In the past year, software supply-chain attacks have been the bane of organizations across the globe.
Around this time last year, many IT engineers had looked to their year-end holidays, only to be plunged back into work with a new problem caused by the infamous Log4j.
The problem stemmed from vulnerabilities in the Java software used in so much of the world’s modern IT infrastructure, from servers to apps that power digital services across all sectors.
Countless organizations were impacted as a result, and their IT teams worked around the clock to patch the loopholes which would enable malicious actors to get in and take control of their systems.
The problem was not simply finding and applying a software patch but finding where the vulnerability was located across the entire technology stack.
Doing so took a long time for many organizations that did not have the visibility they desired of their Java software and dependencies. Even today, many enterprises are still unsure if they have patched everything.
In the past year, software supply-chain attacks, often driven by vulnerabilities such as Log4Shell, have been the bane of organizations across the globe. And these threats are just the tip of the iceberg.
Cyber attackers are now well organized in the Dark Web, with different specialists taking on roles such as the crafting of phishing e-mails, penetration testing, and the exfiltration of data.
By attacking the software vendors that supply otherwise well-defended organizations, these hackers can more easily bypass robust cybersecurity measures. At the same time, they can also use the same exploit to target multiple victims.
A catch-22 situation
For organizations, such supply chain attacks are hard to ward off because they have to trust the suppliers of the many components that make up their IT infrastructure.
When an update checks out to be from the actual supplier, say, with a file checksum verification, then an organization would usually go ahead to update its system software. Not doing so might open it up to other vulnerabilities.
There is also no turning back from third-party software suppliers, including those that are behind the often-used Java software that underpins so much of today’s apps and digital services.
Today, an estimated 40 per cent to 80 per cent of the lines of code in software come from third parties such as libraries, components, and software development kits (SDKs). Vulnerabilities in these components open organizations to cyber threats.
Unsurprisingly, research firm Gartner predicts that by 2025, 45 per cent of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
Bolstering defenses against new threats
What can organizations do in such a seemingly catch-22 situation? They have to do more to check that the foundational software that their business depends on is running securely even as they ensure that performance isn’t impacted.
They cannot do this manually, because of the sheer complexity and interconnectedness of their systems today. Think of the many software dependencies involved in Java, for example, and it becomes clear how difficult it is to hunt for a specific piece of code to patch up the Log4Shell vulnerability.
Organizations need the right tools that tell them where to look and fix a problem, so they can spend their time getting a loophole patched up instead. Visibility is crucial here for a view of one’s own code and to know what malicious software is circulating in the wild and infecting others.
To find a problem with Java software, for example, it will be useful for a cybersecurity tool to continually look up the software components in place and map them against a curated Java-specific database of common vulnerabilities and exposures (CVEs).
By presenting this in an easy-to-read format, the automated tool would be taking out false positives and allowing IT teams to zoom in accurately into a particular CVE to fix the issue. Better yet, do not run this tool as a separately installed and managed piece of software, but rather as an agentless cloud service that does not add more performance overhead.
After all, if the core of your infrastructure is being slowed down because it is continually checked for vulnerabilities, you are also degrading the performance and experience for users. Therefore, eliminating false positives with no performance impact is critical.
An e-commerce site that is too slow to load ends up losing vital sales when customers get frustrated waiting for a checkout to be completed. Similarly, an app that doesn’t show a customer’s information ends up being ignored and abandoned for its poor experience.
Just as important as speed is the traceability of what goes on in the Java applications, libraries, and frameworks. A tool that can retain a history of the components and code run will be important for forensics efforts, should there be an exploit.
Being a step ahead
Like other cyber threats in recent years, the only way that organizations can ward off increasingly common software supply chain attacks is to be more vigilant and stay a step ahead of them. Doing so means being able to detect a threat with more automated tools that deliver better insights to bolster one’s defenses.
With many of today’s cyber criminals so well organized to bring in big money from potential victims, organizations cannot afford to fall behind the game in terms of getting their defenses ready and effective against emerging threats. They certainly have to be better than the bad guys in their efforts.
The good news is that cyber defenses are also evolving to meet the challenges that have arrived of late. Automation will help organizations do a lot more when it comes to finding a vulnerability and improved visibility will enable them to better counter a threat. By using the latest tools available, they can avoid the same tough situation they faced last year with Log4j.