by Fazio Mechanical Contracting, or Mechanical Services as they were called back then, on my way to work every day. They're located in Sharpsburg, suburban Pittsburgh. So this medium-size, family-run mechanical services organization was the point of origin for the first billion dollar breach in US history. Think about that. And the cautionary tale was twofold. Right? This is certainly a supply chain attack, in that Fazio was granted access to Target systems. And I would argue that Target did too little to control that access, meaning they gave them credentials without asking a lot of things regarding how are you going to use these credentials and protect the access we're giving you. So definitely a supply chain attack. And then I think about the way I was taught to do vendor management and vendor risk management when I was in the corporate world. And typically, you line up all of the organizations you do business with, and you create a cut line. You say, well, if we don't do a million dollars worth of business with an organization, or 10 million or 500,000, whatever the number is, we're not going to look at that organization, or look at it with the same rigor that we do those on the top of the list. Well, I can guarantee you that Fazio Mechanical Services was never making tier one when it came to vendors with Target, yet they were the source of a billion dollar breach, right? So the takeaway for me is ensure you're doing a comparable level of vendor analysis, no matter the size of the vendor. Now, we all know there's time and expense involved there. That's why focusing on the fundamentals is really important, I think, with all of this, with third party risk management and supply chain risk management.
Understand the cost involved with evaluating the entities you do business with and creating service level agreements and service reviews. Ensure that you're getting maximum value out of that investment and cast a wide enough net, so you don't have Fazio Mechanical Services situations lurking, where you've given access to maybe a marginal player when you look at the overall spend with vendors, but this access that you've granted them could result in a serious incident.

Joel Bork: This comes back to scope, not scope creep, but permissions creep, right? You've got to think, when we're giving our own employees administrative access, when was the last time we went back and reviewed? Do they have least privilege, which means, a year later since we've granted them administrative access, do they still need that access? Or your HVAC vendor, do they still need that access? And so this is permissions creep, and it happens all over the world. Even when organizations hire somebody or an employee makes a lateral move, we may give them new permissions, but did we remove the old? Right? And so all of this is, once again, do you have visibility into that? Another question I'd like to answer is, would you tell your suppliers if you have been compromised, and the possible effects that it could have on them? And I would say yes. Honestly, guys, honesty's the best policy. And so one of the recent supply chain attacks that happened was the Kaseya ransomware attack. And it was a software supply chain attack that impacted a large number of organizations, specifically managed service providers. And the beauty of this attack, and you know, it's been documented and stated, is that because organizations were forthcoming, because they were honest, and they worked together to disclose as much information as possible to everyone who was affected, the remediation took about a third of the time. Because you have to remember, if you're impacted and you can work together with others, right? This is about collective defense. This is about coming together to protect each other at the same time as we're worried about ourselves, right? So we have to work together, and it will help with your remediation time. And once again, honesty is the best policy. And if you're trying to build trust, remember, the more trust you build, the faster your business will move as well.

John Breeden: Yeah, you bring up a good point, Joel. I mean, a lot of times when we think about supply chain security, you think of the responsibility of the subcontractors to the main organization, to the government entity or whoever is at the top of the pyramid, if you will. But that responsibility also goes back the other way, to an extent: if the government agency gets hacked, maybe through one of their vendors, it's important for them to let the other people who are connected farther down the chain know about it, so that they can defend themselves as well.

Joel Bork: Yeah, great. And you're spot on, right. So here at IronNet, we're doing defense industrial base protection. And to be honest, these primes, they're saying, look, the supply chain in the defense industrial base, which is our supply chain, that is the weakest link, right? And how do we help protect them? So you've got to know these primes, they are interested in assisting subcontractors where they can. While they can't assume the risk, it is about being mutually beneficial to each other and driving business and making sure we're protected. So let's open these lines of communication. And that is really the way forward.

John Breeden: No, I mean, that's amazing. Guys, I want to move on, because these are points that I think we need to make sure we get to. So Joel, one of the things that you and I were talking about before the show, that you said you wanted to make sure you addressed because it was important, was the concept of increased supply chain risk due to valid code signing certificates being used with malicious code. And it kind of goes into a little bit of what you were talking about before. But could you maybe explain that? And if anything, what agencies can do to prevent that from happening?

Joel Bork: Yes, well, how did they do it, if we're talking software supply chain? And look, this works, and we're just seeing the tip of the iceberg of this. How did they do it? What happened was they injected that DLL, it didn't get logged, and then the SolarWinds organization bundled up that update and signed it with a valid certificate and deployed it to everybody. Right? So typically, you'll see a self-signed certificate. And for those of you who don't know what I'm referring to right now, that's okay. But if you go to a website with a self-signed certificate, you'll see that little padlock at the top of your browser look like it's open, right? And it'll be red. And it'll say, oh, you might not be secure, right? And that's basically a website without a certificate. Same thing, but for a software update. So remember, what's happening is these updates are being pushed with malicious code. And that's where it comes back to that baselining and the delta that Matt was talking about: you need to understand what's on your endpoints, what normal should look like. So then, when you're seeing that delta or that anomaly, you can dig deeper. And then hopefully, you're working with peers and those who have similar platforms and software and services that you do, to say, are you seeing the same thing? Is it just me? And if they are seeing it, work together, right? I mean, that's what's going to help remediate this.

John Breeden: Excellent. And then, Matthew, the question I had for you: a little earlier, you were talking about risk tolerance as being a critical factor in securing the supply chain. And I was thinking it might be helpful for state and local viewers today if maybe you could talk to some of the factors that should go into an agency's assessment of its risk tolerance. What are some of the things that they should consider when they're trying to build up and define their risk tolerance?

Matthew Butkovic: Sure, sure. I know risk tolerance and risk appetite seem like very sort of ethereal concepts at times, but at the end of the day, ask yourself, what is the maximum tolerable outage, disruption, deviation from the standard way of working that we can endure? Right? So this is really how you determine what your resilience should look like. So, I'm sure that most folks in the audience had a Slinky as a kid, or at least know what a Slinky is. And if you were like me, you took one end, and my brother took the other end, and we pulled on the Slinky as hard as we could. And it just became a bent piece of wire; it would slink no more. And that's the way we should think about risk and resilience, which is, you want to understand the outward bound: how far can you be stretched, and pivot, and come back to your shape, your intended shape, and not be a bent piece of wire, but rather the Slinky again. So I know it's kind of a juvenile sort of description, but I think it helps people come to understand what we mean when we talk about these concepts of risk and resilience. But more simply, your risk factors should stem from an impact assessment, and that's an operations and business impact assessment. So if you're an agency, and let's say that you're responsible for administering some services to citizens in the state, ask yourself, what are the scenarios that could impair or bring down that service? And then on a sliding scale, when does it go from something that is an annoyance to absolutely critical, to detrimental, and perhaps creates a situation where human life is being risked? It all comes down to impact. And then you quantify that impact and marry that up with the capabilities that you need to avoid that negative outcome.

Joel Bork: I'm just gonna throw this out there. Today's the first day I've ever gotten to talk about cybersecurity and Slinkies in the same conversation.

John Breeden: Love those Slinkies, man. So this has been a really amazing show. I want to thank you guys both for being here. We're running a little short on time, but you guys have both been fantastic. So let me just sneak in a final question to our experts. I'd be remiss if I didn't do that, since I have you both here with us. So Joel, we covered a lot of threats to the supply chain today, and you gave us a ton to think about in terms of tools and tactics moving forward. Are there any government-wide or maybe industry-wide programs or partnerships, like threat intelligence sharing and things like that, that you think could really be a big help in securing the supply chain?

Joel Bork: Yeah, that's a great question once again. So are there any government-wide or industry-wide programs? Absolutely. The ISACs and ISAOs are a great place to start. And once again, they're not actually sharing with each other, right? So the E-ISAC and FS-ISAC and IT-ISAC, they're working on their own verticals, but they're not actually sharing together. And so this is one of the other things, and I'm not trying to get on the sales box here, I promise, but we're trying to help bridge that gap of correlating that threat intelligence in more real time as it happens. So that's what IronNet, and IronDefense, our platform, is doing in real time for our clients around the world. So absolutely, those ISACs, that threat intelligence sharing. You know, one of the issues they're having is getting that participation to occur. So please participate, please reach out to those, not just those organizations, those industry threat intel sharing platforms, but reach out to your peers. What are they doing in the industry? How are they sharing? How can you collaborate together when these things happen? What similar platforms are you using? And then also, once again, it comes back to doing that third party vendor management.

John Breeden: So Matthew, thank you for being with us here today as well. I thought your insights, especially on the human side of supply chain security, were invaluable, really. So for our state and local guests who want to beef up their risk assessment and their governance management, what are some good plans for them to follow, and ways that they can get started down that critical path?

Matthew Butkovic: Sure, I've got some really good news here, John. So first, I'd point to kind of the easiest stuff, which is, the entire catalog of things that I've constructed here at CERT is free and available to anyone. So if you take a look at the website, or reach out to me, I'd be happy to help. Joel mentioned the Multi-State ISAC. I'd also point out the Cyber Resilience Review, which is an assessment that Carnegie Mellon helped DHS establish. We've performed these now for hundreds of organizations, including many state and local governments. I would certainly consider drawing on Homeland Security's offer of free assistance to perform this assessment, which includes an evaluation of your third party risk and supply chain risk management practices. Everything I've just described is free. So free is always good. And I wanted to point out that these are all free.

John Breeden: Oh, absolutely. And when it's free, and it's actually really valuable, it's even better. So thank you so much.

Joel Bork: I want to say to those listening, while it is free of charge, please, please, please dedicate some of those people resources, because the more you dedicate towards that process as it occurs, the more value you'll get out of it. So great add, Matt.

Matthew Butkovic: Yeah, that's a great point, which is, it's free of charge, but certainly there is an investment of time, and please do make the most of it.

John Breeden: Great. Well, thank you, and thank you for making the most of our time today. This has been amazing. I appreciate Matthew and Joel, both of you, for being here. All of your insights made this an amazingly productive session focused on a very critical and complicated topic. I learned an awful lot today about the supply chain, and I'm sure our audience did as well. So thank you both for being here.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft or IronNet can assist your state or local government agency, please visit www.carahsoft.com or email us at IronNet@carahsoft.com. Thanks again for listening and have a great day.