TIP’ping Over the SBOM Security Game with Cyware’s Intel Exchange

Supply Chain Security Jun 26, 2023

The increasing complexity of software supply chains and the rise of sophisticated cyber threats have made it critical for organizations to implement comprehensive security measures. A crucial aspect of modern software development, the Software Bill of Materials (SBOM), empowers developers and security teams with a clear understanding of the components present in their software projects. Coupling the insights gained from SBOM data with the power of threat intelligence can significantly enhance an organization's ability to detect and mitigate software supply chain attacks at their root.

In this blog, Cyware illustrates how SBOM data, shared through the Software Package Data Exchange (SPDX) standard, can be integrated with Cyware's threat intelligence platform, Intel Exchange (CTIX). This integration enables organizations to streamline their SBOM management process and translate it into an even more effective defense against supply chain attacks, benefiting from advanced threat intelligence insights.

The Synergy of SBOM and Threat Intelligence in Addressing Supply Chain Attacks

SBOM provides transparency into the components, libraries, and modules of a software project, enabling organizations to identify dependencies and potential security risks. By maintaining and managing SBOM data, security teams can ensure a secure and efficient development process, thus forming an essential piece of the supply chain attack prevention puzzle.

Integrating threat intelligence into this process takes security to the next level. Threat intelligence provides real-time insights into the tactics, techniques, and procedures (TTPs) used by threat actors, thereby arming organizations with actionable information to detect and prevent cyberattacks, including those targeting software supply chains.

When threat intelligence is combined with the insights gleaned from SBOMs, organizations can proactively identify and address potential vulnerabilities and safeguard their software supply chains.

In the following sections, we demonstrate how the integration of SBOM data, shared through the SPDX standard, into Cyware's Intel Exchange can provide organizations with an automated, hassle-free approach for managing their SBOM configurations, fortified by the power of threat intelligence insights.

How Cyware Simplifies SBOM Management and Integrates Threat Intelligence

Intel Exchange streamlines the process of maintaining SBOM configurations and bolsters them with enriched threat intelligence, providing organizations with critical insights into potential risks and vulnerabilities. Using Cyware Orchestrate, users can onboard generated SBOMs onto Intel Exchange, enabling easy maintenance, correlation, and management.

In this use case, an Orchestrate playbook runs on a cron schedule to connect to developer security platforms (e.g., GitHub, Snyk), export the SBOM components, convert the SBOM data from the SPDX format into a STIX 2.1-compliant format, and onboard the STIX object onto Intel Exchange. Once the data is onboarded, it can be contextualized by adding relations to vulnerabilities and enriched through further orchestration and timeline generation. Let’s learn about the implementation steps.

Step 1: Configure the integration of the developer security platform

To demonstrate the use case, let’s use Snyk as the developer security platform to generate the SBOM packages.

Fig 1. Snyk connector in Orchestrate

To configure the Snyk connector in Orchestrate, obtain the API token from the “Account Settings” tab in Snyk.

Fig 2. API token in Snyk account settings

After retrieving the API Token from Snyk, configure the Snyk instance in Orchestrate. This configuration will allow the playbooks in Orchestrate to generate SBOM configurations for all supported projects on Snyk via the Snyk API.

Step 2: Set up SBOM management using Orchestrate

Once the Snyk integration is fully configured, proceed to configure the playbook in Orchestrate that syncs the SBOM packages from Snyk onto Intel Exchange to manage and contextualize the intel.

Fig 3. Orchestrate playbook to generate SBOM (SPDX) files

The Orchestrate playbook is set to run on a cron schedule. On every run, the playbook connects to Snyk and automatically lists all organizations available on Snyk and all the projects within those organizations.

Once the SBOM (SPDX) files are generated for each project in each organization, the raw SBOM files are passed on to a sub-playbook.

Fig 4. Sub-playbook to convert SBOM data into STIX-compliant format

In this sub-playbook, we convert the SBOM data into a STIX-compliant format and onboard it onto Intel Exchange as custom STIX SDOs.
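
The SPDX-to-STIX conversion described above, as an added example in Python (not Cyware's playbook code). The x-sbom-package type, the x_ property names and the UUID namespace are assumptions of this example, and the SPDX input is constructed.

```python
import json
import uuid

SDO_TYPE = "x-sbom-package"  # hypothetical custom SDO type, not Cyware's schema
# Assumed namespace; UUIDv5 ids stay identical across scheduled runs.
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/sbom")

# Constructed SPDX 2.3 JSON sample, not real Snyk output.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "demo-project",
    "packages": [
        {"SPDXID": "SPDXRef-1", "name": "left-pad", "versionInfo": "1.3.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
        {"SPDXID": "SPDXRef-2", "name": "internal-lib"},  # no version, no purl
    ],
})

def find_purl(pkg):
    """Return the package URL from SPDX externalRefs, or None if absent."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None

def spdx_to_stix_bundle(spdx_text, timestamp):
    """Map each SPDX package to one custom SDO inside a STIX 2.1 bundle."""
    doc = json.loads(spdx_text)
    project = doc.get("name", "unknown-project")
    objects = []
    for pkg in doc.get("packages", []):
        purl, version = find_purl(pkg), pkg.get("versionInfo")
        # Stable key: prefer the purl, else project/name@version.
        key = purl or f"{project}/{pkg['name']}@{version or 'unversioned'}"
        sdo = {
            "type": SDO_TYPE,
            "spec_version": "2.1",
            "id": f"{SDO_TYPE}--{uuid.uuid5(NAMESPACE, key)}",
            "created": timestamp,
            "modified": timestamp,
            "name": pkg["name"],
            "x_source_project": project,  # x_ properties are this example's own
        }
        optional = {"x_version": version, "x_purl": purl}
        sdo.update({k: v for k, v in optional.items() if v})  # omit absent values
        objects.append(sdo)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

On later runs, keep the created value from the first run and change only modified, since STIX versioning requires created to stay fixed for a given id.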

Step 3: Integrate SBOM components in Intel Exchange and leverage threat intelligence

Once onboarded, Intel Exchange maintains each of the SBOM packages as individual STIX SDO entities, which can be investigated, managed, and acted upon.

Fig 5. STIX SDO entity generated for an SBOM package

This fine-grained management gives analysts flexibility to understand each package individually, view them in correlation with a broader perspective by adding relations, and work with these entities in the threat investigations feature.

By integrating SBOM components into Intel Exchange, security analysts can leverage the platform's capabilities to analyze and contextualize SBOM data with enriched threat intelligence information.

This empowers organizations to not only manage SBOM configurations effectively but also derive actionable insights from potential risks and vulnerabilities associated with their software components. Please note that the image provided below is for reference purposes only and may not necessarily be associated with any specific threat actors.

Fig 6. Threat visualization for an SBOM package in Intel Exchange

The Benefits of Leveraging Cyware TIP for SBOM Management

By utilizing Intel Exchange for the management of SBOM processes, organizations can gain several benefits, including:

  • Enhanced intel-driven security: By linking SBOM data to vulnerabilities, malware, IOCs, and threat actors in the Intel Exchange platform, security teams can gain a comprehensive understanding of the potential risks associated with their software components and address them proactively, informed by relevant threat intelligence.

  • Reduced manual efforts: The Orchestrate playbook automates the generation and integration of SBOM configurations, reducing manual intervention and the risk of human error.

  • Consistency: Regular playbook execution ensures that the SBOM data is up-to-date and consistent across all projects, enabling better decision-making and risk management.

  • Improved collaboration: Sharing SBOM data in the STIX format ensures that different stakeholders in the software supply chain can efficiently communicate and collaborate, leading to a more secure and efficient development process. Alongside the improved collaboration in the software supply chain, managing SBOMs by implementing them in STIX allows enterprises to effectively utilize the existing STIX ecosystem and toolset for SBOM management.

Level Up Your SBOM Management with Cyware’s Intel Exchange

By leveraging the integration of SBOM data into Intel Exchange, organizations can streamline their SBOM management process and enrich it with threat intelligence information.

This ensures a more secure and efficient software development environment while staying ahead of potential risks and vulnerabilities in the ever-evolving software supply chain. Explore how combining the power of SBOM and threat intelligence can bring significant value to your organization by connecting with our team at Cyware.

Schedule a free demo to learn more about Cyware’s threat intelligence platform.
