Delivered as a webinar, this slide deck provides best practices for gaining total visibility of your attack surface and ways to manage and reduce your risk, network vulnerabilities, and potential breaches.
Skybox Security has a software platform that uses analytics to give you comprehensive information about your organization’s attack surface. That knowledge is crucial to solving everyday security problems in an accurate and actionable manner. Our solutions are used for firewall management, network compliance, vulnerability management, and more.
We believe that continuous visibility of the attack surface is critical.
That to get this visibility you have to combine a lot of data about your network and endpoints, sometimes from dozens of vendor systems.
That analytics are a must to solve complex information security challenges.
And once you have the intelligence, you need to work it into regular security processes, automating security management at every step in order to stay ahead of attacks.
Key points –
Not focused on a single vertical or region
Pick a few and mention how the customer uses Skybox
Competitive landmines –
Proven support of large global organizations
Examples –
7 of top 10 banks use Skybox
Deployments as large as 700k nodes
Orgs with complex security policies/rules
Key Points –
Link between avoiding breaches and attack surface
Not understanding the attack surface prevents effective action regardless of controls
Competitive landmines –
Full understanding of the attack surface
Script: (click through first 5 builds – last one is Threat Actors)
But how do you make a picture of the attack surface?
Explain layer by layer the information that is needed to address the previous questions.
Massive amount of data to correlate and combinations of factors to consider
Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface
Fast-changing
Network context sensitive
Time context sensitive
This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents.
(last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network.
Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time: is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
Different version script:
Presentation Notes:
After talking about likelihood, it’s a good segue into the attack simulation slide.
This slide shows how we calculate that likelihood. We start with the network map and bring in vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, such as rogue administrators, disgruntled employees and especially compromised workstations.
Customers often want to understand the reachability of a compromised workstation: if an employee downloads malware, what kind of reachability would it have inside the network? Skybox can determine that with the threat modeling.
May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing.
When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities.
Script:
This slide shows how our attack simulation works. We start with that network model containing layer 3 devices.
<advance>
On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are placed at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations.
Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities.
As you can probably imagine, this is an immense amount of calculation, especially in a global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
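The attack simulation described in these notes can be sketched on a toy model. This is an added example, not Skybox's algorithm or code: the host names, flows and finding IDs are constructed, and "firewalls and IPSs" are reduced to a set of permitted (source, destination, port) flows.

```python
from collections import deque

# Constructed network model: flows that firewalls/IPSs let through.
ALLOWED_FLOWS = {
    ("internet", "web01", 443),
    ("web01", "app01", 8080),
    ("app01", "db01", 5432),
    ("wks17", "app01", 8080),
    ("wks17", "file01", 445),
}

# Constructed scanner findings: host -> [(finding_id, service_port, full_compromise)]
FINDINGS = {
    "web01": [("VULN-A", 443, True)],
    "app01": [("VULN-B", 8080, True), ("VULN-C", 22, True)],
    "db01": [("VULN-D", 5432, False)],
    "file01": [("VULN-E", 445, False)],
}


def simulate(threat_origin):
    """Return {(host, finding_id): 'direct' | 'indirect'} for one threat origin."""
    exposure = {}
    footholds = deque([threat_origin])
    seen = {threat_origin}
    while footholds:
        src = footholds.popleft()
        for host, vulns in FINDINGS.items():
            for finding_id, port, full_compromise in vulns:
                if (src, host, port) not in ALLOWED_FLOWS:
                    continue  # the traffic the exploit needs cannot reach the asset
                kind = "direct" if src == threat_origin else "indirect"
                # The origin is processed first, so 'direct' is never overwritten.
                exposure.setdefault((host, finding_id), kind)
                # A fully compromised host becomes a new starting point.
                if full_compromise and host not in seen:
                    seen.add(host)
                    footholds.append(host)
    return exposure


def risk_views(origins):
    """Group exposures by threat origin, by asset and by vulnerability."""
    by_origin, by_asset, by_vuln = {}, {}, {}
    for origin in origins:
        for (host, finding_id) in simulate(origin):
            by_origin.setdefault(origin, set()).add((host, finding_id))
            by_asset.setdefault(host, set()).add(origin)
            by_vuln.setdefault(finding_id, set()).add(origin)
    return by_origin, by_asset, by_vuln


if __name__ == "__main__":
    for origin in ("internet", "wks17"):
        print(origin, simulate(origin))
```

VULN-C never appears in any view: it exists on app01, but no modeled flow reaches port 22, so it carries no exposure from either origin.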
Sales version of slide-
Continuously monitor change and minimize risks
Link and automate security processes
Huge time savings in delivering the path information
Presentation Notes:
Change management -- top of that continuum.
Once you have the network in compliance, you want to keep it there.
Skybox has a change management API where the customer can use their own third-party ticketing system to plug in to our analysis engine, or we can supply that interface. Either way we can help out with all of the common phases that a workflow process will go through.
Two of the big areas where we can get a return on investment:
1. Path Analysis – huge time savings. For a given request, Skybox can show you exactly which firewalls need to be changed, in seconds. Without this kind of automation, the research can take anywhere from a couple of hours to a couple of days: figuring out, for a given request, which firewalls sit between point A and point B, which ones currently allow the access, and which ones need to be updated to allow that access.
2. Risk Analysis – ensure security and compliance. For a given request, Skybox shows if it is going to violate security policy or expose the vulnerability to a new part of the network. To do that on your own, you would be digging through documents, which is time-consuming and error-prone.
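The path-analysis question above (which firewalls sit between A and B, which already allow the access, which need a change) can be answered mechanically once topology and rules are in one model. This is an added example, not Skybox's code or API: the segments, firewall names and rules are constructed, and rule evaluation is assumed to be first-match with an implicit deny.

```python
import ipaddress
from collections import deque

# Constructed model: address range of each network segment.
SEGMENTS = {"dmz": "10.1.0.0/16", "core": "10.2.0.0/16",
            "dc": "10.3.0.0/16", "lab": "10.4.0.0/16"}

# Each firewall joins two segments; rules are (action, src, dst, port),
# port None meaning any port. First match wins, implicit deny at the end.
FIREWALLS = {
    "fw-edge": {"links": ("dmz", "core"), "rules": [
        ("allow", "10.1.0.0/16", "10.2.0.0/16", 8443),
        ("deny", "0.0.0.0/0", "0.0.0.0/0", None)]},
    "fw-dc": {"links": ("core", "dc"), "rules": [
        ("deny", "10.1.5.0/24", "10.3.0.0/16", None),
        ("allow", "10.1.0.0/16", "10.3.0.0/16", 5432)]},
    "fw-lab": {"links": ("core", "lab"), "rules": []},
}


def segment_of(ip):
    """Name of the segment whose range contains ip."""
    return next(s for s, net in SEGMENTS.items()
                if ip in ipaddress.ip_network(net))


def firewalls_on_path(src_seg, dst_seg):
    """Breadth-first search; returns the firewalls crossed, in order."""
    queue, seen = deque([(src_seg, [])]), {src_seg}
    while queue:
        seg, path = queue.popleft()
        if seg == dst_seg:
            return path
        for name, fw in FIREWALLS.items():
            a, b = fw["links"]
            nxt = b if seg == a else a if seg == b else None
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [name]))
    return None  # no route between the segments in this model


def decision(fw_name, src, dst, port):
    """First-match evaluation of one firewall's rule list."""
    for action, src_net, dst_net, rule_port in FIREWALLS[fw_name]["rules"]:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"


def analyze_request(src, dst, port):
    """Per-firewall verdict for an access request; 'deny' means a change is needed."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path = firewalls_on_path(segment_of(src), segment_of(dst))
    if path is None:
        raise ValueError("no path between source and destination")
    return [(fw, decision(fw, src, dst, port)) for fw in path]


if __name__ == "__main__":
    print(analyze_request("10.1.9.9", "10.3.0.9", 5432))
```

The second constructed source, 10.1.5.20, shows why rule order matters: fw-dc has an allow rule for the request, but an earlier, narrower deny matches first.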