Supply Chain Security

One oft-overlooked security risk organisations face is their supply chain. The vast majority of organisations depend on some combination of subcontractors, third-party software-as-a-service vendors, IT providers, software dependencies, physical equipment suppliers, and other upstream businesses. What if one of the businesses your organisation depends on was breached by an attacker? Would they be able to exploit your dependency on that business to gain a further foothold into your organisation? This kind of threat is known as a supply chain attack, and its indirect nature makes it a risk that standard audits and security services often miss. Typically, an organisation is no more secure than its dependencies are - yet organisations also lack the ability to directly remediate security issues that third-party organisations may have.

One of the services Shellhex offers aims to mitigate this particularly challenging security risk. Our Supply Chain Security offering is geared towards helping your organisation determine:

  • What third parties and dependencies does your organisation have?
  • How much real risk of breach do these third parties face?
  • How can your organisation develop the ability to protect itself from an attacker acting through a third party?
  • Are there more secure alternatives to the most at-risk third parties you depend on?

Supply Chain Threat Types

Supply chain attacks take many forms. Some target software vendors and distribute malicious updates to customers. Others target managed service providers, cloud platforms, contractors, consultants, or suppliers with privileged access to systems and information. Attackers often target third parties because they are easier to compromise than the organisations they ultimately wish to attack. In other cases, attackers target suppliers precisely because they provide access to many downstream organisations at once. Compromised suppliers may even become commodities in criminal markets, with access sold to other attackers who then target their customers.

Regardless of the target or motivation, the requirements are similar for downstream organisations seeking security from possible vendor breaches. Effective remediation requires a supply chain audit and targeted hardening strategy. Our approach to supply chain security focuses on understanding both the dependencies your organisation has and the pathways through which those dependencies could be abused by an attacker. We draw on our knowledge of real-world supply chain attacks to identify and target the highest-risk supply chain attack pathways.

Examples of Supply Chain Risks

Supply chain attacks can emerge from many different sources. Examples include:

Pick your scenario:

A managed service provider is compromised by an attacker. Because the provider possesses remote administrative access to your systems, the attacker is able to leverage that access to compromise your organisation without directly breaching your defences.

What You Receive

Our Supply Chain Security service is designed to provide organisations with a clearer understanding of the indirect risks they face through third parties and external dependencies.

Typical deliverables include:

  • Identification and categorisation of key suppliers, vendors, and dependencies.
  • Analysis of dependency criticality and access levels.
  • Assessment of likely supply chain attack pathways.
  • Identification of dependencies that may warrant additional scrutiny or monitoring.
  • Recommendations for reducing exposure to supply chain threats.
  • A written report summarising findings and priorities.
  • An optional follow-up meeting to discuss the results.

Our goal is not to eliminate dependence on third parties, which is rarely practical, but rather to help organisations understand where their greatest external risks originate and how those risks can be managed. Remediation recommendations may include technical controls, vendor management processes, contractual requirements, monitoring strategies, contingency planning, or migration away from particularly high-risk dependencies.

Pricing

Our pricing of a Supply Chain Security service depends on the complexity of the assessment. We offer two tiers.

Supply Chain Security Review

Price: £1,800 exclusive of VAT

Our Supply Chain Security Review tier is aimed at smaller companies with simple vendor ecosystems. It includes one workshop where we will meet with your company to discuss your supply chain, as well as a dependency mapping questionnaire your organisation can fill out for us. Based on this information, we will offer a report with remediation recommendations, as well as an optional follow-up meeting to discuss recommendations.

Comprehensive Supply Chain Assessment

Price: From £4,000 exclusive of VAT

For medium-sized and larger organisations with complex vendor ecosystems, high security requirements, or regulatory obligations, we offer a Comprehensive Supply Chain Assessment. These engagements include multiple workshops, detailed vendor and dependency analysis, assessment of trust relationships and attack pathways, prioritisation of critical supply chain risks, and a more extensive report containing strategic recommendations for improving supply chain resilience. We also provide a consultation meeting with leadership to discuss findings and mitigation strategies.