The SolarWinds breach, in which attackers slipped malicious code into a signed, vendor-distributed software update, is a useful reminder that modern adversaries, both cybercriminals and hostile state actors, continue to innovate and to evolve in sophistication, guile, and persistence. They use the same advanced tooling to develop their attacks (heuristics, machine learning, artificial intelligence, tighter integration, and automation) that legitimate technology vendors and service providers use to defend their businesses and customers. It is a battle in which attackers generally hold a first-mover advantage: they choose the time and the target, while defenders must detect, contain, terminate, and recover from an attack after it is already under way, and each of those steps is harder than the attack itself.
Implementing a full-bore ISO/IEC or NIST security framework is often beyond the needs and resources of many MSPs, but the philosophy behind these frameworks can still be useful. They provide a proven vocabulary and methodology for managing cybersecurity risk. By starting with the basic questions those frameworks pose, you can start down the path of systematically identifying and mitigating your software supply-chain security risk. A framework-based mindset helps you identify areas where existing processes can be strengthened and new processes introduced, prioritize your security requirements, and set appropriate expectations with your suppliers and partners.