Skybox Vulnerability Control Getting Started Guide 8.5.600 Revision: 11


Proprietary and Confidential to Skybox Security. © 2017 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Threat Manager, Skybox Change Manager, Skybox Appliance 5500/6000/7000/8000, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Contact information

Contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox support portal

Contents

› Preface
  • Intended audience
  • How this manual is organized
  • Related documentation
  • Technical support
› Introduction
  • Skybox Vulnerability Control
    • How Vulnerability Control works
  • Basic architecture
› Before you begin
  • Prerequisites
  • Starting Skybox Vulnerability Control
  • Skybox model
› Vulnerability Control overview
  • Main summary page
  • Discovery, prioritization, remediation
  • Discovery Center overview
    • Discovery Center in the tree
    • Vulnerability Definitions and Assets
  • Prioritization Center
    • Security metrics
  • Remediation Center overview
    • Remediation Center in the tree
  • Exposure information and analyses
› Security Metrics
  • Viewing the security metrics
  • Predefined security metrics in Skybox Vulnerability Control
› Exposure by threat
  • Exposure by Threat Summary page
  • Analyzing exposure
  • Viewing exposure
  • Viewing vulnerability occurrences
  • Viewing threats
  • Viewing Business Asset Groups
  • Network Map
  • Using the Attack Explorer
    • Viewing vulnerability occurrences in the Attack Explorer
    • Using the Attack Explorer to analyze access to your network
    • Planning remediation using the Attack Explorer
› Access analysis
  • Analyzing access
  • Analyzing access from the internet to the network
› Operational Console
  • Opening the Operational Console
  • Tasks
› Tickets
  • Creating tickets
  • Viewing and managing tickets
› Additional information about Skybox data
  • Model workspace
  • Locations & Networks
  • Viewing the properties of an entity
  • Viewing detailed information about an entity
  • Viewing access rules
  • Viewing and managing routing rules
› Using Skybox Vulnerability Control reports
  • Skybox Vulnerability Control reports
  • Reports tree
  • Vulnerability Management reports

Preface

Intended audience

The Skybox Vulnerability Control Getting Started Guide provides background information about what Skybox Vulnerability Control does and how it works, and explains how to get started using the product. This Getting Started Guide is intended for use with the demo model only. To model your organization’s network and work with that model, see the Skybox Vulnerability Control User’s Guide.

The intended audience is anyone who wants to learn how to use Skybox Vulnerability Control.

How this manual is organized

This manual includes the following chapters:

› Introduction to Skybox Vulnerability Control

› Before you begin, which includes:

• Instructions for starting and logging in to Skybox

• An overview of the GUI

• Instructions for loading the demo model

If you are familiar with Skybox, you can skip most of this section. However, make sure to load the demo model file.

› Vulnerability Control overview

› Tutorials on:

• Using the Security Metrics feature

• Using Exposure

• The Operational Console

• Tickets

• Using Skybox Vulnerability Control reports

The tutorials are basic scenarios, to show you how Skybox Vulnerability Control can help you to secure your system. You do not need to do every tutorial; select those that will help you with your tasks in Skybox Vulnerability Control.

Related documentation

The following documentation is available for Skybox Vulnerability Control:

› Skybox Vulnerability Control User’s Guide

› Skybox Threat Manager Getting Started Guide

› Skybox Threat Manager User’s Guide

Other Skybox documentation includes:

› Skybox Installation and Administration Guide

› Skybox Reference Guide

› Skybox Developer’s Guide

› Skybox Release Notes

› Skybox Change Manager User’s Guide

The entire documentation set (in PDF format) is available here

You can access a comprehensive Help file from any location in the Skybox Manager by using the Help menu or by pressing F1.

Technical support

You can contact Skybox using the form on our website or by emailing [email protected]

Customers and partners can contact Skybox technical support via the Skybox support portal

When opening a case, you need the following information:

› Your contact information (telephone number and email address)

› Skybox version and build numbers

› Platform (Windows or Linux)

› Problem description

› Any documentation or relevant logs

You can compress logs before attaching them by using the Pack Logs tool (see Packing log files for technical support, in the Skybox Installation and Administration Guide).

Chapter 1

Introduction

This chapter contains introductory information about Skybox Vulnerability Control.

In this chapter

› Skybox Vulnerability Control

› Basic architecture

Skybox Vulnerability Control

Skybox™ Security arms security professionals with the broadest platform of solutions for security operations, analytics and reporting. By integrating with more than 100 networking and security technologies that organizations are already using, the Skybox Security Suite merges data silos into a dynamic network model of your organization’s attack surface, giving comprehensive visibility of public, private and hybrid IT environments. Skybox provides the context needed for informed action, combining attack vector analytics and threat-centric vulnerability intelligence to continuously assess vulnerabilities in your environment and correlate them with exploits in the wild. This makes the accurate prioritization and mitigation of imminent threats a systematic process, decreasing the attack surface and enabling swift response to exposures that truly put your organization at risk.


Skybox arms security leaders with a comprehensive cybersecurity management platform to address the security challenges of large, complex networks. The Skybox Security Suite breaks down data silos to build a dynamic network model that gives complete visibility of an organization’s attack surface and the context needed for informed action across physical, multi-cloud and industrial networks. We leverage data by integrating with 120 security technologies, using analytics, automation and advanced threat intelligence from the Skybox Research Lab to continuously analyze vulnerabilities in your environment and correlate them with exploits in the wild. This makes the prioritization and mitigation of imminent threats an efficient and systematic process, decreasing the attack surface and enabling swift response to exposures that truly put your organization at risk. Our award-winning solutions automate as much as 90 percent of manual processes and are used by the world’s most security-conscious enterprises and government agencies, including Forbes Global 2000 companies. For more information visit the Skybox Security website

Vulnerability Control harnesses total attack surface visibility and threat-centric vulnerability intelligence to spot vulnerabilities that are most likely to be used in an attack against your organization. Eliminate risks 100-times faster than traditional scanning and manual analysis with on-demand vulnerability discovery, threat-centric prioritization and remediation guidance based on the context of your attack surface and threats in the wild. Reduce false positives to near-zero levels, streamline workflows, optimize gradual risk reduction and respond to imminent threats within hours—not days.

› Finds vulnerability exposures and exploitable attack vectors on-demand with intelligence on exploits in the wild

› Prioritizes vulnerabilities based on threats and the risk imposed to your network

› Detects vulnerabilities on network devices and ‘unscannable’ systems

› Targets imminent threats for immediate response and systematically reduces potential threats with context-aware remediation guidance

Highlights

› On-demand vulnerability assessments

• Combines data from vulnerability scanners, patch management systems and endpoint agents—including those running in virtual and cloud environments—with scanless assessments from Skybox Vulnerability Detector

• Discovers vulnerabilities on network and security devices and in traditionally "unscannable" zones, including virtual and cloud environments

• Uses network and security control context to identify exposed vulnerabilities

› Threat-centric vulnerability intelligence and exposure analysis

• Identifies exposed vulnerabilities using the network model, attack vector analytics and multi–step attack simulations

• Discovers potential attack scenarios and detects bypassed or compromised security measures

• Highlights vulnerabilities with exploits available, involved in active attack campaigns or distributed on the dark web

• Improves change management by evaluating proposed changes for new vulnerability exposures

› Prioritization in the context of threats and your attack surface

• Puts exposed vulnerabilities and those most likely to be exploited at the top of your priorities list

• Analyzes attack vectors in the context of the network, mitigating controls and Skybox Research Lab investigations of the current threat landscape

• Prioritizes imminent threats for immediate remediation and identifies potential threats for ongoing, gradual risk reduction

› Same-day imminent threat response

• Recommends best remediation actions to eliminate imminent threats in hours, instead of days

• Optimizes gradual risk reduction to systematically reduce the attack surface and ensure potential threats don’t escalate

• Tracks remediation progress and closure

• Measures remediation effectiveness with customized risk metrics

HOW VULNERABILITY CONTROL WORKS

The following diagram shows the typical process of working with Vulnerability Control.

Basic architecture

The Skybox platform consists of a 3-tiered architecture with a centralized server (Skybox Server), data collectors (Skybox Collectors), and a user interface (Skybox Manager). Skybox can be scaled easily to suit the complexity and size of any infrastructure.

For additional information, see the Skybox architecture topic in the Skybox Installation and Administration Guide.

Chapter 2

Before you begin

This chapter contains introductory information about working with Skybox.

In this chapter

› Prerequisites

› Starting Skybox Vulnerability Control

› Skybox model

Prerequisites

› Skybox must be installed on your system before you can begin to work with the tutorials in this guide.

› The Skybox Server must be running before you can start the Skybox Manager. If it is not running on your local machine, you need its name or IP address to connect to it.

Starting Skybox Vulnerability Control

To start Skybox Vulnerability Control

1 In the Windows system tray, right-click the Skybox icon and select Open Skybox.

2 You can log in to any Skybox product at this point by clicking its icon above the User Name field. Make sure that Vulnerability Control is selected.

3 Type your user name and password.

If you were not assigned a user name and password by your Skybox administrator, use the default user name skyboxview with the password skyboxview.

4 If the Server was not specified during installation or you do not want to connect to the default Server, select the desired Server or type its IP address.

5 Click Login.

6 The 1st time that you work with Skybox, click the Load demo model link in the workspace to load the demo model file.

The display refreshes after the model is loaded.

Note: The demo model file includes a small model for which data has been collected and various configuration tasks have already been run.

Skybox model

Skybox collects data about your network using Skybox’s own data collectors and from data that Skybox imports from 3rd-party products. You enter business information and security data manually after it is gathered from the various parts of your organization. Information about vulnerabilities comes from the Skybox Vulnerability Dictionary; the actual vulnerability occurrences in your system are part of the data imported from network scanners.

The collected data is converted to a formal, standardized format (using XML). Skybox then creates a model of your network and displays the model in workspaces. Each workspace enables you to view and manage a different aspect of the model data.

› The Vulnerability Control workspace displays exposure and security metrics.

› The Threat Manager workspace displays threat-related information.

› The Tickets workspace displays information about all tickets issued on model entities.

› The Reports workspace displays templates that generate reports based on the data in the model.

› The Model workspace displays general information about all data in the model.

Chapter 3

Vulnerability Control overview

In this chapter

› Main summary page

› Discovery, prioritization, remediation

› Discovery Center overview

› Prioritization Center

› Remediation Center overview

› Exposure information and analyses

Main summary page

After the demo model loads, the Vulnerability Control Summary page is displayed in the workspace. On this page, you can see summaries about the vulnerability occurrence data in your organization. The scores for each center provide an indication of how your organization is doing in that part of the risk assessment process.

You can see the average scan cycle, the risk level of threats to your organization, and the number of vulnerability occurrences that are within their SLA (that is, not yet late to be fixed). Note that an ‘excellent’ score on the SLA may be caused by a fairly new model—no vulnerability occurrences have been in the model long enough to be out of their SLA.

Discovery, prioritization, remediation

The process used in Vulnerability Control is discovery, prioritization, and then remediation.

1 Discovery: Monitor and understand the organization, its assets, and its technologies

2 Prioritization: Correlate vulnerability data with exploit availability and use, highlight issues by importance and urgency

3 Remediation: Monitor the remediation process (how fast issues are fixed)

You can view the data from these perspectives at the organizational level and for each level of the organization.

The following information is also available in Vulnerability Control:

› Exposure by Threat: Information regarding exposure to various threats

› Analyses: Advanced queries on different entities in the system

Discovery Center overview

The Discovery Center is the main area for understanding the health of your network model in terms of vulnerability occurrences and assets.

To understand the overall health of your vulnerability occurrences and assets

1 In the tree, click Vulnerability Control. Use this node to view overall data from all 3 perspectives (discovery, prioritization, and remediation).

2 Click the Discovery Center tab.

3 Look at the highlights at the top of the page. You can see such things as the average age of vulnerability occurrences, number of newly discovered vulnerability occurrences, and number of assets with overdue scans.

The highlights area helps you to understand whether the vulnerability information in your model is up to date.


4 Look at the 1st chart, Last Reported Vulnerability Occurrence by Source. You can see that vulnerability occurrence data in the demo model comes from various sources including Qualys scans, SCCM, and the Skybox Vulnerability Detector.

The chart displays how much of the network each source is covering, and how old the data currently is.

5 The Last Reported Vulnerability Occurrence table at the bottom lists the number of vulnerability occurrences for each reporting period, and how many of them are new.

6 The 2nd chart in the top row, Vendors by Vulnerability Definitions, helps you to understand the breakdown of Vulnerability Definitions across different vendors (technologies).

This can help security or systems managers understand where to focus for mitigation and remediation efforts.

7 Click the arrow next to the chart name to switch between viewing both new and existing Vulnerability Definitions to viewing new Vulnerability Definitions only.


8 The Top New Vulnerability Occurrences by Definition chart lists the most ‘popular’ (that is, the most frequently occurring) new Vulnerability Definitions.

9 The OS Vendors by Number of Assets chart helps you to understand how many assets per vendor have vulnerability occurrences.

The chart shows the number of assets per vendor and highlights those that were scanned more than 91 days ago as overdue for rescanning or re-identification by Skybox Vulnerability Detector.

If you mouse over a vendor, you can see how many overdue assets from that vendor are in the model.

The same information is available as a list in the OS Vendors by Overdue Assets table. You can click a link in the table to view additional information.

DISCOVERY CENTER IN THE TREE

You can view Discovery Center information for each level of the model, from your entire organization down to individual Business Asset Groups. This information includes a Summary page with various charts and tables showing the status of your networks and assets, and pages with detailed information about vulnerability occurrences and assets.

To view the health of the whole organization or a specific part of it

1 Make sure that Discovery Center is selected above the tree.

2 In the tree, click Organization > Asia Pac Operations.

You can see the Summary page for this level, including highlights at the top and 4 sections. These sections are the same as those in the Discovery Center overview page, but filtered for the currently selected Business Asset Group. The Overdue Assets highlight is also filtered for the currently selected entity.

3 Look at the number of overdue assets in the highlight. In the OS Vendors by Number of Assets and OS Vendors by Overdue Assets sections, you can see the vendors of the overdue assets.

4 Click a link to drill down to more information about the Vulnerability Definitions page or the Assets page.

VULNERABILITY DEFINITIONS AND ASSETS

The Vulnerability Definitions page and the Assets page are part of the Discovery Center.

The Vulnerability Definitions page lists all the Vulnerability Definitions that directly affect your organization, with detailed information about each Vulnerability Definition.

The Assets page lists all the scanned assets, grouped by operating system vendor.

For each asset, you can see detailed information, including access and routing rules, vulnerability occurrences, and business attributes.

Prioritization Center

The Prioritization Center is used to view your organization’s assets and understand how the vulnerability occurrences are affecting the assets, in terms of exposure and exploitability.

Skybox includes advanced exploitability information about vulnerabilities, which are divided into: No Exploit, Exploit Available, or Exploited in the Wild. “Exploited in the wild” refers to vulnerabilities actively being targeted by malware, ransomware, exploit kits, and threat actors in the wild. “Exploit available” means that there are published exploits available for the vulnerabilities, but they are not yet being used.

This enables the security team to prioritize vulnerabilities by their threat level. Imminent threats (for example, exposed vulnerabilities and those that are exploited in the wild) should be remediated promptly, while potential threats (for example, exploit available and no exploit) should be remediated in a “business as usual” time frame.
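The layering and the imminent/potential split described above can be sketched as follows. This is an added illustration, not Skybox code and not the product's algorithm. It assumes that each occurrence is counted in exactly one layer with Exposed taking precedence; the record fields, definition IDs and asset names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Layers in the order the guide lists them, most urgent first.
LAYERS = ("Exposed", "Exploited in the Wild", "Exploit Available", "No Exploit")
# The guide treats exposed and exploited-in-the-wild vulnerabilities as imminent.
IMMINENT_LAYERS = {"Exposed", "Exploited in the Wild"}


@dataclass(frozen=True)
class Occurrence:
    """One vulnerability occurrence (hypothetical record layout)."""
    definition_id: str   # constructed placeholder, not a real dictionary ID
    asset: str
    unit: str            # business unit that owns the asset
    exploitability: str  # "No Exploit", "Exploit Available" or "Exploited in the Wild"
    exposed: bool        # reachable by an attack path (assumed to be precomputed)


def layer_of(occ):
    """Assign an occurrence to one layer; exposure outranks exploitability (assumption)."""
    if occ.exploitability not in LAYERS[1:]:
        raise ValueError(f"unknown exploitability: {occ.exploitability!r}")
    return "Exposed" if occ.exposed else occ.exploitability


def threat_class(occ):
    """'imminent' means remediate promptly, 'potential' means business as usual."""
    return "imminent" if layer_of(occ) in IMMINENT_LAYERS else "potential"


def pyramid(occurrences):
    """Per layer: number of occurrences and number of distinct definitions involved."""
    counts = {layer: 0 for layer in LAYERS}
    definitions = {layer: set() for layer in LAYERS}
    for occ in occurrences:
        layer = layer_of(occ)
        counts[layer] += 1
        definitions[layer].add(occ.definition_id)
    return {
        layer: {"occurrences": counts[layer], "definitions": len(definitions[layer])}
        for layer in LAYERS
    }


def affected_assets_by_unit(occurrences, layer):
    """Distinct affected assets per unit for one layer, most affected unit first."""
    assets = defaultdict(set)
    for occ in occurrences:
        if layer_of(occ) == layer:
            assets[occ.unit].add(occ.asset)
    return sorted(
        ((unit, len(names)) for unit, names in assets.items()),
        key=lambda item: (-item[1], item[0]),
    )


# Constructed sample data; the unit names are borrowed from the demo model.
SAMPLE = [
    Occurrence("DEF-0001", "eu-web-01", "Europe Operations", "Exploited in the Wild", True),
    Occurrence("DEF-0001", "eu-web-02", "Europe Operations", "Exploited in the Wild", False),
    Occurrence("DEF-0002", "eu-db-01", "Europe Operations", "Exploited in the Wild", False),
    Occurrence("DEF-0002", "ap-app-01", "Asia Pac Operations", "Exploited in the Wild", False),
    Occurrence("DEF-0003", "ap-app-01", "Asia Pac Operations", "Exploit Available", False),
    Occurrence("DEF-0004", "ap-app-02", "Asia Pac Operations", "No Exploit", False),
    Occurrence("DEF-0003", "eu-web-02", "Europe Operations", "Exploit Available", True),
]

if __name__ == "__main__":
    for layer, stats in pyramid(SAMPLE).items():
        print(f"{layer:22} {stats['occurrences']} occurrences, "
              f"{stats['definitions']} definitions")
    print(affected_assets_by_unit(SAMPLE, "Exploited in the Wild"))
```
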

To make sure that the data is current

› On the toolbar, click . This reanalyzes the security metrics and the exposure data.

To switch to the Prioritization Center overview

1 In the tree, click Vulnerability Control, and then click the Prioritization Center tab.

The left-hand side of the page shows a pyramid of the riskiest vulnerabilities in the current context according to their urgency.

For each layer of the pyramid (Exposed, Exploited in the Wild, Exploit Available, and No Exploit), you can see the risk, number of vulnerability occurrences in this layer, and number of Vulnerability Definitions involved. The selected layer points to information on the right-hand side, including a chart that is a breakdown of the security metric at that level; you can see which parts of the organization are most affected by it.

2 Make sure that Exploited in the Wild is selected in the pyramid.

3 Look at the chart.

It represents the organization’s security statistics from the point of view of a security metric named Overall – Vul Level, for the Exploited in the Wild threat level.

You can see that, for Exploited in the Wild vulnerabilities, the Europe Operations subunit has critical risk and the most affected assets as opposed to the other 2 subunits. Europe Operations should be fixed first.

Note: You can also view the security statistics according to different security metrics (for example, new vulnerabilities, web browser vulnerabilities, or a vulnerability advisory). These indicate how much your organization is affected by vulnerabilities from each of these vendors.

4 Look at the list of Vulnerability Definitions under the chart. These are the Vulnerability Definitions that contribute the most risk in this scenario.

5 In the pyramid, click the Definitions link in the Exploited in the Wild layer.

The view switches to show the Vulnerability Definitions by exploitability.

6 You can change the exploitability filter to view the Vulnerability Definitions at the desired exploitability level or levels.

7 Select an exploited in the wild vulnerability and look at the Malware & Exploits tab in the Details pane.

• For exploited in the wild vulnerabilities, you can see the malware, ransomware, and exploit kits that are using this Vulnerability Definition.

• For vulnerabilities with available exploits, you can see information about the available exploits.

SECURITY METRICS

In Skybox, security metrics are calculated based on the density and severity of vulnerability occurrences. They provide threat-level ranking for your entire organization and for each Business Unit and Business Asset Group. There are predefined security metrics to cover different types of vulnerabilities (for example, Microsoft Security Bulletins, Cisco Security Bulletins, and web browser vulnerability occurrences), and you can define additional security metrics.

To understand the security status of your organization

1 In the tree, select Organization.

2 Above the tree pane, make sure that the Prioritization Center is selected.

3 In the workspace, click the All Security Metrics tab.

This chart represents the organization’s security statistics from the point of view of various security metrics: new vulnerabilities, new web browser vulnerabilities, or new vulnerability advisories. These indicate how much your organization is affected by vulnerabilities from each of these vendors.

Remediation Center overview

The Remediation Center is the main area for understanding the pace of vulnerability occurrence remediation in your organization. The pace is monitored according to the desired remediation pace of your organization based on the organization’s SLA, which specifies how long it should take for vulnerability occurrences to be fixed. Vulnerability occurrences that still have time to be fixed are in SLA. After that, they are out of SLA with various delay levels. For example, if the SLA for critical vulnerability occurrences in your organization is 30 days, a vulnerability occurrence is in minor delay if it was not fixed within 60 days, in medium delay within 90 days, and in major delay after that.

To understand the pace of vulnerability occurrence remediation in your organization

1 In the tree, click Vulnerability Control, and then click the Remediation Center tab.

2 Look at the highlights at the top of the page.

This is a summary of the current state of vulnerability occurrence remediation.

3 Look at the top set of charts.

• The 1st chart shows the remediation rate of vulnerability occurrences in the organization.

• The 2nd chart shows how many high and critical vulnerability occurrences are already out of SLA, and by how much.

• The 3rd chart shows a comparison of how many high and critical vulnerability occurrences were found in the past months or weeks vs. how many were fixed. This helps you to understand whether you are keeping pace with the rate at which vulnerability occurrences are found in the organization.

4 Look at the All Security Metrics section.

The table shows SLA-related information about all security metrics. The main column—In SLA Vulnerabilities—makes it easy for you to see which security metrics have a low percentage of vulnerability occurrences that are in SLA. Examine these security metrics carefully to see what happened.
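One way to reproduce the In SLA percentage per security metric for open occurrences, as an added example (not Skybox's code). It assumes one reading of the 30/60/90-day example above, in which each delay level spans one further SLA period; the non-critical SLA values and all sample occurrences are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# SLA definition: days allowed per severity. Only the 30-day critical value
# comes from the guide's example; the other values are constructed.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90}


@dataclass(frozen=True)
class Occurrence:
    """One open (unfixed) vulnerability occurrence. Sample data is constructed."""
    asset: str
    severity: str
    metric: str   # security metric the occurrence is counted under
    found: date


def sla_status(occ, as_of, sla_days=SLA_DAYS):
    """Return 'In SLA', 'Minor Delay', 'Medium Delay' or 'Major Delay'.

    Assumed reading of the guide's example (SLA 30 days: minor delay up to
    60 days, medium delay up to 90 days, major delay after that).
    """
    if occ.severity not in sla_days:
        raise ValueError(f"no SLA defined for severity {occ.severity!r}")
    age = (as_of - occ.found).days
    if age < 0:
        raise ValueError(f"{occ.asset}: found date is after the as-of date")
    sla = sla_days[occ.severity]
    if age <= sla:
        return "In SLA"
    if age <= 2 * sla:
        return "Minor Delay"
    if age <= 3 * sla:
        return "Medium Delay"
    return "Major Delay"


def in_sla_by_metric(occurrences, as_of):
    """Per security metric: (name, in-SLA percentage, status counts), worst first."""
    counts = defaultdict(lambda: defaultdict(int))
    for occ in occurrences:
        counts[occ.metric][sla_status(occ, as_of)] += 1
    rows = []
    for metric, by_status in counts.items():
        total = sum(by_status.values())
        pct = round(100.0 * by_status["In SLA"] / total, 1)
        rows.append((metric, pct, dict(by_status)))
    # Lowest in-SLA percentage first: these metrics need a closer look.
    return sorted(rows, key=lambda row: (row[1], row[0]))


AS_OF = date(2017, 6, 30)
SAMPLE = [  # constructed occurrences
    Occurrence("web01", "critical", "Web Browser Vulnerabilities", date(2017, 6, 10)),
    Occurrence("web02", "critical", "Web Browser Vulnerabilities", date(2017, 5, 16)),
    Occurrence("db01", "critical", "New Vulnerabilities", date(2017, 4, 16)),
    Occurrence("db02", "critical", "New Vulnerabilities", date(2017, 3, 2)),
    Occurrence("app01", "high", "New Vulnerabilities", date(2017, 5, 16)),
]

if __name__ == "__main__":
    for metric, pct, by_status in in_sla_by_metric(SAMPLE, AS_OF):
        print(f"{metric}: {pct}% in SLA {by_status}")
```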

REMEDIATION CENTER IN THE TREE

For each level of the Security Metrics tree, the Remediation Center includes a Summary page with various charts and tables showing the remediation status of the vulnerability occurrences affecting your organization. There is also a table that lists the SLA definition for each severity level.

You can view Remediation Center information for each level of the model.

To view the remediation rates for the whole organization or a specific part

1 Above the tree, make sure that Remediation Center is selected.

2 In the tree, select Organization.

The information in the top half of this page is very similar to that displayed on the Remediation Center overview page, but in slightly more detail; you can select a different security metric to see the remediation for that security metric at this level of the organization.

3 Look at the SLA Statistics table.

This table lists SLA statistics for the selected node and the selected security metric.

4 Look at the SLA Definition table.

This table lists the SLA definition for this security metric for each severity.

Note: The SLA for each security metric is defined separately.

5 The 2nd tab in the Remediation Center lists the Vulnerability Definitions or security bulletins. When you drill down from the Summary page, the list is sorted according to what you click. For example, if in the Found Vulnerabilities by SLA table, you click the Minor Delay link, the list of vulnerabilities is sorted by the Minor Delay column.

Exposure information and analyses

The Exposure by Threat section of the Vulnerability Control tree shows vulnerability occurrences exposed to various threats to your organization (for example, corrupted insiders or internet hackers).

The Analyses section shows the results of various queries on entities, including a list of all vulnerability occurrences that are directly exposed to a threat, the risk of all the Business Asset Groups, and vulnerability occurrences by operating system. Skybox includes many predefined analyses, and you can create additional analyses to suit your organization’s requirements.

Chapter 4

Security Metrics

Skybox Vulnerability Control calculates risk and compliance data from multiple disparate systems and displays the results in various security metrics.

Security metrics are calculated for each unit in your organization and for the whole organization. Security metrics measure the security status of your organization based on the selected set of Vulnerability Definitions or security bulletins. The more critical unhandled vulnerability occurrences or missing security bulletins that you have, the higher the score.

In this chapter

Viewing the security metrics

Predefined security metrics in Skybox Vulnerability Control

Viewing the security metrics

You can view a list of the security metrics from the Remediation Center overview. You can then select the security metric on which you want to focus and view information about the results of that security metric for a specific entity or across the organization.

To switch security metrics

1 In the tree, select Vulnerability Control; in the workspace, click the Remediation Center tab.

2 Look at the All Security Metrics pane. You can see a list of all the security metrics with additional information about each one, including what percentage of the vulnerability occurrences affected by this security metric are in SLA and the risk level of this security metric.

The security metric selected by default is Overall – Vul Level. All scores in the tree, in the Prioritization Center, and in the Remediation Center are based on this security metric.

3 Click the link in the Web Browser Vulnerabilities security metric.

The Security Metrics Summary page for the organization appears, with Web Browser Vulnerabilities in focus. This security metric is now the primary security metric and is reflected throughout Skybox Vulnerability Control.

Predefined security metrics in Skybox Vulnerability Control

Skybox includes the following predefined security metrics. You can add additional security metrics as necessary, or customize existing ones.

› Adobe – Bulletin Level: Security status based on Adobe Security Bulletins.

› Red Hat – Advisory Level: Security status based on Red Hat Security Advisories.

› MS – Bulletin Level: Security status based on Microsoft Security Bulletins.

› New Vulnerabilities: Security status based on alerts (Vulnerability Definitions) published in the last 30 days.

› Web Browser Vulnerabilities: Security status based on the alerts (Vulnerability Definitions) on any of the following browsers: Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari.

› Cisco – Advisory Level: Security status based on alerts (Vulnerability Definitions) on Cisco Security Advisories.

› Oracle – Bulletin Level: Security status based on alerts (Vulnerability Definitions) on Oracle Security Bulletins.

› Antivirus integrity – Vul Level: Security status based on alerts (Vulnerability Definitions) on antiviruses.

› Overall – Vul Level: Security status based on all types of Vulnerability Definitions.

› Mobile – Vul Level: Security status based on alerts (Vulnerability Definitions) on any of the following mobile devices: Apple, Android, and Blackberry.

For each type, the more unhandled critical security bulletins or Vulnerability Definitions that you have, the higher the score.

Chapter 5

Exposure by threat

The exposure by threat feature of Skybox Vulnerability Control continuously quantifies your organization’s risk and prioritizes vulnerability occurrences by considering threats, security controls, business information, and network policies.

This tutorial explains how to use this feature to analyze and mitigate risk in your organization’s network.

In this chapter

Exposure by Threat Summary page

Analyzing exposure

Viewing exposure

Viewing vulnerability occurrences

Viewing threats

Viewing Business Asset Groups

Network Map

Using the Attack Explorer

Exposure by Threat Summary page

Click Exposure by Threat in the tree. The Exposure by Threat Summary page is the main page for Exposure, where you can see summaries about your organization’s risk from various perspectives.

The Summary page contains information about:

› Exposed Vulnerability Occurrences: Vulnerability occurrences grouped according to the Threat Origins that can easily access them and according to their risk (exposed vulnerability occurrences are located on assets that are 1 or 2 steps away from a Threat Origin)

• Threat Origins are locations from which attacks can be launched against your organization. Threat Origins include: Internet Hacker, B2B, and Corrupted Insider.

• Direct vulnerability occurrences are vulnerability occurrences that are directly exposed to the Threat Origin.

• 2nd-step vulnerability occurrences are 1 step further away from the Threat Origin than direct vulnerability occurrences.

These are the vulnerability occurrences that should be fixed as soon as possible to prevent attacks.

Note: You can see additional steps in the Attack Explorer.

› Threat Origins by Risk: The Threat Origins that impose the most risk on your organization

From the Summary page, you can drill down to whichever Threat Origin interests you. Alternatively, you can drill down to a Threat Origin by selecting it in the Tree pane.

Analyzing exposure

After the demo model is loaded, the Exposure by Threat Summary page displays general information about exposure. Some detailed exposure information is not kept when a model is saved and must be reanalyzed after the model is loaded.

The analysis is done by a predefined Skybox task named Analyze – Simulate Attacks. During this analysis, Skybox checks how potential attackers (Threat Origins) can use the network and vulnerability occurrences to attack your organization’s Business Asset Groups. The task analyzes access to and within the network by checking network-level connectivity from any source to any destination (on any port) to find possible attack scenarios. Skybox considers network topology, traffic rules, preconditions, and effects of vulnerability occurrences (taken from the Skybox Vulnerability Dictionary), and uses them to analyze multi-step attacks.

The analysis:

› Outputs an attack graph that includes all possible attacks on your network according to the existing vulnerability occurrences.

Note: Only part of this graph is visible to users, but all the graph’s data is used as the basis for information provided by Skybox.

› Assigns risk levels to all Business Asset Groups, according to the likelihood of their being attacked.

The results of attack simulation are used as the basis for exposure, risk analyses, the Attack Explorer, and risk-related reports.
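The step counting behind direct and 2nd-step exposure and the Prioritization Center layers, as an added illustration (not Skybox's code or algorithm): a breadth-first search over a constructed access graph. It assumes that every vulnerability occurrence gives the attacker a foothold on its asset (preconditions and effects are ignored) and that the Exposed layer takes precedence over the exploitability layers; all asset names, occurrence ids and edges are hypothetical.

```python
from collections import deque

# Constructed model. An edge means "traffic from the left node is allowed to
# reach the right node" (what routing and firewall rules permit).
ACCESS = {
    "Internet Hacker": ["dmz-web", "dmz-mail"],
    "dmz-web": ["app01"],
    "dmz-mail": ["app01"],   # no vulnerability on dmz-mail, so no stepping stone
    "app01": ["db01"],
    "db01": ["payments01"],
    "Corrupted Insider": ["app01", "hr01"],
}
ORIGINS = ["Internet Hacker", "Corrupted Insider"]

# (occurrence id, asset, exploitability); ids are placeholders, not real CVEs.
OCCURRENCES = [
    ("VO-1", "dmz-web", "Exploit Available"),
    ("VO-2", "app01", "No Exploit"),
    ("VO-3", "db01", "Exploited in the Wild"),
    ("VO-4", "payments01", "Exploited in the Wild"),
    ("VO-5", "hr01", "Exploited in the Wild"),
    ("VO-6", "backup01", "Exploit Available"),   # unreachable from any origin
    ("VO-7", "legacy01", "No Exploit"),          # unreachable from any origin
]
LAYER_ORDER = ["Exposed", "Exploited in the Wild", "Exploit Available", "No Exploit"]


def attack_steps(origin, access, occurrences):
    """Minimum number of attack steps from origin to each vulnerable asset."""
    vulnerable = {asset for _, asset, _ in occurrences}
    steps, seen = {}, {origin}
    queue = deque([(origin, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in access.get(node, []):
            # The attacker can only move on from an asset it can compromise.
            if nxt in seen or nxt not in vulnerable:
                continue
            seen.add(nxt)
            steps[nxt] = dist + 1
            queue.append((nxt, dist + 1))
    return steps


def exposure(origins, access, occurrences, max_exposed_step=2):
    """Per occurrence: closest Threat Origin, its step count and pyramid layer."""
    per_origin = {o: attack_steps(o, access, occurrences) for o in origins}
    result = {}
    for occ_id, asset, exploitability in occurrences:
        reach = [(s[asset], o) for o, s in per_origin.items() if asset in s]
        step, origin = min(reach) if reach else (None, None)
        exposed = step is not None and step <= max_exposed_step
        result[occ_id] = {
            "asset": asset, "origin": origin, "step": step,
            "layer": "Exposed" if exposed else exploitability,
        }
    return result


def pyramid(result):
    """Group occurrence ids by layer, most urgent layer first."""
    layers = {name: [] for name in LAYER_ORDER}
    for occ_id, info in result.items():
        layers[info["layer"]].append(occ_id)
    return layers


def counts_by_origin(origins, access, occurrences):
    """Direct and 2nd-step occurrence counts per Threat Origin."""
    table = {}
    for origin in origins:
        steps = attack_steps(origin, access, occurrences)
        by_step = [steps.get(asset) for _, asset, _ in occurrences]
        table[origin] = {"direct": by_step.count(1), "second_step": by_step.count(2)}
    return table


if __name__ == "__main__":
    for layer, ids in pyramid(exposure(ORIGINS, ACCESS, OCCURRENCES)).items():
        print(f"{layer}: {ids}")
    print(counts_by_origin(ORIGINS, ACCESS, OCCURRENCES))
```

VO-4 sits on the asset behind the database but is 3 steps from the nearest Threat Origin, so in this model it is not exposed and is ranked by its exploitability instead.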

To analyze exposure

› On the toolbar, click .

Analysis should be done any time that there are changes to the model (for example, new firewall data is added or there are new vulnerability scans). When working with real data, you run the Analyze – Simulate Attacks task after you run import or vulnerability detection tasks.

Viewing exposure

Exposed Vulnerability Occurrences

The graphs on the Summary page indicate the main exposure issues currently facing your organization. Resolving them greatly reduces the risk to your organization.

Exposed vulnerability occurrences are located on assets that are 1 or 2 steps away from a Threat Origin. In addition to direct damage that these assets might sustain as the result of an attack, they might also serve as gateways to other assets in your network. These vulnerability occurrences require immediate attention; their mitigation reduces the risk profile for the whole organization.

The number of exposed vulnerability occurrences is much smaller than the total number of vulnerability occurrences. After you sort the exposed vulnerability occurrences by risk, you can clearly see which vulnerability occurrences need immediate mitigation. Even in a much larger network, the number of exposed nodes with high or critical risk is a fraction of the original number of assets in the network.

You can see which vulnerability occurrences are most accessible to each Threat Origin in the Vulnerability Occurrences by Threat graph. When you click a link in the graph, you can see a list of the vulnerability occurrences.

You can see which vulnerability occurrences are most accessible to each Threat Origin in the Direct Vulnerability Occurrences by Risk graph. When you select a specific threat, the graph is linked; click a level to go to a list of the vulnerability occurrences for that Threat Origin, sorted by level.

The Trend of Direct Vulnerability Occurrences graph shows whether the number of direct vulnerability occurrences for each of the 3 top risk Threat Origins is increasing or decreasing. You can select whether to view all 3 top Threat Origins or just 1 of them, and you can select whether to view the daily, weekly, or monthly trend.

Threat Origins

The Top 3 Threat Origins table displays the risk, and the number of direct vulnerability occurrences and 2nd-step vulnerability occurrences for each of the top 3 Threat Origins. Click a Threat Origin to drill down to the list of vulnerability occurrences (direct and 2nd-step) for the selected Threat Origin.

The Risk column includes a 5-level, color-coded scale: . The risk of each Threat Origin is indicated by a highlight on the scale. For example, a Threat Origin with Critical risk has the following icon in the Risk column: .

The Direct Vulnerability Occurrences and Second Step Vulnerability Occurrences columns show the number of (direct or 2nd-step) vulnerability occurrences for the Threat Origin, the change since the previous day in number of vulnerability occurrences (for example, +4 means that there are 4 more vulnerability occurrences since the last time the risk was analyzed), and the general trend since the previous analysis (up arrow or down arrow). Click a link in a column to drill down to a list of vulnerability occurrences with that exposure for the Threat Origin.

Viewing vulnerability occurrences

When you drill down from the Summary page to the vulnerability occurrences of a specific Threat Origin, you see a list of vulnerability occurrences that the selected Threat Origin can use to attack the Business Asset Groups in your organization.

Depending on your point of origin, you might see only direct vulnerability occurrences, only 2nd-step vulnerability occurrences, or direct and 2nd-step vulnerability occurrences. You can change this using the filters at the top of the tab.

To view vulnerability occurrences

1 On the Vulnerability Occurrences by Threat graph on the Exposure Summary page, click the Direct Vulnerability occurrences link for the Corrupted Insider Threat Origin.

A list of vulnerability occurrences appears. These are all the vulnerability occurrences that Corrupted Insider can exploit directly.

2 If the vulnerability occurrences are grouped by severity, ungroup them.

3 Select a vulnerability occurrence in the table and look at the Details pane below the table.

Each tab contains a different type of information about the vulnerability occurrence. Some information relates specifically to this vulnerability occurrence (including the asset and service on which the vulnerability occurrence is found) and some is general information about the Vulnerability Definition, including the CVSS metrics and known solutions for this Vulnerability Definition.

4 Click to display advanced information tabs about the vulnerability occurrence, including the external vulnerability databases that include the Vulnerability Definition and external URLs that report on this Vulnerability Definition.

Severity vs. risk

Severity is the value in the 1st column. It is defined in the Skybox Vulnerability Dictionary, mainly based on the CVSS metrics of the Vulnerability Definition. Severity and risk provide important information about the vulnerability occurrences in your organization. However, while severity is a useful tool for comparing vulnerability occurrences, it does not take the metrics of your system (network, business, and security information) into account. The imposed risk that Skybox calculates for each vulnerability occurrence provides much more accurate information about how the vulnerability occurrence affects your system. This imposed risk is based on factors that include the location of the vulnerability occurrence in the network and the potential damage that could be caused if the vulnerability occurrence is used as part of an attack.

Viewing threats

A threat in Skybox is a possible attack from a specific Threat Origin on Business Asset Groups. Threat Origins are defined manually in Skybox; they are not imported.

The definition of a Threat Origin includes the attacker’s location, the likelihood of attack, the attacker’s skill level, and the privilege level (root or user) of the attacker on the attacking computer. It also includes the Threat Origin Categories to which the Threat Origin belongs. The default Threat Origin Category names are External Threats, Internal Threats, Worm Threats, and B2B Threats, but you can change these names to suit your organization’s requirements.

During attack simulation, Skybox checks how these potential attackers can use the network and vulnerability occurrences to attack the Business Asset Groups.

On the Exposure by Threat Summary page, you can see overview information about the exposure of your organization to the defined Threat Origins and you can drill down to the vulnerability occurrences that enable attacks from each Threat Origin. You can drill down to additional information about each of the top 3 Threat Origins.

To view the Threat Origins in your organization

1 With the Exposure by Threat Summary page open, click the Threat Origins tab in the workspace.

You can see a list of the Threat Origins in your organization. For each Threat Origin, you can see its location and its imposed risk: the risk that the Threat Origin can potentially cause to your organization.

2 Select a Threat Origin in the list (click in the Threat Origin’s row, but do not click its link at this point).

• The Details pane lists the attacks that this Threat Origin can perpetrate on your organization. Other information available in the Details pane includes the vulnerability occurrences (direct and 2nd-step) that the Threat Origin could use to attack your organization, and the risks—the regulations (for example, SOX and GLBA) that would be affected by these attacks—and the risk that each of them would pose.

3 At the top of the workspace are 2 buttons:

• : Opens the Access Analyzer, where you can see the access route from the Threat Origin to any node in your organization.

• : Opens the Attack Explorer, where you can view all the attacks from the Threat Origin, define a set of remedies to block the attacks or reduce risk, and create tickets for these remedies.

To view information about a specific Threat Origin

1 In the table, click a link to a Threat Origin. (Alternatively, you can select the Threat Origin in the Tree pane.)

Depending on the tab that you select, you can see the attacks, vulnerability occurrences, or risks for the Threat Origin.

2 Select an attack in the Table pane to view additional information about it in the Details pane.

3 Click the Risk Factors tab.

The Details pane shows the risk for the selected Threat Origin (Internet Hacker) attacking each destination to which it can gain access, sorted by Risk; the risk factor of the Internet Hacker Threat Origin is greatest on the Back End Payment System.

Because the type and amount of damage to a Business Asset Group are defined by the Business Impacts and Regulations, the risk for each Business Impact or Regulation is listed separately. For example, you can see that the risk to the Back End Payment System from this Threat Origin is High for Mission Critical and that the risk is Low for Financial Information Confidentiality.

4 In the Table pane, click the Vulnerability Occurrences tab.

5 Select a vulnerability occurrence to view additional information about it in the Details pane.

Viewing Business Asset Groups

The 3rd tab visible for the Exposure by Threat node in the Tree pane is Business Asset Groups. This tab provides information about all the Business Asset Groups in your organization. The information in the table includes their risk, and how many assets and vulnerability occurrences they have. As with Threat Origins, you can click Attack Explorer to see all possible attacks on a Business Asset Group, define a set of remedies to block the attacks or reduce risk, and create tickets for the remedies.

To view information about a Business Asset Group

1 With the Exposure by Threat node selected, click the Business Asset Groups tab.

2 In the table, you can see the risk, number of assets, and number of vulnerability occurrences for each Business Asset Group.

3 Select the Back End Payment System Business Asset Group.

In the Details pane, you can see additional information about the Business Asset Group.

4 Click the Regulations tab.

In Skybox, a Regulation is a rule that specifies the damage to an organization as a result of not handling a Business Asset Group in conformity with a regulatory requirement (for example, Sarbanes-Oxley, GLBA, or HIPAA).

5 You can see that the Back End Payment System Business Asset Group is currently classified according to 3 regulations: GLBA Privacy Rule, SOX 404, and SOX 409. For each Regulation, you can see the type and amount of damage that would occur if it is compromised.

6 In the Table pane, right-click Back End Payment System and select Properties.

7 Click the Regulations tab.

You can see which Regulations are associated with this Business Asset Group (GLBA Privacy Rule, SOX 404, and SOX 409). For the SOX 404 Regulation, the Loss Type is CIA (confidentiality, integrity, and availability) and the potential damage that would be incurred if this Business Asset Group is attacked is High.

8 You can change the damage level of a Regulation on the Business Asset Group, and you can switch between the sliding scale and monetary rates.

a. Select the Regulation (in this case, select SOX 404).

b. Click the Browse button in the Damage column.

c. Select Monetary ($) and type 40000000 (40 million).

d. Click OK.

e. Click Cancel to close the Back End Payment System Properties dialog box; do not save the changes.

In Skybox, a Business Impact is a rule that specifies the damage to an organization as a result of security or availability loss of the information associated with a Business Asset Group. The information available for Business Impacts is the same as that available for Regulations. With the Back End Payment System Business Asset Group selected in the Table pane, click the Business Impacts tab. You can see the Business Impacts associated with Back End Payment System, with their possible damage and loss type if the Business Asset Group is compromised.

Network Map

The Network Map provides a visual representation of network connectivity: it displays your organization’s networks, and their interconnections through routers and firewalls.

The Network Map contains:

› Networks (with their IP addresses)

› Segmented networks

› VPNs

› Perimeter Clouds

› Connecting Clouds

› Firewalls

› Routers

To open the Network Map and view entities

1 On the toolbar, click .

The Network Map window opens.

2 In the Map field, select Organizational Map.

To view or modify the properties of an entity in the map, right-click the entity and select Properties. You can also view other entity-specific information by selecting, for example, Routing Rules or Access Rules.

3 Right-click main_FW and select Access Rules to open the Access Control List Editor, which lists all the access rules for this firewall.

main_FW is in the New York area. You can zoom with the mouse if you can't see it otherwise.

4 Close the ACL Editor and the network map when you are finished.

Using the Attack Explorer

Use the Attack Explorer to view risk on a specific entity (for example, the risk of a Business Asset Group or the risk from a Threat Origin), define remedies to block attacks or reduce risk, and create tickets for these remedies.

Note: The Attack Explorer does not display any results until you run the Analyze – Exposure task or analyze exposure at least once on the model that you are using.


To open the Attack Explorer

1 In the Tree pane, select Exposure by Threat, and then click the Business Asset Groups tab in the workspace.

2 In the Table pane, select Back End Payment System.

3 At the top of the list, click .

The Skybox Attack Explorer consists of 3 panes:

• Information: The left pane contains information about attacks on the selected entity.

• Map: The upper-right pane contains an Attack Map for the selected Business Asset Group.

• Solutions: Use the lower-right pane to select the vulnerabilities on which to create tickets.

When you open the Attack Explorer, it displays a compressed summary of possible attacks on the selected Business Asset Group. In this view, you see how the selected Business Asset Group can be attacked, at the level of networks or locations. You can expand any entity in the map to view specific attacks.

In the Map pane, you can see the Threat Origins and the basic routes that they can take to get to Back End Payment System (the selected goal). A darker arrow between 2 nodes indicates a more likely attack path than a lighter arrow.

VIEWING VULNERABILITY OCCURRENCES IN THE ATTACK EXPLORER

The Attack Explorer presents information about the assets, services, and vulnerability occurrences in the system, in the context of each attack. With the Attack Explorer, you can see potential attacks and use this information to prevent them.


To view a vulnerability occurrence in the Attack Explorer

1 With the Attack Explorer still open for Back End Payment System, click .

The Map pane changes to display detailed information about nodes involved in the attacks with the highest probability. The vulnerability occurrences are depicted in larger text and the smaller text above the vulnerability occurrence name shows the node’s location. (Mouse over the text of any line of the location to enlarge the text.)

For example, 1 location of the BIND (53/TCP) vulnerability occurrence is US (location) > NY (sublocation inside the US location) > dmz (network inside the NY sublocation) > dmz_dns0 (asset).

2 Click this vulnerability occurrence.

Information about the vulnerability occurrence appears in the Information pane (left pane of the Attack Explorer), including its location and its impact on the course of the attack.


You can enlarge the pane or scroll down in it to see all available information.

USING THE ATTACK EXPLORER TO ANALYZE ACCESS TO YOUR NETWORK

Besides showing the steps of an attack (the Threat Origin, vulnerability occurrences, and Business Asset Group involved in the attack), the Attack Explorer lets you see how the attacker can gain access from one attacked asset to the next. This access analysis provides full network access analysis, including access rules and routing information.


To show the access route between Internet Hacker and dmz_dns0

1 Click .

2 Click the arrow leading from the Internet Hacker node to the dmz node.

3 On the dmz node, click to show the assets in this network. Select dmz_dns0.

4 Again, click the arrow leading from the Internet Hacker node to this node.

5 In the Information pane, click Access Route.

The access route between the nodes appears in the Information pane, including access rules and routing information.

PLANNING REMEDIATION USING THE ATTACK EXPLORER

This section of the tutorial explains how to manually create and manage remedies (in the form of tickets). When you finish this section, you will have a good idea of what you can do with the information presented by Skybox to better protect your organization’s Business Asset Groups.


You create a remedy by selecting the best solution from a list of suggested solutions (for example, patch software, change an access rule, or remove an unnecessary service) and creating a ticket with the suggested solution for a member of your organization’s team to apply on the network. However, the vulnerability occurrence is not mitigated until the assigned team member implements the solution. To update the model so that the vulnerability occurrence is no longer valid, either wait for or launch the next scanning task, or mark the vulnerability occurrence as fixed in the model.

You can create a ticket even when you are not sure of the best solution to the problem. In this case, the ticket informs the owner of the problem and it is their job to select the proper solution and apply it.

Skybox’s ticketing system keeps track of the status of existing tickets, whether they are created automatically (by tasks) or manually, as above.

Planning strategy with the Attack Explorer

Looking at the Map pane, it seems that the best way to mitigate all possible attacks on the Back End Payment System Business Asset Group is to block all attacks going into Europe and into dmz_dns0.

To block all these attacks

1 In the Map pane, right-click an arrow leading into Europe and select List Entry Attack Steps.

The entry vulnerability occurrences associated with a link (an arrow) are those vulnerability occurrences in the link’s destination that can be exploited directly from the link’s source. The exit vulnerability occurrences associated with a link are those vulnerability occurrences in the link’s source that can be exploited to access the link’s destination in an attack.

The entry vulnerability occurrences for the selected path are listed in the Solutions pane.

2 For each vulnerability occurrence listed, select the check box in the S (To be Solved) column.

Note: Vulnerability occurrences that already have tickets—that is, someone is already planning to solve them—cannot be selected.


3 Repeat steps 1 and 2 for all paths to Europe and to dmz_dns0 until all attack paths through them to the Back End Payment System Business Asset Group are grayed out.

At this point, you can see that blocking all attacks to Europe and to dmz_dns0 does not involve many vulnerability occurrences. If it did, and if there is another possible strategy, you could clear the vulnerability occurrences and try the other strategy before creating any tickets. For this exercise, you now create tickets for the marked vulnerability occurrences.
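The planning step above can be reasoned about as a small graph problem. The following sketch is an added example, not Skybox code or output: it treats a link as usable while at least one of its entry vulnerability occurrences is unsolved, and compares two blocking strategies by how many occurrences each requires. The attack map, the hosts eu_web0, eu_mail0, pay_* and the VO-n occurrence names are constructed; only Internet Hacker, Europe, dmz_dns0, BIND (53/TCP), Apache Chunked-Encoding and Back End Payment System come from the tutorial.

```python
GOAL = "Back End Payment System"
ORIGINS = ["Internet Hacker"]

# Constructed attack map: (source, destination) -> entry vulnerability
# occurrences, i.e. occurrences in the destination that can be exploited
# directly from the source. Hosts and VO-n names are invented for this sketch.
LINKS = {
    ("Internet Hacker", "dmz_dns0"): {"BIND (53/TCP) on dmz_dns0"},
    ("Internet Hacker", "Europe"): {"Apache Chunked-Encoding on eu_web0",
                                    "VO-1 on eu_mail0"},
    ("Europe", "dmz_dns0"): {"BIND (53/TCP) on dmz_dns0"},
    ("Europe", GOAL): {"VO-2 on pay_db0", "VO-3 on pay_app0"},
    ("dmz_dns0", GOAL): {"VO-2 on pay_db0", "VO-4 on pay_app1",
                         "VO-5 on pay_app2"},
}


def entry_attack_steps(destination):
    """Entry vulnerability occurrences of every link leading into destination."""
    steps = set()
    for (_, dst), occurrences in LINKS.items():
        if dst == destination:
            steps |= occurrences
    return steps


def plan(*destinations):
    """Occurrences to mark as 'to be solved' to block all links into destinations."""
    marked = set()
    for destination in destinations:
        marked |= entry_attack_steps(destination)
    return marked


def open_paths(solved):
    """Attack paths from a Threat Origin to GOAL that are not yet blocked.

    A link stays usable while at least one of its entry occurrences is unsolved.
    """
    paths = []

    def walk(node, path):
        if node == GOAL:
            paths.append(path)
            return
        for (src, dst), occurrences in LINKS.items():
            if src == node and dst not in path and occurrences - solved:
                walk(dst, path + [dst])

    for origin in ORIGINS:
        walk(origin, [origin])
    return paths


def compare(strategies):
    """Return (name, occurrences to fix, paths left open), cheapest first."""
    rows = [(name, len(marked), len(open_paths(marked)))
            for name, marked in strategies.items()]
    return sorted(rows, key=lambda row: (row[2], row[1]))


if __name__ == "__main__":
    for row in compare({
        "block Europe and dmz_dns0": plan("Europe", "dmz_dns0"),
        "block the asset group itself": plan(GOAL),
        "block Europe only": plan("Europe"),
    }):
        print(row)
```

In this constructed map, blocking the links into Europe and dmz_dns0 closes every path with three occurrences, while blocking at the Business Asset Group itself needs four, which is the kind of comparison the paragraph above suggests making before creating tickets.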

Creating tickets using the Attack Explorer

After you plan a strategy, you can create tickets for the marked vulnerability occurrences.

To create tickets from the Attack Explorer

1 In the Solutions pane, click the Selected Solutions tab.

The attack steps that you marked as Selected are listed in this pane.


2 Right-click the Apache Chunked-Encoding vulnerability occurrence and select Create Ticket.

3 Click the Browse button next to the Owner field to select an owner for the ticket.

The owner is the person responsible for implementing the suggested change on the actual network.

Note: When adding tickets for your model, select a Due Date and make sure that Priority is set correctly for the problem.

4 Select a solution:

a. Click the Solutions tab. This tab lists known solutions for the Vulnerability Definition. Mouse over the description of a solution to see a tooltip containing additional information.

These solutions are taken from the Skybox Vulnerability Dictionary and include links to sites for downloading patches and upgrades (or for additional information) when necessary.

Remember that each solution has a cost. For example, upgrading a service might involve shutting down an application for several hours. If this is a mission-critical application (for example, an online banking application that must be available 24/7), this is obviously not a feasible solution for you.

b. Select the solution whose Solution Type is Block.

5 Click OK.

The ticket is created, but it is not added to the model.


6 Repeat steps 3 through 6 to create tickets for each selected vulnerability occurrence. For this tutorial, it is not necessary to select a solution for every ticket.

Note: You can create a set of tickets for several vulnerability occurrences: select the vulnerability occurrences, right-click, and follow steps 3 through 6 to create the tickets as with a single vulnerability occurrence. This is useful if, for example, there are several vulnerability occurrences of a single Vulnerability Definition or several vulnerability occurrences to be fixed by a single owner. When you create tickets in this manner, you must type a Title Prefix. This prefix is added to the beginning of the name (title) of every ticket created by this action.

When you use multiple selection, some fixes that are applicable to single vulnerability occurrences in the selected set might not be available.

7 Click OK to save the tickets and close the Attack Explorer.

Chapter 6

Access analysis

The Access Analyzer analyzes access in the network topology, taking into account access rules, routing rules, assets, and services.

The Access Analyzer runs on the current model and finds all routes between the selected source and destination. For each destination asset, you can see:

› The ports that are exposed

› The access path between the source and the destination (similar to the Explain Access option in the Attack Explorer)

In this chapter

Analyzing access

Analyzing access from the internet to the network

Analyzing access

The Access Analyzer requires a source and a destination to analyze access:

› If you define a specific source and leave the destination as Any, the Access Analyzer checks which destinations can be reached from the specified source point.

› If you define a specific destination and use Any for the source, the Access Analyzer checks which source points can access the specified destination.

› If you define a specific source and a specific destination, the Access Analyzer checks the access between the 2 specified points.

Note: You must give a value other than Any to at least 1 of Source and Destination.

Other properties refine the query and define how the access is analyzed.

Query results are presented in 2 views:

› A results tree that shows the relevant services, aggregated by their assets, networks, and locations

For example, the results tree of a query verifying access to your mail server would show all assets that have access to the mail server, together with the services on the assets from which the access can be obtained.

› Step-by-step explanations of the access routes


When you select an entity in the results tree, you can see the starting point and ending point of the route and the hops along the way (routers and firewalls).
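The query semantics described above (a specific source, a specific destination, or Any on one side) can be illustrated with a small model. The following sketch is an added example, not Skybox code: it assumes first-match access rules with a default deny, no NAT, and a constructed topology. The dmz and nocServers ranges, main_FW, Main Router, app_7_web_0 and dmz_dns0 are names from this tutorial; the backbone network, the other assets and every rule are invented.

```python
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

ANY = None  # stands for "Any" in the Source or Destination field


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR that must contain the source network
    dst: str             # CIDR that must contain the destination network
    port: Optional[int]  # None matches every port
    allow: bool


# Constructed model (see the lead-in for which names come from the tutorial).
NETWORKS = {
    "Internet": "0.0.0.0/0",
    "dmz": "192.170.33.0/24",
    "backbone": "192.170.1.0/24",
    "nocServers": "192.170.23.0/24",
}
SERVICES = {  # network -> (asset, service, TCP port)
    "dmz": [("app_7_web_0", "IIS", 80), ("dmz_dns0", "BIND", 53),
            ("dmz_admin0", "SSH", 22)],
    "nocServers": [("noc_srv0", "SSH", 22)],
}
GATEWAYS = {  # gateway -> (attached networks, ordered access rules)
    "main_FW": ({"Internet", "dmz", "backbone"}, [
        Rule("0.0.0.0/0", "192.170.33.0/24", 80, True),
        Rule("0.0.0.0/0", "192.170.33.0/24", 53, True),
        Rule("192.170.0.0/16", "0.0.0.0/0", None, True),
        Rule("0.0.0.0/0", "0.0.0.0/0", None, False),
    ]),
    "Main Router": ({"backbone", "nocServers"}, [
        Rule("0.0.0.0/0", "0.0.0.0/0", None, True),
    ]),
}


def permits(rules, src_cidr, dst_cidr, port):
    """First matching rule decides; no match means deny."""
    src, dst = ip_network(src_cidr), ip_network(dst_cidr)
    for rule in rules:
        if (src.subnet_of(ip_network(rule.src))
                and dst.subnet_of(ip_network(rule.dst))
                and rule.port in (None, port)):
            return rule.allow
    return False


def find_route(src, dst, port):
    """Breadth-first search; returns [network, gateway, network, ...] or None."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for gateway, (nets, rules) in GATEWAYS.items():
            if path[-1] not in nets:
                continue
            if not permits(rules, NETWORKS[src], NETWORKS[dst], port):
                continue
            for nxt in sorted(nets - seen):
                seen.add(nxt)
                queue.append(path + [gateway, nxt])
    return None


def analyze(source=ANY, destination=ANY):
    """Return (source, destination, asset, service, route) for each exposed service."""
    if source is ANY and destination is ANY:
        raise ValueError("Source and Destination cannot both be Any")
    sources = [source] if source is not ANY else list(NETWORKS)
    destinations = [destination] if destination is not ANY else list(NETWORKS)
    results = []
    for src in sources:
        for dst in destinations:
            if src == dst:
                continue
            for asset, service, port in SERVICES.get(dst, []):
                route = find_route(src, dst, port)
                if route:
                    results.append((src, dst, asset, f"{service} ({port}/TCP)", route))
    return results


if __name__ == "__main__":
    for row in analyze("Internet", "dmz"):
        print(row)
    print(analyze("Internet", "nocServers") or "no access")
    print(sorted({row[0] for row in analyze(destination="nocServers")}))
```

With these constructed rules the model gives the same shape of answer as the exercise that follows: the internet reaches specific services in the DMZ through main_FW, and has no access to nocServers.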

Analyzing access from the internet to the network

The following exercise analyzes access from the internet to 2 points in the organization’s network:

› The DMZ network

› An internal network (nocServers)

To analyze access from the internet to the DMZ

1 On the toolbar, click .


2 Click the Browse button next to a Scope field.

3 In the Available Entities field, expand the Locations & Networks node:

a. Scroll down, select Internet [perimeter cloud], and click to move the selection to the Selected Source field.

b. Select US > New York > dmz[192.170.33.0/24] and click to move the selection to the Selected Destination field.

4 Click OK.

5 The Services field of the Destination area is set to Any. Do not change it.

6 Click .

The results of the analysis appear in the Analysis Results pane.

7 On the toolbar, click to show specific network entities in the results, rather than IP address ranges.

8 Expand the results:

• Under the lowest location (New York) are the accessible networks ( ), in this case dmz.

• Under the dmz network are assets that are accessible from Internet. The icon next to each asset specifies the asset’s type.


9 Expand each asset to see the services ( ) through which the asset can be accessed.

The port and protocol through which the service is accessed are in parentheses.

You can scroll inside the tree or resize the window to better see the results.

10 Select the IIS service on app_7_web_0.

11 In the Map pane, under Current Map, select Organizational Map.

The access route from Internet (the source) to this service is displayed in the text pane and the Map pane.

To analyze access from the internet to the nocServers network

1 Clear the current destination scope (dmz) and define a new scope:

a. In the Access Query pane, click the Browse button next to a Scope field.

b. In the Source and Destination Scope dialog box:

1. In the Selected Destination field, select dmz and click Remove.


2. In the Available Entities field, select Locations & Networks > US > Los Angeles > nocServers[192.170.23.0/24] and click to move the selection to the Selected Destination field.

3. Click OK.

2 Click .

In the Live field, you see the following message: “There is no access between the source and destination.”

3 Close the Access Analyzer window.

Chapter 7

Operational Console

The Operational Console is a tool for managing Skybox tasks and Collectors. Tasks import data from external sources, analyze data, generate reports and backups, and so on. Collectors are Skybox products that connect with various devices and retrieve their data.

In this chapter

Opening the Operational Console

Tasks

Opening the Operational Console

To open the Operational Console

› On the toolbar, click .

The Operational Console opens in a separate window.

The GUI of the Operational Console is set up the same way as the Manager GUI, with a tree on the left and the workspace on the right.

Tasks

Skybox includes predefined tasks that are configured for standard usage but are not enabled to run automatically (auto-launch). You can modify any of these tasks and enable auto-launch, and you can create new tasks to suit your organization’s requirements.

To view all tasks

› In the Operational Console tree, select Tasks > All Tasks.

A list of tasks appears in the Table pane, with information about the 1st task in the Details pane.

Tasks can be scheduled or run manually.

To the right of each task’s name you can see additional information about the task, including its type and information about the most recent run. When you select a task that has run, the Details pane lists all task messages generated by the most recent run.


Task sequences

Tasks can be run as sequences (of tasks) that are run one after the other. This often makes the most sense when considering how to schedule tasks. For example, after updating the model with data from specific devices, you should reanalyze the data in the model based on this new information, create tickets on problematic new data (for example, new vulnerability occurrences with critical severity), and perhaps generate some reports. The following is a sample task sequence:

1 Various import tasks

2 Analyze – Exposure (this task analyzes exposure when data is imported to the model on a regular basis)

3 Analyze – Security Metrics

4 Tickets – Auto Generation

5 Tasks that generate reports on the status of data in the model, such as:

• Generate Risks Details Report

• Generate Vulnerability Details Report

• Generate Tickets Overview Report

• Generate Security Metric report

Chapter 8

Tickets

As you saw in the Attack Explorer section of the Exposure tutorial (on page 40), tickets provide a to-do list for immediate response and management tracking.

Tickets are created manually (using the Attack Explorer or otherwise) or automatically (using a Skybox task). They are assigned an owner, a priority, and a due date. When the owner fixes the problem (on the actual assets), they must change the status of the ticket to Fixed in Skybox. However, the vulnerability occurrence exists in the model until one of the following occurs:

› The next scheduled collection task runs and discovers that the vulnerability occurrence no longer exists.

› You (manually) run a collection task that discovers that the vulnerability occurrence no longer exists.

› You mark the vulnerability occurrence as fixed in the model.

In this chapter

Creating tickets

Viewing and managing tickets

Creating tickets

In this section, you create a ticket for a specific vulnerability occurrence. Although the tutorial explains how to do this manually, tickets can be created automatically by running a task of type Tickets – Auto Generation. These tasks work with predefined policies that specify the circumstances under which tickets should be created. For example, one such policy defines that tickets should be created for all new Vulnerability Definitions with critical severity. You can also define custom policies for this purpose.

Each ticket must have an owner, a priority, and a due date. The default priority is determined by the priority of the vulnerability occurrence.

To create a ticket

1 In the Vulnerability Control tree, select Analyses > Public Analyses > Vulnerabilities > By Exposure > Direct.

Vulnerability occurrences that are 1 step away from attackers are listed in the Table pane and information about the 1st vulnerability occurrence is displayed in the Details pane.

2 Select a critical vulnerability occurrence, right-click it, and select Create Ticket.


3 In the New Vulnerability Occurrence Ticket dialog box, select an owner and a solution, as you did when creating tickets in the Attack Explorer (on page 46).

4 Click OK.

Viewing and managing tickets

To view new tickets

1 Open the Tickets workspace.

2 Select Public Ticket Analyses > All Tickets > Open Tickets > New.

Recently created tickets (with New status) are listed in the Table pane and information about the 1st ticket in the list is displayed in the Details pane.

Note: When working on a system with multiple users, you can see only tickets that are assigned to you, using My Tickets instead of All Tickets.

3 Right-click the 1st ticket in the list. You can change single fields of the ticket (including Owner, Status, Priority, or Due Date) or open the Properties dialog box to change several fields.

Chapter 9

Additional information about Skybox data

The tree in the Model workspace is a hierarchical view of your network, as it exists in the model. It provides an easy way to view all network entities.

In this chapter

Model workspace

Locations & Networks

Viewing the properties of an entity

Viewing detailed information about an entity

Viewing access rules

Viewing and managing routing rules

Model workspace

The tree in the Model workspace includes the following top-level nodes:

› Sites: Sites in the network (used primarily for Skybox Horizon)

› Virtual Domains: Virtual domains in the network

› Threat Origin Categories: Threat Origins defined in the network

› Business Units & Asset Groups

› Locations & Networks

› Network Groups

› Asset Groups

› All Assets: Non-network-device assets grouped by their type

› All Network Devices: Network devices grouped by their type

› Vulnerability Occurrences: Vulnerability occurrences in the network

› Dependency Rules: Dependency rules defined in the network

› Model Analyses: Analyses for validating gateways, assets, and networks in the model

Note: In the demo model, most nodes contain entities; when working with your own model, some nodes might be empty.

Locations & Networks

The Locations & Networks tree in the Model workspace reflects the physical or geographical organization of your network, as in the following example.

The tree holds a hierarchy of locations. Each location can contain:


› Other locations

For example, a state inside a country or a building inside a site.

› Networks and clouds

Some networks are divided (physically) into network segments. Network segments are also part of the Locations & Networks tree.

The bottom part of the Locations & Networks tree contains:

› Networks and clouds that are not associated with any location

› An entry that represents all assets that are not associated with any network (unassigned assets)

Viewing the properties of an entity

You can view the properties of any entity in the Details pane, and you can view and edit the main properties of each entity in a separate dialog box. In this exercise, you view the properties of main_FW.

To view properties

1 If main_FW is not listed in the Table pane, select All Network Devices > Firewalls.

There are often several paths in the tree to reach the same entity. For example, you can also reach main_FW from Locations & Networks > US > New York > gatewayEastA.

2 In the Table pane, right-click main_FW and select Properties.

Note: In Skybox, firewalls (and other gateway devices) are classified as entities of type Asset.


3 Mouse over a field that contains data.

A tooltip listing the values selected for that field appears. This is especially useful for fields that hold multiple values.

4 Click Cancel.

To view additional information about an entity in a table, right-click the entity. For example, when you right-click a firewall, besides its properties, you can view its access rules, routing rules, or network interfaces.

Viewing detailed information about an entity

The Details pane displays detailed information for the entity selected in the Table pane. For example, if you select a workstation, you can view its routing rules, vulnerability occurrences, and services.

To view the services defined for a workstation

1 In the tree, select All Assets > Workstations.

The 1st workstation is selected.

2 In the Details pane, click the Services tab.

You can see the services defined for the selected workstation.

3 The information in the Details pane is divided into tabs according to the type of entity selected. By default, only tabs containing basic information are displayed, but you can display additional (advanced) tabs by clicking .

To display or hide advanced tabs

1 In the tree, select Locations & Networks > US > New York > gatewayEastA.

The assets in the gatewayEastA network are displayed in the Table pane and information about the 1st asset in the list is displayed in the Details pane.


2 Click .

Advanced information tabs are displayed in the Details pane. The icon changes to .

Zooming in on a property

When displaying information about an entity, you can zoom in on a specific property to see additional information. For example, an attack can be a property of an asset or a Business Asset Group, but it is also an attack entity, with its own properties; you can zoom in on the attack, making it the currently selected entity and displaying its properties.

To zoom in on a property and display it as an entity

1 Select main_FW in the Table pane.

2 In the Details pane, click the Services tab.

3 Select the 1st service in the list.

4 Click (at the top of the Details pane).

The Details pane changes; the properties in the Details pane are the properties of the selected service.

To return to the previous view

› On the toolbar, click .


Viewing access rules

Skybox provides a detailed modeling of access (filtering) rules and other traffic control measures (routing rules) on the firewalls and routers in your network. This data is retrieved by importing the configuration of rules from the file repository or by polling the devices themselves.

Although different vendors display access rules differently, Skybox normalizes the different types and all access rules are displayed using the same format.

Note: Both firewalls and routers can have access rules and routing rules.

To view the access rules for a firewall

1 In the tree, select All Network Devices > Firewalls, and then select main_FW in the Table pane.

2 In the Details pane, click the Access Rules tab.

• Each chain of access rules is displayed in a separate tab. Click the tabs at the bottom of the Details pane to switch between rule chains.

• A rule displayed with a light gray background is an implied rule (that is, an access rule not explicitly defined by the user but derived from other firewall settings).

• A rule displayed in gray, italicized font is disabled (that is, it has no effect).

Note: The display of access rules in the Details pane is read-only.

3 For more information about the access rules, open the Access Control List Editor: right-click main_FW in the Table pane and select Access Rules.


You can view the original text of a selected access rule as it came from the firewall (click Show Resolved Addresses). For a firewall whose ACL includes firewall objects, you can view the objects for the selected access rule in the Object Tree pane to the right of the Access Control List Editor.

You can edit the rules, move them within the list, and delete them. This is useful mostly when working in the What If model, since regular collection overwrites manual changes.

4 Select the 1st rule and look at the Object Tree.

5 Click Cancel.

Viewing and managing routing rules

To view and manage the routing rules for a specific router

1 In the tree, select All Network Devices > Routers.

The routers are listed in the Table pane and detailed information about the 1st router is displayed in the Details pane.

2 In the Table pane, select Main Router.

3 In the Details pane, click the Routing Rules tab.

The routing rules in the Details pane are read-only.


4 To view and manage routing rules, right-click the router (Main Router in this example) in the Table pane and select Routing Rules.

You can add, modify, and delete routing rules and you can change their order.

5 Click Cancel.

Chapter 10 Using Skybox Vulnerability Control reports

Skybox Vulnerability Control provides:

› Vulnerability Management reports, which provide a higher-level view of the vulnerability management process

› Other reports, each of which covers a specific area of the process

In this chapter

Skybox Vulnerability Control reports

Reports tree

Vulnerability Management reports

Skybox Vulnerability Control reports

The following report types are available in Skybox Vulnerability Control:

› Vulnerability Management reports are an overview of the vulnerability management process, as presented in the Vulnerability Control workspace

› Risks reports show overall business risk metrics, detail current business risks, and show trends and deltas (when modeling is on a continuous basis).

These reports are used for managing exposure.

› Vulnerabilities reports are technical reports containing vulnerability occurrence and attack data

These reports are used when working with exposure.

› Security Metrics reports show security metrics scores and related information

These reports are used when working with security metrics.

› Tickets reports contain information about workflow tasks (tickets). You can use these reports to track various workflows in Skybox Vulnerability Control.

These reports are used for remediation.

There are several predefined report definitions for each report type. The scope of each predefined report definition is the organization’s network. Admins can customize the predefined reports to suit organizational requirements and can create new report definitions. Users can create private report definitions. You can generate reports in several formats.

Report generation and data export

Reports can be generated via tasks or as needed, either from the Reports workspace or from the Vulnerability Control workspace. For example, you can right-click the security metrics node in the Vulnerability Control workspace and select Reports > Generate security metrics Report. The report opens in a separate PDF window.

You can export data from Skybox to CSV using any of the following methods:

› CSV Export tasks

› Right-click a node in the security metrics section of the Vulnerability Control tree and select the Export to CSV option

› Right-click an analysis in the Vulnerability Control tree and select the Export to CSV option

› Display a table in any workspace; from the File menu, select Export to CSV

Reports tree

Use the Reports tree to manage report definitions and to generate reports. Report generation can be scheduled and you can email the results to selected users.

The Reports tree is divided into a public folder and a private folder; predefined reports are in the public folder and report definitions that you create are stored in your private folder. The Public Report Definitions folder is divided according to report type.

Vulnerability Management reports

Vulnerability Management reports provide an overview of the vulnerability and risk management process that is similar to the overview that you can see in the Vulnerability Control workspace.

To view a Vulnerability Management report

1 In the tree, right-click Private Report Definitions and select New > Report Definition.

2 In the Report Type field, select Vulnerability Management.

3 Give the report a name.

Do not make changes to any of the other properties.

4 Click Generate to generate the report.

The report includes a summary of the Discovery Center and the Prioritization Center, and more detailed information about discovery and analysis. The report also includes the Report Properties section, which lists the properties of the report.

• The Discovery Summary section includes information about data age

• The Analytics Summary section includes Security Metrics and Exposure Analysis

• The Exposure Analysis subsection displays vulnerability occurrence exposure data from several perspectives

Modifying report definitions

You can modify report definitions in various ways. For example, in Vulnerability Control reports, you can decide that you are only interested in the discovery section and not the analytics section.