Dark Reading is part of the Informa Tech Division of Informa PLC



09:43 PM
George V. Hulme

Focus On Managing Risk, Not Gruntwork

With large enterprises sporting hundreds of applications, firewalls, routers, and other networking devices -- and more than 139 newly announced vulnerabilities each week -- how do they know what vulnerabilities actually matter?

Answering that question is a lot harder than just looking at software vendor risk rankings, rushing to patch the "criticals," and passing on the "lows."

Last year, CERT tallied more than 7,000 publicly disclosed vulnerabilities. Who has time for that much patching?

In fact, many organizations may find, when all mitigating controls -- firewall rules, network segmentation, IPS devices, etc. -- are taken into account, that they actually want to patch a couple of low-risk vulnerabilities on a machine managing highly classified data. Or, maybe patching one or two at-risk systems in the DMZ ensures the rest of the infrastructure is secure, because those security controls mitigate the other unpatched systems. The rest of the patching can then wait for a little while, at least until the patches have been tested.

That level of management sure beats the heck outta wrangling up a dozen admins to run vulnerability scans, and then rush out untested patches for several hundred systems. I can think of about a thousand ways I'd rather spend my budget.

Yet, it goes without saying that today's networks are just too complex to make those kinds of decisions off-the-cuff. There are too many network connections, segments, servers, and firewall rules for any mere mortal to keep straight in their head. That's where risk modeling software, from vendors such as Skybox Security, steps in.

I profiled a credit union, WesCorp, a number of years ago when Skybox Security was just starting out. I had been interviewing that company's CISO (at the time it was Chris Hoff, now chief architect of security for Unisys) about vulnerability scans and patching. He explained how he was able to better manage his patching processes by modeling the actual risks those vulnerabilities created and weighing their severity against the actual business value of his systems. I'd never heard of such a capability before, and was quite intrigued. The eventual story is available here.

Essentially, Skybox's Skybox View risk management platform enables organizations to model their risk through analytical and predictive threat and vulnerability analysis. The software works by creating a virtualized representation of the network and then analyzing where potential attack vectors against, say, unpatched systems may exist. It can do this by amassing an enormous amount of data about the current network architecture and the security defenses in place. The same model can be used to simulate what-if scenarios that detail how your risk posture would change along with planned network changes.
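The two ideas above (a vulnerability only matters if the firewall rules and segmentation actually let an attacker reach it, and a model lets you test a patch plan before touching anything) can be shown on a toy network. The following Python is an added illustration for this post; it is not Skybox View code and not anything the article describes in detail. Every zone, host, firewall rule, asset value and vulnerability id in it is constructed sample data (the ids are placeholders, not real CVEs), and the scoring rule (severity times asset value for reachable flaws, zero for flaws the controls keep out of reach) is a simplifying assumption.

```python
"""Exposure-based vulnerability prioritization on a toy network model.

Added illustration; not Skybox View code and not from the article. Every
zone, host, rule, asset value and vulnerability id is constructed sample
data (the ids are placeholders, not real CVEs).
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # constructed placeholder id
    port: int         # port of the vulnerable service
    severity: float   # vendor / CVSS-style base score, 0-10


@dataclass
class Host:
    name: str
    zone: str
    asset_value: float          # business value, 1 (low) .. 10 (highly classified)
    vulns: list = field(default_factory=list)


@dataclass(frozen=True)
class Rule:
    src_zone: str   # firewall rule: traffic allowed from src_zone ...
    dst_zone: str   # ... into dst_zone ...
    port: int       # ... on this port


def reachable_vulns(hosts, rules, start_zone="internet", patched=frozenset()):
    """Set of (host_name, vuln_id) an attacker starting in start_zone could
    reach, pivoting through each host compromised along the way.

    Breadth-first search over zones: once a host is compromised its zone
    becomes a new source for the rules. Assumption: zones are flat, so
    traffic inside a zone is never filtered; crossing zones needs a rule.
    """
    allowed = {(r.src_zone, r.dst_zone, r.port) for r in rules}
    controlled = {start_zone}
    queue = deque([start_zone])
    reachable = set()
    while queue:
        src = queue.popleft()
        for host in hosts:
            for v in host.vulns:
                key = (host.name, v.vuln_id)
                if v.vuln_id in patched or key in reachable:
                    continue
                if src == host.zone or (src, host.zone, v.port) in allowed:
                    reachable.add(key)
                    if host.zone not in controlled:
                        controlled.add(host.zone)
                        queue.append(host.zone)
    return reachable


def prioritize(hosts, rules, patched=frozenset()):
    """Rank unpatched vulnerabilities by exposure-adjusted risk.

    A reachable flaw scores severity * asset_value; a flaw the mitigating
    controls keep out of reach scores 0, whatever the vendor rating says.
    Returns rows of (risk, host, vuln_id, exposed), highest risk first.
    """
    reach = reachable_vulns(hosts, rules, patched=patched)
    rows = []
    for host in hosts:
        for v in host.vulns:
            if v.vuln_id in patched:
                continue
            exposed = (host.name, v.vuln_id) in reach
            risk = v.severity * host.asset_value if exposed else 0.0
            rows.append((risk, host.name, v.vuln_id, exposed))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def what_if_patch(hosts, rules, candidates):
    """Simulate a patch set: count of exposed vulnerabilities before and after."""
    before = len(reachable_vulns(hosts, rules))
    after = len(reachable_vulns(hosts, rules, patched=frozenset(candidates)))
    return before, after


# Constructed sample network: a DMZ, an internal segment, a data vault and
# an OT segment no rule reaches, plus the firewall rules that join them.
HOSTS = [
    Host("web", "dmz", 3, [Vuln("V-WEB-1", 443, 9.8)]),
    Host("mail", "dmz", 3, [Vuln("V-MAIL-1", 25, 7.5)]),
    Host("appsrv", "internal", 6, [Vuln("V-APP-1", 8080, 9.0), Vuln("V-APP-2", 22, 4.0)]),
    Host("hr", "internal", 5, [Vuln("V-HR-1", 445, 10.0)]),
    Host("db", "vault", 10, [Vuln("V-DB-1", 5432, 3.5)]),
    Host("legacy", "ot", 8, [Vuln("V-OT-1", 502, 10.0)]),
]
RULES = [
    Rule("internet", "dmz", 443),
    Rule("internet", "dmz", 25),
    Rule("dmz", "internal", 8080),
    Rule("internal", "vault", 5432),
]

if __name__ == "__main__":
    for risk, host, vid, exposed in prioritize(HOSTS, RULES):
        print(f"{vid:9} {host:7} risk={risk:5.1f} {'exposed' if exposed else 'mitigated'}")
    print("patch the two DMZ hosts:", what_if_patch(HOSTS, RULES, {"V-WEB-1", "V-MAIL-1"}))
    print("patch the choke point:  ", what_if_patch(HOSTS, RULES, {"V-APP-1"}))
```

Run as written, the ranking puts the low-severity database flaw (score 3.5, on the highest-value host) above the critical-rated web server flaw, and the critical-rated OT flaw lands at the bottom as mitigated because no rule reaches its segment. The two what-if calls make the article's DMZ point concrete: patching only the two internet-facing DMZ hosts drops the exposed count from six to zero, while patching the single application server that bridges DMZ and internal drops it to two. A production tool does the same reasoning over thousands of hosts, real rule bases and routing, but the shape of the computation is this reachability search followed by a value-weighted ranking.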

Today, to get updated on how companies are using Skybox View, I spoke with Bill Geimer, program manager for Newington, Va.-based technology provider Open System Sciences. Open System Sciences provides the U.S. Agency for International Development (USAID), which has systems spread throughout about 100 countries, with many of the services the agency needs for its risk management program and to maintain FISMA compliance.

Geimer explained how Skybox View helps him and his team pull information from all of the agency's point security and networking products (which consist of thousands and thousands of devices) as well as from daily network security assessments. Every day Geimer gets a report that details which systems have changed and which systems may need to be patched.

Most important, Geimer explained how it is now possible for the entire security team to "be in tune with anything that changes our risk and to respond accordingly."

There aren't many organizations today that can make such a claim, and mean it. But that's what Geimer was able to achieve.

I don't know for sure, but I'd bet five years ago when Skybox first hit my radar, the company had fewer than a dozen customers. Today, it has more than 125, including some big names: AstraZeneca, Barclays Capital, British Energy, Cisco, Citi, Merrill Lynch, Reuters, Visa, and others. Its channel also has grown quite impressively, and now includes partners such as BT, Cable and Wireless, FishNet, IBM, VeriSign, and Wipro.

In June the company plans to release an update to its risk-management platform. The new version will add a Web-management interface, make it easier to map compliance reports to the Payment Card Industry Security Standard, and add support for additional operating systems as well as for virtual firewalls and routers.
