
Analyst Eye on scanning the dark web

08/29/2023


Continuing our series of analyst observations on procurement tech market movements, this week we are considering the development of dark web monitoring as a tool in cyber supply chain risk management.

“During a recent product demo,” Meena Ibrahim, Spend Matters Research Analyst, recalls, “a supplier intelligence provider mentioned its partnership with a platform that uses the dark web to uncover supply chain risk.” What made this interesting was that there are vendors that provide supplier data management and risk protection for supplier data, but relatively few of them actively scrape the dark web for sensitive information. This is despite the years of examples for why procurement needs a more proactive cyber supply chain risk management (C-SCRM) strategy.

In 2018, cyber risk warranted a mention by Spend Matters Chief Research Officer Pierre Mitchell as he wrote about how procurement could take a more proactive role in enterprise risk management (the points of which remain pertinent five years later). But it only received a mention and after other variables like natural disasters and trade policy. Even in the 7-part risk series published last year, cyber risk is treated as a smaller category of risk. “However,” Meena notes, “the increase in supply chain breaches in recent years has made many businesses prioritize monitoring cyber supply chain risk management. Still, there are organizations that have not yet implemented programs to manage cyber security and may not know just how at risk they are.”

The latent cyber risks in the software supply chain became readily apparent in 2020 when the software company SolarWinds discovered it had been hacked. The breach extended far beyond SolarWinds itself, however, because the hacking strategy was a supply chain attack. Simply put, the attackers compromised SolarWinds in order to insert malware into its product, which the company then passed on to its customers during a routine update. These customers, which were the real targets, included multinational companies, such as Cisco, and governmental agencies, such as the Department of Homeland Security.

While SolarWinds is an extreme example, the reliance on other parties that comes with software procurement — especially with the increasing emphasis on SaaS. According to a 2021 report by SecureLink and Ponemon Institute, 51% of organizations have experienced a third-party data breach that led to misuse of confidential information. Similarly, Sonatype’s eighth annual report on the State of the Software Supply Chain found that over the last three years, software supply chain hacks have increased by 743% and six out of every seven vulnerabilities are due to transitive dependencies, which occur when a piece of software a company uses in turn relies on another piece of software to function.

“This increase in supply chain breaches in recent years has made many businesses prioritize monitoring cyber supply chain risk management (C-SCRM),” Meena concludes. But even though there are strategies a company can employ to reduce the amount of risk in its software supply chain, one obviously cannot wield absolute control over outside parties. So, something is bound to go wrong.

One important emerging part of C-SCRM is dark web scanning. While the concept of scanning the dark web for information is not new, it has yet to become a common practice in Procurement. “The market for dark web monitoring solutions that target supply chain data is not yet saturated,” Meena says. “That said, if the technology proves its value, I would not be surprised to see more providers appear in the coming years as standalone solutions or partner solutions to supplier risk intelligence and management providers. It is a market segment we will keep an eye on.”

Lab 1 and Searchlight Cyber are two platforms that claim to scan the dark web for stolen supply chain data. They use different means to back up these claims. Lab 1 collects compromised data to create risk insights and ratings; Searchlight Cyber calls itself the “Dark Web Experts” and has a solution called DarkIQ, which identifies cyberattacks before they happen, so organizations can take measures to prevent any threat.

On a more basic level, though, scanning the dark web would help companies bring breaches to light more quickly. In 2019, for example, ImmuniWeb discovered a little over 21 million login credentials stolen from Fortune 500 companies. Simply knowing that the risk is there does a lot towards actually addressing it. One can only assume that dark web scraping technologies will become more relevant in the world of supplier risk and in assessing how well suppliers prevent risk. What will be interesting to follow is who establishes the benchmark for how this new market will work.

But what now?

  • If you want more in-depth coverage of any risk-focused solutions, you can research vendors and consultants serving the procurement and supply chain industry by using Spend Matters’ comprehensive, free directory.
  • If you have found solutions and can’t decide between them, log into TechMatch, where you can directly assess the capabilities of digital procurement solutions, conduct side-by-side comparisons and identify product and service differentiators.