3 Ways Govt IT Pros Can Prevent Software Supply Chain Attacks

Protecting government agencies from software supply chain attacks—and interrupting the Cyber Kill Chain—requires a concerted effort. Let’s look at three key practices agencies can follow to better protect against the growing threat of supply chain attacks and help ensure the software they procure doesn’t serve as a threat vector. (Courtesy of SolarWinds)
Protecting government agencies from software supply chain attacks—and interrupting the Cyber Kill Chain—requires a concerted effort. Let’s look at three key practices agencies can follow to better protect against the growing threat of supply chain attacks and help ensure the software they procure doesn’t serve as a threat vector. (Courtesy of SolarWinds)

Guest OpEd by Brandon Shopp, GVP, Product Strategy, SolarWinds

Software supply chain hacks are on the rise. According to the 2022 Verizon® Data Breach Investigations Report, 62% of cyberattacks originate through an organization’s supplier, often in the form of malicious code injected into a vendor’s software offerings.

The offending software then jeopardizes the customer’s data or system.

These threats are highly sophisticated, well-resourced, and persistent.

AST Announces 2022 'ASTORS' Finalists in Special FINALISTS EDITION Magazine
SolarWinds Recognized with Multi-Award Finalist Rankings in Seventh Consecutive ‘ASTORS’ Awards Programs.

Understanding the attacker’s weaknesses is key to preventing a supply chain hack from escalating.

A useful reference is the Lockheed Martin Cyber Kill Chain framework, which identifies the seven steps of a cyberattack.

The framework isn’t dissimilar to what a software supply chain hack is ultimately doing—breaking into an organization with the intent to infiltrate others.

But what can government security and IT pros do with this insight?

Let’s look at three key practices agencies can follow to better protect against the growing threat of supply chain attacks and help ensure the software they procure doesn’t serve as a threat vector.

  1. Software Audits Are Essential

To achieve their missions, lines of business concur with IT specialists to determine the software they need. But these buying decisions are often made without the knowledge and oversight of the CISO whose responsibility it is to ensure the software is protected and free from risk.

Today’s cloud-based tools allow IT and security teams to consolidate and view important enterprise-wide asset information—such as unauthorized software, licenses, subscription renewals, vendor contracts, and more—via a single pane of glass. (Courtesy of SolarWinds)
Today’s cloud-based tools allow IT and security teams to consolidate and view important enterprise-wide asset information—such as unauthorized software, licenses, subscription renewals, vendor contracts, and more—via a single pane of glass. (Courtesy of SolarWinds)

Furthermore, as operations expand to the cloud, getting a complete view of the organization’s digital assets—and potential attack surface—is increasingly difficult.

For these reasons, software audits are more important than ever. But as digital ecosystems expand, taking inventory and assessing the security posture of each asset is a mammoth undertaking.

One way to streamline the process is to automate IT asset life cycle management.

Today’s cloud-based tools allow IT and security teams to consolidate and view important enterprise-wide asset information—such as unauthorized software, licenses, subscription renewals, vendor contracts, and more—via a single pane of glass.

(Managing IT assets can be a challenge if you don’t have a powerful tool to accurately track your IP-connected devices. Whether it’s ensuring all your employees are using the latest operating system software version or quickly attaching a related item to a ticket, with SolarWinds Service Desk, you can keep track of your inventory and budget and ultimately mitigate risk when staying on top of your assets. This short video shows you how to install and use the Solarwinds Discovery Agent and Discovery Scanner. Courtesy of SolarWinds and YouTube.)

But asset discovery is just the first step; security pros need to understand the functional relationships between software and systems—where data flows, how systems are connected, etc.—and the potential avenues and impacts of a laterally moving cyberattack.

The right asset management software should also integrate with security software for accurate and complete security audits and quick remediation of vulnerabilities capable of making agencies vulnerable to steps one through four of the Cyber Kill Chain (reconnaissance, weaponization, delivery, and installation).

  1. Protect Unsecured Systems

One of the main reasons software supply chain hacks are successful is keeping software and systems up-to-date and protected against hacks is an overwhelming task.

According to an IDC® InfoBrief—Building a Secure Future: Risk Management, Mitigation, and Protocols for Software Supply Chain Threats—only 49% of organizations are capable of rapidly deploying patches and updates, and a mere 12% patch in real-time.

This is problematic since supply chain hackers increasingly exploit outdated software as a preferred threat vector.

Since real-time patching is almost impossible to achieve manually, government security pros must find an alternative method to close security gaps.

(Tim Brown, SolarWind CISO and VP of Security, explains how SolarWinds is ensuring the integrity of the build process and how we share learnings with our partners, community, and customers; as well as how we’re leveraging and contributing to open-source initiatives and lead by example in securing the supply chain. Courtesy of SolarWinds and YouTube.)

One option is to use automation to detect and deploy critical third-party software patches as they become available and then track the success of the patch update.

Another emerging approach involves using digital twins to simulate the impact of patches on system integrity and likely performance outcomes. In this way, public sector security pros can apply the “trust but verify” model and stay current with all updates—without any performance impacts.

  1. Work With Vendors to Reduce Risk

When a vendor is compromised, their customers rightfully expect them to be proactive in their outreach, share attack intelligence, and assist with mitigation efforts.

But to ensure secure software development and effective cyber supply chain risk management (C-SCRM), agencies should also work closely with key suppliers throughout the vendor life cycle—not just after a cyber incident occurs.

Questions to ask include the following:

  • How do your vendors secure software code?

Agencies should also include key vendors in cyber resilience and improvement activities. (Courtesy of SolarWinds)
Agencies should also include key vendors in cyber resilience and improvement activities. (Courtesy of SolarWinds)
  • Have they established secure software development framework roles and responsibilities?

  • Are they using automation and DevSecOps to automate developer and security toolchains?

  • What policies and measures do they have in place to prevent malicious or vulnerable software from entering their customer base?

  • How are they monitoring risk in their own supply chain?

  • If a breach occurs, what’s their process for notifying customers?

Agencies should also include key vendors in cyber resilience and improvement activities.

Finally, a robust C-SCRM program must continuously assess and monitor each vendor’s security program for the life of the relationship.

A Concerted Effort

Protecting government agencies from software supply chain attacks—and interrupting the Cyber Kill Chain—requires a concerted effort. As these attacks increase, a successful defense requires an understanding of these advanced threats, how they happen, and ways to mitigate them.

It also requires proactive communication and collaboration between the public and private sectors in an environment free of finger-pointing.

By knowing the enemy and through collective action, all parties can help prevent a threat from escalating into a breach.

(Learn how the SolarWinds Platform is designed to connect with your critical business services, to provide flexibility, visibility, and control—wherever your environment lives and wherever you’re going next. It’s the simplicity you expect from SolarWinds, with deployment models to support you today and tomorrow, from on-premises to cloud-native SaaS solutions. Courtesy of SolarWinds and YouTube.)

About the Author

Brandon Shopp
Brandon Shopp

Brandon Shopp is the Global Vice President of Product Strategy, SolarWinds.

Brandon is a High-bandwidth Product Management professional, experienced with a wide variety of software products, business models, M&A, and go-to-market strategies.

His specialties include product management, enterprise management software, networking, systems management, mergers and acquisitions, M&A, application management, networking monitoring, and systems monitoring. 

SolarWinds Worldwide Named a Triple-Finalist in 2022 ‘ASTORS’ Homeland Security Awards

The 2022 'ASTORS' Awards Ceremony and Exclusive Luncheon Banquet will be held on Wednesday, November 16th, 2022, from 12:00 pm through 2:30 pm at none other than the Jacob Javits Convention Center in New York City during ISC East!
The 2022 ‘ASTORS’ Awards Ceremony and Exclusive Luncheon Banquet will be held on Wednesday, November 16th, 2022, from 12:00 pm through 2:30 pm at none other than the Jacob Javits Convention Center in New York City during ISC East!

American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.

The Annual ‘ASTORS’ Awards Program highlights the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure our readers have the information they need to stay ahead of the competition and keep our Nation safe – one facility, street, and city at a time.

AST has officially Announced the 2022 ‘ASTORS’ Awards Finalists in our 2022 ‘ASTORS’ FINALISTS EDITION *Fully Interactive* Mobile Magazine Here.

Additionally, the 2022 ‘ASTORS’ Government Excellence and Public Safety Award Honorees have also been announced (Click Here), although there are several late-entry nominations still to be announced!

Homeland Security remains at the forefront of our national conversation as we experience an immigration crisis along our southern border, and crime rates that are dramatically higher than before the Pandemic across the United States.

These challenges have become a national priority with an influx of investments in innovative new technologies and systems.

Commissioner Bill Bratton signs copies of his latest work, ‘The Profession: A Memoir of Community, Race, and the Arc of Policing in America,’ at the 2021 ‘ASTORS’ Awards Presentation Luncheon.

The pinnacle of the Annual ‘ASTORS’ Awards Program is the Annual ‘ASTORS’ Awards Ceremony Luncheon Banquetan exclusive, affordable, gourmet, full-course plated meal event, in the heart of New York City, held at the International Security Conference & Exposition (ISC East) since it’s inception in 2017.

And who better to address the aforementioned challenges, and initiatives to meet today’s threat landscape than Deputy Executive Assistant Commissioner (DEAC) Diane J. Sabatino of the Office of Field Operations, U.S. Customs and Border Protection (CBP), the opening keynote speaker at the much-anticipated 2022 ‘ASTORS’ Awards Presentation Luncheon, on Wednesday, November 16th, 2022.

In a typical year, DEAC Sabatino oversees the facilitation of legitimate travel for more than 410 million travelers in the air, land, and maritime environments.
In a typical year, CBP OFO DEAC Sabatino oversees the facilitation of legitimate travel for more than 410 million travelers in the air, land, and maritime environments.

As the DEAC of the Office of Field Operations, U.S. Customs and Border Protection (CBP)Mrs. Sabatino leads over 31,000 employees and oversees an annual operating budget of $6.5 billion.

American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.

(See highlights from the 2021 ‘ASTORS’ Awards Ceremony and Luncheon in NYC. Courtesy of AST and Vimeo.)

The continually evolving ‘ASTORS’ Awards Program will emphasize the trail of Accomplished Women in Leadership in 2022, as well as the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders – because #MentorshipMatters.

I’m Katherine Schweit, an attorney, security consultant, and retired FBI special agent. I was tagged by the FBI to create their Active Shooter program after the terrible tragedy at Sandy Hook Elementary School. Since then, I’ve devoted my energy to helping prevent more tragedies. My mission is to teach people their role in ending gun violence in their community. You can make a difference. Parents, educators, community leaders, policymakers, and security professionals can all help stop the killing. It starts with knowledge. You are part of the solution.
“I’m Katherine Schweit, an attorney, security consultant, and retired FBI special agent. I was tagged by the FBI to create their Active Shooter program after the terrible tragedy at Sandy Hook Elementary School. Since then, I’ve devoted my energy to helping prevent more tragedies.
My mission is to teach people their role in ending gun violence in their community.
You can make a difference. Parents, educators, community leaders, policymakers, and security professionals can all help stop the killing.
It starts with knowledge. You are part of the solution.” (Courtesy of Katherine Schweit)

In addition, up to 200 Attendees at the 2022 ‘ASTORS’ Awards Luncheon Banquet will receive a complimentary autographed copy of STOP THE KILLING: How to End the Mass Shooting Crisis‘ by the former head of the FBI’s active shooter program, Katherine Schweit, who will be in attendance to sign her book.

Ms. Schweit offers insight into what we can do to end the active shooter crisis plaguing America.

Within the pages of STOP THE KILLING she provides us with an insider’s look at what we’ve learned and failed to learn, about protecting our businesses, houses of worship, and schools.

Special Guests at the 2022 ‘ASTORS’ Awards Program, include Commissioner Bill Bratton (and executive director of TENEO RISK Advisory Group), Katherine Schweit, former head of the FBI’s active shooter program, NYPD’s Finest Chief of Department Kenneth Corey, as well as Dr. Kathleen Kiernan, President at NEC National Security Systems (NSS, which deploys groundbreaking solutions for government use, including access control and security, next-gen identity verification, scene processing, advanced analytics, and intrusion detection, and is our Platinum Sponsor for the 2022 ‘ASTORS’ Awards Program).

Thomas Richardson, FDNY Chief of Department; Dr. Kathleen Kiernan, President of NEC National Security Systems; and Richard Blatus, FDNY Assistant Chief of Operations at the 2021 ‘ASTORS’ Awards Luncheon at ISC East.

AST Honors Thomas Richardson, FDNY Chief of Department; Dr. Kathleen Kiernan, President of NEC National Security Systems; and Richard Blatus, FDNY Assistant Chief of Operations, at the 2021 ‘ASTORS’ Awards Luncheon at ISC East.

Dave Cagno, Comm Bratton’s Chief of Staff will also be in attendance; as well as Kym Craven, Executive Director for National Association of Women Law Enforcement Executives (NAWLEE);  representatives from DHS Federal Protective Service (FPS); Argonne National Laboratory (ANL); DHS Science & Technology (S&T); the Federal Emergency Management Agency (FEMA); the United States Coast Guard, and the U.S. Office of Personnel Management (OPM); CISA’s Interagency Security Committee (ISC), and Executive Leadership including Director Shonnie Lyon, of the DHS Office of Biometric Identity Management (OBIM).

We have representatives of the esteemed New York City Fire Department(FDNY); the New York City Police Department(NYPD); and the NYC Hospital Police, invited this year, as well as Executive Management from the U.S. Cybersecurity and Infrastructure Security Agency (CISA); Mr. Michael Breslin of LexisNexis Risk Solutions, and Mr. Tom O’Connor of FedSquared Consulting; nominated by Professor Dean Alexander; Women In International Security Global (WIIS); the 30×30 Initiative, a coalition of professionals advancing the representation of women in policing; and Operation Lifesaver, Inc. (OLI) (rail safety advocates).

Our keynote speaker TSA Administrator David Pekoske delivered a moving and timely address on the strategic priorities of the 64,000 member TSA workforce in securing the transportation system, enabling safe, and in many cases, contactless travel, and more (Be sure to see Interview.)
TSA Administrator David Pekoske addressing attendees at the 2021 ‘ASTORS’ Awards Luncheon in New York City on November 17, 2021. (Be sure to see AST Exclusive Interview, facilitated by Dr. Kathleen Kiernan HERE.)

The United States was forever changed on September 11th, 2001, and we were fortunate to have many of those who responded to those horrific tragedies join us at our 2021 ‘ASTORS’ Awards Presentation Luncheon.

In the days that followed 9/11, the critical need to protect our country catapulted us into new and innovative ways to secure our homeland – which is how many of the agencies and enterprise organizations that are today ‘ASTORS’ Awards Champions, came into being.

Enter, American Security Today, the #1 publication and media platform in the Government Security and Homeland Security fields with a circulation of over 75,000 readers and many tens of thousands more visiting our AST Website at www.americansecuritytoday.com each month.

The 2022 ‘ASTORS’ Awards Program is Proudly Sponsored by New PLATINUM SPONSOR:   NEC National Security Systems (NSS),

New Premier Sponsors Rajant Corporation, guardDog AI, plus IPVideo Corporation, and

Returning Premier Sponsors ATI Systems, Automatic Systems, Fortior Solutions, RX Global, and SIMS Software!

In 2021 over 200 distinguished guests representing Federal, State, and Local Governments, and Industry Leading Corporate Firms gathered from across North America, Europe, and the Middle East to be honored among their peers in their respective fields.

ISC East is the Northeast’s leading security & public safety event, hosted in collaboration with premier sponsor Security Industry Association (SIA) and in partnership with ASIS NYC.

Each year, to keep our communities safe and secure, security dealers, installers, integrators, and consultants, along with corporate, government, and law enforcement/first responder practitioners, convene in New York City to network, learn and evaluate the latest technologies and solutions from premier exhibiting brands.

Representing NEC at the 2021 'ASTORS' Awards Luncheon -Stacey Brown, SVP Raffie Beroukhim, Dr. Kathleen Kiernan, 2021 'ASTORS' Industry Leader of the Year; Christopher Gillyard, Rachel Sisk, and Frank Sangiorg
Representing NEC Corporation at the 2021 ‘ASTORS’ Awards Luncheon at ISC in New York City – NEC Director of Marketing Stacey Brown, NEC Senior Vice President Raffie Beroukhim, NEC NSS President Dr. Kathleen Kiernan, the 2021 ‘ASTORS’ Extraordinary Industry Leadership & Innovation Person of the Year; NEC NSS Regional Sales Director Chris Gillyard, NEC NSS Executive Assistant Rachel Sisk, and NEC Regional Sales Director Frank Sangiorgi

This combination of one-on-one conversations with top innovators, high-quality special events, and cutting-edge education and training, makes ISC East the most comprehensive East Coast event to guide the industry in getting back to business.

Taking place November 15-17 at the Javits Center in NYC (SIA Education@ISC: November 15-17 | Exhibit Hall: November 16-17), ISC East will be co-located with the Natural Disaster & Emergency Management Expo (NDEM EXPO), a comprehensive trade event and online resource dedicated to the preparation, response, and recovery of physical and human assets of public and private organizations, and the 33rd ASIS NYC Expo. 

Corporate firms, the majority of which return year to year to build upon their Legacy of Wins, include:

Advanced Detection Technologies, AMAROK, ATI SystemsAxis Communications, Automatic Systems, BriefCam, Canon U.S.A., Cellbusters, CornellCookson, CyberArk  Fortior Solutions, guardDog.ai, Hanwha Techwin of America, High Rise Escape Systems, IPVideo Corporation, Konica Minolta Business Solutions, NEC National Security Systems, NICE Public Safety, OnSolve, PureTech Systems, Quantum Corporation, Rave Mobile Safety, Regroup Mass Notification, Robotic Assistance Devices, Rajant Corporation, SafeLogic, Select Engineering Services LLCSinglewire Software, SolarWinds Worldwide, Teledyne FLIR, Valor Systems, and West Virginia American Access Control Systems, just to name a few!

Team ATI Systems (featuring Dr. Ray Bassiouni, second from right) Accepts the 2021 Platinum 'ASTORS' Award for the ATI Systems Mobile Solutions for Giant Voice, in addition to a 2020 'ASTORS' Extraordinary Leadership & Innovation Award at the 2021 'ASTORS' Awards Luncheon at ISC East.
Team ATI Systems (featuring Dr. Ray Bassiouni, second from right) Accepts the 2021 Platinum ‘ASTORS’ Award for the ATI Systems Mobile Solutions for Giant Voice, in addition to a 2020 ‘ASTORS’ Extraordinary Leadership & Innovation Award at the 2021 ‘ASTORS’ Awards Luncheon at ISC East.

Why American Security Today?

The traditional security marketplace has long been covered by a host of publications putting forward the old-school basics to what is Today – a fast-changing security landscape.

American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State, and local levels of government as well as firms allied to the government.

American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting-edge editorial that provides solutions to their challenges.

Harness the Power of the Web – with our 100% Mobile Friendly Publications

AST puts forward the Largest and Most Qualified Circulation in Government with Over 75,000 readers on the Federal, State and Local levels.
AST puts forward the Largest and Most Qualified Circulation in Government with Over 75,000 readers on the Federal, State and Local levels.

AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals, in federal, state, local, and private security sectors.

‘PROTECTING OUR NATION, ONE CITY AT A TIME’

AST Reaches both Private & Public Experts, essential to meeting these new challenges.

Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture, and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.

American Security Today

These experts are from Government at the federal, state, and local levels as well as from private firms allied to the government.

AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website, and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Border Security, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.

AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.

Team TSA
AST Honored the 20th anniversary of the Transportation Security Administration (Team TSA at the 2021 ‘ASTORS’ Awards Presentation Luncheon.)

Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.

To learn more about ‘ASTORS’ Homeland Security Award Winners solutions, Be On the LookOut for the 2022 ‘ASTORS’ CHAMPIONS Edition Fully Interactive Magazine – the Best Products of 2022 ‘A Year in Review’.

The Annual CHAMPIONS edition includes a review of ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firm’s products and services, including video interviews and more.

For example, please see the AST 2020 CHAMPIONS Edition.

It will serve as your Go-To Source throughout the year for ‘The Best of 2022 Products and Services’ endorsed by American Security Today, and can satisfy your agency’s and/or organization’s most pressing Homeland Security and Public Safety needs.

From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection, and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware and Networking Security – Just to name a few), the 2021 ‘ASTORS’ CHAMPIONS EDITION will have what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.

It will also include featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2022 ‘ASTORS’ Awards Program.

For a complete list of 2021 ‘ASTORS’ Award Winners, begin HERE.

For more information on All Things American Security Today, as well as the 2021 ‘ASTORS’ Awards Program, please contact Michael Madsen, AST Publisher at mmadsen@americansecuritytoday.com.

AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:

  • Provides named sources
  • Reported by more than one notable outlet
  • Includes supporting video, direct statements, or photos

Subscribe to the AST Daily News Alert Here.

Learn More…

Three Preventative Strategies to Help Mitigate Asset Risk in Your Agency