Interview Selects 1.27.20
Ep 1 | 1.27.20

Michael Sechrist from BAH on preventing supply chain attacks.

Transcript

Dave Bittner: And joining me once again is Michael Sechrist. He's chief technologist at Booz Allen Hamilton, and he also leads their managed threat services intelligence team. Michael, it's always great to have you back. I wanted to touch today on supply chain attacks. You had some information that you wanted to share about preventing those kinds of attacks. What do you have for us?

Michael Sechrist: Sure, yeah. Thanks again for having me on. One of the things that we're seeing is sort of third-party and fourth-party risks being a significant concern for enterprises. There is a growing number within the ecosystem and IT environments of vendors, and vendor management has become a top concern for security professionals. One of the aspects of that - that it falls on - is how do you secure your ecosystem when you're dealing with so many significant parties that have access to potentially critical data, critical assets within your enterprise?

Michael Sechrist: One of the things we're working on with those clients is to work to profile the client's enterprise and identify sort of where are those critical nodes and links for the enterprise with the - with those vendors and providers. And so we do that by doing sort of baseline profiling assessments, sort of risk prioritization and mitigation strategies. And we implement those with the clients in order to build up their program awareness and their visibility into their entire ecosystem.

Dave Bittner: How do you recommend that organizations go about sort of dialing in how far down that chain to go?

Michael Sechrist: It goes pretty far. I don't think just being reliant on a questionnaire or a survey is going to satisfy concerns or kind of the security risks that are present today. It's going to take actual baseline profiling of, you know, which IP addresses potential vendors are using in order to relay or have some sort of communications with your IT environment. It's going to be the exact sort of software that has to be downloaded, the versions that are being used, how software packages get updated. Those types of details are very important today in order to identify anomalous activity.

Dave Bittner: What are your recommendations for people getting started with this, kind of starting that journey of trying to get a handle on what's going on with their supply chain?

Michael Sechrist: Top priority is understanding your critical risks and where your critical data and assets lie. Without knowing that, it's going to be very difficult when you're looking at your vendor ecosystem, so to speak, and identifying which ones or which vendors you want to make sure you have a very strong profiling of. You know, without that sort of internal linkage, you're going to kind of maybe have to boil the ocean, which is going to drain resources and be kind of inefficient over the long term.

Dave Bittner: All right. Well, Michael Sechrist, thanks for joining us.

Michael Sechrist: Thank you very much.