H.I.G Capital Achieves Unprecedented Software Supply Chain Visibility with NetRise Platform

Executive Summary:

Software supply chain visibility and security are becoming increasingly critical for enterprise risk management programs. Maintaining a software inventory of traditional IT assets (laptops, desktops, servers) is relatively straightforward. Embedded systems such as networking and IoT devices, however, are often black boxes: device owners have virtually no visibility into the underlying software components. H.I.G. Capital leverages the NetRise Platform to gain critical visibility into these devices, giving it a comprehensive view of the complex software supply chain across the entire enterprise.

Client Overview:

H.I.G. Capital is a leading global private equity and alternative assets investment firm with over $45 billion of equity capital under management. Since its founding in 1993, H.I.G. has developed a strong reputation for successfully investing in and growing companies across a wide range of industries and geographies. The firm’s investment strategies include private equity, growth equity, real estate, debt/credit, lending, and bio-healthcare. With a presence in North America, Europe, and Latin America, H.I.G. Capital brings deep industry expertise, operational experience, and a flexible capital approach to help businesses achieve their full potential.

Challenges:

  • Embedded devices such as telecommunications infrastructure, IoT, and building automation systems contain numerous software components that enterprises have no visibility into.
  • The lack of visibility into the software supply chain of these devices leaves enterprises unable to answer questions such as “Where does this software component exist?” or “Where am I affected by this vulnerability?” when a vulnerability is announced in a widely used component such as OpenSSL or Log4j.
  • These embedded devices often carry risks that are not tied to any CVE, such as default credentials and misconfigurations, which enterprises have limited means to identify and address.

Solution and Implementation:

  • H.I.G. Capital security teams leveraged the NetRise Platform to automatically analyze the firmware of embedded devices in scope (telecommunications infrastructure, IoT, building automation systems, etc.) and gain critical visibility into their complex software supply chains.
  • Using pre-existing asset inventory solutions, security teams identified the make, model, and firmware version of each device in scope and acquired the corresponding firmware images through vendor support portals. Each image was uploaded to the NetRise Platform and analyzed automatically, producing results in minutes per device.
  • The NetRise Platform serves as a centralized repository for the firmware in use throughout the H.I.G. Capital network, maintaining a software bill of materials (SBOM) for each device along with other critical security information such as device credentials, cryptographic material, and misconfigurations.

Results:

  • H.I.G. Capital uploaded firmware from over 50 different devices across more than 20 unique device vendors, gaining critical visibility into the underlying software supply chain of those devices.
  • On average, more than 800 previously unidentified (N-day) vulnerabilities were found, including an average of over 7 vulnerabilities per device that have known exploits and an external/network attack vector. Mitigating controls were put in place for these higher-profile vulnerabilities to drastically reduce the risk of compromise through vulnerabilities the organization had not previously known about.
  • H.I.G. Capital now maintains an SBOM for all devices in scope, which makes it possible, for the first time, to identify which devices carry an affected software component when a new vulnerability is announced (e.g., CVE-2023-0286 in OpenSSL).
  • Based on the findings made during the implementation of the NetRise Platform, H.I.G. Capital developed and implemented new policies and procedures for firmware updating and ongoing management, so that this analysis informs the decision-making process whenever devices are updated.
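The lookup described in the Results above, as an added illustration that is not part of the original case study and not NetRise's code: with one CycloneDX-style SBOM per device on hand, a new OpenSSL advisory becomes a query over the inventory rather than a guess. The SBOM records and device names are constructed; the fixed versions for CVE-2023-0286 (1.0.2zg, 1.1.1t, 3.0.8) are taken from the upstream OpenSSL advisory and should be confirmed against it.

```python
import re

# Constructed sample inventory: a minimal CycloneDX-style SBOM per device,
# as a firmware analysis platform would produce for each uploaded image.
SBOMS = [
    {"metadata": {"component": {"type": "device", "name": "ip-camera-fw-2.4.1"}},
     "components": [{"type": "library", "name": "openssl", "version": "1.1.1k"},
                    {"type": "library", "name": "busybox", "version": "1.31.1"}]},
    {"metadata": {"component": {"type": "device", "name": "branch-router-fw-15.2"}},
     "components": [{"type": "library", "name": "openssl", "version": "3.0.8"}]},
    {"metadata": {"component": {"type": "device", "name": "hvac-controller-fw-7.0"}},
     "components": [{"type": "library", "name": "OpenSSL", "version": "1.0.2zf"}]},
    {"metadata": {"component": {"type": "device", "name": "badge-reader-fw-1.9"}},
     "components": [{"type": "library", "name": "mbedtls", "version": "2.28.0"}]},
]

# First fixed release on each maintained branch for CVE-2023-0286 (assumed
# from the upstream advisory; any earlier version on the branch is affected).
CVE_2023_0286_FIXED = {"1.0.2": "1.0.2zg", "1.1.1": "1.1.1t", "3.0": "3.0.8"}


def parse_openssl_version(version):
    """Turn '1.1.1k' or '3.0.7' into a tuple that orders correctly.

    Letter suffixes run a..z then za..zz, so (len, suffix) sorts them.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), (len(suffix), suffix))


def openssl_branch(version):
    """1.x releases are keyed by three numbers (1.1.1), 3.x by two (3.0)."""
    major, minor, patch, _ = parse_openssl_version(version)
    return f"{major}.{minor}.{patch}" if major == 1 else f"{major}.{minor}"


def is_affected(version, fixed_by_branch=CVE_2023_0286_FIXED):
    """True if the version sits on a listed branch below its first fixed release."""
    branch = openssl_branch(version)
    if branch not in fixed_by_branch:
        return False  # branch not covered by the advisory
    return parse_openssl_version(version) < parse_openssl_version(fixed_by_branch[branch])


def find_affected_devices(sboms, component="openssl", fixed_by_branch=CVE_2023_0286_FIXED):
    """Answer 'where am I affected?' across the SBOM inventory."""
    hits = []
    for sbom in sboms:
        device = sbom["metadata"]["component"]["name"]
        for comp in sbom["components"]:
            if comp["name"].lower() == component and is_affected(comp["version"], fixed_by_branch):
                hits.append((device, comp["version"]))
    return hits
```

Running `find_affected_devices(SBOMS)` flags the camera (1.1.1k) and the HVAC controller (1.0.2zf) while passing the router on 3.0.8 and the device without OpenSSL at all.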

Testimonial:

"NetRise has given us unprecedented visibility into software security risks. As a CISO in higher education with limited resources, NetRise's platform allows us to identify and mitigate risks that other organizations don't even know exist. It's eye-opening to see the stark difference between publicly reported vulnerabilities and what NetRise actually uncovers in software. This tool is driving the future of software development practices and security."

Conclusion:

The software supply chain is growing more complex by the day, and enterprise security teams lack the technical means to identify and manage the associated risks in embedded systems. The NetRise Platform has proven to be a low-friction, easily implemented solution that gives enterprises critical visibility into the software supply chain and the vulnerabilities present in these embedded systems. Combining the NetRise Platform with data-driven policies and procedures for embedded device updating and ongoing management leads to a drastically improved security posture across the enterprise.

NetRise is an automated, cloud-based platform that provides comprehensive insight into the many risks present in firmware and software components.