Could A Zero Trust Policy with Vendors Have Prevented Sunburst’s Impact?
Tune into our follow-up discussion on the SolarWinds supply chain attack. (Watch part one here.) In this episode, our cybersecurity consultants discuss, debate and decode the information that has come out since our original response video to the FireEye breach. We introduce the idea of a company-wide zero trust policy for vendors and software, and explain how to use organizational threat models to determine your current security risks. Our consultants also weigh the risks and benefits of disclosing what gets patched, and whether cybercriminals can use such disclosures as a checklist for future attacks.
Inside the Podcast:
- How zero trust policies help you protect against vendor supply chain attacks
- What organizational threat modeling is, and how it differs from a standard threat model framework
- Why supply chain software is highly attractive to cyber criminals
- Supply chain threat actors and patterns
- How to build defensive measures around attack patterns that reflect real criminal cyber trends
- Our debate on the benefits and risks of publishing mitigation techniques that attackers could later use as a checklist
SolarWinds & Using Organizational Threat Models Against Supply Chain Attacks
VerSprite's approach to threat modeling is risk-based and backed by evidence. VerSprite's security experts correlate real threats to the attack surface of your application components, and identify risk by first understanding what the software or application is intended to do for the business or its clients. We also conduct exploitation tests that support the threat motives in the model, to validate whether those threats are probable rather than merely possible. Correlating viability with sustained impact is what makes this methodology a highly effective risk-focused threat modeling approach. Learn how we can tailor our threat modeling approach to fit your organization's overall security needs.
VerSprite uses its PASTA (Process for Attack Simulation and Threat Analysis) methodology to apply a risk-based approach to threat modeling. The methodology integrates business impact, inherent application risk, trust boundaries among application components, correlated threats, and the attack patterns that exploit the weaknesses identified during the threat modeling exercise.