
MAY 2016

Skybox Security Overview


Skybox focuses on your attack surface

- Dedicated to providing total visibility and intelligence to prevent and contain attacks
- US-based company with HQ in Silicon Valley, offices globally
- Evanssion as strategic distributor for the Middle East
- Unique solution offering
- More than 600K network devices and 8M network assets managed by Skybox
- More than 500 enterprise customers in 50 countries


skyboxsecurity.com

Different customers, common challenges

- Financial Services
- Service Providers
- Government & Defense
- Energy & Utilities
- Technology
- Healthcare
- Consumer
- GCC

The Challenges

97% of breaches are avoidable through standard controls

- No visibility of the environment
- Security big data
- Disjointed security tools, processes and data silos
- Securing strategic business programs
- Shortage of skilled personnel
- Evolving threat landscape

Organizations don't understand their attack surface

Systematic Approach

Source: June 2015, Neil MacDonald, Gartner's Adaptive Security Architecture: New Approaches for Advanced and Insider Threats

Evolution of Security Operations & Processes

Your attack surface has many layers

- SECURITY CONTROLS: Firewalls, IPS, VPNs
- NETWORK TOPOLOGY: Routers, Load Balancers, Switches
- ASSETS: Servers, Workstations, Networks
- VULNERABILITIES: Location, Criticality
- THREATS: Hackers, Insiders, Worms

Horizon attack surface view

- New vulnerabilities: vulnerabilities on sensitive data lead to compromise
- Violating rule: allows inbound access from the DMZ to deeper in the network
- Vulnerability density: multiple exploitable vulnerabilities allowing ongoing connection

Indicators of Exposure
- Vulnerability density
- Violating firewall rules
- Directly exposed vulnerabilities
- Platform violations
- New vulnerabilities
- Unauthorized change
- Remediation latency
- Policy violation
- Unused firewall rules
- Network zoning policy violation

Automating Complex Security Processes

Enable more joined-up, efficient, risk-aware processes

Key Processes
- Objective Vulnerability and Threat Intelligence Management
- Risk-Centric Firewall/Network Change Management
- Network Auditing and Optimization
- Proactive Defence Planning
- Incident Response
- Identify Indicators of Exposure (IoE)

Benefits
- Single point of reference for security operations
- Proactive approach to security
- Visibility of the attack surface
- Support major business initiatives
- Achieve better ROI from existing investments and processes

Modular approach

- Flexible deployment options
- Software platform scalable to the largest networks
- Each module addresses a piece of the attack surface
- Integrated with 100+ security tools
- Built-in vulnerability intelligence feed

Appliance product line

Appliance
- Server class, Intel based, 1U server, manufactured by Patriot
- 2 models: 5500 (32 GB RAM, 8-thread CPU) and 6000 (128 GB RAM, 16-thread CPU)
- OS: CentOS (Linux)

Virtual appliance
- Similar software, delivered as a VMware VM

Software
- Skybox Server software
- Skybox Administration Web UI (Apache, jQuery, Python)

Skybox Architecture

(architecture diagram)

Deployment diagram

Open, Integrated, Flexible
- Integrates with existing infrastructure
- Automation, workflows
- No agent software, no impact on the live network
- Built-in ticketing system
- APIs for integration with third-party systems
- Appliance, virtual appliance or software only

Advanced Monitoring Service: how does it work?

- Remotely administered and monitored by Skybox over a remote access link
- Your network: a Skybox local agent collects Skybox logs, database queries and OS information
- AMS Center: an analytics engine (create alerts, identify anomalies, dashboard) and a reporting engine (report generation, activity tracking)
- Your data stays secure on your network

Security policy management

Network security policy management model

Inputs
- SECURITY CONTROLS: Firewalls, IPS, VPNs
- NETWORK TOPOLOGY: Network devices, Ingress / Egress, Network zones
- Normalized data from 100+ vendors

Model Network: understand network context
- Network topology view
- Access path analysis
- Access simulation

Analyze Firewalls: confirm effective controls
- Rule and configuration checks
- Risky rule identification
- Rule optimization
- Change tracking

Monitor Compliance: document compliance
- Automated audits: PCI DSS 3.0, FISMA, NERC, NIST, custom policies
- Comprehensive risk assessment
- Continuously verify rulebase

Manage Rule Lifecycle: verify changes
- Change process workflow
- Change request
- Reconcile changes

Firewall Management

Automated data collection: firewall configuration + log data, held in a normalized firewall configuration repository.

Firewall Analysis
- Rule compliance analysis against organizational policies and industry policies (NIST, PCI DSS)
- Risky rule identification
- Firewall optimization
- Change simulation and tracking

Audiences: Security, Network Operations, Executive, Auditors

Continuous Compliance Monitoring

Compliance Assessment
- Automated policy compliance checks: PCI DSS, NIST, FISMA, NERC, custom policies
- View access policy violations
- Track exceptions

Complete Visibility

Discover your boundary
- Examine every access path in the network
- Verify network policy compliance
- Troubleshoot blocked access paths
- De-risk major infrastructure projects

Network path analysis (Access Analyzer)

Access Analyzer takes into consideration:
- Routing
- NAT
- Firewall rules (ACLs)
- VPN

Zone-to-Zone Access Compliance

(Diagram: zones Internet / External, DMZ, US (Los Angeles, New York), Europe (London, Paris), Partners (Resellers), Development and Finance Servers, with zone-to-zone policies such as "Only port 80", "No Access" and "Only ports 80, 8080, 443, 22" into Finance Servers.)

Verify Network Security Controls on a Continuous Basis: Change Simulation
- Firewall allows access to a risky service
- Access policy violation in the partner zone
- Change causes compliance impact
- Change causes vulnerability exposure
- Deploy IPS as a compensating control
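Added example, not Skybox code: a small access analyzer in Python over a constructed model of zones, firewall rulebases, a destination NAT and a zone-to-zone policy (the policy is one constructed reading of the diagram's labels). It walks each firewall on a path and evaluates the rules against the destination address that firewall actually observes, reports access the rulebases permit but the zone policy forbids, and simulates a proposed rule change to show only the violations it would introduce. The addresses, rule sets, zone names, paths, probe ports and the assumption that the edge firewall matches its rules on the pre-NAT public address are all assumptions made for the example.

```python
"""Access-path analysis, zone-to-zone policy checks and change simulation over a
small constructed network model (added example, not Skybox code)."""
import copy
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address
Rule = Tuple[str, str, str, Optional[int]]  # (action, src_cidr, dst_cidr, dst_port; None = any port)

# Constructed zones; the most specific prefix wins, so "Internet" is everything else.
ZONES: Dict[str, IPNet] = {
    "Internet": IPNet("0.0.0.0/0"),
    "DMZ": IPNet("192.0.2.0/24"),
    "Development": IPNet("10.20.0.0/16"),
    "Partners": IPNet("172.16.5.0/24"),
    "Finance": IPNet("10.99.0.0/24"),
}
# Constructed rulebases: first match wins, implicit deny at the end.
FIREWALLS: Dict[str, List[Rule]] = {
    "fw-edge": [  # written against the public (pre-NAT) address of the DMZ web server
        ("allow", "0.0.0.0/0", "203.0.113.10/32", 80),
        ("allow", "0.0.0.0/0", "203.0.113.10/32", 443),  # not permitted by the zone policy
    ],
    "fw-core": [
        ("allow", "10.20.0.0/16", "10.99.0.0/24", 22),
        ("allow", "10.20.0.0/16", "10.99.0.0/24", 443),
        ("allow", "172.16.5.0/24", "10.99.0.0/24", 8080),  # risky rule: partners into finance
    ],
}
# Static destination NAT per firewall: real (DMZ) address -> public address. Assumption:
# fw-edge matches rules on the address it observes, which is the public one.
DNAT: Dict[str, Dict[str, str]] = {"fw-edge": {"192.0.2.10": "203.0.113.10"}}
# Routing abstraction: the firewalls a packet crosses between two zones.
PATHS: Dict[Tuple[str, str], List[str]] = {
    ("Internet", "DMZ"): ["fw-edge"],
    ("Development", "Finance"): ["fw-core"],
    ("Partners", "Finance"): ["fw-core"],
}
# Zone-to-zone access policy: allowed destination ports; an empty set means no access.
POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("Internet", "DMZ"): {80},
    ("Development", "Finance"): {80, 8080, 443, 22},
    ("Partners", "Finance"): set(),
}
PROBE_PORTS = {22, 80, 443, 3389, 8080}  # services probed on every path, plus the policy's own


def zone_of(ip: str) -> str:
    addr = IPAddr(ip)
    return max((z for z, n in ZONES.items() if addr in n), key=lambda z: ZONES[z].prefixlen)


def first_host(net: IPNet) -> IPAddr:
    return net.network_address if net.prefixlen >= 31 else net.network_address + 1


def firewall_decision(rules: List[Rule], src: IPAddr, dst: IPAddr, port: int) -> bool:
    for action, s, d, p in rules:
        if src in IPNet(s) and dst in IPNet(d) and (p is None or p == port):
            return action == "allow"
    return False  # implicit deny


def access_allowed(firewalls, path: List[str], src: str, dst: str, port: int, nat_aware=True):
    """Walk every firewall on the path; each one is evaluated against the destination
    address it observes. Returns (allowed, blocking_firewall_or_None)."""
    src_addr, real_dst = IPAddr(src), IPAddr(dst)
    for fw in path:
        seen = IPAddr(DNAT.get(fw, {}).get(dst, dst)) if nat_aware else real_dst
        if not firewall_decision(firewalls[fw], src_addr, seen, port):
            return False, fw
    return True, None


def probe_hosts(firewalls, zone: str, side: int) -> Set[str]:
    """Representative addresses of a zone: its first host plus every address that a rule
    (side 1 = source field, 2 = destination field) or a NAT entry names inside the zone."""
    hosts = {first_host(ZONES[zone])}
    for rules in firewalls.values():
        hosts.update(first_host(IPNet(rule[side])) for rule in rules)
    if side == 2:
        hosts.update(IPAddr(real) for mapping in DNAT.values() for real in mapping)
    return {str(h) for h in hosts if zone_of(str(h)) == zone}


def zone_violations(firewalls) -> List[Tuple[str, str, str, str, int]]:
    """Access the rulebases permit but the zone policy does not."""
    findings = set()
    for (sz, dz), allowed in POLICY.items():
        for src in probe_hosts(firewalls, sz, 1):
            for dst in probe_hosts(firewalls, dz, 2):
                for port in PROBE_PORTS | allowed:
                    ok, _ = access_allowed(firewalls, PATHS[(sz, dz)], src, dst, port)
                    if ok and port not in allowed:
                        findings.add((sz, dz, src, dst, port))
    return sorted(findings)


def simulate_change(firewalls, fw: str, rule: Rule):
    """What-if: append a proposed rule and return only the violations it would introduce."""
    changed = copy.deepcopy(firewalls)
    changed[fw].append(rule)
    return sorted(set(zone_violations(changed)) - set(zone_violations(firewalls)))


if __name__ == "__main__":
    for finding in zone_violations(FIREWALLS):
        print("VIOLATION", finding)
    print("change adds:", simulate_change(FIREWALLS, "fw-core", ("allow", "10.20.0.0/16", "10.99.0.0/24", 3389)))
    # A NAT-blind analysis wrongly reports the permitted web access as blocked at fw-edge.
    print(access_allowed(FIREWALLS, ["fw-edge"], "198.51.100.7", "192.0.2.10", 80))
    print(access_allowed(FIREWALLS, ["fw-edge"], "198.51.100.7", "192.0.2.10", 80, nat_aware=False))
```

Run as-is it lists the two violations in the constructed rulebases (HTTPS from the Internet into the DMZ web server, and partner access to finance on 8080), shows that a proposed RDP rule from Development to Finance would add a third, and contrasts the NAT-aware path result with a NAT-blind one that reports the legitimately open HTTP path as blocked.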

Accurate end-to-end route discovery

NAT-rich environments challenge most automated solutions. Getting the path wrong either blocks access or leaves security gaps.

Issues
- Failure to identify all firewalls in the path
- Incorrectly identifying firewalls in the path
- Incorrectly identifying the addresses a firewall observes

Only Change Manager uses total network understanding:
- Address-to-network resolution, utilizing NAT information to identify all end-to-end networks
- Access analysis on the end-to-end path to identify the firewalls and the relevant source/destination for each
- Providing the most accurate change planning available

Change management workflow

1. Service Management Request: capture business and/or technical details
2. Technical Details: translate (path identification, rule analysis)
3. Risk Assessment: identify policy violations and vulnerability exposures; accept/reject
4. Implementation: assign to team for provisioning
5. Verification: reconcile against observed changes; verify access

All stages are driven by the Skybox Analytics Engine.

Rule lifecycle management

Creation Workflow
- Path analysis
- Risk analysis
- Provisioning with metadata
- Reconciliation

Recertification Workflow (triggered by auto ticket generation)
- Recertification date reached?
- Policy violations?
- Rule or object usage?
- Recertify or reject

Deprovision Workflow
- Validate request
- Approval
- Deprovision rule, IP, object or service
- Reconciliation
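Added example, not Skybox code: Python triage of rule usage and recertification state from a constructed rulebase export and constructed syslog-style hit records. A rule with no hits in the review window is routed to the deprovision workflow, a rule still in use whose recertification date has passed goes to recertification, and hits for rule ids absent from the export are flagged as an unreconciled change. The log format, rule ids, purposes, dates and the 90-day window are assumptions.

```python
"""Rule-lifecycle triage from a rulebase export and firewall hit logs (added example,
not Skybox code; rule ids, dates and the log format are constructed)."""
import re
from datetime import date, datetime, timedelta
from typing import Dict, List

AS_OF = date(2016, 5, 31)  # review date for the example
UNUSED_DAYS = 90           # assumed policy: no hits in this window -> deprovision candidate

# Constructed rulebase export: id, purpose recorded at creation, recertification due date.
RULES = [
    {"id": "R-100", "purpose": "Web tier to app tier", "recertify_by": date(2016, 9, 1)},
    {"id": "R-101", "purpose": "Vendor remote support (temporary)", "recertify_by": date(2016, 3, 1)},
    {"id": "R-102", "purpose": "Partner file transfer", "recertify_by": date(2017, 1, 1)},
    {"id": "R-103", "purpose": "Legacy backup job", "recertify_by": date(2016, 12, 1)},
]
# Constructed syslog-style hit records (one per matched connection).
LOG_LINES = """\
2016-05-02T08:15:01Z fw-core rule=R-100 action=allow src=192.0.2.10 dst=10.30.0.5 dport=8080
2016-05-02T08:15:07Z fw-core rule=R-100 action=allow src=192.0.2.11 dst=10.30.0.5 dport=8080
2016-05-03T22:40:12Z fw-core rule=R-101 action=allow src=198.51.100.9 dst=10.30.0.7 dport=3389
2016-01-14T11:02:45Z fw-core rule=R-102 action=allow src=172.16.5.20 dst=10.40.0.2 dport=22
2016-05-04T09:00:00Z fw-core rule=R-999 action=deny src=10.20.0.8 dst=10.99.0.4 dport=1433
this line is not a hit record and is skipped
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<fw>\S+) rule=(?P<rule>\S+) action=(?P<action>allow|deny)")


def parse_hits(text: str) -> Dict[str, List[date]]:
    """Rule id -> dates on which the rule matched traffic."""
    hits: Dict[str, List[date]] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
            hits.setdefault(m["rule"], []).append(ts)
    return hits


def triage(rules: List[dict], hits: Dict[str, List[date]], today: date = AS_OF) -> List[dict]:
    """Route each rule to the lifecycle workflow its usage and certification state call for."""
    window = timedelta(days=UNUSED_DAYS)
    out = []
    for rule in rules:
        dates = hits.get(rule["id"], [])
        recent = [d for d in dates if today - d <= window]
        if not recent:
            action = "deprovision workflow"       # unused: validate, approve, remove, reconcile
        elif rule["recertify_by"] <= today:
            action = "recertification workflow"   # in use, but its certification has lapsed
        else:
            action = "ok"
        out.append({"id": rule["id"], "purpose": rule["purpose"], "hits_in_window": len(recent),
                    "last_hit": max(dates).isoformat() if dates else None, "action": action})
    return out


def unknown_rules(rules: List[dict], hits: Dict[str, List[date]]) -> List[str]:
    """Rule ids seen in logs but absent from the export: unauthorized or unreconciled change."""
    return sorted(set(hits) - {r["id"] for r in rules})


if __name__ == "__main__":
    hit_log = parse_hits(LOG_LINES)
    for row in triage(RULES, hit_log):
        print(row)
    print("unknown rule ids:", unknown_rules(RULES, hit_log))
```

The hit-count threshold is deliberately kept separate from the recertification date: a rule that is busy but uncertified is a governance finding, a rule that is certified but idle is a cleanup finding, and the two land in different workflows with different approvers.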

Security Policy Management Requires a Comprehensive View

- Visualise the entire network
- Troubleshoot network blockages quickly
- Automate firewall and network device audits and optimization
- De-risk the change process
- Monitor and verify all changes

Vulnerability & threat management

Vulnerability & Threat Management Challenges

Lifecycle: Discover, Correlate, Risk Assess, Remediate

Technical Challenges
- Infrastructure too large to discover all vulnerabilities frequently
- Security data overload
- Threat landscape is dynamic

Process Challenges
- Hard to objectively risk assess vulnerabilities
- Security resources have become reactive
- Limited situational awareness during an incident
- Risks cannot be quantified

Traditional VM Solutions Cause Pain

Discovery
- Too much data to handle
- Infrequency of scans
- Disruptive scans
- Unable to scan all assets

Analysis
- No network context
- Hard to correlate data from multiple sources
- Requires too much expertise
- Unable to prioritize by business impact

Remediation
- Hard to convert vulnerability info to patch needs
- Difficult to find remediation options
- Unnecessary patching
- Critical risks open for too long

Vulnerability & threat management model

Same layered model as the attack surface view:
- SECURITY CONTROLS: Firewalls, IPS, VPNs
- NETWORK TOPOLOGY: Routers, Load Balancers, Switches
- ASSETS: Servers, Workstations, Networks
- VULNERABILITIES: Location, Criticality
- THREATS: Hackers, Insiders, Worms

Skybox Vulnerability Detector

Scanless vulnerability assessment

1. Daily sync from system, asset or patch management (hosts, products, patches)
2. Product profiling: create a profile of the products on each host, using the extraction rules library and the product catalog. The rule-driven approach translates product banners into standard CPE format, for example:
   Microsoft Corporation | Microsoft SQL Server 2005 (64bit) | 9.4.5000.00
   cpe:2.3:a:microsoft:sql_server::2005:sp4:::::x64:
3. Vulnerability profiling: apply the vulnerability detection rules library to extract vulnerabilities (CVE-xxxx-xxxx)
4. Vulnerability list: Microsoft missing patches, Microsoft vulnerabilities, non-Microsoft vulnerabilities
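Added example, not Skybox code (Skybox's extraction rules and vulnerability database are its own): a Python sketch of the rule-driven pipeline above. Constructed extraction rules turn product banners of the form shown on the slide into CPE 2.3 formatted strings (the example emits a well-formed 13-field string with `*` for unknown attributes rather than the abbreviated form on the slide), and a constructed catalog with placeholder ids (CVE-0000-000x, not real CVEs) is matched against those CPEs, including a version-range entry. The build-to-service-pack lookup, the catalog entries and the host inventory are assumptions for the example.

```python
"""Scanless vulnerability detection: product banners -> CPE 2.3 -> catalog matches
(added example, not Skybox code; rules, catalog and CVE-0000-000x ids are constructed)."""
import re
from typing import Dict, List, Optional, Tuple

CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition", "language",
             "sw_edition", "target_sw", "target_hw", "other")


def to_cpe23(**attrs: str) -> str:
    """Well-formed CPE 2.3 formatted string; unknown attributes become '*'."""
    return "cpe:2.3:" + ":".join(attrs.get(a, "*") for a in CPE_ATTRS)


def vtuple(version: str) -> Tuple[int, ...]:
    """'7.2p2' -> (7, 2, 2): good enough for ordering the versions used here."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


# Constructed extraction rules: regex over "vendor | product | version" banners plus
# fixed or computed CPE attributes. Build-to-service-pack values are assumptions.
SQL_SP = {"9.4.5000.00": "sp4", "9.00.5000.00": "sp4", "9.00.4035.00": "sp3"}
EXTRACTION_RULES = [
    {
        "pattern": re.compile(r"Microsoft SQL Server (?P<ver>\d{4})(?: \((?P<bits>32|64)bit\))? \| (?P<build>[\d.]+)"),
        "attrs": lambda m: {"part": "a", "vendor": "microsoft", "product": "sql_server",
                            "version": m["ver"], "update": SQL_SP.get(m["build"], "*"),
                            "target_hw": {"64": "x64", "32": "x86"}.get(m["bits"] or "", "*")},
    },
    {
        "pattern": re.compile(r"OpenSSH[_ ](?P<ver>\d+\.\d+(?:p\d+)?)"),
        "attrs": lambda m: {"part": "a", "vendor": "openbsd", "product": "openssh", "version": m["ver"]},
    },
]

# Constructed vulnerability catalog: a CPE match expression ('*' = any) and an optional
# exclusive upper version bound, the way NVD-style configurations express ranges.
VULN_CATALOG = [
    {"id": "CVE-0000-0001", "cpe": "cpe:2.3:a:microsoft:sql_server:2005:sp4:*:*:*:*:*:*", "cvss": 9.0},
    {"id": "CVE-0000-0002", "cpe": "cpe:2.3:a:microsoft:sql_server:2005:sp3:*:*:*:*:*:*", "cvss": 7.5},
    {"id": "CVE-0000-0003", "cpe": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*",
     "version_end_excluding": "7.4", "cvss": 5.3},
]

# Constructed inventory, as exported from an asset or patch management system.
SAMPLE_HOSTS: Dict[str, List[str]] = {
    "db01": ["Microsoft Corporation | Microsoft SQL Server 2005 (64bit) | 9.4.5000.00"],
    "bastion": ["SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"],
    "jump": ["SSH-2.0-OpenSSH_8.4p1"],
    "kiosk": ["Acme Corp | Unknown Widget | 1.0"],  # no extraction rule matches
}


def profile_banner(banner: str) -> Optional[str]:
    """First extraction rule that matches the banner yields the host's CPE."""
    for rule in EXTRACTION_RULES:
        m = rule["pattern"].search(banner)
        if m:
            return to_cpe23(**rule["attrs"](m))
    return None


def cpe_matches(host_cpe: str, entry: dict) -> bool:
    host, pattern = host_cpe.split(":")[2:], entry["cpe"].split(":")[2:]
    if any(p != "*" and h != p for h, p in zip(host, pattern)):
        return False
    bound = entry.get("version_end_excluding")
    return bound is None or vtuple(host[3]) < vtuple(bound)  # host[3] is the version attribute


def detect(hosts: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str, float]]]:
    """Host -> [(cpe, vulnerability id, cvss)] without touching the network."""
    findings: Dict[str, List[Tuple[str, str, float]]] = {}
    for host, banners in hosts.items():
        for banner in banners:
            cpe = profile_banner(banner)
            if cpe is None:
                continue  # unprofiled product: report it for rule-library maintenance
            for entry in VULN_CATALOG:
                if cpe_matches(cpe, entry):
                    findings.setdefault(host, []).append((cpe, entry["id"], entry["cvss"]))
    return findings


if __name__ == "__main__":
    for host, items in detect(SAMPLE_HOSTS).items():
        for cpe, vid, cvss in items:
            print(f"{host}: {vid} (CVSS {cvss}) on {cpe}")
```

The important property is that an unknown attribute on the host side (`*`) never satisfies a specific attribute in the catalog, so a banner that does not reveal the service pack cannot be declared vulnerable to a service-pack-specific entry; the unprofiled banner is the signal that the extraction rule library needs a new rule.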

Skybox Vulnerability Database & attack vector intelligence

- Skybox Research Lab aggregates 20+ vulnerability and threat feeds
- Proprietary intelligence added by analysts: exploitation pre-conditions, vulnerabilities with no CVE, likelihood of attack, remediation solutions
- Over 50,000 vulnerabilities on 1,800 products, including products, vulnerabilities, IPS signatures, patches, malware patterns (worms)
- Conflict resolution
- Cross-references
- Updated daily
- CVE compliant, CVSS v2 standard

Sources
- ADVISORIES: Cisco PSIRT, Microsoft Security Bulletin, Oracle, Red Hat
- SCANNERS: eEye Retina, IBM Scanner, McAfee Foundstone, QualysGuard, Rapid7 Nexpose, Tenable Nessus, Tripwire nCircle
- IPS: Fortinet FortiGate, HP TippingPoint, IBM Proventia, McAfee IPS, Palo Alto Networks, Cisco Sourcefire
- OTHER: CERT, MITRE CVE, NIST's NVD, Rapid7 Metasploit, Secunia, Symantec SecurityFocus, Symantec Worms

Main uses of the Vulnerability Database

- Data normalization (vulnerabilities, IPS signatures) for data collection into the security model
- Attack vector information for attack simulation
- Product and vulnerability profiling rules for the Vulnerability Detector

Vulnerability & threat management

Discover Vulnerabilities
- Scanless vulnerability detection
- Support for all third-party VA scanners
- Vulnerability intelligence feed
- Same-day identification

Analyze Attack Surface
- Compensating controls
- Attack simulation
- Network context
- Business impact
- Highlight assets at risk

Prioritize Response
- Risk exposure
- Customizable security indicators
- Vulnerability risk assessments
- Attack vectors
- Heat maps
- Focus on areas of greatest impact

Remediate & Track
- Remediation planning
- Ticketing and workflow
- Dashboards and reporting
- SIEM tuning
- Respond quickly

Vulnerability Control: objective vulnerability analysis

Risk assess all vulnerabilities (Vulnerability Profiling)
- Consider vulnerability density
- Consider vulnerability age
- Consider severity
- Consider proximity
- Assess business impact

Identify exposed vulnerabilities (Exposure Analysis)
- Highlight indicators of exposure (IoEs)
- Understand controls
- Consider network context

Identify the critical few % (Attack Vectors, virtual pen test)
- Reduce overall patching
- Improve remediation SLAs
- Provide remediation options
- Prioritise remediation to maximise risk reduction

Prioritise vulnerabilities by multiple factors
- Target concentrations of vulnerabilities to meet SLAs
- Target attack vectors against critical assets
- Target specific attack vectors

Management view: dashboards to monitor and track progress
- View by context-aware risk level
- Filter vulnerabilities by threat origin
- Check impact of remediation activity

Vulnerability Control: Attack Path Analysis

Analytics highlight exploitable attack vectors
- Model threat sources
- Daily virtual penetration test
- Identify attack vectors
- Indicators of exposure
- Remediation planning
- Prioritise resources
Next Gen SOC: Operationalizing Security Risk Management

IT Security Dashboard / eGRC Framework

Skybox Attack Surface Model (proactive, pre-attack exposure)
- Firewall management
- Network compliance
- FW change management
- Vulnerability management
- Threat management
Inputs: patch management, vulnerability scanners, asset management, threat intelligence, network & security configs, mobile device management

Security Information & Event Management (SIEM) (post-attack incident management)
Inputs: a lot of logs, events and network traffic
Advanced SOC - Integration View

Business View: relevancy identification / KPIs / exposure analysis / business impact

Analyst View: analysis of correlated events, forensics, watchlist

Pre-attack sources: firewall configs, router configs, scanner data, threat intelligence
Post-attack sources: SIEM, alerts, network packet capture, logs
Typical MSSP Architecture/Approach

MSP SOC: security analysts and event processing serving Customer A (multiple sites), Customer B (single site, dedicated server) and Customer C (single site, shared server)

Key Challenges
- Generic approach
- No customer context
- Lots of irrelevant noise still
- Large research function
- Lots of manual analysis
- Landscape changes daily

Truly relevant/contextual? No!

Respond to New Threat Intelligence Quickly

1. Import new threat data: threat intelligence feeds (Symantec DeepSight, VeriSign iDefense, Skybox Dictionary)
2. Assess relevancy and impact: threat analytics; identify threats relevant to the business
3. Correlate to vulnerabilities: confirm existing vulnerabilities; automatically trigger tickets; update tickets with vulnerability info
4. Assign and track: remediation progress; record workflow; SLA on tickets
5. Reconcile and close ticket

Vulnerability & Threat Management: Game Changing Approach

- Proactively prevents attacks and contains damage
- Identify and focus on exploitable security risks
- Generate improved ROI from existing security tools
- Automate critical processes: vulnerability and threat management, proactive defense planning
- Plan remediation and actions in the context of your environment

Questions

Thank You

www.skyboxsecurity.com