With large enterprises sporting hundreds of applications, firewalls, routers, and other networking devices -- and more than 139 newly announced vulnerabilities each week -- how do they know what vulnerabilities actually matter? Answering that question is a lot harder than just looking at software vendor risk rankings and rushing to patch the "criticals" and pass on the "lows."
Last year, CERT tallied more than 7,000 publicly disclosed vulnerabilities. Who has time for that much patching?
In fact, many organizations may find, when all mitigating controls -- firewall rules, network segmentation, IPS devices, etc. -- are taken into account, that they may actually want to patch a couple of low-risk vulnerabilities on a machine managing highly classified data. Or, maybe patching one or two at-risk systems in the DMZ ensures the rest of the infrastructure is secure -- because all of those security controls mitigate the other unpatched systems. And the rest of the patching can wait for a little while, at least until the patches have been tested.
That level of management sure beats the heck outta wrangling up a dozen admins to run vulnerability scans, and then rush out untested patches for several hundred systems. I can think of about a thousand ways I'd rather spend my budget.
Yet, it goes without saying that today's networks are just too complex to make those kinds of decisions off-the-cuff. There are too many network connections, segments, servers, and firewall rules for any mere mortal to keep straight in their head. That's where risk-modeling software, from vendors such as Skybox Security, steps in.
I profiled a credit union, WesCorp, a number of years ago when Skybox Security was just starting out. I had been interviewing that company's CISO (at the time it was Chris Hoff, now chief architect of security for Unisys) about vulnerability scans and patching. He explained how he was able to better manage his patching processes by modeling the actual risks those vulnerabilities created and weighing their severity against the actual business value of his systems. I'd never heard of such a capability before, and was quite intrigued. The eventual story is available here.
Essentially, Skybox's Skybox View risk management platform enables organizations to model their risk through analytical and predictive threat and vulnerability analysis. Basically, the software works by creating a virtualized representation of the network and then analyzing where potential attack vectors against, say, unpatched systems may exist. It can do this by amassing an enormous amount of data about the current network architecture and the security defenses in place. The model can also be used to simulate what-if scenarios that detail how your risk posture would change with planned network changes.
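To make the reasoning in the two paragraphs above concrete (mitigating controls changing which vulnerabilities matter, and what-if simulation of planned changes), here is a toy version of that kind of network model. It is an added example written for this post, not Skybox's code or anything the article describes in detail: every host, zone, firewall rule, IPS signature, asset value and vulnerability id is a constructed placeholder. Hosts sit in zones, rules say which destination ports one zone may reach in another, an inline IPS can block a vulnerability in transit between zones, and the model iterates to a fixpoint over which zones an attacker starting from a foothold could pivot through. Vulnerabilities are then ranked by reachability times asset value rather than raw CVSS, and scenarios are compared to answer "what if we patch this one" or "what if we open that rule."

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    zone: str                                   # network segment the host sits in
    asset_value: int                            # 1 (low) .. 10 (crown jewels)
    vulns: Tuple[Tuple[str, int, float], ...]   # (vuln id, listening port, CVSS)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: FrozenSet[int]                       # destination ports the firewall permits


@dataclass(frozen=True)
class Scenario:
    hosts: Tuple[Host, ...]
    rules: Tuple[Rule, ...]
    ips_signatures: FrozenSet[str]              # vuln ids an inline IPS blocks between zones
    foothold: str                               # zone the attacker starts in

    def patched(self, *vuln_ids: str) -> "Scenario":
        hosts = tuple(replace(h, vulns=tuple(v for v in h.vulns if v[0] not in vuln_ids))
                      for h in self.hosts)
        return replace(self, hosts=hosts)

    def with_rule(self, rule: Rule) -> "Scenario":
        return replace(self, rules=self.rules + (rule,))

    def with_ips(self, *vuln_ids: str) -> "Scenario":
        return replace(self, ips_signatures=self.ips_signatures | frozenset(vuln_ids))


def exposure(scn: Scenario) -> Tuple[Dict[str, str], Set[str]]:
    """Return (exposed vuln id -> how it was reached, zones the attacker can control).

    A zone is controlled once any host in it has an exposed vulnerability (the
    attacker pivots from there). Inside a controlled zone every vulnerability is
    exposed (flat segment, no control in the way). Across zones a vulnerability is
    exposed only if a rule from a controlled zone permits its port and no inline
    IPS signature covers it. Iterates until no new zone becomes controlled.
    """
    controlled = {scn.foothold}
    exposed: Dict[str, str] = {}
    changed = True
    while changed:
        changed = False
        for h in scn.hosts:
            for vid, port, _cvss in h.vulns:
                if vid in exposed:
                    continue
                if h.zone in controlled:
                    exposed[vid] = f"lateral inside {h.zone}"
                    continue
                for r in scn.rules:
                    if (r.src_zone in controlled and r.dst_zone == h.zone
                            and port in r.ports and vid not in scn.ips_signatures):
                        exposed[vid] = f"{r.src_zone}->{h.zone}:{port}"
                        controlled.add(h.zone)      # attacker can now pivot from here
                        changed = True
                        break
    return exposed, controlled


def rank_patches(scn: Scenario) -> List[Tuple[float, str, str, str]]:
    """(score, vuln id, host, how reached); exposed vulns first, by CVSS x asset value."""
    exposed, _ = exposure(scn)
    rows = []
    for h in scn.hosts:
        for vid, _port, cvss in h.vulns:
            reach = exposed.get(vid)
            score = round(cvss * h.asset_value, 1) if reach else 0.0
            rows.append((score, vid, h.name, reach or "not reachable"))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def exposure_delta(before: Scenario, after: Scenario) -> Tuple[List[str], List[str]]:
    """What-if: vuln ids newly exposed, and no longer exposed, moving from before to after."""
    b, _ = exposure(before)
    a, _ = exposure(after)
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


# Constructed sample network; all names and vuln ids are placeholders.
BASELINE = Scenario(
    hosts=(
        Host("web01", "DMZ", 4, (("VULN-A", 443, 9.8), ("VULN-B", 22, 7.5))),
        Host("db01", "INTERNAL", 10, (("VULN-C", 1433, 5.3), ("VULN-D", 3389, 8.8))),
        Host("hr01", "INTERNAL", 6, (("VULN-E", 445, 9.8),)),
        Host("vault01", "SECURE", 10, (("VULN-F", 445, 4.3),)),
    ),
    rules=(
        Rule("INTERNET", "DMZ", frozenset({443})),
        Rule("DMZ", "INTERNAL", frozenset({1433})),
        Rule("INTERNAL", "SECURE", frozenset({445})),
    ),
    ips_signatures=frozenset(),
    foothold="INTERNET",
)

if __name__ == "__main__":
    for score, vid, host, how in rank_patches(BASELINE):
        print(f"{score:6.1f}  {vid}  {host:8s}  {how}")
    # Patching only the DMZ entry point closes every downstream path ...
    print("patch VULN-A:", exposure_delta(BASELINE, BASELINE.patched("VULN-A")))
    # ... and so does an inline IPS signature for it, in this model.
    print("IPS sig for VULN-A:", exposure_delta(BASELINE, BASELINE.with_ips("VULN-A")))
    # Planned change: opening RDP from the Internet would reopen the internal zones.
    planned = BASELINE.patched("VULN-A").with_rule(Rule("INTERNET", "INTERNAL", frozenset({3389})))
    print("planned rule:", exposure_delta(BASELINE.patched("VULN-A"), planned))
```

Two things the toy shows that a CVSS list alone does not: the CVSS 4.3 vulnerability on the classified host outranks the CVSS 9.8 one on the DMZ web server once asset value and reachability are in the score, and patching (or covering with an IPS signature) the single DMZ entry point takes every downstream vulnerability off the exposed list, which is the "patch one or two systems in the DMZ and the rest can wait" case above. The IPS is modeled as inline between zones only, so it never mitigates lateral traffic inside a segment; that is a deliberate caveat, since a signature that looks like full coverage on paper does nothing for a flat segment.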
Today, to get updated on how companies are using Skybox View, I spoke with Bill Geimer, program manager for Newington, Va.-based technology provider Open System Sciences. Open System Sciences provides the U.S. Agency for International Development (USAID), which has systems spread throughout about 100 countries, with many of the services the agency needs for its risk management program and to maintain FISMA compliance.
Geimer explained how Skybox View helps him and his team to grab information from all of the agency's point security and networking products (which consist of thousands and thousands of devices) as well as from daily network security assessments. Every day Geimer gets a report that details what systems have changed, and what systems may need to be patched.
Most important, Geimer explained how it is now possible for the entire security team to "be in tune with anything that changes our risk and to respond accordingly."
There aren't many organizations today that can make such a claim, and mean it. But that's what Geimer was able to achieve.
I don't know for sure, but I'd bet five years ago when Skybox first hit my radar, the company had fewer than a dozen customers. Today, it has more than 125, including some big names: AstraZeneca, Barclays Capital, British Energy, Cisco, Citi, Merrill Lynch, Reuters, Visa, and others. Its channel also has grown quite impressively, and now includes partners such as BT, Cable and Wireless, FishNet, IBM, VeriSign, and Wipro.
In June the company plans to release an update to its risk-management platform. The new version will add a Web-management interface, make it easier to map compliance reports to the Payment Card Industry Security Standard, and add additional operating system support, as well as include support for virtual firewalls and routers.