Blog July 19, 2024

CrowdStrike Outage: Know Your Supply Chain

Supply chain detection is vital for third-party incident response

 

Knowing Your Supply Chain (KYSC) is becoming an increasingly important component of cyber resilience. Understanding the dependencies within your organization and those of your vendors is critical for responding to incidents effectively. Even the most reliable vendors and partners can experience issues.

Today, a widespread outage impacted CrowdStrike Falcon, affecting the global supply chain. While we won’t delve into the specifics of this outage, we will use it as an example to highlight the importance of KYSC in managing emerging issues and incidents.

 

SecurityScorecard provides a comprehensive view of companies worldwide that utilize CrowdStrike. By operationalizing this data, you can build a portfolio of vendors and third parties using the affected software. With Automatic Vendor Detection, you gain access to a Software Bill of Materials (SBOM) for each company in your third-party, fourth-party, and Nth-party ecosystem.

Proactive third-party incident response

Prioritizing your vendors based on criticality or other business-relevant factors allows you to take proactive measures to protect your organization. This approach not only safeguards your business from potential issues and incidents but also ensures compliance with regulatory mandates like the Digital Operational Resilience Act (DORA).


In the event of a major zero-day or other cybersecurity incident, you don’t have to wait for vendors to respond to status questionnaires or provide SBOM details. SecurityScorecard’s AI-driven collections engine automatically updates this information, so it is already available when you need it.

SecurityScorecard CEO & Co-Founder, Dr. Aleksandr Yampolskiy, added:

“When I used to work at Goldman Sachs, the policy was to get tools from multiple vendors. This way, if one firewall goes down by one vendor, you have another vendor who may be more resilient.

Today’s global outage is a reminder of the fragility and systemic ‘nth-party’ concentration risk of the technology that runs everyday life: airlines, banks, telecoms, stock exchanges and more. SecurityScorecard, in collaboration with McKinsey, produced research showing that 62% of the global external attack surface is concentrated in the products and services of just 15 companies.

An outage is just another form of a security incident. Antifragility in these situations comes from not putting all your eggs in one basket. You need to have diverse systems, know where your single points of failure are, and proactively stress-test through tabletop exercises and simulations of outages. Consider the “chaos monkey” concept, where you deliberately break your systems—e.g., shut down your database or make your firewall malfunction to see how your computers react.

Whether caused by a malicious DDoS attack or a faulty patch update, the end result of an outage is the same: Users are denied access to critical systems.

This disruption creates a fertile ground for exploitation, as attackers prey on the vulnerability of users seeking solutions. The timing of this event and how public it is happens to be exactly what attackers look for to craft targeted attacks. Threat actors may use social engineering tactics to disguise malware as legitimate restoration tools to gain unauthorized access to systems. Vigilance is paramount, as organizations must not only address the outage but also fortify defenses against opportunistic attacks that exploit the chaos.”

Cyber risk concentration

Today’s global outage is a stark reminder of the fragility and systemic “nth-party” concentration risk inherent in the technology that underpins our daily lives — airlines, banks, telecoms, stock exchanges, and more. Our reliance on technology creates massive single points of failure, leading to widespread disruption when these systems falter.

Recent research by SecurityScorecard, in collaboration with McKinsey & Company, highlights and quantifies this concentration risk. The findings emphasize that a significant portion of the global external attack surface is controlled by a relatively small number of tech providers and nth parties. This issue is not diminishing; in fact, we are only beginning to grasp the potential for chaos caused by this concentration.

Understanding and managing your supply chain is critical in mitigating these risks. By proactively identifying dependencies and potential vulnerabilities within your ecosystem, you can strengthen your organization’s resilience against such disruptive events.
