Cyber attacks on products, devices, vehicles and critical infrastructure are on the rise. One of the tools that can be used to identify cyber threats is the SBOM, or Software Bill of Materials. How exactly can SBOMs be used to keep products more secure? What are their limitations? Why and how should a manufacturer or business use them? In this interview series, we are talking to business leaders, cyber security officers, and experts about how we can effectively use SBOMs to keep all of us secure. As a part of this series, I had the pleasure of interviewing Mike Sanchez, Chief Information Security Officer at United Data Technologies.
Mike Sanchez is the Chief Information Security Officer at United Data Technologies, a Florida-based IT intelligence firm of about 300 employees.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a city called Hialeah, a suburb of Miami. It was made up of hard-working folks, back then most of them fleeing communist Cuba, my parents among them. Growing up in that environment, I observed folks like my parents and immediate family members like uncles and aunts working hard, not making excuses but making sure that my generation had everything we needed to not only get by but excel.
Is there a particular story that inspired you to pursue a career in tech or cybersecurity? We’d love to hear it.
Becoming an engineer/pilot has always been my dream. The Apollo space program had an enormous influence on what I wanted to be, which is an Astronaut. So, engineering and technology were embedded early on in my life. I originally wanted to be an aeronautical engineer, but the nearest schools offering that program back in the late 80s were Embry-Riddle and the University of Florida. I didn’t have much support in attending either, but did have a chance to attend the University of Miami, where I then switched my focus to Computer Engineering. I went on to serve in the United States Marine Corps and aspired to be a fighter pilot. Unfortunately, I didn’t meet the 20/20 vision requirements. But I loved my time in the Corps despite not achieving that goal. Once I left the Marine Corps, I joined Visa International, where I was lucky to work with some fabulous folks that mentored me and put me in opportunities where I was exposed to leading technologies even before they were operationalized, like Chip, encryption standards covering internet communications especially for payment transactions, and others. Most people think Visa is a Credit Card Company, but it’s really a technology company. Visa continuously innovates the technologies that help support and grow the electronic payment industry. I eventually oversaw Visa’s Emerging Technology business right about the time internet payment standards were taking off. So, I saw the development of encryption standards and participated in developing the security framework called PCI, which is the standard merchants and vendors must adhere to in terms of securing their payment processing information. That was my initial experience in the world of risk and cybersecurity, which now spans about 15 years.
Can you share the most interesting story that happened to you since you began this fascinating career?
A couple of years ago, my team and I were working with a service provider that had been hit by a ransomware attack. The hackers had encrypted the company’s data and were demanding a ransom payment in exchange for instructions to recover the files.
Unfortunately, we’ve seen far too many of these ransomware attacks now, and I’ve never seen an instance where the victim pays the ransom and the bad actors return a majority of their files. Even when they do, I always suspect they return it with some type of backdoor code embedded in the data they return, making the company susceptible to a return attack. After assessing the situation more, we realized the attackers had actually stolen data that, although important, did not rise to classification levels that would adversely impact the organization or that of his employees and customers. Armed with this information, I advised the client not to pay the ransom despite being urged by his insurance company to do so. The team then identified the type of malware infecting the systems, and we were able to help the client recover their systems and stop the virus from impacting other systems. I think about this event because it’s one of those rare situations where you speak to the people contracted by the hackers to collect payment. It’s a surreal moment because you rarely get to speak to anyone associated with an event like this, and with satisfaction can say the client was not going to pay the ransom. It’s like that moment when Bruce Willis famously says “Yippie, kai yeh so and so”. It’s also a moment of incredible trust placed in you by an individual whose business is down, and you’re able to help them and their employees get back to business.
Although these attacks are incredibly stressful engagements that not everyone likes handling particularly when the alarm goes off at 10:00pm on a Friday evening, I find them uniquely fulfilling particularly when you end up helping folks who feel helpless and hopeless when we walk in.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
- Hard Work Ethic — I was exposed to it early on, but really understood how important it was when I served in the Marine Corps. Your character as a leader is continuously tested in that environment. If you’re not willing to work hard and do as much or more as what you’re asking from the Marines assigned to you, no one will follow you anywhere.
- Integrity — Always deliver what you promise. It must guide your efforts in your business and your personal life. Not having integrity in everything you do will make life exceptionally hard and stressful.
- Never ever stop learning — No matter your position, you can never stop learning and gaining valuable experience, which contributes to having confidence in your work and your opinion. An attack that leaves one of our clients unable to operate will quickly turn me from hero to zero in the wink of an eye. Because of this, I’m always trying to learn what type of techniques and tactics are being used, the challenges our clients deal with and what other things we need to do to improve our services.
Are you working on any exciting new projects now? How do you think that will help people?
In this space, we’re always working on something exciting. But for the past two years, we’ve been working on putting together a group of cybersecurity and risk management services we call UDTSecure. Every organization, no matter the size or industry, faces significant challenges. We believe we’ve come up with a group of core service offerings that help organizations overcome challenges related to personnel, process and technology. This is extremely important particularly for our K-12 clients, which typically don’t have all the resources to battle a constant barrage of cyberattacks on a daily basis. So far we’ve had good success in deploying these services to a number of clients and are excited about their promise.
How has the cybersecurity landscape evolved since you first started your career, and what trends do you expect to see in the coming years?
- Cybersecurity is now very much a board level item. That wasn’t necessarily the case 7 to 10 years ago.
- The spending on cybersecurity has grown exponentially. Organizations allocate about 10% of their IT budget for cybersecurity services and solutions. This was unheard of 10 years ago when it was approximately 3 to 5% of an organization’s IT budget.
- The CISO position has evolved and become more important to the organization. This position practically didn’t exist 5 to 10 years ago.
- Cybersecurity issues have evolved into a business focus issue instead of merely a technology focus.
- In terms of trends, AI applications will help us develop solutions that are able to detect and respond to attacks faster. However, AI applications like ChatGPT probably pose the biggest threat. AI applications like ChatGPT can now be leveraged to develop sophisticated bots with malware to specifically exploit vulnerabilities of an application or in networks in half the time. The amount of intelligence hackers can gain prior to attacking an organization now takes seconds instead of hours compiling intelligence from different data sources. It’s also extremely fast in creating custom made email messages attackers can then utilize during email phishing campaigns. So, it’s early in the ballgame so to speak; but AI capabilities are definitely outpacing our ability to react accordingly.
For the benefit of our readers, can you briefly tell our readers why you are an authority on the topic of SBOMs?
I’m always very careful about anyone that calls themselves an authority in anything having to do with cybersecurity and risk management. You are continuously tested in this field and authority status can quickly turn you into rookie status. Let’s just say, my team and I have a deep understanding of SBOMs in how they’re used and how they’re leveraged from the standpoint of helping to reduce and hopefully eliminate — as much as possible — application vulnerabilities.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page, let’s begin with some simple definitions. Can you tell our readers what exactly an SBOM is and what its purpose is?
Yes, an SBOM refers to a “Software Bill of Materials.” In simple terms, it’s an inventory of components that make up a particular software application. It’s helpful when understanding what components or functions do, what other components or functions they interact with, or which components or functions they depend on for a particular software application to work as expected.
How exactly does an SBOM make us more secure?
One of the most important ways is to have visibility into what components make up the application and which of those components have a dependency on a third party connection. Imagine if Company A requires real time information from Company B to provide critical information on Company A’s application. Company B was the target of a ransomware attack that leveraged a vulnerability in the way it shares information with its partners. Company A could quickly find out if its application is vulnerable by scanning its SBOM information and identifying whether Company B’s vulnerable data source is listed. It can then take steps to mitigate the vulnerability by either severing communications or by identifying some other type of control to mitigate against the potential risk.
Another way it helps is by identifying how many users are using an organization’s specific application and how many licenses the organization has purchased to ensure coverage and meeting licensing compliance. An organization runs the risk of being penalized for not having the number of licenses required in place.
Using SBOMs also provides an organization a quicker way of identifying which components not only make up an application but which ones can be leveraged for an attack. There could be a component that focuses on authenticating users based on a specific methodology. Perhaps it’s passwords, or passwords with another layer like Multi-Factor Authentication. If a vulnerability tied to this function, one which allows a user to bypass the application’s authentication mechanism, were being reported by different intelligence sources, a scan of the SBOM can quickly spot if the application uses the component in question so an organization can quickly apply mitigations that avoid a bypass of authentication.
The SBOM also lists the latest version of components being used within the application as well. This aids in identifying if the application requires patching or configuration fixes applied to bring the application to date with the latest security releases.
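The scan described in the answer above, matching listed components and versions against reported vulnerabilities and then walking the dependency relationships to see what pulls a vulnerable component in, as an added example. This is not code from the interview or from UDT: it reads a CycloneDX JSON SBOM, and both the SBOM and the advisory feed below are constructed for illustration (the package names are fictional and the advisory identifiers are hypothetical, not real CVEs).

```python
"""Scan a CycloneDX JSON SBOM against an advisory list.

Added example, not code from the interview or from UDT. The SBOM and the
advisories are constructed: fictional packages, hypothetical advisory IDs.
"""
import json
import re
from collections import deque

# Constructed CycloneDX 1.4 SBOM for a fictional application.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-04-01T12:00:00Z",
        "component": {"bom-ref": "app", "type": "application",
                      "name": "payments-portal", "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "pkg:pypi/acme-auth@1.3.0", "type": "library",
         "name": "acme-auth", "version": "1.3.0",
         "purl": "pkg:pypi/acme-auth@1.3.0"},
        {"bom-ref": "pkg:pypi/netio@2.0.1", "type": "library",
         "name": "netio", "version": "2.0.1",
         "purl": "pkg:pypi/netio@2.0.1"},
        {"bom-ref": "pkg:pypi/partner-feed@0.8.0", "type": "library",
         "name": "partner-feed", "version": "0.8.0",
         "purl": "pkg:pypi/partner-feed@0.8.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/acme-auth@1.3.0",
                                     "pkg:pypi/partner-feed@0.8.0"]},
        {"ref": "pkg:pypi/acme-auth@1.3.0",
         "dependsOn": ["pkg:pypi/netio@2.0.1"]},
        {"ref": "pkg:pypi/partner-feed@0.8.0",
         "dependsOn": ["pkg:pypi/netio@2.0.1"]},
    ],
})

# Constructed advisory feed (hypothetical IDs). An entry means versions
# >= introduced and < fixed are affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_name": "pkg:pypi/acme-auth",
     "introduced": "1.0.0", "fixed": "1.3.2", "summary": "authentication bypass"},
    {"id": "ADV-EXAMPLE-0002", "purl_name": "pkg:pypi/netio",
     "introduced": "1.0.0", "fixed": "2.0.0", "summary": "request smuggling"},
]


def parse_version(text):
    """'1.3.0' -> (1, 3, 0). Real scanners apply ecosystem-specific rules
    (pre-releases, epochs); dotted numeric versions are enough here."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def purl_name(purl):
    """Strip version, qualifiers and subpath: 'pkg:pypi/x@1.0?a=b' -> 'pkg:pypi/x'."""
    return purl.split("?", 1)[0].split("#", 1)[0].split("@", 1)[0]


def reverse_dependencies(sbom):
    """Map each bom-ref to the set of refs that depend on it directly."""
    rdeps = {}
    for entry in sbom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            rdeps.setdefault(dep, set()).add(entry["ref"])
    return rdeps


def dependents_of(sbom, ref):
    """All refs that transitively depend on `ref` (BFS over reverse edges)."""
    rdeps = reverse_dependencies(sbom)
    seen, queue = set(), deque([ref])
    while queue:
        for parent in rdeps.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def scan(sbom_json, advisories):
    """Return one finding per (component, advisory) match, with the refs
    that pull the affected component in."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no identifier: cannot be matched, flag it separately
        version = parse_version(comp["version"])
        for adv in advisories:
            if purl_name(purl) != adv["purl_name"]:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "summary": adv["summary"],
                    "fixed_in": adv["fixed"],
                    "reachable_from": sorted(dependents_of(sbom, comp["bom-ref"])),
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} ({f['summary']}), "
              f"fixed in {f['fixed_in']}, pulled in by {', '.join(f['reachable_from'])}")
```

On the sample data only acme-auth 1.3.0 is reported (netio 2.0.1 is past the fixed version), and the dependency walk shows it is reached directly from the application. In practice this matching is done by tools such as Grype, OSV-Scanner or Dependency-Track against live advisory feeds; the value of the SBOM is that the inventory exists before the advisory does.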
Which companies absolutely need to have SBOMs, and which companies are not required but can benefit from them? Are developers required to create SBOMs? How about manufacturers of products or devices?
Currently, SBOMs are viewed as recommended best practices and are not specifically mandated within a security framework or regulatory act. Organizations which have to comply with security and privacy requirements are scrutinized throughout the year to demonstrate their systems, processes, applications, and technologies meet requirements of the regulatory bodies they are required to answer to.
The use of SBOMs is increasingly being adopted and becoming more important for organizations within sectors such as Finance, Banking, Energy, Utilities, Healthcare and government agencies. Without a proper inventory of components that identifies important components or functions like authentication, version release, 3rd party communications, logging, and more, it would be challenging to determine if the application is routinely updated, where data is coming from, or to test for vulnerabilities, vulnerabilities that could introduce ransomware into the environment, provide unauthorized access to other systems, or control critical systems.
SBOMs are mostly developed by the engineers which create the application during its development process and have the necessary application information. Manufacturers of products or services should have SBOMs particularly those which have to demonstrate compliance to a security or privacy requirement. Besides the compliance requirements, manufacturers of products or services should at a minimum adopt industry best practices that help customers stay informed as to the components being used. This could potentially prevent a manufacturer’s client from exposing its own infrastructure to vulnerabilities.
What are the common misconceptions you have seen about SBOMs?
- SBOMs are complicated to produce. Not true. There are applications that can help automate their development and inclusion within each application.
- Only developers should have access to SBOMs. SBOMs should be shared across other business stakeholders including legal, risk and compliance departments, Chief Information and Security Officers and IT operations.
- Much like the first point, some people think SBOMs are only relevant to enterprise level organizations. However, SBOMs are extremely important for any organization of any size that develops their own proprietary application, leverages open-source libraries as a component of their applications, or utilizes data sources or components from a 3rd party organization.
What are some of the errors you have seen companies make when they create SBOMs? What can be done to avoid those errors?
- Organizations fail to keep the SBOM up to date with the latest information.
- Organizations lose the resources which originally developed the SBOM and were responsible for updating it.
- Establishing a standard to follow which incorporates minimum requirements. This helps avoid different groups developing SBOMs based on different formats, which then become hard to understand or evaluate.
- Centralize processes like SBOM management, evaluating and approving changes and/or updating the SBOM itself, including when changes can be applied and how these changes are communicated.
Ok, here is the main question of our interview. Can you please share five best practices for organizations looking to implement SBOMs effectively? If you can, please share an example for each.
- Identify an individual responsible for managing and keeping track of SBOMs and related applications. Even if different departments may contribute to the technical components of an application, SBOM management should be a centralized function.
- Employ and adopt one of the frameworks. There are a few which are widely used, such as NIST and ISO, or ones available through an open standard format like SPDX or CycloneDX. Ensure its adoption and use through periodic reviews with different stakeholders. Consider incorporating metrics that measure the number of changes made to SBOMs per application.
- Make an inventory of all applications and utilize an automated tool that identifies existing SBOMs. Review the results of these scans with stakeholders and identify gaps between existing documentation and results from scans. Repeatedly use the tool to validate mitigation efforts identified during periodic reviews to ensure fixes are applied.
- During the periodic reviews, include members from development, IT, risk management, HR and other teams which oversee application development to confirm SBOMs are embedded within software development lifecycle processes.
- Ensure vulnerability scans are being performed per internal vulnerability management policies. Prioritize mitigation efforts dependent on the severity of the vulnerability and the overall importance of the application to the organization. Track that mitigation efforts are being completed in accordance with internal vulnerability management policies.
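A check that covers two of the errors listed earlier, an SBOM that has gone stale and one that does not meet a minimum-requirements standard, and the gap analysis the third best practice above describes. This is an added example, not code from the interview or from UDT. It takes CycloneDX JSON, uses the NTIA minimum elements (supplier, component name, version, unique identifiers, dependency relationship, SBOM author, timestamp) as the standard, and the 90-day age threshold, the fixed "today" and the two sample documents are constructed for illustration.

```python
"""Check a CycloneDX JSON SBOM against minimum elements and a maximum age.

Added example, not code from the interview or from UDT. The standard encoded
here is the NTIA minimum-elements list; the age limit and sample documents
are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # assumed policy: regenerate SBOMs at least quarterly
NOW = datetime(2023, 4, 26, tzinfo=timezone.utc)  # constructed "today" for reproducible results

# Constructed SBOM that meets every check.
GOOD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-04-01T12:00:00Z",
        "tools": [{"vendor": "example", "name": "sbom-gen", "version": "1.0"}],
        "component": {"bom-ref": "app", "type": "application",
                      "name": "payments-portal", "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "pkg:pypi/acme-auth@1.3.0", "type": "library", "name": "acme-auth",
         "version": "1.3.0", "purl": "pkg:pypi/acme-auth@1.3.0",
         "supplier": {"name": "Acme Corp"}},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:pypi/acme-auth@1.3.0"]}],
})

# Constructed SBOM with the usual defects: no author, stale, a component without
# version or identifier, a dangling dependency edge, an unplaced component.
BAD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {
        "timestamp": "2022-06-01T00:00:00Z",
        "component": {"bom-ref": "app", "type": "application",
                      "name": "payments-portal", "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "lib-a", "type": "library", "name": "acme-auth",
         "supplier": {"name": "Acme Corp"}},
        {"bom-ref": "lib-b", "type": "library", "name": "netio", "version": "2.0.1",
         "purl": "pkg:pypi/netio@2.0.1", "supplier": {"name": "Netio Ltd"}},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-c"]}],
})


def _parse_ts(text):
    # fromisoformat() before Python 3.11 does not accept a trailing 'Z'.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def check_sbom(sbom_json, now=None, max_age=MAX_AGE):
    """Return a list of problems; an empty list means the SBOM passes."""
    now = now or datetime.now(timezone.utc)
    sbom = json.loads(sbom_json)
    meta = sbom.get("metadata", {})
    problems = []

    # Document-level elements: who produced the SBOM data and when.
    if not meta.get("authors") and not meta.get("tools"):
        problems.append("metadata: no author or generating tool recorded")
    ts = meta.get("timestamp")
    if not ts:
        problems.append("metadata: no timestamp")
    elif now - _parse_ts(ts) > max_age:
        problems.append(f"metadata: SBOM is older than {max_age.days} days; regenerate it")

    # Per-component elements: name, version, supplier, unique identifier, a ref
    # so the component can appear in the dependency graph.
    refs = set()
    for comp in sbom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        for field in ("name", "version"):
            if not comp.get(field):
                problems.append(f"{label}: missing {field}")
        if not comp.get("supplier", {}).get("name") and not comp.get("publisher"):
            problems.append(f"{label}: no supplier")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("hashes")):
            problems.append(f"{label}: no unique identifier (purl, cpe or hash)")
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
        else:
            problems.append(f"{label}: no bom-ref, cannot appear in dependency graph")

    # Dependency relationships: every edge must point at a known component and
    # every component must be placed somewhere in the graph.
    root = meta.get("component", {}).get("bom-ref")
    if root:
        refs.add(root)
    deps = sbom.get("dependencies", [])
    if not deps:
        problems.append("dependencies: no dependency relationships recorded")
    placed = set()
    for entry in deps:
        placed.add(entry.get("ref"))
        for target in entry.get("dependsOn", []):
            placed.add(target)
            if target not in refs:
                problems.append(f"dependencies: {entry.get('ref')} depends on unknown ref {target}")
    for ref in sorted(refs - placed):
        problems.append(f"dependencies: {ref} not placed in the dependency graph")
    return problems


if __name__ == "__main__":
    for name, doc in (("good", GOOD_SBOM), ("bad", BAD_SBOM)):
        print(name, check_sbom(doc, now=NOW) or "OK")
```

Run in a pipeline, a non-empty result is the gap list to review with stakeholders, and the age check is what turns "keep the SBOM up to date" from a reminder into a failing build. The same check works on SBOMs collected from suppliers, which is where missing suppliers and dangling dependency references show up most often.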
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂
Lately, the use of AI is everywhere. I believe AI’s capabilities to quickly learn and evolve are outpacing our own abilities to process outcomes. I’m concerned about its use but hopeful with its ability to help people everywhere by solving complex problems. To this end, a movement that promotes a responsible use of AI development could help maximize AI’s potential benefits while minimizing risks and unintended consequences. A human-centered approach can help ensure AI technology is designed to serve people’s needs instead of the other way around.
How can our readers further follow your work online?
I regularly post and share best practice risk and cybersecurity tips through LinkedIn and UDT’s own website and social media channels.
Thank you so much for joining us. This was very inspirational, and we wish you continued success in your important work.
This article was originally published on Medium on April 26, 2023 by David Leichner.