March 3, 2021

Supply Chain Security w/ Omkhar Arasaratnam

by Cyber Ranch

Listen Now

Supply Chain Security w/ Omkhar Arasaratnam

March 3, 2021 Cyber Ranch

00:00:00

Show Notes

Today, host and CISO Allan Alford interviews Omkhar Arasaratnam, a veteran of the cybersecurity industry, on the topic of supply chain security. With a career in security going all the way back to 2004, and with experience working for IBM and several financial institutions before becoming an Engineering Director at Google, Omkhar brings much hard-earned insight to the table! Looking to tap into that insight, Allan poses two questions for Omkhar. First, how would he characterize or define supply chain security and its implications? And second, how would he explain the SolarWinds breach and its fallout? Omkhar centers his thoughts on the SolarWinds situation, a costly breach in which hackers manipulated a code base and used it as a leverage point to gain access to high-worth targets. This attack required precision and focus, and is of the first public breaches; however, Allan and Omkhar imagine that there will be copycat attacks to come, and that the attack is a wake up call for all those with access to client data to step up their supply chain security. Both providers and consumers with a hand in supply chain security have a responsibility to tighten their controls. Supplier checks should be more frequent, software suppliers need to be very buttoned-down in how they control their entire build architecture, and those overseeing supply chain security need to carefully navigate the available vehicles for managing supply chain risk. These vehicles, including questionnaires, right to audit, open source/credit-check style tools, and GRC tools, all have benefits and drawbacks, and no company manages supply chain security perfectly. With a lot of sympathy for SolarWinds, though, Allan and Omkhar think that further work needs to be done in the cybersecurity space to bolster supply chain security measures. Omkar details his own “black box” idea, which he imagines would be a strong component of a more comprehensive security protocol. Allan explains how this comprehensive protocol could function, and while making such a system an international standard is far off, Omkar and Allan agree that there are tools in place for cybersecurity professionals to move toward a better system. There are issues of risk to weigh, myriad solutions to compare, and precursor tasks to address, but it’s time to get a conversation going that will ideally lead to change! Key Takeaways: 1:10 - Allan asks Omkhar to share about his background before jumping into the main topic. 1:53 - Allan has two questions for Omkhar. 5:09 - Consumers and providers have a responsibility to step up their game. 7:41 - The conversation shifts toward the vehicles for managing supply chain risk. 9:05 - What’s Omkhar’s take on the open source/credit score-style check? 11:55 - Allan and Omkhar turn to Omkhar’s black box idea. 17:22 - Omkhar thinks highly of Allan’s comprehensive approach, but there are obstacles. 21:50 - What are these obstacles, and what is the needed precursor work? 26:20 - As the conversation ends, Allan asks about Omkhar’s motivation and passion. Links: Follow Allan Alford on LinkedIn and Twitter Learn more about Hacker Valley Studio and The Cyber Ranch Podcast Learn more about Omkhar Arasaratnam on LinkedIn. Sponsored by our good friends at AttackIQ
Read more

Recent Episodes

September 20, 2023
by Cyber Ranch

Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University.  He also serves as the faculty lead for the cyber policy specializatio...

September 13, 2023
by Cyber Ranch

Warning: Some naughty language in this show, but well placed naughty language! Challenge issued!!!! Allan has teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who ...

September 7, 2023
by Cyber Ranch

Nearly 43% of cyber-attacks are on small businesses. 82% of ransomware attacks were targeted at companies with less than 1000 employees. 61% of SMBs were the target of a Cyberattack in 2021. 37% of companies hit by ransomware had fewer than 100 emplo...

August 30, 2023
by Cyber Ranch

You know you're being watched, right? Imagine for some reason you needed to bury a treasure where nobody would ever find it.  In today's society, how could you even do that?  How can you get from Point A to Point B without being observed or tracked i...

August 23, 2023
by Cyber Ranch

In this LIVE! show at Black Hat, Allan and his friend George Finney (recurring guest, CISO @ SMU, multi-times author and CEO of Well Aware Security) discuss cybersecurity in popular culture.  They talk about the impact on real-world cybersecurity pra...

August 16, 2023
by Cyber Ranch

Did you miss Black Hat this year?  Well you won't miss the great conversations that were had, as Allan captured so many good ones for this special Black Hat retrospective episode.   Did you get to attend Black Hat this year?  See if your experience w...

August 9, 2023
by Cyber Ranch

A brief thank you to our listeners and a request for feedback on the show. We'll catch y'all next week!

August 2, 2023
by Cyber Ranch

The OpenSSF is doing invaulable work for the cybersecurity community.  And their new managing director happens to be Omkhar Arasaratnam, whose appearance on the show a while back created one of our most popular episodes ever!  Omkhar is back to talk ...

July 26, 2023
by Cyber Ranch

Cloud security remediation can be a daunting task that impacts Dev, Sec and Ops teams all.  And it can be a huge, manual, pain in the...  You get the idea.  But there are techniques to navigate it and to overcome many of the common traps and hurdles....

July 19, 2023
by Cyber Ranch

In this episode, Allan and Drew tackle and interesting subject that was suggested by Drew and that Allan posted for the LinkedIn community to gather around: things we believe in cybersecurity that we cannot prove. The LinkedIn conversation was phenom...