Alice in Supply Chains

Tenchi Security

In 2022, Tenchi Security created the Alice in Supply Chains newsletter to share and highlight stories on third-party and supply chain risks and attacks, their impacts on services and businesses, and how the industry is moving forward to manage these risks. Following the meteoric success of the newsletter, we've created a podcast! Every month, hosts Adrian Sanabria and Alexandre Sieira will discuss the top six stories from each monthly newsletter, and their thoughts on the future of third party cyber risk management.

  1. 2 DAYS AGO

    Bonus Episode with Special guest Alex Pinto | DBIR 2026

    In this special interview episode, Adrian and Alexandre sit down with Alex Pinto, lead author of the Verizon Data Breach Investigations Report, to walk through the 2026 edition before the broader industry has fully digested it. Pinto explains why the 2026 dataset, with 31,850 incidents and 22,624 confirmed breaches contributed by over 100 organizations in 145 countries, is the most statistically rigorous breach corpus in the industry. Tenchi Security is a 2026 contributor, providing the survival-analysis dataset behind the report's new look at third-party MFA and cloud privilege exposures. Alex Sieira walks through what the curves actually mean: half of MFA findings get fixed in seven days, but 45% of cloud privilege management findings are still open a year after discovery.

    The conversation digs into the headline shifts: vulnerability exploitation has now overtaken credential abuse as the most common initial access vector. Third-party involvement in breaches has climbed from 30% last year to 48% this year, and the median time to fully remediate CISA KEV findings slipped from 32 to 43 days.

    What will probably be the most-talked-about new section of the 2026 report: Verizon analyzed an anonymized dataset from Anthropic. The data includes analysis of nearly 800 threat actors, maps their prompt activity to MITRE ATT&CK techniques, and cross-references it against MITRE's software database. The DBIR folks immediately think to ask the data: “are attackers using LLMs for novel techniques, or for things every EDR already catches?”

    The trio close out by debating Sieira's hypothesis that the metric to watch isn't total CVE volume — it's the percentage of vulnerabilities with reliable working exploits, which is the variable AI is most likely to move — and Pinto makes the case that vulnerability management is becoming a crisis-management discipline rather than a dashboard-watching one.

    References:
    - The 2026 Verizon Data Breach Investigations Report (DBIR): https://www.verizon.com/business/resources/reports/dbir/
    - Sieira and Pinto's RSA 2026 talk on how cloud-hyperscaler UX design impacts security outcomes: https://path.rsaconference.com/flow/rsac/us26/FullAgenda/page/catalog/session/1755192044047001WRoa
    - The Vercel Breach: https://cyberscoop.com/vercel-security-breach-third-party-attack-context-ai-lumma-stealer/
    - The British Library breach write-up Adrian cited as a candid post-incident report (their "Learning Lessons" document): https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf

    Tenchi Security has an article out with the biggest insights related to the report, find it here!

    1 hr 8 min
  2. 2 DAYS AGO

    Episode #17 | May, 2026

    Episode #17 of the Alice in Supply Chains podcast, with co-hosts Alex Sieira (CTO & Co-founder, Tenchi Security) and Adrian Sanabria (Principal Researcher, The Defenders Initiative), is now live! This month they dig into what happens when one breach detonates a chain of others, and why "we have a SOC 2 report" is no defense when the vendor underneath you gets popped.

    The featured case is Marquis Software Solutions vs SonicWall, where a 2025 breach of SonicWall's MySonicWall cloud backup service gave attackers everything they needed to break into Marquis, drop ransomware, and exfiltrate data on customers of 74 banks and credit unions. Three layers of lawsuits later (consumers suing the banks, banks pressuring Marquis, Marquis now suing SonicWall), Adrian and Alex use the case to make a point about software liability, the absurdity of "as-is" terms in critical infrastructure, and why bare-minimum vendor diligence and self-attestations will surface during discovery as exhibits against you.

    Story two is the Trivy supply chain compromise, where TeamPCP turned Aqua Security's open-source container scanner into a credential-harvesting beachhead. After an incomplete credential rotation following an earlier incident, the attackers pushed a malicious binary, dropping an infostealer that ran before the legitimate scan and silently swept GitHub tokens, AWS/GCP/Azure credentials, SSH keys, and Kubernetes tokens out of CI/CD runners and developer machines. The blast radius reached Cisco, the European Commission, Checkmarx, Bitwarden's CLI, LiteLLM, Guesty, S&P Global, and seeded the CanisterWorm npm worm.

    Alex walks through the "how not to get Trivied" playbook: pin GitHub Actions to commit SHAs, kill long-lived CI/CD credentials in favor of OIDC and ephemeral tokens, compartmentalize CI from CD (ideally on different platforms), shrink your dependency graph, and demand evidence of SAST/SCA and IR practice from every third party whose code ends up in your pipeline.

    Resources:
    - https://destroyedbybreach.com
    - https://kaynemcgladrey.com/compliance-paperwork-wont-save-you-from-a-vendor-breach/
    - https://www.acaglobal.com/industry-insights/sonicwall-cloud-backup-breached-firewall-configurations-compromised/
    - https://www.tenchisecurity.com/en/insights-news/secure-practices-trivy-supply-chain-attack
    - https://thenewstack.io/teampcp-trivy-supply-chain-attack/

    49 min
  3. APR 23

    Bonus episode with special Guest John Hammond

    In this special bonus episode, Adrian and Alexandre are joined by John Hammond, one of cybersecurity’s most recognizable YouTube creators and Senior Principal Security Researcher at Huntress (a cybersecurity company dedicated to protecting businesses of all sizes against modern-day cybercrime), for a deep dive into software supply chain attacks using the recent Axios NPM compromise as a case study. It's a timely conversation: supply chain incidents have gone from occasional headlines to a near-constant drumbeat, and the Axios case offers an unusually clear window into how these attacks actually work end-to-end.

    - The discussion tackles the viral "stop updating your software" take head-on, with John arguing the real answer is nuance: keep patching Windows and Chrome, but treat CI/CD dependencies very differently. Adrian lays out his case for splitting vulnerability management into two distinct processes: traditional scan-driven work for compliance, and a separate intelligence-driven "VulnOps" function that operates more like incident response.
    - The group also walks through the remarkable social engineering campaign that compromised the Axios maintainer — a patient, weeks-long con involving a fake Slack workspace, rescheduled Teams meetings, and a click-fix payload disguised as an audio troubleshooting step. One striking data point from John: the malicious package detonated 89 seconds after hitting NPM.
    - The back half turns practical, with a concrete checklist for third-party risk teams and internal dev orgs: pin dependency versions, cache artifacts locally (which saved Tenchi during the Trivy incident, when attackers modified previously released binaries), enforce age-based release gates, separate CI from CD, apply least privilege to pipeline credentials, and maintain an asset inventory that can answer "do we have this package?" in seconds.

    John closes with homework for listeners: look up the Clean Source Principle.

    46 min
  4. APR 22

    Episode #16, April 2026

    In this April 2026 episode of Alice in Supply Chains, Adrian and Alexandre cover three stories that weren't on anyone's 2026 bingo card — and all of which land on the TPRM analyst's desk.

    AI in your third parties. Amazon's recent downtime, linked to engineers being mandated to use AI on production systems, raises a question most TPRM programs aren't equipped to answer: do you even know which of your vendors are using AI, which models, and how much agency those models have over customer data? Alexandre walks through AWS's generative and agentic AI scoping matrix — from no-agency to full autonomy — as a useful framework for architectural follow-up conversations. The pair also push back on Anthropic's "Mythos" vulnerability research claims, arguing the economics don't hold up against cheaper models, or against the real bottleneck: remediation, not discovery.

    The FCC's ban on non-US routers. Adrian and Alexandre argue this is a thinly veiled economic measure dressed up as security policy. If this were really about backdoors, the US would mandate minimum security controls (as it does for medical devices and aviation) rather than country-of-origin rules. Netgear's mysterious exemption, the Salt Typhoon breaches that needed no backdoors, and the collapsed consumer labeling program all get airtime.

    Is your third party a military target? Two AWS regions in Bahrain and the UAE were damaged during the Iran conflict, with one data center indefinitely down. Separately, a pro-Iran group compromised Stryker's Intune tenant and issued wipe commands across managed devices — including employees' BYOD phones. The takeaway: centralized management tools (Intune, MDM, patch management, AD) are high-value targets that TPRM questionnaires rarely probe deeply enough, and kinetic ceasefires don't extend to cyberspace.

    Links:
    - https://www.tenchisecurity.com/en/insights-news/cisa-says-harden-intune-heres-what-that-means-for-your-third-party
    - https://aws.amazon.com/pt/ai/security/agentic-ai-scoping-matrix/
    - https://aws.amazon.com/pt/ai/security/generative-ai-scoping-matrix/
    - https://www.defendersinitiative.com/p/from-this-point-on-it-only-gets-rougher
    - https://arstechnica.com/tech-policy/2026/04/fcc-exempts-netgear-from-ban-on-foreign-routers-doesnt-explain-why/
    - https://www.scworld.com/podcast-episode/2673-esw-310-shamim-naqvi-grace-burkard

    56 min
  5. FEB 26

    Episode #14, February 2026

    The Alice in Supply Chains Podcast is back for another episode! On it, Adrian Sanabria and Alexandre Sieira share their expert opinions on the most pressing matters in the TPCRM world, as presented in issue #42 of our newsletter of the same name, also launched today!

    Here are our stories for this episode and their associated links:
    - Cyber Risk at Scale: Safeguarding Portfolio Value in Private Equity
    - Gartner Predicts: TPCRM Evolves for the AI Era
    - Canadian Privacy Commissioners Investigate the PowerSchool Breach
      - https://www.newswire.ca/news-releases/ontario-and-alberta-privacy-commissioners-release-investigation-findings-into-powerschool-breach-affecting-school-boards-and-other-educational-bodies-866592221.html
      - https://www.ipc.on.ca/en/resources/ontarios-privacy-commissioner-releases-investigation-findings-powerschool-breach-affecting-school
      - https://oipc.ab.ca/wp-content/uploads/2025/11/FINAL-Investigation-Report-Regarding-PowerSchool-Breach-FOIP2025-IR-02.pdf

    Also, RSAC is just around the corner! From March 22 to March 25, 2026, Tenchi Security will host the cybersecurity community attending RSA Conference in San Francisco at Harlan Records, which was exclusively reserved for the Tenchi Lounge - a space to unwind, exchange ideas, and build meaningful connections. Need more details? Check here: https://www.tenchisecurity.com/en/tenchi-rsa-lounge-2026

    55 min
  6. FEB 11

    Bonus episode with special guest Tony Martin-Vegue

    In this special interview episode, hosts Adrian Sanabria and Alexandre Sieira sit down with Tony Martin-Vegue, author of the upcoming book Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification. Tony shares his journey from IT and cryptography to becoming a leading voice in cyber risk quantification, including his six years building Netflix's risk quantification program from the ground up.

    Tony Martin-Vegue brings over two decades of experience in IT and information security. With an economics degree that his mentor recognized as ideal for risk management, Tony has built cyber risk quantification programs at several large companies. Most recently, he spent six years at Netflix where he led approximately 3,000 FAIR-based risk assessments. He now runs his own consulting and advisory firm while promoting quantitative approaches to cyber risk.

    Resources Mentioned in the Episode:
    - The website for Tony’s book: https://www.heatmapstohistograms.com/
    - Link to SolarWinds breach: https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach
    - Link to Colonial Pipeline breach: https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack
    - The Scoville Scale: https://en.wikipedia.org/wiki/Scoville_scale
    - How to use Monte Carlo simulations in Excel: https://support.microsoft.com/en-us/office/introduction-to-monte-carlo-simulation-in-excel-64c0ba99-752a-4fa8-bbd3-4450d8db16f1
    - The FAIR Institute: https://www.fairinstitute.org/
    - The FAIR Framework: https://www.fairinstitute.org/blog/integrating-fair-models-a-unified-framework-for-cyber-risk-management
    - How to Lie with Statistics: Information Security Edition: https://www.youtube.com/watch?v=p3jJnl99Lmc
    - Cyentia’s IRIS Retina Report: https://www.cyentia.com/services/iris-risk-retina/
    - Verizon’s 2025 Data Breach Investigations Report: https://www.verizon.com/business/resources/reports/dbir

    47 min
  7. JAN 30

    Episode #13 | January 2026

    Alice in Supply Chains is a monthly podcast, based on the Alice in Supply Chains newsletter, that provides interesting discussions and insights on all things related to third-party cyber risk management (TPCRM). It's hosted by two leading voices in the industry, Tenchi Security's Co-founder and CTO Alexandre Sieira and The Defenders Initiative Principal Researcher Adrian Sanabria, and it promises expert opinions and takeaways to help audiences navigate the complex cybersecurity landscape.

    1. 2026 Outlook
    - AI hits "put up or shut up" time: it needs to prove enterprise value beyond demos
    - Geopolitical fragmentation accelerating, impacting supply chain dependencies
    - China signaling supply chain independence (banning US/Israeli security vendors, declining Nvidia H200s)

    2. Announcements
    - Upcoming episode with Tony Martin-Vegue on cyber risk quantification
    - RSA Conference: Tenchi hosting events at Harlan Records, Sun–Wed, during RSA week

    3. Stories covered

    Story 1: ENISA NIS2 Survey
    Survey of 1,080 professionals across 27 EU countries on cybersecurity investments.
    - Top investment driver: Regulatory compliance (70%), far ahead of proactive risk management (42%)
    - Hardest to implement: Vulnerability management (#1), TPRM (#2)
    - Supplier inventory: Under 10% of companies maintain one; current TPRM approaches don't scale
    - Top 2026 concerns: Ransomware and supply chain attacks (~47%)

    Story 1 Resources
    - https://www.enisa.europa.eu/publications/nis-investments-2025

    Story 2: SOC 2 Fraud Allegations
    Social media discussions allege compliance platforms and auditors are rubber-stamping SOC 2 reports.
    - Claims of nearly identical reports across different companies
    - No AICPA enforcement: peer review doesn't verify actual control testing
    - Post-breach cases (e.g., PowerSchool) reveal SOC 2s claiming controls that weren't implemented
    - Takeaway: Don't over-trust SOC 2s for critical third parties; consider independent verification

    Story 2 Resources
    - https://www.linkedin.com/posts/troyjfine_details-have-emerged-regarding-a-widespread-activity-7415043499676483584-nI5Z
    - https://www.linkedin.com/posts/sieira_details-have-emerged-regarding-a-widespread-activity-7415394996184424449-CSzO
    - https://infosec.exchange/@AlexandreSieira/115865691003110478

    Story 3: Japan & Korea Cybersecurity Regulations
    Both countries responding to major 2025 breaches (Asahi, SK Telecom, KT, Coupang) with new rules.
    - Mandatory breach reporting with government actively assisting incident response
    - Korea: GDPR-style fines up to 3% of annual sales for repeat breaches
    - Japan: Expanding cyber intelligence capabilities, reflecting reduced reliance on US protection
    - TPRM angle: Public breach disclosure would enable better third-party "background checks" than self-reported questionnaires

    Story 3 Resources
    - https://www.centerforcybersecuritypolicy.org/insights-and-research/japans-new-active-cyber-defense-law-a-strategic-evolution-in-national-cybersecurity
    - https://www.japantimes.co.jp/news/2025/12/23/japan/crime-legal/new-cybersecurity-strategy-police-sdf/
    - https://www.koreatimes.co.kr/southkorea/20251212/science-minister-vows-punitive-fines-against-companies-with-repeated-security-breaches

    Other Resources Mentioned
    - The Alice in Supply Chains Newsletter: https://www.linkedin.com/newsletters/alice-in-supply-chains-6976104448523677696/
    - Episode 440 of the Enterprise Security Weekly podcast, on why cybersecurity predictions are so bad: https://youtu.be/qyn7F2NPCMs?si=P0bhGQtwwHXrnIhW
    - Prior episode with AJ Yawn discussing how the SOC 2 sausage gets made: https://www.tenchisecurity.com/en/alice-in-supply-chains/episode-7-hoxz2
    - "The Security Products We Deserve" talk: https://www.youtube.com/watch?v=GHuQC1qLnJ4

    Stay safe and stay vigilant!

    58 min
