Unlock the Intel podcast to hear cybersecurity experts discuss the importance of supply chain security and solution acquisition strategies for safeguarding IT environments. Discover how your Federal Government agency can mitigate risk for end users while maintaining compliant and efficient operations.
Anthony Jimenez
Today’s episode, in partnership with Intel, dives into the critical topic of supply chain integrity. Our guests today are Lisa Cangro and Matt Horany. Lisa is a Director for Trust and Security Software Go-To-Market Solutions and Sales and Matt is a Director for Technical Sales. Their conversation highlights the vital role of supply chain security in strengthening your agency’s overall security posture. You'll learn how safeguarding your IT environment can lay the groundwork for robust endpoint protection and resilient infrastructure. Let’s get started.
Lisa Cangro
My name is Lisa Cangro. I'm a member of the Intel Trust and Security ecosystem sales and go-to-market team, and I'll be moderating today's webinar. Our guest speaker is Matt Horany, a seasoned technology leader with 22 years of experience in cybersecurity, having defined security architecture and software battery Williams, like Samsung and BlackBerry. We appreciate and thank you all for taking your valuable time with us this afternoon. Let me go through the agenda quickly. First, we'll talk about Intel's role in security, how we think about it, and why it's so important to us. Then we'll cover the acceleration of counterfeit and gray markets and the threat it continues to present. We will provide an overview of the new federal regulations and why complying matters. And then finally, we'll look at relevant use cases. So, with that, to start us off, Matt, I'll ask you a quick question: what is the importance of Intel supply chain cybersecurity?
Matt Horany
What is the importance of Intel to supply chain cybersecurity? Well, some of you may or may not know that Intel was actually recently rated the most cyber-secure company in the world, not by one but two third-party agencies. These very credible organizations rate thousands of companies based on a stringent set of security criteria. Intel has helped to create many industry standards over the years and actively works on several independent security research projects. Because of Intel's collaboration with multiple OEMs who integrate Intel's designs into their products, we have a wealth of knowledge and experience on the manufacturing process and supply chain process, as well as components, and for this reason, we are focused on supply chain integrity with our trust and security software portfolio. Security starts with Intel. So why? Why do we say that? Well, because a machine can only be trusted if its hardware is secure. Security is foundational to Intel's business overall, and part of its DNA as a company. As you know, the brain of a device is the CPU, or in this case, Intel's chip. We are not only implementing security at the time of manufacturing and embedding it into our hardware designs, but we also bring software now, in the form of software security and in the form of software products that leverage those hardware security technologies, being able to provide you better insights and giving you the confidence that you can trust the systems that house and compute your most sensitive data assets. So, if you look at the way the market has changed over the last few decades, there has been a significant rise in counterfeit parts, and the gray market has grown to over $60 billion annually. A large majority of these counterfeit and gray market parts are microprocessors. These are devices that may look and feel and even, to some degree, operate as a normal processor or as a normal component.
However, they can be compromised from a security standpoint, allowing an attacker to take control of a system or spy on your systems, and this is below the operating system, which makes it very, very difficult to detect. It's not only really about security, but it could also be about performance. Counterfeit devices may not perform like a genuine device, and so it's not only about security, but it's also about the performance of those systems when it comes to keeping services up and running and not experiencing downtime and, of course, loss of revenue, etc., and the fallout from that. The numbers that you're seeing here really speak for themselves, but the most concerning statistic is probably the one on the very right, which is that one in 10 IT products sold worldwide are likely to contain counterfeit parts or be counterfeit themselves. Below the numbers you see here are actual examples of counterfeit parts being sold into either regulated industries or even into the federal government and even into military operations. And so, this is a real threat. It does happen. It is happening, and it is something that we're very concerned about.
Lisa Cangro
Yeah, so, Matt, why should federal agencies be concerned about supply chain cybersecurity?
Matt Horany
Yeah, it's a great question. So, there's a number of reasons you should be concerned. Probably two of the most important ones: cybersecurity threats have increased more than 50% year over year, and the sophistication and persistence and innovation of hackers, nation states, bad actors continue to really defy logic. These mounting threats require federal agencies to be hyper-vigilant; securing systems and data to prevent theft, mission delays, adequate support, ransomware or just wreaking general havoc across your network should be top of mind. These breaches, again, are hard to detect. Many of them are at a very low level in the technology stack, and they can go undetected for long periods of time, causing significant damage, and as a result, it could be very expensive to remediate those damages. Secondly, there is increasing federal regulation, as I'm sure many of you are aware, that has specifically focused on supply chain cybersecurity. Most of this is outlined in NIST publication 800-161, which talks about a cyber-secure supply chain risk management system, and we'll talk more about that throughout the presentation. So, because of the things I mentioned, the federal government has required agencies and industries to start adopting certain processes and measures to implement supply chain cybersecurity in order to mitigate the risk that's posed and detect counterfeit parts, or help detect counterfeit parts and help mitigate the risk. Included on this slide are some of the top regulatory requirements that have been issued by the federal government, requiring cybersecurity risk management to be implemented in the supply chain. In each of these regulatory documents referenced is an edict for transparency, visibility and traceability, to assist in proving that a system can be trusted, and that's what we'll talk about directly related to Intel Transparent Supply Chain.
And I'd like to point out specifically some recent regulation or recent guidance published by the DoD in 4140.67, which is a counterfeit prevention policy. And this regulation or guidance really talks specifically about the detection of counterfeit parts in military systems. So, what is needed? Really, well, it's a lot of what I just mentioned in that last couple of sentences. It's visibility, it's traceability, it's transparency. So, governments, regulated industries and even enterprise customers need to have visibility into their fleet beneath the operating system. They need to be able to trace and verify the provenance of systems and improve the overall security, and most importantly, they either need to, or they will need to, comply with growing regulations around supply chain cybersecurity. This is not something that's going to taper off. It's probably going to become more stringent as time goes on. Intel Transparent Supply Chain, again, helps really enable these capabilities that I mentioned earlier. It is a software product from Intel that can be purchased to assist in compliance with supply chain cybersecurity. We provide detailed information about a system. We collect many, many different identifiers about the components in that system, and we generate what's called a platform certificate, which follows the Trusted Computing Group standard, which really is the sort of de facto standard in the industry for providing cryptographic certificates, as well as interacting with the hardware root of trust of the system, which is what we use to generate that certificate. So, it is based on the hardware root of trust, or the Trusted Platform Module. We then provide a mechanism to attest the device and allow you to verify that the configuration can be trusted.
So by collecting that information and generating the certificate based on the hardware root of trust, we make it very difficult to fake the makeup of the system as a result, and then we give you ways to manage this throughout the life cycle and deploy it across your entire fleet.
Lisa Cangro
So Matt, how does Intel help comply with the federal regulations?
Matt Horany
Recently, there have been some updates to federal regulation around DFARS specifically, which is, you know, the requirements that contractors have to really adhere to to be able to be awarded new contracts from the federal government. Recently, DFARS has updated the cybersecurity risk management regulations that are outlined in NIST 800-161, that I referenced earlier, and is now requiring contractors to meet these specific guidelines, and what we're going to show you is how Intel Transparent Supply Chain specifically aids in fulfilling those requirements. What's important to note is that defense contractors really need to think about how they're going to meet these requirements if they want to be awarded new contracts, as I mentioned. So what you're seeing here is a sort of process flow for a cyber-secure supply chain risk management system, or C-SCRM, which is sort of becoming this common phrase within the industry. We not only provide a way to attest and help verify the integrity of a system, but Intel's Transparent Supply Chain uses a validated process that complies with the characteristics of a cyber-secure supply chain risk management system, as set out in NIST 800-161, and what you're actually seeing here is Special Publication 1800-34B, which specifically outlines the usage of Intel's Transparent Supply Chain tools to satisfy these requirements. What this means is that Intel's Transparent Supply Chain helps to meet or exceed these requirements and control mechanisms that have been set forth by NIST, and it provides a real-world implementation of these tools, which were jointly developed by NIST and Intel to again address the requirements that are set forth. So, Intel Transparent Supply Chain, again, is really the first step in safeguarding the products we deliver to our partners and customers. We prioritize the detection of counterfeit components, which helps ensure that all devices are built on a foundation of authenticity and reliability.
These tamper detection capabilities allow us to help identify any compromised components or changes in the system throughout the device's life cycle; I should say, unauthorized changes. We also offer bulk verification and auto-verification support with our product, which helps to streamline the validation process. This solution allows for component-level tracing from the manufacturer to a product's final assembly, and we also cover many critical aspects of the system, aside from the components, such as the BIOS and the Trusted Platform Module. So, in short, this is really a proactive approach that allows you to address the challenges before they begin to impact your business or mission outcomes. Essentially, the Intel Transparent Supply Chain tools and software that we have can be deployed to any system that's running Windows or Linux, and again, we collect a host of information about that system, with the components inside the system. And we take that system information and we generate, based on the hardware root of trust, or the Trusted Platform Module, a platform certificate that is tied to that machine, which allows you to attest against that certificate whether that machine has been modified or changed under the hood. When we actually show you the delta or changes or makeup of the system, we verify the system integrity. And then, if there are in fact differences or changes in the system configuration, we show that. And what you'll see on this next slide is just a little bit bigger picture of that, so you can kind of understand all the different types of things that the software looks at. And this is not an exhaustive list by any means. The BIOS version has changed on the system, and that may not sound like anything too critical, but it certainly could be if the BIOS was upgraded and that version is known to have gained a specific security vulnerability that has yet to be patched.
You know, your IT department has not approved that specific version, or it was even downgraded to introduce previously patched vulnerabilities that could be exploited on the system.
Lisa Cangro
Can you take us through a couple of practical use cases for transparent supply chain?
Matt Horany
Absolutely. So we've seen a few practical deployments of this. I'd like to kind of take you through a couple of scenarios. So, the first one we'll talk about is really what we refer to as a traveling employee or traveling agent. So let's consider for a moment that a high-ranking agent recently traveled for business, or is going to travel for business, and they may travel through a country with an elevated cybersecurity threat risk, and they happen to be carrying a system with them that contains sensitive data or classified data, whatever it might be. Now, there's a few challenges here right off the bat. One is having a lack of transparency below the OS to the component information on systems. In general, it's typically a hard thing to capture and view and keep track of. When you're talking about device management systems, there's several opportunities for potential tampering of the device, either while this person is traveling or while they're wearing it, you know, in a hotel or in a bag, or wherever it might be. So, it creates an increased attack surface with regards to, you know, their location, and the changing of that location. There's geopolitical tensions, you know, there's espionage, there's even insider threats, right, to compromising security. So, there's a number of things going on here where the system could be compromised. So, before the agent actually takes their trip, due to the nature of the information that they may be carrying with them, the IT department took a system snapshot of that system using Intel's Transparent Supply Chain tools, and additional snapshots. So, when we say snapshots, we mean sort of a view of the current configuration of the machine.
Additional snapshots can be taken while that person is in transit, and even again when they return, and the laptop's BIOS, in this case, is found to have been altered. As I mentioned before, tying it back to that screenshot, that could be a significant security risk, especially if older BIOS versions could have contained several security vulnerabilities that haven't been patched yet. And so, due to their compliance policies and Intel's Transparent Supply Chain, they're able to flag this device, either upon return or during the trip, ensure that it's disconnected and not allowed to connect to any network, company or agency network, until further review has been done on the system, or they're able to remediate the upgrade/downgrade, whatever the challenge may be that's identified in the product. So, because of that, you get a lot of benefits out of this, which is you're able to detect unwanted system changes, again, sort of on demand. Through integration of these tools with various device management systems, you're able to verify that platform certificate validity, so ensuring that, you know, something hasn't changed under the hood from a hardware or TPM standpoint. You're able to monitor firmware versions below the OS, with the BIOS specifically. You're able to compare pre- and post-travel snapshots and enable a way to attest the system again and verify and detect tampering. So, there's a lot of benefits to being able to have, again, visibility and traceability at the component level under the OS with Intel Transparent Supply Chain.
So there's another scenario I'd like to take you through, and this one actually is deployed by one of the world's largest blind... one of the world's largest banks, apologies there, where they receive all of their devices in a centralized location for their internal IT operations. And so as they receive all these devices in, obviously, they're going to, you know, load their enterprise golden configuration on these systems, with all of their different software and tools that they have for their standard enterprise configuration for these laptops or desktops. During this process, they actually use Intel Transparent Supply Chain as part of that software load process, and what they want to do is be able to strengthen the resistance of the device to tampering and verify the machine integrity state by testing the device and reduce their risk of exposure to vulnerabilities that may exist below the OS. And so, they get with Intel Transparent Supply Chain the ability to really, you know, again, have visibility to the actual hardware and see what their risk exposure might be. In this scenario, Transparent Supply Chain tools are used to create a trusted system state. So, once they load all of that software, they're again taking a snapshot of the system with Intel Transparent Supply Chain, and then they ship the system to the end user, or the employee. Once that employee gets that system, they unbox it. When they connect to a network, the enterprise device management tools actually launch Transparent Supply Chain tools in the background, and it takes another scan of that system to understand: has anything changed from the time it was shipped from the IT department until the time it got into the user's hands? And it shows that and reports that back to their compliance policy engine so that they can take action if something's been modified or changed underneath the hood.
Again, they can limit the ability of the device to connect to a network, or they can have the employee bring it into an IT help desk station, whatever the case may be. So again, the challenges here are very similar. They have limited visibility without Intel Transparent Supply Chain to below-the-OS components and associated BIOS versions, those types of things. Really a lot of challenges enforcing configuration updates for foundational components, and how do they report on that and check on it, and difficulty detecting which systems may need patching for, you know, some of those lower-level components. So, the solution here with Intel Transparent Supply Chain really, again, verifies the machine state for them, gives them a way to update the machine state and store new configuration images as they update their IT configuration along the life cycle of the device. They can detect system changes for the hardware, BIOS versions, microcode and even the TPM memory banks and indices stored within the TPM, which house a lot of different types of software that's responsible for booting the system. So, this helps them reduce IT help desk calls, reduce, again, their overall risk exposure, which was the ultimate goal of deploying this solution, ensuring IT compliance across their entire fleet, not just at the software level, but again, all the way down through the component level. So, a lot of good benefits here by using Intel Transparent Supply Chain.
Lisa Cangro
So, can you describe in a bit of detail how Transparent Supply Chain can be deployed to someone's existing device fleet?
Matt Horany
Sure, yeah. Transparent Supply Chain tools can integrate pretty easily with existing device management tools and help provide data and insights that can be leveraged across your organization's security compliance policies. So, integration can be done really with some simple scripting to automate the deployment, the scanning and the retrieval of system information that's captured by Intel's Transparent Supply Chain. This is really just an example of the process flow at a very, very high level, obviously, of how Intel Transparent Supply Chain tools can be leveraged with something such as, say, Microsoft Intune, for instance. So, the tool can be deployed out to all the devices fairly easily. Snapshots can be taken of all the systems, and as those snapshots are taken and the tool scans the system on a regular basis, that information can actually be harvested by Microsoft Intune and fed up into a compliance policy that can then take action. So, if you want to report on, you know, has the memory changed, for instance, and, you know, a true/false comes back, the policy engine within Microsoft Intune can actually help you take action on that. Again, it could be locking the person's device. It could be preventing them from connecting to a network, or whatever the remediation tactic might be.
Lisa Cangro
That's great. Matt, thank you. Do you have any final thoughts you'd like to share with the audience?
Matt Horany
I think we covered a lot. Again, you know, I just want to reiterate that the reason we're focused on this is we have a lot of experience in this space with multiple partners and OEMs, and our long history of building hardware, building systems. We understand very well the risks that can happen from a supply chain standpoint, and that's why we're in this business of trust and security software. So, thank you very much for your time and attention to the content.
Anthony Jimenez
Thanks for listening, and thank you to our guests, Lisa Cangro and Matt Horany. Don't forget to like, comment and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Intel can assist your organization, please visit www.carahsoft.com or email us at IntelCorp@carahsoft.com. Thanks again for listening and have a great day.