User's Guide: Skybox Risk Control 7.0.0

Revision: 11

Copyright Skybox Security, Inc. All rights reserved.

This documentation contains proprietary information belonging to Skybox Security and is provided under a license agreement containing restrictions on use and disclosure. It is also protected by international copyright law.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of Skybox Security.

Skybox, Skybox View, Skybox Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Risk Control, Skybox Threat Manager, Skybox Change Manager, Skybox 5000/5000W/5500/6000 Appliance, are trademarks and registered trademarks of Skybox Security, Inc.

Check Point, SiteManager-1, FireWall-1, Provider-1, SmartDashboard, VPN-1, and OPSEC are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.

All other trademark and registered trademark products mentioned in this document are the property of their respective owners.

Skybox Security, Inc. Telephone (in the U.S.): SKYBOX ( ) Telephone (outside the U.S.): Fax: Website: support@skyboxsecurity.com

Contents

Intended audience
How this manual is organized
Related documentation
Technical support
Overview of Skybox Risk Control
Skybox View platform
About Skybox Risk Control
The process
About the Skybox View Vulnerability Dictionary
Basic architecture

Part I: Security Metrics
Overview of the Security Metrics feature
About security metrics in Skybox View
Predefined security metrics
Workflow for security metrics
Building the model
Updating the dictionary
Obtaining asset and vulnerability occurrence data
Discovery Center
Adding organizational hierarchy (Business Units)
Analyzing security metrics
Viewing security metrics information
Focusing on a specific security metric
Viewing security metrics information
Switching between security metrics
Understanding security metrics information
Customizing the security metrics
Initial customization
Security Metric properties
Additional customization
Remediation
Remediation workflow
Continuous usage
Security metrics notifications
Recalculating the security metrics

Part II: Exposure
Overview of the Exposure feature
Introduction to exposure
Automated IT security modeling
Attack simulation and visualization
Business impact analysis and risk metrics
Regulation compliance
Risk exposure management workflow
Building the model
Building the network topology
Network visualization (maps)
Creating and saving dedicated maps
Navigating the Network Map
Map Groups
Validating the model
Overview of validating the model
Verifying completeness
Model completion and validation
Using model validation analyses
Verifying topology
Verifying access
Validating the setup for attack simulation
Adding Threat Origins
Threat Origin types
Threat Origin Categories
Defining Threat Origins
Disabling and enabling Threat Origins
Adding Business Asset Groups
Defining a Business Asset Group
Business Impacts and Regulations
Adding dependency rules
Explicit dependency rules
Implicit dependencies
Simulating attacks
Understanding Skybox View risk
Identifying the critical issues
Workflow
Reviewing the directly exposed vulnerability occurrences
Reviewing the Threat Origins
Reviewing the Business Asset Groups
Reviewing attacks
Check whether the problem is access-related
Remediation
Marking vulnerability occurrences as ignored
Mitigating critical vulnerability occurrences
Creating tickets manually
Updating the model after fixing vulnerability occurrences
Using the What If model to test changes
Continuous risk management
Overview of continuous usage
Attack simulation for continuous usage
Monitoring the risk status
Automating tickets
Tickets and workflow
Model maintenance

Part III: Continuous usage
Using tasks for automation
Task sequences
Scheduling tasks and task sequences
Task groups
Monitoring task results
Reports
Security Metrics reports
Risks reports
FISMA/NIST and Risk Assessment reports
PCI DSS reports
Tickets reports
Vulnerability Management reports
Vulnerabilities reports
Exporting data to CSV files
Exporting vulnerability occurrence data to Qualys format
Model maintenance
Updating the model
General maintenance

Part IV: Advanced topics
Advanced modeling scenarios
Modeling VPNs
Modeling L2 networks
Overlapping networks
Virtual routers
Virtual firewalls
Clusters
Modeling multi-homed assets
Merging data
Using clouds as Threat Origins
Advanced dependency rules
Additional information about exposure
About attack simulation
About risk
Skybox View analyses
Viewing risk
PCI DSS support in Skybox Risk Control
Access Analyzer
Creating new queries
Access Analyzer output
Adjusting the security metrics parameters
Calculation of scores for Vulnerability Level Indicator security metrics
Calculation of scores for Remediation Latency Indicator security metrics
Impact levels
Additional security metrics parameters
Vulnerability Dictionary
Vulnerability Dictionary information
CVE compliance
IPS support in Skybox View
IPS dictionary
Working with IPS in Skybox View
Optimization
Performance considerations
Optimizing Access Analyzer analysis

Part V - Planning deployment
Planning deployment
Deployment plan
Deployment team
Preparing data for Skybox View
Information requirements
Preparing a list of network devices
Defining the collection strategy
Preparing scanning information
Preparing the data
Phases of deployment
First phase
Worksheets for planning deployment
Deployment overview worksheet
Device mapping worksheet
Network scans worksheet
Business Asset Group mapping worksheet
Index

Preface

Intended audience

The Skybox Risk Control User's Guide explains how to work with Skybox Risk Control. Use this document in conjunction with:

- Skybox View Installation and Administration Guide, which explains Skybox View installation, and various configuration and maintenance tasks
- Skybox Risk Control Getting Started Guide, which explains how to use the various features of Skybox Risk Control using predefined data

The intended audience is any user of Skybox Risk Control.

How this manual is organized

This manual includes the following parts:

- Overview (on page 9)
- Security Metrics feature (on page 12)
- Exposure feature (on page 44)
- Continuous usage (on page 111)
- Advanced topics (on page 129)
- Planning deployment (see page 201)

Related documentation

The following documentation is available for Skybox Risk Control:

- Skybox Risk Control Getting Started Guide

Other Skybox View documentation includes:

- Skybox View Installation and Administration Guide
- Skybox View Reference Guide
- Skybox View Developer's Guide
- Skybox View Release Notes
- Skybox Change Manager User's Guide
- Skybox Threat Manager User's Guide

The entire documentation set (in PDF format) is available in the <Skybox_View_Home>/docs directory. A comprehensive Help file can be accessed from any location in the Skybox View Manager by using the Help menu or by pressing F1.

Technical support

You can contact Skybox Security technical support by:

- Calling SKYBOX ( ) inside the U.S. or outside the U.S.
- Using the Skybox Security support portal at
  You must register to use the support portal. Registered users can view the knowledge base, download updates, and submit cases.
- Faxing (U.S. number)
- Sending an email to support@skyboxsecurity.com

When opening a case, you need the following information:

- Your contact information (telephone number and address)
- Skybox View version and build numbers
- Platform (Windows or Linux)
- Problem description
- Any documentation or relevant logs

You can compress logs before attaching them by using the Pack Logs tool (see Packing log files for technical support, in the Skybox View Installation and Administration Guide).

Chapter 1: Overview of Skybox Risk Control

This chapter is an overview of Skybox Risk Control.

In this chapter

- Skybox View platform
- About Skybox Risk Control
- The process
- About the Skybox View Vulnerability Dictionary
- Basic architecture

Skybox View platform

Skybox Security delivers a complete portfolio of proactive security risk management solutions that automatically find and prioritize risks, and drive remediation in a large or complex network, before an adverse event occurs. Skybox solutions provide accurate intelligence for daily security and compliance management tasks such as firewall assessments, vulnerability management, threat management, and change planning.

Other solutions have limitations: they find only a limited set of risks, can be used only on an infrequent basis, or are reactive and useful only after the breach has already taken place. Skybox enables daily security risk management for the complete enterprise network on an ongoing basis. Skybox identifies and prioritizes a wide variety of risks automatically so that the security team has daily risk information to eliminate the most critical risks fast, before an attack.

The Skybox Security Enterprise portfolio includes:

- Skybox Firewall Assurance: Firewall Assessment, PCI Compliance, Firewall Ruleset Optimization
- Skybox Change Manager: Firewall Change Management and Workflow
- Skybox Network Assurance: Network Modeling, Access Compliance, Connectivity Troubleshooting
- Skybox Risk Control: Attack Modeling, Risk Assessment, Vulnerability Management, Patch Optimization
- Skybox Threat Manager: Threat Analysis, Remediation Planning, and Tracking Workflow

The products share common services including modeling, simulation, analytics, reporting, and automated workflow management.

About Skybox Risk Control

Skybox Risk Control automatically discovers and prioritizes vulnerability occurrences, using context-aware analytics that take network topology, security controls, business assets, and threat intelligence into account. Risk Control gives those on the front line of security the tools they need to focus attention on the most critical risks first to protect customer data, intellectual property and business services.

Highlight features

- Automatically creates and continuously updates a detailed model of your network topology, network and security devices, servers, and end points
- Incorporates vulnerability data from third-party scanners or from Skybox Vulnerability Detector, a scanless vulnerability discovery technique that leverages product configuration repositories and patch management systems, with daily vulnerability definition content updates
- Simulates attack scenarios from external or internal threats, highlighting possible exploitation routes by hackers, APT, malware, and internal threats, considering all network security controls such as firewalls and intrusion prevention systems
- Prioritizes vulnerabilities for remediation, based on exploitability and imposed risk, indicating the most critical vulnerabilities to be fixed
- Streamlines risk mitigation with automated proposal of remediation alternatives, including ticket generation and workflow
- Calculates security and risk metrics for every business unit, and for the organization as a whole
- Robust reporting features include customizable reports for specific audiences such as management, auditors and IT operations
- Advanced what-if modeling capabilities to predict risky behavior and potential business impact of proposed network changes
- Integrates with Skybox Threat Manager to prioritize vital threats and updated risk alerts
  Note: You can use Skybox Threat Manager together with the other features of Skybox Risk Control or separately. Skybox Threat Manager is documented separately in the Skybox Threat Manager Getting Started Guide and the Skybox Threat Manager User's Guide.
- Comprehensive device support. View the support list at

The process

The overall Risk Control process is divided into two basic cycles:

- Import asset and vulnerability data, and then generate security metrics for different technologies and different business units
- If desired, import network devices to get the topology, and then analyze the exposure of the network to potential attackers

Security Metrics Cycle

1. Collect vulnerability occurrences (which also provides information on assets)
2. Organize the assets into Business Units
3. Look at the Discovery Center to understand the security of your inventory
4. Look at the security metrics and the analysis of top problems, such as a Business Unit with many security issues or a specific technology (e.g. Oracle Java) with security issues
5. Remediation: track the pace of fixing the top issues
6. Continuous: perform the whole cycle on a regular basis to keep the organization's security status up-to-date

Exposure Cycle

1. Build the topology (bring network devices, view the map)
2. Define Threat Origins
3. Optionally define impact rules for Business Asset Groups
4. Run attack simulation
5. View the results: exposure summary and details
6. Remediation: check important Threat Origins (such as Internet) to see if there are directly exposed vulnerabilities that need fixing
7. Continuous: perform the whole cycle on a regular basis to minimize the organization's exposure

About the Skybox View Vulnerability Dictionary

The Skybox View Vulnerability Dictionary includes comprehensive and up-to-date data on network vulnerability definitions published within the world. Data sources are NVD (National Vulnerability Database), published vulnerability repositories, vulnerabilities scanners, and threat management feeds.

Each newly published vulnerability definition is represented in a standard format that includes a Skybox vulnerability ID (SBV ID), CVE ID (if one exists), references to scanner plugin IDs, CVSS score, description, links to relevant sources that describe the vulnerability definition, and solutions. In addition, each vulnerability definition is modeled to include exploitation preconditions and effects, which can then be used in attack simulation.

The dictionary enables Skybox Risk Control to represent the vulnerability occurrences of an organization in a standard normalized way, independently of the vulnerabilities scanner or discovery method used to identify them. Skybox Risk Control then prioritizes the identified vulnerability occurrences based on information from both the dictionary and the model. The dictionary supplies the severity of the vulnerability occurrence (CVSS score), the difficulty of its exploitation, and the commonality of such exploitations. The model and attack analysis provide information on the exposure to external and internal threats, the business context, and the potential attack risk of each vulnerability occurrence.

This enables the user to relate to rich and meaningful criteria for defining the SLA for remediation of vulnerability occurrences. Vulnerability occurrences with a high CVSS score, high business impact, exposure to various threats, and high attack impact (based on attack simulation), are typically classified as urgent.

Basic architecture

The Skybox View platform consists of a three-tiered architecture with a centralized server (Skybox View Server), data collectors (Skybox View Collectors), and a user interface (Skybox View Manager). Skybox View can be scaled easily to suit the complexity and size of any infrastructure. For additional information, see Skybox View architecture, in the Skybox View Installation and Administration Guide.

Part I: Security Metrics

This part explains how to work with the security metrics feature of Skybox Risk Control.

Chapter 2: Overview of the Security Metrics feature

You can automate the collection of vulnerability occurrence information from multiple disparate systems and calculate security metrics, which are risk indicators based on vulnerability occurrences. Security metrics provide threat indicators for your organization as a whole and for specific Business Units, enabling the security team to help management understand which threats pose the greatest risk and what your organization is doing about them.

Figure 1: Security Metrics Summary page

The Security Metrics feature uses vulnerability occurrence data collected on the network to calculate security metrics for each unit in your organization's hierarchy. The security metrics scores allow you to assess the current security and vulnerability status of your organization, track trends, and identify key contributors to poor performance.

In this chapter

- About security metrics in Skybox View
- Predefined security metrics
- Workflow for security metrics

About security metrics in Skybox View

Skybox View uses security metrics to measure the security status of your organization. Skybox View includes predefined security metrics as well as the ability to create new security metrics and customize the existing ones.

Most security metrics in Skybox View measure the status of vulnerability occurrences in your organization. However, some security metrics such as MS-VLI, MS-RLI, and Cisco-RLI measure the status of applying security bulletins from vendor-based catalogs.

The following are the main parameters that define security metrics:

Type

- Vulnerability Level Indicators: These security metrics measure the security status of your organization (or a part thereof) based on the status of its vulnerability occurrences or missing security updates. The more critical vulnerability occurrences or critical security updates in your organization, the higher the score.
  Vulnerability Level Indicators measure the average rate of vulnerability occurrences residing on assets in a group of assets, such as a Business Asset Group or a Business Unit. In simple terms, the rate is the average number of vulnerability occurrences per asset.
- Remediation Latency Indicators: These security metrics measure the remediation performance of your organization. The more time it takes to fix the critical vulnerability occurrences or missing security updates, the higher the score.
  Remediation Latency Indicators measure the rate of overdue vulnerability occurrences:
  - The Remediation Latency Indicator score for an asset represents the number of overdue (or relatively old) vulnerability occurrences residing on the asset, where each vulnerability occurrence is weighted. The weighting is calculated from the remediation priority of the vulnerability occurrence and its delay; high-priority vulnerability occurrences with a large delay have the highest weight.
  - The Remediation Latency Indicator score for a group of assets (Business Asset Group or Business Unit) is the average of the Remediation Latency Indicator score of each asset in the group.
  Use the Remediation Latency Indicator metric to identify entities (vulnerability definitions or groups of assets) whose remediation latency is relatively high and to examine trends of remediation latency.

View

- Security View: Security View shows the status of vulnerability occurrences in your organization.
  Note: This is the standard view for most security metrics.
- Vendor Solution View: Vendor Solution View shows the status of applying security bulletins from vendor-based catalogs and the prioritization of the bulletins that need to be applied. Whenever possible, results are displayed in terms of security bulletins, each of which is usually correlated to multiple vulnerability definitions. Vulnerability definitions that are not part of a security bulletin are displayed independently.
  Vendor Solution View is used by default for security metrics such as MS-VLI, MS-RLI, and Cisco-RLI, which measure the status of applying security bulletins from vendor-based catalogs.

Scope

The scope defines which vulnerability definitions are used in each security metric. This can include all vulnerability definitions, only vulnerability definitions or security bulletins from specific vendor-based catalogs (Microsoft, Cisco, Adobe, and/or Oracle), or a custom-defined set. You can also exclude specific groups of vulnerability definitions or products.

Predefined security metrics

Skybox View includes the following predefined security metrics, some of which are used to track vulnerability occurrence status and some to track remediation progress.

| Security metric name | Security metric long name | Scope | Description |
| --- | --- | --- | --- |
| Vendor Solution View | | | |
| Adobe Bulletin Level | Adobe Bulletin Level Indicator | By Catalog = Adobe Security Bulletins | This security metric measures the security status of your organization based on Adobe Security Bulletins. The more critical missing security bulletins, the higher the score. |
| Cisco Remediation Latency | Cisco Security Advisories Remediation Latency Indicator | By Catalog = Cisco Security Advisory | This security metric measures your organization's remediation performance of Cisco Security Advisories. The more time it takes you to apply the missing security advisories, the higher the score. |
| MS Bulletin Level | Microsoft Security Bulletins Vulnerability Level Indicator | By Catalog = Microsoft Security Bulletins | This security metric measures the security status of your organization based on Microsoft Security Bulletins. The more critical missing security bulletins, the higher the score. |
| MS Remediation Latency | Microsoft Security Bulletins Remediation Latency Indicator | By Catalog = Microsoft Security Bulletins | This security metric measures your organization's remediation performance of Microsoft Security Bulletins. The more time it takes you to apply the missing security bulletins, the higher the score. |
| Oracle Remediation Latency | Oracle Remediation Latency Indicator | By Catalog = Oracle Security Bulletins | This security metric measures the security status of your organization based on Oracle Security Bulletins. The more time it takes you to apply the missing security bulletins, the higher the score. |
| Overall - Remediation Latency | Remediation Latency Indicator | Any | This security metric measures the remediation performance of your organization. The more time it takes you to fix the critical vulnerability occurrences, the higher the score. |
| Security View | | | |
| Antivirus Integrity Vul Level | Antivirus Integrity Vulnerability Level Indicator | Custom = Anti-Virus Integrity | This security metric measures the security status of your organization based on the alerts (vulnerability occurrences) on antivirus applications. The more unhandled critical alerts (vulnerability occurrences) you have on antivirus applications, the higher the score. |
| Mobile Vul Level | Mobile Devices Alerts Vulnerability Level Indicator | Custom = Mobile device Vulnerabilities | This security metric measures the security status of your organization based on the alerts (vulnerability occurrences) on one or more of the following mobile devices: Apple, Android, Blackberry. The more unhandled critical alerts (vulnerability occurrences) you have on mobile devices, the higher the score. |
| New Vulnerabilities | New Vulnerabilities (Last 30 Days) Vulnerability Level Indicator | Custom = New Vulnerabilities last 30 days | This security metric measures the security status of your organization based on the vulnerability definitions that were published in the last 30 days. The more unhandled new critical vulnerability occurrences you have, the higher the score. |
| Overall Vul Level | Vulnerability Level Indicator | Any | This security metric measures the security status of your organization based on its vulnerability occurrences. The more critical vulnerability occurrences you have, the higher the score. |
| Web Browser Vulnerabilities | Web Browser Alerts Vulnerability Level Indicator | Custom = Web Browsers | This security metric measures the security status of your organization based on the alerts (vulnerability occurrences) on any of the following web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari. The more unhandled critical alerts (vulnerability occurrences) you have on web browsers, the higher the score. |

Workflow for security metrics

The following is the basic workflow for security metrics.

1. Analyze the security metrics (see page 29).
2. After you finish the setup, you can view the security metrics (on page 30) by organization hierarchy.
3. Make any necessary changes, such as changing the names, number of levels, or SLA periods of the security metrics (see Customizing the security metrics (on page 36)), and reanalyze.
4. In Skybox View, decide which vulnerability definitions or security bulletins to fix first and create tickets (on page 41) for them. If your organization handles the remediation process externally, export (on page 122) the relevant data to CSV.
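The two indicator types described earlier in this chapter, worked through on constructed data as an added example (not Skybox code): the Vulnerability Level Indicator as the average number of occurrences per asset, and the Remediation Latency Indicator as a per-asset sum of weighted overdue occurrences, averaged over the group. The SLA periods, priority weights, weighting formula, asset names and vulnerability IDs are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed parameters (not Skybox defaults): SLA period in days and a weight
# for each remediation priority.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
PRIORITY_WEIGHT = {"critical": 4.0, "high": 2.0, "medium": 1.0}


@dataclass(frozen=True)
class Occurrence:
    asset: str
    vuln_id: str   # constructed identifiers, not real SBV or CVE IDs
    priority: str
    found: date


def vli(assets, occurrences):
    """Vulnerability Level Indicator: average occurrences per asset."""
    if not assets:
        return 0.0
    return sum(1 for o in occurrences if o.asset in assets) / len(assets)


def overdue_weight(occ, today):
    """Weight of one occurrence: 0 while inside its SLA period, otherwise
    growing with both priority and delay (assumed formula)."""
    sla = SLA_DAYS[occ.priority]
    delay = (today - occ.found).days - sla
    if delay <= 0:
        return 0.0
    return PRIORITY_WEIGHT[occ.priority] * (1 + delay / sla)


def asset_rli(asset, occurrences, today):
    """Remediation Latency Indicator for one asset: sum of overdue weights."""
    return sum(overdue_weight(o, today) for o in occurrences if o.asset == asset)


def group_rli(assets, occurrences, today):
    """Group score: average of the per-asset scores."""
    if not assets:
        return 0.0
    return sum(asset_rli(a, occurrences, today) for a in assets) / len(assets)


def rank_units(units, occurrences, today):
    """(unit, VLI, RLI) rows, worst remediation latency first."""
    rows = [(name, vli(assets, occurrences), group_rli(assets, occurrences, today))
            for name, assets in units.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample data.
TODAY = date(2024, 6, 30)
UNITS = {
    "Finance": {"fin-db1", "fin-web1"},
    "Engineering": {"eng-ws1", "eng-ws2", "eng-ws3"},
}
OCCURRENCES = [
    Occurrence("fin-db1", "V-1", "critical", date(2024, 6, 9)),   # 14 days overdue
    Occurrence("fin-db1", "V-2", "medium", date(2024, 6, 1)),
    Occurrence("fin-web1", "V-1", "critical", date(2024, 6, 25)),
    Occurrence("eng-ws1", "V-3", "high", date(2024, 4, 1)),       # 60 days overdue
    Occurrence("eng-ws1", "V-4", "medium", date(2024, 6, 1)),
    Occurrence("eng-ws2", "V-3", "high", date(2024, 6, 20)),
    Occurrence("eng-ws2", "V-2", "medium", date(2024, 6, 1)),
    Occurrence("eng-ws3", "V-2", "medium", date(2024, 6, 1)),
    Occurrence("eng-ws3", "V-4", "medium", date(2024, 6, 1)),
]

if __name__ == "__main__":
    for name, level, latency in rank_units(UNITS, OCCURRENCES, TODAY):
        print(f"{name:12s} VLI={level:.2f} RLI={latency:.2f}")
```

With this data, Engineering has more occurrences per asset, but Finance ranks first on remediation latency because a single critical occurrence is two SLA periods overdue.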

Chapter 3: Building the model

The Skybox View model (the model) is a schema in the Skybox View database that represents all or part of your organization's network; it is used for vulnerability occurrence profiling, attack simulation, risk analysis, and planning mitigation.

When you have gathered as much information about your network as possible, you can begin building the model. It is recommended that you start with a relatively small first phase (for additional information, see First phase (on page 205)). Use the Model workspace and the Model tree to build the model.

Note: Before collecting data from your organization's network the first time, the model must be empty. If you loaded the demo model for tutorial purposes, you must clear it (File > Models > Reset Model).

In this chapter

- Updating the dictionary
- Obtaining asset and vulnerability occurrence data
- Discovery Center
- Adding organizational hierarchy (Business Units)

Updating the dictionary

The Skybox View Vulnerability Dictionary contains information about vulnerability definitions. When a vulnerability occurrence is found by a scanner (or by any other means), Skybox View uses the Vulnerability Dictionary to normalize the vulnerability occurrence and add all the vulnerability definition's information, including its description, cross-references from various sources, and external URLs, to the model.

Skybox View includes the most up-to-date dictionary at the time of release, but new updates are issued periodically. If the Vulnerability Dictionary is more than a week old, update it before running vulnerability detection, calculating security metrics, or simulating attacks.

To check the date and version of the Vulnerability Dictionary

- Select File > Dictionary > Show Dictionary Info.

Update the dictionary by running the Dictionary Update Daily task.

Note: This task is scheduled to run daily, but is not actually enabled to do so.

To enable the Dictionary Update Daily task to run as scheduled

1. Click.
2. In the Operational Console tree, select Tasks > All Tasks.
3. In the Table pane, right-click the Dictionary Update Daily task and select Properties.
4. In the Properties dialog box, make sure that Enable Auto-launch is selected.
5. Click OK.

To verify that the task is running correctly

1. In the Table pane, look at the Dictionary Update Daily task.
2. If there are timestamps in the Started at and Finished at columns, the task has run successfully and you can skip the other instructions here.
   If there are no timestamps in the Started at and Finished at columns, the task has not run, and you must launch it manually ( ).
3. After the task is launched, check its messages. The task may fail if:
   - The internet connection was not set correctly.
   - There is no internet connection. In this case, you must download the dictionary and update it manually as specified in the Updating the dictionary topic in the Skybox View Installation and Administration Guide.

Obtaining asset and vulnerability occurrence data

Asset and vulnerability occurrence data is a necessary component of security metrics analysis and Exposure analysis. You can obtain this data from:

- Scanners: Organizations that use scanners on their networks can use Skybox View tasks to either read the scanned data via APIs (online collection) or import the data from files generated by the scanner.
- Other data sources: In many cases, areas in the network are not scanned or not scanned frequently because of deployment issues. In this case, obtain asset data from other sources, such as:
  - Microsoft Active Directory: Skybox View can import Active Directory data to obtain your organization's Business Unit and Business Asset Group hierarchy and assets (but not asset products).
  - Microsoft System Center Configuration Manager (SCCM): Skybox View can import SCCM data to obtain your organization's assets, products, and patches.
    Note: SCCM data for Microsoft technologies includes missing patches that are directly equivalent to vulnerability occurrences in Skybox View (for example: MS12-017).
  - Other patch management and asset management systems: Skybox View can connect to these data sources (usually via iXML) and obtain information about assets, products, and sometimes missing patches for vulnerability occurrences.
  Import data from these other sources as often as necessary; the import is not dependent on the scheduling of specific scans.

Note: Whichever sources are used, it is important to make sure that the Skybox View Vulnerability Dictionary is up-to-date (see Updating the dictionary (on page 17)) before you start.

When asset data is imported from data sources that are not scanners and that do not include missing patches, it does not include any vulnerability occurrence data. Skybox View's Analysis Vulnerability Detector tasks analyze the asset data to extract vulnerability occurrences from it.

For additional information, see:

- Retrieving scanner data (see "Retrieving the data" on page 19)
- Tasks, in the Skybox View Reference Guide
- Vulnerability detection (on page 19)

For information about iXML, see the Integration part of the Skybox View Developer's Toolkit.

19 Retrieving the data Chapter 3 Building the model Scanner data provides information about assets and services, and information about the vulnerability occurrences that exist on scanned assets. You can add this data to the model using tasks. For information about tasks that collect scanner data and add it to the model, see Scanner tasks, in the Skybox View Reference Guide. For a sample workflow, see Workflow for importing a Qualys vulnerabilities scan (on page 20). Skybox View supports many scanners, such as Qualys QualysGuard and ncircle. A complete list of directly supported scanners is available at If your scanner is not supported, create an integration script that converts the source data to Skybox Integration XML (ixml) and import it to Skybox View. For information about ixml, see the Integration part of the Skybox View Developer s Toolkit. Patch data is an important component of the model that provides additional information about IT assets and vulnerability occurrences that is usually quite accurate and helps Skybox View to model your organization s network more accurately. You can retrieve patch data from asset management systems and patch management systems. You can use this data instead of, or in addition to, information collected from network vulnerabilities scanners. This is necessary when the vulnerabilities scanners do not cover the whole network, are not activated very often, or are not deployed at all. You can import data from asset and patch repositories as often as necessary; the import is not dependent on the scheduling of specific scans. Patch data is retrieved using collection tasks for supported patch management systems (such as Shavlik NetChk Protect), import tasks for Active Directory and SCCM, or using ixml to import patch information from other data sources (such as BigFix). For additional information about importing data from ActiveDirectory and SCCM, see Vulnerability detection (on page 19). 
For information about iXML, see the Integration part of the Skybox View Developer's Toolkit.

Vulnerability detection

Asset data is imported directly from patch management and asset management systems (such as Active Directory and SCCM) to Skybox View using tasks. After the asset data is imported, an additional task (of type Analysis Vulnerability Detector) must be run to infer the vulnerability occurrences from service banners imported as part of the asset data.

Basic workflow for detecting vulnerability occurrences

1. (Optional) Import information from Active Directory to obtain your organization's hierarchy. For additional information, see Importing Microsoft Active Directory data, in the Skybox View Reference Guide.
2. View the imported Business Units and Business Asset Groups in the Model workspace: Organization > Business Units & Asset Groups. When you select a Business Asset Group in the tree, you can see its assets in the workspace.
3. Run an Asset Management SCCM task to obtain asset information. For additional information, see Microsoft SCCM, in the Skybox View Reference Guide.
4. View the imported assets in the Model workspace: Organization > Model Analyses > New Entities > New Assets, or in any other appropriate analysis.
5. View the generated products (services) of all newly imported assets by selecting an asset and then viewing the Services tab in the Details pane.

Note: You can also create operational analyses of type Services in the Model Analyses tree and, for example, set the value of the Discovery Method field to Vulnerability Detector. However, this analysis does not display the services for each asset separately.

Until this point, there are assets with products, but no vulnerability occurrences.

6. Run a task of type Analysis Vulnerability Detector. For information about these tasks, see Vulnerability Detector tasks, in the Skybox View Reference Guide.
7. View the generated vulnerability occurrences in any vulnerability occurrences analysis, such as Risk Control > Analytics Center > Analyses > Public Analyses > Vulnerabilities > New Vulnerability Occurrences (in the Risk Control workspace). The Discovery Method field of a vulnerability occurrence generated by this task is Vulnerability Detector. If necessary, you can display the Created Time field in the Table pane to make sure you are looking at vulnerability occurrences from the correct run of the task.

Unidentified services

There may be cases where an asset has services that Skybox View cannot identify based on their banner. This may occur because the banner format is new to the system or because the product is not yet supported (such as a new minor version of Windows). Sending unidentified banners to Skybox Security, as explained in the next section, can help speed up the identification.

You can see these services in two places:
- Analyses of type Services (such as a New Services analysis).
- Asset analyses, in the Services tab of the Details pane, when the Show Unidentified Services check box is selected.

Look at the Banner field (available as a column in Services analyses and by right-clicking the Service and selecting Properties) to see which product is involved.

To send information about unidentified services to Skybox Security for identification (and inclusion in product updates)

1. Right-click the analysis that includes unidentified services and then select Export to CSV.
2. Create a ticket in Skybox View's support portal and add the CSV file as an attachment.
Workflow for importing a Qualys vulnerability scan

When imported into Skybox View, vulnerability scans provide information about the assets and services in your organization including their vulnerability occurrences. If the scan includes assets that are not already part of the model, they are added to the model. The following explains how to import a Qualys vulnerability scan.

To import a Qualys vulnerability scan

1. In the Operational Console tree, select the Tasks node.
2. Click.
3. Type a Name for the task, such as Import Qualys Collection.

4. In the Task Type field, select Scanners - Qualys Collection.
5. Fill in the Username and Password.

Figure 2: Scanners - Qualys Collection task parameters

6. Define the Network Scope: the locations and networks in the model to include in the task. When the collection data is imported, only data from the specified locations and network is merged with the existing model. If the network scope is empty, the entire collection is merged.
7. The Recency field defines how many days back to search for scans. To obtain the most recent scan, fill in this field according to how often scans are run. For example, if scans are run on a daily basis, 1 finds yesterday's scan. If scans are run on a weekly basis, 7 finds the most recent scan. For information about additional parameters in the task, see Qualys QualysGuard collection tasks, in the Skybox View Reference Guide.
8. Click Launch.
9. Verify that the task finished successfully:
   a) Select the task in the Table pane of the All Tasks node.
   b) Check that the value of the Exit Code is Success.
   If the task did not succeed, look in the Messages tab of the Details pane for information about what went wrong. This tab displays a log of the task; you can view the errors there to understand the problem. For example, a necessary file was deleted for some reason or moved to a different location.

10. Close the Operational Console.
11. Check the results of the import as follows:
   a) Open the Risk Control workspace.
   b) Navigate to Analytics Center > Analyses > Public Analyses > Vulnerabilities.
   c) Right-click the New Vulnerability Occurrences folder and select New > Analysis.
   d) Type a Name for the analysis, such as Vulnerabilities imported by last Qualys scan.
   e) Fill in the following fields:
      - Last Scan Time: As appropriate
      - (Advanced tab) Discovery Method=QUALYS
   f) Click OK.

Guidelines for setting up scanner tasks

Review the following when setting up scanner tasks:
- Skybox View requires unrestricted scanning output: output with a minimum of control devices (such as firewalls) blocking the route between the scanner and the scanned assets. Otherwise, Skybox View's analysis of access and attack scenarios in the model does not reflect the actual access and possibility of attacks in your organization.
- When your organization includes DHCP networks, you get a more accurate model if you use separate scans for the DHCP networks and for the static networks because Skybox View uses a different mechanism to merge scans of DHCP networks into the model.
- Some information found by vulnerability scanners is not needed for attack simulation. Skybox View supports blacklists, lists of scanner IDs that contain irrelevant information that Skybox View ignores. Blacklists are used when merging vulnerability occurrences into the model: scanner IDs on the blacklists are not translated into vulnerability occurrences in the model. For additional information, see Blacklists, in the Skybox View Reference Guide.

Vulnerability occurrences in the model

When a vulnerability occurrence is found by a scanner or by any other means, Skybox View uses the Skybox View Vulnerability Dictionary to formally model the vulnerability occurrence in the model.
The following information is displayed for each vulnerability occurrence:
- Commonality: Unknown, Low, Medium, or High. Generated by the Vulnerability Dictionary, commonality specifies how frequently attackers exploit vulnerability occurrences of this vulnerability definition.
- Severity: Taken from the CVSS base score, and displayed on a scale from Unknown to Critical, and as a number (0-10). Generated by the Vulnerability Dictionary.
- CVSS information: The Vulnerability Dictionary provides CVSS information for the base and temporal vector of each vulnerability occurrence. This standard enables users to easily analyze the impact of a vulnerability occurrence, including how it can be exploited (locally or remotely, with or without authentication, and so on) and its possible impact in terms of CIA (confidentiality, integrity, and availability).
- Life-cycle status: Found, Ignored, or Fixed. Skybox View assigns an initial status of Found to each vulnerability occurrence detected. Later, this can be changed by Skybox View or by a user to Ignored or Fixed. Attack simulation uses only vulnerability occurrences with the Found status.
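The life-cycle rule in the list above and the exposure level that the guide defines next (steps from a Threat Origin, with one step meaning direct exposure) can be made concrete with a small model. This is an added example, not Skybox code: the asset names, occurrence IDs, access maps, and the rule that an attacker can move on from an asset only if it has a Found vulnerability occurrence are assumptions made for illustration.

```python
"""Simplified exposure-level calculation (illustrative; not Skybox's algorithm)."""
from collections import deque
from dataclasses import dataclass, replace

# Life-cycle statuses named in the guide.
FOUND, IGNORED, FIXED = "Found", "Ignored", "Fixed"


@dataclass(frozen=True)
class VulnOccurrence:
    occ_id: str          # constructed identifier
    asset: str           # asset the occurrence was detected on
    status: str = FOUND  # initial status is Found


def exposure_levels(origin_access, asset_access, occurrences):
    """Return {occ_id: steps from the nearest Threat Origin, or None}.

    origin_access: {threat_origin: [assets it can reach directly]}
    asset_access:  {asset: [assets it can reach over the network]}
    Only Found occurrences are scored and only they let the simulated
    attacker continue from an asset (assumption of this example).
    """
    exploitable = {o.asset for o in occurrences if o.status == FOUND}
    steps = {}
    queue = deque()
    # Step 1: everything a Threat Origin reaches directly.
    for targets in origin_access.values():
        for asset in targets:
            if asset not in steps:
                steps[asset] = 1
                queue.append(asset)
    # Breadth-first search gives the minimum number of steps per asset.
    while queue:
        asset = queue.popleft()
        if asset not in exploitable:
            continue  # reachable, but nothing Found to exploit: dead end
        for nxt in asset_access.get(asset, ()):
            if nxt not in steps:
                steps[nxt] = steps[asset] + 1
                queue.append(nxt)
    return {
        o.occ_id: steps.get(o.asset) if o.status == FOUND else None
        for o in occurrences
    }


def with_status(occurrences, occ_id, status):
    """Copy of the occurrence list with one life-cycle status changed."""
    return [replace(o, status=status) if o.occ_id == occ_id else o
            for o in occurrences]


def directly_exposed(levels):
    """Occurrences some Threat Origin reaches in a single step."""
    return sorted(k for k, v in levels.items() if v == 1)


# Constructed sample model.
ORIGIN_ACCESS = {"Internet": ["web01"]}
ASSET_ACCESS = {
    "web01": ["app01", "file01"],
    "app01": ["db01"],
    "file01": ["hr01"],
}
OCCURRENCES = [
    VulnOccurrence("VO-1", "web01"),
    VulnOccurrence("VO-2", "app01"),
    VulnOccurrence("VO-3", "db01"),
    VulnOccurrence("VO-4", "db01", IGNORED),
    VulnOccurrence("VO-5", "hr01"),
    VulnOccurrence("VO-6", "file01", FIXED),
]

if __name__ == "__main__":
    before = exposure_levels(ORIGIN_ACCESS, ASSET_ACCESS, OCCURRENCES)
    after = exposure_levels(
        ORIGIN_ACCESS, ASSET_ACCESS, with_status(OCCURRENCES, "VO-2", FIXED))
    for occ in OCCURRENCES:
        print(occ.occ_id, occ.asset, occ.status,
              "before:", before[occ.occ_id], "after fixing VO-2:", after[occ.occ_id])
```

In the sample, VO-5 on hr01 is never scored because the only path to it runs through file01, whose single occurrence is Fixed; marking VO-2 as Fixed likewise removes the path to db01.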

When you run attack simulation, the exposure level of each vulnerability occurrence in the model is analyzed. The exposure level indicates how many steps are needed to access the vulnerability occurrence from a Threat Origin; direct exposure means that some Threat Origin can reach the vulnerability occurrence in only one step.

Discovery Center

The Discovery Center provides a high-level view of the information Skybox View has about the model. At the top of the page, you can see:
- The number of vulnerability occurrences in the organization (that is, the parts of the organization that are modeled) and their average age
- The number of vulnerability definitions
- The number of assets in the organization, including those which have not been scanned recently

Figure 3: Discovery Center

The various charts and tables below provide a high-level view of the inventory of the organization, showing you how your organization looks from a Skybox View point of view. At first, this inventory enables you to see at a glance that all the information you expected is included in the model, and that, for example, you didn't miss a location or a critical network. As you continue to work with Skybox View, it also enables you to view your organization's assets from various perspectives, such as noticing how many of the assets are up-to-date and how many are overdue.

Adding organizational hierarchy (Business Units)

This section explains how to add Business Units and Business Asset Groups to the model.

Including information about your organization's hierarchy (Business Units and Business Asset Groups) in the Skybox View model enables Skybox View to present the inventory and findings in a logical way for your organization. You define this information after the network and security information is collected for your model. As stated in First phase (on page 205), it is recommended that you start with a first phase consisting of about five Business Asset Groups.

Figure 4: Sample business hierarchy

Note: When defining your organization's hierarchy, use names that match your organization. Create a naming convention that is understandable and meets the needs of your organization. This makes the first stage of definition easier, makes it easier to maintain the definitions, and makes it easier to add new ones when necessary.

Business Units

Business Units allow you to group your organization's Business Asset Groups into a hierarchy for management purposes. This is especially useful for large organizations. When you create analyses and reports, you can use the Business Units to organize (aggregate or filter) the results. You can also compare the risk levels of different Business Units.

Defining Business Units

To define a Business Unit

1. Do one of the following:
   - In the Model tree, select the Business Units & Asset Groups node.
   - To make the new Business Unit part of an existing Business Unit, select the parent Business Unit.
2. Right-click the node and select New > Business Unit.

Figure 5: New Business Unit dialog box

3. Fill in the fields and click OK. Members (other Business Units and Business Asset Groups) are optional when first creating the Business Unit but you must fill them in later. Selecting an owner is optional.

Managing Business Units

After you create a Business Unit, you can create a hierarchy by creating Business Asset Groups or other Business Units inside the first one or by attaching existing Business Asset Groups or Business Units to the first one. You can also detach Business Asset Groups or Business Units from a parent Business Unit.

To attach a Business Asset Group or a Business Unit to another Business Unit

1. In the Model tree, locate the Business Asset Group or Business Unit that is to become a part of another Business Unit.
2. Right-click the Business Asset Group or Business Unit and select Attach to Business Unit.
3. Do one of the following:

   Figure 6: Attach Business Units to Business Unit dialog box

   - If the parent Business Unit exists, select it and click OK. The selected entity becomes a child node of the parent Business Unit.
   - To make this entity part of a new Business Unit:
     a) Select the position in the tree where you want the new (parent) Business Unit.
     b) Click New.
     c) In the New Business Unit dialog box, fill in the relevant information. The entity that you are attaching automatically becomes a child of the new parent Business Unit, but you can also add other member entities using the Members field.
     d) Click OK. The new Business Unit is created in the selected position in the tree and the selected entity becomes a child node, as do any other member entities selected in step c.

To detach a Business Asset Group or Unit from a Business Unit

1. In the Model tree, locate the Business Asset Group or Business Unit to detach from a Business Unit. If the Business Asset Group or Business Unit is attached to more than one Business Unit, make sure that you locate the correct instance (that is, you are detaching it from the correct Business Unit).
2. Right-click the Business Asset Group or Business Unit and select Detach from Business Unit. If the Business Asset Group is no longer attached to any Business Units, it is moved to the bottom of the Business Units & Asset Groups node in the Model tree.

Note: You can also attach and detach Business Asset Groups and Business Units to or from existing Business Units by dragging them to the desired locations in the Model tree.

Business Asset Groups

A Business Asset Group is a group of assets that serve a common business purpose. Use Business Asset Groups to model your organization according to functions provided by your IT infrastructure.

To add a Business Asset Group

1. Do one of the following:
   - In the Model tree, select the Business Units & Asset Groups node.
   - To make the new Business Asset Group part of an existing Business Unit, select that Business Unit.

2. Right-click the node and select New > Business Asset Group.
3. Type a Name for the Business Asset Group.

Figure 7: New Business Asset dialog box

4. Click the Browse button next to the Members field to select the members of the Business Asset Group. Select any of the following:
   - Specific assets
   - Networks. If you select a network, every non-network-device asset currently in that network is included in the Business Asset Group.
5. (Optional) Select an Owner for this Business Asset Group.
6. Click OK. The Business Asset Group is saved. It is added in the Model tree under its parent node.

For information about the parameters of Business Asset Groups, see Business Asset Groups, in the Skybox View Reference Guide.

Other ways of adding organizational hierarchy information

You can add new information about your organization's hierarchy to the model automatically in the following ways:

- Import an iXML model: Retrieve hierarchy information from various proprietary sources of information, such as a customized asset database. Scripts convert the proprietary information into a format (iXML) that Skybox View can import. For information about iXML, see the Integration part of the Skybox View Developer's Toolkit.
- Import a Skybox View model (in XML or encrypted XML format): Importing a model adds the new model's entities to the current model. In this manner, you can join several partial models representing different sections of your organization's network into a single model.

Note: The imported models may also include Threat Origins.


More information

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd. GFI LANguard 9.0 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

rating of 5 out 5 stars

rating of 5 out 5 stars SPM User Guide Contents Aegify comprehensive benefits... 2 Security Posture Assessment workflow... 3 Scanner Management... 3 Upload external scan output... 6 Reports - Views... 6 View Individual Security

More information

McAfee VirusScan Enterprise for Linux 1.7.0 Software

McAfee VirusScan Enterprise for Linux 1.7.0 Software Configuration Guide McAfee VirusScan Enterprise for Linux 1.7.0 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication

More information

Dell Enterprise Reporter 2.5. Configuration Manager User Guide

Dell Enterprise Reporter 2.5. Configuration Manager User Guide Dell Enterprise Reporter 2.5 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license

More information

ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000

ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000 ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000 Version 3.2 ArcMail Technology 401 Edwards Street, Suite 1601 Shreveport, LA 71101 Support: (888) 790-9252

More information

Silect Software s MP Author

Silect Software s MP Author Silect MP Author for Microsoft System Center Operations Manager Silect Software s MP Author User Guide September 2, 2015 Disclaimer The information in this document is furnished for informational use only,

More information

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on

More information

BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008

BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008 BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008 BUILDER 3.0 1 Table of Contents Chapter 1: Installation Overview... 3 Introduction... 3 Minimum Requirements...

More information

Symantec Security Information Manager 4.7.4 Administrator Guide

Symantec Security Information Manager 4.7.4 Administrator Guide Symantec Security Information Manager 4.7.4 Administrator Guide Symantec Security Information Manager 4.7.4 Administrator Guide The software described in this book is furnished under a license agreement

More information

Oracle Fusion Middleware

Oracle Fusion Middleware Oracle Fusion Middleware Getting Started with Oracle Business Intelligence Publisher 11g Release 1 (11.1.1) E28374-02 September 2013 Welcome to Getting Started with Oracle Business Intelligence Publisher.

More information

Altiris Patch Management Solution for Linux 7.1 SP2 from Symantec User Guide

Altiris Patch Management Solution for Linux 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Linux 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Linux 7.1 SP2 from Symantec User Guide The software described in this book is furnished

More information

WatchDox for Windows. User Guide. Version 3.9.5

WatchDox for Windows. User Guide. Version 3.9.5 WatchDox for Windows User Guide Version 3.9.5 Notice Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Feature and Technical Overview Published: 2010-06-16 SWDT305802-1108946-0615123042-001 Contents 1 Overview: BlackBerry Enterprise

More information

Qualys PC/SCAP Auditor

Qualys PC/SCAP Auditor Qualys PC/SCAP Auditor Getting Started Guide August 3, 2015 COPYRIGHT 2011-2015 BY QUALYS, INC. ALL RIGHTS RESERVED. QUALYS AND THE QUALYS LOGO ARE REGISTERED TRADEMARKS OF QUALYS, INC. ALL OTHER TRADEMARKS

More information

Symantec Security Information Manager 4.6 Administrator's Guide

Symantec Security Information Manager 4.6 Administrator's Guide Symantec Security Information Manager 4.6 Administrator's Guide Symantec Security Information Manager 4.6 Administrator's Guide The software described in this book is furnished under a license agreement

More information

HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide

HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide Abstract This guide describes the Virtualization Monitor (vmon), an add-on service module of the HP Intelligent Management

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Lumension Endpoint Management and Security Suite

Lumension Endpoint Management and Security Suite Lumension Endpoint Management and Security Suite Patch and Remediation Module Evaluation Guide July 2012 Version 1.1 Copyright 2009, Lumension L.E.M.S.S:LPR - Table of Contents Introduction... 3 Module

More information

NETWRIX USER ACTIVITY VIDEO REPORTER

NETWRIX USER ACTIVITY VIDEO REPORTER NETWRIX USER ACTIVITY VIDEO REPORTER ADMINISTRATOR S GUIDE Product Version: 1.0 January 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

SecuraLive ULTIMATE SECURITY

SecuraLive ULTIMATE SECURITY SecuraLive ULTIMATE SECURITY Home Edition for Windows USER GUIDE SecuraLive ULTIMATE SECURITY USER MANUAL Introduction: Welcome to SecuraLive Ultimate Security Home Edition. SecuraLive Ultimate Security

More information

Novell ZENworks 10 Configuration Management SP3

Novell ZENworks 10 Configuration Management SP3 AUTHORIZED DOCUMENTATION Software Distribution Reference Novell ZENworks 10 Configuration Management SP3 10.3 November 17, 2011 www.novell.com Legal Notices Novell, Inc., makes no representations or warranties

More information

IBM Security SiteProtector System Configuration Guide

IBM Security SiteProtector System Configuration Guide IBM Security IBM Security SiteProtector System Configuration Guide Version 2.9 Note Before using this information and the product it supports, read the information in Notices on page 209. This edition

More information

HP Operations Orchestration Software

HP Operations Orchestration Software HP Operations Orchestration Software Software Version: 9.00 HP Business Availability Center Integration Document Release Date: June 2010 Software Release Date: June 2010 Legal Notices Warranty The only

More information

Secure Web Service - Hybrid. Policy Server Setup. Release 9.2.5 Manual Version 1.01

Secure Web Service - Hybrid. Policy Server Setup. Release 9.2.5 Manual Version 1.01 Secure Web Service - Hybrid Policy Server Setup Release 9.2.5 Manual Version 1.01 M86 SECURITY WEB SERVICE HYBRID QUICK START USER GUIDE 2010 M86 Security All rights reserved. 828 W. Taft Ave., Orange,

More information

Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide

Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide Altiris IT Analytics Solution 7.1 SP1 from Symantec User Guide Altiris IT Analytics Solution 7.1 from Symantec User Guide The software described in this book is furnished under a license agreement and

More information

WatchDox for Windows User Guide. Version 3.9.0

WatchDox for Windows User Guide. Version 3.9.0 Version 3.9.0 Notice Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to any unauthorized individuals or

More information

How to Grow and Transform your Security Program into the Cloud

How to Grow and Transform your Security Program into the Cloud How to Grow and Transform your Security Program into the Cloud Wolfgang Kandek Qualys, Inc. Session ID: SPO-207 Session Classification: Intermediate Agenda Introduction Fundamentals of Vulnerability Management

More information

vrealize Operations Manager Customization and Administration Guide

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.0.1 This document supports the version of each product listed and supports all subsequent versions until

More information

Configuration Information

Configuration Information This chapter describes some basic Email Security Gateway configuration settings, some of which can be set in the first-time Configuration Wizard. Other topics covered include Email Security interface navigation,

More information

Secure Web Appliance. SSL Intercept

Secure Web Appliance. SSL Intercept Secure Web Appliance SSL Intercept Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About SSL Intercept... 1 1.3. About this Manual... 1 1.3.1. Document Conventions...

More information

User Guide. CTERA Agent. August 2011 Version 3.0

User Guide. CTERA Agent. August 2011 Version 3.0 User Guide CTERA Agent August 2011 Version 3.0 Copyright 2009-2011 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written permission

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

WhatsUpGold. v3.0. WhatsConnected User Guide

WhatsUpGold. v3.0. WhatsConnected User Guide WhatsUpGold v3.0 WhatsConnected User Guide Contents CHAPTER 1 Welcome to WhatsConnected Finding more information and updates... 2 Sending feedback... 3 CHAPTER 2 Installing and Configuring WhatsConnected

More information

Resolving the Top Three Patch Management Challenges

Resolving the Top Three Patch Management Challenges LANDesk Technical White Paper Resolving the Top Three Patch Management Challenges Technical White Paper Visit www.landesk.com for more information. To the maximum extent permitted under applicable law,

More information

Best Practices for Vulnerability Management

Best Practices for Vulnerability Management 4 Steps to Reducing Risk with Vulnerability Management Best Practices Is Your Vulnerability Management Process Meaningful To Your Business? The vulnerability management process can be very useful and provide

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER ADMINISTRATOR S GUIDE Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

The cloud server setup program installs the cloud server application, Apache Tomcat, Java Runtime Environment, and PostgreSQL.

The cloud server setup program installs the cloud server application, Apache Tomcat, Java Runtime Environment, and PostgreSQL. GO-Global Cloud 4.1 QUICK START SETTING UP A WINDOWS CLOUD SERVER AND HOST This guide provides instructions for setting up a cloud server and configuring a host so it can be accessed from the cloud server.

More information

Best Practice Configurations for OfficeScan (OSCE) 10.6

Best Practice Configurations for OfficeScan (OSCE) 10.6 Best Practice Configurations for OfficeScan (OSCE) 10.6 Applying Latest Patch(es) for OSCE 10.6 To find out the latest patches for OfficeScan, click here. Enable Smart Clients 1. Ensure that Officescan

More information

InfoView User s Guide. BusinessObjects Enterprise XI Release 2

InfoView User s Guide. BusinessObjects Enterprise XI Release 2 BusinessObjects Enterprise XI Release 2 InfoView User s Guide BusinessObjects Enterprise XI Release 2 Patents Trademarks Copyright Third-party contributors Business Objects owns the following U.S. patents,

More information

EMC Smarts Integration Guide

EMC Smarts Integration Guide vcenter Operations Manager Enterprise 1.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more

More information

Authoring for System Center 2012 Operations Manager

Authoring for System Center 2012 Operations Manager Authoring for System Center 2012 Operations Manager Microsoft Corporation Published: November 1, 2013 Authors Byron Ricks Applies To System Center 2012 Operations Manager System Center 2012 Service Pack

More information

HP Enterprise Integration module for SAP applications

HP Enterprise Integration module for SAP applications HP Enterprise Integration module for SAP applications Software Version: 2.50 User Guide Document Release Date: May 2009 Software Release Date: May 2009 Legal Notices Warranty The only warranties for HP

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

Item Audit Log 2.0 User Guide

Item Audit Log 2.0 User Guide Item Audit Log 2.0 User Guide Item Audit Log 2.0 User Guide Page 1 Copyright Copyright 2008-2013 BoostSolutions Co., Ltd. All rights reserved. All materials contained in this publication are protected

More information

Vector Asset Management User Manual

Vector Asset Management User Manual Vector Asset Management User Manual This manual describes how to set up Vector Asset Management 6.0. It describes how to use the: Vector AM Console Vector AM Client Hardware Inventory Software Inventory

More information