Over the past 20 years, one security threat has consistently kept CISOs up at night: supply chain risk. Because organizations have limited control or governance over their vendors' ecosystems, managing the exposure and risk those vendors introduce is a difficult task, and the consequences of ignoring it are significant.
Increasingly, supply chains are reported as a target for threat actors and a source of system compromise. A secure software supply chain requires meeting the following two objectives:
Over 11,000 malicious packages have been discovered on popular repositories such as npm, PyPI and RubyGems.
Kroll received multiple reports that a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer was being actively exploited to gain access to MOVEit servers. Kroll observed threat actors using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion lifecycles. This vulnerability would also enable a threat actor to move laterally to other areas of the network.
The file transfer application is used by thousands of organizations around the world, making this a significant software supply chain cyber incident. A number of those organizations have suffered a data breach as a result of the vulnerability, with customer and/or employee data being stolen.
Kroll alerted clients to the Log4j vulnerability and proceeded to work with several impacted customers. Our Kroll Responder team also refined telemetry searches to identify potentially impacted instances of Log4j in association with external connections to identify applications and hosts that need the most urgent attention.
Log4Shell was a vulnerability in the logging library Log4j, which was used by millions of computers running online services globally. The software supply chain attack impacted governments, organizations and individuals.
Kroll can help your business identify potential gaps, weaknesses and vulnerabilities in the software supply chain, provide visibility into your third-party dependencies and identify misconfigurations that can lead to supply chain compromise. For clients, we undertake two clear processes in our approach to securing the software supply chain.
The operational review maps the technology stack that supports the applications adopted across the organization against the capabilities in place (i.e., processes, practices and technologies) that allow the organization to obtain and maintain visibility of threats and vulnerabilities. The accompanying report contains a matrix depicting the current state of, and gaps in, the controls and capabilities that prevent, identify and detect software supply chain security issues, together with recommendations for improvement and for closing the identified gaps.
The technical review encompasses a configuration review of platforms used to support development (e.g. source code management, CI/CD) and a point-in-time software review to identify known vulnerable or malicious packages. The accompanying report will contain the detailed findings from the configuration review(s) and dependency scans.
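The point-in-time software review described above amounts to a dependency scan: each pinned package is compared against a list of known-vulnerable version ranges and known-malicious package names. The following is an added example of that check, written for this page and not Kroll's own tooling; the package names (`acme-parser`, `fastlogger`, the typosquats `acme-parsr` and `fastloger`), versions and advisory entries are all constructed for illustration and do not describe real packages.

```python
"""Point-in-time dependency scan of a requirements.txt against a constructed advisory list.

Added example, not Kroll's tooling. All package names, versions and advisory
entries below are constructed for illustration.
"""
import re

# Constructed advisory data (not a real advisory feed).
# Vulnerable entries: normalized package name -> list of (affected version spec, summary).
VULNERABLE = {
    "acme-parser": [(">=1.0,<1.4.2", "constructed: unsafe deserialization, fixed in 1.4.2")],
    "fastlogger": [
        ("<2.17.0", "constructed: remote lookup in log messages"),
        (">=3.0,<3.0.2", "constructed: regression of the same issue"),
    ],
}
# Known-malicious names (typosquats of the packages above). Constructed.
MALICIOUS = {"acme-parsr", "fastloger"}

# Matches exact pins only ("name==1.2.3"); ranges and URLs are deliberately skipped.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize(name):
    """PEP 503 normalization so 'Acme_Parser' and 'acme-parser' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); a non-numeric suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_matches(version, spec):
    """spec is a comma-separated list of clauses like '>=1.0' or '<1.4.2'; all must hold."""
    v = parse_version(version)
    for clause in spec.split(","):
        op, bound = re.match(r"(>=|<=|>|<|==)\s*(.+)", clause.strip()).groups()
        b = parse_version(bound)
        ok = {">=": v >= b, "<=": v <= b, ">": v > b, "<": v < b, "==": v == b}[op]
        if not ok:
            return False
    return True


def parse_requirements(text):
    """Return {normalized name: pinned version}; comments and unpinned lines are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = REQ_LINE.match(line)
        if m:
            deps[normalize(m.group(1))] = m.group(2)
    return deps


def scan(deps):
    """Return a sorted list of (package, version, kind, detail) findings."""
    findings = []
    for name, version in deps.items():
        if name in MALICIOUS:
            findings.append((name, version, "malicious", "name is on the known-malicious list"))
        for spec, summary in VULNERABLE.get(name, []):
            if version_matches(version, spec):
                findings.append((name, version, "vulnerable", f"{summary} (affected: {spec})"))
    return sorted(findings)


# Constructed requirements.txt used as sample input.
SAMPLE_REQUIREMENTS = """\
# constructed manifest for the example
Acme_Parser==1.3.0     # inside the affected range
fastlogger==2.17.0     # first patched release, should not be flagged
fastloger==0.0.1       # typosquat of fastlogger
sometool==0.9.1        # not in either list
"""

if __name__ == "__main__":
    for name, version, kind, detail in scan(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{kind.upper():10} {name}=={version}: {detail}")
```

The scan flags `acme-parser==1.3.0` as vulnerable and `fastloger==0.0.1` as malicious, while the patched `fastlogger==2.17.0` passes. Only exact `==` pins are evaluated; in a real assessment a lockfile with resolved transitive versions is the better input, since an unpinned range cannot be matched against an affected-version spec.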
Our software supply chain security assessments can be delivered as part of Kroll’s ultra-flexible cyber risk retainer, along with a variety of security advisory services such as Virtual CISO (vCISO) Advisory Services, Cybersecurity Due Diligence for M&A and Application Security Services. In addition to bringing solutions together in one flexible package, the retainer allows clients to gain prioritized access to Kroll’s elite digital forensics and incident response team in the event of an incident.
Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.
Kroll’s product security experts scale up your AppSec program with strategic application security services tailored to your team’s culture and needs, merging engineering and security into a nimble unit.
Pre- and post-transaction assessments can uncover costly risks.
AI is a rapidly evolving field and Kroll is focused on advancing the AI security testing approach for large language models (LLM) and, more broadly, AI and ML.
Kroll’s multi-layered approach to cloud security consulting services merges our industry-leading team of AWS and Azure-certified architects, cloud security experts and unrivalled incident expertise.
Kroll’s team of certified cloud pen testers uncover vulnerabilities in your cloud environment and apps before they can be compromised by threat actors.
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Fortify your defenses and maximize your technology investment with a Microsoft 365 security assessment from Kroll.