Coalition at the White House: Understanding our involvement with the NIST
Recently, Coalition had the honor of being one of the few insurance providers, alongside several leaders from the technology industry, to attend a White House meeting convened by President Biden on cybersecurity policy. Coalition understands the delicate balancing act organizations face operating in a highly connected world: no technology is entirely secure, and cyber risk is an ever-present threat with no regard for industry or organization size.
To that end, we committed to enabling organizations to take control of their cyber risk through free access to our Coalition Control platform. We also committed to participating in the partnership between industry and the National Institute of Standards and Technology (NIST) to bolster the security of the technology supply chain.
In addition to ransomware, supply chain attacks are among the most significant risks we’ve observed over the last year as they enable threat actors to target hundreds of organizations at once. The NIST has a critical role in improving the security of our technology supply chain, a crucial aspect of protecting America’s business interests in the face of a growing wave of cyber attacks. Insurance companies like Coalition can play a unique role in this dialogue. Our scanning technology provides us with a robust data set on the security conditions that lead to financial losses following a cybersecurity incident. As a result, we can offer our policyholders incentives for implementing good cybersecurity controls and preventative measures, thereby helping them proactively address and mitigate their risk.
As our CEO Joshua Motta said, “There is no industry in the world with more data on managing cyber risk and no industry better positioned to incentivize the controls that reduce the likelihood or success of a cyber attack in the first place.”
Who is the NIST, and what is their role in securing the supply chain?
The National Institute of Standards and Technology (NIST) is a government agency tasked with creating standards and advising industry and government on various subjects, including cybersecurity (obviously our favorite). NIST publishes a variety of standards that provide guidance for businesses on operating their systems and networks securely. This includes Special Publications (SP) that deal with topics ranging from enterprise risk management to cloud computing and beyond. More recently, NIST has faced the task of offering guidance for emerging issues in cybersecurity, like supply chain risk management after the Solarwinds and Codecov breaches. These breaches highlighted gaps in the organization's understanding and mitigation of cyber risks in the supply chain. NIST seeks to guide organizations to minimize risk and maximize their operational resilience. NIST recommendations can be high-level and are remarkably effective at guiding security policy and control development. Still, there are opportunities to democratize this information and provide organizations with standards and policies for supply chain risk that are easier to understand and implement. The NIST cybersecurity framework was last updated in April 2018 and was downloaded over 205,000 times, in addition to another 262,000 downloads of the first version — meaning that many organizations evaluate these recommendations. Since then, the cyber landscape has evolved dramatically: ransomware has become a criminal business model while supply chain attacks broaden the number of targets cyber threat actors can compromise with one attack. As a result, Coalition is excited to participate in helping the NIST craft a dynamic set of standards that meet the needs for how technology — including the attacks that compromise it — is used today.
What exactly is supply chain risk?
Supply chain risk is everywhere. Even if you are merely a consumer, you have exposure to this risk. Internet of things (IoT) devices, such as doorbells, thermostats, Wi-Fi routers, even our phones, expose us to supply chain risk due to the complex supply chains required to manufacture these devices. Every vendor that writes software or makes hardware that goes into those devices needs to be 100% secure for the end product to be completely secure. Think about how many devices and different kinds of software you use as consumers every day. It's not hard to imagine the level of exposure businesses face when it comes to supply chain risk.
Supply chain attacks are wide-scale events targeting the underlying software, which might happen to involve email but can also target a wide range of business systems. – Coalition Claims Report
What do businesses need to know to protect their operations?
Understanding your exposure is half the battle, and it begins with quantifying the systems and software that are critical to or expose internal operations and data, including standard business tools like email, hardware products deployed on your network, and common tools like software libraries. Most businesses require inputs like these to function, and NIST covers this in SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
The part of SP 800-171 details asset management and how to implement access controls based on the concept of least privilege and role-based access. Essentially, this recommends organizations only grant users the minimum access required to perform their job duties — something easier said than done. However, there are steps organizations can take. When mitigating supply chain risks, treat applications and IoT devices like users: grant them the minimum access to the other systems and networks necessary to perform their function. Overly permissive access could allow an attacker to compromise one of these IoT devices, then move laterally to other, more valuable targets on your network. This same process can also apply to third-party vendors and software components — only grant the bare minimum access required.
What else can businesses do?
Every business has an attack surface — places where an attacker could gain a foothold or entry to your networks and systems. In addition, every vendor, third-party provider, and software company creates additional attack surfaces in the form of either direct network or system access granted to the hardware or software they provide. This risk can be due to the direct deployment of a device on your network, such as plugging in a new server or providing an interconnection between your system and the third-party, such as an API.
Supply chain attacks are wide-scale events targeting the underlying software, which might happen to involve email but can also target a wide range of business systems. – Coalition Claims Report
Systems and software components that operate directly in the environment provide tacit access to internal networks and systems in a hard-to-quantify manner. Microsegmentation is a robust mitigation strategy and requires that each endpoint be appropriately isolated from all other endpoints. The emerging cybersecurity product market called Secure Access Service Edge (SASE) seeks to make that more manageable and more accessible to the market. Another way we can monitor this risk is by monitoring those third parties' externally-facing network exposures and public code repositories where software libraries are stored and managed.
Monitor your vendors with Coalition Control
Stopping cyber attacks against our supply chain isn’t just a technology problem; it’s a risk management problem. Coalition is ready to share our insurance claims data with the government, private industry, and academia in the hopes of increasing security across all organizations. Additionally, every organization in the United States and Canada can access Coalition Control, our free attack surface monitoring solution that includes the ability for organizations to monitor vendors, partners, and other third parties, thereby keeping an eye on vulnerabilities in outsourced or shared infrastructure. And just as we promised at the White House summit on cybersecurity, we are committed to offering this for free for all organizations. Over time, we anticipate seeing more public frameworks from government institutions around the world and new laws that will require far greater disclosure of cybersecurity incidents. Insurance companies like Coalition have an opportunity to help guide organizations to implementing cybersecurity best practices in real-time. These commitments made by CEO Joshua Motta at the White House meeting, from free access to Coalition Control to partnering with other industry leaders and the NIST, are just the beginning of Coalition’s work to provide security for all.