Skybox Security
Overview

Model the Attack Surface
(Diagram: a DMZ modeled as layers of Security Controls, Network Topology, Assets, Vulnerabilities and Threats)

Who We Are
• Fastest-growing company in our space
• Silicon Valley HQ, offices around the globe
• $270M funding since February 2016
• 5-star reviews
• 700+ active customers in 50 countries, all verticals
• Vulnerability/Threat Management
• Risk/Policy Management

Who Relies on Us
Financial Services, Healthcare Providers, Consumer Services, Government & Defense, Energy & Utilities, Technology & Manufacturing

Why We're Needed
97% of breaches are avoidable through standard controls
• Limited visibility and data silos
• Non-actionable intelligence
• Lack of resources

Why We're Needed
Skybox helps bridge the security management gap
• Unparalleled visibility and comprehensive network modeling
• Integration with existing technologies and added intelligence
• Intelligent automation and orchestration

Improve Existing Resources
120+ technology integrations:
• Firewall/Network Security & Infrastructure
• Vulnerability Management, SIEM
• Endpoint Security
• Cloud/Virtual

Skybox Security Suite
Integrated Security Management

Attack Surface Visualization
• Total visibility of the attack surface
  – Physical, virtual, cloud and OT environments
  – Vulnerabilities and threats
• Measurable risk reduction
• Improved communication across teams and up the management chain

Skybox Security Suite
Integrated Security Management

Security Policy Management
• Easy, efficient compliance reporting
• Intelligent workflows and automation
• Proactive risk assessments of security and network changes

Skybox Security Suite
Integrated Security Management

Vulnerability and Threat Management
• Vulnerability prioritization aligned to the current threat landscape
• Exposed and exploited vulnerabilities highlighted
• Resources directed where they're needed most

Skybox Security Intelligence Feed
• Skybox Research Lab
• Exploits in the wild
• 700,000+ sites in the dark web
• Vulnerabilities used in ransomware, exploit kits, etc.
• 30+ security data feeds
• Attack vector details

Security Policy Management

Model: Network
• Network topology view
• Normalized data from 120+ technologies
• Network path analysis
• Physical, virtual, cloud and industrial
• Access simulation
Outcome: Understand Network Context

Analyze: Security Controls
• Cloud security tags
• Firewalls
• Rule and configuration checks
• Rule optimization
• Change tracking
Outcome: Confirm Effective Controls

Monitor: Compliance
• Automated audits
• PCI DSS
• FISMA
• NERC
• NIST
• GDPR
• Custom policies
Outcome: Document Compliance

Change: Management
• Change request
• Tech details
• Risk assessment
• Provisioning options
• Reconciliation and verification
Outcome: Continuously Verify Rulebase

Vulnerability and Threat Management

Discover: Vulnerabilities
• Scanless vulnerability detection (physical/cloud)
• Support for all third-party VA scanners
• Threat-centric vulnerability management
Outcome: Same-Day Identification

Analyze: Attack Surface
• Hot spot analysis
• Attack simulation
• Business impact
• Network topology and compensating controls
Outcome: Highlight Assets at Risk

Prioritize: Response
• Imminent threats (exposed/active exploit)
• Potential threats (known/available exploit)
• Attack vector details
• Threat context
Outcome: Focus on Areas of Greatest Impact

Remediate & Track
• Remediation planning
• Ticketing and workflow
• Dashboards and reporting
Outcome: Respond Quickly

Firewall Assurance
Comprehensive Multi-Vendor Firewall Management
• Firewall Security Assessment
• Continuous Policy Compliance
• Firewall Rule Life Cycle Management

How It Works
1. Collect & Normalize
2. Analyze
3. Report & Act

Change Manager
Secure, Automated Firewall Change Management
• Change Management Automation
• Automated Risk Assessment
• Rule Recertification Workflow

How It Works
1. Request
2. Identify
3. Assess
4. Implement
5. Verify

Network Assurance
Complete Visibility and Command of Hybrid Network Access and Routes
• Network Model
• Network Compliance Verification
• Security Analytics

How It Works
1. Collect & Normalize
2. Create a Model
3. Analyze in Context

Vulnerability Control
Threat-Centric Vulnerability Management
• Scanless Assessments
• Network + Threat Context
• Exposed and Exploited Vulns

How It Works
1. Assess
2. Analyze
3. Prioritize
4. Remediate

Threat Manager
Threat Intelligence Analysis and Response
• Consolidated Threat Intelligence
• Contextual Threat Assessment
• Focused Threat Response

How It Works
1. Collect & Normalize
2. Check Relevancy
3. Track Remediation

Visualize Your Entire Attack Surface From Multiple Perspectives

(Dashboard screenshot for site "US": 311 Assets, 5 Firewalls; panels for Site Details, Vulnerability Exposure, Exploited in the Wild Vulnerabilities, Exploitable Vulnerabilities, Unsecure Device Configuration, and Risky Access Rules over the last 4 months: March, April, May, June, Current)

Unsecure Device Configuration (Total: 72), findings listed:
• UDP reply packets – filtered (#Violations: 1; Policy: Checkpoint FW Standard Policy)
• Encrypted Line Password – required (#Violations: 1; Policy: Cisco IOS RTR Standard Policy)
• IP source routing – prohibited (#Violations: 1; Policy: Cisco IOS RTR Standard Policy)
• Password Encryption Service – required (#Violations: 1; Policy: Cisco IOS RTR Standard Policy)
• SNMPv3 Group – required (#Violations: 1; Policy: Cisco IOS RTR Standard Policy)

Skybox Horizon
Attack Surface Visualization
• Risky Access Rule: allows inbound access from the DMZ to deeper in the network
• Exploited in the Wild Vulnerability: a vulnerability with an available and active exploit is being attacked
• Unsecure Device Configuration: misconfiguration enables the continuation and spread of an attack

Threat-Centric Vulnerability Management

(Diagram: Vulnerability Intelligence, i.e. Vulnerabilities + Exploits in the Wild, feeds the Attack Surface Model; context: Asset Exposure/Criticality; modeled devices: Prod FW, Backbone Core Router, Main Router, GatewayEastA, Main FW, GatewayEastA IPS)

Threat-Centric Vulnerability Management

(Diagram: Vulnerability Intelligence, i.e. Vulnerabilities + Exploits in the Wild, feeds the Attack Surface Model with Asset Exposure/Criticality context; Analytics then Prioritize)
• Imminent Threat: high-priority remediation/mitigation
• Potential Threat: gradual risk reduction

Security in Multi-Cloud Environments
(NSX private cloud, AWS and Azure)
• Complete visibility
• End-to-end path analysis
• Policy compliance across networks in a single dashboard view
• Out-of-the-box regulatory compliance checks
• Threat-centric vulnerability management

Security in Industrial Networks
• Visibility and path analysis for combined IT and OT networks
• Risk analysis
• Vulnerability detection

(Diagram: OT networks with a Production Control System, RTU/PLC/DCS Controller Units & Field Devices, and Util A through Util E as Neighboring Utilities; IT side with the Business/Corporate Network and the Internet)

GDPR: How Skybox Can Help
• Article 25: Data Protection by Design
• Article 30: Record of Processing Activities
• Article 32: Security of Processing
• Article 33: Breach Notification to Supervisory Authority
• Article 34: Breach Notification to Data Subject
• Article 35: Data Protection Impact Assessment

Take Control of Your Attack Surface
• Attack Surface Visibility and Analytics
• Threat and Vulnerability Intelligence
• Automation and Orchestration

Thank You

Skybox Security
Technical Overview

Skybox Architecture

Deployment Diagram
• Integrates with existing infrastructure
• Automation, workflows
• Not a scanner, agentless
• Built-in ticketing system
• APIs for integration with third-party systems
• Appliance, virtual appliance, software only

Network Model Visualization

A Comprehensive Network View
Detailed Model of a Complex and Changing Network
• Network context
• Network size, complexity
• Multi-vendor environment
Device-level view
• Routers, LBs, FWs, assets
• Routing tables, ACLs, IPS
• NAT/PAT, VPNs, tunnels

Network Path Analysis
Access Analyzer understands:
• Routing/PBR
• NAT/PAT/VPNs
• Load balancing
• Firewall rules
• Multiple routes

Continuous Compliance Monitoring
• Automated compliance checks
  – Access compliance
  – Configuration compliance
  – Rule compliance
• PCI, NIST, custom policies
• Vendor best practices
• Track exceptions

Optimise Rules
• Spot shadowed and redundant rules quickly
• Gather log data to analyse historical rule usage
• Tighten the rule base, improve security and effectiveness
• Have a consultative conversation
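A minimal first-match shadowed/redundant rule check, added here as an illustration of the "spot shadowed and redundant rules" point; it is not Skybox's own rule analysis, and the rule base is constructed sample data:

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # IPv4 CIDR
    dst: str            # IPv4 CIDR
    ports: tuple        # (low, high) destination port range, inclusive
    action: str         # "allow" or "deny"

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches b also matches a (protocol ignored)."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def analyse(rules):
    """First-match semantics: a rule wholly covered by an earlier rule can never
    fire. Same action on both -> redundant; different action -> shadowed (the
    later rule's intent is silently lost). Returns {name: (kind, covering rule)}.
    Coverage by a combination of several earlier rules is not detected here."""
    findings = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings[rule.name] = (kind, earlier.name)
                break
    return findings

# Constructed sample rule base, in evaluation order
RULES = [
    Rule("r1", "10.0.0.0/8",    "192.168.10.0/24",  (443, 443), "allow"),
    Rule("r2", "10.1.0.0/16",   "192.168.10.5/32",  (443, 443), "allow"),  # redundant with r1
    Rule("r3", "0.0.0.0/0",     "192.168.20.0/24",  (1, 65535), "deny"),
    Rule("r4", "172.16.0.0/12", "192.168.20.10/32", (22, 22),   "allow"),  # shadowed by r3
    Rule("r5", "10.0.0.0/8",    "192.168.10.0/24",  (80, 80),   "allow"),  # fine
]

if __name__ == "__main__":
    for name, (kind, by) in analyse(RULES).items():
        print(f"{name}: {kind} (covered by {by})")
```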

Zone-to-Zone Access Compliance

(Diagram of zone-to-zone access rules between Internet/External, DMZ, Paris, New York, London, Development, Partners, Resellers and Finance Servers; edge labels: "Only Port 80", "No Access", "Only Ports 80, 8080, 443, 22")

Optimizing Change Management Workflow
Automate Change Management
• Vastly improve operational costs
• Reduce time to implement changes
• Risk assessment before change is made
• Automate changes/generate configuration
• Reconcile changes

Workflow: Change Request → Technical Details → Risk Assessment → Change Implementation → Reconcile and Verify
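The "risk assessment before change is made" step applied to the zone-to-zone access policy, as an added illustration rather than Skybox code: a requested allow rule is checked against the zone policy before anyone provisions it. The zone subnets, and which zone pair each of the diagram's port labels belongs to, are assumptions.

```python
from ipaddress import ip_network

# Constructed zone map (assumption; not the deck's real addressing).
ZONES = {
    "Internet": ip_network("0.0.0.0/0"),       # catch-all, least specific
    "DMZ": ip_network("203.0.113.0/24"),
    "Partners": ip_network("198.51.100.0/24"),
    "Finance": ip_network("10.50.0.0/16"),
}

# Zone-to-zone policy: allowed destination ports per (src, dst) pair.
# The port labels come from the diagram; which pair carries each label is assumed.
# A pair that is absent means "No Access".
POLICY = {
    ("Internet", "DMZ"): {80},
    ("Partners", "DMZ"): {80, 8080, 443, 22},
}

def zone_of(cidr):
    """Most specific zone that wholly contains cidr. A range that straddles
    zones only fits the catch-all and is treated as Internet, which errs on
    the side of flagging the request."""
    net = ip_network(cidr, strict=False)
    containing = [name for name, z in ZONES.items() if net.subnet_of(z)]
    return max(containing, key=lambda name: ZONES[name].prefixlen)

def assess_change(src_cidr, dst_cidr, ports):
    """Risk-assess a requested allow rule before it is provisioned.
    Returns a list of violations; an empty list means the change is compliant."""
    src_zone, dst_zone = zone_of(src_cidr), zone_of(dst_cidr)
    allowed = POLICY.get((src_zone, dst_zone), set())
    return [f"{src_zone}->{dst_zone}: port {p} not permitted by zone policy"
            for p in sorted(ports) if p not in allowed]

if __name__ == "__main__":
    # Constructed change requests
    print(assess_change("198.51.100.0/24", "203.0.113.10/32", {443, 3389}))
    print(assess_change("0.0.0.0/0", "10.50.1.20/32", {443}))
```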

Change Management Workflow
Request: Capture business/technical details
Technical Details: Translate; Path identification; Rule analysis
Risk Assessment: Identify policy violations & vulnerability exposures; Accept/Reject
Implementation: Assign to team for provisioning
Verification: Reconcile against observed changes; Verify Access
(All steps run on the Skybox Analytics Engine)


Change Management Workflow
Request for Firewall Change / Request for Other Change Requests → Technical Details → Risk Assessment → Implementation → Verification
Audit Trail Maintained
(Skybox Change Manager)

Skybox Vulnerability Database
• Skybox Research Lab aggregates 30+ vulnerability and threat feeds
• More than 70,000 vulnerabilities on 8,000+ products
• CVE compliant, CVSSv3 standard
• Updated daily

Sources:
ADVISORIES: CERT, ICS CERT, Adobe, Microsoft, Apple, Oracle, Cisco, Red Hat
SCANNERS: BeyondTrust Retina, Rapid7 Nexpose, Tenable Nessus, McAfee Foundstone, Tripwire IP360, Qualys Cloud Platform
IPS: Fortinet FortiGuard, McAfee IPS, Palo Alto Networks, Trend Micro TippingPoint, Cisco SourceFire
OTHER: Symantec Security Focus, Flexera Secunia, IBM X-Force, Rapid 7 Metasploit, Mitre CVE, NIST NVD, OSVDB, zero-day vulnerabilities for published incidents

Skybox Vulnerability Database
• Subscribed customers
• 30+ threat feeds updated daily
• Skybox Research Labs: a dedicated team verifies, normalizes, and adds more data

Main Uses of the Vulnerability Database

(Diagram: the Skybox Vulnerability Database supplies data normalization for vulnerabilities and IPS signatures, attack vectors, vulnerability information, and product and vulnerability profiling rules to three consumers: Data Collection into the Security Model, Attack Simulation, and the Vulnerability Detector)

Remediate the stuff that matters!
Threat-Centric Vulnerability Management: Vulnerabilities Identified
• How do we prioritize for remediation?
• Are critical assets at risk?
• What's our trend in fixing vs finding vulnerabilities?
• Which vulnerabilities should I fix for the biggest impact?

Threat-Centric Prioritization

Attack Simulation

(Diagram: Vulnerabilities CVE 2014-0160, CVE 2014-0515 and CVE 2016-0076; attack vectors from an Internet hacker and an infected partner lead to a compromised server)
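The attack simulation above and the Imminent/Potential Threat split from the Threat-Centric Vulnerability Management slides, as an added, simplified illustration that is not Skybox's engine: a constructed access graph is walked from the two threat origins, and each vulnerability is rated by whether it is exposed on an attack vector and whether a (constructed) feed flags it as exploited in the wild. The asset names, access edges and exploit flags are assumptions; only the CVE IDs come from the slide.

```python
from collections import deque

# Constructed attack-surface model (assumption, not a real network):
# which vulnerabilities each asset carries, and which assets each node's
# access rules let it reach. The CVE IDs are the ones shown on the slide.
ASSET_VULNS = {
    "web-dmz":   {"CVE-2014-0160"},
    "app-srv":   {"CVE-2014-0515"},
    "db-srv":    {"CVE-2016-0076"},
    "hr-laptop": {"CVE-2014-0515"},
    "lab-box":   {"CVE-2016-0076"},
}
ACCESS = {
    "Internet": {"web-dmz"},     # threat origin: hacker on the Internet
    "Partner":  {"app-srv"},     # threat origin: infected partner
    "web-dmz":  {"app-srv"},
    "app-srv":  {"db-srv"},
}
# Exploit-in-the-wild flags as a threat feed would supply them (constructed).
EXPLOITED_IN_WILD = {"CVE-2014-0160", "CVE-2014-0515"}

def exposed_assets(origins=("Internet", "Partner")):
    """Attack simulation: BFS from the threat origins, pivoting only through
    assets that carry a vulnerability the attacker could use to compromise them."""
    seen, queue = set(), deque(origins)
    while queue:
        node = queue.popleft()
        for nxt in ACCESS.get(node, ()):
            if nxt not in seen and ASSET_VULNS.get(nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen

def prioritize(origins=("Internet", "Partner")):
    """Imminent: exposed on an attack vector AND exploited in the wild.
    Potential: only one of the two holds. Low: neither."""
    exposed = exposed_assets(origins)
    levels = {}
    for asset, cves in ASSET_VULNS.items():
        for cve in cves:
            hits = (asset in exposed) + (cve in EXPLOITED_IN_WILD)
            levels[(asset, cve)] = {2: "imminent", 1: "potential", 0: "low"}[hits]
    return levels

if __name__ == "__main__":
    for (asset, cve), level in sorted(prioritize().items()):
        print(f"{asset:10} {cve}: {level}")
```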

Thank You