Into The Wild Blue Yonder
12-4-2024 (Wednesday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Wednesday, December 4, 2024, and I’m just as surprised as you that it’s already December. But here we are.
The Wild Blue Yonder
This week, we’re tracking a story that’s been developing since before the Thanksgiving holiday - back on November 21 - and that is the ransomware attack on supply chain management platform Blue Yonder, used by companies across the world, including Starbucks, Walgreens, AB InBev, and others.
The Wall Street Journal noted the impact included Starbucks employees who couldn’t be paid for the hours they’d actually worked, only for the hours they were scheduled, because the entire back office was down.
By way of background, Blue Yonder was acquired by Panasonic a few years back for more than $7B, and it was announced in 2022 that Panasonic intended to spin it back out as a public company, though that hasn’t happened - and this incident certainly won’t help.
The firm has now admitted that it’s ransomware, but this latest update comes after a long period of silence from November 24 to December 1. In the absence of updates from the company, many have been speculating, based on dark web posts and other data points, that the attacker got into Blue Yonder’s Private Cloud at the hypervisor level, deleted the backups, then encrypted all 5 data centers. Yeesh.
So, what can we learn from this - both for ourselves and for our vendors?
First things first - we have very little to go on here (which regular viewers know is another pet peeve of mine - the lack of intelligence sharing about how attackers are executing these attacks), but we do know a few things that would be helpful:
First: Immutable Backups. Set your backups to roll off at a defined interval (work with your legal and privacy team to meet data retention requirements), then don’t allow deletion before that interval has passed. In fact, the UK’s NCSC has recently published some very good guidance on ransomware-resistant backup solutions - it’s linked below and I suggest you check it out.
Second: Prevent Hypervisor Compromise. For things that are this critical, it’s worth ensuring you’ve got layers of defense that give you a fighting chance - things like MFA, using bastion hosts to access these administrative consoles, and using a Privileged Access Management (PAM) solution. All with logging, monitoring, and alerting - of course.
Third: Network Segmentation. Like everything, this one has a balance between friction and risk reduction, as the more segmentation you create, the more you need to manage. But it also can really help keep something like this from taking everything down, and serve to keep the blast radius “manageable.”
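As an added example (not from the newsletter), here is a small policy check for the first recommendation: a backup store should be versioned, locked so that no credential can delete or shorten retention early, and set to roll off after a defined window. The sample policies are constructed, and their shape (lock mode, retention days) is modelled on an object-lock style configuration as an assumption; the newsletter names no specific product.

```python
from datetime import date

# Constructed sample policies (assumed shape, not from any real vendor API).
# Each entry is what an operator might pull from a backup bucket's settings.
SAMPLE_POLICIES = {
    "good":       {"versioning": "Enabled",   "lock_mode": "COMPLIANCE", "retention_days": 35},
    "bypassable": {"versioning": "Enabled",   "lock_mode": "GOVERNANCE", "retention_days": 35},
    "too_short":  {"versioning": "Enabled",   "lock_mode": "COMPLIANCE", "retention_days": 3},
    "unlocked":   {"versioning": "Suspended", "lock_mode": None,         "retention_days": 0},
}


def check_policy(policy, min_days=30):
    """Return a list of findings; an empty list means the backup store
    matches the 'roll off on a schedule, never delete early' rule."""
    findings = []
    if policy.get("versioning") != "Enabled":
        findings.append("versioning disabled: an overwrite destroys the prior backup")
    mode = policy.get("lock_mode")
    if mode is None:
        findings.append("no retention lock: any credential that can write can also delete")
    elif mode != "COMPLIANCE":
        # A governance-style lock can be lifted by privileged users, which is
        # exactly the access an attacker at the hypervisor/admin level holds.
        findings.append(f"lock mode {mode}: privileged users can still lift retention early")
    days = policy.get("retention_days", 0)
    if days < min_days:
        findings.append(f"retention {days}d below required {min_days}d")
    return findings


def sweep(backups, today):
    """Apply the roll-off rule to {name: retain_until}. Returns two sorted
    lists: names whose window has passed (eligible for roll-off) and names
    still locked, which a deletion request must be refused for."""
    expired = sorted(n for n, until in backups.items() if today >= until)
    locked = sorted(n for n, until in backups.items() if today < until)
    return expired, locked


if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(name, check_policy(policy) or "OK")
    print(sweep({"db-2024-10-20": date(2024, 11, 24),
                 "db-2024-11-30": date(2025, 1, 4)}, date(2024, 12, 4)))
```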
So, if you’ve got these Top 3 checked off for your own environment, what do we make of the “digital supply chain” elements - third party risk management - where our vendors might not be quite as diligent as we’d like (or even as they say they are, in the case of Blue Yonder)?
The basics of this answer are not a technical question, but rather a business one: which vendors are critical, and in what ways? How long can you afford to be without their services? What is your contingency plan if they are not available?
In the case of Blue Yonder, we’re going on the better part of two weeks, which means we’ve got concerns about perishable inventory, pay periods, and other mechanics that we need to ensure are functional for our business.
While you can spend a tremendous amount of energy building a TPRM program, setting standards, and conducting audits, a more tangible step is to build contingency plans for your own business and add contractual clauses to make you whole in the event of an outage such as this.
Beyond that, it’s likely more work than it’s worth and you’ve got a shop of your own to mind. Axios noted today that attackers are shifting from data breaches to total destruction - and perhaps Blue Yonder is just on the leading edge of this shift.
Fundraising
From a fundraising perspective, given the holiday week here in the US, it’s not surprising to see a pretty low total of newly committed capital, coming in at just $1.5B, a low week for Q4 and maybe for the year.
That said, we’re continuing to see deal flow in the private market, and watching the ServiceTitan IPO as a bellwether heading into 2025.
With that, a reminder that you can find links to all the articles we covered below, and back issues of these videos and the written transcripts at intentionalcyber.com. We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.cnn.com/2024/11/24/business/ransomware-attack-blue-yonder/index.html