Skybox Vulnerability Control User Guide

12.0.100.00

Revision: 11

Skybox Security, Inc. | 2077 Gateway Place, Suite 200, San Jose, CA 95110 USA | +1 866 675 9269 | skyboxsecurity.com

Proprietary and Confidential to Skybox Security. © 2022 Skybox Security, Inc. All rights reserved.

Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.

Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Change Manager, Skybox Appliance 6000/7000/8000/8050/11000/12100/12200, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.

Skybox version 12.0.100.00 3

Contents

Preface 8

Intended audience 8

How this manual is organized 8

Related documentation 8

Technical support 9

Overview of Skybox Vulnerability Control 10

Skybox Security Posture Management Platform 10

Basic architecture 11

About Skybox Vulnerability Control 11

Vulnerability Control process 12

About the Skybox Vulnerability Dictionary 13

Threat-Centric Vulnerability Management 14

Overview of Threat-Centric Vulnerability Management 15

About Threat-Centric Vulnerability Management 15

Workflow for Threat-Centric Vulnerability Management 16

Discovery 17

Updating the Vulnerability Dictionary 17

Getting asset and vulnerability occurrence data 18

Discovery Center 26

Adding organizational hierarchy (Business Units) 27

Adding additional information about a vulnerability 30

Prioritization 31

Prioritization overview 31

Prioritization Center 31

Using the Prioritization Center 33

Security metrics 34

Understanding security metrics information 36

Remediation 40

About remediation levels 40

Remediation Center 41

Workflow for remediation 42

Creating tickets for remediation 42

Customizing the security metrics 43

About security metrics in Skybox 43

Initial customization 43

Security metric properties 44

Skybox Vulnerability Control User Guide


Additional customization 46

Continuous usage for Threat Centric Vulnerability Management 47

Security Metric triggers 47

Recalculating the security metrics 48

Creating other triggers 48

Exposure 50

Overview of the Exposure feature 51

Introduction to exposure 51

Automated IT security modeling 52

Attack simulation and visualization 53

Business impact analysis and risk metrics 54

Regulation compliance 55

Risk exposure management workflow 55

Building the model 57

Building the network topology 57

Validating the model 65

Overview of validating the model 65

Best practices for model validation 67

Model validation tasks and analyses 68

Access Analyzer test queries 76

Network Map visualization 77

Task error messages 78

Item counts 78

Creating Perimeter Clouds automatically 79

Validating the setup for attack simulation 79

Model Booster 80

Why use Model Booster? 80

How does Model Booster Work? 80

Minimum network requirements 80

How to run Model Booster 81

Model Booster limitations 81

What are connecting routers? 81

Excluding networks 82

Use cases 82

FAQs 83

Network visualization (maps) 85

Network Map 85

Creating and saving dedicated maps 86

Navigating the Network Map 86

Map Groups 89

Adding Threat Origins 92

Threat Origins overview 92

Threat Origins 92

Threat Origin Categories 93


Defining Threat Origins 94

Disabling and enabling Threat Origins 95

Using Business Asset Groups for risk metrics 96

Business Impacts and Regulations 96

Adding dependency rules 98

Explicit dependency rules 98

Implicit dependency 99

Simulating attacks 100

Attack simulation 100

Understanding Skybox risk 100

Viewing risk 101

Identifying the critical issues 102

Workflow 102

Reviewing directly exposed vulnerability occurrences 103

Reviewing Threat Origins 104

Reviewing Business Asset Groups 105

Reviewing attacks 105

Checking whether the problem is access-related 107

Remediation 109

Marking vulnerability occurrences as ignored 109

Mitigating critical vulnerability occurrences 110

Reviewing Vulnerability Definitions 110

Creating tickets manually 111

Updating the model after fixing vulnerability occurrences 119

Using the What If model to test changes 119

Continuous risk management 121

Attack simulation for continuous risk management 121

Monitoring the risk status 121

Automating ticket creation 122

Tickets and workflow 124

Model maintenance 128

Continuous usage 129

Using tasks for automation 130

Reports 131

Reports overview 131

Security Metric reports 131

Risks reports 132

FISMA/NIST and Risk Assessment reports 132

PCI DSS reports 133

Tickets reports 133

Vulnerability Management reports 134

Vulnerabilities reports 134

Exporting data to CSV files 135

Exporting vulnerability occurrence data to Qualys format 136


Model maintenance 137

Updating the model 137

General maintenance 140

Deployed product list 142

Advanced topics 146

Advanced modeling 147

Modeling VPNs 147

Modeling L2 networks 151

Mapping overlapping networks 154

Virtual routers 156

Virtual firewalls 157

Virtualization and clouds 157

Clusters 160

Modeling multihomed assets 161

Merging data 162

Using clouds as Threat Origins 168

Advanced dependency rules 168

Additional information about exposure 170

About attack simulation 170

About risk 171

Risk profiles 175

Risk factors 176

PCI DSS support in Skybox Vulnerability Control 177

Skybox analyses 178

Analyses overview 178

Risk analyses 179

Creating an analysis 179

Access Analyzer 181

Creating queries 181

Access Analyzer output 185

Modifying security metric properties 195

Calculation of scores for VLI security metrics 195

Calculation of scores for RLI security metrics 196

Impact levels 198

Additional security metrics properties 199

Skybox Vulnerability Dictionary 200

Skybox Vulnerability Dictionary information 200

CVE compliance 202

Skybox Intelligence Feed 203

About the Skybox intelligence feed 203

How it works 203

Data sources 203

Merging from multiple sources 205

Vulnerability information 205


Exploits 206

Products 207

Skybox Vulnerability Center 208

Skybox intelligence feed SLA 208

IPS support in Skybox 209

IPS Dictionary 209

Working with IPS in Skybox 209

Optimization 221

Performance considerations 221

Optimizing Access Analyzer analysis 222

Deployment 223

Planning deployment 224

Deployment plan 224

Deployment team 225

Phases of deployment 226

Preparing data for Skybox 227

Information requirements 227

Preparing a list of network devices 227

Defining the data collection strategy 228

Preparing scanning information 229

Preparing the data 229

Modeling unsupported devices 230

Starting deployment 231

First phase of deployment 231

Appendices 232

Skybox Intelligence Feed Supported Products and SLA 233


Preface

Intended audience

The Skybox Vulnerability Control User Guide explains how to work with Skybox Vulnerability Control. Use this document in conjunction with:

l Skybox Installation and Administration Guide, which explains Skybox installation, and configuration and maintenance tasks

The intended audience is users of Skybox Vulnerability Control.

How this manual is organized

This manual includes the following parts:

l Overview of Skybox Vulnerability Control

l Threat-Centric Vulnerability Management

l Exposure

l Continuous usage

l Advanced topics

l Deployment

Related documentation

Skybox documentation includes:

l Skybox Installation and Administration Guide

l Skybox Reference Guide

l Skybox Developer Guide

l Skybox Release Notes

l User Guides for other Skybox products

The entire documentation set (in PDF format) is here

Note: If you are not using the latest version of Skybox, you can find the documentation for your version at https://downloads.skyboxsecurity.com/files/Installers/Skybox_View/<your major version>/<your minor version>/Docs. For example, https://downloads.skyboxsecurity.com/files/Installers/Skybox_View/11.5/11.5.100/Docs

You can access a comprehensive Help file from anywhere in Skybox Manager by using the Help menu or by pressing F1.


Technical support

You can contact Skybox using the form on our website or by [email protected].

Customers and partners can contact Skybox technical support via the Skybox Support portal.

When you open a case, you need:

l Your contact information (telephone number and email address)

l Skybox version and build numbers

l Platform (Windows or Linux)

l Problem description

l Any documentation or relevant logs

You can compress logs before attaching them by using the Pack Logs tool (see the Packing log files for technical support topic in the Skybox Installation and Administration Guide).


Chapter 1

Overview of Skybox Vulnerability Control

This chapter is an overview of Skybox Vulnerability Control.

In this chapter

Skybox Security Posture Management Platform 10

Basic architecture 11

About Skybox Vulnerability Control 11

Vulnerability Control process 12

About the Skybox Vulnerability Dictionary 13

Skybox Security Posture Management Platform

Over 500 of the largest and most security-conscious enterprises in the world rely on Skybox® Security for the insights and assurance required to stay ahead of dynamically changing attack surfaces. At Skybox, we don’t just serve up data and information. We provide the intelligence and context to make informed decisions, taking the guesswork out of securely enabling enterprises at scale and speed. Our Security Posture Management Platform delivers complete visibility, analytics, and automation to quickly map, prioritize, and remediate vulnerabilities across your organization. The vendor-agnostic platform intelligently optimizes security policies, actions, and change processes across all corporate networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring enterprises remain protected.

For additional information visit the Skybox website.

Skybox Security Posture Management Platform includes:

l Skybox Vulnerability Control: Powers threat-centric vulnerability management by correlating intelligence on vulnerabilities in your environment, the surrounding network and security controls, and exploits in the wild, focusing remediation on your most critical threats


l Skybox Firewall Assurance: Brings multivendor firewall environments into a single view and continuously monitors policy compliance, optimizes firewall rulesets, and finds attack vectors that others miss

l Skybox Network Assurance: Analyzes hybrid environments end to end across physical, virtual and cloud – even operational technology – networks, illuminating complex security zones, access paths and policy compliance violations

l Skybox Change Manager: Ends risky changes with network-aware planning and risk assessments, making firewall changes a secure, consistent process with customizable workflows and automation

The products share common services, including modeling, simulation, analytics, reporting, and automated workflow management.

Basic architecture

The Skybox platform consists of a 3-tiered architecture with a centralized server (Skybox Server), data collectors (Skybox Collectors), and a user interface (Skybox Manager). Skybox can be scaled to suit the complexity and size of any infrastructure.

See the Skybox architecture topic in the Skybox Installation and Administration Guide.

About Skybox Vulnerability Control

Vulnerability Control harnesses total attack surface visibility and threat-centric vulnerability intelligence to spot vulnerabilities that are most likely to be used in an attack against your organization. Eliminate risks 100-times faster than traditional scanning and manual analysis with on-demand vulnerability discovery, threat-centric prioritization and remediation guidance based on the context of your attack surface and threats in the wild. Reduce false positives to near-zero levels, streamline workflows, optimize gradual risk reduction, and respond to imminent threats within hours—not days.

l Finds vulnerability exposures and exploitable attack vectors on-demand with intelligence on exploits in the wild

l Prioritizes vulnerabilities based on threats and the risk imposed to your network

l Detects vulnerabilities on network devices and unscannable systems

l Targets imminent threats for immediate response and systematically reduces potential threats with context-aware remediation guidance

Highlights

l On-demand vulnerability assessments

o Combines data from vulnerability scanners, patch management systems and endpoint agents—including those running in virtual and cloud environments—with scanless assessments from Skybox Vulnerability Detector

o Discovers vulnerabilities on network and security devices and in traditionally unscannable zones, including virtual and cloud environments

o Uses network and security control context to identify exposed vulnerabilities

l Threat-centric vulnerability intelligence and exposure analysis


o Identifies exposed vulnerabilities using the network model, attack vector analytics and multi-step attack simulations

o Discovers potential attack scenarios and detects bypassed or compromised security measures

o Highlights vulnerabilities with exploits available, used in active attack campaigns, or distributed on the dark web

o Improves change management by evaluating proposed changes for new vulnerability exposures

l Prioritization in the context of threats and your attack surface

o Puts exposed vulnerabilities and vulnerabilities most likely to be exploited at the top of your priorities list

o Analyzes attack vectors in the context of the network, mitigating controls and Skybox Research Lab investigations of the threat landscape

o Prioritizes imminent threats for immediate remediation and identifies potential threats for ongoing, gradual risk reduction

l Same-day imminent threat response

o Recommends best remediation actions to eliminate imminent threats in hours, instead of days

o Optimizes gradual risk reduction to systematically reduce the attack surface and ensure potential threats do not escalate

o Tracks remediation progress and closure

o Measures remediation effectiveness with customized risk metrics

l Comprehensive device support

Refer to the Skybox website for a list of supported devices.

Vulnerability Control process

The main Vulnerability Control process, Threat-Centric Vulnerability Management, is:

1. Discover: Gather and assess information about assets, network topology, security controls, and vulnerabilities in your environment, including physical, virtual, and cloud networks.

2. Prioritize: Correlate vulnerability data with exploit availability and use. Analyze potential attack paths and business impacts to prioritize remediation according to imminent and potential threats.

3. Remediate: Apply patches or use IPS signatures, access rules, segmentation, and so on to block attack paths. Address imminent threats first and deal with potential threats over time.

4. Track: Track progress and analyze trends to find areas that need more attention or resources. Monitor remaining vulnerabilities for changes in exposure or use in the wild.

You can get additional information by analyzing your network for exposure to threats:

1. Import network devices to get the topology (if you have not yet done this).

2. Define the potential threats.

3. Analyze the exposure of the network to these threats.


About the Skybox Vulnerability Dictionary

The Skybox Vulnerability Dictionary consolidates vulnerability data for more than 2000 products that are used extensively in enterprise network environments, including server and desktop operating systems, business and desktop applications, databases, runtime frameworks, networking hardware and software, and security software. This data selection is tailored to Skybox’s enterprise customers, according to the most relevant products and their corresponding vulnerabilities in a large enterprise network.

The Skybox Vulnerability Dictionary supports more than 100,000 vulnerabilities. The Skybox Vulnerability Dictionary is a collection of information from leading public and private security data sources, built as a superset of their vulnerabilities. As a state-of-the-art vulnerability database, the Skybox Vulnerability Dictionary is CVE compliant and implements the CVSS v3 standard.


Threat-Centric Vulnerability Management

This part explains how to work with Threat-Centric Vulnerability Management.


Chapter 2

Overview of Threat-Centric Vulnerability Management

This chapter provides an overview of Threat-Centric Vulnerability Management.

In this chapter

About Threat-Centric Vulnerability Management 15

Workflow for Threat-Centric Vulnerability Management 16

About Threat-Centric Vulnerability Management

Vulnerability Control uses a variety of factors to prioritize vulnerabilities—from baseline information (for example, security advisories and CVSS scores) through the unique context of your network, security controls, and business, to Skybox Research Lab intelligence on the threat landscape.

Skybox correlates this vast and diverse data set to divide vulnerabilities in your environment into 2 main categories—those that pose a potential threat to your organization and those that pose an imminent threat. Vulnerability Control streamlines the gradual risk reduction of potential threats, and monitors changes in the threat landscape to ensure that such threats do not escalate. Imminent threats are prioritized for immediate remediation.

Threat information is filtered by security metrics, which are risk indicators based on vulnerability occurrences. The default view takes all vulnerability types into account, but you can also view data for a subset of vulnerabilities, such as Microsoft, Adobe, or web-browser related ones. Threat-Centric Vulnerability Management enables you to assess the security and vulnerability status of your organization, track trends, and identify key contributors to poor performance.


Workflow for Threat-Centric Vulnerability Management

Basic workflow for Vulnerability Control

1. Discover

a. Collect data about the assets in your model. This data includes information about vulnerability occurrences on all collected assets.

b. Look at the Discovery Center to understand the security of your inventory.

c. If they were not organized automatically, organize the assets into Business Units to make it easier to understand the security status of different parts of your organization.

2. Prioritize

a. Analyze the data (click the Analyze icon). This correlates the vulnerability and asset data with exploit availability and use.

b. In the Prioritization Center, see how your organization is affected by exposure to different vulnerabilities and how likely they are to be exploited by malware and ransomware, and determine the order in which vulnerability occurrences should be fixed.

3. Remediate

l Block attack paths by applying patches or using IPS signatures, access rules, segmentation, and so on. Address imminent threats first and deal with potential threats over time.

In some organizations, the Skybox user is responsible for either creating tickets for the most urgent issues or exporting data to a CSV file. In others, another department is responsible for remediation, and the user implementing this workflow is responsible for making sure that remediation proceeds at an acceptable speed.

4. Track

l Use the Remediation Center to track progress and analyze trends, to find areas that need more attention or resources. Monitor remaining vulnerabilities for changes in exposure or use in the wild.

Repeat the cycle on a regular basis to keep your security status up to date.


Chapter 3

Discovery

When you start using Skybox Vulnerability Control, the 1st step is to discover which assets and products, and (consequently) which vulnerabilities your organization includes and how the assets are organized: connect to your repositories, management servers, and scanners, and import their data into the model. The import process creates the Skybox model (the model), which is a normalized database stored as a CMDB.

We recommend that you start with a small part of your network (not more than 1000 assets), understand how Skybox works, and then expand your model to the entire network.

Important: Before collecting data from your network the 1st time, the model must be empty. If you loaded the demo model, clear it (File > Models > Reset Model).

In this chapter

Updating the Vulnerability Dictionary 17

Getting asset and vulnerability occurrence data 18

Discovery Center 26

Adding organizational hierarchy (Business Units) 27

Adding additional information about a vulnerability 30

Updating the Vulnerability Dictionary

The Skybox Vulnerability Dictionary contains information about Vulnerability Definitions. Skybox uses the Vulnerability Dictionary to normalize vulnerability occurrences found by scanners, adding information—including description, cross-references from various sources, and external URLs—to the model.

Skybox includes the most up-to-date Vulnerability Dictionary at the time of release, but updates are released 6 days a week. We recommend that you check for Dictionary updates daily; update the Dictionary before importing vulnerability data or working with vulnerabilities.

To check the date and version of the Vulnerability Dictionary

l Select File > Dictionary > Show Dictionary Info.

To enable the Dictionary Update – Daily task to run automatically

1. Open the Operational Console.

2. In the Operational Console tree, select Tasks > All Tasks.

3. In the Table pane, right-click the Dictionary Update – Daily task and select Properties.

4. In the Properties dialog box, select Enable Auto-launch.

5. Click OK.

6. (Optional) Run the task.


To verify that the task is running correctly

1. In the Table pane, select the Dictionary Update – Daily task.

2. Look at the task’s most recent run time and status, and at the task messages for success or error messages.

Getting asset and vulnerability occurrence data

Asset and vulnerability occurrence data is a necessary component of security metrics analysis and Exposure analysis. You can retrieve this data from:

l Vulnerability scanners

l Patch and system management solutions

l Skybox Vulnerability Detector, which you can use to detect vulnerability occurrences based on product-version-patch information

To retrieve asset and vulnerability information, create tasks in the Operational Console that collect information from these data sources via their API or by reading files, and then normalize the data and add it to the model.

Scanners

Skybox supports many scanners. There is a complete list of directly supported scanners at Quick reference: Scanners in the Skybox Reference Guide. If your scanner is not directly supported, you can create an integration script that converts the source data to iXML and then import the iXML file into the model.

l For information about iXML, see the Integration part of the Skybox Developer Guide.

Some information found by vulnerability scanners is not required for attack simulation. Skybox supports blacklists—lists of scanner IDs that contain irrelevant information that Skybox ignores. When merging vulnerability occurrences into the model, scanner IDs on the blacklists are not translated into vulnerability occurrences in the model. For additional information, see the Blacklists topic in the Skybox Reference Guide.

Skybox Vulnerability Detector

If there is no vulnerability occurrence data (for example, no scanners are available), but your organization has an asset repository, you can use Skybox Vulnerability Detector to retrieve vulnerability occurrences. Vulnerability Detector deduces vulnerability occurrences from the product, version, and patch information of each asset, thereby creating vulnerability occurrences in the model. For additional information, see Detecting assets and vulnerability occurrences.

Workflow for importing a Qualys vulnerability scan

Vulnerability scans provide information about the assets and services in your organization, including their vulnerability occurrences. If the scan includes assets that are not part of the model, these assets are added to the model.

To import a Qualys vulnerability scan

1. In the Operational Console tree, select the Tasks node.

2. Click the toolbar icon that creates a new task.


3. Type a Name for the task.

4. In Task Type, select Scanners – Qualys Collection.


l For information about the task properties, see the Qualys QualysGuard collection tasks topic in the Skybox Reference Guide.

5. Fill in Username and Password.

6. Define the Network Scope—the assets and container entities in the model to include in the task.

When the collection data is imported, only data from the specified locations and networks is merged with the model. If the network scope is empty, all collected data is merged.

7. Recency specifies how many days before today to search for scans. To retrieve the most recent scan, type a value in this field according to how often scans are run. For example, if scans are run daily, a value of 1 finds yesterday’s scan. If scans are run on a weekly basis, a value of 7 finds the most recent scan.

8. Click Launch.

9. Verify that the task finished successfully:

a. Select the task in the Table pane of the All Tasks node.

b. Check that the Exit Code is set to Success.

If the task failed, check the Messages tab of the Details pane. This tab displays a log of the task; you can view the errors to understand the problem. For example, a necessary file was deleted or moved to a different location.

10. Close the Operational Console.

11. Check the results of the import:

a. Open the Vulnerability Control workspace.

b. Navigate to Analyses > Public Analyses > Vulnerabilities.

c. Right-click the New Vulnerability Occurrences folder and select New > Analysis.

d. Type a Name for the analysis.

e. Set Vulnerability Type to Vulnerability Occurrences.

f. Fill in:

l Scan Time

l (Operational tab) Discovery Method=QUALYS

Detecting assets and vulnerability occurrences

Asset data is imported directly from patch management and asset management systems into the Skybox model using tasks. After the asset data is imported, run an additional Analysis – Vulnerability Detector task. These tasks infer the vulnerability occurrences from service banners imported as part of the asset data.

The supported management systems are:

l Microsoft SCCM (with or without additional information from Microsoft Active Directory)

l Red Hat Satellite


Detecting assets and vulnerability occurrences using Microsoft SCCM data

Typical workflow for detecting assets and vulnerability occurrences using SCCM data

1. Add hierarchy information by doing one of:

l Import the information from Microsoft Active Directory (see the Microsoft Active Directory section in the Skybox Reference Guide)

l Add the information manually

2. View the imported Business Units and Business Asset Groups in the Model workspace; select Business Units & Asset Groups. When you select a Business Asset Group in the tree, its assets are listed in the workspace.

3. Run an Asset Management – SCCM Collection task to retrieve asset information. For information about these tasks, see the Microsoft SCCM section in the Skybox Reference Guide.

4. View the imported assets in the Model workspace: Model Analyses > New Entities > New Assets or in another relevant analysis.

5. View the products (services) of all newly imported assets by selecting an asset and then selecting the Services tab in the Details pane.

Note: You can create Services operational analyses in the Model Analyses tree and, for example, set Discovery Method to SCCM. However, these analyses do not display the services for each asset separately.

Up to this point, there are assets with products, but no vulnerability occurrences.

6. Run an Analysis – Vulnerability Detector task; set Service Source to SCCM.

l For information about these tasks, see the Vulnerability detection tasks: Patch data topic in the Skybox Reference Guide.

7. View the created vulnerability occurrences in a vulnerability occurrences analysis (for example, Vulnerability Control > Prioritization Center > Analyses > Public Analyses > Vulnerabilities > New Vulnerability Occurrences in the Vulnerability Control workspace).

The Discovery Method of a vulnerability occurrence created by this task has a value of Vulnerability Detector. Display Created Time in the Table pane to confirm that you are looking at vulnerability occurrences from the correct run of the task.

Detecting assets and vulnerability occurrences using Red Hat Satellite data

Typical workflow for detecting assets and vulnerability occurrences using Red Hat Satellite data

1. Run an Asset Management – Red Hat Satellite task to retrieve asset information. For information about these tasks, see the Red Hat Satellite section in the Skybox Reference Guide.

2. View the imported assets in the Model workspace: Model Analyses > New Entities > New Assets or in another relevant analysis.

3. View the products (services) of all newly imported assets by selecting an asset and then viewing the Services tab in the Details pane.


Note: You can create Services operational analyses in the Model Analyses tree and, for example, set Discovery Method to Satellite. However, these analyses do not display the services for each asset separately.

Up to this point, there are assets with products, but no vulnerability occurrences.

4. Run an Analysis – Vulnerability Detector task; set Service Source to SATELLITE.

l For information about these tasks, see the Vulnerability detection tasks topic in the Skybox Reference Guide.

5. View the created vulnerability occurrences in a vulnerability occurrences analysis (for example, Vulnerability Control > Prioritization Center > Analyses > Public Analyses > Vulnerabilities > New Vulnerability Occurrences in the Vulnerability Control workspace).

The Discovery Method of a vulnerability occurrence created by this task has a value of Vulnerability Detector. Display Created Time in the Table pane to confirm that you are looking at vulnerability occurrences from the correct run of the task.

Continuous detection

Run Skybox Vulnerability Detector on a frequent basis to analyze updated vulnerability data. For example, you can include it in a task sequence with either Asset Management – SCCM Collection or Asset Management – Red Hat Satellite Collection tasks.

After you run the task, the average age of vulnerability occurrences (and other relevant information) is displayed in the Discovery Center.

Detecting vulnerability occurrences from previous scans

Skybox can discover recently published Microsoft vulnerabilities on assets based on previousscans. This is useful after updates are made to a vulnerability source—for example, after PatchTuesday—but the scans are recent. Scanning is intrusive and resource intensive; using theVulnerability Detector task is neither.

To detect vulnerability occurrences from a previous scan

1. Run an Analysis – Vulnerability Detector task.

• For information about these tasks, see the Vulnerability detection tasks topic in the Skybox Reference Guide.

2. View the new vulnerability occurrences in analyses or via the Discovery Center.

Custom Vulnerability Definitions

There might be Vulnerability Definitions that affect your organization even before they are reported by your alert service, or Vulnerability Definitions that affect proprietary products that are not supported by the alert service.

These Vulnerability Definitions are supported in Skybox as custom Vulnerability Definitions.

• Uncataloged Vulnerability Definitions from Qualys, Tenable, Rapid7 Nexpose, and Tripwire scans are added and managed by Skybox automatically.

• Uncataloged Vulnerability Definitions from other sources and formats must be added and managed manually.

Changing the source name and prefix

By default, the source name for custom Vulnerability Definitions is Internal, and the source prefix is INT. You can change the source name and source prefix if necessary.

To change the source name of custom Vulnerability Definitions

1. Navigate to Tools > Options > Server Options > Threat Management.

2. Change Source Name and Source Prefix for these Vulnerability Definitions.

3. Click OK.

Creating and managing custom Vulnerability Definitions manually

You create and manage custom Vulnerability Definitions in the Custom Vulnerability Definitions dialog box. Make all necessary changes and then submit the changes to the Vulnerability Dictionary. After custom Vulnerability Definitions are created (and submitted), they are stored in the Skybox database and function in the same way as other Vulnerability Definitions, except that they are managed separately. If you created custom Vulnerability Definitions manually and they are not updated automatically, you can update them manually.

Note: The Custom Vulnerability Definitions dialog box is the only place where you can modify custom Vulnerability Definitions.

Vulnerability Definitions added or changed after the most recent time that changes were submitted to the Vulnerability Dictionary have a status of Pending.

Creating custom Vulnerability Definitions

To create a custom Vulnerability Definition

1. On the toolbar, click .

2. In the Custom Vulnerability Definitions dialog box, click Add.

3. In the New Custom Vulnerability Definition dialog box, fill in the fields as described in Properties of custom Vulnerability Definitions.

4. Click OK.

The Vulnerability Definition is listed in the table as Pending. It is not yet available for use outside this dialog box. After submitting the changes, the Vulnerability Definition becomes available for general use.

Editing custom Vulnerability Definitions

When you modify a custom Vulnerability Definition, the changed version has Pending status, but the original version remains available for general use. After the changes are submitted, the updated version replaces the previous version.

Submitting the changes

When you submit changes for custom Vulnerability Definitions, Skybox adds the new custom Vulnerability Definitions and the changes to existing custom Vulnerability Definitions to the Skybox database. This can take several minutes.

Changes are submitted every time that an alert service or Dictionary update task runs. You can submit changes manually by clicking Submit Changes in the dialog box.

Properties of custom Vulnerability Definitions

The properties of custom Vulnerability Definitions are described in the following table.

PROPERTY | DESCRIPTION

General

Title | The title of the Vulnerability Definition.

Severity | (Read-only) The severity of the Vulnerability Definition. The severity is calculated from the scanner severity information and the information that you provide in the CVSS tab.

Source | (Read-only) The source of the Vulnerability Definition.

CVE | The CVE ID of the Vulnerability Definition, if known.

ID | (Read-only) The ID of the Vulnerability Definition, including the prefix for custom Vulnerability Definitions.

BID | The Bugtraq ID of the Vulnerability Definition.

Published Date | The date on which the Vulnerability Definition was published.

Created by | (Read-only) The user who created the Vulnerability Definition. For automatically created Vulnerability Definitions, the value is System.

Modification Date | (Read-only) The date that the Vulnerability Definition was most recently modified.

Description | A free-form description of the Vulnerability Definition.

User Comments | Additional information or comments about the Vulnerability Definition.

CVSS | The CVSS version to use, and the CVSS base score and temporal score metrics. After filling in this information, click Calculate to get the CVSS base and temporal scores for the Vulnerability Definition.

Affected Products | Use this tab to select deployed products that are affected by this Vulnerability Definition and, optionally, to edit the versions that are affected by the Vulnerability Definition.

History | Lists changes to the Vulnerability Definition (for example, information added by subsequent scans).

Automatic creation of custom Vulnerability Definitions

When vulnerability occurrences are imported from scanners, they are associated with the appropriate Vulnerability Definition in the Vulnerability Dictionary.

New custom Vulnerability Definitions

If a vulnerability occurrence does not match any Vulnerability Definition in the Vulnerability Dictionary, Skybox checks the list of custom Vulnerability Definitions:

• If the vulnerability occurrence matches a custom Vulnerability Definition, the definition of the matching custom Vulnerability Definition is updated.

• If the vulnerability occurrence does not match any custom Vulnerability Definition, Skybox creates a custom Vulnerability Definition based on the information in the vulnerability occurrence, and the vulnerability occurrence is associated with it. The new custom Vulnerability Definition includes the scanner name and scanner ID; together, these 2 fields provide a unique way to identify the Vulnerability Definition.

Skybox cannot create a custom Vulnerability Definition unless the vulnerability occurrence contains the following fields:

• Common Info

• Last Modification Time

• System Description

• Title

Note: These are the Skybox names for the fields; different scanners often have different names for these fields.

Supported scans

This feature is supported for scans from the following device types:

• Qualys

Regular Qualys scans are supported; Qualys HostDetection (Host List VM Detection) files are not supported because they do not contain the necessary vulnerability data.

• Tenable

• Rapid7 Nexpose

Regular Nexpose reports are supported; NexposeSimpleXML reports are not supported because they do not contain the necessary vulnerability data.

• Tripwire

Merging custom Vulnerability Definitions with Vulnerability Dictionary definitions

Whenever the Vulnerability Dictionary is updated, Skybox checks whether any new Vulnerability Definition matches a custom Vulnerability Definition. Matching is based on the scanner name and scanner ID.

If there is a match, Skybox:

1. Moves vulnerability occurrences from the custom Vulnerability Definition to the new Vulnerability Definition and adds a comment to the history of the new Vulnerability Definition

2. Moves tickets on the custom Vulnerability Definition to the new Vulnerability Definition

3. Disables the custom Vulnerability Definition and adds a comment to its history; the custom Vulnerability Definition is no longer part of KPI calculations

Vulnerability occurrences in the model

When a vulnerability occurrence is found, Skybox uses the Skybox Vulnerability Dictionary to formally model the vulnerability occurrence in the model. The following information is displayed for each vulnerability occurrence:

• Exploitability: Exploitability, which is taken from the Vulnerability Dictionary, can be No Exploit, Exploit Available (there are published exploits), or Exploited In The Wild (the published exploits—malware or ransomware—are already used by threat actors).

• Severity: Severity is taken from the CVSS base score, as listed in the Vulnerability Dictionary.

• CVSS information: The Vulnerability Dictionary provides CVSS information for the base and temporal vector of each vulnerability occurrence.

CVSS information enables users to analyze the impact of a vulnerability occurrence, including how it can be exploited (for example, locally or remotely, with or without authentication) and its impact in terms of CIA (confidentiality, integrity, and availability).

• Commonality: Commonality, which is generated by the Vulnerability Dictionary, specifies how frequently attackers exploit vulnerability occurrences of this Vulnerability Definition.

• Life-cycle status: Skybox assigns an initial status of Found to each vulnerability occurrence detected. Later, Skybox or a user can change this to Ignored or Fixed. Attack simulation uses only vulnerability occurrences with the Found status.

When you run attack simulation, the exposure level of each vulnerability occurrence in the model is analyzed. The exposure level states how many steps a Threat Origin needs to access the vulnerability occurrence; direct exposure means that there are Threat Origins that can reach the vulnerability occurrence in only 1 step.

Discovery Center

The Discovery Center provides a high-level view of the information Skybox has about the assets and vulnerability occurrences in the model. At the top of the page, you can see:

• The number of vulnerability occurrences in your organization (that is, in the parts of your organization that are modeled) and their average age

• The number of Vulnerability Definitions

• The number of assets in your organization, including assets that were not scanned recently

The other charts and tables in the page provide a high-level view of the inventory of your organization, showing your organization from a Skybox point of view.

When you start using Skybox, use this inventory to check that all information that you expect is in the model and that, for example, you did not miss a location or a critical network. Later, you can view assets from various perspectives in the inventory—for example, how many assets are up to date and how many are overdue.

Adding organizational hierarchy (Business Units)

This section explains how to add Business Units and Business Asset Groups to the model.

Including information about your organization hierarchy (Business Units and Business Asset Groups) in the model enables Skybox to display the inventory and findings in a logical way for your organization. You add this information after the network and security information is collected for your model. We recommend that you start with a 1st phase consisting of about 5 Business Asset Groups.

You can add your organizational hierarchy manually or by using a tool (for example, Active Directory; for information about importing Active Directory data, see the Microsoft Active Directory section in the Skybox Reference Guide).

We recommend that when you define your organization hierarchy, you use names that match your organization. Create a naming convention that is understandable and meets your requirements. This makes it easier to maintain the names and to add names when necessary.

Business Units

Business Units enable you to group Business Asset Groups into a hierarchy for management purposes. This is especially useful for large organizations.

When you create analyses and reports, you can use the Business Units to organize (aggregate or filter) the results. You can compare the risk levels of different Business Units.

Defining Business Units

To define a Business Unit

1. In the Model tree, select the Business Units & Asset Groups node. (To make the new Business Unit part of an existing Business Unit, select the parent Business Unit.)

2. Right-click the node and select New > Business Unit.

3. In the New Business Unit dialog box, fill in the fields and click OK.

• Members (other Business Units and Business Asset Groups) are optional when creating the Business Unit, but you must fill them in later.

• Selecting an owner is optional.

Managing Business Units

After you create a Business Unit, you can create a hierarchy by creating Business Asset Groups or other Business Units inside the 1st Business Unit, or by attaching Business Asset Groups or Business Units to the new Business Unit. You can also detach Business Asset Groups or Business Units from a parent Business Unit.

To attach a Business Asset Group or a Business Unit to another Business Unit

1. In the Model tree, locate the Business Asset Group or Business Unit that is to become a part of another Business Unit.

2. Right-click the Business Asset Group or Business Unit and select Attach to Business Unit.

3. In the Attach Business Units to another Business Unit dialog box:

• If the parent Business Unit exists, select it and click OK.

• To make this entity part of a new Business Unit:

a. Select the position in the tree for the new (parent) Business Unit.

b. Click New.

c. In the New Business Unit dialog box, fill in the fields.

The entity that you are attaching becomes a child of the new parent Business Unit and you can add other member entities using Members.

d. Click OK.

The new Business Unit is created in the selected position in the tree and the selected entity becomes a child node, as do all member entities selected in step c.

To detach a Business Asset Group or Business Unit from a Business Unit

• In the Model tree, right-click the Business Asset Group or Business Unit and select Detach from Business Unit.

If the Business Asset Group or Business Unit is attached to multiple Business Units, you must select the correct instance (that is, make sure that you are detaching it from the correct Business Unit).

If a Business Asset Group is no longer attached to any Business Units, Skybox moves it to the bottom of the Business Units & Asset Groups node in the Model tree.

Business Asset Groups

A Business Asset Group is a group of assets that serve a common business purpose. Use Business Asset Groups to model your organization according to functions provided by your IT infrastructure.

A Business Asset Group can either contain assets or have a list of criteria (for example, “all firewalls in the Boston network”, “all assets with the Windows operating system”, or “all assets with an <xxx> tag”).

Use Model – Integrity tasks to continuously update Business Asset Groups with the assets that match the group’s criteria. This ensures that the scope of each Business Asset Group is synchronized with changes in your network.

To add a Business Asset Group

1. In the Model tree, select the Business Unit to which the Business Asset Group is to belong. If you did not create the Business Unit yet, select the Business Units & Asset Groups node.

2. Right-click the node and select New > Business Asset Group.

3. In the New Business Asset Group dialog box:

a. Type a Name for the Business Asset Group.

b. Click the Browse button next to Members to select the Business Asset Group members:

i. Specify the assets that are to be members of the Business Asset Group—select networks or assets, and properties that the assets must have to belong to this group. For example, all assets whose name starts with FW_ or all assets that have a specific service, operating system, or product.

For additional information, see the Business Asset Group members topic in the Skybox Reference Guide.

ii. Click Preview to list the assets that are included according to the current definition.

iii. Click OK to save the definition.

c. (Optional) Select an Owner for the Business Asset Group.

d. Click OK.

Skybox selects the assets to include in the Business Asset Group based on your definition. The Business Asset Group is added in the Model tree under its parent node.

For information about the properties of Business Asset Groups, see the Business Asset Groups section in the Skybox Reference Guide.

How Business Asset Groups are updated

Business Asset Groups are updated by Model – Integrity tasks. We recommend that you run this task whenever you run an import task, because it might change the composition of some Business Asset Groups.

You can run the update on an ad hoc basis by right-clicking the Business Units & Asset Groups node and selecting Calculate Asset Group members.

If Business Asset Groups in the model were not updated for a relatively long time (the default value is 30 days), a warning message is shown.

Other ways of adding organizational hierarchy information

You can add information about your organization hierarchy to the model in the following ways:

• Import an iXML file

Retrieve hierarchy information from a proprietary source of information (for example, a customized asset database). A script converts the proprietary information into a format (iXML) that Skybox can import.

◦ For information about iXML, see the Integration part of the Skybox Developer Guide.

• Import a Skybox model (in XML or encrypted XML format)

Importing a model adds the model’s entities to the current model. In this manner, you can join multiple partial models representing different sections of your network into a single model.

Adding additional information about a vulnerability

Business attributes are business information about Vulnerability Definitions that can be stored with the Vulnerability Definition in the model. You can use this information to provide additional business context for the Vulnerability Definitions and for integration with other systems; the additional information can be cross-referenced by the other system. Business attributes are accessible anywhere Vulnerability Definitions are displayed in Vulnerability Control.

Admins create business attributes in Tools > Options > Server Options > Business Attributes > Vulnerability Definitions.

You must add business attribute information manually, but you can add information to multiple Vulnerability Definitions together.

To view the business attributes of a Vulnerability Definition

• In a list of Vulnerability Definitions, right-click a definition and select Set Business Attributes.

To set or edit the business attributes of selected Vulnerability Definitions

1. In a list of Vulnerability Definitions, right-click the definitions and select Set Business Attributes.

2. Make the necessary changes.

Chapter 4

Prioritization

Skybox prioritizes vulnerabilities according to their threat level.

In this chapter

Prioritization overview 31

Prioritization Center 31

Using the Prioritization Center 33

Security metrics 34

Understanding security metrics information 36

Prioritization overview

Skybox uses exposure and exploitability to prioritize vulnerabilities by threat level. Imminent threats (for example, exposed vulnerabilities and vulnerabilities that are exploited in the wild) should be remediated promptly; potential threats (for example, exploit available and no exploit) can be remediated in a business-as-usual time frame.

• Exposed vulnerabilities are vulnerabilities that are 1 or 2 steps away from a Threat Origin (location of potential attackers).

• Exploitable vulnerabilities are vulnerabilities that can be targeted by malware, ransomware, exploit kits, and threat actors. Exploited in the wild refers to vulnerabilities that are targeted in the wild. Exploit available means that there are published exploits available for the vulnerabilities, but these exploits are not yet in use.

You can prioritize on a regular (daily) basis by scheduling Analysis – Security Metrics tasks or manually by clicking . During analysis, Skybox analyzes each vulnerability occurrence on each Business Unit and Business Asset Group for exposure to threats and exploitability. Skybox then assigns risk levels and scores for your organization. Scores can range from 0 to 100; 0 is the least critical—there are no vulnerability occurrences—and 100 is the most critical.
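The threat-level classification described above (exposure as the number of steps from a Threat Origin, exploitability from the Vulnerability Dictionary, only Found occurrences taken into account), as an added Python example that is not Skybox code. The Occurrence fields, the precedence used to place an occurrence in exactly one layer of the Risk by Threat Levels chart, and the sort order within a threat level are assumptions for illustration; the thresholds (1 step = direct, 1 or 2 steps = exposed) follow the text.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Exploitability(IntEnum):
    """Exploitability values from the Vulnerability Dictionary, ordered by urgency."""
    NO_EXPLOIT = 0
    EXPLOIT_AVAILABLE = 1       # published exploits exist, not yet used by threat actors
    EXPLOITED_IN_THE_WILD = 2   # published exploits are already used by threat actors


@dataclass(frozen=True)
class Occurrence:
    """Hypothetical representation of one vulnerability occurrence (not Skybox's schema)."""
    occ_id: str
    asset: str
    vuln_def: str
    exploitability: Exploitability
    status: str = "Found"                            # life-cycle status: Found, Ignored or Fixed
    steps_from_threat_origin: Optional[int] = None   # None: no Threat Origin reaches it


EXPOSED_MAX_STEPS = 2  # exposed = 1 or 2 steps from a Threat Origin (per the text)


def exposure_level(occ: Occurrence) -> str:
    """'direct' (1 step), 'exposed' (2 steps) or 'not exposed' (further away or unreachable)."""
    steps = occ.steps_from_threat_origin
    if steps is None or steps > EXPOSED_MAX_STEPS:
        return "not exposed"
    return "direct" if steps == 1 else "exposed"


def is_exposed(occ: Occurrence) -> bool:
    return exposure_level(occ) != "not exposed"


def threat_level(occ: Occurrence) -> str:
    """Imminent: exposed or exploited in the wild. Potential: everything else."""
    if is_exposed(occ) or occ.exploitability == Exploitability.EXPLOITED_IN_THE_WILD:
        return "imminent"
    return "potential"


def risk_layer(occ: Occurrence) -> str:
    """Place an occurrence in one layer of the Risk by Threat Levels chart.

    Assumed precedence (not stated on the page): an occurrence that is both
    exposed and exploited in the wild is counted under Exposed.
    """
    if is_exposed(occ):
        return "Exposed"
    return {
        Exploitability.EXPLOITED_IN_THE_WILD: "Exploited in the Wild",
        Exploitability.EXPLOIT_AVAILABLE: "Exploit Available",
        Exploitability.NO_EXPLOIT: "No Exploit",
    }[occ.exploitability]


def prioritize(occurrences: List[Occurrence]) -> Dict[str, List[Occurrence]]:
    """Split Found occurrences into imminent and potential threats, most urgent first.

    Ignored and Fixed occurrences are skipped (assumed, since attack simulation
    only uses Found occurrences). Sort key (assumed): direct exposure first,
    then any exposure, then exploitability.
    """
    found = [o for o in occurrences if o.status == "Found"]

    def urgency(o: Occurrence):
        return (exposure_level(o) != "direct", not is_exposed(o), -int(o.exploitability))

    result: Dict[str, List[Occurrence]] = {"imminent": [], "potential": []}
    for occ in sorted(found, key=urgency):
        result[threat_level(occ)].append(occ)
    return result


def risk_by_threat_level(occurrences: List[Occurrence]) -> Dict[str, int]:
    """Counts per chart layer over Found occurrences (the overview page's left-hand chart)."""
    counts = {"Exposed": 0, "Exploited in the Wild": 0, "Exploit Available": 0, "No Exploit": 0}
    for occ in occurrences:
        if occ.status == "Found":
            counts[risk_layer(occ)] += 1
    return counts


# Constructed sample occurrences (placeholder asset and definition names, not real findings).
SAMPLE = [
    Occurrence("o1", "web-01", "VD-1", Exploitability.EXPLOIT_AVAILABLE, steps_from_threat_origin=1),
    Occurrence("o2", "web-02", "VD-2", Exploitability.NO_EXPLOIT, steps_from_threat_origin=2),
    Occurrence("o3", "db-01", "VD-3", Exploitability.EXPLOITED_IN_THE_WILD, steps_from_threat_origin=4),
    Occurrence("o4", "db-01", "VD-4", Exploitability.EXPLOIT_AVAILABLE),
    Occurrence("o5", "app-01", "VD-5", Exploitability.NO_EXPLOIT, steps_from_threat_origin=3),
    Occurrence("o6", "app-01", "VD-1", Exploitability.EXPLOITED_IN_THE_WILD, status="Fixed",
               steps_from_threat_origin=1),
]

if __name__ == "__main__":
    for level, occs in prioritize(SAMPLE).items():
        print(level, [f"{o.occ_id}:{exposure_level(o)}/{o.exploitability.name}" for o in occs])
    print(risk_by_threat_level(SAMPLE))
```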

Prioritization Center

The left-hand side of the Prioritization Center overview page displays the Risk by Threat Levels chart.

Vulnerabilities that are exposed to a Threat Origin and vulnerabilities that are exploited in the wild are considered imminent threats and should be fixed first. Vulnerabilities for which exploits are available but have not been used and vulnerabilities for which there are no exploits are considered potential threats. The occurrences and definitions links for each level drill down to the corresponding list. For example, clicking the occurrences link for Exploited in the Wild brings you to a tab that lists the Exploited in the Wild vulnerability occurrences.

The right-hand side of the page provides additional information about the selected layer of the graph on the left. You can see how this layer (in the preceding example, Exploited in the Wild) is divided across your organization, and how many assets are involved in each. The Top Vulnerability Definitions by Contribution list shows the Vulnerability Definitions that contribute the most risk. These are the Vulnerability Definitions to fix first.

You can use the links on the right-hand side to drill down to information about a subunit or Vulnerability Definition.

Note: You can also view the prioritization in Security Metrics reports.

Using the Prioritization Center

When you view the Prioritization Center for part of your organization, the Summary tab is similar to the Prioritization Center overview page.

The other pages include:

• Exposure: A list of the exposed vulnerability occurrences in this part of your organization

• Exploitability: A list of the vulnerability occurrences in this part of your organization grouped by exploitability level

• All Security Metrics: A list of the supported security metrics for your organization, with information about how each metric impacts this part of your organization

Security metrics measure the security status of your organization based on the selected set of Vulnerability Definitions or security bulletins. The more critical unhandled vulnerability occurrences or missing security bulletins, the higher the score.

Security metrics

Information in the Prioritization Center is displayed according to the selected security metric.

You can switch the focus to a different security metric from the Prioritization Center Summary tab, so that you can see how vulnerabilities related to that security metric affect your organization.

To view information about a different security metric

1. At the top of the Summary tab for an entity, click to view the list of security metrics.

2. Select the security metric to display.

The scores for that security metric are shown in the tree and the information displayed in the workspace is based on that security metric.

Predefined security metrics

Skybox includes the predefined security metrics described in the following table. Some security metrics track vulnerability occurrence status; others track remediation progress.

Columns: Security Metric Name, Security Metric Long Name, Scope, Description

Security Bulletin View

Adobe – Bulletin Level
  Long name: Adobe – Bulletin Level Indicator
  Scope: Security Bulletin Vendors = Adobe Security Bulletins
  Description: This security metric measures the security status of your organization based on Adobe Security Bulletins. The more critical missing security bulletins, the higher the score.

Cisco – Advisory Level
  Long name: Cisco Security Advisories – Vulnerability Level Indicator
  Scope: Security Bulletin Vendors = Cisco Security Advisory
  Description: This security metric measures your organization’s remediation performance of Cisco Security Advisories. The more critical missing security advisories, the higher the score.

MS – Bulletin Level
  Long name: Microsoft Security Bulletins – Vulnerability Level Indicator
  Scope: Security Bulletin Vendors = Microsoft Security Bulletins
  Description: This security metric measures the security status of your organization based on Microsoft Security Bulletins. The more critical missing security bulletins, the higher the score.

Oracle – Bulletin Level
  Long name: Oracle – Vulnerability Level Indicator
  Scope: Security Bulletin Vendors = Oracle Security Bulletins
  Description: This security metric measures the security status of your organization based on Oracle Security Bulletins. The more critical missing security bulletins, the higher the score.

Red Hat – Advisory Level
  Long name: Red Hat Security Advisories – Vulnerability Level Indicator
  Scope: Security Bulletin Vendors = Red Hat Security Advisory
  Description: This security metric measures the security status of your organization based on Red Hat Security Advisories. The more critical missing security advisories, the higher the score.

Security View

Antivirus Integrity – Vul Level
  Long name: Antivirus Integrity – Vulnerability Level Indicator
  Scope: Custom = Anti-Virus Integrity
  Description: This security metric measures the security status of your organization based on the alerts (Vulnerability Definitions) on antivirus applications. The more unhandled critical alerts on antivirus applications, the higher the score.

Mobile – Vul Level
  Long name: Mobile Devices Alerts – Vulnerability Level Indicator
  Scope: Custom = Mobile device – Vulnerabilities
  Description: This security metric measures the security status of your organization based on the alerts (Vulnerability Definitions) on Apple, Android, and Blackberry mobile devices. The more unhandled critical alerts on mobile devices, the higher the score.

New Vulnerabilities
  Long name: New Vulnerabilities (Last 30 Days) – Vulnerability Level Indicator
  Scope: Custom = New Vulnerabilities – last 30 days
  Description: This security metric measures the security status of your organization based on Vulnerability Definitions published in the past 30 days. The more unhandled new critical vulnerability occurrences, the higher the score.

Overall – Vul Level
  Long name: Vulnerability Level Indicator
  Scope: Any
  Description: This security metric measures the security status of your organization based on its vulnerability occurrences. The more critical vulnerability occurrences, the higher the score.

Web Browser Vulnerabilities
  Long name: Web Browser Alerts – Vulnerability Level Indicator
  Scope: Custom = Web Browsers
  Description: This security metric measures the security status of your organization based on the alerts (Vulnerability Definitions) on Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari. The more unhandled critical alerts on web browsers, the higher the score.

Understanding security metrics information

After you understand the factors that contributed the most to a unit’s security metric score, you can decide how to proceed.

The right half of the Prioritization Center Summary tab is divided into sections; each section provides a different way to understand the information:

• Top subunits

Top subunits can be displayed as a chart or as a table. Click (chart) or (table).

The chart shows the contribution of the selected unit’s subunits to the unit’s total security metrics score.

◦ The color of each entity corresponds to its risk level.

◦ The height of each subunit represents the size (in number of assets) of the subunit relative to the other subunits.

◦ The chart displays the largest 5 subunits.

The table shows the risk level of the top 3 subunits and how much each contributes to the score of the parent entity.

Double-click a subunit to drill down to the Summary tab for that entity.

• Top Vulnerability Definitions or Security Bulletins

This table contains a list of the 5 Vulnerability Definitions or Security Bulletins (depending on which security metric is used) with the greatest contribution towards a unit’s security metrics score. Drill down to the vulnerability occurrences to display additional information.

◦ For Microsoft Security Bulletins, you can view information about bulletin supersedence (see Superseding Security Bulletins).

• Trends

If enough information was collected to create security metrics trend graphs, you can view the trends of a unit to track remediation progress relative to earlier security metrics scores of that unit.

Start by looking at the top subunits; try to identify factors with a high contribution to the unit’s security metrics.

If you lower the security metrics scores of these factors (that is, fix what is causing the security metric to be high), the security metrics score of the parent unit is decreased significantly.

• If you find units with a high contribution to the security metrics score of the parent unit, you can use the top-down approach to search for the cause.

A unit can have a high security metrics score but not contribute significantly to the security metrics score of its parent unit. Fixing such units is usually not a high priority—even a significant lowering of their security metrics scores does not have much impact on the security metrics score of the parent unit.

• If you find Vulnerability Definitions with a high contribution to the security metrics score, you can start the process of mitigating their vulnerability occurrences (for example, by creating tickets).

Properties of security metrics

• Type

◦ Vulnerability Level Indicators: These security metrics measure the security status of all or part of your organization based on the status of its vulnerability occurrences or missing security bulletins. The more critical vulnerability occurrences or critical security bulletins in your organization, the higher the score.

Vulnerability Level Indicators measure the rate of vulnerability occurrences found on assets in a group of assets. In simple terms, the rate is the average number of vulnerability occurrences per asset.

◦ Remediation Latency Indicators: These security metrics measure the remediation performance of your organization. The more time it takes to fix the critical vulnerability occurrences or missing security updates, the higher the score.

Remediation Latency Indicators measure the rate of overdue vulnerability occurrences:

- The Remediation Latency Indicator score for an asset represents the number of overdue (or relatively old) vulnerability occurrences found on the asset. Each vulnerability occurrence is weighted; the weighting is calculated from the remediation priority of the vulnerability occurrence and its delay; high-priority vulnerability occurrences with a large delay have the highest weight.

l The Remediation Latency Indicator score for a group of assets (Business Asset Groupor Business Unit), is the average of the Remediation Latency Indicator score of eachasset in the group.

Use the Remediation Latency Indicator metric to identify entities (vulnerabilityoccurrences or groups of assets) whose remediation latency is relatively high and toexamine trends of remediation latency.

l Viewo Security View: Shows the status of vulnerability occurrences in your organization.o Security Bulletin View: Shows the status of applying security bulletins from vendor-basedcatalogs and the prioritization of the security bulletins that have not been applied. Ifpossible, results are displayed in terms of security bulletins, each of which is usuallycorrelated to multiple Vulnerability Definitions. Vulnerability occurrences that are not partof a security bulletin are displayed separately.

• Scope

The scope defines the Vulnerability Definitions that Skybox uses in each security metric. This can include all Vulnerability Definitions, only Vulnerability Definitions or security bulletins from vendor-based catalogs, or a custom-defined set. You can exclude groups of Vulnerability Definitions or products.

The following security bulletin vendors are supported:

o Adobe

o Apple

o Cisco

o Google

o Microsoft

o Mozilla

o Oracle

o Red Hat

Superseding Microsoft Security Bulletins

For security metrics using Microsoft Security Bulletins, information about patch supersedence is available. When you select a Microsoft Security Bulletin, you can see the bulletins that are completely or partially replaced by this bulletin and the newer bulletins that replace it. A Microsoft Security Bulletin completely or partially replaces another bulletin if patches included in the newer bulletin replace patches included in the older bulletin.

The estimated contribution to solving vulnerability occurrences for the selected Business Unit for each Microsoft Security Bulletin is displayed. This includes the direct contribution of the selected bulletin and the direct contribution of all bulletins it supersedes. The Superseding Bulletins tab in the Details pane lists the bulletins that the selected bulletin supersedes and those that supersede it, including the same information about each of those as for the selected bulletin (for example, reported date and affected assets). Bulletins that supersede the selected bulletin might be in a gray font. These bulletins supersede the selected bulletin but are not in the scope of the selected node. This information is provided so that you are aware of the newest relevant Microsoft Security Bulletins and can decide whether to apply them.


Chapter 5

Remediation

After viewing the Prioritization Center, you understand what needs fixing and can start remediation.

Use the Remediation Center to track the remediation status of your organization, including the numbers of found vulnerability occurrences and fixed vulnerability occurrences in each part of your organization, and to understand how remediation is progressing over time.

You can remediate with or without using Skybox. You can create Skybox tickets on Vulnerability Definitions and assign them to users for detailed tracking.

In this chapter

• About remediation levels

• Remediation Center

• Workflow for remediation

• Creating tickets for remediation

About remediation levels

Skybox monitors remediation levels according to the remediation pace of your organization for each security metric. For example, critical Microsoft Security Bulletins might have an SLA of 20 days (that is, all critical Microsoft vulnerability occurrences should be fixed within 20 days) but critical Adobe Security Bulletins might have an SLA of 30 days.

Vulnerability occurrences that still have time to be fixed are in SLA. After that, they are out of SLA with various delay levels. For example, if the SLA for critical vulnerability occurrences in the selected security metric is 30 days, a vulnerability occurrence is in minor delay if it is not fixed within 60 days, in medium delay if it is not fixed within 90 days, and in major delay after that.

By default, the SLAs for each security metric are:

• Critical vulnerability occurrences: 30 days to fix

• High vulnerability occurrences: 60 days to fix

• Medium vulnerability occurrences: 90 days to fix

• Low and Info vulnerability occurrences: No SLA

You can:

• Change SLAs per security metric, according to the most urgent security metrics for your organization

• Change the SLAs for security metrics

For information about changing the SLAs of a security metric, see Defining the SLA per severity level. You can change the default SLAs in Tools > Options > Server Options > Vulnerability Control.


Remediation Center

The purpose of the Remediation Center is to help you to understand the pace of vulnerability occurrence remediation in your organization, and to know the vulnerabilities that require the most urgent remediation.

At the top of the page is a short overview of the state of remediation for the selected security metric.

The color of each status specifies its ranking (excellent, good, fair, or poor). You can switch the view to a different security metric from here.

In the next section (Remediation Overview):

• The 1st chart shows the remediation rate of vulnerability occurrences in your organization.

• The 2nd chart shows how many high and critical vulnerability occurrences are out of SLA, and by how much.

• The 3rd chart shows a comparison of how many high and critical vulnerability occurrences were found in the past months or weeks vs. how many were fixed. This helps you to understand whether you are keeping pace with the rate at which vulnerability occurrences are found in your organization.

At the bottom of the page is a summary of the remediation information for each security metric.

The main column is In SLA Vulnerabilities, which lists the security metrics that have a low percentage of vulnerability occurrences that are in SLA.
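The following Python script is an added example (not Skybox code) that puts the SLA and delay levels described under About remediation levels, and the In SLA percentage summarized in this column, into a runnable form. It uses the guide's default SLAs (Critical 30, High 60, Medium 90 days; none for Low and Info). The reading of the delay levels as consecutive bands of one SLA each (in SLA, minor, medium, major), the In SLA percentage as the share of open occurrences with an SLA that are still within it, and all sample occurrence ids and dates are assumptions constructed for the example.

```python
"""SLA and delay-level classification for vulnerability occurrences.

Added example; this is not Skybox code. It uses the default SLAs from the
guide (Critical 30, High 60, Medium 90 days; no SLA for Low and Info).
Assumption: the delay levels form consecutive bands of one SLA each, as in
the guide's Critical example (in SLA up to 30 days, minor delay up to 60,
medium delay up to 90, major delay after that), so for other severities the
bands end at 1x, 2x and 3x the SLA.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DEFAULT_SLA_DAYS: Dict[str, Optional[int]] = {
    "Critical": 30,
    "High": 60,
    "Medium": 90,
    "Low": None,
    "Info": None,
}


@dataclass(frozen=True)
class Occurrence:
    """A vulnerability occurrence found on one asset (constructed record)."""
    occurrence_id: str
    severity: str
    found: date
    fixed: Optional[date] = None


def delay_band(severity: str, age_days: int,
               sla_days: Dict[str, Optional[int]] = DEFAULT_SLA_DAYS) -> str:
    """Return the SLA band for an unfixed occurrence of the given age in days."""
    sla = sla_days.get(severity)
    if sla is None:
        return "No SLA"
    if age_days <= sla:
        return "In SLA"
    if age_days <= 2 * sla:       # assumption: minor delay band is one SLA long
        return "Minor Delay"
    if age_days <= 3 * sla:       # assumption: medium delay band is one SLA long
        return "Medium Delay"
    return "Major Delay"


def classify(occurrences: List[Occurrence], as_of: date,
             sla_days: Dict[str, Optional[int]] = DEFAULT_SLA_DAYS) -> Dict[str, List[str]]:
    """Group the ids of still-open occurrences by SLA band as of a date."""
    bands: Dict[str, List[str]] = {}
    for occ in occurrences:
        if occ.fixed is not None and occ.fixed <= as_of:
            continue                # fixed occurrences no longer count
        band = delay_band(occ.severity, (as_of - occ.found).days, sla_days)
        bands.setdefault(band, []).append(occ.occurrence_id)
    return bands


def in_sla_percentage(occurrences: List[Occurrence], as_of: date,
                      sla_days: Dict[str, Optional[int]] = DEFAULT_SLA_DAYS) -> float:
    """Percentage of open occurrences that have an SLA and are still within it
    (the In SLA Vulnerabilities figure, as read here)."""
    bands = classify(occurrences, as_of, sla_days)
    with_sla = sum(len(ids) for band, ids in bands.items() if band != "No SLA")
    if with_sla == 0:
        return 100.0
    return round(100.0 * len(bands.get("In SLA", [])) / with_sla, 1)


# Constructed sample data: ids, dates and severities are made up for the example.
AS_OF = date(2022, 6, 30)
SAMPLE_OCCURRENCES = [
    Occurrence("V1", "Critical", date(2022, 6, 15)),                      # 15 days old
    Occurrence("V2", "Critical", date(2022, 5, 15)),                      # 46 days old
    Occurrence("V3", "Critical", date(2022, 3, 1)),                       # 121 days old
    Occurrence("V4", "High", date(2022, 4, 1)),                           # 90 days old
    Occurrence("V5", "Medium", date(2022, 1, 1)),                         # 180 days old
    Occurrence("V6", "Low", date(2022, 1, 1)),                            # no SLA
    Occurrence("V7", "Critical", date(2022, 1, 1), fixed=date(2022, 2, 1)),  # already fixed
]

if __name__ == "__main__":
    for band, ids in sorted(classify(SAMPLE_OCCURRENCES, AS_OF).items()):
        print(f"{band:13s} {', '.join(ids)}")
    print("In SLA:", in_sla_percentage(SAMPLE_OCCURRENCES, AS_OF), "%")
```

Changing `DEFAULT_SLA_DAYS` per security metric, as the guide describes under Tools > Options, only requires passing a different dictionary to `classify`.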


Workflow for remediation

Typical workflow for remediation

1. Select Remediation Center (above the tree).

2. In the tree, click the Security Metrics node.

3. Select a technology to explore and select its security metric.

4. The 1st chart (Found Vulnerabilities by SLA) gives you an idea of the scope of the delay in vulnerability occurrences that need fixing.

5. The 2nd chart enables you to focus on the high and critical vulnerability occurrences with the most delay.

6. Click in the part of the chart that interests you (for example, Critical > Major Delay); this brings you to a list of Vulnerability Definitions in the Vulnerability Definitions / Security Bulletins tab.

7. You can look at the Vulnerability Definitions, see how many vulnerability occurrences each Vulnerability Definition has, and determine those that most need fixing. If your organization remediates using Skybox tickets, you can open tickets.

Creating tickets for remediation

You can use tickets to handle the remediation process. You can create tickets on either Vulnerability Definitions or security bulletins. You can create tickets on each Vulnerability Definition or security bulletin, so that you can have separate tickets for the same Vulnerability Definition or security bulletin in different settings.

To create a ticket

• Right-click the Vulnerability Definition or security bulletin in the Table pane and select Create Ticket.

A threat alert ticket is created.

The scope of these tickets depends on what you selected in the Security Metrics tree when creating the ticket. For example, if a ticket is created on a security bulletin when the Europe Operations Business Unit is selected in the tree, the Network Scope of the ticket includes only this Business Unit.

When you close a ticket for a Vulnerability Definition or security bulletin, its related vulnerability occurrences are marked as Fixed.

For additional information about the ticket workflow, see Tickets and workflow.


Chapter 6

Customizing the security metrics

The security metrics scores are intended to provide information about the security status of your organization. Because security status is determined by your policy and other factors, you might need to modify properties that Skybox uses in displaying and calculating the security metrics scores.

You can customize the predefined security metrics and you can add additional security metrics. Each security metric is managed separately.

To manage the security metrics, right-click the top-level node in the tree and select Manage Security Metrics.

In this chapter

• About security metrics in Skybox

• Initial customization

• Security metric properties

• Additional customization

About security metrics in Skybox

Skybox uses security metrics to measure the security status of your organization. Skybox includes predefined security metrics; you can customize predefined metrics and create new security metrics.

Some security metrics in Skybox measure the status of vulnerability occurrences in your organization. Other security metrics measure the status of applying security bulletins from vendor-based catalogs.

Initial customization

The default values for security metrics display properties and calculation values are usually adequate as a starting point. We recommend that you do only minimal customization before the 1st analysis of security metrics.

You might want to change the following to match your naming conventions and SLAs:

• The names (long and short) of the security metrics

• The security metric scale of security metrics (see Changing the security metrics scale)

• The SLA per severity level (SLAs are used in the remediation process) (see Defining the SLA per severity level)

To customize a security metric

1. Right-click the Vulnerability Control node and select Manage Security Metrics.

2. In the Manage Security Metrics dialog box, select the security metric to customize and click Modify.


3. Make the necessary changes and click OK.

The Security metric properties topic includes information about the properties.

4. After making changes to a security metric, reanalyze (click Analyze on the toolbar).

Changing the security metrics scale

By default, the security metrics scale includes 5 levels, which map the number of found vulnerability occurrences (or missing security bulletins) to a 0-100 score, a named level, and a color scheme similar to that used in Skybox for risk levels.

The default values for all VLI-type security metrics are listed in the following table. Each High-level vulnerability occurrence is worth 0.3 of a Critical-level vulnerability occurrence, and each Medium-level vulnerability occurrence is worth 0.03 of a Critical-level vulnerability occurrence.

NUMBER OF CRITICAL-EQUIVALENT VULNERABILITY    VLI SCORE    LEVEL NAME    COLOR
OCCURRENCES OR MISSING SECURITY BULLETINS

0 to 0.5                                       0 to 20      Very Low
0.5 to 2                                       20 to 40     Low
2 to 4                                         40 to 60     Medium
4 to 6                                         60 to 80     High
6 to 1,000,000                                 80 to 100    Critical

You might need to:

• Change the number of critical vulnerability occurrences or critical missing security bulletins

• Delete levels to match your SLA

  If you delete levels, you might also need to change information about the remaining levels according to your SLAs and naming conventions.

• Change the level names

For additional information, see Security metric properties.
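As an added example (not Skybox code), the following Python script applies the default table above: it converts per-asset counts into critical-equivalents with the 0.3 and 0.03 weights, averages them over a group of assets, and maps the resulting rate to a score and level name. Linear interpolation of the score inside each band, the zero weight for Low and Info occurrences, and the sample asset names and counts are assumptions made for the example.

```python
"""Vulnerability Level Indicator (VLI) scoring with the guide's default scale.

Added example; this is not Skybox code. The weights (High = 0.3 and
Medium = 0.03 of a Critical occurrence) and the 5-level scale come from the
guide. Assumption: the score is interpolated linearly inside each band,
since the guide gives only the band boundaries.
"""
from typing import Dict, List, Tuple

# Critical-equivalent weight per severity (from the guide). Low and Info are
# not weighted in the guide's table, so they carry no weight here (assumption).
SEVERITY_WEIGHT: Dict[str, float] = {"Critical": 1.0, "High": 0.3, "Medium": 0.03}

# (upper bound of critical-equivalent occurrences, upper bound of score, level name)
DEFAULT_SCALE: List[Tuple[float, float, str]] = [
    (0.5, 20.0, "Very Low"),
    (2.0, 40.0, "Low"),
    (4.0, 60.0, "Medium"),
    (6.0, 80.0, "High"),
    (1_000_000.0, 100.0, "Critical"),
]


def critical_equivalents(counts: Dict[str, int]) -> float:
    """Weighted number of occurrences on one asset, in Critical-equivalents."""
    return sum(SEVERITY_WEIGHT.get(severity, 0.0) * n for severity, n in counts.items())


def rate_per_asset(assets: Dict[str, Dict[str, int]]) -> float:
    """Average critical-equivalent occurrences per asset in a group of assets."""
    if not assets:
        return 0.0
    return sum(critical_equivalents(c) for c in assets.values()) / len(assets)


def vli_score(rate: float, scale: List[Tuple[float, float, str]] = DEFAULT_SCALE) -> Tuple[float, str]:
    """Map a rate to (score, level name) using the scale's upper bounds."""
    lower_value, lower_score = 0.0, 0.0
    for upper_value, upper_score, name in scale:
        if rate <= upper_value:
            fraction = (rate - lower_value) / (upper_value - lower_value)
            return round(lower_score + fraction * (upper_score - lower_score), 1), name
        lower_value, lower_score = upper_value, upper_score
    # Above the last bound: clamp to the top of the scale.
    return scale[-1][1], scale[-1][2]


def score_group(assets: Dict[str, Dict[str, int]]) -> Tuple[float, float, str]:
    """(rate per asset, VLI score, level name) for a group of assets."""
    rate = rate_per_asset(assets)
    score, level = vli_score(rate)
    return rate, score, level


# Constructed sample: three assets with made-up occurrence counts per severity.
SAMPLE_GROUP = {
    "web-01": {"Critical": 1, "High": 2, "Medium": 10},   # 1.9 critical-equivalents
    "db-01": {"High": 1},                                  # 0.3
    "app-01": {"Critical": 3},                             # 3.0
}

if __name__ == "__main__":
    rate, score, level = score_group(SAMPLE_GROUP)
    print(f"rate per asset: {rate:.3f}  VLI score: {score}  level: {level}")
```

Editing `DEFAULT_SCALE` (fewer levels, other upper bounds, other names) mirrors the customizations listed above; the mapping function does not change.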

Defining the SLA per severity level

You can define the SLA for each severity level of a security metric. The SLA is the expected number of days for the remediation of vulnerability occurrences.

The default SLAs are:

• Critical: 30 days

• High: 60 days

• Medium: 90 days

• Low: None

• Info: None

Security metric properties

All security metrics have the same properties. These properties are described in the following table.


PROPERTY / DESCRIPTION

Basic tab

Enable
    Specifies whether the security metric is visible to users.

Highlight in summary page
    Specifies whether the security metric is highlighted in the Vulnerability Control Summary tab.
    • Up to 3 security metrics can be highlighted in the Vulnerability Control Summary tab.

Short Name
    An abbreviation for the name of the security metric. The short name is used in Skybox Manager and in Security Metric reports.

Long Name
    The full name of the security metric. The long name is used in Security Metric reports.

Description
    A description of the security metric.

Type
    The security metric category:
    • Vulnerability Level Indicator: Measures the security status of your organization based on its vulnerability occurrences or on the update level of security bulletins. The more critical vulnerability occurrences or critical missing security bulletins, the higher the score.
    • Remediation Latency Indicator: Measures the remediation performance of your organization. The more time it takes you to fix the critical vulnerability occurrences, the higher the score.

Scope
    The scope of the security metric:
    • Any: The scope is all Vulnerability Definitions and all catalogs of security bulletins.
    • Security Bulletin Vendors: The scope is defined by security bulletin vendors; entries are displayed as missing security bulletins.
    • Custom: The scope is defined by a customized set of Vulnerability Definitions and security bulletins. Select a set from the drop-down list.
      To edit a Vulnerability Definition set or to define a set, click .

Excluded: Vulnerability Definitions
    Vulnerability Definitions to exclude from the security metric scope.

Excluded: Products
    Products in the selected Product List to exclude from the security metric scope.

View
    How the security metric is displayed.
    • Security View: A prioritized list of vulnerability occurrences.
    • Security Bulletin View: A prioritized list of security bulletins and vulnerability occurrences.

Vulnerability Occurrence Age Criteria
    Specifies whether the age of vulnerability occurrences analyzed for the security metric type is determined by publication date or by the date of discovery on your network.

SLA
    SLA per severity level

Critical
    The SLA in days for vulnerability occurrences with Critical severity.

High
    The SLA in days for vulnerability occurrences with High severity.


Medium
    The SLA in days for vulnerability occurrences with Medium severity.

Low
    The SLA in days for vulnerability occurrences with Low severity.

Info
    The SLA in days for vulnerability occurrences with Info severity.

Advanced tab

Automatically normalize security metric levels on next security metrics analysis
    By default, this option is hidden.
    Specifies whether Skybox refactors the security metrics scores so that the distribution of scores across the Business Units is according to the normal distribution. The score is adjusted according to the number of vulnerability occurrences per asset in your organization, which removes the problem of only high scores or only low scores.
    • This action is intended to create a basis for comparison of the security metrics levels. Refactoring is only performed once per security metric.

Security Metrics scale
    The security metric scale is divided into 3 to 5 levels. Skybox includes default values for mapping the number of critical vulnerability occurrences per asset to a security metric score (and level); you can change these to suit your organization. Each level includes:
    • Name: The name of the level
    • Level Color: The color to represent this level in Skybox Manager (using RGB values)
    • Value (Upper Bound): The highest number of critical vulnerability occurrences in this level
    • Score (Upper Bound): The highest score for this level (from 0-100)

The lowest level in the security metric scale.

The 2nd-lowest level in the security metric scale.

The middle level in the security metric scale.

The 2nd-to-highest level in the security metric scale.

The highest level in the security metric scale.

For the default values of each predefined security metric, see Predefined security metrics.

Additional customization

Because security status is determined by multiple properties, you might need to make additional changes to the security metric scales. For example, both the size of your organization and the number of vulnerability occurrences or missing security bulletins that is acceptable influence the mapping. In some organizations, 2 critical vulnerability occurrences on an asset is unacceptable; in other organizations 2 critical vulnerability occurrences on an asset is acceptable and 4 or 5 critical vulnerability occurrences on an asset is unacceptable.

For a table of security metric properties, see Security metric properties.

For detailed information about the scale values, how the security status is calculated, and advanced security metric properties that are not configurable in Skybox Manager, see Modifying security metric properties.


Chapter 7

Continuous usage for Threat Centric Vulnerability Management

You can automate Skybox by setting up the necessary tasks to run on a regular basis (see Using tasks for automation).

You can schedule many processes in Skybox to run automatically, including:

• Model updates

• Recalculation of the security metrics scores

• Notifications of changes to security metrics scores

• Reports (documented in the Skybox Reference Guide)

• General maintenance of the model (including saving and loading backup versions)

In this chapter

• Security Metric triggers

• Recalculating the security metrics

• Creating other triggers

Security Metric triggers

A Security Metric trigger is a rule that defines the conditions under which security metric (email) notifications are created. For example, “Notify the owner of the Corporate Services unit whenever the security metrics score of that unit becomes greater than Medium.”

Notifications for security metrics events are created (based on the triggers) when Analysis – Security Metrics tasks are run.

Setting up Security Metric triggers

Admins can set up triggers to send email notifications when security metric levels change.

To create a trigger

1. Select Tools > Administrative Tools > Triggers.

2. In the Skybox Admin window, right-click the Triggers node and select New Trigger.

3. In the New Trigger dialog box, set Trigger Type to Security Metric.

4. Fill in the fields according to the table in the Security Metric trigger properties topic in the Skybox Reference Guide.

5. Click OK.

When Analysis – Security Metrics tasks are run, the triggers are checked, and email notifications are sent according to your definition.

Note: Triggers can be disabled and re-enabled by right-clicking the trigger.


Recalculating the security metrics

Security metric scores are sensitive to changes in the model. Actions that might affect security metrics scores include:

• Data import or collection

• Skybox Vulnerability Dictionary update

• Aging (running a Model – Outdated task)

• Running an Analysis – Vulnerability Detector task

• User changes to the model (for example, deleting, adding, or modifying vulnerability occurrences or assets)

You can recalculate security metrics scores manually after a change or you can schedule an Analysis – Security Metrics task to run as part of a task sequence after tasks that might affect the security metrics scores. As part of the security metrics analysis task, alerts can be sent to users when the security metric levels change. For information about these tasks, see the Security Metrics calculation tasks topic in the Skybox Reference Guide.

The RLI scores for critical vulnerability occurrences increase over time, so recalculate the RLI on a regular basis even if no other changes were made, either manually or by scheduling an Analysis – Security Metrics task to run on a regular basis.

Creating other triggers

You can also create event-based rules (triggers) that send email notifications for:

• Tickets: A notification is sent when a ticket changes in a way that matches a trigger for tickets.

  For example, you can create a trigger that sends notifications to all members of the Develop Solutions group when a ticket is promoted to the Develop Solutions phase.

  Note: For tickets, you can also trigger Skybox tasks that run a script. For information about these triggers, see the Ticket trigger properties topic in the Skybox Reference Guide.

• Threat alerts: A notification can be sent for a single threat alert or for multiple threat alerts.

  For example, after collecting threat alerts, Skybox checks the Threat Alert triggers for threat alerts that meet their criteria. If multiple threat alerts meet the criteria for a trigger, it sends a single notification with multiple threat alerts. However, a separate notification is sent for each trigger. If, for example, a trigger sends notifications to the person responsible for Windows products every time that threat alerts affecting a Windows product are received and 5 Windows threat alerts are received from a collection, a single notification containing all the new Windows threat alerts is sent. If other threat alerts that match additional triggers are received during the same collection, separate notifications are sent for those threat alerts.
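The notification grouping described for Threat Alert triggers, as an added Python example that is not Skybox code: every enabled trigger that matches at least one alert in a collection yields one notification carrying all of its matching alerts, and an alert that matches two triggers appears in both notifications. The alert fields, trigger conditions, recipient addresses and sample alerts are all constructed for the example.

```python
"""Threat Alert triggers: one notification per trigger, bundling every matching alert.

Added example; this is not Skybox code. Alert and trigger fields, recipients
and the matching conditions are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ThreatAlert:
    alert_id: str
    title: str
    products: Tuple[str, ...]   # affected products named in the alert
    severity: str


@dataclass(frozen=True)
class Trigger:
    name: str
    recipients: Tuple[str, ...]
    matches: Callable[[ThreatAlert], bool]
    enabled: bool = True        # triggers can be disabled and re-enabled


@dataclass(frozen=True)
class Notification:
    trigger: str
    recipients: Tuple[str, ...]
    alert_ids: Tuple[str, ...]


def build_notifications(alerts: List[ThreatAlert],
                        triggers: List[Trigger]) -> List[Notification]:
    """Check one collection of threat alerts against the triggers.

    Every enabled trigger that matches at least one alert produces exactly one
    notification carrying all of its matching alerts; an alert that matches
    several triggers appears in each of those notifications.
    """
    notifications: List[Notification] = []
    for trigger in triggers:
        if not trigger.enabled:
            continue
        matched = tuple(a.alert_id for a in alerts if trigger.matches(a))
        if matched:
            notifications.append(Notification(trigger.name, trigger.recipients, matched))
    return notifications


# Constructed sample collection: ids, titles and products are made up.
SAMPLE_ALERTS = [
    ThreatAlert("TA-1", "Windows SMB update", ("Windows Server",), "High"),
    ThreatAlert("TA-2", "Windows kernel update", ("Windows 10", "Windows Server"), "Critical"),
    ThreatAlert("TA-3", "Windows print spooler update", ("Windows 10",), "High"),
    ThreatAlert("TA-4", "Browser update", ("Windows 10", "Example Browser"), "Medium"),
    ThreatAlert("TA-5", "Windows Defender update", ("Windows Server",), "Medium"),
    ThreatAlert("TA-6", "Database server update", ("Example DB",), "High"),
    ThreatAlert("TA-7", "Router firmware update", ("Example Router OS",), "Critical"),
]

# Constructed triggers: a product-based one, a severity-based one, and a disabled one.
SAMPLE_TRIGGERS = [
    Trigger("Windows products", ("windows-owner@example.com",),
            lambda a: any(p.startswith("Windows") for p in a.products)),
    Trigger("Critical alerts", ("soc@example.com",),
            lambda a: a.severity == "Critical"),
    Trigger("Database products", ("dba@example.com",),
            lambda a: any("DB" in p for p in a.products), enabled=False),
]

if __name__ == "__main__":
    for n in build_notifications(SAMPLE_ALERTS, SAMPLE_TRIGGERS):
        print(f"{n.trigger} -> {', '.join(n.recipients)}: {', '.join(n.alert_ids)}")
```

With the sample data the five Windows alerts arrive in one notification to the Windows owner, the two Critical alerts (one of them also a Windows alert) in a second notification, and the disabled database trigger produces nothing.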

To create a trigger

1. Select Tools > Administrative Tools > Triggers.

2. In the Skybox Admin window, right-click the Triggers node and select New Trigger.


3. Select the Trigger Type.

4. Fill in the fields as described in the Skybox Reference Guide:

• Ticket trigger properties

• Threat Alert trigger properties

5. Click OK.

Notifications are triggered and sent (according to the selected properties).


Exposure

This part explains how to work with the Exposure feature of Skybox Vulnerability Control.


Chapter 8

Overview of the Exposure feature

This chapter explains how Exposure works in Skybox.

In this chapter

• Introduction to exposure

• Automated IT security modeling

• Attack simulation and visualization

• Business impact analysis and risk metrics

• Regulation compliance

• Risk exposure management workflow

Introduction to exposure

Exposure is a main feature of Skybox Vulnerability Control. You can view overview information in the Summary tab of the Exposure by Threat node.

The exposure-related information displayed on this tab includes the direct vulnerability occurrences (vulnerability occurrences that are 1 or 2 steps away from a Threat Origin) and the Threat Origins that pose the most danger to your organization.

The tab displays information about critical exposure in your organization; you can drill down to get additional information. The information displayed on this tab includes the direct vulnerability occurrences (vulnerability occurrences that are 1 or 2 steps away from a Threat Origin) and the Threat Origins that pose the most danger to your organization. You can view additional information about Threat Origins and Business Asset Groups using the tabs at the top of the Summary tab.


Automated IT security modeling

To identify, quantify, and mitigate security exposure, Skybox Vulnerability Control builds a model, a virtual map representing the security risk profile of your organization. The model consists of:

• Threat profiles

• Network access information

• Vulnerability occurrence data

• Business Asset Group classification

All 4 components are required to analyze business impacts completely and accurately.

Skybox Vulnerability Control uses the open collection architecture of the Skybox platform. Information is collected by scheduling regular data collection tasks that continuously provide the model with up-to-date information about changes to the network infrastructure.

Using Skybox, you can have a single view of your security environment that is updated automatically and continuously. Subsequent attack simulation and what-if analysis can be run safely on this model instead of on your networks and devices.


Attack simulation and visualization

Skybox Vulnerability Control conducts exhaustive, nonintrusive attack simulations against the model to measure the effectiveness of potential threats in penetrating security defenses. The unique Skybox Attack Simulation Engine ascertains which assets are reachable and exploitable, and which assets are secure.

An Attack Map provides a visual, step-by-step analysis of attacks, based on simulations of attack paths. Skybox Vulnerability Control graphically illustrates the multistep path an attacker can take, identifying the vulnerability occurrences exploited and the network traversed for each exploitable path.


This analysis enables IT departments to identify the top few percent of exploitable vulnerability occurrences that make up the primary risks to critical assets. Working from this analysis, security and IT professionals can focus on critical exposures when they occur and reduce the time to remediation from weeks to hours.

Business impact analysis and risk metrics

Based on the results of attack simulation, Skybox Vulnerability Control analyzes the potential business impacts on assets in terms of potential breaches in confidentiality, integrity, and availability (CIA). Attack simulation computes the likelihood of attacks. Skybox Vulnerability Control then calculates business and compliance risks by analyzing asset values and attack probabilities. To provide the most useful analysis, you can import business-impact rules and regulation compliance classifications from asset management databases or other predefined sources.

Risk metrics are calculated for every Business Asset Group. Metrics are consolidated for each Business Unit and for the organization. Managers can view the results of risk analysis in reports built on flexible report templates and select the most effective remediation processes to reduce critical risk exposure.


Regulation compliance

Security professionals can classify Business Asset Groups according to specific regulations to continuously monitor the risks facing regulated assets. You can select from predefined Regulation templates, including SOX, HIPAA, FISMA, FIPS 199/200, and NIST. Compliance officers or risk managers can also specify Regulation templates for their own industry. Using these classifications, Skybox Vulnerability Control can analyze compliance risks and generate executive and auditor reports.

Risk exposure management workflow

Before you can use Skybox to manage risk exposure, you must add information to the model (see Building the model).

To manage risk exposure

1. Simulate attacks by running an Analysis – Exposure task (for example, the predefined Analyze Simulate Attacks task). This task simulates all scenarios for attacking your network from the specified Threat Origins and uses this information to compute risk levels and attacks. The derived data is stored in the Skybox model.

2. Review the results of the simulation in the Summary tab of the Exposure by Threat node.

3. Use the summary information and the Attack Explorer to identify the causes of the most critical risk to your organization.


4. Reduce your risk by mitigating critical vulnerability occurrences and faulty access.

5. Generate reports (see Reports). For example, you can generate reports to:

• Show the risk on all or part of your organization

• List the vulnerability occurrences on a scope, with or without detailed information and suggested solutions

• List tickets issued for mitigation

• List a set of tickets (for example, tickets that are open but have passed their due date)

Implement this process after you build the model and every time that you make significant changes to the model.

Note: Risk Exposure Analysis is performed in the Exposure workspace and the Exposure tree.


Chapter 9

Building the model

In this chapter, we assume that your organizational model includes:

• Assets and vulnerability occurrences (see Updating the Vulnerability Dictionary and Getting asset and vulnerability occurrence data)

• An organizational hierarchy of Business Units and Business Asset Groups (see Adding organizational hierarchy)

This chapter focuses on the additional information that Exposure requires, including networks, gateways, clouds, and locations.

Building the network topology

The network topology consists of networks and the gateways that connect them.

To build the network topology, create and run tasks for collecting and importing data from the network devices that you specified in Preparing a list of network devices.

To build the network topology

1. Click .

2. In the Operational Console tree, select the Tasks node.

3. For each set of devices to import, create a task to import their configurations:

Click .

• For information about importing device data offline, see the File import tasks chapter in the Skybox Reference Guide.

• For information about device-specific online collection tasks, see the Tasks part of the Skybox Reference Guide.

4. After you run each task, check that it succeeded:

a. In the Operational Console, open Tasks > All Tasks.

b. In the Table pane, locate the task and check that the task Exit Code is Success.

If a task fails, check the Messages tab of the Details pane.

5. Verify that the import is correct and complete:

a. In the Model tree select the correct node for the imported devices.

b. Check that:

• (For a new device) The imported device is in the list in the Table pane

• (For an existing device) The device modification time is the time of this import, not that of a previous import

c. Review the device’s network interfaces:

• Right-click the device in the Table pane and select Network Interfaces.


d. If the device has routing rules:

i. Right-click the device and select Routing Rules. Check that the routing rules were imported.

ii. Use a sample routing rule to confirm that it was imported correctly: select a routing rule on the device and look for its logical match in the routing rules in Skybox.

Note: A correctly imported set of routing rules (or access rules) logically matches the set of rules on the device. However, rules might not be modeled in the same way that they occur on the device.

e. If the device has access rules:

i. Right-click the device and select Access Rules. Confirm that the access rules were imported.

ii. Select an access rule on the device and look for its logical match in the access rules in Skybox.

f. On the toolbar, click . Make sure that the imported device is in the map and that it is correctly connected.

6. (Recommended, especially for large networks) Create locations. Locations group networks and simplify how Skybox displays the model.
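The logical-match check in steps 5d and 5e can be automated for routing rules. The following Python script is an added example (not Skybox code, and it does not read the Skybox model): it normalizes a constructed excerpt of static routes in a generic "ip route <destination> <mask> <next hop>" form and a constructed list of modeled (destination, next hop) pairs to one representation, then reports rules missing from the model, rules unexpected in the model, and the number that match. The route lines, addresses and the model format are assumptions.

```python
"""Logical comparison of a device's routing rules with the rules modeled for it.

Added example; this is not Skybox code and does not read the Skybox model.
Rules that are written differently but mean the same thing (netmask vs.
prefix length, a default route as 0.0.0.0 0.0.0.0 vs. 0.0.0.0/0) must still
match, which is why both sides are normalized before comparison. The device
lines are constructed in a generic 'ip route <destination> <mask> <next hop>'
form; the modeled rules are constructed (destination, next hop) pairs.
"""
import ipaddress
from typing import Dict, Iterable, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_device_route(line: str) -> Route:
    """Normalize one 'ip route <dest> <mask> <next hop>' line to (network, next hop)."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not a static route line: {line!r}")
    # ip_network accepts a dotted-quad netmask after the slash; strict=False
    # tolerates host bits so that a sloppy destination still normalizes.
    network = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    return network, ipaddress.ip_address(parts[4])


def normalize_model_route(destination: str, next_hop: str) -> Route:
    """Normalize a modeled rule given as CIDR text and next-hop text."""
    return ipaddress.ip_network(destination, strict=False), ipaddress.ip_address(next_hop)


def compare_routes(device_lines: Iterable[str],
                   model_routes: Iterable[Tuple[str, str]]) -> Dict[str, object]:
    """Report routes missing from the model, unexpected in the model, and the match count."""
    device = {parse_device_route(line) for line in device_lines}
    model = {normalize_model_route(d, n) for d, n in model_routes}
    return {
        "matched": len(device & model),
        "missing_in_model": sorted(device - model, key=str),
        "unexpected_in_model": sorted(model - device, key=str),
    }


# Constructed device configuration excerpt (not from a real device).
SAMPLE_DEVICE_ROUTES = [
    "ip route 0.0.0.0 0.0.0.0 192.0.2.1",
    "ip route 10.1.0.0 255.255.0.0 10.0.0.1",
    "ip route 10.2.0.0 255.255.255.0 10.0.0.2",
]

# Constructed modeled rules as (destination, next hop). The default route and
# the /16 are written differently from the device but mean the same thing;
# 10.2.0.0/24 is missing from the model and 10.3.0.0/24 should not be there.
SAMPLE_MODEL_ROUTES = [
    ("0.0.0.0/0", "192.0.2.1"),
    ("10.1.0.0/16", "10.0.0.1"),
    ("10.3.0.0/24", "10.0.0.3"),
]

if __name__ == "__main__":
    result = compare_routes(SAMPLE_DEVICE_ROUTES, SAMPLE_MODEL_ROUTES)
    print("matched:", result["matched"])
    for net, hop in result["missing_in_model"]:
        print(f"missing in model:    {net} via {hop}")
    for net, hop in result["unexpected_in_model"]:
        print(f"unexpected in model: {net} via {hop}")
```

A non-empty "missing" or "unexpected" list is the signal that the import did not logically match the device and that the task's Messages tab (step 4) deserves a look.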

Locations

A large organization can include hundreds of networks. Locations are container entities that create a hierarchic structure for networks in your organization, to make it easier to navigate and view the network structure.

A location can include networks and other locations. For example, a Europe location might contain networks and London and Paris locations. These locations, in turn, might include networks and other locations.

Define locations manually in the Model workspace and then add networks or additional locations to them.

Note: You can create locations using iXML. For information about iXML, see the Integration part of the Skybox Developer Guide.


If you are working with a large network, define a location for each physical location that you discover and add to it the networks discovered in that network segment. A location can be a very broad grouping (for example, Europe) or a much more local grouping (for example, IT Room or 2nd Floor).

For a gateway to be contained in a location, all its networks must be in that location. If even one network belongs to another location (or is not associated with a location), the gateway is displayed in the map even when all locations are collapsed. We recommend that you include gateways that are internal to a location as part of the location; do not include gateways that connect multiple locations in a location.
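The containment rule for gateways, as an added Python example that is not Skybox code: given a location tree (child to parent) and the location of each network, the deepest location that contains all of a gateway's networks is the one that can contain the gateway; a network without a location, or networks with no common location, place the gateway at the top level; and a gateway whose networks sit in different child locations is flagged, since the recommendation above is to keep such gateways out of locations. The location names (Europe, London, Paris, US), networks and gateways are constructed.

```python
"""Which location contains a gateway: every network of the gateway must be in it.

Added example; this is not Skybox code. The location tree, networks and
gateways are constructed. A gateway whose networks sit in different child
locations resolves to their common parent and is flagged, because the guide
advises against including gateways that connect multiple locations.
"""
from typing import Dict, Iterable, List, Optional

# Constructed location hierarchy: child -> parent (None = top level).
LOCATION_PARENT: Dict[str, Optional[str]] = {
    "Europe": None,
    "London": "Europe",
    "Paris": "Europe",
    "US": None,
}

# Constructed network -> location assignment (None = not in any location).
NETWORK_LOCATION: Dict[str, Optional[str]] = {
    "ldn-dmz": "London",
    "ldn-core": "London",
    "par-core": "Paris",
    "us-core": "US",
    "lab-net": None,
}


def ancestors(location: str, parent_of: Dict[str, Optional[str]]) -> List[str]:
    """The location itself followed by its parents, innermost first."""
    chain: List[str] = []
    current: Optional[str] = location
    while current is not None:
        chain.append(current)
        current = parent_of[current]
    return chain


def place_gateway(networks: Iterable[str],
                  network_location: Dict[str, Optional[str]] = NETWORK_LOCATION,
                  parent_of: Dict[str, Optional[str]] = LOCATION_PARENT) -> Dict[str, object]:
    """Return the deepest location containing all of the gateway's networks.

    'location' is None when the gateway must be shown at the top level of the
    map (a network has no location, or the networks share no common location).
    'spans_locations' is True when the networks sit in more than one location,
    the case the guide recommends keeping out of any location.
    """
    direct = [network_location.get(n) for n in networks]
    spans = len({loc for loc in direct if loc is not None}) > 1
    if not direct or None in direct:
        return {"location": None, "spans_locations": spans}
    chains = [ancestors(loc, parent_of) for loc in direct]
    common = set(chains[0])
    for chain in chains[1:]:
        common &= set(chain)
    # The innermost entry of any chain that is common to all chains is the
    # deepest location containing every network.
    deepest = next((loc for loc in chains[0] if loc in common), None)
    return {"location": deepest, "spans_locations": spans}


# Constructed gateways and the networks they connect.
SAMPLE_GATEWAYS = {
    "ldn-fw": ("ldn-dmz", "ldn-core"),          # internal to London
    "eu-core-rtr": ("ldn-core", "par-core"),    # connects London and Paris
    "transatlantic": ("ldn-core", "us-core"),   # no common location
    "lab-gw": ("us-core", "lab-net"),           # one network has no location
}

if __name__ == "__main__":
    for name, nets in SAMPLE_GATEWAYS.items():
        print(f"{name:14s} {place_gateway(nets)}")
```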

To create a location and add it to the tree

1. In the tree, expand the Locations & Networks node and locate the parent node for thelocation.

If the location belongs at the top level, select the Locations & Networks node as the parent node.

2. Right-click the parent node and select New > Location.

3. In the New Location dialog box:

a. Type a Location Name for the location.

Location names must be unique throughout the model. You cannot use the characters “/” and “\” as part of a location name.

b. (Optional) Click the Browse button next to Members to specify the location’s members.

Note: If you define the location before you discover the topology, you cannot select members for the location.

c. (For a Skybox user to receive notifications about entities in this location) Click the Browse button next to Owner to specify the location owner from all authorized Skybox users.

To add a network or location to a location

1. In the tree, right-click the network or location to add to an existing location and select Attach to Location or Move to Location.

2. In the Attach networks to location or Move locations to location dialog box, as required:

• Select the parent location for the selected entity and click OK.

• To make this entity part of a new location:

a. Select the position in the tree for the new (parent) location.

b. In New (which contains a list of parent types), click Location.

c. In the New Location dialog box, type a name and other relevant information.

The entity that you are attaching becomes a child of the new parent location; you can add locations and networks using the Members field.

Note: Repeat steps b and c to create a hierarchy of locations. The entity that you attach becomes a child of the most recently selected location in the tree.


For example, you have a network named Operations Center that belongs in Miami, but there is no location named Miami. The first time that you click New, create a location named US. Inside the US location, create a location named Florida; inside the Florida location, create a location named Miami. The Operations Center network becomes a member of the Miami location.

d. Click OK.

The location is created in the selected position in the tree and the selected entity becomes a child node, as do the members selected in step c.

Clouds

Clouds model areas that are missing from the model so that you can analyze access between the surrounding areas or to and from the missing areas.

Clouds are special network objects that represent networks that are connected to the model but are not modeled completely (for example, the internet, partners, or parts of your network that are not modeled). Model as a cloud any network over which your organization has no control or for which it cannot retrieve device configurations and scan data.

There are 2 types of clouds:

• Perimeter Clouds: Perimeter Clouds (often referred to simply as clouds) represent networks or areas at the perimeter of your network (for example, partner networks and the internet).

Multiple network interfaces can be connected to the same Perimeter Cloud, but Perimeter Clouds have no routing abilities: 2 devices connected to the same Perimeter Cloud are connected in the Network Map, but access queries between them (using Access Analyzer) are blocked. Access queries that include a Perimeter Cloud always end in the cloud.

• Connecting Clouds: Connecting Clouds represent missing areas in the middle of your network. These might be parts of your network for which you cannot retrieve data, or MPLS networks between parts of your network.

Unlike Perimeter Clouds, Connecting Clouds have routing abilities. Multiple network interfaces can be connected to the same cloud; they are connected in the Network Map (via the Connecting Cloud), and access queries work between the devices connected to the Connecting Cloud.

Perimeter Clouds are usually user-defined but can be created automatically as part of model validation.

Connecting Clouds are user-defined, except for MPLS networks, which can be created automatically as part of model validation.
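The difference between the two cloud types is easiest to see on a small graph. The following Python script is an added illustration written for this guide, not Skybox code: it models devices attached to networks and clouds and runs a breadth-first access query that refuses to transit a Perimeter Cloud but forwards through a Connecting Cloud. All device, network and cloud names (fw-a, Internet, MPLS-WAN and so on) are constructed for the example.

```python
"""Perimeter Cloud versus Connecting Cloud reachability (added example).

Illustrative code, not Skybox code. A model is a graph of devices attached
to networks and clouds. A Perimeter Cloud has no routing abilities: a query
may start at it or end in it, but never pass through it. A Connecting Cloud
forwards between everything attached to it, like a regular network. All
names used below are constructed for this example.
"""
from collections import deque

PERIMETER = "perimeter_cloud"
CONNECTING = "connecting_cloud"
NETWORK = "network"
DEVICE = "device"


def build_model(links, kinds):
    """links: (device, attached node) pairs; kinds: node name -> kind.
    Returns an undirected adjacency map together with the kind table."""
    adj = {}
    for dev, node in links:
        adj.setdefault(dev, set()).add(node)
        adj.setdefault(node, set()).add(dev)
    return adj, kinds


def find_path(model, src, dst):
    """Breadth-first search from src to dst.

    A Perimeter Cloud is never expanded unless it is the query source, so
    two devices that share only a Perimeter Cloud cannot reach each other,
    while a query to or from the cloud itself succeeds. Returns the list of
    nodes on the path, or None if dst is unreachable."""
    adj, kinds = model
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        if kinds.get(cur) == PERIMETER and cur != src:
            continue  # no routing abilities: the query ends in the cloud
        for nxt in adj.get(cur, ()):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path, cur = [], dst
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


def build_example_model():
    """Two firewalls that meet only at the internet (a Perimeter Cloud) and
    two routers that meet only across an MPLS Connecting Cloud."""
    kinds = {
        "Internet": PERIMETER, "MPLS-WAN": CONNECTING,
        "net-a": NETWORK, "net-b": NETWORK, "site-1": NETWORK, "site-2": NETWORK,
        "fw-a": DEVICE, "fw-b": DEVICE, "rtr-a": DEVICE, "rtr-b": DEVICE,
    }
    links = [
        ("fw-a", "Internet"), ("fw-a", "net-a"),
        ("fw-b", "Internet"), ("fw-b", "net-b"),
        ("rtr-a", "MPLS-WAN"), ("rtr-a", "site-1"),
        ("rtr-b", "MPLS-WAN"), ("rtr-b", "site-2"),
    ]
    return build_model(links, kinds)


if __name__ == "__main__":
    model = build_example_model()
    for src, dst in [("fw-a", "fw-b"), ("fw-a", "Internet"),
                     ("Internet", "fw-b"), ("rtr-a", "rtr-b")]:
        print(f"{src} -> {dst}: {find_path(model, src, dst)}")
```

Running the script shows fw-a to fw-b blocked (the only common node is the Perimeter Cloud), fw-a to Internet and Internet to fw-b succeeding (queries may start at or end in the cloud), and rtr-a to rtr-b succeeding through the MPLS Connecting Cloud.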

Creating and editing Perimeter Clouds

You can create Perimeter Clouds manually or automatically.

Creating Perimeter Clouds manually

The easiest way to create a Perimeter Cloud is to define an existing network as a Perimeter Cloud. However, this is not sufficient when the Perimeter Cloud represents an area outside the boundaries of your network.

If you create a Perimeter Cloud that is not based on a network in the model, include and exclude IP addresses for the network that you are configuring. For example:


• If you are configuring an internet cloud, exclude the IANA reserved addresses (click Private in the Network Properties dialog box).

• If you are configuring a public network, exclude the public IP addresses used by your organization. Otherwise, Skybox might produce erroneous results in access analysis queries due to spoofed access (a query starting at the cloud could use one of your own addresses as its source).

If you know the IP addresses for the Perimeter Cloud, configure them in the Cloud Addresses tab.

To define a network as a Perimeter Cloud

1. In the Model tree, expand the Locations & Networks node and locate the network that you want to define as a cloud.

2. Right-click the network and select Define Network as Cloud.

Note: If the cloud is connected to multiple networks, set IP Address and Mask to 0.0.0.0 / 0.0.0.0.

To create a Perimeter Cloud

1. In the Model tree, expand the Locations & Networks node and locate the parent node for the cloud.

If the cloud belongs at the top level, the parent node is the Locations & Networks node.

2. Right-click the parent node and select New > Perimeter Cloud.

• For information about the properties of Perimeter Clouds, see the Perimeter Clouds topic in the Skybox Reference Guide.

3. In the New Perimeter Cloud dialog box:

a. Type a Name for the cloud.

b. Set IP Address and Mask to 0.0.0.0 / 0.0.0.0.

This enables the cloud to be connected to network interfaces of multiple devices. (A cloud’s IP address has no influence on access analysis; use the Cloud Addresses tab to specify the scope of the cloud.)

c. Specify the scope of the cloud using the 2 panes in the Cloud Addresses tab:

• Include: A list of IP address ranges to include in the scope of the cloud.

• Exclude: A list of IP addresses to exclude from the scope of the cloud specified in the Include pane.

d. In the Routable from Cloud tab, define the IP address ranges that are permitted as destination addresses when access is checked from this cloud. Skybox uses these address ranges for all queries starting at the cloud, in attack simulation and in Access Analyzer.

• Include: A list of IP address ranges to use as destination addresses from this cloud.

• Exclude: A list of IP address ranges to exclude from the destination address ranges.

e. Click OK.
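The Include and Exclude panes together define which source addresses a cloud can originate, and the spoofed-access caveat above is a direct consequence of that. The following Python script is an added example written for this guide, not Skybox code: it models the Cloud Addresses tab as an include list minus an exclude list, builds an internet cloud first without and then with the organization’s own public prefixes excluded, and reports which of the organization’s prefixes the cloud would still claim as its own sources. The ORG_PUBLIC prefixes are constructed; in practice they come from your IPAM.

```python
"""Scope of a Perimeter Cloud: Include, Exclude and the spoofed-source
check (added example, not Skybox code).

Models the Cloud Addresses tab as an include list minus an exclude list.
An internet cloud is built with 0.0.0.0/0 included and the reserved ranges
excluded, once without and once with the organization's own public
prefixes excluded. Without that exclusion the cloud claims the
organization's addresses as its own sources, so a query starting at the
cloud can use one of them (spoofed access). ORG_PUBLIC is constructed.
"""
import ipaddress

# Representative subset of the IANA special-purpose IPv4 registry. The
# documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)
# are left out on purpose: two of them stand in for the organization's
# public space below.
IANA_RESERVED = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
]
ORG_PUBLIC = ["198.51.100.0/24", "203.0.113.0/24"]  # constructed


class PerimeterCloudScope:
    """The Include and Exclude panes of the Cloud Addresses tab."""

    def __init__(self, include, exclude=()):
        self.include = [ipaddress.ip_network(n) for n in include]
        self.exclude = [ipaddress.ip_network(n) for n in exclude]

    def contains(self, ip):
        """True if ip is a source address the cloud can originate."""
        ip = ipaddress.ip_address(ip)
        return (any(ip in n for n in self.include)
                and not any(ip in n for n in self.exclude))

    def effective_ranges(self):
        """Include minus Exclude, as a sorted list of CIDR blocks."""
        result = set()
        for inc in self.include:
            pieces = [inc]
            for exc in self.exclude:
                remaining = []
                for piece in pieces:
                    if exc.version != piece.version or not exc.overlaps(piece):
                        remaining.append(piece)
                    elif exc.subnet_of(piece):
                        remaining.extend(piece.address_exclude(exc))
                    # else: the piece lies inside exc and is dropped entirely
                pieces = remaining
            result.update(pieces)
        return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def spoofable_sources(scope, org_prefixes):
    """Organization prefixes that the cloud still treats as its own sources.
    Any hit means an access query starting at the cloud may be answered
    with one of the organization's addresses as source (spoofed access)."""
    ranges = scope.effective_ranges()
    return [pfx for pfx in org_prefixes
            if any(ipaddress.ip_network(pfx).version == r.version
                   and ipaddress.ip_network(pfx).overlaps(r) for r in ranges)]


def internet_cloud(exclude_org_prefixes):
    """The internet Perimeter Cloud; the weak form omits ORG_PUBLIC."""
    exclude = list(IANA_RESERVED)
    if exclude_org_prefixes:
        exclude += ORG_PUBLIC
    return PerimeterCloudScope(include=["0.0.0.0/0"], exclude=exclude)


if __name__ == "__main__":
    weak, fixed = internet_cloud(False), internet_cloud(True)
    print("weak cloud, spoofable org prefixes:", spoofable_sources(weak, ORG_PUBLIC))
    print("fixed cloud, spoofable org prefixes:", spoofable_sources(fixed, ORG_PUBLIC))
    print("8.8.8.8 in fixed scope:", fixed.contains("8.8.8.8"))
    print("10.1.2.3 in fixed scope:", fixed.contains("10.1.2.3"))
```

The weak cloud reports both organization prefixes as spoofable; the fixed cloud reports none while still covering ordinary public addresses. The same include-minus-exclude arithmetic applies to the Routable from Cloud tab, which bounds the destinations rather than the sources.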


Creating Perimeter Clouds automatically

We recommend that you create Perimeter Clouds automatically only after the model is as complete as possible, as part of model validation.

Attaching Perimeter Clouds to the network

After you create a Perimeter Cloud manually, attach it to the network devices in your organization that border the cloud.

To attach a Perimeter Cloud to a device

1. Open the Network Interfaces dialog box:

• In the Network Map, right-click the device and select Network Interfaces.

• In the tree:

a. Navigate to a node that contains the device (for example, All Network Devices > Firewalls).

b. In the Table pane, right-click the device and select Network Interfaces.

2. In the Network Interfaces dialog box, select the network interface to attach to the Perimeter Cloud network and click Modify.

3. In the <network interface name> Properties dialog box, in Network, select a Perimeter Cloud.

4. Click OK.

Connecting Clouds

Connecting Clouds represent missing networks (or groups of networks) between 2 entities in the model (for example, sensitive areas in your organization that cannot be fully modeled). When these networks are added to the model as a Connecting Cloud, Access Analyzer can analyze access through them.

When and where are Connecting Clouds required?

Connecting Clouds are often required when you are creating the model and parts of your network are missing from it. Sometimes you know which areas are missing; otherwise, you can use the Network Map to display all gateways that have missing next hops (that is, next routing hops that are mentioned in the routing table but are not connected to the gateway in the model) and decide which of them must be connected.

Viewing gateways with missing next hops

To view gateways with missing next hops

1. Confirm that a Model Completion and Validation task ran after importing the latest updates.

This task checks all gateways for missing next hops.

2. Open the Network Map. If necessary, open the map that displays the part of the model on which you want to focus.


3. In the Highlight pane, select Has Missing Next Hops.

All gateways with missing next hops are highlighted. Each such gateway has a tooltip listing its missing next hops.

Creating Connecting Clouds

The easiest way to create a Connecting Cloud is to select, in the map, the gateways and networks that should be connected and create a Connecting Cloud from them. Alternatively, select 2 gateways, networks, or network interfaces in the Table pane and create the Connecting Cloud from there.

To create a Connecting Cloud

1. Select the gateways or networks in the map that are missing connections between them.

2. Right-click and select Connect via Cloud.

• For information about the properties of Connecting Clouds, see the Connecting Clouds topic in the Skybox Reference Guide.

3. In the Connect networks via cloud wizard, type a Name for the cloud and click Next.

4. In the top pane, review the list of gateways and networks.

5. For each gateway with unspecified networks, select the network interface of the network to use to connect to the cloud.

The following fields might be helpful in deciding the network interface to use:

• Missing Neighbors shows the network interfaces that have missing neighbors.

• Potential Match specifies whether the network interface is a good match for the connection.

When you select a network interface for the gateway, the network to which that network interface is connected is shown next to the gateway in the top pane.

6. Click Finish to create the cloud.

Adding connections

You can add gateways and networks to a cloud.

To add entities to a Connecting Cloud

1. Select the gateways and networks to add to the cloud; right-click and select Connect via Cloud.

2. In the Connect networks via cloud wizard:

a. Select Existing Connecting Cloud, select a cloud, and click Next.

b. In the top pane, review the list of gateways and networks.

c. For each gateway with unspecified networks, select the network interface to use to connect to the cloud.

The following fields might be helpful in deciding which network interface to use:

• Missing Neighbors shows the network interfaces that have missing neighbors.

• Potential Match specifies whether the network interface is a good match for the new connection.


When you select a network interface for the gateway, the network to which that network interface is connected is shown next to the gateway in the top pane.

d. Repeat steps a through c until every item in the list includes a network.

e. Click Finish to add the selected entities to the selected cloud.


Chapter 10

Validating the model

Model validation is an ongoing process to verify that the model is complete and correct.

In this chapter

Overview of validating the model

Best practices for model validation

Model validation tasks and analyses

Access Analyzer test queries

Network Map visualization

Task error messages

Item counts

Creating Perimeter Clouds automatically

Validating the setup for attack simulation

Overview of validating the model

Model validation verifies that the model meets the following criteria:

• Completeness: There are no missing elements in the model.

• Correctness: The model reflects your network (for example, the topology is correct and external clouds are connected to the correct interfaces).

Inconsistencies can occur because data is collected using different methods. For example, routing rules on a gateway might point to a router that is not in the model; in that case, add the missing device to the model.

If the model is not accurate, performance, accuracy, and usability suffer. An invalid model causes accuracy issues in the following Skybox analyses:

• Access Analyzer

• Access Policy Analysis

• Network Map

• Access Compliance

• Path Analysis (in Change Manager)

• Attack Simulation (in Vulnerability Control)

Validate the model:

• After every milestone (for example, after adding a segment of your network to the model), to ensure that the model represents access in your network.

• After collecting data and building the model, before you move on to the analysis stage.


We recommend that initial validation be done with assistance from a Skybox Professional Services engineer. Your organization’s networking team should also be involved.

Common problems to solve during the model validation process include:

• Missing devices

• Missing routes

• Inaccessible environments (for example, MPLS networks or the internet)

• Network device misconfiguration

• Modeling inaccuracies

• Disconnected gateways

Model validation is not a one-time job; it is a continuous process to make sure that every change in the network is reflected and validated. For example, adding a device in the real network might cause issues in the model.

Basic validation methods

Validation methods to use while building the model (and on a continuous basis) include:

1. Discovery Center: Check that the numbers match what you expect; check whether the model needs updating.

2. Model validation task and analyses

Model – Completion and Validation tasks run various tests to check the health of the model. Their results are displayed in the built-in model validation analyses, which list entities that you might need to fix, including gateways, network interfaces, and assets. The most important analyses to check at this stage are those that list gateway issues and network interfaces with problems.

3. Access Analyzer test queries

Check the access to your network from different external locations. If there is insufficient access, gateways might be missing from the model. If there is too much access, sets of access rules might be missing.

Note: Access Analyzer test queries that you want to use regularly to check access can be converted to access validation tests and run by Model – Completion and Validation tasks.

4. Network Map visualization

After you have built the basic topology of the network, use the Network Map to make sure that the network is connected. Unconnected nodes or network segments are a sign of missing information.

5. Task error messages

Error messages from online collection tasks and offline file import tasks might mean that something went wrong.

6. Item counts

Check that the number of assets added to the model is what you expect, and that the element names and types are correct.

These methods are explained in more detail in the following sections.


Best practices for model validation

Recommended best practices in the model validation process

1. Inventory comparison: Compare the model’s assets and networks with information from other systems, including asset management systems, configuration management systems, and IP Address Management (IPAM) systems.

2. Use networking resources: people who know the network well and can identify issues quickly.

3. Concentrate on completing the model before checking the model’s accuracy. Tests with Access Analyzer work only after all network devices are in the model; an incomplete model leads to inaccuracy.

4. Complete the model as much as possible before you run Model – Completion and Validation tasks that include actions that change the model (for example, converting perimeter networks to clouds or adding connecting routers).

5. Look at the missing neighbors of network interfaces to find devices that are missing from the model.

Identify the missing neighbors that are outside your network by checking whether their IP addresses fall within the internal IP addresses or IP address ranges that your organization uses. An IP address outside the internal ranges might belong to a 3rd-party connection or an MPLS network managed by an external provider, or might mean that the missing device is managed by an ISP (for internet connections).

Such missing neighbors can be identified and converted to Perimeter Clouds (internet or 3rd party) or assigned to Connecting Clouds (MPLS networks). You can use a Model – Completion and Validation task to create Connecting Clouds for MPLS networks automatically (see the Model completion and validation tasks topic in the Skybox Reference Guide).

6. Use naming conventions: Skybox uses its own naming convention for clouds. When Skybox identifies a cloud or a network, we recommend that you change its name to match the naming conventions of your organization. This enables you to distinguish clouds that Skybox created recently (which require review and validation) from those created previously that are already validated.

7. Use Mark as viewed to ignore acknowledged model validation issues.

8. Create analyses: Create model analyses to split the information and get a better understanding of what is happening. For example, you could filter the list of duplicate network interfaces (or another model validation issue) by creating an analysis of duplicate network interfaces that were not marked as viewed.

9. Use the Skybox model to gain knowledge of the network or device. Use the routing table or the addresses behind interfaces (ABI) to identify the networks that are behind an interface and to understand the context of the device. For example, an interface whose ABI includes many IP addresses but none of your internal IP addresses is the default gateway interface; this might mean that the interface is connected to the internet.

10. Most organizations have defined processes for decommissioning network devices or installing devices in their network. Make sure that, as part of this process, the team responsible for maintaining Skybox is aware of network changes and applies them to the Skybox model (for example, delete decommissioned devices and their associated tasks; add a task to collect recently installed devices).

11. After finishing the model validation during deployment, we strongly recommend that you review and remediate new issues at least once a week. There are analyses for new assets and interfaces in the model that you can review.

Model validation tasks and analyses

The built-in model validation analyses list entities that might need fixing. The most important analyses to check at this stage are those that list gateway issues and network interfaces with problems.

The Model Validation task finds model validation issues on entities including gateways, network interfaces, and assets.

Issues found by the Model Validation task are listed under Model Analyses > Model Validation.

Validating gateways

The following sections explain how to validate gateways in the model.

Disconnected gateways

Diagnosis

Standalone devices (devices that are not connected to other devices in the model) are shown as islands in the Network Map.

If none of a device’s network interfaces are connected to other network devices, the device is a disconnected gateway.

Unless the gateway has no routing rules (which can be identified using the Gateways with no Routing Rules analysis), at least one network interface of a disconnected gateway has a missing neighbor.

Usually, disconnected gateways are addressed when fixing other issues (using the Network Interfaces Validation analyses).

Root causes and their solutions

Root cause: Missing device in the model (next hop)
Solution: Collect or import the missing neighbor.

Root cause: Device not mapped to a Connecting Cloud
Solution: Map the network interface to a Connecting Cloud.

Root cause: Decommissioned device
Solution: Delete the gateway from the model. Add the gateway to the collection task exclude list.

Root cause: Overlapping networks
Solution:
• Fix the device configuration by configuring the network interface netmask and re-collecting or re-importing the device into the model.
• Assign the network interface in Skybox to the correct network (affects the Skybox model only).


Firewalls with no access rules

Diagnosis

There are Firewall assets in the Skybox model that have no access rules; their list of access rules is empty. A normal firewall in a production network should have at least one rule (an explicit Deny rule).

Root causes and their solutions

Root cause: Import or collection issue
Solution: Check the import or collection task messages for errors. Make sure that the access rules are in the configuration in Skybox.

Root cause: Firewall has no access rules (for example, a new firewall or a firewall that is not configured)
Solution: Check with the firewall administrator whether this is correct. The issue can be ignored if acknowledged by the firewall administrator.

Gateways with no routing rules

Diagnosis

There are network devices in the Skybox model with no routing rules; their list of routing rules is empty. Normal network devices in production with routing abilities should have at least one rule. Gateways with no routing rules cause speculation in access analysis (giving less accurate results and poor performance) and inaccurate Access Compliance results.

Root causes and their solutions

Root cause: Collection issue (the device was collected by a Skybox Collector using an online collection task)
Solution:
• Check the collection task messages for errors. Check the configuration in Skybox and make sure that the routing rules file is there.
• Check the Routing Table Collection command in the task’s Advanced tab.
• Check that you have authorization to run the command with the task’s credentials.
After fixing, re-collect the device.

Root cause: Import issue (the device was imported into the model from raw configuration files)
Solution:
• Check the import task messages for errors. Check the configuration in Skybox and make sure that the routing rules file is there.
• Make sure that the routing information is in the same file as the configuration data, or that both files are in a separate 1st-level subdirectory of the specified directory.
• Make sure that the routing file includes routing rules.
After fixing, re-import the device configuration and routing data.

Validating network interfaces

The following sections explain how to validate network interfaces on assets in the model.


Disconnected interfaces

Diagnosis

There are device interfaces that are not connected to a network. This can cause missing connectivity, incorrect visualization, and incorrect access results.

Root causes and their solutions

Root cause: Interfaces used for sync between cluster members
Solution:
• (Normal behavior) Acknowledge (“Mark as Viewed”)
• Create a network
• Assign the interfaces to the correct network

Root cause: Interface with netmask /32 (255.255.255.255)
Solution:
• (Normal behavior) Acknowledge (“Mark as Viewed”)
• Create a network
• Assign the interfaces to the correct network

Root cause: Merging issue when 2 networks are both candidates for the network interface (netmask misconfiguration on the devices)
Solution: Investigate the root cause and act accordingly. Look at the modeled networks to find the networks that match the interface (assign them to locations if they overlap).

Next hop and destination networks not in model

Diagnosis

“Next hop and destination networks not in model” issues highlight gateways that are missing from the Skybox model.

Examine the routing rules for each device. A typical entry includes:

• Destination network: “Where am I trying to get to?”

• Gateway: “How do I get there?” (that is, the next hop IP address)

The Model Validation task examines each routing rule to find the gateway (an IP address) and checks whether the gateway is in the Skybox model. The task also looks for the destination network and checks whether it is in the Skybox model. If an entry has a gateway that is not in the Skybox model and the destination network is not in the Skybox model either, the Model Validation task adds an interface issue of “Next hop and destination networks not in model”.

If the destination network is not in the model, no network device in the model holds that network. If the network should indeed not be in the model (use an IP address management tool to look for the network and confirm that it is not part of your networks), the most likely remediation is to convert the network to a Perimeter Cloud.


Root causes and their solutions

Root cause: Missing device (the gateway should be in the Skybox model)
Solution: Import or collect the missing next hop device.

Root cause: Out-of-scope device (a device that is not managed by your organization and whose configuration you cannot get)
Solution:
• Convert the network to a Perimeter Cloud
• Assign the network interface to a Connecting Cloud
• Run Model Booster to create connecting routers

Root cause: Old routing rule (no longer in use): there is a routing rule, but it is stale (the gateway might be decommissioned)
Solution:
• Fix the routing issue (device configuration)
• Acknowledge the issue in Skybox (“Mark as Viewed”)

Next hop is in a separate network

Diagnosis

The routing rules of each device are examined. The networks and the gateway are in the model, but the gateway is connected to a different network than the interface that routes to it.

Root causes and their solutions

Root cause: Network devices are misconfigured (different netmask assignments on the 2 sides) but work in real life
Solution: Fix the network device configuration (assign the same netmask to the interfaces). Alternatively, determine the network that contains the gateway, then open the interface properties and assign the correct network (this applies to Skybox only and has no impact on the network device).


Potential matching network for interface assigned to cloud

Diagnosis

An interface is connected to a cloud but has a missing next hop that is in another network of the model.

Root causes and their solutions

Root cause: The Model Validation task created the cloud before the missing next hop was imported
Solution: Assign the interface to the regular network instead of the cloud.

Root cause: The interface is locked to the cloud
Solution: Unlock the interface from the cloud. Assign the interface to the regular network.


VPN or tunnel endpoint is missing

Diagnosis

In a VPN or tunnel interface with a peer-to-peer configuration, one peer is in the Skybox model as part of the asset or interface that has the issue, but the other peer is not in the Skybox model.

Treat this issue as a “Missing next hop” issue. A missing peer points to a missing interface on a device that is missing from the model.

Root causes and their solutions

Root cause: Missing device (the missing peer is part of an in-scope network device that is not in the Skybox model)
Solution: Import or collect the missing device.

Root cause: Out-of-scope device (the missing peer is part of a network device that is not in the Skybox model, and the device is out of scope)
Solution: Convert the device to a Perimeter Cloud.

Root cause: Old VPN or tunnel configuration (the VPN or tunnel is configured on the device, but the other peer no longer exists because it was decommissioned)
Solution:
• Fix the device configuration
• Delete the network assignment from the network interface and lock it
• Acknowledge (“Mark as Viewed”)

Duplicated network device

Diagnosis

There is an interface that is part of a duplicate network device. The Model Validation task checks for duplicate devices based on name and network interfaces. If multiple devices have the same name and the same interface configurations, the interfaces that are part of the duplicate devices have this issue.

Root causes and their solutions

Root cause: Merging issue (Skybox did not merge the devices)
Solution: Consult with Skybox Support. You must specify the differences between the devices. Merge the devices manually.

Duplicated IP address in network

Diagnosis

There are multiple interfaces with the same IP address in the same network entity. In normal network behavior, there should be no duplicate IP addresses in the same network (except for virtual addresses and interfaces). An organization can have overlapping IP addresses, but these should be configured in the Skybox model as different networks, each in a different location.


Root causes and their solutions

Root cause: An old network device (an old interface entry in Skybox)
Solution: Delete the asset from the model. Exclude the asset from the task using the collection task exclude list.

Root cause: A merging issue in assets with the same interface, which creates the same interface multiple times in the same network
Solution: Consult with Skybox Professional Services or Skybox Support. You must specify the differences between the devices. Merge the devices manually.

Root cause: Overlapping networks (overlapping networks exist in the real network, but their locations were not specified)
Solution: Create locations and move the overlapping networks to different locations. Assign each network interface to a different network entity (in a different location).

Overlapping networks

Diagnosis

There are multiple overlapping networks: one network is covered by another. This causes connectivity issues (2 devices that should be connected are not).

Root causes and their solutions

Root cause: Network devices are misconfigured (different netmask assignments)
Solution: Determine the network that contains the gateway. Fix the network device configuration (assign the same netmask to the interfaces). Alternatively, open the interface properties and assign the correct network (this applies to Skybox only and has no impact on the network device).
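The checks in the Validating gateways and Validating network interfaces sections above are mechanical once the model is expressed as data, and seeing them run over a small model makes each diagnosis concrete. The following Python script is an added example written for this guide, not Skybox code, and it simplifies the rules (for instance, a destination counts as in the model only when a modeled network covers it). Every device, network, address and route in it is constructed so that each check fires exactly once: a firewall with no access rules, a router with no routing rules, a default route to an unmodeled ISP hop, a stale route, a next hop sitting on a differently-masked network, a duplicated address, overlapping networks in one location and an interface with no network.

```python
"""Model validation checks over a constructed model (added example, not
Skybox code). Simplified versions of the checks in "Validating gateways"
and "Validating network interfaces"; a destination counts as in the model
only when a modeled network covers it. All values are constructed so that
each check fires once."""
import ipaddress
from collections import defaultdict

# network name -> (CIDR, location); None means no location assigned
NETWORKS = {
    "dmz": ("203.0.113.0/24", "HQ"),
    "core": ("10.0.0.0/24", "HQ"),
    "core-upper": ("10.0.0.128/25", "HQ"),  # overlaps "core": wrong netmask on rtr-2
    "branch-lan": ("192.168.1.0/24", "Branch"),
}

# device -> type, interfaces (name, ip, prefix length, network or None),
# routing rules (destination, next hop) and access rules (firewalls only)
DEVICES = {
    "fw-1": {"type": "firewall", "access_rules": [],        # rules not imported
             "interfaces": [("eth0", "203.0.113.1", 24, "dmz"),
                            ("eth1", "10.0.0.1", 24, "core")],
             "routes": [("0.0.0.0/0", "203.0.113.254"),     # ISP router, out of scope
                        ("192.168.1.0/24", "10.0.0.254")]},
    "rtr-1": {"type": "router", "access_rules": None,
              "interfaces": [("ge0", "10.0.0.2", 24, "core"),
                             ("ge1", "192.168.1.1", 24, "branch-lan"),
                             ("ge2", "172.16.5.1", 24, None)],  # no network assigned
              "routes": [("0.0.0.0/0", "10.0.0.1"),
                         ("10.50.0.0/16", "10.0.0.77")]},       # stale route
    "rtr-2": {"type": "router", "access_rules": None,
              "interfaces": [("ge0", "10.0.0.254", 25, "core-upper"),
                             ("ge1", "192.168.1.1", 24, "branch-lan")],  # duplicate IP
              "routes": []},                                     # routing not collected
}


def interfaces(devices):
    """Yield (device, ifname, address, interface subnet, network) tuples."""
    for dev, d in devices.items():
        for name, ip, plen, net in d["interfaces"]:
            yield (dev, name, ipaddress.ip_address(ip),
                   ipaddress.ip_network(f"{ip}/{plen}", strict=False), net)


def firewalls_with_no_access_rules(devices=DEVICES):
    return sorted(n for n, d in devices.items()
                  if d["type"] == "firewall" and not d["access_rules"])


def gateways_with_no_routing_rules(devices=DEVICES):
    return sorted(n for n, d in devices.items() if not d["routes"])


def next_hop_issues(devices=DEVICES, networks=NETWORKS):
    """Route-by-route check of the next hop and the destination network."""
    modeled = [ipaddress.ip_network(cidr) for cidr, _ in networks.values()]
    hop_network = {ip: net for _, _, ip, _, net in interfaces(devices)}
    issues = []
    for dev, d in devices.items():
        local = [(sub, net) for dv, _, _, sub, net in interfaces(devices) if dv == dev]
        for dest, hop in d["routes"]:
            dest_net, hop_ip = ipaddress.ip_network(dest), ipaddress.ip_address(hop)
            hop_known = hop_ip in hop_network
            dest_known = any(dest_net.subnet_of(m) for m in modeled)
            if not hop_known and not dest_known:
                issues.append((dev, dest, hop, "next hop and destination networks not in model"))
            elif not hop_known:
                issues.append((dev, dest, hop, "missing next hop"))
            else:
                # the hop is modeled: it must sit on the same network entity as
                # the local interface whose subnet contains it
                egress = [net for sub, net in local if hop_ip in sub]
                if egress and hop_network[hop_ip] not in egress:
                    issues.append((dev, dest, hop, "next hop is in a separate network"))
    return issues


def duplicated_ips(devices=DEVICES):
    """Same address on more than one interface of the same network entity."""
    seen = defaultdict(list)
    for dev, name, ip, _, net in interfaces(devices):
        if net is not None:
            seen[(net, str(ip))].append(f"{dev}:{name}")
    return {k: v for k, v in seen.items() if len(v) > 1}


def overlapping_networks(networks=NETWORKS):
    """Overlap is an issue only within one location (or with no location);
    overlapping space in different locations is modeled on purpose."""
    items = [(n, ipaddress.ip_network(c), loc) for n, (c, loc) in networks.items()]
    return [(a, b) for i, (a, ca, la) in enumerate(items)
            for b, cb, lb in items[i + 1:] if ca.overlaps(cb) and la == lb]


def disconnected_interfaces(devices=DEVICES):
    """Interfaces without a network; /32 interfaces are normal and skipped."""
    return [f"{dev}:{name}" for dev, name, _, sub, net in interfaces(devices)
            if net is None and sub.prefixlen != 32]


if __name__ == "__main__":
    for check in (firewalls_with_no_access_rules, gateways_with_no_routing_rules,
                  next_hop_issues, duplicated_ips, overlapping_networks,
                  disconnected_interfaces):
        print(f"{check.__name__}: {check()}")
```

Each finding maps to a root-cause table above: the fw-1 default route to 203.0.113.254 is the out-of-scope ISP case (convert to a Perimeter Cloud), the rtr-1 route to 10.0.0.77 is the stale-route case, and the fw-1 route via 10.0.0.254 lands on core-upper because rtr-2 carries a /25 mask where its neighbours carry /24, which is also why core and core-upper overlap inside the same location.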


Access Analyzer test queries

Check the access to your network from different external locations. If there is insufficient access, gateways or network segments might be missing from the model. If there is too much access, sets of access rules might be missing.

Check access by creating real-world queries and results (5 to 10 samples) in Access Analyzer.

Test queries can include:

• A spectrum of test types

• Internet inbound

• User environment to internet

• User environment to user environment

• Customer-specific and network-specific

Start with simple queries and progress to more complex ones.

We recommend that you convert queries that validate your model into access validation tests. These tests are run by Model – Completion and Validation tasks to validate the model on a continuous basis, as explained here.

Access validation tests

The main goal of the deployment phase is to collect the full network and model it in Skybox. To make this easier, you can add a ‘safety net’ that catches collections that break the network topology, so that you can decide whether those collections are valid.

This safety net consists of a group of access queries that are saved as access validation tests. The tests can be run automatically after every collection as part of the Model Validation task, to ensure that the model is stable. Broken access is visible in the Model Analyses > Model Validation area, making it easy to pinpoint the root cause and fix it.


To convert an access query into an access validation test

1. Open the access query in Access Analyzer.

2. Click Analyze.

3. In the menu above the results, click Save Access Validation Test.

To run access validation tests as part of the Model Validation task

1. In the task parameters, select Run Access Validation Tests.

2. Make sure that the Limitation Type parameter is not set to No precalculation.

To view the results of access validation tests

l In the Model workspace, in the tree, select Access Validation Tests.

Network Map visualization

Skybox creates a map of the interconnections in your network named the Network Map. After you have built the basic topology of the network, use the Network Map to make sure that the whole network is connected. Unconnected nodes or network segments are a sign of missing information. Search for islands: parts of the network that are disconnected.

To open the Network Map from Skybox Manager, click on the toolbar. When you open the Network Map, it is redrawn according to the most recent information in your model. You can create and save maps of sections of your network.

Note: If this is the 1st time that you are opening the map, either open Organizational Map to load the map of your entire model or select a different map that someone else created.

For additional information, see Network Map.

Task error messages

Error messages from tasks might mean that something went wrong.

Note: Successful import or collection of a device does not necessarily mean that Skybox retrieved all required information. For example, if you import a device without its routing file, Skybox models the device, but the dynamic routing rules are missing.

Item counts

Check that the number of assets added to the model is what you expect, and that the element names and types are correct.

Creating Perimeter Clouds automatically

Model – Completion and Validation tasks can create Perimeter Clouds automatically; this completes the model with clouds and fixes missing parts of the model. This feature is disabled by default in the Model Validation task; we recommend that you enable it only after you are sure that all devices are in the model, to avoid creating unnecessary Perimeter Clouds.

The task converts perimeter networks to Perimeter Clouds for:

l A VPN or tunnel network, peer-to-peer, for which a peer is missing.

Skybox changes the name to %PEER1-IP%_%PEER2-IP%.

l A regular network that is a perimeter network. A perimeter network is a network with missing next hops.

Skybox changes the name to Accessible Via %LIST-OF-MISSING-NEXT-HOPS-FROM-THE-SAME-INTERFACE% or leaves the Perimeter Cloud name as the network name.

Running the Model Validation task with automatic creation of Perimeter Clouds fixes the following model validation issues:

l Next hop not in model

l Next hop and its destination networks not in model

l VPN or tunnel endpoint is missing

The Model Validation task cannot always complete the model or create Perimeter Clouds automatically. For example:

l Skybox cannot create a Perimeter Cloud for a perimeter network that is configured on a device that is not in the model

l A device without routing information

Missing next hop analysis is based on routing rules; if these do not exist, Skybox cannot convert networks to clouds.

The Model Validation task can be run to Connect Perimeter Networks As Connecting Routers. This runs Model Booster, which creates virtual connecting routers to connect between missing next hops in the network model. Any existing Perimeter Clouds are converted to connecting routers if possible. See Model Booster for additional information.

For additional information about these tasks, see the Model completion and validation tasks topic in the Skybox Reference Guide.

Validating the setup for attack simulation

Skybox attack simulation produces accurate results only if attack locations are defined throughout the network. Define a Threat Origin for every external link from which an attack might originate.

Attack simulation is also dependent on the definition of important internal resources. Every server that provides a revenue or productivity function should be a member of a Business Asset Group; associate at least one Business Impact with every Business Asset Group.

Manual verification is the only method available for checking the configuration of Business Asset Groups and Business Impacts.

To validate the business information

1. Compare the list of Business Asset Groups in the model with the list provided during the deployment-planning phase.

2. Compare the model with access rules:

a. Look through the firewall rulebase that protects the server networks.

b. For each inbound service rule, verify the importance of the service.

c. In the model, check that the service’s asset belongs to a Business Asset Group.

3. Most organizations maintain separate networks for servers. Examine the server networks:

a. Check that all members of the server network are providing services.

b. Check that every server is inactive, unimportant, or part of a Business Asset Group.

Model Booster

Model Booster creates virtual connecting routers to connect between missing next hops in the network model. It takes as input the network model created by Skybox.

Important: Model Booster is an innovative feature in an experimental phase. Use it with care and preferably with the assistance of Skybox Professional Services. Make sure to back up the model before using this feature.

Why use Model Booster?

If a network model exists but not all layer-3 devices were imported, the model might be incomplete. This, in turn, causes end-to-end access analysis to fail on many queries due to broken routes. The affected use cases include Access Analyzer, Access Compliance, Change Manager in network mode, and attack simulation (exposure analysis).

The Use cases section describes several scenarios in which you would want to implement Model Booster.

How does Model Booster work?

Model Booster creates virtual connecting routers between perimeter networks. For 2 perimeter networks to be connected, the router leading to the 1st perimeter network must be accessible from the router leading to the 2nd perimeter network and vice versa. If a perimeter network cannot be connected to another perimeter network, it is transformed into a Perimeter Cloud.

Minimum network requirements

l For Model Booster to work, at least 2 network devices with routing rules must exist in the model. Model Booster connects networks only if the routing rules from both sides can route to the other router.

l Model Booster connects a model with only firewalls (no routers), provided all the firewalls have routing rules, both static and dynamic.

Note: Model Booster cannot replace NAT devices (like load balancers); they are required for the Skybox model to be NAT aware.

How to run Model Booster

Model Booster is part of the Model completion and validation task. Model Booster can be run as often as necessary.

1. Initially, complete the model with as many firewall and NAT-capable devices as possible. This process is described in Building the model.

2. After this is done, run Model Booster and validate the model.

3. Continue to add additional devices and run Model Booster to increase model accuracy.

l Connect Perimeter Networks As Clouds converts networks to Perimeter Clouds.

l Connect Perimeter Networks As Connecting Routers runs Model Booster and creates Perimeter Clouds for networks that cannot be connected by virtual routers.

For additional information, see the Model completion and validation tasks topic in the Skybox Reference Guide.

Model Booster limitations

l Policy-based routing rules (PBRs) are currently not considered by Model Booster. Model Booster calculations and connectivity can only be based on routing rules.

l Model Booster cannot generate access rules on connecting routers, only routing rules. Where routers have ACLs, we recommend that you import those devices into Skybox.

l Model Booster cannot deduce NAT rules. Therefore, it is important for the accuracy of the Skybox model to import NAT devices (for example, load balancers).

l Assets imported from scanners are, by default, created without networks. For assets to be connected to networks, you must import the network device configurations that have those networks configured on them, so that their networks are created and the assets attached.

l Model Booster is not supposed to complete connectivity in internal or external cloud environments, because such environments usually model all the involved devices.

l Model Booster cannot connect L2 firewalls as they lack routing rules.

l MPLS connectivity replacement by Model Booster is still in the experimental stage.

What are connecting routers?

A connecting router is created by Model Booster and connects between missing next hops in the model.

Connecting router naming convention

Connecting routers receive a name similar to connecting_router_10.0.0.0 / 28, where 10.0.0.0 / 28 is the address of the perimeter network that was selected as the anchor of the router.

If, for example, there should be connectivity between (N1, N2) and (N1, N3), then N1 is selected as the anchor and a single router connecting (N1, N2, N3) is created, named after N1.

Viewing connecting routers

To see all the connecting routers, create a Host analysis and put connecting_router* in asset names.

Another option is to view them as regular routers under All Network Devices > Routers in the Model workspace.

In an extreme case, Model Booster creates a connecting router between every pair of perimeter networks in the model. However, in practice, Model Booster unifies many connections into one connecting router with multiple interfaces.
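The pairing rule from How does Model Booster work? and the anchor naming convention above, worked through on a small constructed model. This is an added example written for this edition of the guide, not Skybox's implementation: the model format, the anchor choice (the member network with the most mutual links, lowest address on ties), the Accessible Via naming for networks that cannot be paired, and the four sample firewalls are all assumptions. Perimeter networks are detected as the guide describes, from routing rules whose next hop is not an interface of any modeled device, and two of them are joined only when each side's router routes towards the other side through that missing next hop.

```python
"""Toy version of the Model Booster pairing rule (hypothetical code, not Skybox's).

A perimeter network is a network whose next hop is not an interface of any device
in the model. Two perimeter networks are joined by one connecting router only when
each side's router routes towards the other side's networks through that next hop.
"""
import ipaddress
from collections import defaultdict

# Constructed sample model: device -> interfaces (CIDR) and static routes
# (destination prefix, next hop). The three firewalls route to each other through
# WAN peers that were never imported; fw-lab only has a default route out and
# nobody routes back to it, so its WAN network can only become a Perimeter Cloud.
SAMPLE_MODEL = {
    "fw-hq": {"interfaces": ["10.1.0.1/24", "192.0.2.1/30"],
              "routes": [("10.2.0.0/24", "192.0.2.2"), ("10.3.0.0/24", "192.0.2.2")]},
    "fw-branch": {"interfaces": ["10.2.0.1/24", "198.51.100.1/30"],
                  "routes": [("10.1.0.0/24", "198.51.100.2"), ("10.3.0.0/24", "198.51.100.2")]},
    "fw-dc": {"interfaces": ["10.3.0.1/24", "203.0.113.1/30"],
              "routes": [("10.1.0.0/24", "203.0.113.2"), ("10.2.0.0/24", "203.0.113.2")]},
    "fw-lab": {"interfaces": ["10.9.0.1/24", "192.0.2.9/30"],
               "routes": [("0.0.0.0/0", "192.0.2.10")]},
}


def _lpm(routes, dest):
    """Longest-prefix match: next hop of the most specific route covering `dest`."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return ipaddress.ip_address(best[1]) if best else None


def _networks(model, dev):
    return [ipaddress.ip_interface(i).network for i in model[dev]["interfaces"]]


def find_perimeter_networks(model):
    """{(device, network): {missing next hop IPs}} for every next hop that is not an
    interface of any modeled device (the 'Next hop not in model' validation issue)."""
    known = {ipaddress.ip_interface(i).ip for d in model.values() for i in d["interfaces"]}
    perimeter = defaultdict(set)
    for dev, data in model.items():
        for _prefix, nh in data["routes"]:
            nh_ip = ipaddress.ip_address(nh)
            if nh_ip in known:
                continue
            for net in _networks(model, dev):
                if nh_ip in net:
                    perimeter[(dev, net)].add(nh_ip)
    return perimeter


def _routes_towards(model, src, dst, via_net):
    """One direction of the check: does `src` route to any of `dst`'s networks
    through a next hop inside `via_net`?"""
    for net in _networks(model, dst):
        nh = _lpm(model[src]["routes"], net)
        if nh is not None and nh in via_net:
            return True
    return False


def boost(model):
    """Return (connecting_routers, perimeter_clouds) for the model."""
    perimeter = find_perimeter_networks(model)
    keys = sorted(perimeter, key=lambda k: (str(k[1]), k[0]))
    parent = {k: k for k in keys}          # union-find over perimeter networks
    links = defaultdict(int)               # mutual links per network (anchor choice)

    def find(k):
        while parent[k] != k:
            k = parent[k]
        return k

    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if a[0] != b[0] and _routes_towards(model, a[0], b[0], a[1]) \
                    and _routes_towards(model, b[0], a[0], b[1]):
                links[a] += 1
                links[b] += 1
                parent[find(a)] = find(b)

    groups = defaultdict(list)
    for k in keys:
        groups[find(k)].append(k)

    routers, clouds = {}, {}
    for members in groups.values():
        if len(members) == 1:              # no mutual route: becomes a Perimeter Cloud
            dev, net = members[0]
            hops = ", ".join(str(h) for h in sorted(perimeter[(dev, net)]))
            clouds[f"Accessible Via {hops}"] = str(net)
            continue
        # Assumed anchor rule: most mutual links, lowest network address on ties.
        anchor = max(members, key=lambda k: (links[k], -int(k[1].network_address)))
        interfaces = sorted(f"{nh}/{net.prefixlen}"
                            for dev, net in members for nh in perimeter[(dev, net)])
        routes = []                        # copied from the routers leading to each member
        for dev, net in members:
            via = next(ipaddress.ip_interface(i).ip for i in model[dev]["interfaces"]
                       if ipaddress.ip_interface(i).network == net)
            routes += [(str(n), str(via)) for n in _networks(model, dev) if n != net]
        routers[f"connecting_router_{anchor[1]}"] = {"interfaces": interfaces,
                                                     "routes": sorted(routes)}
    return routers, clouds


if __name__ == "__main__":
    routers, clouds = boost(SAMPLE_MODEL)
    for name, r in routers.items():
        print(name, r["interfaces"], r["routes"])
    print(clouds)
```

On the sample model the three firewalls collapse into one connecting router with three interfaces (the missing WAN peers) and only directly-connected routes, which is why the guide can say no speculation is introduced; fw-lab's WAN network, which nobody routes back to, ends up as a Perimeter Cloud named after its missing next hop.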

Editing Connecting routers

Connecting routers are read-only; you cannot edit any of their data.

Excluding networks

You can define hosts, networks, locations, or business units to exclude from the Model Booster calculation.

In sb_server.properties, add the following:

#hosts to exclude: host name, host name, host name, ...

perimeter_completer_exclude_hosts=

#networks to exclude: network address 1, network address 2, network address 3, ...

perimeter_completer_exclude_networks=

#locations to exclude: location name 1, location name 2, location name 3,...

perimeter_completer_exclude_locations=

#business units to exclude: business unit name 1, business unit name 2, business unit name 3, ...

perimeter_completer_exclude_business_units=

Use cases

The use cases for implementing Model Booster include:

Access Analyzer and Network Assurance

A user runs Model Booster to automatically connect as many perimeter networks in the model as possible to facilitate Access Analyzer and network access compliance.

Vulnerability Control

A user with only Vulnerability Control can import only the firewalls and network devices that are directly connected to the endpoints (used as their default gateways) and use this functionality to complete the model gaps resulting from the missing network devices. This allows them to run exposure analysis on the model.

FAQs

Does Model Booster introduce speculation into the model?

All connecting routers are created with routing rules from the routers that lead to the networks the router is associated with. No speculation is introduced.

The Model Booster connection is based on existing routing rules only. Therefore, it does notassume connectivity based on speculation.

How do the new connecting routers affect the performance of the model?

From an access calculation perspective, because there is no speculation, there is no significant impact on access calculations.

Due to an increase in the size of the model and greater save and load time, there will be an impact on performance proportional to the number of additional connecting routers and routing rules.

Can Model Booster also complete access rules in the model?

No. Model Booster can only deduce the routing rules on the connecting router. The router will not have any access rules.

What happens when the real router, currently modeled by one or more connecting routers, is imported?

If a new device is brought into the model, the connecting routers representing it are deleted in the next run of model validation.

When Model Booster runs, it deletes and recreates all connecting routers. Therefore, if a real router is brought into the model, Model Booster does not recreate the connecting routers that previously represented it. If the new router itself has networks with missing next hops, Model Booster will try to connect them.

If there is a connecting router already in the model, why import the actual router configuration?

Model Booster can simulate the routing capabilities of one or more routers. However, to increase the accuracy of the model and to analyze the configuration of these routers or their access rules, you must import the actual router configuration into the model.

Does Model Booster complete cloud environments?

In general, Model Booster is designed for completing traditional data centers. With cloud environments, because all the information is gathered from the network management solution, there is no need for Model Booster to be applied.

Is a connecting router checked for compliance in Configuration, Rule, or Access Compliance analysis?

Connecting routers are excluded automatically from any Skybox analysis.

Chapter 11

Network visualization (maps)

After the model is built, Skybox creates a map of the interconnections: the Network Map.

This chapter describes the Network Map.

In this chapter

Network Map 85

Creating and saving dedicated maps 86

Navigating the Network Map 86

Map Groups 89

Network Map

To open the Network Map from Skybox Manager, click on the toolbar. When you open the Network Map, it is redrawn according to the most recent information in your model. You can create and save maps of sections of your network.

Note: If this is the 1st time that you are opening the map, either open Organizational Map to load the map of your entire model or select a different map that someone else created.

Creating and saving dedicated maps

By default, the Network Map displays the entire model. However, it is easier to work with dedicated maps for specific scopes. We recommend that you create a separate map for each network scope that you want to view in detail.

Creating a dedicated map

To create a map

1. In the File pane of the control panel, click .

2. In the New Network Map dialog box, define the scope of the map.

l For information about the properties of Network Maps, see the Map properties section in the Skybox Reference Guide.

3. Click OK.

Saving maps

To save a map

l To save the map (including changes that you made): In the File pane of the control panel, click .

l To save the map (including changes) with a different name: In the File pane of the control panel, click .

Viewing changes to the map

Changes to the model that occur while the Network Map window is open are not reflected in the map. If changes were made, click at the top of the control panel. You are prompted to save all unsaved maps, the map definitions from the Server are refreshed, and the selected map is reloaded to the Map pane.

Navigating the Network Map

Navigate the Network Map using the control panel.

Map layout

Skybox lays out the nodes of the selected map. You can:

l Select and move nodes of the map to make the map easier for you to work with.

l Click to redraw the map using the same calculation formula. This is useful if you changed the display (for example, if you created map groups or hid nodes).

If you did not change the display or if relayout does not make the map easier for you to use, tune the layout properties using the Layout pane ( ) to change the values used in the calculation formula (see the Layout properties topic in the Skybox Reference Guide).

l Click . Skybox redraws the map to fit the size of the window.

l Click inside the white space of the map and scroll to resize the map or move the mouse to reposition the map in the window.

Highlighting parts of the map

Skybox can highlight specific nodes or sets of nodes in the map to help you to understand your network. Highlighting is temporary: when you change maps or save a map, all highlighting is cleared.

l Highlighting neighbors: By default, when you select a node in the map, the node is highlighted; its immediate neighbors are highlighted in a lighter color than the selected node. You can change the number of neighbors highlighted by changing Neighbors Distance (at the top of the control panel).

Note: This property is saved with the map.

l Highlighting different types of nodes: Use the Highlight pane to specify the node types to highlight in the map (automatically, not by selection). For example, you can highlight all Perimeter Clouds, a location, or nodes that have missing next hops. Each type of node is highlighted in a different color; you can select multiple node types to highlight at the same time.

Filtering the map

You can filter the map to display only specific nodes. To display the filter pane, click in the control panel.

Note: Use Ctrl-F to display the filter pane, and Esc (in the Show field or in the white space of the Map pane) to close it.

l Show: Select nodes in the map by typing in the (full or partial) name or IP address of the nodes. Only these nodes (and their neighbors) are displayed.

You can use the characters ? and * for standard pattern matching in the filter; you can also use regular expression syntax:

o ^X: Specifies an expression (X) that is at the beginning of the name or IP address

o X$: Specifies an expression (X) that is at the end of the name or IP address

o [xyz]: Specifies a character that is either x, y, or z

o [^abc]: Specifies a character that is anything except a, b, or c

l Show Only Highlighted: Filters the map to display only highlighted nodes.

l Regular Mouse Mode: When you select nodes in the map, the selected nodes and theirneighbors are highlighted.

l Focus: Only selected nodes and their neighbors (within a radius of Neighbors Distance) are displayed.

l Extend: When you select nodes in the map, the map expands (if parts of it are hidden) by adding all neighbors of the selected node up to a radius of Neighbors Distance.

l Display All Nodes: Restores all hidden nodes to the map but keeps the magnification (so some nodes might lie outside the visible area). Also clears all highlighting.
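The Show filter syntax above (glob wildcards plus a few regular-expression constructs) implemented as a small matcher, so you can see how a pattern is interpreted before typing it into a large map. This is an added example, not Skybox's code: the node list is constructed, and the translation (unanchored partial match against name or IP, literal dots, pass-through of ^, $ and character classes) follows the description in this section rather than the product source.

```python
"""Matcher for the Network Map 'Show' filter syntax (hypothetical code, not Skybox's).
`*` and `?` are glob wildcards; `^`, `$`, `[xyz]` and `[^abc]` pass through as
regular-expression syntax; every other character is matched literally."""
import re

# Constructed sample nodes: (name, IP address)
SAMPLE_NODES = [
    ("fw-hq-01", "10.1.0.1"),
    ("fw-hq-02", "10.1.0.2"),
    ("rtr-paris", "10.20.0.1"),
    ("rtr-london", "10.21.0.1"),
    ("Accessible Via 192.0.2.10", "192.0.2.8"),
]


def filter_to_regex(pattern):
    """Translate a filter pattern into a compiled regex (partial match unless anchored)."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")                   # glob: any run of characters
        elif ch == "?":
            parts.append(".")                    # glob: exactly one character
        elif ch in "^$":
            parts.append(ch)                     # regex anchors pass through
        elif ch == "[" and "]" in pattern[i + 1:]:
            j = pattern.index("]", i + 1)        # character class passes through
            parts.append(pattern[i:j + 1])
            i = j
        else:
            parts.append(re.escape(ch))          # '.' in an IP address stays a literal dot
        i += 1
    return re.compile("".join(parts))


def matching_nodes(pattern, nodes=SAMPLE_NODES):
    """Names of the nodes whose name or IP address matches the pattern."""
    rx = filter_to_regex(pattern)
    return [name for name, ip in nodes if rx.search(name) or rx.search(ip)]


if __name__ == "__main__":
    for p in ("fw-hq-0?", "^rtr", "0.1$", "rtr-[^p]*", "10.1.0.*"):
        print(f"{p!r:>12} -> {matching_nodes(p)}")
```

The dot escaping matters in practice: a filter such as 10.1.0.* should select the 10.1.0.0/24 hosts and nothing from 10.20.0.0/24, which only holds if the dots are literal.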

Exporting maps

You can export maps as graphic files or Visio files.

l Export image: Saves the visible portion of the map as a graphic file to the directory specified in the Export dialog box.

Note: You can change the resolution of the saved image in the Export dialog box for easier viewing outside Skybox.

l Export to Visio: Exports the visible portion of the map as a Microsoft Visio VDX file so that non-Skybox users can view or print the map.

For additional information about the control panel and the filter pane, see the Network Map control panel topic in the Skybox Reference Guide.

Map Groups

A Map Group ( ) represents a region or area in the network. Map Groups can include gateways, networks, and other Map Groups. Usually, Map Group members are topologically related, so that a collapsed group makes sense.

Defining Map Groups reduces the complexity of the model in the Network Map and provides better orientation in large networks. Each Map Group can be highlighted in a different color, enabling you to distinguish between entities that belong to different groups. You can collapse a Map Group so that only a representative node is displayed in the map.

Map Groups are stored globally in the model; creating or changing a Map Group in one map affects all other maps that contain that Map Group.

Map Group scopes

Each Map Group has a set of defining members (usually the group’s gateways) and additional members. The additional members are the neighbor nodes of the defining member nodes.

The user specifies the defining member nodes. Skybox completes the additional member nodes. This makes the Map Group definition more compact and eliminates the need to explicitly attach newly discovered networks to Map Groups; newly discovered networks are added to the Map Groups of their gateway neighbors.

Creating Map Groups

Before defining Map Groups:

l Set the Highlight mode of Map Groups to All (in the Map Group pane, in Highlight, select All).

This highlights each Map Group in a separate color and highlights new groups in different colors when the groups are created.

l Set the Highlight Neighbor distance (at the top of the control panel) to 0.

This prevents highlighting neighbor nodes when selecting nodes for a Map Group.

To create a Map Group

1. Select the set of nodes that define the scope of the Map Group.

Nodes (gateways and networks, but not Perimeter Clouds) whose neighbors are all in the scope of the Map Group are automatically added to the group as members; it is usually sufficient to select a set of gateway nodes as the defining members. You only need to select network nodes explicitly if they are to be part of the group but some neighbor gateways are not part of the group.

2. Right-click in the selection and select New Map Group.

3. In the Map Group dialog box:

a. Type a Name for the group.

b. (Optional) Change the highlight color of the group.

c. (Optional) To display the group in collapsed form after it is created, select Collapse.

d. Click OK to create the Map Group.

Note: Map Groups have labels; use the View pane of the control panel to toggle whether to display these labels.

Map Group hierarchies

To create a hierarchy of Map Groups, you can work top-down (for example, by creating a Paris Map Group when a Europe Map Group already exists) or bottom-up (for example, by creating a Europe Map Group when Paris and London Map Groups already exist).

To create a Map Group inside a Map Group

1. Select the nodes of the Map Group to include in the new Map Group.

2. Right-click in the selection and select New Map Group.

To create a Map Group that contains Map Groups

1. Select the labels of the Map Groups (and other gateway or network nodes to include in the new Map Group).

2. Right-click in the selection and select New Map Group.

To view the hierarchy of Map Groups

1. Right-click a node in the map and select Attach to Map Group.

2. In the Attach to Map Group dialog box, view the Map Group hierarchy; then click Cancel to close the dialog box (without attaching anything).

Working with Map Groups

The following options in the Map Groups pane of the control panel are useful:

l Highlight All: Highlights each Map Group in a different color

l Collapse All / Expand All: Collapse or expand all Map Groups. Collapse replaces the members of a Map Group by a representative node.

The following options on the shortcut menu are useful when you edit a Map Group:

l Collapse Map Group: Right-click a member of the Map Group or the group label, and then select Collapse Map Group.

l Expand Map Group: To display the members of a collapsed Map Group, right-click the node representing the Map Group and select Expand Map Group.

To attach nodes to a Map Group

1. Select a set of nodes or labels of Map Groups to attach to another Map Group.

2. Right-click in the selection and select Attach to Map Group.

3. Specify the target Map Group in the dialog box. The selected nodes or Map Groups are detached from other Map Groups and attached to the selected target Map Group.

To detach nodes from a Map Group

1. Select a set of nodes or labels of Map Groups to detach from the Map Groups to which they are attached.

2. Right-click in the selection and select Detach from Map Group.

To delete a Map Group

1. Select a Map Group (by selecting either the Map Group’s collapsed node or its label).

2. Right-click the selection and select Delete Map Group.

Note: This command deletes the Map Group definition but does not delete the member nodes of the Map Group nor subgroups of the selected group.

Chapter 12

Adding Threat Origins

A Threat Origin is a potential starting point for an attack.

This chapter explains Threat Origins and how to add them to the model.

In this chapter

Threat Origins overview 92

Threat Origins 92

Threat Origin Categories 93

Defining Threat Origins 94

Disabling and enabling Threat Origins 95

Threat Origins overview

Threat Origins are specified by defining the network entities (assets, networks, or locations) where an attacker might be located. Threat Origins are indicated in Skybox by .

Typical locations for Threat Origins

l Perimeter Clouds

o For information about defining Perimeter Clouds, see Creating and editing Perimeter Clouds.

l Locations where you expect mobile devices to be connected

l Points inside your organization that you suspect could be the source of an internal attack

l Locations in which security is limited (for example, DMZ networks or workstation networks(which are prone to infection via email))

For effective risk analysis of your network, specify the Threat Origins that seem most probablefor your organization.

Tip: We recommend that you start with a 1st phase consisting of 1 or 2 Threat Origins.

Attack simulation tests all scenarios for attacking the network starting from the Threat Origins defined in the model and it uses this information to analyze risk.

Threat Origins

Properties of Threat Origins include the estimated skill level of the attackers and the attacker’s privilege on the attacking machine.

For example, for Threat Origins from the internet, you assume that there are highly skilled attackers, but for Threat Origins inside your organization, you assume that the attackers are less skilled. The skill level is taken into account when analyzing the likelihood of successful attacks and the risks imposed by these attacks.

You can specify the Business Asset Groups that a Threat Origin can attack. When you define a Business Asset Group, you can define the Threat Origins that you expect might attack it. By default, Threat Origins attack all Business Asset Groups.

Threat Origin Categories

Threat Origins are classified into Threat Origin Categories, so that they can be grouped whenever risk is displayed or reported. For example, you can show risk for, or generate a report about, all Threat Origins that originate outside your organization (usually named External Threats).

To view risk from specific threats in an analysis or a report, add those threats to a Threat Origin Category and select that category to filter the analysis or report.

Skybox includes 4 Threat Origin Categories with the following default names:

l External Threats

l Internal Threats

l B2B Threats

l Other Threats

The Other Threats category is disabled by default. You can enable it if required.

A Threat Origin can belong to multiple categories. For example, an attacker from the internet could be classified as external and B2B. You can create analyses that return only Threat Origins in selected categories.

Managing Threat Origin Categories

Only Admins can manage Threat Origin Categories.

Renaming Threat Origin Categories

Although you cannot define additional categories, you can rename categories to suit your organization. For example, you can change 2 of the Threat Origin Categories to Internet and Competitors, and define each Threat Origin accordingly.

To rename a Threat Origin Category

1. In the Threat Origin Categories folder of the Model tree, right-click the category and select Rename.

2. Type a name for the category.

Skybox uses the new name wherever this Threat Origin Category is mentioned (for example, in the column names of specific analyses, the Risk Profile tab of Business Units, Business Asset Groups, and vulnerability occurrences, and the filtering fields of analyses and reports about Threat Origins).

Enabling and disabling Threat Origin Categories

You can enable or disable Threat Origin Categories.

To enable or disable a Threat Origin Category

l In the Threat Origin Categories folder of the Model tree, right-click the category and select Enable or Disable.

Enabling or disabling a Threat Origin Category does not affect the status of Threat Origins in that category. Threat Origins are always accessible from the All Threat Origins node of the Model tree. However, you can only view the risk from Threat Origins in a category as part of the total risk for that category.

Defining Threat Origins

When you define a Threat Origin, remember that a Threat Origin does not attack itself. That is, Skybox does not analyze attacks between assets or networks that are part of the same Threat Origin; if you define a Threat Origin with multiple locations, Skybox does not analyze attacks between the assets or networks in those locations.

Many Threat Origins can make it harder to understand the risk; use a small number of Threat Origins.

To define a Threat Origin

1. In the Model tree, expand the Threat Origin Categories node.

2. Right-click All Threat Origins and select New > Human Threat Origin.

l For information about the properties of Threat Origins, see the Threat Origins section in the Skybox Reference Guide.

3. In the New Human Threat Origin dialog box:

a. Type a name for the Threat Origin.

b. Click the Browse button next to Threat Location to specify the location of the Threat Origin.

c. Select the required Threat Origin Categories.

d. Specify Attacker Skill and Likelihood to Attack.

Important: Specify the likelihood in a way that differentiates between more probable and less probable attack sources.

e. Click OK.

The Threat Origin is saved. It is listed in the Table pane when you select its Threat Origin Category node in the Model tree.

Properties in the Advanced tab include:

l Attacker Privilege

l Cloud Source Addresses: Risk for Threat Origins is usually assigned an equal value from all source IP addresses. Sometimes, the risk for attacks from wide address ranges and the risk for attacks from specific addresses is different; for information about handling this issue, see Using clouds as Threat Origins.

l Business Asset Groups: By default, each Threat Origin can attack all Business Asset Groups. If there are Business Asset Groups that this Threat Origin does not attack, configure the Threat Origin so that Skybox ignores them during risk analysis:

o Select all such Business Asset Groups in Analyze for risk and click to move them to Ignore.

You can usually leave the default values for these properties.

Disabling and enabling Threat Origins

By default, Threat Origins are enabled.

Disabling Threat Origins can be useful:

l If (while building the model) not all firewalls are included in the model, the Threat Origins have access to large parts of the network. This can slow down attack simulation and might also mean that Skybox shows very high risk on all Business Asset Groups (some groups would not be accessible if the firewalls were included). Disabling Threat Origins speeds up attack simulation and cuts down on the amount of risk displayed.

l To evaluate the risk from a Threat Origin, you can disable the others.

To disable or enable a Threat Origin

l In the Table pane, right-click the Threat Origin and select Disable or Enable.

Disabled Threat Origins are displayed with a grayed-out icon ( ).

Chapter 13

Using Business Asset Groups for risk metrics

As defined in Business Asset Groups, a Business Asset Group is a group of assets that serve a common business purpose.

This chapter describes the additional information that is required to use Business Asset Groups for risk metrics.

In this chapter

Business Impacts and Regulations 96

Adding dependency rules 98

Explicit dependency rules 98

Implicit dependency 99

Business Impacts and Regulations

An impact is a way of measuring the loss on a Business Asset Group. Impacts involve damage to Business Asset Groups:

• As a Business Impact (for example, mission-critical damage or low-level financial damage)

• As a compromise to a security Regulation with which organizations must comply (for example, SOX or GLBA).

Skybox uses Business Impacts and Regulations to calculate the risk on the Business Asset Group. You define them separately and attach them to Business Asset Groups.

Note: By default, Skybox ignores the impact level for security metrics analysis.

Skybox comes with predefined Business Impact and Regulation templates, and predefined Business Impacts and Regulations for the most common Business Impacts and Regulations. Use the templates as the basis for creating Business Impacts and Regulations to suit your requirements.

Adding Business Impacts and Regulations

You can add Business Impacts and Regulations directly from a Business Asset Group by clicking New or you can add them from Tools > Administrative Tools > Business Impact Types (or Tools > Administrative Tools > Regulations). You must specify the Loss Type, Damage Level, and attached Business Asset Groups.

Only Admins can create Business Impacts and Regulations.

Best practice for working with Business Impacts

Use different Business Impacts for different types of loss or at least to differentiate between confidentiality and integrity versus availability. If you do not find an appropriate Business Impact (or Regulation) for a Business Asset Group, add a Business Impact (or ask an Admin to add one for you).

Attaching Business Impacts and Regulations to Business Asset Groups

The following instructions explain how to attach a Business Impact or Regulation to a Business Asset Group.

To attach Business Impacts or Regulations to a Business Asset Group

1. Expand the Business Units & Asset Groups node of the Model tree and locate the Business Asset Group.

2. Right-click the Business Asset Group and select Properties.

3. In the properties dialog box click the Business Impacts tab or, to attach Regulations, click the Regulations tab.

4. Select the Business Impacts to attach to the Business Asset Group.

5. You can change the Damage of a Business Impact for this Business Asset Group:

a. Click the Browse button next to the Damage.

b. In the Damage dialog box, you can:

• Change the Level by selecting a different value from the drop-down list.

Levels are mapped internally to monetary values for risk analysis.

• Click Rate and type the damage in monetary units.

Rates need not be exact values, but they should approximate the magnitude of the damage.

c. Click OK.

6. Click OK.

To detach Business Impacts or Regulations from a Business Asset Group

1. Expand the Business Units & Asset Groups node of the Model tree and locate the Business Asset Group.

2. Right-click the Business Asset Group and select Properties.

3. In the <Business Asset Group name> Properties dialog box:

a. Click the Business Impacts tab or, to detach Regulations, click the Regulations tab.

b. Clear each Business Impact or Regulation to detach from the Business Asset Group.

c. Click OK.

Adding dependency rules

The security of a Business Asset Group depends on the security of its members. It can also depend on the security of infrastructure servers and on the security of other assets.

Dependency rules enable you to define these dependencies and specify how attacks on assets affect the security of the Business Asset Groups. The Skybox Attack Simulation Engine (exposure analysis) uses dependency rules when computing the effects of an attack.

Dependency rules relate to the type of security loss. For example, an availability loss of a DNS server might imply an availability loss for a Business Asset Group; a confidentiality loss of a database server usually implies a confidentiality loss for the application that uses that database.

Skybox has 2 types of dependency rules:

• Explicit dependency rules

• Implicit dependency rules

Viewing dependency rules

You can view dependency rules directly from the Model tree (Dependency Rules node).

By default, only explicit dependency rules are listed.

To view implicit dependency rules

1. Navigate to Tools > Options > Manager Options > Risks Configuration.

2. Select Show Implicit Dependency Rules.

Explicit dependency rules

Explicit dependency rules express dependency if:

• The security of a Business Asset Group depends on the security of its members in a way that is not covered by the implicit dependency

• A Business Asset Group depends on an infrastructure server that is not a member of the Business Asset Group

An explicit dependency rule specifies how security loss on a set of assets affects the security loss on another set of assets or Business Asset Groups. Dependency rules relate to the type of the security loss (confidentiality, integrity, or availability) and to the type of the dependency:

• At Least One: A security loss suffered by any asset affects the destinations.

• All: Only a security loss suffered by all assets in the set affects the destinations.

For suggestions about when and how to use explicit dependency rules, see Explicit dependency rules (advanced).

To define a dependency rule

1. In the Model tree, right-click Dependency Rules and select New Dependency Rule.

2. In the New Dependency Rule dialog box:

a. Type a Name for the dependency rule and, optionally, a description in User Comments.

b. In the Cause pane, use Loss Type, On, and Network Entities to describe the cause of the damage (for example, an Integrity or Availability loss on All web servers in your system).

c. In the Effect pane, use the same fields to describe the effect of the damage (for example, an Availability loss on a payment system).

Implicit dependency

An implicit dependency defines how the security of a Business Asset Group depends on the security of its member assets. By default, an implicit dependency means that:

• A security loss (confidentiality, integrity, or availability) on a member implies the same type of security loss on the Business Asset Group

• An integrity loss on a member implies an availability and confidentiality security loss on the Business Asset Group

The dependency is created when you assign assets to a Business Asset Group.

For information about changing implicit dependency, see Advanced dependency rules.
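The loss propagation that the explicit (At Least One / All) and implicit dependency rules above describe, as an added example that is not code from the Skybox product: a small fixpoint engine over a constructed model with hypothetical asset and Business Asset Group names.

```python
"""Propagation of security losses through Skybox-style dependency rules.

Constructed example (not code from the Skybox product). It models the default
implicit dependency of a Business Asset Group on its members, and explicit
dependency rules of the "At Least One" and "All" kinds described in the guide.
"""
from dataclasses import dataclass

LOSS_TYPES = ("confidentiality", "integrity", "availability")

AT_LEAST_ONE = "at_least_one"  # any cause entity with the loss triggers the effect
ALL = "all"                    # every cause entity must have the loss


@dataclass(frozen=True)
class DependencyRule:
    """Explicit rule: <cause_loss> on <cause_entities> implies <effect_loss> on <effect_entities>."""
    name: str
    cause_loss: str
    cause_entities: tuple
    mode: str
    effect_loss: str
    effect_entities: tuple

    def fires(self, losses):
        """True when the Cause side of the rule is satisfied by the current losses."""
        hits = [self.cause_loss in losses.get(e, set()) for e in self.cause_entities]
        return any(hits) if self.mode == AT_LEAST_ONE else all(hits)


def implicit_losses(member_losses):
    """Default implicit dependency of a Business Asset Group on its members:
    any loss type on a member is inherited by the group, and an integrity loss
    on a member additionally implies availability and confidentiality loss."""
    derived = set()
    for loss in member_losses:
        derived.add(loss)
        if loss == "integrity":
            derived.update({"availability", "confidentiality"})
    return derived


def propagate(initial_losses, membership, rules):
    """Compute the fixpoint of loss propagation.

    initial_losses: {entity: set of loss types} as produced by attack simulation
    membership:     {business_asset_group: set of member assets}
    rules:          explicit DependencyRule objects
    Returns a new {entity: set of loss types} that includes derived losses.
    """
    losses = {e: set(v) for e, v in initial_losses.items()}
    for group in membership:
        losses.setdefault(group, set())
    changed = True
    while changed:  # repeat until no rule or implicit dependency adds a loss
        changed = False
        for group, members in membership.items():
            member_losses = set().union(*(losses.get(m, set()) for m in members))
            derived = implicit_losses(member_losses)
            if not derived <= losses[group]:
                losses[group] |= derived
                changed = True
        for rule in rules:
            if not rule.fires(losses):
                continue
            for target in rule.effect_entities:
                if rule.effect_loss not in losses.setdefault(target, set()):
                    losses[target].add(rule.effect_loss)
                    changed = True
    return losses


# Constructed model: asset and Business Asset Group names are hypothetical.
MEMBERSHIP = {
    "Payment System": {"pay-app-01", "pay-db-01"},
    "Intranet Portal": {"portal-01"},
}
RULES = (
    # A single DNS server outage takes down both groups (At Least One).
    DependencyRule("DNS outage", "availability", ("dns-01", "dns-02"), AT_LEAST_ONE,
                   "availability", ("Payment System", "Intranet Portal")),
    # Only an integrity loss on every web server in the tier affects payments (All).
    DependencyRule("Web tier integrity", "integrity", ("web-01", "web-02"), ALL,
                   "availability", ("Payment System",)),
)

if __name__ == "__main__":
    simulated = {"dns-01": {"availability"}, "pay-app-01": {"integrity"}}
    for entity, loss in sorted(propagate(simulated, MEMBERSHIP, RULES).items()):
        print(f"{entity}: {sorted(loss)}")
```

With the sample losses, the integrity loss on pay-app-01 alone gives the Payment System all three loss types through the implicit dependency, while the Intranet Portal loses only availability through the DNS rule.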


Chapter 14

Simulating attacks

Attack simulation simulates an attack on your network from a set of Threat Origins and analyzes the results.

This chapter explains how to run attack simulation and how to understand the results.

In this chapter

Attack simulation 100

Understanding Skybox risk 100

Viewing risk 101

Attack simulation

Attack simulation simulates all attack scenarios for attacking your network from a set of Threat Origins and analyzes the results. The derived data is stored in the Skybox database.

An attack scenario represents a set of actions that an attacker can execute from a specified starting point towards a specified destination, for the context of your network—device configurations, network topology, and vulnerability occurrences.

Attack simulation examines the ability of potential attackers to attack your network and assets. Because attack simulation is invoked on a model of your network, it can initiate attacks from every Threat Origin, trying all attack paths without adding load or causing damage to the network.

Attack simulation is run using the Analyze Simulate Attacks task.

You can run this task manually, after you have built or changed the model (including changing the status of a vulnerability occurrence to Fixed) or you can schedule it to run at predefined times. Changes to the risk of an entity or exposure of vulnerability occurrences are only reflected in the analyses after you run attack simulation.

Note: Attack simulation requires heavy computations. The task can run for minutes or even hours, depending on the size and complexity of the network. For large, complex networks, schedule this task at off hours.

For information about scheduling tasks, see the Scheduling task sequences topic in the Skybox Reference Guide.

To run attack simulation manually

• Select Tasks > Analyze Simulate Attacks.

Understanding Skybox risk

Attack simulation provides information about possible attacks on your network, taking into account the network access constraints and the behavior of each vulnerability occurrence. Risk analysis assesses the likelihood of attacks and the potential damage that they can cause.

As part of attack simulation, Skybox calculates risk for:

• Business Asset Groups and Business Units

• Business Impacts and Regulations

• Vulnerability occurrences

• Attacks

• Threat Origins

For information about the calculation of risk, see About risk.

Viewing risk

You can view risk information:

• On the Summary tab of the Exposure by Threat node:

  ◦ In the Direct Vulnerability Occurrences by Risk graph

  ◦ In the Threat Origins by Risk table

• From a table in the Exposure area that includes a Risk column

• Risk profiles: The major components that contribute to the risk for a selected entity

• Risk factors: How the combination of a source (Threat Origin), a destination (Business Asset Group or asset), and a Business Impact or Regulation (explaining the potential loss from the risk factor) can affect the selected entity.

• In the Attack Explorer: Information about the assets, services, and vulnerability occurrences in the system, in the context of specific attacks

• Risks reports: Information about high-risk entities of a specified type

• Risk analyses: Risk for all entities that meet the analysis criteria—for example, one analysis lists all critical vulnerability occurrences and another lists all critical Business Units

Chapter 15

Identifying the critical issues

After attacks are simulated, the Summary tab of the Exposure by Threat node highlights the critical exposure issues, including the vulnerability occurrences that are most likely to be exploited and the Threat Origins that have the highest risk. You can drill down from this tab to find additional information about each issue.

In this chapter

Workflow 102

Reviewing directly exposed vulnerability occurrences 103

Reviewing Threat Origins 104

Reviewing Business Asset Groups 105

Reviewing attacks 105

Checking whether the problem is access-related 107

Workflow

The basic workflow to identify the critical issues is:

Note: The order of the first 2 steps is not important; they are different starting points for locating the critical issues. If you find the critical issues with the 1st step, you might not need to use the 2nd.

1. Review the exposed vulnerability occurrences to see whether a limited set of high-risk vulnerability occurrences are enabling most of the attacks.

2. Review the list of high-risk Threat Origins to determine whether there are Threat Origins that are causing a great deal of the risk.

3. If there are no indications that specific threats or vulnerability occurrences are causing high risk, check the Business Asset Groups. You can also check whether the problem is caused by access-related issues (for example, an access rule that is passing too much traffic).

Reviewing directly exposed vulnerability occurrences

Directly exposed vulnerability occurrences are a single step away from a Threat Origin.

To review the directly exposed vulnerability occurrences

1. The Vulnerability Occurrences by Threat graph (on the Prioritization Center page and on the Summary tab of the Exposure by Threat node) shows the numbers of directly exposed and 2nd-step vulnerability occurrences for each Threat Origin. Click a link in the graph to view the vulnerability occurrences.

2. In the list, select a vulnerability occurrence to view additional information in the Details pane.

3. The Direct Vulnerability Occurrences by Risk graph (on the Summary tabs) shows the number of direct vulnerability occurrences for each risk or severity level. Select a Threat Origin to view the number of direct vulnerability occurrences for each risk or severity level, and then click a link in the graph to view the vulnerability occurrences.

4. Expand the group of critical or high-risk vulnerability occurrences to view the problematic vulnerability occurrences.

5. In either graph, you can change the filter to include only direct vulnerability occurrences or 2nd-step vulnerability occurrences.

6. Select a vulnerability occurrence in the table and view additional information about it in the Details pane.

Each tab contains different information about the vulnerability occurrence. Some information relates to this vulnerability occurrence (for example, the asset and service on which the vulnerability occurrence is found) and some is general information about the Vulnerability Definition (for example, the CVSS metrics and known solutions for this Vulnerability Definition).

7. As required:

• Mitigate the high-risk vulnerability occurrences by opening tickets on them.

• Drill down into high-risk vulnerability occurrences using the Attack Explorer.

Obviously, the vulnerability occurrences must be mitigated, but this step might give you additional information to help in your selection of solutions for them.

Note: You can open vulnerability occurrence tickets from the Attack Explorer.

Reviewing Threat Origins

High risk on a small number of Threat Origins indicates that these Threat Origins might be the major cause of risk for your organization.

To review the Threat Origins

1. The Top 3 Threat Origins table (on the Prioritization Center and Exposure Summary tabs) shows risk levels and numbers of vulnerability occurrences for the 3 Threat Origins that put your organization at the highest risk. Click a link to view more details about a Threat Origin.

The Attacks tab is displayed in the Table pane. You can view the attacks that this Threat Origin can perpetrate on your organization.

2. Select the attack with the highest risk.

3. Right-click the attack and select Attack Explorer.

The Attack Explorer opens with the selected attack displayed visually in the Map pane. You can see how many steps it takes to get from the Threat Origin to the destination Business Asset Group and a topological overview of the attack.

4. Look at the width of the arrows in the attack.

A wide arrow shows that there are many ways to perform the step. If the arrow of one step is much wider than the others, this often indicates a root cause that is enabling the access. The cause can be:

• Entities that need patching or other remediation (for example, risky services, a Vulnerability Definition, or a group of assets that need updating).

• An access issue (usually, a firewall that is permitting too much access).

5. Select the widest arrow and check the statistics in the Information pane.

For example, many vulnerability occurrences but only a few Vulnerability Definitions or ports could mean that patching the affected services would significantly reduce the risk on your network.

After you identify the problem, create a ticket.

Reviewing Business Asset Groups

High risk on a small number of Business Asset Groups might mean that these Business Asset Groups are the major cause of risk for your organization.

To review the Business Asset Groups

1. In the tree, select the Exposure node.

2. In the workspace, click the Business Asset Groups tab.

For each Business Asset Group in the table, you can see its risk, and how many assets and vulnerability occurrences it has. (The vulnerability occurrence count includes all vulnerability occurrences found on assets of the Business Asset Group, not only the directly exposed vulnerability occurrences.)

3. In the Table pane, select the Business Asset Group with the highest risk.

4. In the Details pane, click the Attacks tab.

5. Select the attack with the highest risk.

6. Right-click the attack and select Attack Explorer.

The Attack Explorer opens with the selected attack displayed visually in the Map pane. You can see how many steps it takes to get from the Threat Origin to the destination Business Asset Group and a topological overview of the attack.

7. Look at the width of the arrows in the attack.

A wide arrow shows that there are many ways to perform the step. If the arrow of one step is much wider than the others, this often indicates that a root cause is enabling the access. The cause can be:

• Entities that require patching or other remediation (for example, risky services, a Vulnerability Definition, or a group of assets that need updating).

• An access issue (usually, a firewall that is permitting too much access).

8. Select the widest arrow and check the statistics in the Information pane, to check whether anything looks odd.

For example, many vulnerability occurrences but only a few Vulnerability Definitions or ports could mean that patching the affected services would significantly reduce the risk on your network.

After you identify the problems, create a ticket.

Reviewing attacks

Note: The Attack Explorer does not display results until you run attack simulation (exposure analysis) at least once on the model that you are using. The information displayed in the Attack Map is based on the analyses made during attack simulation. If you changed information that might affect the analyses, rerun attack simulation before using the Attack Explorer.

The Attack Explorer displays information about the assets, services, and vulnerability occurrences in the system, in the context of specific attacks. Use the Attack Explorer to:

• View potential attacks

• Drill down into the causes of potential attacks

• Define strategies to block potential attacks

• Create tickets

The Attack Explorer consists of 3 panes:

• Information: Initially, the left-hand pane contains information about the entity on which you opened the Attack Explorer. When you select an entity in the Map pane, information about that entity is displayed. There are additional options in this pane that enable you to drill down into the information.

• Map: The upper-right pane contains an Attack Map for the selected attack (or other selected entity).

• Vulnerability occurrences: In the lower-right pane, select the vulnerability occurrences for which to create tickets.

To open the Attack Explorer

1. In the Exposure workspace, locate the entity to view in the Attack Explorer:

• Threat Origin

• Business Asset Group

• Vulnerability occurrence

• Attack

Note: Especially in large models, it is often most useful to open the Attack Explorer on an asset, vulnerability occurrence, or attack. Otherwise, it might be difficult to read the large amount of data displayed in the Map pane.

2. Open the Attack Explorer:

• Select the entity and then click the icon at the top of the table (for example, for Threat Origins or Business Asset Groups).

• Right-click the entity and select Advanced > Attack Explorer.

The Attack Explorer opens with the selected entity displayed in the Map pane and information about the entity displayed in the Information pane.

Checking whether the problem is access-related

Risk might be caused by unnecessary access on firewalls. In the Attack Explorer, a wide arrow from one point (Point A) to another (Point B) means that there are many ways to access Point B from Point A. The solution might be to mitigate all vulnerability occurrences on Point B, but it could be that changing the filtering rules on a firewall between Point A and Point B would mean that the vulnerability occurrences are not directly exposed, thus lowering the risk.

To check whether a problem is access-related

1. Open the Attack Explorer on an entity.

2. In the Map pane of the Attack Explorer, right-click a link and select Show Access Route.

You might need to drill down to an entity inside the destination of that link.

3. In the Information pane, check the Access Route to see the firewalls that are used.

4. Drill down into the access rules to check for unnecessary access:

a. In the Access Route, click a rule link to examine it.

The selected rule is highlighted in the Rule Match Details dialog box.

b. Check the access rule to determine whether it permits unnecessary access (you can double-click the rule to display its properties). For example:

• An Any-Any rule that must be limited

• Access must be limited to specific services

c. Repeat steps a and b until you find the access rule that needs modifying.

5. (Optional) Use the What If model to check whether restricting access by modifying the access rule has the required effect (fewer attacks using the same attack path).

6. Create a ticket on a vulnerability occurrence on Point B that is affected by this access rule. Typically, in Possible Solutions, select Block or User-Defined. You can explain the problem in User Comments.

Chapter 16

Remediation

After you find an important issue, you can start the remediation process by issuing the necessary tickets.

If a vulnerability occurrence seems irrelevant, you can mark it as Ignored. Ignored vulnerability occurrences are not checked for exposure, so the results of exposure analysis are cleaner.

In this chapter

Marking vulnerability occurrences as ignored 109

Mitigating critical vulnerability occurrences 110

Reviewing Vulnerability Definitions 110

Creating tickets manually 111

Updating the model after fixing vulnerability occurrences 119

Using the What If model to test changes 119

Marking vulnerability occurrences as ignored

You can specify to not use a vulnerability occurrence during risk analysis. You might do this because:

• Your organization is aware of the vulnerability occurrence risk, but has decided to accept this risk for its own reasons

• Your organization has decided that the vulnerability occurrence is not important in risk analysis

• The vulnerability occurrence does not exist (that is, incomplete scanner information caused Skybox to mistakenly define a service as vulnerable)

To specify that a vulnerability occurrence is not used during risk analysis, mark it as ignored.

To see changes in the risk values after marking vulnerability occurrences as ignored, rerun the Analyze Simulate Attacks task.

To mark a vulnerability occurrence as ignored from the Attack Explorer

1. Select the vulnerability occurrence in the Vulnerabilities pane.

2. Click the appropriate icon:

• Mark as ignored because the vulnerability occurrence does not exist

• Mark as ignored because the vulnerability occurrence is not important

• Mark as ignored because the risk of the vulnerability occurrence is accepted by your organization

3. Click Apply to save the vulnerability occurrence status to the model.

To mark a vulnerability occurrence as ignored from Skybox Manager

1. Select the vulnerability occurrence in the Table pane or in the Details pane.

2. Right-click the vulnerability occurrence and select Change Status.

3. In Change Status to, select Ignored and then click OK.

4. Select the reason for ignoring the vulnerability occurrence and click OK.

Mitigating critical vulnerability occurrences

After you validate a vulnerability occurrence and decide that it is important, you have a better idea of the type of fix that is required. You can mitigate critical vulnerability occurrences:

• Patch or upgrade the vulnerable service

• Delete the vulnerable service if it is not required on the vulnerable asset

• Change access on the firewalls so that the vulnerability occurrence is not accessible

In most organizations, especially large organizations, the people who identify the critical issues are not those who fix the issues. In Skybox, the 1st step of mitigation is to assign tickets to the appropriate staff members to make them aware of the problem. A ticket can include a suggested solution for fixing the problem.

Reviewing Vulnerability Definitions

Vulnerability Definition statuses

Vulnerability Definitions have statuses that help to classify them:

• Unassigned: Vulnerability Definitions that are waiting for review. The initial status of all Vulnerability Definitions.

• In Process: Vulnerability Definitions that have tickets with status New, In Progress, or Reopened.

• Resolved: Vulnerability Definitions that have tickets with status Closed, Resolved, or Verified.

• Irrelevant: Vulnerability Definitions that are not relevant for your organization. This status is assigned to Vulnerability Definitions that are marked as irrelevant by the user and to Vulnerability Definitions that have tickets with status Rejected or Ignored.

To view the status of your Vulnerability Definitions, display the Status column in the Table pane. (Right-click a column heading and select Customize Current View.)

Vulnerability Definitions also have a review indicator that can be set. To view the review indicators, display the For Review column.

Marking Vulnerability Definitions as irrelevant

If you decide that a Vulnerability Definition is not relevant, you can manually change its status to Irrelevant. Vulnerability Definitions that have tickets with a status of Ignored or Rejected are also assigned a status of Irrelevant.

If a Vulnerability Definition has a status of Irrelevant and there are updates to the Vulnerability Definition from the Skybox Vulnerability Dictionary or the alert service, the Vulnerability Definition is updated and marked as for review (in the For Review column of the analysis), but its status does not change.

To mark a Vulnerability Definition as irrelevant

1. Right-click the Vulnerability Definition and select Mark as Irrelevant.

Note: If the Vulnerability Definition has Open tickets, marking the Vulnerability Definition as Irrelevant closes its tickets automatically.

2. In the Mark Vulnerability Definition as Irrelevant dialog box, type a comment in Enter a comment and click OK.

Marking Vulnerability Definitions as for review

To mark or clear the review status of a threat alert

• Right-click the threat alert and select Set (or Clear) Review Indication.

Creating tickets manually

Tickets in Skybox represent action items that must be implemented in your network.

After you ascertain the critical issues, you can create tickets and assign them to staff members.

Ticket types

You can create tickets for:

• Vulnerability occurrences

Vulnerability occurrence tickets are vulnerability occurrence specific. These tickets can include a proposed solution for remediating the vulnerability occurrence.

• Vulnerability Definitions

Threat alert tickets are not vulnerability occurrence specific. These tickets can include proposed solutions for remediation.

• Business Asset Groups

Open a Business Asset Group ticket if the risk of a Business Asset Group is too high. These tickets are less useful for specific issues and are usually used as alerts.

Each ticket is assigned to an owner (someone responsible for making sure that the action item is implemented); you can assign each ticket a due date so that you can track its status. Select an owner—in most organizations, the IT Systems team is responsible for solutions for specific vulnerability occurrences (for example, patches and upgrades) and the Network Operations team is responsible for access-related solutions (for example, fixing access rules).

Note: Tickets can only be assigned to Skybox users.

You can set up ticket phases, which define different steps for remediation (see the Defining ticket phases topic in the Skybox Reference Guide).

Creating tickets

To create a ticket from Skybox Manager

• In the Table pane, right-click the selected entity and select Create Ticket or Create Threat Alert Ticket.

For information about creating tickets for:

  ◦ A single vulnerability occurrence, see Creating tickets for a vulnerability occurrence

You can create a threat alert ticket for the vulnerability occurrence’s Vulnerability Definition; when a patch is created that solves vulnerability occurrences of a Vulnerability Definition, you can use a vulnerability occurrence to create a threat alert ticket that covers all vulnerability occurrences of that Vulnerability Definition (see Creating threat alert tickets).

  ◦ Multiple vulnerability occurrences, see Creating threat alert tickets

  ◦ A set of separate vulnerability occurrence tickets, see Creating sets of tickets for multiple vulnerability occurrences

For information about creating tickets from the Attack Explorer, see Creating vulnerability occurrence tickets in the Attack Explorer.

Tip: Tickets can be created automatically using tasks (see Automating tickets).

Viewing tickets

After a ticket is created, you can view it and manage it from the Tickets tree.

Creating tickets for a vulnerability occurrence

To create a ticket for a vulnerability occurrence

1. In the Tree pane, open a vulnerability occurrences analysis for which the results in the Table pane are vulnerability occurrences.

2. In the Table pane, right-click the vulnerability occurrence for which you are creating a ticket and select Create Ticket.

3. Fill in the fields according to the table in the Vulnerability occurrence ticket properties topic in the Skybox Reference Guide:

• Select an owner for the ticket.

• Other fields are optional or have default values.

4. To recommend solutions to the ticket owner:

a. Click the Solutions tab.

Solutions from the Skybox Vulnerability Dictionary are listed; the list might also include custom solutions prepared in your organization.

b. Select the appropriate solutions or add custom solutions.

The ticket is created and added to the list of new tickets for the selected owner.

Creating vulnerability occurrence tickets in the Attack Explorer

To create vulnerability occurrence tickets in the Attack Explorer

1. In the Map pane, find a set of links such that by blocking them all you block the attacks on the Business Asset Group.

For example, if you are most concerned about a specific Threat Origin, find the set of links that blocks all attacks from that Threat Origin.

2. Examine the entry (or exit) vulnerability occurrences associated with these links.

The entry vulnerability occurrences associated with a link are vulnerability occurrences in the link’s destination that can be exploited directly from the link’s source.

• To list a link’s entry vulnerability occurrences in the Vulnerability Occurrences pane, double-click the link in the Map pane or right-click the link in the Map pane and select List Entry Vulnerability Occurrences.

The exit vulnerability occurrences associated with a link are vulnerability occurrences in the link’s source whose exploitation enables access to the link’s destination in an attack.

• To list a link’s exit vulnerability occurrences in the Vulnerability Occurrences pane, right-click the link in the Map pane and select List Exit Vulnerability Occurrences.

The selected vulnerability occurrences are listed in the Vulnerability Occurrences pane, in the Attack Steps tab. Vulnerability occurrences that have vulnerability occurrence tickets are listed, but you cannot select them. Because they have tickets you cannot create new tickets for them in the Attack Explorer, but you can create tickets for them manually.

Tip: To view the Access Route of a link, right-click the link and select Explain Access.

3. Block each link by marking its entry or exit vulnerability occurrences as To be Solved.

4. Review the To be Solved vulnerability occurrences and create tickets.

At this point, the requests for new tickets are only in the Attack Explorer.

5. Click OK to save your remediation decisions (assigned tickets, and vulnerabilityoccurrences marked as Ignored) to the Skybox database.

A separate ticket is created for each of the selected vulnerability occurrences.

Example

In this Attack Map, blocking: (a) links 1, 3, and 4; (b) links 2, 3, and 4; or (c) link 5, blocksattacks on the selected Business Asset Group (named Finance Application).
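The blocking logic behind this example, as an added illustration that is not part of the guide or of Skybox: a constructed attack map in Python whose link layout is chosen so that its minimal blocking sets are exactly the ones listed above, {1, 3, 4}, {2, 3, 4} and {5}. The node names, link ids, Threat Origins and entry vulnerability occurrence ids are all assumptions of the example. The code performs the check the Map pane makes implicitly (does blocking a set of links leave any path from a Threat Origin to the Business Asset Group?), enumerates the minimal blocking sets, maps To be Solved entry vulnerability occurrences to the links they block, and computes which nodes can no longer participate in attacks after a partial fix (the nodes the Attack Explorer shows in gray).

```python
from collections import deque
from itertools import combinations

# Constructed attack map (not the Skybox Attack Map from the guide). Each link id
# maps to (source, destination). The layout is chosen so that the minimal blocking
# sets are exactly the ones the example names: {1, 3, 4}, {2, 3, 4} or {5}.
THREAT_ORIGINS = {"Internet", "Partner network"}
TARGET = "Finance Application"  # the Business Asset Group
LINKS = {
    1: ("Internet", "DMZ web server"),
    2: ("DMZ web server", "App server"),
    3: ("Internet", "App server"),
    4: ("Partner network", "App server"),
    5: ("App server", "Finance Application"),
}
# Hypothetical entry vulnerability occurrence of each link: the occurrence on the
# link's destination that is exploitable directly from the link's source.
ENTRY_VULN_OCCURRENCE = {1: "VO-1001", 2: "VO-1002", 3: "VO-1003", 4: "VO-1004", 5: "VO-1005"}


def _reach(starts, blocked, forward=True):
    """Nodes reachable from `starts` over unblocked links (backward when forward=False)."""
    seen, queue = set(starts), deque(starts)
    while queue:
        node = queue.popleft()
        for link_id, (src, dst) in LINKS.items():
            if link_id in blocked:
                continue
            here, there = (src, dst) if forward else (dst, src)
            if here == node and there not in seen:
                seen.add(there)
                queue.append(there)
    return seen


def blocks_all_attacks(blocked):
    """True if no Threat Origin can still reach the Business Asset Group."""
    return TARGET not in _reach(THREAT_ORIGINS, blocked)


def attack_path_nodes(blocked):
    """Nodes on at least one remaining attack path: reachable from an origin AND able to reach the target."""
    return _reach(THREAT_ORIGINS, blocked) & _reach({TARGET}, blocked, forward=False)


def post_fix_gray_nodes(blocked):
    """Nodes that took part in attacks before the fix but cannot afterwards (shown gray)."""
    return attack_path_nodes(frozenset()) - attack_path_nodes(blocked)


def links_blocked_by(to_be_solved):
    """Links blocked by marking their entry vulnerability occurrences as To be Solved."""
    return {lid for lid, vo in ENTRY_VULN_OCCURRENCE.items() if vo in to_be_solved}


def minimal_blocking_sets():
    """All minimal sets of links whose blocking stops every attack on the target."""
    found = []
    for size in range(1, len(LINKS) + 1):
        for combo in combinations(sorted(LINKS), size):
            if any(set(f) <= set(combo) for f in found):
                continue  # a smaller blocking set is already contained in it
            if blocks_all_attacks(set(combo)):
                found.append(combo)
    return sorted(found, key=lambda s: (len(s), s))


if __name__ == "__main__":
    for s in minimal_blocking_sets():
        print("block links", s, "-> gray nodes:", sorted(post_fix_gray_nodes(set(s))))
```

Blocking only links 1 and 3 leaves the Partner network path open, so `blocks_all_attacks({1, 3})` is false, but the Internet and DMZ web server nodes still turn gray because they no longer lie on any remaining attack path.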

Marking vulnerability occurrences

To mark vulnerability occurrences as To be Solved

• In the Vulnerability Occurrences pane, mark each vulnerability occurrence as To be Solved by selecting its S check box.

After vulnerability occurrences are marked as To be Solved, nodes that can no longer participate in attacks become gray in the upper pane, representing the post-fix situation.

Creating tickets

You can create tickets for a set of entry or exit vulnerability occurrences directly from the Vulnerabilities pane and go on to the next set of vulnerability occurrences. Or, in each set, select the vulnerability occurrences to use to create tickets and click the Selected Solutions tab to display the To be Solved vulnerability occurrences.

Note: When you select a link in the Map pane and list its vulnerability occurrences, the selected vulnerability occurrences overwrite the previous vulnerability occurrences in the Vulnerabilities tab of the Vulnerabilities and solutions pane. However, the Selected Solutions tab contains an aggregation of all vulnerability occurrences marked as To be Solved until the link is selected.

To review vulnerability occurrences and create tickets

1. In the Vulnerability Occurrences pane (in the Attack Steps tab or Selected Solutions tab), display the To be Solved vulnerability occurrences.

2. Select vulnerability occurrences for which you want to assign a ticket with the same solution (or with no suggested solution) to an owner.

3. Click .

• For information about the ticket fields, see the Vulnerability occurrence ticket properties topic in the Skybox Reference Guide.

4. Fill in the fields of the ticket.

• If you are creating tickets for multiple vulnerability occurrences, type a string in Title Prefix. This string is prepended to the vulnerability occurrence name and location to create the title of the vulnerability occurrence ticket.

• In User Comments, type an explanation of how to mitigate the vulnerability occurrences.

5. Click OK to create the ticket.

Note: Tickets created in the Attack Explorer are not added to the model until you click Apply (or click OK to close the Attack Explorer).

6. Repeat steps 2 through 5 until all necessary tickets are created.

7. Save your changes:

• Click Apply to save the tickets (and vulnerability occurrences that you marked for ignoring) without closing the Attack Explorer.

• Click OK to save your changes and close the Attack Explorer.

Creating threat alert tickets

You can create threat alert tickets in different ways to meet specific needs:

• You can create a ticket for a Vulnerability Definition instead of for a vulnerability occurrence. For example, if a security patch is released for a Vulnerability Definition, you could create a threat alert ticket instead of creating a ticket for each vulnerability occurrence.

• You can create a threat alert ticket for specific vulnerability occurrences of the Vulnerability Definition.

• You can create a threat alert ticket for a group of Vulnerability Definitions so that they are all handled in a single ticket.

To create a ticket for all vulnerability occurrences of a Vulnerability Definition

1. In the Vulnerability Control tree, select Prioritization Center > Analyses > Public Analyses > Vulnerabilities and then select an analysis that displays Vulnerability Definitions (for example, Miscellaneous > Vulnerabilities by Definition or Dictionary > Vulnerability Dictionary).

2. In the Table pane, right-click the Vulnerability Definition for which you are creating a ticket and select Create Ticket.

3. In the New Threat Alert Ticket dialog box:

a. Fill in the fields according to the table in the Threat alert ticket properties topic in the Skybox Reference Guide.

The default Network Scope for the ticket is all vulnerability occurrences of the selected Vulnerability Definition.

b. To recommend solutions for the vulnerability occurrences:

i. Click the Solutions tab.

Solutions from the Skybox Vulnerability Dictionary are listed; the list might also include custom solutions prepared in your organization.

ii. Select the appropriate solutions or add custom solutions.

c. Click OK.

The ticket is created and added to the list of new tickets for the selected owner.

To create a threat alert ticket for specific vulnerability occurrences

1. In the Vulnerability Control tree, open a vulnerability occurrence analysis (under Prioritization Center > Analyses > Public Analyses > Vulnerabilities) for which the results in the Table pane are vulnerability occurrences (and not Vulnerability Definitions).

2. In the Table pane, select vulnerability occurrences of the threat alert for which you are creating the ticket.

3. Right-click the vulnerability occurrences and select Create Threat Alert Ticket.

4. In the New Threat Alert Ticket dialog box:

a. Fill in the fields according to the table in the Threat alert ticket properties topic in the Skybox Reference Guide.

The selected vulnerability occurrences are the default Network Scope for the ticket.

b. To recommend a solution for the vulnerability occurrences:

i. Click the Solutions tab.

Solutions from the Skybox Vulnerability Dictionary are listed; the list might also include custom solutions prepared in your organization.

ii. Select a solution or click Add Custom to specify a custom solution.

You can add multiple custom solutions.

c. Click OK.

The ticket is created and added to the list of new tickets for the selected owner.

To create a threat alert ticket for multiple Vulnerability Definitions

These tickets can only be created for Vulnerability Definitions, not Security Bulletins.

1. Open a list of Vulnerability Definitions from anywhere in Vulnerability Control.

2. In the Table pane, select the Vulnerability Definitions to manage together.

3. Right-click the Vulnerability Definitions and select Create Ticket.

The name of the ticket includes the SBV IDs of the included Vulnerability Definitions.

4. Continue as in the previous procedures. In the Solutions tab, all solutions for the selected Vulnerability Definitions are included. The solutions are labelled according to their Vulnerability Definition. You can select multiple solutions and add custom solutions.

Creating sets of tickets for multiple vulnerability occurrences

You can select multiple vulnerability occurrences and create separate but similar tickets for each vulnerability occurrence. The ticket names all have the same prefix (which you specify), followed by the name of the Vulnerability Definition and the IP address of its asset.

Note: This is not the same as creating a threat alert ticket for multiple vulnerability occurrences of the same Vulnerability Definition (see Creating threat alert tickets).

Each set of tickets that you create has a single owner. For example, if Joe is responsible for vulnerability occurrences of a Vulnerability Definition in one part of your network and Jane is responsible for similar vulnerability occurrences in another part of your network, you define a set of tickets for Joe and a different set for Jane, even if there is no other reason to split these vulnerability occurrences.

To create a set of tickets for multiple vulnerability occurrences

1. In the Tree pane, as required:

• Select the Vulnerability Occurrences node of the Model tree.

The Table pane displays all vulnerability occurrences.

• Open a vulnerability occurrences analysis for which the results in the Table pane are vulnerability occurrences (and not Vulnerability Definitions).

The Table pane displays the vulnerability occurrences.

2. In the Table pane, sort the list of vulnerability occurrences to make it easier to select a subset.

3. Select the vulnerability occurrences. Right-click in the selection and select Create Ticket.

In the New Vulnerability Occurrence Ticket dialog box, the field label Title is replaced by Title Prefix. The title of each ticket consists of the prefix that you type here, followed by the name of the Vulnerability Definition and the IP address of its asset. (In the preceding example, you could use the prefix Jane for one set and Joe for the other set.)

4. Fill in the fields according to the table in the Vulnerability occurrence ticket properties topic in the Skybox Reference Guide.

5. Recommend solutions to the owner for the vulnerability occurrences:

a. Click the Solutions tab.

Solutions from the Skybox Vulnerability Dictionary are listed; the list might also include custom solutions prepared in your organization.

b. Select the appropriate solutions or add custom solutions.

6. Click OK.

The tickets are created and added to the list of new tickets for the selected owner.

Adding custom solutions

You can add custom solutions for threat alert and vulnerability occurrence tickets, and use them in the same way as predefined solutions.

You can add custom solutions:

• From within a ticket for that ticket and all other tickets for the same Vulnerability Definition

• From a list of tickets for those tickets and all other tickets for the same Vulnerability Definitions

To add a custom solution from within a ticket

1. In the Solutions tab, click Add Custom.

2. In the New Custom Solution dialog box:

a. Type a Name for the solution.

b. In Solution Type, select the type.

c. In Description, type your solution.

d. If your organization added additional fields, fill in their values also. Mandatory fields are marked with an asterisk.

e. Click OK.

To add a custom solution for selected tickets from a list of tickets

1. Right-click the ticket or tickets and select Add Custom Solution.

2. In the New Custom Solution dialog box:

a. Type a Name for the solution.

b. In Solution Type, select the type.

c. In Description, type your solution.

d. If your organization added additional fields, fill in their values also. Mandatory fields are marked with an asterisk.

e. Click OK.

Updating the model after fixing vulnerability occurrences

When a vulnerability occurrence is fixed in your network, you must update the model to reflect the new life-cycle status of the vulnerability occurrence and run attack simulation on the new data. Otherwise, the analysis is no longer accurate.

There are various ways to update the model:

• Wait for the next scanner task to detect the changes.

• Run a selective scan to detect or verify whether vulnerability occurrences marked as Fixed are fixed.

• Manually mark vulnerability occurrences as Fixed in the model based on approval from staff members. This is useful if no offline file import or online collection of network data is planned in the near future.

To mark a vulnerability occurrence as Fixed

1. Find the vulnerability occurrence in the Table pane of an analysis (or the Vulnerability Occurrences node of the Model tree).

2. Right-click the vulnerability occurrence and select Change Status.

3. Change the status to Fixed and click OK.

4. In the confirmation dialog box, select a fixed status (I’m sure the vulnerability occurrence was fixed or The vulnerability occurrence was probably fixed) and click OK.

If you select The vulnerability occurrence was probably fixed, the vulnerability occurrence is checked during the next vulnerability occurrence scan (which changes the status to Found if the vulnerability occurrence is rediscovered). Until then, Skybox considers the vulnerability occurrence as Fixed and does not use it for attack simulation.

Using the What If model to test changes

Skybox supports a What If model that allows you to simulate the effect of solutions before applying them to your network. Use this model to test planned changes to architecture or to device configurations. You can simulate the changes to your system and then check the potential effects on your system without making the changes. You can analyze potential risks due to the changes without harming your system; the changes you make to the What If model do not affect the Live model or your network.

To use the What If model for testing

1. Open the What If model:

• If there is a What If model, select What If from the drop-down list on the toolbar.

• To create a What If model:

a. Select File > Models > Create Model.

b. In the dialog box:

• Set Source Model to Live

• Set Target Model to What If

• Select Switch to target model after creation

c. Click OK.

This copies the Live model to the What If model and switches to the What If model.

2. Modify the What If model.

3. Run the Analyze Simulate Attacks task on the What If model.

4. Check the analyses to make sure that you get the required results and then recommend that these network or security changes are made in your network. If the changes relate to vulnerability occurrences or Business Asset Groups, switch to the Live model and open the appropriate tickets there.

5. You can return to the Live model to view the security situation in your network. Skybox saves the What If model.

Chapter 17

Continuous risk management

This chapter explains how to ensure the continued security of your network on a proactive (continuous and automated) basis, instead of checking and securing the system on a reactive basis every several months.

The benefits of continuous risk management include:

• A shorter window of exposure to new vulnerabilities

• A continuous view of the security status of your network

• A small effort every day or week, compared to a large project on a quarterly or semiannual basis

In this chapter

Attack simulation for continuous risk management 121

Monitoring the risk status 121

Automating ticket creation 122

Tickets and workflow 124

Model maintenance 128

Attack simulation for continuous risk management

Run the Analyze Simulate Attacks task:

• After data is added to the model, because new data influences the risk

• After other changes to the model (for example, Dictionary updates or aging)

Include this task at the end of every task sequence that includes tasks that make changes to the model.

Monitoring the risk status

When data is added to the model, you can monitor the risk status:

• Review risk metrics to identify security problems in your network

You can view risk metrics from the Summary tab of the Exposure by Threat node or from another Exposure node that displays risk

• View risk trends to understand changes to your network in a broader context

You can view risk trends for vulnerability occurrences in the Trend of Direct Vulnerability Occurrences graph on the Summary tab of the Exposure by Threat node. For Threat Origins, the Top 3 Threat Origins table includes the delta values for direct and 2nd-step vulnerability occurrences from the current number of vulnerability occurrences to the previous number (from the most recent time that exposure was analyzed).

• Check whether assets or services were added to your network

• Check whether new vulnerability occurrences were detected

Checking for new entities

You can add assets to your network, add services on assets, and vulnerability occurrences might be detected on these new assets and services, and on existing assets.

If these entities cause high risk or if the vulnerability occurrences are directly exposed, they affect the exposure results. Skybox provides analyses that identify new entities and provide information about them.

Use the following analyses to identify new entities:

• In the Model Analyses > New Entities node of the Model tree:

◦ New Assets: Recently discovered assets

◦ Assets with New Services: Assets with newly discovered services

• In Vulnerability Control > Prioritization Center > Analyses > Public Analyses > Vulnerabilities > New Vulnerability Occurrences:

◦ New Vulnerability Occurrences: Recently discovered vulnerability occurrences

◦ Uncataloged Vulnerability Occurrences: Vulnerability occurrences detected by scanners but not yet modeled in Skybox

Note: Keeping your Skybox Vulnerability Dictionary up to date usually eliminates most uncataloged vulnerability occurrences.

You can add or change analyses. For example, to view the changes in different major locations, make copies of the analysis and then change the name and network scope of each copy.

Automating ticket creation

This section explains how to set up and use automated ticketing in Skybox.

Tip: You can integrate Skybox with other ticketing systems (see the Tickets API chapter in the Skybox Developer Guide or contact Skybox technical support).

Setting up ticket automation

This section explains how to set up policies for automatic ticket creation.

A policy defines the conditions under which tickets of a specified ticket type are created automatically. Tickets are not created when the conditions of a policy are met, but only when you run a Tickets – Auto Generation task.

The following predefined policies are included as part of the Skybox installation:

• New Direct Externally Exposed vulnerability occurrences: Creates tickets for new directly exposed vulnerability occurrences and for existing vulnerability occurrences that have become directly exposed.

• New High/Critical Vulnerability Definitions: Creates tickets for new high or critical severity Vulnerability Definitions.

• (Disabled) Vulnerability Definitions Subject to Worm Attack: Creates tickets for Vulnerability Definitions that have many vulnerability occurrences in your network. These Vulnerability Definitions are prone to exploitation by attackers and worms.

You can use these policies as is or edit them, and you can create policies to meet the needs of your organization.

Creating policies

A policy includes filters that select the entities for which tickets are created. A ticket is created for an entity only if it matches every filter. Policies also include information about the ticket—who the owner will be and how to define the ticket priority.

To create a policy

1. Select Tools > Administrative Tools > Policies.

2. On the toolbar of the Skybox Admin window, select Policy > New <Policy Type> Generation Policy.

3. In the dialog box, fill in the fields.

• For property definitions of Vulnerability Definitions ticket policies, see the Threat alerts ticket policies topic in the Skybox Reference Guide.

• For property definitions of vulnerability occurrences ticket policies, see the Vulnerability occurrences ticket policies topic in the Skybox Reference Guide.

4. Click OK.

The policy is added to the list of policies.

Creating tickets from policies

Usually, tickets are created from policies using Tickets – Auto Generation tasks. By default, these tasks create tickets for all policies. However, you can create separate tasks for each policy type if that is helpful to your organization.

When you create tickets (using a ticket task or manually for a policy), Skybox:

• Evaluates all relevant policies

• Creates tickets

We recommend that you create tickets automatically every time that changes are made to the model. For example, after devices are updated or after running a vulnerability detection task you can schedule a ticket creation task for the policy that checks for new directly exposed vulnerability occurrences.

For information about task sequences, see Using tasks for automation.

To create tickets manually from a policy

1. Select Tools > Administrative Tools > Policies.

2. In the Table pane of the Skybox Admin window, right-click the policy to run and select Generate Tickets.

Skybox searches the model for entities that meet the policy requirements and creates a ticket for each such entity.
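The policy evaluation this section describes, as an added illustration that is not part of the guide or of Skybox: a constructed Python reimplementation of one Tickets – Auto Generation run. The Policy, Ticket and VulnOccurrence classes, the second (finance-subnet) policy, the owners, priorities and title prefixes, and all occurrence data are assumptions of the example. It shows that an entity qualifies only when it matches every filter of a policy, that an entity that has become directly exposed gets a ticket while an already ticketed one gets no duplicate, that a title is built from a prefix, the Vulnerability Definition name and the asset IP, and that open automatically created tickets whose entity no longer meets the policy conditions are closed (the behaviour the guide notes under Changing ticket statuses).

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class VulnOccurrence:
    """Constructed model entity (not Skybox data): one vulnerability occurrence."""
    vo_id: str
    vd_name: str            # Vulnerability Definition name
    asset_ip: str
    severity: str           # Low / Medium / High / Critical
    directly_exposed: bool  # result of the last attack simulation


@dataclass
class Ticket:
    title: str
    entity_id: str
    policy: str
    owner: str
    priority: str
    status: str = "New"


@dataclass
class Policy:
    """A ticket-generation policy: an entity qualifies only if it passes every filter."""
    name: str
    title_prefix: str
    owner: str
    priority: str
    filters: List[Callable[[VulnOccurrence], bool]] = field(default_factory=list)

    def matches(self, vo: VulnOccurrence) -> bool:
        return all(f(vo) for f in self.filters)


def ticket_title(prefix: str, vo: VulnOccurrence) -> str:
    """Prefix, then Vulnerability Definition name, then asset IP (the guide's title shape)."""
    return f"{prefix} {vo.vd_name} {vo.asset_ip}"


def generate_tickets(policies, occurrences, existing):
    """One run of a Tickets – Auto Generation task (hypothetical reimplementation).

    A ticket is created for every (policy, entity) pair that matches and has no open
    ticket yet, so an entity that only now became exposed gets a ticket while an
    entity already ticketed gets no duplicate. Open automatically created tickets
    whose entity no longer meets the policy conditions are closed.
    """
    by_id = {vo.vo_id: vo for vo in occurrences}
    by_name = {p.name: p for p in policies}
    open_keys = {(t.policy, t.entity_id) for t in existing if t.status != "Closed"}
    created = [
        Ticket(ticket_title(p.title_prefix, vo), vo.vo_id, p.name, p.owner, p.priority)
        for p in policies
        for vo in occurrences
        if p.matches(vo) and (p.name, vo.vo_id) not in open_keys
    ]
    closed = []
    for t in existing:
        if t.status == "Closed":
            continue
        p, vo = by_name.get(t.policy), by_id.get(t.entity_id)
        if p is None or vo is None or not p.matches(vo):
            t.status = "Closed"
            closed.append(t)
    return created, closed


# The guide's first predefined policy: tickets for directly exposed occurrences.
NEW_DIRECTLY_EXPOSED = Policy(
    "New Direct Externally Exposed vulnerability occurrences", "EXPOSED",
    owner="netsec", priority="High", filters=[lambda vo: vo.directly_exposed])

# A constructed custom policy with two filters that must BOTH match: Critical
# severity AND an asset in the (assumed) finance subnet 10.1.1.0/24.
FINANCE_CRITICAL = Policy(
    "Critical on finance subnet (constructed)", "FIN-CRIT",
    owner="finance-it", priority="Critical",
    filters=[lambda vo: vo.severity == "Critical",
             lambda vo: vo.asset_ip.startswith("10.1.1.")])


def run_demo() -> Tuple[List[Ticket], List[Ticket]]:
    """Constructed scenario: returns (tickets created, tickets closed automatically)."""
    occurrences = [
        VulnOccurrence("VO-1", "Constructed VD A", "10.1.1.5", "High", True),
        VulnOccurrence("VO-2", "Constructed VD B", "10.1.1.6", "Critical", False),
        VulnOccurrence("VO-3", "Constructed VD A", "10.2.0.9", "Critical", True),
        VulnOccurrence("VO-4", "Constructed VD C", "10.2.0.10", "Low", False),
    ]
    existing = [
        # VO-2 was exposed on the previous run but no longer is: this ticket closes.
        Ticket("EXPOSED Constructed VD B 10.1.1.6", "VO-2", NEW_DIRECTLY_EXPOSED.name, "netsec", "High"),
        # VO-3 is still exposed and already ticketed: no duplicate ticket.
        Ticket("EXPOSED Constructed VD A 10.2.0.9", "VO-3", NEW_DIRECTLY_EXPOSED.name, "netsec", "High"),
    ]
    return generate_tickets([NEW_DIRECTLY_EXPOSED, FINANCE_CRITICAL], occurrences, existing)


if __name__ == "__main__":
    created, closed = run_demo()
    for t in created:
        print("created:", t.title, "->", t.owner, t.priority)
    for t in closed:
        print("closed automatically:", t.title)
```

VO-1 is High rather than Critical, so it fails the first filter of the finance policy and gets only the exposure ticket; VO-2 is no longer exposed, so its old exposure ticket closes while the finance policy opens a new one for it.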


Tickets and workflow

Tickets in Skybox represent action items that must be implemented in your network. They can be created manually or from policies that are configured to create tickets for entities on which specified thresholds are reached.

Managing Skybox tickets is a way of ensuring that all security issues found by Skybox are resolved correctly and within the designated time frame.

Tip: You can set up ticket phases, which define different steps for remediation (see the Defining ticket phases topic in the Skybox Reference Guide).

Monitoring tickets

To make sure that all tickets are handled correctly, monitor the status of tickets.

Verifying that tickets are being acted on

You can check the status of tickets using:

• Tickets reports

• Tickets analyses

Overdue tickets have a status of New or In Progress but have passed their assigned due date. You can contact the ticket owners to find out why they did not handle the ticket.

The ticketing workflow provides a history of compliance to security requirements; update the status of tickets to reflect the status of the solutions applied.

Working with tickets

Tickets can be:

• Viewed

• Assigned to different owners

• Edited

• Changed to a different status

• Promoted or demoted

• Closed

To view and handle tickets, select the ticketed entity in the appropriate workspace and access the ticket in the Tickets tab of the Details pane. You can also access them in the Tickets workspace.

You view and handle groups of tickets in the Tickets workspace. For example, to view all tickets created within the past week, use the Public Tickets > All Tickets > Open Tickets > New analysis.

Viewing tickets

Folders in the Tickets tree contain analyses related to tickets.

The top-level nodes of the Tickets tree are:

• Public Ticket Analyses: Contains the tickets analyses available to everyone who logs in to Skybox Manager.

◦ The All Tickets folder contains tickets in the system distributed by status.

◦ The My Tickets folder contains only tickets that are owned by the logged-in user.

• Private Ticket Analyses: Contains analyses that are not available to other users of the system. Use this folder to create your own tickets analyses.

You can view additional properties of a ticket:

• Select the ticket in the Table pane and view the information in the Details pane.

• Double-click the ticket in the Table pane to open it.

Searching for tickets

You can search for tickets without creating an analysis for them. The search is based on a match between a text string and a selection of the following ticket fields:

• Title

• ID

• User Comments

• Status

• Priority

• Owner

• Solution Name

To search for tickets

1. With the Ticket workspace open, click (on the toolbar).

2. In the Search panel, type a string in Find What.

3. In Look In, select the ticket field in which to search for the string.

4. Click .

Tickets that include the search string in the specified field are listed in the Table pane.

Changing ticket statuses

Skybox supports the following predefined ticket statuses:

• New: The default status for all new tickets.

• In Progress: The owner has seen the ticket and is in the process of handling it.

• Ignored: The ticket is not important, and the owner has decided to ignore it. Skybox uses this status, for example, if the vulnerability occurrence for which the ticket was created is a false positive.

• Rejected: The problem for which the ticket was created exists, but the solution is irrelevant or cannot be applied. This can happen, for example, if the suggested solution is to change an access rule to block access, but changing that rule also blocks access to an important application.

• Resolved: The problem was handled by its user, but the fix is not verified.

• Closed: The task was completed and verified. The final ticket status.

Admins can add up to 5 custom ticket statuses in Skybox (see the Custom Ticket Statuses topic in the Skybox Installation and Administration Guide).

Except for automatically created tickets, which are closed when their conditions are no longer met, ticket status does not change automatically. Status must be changed manually by the ticket owner or by an Admin.

To change the status of a ticket

1. Find an analysis containing the ticket.

2. In the Table pane, right-click the ticket and select Change Status.

3. In the dialog box, select the New status for the ticket and click OK.

The status of the ticket changes. Although the ticket might no longer match the current analysis (for example, a ticket whose status was changed from New to In Progress no longer matches the criteria of the New analysis), the ticket is listed in the old analysis until you refresh the screen or navigate from the current analysis.

Note: Changing the status of a vulnerability occurrence ticket to Resolved or Closed changes the status of the vulnerability occurrence in the model to Fixed and the vulnerability occurrence is no longer used for attack simulation (see Closing vulnerability occurrence tickets).

Working with multiple tickets

To perform an action on several tickets together

1. Select the tickets.

2. Right-click and select the action.

You can perform the following actions on a group of vulnerability occurrence tickets:

• Reassign

• Change the status

• Change the priority

• Change the due date

• Add an attachment

• Add a custom solution

You can perform the following actions on a group of threat alert tickets:

• Request to close

• Change the priority

• Promote

• Demote

• Add an attachment

• Add a custom solution

Closing tickets

You close a ticket by changing its status to Closed. When you close a vulnerability occurrence ticket, the status of the vulnerability occurrence changes in the model; see Closing vulnerability occurrence tickets.

When you delete a policy, you are asked whether to close all tickets created by the policy or leave them unchanged.

Important: When you finish working with a ticket, close it; if you delete a ticket, you lose the history of the problem that caused the ticket.

Automatic closure of threat alert tickets

By default, threat alert tickets must be closed manually. However, you can configure Skybox to close threat alert tickets automatically when all vulnerability occurrences related to the threat alert are fixed.

To configure automatic closure

• Set close_vt_tickets_in_last_phase_enabled=true in <Skybox_Home>\server\conf\sb_server.properties

Closing vulnerability occurrence tickets

Usually, tickets affect entities in the model only when the ticket owner implements the changes. However, some changes to the status of a vulnerability occurrence ticket affect the vulnerability occurrence for which the ticket was opened.

Note: Admins can configure Skybox so that closing a ticket does not affect the vulnerability occurrence in Tools > Options > Server Options > Ticket Configuration.

• When you manually change the status of a vulnerability occurrence ticket to Resolved, the status of the vulnerability occurrence changes to Fixed.

These vulnerability occurrences are checked during the next scan to confirm that they are fixed.

• When you manually close a vulnerability occurrence ticket, the status of the vulnerability occurrence changes to Fixed.

Skybox does not use Fixed vulnerability occurrences for attack simulation.

If you select a solution for a vulnerability occurrence ticket, when you close the ticket the model changes according to the solution that you selected:

• Upgrade: The service version found by the scanner is overwritten with the version provided in the solution.

• Patch: The patch is recorded as applied on the asset.

• Remove: The service is marked as down.

For example, if the selected solution is to upgrade the service on which the vulnerability occurrence is found, the service is upgraded on the asset in the model.

Tickets that are closed automatically do not change the model or affect the vulnerability occurrences for which they were created.
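The feedback from ticket status into the model that this section and Automatic closure of threat alert tickets describe, as an added illustration that is not part of the guide or of Skybox: a constructed Python model with placeholder Vulnerability Definition ids and service names. It shows that Resolved and Closed set the occurrence to Fixed, that closing a ticket with a selected solution applies Upgrade, Patch or Remove to the modelled service, that automatically closed tickets leave the model alone, that Fixed occurrences drop out of attack simulation, and that a threat alert ticket closes automatically only when close_vt_tickets_in_last_phase_enabled is set and every related occurrence is Fixed. The two configuration switches are modelled as flags on a ServerConfig object; that representation, like the rest of the code, is an assumption of the example rather than the product's internals.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample model (not Skybox data) illustrating how manual ticket status
# changes feed back into vulnerability occurrence status and attack simulation.
TICKET_STATUSES = {"New", "In Progress", "Ignored", "Rejected", "Resolved", "Closed"}


@dataclass
class Service:
    name: str
    version: str
    up: bool = True
    patches: Set[str] = field(default_factory=set)


@dataclass
class VulnOccurrence:
    vo_id: str
    vd_id: str                 # Vulnerability Definition id (constructed placeholder)
    service: Service
    status: str = "Found"      # Found / Fixed


@dataclass
class VulnOccurrenceTicket:
    ticket_id: str
    occurrence: VulnOccurrence
    status: str = "New"
    # ("Upgrade", "<version>"), ("Patch", "<patch id>") or ("Remove", None)
    solution: Optional[Tuple[str, Optional[str]]] = None


@dataclass
class ThreatAlertTicket:
    ticket_id: str
    vd_id: str
    occurrences: List[VulnOccurrence]
    status: str = "New"


@dataclass
class ServerConfig:
    # Tools > Options > Server Options > Ticket Configuration, modelled as a flag (assumption)
    closing_ticket_fixes_occurrence: bool = True
    # close_vt_tickets_in_last_phase_enabled from sb_server.properties (default: manual closure)
    close_vt_tickets_in_last_phase_enabled: bool = False


def apply_solution(service: Service, solution: Tuple[str, Optional[str]]) -> None:
    """Model change made when a ticket with a selected solution is closed."""
    kind, value = solution
    if kind == "Upgrade":
        service.version = value          # scanner-found version is overwritten
    elif kind == "Patch":
        service.patches.add(value)       # patch recorded as applied on the asset
    elif kind == "Remove":
        service.up = False               # service marked as down
    else:
        raise ValueError(f"unknown solution type: {kind}")


def change_status(ticket: VulnOccurrenceTicket, new_status: str, cfg: ServerConfig,
                  automatic: bool = False) -> None:
    """Change a ticket's status and propagate the side effects to the model."""
    if new_status not in TICKET_STATUSES:
        raise ValueError(f"unknown ticket status: {new_status}")
    ticket.status = new_status
    if automatic or not cfg.closing_ticket_fixes_occurrence:
        return  # automatic closure (or the admin opt-out) never touches the model
    if new_status in ("Resolved", "Closed"):
        ticket.occurrence.status = "Fixed"
    if new_status == "Closed" and ticket.solution is not None:
        apply_solution(ticket.occurrence.service, ticket.solution)


def occurrences_for_attack_simulation(occurrences: List[VulnOccurrence]) -> List[str]:
    """Fixed occurrences are excluded from attack simulation."""
    return [vo.vo_id for vo in occurrences if vo.status != "Fixed"]


def auto_close_threat_alerts(alerts: List[ThreatAlertTicket], cfg: ServerConfig) -> List[str]:
    """Close threat alert tickets whose related occurrences are all Fixed, if enabled."""
    closed = []
    if not cfg.close_vt_tickets_in_last_phase_enabled:
        return closed
    for ta in alerts:
        if ta.status != "Closed" and all(vo.status == "Fixed" for vo in ta.occurrences):
            ta.status = "Closed"
            closed.append(ta.ticket_id)
    return closed


def run_demo() -> Dict[str, object]:
    cfg = ServerConfig()
    s1, s2, s3 = Service("svc-a", "1.0"), Service("svc-a", "1.0"), Service("svc-b", "3.1")
    vo1 = VulnOccurrence("VO-1", "VD-PLACEHOLDER-1", s1)
    vo2 = VulnOccurrence("VO-2", "VD-PLACEHOLDER-1", s2)
    vo3 = VulnOccurrence("VO-3", "VD-PLACEHOLDER-2", s3)
    alert = ThreatAlertTicket("TA-1", "VD-PLACEHOLDER-1", [vo1, vo2])
    # Owner closes a ticket with an Upgrade solution: occurrence Fixed, version updated.
    change_status(VulnOccurrenceTicket("T-1", vo1, solution=("Upgrade", "2.0")), "Closed", cfg)
    # Owner marks a ticket Resolved: occurrence Fixed, but no solution is applied.
    change_status(VulnOccurrenceTicket("T-2", vo2), "Resolved", cfg)
    # A policy-created ticket is closed automatically: the model is left untouched.
    change_status(VulnOccurrenceTicket("T-3", vo3), "Closed", cfg, automatic=True)
    auto_closed_default = auto_close_threat_alerts([alert], cfg)
    cfg.close_vt_tickets_in_last_phase_enabled = True
    auto_closed_enabled = auto_close_threat_alerts([alert], cfg)
    return {
        "vo_status": {vo.vo_id: vo.status for vo in (vo1, vo2, vo3)},
        "versions": (s1.version, s2.version),
        "simulated": occurrences_for_attack_simulation([vo1, vo2, vo3]),
        "auto_closed_default": auto_closed_default,
        "auto_closed_enabled": auto_closed_enabled,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the default configuration the threat alert stays open even though both of its occurrences are Fixed; only after the property is enabled does the second call close it.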


Managing tickets analyses

You can edit or copy analyses in the Tickets tree to meet your requirements, you can create analyses from scratch, and you can delete irrelevant analyses.

You can sort the results of a tickets analysis by various properties, including status, priority, ticket type, and ticket owner. You can display additional columns of information (for example, operating system, service, or the policy that created the ticket) or hide columns to focus on specific aspects of the analysis.

Note: Users can create and edit analyses only in the Private Ticket Analyses folder.

If you are working with phases, you can create a separate analysis for each phase.

Model maintenance

You can automate the process of maintaining and updating the model, including:

• Model updates

• Data monitoring

• General maintenance

For information, see Model maintenance.

You can schedule reports to run on an automated basis and be sent to selected recipients (see the Automating reports topic in the Skybox Reference Guide).


Continuous usage

This part explains how to work with Skybox Vulnerability Control on a continuous basis.

Chapter 18

Using tasks for automation

You can use scheduled task sequences and tasks in Skybox to automate processes, including data updates, model maintenance, and reports.

For information about:

• Managing tasks, see Managing tasks in the Skybox Reference Guide.

• Creating task sequences, scheduling tasks and task sequences, and best practices for setting up task sequences, see Working with tasks in the Skybox Reference Guide.

• Specific tasks, see the Tasks part of the Skybox Reference Guide.

Chapter 19

Reports

Reports in Skybox are detailed accounts of data in the model.

This chapter describes the report types in Skybox Vulnerability Control.

In this chapter

Reports overview 131

Security Metric reports 131

Risks reports 132

FISMA/NIST and Risk Assessment reports 132

PCI DSS reports 133

Tickets reports 133

Vulnerability Management reports 134

Vulnerabilities reports 134

Exporting data to CSV files 135

Exporting vulnerability occurrence data to Qualys format 136

Reports overview

Reports in Skybox are detailed accounts of data in the model (for example, high-risk entities, firewall changes, overdue tickets, or top 10 entities). You can schedule report generation and send reports to designated Skybox users.

You can generate reports in standard report formats (PDF, HTML, and RTF). Some report types are saved in CSV format. CSV files can be used by 3rd-party applications for additional processing.

There are several ways to work with reports:

- Generate reports while you are working:

  1. Right-click an entity in the Tree pane

  2. Save the table in CSV format

- Schedule report generation via tasks (including Report – Auto Generation tasks and CSV export tasks)

- View (and generate) reports in the Reports workspace, and customize their content

Security Metric reports

Security Metric reports contain security metrics information for the selected security metric type (VLI or RLI) and information about:


- The contribution of Vulnerability Definitions to the security metrics

- The contribution of subentities to the security metrics scores

- Trends

These reports are usually used for reviewing security metrics in a specific entity. To avoid information overload, Security Metric reports can show data about a single entity only or about an entity and its child subentities (1 level down).

To generate a Security Metric report, specify the scope and the security metric type.

For information about defining Security Metric reports and the sections that can be included in the reports, see the Security Metric reports topic in the Skybox Reference Guide.

Risks reports

Depending on the scope of the report, risks reports can contain information about:

- The Business Units with the highest potential risk of being compromised.

- The Business Asset Groups with the highest potential risk of being compromised by attacks and vulnerability occurrences.

- The Regulations and Business Impacts with the highest potential risk of being compromised.

- The Threat Origins in your network that impose the highest potential risk on high-value Business Asset Groups.

These reports are usually used to highlight the Business Asset Groups with the highest risk and to provide the risk factors that caused the risk on these Business Asset Groups.

For additional information about defining risks reports and the sections that can be included in the reports, see the Risks reports topic in the Skybox Reference Guide.

Predefined risks reports

Skybox includes the following predefined risks report definitions:

- Risks – Details: Details of the top entities of each selected entity type. Entities with no risk are not included in the report. Risks are displayed qualitatively (on a scale of Very Low to Critical).

- Risks – Overview: An overview of the top entities of each selected type. Entities with no risk are not included in the report. Risks are displayed qualitatively (on a scale of Very Low to Critical).

- Regulation Compliance Risk – Details: Information about the top Regulations that are at risk of being compromised, including detailed explanations of how the risk of each entity is calculated.

FISMA/NIST and Risk Assessment reports

FISMA/NIST reports and Risk Assessment reports provide information about systems, threat statements, risk assessment, and actions with milestones.

Use these reports to meet FISMA risk reporting requirements. FISMA Risk Management reports use US Government nomenclature; Risk Assessment reports use standard nomenclature.


Note: The text fields in the Properties dialog box for Risk Assessment reports and FISMA Risk Management reports contain placeholder text; change this text before generating the reports for the 1st time. The information in these fields is used in the introductory section of the report.

For additional information about defining these reports and the sections that can be included in the reports, see the FISMA/NIST reports and Risk Assessment reports topics in the Skybox Reference Guide.

PCI DSS reports

PCI DSS reports provide information about vulnerability occurrences found on system components, including Business Asset Groups, networks, and network devices. The vulnerability occurrences are listed as action items according to their exposure.

These reports are usually used to show compliance with PCI DSS Requirement 6.1 (6.2 in PCI DSS v3.2).

Note: The Introductory Text in the Properties dialog box that defines this report is used as the introduction to the report. By default, it contains text that explains how the report demonstrates compliance with PCI DSS Requirement 6.1. If you use the report for other purposes (for example, to show compliance with a different standard), change this text before generating these reports.

For additional information about defining PCI DSS reports and the sections that can be included in the reports, see the PCI DSS reports topic in the Skybox Reference Guide.

Predefined PCI DSS report

Skybox includes the following predefined PCI DSS report definitions:

- PCI DSS – Requirement 6.1: Presents vulnerabilities in your network as action items in accordance with PCI DSS Requirement 6.1.

Tickets reports

Tickets reports contain summary and detailed information about tickets.

- Overview tickets reports are usually used to review and monitor ticket progress, and to list task assignments.

- Detailed tickets reports are usually used to implement the changes specified in the tickets.

Tickets reports show the status, priority, and assigned owner of tickets that meet the report criteria. You can filter these reports according to many different properties.

For additional information about defining tickets reports and the sections that can be included in the reports, see the Tickets reports topic in the Skybox Reference Guide.

Predefined tickets reports

Skybox includes the following predefined tickets report definitions:

- Open Tickets – Overview: An overview of open Skybox tickets, including the priority, status, and owner for each ticket. The tickets are grouped by priority.

- Open Tickets – Details: Detailed information about all open Skybox tickets. The tickets are grouped by Priority.


- Overdue Tickets – Details: Detailed information about all Skybox tickets that have passed their due dates, including the status, priority, and owner for each ticket. The tickets are grouped by owner.

Vulnerability Management reports

Vulnerability Management reports are high-level reports that provide an overview of the vulnerability and risk management process. This is similar to the overview in the Vulnerability Control workspace. These reports contain information about:

- Discovery: The age and status of vulnerability occurrences and assets (including an indication of overdue assets)

- Analytics: Security metrics that need remediation and exposed vulnerability occurrences

You can configure the report to include only discovery or only analytics information.

For additional information about defining Vulnerability Management reports and the sections that can be included in the reports, see the Vulnerability Management reports topic in the Skybox Reference Guide.

Vulnerabilities reports

Vulnerabilities reports are technical reports that contain summary and detailed information about vulnerability occurrences found in the model.

Use these reports to review the vulnerability occurrences in a specific network segment or location, to filter exposed vulnerability occurrences, to show vulnerability occurrences with a specified severity level, or to show vulnerability occurrences that impose the highest risk on your organization. The reports can include trends in vulnerability occurrence statistics.

- Overview reports contain counts of vulnerability occurrences that meet the report criteria. You can group the vulnerability occurrences by operating system, location, Business Units and Business Asset Groups that they affect, and Vulnerability Definitions.

- Detailed reports contain all information about each vulnerability occurrence that meets the report criteria.

- Reports that provide solutions contain all information about each vulnerability occurrence and known solutions for mitigating that vulnerability occurrence.

For additional information about defining vulnerabilities reports and the sections that can be included in the reports, see the Vulnerabilities reports topic in the Skybox Reference Guide.

Limiting the scope of vulnerabilities reports

We recommend that you define vulnerabilities reports with limited scopes to avoid excessively long reports. By default, reports of vulnerability occurrences are limited to 5000 vulnerability occurrences for Overview reports and 1000 vulnerability occurrences for Details (and Details & Solutions) reports—for detailed reports, the report is based on the first 1000 vulnerability occurrences that Skybox finds that match the report definition criteria. The detailed information in a detailed report is limited to the first 50 vulnerability occurrences.

You can limit the scope of a vulnerabilities report by changing any of the following properties of the definition on which the report is based:


- The scope of the network to include in these reports

- The type of operating systems to include in these reports

- The vulnerability occurrence properties, including:

  - Imposed risk

  - Status

  - Severity

  - Commonality

  - Vulnerability Definition

  - Scan time

To change the scope of a vulnerabilities report definition

1. Right-click the report definition name in the Tree pane and select Properties.

2. Make scope changes.

   - For information about defining the properties of vulnerabilities reports, see the Vulnerabilities reports topic in the Skybox Reference Guide.

   Note: An Admin can change the maximum number of vulnerability occurrences to include in reports (not recommended).

3. Click OK to save the information and close the Properties dialog box.

Predefined vulnerabilities report definitions

Skybox includes the following predefined vulnerabilities report definitions:

- Vulnerabilities – Details: Detailed information about the vulnerability occurrences in the model.

- Vulnerabilities – Overview: An overview of the vulnerability occurrences in the model.

- Vulnerabilities – Solutions: Detailed information about the vulnerability occurrences in the model and suggested solutions for each vulnerability occurrence.

Exporting data to CSV files

You can export much of the information in Skybox in CSV format. The CSV files can then be opened with an application for additional processing.

There are 3 ways to export Skybox data to a CSV file:

- Via the Tree pane

- By selecting the table

- Using tasks

To export information about an entity in the Tree pane to a CSV file

1. Select an entity in the Tree pane.

2. Right-click the entity.

   Usually, there is either a Reports submenu or an Export to CSV option.


3. Select the relevant option.

To export a table to a CSV file

1. Display a table in the Table pane or in a tab of the Details pane.

   For example, to save a list of the Vulnerability Definitions that contribute to the security metrics score of a Business Unit, select the Business Unit in the tree and then click the Vulnerability Definitions tab in the workspace.

2. To save specific columns only, display the columns to save and hide other columns.

   - To display or hide columns, right-click in the header row of the table, select Customize Current View and then select or clear columns.

3. Select a row in the table.

   This focuses the Save operation on the selected table.

4. From the File menu, select Export Table to CSV.

5. In the Save dialog box, navigate to the required location and click Save.

Using tasks to export data to CSV files

Model data can be exported to CSV (character-separated values) files using tasks. If you use a task, you can export the data on a regular basis. The following CSV export tasks are available for Skybox Vulnerability Control (for information about these tasks, see the Skybox Reference Guide):

- CSV – Security Metrics Export

- CSV – Analysis Export

Exporting vulnerability occurrence data to Qualys format

Vulnerability occurrence analyses (lists of vulnerability occurrences) can be exported to XML files in Qualys format for integration with SIEM solutions.

To export an analysis to Qualys format

- Right-click the name of the analysis in the tree and select Export to XML – Vulnerability Occurrences.

To create a Qualys vulnerability occurrence export task for an analysis

1. Create an XML Vulnerability Occurrence (Qualys Format) Export task.

   - For information about these tasks, see the Qualys format XML vulnerability occurrences export tasks topic in the Skybox Reference Guide.

2. Use Analysis Definition to select the analysis for which you want to create the task.

3. (Optional) Change properties of the task.

When you run the task, the table is saved to <analysis name>_<date>--<time>.xml in the selected directory.


Chapter 20

Model maintenance

Model maintenance includes:

- Updating the model

- Confirming that offline file import and online collection tasks ran successfully

- Validating the model to check for missing or incorrect information

- Deleting entities that are no longer required

- General maintenance procedures, including updating the Skybox Vulnerability Dictionary and saving the model

In this chapter

Updating the model 137

General maintenance 140

Deployed product list 142

Updating the model

This section explains activities that keep the model up to date.

Automating data collection

Run online collection and offline file import tasks for all devices according to the schedule on which each device is updated.

- For information about scheduling tasks, see Scheduling task sequences.

- For information about the properties of tasks, see the sections relating to the tasks in the Tasks part of the Skybox Reference Guide.

Vulnerability occurrence maintenance

This section explains how to maintain vulnerability occurrences in the model.

Vulnerability occurrence life cycle

Every vulnerability occurrence has a life-cycle status from the time that it is found by a scanner and merged into the model, or created by a user, until it is finally deleted by the system or by a user. The life-cycle status changes according to user decisions, merges of scanning results, and ticket processing.

Internal life-cycle statuses include:

- System status: Computed by Skybox. System status is affected by system algorithms, which take user decisions into account.

- User-defined status: Assigned by a user. User status is affected only by direct user decisions about the vulnerability occurrence.


The displayed life-cycle status is a value derived from the internal status:

- Found: The vulnerability occurrence is in the model

- Ignored: The vulnerability occurrence is in the model but is to be ignored

- Fixed: The vulnerability occurrence is in the model, but is fixed

Attack simulation and reports use only vulnerability occurrences whose displayed life-cycle status is Found.

Initial vulnerability occurrence life-cycle statuses

When data is imported into the model, all detected vulnerability occurrences are assigned the internal life-cycle status Found by system (equivalent to the displayed life-cycle status of Found).

During the merging process, another internal status, Suspected False Positive, might be assigned to vulnerability occurrences. This occurs when there is a mismatch between the asset and the preconditions for the vulnerability occurrence’s existence. For example, if a scanner decides (based on the Windows registry) that there is a vulnerability occurrence for the Microsoft IIS HTTP service, but Skybox does not find HTTP ports open on the asset, Skybox changes the status of that vulnerability occurrence to Suspected False Positive.

Suspected False Positive is equivalent to a displayed life-cycle status of Ignored. Skybox does not use vulnerability occurrences marked as Suspected False Positive in attack simulation.

For information about the predefined False Positive Reduction task, see False positive reduction.

User-defined statuses

Users can change the status of vulnerability occurrences. A user might decide to ignore a vulnerability occurrence (not use it in attack simulation) because:

- It is not very important (no impact)

- It does not exist (false positive)

- Its risk is acceptable

Vulnerability occurrence aging

Scanned vulnerability occurrences go through a process of aging. If the life-cycle status of a scanned vulnerability occurrence has not changed in a specified number of days, the vulnerability occurrence receives a system status of Not Found. After another specified number of days, the vulnerability occurrence is deleted. If the vulnerability occurrence is rediscovered, it is assigned a system status of Found. For additional information, see Deleting outdated entities.

How does the scan policy influence the vulnerability life cycle?

A scan policy is a list of settings and directions used by a vulnerability scanner that defines what and how to scan.

When a vulnerability occurrence is found by a scanner, Skybox uses the scanner ID and the scan policy as the vulnerability occurrence’s scan source. When a vulnerability occurrence is found by several scans, Skybox uses the last scan as the scan source. The life-cycle status of a vulnerability occurrence can only be changed by information from scans that use the same scan source, because this indicates that the scanner ran the same scan as before.

False positive reduction

Note: False positive reduction is relevant only when working with Skybox Vulnerability Control.

The False Positive Reduction task checks the model for vulnerability occurrences that are not exploitable because they do not match their assigned service well enough. The task changes the life-cycle status of these vulnerability occurrences to False Positive. Skybox does not use false positive vulnerability occurrences in attack simulation.

For example, a vulnerability occurrence is detected on an asset running Microsoft IIS. If the False Positive Reduction task decides (based on the Skybox Vulnerability Dictionary) that this Vulnerability Definition is only on version 8.5 of IIS, but the asset on which the vulnerability occurrence is found uses a higher version, the vulnerability occurrence is marked as a false positive.

The task also checks for patches that fix the detected vulnerability occurrences. If a patch is found on an asset and the patch is listed in the Vulnerability Dictionary as mitigating a vulnerability occurrence found on the asset, the life-cycle status of the vulnerability occurrence is set to Fixed and Skybox does not use it in attack simulation.

Run the task:

- After adding data to the model

- After updating the Vulnerability Dictionary

For information about the properties of this task, see the False positive reduction tasks topic in the Skybox Reference Guide.
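The status transitions described under Vulnerability occurrence life cycle, the scan-source rule, and the two checks of the False Positive Reduction task, as an added Python illustration that is not Skybox code. The dataclasses, function names, the dictionary entry VD-EXAMPLE-1, the patch KB-EXAMPLE-1 and the hosts are constructed, and the displayed-status mapping for False Positive and Not Found is assumed (the page states only that Suspected False Positive displays as Ignored and that attack simulation uses only Found).

```python
from dataclasses import dataclass

# Internal life-cycle statuses named on the page.
FOUND_BY_SYSTEM = "Found by system"
SUSPECTED_FP = "Suspected False Positive"
FALSE_POSITIVE = "False Positive"
FIXED = "Fixed"
NOT_FOUND = "Not Found"

# Displayed status derived from the internal one. The page states that
# Suspected False Positive displays as Ignored and that attack simulation uses
# only Found; mapping False Positive and Not Found to Ignored is an assumption.
DISPLAYED = {FOUND_BY_SYSTEM: "Found", SUSPECTED_FP: "Ignored",
             FALSE_POSITIVE: "Ignored", NOT_FOUND: "Ignored", FIXED: "Fixed"}


@dataclass
class VulnDefinition:              # constructed stand-in for a Dictionary entry
    vd_id: str
    product: str
    affected_versions: frozenset   # versions the definition applies to
    required_ports: frozenset      # precondition: service ports that must be open
    fixing_patches: frozenset      # patches listed as mitigating the definition


@dataclass
class Asset:
    name: str
    open_ports: frozenset
    products: dict                 # product name -> installed version
    patches: frozenset


@dataclass
class VulnOccurrence:
    vd_id: str
    asset: Asset
    scan_source: tuple             # (scanner ID, scan policy)
    internal_status: str = FOUND_BY_SYSTEM

    @property
    def displayed_status(self) -> str:
        return DISPLAYED[self.internal_status]

    def used_in_attack_simulation(self) -> bool:
        return self.displayed_status == "Found"


def merge_scan_result(vo: VulnOccurrence, vd: VulnDefinition) -> str:
    """Merge-time precondition check: no required service port open on the
    asset (an IIS finding with no HTTP port) -> Suspected False Positive."""
    if vd.required_ports and not (vd.required_ports & vo.asset.open_ports):
        vo.internal_status = SUSPECTED_FP
    return vo.internal_status


def false_positive_reduction(vo: VulnOccurrence, vd: VulnDefinition) -> str:
    """The False Positive Reduction task's checks: an installed version the
    definition does not cover -> False Positive; a mitigating patch on the
    asset -> Fixed. Only Found occurrences are examined (assumption)."""
    if vo.internal_status != FOUND_BY_SYSTEM:
        return vo.internal_status
    installed = vo.asset.products.get(vd.product)
    if installed is not None and installed not in vd.affected_versions:
        vo.internal_status = FALSE_POSITIVE
    elif vo.asset.patches & vd.fixing_patches:
        vo.internal_status = FIXED
    return vo.internal_status


def apply_rescan(vo: VulnOccurrence, scan_source: tuple, detected: bool) -> str:
    """Only a scan with the same scan source (scanner ID and scan policy) may
    change the status; a scan from a different source leaves it untouched."""
    if scan_source != vo.scan_source:
        return vo.internal_status
    vo.internal_status = FOUND_BY_SYSTEM if detected else NOT_FOUND
    return vo.internal_status


# Constructed sample data: one definition that applies to IIS 8.5 only.
IIS_VD = VulnDefinition("VD-EXAMPLE-1", "Microsoft IIS", frozenset({"8.5"}),
                        frozenset({80, 443}), frozenset({"KB-EXAMPLE-1"}))
HOSTS = [
    Asset("web1", frozenset({80}), {"Microsoft IIS": "8.5"}, frozenset()),
    Asset("web2", frozenset({80}), {"Microsoft IIS": "10.0"}, frozenset()),
    Asset("web3", frozenset({3389}), {"Microsoft IIS": "8.5"}, frozenset()),
    Asset("web4", frozenset({80}), {"Microsoft IIS": "8.5"},
          frozenset({"KB-EXAMPLE-1"})),
]
SOURCE = ("scanner-1", "web-policy")


def run_example() -> dict:
    """Walk each host's occurrence through merge and FP reduction and return
    the displayed status per host."""
    results = {}
    for asset in HOSTS:
        vo = VulnOccurrence(IIS_VD.vd_id, asset, SOURCE)
        merge_scan_result(vo, IIS_VD)
        false_positive_reduction(vo, IIS_VD)
        results[asset.name] = vo.displayed_status
    return results
```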

Deleting outdated entities

Network entities (assets, services, vulnerability occurrences, and network interfaces) are added to the model during online collection and offline file import. These entities can become outdated or no longer used as the model is updated, but they remain in the model until they are explicitly deleted. For example, a fixed vulnerability occurrence has its status changed to Fixed, but it is not deleted from the model even though it is no longer used for risk analysis.

Model – Outdated Removal tasks delete network entities that were not updated recently from the model. When the task runs, it compares the scan time of each entity with the current date and time to establish the entity age. Entities of a specified age are marked as Down and older entities (of a different specified age) are deleted from the model.

The predefined Model – Outdated Removal task is named Model – Remove Outdated. Run this task on a regular basis to keep the model ‘clean’.

For each network in the model, the task:

1. Decides whether to check the network for outdated entities:

   - If a network was not scanned in the past <n> days (the number of days is configurable and set in the task), it is not checked by this task for outdated entities.

   - If a network was scanned in the past <n> days, it is checked by this task for outdated entities.


   Note: You can configure networks and assets so that they are not checked for outdated entities; see Using the Do Not Outdate option.

   Manually created networks (and networks created by iXML import) are usually not updated on a regular basis, so should not be outdated.

2. (For networks that are checked) Calculates the age of each entity in the network, changes the status of entities of the specified age to Down (or Not Found, for vulnerability occurrences), and deletes older entities from the model. If all network interfaces of an asset are deleted (due to aging), the asset is also deleted from the model.

You can identify the entities that are aged by this task by selecting Dry Run in the Advanced tab. In a dry run, a list of entities that would be aged by the task is written to the log file, but the entities are not aged.

You can run the task but exclude all gateways (and their services, vulnerability occurrences, and network interfaces) from the aging process by selecting Exclude Gateways in the Advanced tab.

For information about the properties of this task, see the Delete outdated entities tasks topic in the Skybox Reference Guide.

Using the Do Not Outdate option

Use the Do Not Outdate option in the Properties dialog box of a selected network (or Perimeter Cloud) or asset so that the network is not checked for outdated entities.

- If an asset is excluded from the aging process, the asset’s network interfaces, services, and vulnerability occurrences are not aged.

- If a network is excluded from the aging process, the network’s assets (together with their network interfaces, services, and vulnerability occurrences) are not aged.

Important: Mark entities created manually or by iXML import to protect them from aging, as these entities are usually not scanned or reimported.
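The per-network procedure of the Model – Outdated Removal task above, including the Dry Run and Exclude Gateways options and the Do Not Outdate exclusions, as an added Python simulation that is not Skybox code. The day thresholds, the entity kinds, and the sample networks and hosts (including VD-EXAMPLE-1 and VD-EXAMPLE-2) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Status an aged entity receives: Down, or Not Found for vulnerability occurrences.
AGED_STATUS = {"interface": "Down", "service": "Down", "vuln": "Not Found"}


@dataclass
class Entity:
    kind: str            # "interface", "service" or "vuln"
    name: str
    scan_time: datetime
    status: str = "Up"


@dataclass
class Asset:
    name: str
    entities: list = field(default_factory=list)
    do_not_outdate: bool = False
    is_gateway: bool = False


@dataclass
class Network:
    name: str
    last_scan: datetime
    assets: list = field(default_factory=list)
    do_not_outdate: bool = False


def remove_outdated(networks, now, scanned_within, down_after, delete_after,
                    dry_run=False, exclude_gateways=False):
    """One pass of the task. All thresholds are days: a network not scanned in
    the past `scanned_within` days is skipped; entities older than `down_after`
    are marked Down / Not Found and entities older than `delete_after` are
    deleted. Returns what was changed (or, in a dry run, would be changed)."""
    report = {"down": [], "deleted": []}
    for net in networks:
        if net.do_not_outdate or (now - net.last_scan).days > scanned_within:
            continue
        kept_assets = []
        for asset in net.assets:
            if asset.do_not_outdate or (exclude_gateways and asset.is_gateway):
                kept_assets.append(asset)
                continue
            had_interfaces = any(e.kind == "interface" for e in asset.entities)
            kept = []
            for ent in asset.entities:
                age = (now - ent.scan_time).days
                if age > delete_after:
                    report["deleted"].append(f"{asset.name}/{ent.name}")
                    continue                      # dropped from the model
                if age > down_after:
                    report["down"].append(f"{asset.name}/{ent.name}")
                    if not dry_run:
                        ent.status = AGED_STATUS[ent.kind]
                kept.append(ent)
            if had_interfaces and not any(e.kind == "interface" for e in kept):
                report["deleted"].append(asset.name)   # all interfaces aged out
                continue
            if not dry_run:
                asset.entities = kept
            kept_assets.append(asset)
        if not dry_run:
            net.assets = kept_assets
    return report


def build_sample_model(now):
    """Constructed sample: a freshly scanned network, a stale one and a manual one."""
    def d(days):
        return now - timedelta(days=days)
    prod = Network("prod-net", d(1), [
        Asset("web1", [Entity("interface", "eth0", d(2)),
                       Entity("service", "http", d(2)),
                       Entity("vuln", "VD-EXAMPLE-1", d(20))]),
        Asset("old-host", [Entity("interface", "eth0", d(90)),
                           Entity("vuln", "VD-EXAMPLE-2", d(90))]),
        Asset("fw1", [Entity("interface", "eth0", d(45))], is_gateway=True),
        Asset("dmz-manual", [Entity("interface", "eth0", d(400))], do_not_outdate=True),
    ])
    stale = Network("stale-net", d(120),
                    [Asset("forgotten", [Entity("interface", "eth0", d(120))])])
    manual = Network("ixml-net", d(400),
                     [Asset("manual-host", [Entity("interface", "eth0", d(400))])],
                     do_not_outdate=True)
    return [prod, stale, manual]


def run_example():
    """Dry run first (nothing changes), then a live run that excludes gateways."""
    now = datetime(2022, 6, 1)                     # constructed "current time"
    nets = build_sample_model(now)
    dry = remove_outdated(nets, now, 30, 14, 60, dry_run=True)
    before = [a.name for a in nets[0].assets]
    live = remove_outdated(nets, now, 30, 14, 60, exclude_gateways=True)
    return {"dry": dry, "before": before, "live": live,
            "after": [a.name for a in nets[0].assets],
            "web1_vuln_status": nets[0].assets[0].entities[2].status}
```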

General maintenance

This section describes general maintenance tasks.

Updating the Skybox Vulnerability Dictionary

Skybox releases an updated version of the Skybox Vulnerability Dictionary 6 days a week; additional Dictionary updates are released whenever there is an important Vulnerability Definition release—we recommend that you check for Dictionary updates daily.

There are 2 ways to update the Vulnerability Dictionary:

- (Recommended) Use the predefined Dictionary Update – Daily task, which takes the most up-to-date Vulnerability Dictionary from the Skybox Dictionary Server. You can schedule the task.

- Download the Vulnerability Dictionary from https://dictionary.skyboxsecurity.com/dictionary/11.0.0/LatestDictionary.sbd

Note: Only Admins can update the Skybox Vulnerability Dictionary.


For instructions about updating the Vulnerability Dictionary, see the Dictionary updates chapter in the Skybox Installation and Administration Guide.

Model integrity

Use the predefined Model Integrity task to update the following associations between entities in the model:

- Business Asset Groups and their members

- Threat alert tickets and networks

If your model does not include Business Asset Groups that contain networks and you do not have threat alert tickets for specific network scopes, there is no reason to run this task.

When the task runs:

- For each Business Asset Group, it creates an association between the assets that meet the Business Asset Group’s membership criteria and the Business Asset Group.

- For each threat alert ticket created for a network scope (rather than for vulnerability occurrences of the Vulnerability Definition), it translates the network scopes for the ticket into assets, so that all vulnerability occurrences of the Vulnerability Definition that match the ticket can be associated with the ticket.

  You can turn off threat alert ticket mapping. See the Model integrity tasks topic in the Skybox Reference Guide.

Run this task on a regular basis after you update the model, before running attack simulation or security metrics analysis tasks.

Validating the model when working on a continuous basis

You can set up updates to Skybox to run on a continuous and automated basis, as discussed in Updating the model. However, you must monitor the update process on a regular basis to make sure that all tasks succeeded and that all data was successfully imported.

Validate the model after each set of information is added by making manual checks as a way of verifying the correctness and completeness of the model. For example:

- View the model in the Network Map to make sure that there are no unconnected networks or nodes.

- In the Model Analyses node of the Model tree, check the New Entities analyses if you expect that entities were added to the model. Also check the appropriate model validation analyses.

- Check that the item counts for the model (File > Model Properties) are not significantly different from the numbers of items in your network.

For additional information about model validation, see Validating the model.

Backing up the model

The model is backed up to a file in XML or encrypted XML format. You can load backed-up versions and use them for analyses in the What If or Forensics model.

Note: Only Admins can back up and load data.

When you back up or load the model, the data is divided into components. Make sure that you back up or load the correct components.


Deployed product list

In Skybox, you can create a list of products used by your organization—the deployed product list. Use this list to analyze the threat alerts to help you to decide whether they are relevant (that is, whether they affect deployed products).

The deployed product list is created from several sources. The main source is the product catalog for the alert service used by your organization, which is downloaded with the threat alerts. The product catalog includes all products supported by the alert service. You can create products that have no connection to the product catalog.

We recommend that you base the products in the deployed product list on the product catalog because only products in the catalog are recognized by the alert source as affected by threat alerts.

After Skybox receives a threat alert, you can check whether its affected products are mapped to the deployed product list. If any are, the threat alert affects your organization.

Setting up the deployed product list

The deployed product list can be a flat list of products used by your organization, or the products that you select can be classified into product groups (represented by folders in the product list). For example, you can create a separate product group for each operating system family used in your organization.

You can add products to the product list:

- Select common products from the alert service product catalog

- Manually add products that are missing from the catalog

Creating product groups

We recommend that you create product groups before adding products. However, you can create additional product groups at any time.

To create a product group

1. Click .

   The Skybox Admin window opens with the deployed product list displayed in the Table pane.

2. In the tree, right-click the Deployed Product List node and select New Product Group.

3. In the New Product Group dialog box, type a Name for the product group. You can add a comment.

4. Click OK.

Adding products

You can add a product from the alert service by mapping it to an appropriate catalog product.

You can add products:

- Directly from the product catalog, so that for every selected catalog product, a product with the same name is created in the deployed product list

- One-by-one, either with or without mapping to the product catalog


  This is useful when you are adding a single product.

  - You can map catalog products to the new product, so that it receives an alert whenever a catalog product is affected. For example, you could group all versions of MySQL together, if one person is responsible for dealing with all databases.

  - You can add proprietary applications and deployed products that are not in the product catalog. Unmapped products do not get alerts; you must update them manually.

If you are working with product groups, you can add products:

- Directly to a product group

- To the product list without adding them to a product group

Adding products from the product catalog

To add products from the product catalog

1. Right-click the main Deployed Product List node or a Product Group folder and select New Products from <Catalog name>.

2. In the New Products from <Catalog name> dialog box, in Search for Products, type a string to use for the product search and click Search.

   Note: The search is not case-sensitive.

   Products in the catalog that contain the string as part of their name are listed in a table in the dialog box. The list contains all the products that you can add to the deployed product list. Products that are already included have a check mark in the Mapped in DP List column.

3. From the table, select the products to add to the product list and click .

   Tip: To display the mapping of a product, select the product and click Show References.

Each selected catalog product is added to the deployed product list as a separate product with the same vendor name and product name as the catalog product. Each selected catalog product is mapped to the corresponding new product.

Adding single products

There are 2 ways to add a single product:

- Create it from scratch

- Copy a product from the product list

To create a product from scratch

1. Right-click the Deployed Product List node or a Product Group folder and select New Product.

2. In the New Product from <Vulnerability database name> dialog box, fill in the fields in the Product Details pane. (Only Vendor and Product are mandatory.)

   In Installed Versions, add multiple, comma-separated versions.

3. Click Add.

In Installed Versions, add multiple, comma-separated versions.

3. Click Add.


(If you are creating a product for an application that is not part of the product list, click OKand skip to the end of this procedure (the product will not be mapped to a vulnerabilitydatabase product).)

4. In the Add Products from <Vulnerability database name> dialog box, in Search forProducts, type a string to use for the product search and click Search.

Note: The search is not case-sensitive.

Products in the vulnerability database that contain the string as part of their name are listedin a table in the dialog box. The list contains all the products that you can add to thedeployed product list. Products that are already included have a check mark in the Mappedto Deployed Product List column.

5. From the table, select the vulnerability database products to map to the new product andclick Add.

The selected vulnerability database products are mapped to the new deployed product.

6. Click Close.

7. Click OK.

The new product is added to the deployed product list with the mapping that you selected.

To copy a product

1. Right-click the product to copy and select Create Product Like.

All fields are copied from the selected product to the new product (except for Change Log(History)).

Copied from <vendor product> (<Original ID>) is added as a comment.

2. Make necessary changes to the product.

3. Click OK.

The new product is added to the deployed product list with the mapping that you selected.

Adding business attributes to products

You can add business attributes (for example, product owner) to products in the deployedproduct list.

• To set up: Add the necessary business attributes via Tools > Options > Server Options > Business Attributes > Products.

• To use: Right-click one or more products, select Set Business Attributes, and add the information.

Maintaining the deployed product list

After the deployed product list is set up, you can, from the Skybox Admin window:

• Add or update information about a product (for example, the version numbers of the product that are installed or the number of installations)

• Delete products from the list

• Add, rename, or delete product groups

If you delete a product group, products in this product group that do not belong to other product groups are also deleted.

• Add products

• Add products to product groups

A product can belong to multiple product groups. (To add a product to a product group, right-click the product, select Add Product(s) to Product Group and then select the product group to which to add the product.)

Note: Privileged users can add products when a Vulnerability Definition is selected in the Table pane; in the Details pane, click the <catalog name> Products tab, right-click the product, and select New Product.

Deployed products analyses

To create a deployed products analysis

1. In the tree, right-click Prioritization Center > Analyses > Private Analyses and then select New > Analysis.

2. In the New Analysis dialog box:

a. Type a Name for the analysis.

b. Select Deployed Product List as the analysis type.

The Properties pane of the dialog box changes to display the deployed product list fields.

c. Fill in the fields.

d. Click OK.

The analysis is created.

Skybox Vulnerability Control User Guide

Skybox version 12.0.100.00 146

Advanced topics

This part covers advanced topics: advanced modeling, modeling IPS devices, using Access Analyzer, modifying security metric properties, optimizing performance, and tuning issues.

Chapter 21

Advanced modeling

This chapter explains how to model entities that need additional configuration.

In this chapter

Modeling VPNs 147

Modeling L2 networks 151

Mapping overlapping networks 154

Virtual routers 156

Virtual firewalls 157

Virtualization and clouds 157

Clusters 160

Modeling multihomed assets 161

Merging data 162

Using clouds as Threat Origins 168

Advanced dependency rules 168

Modeling VPNs

A VPN is a private network that uses a public network to connect remote sites or users:

• Site to Site VPN: Connects multiple sites over a public network

• Remote Access VPN: Connects a user to a LAN from a remote location

Skybox supports Site to Site VPNs and models them as a direct link between the participating gateways. This link is represented as a special tunnel network. VPN configuration details are represented by VPN entities on each gateway. A VPN entity includes the protected networks and services, and an interface that connects the gateway to the secure VPN.

Creating VPNs

You can create VPNs in Skybox using online collection or offline file import tasks, or manually, as described in this section.

Automated modeling

When a VPN is created by online collection or offline file import, the configuration of the gateways provides the information necessary to create the tunnel network and the VPN entities, including the interfaces that connect the VPN entities to the tunnel network.

Skybox supports online collection and offline file import of VPN information for:

• Check Point VPN-1 firewalls

• Cisco IOS routers

• Cisco PIX/ASA/FWSM firewalls

• Juniper Networks NetScreen firewalls

You can model VPN information for other devices manually from Skybox Manager or by using iXML. For information about iXML, see the Integration part of the Skybox Developer Guide.

Usually, VPNs are imported as a tunnel of type VpnTunnel with a Vpn network interface. For VPNs from specific vendors, the tunnel can be of type Tunnel with a Tunnel network interface.

Note: Which pair of types is used is vendor-dependent; both configurations model the VPN equally well.

Manual modeling

If you create a VPN manually, use the VpnTunnel tunnel type and the Vpn interface type.

There are 3 steps to creating a VPN:

1. Create the (VPN) tunnel network: Each endpoint of the tunnel is the IP address of a connected gateway (see Creating VPN tunnels)

2. Create a VPN entity for each of the two gateways that are connected by the VPN tunnel: Connect the VPN interface of each VPN entity to the (VPN) tunnel network created in the previous step (see Creating VPN entities)

3. On each gateway, create access rules that specify that data travels over the VPN tunnel: In the VPN pane of each access rule, specify the VPN entity to use (see Creating access rules for the VPN)

If part of the VPN is updated using a task, the manually created entities and connections arepreserved.

Creating VPN tunnels

If you model a VPN manually, create the VPN tunnel and then connect the gateways to the tunnel via their network interfaces. For information about the VPN entities that connect the gateways to the tunnel, see Creating VPN entities.

To create a VPN tunnel

1. In the Locations & Networks node of the Model tree, right-click the parent node for the tunnel. The parent node can be a location in the hierarchy or the Locations & Networks node itself.

2. Select New > Network.

• For information about network properties, see the Networks topic in the Skybox Reference Guide.

3. In the New Network dialog box, fill in the fields of the tunnel network:

• Ignore the values in the IP Address and Mask fields; these fields are not used for tunnel networks.

• In Type, select Secure VPN or Tunnel. If you are not sure which to select, use Secure VPN.

Note: The tunnel type and the network interface type must match (either Tunnel / Tunnel or Secure VPN / Secure VPN).

• In the Endpoint 1 and Endpoint 2 fields, type the IP addresses of the connected gateways.

4. Click OK.

Creating VPN entities

You create a VPN entity by:

• Defining the networks and services (in your network) that are protected by the VPN

• Selecting or creating the interface that connects the gateway of the VPN to the tunnel network

To create a VPN entity

1. Right-click a gateway of the tunnel and select Manage VPNs.

2. In the Manage Host VPNs dialog box, click Add.

3. In the New VPN dialog box, fill in the fields according to the following table. If there is no appropriate network interface for the VPN entity, create an interface:

a. Click New.

b. In the New Network Interface dialog box, fill in the fields.

Type of network interface:

• For tunnels modeled using the Secure VPN type, select Secure VPN as the network interface Type.

• For tunnels modeled using the Tunnel type, select Tunnel as the network interface Type.

Note: The type of network interface is vendor-specific. Both configurations model VPN tunnels equally well.

Network:

• In Network, select the tunnel network to which the VPN entity is connected.

• If the tunnel network has not been created yet, leave Network set to None until you create the tunnel network, and then set the field to the tunnel network. For instructions, see Connecting VPN gateways to the tunnel network.

For information about network interface properties, see the Network interfaces topic in the Skybox Reference Guide.

c. Click OK.

VPN entity properties are described in the following table.

PROPERTY           DESCRIPTION

Name               The name of the VPN entity.

Original Text      The name of the original object from which this entity was created.

My Domain          The networks protected by this gateway.

Peer Domain        The networks protected by the endpoint gateway. Only packets whose source and destination addresses match these domains can pass through the VPN tunnel.
                   Note: This field is the encryption domain in Check Point terminology and the proxy in Cisco terminology.

Services           The protected services.

Network Interface  The network interface that connects the VPN entity to the tunnel network.

Connecting VPN gateways to the tunnel network

If the VPN entities were created before the tunnel network, connect each VPN gateway to the tunnel network.

To connect a VPN gateway to the tunnel network

1. In the Table pane, select the gateway.

2. If necessary, in the Details pane, display the Network Interfaces tab.

3. Click the Network Interfaces tab.

4. Right-click the VPN interface and select Properties.

5. In Network in the <Network interface> Properties dialog box, select the tunnel network.

6. Click OK.

Creating access rules for the VPN

After you create the VPN, create an access rule on each gateway that permits data to pass through the VPN.

To create an access rule

1. Right-click the gateway and select Access Rules.

2. In the Access Control List Editor, click New to create an access rule.

3. Fill in the fields in the New Access Rule dialog box according to how the data behaves on the actual device (for a description of each field, see the Access rule properties topic in the Skybox Reference Guide).

a. In VPN Usage, select:

• Specific (to send the data via a specific VPN entity)

• Any (to send the data over any VPN entity of this gateway)

b. If you selected Specific in VPN Usage, click the Browse button next to Specific and select a VPN entity.

4. Click OK.

5. If necessary, move the access rule to its correct position relative to the other rules using Move Up, Move Down, and Move To. If you created the rule in the wrong rule chain, click Move To Other Chain to move it to the correct chain.

6. Click OK.
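The VPN entity properties (My Domain, Peer Domain, Services) and the VPN Usage setting of an access rule together decide which packets a modeled gateway sends through a tunnel. The following is an added example, not Skybox code, that replays that decision for a few packets: a rule that matches is applied, and if it names a VPN (Specific) or allows any VPN (Any), the packet is carried only when some VPN entity's domains and services cover it. The class names, the choice to deny when a matching rule names a VPN that cannot carry the packet, and the sample addresses are assumptions made for this example.

```python
# Added example, not Skybox code: which traffic a modeled site-to-site VPN
# carries, following the VPN entity properties (My Domain, Peer Domain,
# Services) and the access rule VPN Usage values (Specific / Any). Class
# names, the "deny when the matching rule names a VPN that cannot carry the
# packet" choice and the sample addresses are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


def _in_any(addr: str, networks: List) -> bool:
    a = ip_address(addr)
    return any(a in net for net in networks)


@dataclass
class VpnEntity:
    name: str
    my_domain: List          # networks protected by this gateway (encryption domain)
    peer_domain: List        # networks protected by the endpoint gateway
    services: Set[str]       # protected services such as "tcp/443"; empty = all

    def carries(self, src: str, dst: str, service: str) -> bool:
        """Only packets whose endpoints fall in the two domains and whose
        service is protected pass through the tunnel."""
        return (_in_any(src, self.my_domain) and _in_any(dst, self.peer_domain)
                and (not self.services or service in self.services))


@dataclass
class AccessRule:
    src: List
    dst: List
    services: Set[str]
    action: str = "allow"
    vpn_usage: str = "none"            # "none", "any" or "specific"
    vpn_entity: Optional[str] = None   # required when vpn_usage == "specific"

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (_in_any(src, self.src) and _in_any(dst, self.dst)
                and (not self.services or service in self.services))


@dataclass
class Gateway:
    name: str
    vpns: Dict[str, VpnEntity]
    rules: List[AccessRule]            # ordered chain, first match wins

    def decide(self, src: str, dst: str, service: str):
        """Return (action, vpn_entity_name) for one packet; the entity name is
        None when the packet is not sent over a VPN."""
        for rule in self.rules:
            if not rule.matches(src, dst, service):
                continue
            if rule.action != "allow" or rule.vpn_usage == "none":
                return rule.action, None
            if rule.vpn_usage == "specific":
                candidates = [self.vpns[rule.vpn_entity]]
            else:                      # "any": any VPN entity of this gateway
                candidates = list(self.vpns.values())
            for vpn in candidates:
                if vpn.carries(src, dst, service):
                    return "allow", vpn.name
            return "deny", None        # matched rule, but no VPN entity covers the packet
        return "deny", None            # implicit deny at the end of the chain


def build_sample_gateway() -> Gateway:
    """Constructed sample: a London gateway with tunnels to Paris and Boston."""
    to_paris = VpnEntity("london-paris", [ip_network("10.1.0.0/16")],
                         [ip_network("10.2.0.0/16")], {"tcp/443", "tcp/22"})
    to_boston = VpnEntity("london-boston", [ip_network("10.1.0.0/16")],
                          [ip_network("10.3.0.0/16")], set())
    rules = [
        AccessRule([ip_network("10.1.0.0/16")], [ip_network("10.2.0.0/16")],
                   {"tcp/443"}, vpn_usage="specific", vpn_entity="london-paris"),
        AccessRule([ip_network("10.1.0.0/16")], [ip_network("10.0.0.0/8")],
                   set(), vpn_usage="any"),
        AccessRule([ip_network("0.0.0.0/0")], [ip_network("0.0.0.0/0")],
                   set(), action="deny"),
    ]
    return Gateway("london-fw", {v.name: v for v in (to_paris, to_boston)}, rules)


if __name__ == "__main__":
    gw = build_sample_gateway()
    for pkt in (("10.1.5.5", "10.2.7.7", "tcp/443"), ("10.1.5.5", "10.2.7.7", "tcp/3389"),
                ("10.1.5.5", "10.3.9.9", "udp/53"), ("192.168.1.1", "10.3.9.9", "udp/53")):
        print(pkt, "->", gw.decide(*pkt))
```

The second sample packet is the case worth checking in your own model: the "any VPN" rule matches it, but the Paris entity does not protect RDP and the Boston entity does not cover the destination, so nothing carries it.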

Modeling L2 networks

L3 routers, firewalls, load balancers, and proxies control traffic between different parts of your network and between your network and the outside world.

L2 gateways (bridges, switches, and transparent firewalls) add segmentation or protection within a network. In Skybox, L2 gateways are modeled only when they affect network accessibility by splitting networks into segments.

L2 gateways are modeled in Skybox in almost the same way as L3 gateways, except that an L2 gateway is marked as Layer 2 and must have an L2 network interface. Access rules for L2 gateways are the same as those for regular (L3) gateways.

L2 network interfaces are similar to regular (L3) network interfaces, except:

• No IP address is required (the IP address is recorded as 0.0.0.0).

• Because an L2 interface has no IP address, it must be connected to a segment and not to a network.

After the L2 gateway is created, you divide the network into segments and attach the networkinterface of the L2 device to the segments.

The following figures illustrate the difference between a regular (L3) network and an L2network.

Creating L2 devices

You can create L2 devices using online collection tasks, offline file import tasks, or manually.

You create an L2 device manually in the same way that you create a regular (L3) device,except that you must:

l Select Layer 2.

• Create L2 network interfaces for the device. Each L2 network interface connects the device to a network segment. The L2 device might also have L3 network interfaces.

If device configuration data is collected from a device or imported from a file, L2 network interfaces are created but they are not attached to the network, because they do not have IP addresses; attach the interfaces to the network (and segment the network) manually.

Segmenting networks

In Skybox, a network segment is a portion of an IP network that is physically separated from other parts of the network by an L2 gateway. You create network segments manually (one segment for each part of the network that is behind a different network interface of the device) and then assign each asset in the network and each network interface of the L2 device to the appropriate segment.

You can also segment the network and assign the L2 network interfaces using iXML. For information about iXML, see the Integration part of the Skybox Developer Guide.

Creating network segments

Usually, an L2 device splits a network into two segments. However, it can split a network into multiple segments or split multiple networks. You must create each segment manually in the model. When you create a segment, you assign the appropriate assets in the network to the segment via their network interfaces.

To create a network segment

1. In the Model tree, right-click the network to segment and select Manage Segments.

2. In the Manage network segments dialog box, click Add.

3. In the New Segment dialog box:

a. Type a Name for the segment.

b. Optionally, define the IP address ranges for the segment.

c. The Available field lists the network interfaces of all assets in this network. For each asset that is in the segment, select its network interface in the Available field and move it to the Selected field.

d. Click OK.

In the Tree pane, the network contains the segments that you created and an Unsegmented Assets node.

Assets that are not assigned to a segment in the segmented network are displayed when you select the Unsegmented Assets node.

4. Repeat this process for each segment that you need.

If the L2 device has a management (L3) network interface, the L3 interface should not belong to a segment. The L2 device is then listed in every segment and also in the Unsegmented Assets node, because of the L3 network interface.

Note: When you delete a network segment, all assets (according to their network interfaces) that were part of that segment become unsegmented assets in the network.

Configuring the L2 network interfaces

After the network is segmented, assign the L2 network interfaces of the L2 device to the appropriate segments.

To assign an L2 network interface to a network segment

1. Select the L2 device in the Table pane.

2. In the Network Interfaces tab of the Details pane, select the interface to connect and open its Properties dialog box.

3. In Network, select the network segment to which the interface is attached.

4. Click OK.

If this L2 device is updated using a task, the connection between the L2 interfaces and their network segments is preserved.
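The segmentation rules above (L2 interfaces carry 0.0.0.0 and attach to a segment rather than a network, assets join a segment through their interfaces, a deleted segment leaves its assets unsegmented, and the L2 device's L3 management interface stays out of every segment) determine whether traffic between two assets in the same IP network is evaluated against the L2 gateway's access rules at all. The following added example, not Skybox code, builds that structure in memory and answers that question for pairs of interfaces. The class names and the sample network are assumptions made for this example.

```python
# Added example, not Skybox code: a network split into segments by an L2
# gateway, following the rules in the section above. Class and sample names
# are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    asset: str
    name: str
    ip: str = "0.0.0.0"      # L2 interfaces carry no address
    layer2: bool = False

    @property
    def key(self):
        return f"{self.asset}:{self.name}"


@dataclass
class Network:
    cidr: str
    interfaces: dict = field(default_factory=dict)   # key -> Interface
    segments: dict = field(default_factory=dict)     # segment name -> set of keys

    def attach(self, iface):
        """Attach an L3 interface to the network, or register an L2 one for a segment."""
        if iface.layer2:
            if iface.ip != "0.0.0.0":
                raise ValueError(f"{iface.key}: an L2 interface must not carry an IP address")
        elif ip_address(iface.ip) not in ip_network(self.cidr):
            raise ValueError(f"{iface.key}: {iface.ip} is outside {self.cidr}")
        self.interfaces[iface.key] = iface

    def create_segment(self, name, keys):
        """One segment per part of the network behind a given L2 interface."""
        for k in keys:
            if k not in self.interfaces:
                raise KeyError(k)
            if self.segment_of(k) is not None:
                raise ValueError(f"{k} already belongs to segment {self.segment_of(k)}")
        self.segments[name] = set(keys)

    def delete_segment(self, name):
        del self.segments[name]     # its members fall back to Unsegmented Assets

    def segment_of(self, key):
        return next((s for s, members in self.segments.items() if key in members), None)

    def assets_in_segment(self, name):
        return {self.interfaces[k].asset for k in self.segments[name]}

    def unsegmented_assets(self):
        """Assets with at least one interface that is in no segment."""
        return {i.asset for k, i in self.interfaces.items() if self.segment_of(k) is None}

    def l2_gateways(self):
        return {i.asset for i in self.interfaces.values() if i.layer2}

    def path(self, key_a, key_b):
        """How traffic between two interfaces of this network is evaluated:
        ('direct', None)       same segment, the L2 gateway is not in the path
        ('l2', device)         different segments joined by L2 interfaces of `device`,
                               so that device's access rules apply
        ('unsegmented', None)  at least one side is not assigned to a segment"""
        sa, sb = self.segment_of(key_a), self.segment_of(key_b)
        if sa is None or sb is None:
            return ("unsegmented", None)
        if sa == sb:
            return ("direct", None)
        for dev in sorted(self.l2_gateways()):
            reaches = {self.segment_of(k) for k, i in self.interfaces.items()
                       if i.asset == dev and i.layer2}
            if sa in reaches and sb in reaches:
                return ("l2", dev)
        return ("l2", None)         # segments exist but no single L2 device joins them


def build_sample_network():
    """Constructed sample: transparent firewall tfw1 splits 10.0.0.0/24 in two."""
    net = Network("10.0.0.0/24")
    for iface in (Interface("web1", "eth0", "10.0.0.10"),
                  Interface("db1", "eth0", "10.0.0.20"),
                  Interface("adm1", "eth0", "10.0.0.30"),
                  Interface("tfw1", "eth1", layer2=True),
                  Interface("tfw1", "eth2", layer2=True),
                  Interface("tfw1", "mgmt0", "10.0.0.1")):   # L3 management interface
        net.attach(iface)
    net.create_segment("front", {"web1:eth0", "tfw1:eth1"})
    net.create_segment("back", {"db1:eth0", "tfw1:eth2"})
    return net
```

In the sample, tfw1 appears in both segments and, because of mgmt0, also among the unsegmented assets, which is exactly the picture the text describes for an L2 device with a management interface.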

Mapping overlapping networks

Overlapping networks are networks that have identical or overlapping IP addresses and subnets. These networks are usually in different parts of your organization, separated by network devices.

These networks are discovered or collected as part of the topology. For Skybox to distinguish between two overlapping networks, define locations so that you can assign each such network to a unique location. Skybox uses these locations to keep the networks separate when data from the networks is imported into the Skybox model.

Importing overlapping networks

Before importing network information:

• If there are no overlapping networks, you do not need to make special preparations before importing information.

• If there are overlapping networks:

1. Make sure that each overlapping network is in a unique location; you can add locations to the model before importing the data.

• For information about defining unique locations in Skybox, see Defining unique locations for overlapping networks.

2. Create a definition file for an Import – Advanced task. This file must contain location hints for each overlapping network (see Adding location hints to the definition file).

• If overlapping networks are identified only after the model is built, these networks have been merged in the model and might include assets from both overlapping networks. Delete these networks manually from the model, create an input file with location hints, and import the data again.

Merging overlapping networks

If a network is imported with a location hint, Skybox attempts to find an identical network under the same location as the location hint, as explained in the following table.

IF... / THEN...

• An identical network was found under the same location: the imported network is merged with the network in the base model.

• No identical network was found: a network is created in the specified location.

• Multiple identical networks were found (this can happen if the location hint is not specific enough; for example, if there are identical networks in the US/New York location and the US/Boston location, and the location hint is [US]): a warning message is issued and no network is created.

If a network is imported without a location hint, outcomes listed in the following table arepossible.

IF... / THEN...

• There are no identical networks: a new network is created.

• There is one other identical network in the model: the imported network is merged into the base model network.

• There are multiple identical networks under different locations: the merge cannot resolve the conflict; a warning message is issued and no network is created.

If a network cannot be merged for any of the preceding reasons, no network is created (and no network is changed).

Assets that are part of overlapping networks are handled in a similar manner. If there are identical assets under different locations, the merge cannot resolve the conflict and the asset is not imported.

Defining unique locations for overlapping networks

To work with overlapping networks in Skybox, define a unique location for each network in the model.

Note: Location names must be unique throughout the model, even when there are no overlapping networks.

Overlapping networks cannot exist in two locations if one location is a direct descendant of the other in the Locations & Networks tree.

For example, in the hierarchy in the following figure:

• Floor1 and Floor2 might hold overlapping networks, but Floor1 and Commonwealth cannot, because Floor1 is a direct descendant of Commonwealth.

• Overlapping networks can exist under US and Europe, but not under US and Boston.

Adding location hints to the definition file

To add overlapping networks to the model

1. Create a definition file for an Import – Advanced task.

For information about creating this file, see the Definition file for advanced file import tasks topic in the Skybox Reference Guide.

2. Add location hints to the definition file.

Each line that imports an overlapping network must have the format <import format type> <source file | directory> [<location hint>]

Note: The brackets ([ and ]) are part of the format of the line; they do not mean that an element is optional.

For permitted values of <import format type>, see the Data formats for file import tasks topic in the Skybox Reference Guide.

Examples

• NMAP_XML c:\sample\result.xml [London\Bakers]

• PIX_CONF c:\sample\file.cfg [Paris]

You can use “\” and “/” as delimiters in the location hint.

To preserve whitespace in location names, place the location inside double quotation marks. For example:

• PIX_CONF c:\sample\file.cfg [North America/New York]: The location is read as NorthAmerica >> NewYork

• PIX_CONF c:\sample\file.cfg ["North America/New York"]: The location is read as North America >> New York

3. Using an Import – Advanced task, import the overlapping networks into the model.

If the location does not exist in the model, it is created during the file import.

Note: For overlapping networks, the files to import using the Import – Advanced task must be on the Skybox Server machine. Location hints are not recognized when you run the task on a Skybox Collector machine.
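The two places where overlapping-network imports go wrong in practice are the definition-file line itself (an unquoted hint silently loses its whitespace, so it no longer names the location you created) and a hint that is too vague to pick one of several identical networks. The following added example, not Skybox code, parses definition-file lines exactly as the format and quoting rules above describe and then replays the merge decisions from the two IF/THEN tables against a small in-memory base model, so that a planned import can be checked before the task runs. The function names, the model layout (a location path mapped to the networks modeled there), the treatment of any ancestor location (not only the immediate parent) as a conflict, and the sample lines are assumptions; the real import is performed by the Skybox task.

```python
# Added example, not Skybox code: parse Import - Advanced location-hint lines
# and replay the merge decisions of the IF/THEN tables above. Function names,
# the model layout and the sample lines are assumptions.
import re
from ipaddress import ip_network

# <import format type> <source file | directory> [<location hint>]
LINE_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*\[(.*)\]\s*$")


def parse_definition_line(line):
    """Return (import_format, source, location_path).
    An unquoted hint loses its whitespace ("[North America/New York]" is read
    as NorthAmerica >> NewYork); a double-quoted hint keeps it. Both "\\" and
    "/" separate location levels."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a location-hint line: {line!r}")
    fmt, source, hint = m.groups()
    hint = hint.strip()
    if len(hint) >= 2 and hint[0] == hint[-1] == '"':
        hint = hint[1:-1]
    else:
        hint = re.sub(r"\s+", "", hint)
    path = tuple(p for p in re.split(r"[\\/]", hint) if p)
    if not path:
        raise ValueError(f"empty location hint in {line!r}")
    return fmt, source, path


def can_overlap(loc_a, loc_b):
    """Overlapping networks may not sit in two locations where one is an
    ancestor of the other (Floor1 under Commonwealth, Boston under US).
    Assumption: any ancestor counts, not only the immediate parent."""
    shorter, longer = sorted((tuple(loc_a), tuple(loc_b)), key=len)
    return longer[:len(shorter)] != shorter


def merge_network(model, cidr, hint=None):
    """Apply the merge rules for one imported network and return
    'merged', 'created' or 'ambiguous'. With a hint, only networks at or
    below the hinted location are candidates; without one, the whole model."""
    net = ip_network(cidr)
    hint = tuple(hint) if hint is not None else None
    matches = [loc for loc, nets in model.items()
               if net in nets and (hint is None or loc[:len(hint)] == hint)]
    if len(matches) == 1:
        return "merged"                      # merged into the base model network
    if matches:
        return "ambiguous"                   # warning; nothing created or changed
    # no identical network: create it (a hinted location is created if missing;
    # assumption: an unhinted network lands under the root node, modeled as ())
    model.setdefault(hint if hint is not None else (), set()).add(net)
    return "created"


def sample_run():
    """Constructed sample: three sites already modeled with 10.0.0.0/24,
    then five definition-file lines importing the same subnet."""
    model = {("US", "New York"): {ip_network("10.0.0.0/24")},
             ("US", "Boston"): {ip_network("10.0.0.0/24")},
             ("Europe", "Paris"): {ip_network("10.0.0.0/24")}}
    lines = [
        r"NMAP_XML c:\scans\ny.xml [US\New York]",       # unquoted: whitespace dropped
        r'NMAP_XML c:\scans\bos.xml ["US/Boston"]',
        r"PIX_CONF c:\cfg\paris.cfg [Europe/Paris]",
        r"PIX_CONF c:\cfg\us.cfg [US]",                   # too vague: several matches
        r"PIX_CONF c:\cfg\london.cfg [Europe/London]",
    ]
    results = []
    for line in lines:
        _fmt, _source, path = parse_definition_line(line)
        results.append((path, merge_network(model, "10.0.0.0/24", path)))
    return results


if __name__ == "__main__":
    for path, outcome in sample_run():
        print("/".join(path), "->", outcome)
```

The first sample line is the trap: `[US\New York]` without quotes becomes the location US >> NewYork, which does not exist, so a fresh network is created beside the one you meant to update, and the later `[US]` hint then finds three candidates instead of two.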

Virtual routers

Virtual routing is a technology that enables multiple instances of a routing table to exist on the same asset at the same time. Each network interface is associated with a single virtual router.

When data packets arrive through an interface, the asset uses the routing table associated with that interface to route the packets. Packets arriving from other interfaces can take different paths to the same destination. Because each virtual router is independent, the same or overlapping IP addresses can be used in different virtual routers without conflict.

In Skybox, each virtual router is modeled as a section in the asset's routing table. Virtual routers are supported for a variety of devices, including Juniper Networks Junos routers and firewalls, and Palo Alto Networks firewalls.

Virtual firewalls

Most vendors offer virtual firewalls, which run multiple firewalls on a single physical device. Each virtual firewall is associated with (inherits) network interfaces from the physical device but has its own ACL and routing table.

In Skybox, virtual firewalls are modeled as separate firewalls with separate configurations.

All virtual firewalls derived from the same physical device share a common prefix in their names so that you can easily identify them in the model (for example, if the system is named Alex, the virtual firewalls are named Alex:vsys1, Alex:vsys2, and so on). Skybox also creates an asset group with the name of the system, and the virtual firewalls are part of this asset group.

In Skybox, virtual firewalls are supported for a variety of firewalls, including Check Point VSX,Fortinet VDOM, and Palo Alto Networks.

Virtualization and clouds

Skybox supports virtual domains for modeling software-defined networking (SDN).  Virtual domains can be modeled in Skybox and access analysis can be performed on them. The Model tree (Virtual Domains folder) shows virtual domains with their security tags and security groups. The Access Policy rules of each security tag can be viewed on the security tag, and each virtual asset shows its entire Access Policy as derived from its security tags.

Skybox includes connectors for Amazon Web Services (AWS), VMware NSX, Microsoft Azure Cloud Services, and Cisco ACI.

• Data from Amazon Web Services data centers can be collected using Cloud & Virtualization – Amazon Web Services Collection tasks.

• Data from VMware NSX Manager servers can be collected using Cloud & Virtualization – NSX and vSphere Collection tasks.

• Data from Microsoft Azure servers can be collected using Cloud & Virtualization – Azure Cloud Services Collection tasks.

• Data from Cisco ACI servers can be collected using Cloud & Virtualization – Cisco ACI Collection tasks.

Additional information about these tasks is provided in Cloud and virtualization tasks in the Skybox Reference Guide.

The mappings between Skybox terminology and the Azure, AWS, and Cisco ACI terminologies are listed in the following table.

SKYBOX          AZURE                                       AWS                                  CISCO ACI

Asset           VM                                          EC2                                  VM

Virtual domain  VNet (Virtual Network)                      VPC (Virtual Private Cloud)          Tenant

Security group  Application security group                  --                                   EPG (endpoint group)

Security tag    Network security group                      Scalable group (was security group)  Contract

Network         Subnet                                      Subnet                               Subnet

LB rules        Load balancer                               Load Balancer                        --

ACL             Network security group                      Network ACL                          Filter

NAT rule        Public IP                                   Elastic IP                           --

VRF             Routing table                               Route table                          VRF (virtual routing and forwarding)

VPN             ExpressRoute (not yet supported by Skybox)  Direct Connect                       --

• In NSX, virtual domains are named tenants.

• Security tags are Access Policy templates used for assets. Security tags are modeled as Tag asset groups that also have access rules.

• Security groups are collections of assets. Security groups are modeled as security group asset groups.

• In Cisco ACI, there are two types of Scalable (Security) Groups: Internal EPGs and External EPGs. External EPGs are modeled as security group asset groups, but their only asset is the virtual router of the tenant.

• You cannot create or edit virtual domains, security tags, or security groups manually, but you can add comments to them and change their owners.

If you select a virtual domain in the tree, you can view its security tags and security groups, or its assets, in the Table pane. If you select a security tag or security group, you can view its assets in the Table pane.

You can view the access rules of a security tag by right-clicking it and selecting Access Rules.

You can also view the access rules of each virtual asset. The access rules of a virtual asset are the access rules from each of its security tags.

The properties of a virtual asset include the properties of a regular (non-virtual) asset and the asset's virtualization environment: the virtual domain, security tags, and security groups to which it belongs.

Note: You cannot create virtual assets manually, but you can edit and delete them. However, you cannot change their virtualization information.

Clusters

Cisco HSRP clusters

Multiple Cisco routers can form a cluster and communicate using the HSRP protocol. The redundancy works by declaring a virtual IP address that is always served by a router in the cluster. Another router in the cluster takes over the virtual IP address if the first router fails. Skybox models these virtual IP addresses as virtual network interfaces with the naming convention standby_n (starting at standby_0).

In Skybox, two routers belong to the same cluster if they have a virtual interface connected to the same network, with the same name and the same IP address. These routers are expected to have the same access rules for each shared virtual interface.

Check Point clusters

Skybox adds the members of a Check Point cluster to a Cluster asset group, with the cluster name as the name of the asset group. The shared IP addresses in the cluster are modeled as virtual interfaces on each cluster member.

Other clusters

Skybox adds the members of a NetScreen, Junos, Cisco ASA, Cisco FWSM, Palo Alto, or FortiGate cluster to a Cluster asset group, with the cluster name as the name of the asset group.

Modeling multihomed assets

A multihomed asset is an asset that is connected to more than one network via multiple network interfaces. Unlike gateways, multihomed assets do not forward packets between the networks to which they are connected. Typically, there is a management network and various other networks.

In Skybox, a multihomed asset is a regular non-forwarding asset (usually of type Asset, Workstation, or Server) that has multiple network interfaces. Because the asset is connected to multiple networks, you can see it in each network to which it is connected. In the Network Map, each multihomed asset appears in all networks to which it is connected.

When a multihomed asset is scanned using a network scanner or vulnerability scanner, it is usually seen from one side only: only one network interface is detected and the asset is added to the model as a regular (single-interface) asset. When it is scanned as part of another network, another side (network interface) is detected; however, no connection between the two IP addresses can be made. Network scans do not usually provide enough information to connect two IP addresses into a multihomed asset.

If multihomed assets are not modeled correctly, the attack simulation results might not be accurate, because Skybox cannot show attack steps between the networks that are connected to this asset.

To model a multihomed asset correctly, inform Skybox that the asset has multiple network interfaces by defining the multihomed assets in iXML and importing them into the model. Skybox then merges the previously created separate assets into the multihomed assets.

Importing a subsequent vulnerability scan updates the multihomed assets without disassembling them.

To merge multihomed assets

1. Create a list of all multihomed assets in iXML format, defining each multihomed asset as an <asset> element with an IP address and multiple <interface> elements (see the <asset> element topic in the Skybox Developer Guide).

For help in creating this list, contact Skybox Support.

2. Import this list into the model using an offline file import task.

The process locates every 'piece' of each asset and connects them together into multihomed assets.

If a multihomed asset is modeled as described, subsequent data imports are merged correctly with the multihomed asset. If there are problems with subsequent data imports, see Troubleshooting multihomed assets.

Troubleshooting multihomed assets

As stated in the preceding section, multihomed asset definitions are not changed by subsequent imports. However, there can be data conflicts, for example, if:

• Multiple assets share the same IP address

• A newly imported asset does not exactly match any asset in the model

This section explains how Skybox processes these situations.

Tip: If you end up with multiple assets that represent a single asset in the network, you can merge the assets manually.

Assets with multiple candidates in the model

When you import a multihomed asset and there are multiple similar assets in the model, Skybox tries to find the best match for the incoming asset by finding the asset that has the greatest number of matching interfaces (same IP address).

For example, there are 2 assets in the model:

• Asset X with IP address 1 and IP address 2

• Asset Y with IP address 1 and IP address 3

A new asset named Asset Z is imported into the model, with IP address 1 and IP address 3. Skybox finds the asset with the greatest number of matching IP addresses, and Asset Z is merged with Asset Y.

A new asset named Asset A is imported into the model, with IP address 1 and IP address 4. Skybox does not have enough information to decide between Asset X and Asset Y for the merge; Asset A is added to the model as a new asset and is not merged with either existing asset.

Assets with one candidate asset in the model

If there is only one candidate asset in the model with an interface that has the same IP address as the incoming asset, Skybox determines whether to merge the incoming asset with the existing asset or to add the incoming asset to the model as a new asset.

To determine whether the assets match, Skybox:

1. Counts the number of matching interfaces (interfaces of the asset in the model and of the incoming asset that have the same IP address)

2. Divides by the number of relevant interfaces in the asset that is in the model.

• If this number is larger than the heuristics threshold, the assets are merged.

• If this number is smaller than the heuristics threshold, the assets are not merged.

The heuristics threshold is set by com.skybox.view.logic.discovery.ModelsMerger.multi_home_heuristics_threshold in:

• <Skybox_Home>\server\conf\sb_common.properties on the Server machine

• <Skybox_Home>\collector\conf\sb_common.properties on Collector machines

The default value of the heuristics threshold is 0.5.

• If an asset that should merge does not merge, decrease the heuristics threshold.

• If an asset merges when it should not, increase the heuristics threshold.
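To see how the two matching rules interact before touching the threshold, the following added example, not Skybox code, replays them in memory: with several candidates it takes the one with the most shared interface addresses and refuses to choose between tied candidates (the Asset X / Asset Y walkthrough above); with a single candidate it compares the matching-interface ratio against the heuristics threshold. The function names and the dict layout (asset name mapped to its set of interface addresses) are assumptions. Two details the page leaves open are also assumptions here: a score exactly equal to the threshold is treated as "not merged", and every interface of the model asset counts as "relevant".

```python
# Added example, not Skybox code: the multihomed-asset matching described
# above, replayed in memory. Function names and the dict layout
# ({asset name: set of interface IP addresses}) are assumptions. A score equal
# to the threshold is treated as "not merged" and every interface of the
# model asset counts as "relevant"; the page does not specify either.
DEFAULT_THRESHOLD = 0.5   # multi_home_heuristics_threshold default


def candidates_for(model, incoming_ips):
    """Model assets that share at least one interface address with the incoming asset."""
    return {name: ips for name, ips in model.items() if ips & incoming_ips}


def choose_merge_target(model, incoming_ips, threshold=DEFAULT_THRESHOLD):
    """Name of the model asset to merge into, or None to add a new asset."""
    incoming_ips = set(incoming_ips)
    cands = candidates_for(model, incoming_ips)
    if not cands:
        return None
    if len(cands) > 1:
        # several candidates: take the one with the most matching addresses;
        # a tie for first place cannot be resolved, so the asset is added as new
        ranked = sorted(cands, key=lambda n: len(cands[n] & incoming_ips), reverse=True)
        best, second = ranked[0], ranked[1]
        if len(cands[best] & incoming_ips) == len(cands[second] & incoming_ips):
            return None
        return best
    # single candidate: matching interfaces divided by the model asset's interfaces
    (name, model_ips), = cands.items()
    score = len(model_ips & incoming_ips) / len(model_ips)
    return name if score > threshold else None


def merge_asset(model, incoming_name, incoming_ips, threshold=DEFAULT_THRESHOLD):
    """Merge or add the incoming asset; return (asset name in model, merged?)."""
    incoming_ips = set(incoming_ips)
    target = choose_merge_target(model, incoming_ips, threshold)
    if target is None:
        model[incoming_name] = incoming_ips
        return incoming_name, False
    model[target] |= incoming_ips      # the multihomed asset keeps every known interface
    return target, True


def sample_model():
    """Constructed sample matching the page's Asset X / Asset Y walkthrough."""
    return {"Asset X": {"IP1", "IP2"}, "Asset Y": {"IP1", "IP3"}}


if __name__ == "__main__":
    m = sample_model()
    print(merge_asset(m, "Asset Z", {"IP1", "IP3"}))   # merged into Asset Y
    print(merge_asset(m, "Asset A", {"IP1", "IP4"}))   # tie between X and Y: added as new
    single = {"fw-core": {"10.0.0.1", "10.1.0.1", "10.2.0.1"}}
    print(choose_merge_target(single, {"10.0.0.1", "172.16.0.1"}))        # 1/3 < 0.5: None
    print(choose_merge_target(single, {"10.0.0.1", "172.16.0.1"}, 0.3))   # lowered: fw-core
```

The single-candidate case shows why the threshold is global and blunt: a three-interface firewall seen from one side scores 1/3 and stays unmerged at the default, so lowering the threshold to make it merge also makes every other one-in-three match merge.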

Merging data

All data that is imported, collected, discovered, or scanned into the model goes through a process named merging, which refines the data and merges the information into the current model. Only data that is added to the model manually does not go through this process.

When data is retrieved for Skybox, it is collected into an update model. This data is normalized into the format in which it is stored in Skybox (see Normalizing the network information) and merged into the base model (usually the Live model) on a per-entity basis:

1. Identify the entity in the base model (see Identifying entities in the base model). If the entity is new (does not exist in the base model), add the entity to the base model and skip the next step.

2. Merge the entity data from the update model into the base model (see Merging entities).

You should understand the criteria that Skybox uses for merging each type of entity: what data is merged into the model and what data is discarded. Usually, merging is a transparent process; sometimes, you must prepare the model to enable merging to proceed correctly.

Normalizing the network information

Skybox does the following to normalize the update model:

• Network status: If the network status is UNKNOWN, the status is set to UP. If the interface type is unknown and it is a Loopback interface, its type is set to LOOPBACK; otherwise, the interface type is set to ETHERNET.

• Discovery method for assets, and for access and routing rules: If the discovery method is null, it is set to UNKNOWN.

• Scan time for assets and services: If the scan time of an asset or a service is null, it is set to the current time.

• Network interfaces for devices and assets:
  ◦ Every interface is attached to the correct network
  ◦ Access rules that are attached only to empty interfaces are deleted
  ◦ Empty (0.0.0.0) interfaces are deleted
  ◦ Assets that do not have an interface that can be primary are deleted
  ◦ If a network interface has no name, Skybox generates a name of the form nif<n>

• Routing rule gateways:
  ◦ If a routing rule has a zero gateway (0.0.0.0) and non-zero gateways, the zero gateway is deleted
  ◦ If a routing rule does not have gateways, a zero gateway is added

• Assets:
  ◦ If an asset has no name, Skybox generates a name of the form host<n>
  ◦ If an asset has duplicate services, the duplicates are deleted
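The normalization rules above, implemented over a constructed update model as an added example (not Skybox code). The dict layout and field names are assumptions, and where the guide leaves a detail open (what makes an interface a Loopback interface, which interfaces can be primary, how a service is identified) the choice made is marked in the comments.

```python
"""Normalization of an update model, following the rules listed in the guide.

Added example, not Skybox code: dict layout, field names and the sample model are
constructed; choices the guide leaves open are marked as assumptions.
"""
import time
from copy import deepcopy

ZERO_IP = "0.0.0.0"
# Assumption: types that cannot be a primary interface (the guide also excludes them from identification).
NON_PRIMARY_TYPES = {"LOOPBACK", "VIRTUAL", "LOADBALANCER"}


def _fix_interfaces(asset, counters):
    kept = []
    for iface in asset.get("interfaces", []):
        if iface.get("ip") == ZERO_IP:                 # empty (0.0.0.0) interfaces are deleted
            continue
        if iface.get("status") in (None, "UNKNOWN"):   # network status UNKNOWN -> UP
            iface["status"] = "UP"
        if iface.get("type") in (None, "UNKNOWN"):     # unknown type -> LOOPBACK or ETHERNET
            # Assumption: "a Loopback interface" is one whose address is in 127/8.
            iface["type"] = "LOOPBACK" if str(iface.get("ip", "")).startswith("127.") else "ETHERNET"
        if not iface.get("name"):                      # unnamed interface -> nif<n>
            counters["nif"] += 1
            iface["name"] = f"nif{counters['nif']}"
        kept.append(iface)
    asset["interfaces"] = kept


def _fix_rules(asset):
    live_ips = {i["ip"] for i in asset["interfaces"]}
    kept = []
    for rule in asset.get("access_rules", []):
        attached = rule.get("interfaces", [])
        if attached and not live_ips.intersection(attached):
            continue                                   # attached only to empty interfaces: deleted
        rule["discovery_method"] = rule.get("discovery_method") or "UNKNOWN"
        kept.append(rule)
    asset["access_rules"] = kept
    for rule in asset.get("routing_rules", []):
        gateways = rule.get("gateways", [])
        non_zero = [g for g in gateways if g != ZERO_IP]
        if non_zero:                                   # zero gateway dropped when others exist
            rule["gateways"] = non_zero
        elif not gateways:                             # no gateways at all -> zero gateway added
            rule["gateways"] = [ZERO_IP]
        rule["discovery_method"] = rule.get("discovery_method") or "UNKNOWN"


def _fix_services(asset, now):
    seen, kept = set(), []
    for svc in asset.get("services", []):
        key = (svc.get("port"), svc.get("protocol"))   # assumption: identity is port + protocol
        if key in seen:                                # duplicate services are deleted
            continue
        seen.add(key)
        if svc.get("scan_time") is None:               # null scan time -> current time
            svc["scan_time"] = now
        kept.append(svc)
    asset["services"] = kept


def normalize_update_model(update_model, now=None):
    """Return a normalized deep copy of ``update_model`` ({"assets": [...]}); the input is untouched."""
    now = time.time() if now is None else now
    model = deepcopy(update_model)
    counters, kept = {"nif": 0, "host": 0}, []
    for asset in model.get("assets", []):
        _fix_interfaces(asset, counters)
        if all(i["type"] in NON_PRIMARY_TYPES for i in asset["interfaces"]):
            continue                                   # no interface can be primary: asset deleted
        if not asset.get("name"):                      # unnamed asset -> host<n>
            counters["host"] += 1
            asset["name"] = f"host{counters['host']}"
        asset["discovery_method"] = asset.get("discovery_method") or "UNKNOWN"
        if asset.get("scan_time") is None:
            asset["scan_time"] = now
        _fix_rules(asset)
        _fix_services(asset, now)
        kept.append(asset)
    model["assets"] = kept
    return model


# Constructed sample that exercises every rule above.
SAMPLE_UPDATE_MODEL = {"assets": [
    {"name": None, "discovery_method": None, "scan_time": None,
     "interfaces": [{"ip": "10.1.2.3", "name": None, "type": None, "status": "UNKNOWN"},
                    {"ip": ZERO_IP, "name": "eth9", "type": "ETHERNET"}],
     "access_rules": [{"id": "acl-dead", "interfaces": [ZERO_IP]},
                      {"id": "acl-live", "interfaces": ["10.1.2.3"], "discovery_method": "CONFIG"}],
     "routing_rules": [{"destination": "0.0.0.0/0", "gateways": [ZERO_IP, "10.1.2.1"]},
                       {"destination": "10.1.2.0/24", "gateways": []}],
     "services": [{"port": 22, "protocol": "tcp", "scan_time": None},
                  {"port": 22, "protocol": "tcp", "scan_time": 1000.0}]},
    # Only a loopback interface: nothing can be primary, so the asset is deleted.
    {"name": "lo-only", "interfaces": [{"ip": "127.0.0.1", "name": "lo", "type": None}]},
]}
```

Calling normalize_update_model(SAMPLE_UPDATE_MODEL) leaves a single asset named host1 with one interface nif1, one access rule, a corrected routing table and one service.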

After the data in the update model is normalized, Skybox performs the following resolutions:

• Patch identification: Each patch is assigned to a service product (using product banner matching)

• Asset type deduction: The type of each asset is deduced from the services running on the asset

• Operating system fingerprint translation: The operating system banner is matched to the appropriate service definition

• Product banner translation: Service banners are analyzed to find a match in the Skybox Vulnerability Dictionary

• Product catalog ID resolution: Product catalog IDs are resolved using the Skybox Vulnerability Dictionary

• Vulnerability occurrence matching:
  ◦ Some vulnerability occurrences are discovered indirectly by scanners and then assigned incorrectly. For example, a scanner grabs information about an asset’s services via SNMP and assigns the vulnerability occurrences found to SNMP; these vulnerability occurrences must be matched to the correct service.
  ◦ Some scanners do not report which services are vulnerable; they provide 2 separate lists (all vulnerability occurrences found on the asset and all services found on the asset), and you must create the link between services and vulnerability occurrences.

Identifying entities in the base model

Each type of entity has different criteria for identification. For example:

• Most types of networks are identified by IP address and netmask.

• Assets are identified by their network interfaces.

  When you import an asset, Skybox decides whether the asset is already in the model by looking for an asset with a network interface with the same IP address that is not of type Virtual, Loopback, Tunnel, or LoadBalancer.

• Services on the same asset are identified by their ports.

If an entity in the update model is new (is not in the base model), it is added directly to the base model, without going through the final step (entity merge).

Merging entities

If an entity in the update model is already in the base model, there are 2 ways to merge the data:

• The information in the 2 models is combined

• The information in the base model is replaced by the information in the update model

Although the methods for merging each entity type are different, the main criteria for the merge are:

• Reliability of source

  For example, imported gateway configurations are considered the most reliable source. Data retrieved from SNMP is considered more reliable than data retrieved by a network scan because it usually contains more detailed information about the service and network configuration of the asset.

  If the source of the base model data is more reliable (more accurate and more complete) than the source of the update data, either no data is merged or only new information from the update model is merged.

  The properties in the discovery properties (Server & Collector) section of <Skybox_Home>\<component>\conf\sb_common.properties (<component> is server or collector) define the order of source reliability for different entities.

• Time

  Newer data is preferred to older data. Time is measured according to the Scan Time timestamp.

• Completeness

  Some data is better than none.

If the data in the update model for an entity is older, less reliable, or less complete than the data in the base model, the data from the update model is discarded and the entity in the base model is not changed.

Merging assets

Skybox uses the following network interface types to identify assets:

• NAT

• Ethernet

• WLAN

• TokenRing

• PPP

• Slip

• Other

• Serial

• Tunnel

Skybox does not use Virtual, Loopback, and LoadBalancer network interfaces for identification.

Note: When you import asset information, an asset that has different (dynamic) IP addresses in the 2 models is not merged. To ensure that all asset data is merged, use Merge assets by WINS name in the offline file import and online collection tasks. If you select this option, the process looks for identical WINS names for merged assets and, only if not found, falls back to comparing IP addresses.

When Skybox decides that an asset in the base model and an asset in the update model are the same asset, all elements of the asset are merged, including:

• Network interfaces

• Routing rules

• Access rules

• Services

• Vulnerability occurrences

Each element is merged separately, based on reliability, time, and completeness (see Merging entities).

Network interfaces

Interfaces are merged according to reliability and time. If the discovery method in the update model uses CONFIG or SNMP, which are considered the most reliable sources, the interfaces in the update model overwrite those in the base model. Otherwise, the interfaces are merged with those in the base model.

Note: If you work with routers, the default behavior of the merge is to disconnect manually connected network interfaces. To prevent this, set the Network of the network interface to Locked before the routers are updated.

Routing rules

When routing rules are merged, the whole routing table is considered; single routing rules are not merged separately. Routing tables are merged according to reliability and time.

• If the routing table in the update model is more reliable or newer, it overwrites the routing table in the base model.

• If the base asset does not have a routing table, the routing table of the asset in the update model is merged.

Access rules

When access rules are merged, only ACLs are considered; single access rules are not merged separately. ACLs are merged according to reliability and time.

If the ACL in the update model asset is more reliable or newer, its access rules overwrite those in the base model.
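The reliability and time criteria from Merging entities, together with the interface, routing table and ACL rules above, worked through as an added example (not Skybox code). The numeric reliability ranking is assumed (Skybox reads the real order from sb_common.properties), the record layout and sample assets are constructed, and "more reliable or newer" is read as "more reliable, or equally reliable and newer".

```python
"""Merge decisions for one asset's interfaces, routing table and ACL, following
the reliability-and-time rules in the guide.

Added example, not Skybox code.  Record layout and sample assets are constructed;
the reliability ranking is assumed (the real order lives in sb_common.properties).
"""
from dataclasses import dataclass, field

# Assumption: higher number = more reliable.  The guide states only that imported
# configurations are most reliable and that SNMP beats a network scan.
RELIABILITY = {"CONFIG": 3, "SNMP": 2, "SCAN": 1, "UNKNOWN": 0}
OVERWRITING_SOURCES = ("CONFIG", "SNMP")   # their interfaces overwrite the base model's


@dataclass
class AssetData:
    discovery_method: str
    scan_time: float                                   # Scan Time timestamp (epoch seconds)
    interfaces: dict = field(default_factory=dict)    # ip -> attribute dict
    routing_table: list = field(default_factory=list)  # whole table, merged as one unit
    acl: list = field(default_factory=list)            # whole ACL, merged as one unit


def update_wins(base, update):
    """Reliability first, Scan Time second (assumed reading of "more reliable or newer")."""
    rb, ru = RELIABILITY[base.discovery_method], RELIABILITY[update.discovery_method]
    return ru > rb or (ru == rb and update.scan_time > base.scan_time)


def merge_interfaces(base, update):
    if update.discovery_method in OVERWRITING_SOURCES:
        return dict(update.interfaces)                 # CONFIG/SNMP: update overwrites base
    merged = dict(base.interfaces)                     # otherwise merge: add new interfaces,
    for ip, attrs in update.interfaces.items():        # keep base attributes for shared ones
        if ip not in merged or update_wins(base, update):
            merged[ip] = attrs
    return merged


def merge_routing_table(base, update):
    if not base.routing_table:                         # base has no table: take the update's
        return list(update.routing_table)
    return list(update.routing_table if update_wins(base, update) else base.routing_table)


def merge_acl(base, update):
    return list(update.acl if update_wins(base, update) else base.acl)


def merge_asset(base, update):
    """Merge each element separately, as the guide describes."""
    winner = update if update_wins(base, update) else base
    return AssetData(
        discovery_method=winner.discovery_method,
        scan_time=max(base.scan_time, update.scan_time),   # newest observation (assumption)
        interfaces=merge_interfaces(base, update),
        routing_table=merge_routing_table(base, update),
        acl=merge_acl(base, update),
    )


# Constructed sample: an SNMP-sourced asset in the base model, then two updates.
BASE = AssetData("SNMP", 1_000.0,
                 interfaces={"10.0.0.1": {"type": "ETHERNET"}},
                 routing_table=[("0.0.0.0/0", "10.0.0.254")],
                 acl=[("permit", "10.0.0.0/24")])
SCAN_UPDATE = AssetData("SCAN", 2_000.0,                      # newer but less reliable
                        interfaces={"10.0.0.1": {"type": "UNKNOWN"}, "192.168.1.1": {"type": "ETHERNET"}},
                        routing_table=[("0.0.0.0/0", "192.168.1.254")],
                        acl=[])
CONFIG_UPDATE = AssetData("CONFIG", 1_500.0,                  # imported configuration
                          interfaces={"10.0.0.1": {"type": "ETHERNET"}, "10.0.1.1": {"type": "ETHERNET"}},
                          routing_table=[("0.0.0.0/0", "10.0.0.1"), ("10.0.1.0/24", "10.0.1.254")],
                          acl=[("deny", "any")])

if __name__ == "__main__":
    print(merge_asset(BASE, SCAN_UPDATE))     # scan adds an interface, tables stay
    print(merge_asset(BASE, CONFIG_UPDATE))   # configuration overwrites everything
```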

Persistent access rules

Persistent access rules are manually created access rules that are used to compensate for access rules that Skybox cannot model (for example, iRules). You add them directly after the rule that they follow on the device. Persistent rules are not overwritten when access rules are merged.

A persistent access rule is enabled while the access rule that it follows on the device (the parent rule) is enabled. If the parent rule is disabled or deleted during an import, the persistent access rule is also disabled.

Services

When the services of 2 assets are merged, the process adds services that are not in the base asset and merges the data of services that are in the base model. The vulnerability occurrences attached to the services are also merged.

Vulnerability occurrences

New vulnerability occurrences on the updated asset’s services are added to the base model. If a vulnerability occurrence is in the base model, the vulnerability occurrence data is merged.

Merging assets manually

Rarely, Skybox cannot identify that a scanned asset is an existing asset, and it creates a new asset in the model. This usually occurs if:

• An asset is renamed: If Skybox cannot verify that the new asset matches the existing asset with the previous name, it creates an asset with the new name.

• An asset is scanned at different times by different interfaces: On the original scan, this asset was created in the model with a single IP address. On a subsequent scan it was identified with a different IP address, and a separate asset is created. In fact, it is 1 asset with 2 IP addresses.

If an asset is merged incorrectly, you can merge it manually.

To merge 2 assets manually

1. Display both assets in the workspace. For example, if both assets are firewalls, use the All Network Devices > Firewalls node.

2. Select both assets, right-click, and select Merge to Single Asset.

   The asset with the older modification date is selected as primary, and the secondary asset is merged with it in the standard way.

Note: When assets are merged manually, Rule Usage Analysis information is not merged; the Rule Usage information from the 1st asset that is imported into the model is retained.

Merging networks

Regular and link networks are identified by IP address and netmask.

Some types of networks have slightly different rules for identification because an IP address and netmask cannot identify them:

• Tunnel networks and Secure VPNs are identified by the IP addresses of their endpoints.
  ◦ For information about tunnel properties, see the Networks topic in the Skybox Reference Guide.

• Connecting Clouds are identified by name.

• Perimeter Clouds are identified by IP address and netmask. If necessary, the cloud name is also used.

The following rules are applied when merging networks:

• New networks are added directly to the base model.

• If the network in the base model contains the updated network, the network is not added.

• Network segments are merged in the context of their networks. Network segments are identified by their network and their name.

• When merging networks, the scan time and the discovery method are ignored.

Skybox uses a different method to handle networks that have identical or overlapping addresses or netmasks, so that the networks are not accidentally merged. For information about how overlapping networks are merged, see Merging overlapping networks.

Merging link networks when each part is in a separate location

A link network is a network whose only assets are gateways (network devices) that connect networks. If a link network consists of gateways that are in 2 different locations and were imported with different location hints, the merge assigns each part of the link network to its own location as a separate (but incomplete) network and does not know how to connect them. In effect, overlapping networks are created instead of a single network.

Manual action is required when merging link networks.


To merge a link network

1. Manually delete all duplicate overlapping link networks.

2. Move the remaining network to the parent location.

If the network has no parent location, move it to the root location.

3. Run the import again.

Using clouds as Threat Origins

Possible access from Threat Origins to Business Asset Groups and assets is translated by the attack simulator into attacks and risk. Under normal circumstances, when Skybox uses clouds as Threat Origins, the risk is not affected by the number of source IP addresses in the cloud that can initiate the attack; a possible attack from any IP address and a possible attack from a single IP address are assigned the same risk.

You can differentiate between these 2 types of attacks in 2 different ways:

• You can configure Threat Origins that are in clouds so that during attack simulation, Skybox assigns a lower risk for few source IP addresses and a higher risk for many source addresses.

• You can create 2 Threat Origins for a cloud, one that develops attacks from wide ranges of source IP addresses of the cloud and one that develops attacks only from specific addresses (that is, from small address ranges; for example, IP addresses permitted for secure protocols over the internet). The 1st Threat Origin (wide address ranges) is typically assigned a relatively high likelihood; the 2nd Threat Origin (specific addresses only) is typically assigned a lower likelihood. If you assign each Threat Origin to a different Threat Origin Category, the exposure and risk for each Threat Origin is separate.

To specify cloud addresses to use for a Threat Origin

1. In the Table pane, right-click the Threat Origin and select Properties.

2. In the Advanced tab, select the type of cloud IP address ranges to use in an attack from this Threat Origin from Cloud Source Addresses.

3. If you select All addresses and you want attacks from specific IP addresses to have a lower risk than those from wide address ranges, select Lower Likelihood for Attacks from Specific Addresses.

Advanced dependency rules

This section explains how advanced dependency rules work in Skybox.

Implicit dependencies

Implicit dependency means that both:

• A security loss (confidentiality, integrity, or availability) on a Business Asset Group member implies the same type of security loss on the Business Asset Group

• An integrity loss on a Business Asset Group member implies an availability and confidentiality security loss on the Business Asset Group

An implicit dependency is created when you assign assets to a Business Asset Group. However, you can change the dependency between the Business Asset Group and its assets to:

• Simple: A security loss (confidentiality, integrity, or availability) on a member implies the same type of security loss on the Business Asset Group.

• None: This method of describing the dependency is not sufficient and you want to specify (using explicit dependency rules) how a security loss on each of the Business Asset Group members affects the Business Asset Group.

To change the implicit dependency of a Business Asset Group

1. In the Business Units & Asset Groups folder of the Model tree, locate the Business Asset Group.

2. Right-click the Business Asset Group and select Properties.

3. In the <Business Asset Group name> Properties dialog box, set Member Dependency.

   If you change the value to None, define explicit dependency rules for each Business Asset Group.

4. Click OK.

Explicit dependency rules

You can use explicit dependency rules for the following purposes:

• To define a dependency of Business Asset Groups on infrastructure elements

  For example, when an e-business application depends on the DNS server

• To define dependencies between Business Asset Groups

  For example, when the availability of one Business Asset Group depends on the availability of another Business Asset Group

• To define dependencies between assets (or between assets and Business Asset Groups)

  For example, to express that the confidentiality loss of a sensitive server potentially compromises a different server in your organization

• To define explicit dependency rules for each asset, if one implicit dependency rule does not match all assets on a Business Asset Group

You can use simple dependency rules to create complex dependency situations. For example:

• Z depends on Y.

• Y depends on W and X.

• Based on these 2 rules, a security loss on X indirectly causes a security loss on Z.
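The Implicit, Simple and None member dependency settings and the transitive effect of explicit rules, worked through as an added example (not Skybox code). The rule tuple layout and the entity names are constructed; the guide's Z/Y/W/X chain is expressed as explicit availability rules.

```python
"""Propagation of a security loss through Business Asset Group dependencies,
following the implicit / simple / explicit rules described in the guide.

Added example, not Skybox code.  The rule tuple layout, the asset names and
the use of the guide's Z/Y/W/X chain as explicit rules are constructed here.
"""
LOSS_TYPES = ("confidentiality", "integrity", "availability")


def implied_group_losses(member_loss, dependency):
    """Losses a Business Asset Group suffers when a member suffers ``member_loss``.

    dependency is the group's Member Dependency setting:
      "implicit": same loss type; an integrity loss also implies availability and confidentiality
      "simple":   same loss type only
      "none":     nothing is implied; explicit dependency rules decide
    """
    if dependency == "none":
        return set()
    if dependency == "implicit" and member_loss == "integrity":
        return set(LOSS_TYPES)
    return {member_loss}


def propagate(initial_losses, membership, dependency, explicit_rules):
    """Return every (entity, loss_type) pair reachable from ``initial_losses``.

    membership:     {member: {group, ...}}   groups the member belongs to
    explicit_rules: [(dependent, dependee, dependee_loss, dependent_loss), ...]
                    "dependent suffers dependent_loss when dependee suffers dependee_loss"
    """
    reached = set(initial_losses)
    frontier = list(initial_losses)
    while frontier:
        entity, loss = frontier.pop()
        consequences = set()
        for group in membership.get(entity, ()):
            consequences.update((group, gl) for gl in implied_group_losses(loss, dependency))
        for dependent, dependee, dependee_loss, dependent_loss in explicit_rules:
            if dependee == entity and dependee_loss == loss:
                consequences.add((dependent, dependent_loss))
        new = consequences - reached          # transitive closure: follow new consequences only
        reached |= new
        frontier.extend(new)
    return reached


def group_losses(entity_losses, group):
    """Loss types that reached ``group`` in a propagation result."""
    return {loss for entity, loss in entity_losses if entity == group}


# Constructed sample 1: one server assigned to one Business Asset Group.
MEMBERSHIP = {"db-01": {"Payments BAG"}}

# Constructed sample 2: the guide's chain as explicit availability rules.
#   Z depends on Y; Y depends on W and X.
CHAIN_RULES = [
    ("Z", "Y", "availability", "availability"),
    ("Y", "W", "availability", "availability"),
    ("Y", "X", "availability", "availability"),
]

if __name__ == "__main__":
    for dep in ("implicit", "simple", "none"):
        result = propagate({("db-01", "integrity")}, MEMBERSHIP, dep, [])
        print(dep, sorted(group_losses(result, "Payments BAG")))
    print(sorted(propagate({("X", "availability")}, {}, "none", CHAIN_RULES)))
```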

To create explicit dependency rules

• In the Model tree, right-click the Dependency Rules node and select New Dependency Rule.


Chapter 22

Additional information about exposure

This chapter provides advanced information about exposure in Skybox.

In this chapter

About attack simulation 170

About risk 171

Risk profiles 175

Risk factors 176

PCI DSS support in Skybox Vulnerability Control 177

About attack simulation

This section provides advanced information about attack simulation.

Data used for attack simulation

Data for simulation is collected from the model and includes:

• Network and routing information
  ◦ Network interfaces
  ◦ Routing rules
  ◦ NAT rules
  ◦ Access rules

• Business information
  ◦ Business Impact rules relating to confidentiality, integrity, and availability
  ◦ Regulations assigned to each Business Asset Group

• Vulnerability occurrences

Note: Skybox only uses vulnerability occurrences with status Found in attack simulation; Skybox does not use vulnerability occurrences with status Ignored or Fixed.

Output of attack simulation

The output of attack simulation is:

• An attack graph, which captures all attack scenarios on your network to the specified Business Asset Groups. Use the Attack Explorer to view maps for selected entities in the model, based on the attack graph.

• Risk levels for Business Asset Groups according to the likelihood and impact of their being attacked.

• Imposed risk levels for Threat Origins and vulnerability occurrences.

• Exposure levels for vulnerability occurrences, including:
  ◦ Direct: Vulnerability occurrences that a Threat Origin can exploit in a single step
  ◦ Indirect: Vulnerability occurrences that a Threat Origin can exploit, but only in multiple steps
  ◦ Protected: Vulnerability occurrences that an attacker cannot access because they are protected by an IPS device
  ◦ Potential: Vulnerability occurrences that have an accessible service, but might not be accessible because of other exploit conditions that cannot be guaranteed (for example, authentication might be required)
  ◦ Inaccessible: Vulnerability occurrences that an attacker cannot access (for example, the vulnerable service is disabled, or the vulnerability occurrence is blocked by a firewall)
  ◦ Excluded: Vulnerability occurrences excluded from attack simulation. (Attack simulation excludes vulnerability occurrences with False Positive, Fixed, or Ignored statuses.)
  ◦ Unknown: Vulnerability occurrences with unknown exposure. The exploit conditions are irrelevant for attack simulation (for example, a browser weakness that might cause damage to a workstation if its user surfs to a hostile website).
  ◦ User interaction: Vulnerability occurrences that require user interaction via email or XSS. Exposure for these vulnerability occurrences is unknown.

• A list of attacks. An attack is a high-level representation of attack scenarios. Each attack has a single Threat Origin and a single destination, which are the starting and ending points of the attack scenarios that it represents. The destination can be an asset or a Business Asset Group.

The Attack Explorer is based on the attack graph and enables you to understand the steps that would be taken in specific attacks. Skybox’s summary graphs and tables, analyses, and reports about exposure are also based on the output of attack simulation.

Attack simulation from clouds

Sometimes, access from clouds is permitted for a few source IP addresses. This access is permitted for management purposes or for providing services for specific users (for example, IP addresses that are permitted for secure protocols over the internet).

If you use such a cloud as a Threat Origin, access from these IP addresses is translated by the attack simulator into attacks and risk.

Note: The default settings for Threat Origins assign the same risk to an attack from any IP address and an attack from a few addresses.

You can configure Threat Origins in clouds so that during attack simulation, Skybox assigns a lower risk for few source IP addresses and a higher risk for many source addresses.

About risk

This section provides advanced information about risk on various entities, including the information that Skybox uses to calculate the risk and options for displaying the risk values.


Risk formula

This section describes the risk formula for a Business Asset Group; risk for most other entities is based on the risk to the Business Asset Groups.

The risk for a Business Asset Group depends on 2 factors:

• The likelihood of successfully attacking the Business Asset Group

• The potential damage caused by the security loss

Formally, Risk = Impact * Likelihood.

Impact

The impact of a security loss is part of the user input to the security model. The impact can be a Business Impact or a Regulation (a compromise to a security-related regulation) and includes damage rules for each type of security loss (confidentiality, integrity, and availability), associating with the loss type an estimation of the potential damage. You can specify the damage as an explicit monetary value or as a level on a 5-level scale (very low, low, medium, high, critical); each level represents the monetary value of the damage.

Likelihood of attack

The likelihood of an attack damaging a Business Asset Group is calculated separately for each of the impact rules of the Business Asset Group.

To compute the likelihood of causing the damage specified by an impact rule on a Business Asset Group, the system examines every attack path from the Threat Origins that can cause the security loss specified by the impact rule (for example, an availability loss of the Business Asset Group). Each attack path starts at a Threat Origin and includes a sequence of attack steps that can cause the security loss. An attack step is either the exploitation of a vulnerability occurrence or the legitimate use of a service. The computation of the attack path likelihood considers:

• The likelihood that an attack is initiated from the Threat Origin (as estimated by the user who defined the Threat Origin)

• The number of attack steps in the attack path

• The likelihood of success of each of the attack steps

  The likelihood of successfully exploiting a vulnerability occurrence is calculated using:
  ◦ The difficulty of exploiting the vulnerability occurrence. Greater difficulty leads to a lower success probability. The exploitation difficulty is a property of each Vulnerability Definition in the Skybox Vulnerability Dictionary.
  ◦ The skill of the attacker (as estimated by the definer of the Threat Origin). A higher skill level has a higher probability of success.
  ◦ The prevalence of the vulnerability occurrence. A Vulnerability Definition that is known to be popular among hackers has a higher success probability.

Computing the likelihood of an attack path involves multiplying the Threat Origin likelihood by the probabilities of the attack steps along the attack path.

If a damage specified by a Business Impact or Regulation can be caused by multiple attack paths, the likelihood of causing the damage is set as the likelihood of the most probable attack path (the path with the highest likelihood).

How risk is defined for each type of entity

Business Asset Groups

A Business Asset Group might be at risk because of attack paths leading to exploitable vulnerability occurrences that are found on the Business Asset Group’s assets or on assets on which the Business Asset Group depends. The risk for a Business Asset Group is the maximum of all risks of attack on that Business Asset Group.

In the risk formula (Risk = Impact * Likelihood), the impact for a Business Asset Group is derived from the Business Impacts and Regulations configured for that Business Asset Group. The likelihood of attacking a Business Asset Group is considered very low if no attacks are found. If attacks are found, the likelihood depends on the difficulty of the attacks (for example, the number of attack steps and the existence of tools for exploiting the vulnerability occurrences).

Business Units

Risk for a Business Unit is the aggregated risk (sum) of attack for all Business Asset Groups of the Business Unit.

Business Impacts and Regulations

Risk for a Business Impact or Regulation is the risk to the Business Impact or Regulation based on the risk of its Business Asset Groups. The risk is calculated by aggregating the risks of the Business Asset Groups affected by this Impact.

Threat Origins

Risk for a Threat Origin is the risk that the Threat Origin poses to your organization due to its ability to exploit vulnerability occurrences and attack Business Asset Groups.

The risk (imposed risk) is the sum of all risks imposed by the selected Threat Origin on all Business Asset Groups configured in the system.

Note: A Threat Origin can impose a risk on a Business Asset Group only if an attack path leads from the Threat Origin to the Business Asset Group.
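The risk formula from the previous section and the aggregation rules for Business Asset Groups, Business Units and Threat Origins above, worked through as an added example (not Skybox code). The attack paths, the groups and the monetary value behind each damage level are constructed here; the guide says each level stands for a monetary value but gives no numbers, and where no attack path exists the guide says "very low" while this example uses 0.0.

```python
"""Risk = Impact * Likelihood for Business Asset Groups and the aggregations built
on it (Business Unit = sum, Threat Origin imposed risk = sum), as the guide describes.

Added example, not Skybox code.  Attack paths, groups and the monetary value per
damage level are constructed; "very low" likelihood with no path is taken as 0.0.
"""
from dataclasses import dataclass, field
from math import prod

# Assumption: monetary value per damage level on the guide's 5-level scale.
LEVEL_VALUE = {"very low": 1_000, "low": 10_000, "medium": 100_000,
               "high": 1_000_000, "critical": 10_000_000}


@dataclass(frozen=True)
class AttackPath:
    threat_origin: str
    origin_likelihood: float      # likelihood that an attack starts at the Threat Origin
    step_probabilities: tuple     # success probability of each attack step, in order
    loss_type: str                # security loss the path causes on the destination

    def likelihood(self):
        """Threat Origin likelihood multiplied by every step's success probability."""
        return self.origin_likelihood * prod(self.step_probabilities)


@dataclass
class BusinessAssetGroup:
    name: str
    impact_rules: dict                       # loss type -> damage level (Business Impact/Regulation)
    paths: list = field(default_factory=list)


def damage_likelihood(bag, loss_type, threat_origin=None):
    """Likelihood of the damage an impact rule describes: the most probable path that causes it."""
    likelihoods = [p.likelihood() for p in bag.paths
                   if p.loss_type == loss_type and threat_origin in (None, p.threat_origin)]
    return max(likelihoods, default=0.0)


def bag_risk(bag, threat_origin=None):
    """Maximum over the group's impact rules of Impact * Likelihood."""
    return max((LEVEL_VALUE[level] * damage_likelihood(bag, loss, threat_origin)
                for loss, level in bag.impact_rules.items()), default=0.0)


def business_unit_risk(bags):
    """A Business Unit's risk is the sum over its Business Asset Groups."""
    return sum(bag_risk(b) for b in bags)


def threat_origin_risk(bags, threat_origin):
    """Imposed risk: sum over all groups of the risk this Threat Origin's paths produce.

    Assumption: the risk imposed on one group uses the same formula, restricted
    to this Threat Origin's attack paths.
    """
    return sum(bag_risk(b, threat_origin) for b in bags)


# Constructed sample: two groups, attacked from two Threat Origins.
PAYMENTS = BusinessAssetGroup("Payments", {"confidentiality": "critical", "availability": "high"}, [
    AttackPath("Internet Hacker", 0.8, (0.5, 0.4), "confidentiality"),   # two steps
    AttackPath("Internet Hacker", 0.8, (0.3,), "confidentiality"),       # one step, more likely
    AttackPath("Insider", 0.2, (0.9,), "availability"),
])
INTRANET = BusinessAssetGroup("Intranet Portal", {"availability": "low"}, [
    AttackPath("Internet Hacker", 0.8, (0.6, 0.5, 0.5), "availability"),  # three steps
])
FINANCE_UNIT = [PAYMENTS, INTRANET]

if __name__ == "__main__":
    for bag in FINANCE_UNIT:
        print(f"{bag.name}: risk={bag_risk(bag):,.0f}")
    print(f"Business Unit: {business_unit_risk(FINANCE_UNIT):,.0f}")
    for origin in ("Internet Hacker", "Insider"):
        print(f"{origin}: imposed risk={threat_origin_risk(FINANCE_UNIT, origin):,.0f}")
```

The one-step confidentiality path (0.8 × 0.3 = 0.24) beats the two-step one (0.8 × 0.5 × 0.4 = 0.16), so only the most probable path sets the Payments likelihood.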

Attacks

Risk for an attack is the risk that a Threat Origin poses to a Business Asset Group. Each attack consists of a source Threat Origin and a destination Business Asset Group or asset. Factors that make up the attack risk include the different ways to attack the destination from the source (the attack scenarios), the likelihood that these attack scenarios might be used, and the different damages that the attack scenarios can cause.

Vulnerability occurrences

Risk for a vulnerability occurrence (or a Vulnerability Definition) is the risk that the vulnerability occurrence poses to your organization because it has the potential to be exploited to damage Business Asset Groups.

Each vulnerability occurrence is assigned an imposed risk derived from 2 factors:

• Risk imposed because the vulnerability occurrence participates in attacks

• Risk imposed because the vulnerability occurrences are on assets, even though there are no attack paths that can be exploited

The combination of these factors is the total risk of the vulnerability occurrence.

Note: Even vulnerability occurrences that are not on an asset in a Business Asset Group pose a risk to that Business Asset Group if they can be used as part of an attack on it.

The imposed risk creates a differentiation between vulnerability occurrences:

• Exposed vulnerability occurrences (directly or indirectly) that do not cause security loss of Business Asset Groups are usually assigned a very low risk.

• Vulnerability occurrences that are exposed and can cause damage are assigned a high risk, based on the damage values and the likelihood of achieving these damages.

For example, a vulnerability occurrence is directly exposed to a Threat Origin, but its imposed risk is very limited because it does not cause a subsequent attack on a major IT asset; another vulnerability occurrence has a high imposed risk because it can be used to attack a payment system. Both vulnerability occurrences have high severity (the attacker can use them to achieve control), but the consequences of achieving control are very different.

Display of risk values

Risk values in Skybox are usually displayed as levels (undefined, very low, low, medium, high, or critical), using a color scale.

Instead of displaying the risk values as levels, you can display them:

• As monetary values

  Monetary risk values are approximate values that enable comparison between risks of different entities at a higher resolution than with levels or scores. They are not intended to represent actual monetary values.

• Using a score of 0-100

Note: Admins can modify the mapping between levels or scores and monetary values to match your organization’s range of damage values.

Specify how risk values are displayed in the Options dialog box (navigate to Tools > Options > Manager Options > Risks Configuration and then set Risk Value Style).

Risk profiles

The risk profile for an entity shows the major components that contribute to the risk for that entity.

You can view risk profiles for:


• Business Units and Business Asset Groups

• Business Impacts and Regulations

• Vulnerability occurrences

To view the risk profile for an entity

• Select the entity in the Table pane and click the Risk Profile tab in the Details pane.

Risk for Business Units and Business Asset Groups is caused by attacks from Threat Origins. The risk profile of a Business Unit or a Business Asset Group shows the risk from all sources (that is, the total risk), followed by the risk from each Threat Origin Category.

Risk for Business Impacts and Regulations is caused by Business Asset Groups that are affected by the Business Impact or Regulation. The risk profile of a Business Impact or Regulation shows the risk from all sources, followed by the risk from each Business Asset Group.

The risk profile of a vulnerability occurrence shows:

• The Business Asset Groups (and Business Units) that the vulnerability occurrence could be used to attack.

• The risk from each Threat Origin Category that could be used to exploit the vulnerability occurrence.

Risk factors

A risk factor is a risk either to an entity or imposed by an entity. Risk for entities is calculated by computing the maximum risk from all risk factors for the entity. Each risk factor involves a source (Threat Origin), a destination (Business Asset Group or asset), and a Business Impact or Regulation that explains the potential loss from the risk factor.

Risk factors are an advanced property of:

• Business Units

• Business Asset Groups

• Threat Origins

• Attacks

To view the risk factors for an entity

• Select the entity in the Table pane and click the Risk Factors tab in the Details pane. (If necessary, click to display the Risk Factors tab.)

In this example, the Source of the 1st risk factor is Internet Hacker, the Target is Back End Finance Application Servers, the Business Impact Name is Financial Information Confidentiality, and it is high risk. The source and target of all the risk factors are the same, but, because the Business Impact is different for each, the risk is different.

PCI DSS support in Skybox Vulnerability Control

Skybox Vulnerability Control supports PCI DSS Requirement 6.1 (6.2 in PCI DSS v3.2): “Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.”

The Skybox PCI DSS Requirement 6.1 report shows how the network for which the report is issued meets this requirement using compensating controls.

The report includes the following sections:

• Introduction: Describes the requirement, including the compensating controls form. This text follows PCI DSS, Appendix C: Compensating Controls Worksheet.

• System Components: Lists the scope of the report (which Business Asset Groups, networks, and network devices are included).

• Vulnerabilities: Lists the vulnerability occurrences that must be remediated for the network to become compliant with this standard.

• Host Lists: Lists the assets in the scope of the report and states whether the assets are compliant with this standard (that is, have no direct, indirect, or unknown vulnerability occurrences).

For additional information about this report, see PCI DSS reports.

For information about defining these reports, see the PCI DSS reports topic in the Skybox Reference Guide.


Chapter 23

Skybox analyses

A Skybox analysis is a query about entities in your network.

This chapter describes predefined risk analyses and explains how to create analyses.

In this chapter

Analyses overview 178

Risk analyses 179

Creating an analysis 179

Analyses overviewA Skybox analysis is a query about a type of entity in your network. When you select ananalysis, Skybox checks all entities of the selected type to determine whether they meet thespecified criteria. Entities that meet the criteria specified in the analysis are listed in the Tablepane.

Skybox includes many predefined analyses for common issues; you can create customanalyses to suit your requirements.

The Exposure workspace includes an Analyses node, which you can use to view information about attacks, Business Asset Groups, Business Units, assets, locations, networks, Business Impacts, Regulations, Threat Origins, vulnerability occurrences, Vulnerability Definitions, and products in the deployed product list.


There are also analyses in other workspaces. For example, the Model workspace includes analyses related to the model and analyses that provide validation information about entities in the model.

Risk analyses

Skybox includes predefined risk analyses for all entities that are affected by risk, including attacks, Business Asset Groups, Business Units, vulnerability occurrences, Threat Origins, Regulations, and Business Impacts.

Each predefined risk analysis shows risk for all entities of its type. You can modify predefined analyses or you can create analyses that, for example, focus on specific network scopes or only show risk higher than a specific level.

Each risk analysis shows information about the entities that match the analysis criteria and their associated risk. The information varies according to the type of entity. For example, Business Impacts by Risk shows the name and loss types specified for each Business Impact; Threat Origins by Risk shows attacker information, including location, likelihood to attack, skill, and initial privilege on the attacking machine.

Creating an analysis

Analyses display sets of related data. For example, you might want to list all high-risk vulnerability occurrences on assets that belong to a network, all assets or locations that have vulnerability occurrences, or all Business Asset Groups that have at least a specific number of assets and a specific risk level.


To create an analysis in the Vulnerability Control workspace

1. In the tree, right-click Prioritization Center > Analyses > Private Analyses and then select New > Analysis.

2. In the New Analysis dialog box:

a. Type a Name for the analysis.

b. Select the analysis type.

The Properties pane of the dialog box changes to display the fields for the selected analysis type.

c. Fill in the fields.

d. Click OK.

The analysis is created.

Sometimes, when you create an analysis, the table in which the analysis is displayed is missing information that you want to view. You can display additional columns in the table.

To display additional columns in a table

1. With the analysis open, right-click in the header row of the Table pane and select Customize Current View.

2. In the Customize Current View dialog box, select the information to display and click OK.

A column with this information is added to the right-hand side of the table. You can drag the column header to a more convenient location in the table.


Chapter 24

Access Analyzer

Access Analyzer analyzes access in the network, taking into account access rules, routing rules, assets, and services.

You can use Access Analyzer for many purposes, including verifying connectivity and security in your network (Live model) and in test scenarios (What If model), and for troubleshooting the network.

This chapter explains how to use Access Analyzer.

In this chapter

Creating queries 181

Access Analyzer output 185

Creating queries

Access Analyzer works by answering queries about access in your network.

Use the Access Query pane to create queries. The pane contains input fields (including source, destination, and access properties) that tell Access Analyzer the access to verify and the additional factors to consider in the analysis.

Queries created in Access Analyzer are intended for 1-time use only. You cannot reuse a query if you create a different query or close Access Analyzer.

To define a query

1. Click the Access Analyzer icon on the toolbar.

2. In Access Analyzer, define the source and the destination.

Note: Source and Destination cannot both be Any.

- For information about all query fields, see the Access Analyzer query fields topic in the Skybox Reference Guide.

3. (For advanced users) To configure additional settings, expand Advanced.

To analyze a query

- After filling in the query fields, click the Analyze button.

Access Analyzer analyzes access from the source to the destination. The results of the analysis are displayed in the results tree.

Defining the source and the destination

The source and destination of access queries are defined by their scope and the services on which access is verified. The destination can have other defining information.


Defining the scope

The scope of the source specifies the source points for access analysis; the scope of the destination specifies the destination points for access analysis.

Either scope can include:

- Simple entities, container entities, or a mixture of both

- The value Any:
  - Use this value in the source when analyzing the source points that can access a destination.

  - Use this value in the destination when analyzing the destinations that can be reached from the specified source point.

To use the Source and Destination Scope dialog box

1. Click the Browse button next to a Scope field.

You must define a specific scope for the source or destination; they cannot both have the default value of Any.

2. Define the source and destination scopes (as explained in the following procedures).

3. Click OK.

To specify the source scope

1. To use specific entities in the source scope: In Available Entities, select all entities that are part of the scope and click the arrow button to move them to Selected Source.

Note: If you query from a network or a location containing networks, access is analyzed using the IP address ranges of the networks instead of using the assets in the networks. To analyze access using routing rules or access rules on specific assets, select the assets and not the networks containing the assets.

2. To use IP address ranges in the source scope:


a. Click IP Ranges (in the Source area).

b. Specify IP addresses:

- Type an IP address range (or an IP address) directly in Use IP Ranges

- Click the Browse button next to Use IP Ranges to select IP address ranges

c. If you are using an IP address or an IP address range and you want to include the entity to which the IP address or IP address range belongs, click Find Networks. Select a matching network and click Select.

If you select an entity and specify alternate IP address ranges, the analysis starts from the selected entities, but Skybox uses the alternate IP addresses instead of the entity IP addresses.

Note: If you specify IP address ranges without selecting a Source entity, you must select at least one entity in Destination Scope; Skybox then uses the specified IP addresses as source addresses for analyzing access to the selected Destination entity.

To specify the destination scope

1. To use specific entities in the destination scope: In Available Entities, select all entities that are part of the scope and click the arrow button to move them to Selected Destination.

2. To use IP address ranges in the destination scope:

a. Click IP Ranges (in the Destination area).

b. Specify IP addresses:

- Type an IP address range (or an IP address) directly in Use IP Ranges

- Click the Browse button next to Use IP Ranges to select IP address ranges

c. If you are using an IP address or an IP address range and you want to include the entity to which the IP address or IP address range belongs, click Find Networks. Select a matching network and click Select.

Defining the services

By default, access from the source to the destination is verified on all available services. However, you can specify services on which access is verified for the source or the destination.

To specify services through which access is checked

1. (To specify services for the source) Expand the Source area.

2. Click the Browse button next to Services.


- By default, the Available Services list is sorted by port. To sort it alphabetically, click the sort button.

- By default, common service families are displayed. To display all service families, click the show-all button.

3. In the Services dialog box:

- In Available Services, select the source or destination ports and click the arrow button to move them to Selected Services.

- Click the Browse button next to Additional Services to specify additional ports to use when checking access.

4. Click OK.

5. To use all services except those selected, select NOT.


Additional destination options

Usually, you use the destination Scope field to specify the destination scope: a collection of assets or networks that should be reachable by all packets. You can also define a Sending To scope, consisting of IP address ranges. Skybox uses all IP addresses in the ranges that you specify in IP Ranges as destination addresses at the beginning of the access analysis, before network addresses are translated. Services specified in the related Services field are handled similarly.

Note: When you define Sending To properties, the destination Scope and Services fields are named the Arriving At scope and services.

For example, you select Internet as the source Scope, you do not select a destination Scope, and you set the destination IP Ranges to 1.2.3.40-1.2.3.50. This query means "What networks, assets, and services are reached if a packet with a destination in the IP address range 1.2.3.40 to 1.2.3.50 is sent from the internet?"

If you select Arriving At entities and Sending To ranges, access is analyzed using the selected IP address ranges, but only the selected entities are displayed (that is, the selected entities filter the results).

To use the additional destination options

1. In the Access Query pane, expand the Destination area.

The original destination scope and services are shown in the Arriving At area, and another area, Sending To, is displayed in the dialog box.

2. Click the Browse button next to IP Ranges.

3. In the IP Ranges dialog box, for each IP address range to use, click Add, type the IP addresses of the range, and click OK.

4. (Optional) Specify services through which to check access:

a. Click the Browse button next to Sending To – Services.

b. In the Services dialog box:

- In Available Services, select services and click the arrow button to move them to Selected Services.

- Click the Browse button next to Additional Services to specify additional destination services to use when checking access.

c. Click OK.

d. To use all services except those selected, select NOT.

Access Analyzer output

The results of the analysis are displayed as a tree in the Results pane (top right) of Access Analyzer. Use the display filters at the top of the pane to specify how the results are displayed in the tree. You can view detailed information for access routes in the Access Route pane (bottom right).


Display filters

The toolbar at the top of the Results pane includes the following display filters:

- Show: The type of entities to display:
  - Accessible Destinations: The accessible destinations when using the specified services
  - Blocked Destinations: The destinations for which there are blocked routes from the source when using the specified services

    When blocked destinations are displayed in the results tree, all names in the tree are italicized.

  - Sources Accessing the Destination: The assets that can access the selected destination when using the specified services

  - Blocked Sources: The assets for which there are blocked routes to the destination when using the specified services

    When blocked sources are displayed in the results tree, all names in the tree are italicized.

- Group by: Specifies whether to group the entities displayed in the results tree by services or by network interfaces.


- Authentication:
  - No: Non-authenticated traffic
  - Yes: Authenticated traffic
  - N/A (Both): Authenticated and non-authenticated traffic

- Entities:

  - Model Entities Only: Assets and services that are part of the current model. If these entities are hidden, only the IP address and port ranges are shown.

  - Possible IP Ranges: All IP addresses and port ranges that are exposed by firewall access rules, even if they are not in the model.

- Show / Hide locations: Specifies whether to group networks into locations.

- Save Results:

  - Save Results as XML: Saves the displayed access results as an XML file.

  - Save Results as CSV: Saves the displayed access results as a CSV file.

  - Save Route as HTML: Saves the selected access route as an HTML file.

- Reply route toggle: Specifies whether to include the reply route when an Access Route is displayed.

Understanding the results

Most of the analyses of Access Analyzer involve connectivity or security.

- Connectivity queries ascertain whether there is a connection between 2 points in your organization and the route between them.

If there is connectivity between the 2 points, the Results pane shows the assets and services that can be connected, and the Details pane shows how the connection is made. If there is no connectivity, a message to that effect is displayed in the Results pane.

- Security queries verify access restrictions applied in your organization.

For a security query, the accessible results should contain only the assets and services that are permitted to be exposed. If there are additional assets in the results, these assets can also open a connection to the Destination entity.

For example, to check that no developers have access to finance information (that is, to machines in the Finance Department), analyze access from R&D to the Finance Department (Source = R&D, Destination = Finance Department). If the accessible results are empty, there is no access (as required). If there are results, there is unwanted access; check the Details pane to find the access path, so that you can fix the problem.

Results tree

The top pane of the analysis results contains a results tree. Assets (and IP address ranges) are grouped in the tree by location and then by network. You can expand each asset or IP address range to display its services.


The content of the results tree depends on the display filters that you select.

If you display destinations, you can drill down from a destination asset to display accessible or blocked services on that asset. If you display source points, you can drill down from a source network to display the gateways that enable or block access.

If you select an asset or a service in the results tree, the Details pane below the results tree shows all potential routes from the source to the destination for the selected entity. If inaccessible entities are displayed in the results tree, the Details pane shows the blocked routes.

Canceling analyses and display of details

You can cancel any action that causes the Results pane or the Details pane to refresh.

To cancel analysis

- Click Cancel at the bottom of the Results pane.

The Cancel button is displayed only while Access Analyzer is analyzing results or details.

Viewing the access route

The Details pane displays the Access Route from the selected source to the destination (or from the source to the selected destination, if displaying results by destination). You can view the route in step-by-step text format or in the Network Map. For each route, the 1st step is the source and the final step is the destination; all hops are shown.

You can use the following controls to specify how the results are displayed:

- Route selector: Enables you to switch between multiple routes.

- Display format: Specifies the display format of the results.

- Map selector: Specifies the map in which the route is displayed. Click Show Route Map to display a map of only the selected route.

If you switch to a different map, highlighting of the selected route is lost. Switch to a different route or a different result to view the route in the Map pane.


- Route map properties: Displays the properties of the route map so that you can change the settings.

Viewing the Access Route in text format

Example of an access route displayed in text format

For each route, the source and destination are listed in full outside the table. The table lists the exact route taken.

- The 1st step is the source point.

If the source point is a subset of the source specified in Source, the source IP address ranges are listed.

- Intermediary steps show gateways passed on the way, with their access rules and address translation rules.

Rules are shown with their direction, rule number, ruleset name, and rule action. Each intermediary step includes an inbound rule and an outbound rule. Click the link in a rule to open the Access Control List Editor, where you can view or change the rule.


If access goes through a VPN tunnel, the step is marked as Encrypted.

- The final point is the destination, including asset name and IP address.

For information about inaccessible routes, see Inaccessible entities.

Inaccessible entities

Access Analyzer might show that there is no access from the source to the destination.

There are 2 basic reasons why a network or asset is inaccessible:

- The route is blocked: An access rule denies access from the source to the destination (the most common reason).

- The route is broken: There is no routing from the source to the destination.

Use Show Blocked Sources or Show Blocked Destinations to discover why there is no access.

Blocked routes

If routes from the source to the destination are blocked, the Access Route lists all hops from the source to the point where the route is blocked. The final entry in the table shows what is blocking the route, usually an access rule on a firewall. The full destination is displayed after the table.

In the following figure, the route between the Development network and the Finance Servers was checked for access and no access was found. To display where access is blocked, use Show Blocked Destinations.


The Access Route shows that access is denied (blocked) by the finance FW firewall and thatthe rule used is access rule 6.

Broken routes

If an entity is inaccessible for routing reasons (for example, routers are missing in the model), the route is not blocked. Instead, it is shown as broken (incomplete). This can happen if:

- The source knows the destination by a different name or IP address (because of NAT rules).

- The model is incomplete and gateways that connect the source and destination are missing.

- Routing rules are missing in gateways between the source and the destination.

- There is a route to a null (black hole) in a gateway between the source and the destination.

If a route is broken, the Access Route provides an explanation of what happened, as in the following figure.


Saving the results

You can save the results of access analysis in 3 different formats:

As a CSV file

This saves a list of the source-destination-port combinations through which the specified access can be achieved, as in the following example.

SOURCE                       DESTINATION                  SERVICE                                                                                                            AUTHENTICATED
192.170.17.0-192.170.19.255  192.170.33.0-192.170.33.255  1-65535/20-21/TCP;1-65535/53-53/TCP;1-65535/79-80/TCP;1-65535/179-179/TCP;1-65535/443-443/TCP;1-65535/535-535/TCP  FALSE
192.170.25.0-192.170.27.255  192.170.33.0-192.170.33.255  1-65535/20-21/TCP;1-65535/53-53/TCP;1-65535/79-80/TCP;1-65535/179-179/TCP;1-65535/443-443/TCP;1-65535/535-535/TCP  FALSE

As an XML file

This saves the results tree as an XML file, as in the following example.

<ExplainTree>
  <Location name="US">
    <Location name="New York">
      <Network name="dmz [192.170.33.0 / 24]" count_description="256 IPs;6 TCP/UDP ports">
        <IpRange name="192.170.33.0-192.170.33.255" count_description="256 IPs; 6 TCP/UDP ports">
          <PortRange name="21 (TCP)" count_description="0 IPs" />
          <PortRange name="25 (TCP)" count_description="0 IPs" />
          <PortRange name="53 (TCP)" count_description="0 IPs" />
          <PortRange name="80 (TCP)" count_description="0 IPs" />
          <PortRange name="443 (TCP)" count_description="0 IPs" />
          <PortRange name="53 (UDP)" count_description="0 IPs" />
        </IpRange>
      </Network>
    </Location>
  </Location>
</ExplainTree>
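Both exports are easy to consume from a script, which is how a security query (see Understanding the results) is usually turned into a repeatable check. The following Python is an added example for this guide and is not Skybox code: it parses a CSV export and an XML export constructed from the two examples above, expands each SERVICE entry, and flags every destination port that is not on an allow-list. Two points are assumptions drawn from the sample values, not stated by the guide: that the CSV is comma-separated, and that each SERVICE entry is laid out as <source ports>/<destination ports>/<protocol>. The DMZ allow-list is constructed for the example.

```python
"""Parse Access Analyzer CSV and XML exports and check accessible services
against an allow-list. Added example for this guide, not Skybox code.
Assumptions: the CSV is comma-separated, and each SERVICE entry reads
<source ports>/<destination ports>/<protocol>."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed CSV export, reproducing the guide's two example rows.
CSV_EXPORT = """SOURCE,DESTINATION,SERVICE,AUTHENTICATED
192.170.17.0-192.170.19.255,192.170.33.0-192.170.33.255,1-65535/20-21/TCP;1-65535/53-53/TCP;1-65535/79-80/TCP;1-65535/179-179/TCP;1-65535/443-443/TCP;1-65535/535-535/TCP,FALSE
192.170.25.0-192.170.27.255,192.170.33.0-192.170.33.255,1-65535/20-21/TCP;1-65535/53-53/TCP;1-65535/79-80/TCP;1-65535/179-179/TCP;1-65535/443-443/TCP;1-65535/535-535/TCP,FALSE
"""

# Constructed XML export, mirroring the guide's ExplainTree example.
XML_EXPORT = """<ExplainTree><Location name="US"><Location name="New York">
<Network name="dmz [192.170.33.0 / 24]" count_description="256 IPs;6 TCP/UDP ports">
<IpRange name="192.170.33.0-192.170.33.255" count_description="256 IPs; 6 TCP/UDP ports">
<PortRange name="21 (TCP)" count_description="0 IPs" /><PortRange name="25 (TCP)" count_description="0 IPs" />
<PortRange name="53 (TCP)" count_description="0 IPs" /><PortRange name="80 (TCP)" count_description="0 IPs" />
<PortRange name="443 (TCP)" count_description="0 IPs" /><PortRange name="53 (UDP)" count_description="0 IPs" />
</IpRange></Network></Location></Location></ExplainTree>"""


def parse_port_range(text):
    """'20-21' -> (20, 21); a single port such as '443' -> (443, 443)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi if hi else lo)


def parse_service(entry):
    """'1-65535/20-21/TCP' -> source ports, destination ports and protocol (layout assumed)."""
    src, dst, proto = entry.split("/")
    return {"src_ports": parse_port_range(src),
            "dst_ports": parse_port_range(dst),
            "proto": proto.upper()}


def parse_csv_export(text):
    """Return one record per (source, destination, service) combination."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        # filter(None, ...) drops the empty item left by a trailing ';'
        for entry in filter(None, row["SERVICE"].split(";")):
            records.append({
                "source": row["SOURCE"],
                "destination": row["DESTINATION"],
                "authenticated": row["AUTHENTICATED"].strip().upper() == "TRUE",
                **parse_service(entry),
            })
    return records


def unexpected_exposures(records, allowed):
    """Flag destination ports outside the allow-list of (protocol, port) pairs.
    For a security query, anything returned here is access the policy did not intend."""
    findings = []
    for rec in records:
        lo, hi = rec["dst_ports"]
        for port in range(lo, hi + 1):
            if (rec["proto"], port) not in allowed:
                findings.append((rec["source"], rec["destination"], f"{port}/{rec['proto']}"))
    return findings


def parse_xml_export(text):
    """Return {network name: [PortRange names]} from an ExplainTree export."""
    root = ET.fromstring(text)
    return {net.get("name"): [pr.get("name") for pr in net.iter("PortRange")]
            for net in root.iter("Network")}


if __name__ == "__main__":
    # Constructed policy: the DMZ may expose only web and DNS.
    ALLOWED = {("TCP", 80), ("TCP", 443), ("TCP", 53), ("UDP", 53)}
    for src, dst, svc in unexpected_exposures(parse_csv_export(CSV_EXPORT), ALLOWED):
        print(f"unexpected: {src} -> {dst} on {svc}")
    for net, ports in parse_xml_export(XML_EXPORT).items():
        print(net, ports)
```

Against the constructed allow-list, each of the two rows yields five unexpected ports (20, 21, 79, 179, and 535 over TCP), which is exactly the set a reviewer would have to justify or close before calling the DMZ compliant with the intended policy.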

As an HTML file showing the route

This saves the route displayed in the Details pane as an HTML file, as in the following example.


Chapter 25

Modifying security metric properties

You can modify the default values of many security metrics properties to suit your requirements. This chapter explains:

- How the security metrics are analyzed

- The properties that might need changing and how to change them

In this chapter

Calculation of scores for VLI security metrics 195

Calculation of scores for RLI security metrics 196

Impact levels 198

Additional security metrics properties 199

Calculation of scores for VLI security metrics

The Vulnerability Level Indicator (VLI) measures the rate of vulnerability occurrences found on assets in a group of assets (for example, a Business Asset Group or Business Unit). The rate is the weighted average number of vulnerability occurrences per asset.

vli_weight(v) = severity_weight(v)

The severity weight is a configurable numeric value associated with the different severity levels; the default values are Critical=1, High=0.3, Medium=0.03, and Low=0 (ignored). For example, 3 high-severity and 3 medium-severity vulnerability occurrences on an asset (3 × 0.3 + 3 × 0.03 = 0.99) are considered to be approximately 1 critical-equivalent vulnerability occurrence.

The VLI value of an asset is the sum of the weights of all vulnerability occurrences on that asset. The VLI value is then mapped to a score between 0 and 100 and to a level. You can configure the score mappings for each security metric separately from the Manage Security Metrics dialog box.

The VLI value for a group of assets is the average of the per-asset VLI values (that is, the average number of critical-equivalent vulnerability occurrences per asset).

VLI calculation for a sample Business Asset Group

A sample Business Asset Group consisting of 5 assets is shown in the following table with each asset's vulnerability occurrence counts by severity and the resulting weighted total.

ASSET              CRITICAL      HIGH          MEDIUM        VLI VALUE (CRITICAL-EQUIVALENT
                   OCCURRENCES   OCCURRENCES   OCCURRENCES   OCCURRENCES ON ASSET)
asset1             2             3             14            3.32
asset2             1             4             8             2.44
asset3             0             1             6             0.48
asset4             3             4             11            4.53
asset5             1             3             13            2.29
AVERAGE PER ASSET  1.4           3             10.4          2.612

The VLI value for this Business Asset Group (that is, the average number of critical-equivalent vulnerability occurrences per asset) is approximately 2.6. When this VLI value is mapped to a VLI score, the VLI score is approximately 46 (which corresponds to the medium level and its color in the user interface).

For additional information about the mapping, see Initial customization.

Note: You can include Business Impacts and Regulations in the vulnerability occurrence weight formula (see Additional security metrics properties).

Calculation of scores for RLI security metrics

The Remediation Latency Indicator (RLI) measures the rate of overdue vulnerability occurrences on an asset, based on remediation SLA criteria.

The RLI score for an asset indicates the number of overdue or relatively old vulnerability occurrences found on the asset. Each vulnerability occurrence is weighted to consider the remediation priority of the vulnerability occurrence and its delay; high priority vulnerability occurrences that have long delays are assigned the highest weight.

The RLI score for a Business Asset Group is the average of the RLI scores for all assets in the Business Asset Group.

Use the RLI metric to identify hot spots whose remediation latency is relatively high; you can examine trends in remediation by how quickly the vulnerability occurrences are being fixed.

Some properties used for the RLI calculation (Vulnerability Occurrence age and SLA) are defined per security metric in the Security Metric Properties dialog box.

The properties in the following table are defined globally for all Remediation Latency Indicator-type security metrics, and are in <Skybox_Home>\server\conf\sb_server.properties.

Remediation priority
  Definition: The importance of remediating vulnerability occurrences of this severity level:
  - Critical = P1
  - High = P2
  - Medium = P3
  In properties file as: KPI_NO_HOST_IMPACT_VUL_SEVERITY_PRIORITIES
  The default value is P1,P2,P3,NA,NA

Latency penalty
  Definition: You can associate each priority with a different latency penalty in the RLI formula. Higher priorities typically get higher penalties, because the remediation latency of a higher priority vulnerability occurrence is more severe than the remediation latency of a lower priority vulnerability occurrence.
  In properties file as: LATENCY_PANELTY_P1 ... LATENCY_PANELTY_P5
  The default values are:
  - LATENCY_PANELTY_P1=1
  - LATENCY_PANELTY_P2=0.5
  - LATENCY_PANELTY_P3=0.1
  - LATENCY_PANELTY_P4=0
  - LATENCY_PANELTY_P5=0

Delay period
  Definition: The delay in the remediation of a vulnerability occurrence is specified by a grace period. Period 0 means no grace period, period 1 means a small grace period, and so on. The grace period of a vulnerability occurrence is the period that matches its age. The grace periods are defined for the different priorities as a function of their SLA values in days:
  - Period 0 (no delay): 0 days to 1 SLA
  - Period 1 (small delay): 1-2 SLAs
  - Period 2 (large delay): 2-3 SLAs
  - Period 3 (very large delay): 3 or more SLAs
  In properties file as: AMOUNT_OF_DELAY_PERIOD_0 ... AMOUNT_OF_DELAY_PERIOD_3
  The default values are:
  - AMOUNT_OF_DELAY_PERIOD_0=0
  - AMOUNT_OF_DELAY_PERIOD_1=1
  - AMOUNT_OF_DELAY_PERIOD_2=2
  - AMOUNT_OF_DELAY_PERIOD_3=3
  For example, for an SLA of 30 days:
  - Period 0 = 0-30 days (there is no grace period)
  - Period 1 = 31-60 days
  - Period 2 = 61-90 days
  - Period 3 = 91+ days

Delay factor
  Definition: The delay factor is a multiplier determined by the delay period of the vulnerability occurrence (small delay, low factor; large delay, higher factor). The RLI weight of the occurrence is its latency penalty (according to its priority) multiplied by this delay factor.
  In properties file as: DELAY_FACTOR_PERIOD_0 ... DELAY_FACTOR_PERIOD_3
  The default values are:
  - Period 0 = 0
  - Period 1 = 1
  - Period 2 = 1.5
  - Period 3 = 2

The SLA values provided in the file are default values for all security metrics. Values set inSkybox Manager for security metrics overwrite the default values.

The formula for calculating the RLI of a vulnerability occurrence or security bulletin is:

rli_weight(v) = latency_penalty(priority(v)) * delay_factor(delay_period(v))

Examples

- If Critical Microsoft Security Bulletins must be addressed in 14 days according to your SLA, change the Critical SLA in the MS-RLI security metric to 14.

- If High Importance Microsoft Security Bulletins must be addressed in 42 days, change the High SLA in the MS-RLI security metric to 42.
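To see how the properties above combine, the following Python implements the rli_weight formula with the default values from the table and walks through the 30-day SLA example. It is an added example for this guide, not Skybox code. Property names are copied as printed in the guide, including the LATENCY_PANELTY spelling. Summing the weights per asset and averaging across a Business Asset Group mirrors the description above, but the chapter does not spell out the per-asset aggregation, so treat that part as an assumption; the SLAs (taken from the MS-RLI examples, plus an assumed 90-day Medium SLA) and the occurrence ages are constructed.

```python
"""RLI weighting with the default property values printed in this chapter.
Added example for this guide, not Skybox code. Property names are spelled as
in the guide (including LATENCY_PANELTY). The per-asset sum and per-group
average are assumptions about the aggregation."""

# KPI_NO_HOST_IMPACT_VUL_SEVERITY_PRIORITIES = P1,P2,P3,NA,NA
SEVERITY_PRIORITY = {"Critical": "P1", "High": "P2", "Medium": "P3", "Low": "NA", "Info": "NA"}

# LATENCY_PANELTY_P1 ... LATENCY_PANELTY_P5; an NA priority carries no penalty
LATENCY_PENALTY = {"P1": 1.0, "P2": 0.5, "P3": 0.1, "P4": 0.0, "P5": 0.0, "NA": 0.0}

# AMOUNT_OF_DELAY_PERIOD_0 ... _3: period boundaries in multiples of the SLA
AMOUNT_OF_DELAY_PERIOD = [0, 1, 2, 3]

# DELAY_FACTOR_PERIOD_0 ... _3
DELAY_FACTOR_PERIOD = [0.0, 1.0, 1.5, 2.0]


def delay_period(age_days, sla_days):
    """Map an occurrence's age to a delay period.
    For a 30-day SLA: 0-30 days -> 0, 31-60 -> 1, 61-90 -> 2, 91+ -> 3."""
    if sla_days <= 0:
        raise ValueError("SLA must be a positive number of days")
    period = 0
    for p, multiple in enumerate(AMOUNT_OF_DELAY_PERIOD):
        # the occurrence is in period p once its age exceeds p SLAs
        if age_days > multiple * sla_days:
            period = p
    return period


def rli_weight(severity, age_days, sla_days):
    """rli_weight(v) = latency_penalty(priority(v)) * delay_factor(delay_period(v))"""
    priority = SEVERITY_PRIORITY.get(severity, "NA")
    return LATENCY_PENALTY[priority] * DELAY_FACTOR_PERIOD[delay_period(age_days, sla_days)]


def asset_rli(occurrences, sla_by_severity):
    """Sum of rli_weight over the occurrences on one asset (aggregation assumed).
    occurrences: iterable of (severity, age in days)."""
    return sum(rli_weight(sev, age, sla_by_severity[sev]) for sev, age in occurrences)


def group_rli(assets, sla_by_severity):
    """Average of the asset RLI values over a Business Asset Group."""
    return sum(asset_rli(occ, sla_by_severity) for occ in assets) / len(assets)


if __name__ == "__main__":
    # Constructed SLAs: Critical 14 and High 42 days as in the MS-RLI examples,
    # plus an assumed 90-day SLA for Medium.
    SLA = {"Critical": 14, "High": 42, "Medium": 90}
    # Constructed occurrences as (severity, age in days).
    web = [("Critical", 20), ("High", 100), ("Medium", 30)]
    db = [("Critical", 10), ("Medium", 200)]
    print("web:", asset_rli(web, SLA))      # Critical in period 1, High in period 2
    print("db:", asset_rli(db, SLA))        # only the old Medium occurrence counts
    print("group:", group_rli([web, db], SLA))
```

The 20-day-old Critical on the web server is already past its 14-day SLA (period 1, weight 1.0), the 100-day-old High is in period 2 (0.5 × 1.5 = 0.75), and nothing within its SLA contributes, which is why a single overdue Critical outweighs a much older Medium.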

Impact levels

The asset impact weight is an optional weight that is determined by Business Impacts and Regulations. Business Impacts and Regulations specify (for Business Asset Groups and groups of assets) the expected impact level (Very Low to Very High) of security loss. DMZ assets and critical servers are typically associated with High or Very High Business Impacts and Regulations; desktops are usually associated with Very Low or Low Business Impacts and Regulations. Each impact level is mapped to a (configurable) numeric weight. That weight (asset_impact_weight) is then used in computing the vulnerability occurrence weight together with the severity, so that the vulnerability occurrence weight formula is:

vli_weight(v) = severity_weight(v) * asset_impact_weight(h)

By default, Skybox does not consider impact levels for security metrics analysis. For the security metrics analysis to include the impact levels:

1. Specify the impact levels.

Note: If you are working with Exposure, this step is part of building the model. If you are working only with security metrics, see Business Impacts and Regulations.

2. In <Skybox_Home>\server\conf\sb_server.properties, set:

- (VLI) KPI_VLI_USE_HOST_IMPACT_FACTOR=true

- (RLI) KPI_RLI_USE_HOST_IMPACT_FACTOR=true

Note: The table in Additional security metrics properties lists these keys as KPI_VLI_USE_HOST_IMPACT and KPI_RLI_USE_HOST_IMPACT. Use the spelling that appears in the kpi properties section of your sb_server.properties file, and restart the Skybox Server after the change.
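The following Python reproduces the sample table from Calculation of scores for VLI security metrics and extends it with the asset impact weight from the formula above, so the effect of enabling the impact factor can be seen on the same data. It is an added example for this guide, not Skybox code. The severity weights are the chapter's defaults; the per-level impact weights are assumed values, since the guide states only that each impact level maps to a configurable weight.

```python
"""VLI calculation for the sample Business Asset Group in this chapter, with
the optional asset impact weight. Added example for this guide, not Skybox
code. Severity weights are the chapter's defaults; the impact weights per
level are assumed."""

# KPI_SEVERITY_FACTOR_FOR_<level>_VULNERABILITY defaults: Critical=1, High=0.3, Medium=0.03, Low=0
SEVERITY_WEIGHT = {"Critical": 1.0, "High": 0.3, "Medium": 0.03, "Low": 0.0}

# Assumed numeric weights for the impact levels Very Low .. Very High
# (the guide says each level maps to a configurable weight but gives no defaults).
IMPACT_WEIGHT = {"Very Low": 0.5, "Low": 0.75, "Medium": 1.0, "High": 1.5, "Very High": 2.0}


def vli_weight(severity, impact_level=None):
    """vli_weight(v) = severity_weight(v) * asset_impact_weight(h).
    With impact levels disabled (the default), asset_impact_weight is 1."""
    impact = IMPACT_WEIGHT[impact_level] if impact_level else 1.0
    return SEVERITY_WEIGHT[severity] * impact


def asset_vli(counts, impact_level=None):
    """Sum of the weights of all occurrences on one asset.
    counts: {severity: number of occurrences}."""
    return sum(n * vli_weight(sev, impact_level) for sev, n in counts.items())


def group_vli(assets, impact_level=None):
    """Average of the per-asset VLI values over a Business Asset Group."""
    return sum(asset_vli(c, impact_level) for c in assets.values()) / len(assets)


# The chapter's sample group: critical / high / medium occurrence counts per asset.
SAMPLE_GROUP = {
    "asset1": {"Critical": 2, "High": 3, "Medium": 14},
    "asset2": {"Critical": 1, "High": 4, "Medium": 8},
    "asset3": {"Critical": 0, "High": 1, "Medium": 6},
    "asset4": {"Critical": 3, "High": 4, "Medium": 11},
    "asset5": {"Critical": 1, "High": 3, "Medium": 13},
}

if __name__ == "__main__":
    for name, counts in SAMPLE_GROUP.items():
        print(f"{name}: {asset_vli(counts):.2f}")           # 3.32, 2.44, 0.48, 4.53, 2.29
    print(f"group VLI: {group_vli(SAMPLE_GROUP):.3f}")       # 2.612, as in the table
    # The same group modeled as a High-impact Business Asset Group with the impact factor enabled.
    print(f"group VLI (High impact): {group_vli(SAMPLE_GROUP, 'High'):.3f}")
```

With the impact factor disabled the code returns the table's 2.612; with the assumed High weight of 1.5 the same occurrences score 3.918, which is the point of the impact levels: identical findings on a DMZ server and on a desktop should not produce the same indicator.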


Additional security metrics properties

Security metric properties are set in the kpi properties section of <Skybox_Home>\server\conf\sb_server.properties.

The properties in the following table might be useful in setting up the behavior of the security metrics.

KPI_SEVERITY_THRESHOLD
  Default value: Medium
  Description: The minimum severity of vulnerability occurrences to include in the security metrics analyses.

KPI_SEVERITY_FACTOR_FOR_<level>_VULNERABILITY
  Default values: Critical=1, High=0.3, Medium=0.03, Low=0
  Description: The weight of the different vulnerability occurrence severities in security metrics analyses.

KPI_VLI_USE_HOST_IMPACT
  Default value: false
  Description: Specifies whether to use the impact factor of assets (which belong to Business Asset Groups that have Business Impacts or Regulations) in VLI analyses.
  - If this property is set to true, the KPI_HOST_IMPACT_* properties might need modifying.

KPI_RLI_USE_HOST_IMPACT
  Default value: false
  Description: Specifies whether to use the impact factor of assets (which belong to Business Asset Groups that have Business Impacts or Regulations) in RLI analyses.
  - If this property is set to true, the properties in the "relevant only for RLI" section of this file might need modifying.

After changing a property, restart the Skybox Server for the change to take effect.


Chapter 26

Skybox Vulnerability Dictionary

The Skybox Vulnerability Dictionary contains an extensive list of vulnerabilities that is updated daily, consolidated from tens of data sources. Each entry includes descriptive information about the Vulnerability Definition and structured information that enables Skybox analytics. For additional information about the data feed used in the dictionary, see Skybox Intelligence Feed.

In this chapter

Skybox Vulnerability Dictionary information 200

CVE compliance 202

Skybox Vulnerability Dictionary information

The information for each Vulnerability Definition in the Vulnerability Dictionary includes:

- SBV ID: Identification number assigned by Skybox

- Existence preconditions: Services that must be on an asset for an occurrence of the Vulnerability Definition to exist

- Exploitation preconditions: Preconditions for exploiting an occurrence of the Vulnerability Definition

- Exploitation effects: Achievements an attacker could gain from a successful exploitation of an occurrence of the Vulnerability Definition

- Attributes: Attributes that might affect the likelihood of a successful exploitation of an occurrence of the Vulnerability Definition, including:
  - Difficulty: An estimated difficulty level for exploiting occurrences of the Vulnerability Definition. The difficulty of exploiting a vulnerability occurrence is largely dependent on the existence or nonexistence of known exploit code for exploiting the Vulnerability Definition, or of a detailed description of how to exploit it.

  - Commonality: An estimation of how frequently attackers exploit this Vulnerability Definition.

SBV ID

In the Vulnerability Dictionary, each Vulnerability Definition is defined on a single service; if there are similar Vulnerability Definitions on multiple services, they are usually defined as different Vulnerability Definitions with different ID numbers.

Note: If a Vulnerability Definition is defined on multiple services with the same ID by CVE and multiple scanners, the Vulnerability Dictionary also defines it as a single Vulnerability Definition with a single ID.

Exploitation preconditions

Exploitation preconditions define 2 values:

Skybox Vulnerability Control User Guide

Skybox version 12.0.100.00 201

l The access that the attacker must have to exploit occurrences of the Vulnerability Definition

l The authentication required on the attacked service: Whether the attacker must pass the service authentication requirement to exploit occurrences of the Vulnerability Definition

For example:

l Remote Access without Authentication: The attacker has remote access to the service on which the vulnerability occurrence is found and no authentication is required to successfully exploit the vulnerability occurrence. Most attackers can reach most vulnerable services, so this is the least demanding precondition.

l Local Access with Authentication: The attacker has local control over the vulnerable asset. This precondition is typical for vulnerability occurrences that enable privilege escalation on an attacked asset.

The remote access precondition has several variations that you should model. For example, for some DoS attacks, it is sufficient for the attacker to have a 1-way UDP connection to the vulnerable service. This limited requirement for 1-way access could enable an attacker to create spoofing attacks that pass through firewalls and reach the vulnerability occurrence because of the spoofed source IP address.

Exploitation effects

Exploitation effects formally describe the achievements that an attacker could gain from successful exploitation of a vulnerability occurrence. Achievements include:

l DoS: The attacker could cause a denial of service to the attacked services on the asset.

l User Control: The attacker could gain user (non-root) control on the attacked asset.

l Root Control: The attacker could gain root control on the attacked asset.

l File System Read: The attacker could read arbitrary files on the file system of the attacked asset.

l Information Leakage: The attacker could cause information leakage, including leakage of user names, passwords, and source code.

During attack simulation, a vulnerability occurrence can be exploited only if all its preconditions are matched. In a multistep attack, achievements gained by exploiting a vulnerability occurrence help to fulfill the preconditions of the next vulnerability occurrence.
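The following is an added example, not Skybox code, of how preconditions and effects chain during a multistep simulation: an occurrence is exploited only when its access and authentication preconditions are all satisfied, and the achievements it yields (User Control, Root Control, Information Leakage) are fed back into the attacker state so that later occurrences become reachable. The precondition vocabulary, the attacker-state fields, the SBV IDs (SBV-A, SBV-B, SBV-C) and the asset names are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Exploitation effects named in the guide.
DOS = "DoS"
USER_CONTROL = "User Control"
ROOT_CONTROL = "Root Control"
FS_READ = "File System Read"
INFO_LEAK = "Information Leakage"


@dataclass(frozen=True)
class Precondition:
    access: str           # "remote" or "local" access to the vulnerable service/asset
    authentication: bool  # True if the attacker must pass the service's authentication


@dataclass(frozen=True)
class Occurrence:
    sbv_id: str
    asset: str
    precondition: Precondition
    effects: frozenset


@dataclass
class AttackerState:
    reachable: set        # assets whose services the attacker can reach over the network
    local_control: set    # assets where the attacker already runs code (user or root)
    credentials: set      # assets whose service authentication the attacker can pass
    achievements: list = field(default_factory=list)


def preconditions_met(occ, state):
    """All preconditions must match; a single missing precondition blocks the exploit."""
    if occ.precondition.access == "remote" and occ.asset not in state.reachable:
        return False
    if occ.precondition.access == "local" and occ.asset not in state.local_control:
        return False
    if occ.precondition.authentication and occ.asset not in state.credentials:
        return False
    return True


def apply_effects(occ, state):
    """Achievements gained here feed the preconditions of later steps."""
    for effect in occ.effects:
        state.achievements.append((occ.sbv_id, effect))
        if effect in (USER_CONTROL, ROOT_CONTROL):
            state.local_control.add(occ.asset)   # satisfies later "local access" preconditions
        if effect == INFO_LEAK:
            state.credentials.add(occ.asset)     # leaked passwords satisfy "with authentication"


def simulate(occurrences, state):
    """Repeat until no further occurrence becomes exploitable (fixed point)."""
    exploited = []
    remaining = list(occurrences)
    progress = True
    while progress:
        progress = False
        for occ in list(remaining):
            if preconditions_met(occ, state):
                apply_effects(occ, state)
                exploited.append(occ.sbv_id)
                remaining.remove(occ)
                progress = True
    return exploited


def demo():
    """Constructed sample: three hypothetical occurrences on two assets."""
    occurrences = [
        # privilege escalation: Local Access, no further authentication -> Root Control
        Occurrence("SBV-B", "web", Precondition("local", False), frozenset({ROOT_CONTROL})),
        # remote, unauthenticated code execution -> User Control
        Occurrence("SBV-A", "web", Precondition("remote", False), frozenset({USER_CONTROL})),
        # remote but authenticated: never reached, the attacker holds no credentials for "db"
        Occurrence("SBV-C", "db", Precondition("remote", True), frozenset({ROOT_CONTROL})),
    ]
    state = AttackerState(reachable={"web", "db"}, local_control=set(), credentials=set())
    return simulate(occurrences, state), state


if __name__ == "__main__":
    exploited, state = demo()
    print("exploited in order:", exploited)
    print("local control on:", sorted(state.local_control))
```

SBV-B is listed first but is only exploited on the second pass, after SBV-A has granted User Control on the asset; SBV-C stays unexploited because the authentication precondition is never met, which is the "all preconditions must match" rule in action.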

The Vulnerability Dictionary is continuously updated by the Skybox research lab. It models all new Vulnerability Definitions as they are released and updates Vulnerability Definitions throughout their life cycle.

Admins can configure the Vulnerability Dictionary for automatic updates to keep your security model up to date.

Severity

The severity of a vulnerability occurrence in Skybox is based on the CVSS (Common Vulnerability Scoring System) base score, a standard rating system for vulnerabilities (from 0.0 to 10.0). The values for the CVSS fields are filled using the exploitation preconditions and exploitation effects of the Vulnerability Definition. If any of this information is not in the Vulnerability Dictionary, the severity is set using an average of CVSS or severity values from external sources. Skybox supports CVSS version 3.


The CVSS base score is translated to a scale (Critical, High, Medium, Low, or Information), and the severity is displayed in Skybox as a scale value followed by the score.

External data sources

The Vulnerability Dictionary also supports most common external vulnerability databases and other external data sources. For each Vulnerability Definition in the Vulnerability Dictionary that is also in external sources, Skybox can display the names and IDs of the Vulnerability Definition in the external data sources. Skybox publishes the full list of data sources separately; sources include:

l Adobe

l CVE

l Cisco PSIRT

l McAfee Foundstone

l Microsoft Security Bulletins

l Oracle

l Qualys Cloud Platform

l Rapid7 Nexpose

l Retina

l Symantec SecurityFocus

l Tenable Nessus

l Tripwire IP360

CVE compliance

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (that is, CVE IDs) for publicly known information security Vulnerability Definitions. CVE is the industry standard for vulnerability and exposure names. CVE IDs make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools.

If the information from Skybox's external sources includes CVE IDs for Vulnerability Definitions, this information is added to the information in the Skybox Vulnerability Dictionary. CVE updates are also included in the Vulnerability Dictionary.

To ensure CVE compliance, the Vulnerability Dictionary includes a Vulnerability Definition (that is, an SBV ID) for every CVE ID. The SBV ID can include IDs from scanners and other dictionaries. If a vulnerability occurrence of a Vulnerability Definition that is not in CVE is reported by a scanner that is supported by Skybox, it is assigned an SBV ID. If a CVE ID is assigned to the Vulnerability Definition later, the CVE ID is then added to the Vulnerability Definition data in the Vulnerability Dictionary.


Chapter 27

Skybox Intelligence Feed

About the Skybox intelligence feed

The Skybox™ Security intelligence feed currently contains more than 130,000 vulnerabilities. The intelligence feed is a collection of information from leading public and private security data sources and is built as a superset of vulnerabilities. As a state-of-the-art vulnerability data service, it is CVE-compliant and implements CVSS v3 standards.

How it works

Skybox Security has a dedicated team focused on threat intelligence and vulnerability research. The Skybox™ Research Lab continuously tracks multiple data sources to detect new alerts as well as changes in already reported alerts (for example, reports of new exploits or solutions). The Lab uses a vast set of automated tools to collect and consolidate information, as well as human analysis and detailed modeling to ensure accuracy. Such work also ensures the information required for the analytical engines of Skybox products is complete.

Data sources

The Skybox intelligence feed is information correlated from various leading public and private security feeds as well as independent researchers. The intelligence feed fully supports vulnerabilities published by the advisories and scanners covered in this document. The feed also includes references to IPS signatures and other sources by cross-referencing with a CVE ID.

Data sources in use

Databases

l NIST NVD

l Red Hat CVE Database

l ExploitDB

Scanners

l Qualys Cloud Platform

l Rapid7 Nexpose

l Tenable Nessus

l Tripwire IP360

IPS

l Cisco Sourcefire

l HP Tipping-Point


l McAfee IPS

l Palo Alto Networks

Additional Information

In addition to the data sources listed previously, the Skybox™ Research Lab monitors social media and news sites to collect information on newly discovered or exploited vulnerabilities. Our sources include:

l AlienVault OTX

l X-Force Exchange

l Leading security researchers via social media (over 100 specially selected Twitter accounts)

l Vulnerabilities and exploits published in leading security news sites.

Vendor advisories

Some vendors report vulnerabilities on their products long before any detail is available on public databases (for example, NVD). The Skybox™ Research Lab follows the security announcements of a selected group of vendors.

This also serves a 2nd purpose: Many of today's vulnerabilities affect multiple important products by virtue of some common library or component integrated within them. In such cases, the Skybox intelligence feed reports not only the originally affected component (as it would be reported, for example, in NVD), but also the indirectly affected products, as reported by their vendors.

The following are the main vendor advisories currently used, though the list is constantly updated.

l Adobe

l Apple

l Avaya

l Check Point

l CloudBees

l Cisco

l F5

l Google Chrome

l Google Android

l IBM

l Microsoft

l Mozilla

l Oracle

l Red Hat

l SAP


l Siemens

l VMware

Merging from multiple sources

The Skybox intelligence feed contains a superset of vulnerabilities from all the supported sources. The intelligence feed is CVE compliant, and the CVE number, with manual analysis when required, is used to cross-reference between the various sources. In addition, the intelligence feed contains vulnerabilities from various other data sources, even if those sources do not have a CVE reference.

This approach allows an organization to consolidate information from multiple scanners or management/patch systems in the Skybox platform, creating a single, normalized view of vulnerabilities. After import into Skybox, this view yields comprehensive risk matrix analytics.

While the intelligence feed contains vulnerabilities, it does not include compliance issues (for example, the use of a default user name or password) or end-of-life notifications. If such items are reported by a scanner, they are created as custom vulnerabilities.
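The following is an added example, not Skybox code, of the merging behaviour described in this section and in CVE compliance earlier: findings from several scanners that share a CVE ID collapse into one Vulnerability Definition, a scanner-only finding without a CVE gets its own SBV ID, a CVE ID published later is attached to that definition, a scanner ID and a CVE ID that point at different definitions are held back for manual analysis, and compliance items are routed to custom vulnerabilities instead of the feed. The SBV ID allocation scheme, the finding format, the Nexpose ID "vendor-advisory-0001" and the placeholder "CVE-0000-0001" are constructed; the Qualys and Nessus IDs for CVE-2021-29951 are taken from the sample entry later in this chapter.

```python
import itertools


class VulnerabilityDictionary:
    """Normalizes scanner findings into one Vulnerability Definition (SBV ID) each."""

    def __init__(self, first_id=100000):
        self._ids = itertools.count(first_id)   # assumed SBV ID allocation
        self.definitions = {}   # sbv_id -> {"cve": str | None, "external": {source: set(ids)}}
        self.by_cve = {}        # CVE ID -> sbv_id
        self.by_external = {}   # (source, external ID) -> sbv_id
        self.custom = []        # compliance items: custom vulnerabilities, not feed entries
        self.conflicts = []     # cross-references that need manual analysis

    def _new_definition(self, cve):
        sbv_id = f"SBV-{next(self._ids)}"
        self.definitions[sbv_id] = {"cve": cve, "external": {}}
        if cve:
            self.by_cve[cve] = sbv_id
        return sbv_id

    def ingest(self, finding):
        """finding: {"source", "id", "cve" (optional), "kind": "vulnerability" | "compliance"}."""
        if finding["kind"] == "compliance":
            self.custom.append(finding)
            return None
        key = (finding["source"], finding["id"])
        cve = finding.get("cve")
        via_external = self.by_external.get(key)
        via_cve = self.by_cve.get(cve) if cve else None
        if via_external and via_cve and via_external != via_cve:
            # Scanner ID and CVE disagree about the definition: do not merge silently.
            self.conflicts.append((key, cve, via_external, via_cve))
            return via_external
        sbv_id = via_external or via_cve or self._new_definition(cve)
        definition = self.definitions[sbv_id]
        definition["external"].setdefault(finding["source"], set()).add(finding["id"])
        self.by_external[key] = sbv_id
        if cve and definition["cve"] is None:
            # CVE ID published after the scanner-only definition was created: attach it now.
            definition["cve"] = cve
            self.by_cve[cve] = sbv_id
        return sbv_id


def demo():
    """Constructed import sequence; returns the dictionary and the SBV ID of each step."""
    d = VulnerabilityDictionary()
    steps = [
        d.ingest({"source": "Qualys", "id": "375529", "cve": "CVE-2021-29951", "kind": "vulnerability"}),
        d.ingest({"source": "Nessus", "id": "149254", "cve": "CVE-2021-29951", "kind": "vulnerability"}),
        # vendor-only finding without a CVE (hypothetical scanner ID)
        d.ingest({"source": "Nexpose", "id": "vendor-advisory-0001", "kind": "vulnerability"}),
        # the same finding re-imported after a CVE was assigned (placeholder CVE ID)
        d.ingest({"source": "Nexpose", "id": "vendor-advisory-0001", "cve": "CVE-0000-0001",
                  "kind": "vulnerability"}),
        # compliance issue: not a feed vulnerability, becomes a custom vulnerability
        d.ingest({"source": "Nessus", "id": "default-credentials", "kind": "compliance"}),
    ]
    return d, steps


if __name__ == "__main__":
    dictionary, steps = demo()
    print(steps)
    print(dictionary.definitions)
```

The conflict list is the part worth keeping in a real pipeline: the text says manual analysis is used when the CVE number alone cannot cross-reference sources, and an importer that auto-merges in that case would silently fold two different Vulnerability Definitions into one.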

Vulnerability information

The Skybox intelligence feed is a central repository for all relevant information about vulnerabilities.

The following information is available for every vulnerability:

l A textual description of the vulnerability

l Vulnerability IDs from all available sources, including CVE (if it exists)

l Affected products and affected versions, including framework dependencies.

l Published solutions, remediation, and workaround information, originating in vendor advisories or IPS vendors cross-referenced by CVE ID. The information includes a reference to the official solution in the advisory (patch ID or fixed version), where available.

l Severity vectors (CVSS v3 compliant)

l Vulnerability effect and attack precondition

l Exploit difficulty and authentication requirements

l References to public sources for additional information

l Exploitability level

Sample vulnerability

The following information is taken from SBV-132598 (CVE-2021-29951) to show the information that is available for a vulnerability.

Vulnerability title: Mozilla Firefox <87, Firefox ESR <78.10.1 and Thunderbird <78.10.1 Remote Security Compromise Vulnerability - CVE-2021-29951

Vulnerability description: Mozilla Firefox before 87, Firefox ESR before 78.10.1 and Thunderbird before 78.10.1 when running on Windows OS before Windows 10 1709, is affected by a security compromise vulnerability. The Mozilla Maintenance Service allows normal remote users to start or stop the service, which could be used to prevent browser update.

Affected products: Mozilla Firefox <87, Mozilla Firefox ESR <78.10.1, and Mozilla Thunderbird <78.10.1 running on Microsoft Windows 7, Windows 8, Windows 10 versions 1703 and lower, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016.

Published solutions: This issue was solved in Mozilla Thunderbird version 78.10.1. It is recommended to upgrade to this version or a later one. See the Mozilla website for download details: https://www.thunderbird.net/en-US/
This issue was solved in Mozilla Firefox version 78.10.1 ESR. It is recommended to upgrade to this version or a later one. See the Mozilla website for download details: https://www.mozilla.org/en-US/firefox/enterprise/

Severity vectors: CVSS v3 base score: 6.5; CVSS v3 temporal score: 5.9; base vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N; temporal vector E:P/RL:O/RC:C

External sources: CVE-2021-29951
Qualys IDs: 375529, 375531, 750123, 750141, 750166, 296053, 750810, 750823
Rapid7 IDs: suse-cve-2021-29951, mfsa2021-10-cve-2021-29951, mfsa2021-18-cve-2021-29951, mozilla-thunderbird-cve-2021-29951, oracle-solaris-cve-2021-29951
nCircle IDs: 487234, 487237, 487305
Nessus IDs: 149254, 149255, 149256, 149257, 150397, 150404, 150455, 150456, 150587, 150685, 151707

Effect and precondition: Effect: Security Compromise (Restrictions Bypass); Access Precondition: Remote

Authentication: Authentication required: None

Related sources information:
http://nvd.nist.gov/vuln/detail/CVE-2021-29951
http://www.mozilla.org/security/announce/2021/mfsa2021-10.html
https://www.mozilla.org/en-US/security/advisories/mfsa2021-18/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-19/
(and many more)

Exploitability: A PoC code was published (https://bugs.chromium.org/p/project-zero/issues/detail?id=2148)

Exploits

Exploitability data regarding vulnerabilities and malware is an important aspect of vulnerability prioritization. In addition to the exploitation information from the CVSS temporal vector, exploited vulnerabilities in the intelligence feed also include an exploitability level and information about which malware or exploit kit can attack them.

l Vulnerabilities with a proof-of-concept exploit: A sample exploit code is available in open or closed forums


l Vulnerabilities exploited in the wild: In targeted or distributed attacks, whether or not related to a specific malware or exploit kit

Products

The Skybox intelligence feed contains vulnerabilities published by the supported sources. These vulnerabilities are associated with more than 14,000 products. The vulnerabilities are added to the intelligence feed according to the affected product's priority. P1 is a list of critical or common products, P2 holds a larger group of enterprise-grade products, and P3 holds the long tail of other products.

See Skybox Intelligence Feed Supported Products and SLA under Appendices for a list of P1 and P2 products.

P1 products include the most important products of the following vendors and types (this is a non-exhaustive list):

l Operating systems: Microsoft Windows, Red Hat Linux, VMware, Citrix, Mac OS X and Unix

l Network devices: Routers, switches, firewalls, and load balancers of the following vendors: Cisco, Check Point, Juniper Networks, and F5 (BIG-IP)

l Databases: Oracle Database, Microsoft SQL Server, and Oracle MySQL

l Web servers, application servers, mail servers, and DNS servers

l Runtime frameworks: Oracle Java, Microsoft .NET, and PHP

l Antivirus: McAfee and Symantec

l Popular workstation apps: Web browsers, Microsoft Office, Adobe Flash Player, Adobe Reader, and Microsoft Lync

l Other popular enterprise-level software: IBM products, Samba, and Splunk

P2 products include additional common enterprise products from over 700 vendors including: Adobe, Apple, Apache, Avaya, Cisco, CA, Elasticsearch, EMC, HP, IBM, Oracle, Pivotal, SAP, TIBCO and VMware.

These lists are updated from time to time, to meet our customers’ needs.

Banner translator and Skybox Vulnerability Detector

Skybox's capabilities include the identification of services from asset data that is imported from patch management and asset management systems, or from configuration files of devices, and detection of vulnerabilities on these services using a 'virtual scan' (Skybox Vulnerability Detector).

Skybox provides virtual scanning for a set of products that were found to be most important to our customers and the industry at large.

There is a list of products that are identified and translated by our banner translator. Other products appear in the model as unidentified or generic OS. The list is updated periodically. Most of these products allow vulnerability detection, meaning that vulnerabilities on these products, which appear in the dictionary, are discovered by Vulnerability Detector.

The scope and speed of coverage of published vulnerabilities for these products depends on the priority (P1 to P3) of the affected product.
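The following is an added example, not Skybox code, of the two steps a banner translator and virtual scan perform: product/version strings of the kind found in an asset inventory are translated into a canonical product and a comparable version tuple, and each identified product is matched against dictionary entries whose existence precondition is an affected-version range. The banner patterns, the inventory lines and the Apache entry are constructed; the two dictionary rows mirror the "Firefox <87" and "Firefox ESR <78.10.1" ranges of the sample entry SBV-132598 in this chapter, with that entry's Windows-version condition omitted.

```python
import re

# Constructed banner patterns -> canonical product name. Real translation tables
# are far larger; these three exist only to drive the example.
BANNER_PATTERNS = [
    (re.compile(r"Mozilla Firefox ESR[ /](\d+(?:\.\d+)*)", re.I), "Mozilla Firefox ESR"),
    (re.compile(r"Mozilla Firefox[ /](\d+(?:\.\d+)*)", re.I), "Mozilla Firefox"),
    (re.compile(r"Apache(?: httpd)?/(\d+(?:\.\d+)*)", re.I), "Apache HTTP Server"),
]

# Existence preconditions: (sbv_id, product, operator, boundary version).
DICTIONARY = [
    ("SBV-132598", "Mozilla Firefox", "<", "87"),
    ("SBV-132598", "Mozilla Firefox ESR", "<", "78.10.1"),
]


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def translate_banner(banner):
    """Return (product, version tuple), or None when the banner is not recognised."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, version_tuple(match.group(1))
    return None


def in_range(version, operator, boundary):
    """Compare versions of different depth by padding, so 78.10 is treated as 78.10.0."""
    bound = version_tuple(boundary)
    width = max(len(version), len(bound))
    left = version + (0,) * (width - len(version))
    right = bound + (0,) * (width - len(bound))
    return {"<": left < right, "<=": left <= right, "==": left == right}[operator]


def virtual_scan(inventory):
    """inventory: iterable of (asset, banner). Returns (hits, unidentified assets)."""
    hits = []
    unidentified = []
    for asset, banner in inventory:
        translated = translate_banner(banner)
        if translated is None:
            unidentified.append(asset)   # would appear as unidentified/generic in the model
            continue
        product, version = translated
        for sbv_id, dict_product, operator, boundary in DICTIONARY:
            if dict_product == product and in_range(version, operator, boundary):
                hits.append((asset, sbv_id, product))
    return hits, unidentified


SAMPLE_INVENTORY = [  # constructed
    ("ws1", "Mozilla Firefox 86.0.1"),
    ("ws2", "Mozilla Firefox ESR 78.10.1"),  # exactly the fixed version: not vulnerable
    ("ws3", "Mozilla Firefox ESR 78.9.0"),
    ("srv1", "Apache/2.4.46"),               # identified, but no dictionary entry here
    ("ws4", "Acme Widget Daemon 1.0"),       # not in the banner table
]

if __name__ == "__main__":
    found, unknown = virtual_scan(SAMPLE_INVENTORY)
    print("vulnerability occurrences:", found)
    print("unidentified assets:", unknown)
```

Two details matter in practice: version comparison must be numeric and tuple-based (string comparison would rank "78.9.0" above "78.10.1"), and the fixed version itself must fall outside a "<" range, which the ws2 line exercises.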


Skybox Vulnerability Center

Skybox™ Vulnerability Center is a public website presenting our vulnerability information, including basic search options and a notification service.

The Vulnerability Center includes the same vulnerabilities as our intelligence feed, although less information is available per vulnerability.

After the intelligence feed is released, the Vulnerability Center is updated to include the latest dictionary information.

Skybox intelligence feed SLA

The intelligence feed is released by 11 a.m. Eastern Standard Time every day except Saturday. You can configure the Skybox Server to automatically update the data service from the internet on a scheduled basis.

The intelligence feed is released with vulnerability updates according to the following policy:

1. Vulnerabilities affecting P1 products: Published within one business day from public disclosure of vulnerabilities by the supported vendors or NVD

2. Vulnerabilities affecting P2 products: Published within 7 days from public disclosure by NVD

3. Vulnerabilities affecting P3 products: Published gradually, after disclosure by NVD

4. Exploitability: Published daily, includes proof-of-concept exploits, vulnerabilities exploited in the wild, and popular malware


Chapter 28

IPS support in Skybox

This chapter explains how to model and use intrusion prevention system (IPS) devices in Skybox.

Skybox directly supports the following IPS devices:

l IBM Proventia G Appliance

l Trend Micro TippingPoint

l Palo Alto Networks (firewalls with IPS capability)

You can model other devices manually or using iXML.

In this chapter

IPS Dictionary 209

Working with IPS in Skybox 209

IPS Dictionary

The IPS rules (issue IDs) of supported IPS devices are included in the Skybox Vulnerability Dictionary. The rules are modeled by associating each rule with the Vulnerability Definitions that it handles.

Note: Only signature rules that handle specific Vulnerability Definitions are modeled. Rules that identify and handle more general packet anomalies are not modeled.

Dictionary updates include updates of vendor IPS rule definitions.

Working with IPS in Skybox

This section explains how to:

l Add supported IPS devices to your model

l Validate supported IPS devices

l View and manage IPS devices in Skybox

l Simulate the effects of IPS devices

l Add other IPS devices to your model

l Test what-if scenarios involving IPS devices

Adding supported devices

To add an IPS device to the model

1. Collect the device data

l IBM Proventia G appliances: Use IPS – ISS SiteProtector IPS Collection tasks (see the IBM SiteProtector IPS collection tasks topic in the Skybox Reference Guide)


l Trend Micro TippingPoint IPS devices: Use IPS – Trend Micro TippingPoint Collection tasks (see the Trend Micro TippingPoint collection tasks topic in the Skybox Reference Guide)

l Palo Alto Networks firewalls: Use Firewalls – Palo Alto Networks Collection tasks, or collect the data offline (see the Palo Alto Networks firewall section in the Skybox Reference Guide)

2. For L2 devices, configure the network interfaces

Note: Skybox connects the network interfaces of L3 devices.

Configuring the network interfaces of L2 devices

After collecting the device data, the new device in Skybox has several pairs of L2 network interfaces and one management (L3) network interface. Each pair of L2 interfaces connects the IPS device to a different network. Each interface of a pair connects one side of the network to the IPS device. In Skybox, this is modeled by splitting the network into segments (manually) and manually attaching each L2 interface to the appropriate network segment. Skybox attaches the L3 interface to its network.

To configure the network interfaces in Skybox

1. Discover which networks (lines) are monitored by the IPS device and which network is monitored by which pair of adaptors (network interfaces).

2. For each network that the IPS device monitors, create 2 network segments: 1 for each endpoint of the line (that is, each network interface).

To create network segments:

a. In the Model tree, right-click the network to segment and select Manage Segments.

b. In the Manage network segments dialog box, click Add.

c. In the New Segment dialog box, type a Name for the segment and click OK.

d. Repeat steps b and c for the 2nd segment.

3. Assign each necessary L2 interface to its corresponding network segment:

a. In the tree, select All Network Devices > IPS Devices.

b. In the Table pane, select the IPS device.

c. In the Network Interfaces tab of the Details pane, right-click the interface to be connected and select Properties.

d. In the <network interface name> Properties dialog box, in Network, select the network segment to which to attach the interface and click OK.

When the IPS device is updated using the task, the connection between the L2 interfaces and their network segments is created automatically.

Terminology for working with IPS devices

Skybox works with devices from many vendors and does not use vendor-specific terminology when modeling the devices. However, because the terms can be confusing, Skybox terminology for IPS is mapped to IBM (Proventia G) and Trend Micro (TippingPoint) terminology in the following table.


SKYBOX TERM                                                IBM TERM                               TREND MICRO TIPPINGPOINT TERM
Asset of type IPS with Firewall Type set to ISS Proventia  Proventia G appliance                  N/A
Asset of type IPS with Firewall Type set to TippingPoint   N/A                                    TippingPoint device
IPS rule group                                             Protection domain                      Profile
IPS rule                                                   Security event                         Filter
Rule ID                                                    Issue ID (ID of the security event)    Filter number
(Network) interface                                        Adaptor                                Segment

Validating IPS devices in the model

After you add an IPS to your model, validate that it is modeled correctly using the techniques explained in the following sections.

Validating the IPS rules

After you import an IPS device and (for L2 devices) attach every network interface to the correct segments or networks, validate that the IPS rules were imported correctly.

To validate the IPS rules

1. In the Table pane, right-click the device and select Manage IPS Rule Groups.

2. Double-click each rule group to view its rules.

3. Verify that the rules are in the Skybox Vulnerability Dictionary (that is, there is a check mark in the Dictionary column of the table).

If many of the rules are not in the Vulnerability Dictionary, you might be using an outdated version of the Vulnerability Dictionary. (If only a few rules are not in the Vulnerability Dictionary, they might be custom defined on the device.)

l For information about updating your Vulnerability Dictionary, see the Dictionary updates chapter in the Skybox Installation and Administration Guide.

4. Verify that the rule groups of the device in Skybox match the rule groups of the actual device.

l For Proventia G appliances, you can find the device rules and their rule group (protection domain) in SiteProtector, in the Security Event section.

You can view the IPS rule groups and rules in the Details pane, in the IPS Rule Groups tab.

Validating the access rules

After you validate the IPS rules, validate that the access rules were imported correctly.

To validate the access rules

1. In the Table pane, right-click the device and select Access Rules.

2. In the Access Control List Editor, verify that there are 2 rule chains: ACCESS and IPS.


3. Verify that access rules in the ACCESS chain do not permit packets to move between different lines (networks) that are monitored by the IPS or between the management (L3) interface and the L2 interfaces.

Important: For supported devices, these rules are created during the import and should be checked briefly. However, this step is very important for devices defined using Skybox Manager or iXML.

4. Verify that the (IPS) access rules in the IPS chain contain references to IPS rule groups.

Verifying the effects of the IPS device

If an attack path goes through an IPS device, the attack is blocked (or has a lower probability of success) if it matches a preventing IPS rule.

After verifying that the IPS device was imported correctly, verify that Skybox correctly simulates the effect of the IPS device on the risk levels of your network.

Vulnerability occurrences that become inaccessible due to IPS prevention rules are assigned the Protected exposure status (not the Inaccessible status).

Note: There is no special status to show whether a vulnerability occurrence became indirectly exposed due to an IPS prevention rule or an access rule on a non-IPS gateway, or whether a vulnerability occurrence is partially prevented by IPS devices (from Threat Origins or in access routes).

To verify the effects of the IPS device

1. Enable the IPS device (in the Table pane, right-click the device and select Enable IPS).

2. Run the Analyze Simulate Attacks task.

In the Analyses tree (Public Analyses > Vulnerabilities > By Exposure > Protected), check whether exposed vulnerability occurrences (of the Vulnerability Definitions that the IPS device is configured to prevent) became Protected or Indirect.

Note: Sometimes, the IPS is supposed to protect a vulnerability occurrence from only one Threat Origin or one Threat Origin Category. The following procedure explains how to check this.

3. As an additional check, disable the IPS device (right-click the device and select Disable IPS), simulate attacks again, and check whether the exposure status of the vulnerability occurrences changes back to Exposed.

Verifying the effects of an IPS device against a threat

If the IPS device is supposed to protect against one Threat Origin Category, the vulnerability occurrences that it blocks can be vulnerable to other Threat Origin Categories and they do not have the Protected exposure. However, you can check the exposure of these vulnerability occurrences to the specific Threat Origin Category.

To verify the effects of the IPS device against one Threat Origin Category

1. Open a vulnerability occurrences analysis that contains the vulnerability occurrences to be blocked by the IPS device.


2. Add the <Category name> – Exposure field to the displayed columns for this table (right-click in the header row of the table and select Customize Current View).

3. Check whether the status of the vulnerability occurrences in the new column is Protected.

If you are not interested in all the Threat Origins in the Threat Origin Category, temporarily disable the irrelevant Threat Origins, rerun the attack simulation, and repeat steps 1 through 3.

Viewing and managing IPS devices in Skybox

The Model tree (All Network Devices > IPS Devices) contains a list of all IPS devices in the model. IPS devices are modeled using:

l IPS rules and rule groups

l IPS access rules, which define the scope of each rule group

IPS rules are configured to either prevent (block) or detect (and then, for example, log or send a message) malicious packets.

Note: Firewalls with supported IPS capability are listed in All Network Devices > Firewalls.

Working with IPS rules and rule groups

To access the IPS rules

1. In the Table pane, right-click the IPS device and select Manage IPS Rule Groups.

2. In the Manage IPS Rule Groups dialog box, double-click an IPS rule group or select the group and click Modify.

3. In the <IPS rule group name> Properties dialog box, you can add, delete, and modify IPS rules.

When you add rules, you can:

l Search for vendor-specific rules in the Skybox Vulnerability Dictionary and add them to an IPS rule group (see Adding vendor-defined IPS rules).

l Define new rules and specify the Vulnerability Definitions on which they act (see Adding custom IPS rules).


Working with access rules

To access the access rules for the IPS device

l In the Table pane, right-click the IPS device and select Access Rules.

Each IPS device has at least 2 rule chains: IPS and ACCESS.

o In the IPS chain, each access rule relates to one rule group (in Proventia, each rule group represents a protection domain). The rules are of type IPS. There are usually 2 rules for each rule group: 1 inbound and 1 outbound.

IPS access rules include the regular scope properties (source, destination, and network interfaces) and a reference to an IPS rule group of the device.

o The ACCESS chain can include rules created by Skybox or by a user to ensure the correct flow of packets through the device, and access rules imported from the device (if it has filtering capabilities).

Note: For Proventia G appliances, access rules are not imported from the device. The rules in the ACCESS chain are created according to the configuration of the device. The rules ensure the correct flow of data packets through the device, preventing packets from moving between L3 and L2 interfaces and between different lines (networks) monitored by the device.

For additional information about working with access rules, see the Access Control List Editor chapter in the Skybox Reference Guide.

Adding vendor-defined IPS rules

You can add any vendor-defined rule that is in the Skybox Vulnerability Dictionary to an IPS rule group.

Note: Vendor-defined rules that you add must match the device type.

To add vendor-defined rules to an IPS rule group

1. In the Rule Group Properties dialog box, click Add.

2. In the Add Vendor IPS Rules dialog box:

a. Specify search criteria in the Search Criteria pane. You can search for rules using:

l A string in the rule title

l The vendor rule ID

The string displayed at the beginning of Vendor Rule ID is based on the vendor vulnerability database used by the device. For IBM Proventia G appliances, the string is ISS_IPS/.

l Vulnerability Definitions

b. To search for rules that handle a Vulnerability Definition, click the Browse button next to Vulnerability Definition.

Use the Vulnerability Definition Finder dialog box to select the Vulnerability Definitions to block.


c. Click Search.

The results of the search are listed in Search Results.

d. Select rules in Search Results and click to move them to Selected Rules.

e. Select the action that this rule takes when it encounters vulnerability occurrences of these Vulnerability Definitions.

f. Click OK to add the rules.

Adding custom IPS rules

You can add custom rules to an IPS rule group by specifying the rule and the Vulnerability Definitions on which the rule acts.

To add a custom rule to an IPS rule group

1. In the Rule Group Properties dialog box, click Add Custom.

2. In the New IPS Rule dialog box:

a. In the General tab, fill in:

l Title

l Action

l Severity

l (Recommended) Description

b. To ignore the rule when analyzing risk, select Disabled.

Note: Other fields are disabled either because you cannot edit them using the Rule Group box or because they are applicable only for vendor IPS rules.

c. Click the Vulnerability Definitions tab.

d. Click Add.

e. In the Add Vulnerability Occurrences dialog box (which is similar to the Add Vulnerability Definition Finder dialog box):

i. Fill in the search fields and click Search.

The results are listed in Search Results.

ii. In Search Results, select the Vulnerability Definitions on which this IPS rule is to act and click to move them to Selected Vulnerability Definitions.

iii. Click OK.

The selected Vulnerability Definitions are added to the list of Vulnerability Definitions for the IPS rule.

iv. Click OK to save the rule.

Simulating the effects of IPS devices

The Analyze Simulate Attacks task takes enabled IPS devices into account when ascertaining possible attacks and the security risks.


An attack action is considered prevented if all access routes required for the action are blocked by IPS devices. More specifically, an attempt to exploit remotely from source x to vulnerability occurrence v on destination y is considered to be prevented if:

l The access route from the source to the destination necessarily passes through an IPS device

l The device is configured to block attack attempts on vulnerability occurrence v (for sources that include x and destinations that include y)

Note: Skybox only uses IPS prevention rules in attack simulation; Skybox does not use detection rules.

Vulnerability occurrences that become inaccessible due to IPS prevention rules are assigned the Protected exposure status (not the Inaccessible status). For additional information about the effects of IPS devices on vulnerability occurrences and risk, see Verifying the effects of the IPS device.

To simulate the effects of IPS devices

1. Enable all IPS devices that you are using in attack simulation.

(To enable an IPS device, right-click the device and select Enable IPS.)

2. Run the Analyze Simulate Attacks task.

Additional ways to model IPS devices

You can model IPS devices that are not supported directly by Skybox via Skybox Manager or by using iXML.

To define an IPS device

1. Create an IPS device in the model.

2. Assign the network interfaces of the IPS device to network segments in the model.

3. Create IPS rule groups with the appropriate rules.

4. Create IPS access rules.

5. Create other access rules.

Defining IPS devices using Skybox Manager

You can define IPS devices that are not supported by Skybox (custom devices) manually using Skybox Manager. You can also use this method to define IPS devices that are directly supported.

Creating an IPS device in the model

An IPS device is modeled as an asset of type IPS.

To create an IPS device

1. In the Model tree, expand All Network Devices.

2. Right-click IPS Devices and select New IPS.

3. In the New Asset dialog box:


a. Type a Name for the IPS device.

b. Select the device type:

• For IBM Proventia appliances: In Firewall Type, select ISS Proventia.

• For Trend Micro TippingPoint devices: In Firewall Type, select TippingPoint.

• For custom devices: In Firewall Type, select Custom.

c. Provide values for other fields:

• Select Layer 2.

• In Network Interfaces, define the device network interfaces.

• (Recommended) Select values for Operating System and Platform.

• The values in other fields do not need to be changed.

d. Click OK.

Configuring the network interfaces

After you add the device to the model, assign the network interfaces in the model to the correct networks.

To configure the network interfaces

1. Discover which networks (lines) are monitored by the IPS device and which network is monitored by which pair of adaptors (network interfaces).

2. For each network that the IPS device monitors, create 2 network segments: 1 for each endpoint of the line (that is, each network interface).

3. Assign each L2 interface to its corresponding network segment.

For more detailed instructions, see Configuring the network interfaces.

Creating IPS rule groups

In Skybox, each IPS rule group monitors a different type of event. Each rule in the group specifies a single type of event to block.

To create an IPS rule group and IPS rules

1. In the Table pane, right-click the device and select Manage IPS Rule Groups.

2. In the Manage Host IPS Rule Groups dialog box, click Add.

3. In the New IPS Rule Group dialog box:

a. Type a Name for the rule group.

b. Add IPS rules:

• To add custom rules, see Adding custom IPS rules.

• To add vendor-defined rules (for IBM Proventia appliances), see Adding vendor-defined IPS rules.

Creating access rules

An IPS device requires access rules of (at least) 2 types:


• IPS: Access rules that define the scope of the IPS rule group

There must be at least one IPS access rule for each IPS rule group (or one for inbound traffic and one for outbound traffic). The action of these access rules must be IPS.

• ACCESS: Access rules that define the movement of packets in the device.

Define rules so that packets cannot move between different lines (networks) that are monitored by the IPS device, or between the management (L3) interface and the L2 interfaces.

For additional information about access rules, see the Access Control List Editor chapter in the Skybox Reference Guide.

Order of applying IPS access rules in IPS devices

The IPS access rules in a rule chain are applied in either of 2 ways, depending on the predefined behavior of the device:

• Use all rules that match the data. This method is usually used for IPS access rules.

• Use (only) the 1st rule that matches the data. This method is used for ACCESS (packet movement) rules, but it is not often used for IPS access rules.

For supported IPS device types, the method used is according to the behavior on the device; you cannot change the method.

For device types that are not directly supported (that is, devices whose Firewall Type is set to Custom), the Use all rules that match the data method is used by default.

To change the method of applying IPS access rules for a custom IPS device

1. Open the Properties dialog box for the device.

2. Click the Browse button next to Firewall Type (which contains the value Custom).

3. In the ACL Management dialog box, in Applied IPS Rules, select a behavior.
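The prevention check described under Simulating the effects of IPS devices, together with the two rule-chain methods described above, worked through in code. This is an added example and not Skybox code: the device name, rule-group names, addresses and Vulnerability Definition IDs are made up, and the label Exposed for an occurrence that is not protected is illustrative (Protected and Inaccessible are the statuses the text names). The example goes slightly beyond the text by also showing a disabled device and a route that bypasses the IPS.

```python
# Added example (not Skybox code): a toy model of the IPS prevention check.
# Device, rule-group, address and Vulnerability Definition values are made up.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IpsRule:
    """One rule in an IPS rule group: the Vulnerability Definitions it
    covers and whether it prevents or only detects."""
    vuln_defs: frozenset
    action: str  # "prevent" or "detect"


@dataclass
class IpsAccessRule:
    """IPS access rule: the scope (sources/destinations) of a rule group."""
    sources: tuple
    destinations: tuple
    rule_group: str


@dataclass
class IpsDevice:
    name: str
    rule_groups: dict               # group name -> list[IpsRule]
    access_rules: list              # the rule chain, in order
    first_match_only: bool = False  # "Use (only) the 1st rule that matches"
    enabled: bool = True

    def matching_groups(self, src, dst):
        """Rule groups whose scope covers src -> dst, under the chain method."""
        groups = []
        for rule in self.access_rules:
            if any(src in n for n in rule.sources) and any(dst in n for n in rule.destinations):
                groups.append(rule.rule_group)
                if self.first_match_only:
                    break
        return groups

    def prevents(self, src, dst, vuln_def):
        """True if this device blocks exploitation of vuln_def from src to dst.
        Only prevention rules count; detection rules are ignored, as in the text."""
        if not self.enabled:
            return False
        for group in self.matching_groups(src, dst):
            for rule in self.rule_groups.get(group, ()):
                if rule.action == "prevent" and vuln_def in rule.vuln_defs:
                    return True
        return False


def exposure_status(routes, src, dst, vuln_def, devices):
    """routes: every access route from src to dst, each a list of device names.
    "Protected" when every route crosses an IPS that prevents vuln_def,
    "Inaccessible" when there is no route at all, otherwise the illustrative
    label "Exposed"."""
    if not routes:
        return "Inaccessible"
    by_name = {d.name: d for d in devices}
    for route in routes:
        if not any(by_name[n].prevents(src, dst, vuln_def) for n in route if n in by_name):
            return "Exposed"
    return "Protected"


ANY = (ip_network("0.0.0.0/0"),)
WEB_SRV = ip_address("10.0.1.20")        # made-up destination y
INTERNET = ip_address("203.0.113.7")     # made-up source x
VULN = "VD-WEB-0001"                     # made-up Vulnerability Definition id


def scenario():
    ips = IpsDevice(
        name="ips-dmz",
        rule_groups={
            "web": [IpsRule(frozenset({VULN}), "prevent")],
            "db": [IpsRule(frozenset({"VD-DB-0002"}), "prevent")],
        },
        access_rules=[
            IpsAccessRule(ANY, (ip_network("10.0.1.0/24"),), "web"),
            IpsAccessRule(ANY, (ip_network("10.0.1.0/24"),), "db"),
        ],
    )
    results = {}
    # 1) A single route that crosses the IPS, which has a prevention rule.
    results["single_route"] = exposure_status([["fw-edge", "ips-dmz"]], INTERNET, WEB_SRV, VULN, [ips])
    # 2) A second route (backup link) bypasses the IPS: not all routes are blocked.
    results["bypass_route"] = exposure_status(
        [["fw-edge", "ips-dmz"], ["fw-backup"]], INTERNET, WEB_SRV, VULN, [ips])
    # 3) A detection-only rule is not used in attack simulation.
    detect_only = IpsDevice("ips-dmz", {"web": [IpsRule(frozenset({VULN}), "detect")]},
                            [IpsAccessRule(ANY, ANY, "web")])
    results["detect_only"] = exposure_status([["ips-dmz"]], INTERNET, WEB_SRV, VULN, [detect_only])
    # 4) A disabled device is ignored.
    disabled = IpsDevice("ips-dmz", ips.rule_groups, ips.access_rules, enabled=False)
    results["disabled"] = exposure_status([["ips-dmz"]], INTERNET, WEB_SRV, VULN, [disabled])
    # 5) Chain method: the "db" group's access rule is second in the chain.
    results["db_all_match"] = exposure_status([["ips-dmz"]], INTERNET, WEB_SRV, "VD-DB-0002", [ips])
    first_match = IpsDevice("ips-dmz", ips.rule_groups, ips.access_rules, first_match_only=True)
    results["db_first_match"] = exposure_status([["ips-dmz"]], INTERNET, WEB_SRV, "VD-DB-0002", [first_match])
    return results


if __name__ == "__main__":
    for case, status in scenario().items():
        print(f"{case}: {status}")
```

Case 5 is the one to keep in mind for custom devices: with the default Use all rules that match method both the web and db groups apply, but under Use (only) the 1st rule that matches only the web group is in scope and the db Vulnerability Definition is no longer protected.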

Defining IPS devices using iXML

Skybox supports definition of IPS devices using iXML:

1. Use iXML to define IPS rule groups, IPS rules and the Vulnerability Definitions that they handle, and IPS access rules that define the scope of the IPS rule groups.

2. Import the iXML file into the model.

You can create iXML files manually or by using Perl scripts to translate the mapping and configuration files of unsupported IPS devices to iXML.

To model IPS devices using iXML, see the following in the Skybox Developer Guide:

• iXML elements: For general information about iXML elements

• Example of iXML code for an IPS device: For example iXML code for an IPS device

• AddIpsRuleGroup method: For information about Perl API methods for supporting IPS devices

Testing the effects of an IPS device using Skybox

You can experiment with different IPS device setups in your network using the What If model.


Testing IPS devices

You can simulate the effects of an IPS device at a location in your network to establish whether an IPS device at that location would improve network security.

After you add the device, you can create custom rules (or add vendor-defined rules from the Skybox Vulnerability Dictionary) that handle the problem that you are addressing (for example, critical web server Vulnerability Definitions). You can then check whether the IPS device lowers the risk of attack on the network.

To test an IPS device

1. If you do not have a What If model: Select File > Models > Create Model.

2. In Source Model, select Live.

3. In Target Model, select What If.

4. Select Switch to target model after creation.

This copies the Live model to the What If model and switches to the What If model.

5. Add the IPS device to the What If model using:

• An online collection task

• Skybox Manager

• iXML

6. Run an Analysis – Exposure task to simulate attacks.

7. Check the results of the attack simulation.

Testing enhanced coverage of an IPS device

If an IPS device has limited coverage of Vulnerability Definitions in Prevention mode, you canexplore the effects of adding rules to cover additional Vulnerability Definitions.

You can create custom rules (or add vendor-defined rules from the Skybox VulnerabilityDictionary) that handle the problem that you are addressing (for example, critical web serverVulnerability Definitions). You can then check whether the new rules lower the exposure of theVulnerability Definitions and the risk of attack on the network.

To test enhanced coverage of an IPS device

1. Switch to the What If model:

• If there is a What If model:

a. Select the IPS device in the Live model.

b. Right-click the device and select Advanced > Copy To > What If.

c. Switch to the What If model.

This copies the IPS device to your What If model.

• To create a What If model:

a. Select File > Models > Create Model.

b. In the dialog box:


• Set Source Model to Live

• Set Target Model to What If

• Select Switch to target model after creation

c. Click OK.

This copies the Live model (including the IPS device) to the What If model and switches to the What If model.

2. In the IPS device in the What If model, create the necessary custom rules. For IBM Proventia appliances, you can add vendor-defined rules.

3. Simulate attacks.

4. Check the results of the attack simulation.


Chapter 29

Optimization

This chapter explains how to optimize attack simulation and access analysis, which are resource-intensive operations.

In this chapter

Performance considerations 221

Optimizing Access Analyzer analysis 222

Performance considerations

Simulating attacks is a resource-intensive operation. This section discusses performance considerations to be aware of when running attack simulation and Access Analyzer.

Performance considerations can be grouped into the following categories:

• Model size and complexity

• Routing rule issues

• Hardware issues

Model size and complexity

• Attack simulation performance is affected by the size and complexity of the model. The more assets, access rules, and vulnerability occurrences that there are in the model, the longer it takes to run attack simulation. (This does not mean that you should not model your whole network, but that you should be aware that as the size of the model grows attack simulation takes longer to run.)

• The number of Threat Origins affects performance; the system might suffer performance degradation when using more than several tens of Threat Origins.

To reduce the number of Threat Origins, consider grouping multiple starting points into a single Threat Origin. For example, multiple connections to the internet can be represented as one Threat Origin on the internet cloud. You can include multiple networks or clouds in a Threat Origin.

• Setting the Simulate Full IP Spoofing option of the Analyze Simulate Attacks task (or whichever Analysis – Exposure task you use) to true significantly slows performance.

Routing rule issues

If Access Analyzer identifies that routing rules are missing, it assumes that packets to unspecified destinations are forwarded to each neighbor of a router; this increases the calculation time of Access Analyzer (and of attack simulation) and creates false positives. If there are routing rules, Access Analyzer knows the router's neighbors to which packets are forwarded.
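An added example (not Skybox code) of why missing routing rules inflate the work and create false positives: the same four-router topology is walked once with full routing tables, once with none, and once with one router's table missing. Every route that appears only under the flooding assumption is a route the real network never uses. The topology, routing tables and addresses are constructed.

```python
# Added example (not Skybox code): missing routing rules versus candidate
# routes. Topology, tables and addresses below are constructed.
from ipaddress import ip_address, ip_network

# Router adjacency: router -> neighbours it could forward to.
NEIGHBOURS = {
    "r1": ["r2", "r3"],
    "r2": ["r1", "r3", "r4"],
    "r3": ["r1", "r2", "r4"],
    "r4": ["r2", "r3", "dst-net"],
}

# Full routing tables: router -> {prefix: next hop}. A router with no table,
# or no matching prefix, is the "unspecified destination" case from the text.
ROUTES = {
    "r1": {"10.20.0.0/16": "r2"},
    "r2": {"10.20.0.0/16": "r4"},
    "r3": {"10.20.0.0/16": "r4"},
    "r4": {"10.20.5.0/24": "dst-net"},
}


def next_hops(router, dst, routes):
    """Next hops for a packet to dst. With a matching routing rule: the
    longest matching prefix only. Without one: every neighbour, which is
    the assumption Access Analyzer makes when routing rules are missing."""
    matches = [(ip_network(prefix), nh)
               for prefix, nh in routes.get(router, {}).items()
               if dst in ip_network(prefix)]
    if matches:
        return [max(matches, key=lambda m: m[0].prefixlen)[1]]
    return NEIGHBOURS.get(router, [])


def candidate_routes(start, dst, target, routes):
    """Every loop-free route from start to the target segment that the
    analysis has to consider under the given routing tables."""
    dst = ip_address(dst)
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for nh in next_hops(node, dst, routes):
            if nh not in path:          # never revisit a node (no loops)
                walk(nh, path + [nh])

    walk(start, [start])
    return found


def false_positives(start, dst, target, routes):
    """Routes considered under `routes` that do not exist with full tables."""
    real = {tuple(r) for r in candidate_routes(start, dst, target, ROUTES)}
    return [r for r in candidate_routes(start, dst, target, routes)
            if tuple(r) not in real]


if __name__ == "__main__":
    dst = "10.20.5.9"
    cases = (("full tables", ROUTES), ("no tables", {}),
             ("r2 table missing", {k: v for k, v in ROUTES.items() if k != "r2"}))
    for label, tables in cases:
        routes = candidate_routes("r1", dst, "dst-net", tables)
        bogus = false_positives("r1", dst, "dst-net", tables)
        print(f"{label}: {len(routes)} candidate route(s), {len(bogus)} not real")
```

Even on four routers the flood case considers four routes where the real network has one; on a large model the extra routes are both the calculation-time cost and the false positives the text warns about, so collecting routing data for every router in scope is worth the effort.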


Hardware issues

Attack simulation can consume a significant amount of memory on the Skybox Server (depending on the size and complexity of the model). To improve performance, make sure that:

• You are using the recommended hardware setup for your project size (see the Skybox Server system requirements topic in the Skybox Installation and Administration Guide)

• Your server is configured for Skybox

Attack simulation performance benefits from multiprocessors on the Skybox Server machine.

Note: If you get an Out of Memory warning, attack simulation does not run.

Performance considerations for Access Analyzer

Access Analyzer is not as resource intensive as attack simulation, but it can be slow, especially for multiple sources and destinations. Performance considerations that affect attack simulation also affect Access Analyzer, except the number of vulnerability occurrences (Access Analyzer does not work with vulnerability occurrences). Setting the Explain Route option of Access Analyzer to false might improve performance, but Access Analyzer then only checks for access without providing any explanation.

Optimizing Access Analyzer analysis

Access Analyzer analysis is a resource-intensive computational process. It analyzes access routes from a source to a destination, based on network topology, access and routing rules, address translation, and port translation.

Analyses of a single source asset or network and a single destination asset or network take the least time. An analysis might take longer if:

• Source or Destination has a value of Any

• IP address spoofing is used

• There are no routing rules in the model

• The source or the destination contains groups of networks or assets

• Routing rules are completely ignored (Ignore All Routing Rules) or partially ignored (Use Dynamic Routing Rules)

When routing rules are not used (because they are ignored or because they do not exist), the analysis results might be less accurate.

For large organization networks, this analysis can take time, because of the large number of assets, networks, and gateways. The analysis is also affected by the number of access and address translation rules, and by the size of routing tables.


Deployment

This part explains how to plan a deployment of Skybox and prepare the necessary data for the model.

The information in this part is relevant when planning a model to use with the Exposure feature of Skybox Vulnerability Control. Some information is not relevant if you are working with the Security Metrics feature only.


Chapter 30

Planning deployment

Before you begin deployment on a large network, create a deployment plan and put together a deployment team from all departments involved in the project. Then prepare the data.

In this chapter

Deployment plan 224

Deployment team 225

Deployment plan

Before you begin deploying Skybox on a large network, create a deployment plan. This plan should include:

• The deployment team

A list of the people who should be involved in the deployment project, their contact information, and the time required from them.

• A scope for the deployment

The parts of the network and the Business Units that the deployment is to cover.

• The network data required for deploying Skybox

1. Understand the structure of your network, by using network diagrams and interviewing network administrators.

2. Prepare the network data for Skybox, including scan results, network diagrams, and firewall configuration files.

• A project timeline

If this is a large deployment, we recommend that you divide it into phases that have clear value-adding milestones as their endpoints (see Phases of deployment).

• The hardware required for deploying Skybox

This includes a dedicated server for the Skybox Server and, probably, machines for the Skybox Collector nodes (not necessarily dedicated). For additional information, see the Skybox Server system requirements topic in the Skybox Installation and Administration Guide.

For small networks, a complete plan is not crucial, but facilitates the deployment. At a minimum, a plan for a small network should include the deployment team and the scope of deployment, as much network data as possible, and a dedicated server for Skybox.

Skybox Professional Services personnel, certified resellers, and implementation partners are trained to assist you in building a deployment plan. For information about contacting Skybox, see Technical support.


Deployment team

Deploying Skybox in a large organization might involve people from several departments, sometimes from different business units.

Getting the support and cooperation of these people is important for a quick and successful deployment of Skybox; involve them from the early stages of deployment.

Some of these people will use the product directly, some will receive output (reports and alerts), and some will only provide required information. Product users might benefit from training; to set up training sessions, contact Skybox Support.


Chapter 31

Phases of deployment

If you are deploying Skybox in a large organization, it is useful to divide the project into phases and to define clear milestones for each phase in both of the following aspects:

• Organizational

Complete deployment for a business unit or division and then continue to the next.

• Geographical

Complete deployment for a site or location and then continue to the next.

These aspects are not mutually exclusive and can sometimes be used in parallel.


Chapter 32

Preparing data for Skybox

This chapter explains the data that is required for Skybox and how to prepare it.

In this chapter

Information requirements 227

Preparing a list of network devices 227

Defining the data collection strategy 228

Preparing scanning information 229

Preparing the data 229

Modeling unsupported devices 230

Information requirements

Getting all required information is a crucial part of Skybox deployment. The required information includes:

• Network information, including basic architecture and which networks host the production servers

• Device information (for example, the credentials required to access the devices; the Skybox Collector to use; whether collection is online or by file import)

• Scanning information (for example, which scanners are used and how often the networks are scanned)

• Business information, including a list of the most important Business Asset Groups

The more information that is ready in advance, the faster your deployment project will go. However, you do not need to wait for all the information to start the deployment; additional information can be discovered during the deployment project.

The following sections provide details about preparing the necessary information.

Preparing a list of network devices

After you decide the scope of the network to include in the model, you must get data about each network device in the selected scope.

Prepare a list of the network devices in the scope, including all firewalls, routers, and other L3 devices, and all filtering devices (L2 or L3).


Example list

Supported data sources

The Skybox platform is compatible with many data sources, including:

• Firewalls
  o Check Point FireWall-1 NG and NGX
  o Check Point Provider-1
  o Cisco PIX/ASA/FWSM

• Routers
  o Cisco IOS

• Cloud platforms
  o Amazon Web Services
  o Azure Cloud
  o VMware NSX-T

• Vulnerability scanners (for importing vulnerability occurrence information)
  o Qualys
  o Tenable
  o Rapid 7

Refer to the Skybox website for a list of supported devices.

Defining the data collection strategy

Define a collection strategy for each network device to be modeled. Refer to the Skybox website for a list of supported devices, which lists the network devices that are directly supported by Skybox. Note devices that are not supported directly; each device must be modeled separately (see Modeling unsupported devices).

Skybox supports the following methods of retrieving data from directly supported devices:

• Offline file import: Extract the data from files written by the device. The data files are imported into the model using an offline file import task.

• Online collection: Retrieve the data directly from the device or the device management system. You create a task in Skybox, which instructs a Skybox Collector to retrieve the data from the device. This data is then added to the model.

The primary reasons for selecting a strategy are the presence of a data repository, device accessibility, and the rate of changes to the device.


Offline file import is usually used for:

• Devices whose information is stored in a repository.

If your organization has a repository that contains the necessary data for specific devices, you can import data from the repository into the model.

• Devices that a Skybox Collector cannot access easily.

If the device is in a segmented network, the alternative is to install an additional Skybox Collector in that network segment.

• Devices for which you do not have the access permissions necessary to retrieve the configuration and routing data.

• Devices managed by a team that does not permit you continuous access.

• Infrequently updated devices.

For infrequently updated devices, you could receive an alert (reminder) and then import the data manually instead of including the devices in the automated collection.

Online collection is usually used for:

• Devices that are easily accessible and whose configuration and routing information is not stored in a central repository.

• Devices managed by management servers that are supported by Skybox.

• Frequently updated devices.

Preparing scanning information

Scanning information is necessary to build the model. It provides information about assets and services, and information about the vulnerability occurrences that are on scanned assets. Assets are not scanned by Skybox, but by external sources.

Skybox scanner tasks add scan data to the model. Refer to the Skybox website for a list of supported devices.

The following scanning decisions affect Skybox:

• Are the networks scanned regularly? How often?

• Using which scanners?

• What level of scanning is used?

• Who is responsible for running network scans?

Plan the collection of scan data for Skybox according to the answers to these questions.

Important: Skybox requires unrestricted scanning output (that is, output with a minimum of control devices blocking the route between the scanner and the scanned assets). Skybox later analyzes permitted and blocked access itself. To achieve unrestricted scans, you might need to install additional scanning agents in your network.

Preparing the data

For each network device that will be imported, ascertain the files that Skybox requires to model the device and make sure that these files are available. For example, for a Cisco router, Skybox requires the output of the show running-config and show ip route vrf * commands, stored in separate files. For detailed information, see the Data formats for file import tasks topic in the Skybox Reference Guide.

Devices whose data is actively collected might require preparation in advance. For detailed information, see the Tasks part of the Skybox Reference Guide.

Asset tags are not case-sensitive

Asset tags in Skybox (including security tags from cloud assets) are not case-sensitive. To model tags that are identical except for capitalization correctly in Skybox (channel and Channel, for example), change the data source to distinguish between tags using a different naming convention.
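An added pre-import check, not Skybox code, that finds tag keys which collide under case-insensitive comparison across a set of assets and proposes a renaming that stays distinct however case is folded. The sample tags are constructed, and the "_1", "_2" suffix convention is an assumption; Skybox does not prescribe one.

```python
# Added example (not Skybox code): detect asset tag keys that differ only by
# case before import, and propose a case-independent renaming. The asset
# data is constructed; the "_1", "_2" suffix convention is an assumption.
from collections import defaultdict

# Constructed sample: asset id -> tags as exported by the cloud data source.
SAMPLE_TAGS = {
    "i-0a1": {"channel": "sales", "Environment": "prod"},
    "i-0b2": {"Channel": "support", "environment": "prod"},
    "i-0c3": {"Owner": "team-a"},
}


def case_collisions(assets):
    """Map each case-folded key to the sorted spellings seen across all
    assets, keeping only keys with more than one spelling (a case-insensitive
    importer would merge these into one tag)."""
    spellings = defaultdict(set)
    for tags in assets.values():
        for key in tags:
            spellings[key.casefold()].add(key)
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}


def rename_plan(assets):
    """Propose a new key per colliding spelling, e.g. 'Channel' -> 'channel_1'
    and 'channel' -> 'channel_2', so the data source can be corrected before
    import. The new keys stay distinct even when compared case-insensitively."""
    plan = {}
    for folded, variants in case_collisions(assets).items():
        for i, variant in enumerate(variants, start=1):
            plan[variant] = f"{folded}_{i}"
    return plan


def apply_plan(assets, plan):
    """Return a copy of the asset tags with the plan applied; keys that do
    not collide are left untouched."""
    return {asset: {plan.get(k, k): v for k, v in tags.items()}
            for asset, tags in assets.items()}


if __name__ == "__main__":
    plan = rename_plan(SAMPLE_TAGS)
    for old, new in sorted(plan.items()):
        print(f"{old!r} -> {new!r}")
    print("collisions after fix:", case_collisions(apply_plan(SAMPLE_TAGS, plan)))
```

Run this against the exported tag data before the import task; an empty result from case_collisions on the corrected data is the condition to check for.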

Modeling unsupported devices

You can model devices that are not directly supported by Skybox:

• Create a script to translate the device configuration to iXML and import the device data.
  o For information about iXML, see the Integration part of the Skybox Developer Guide.
  o Contact Skybox Support for help creating the script.

• Model the device manually in Skybox.

This is the simplest method to use if you have only a few devices that are not directly supported. However, if you make changes to a device, you must update it manually in Skybox.


Chapter 33

Starting deployment

However you divide the network, we recommend that you start the deployment with a 1st phase of a relatively small number of nodes (approximately 100 to 1000). Select a complete network environment of approximately this size and import the environment.

First phase of deployment

This is a basic workflow for the 1st phase of deployment when working with Exposure.

1. Add network information.

Collect the network information for this phase offline, using Skybox offline file import tasks (we recommend that you use Import – Directory tasks wherever possible). Before you run these tasks, make sure that the necessary data for each device is stored in the correct location.

• For information about importing the network environment, see Building the network topology.

• For information about preparing the data for each device, see the Tasks part of the Skybox Reference Guide.

2. Add security information.

The model must include asset and vulnerability occurrence information to analyze risk and attacks.

3. Validate the model.

After the network and security information is added to the model, check the information for correctness.

4. Set up the Business Unit hierarchy.

The 1st phase of adding business information should include 3 to 5 top Business Asset Groups.

5. Add Threat Origins.

The 1st phase should include 1 or 2 major threats (Skybox includes the internet as a threat). We recommend that you start with external threats rather than threats that are inside your organization and begin by defining the threats that pose the greatest risk.

6. Simulate attacks (to provide exposure information).

7. Identify critical issues.

8. Mitigate critical risks.

After you finish this phase, you will have a better idea how Skybox works with your network and how to use it to lower risk. At this point, you can plan the scope of additional phases of deployment and prepare Skybox to work in a more automated manner.


Appendices

Skybox Security, Inc. | 2077 Gateway Place, Suite 200, San Jose, California 95110 USA | +1 866 675 9269 | skyboxsecurity.com

Skybox Intelligence Feed Supported Products and SLA

December 2021

skyboxsecurity.com 1

Table of Contents

Products 2

Banner Translator and Vulnerability Detector 2

Skybox Intelligence Feed SLA 3

Appendix A – P1 Products List 4

Appendix B – P2 Products List 7

Appendix C – Banner Translator Products 64


Products

The Skybox intelligence feed contains vulnerabilities published by the supported sources. These vulnerabilities are associated with more than 14,000 products. The vulnerabilities are added to the intelligence feed according to the affected product's priority. P1 is a list of critical or common products, P2 holds a larger group of enterprise-grade products, and P3 holds the long tail of other products. P1 products (see Appendix A – P1 Product List) include the most important products of the following vendors/types (this is a non-exhaustive list):

• Operating systems: Microsoft Windows, RedHat Linux, VMWare, Citrix, Mac OS X and Unix

• Network devices: routers, switches, firewalls and load balancers of the following vendors: Cisco, Check Point, Juniper Networks and F5 (BIG-IP)

• Databases: Oracle Database, Microsoft SQL Server and Oracle MySQL

• Web servers, application servers, mail servers and DNS servers

• Real-time running frameworks: Oracle Java, Microsoft .NET and PHP

• Antiviruses: McAfee and Symantec

• Popular workstation apps: web browsers, Microsoft Office, Adobe Flash Player, Adobe Reader and Microsoft Lync

• Other popular enterprise-level software: IBM products, Samba, Splunk

P2 products (see Appendix B – P2 Product List) include additional common enterprise products from over 700 vendors including: Adobe, Apple, Apache, Avaya, Cisco, CA, Elasticsearch, EMC, HP, IBM, Oracle, Pivotal, SAP, TIBCO and VMWare. Please note that the lists are updated from time to time, to meet our customers' needs.

Banner Translator and Vulnerability Detector

Skybox's capabilities include the identification of services from asset data that is imported from patch management and asset management systems, or from configuration files of devices, and detection of vulnerabilities on these services using a "virtual scan" (known as Vulnerability Detector or VD). Skybox provides virtual scanning for a set of products that were found most important to our customers and the industry at large. The list in Appendix C – Banner Translator Products specifies the products that are identified and translated by our banner translator (other products appear in the model as "unidentified" or "generic OS"). The list of supported products is updated periodically. Most of these products allow vulnerability detection [1]: vulnerabilities on these products, which appear in the dictionary, are discovered by VD. The scope and speed of coverage of published vulnerabilities for these products is according to the SLA of their priority (P1, P2, or P3).

[1] The exception is a small number of products that were added for model display purposes only, and we cannot vouch for the exact modeling of their versions to allow accurate matching. These are mostly network devices.


Skybox Intelligence Feed SLA

The intelligence feed is released by 11 a.m. Eastern Standard Time every day except Saturday. The Skybox Server can be configured to automatically update the data service from the internet on a scheduled basis.

The intelligence feed is released with vulnerability updates according to the following policy:

1. Vulnerabilities affecting P1 products: published within one business day from public disclosure of vulnerabilities by the supported vendors or NVD

2. Vulnerabilities affecting P2 products: published within seven days from public disclosure by NVD

3. Vulnerabilities affecting P3 products: published gradually, after disclosure by NVD

4. Exploitability: published daily, to include proof-of-concept exploits and vulnerabilities exploited in the wild and popular malware


Appendix A – P1 Products List Vendor Name Product Name

Apache Software Foundation Apache

Apache Software Foundation Struts

Apache Software Foundation Tomcat

Apple iOS

Apple iPadOS

Apple iTunes

Apple iTunes for Windows

Apple MacOS X

BlueCoat Systems ProxySG

Check Point Software Gaia OS

Check Point Software Security Gateway

Check Point Software VPN-1

Cisco ASA

Cisco IOS

Cisco PIX

Citrix XenServer

F5 BigIP

FreeBSD FreeBSD

GNU GnuTLS

Google Chrome

HP HP-UX

IBM AIX

IBM HTTP Server

IBM Lotus Domino

IBM WebSphere Application Server

ISC BIND

Juniper Networks JUNOS

Juniper Networks Junos OS Evolved

Juniper Networks ScreenOS

Linux Linux Kernel

McAfee VirusScan Enterprise

Microsoft .NET Framework

Microsoft Active Directory

Microsoft Edge

Microsoft Edge Chromium

Microsoft Excel

Microsoft Exchange Server

Microsoft IIS

Microsoft Internet Explorer

skyboxsecurity.com 5

Vendor Name Product Name

Microsoft Lync Server

Microsoft Office

Microsoft Outlook

Microsoft PowerPoint

Microsoft SQL Server

Microsoft Surface Book

Microsoft Windows 10

Microsoft Windows 10 Mobile

Microsoft Windows 7

Microsoft Windows 8

Microsoft Windows Server 2003

Microsoft Windows Server 2003 R2

Microsoft Windows Server 2008

Microsoft Windows Server 2008 R2

Microsoft Windows Server 2012

Microsoft Windows Server 2012 R2

Microsoft Windows Server 2016

Microsoft Windows Server 2019

Microsoft Windows Vista

Microsoft Word

Microsoft XML Core Services

Microsoft Yammer Desktop App

Mozilla Firefox

OpenBSD OpenSSH

OpenLDAP OpenLDAP

OpenSSL OpenSSL

Oracle JRE

Oracle MySQL

Oracle Oracle Application Server

Oracle Oracle Database

Oracle Oracle E-Business Suite (Oracle Applications)

Oracle Oracle HTTP Server

Oracle Server JRE

Oracle Solaris

Palo Alto PAN-OS

PHP PHP

RealVNC RealVNC

RealVNC VNC Server

RedHat Enterprise Linux

RedHat Enterprise Linux Server

RedHat Enterprise Linux Server AUS


RedHat Enterprise Linux Virtualization

RedHat Enterprise Linux Workstation

RedHat Enterprise Virtualization (RHEV)

RedHat JBoss Enterprise Application Platform

RedHat JBoss Enterprise Web Server

RedHat JBoss Fuse

RedHat JBoss Fuse Integration Services (FIS)

RedHat JBoss Fuse Service Works

RedHat JBoss Web Server

RedHat Migration Toolkit for Containers

RedHat Network Satellite Server

RedHat OpenShift

RedHat Openshift Container Storage

RedHat OpenShift Enterprise

RedHat OpenShift GitOps

RedHat OpenShift Logging

RedHat OpenShift Serverless

RedHat OpenShift Service Mesh

RedHat OpenShift Virtualization

RedHat Red Hat Virtualization Host

RedHat Red Hat Virtualization Manager

Samba Samba

Skype Technologies Skype

Splunk Splunk

Sun Java System Application Server

Sun SunOS

Sybase Adaptive Server Enterprise

Symantec Endpoint Protection

Symantec Endpoint Protection Manager

Symantec Norton Antivirus

TIBCO Enterprise Message Service

TIBCO Rendezvous

VMWare NSX-T Data Center

VMWare NSX-V (NSX for vSphere)

VMWare VMware ESX Server

VMWare VMware ESXi Server

XenProject Xen


Appendix B – P2 Products List

Vendor Name Product Name

.NET Foundation IronPython

10Web Form Maker Plugin

10Web Photo Gallery Plugin

1E Nightwatchman

2Checkout 2Checkout Add-on for iThemes Exchange

3T Software Labs Robo 3T

3T Software Labs Studio 3T

7-Zip 7-Zip

Ab Initio Co>Operating System

Ab Initio Control Center

Ab Initio Enterprise Meta>Environment (EME)

Ab Initio Express>IT

Ab Initio Graphical Development Environment (GDE)

Ab Initio Metadata Hub

Ab Initio Technical Repository Management Console

ABBYY Recognition Server

Accenture Accelerate

Access Solutions TSSAdmin

Actiance Vantage

Actifio CDS

Adaptiva OneSite

Adobe Acrobat DC Classic

Adobe After Effects

Adobe After Effects CC 2019

Adobe Animate

Adobe Audition

Adobe Bridge

Adobe Captivate

Adobe Character Animator

Adobe Character Animator CC 2019

Adobe Digital Editions

Adobe Dreamweaver

Adobe Flash Media Server

Adobe Flash Player Installer

Adobe Illustrator

Adobe Incopy

Adobe InDesign

Adobe Lightroom Classic

Adobe LiveCycle

Adobe Media Encoder


Adobe PhoneGap Push Plugin

Adobe PhotoShop

Adobe Prelude

Adobe Prelude CC 2019

Adobe Premiere Pro

Adobe Premiere Pro CC 2019

Adobe Reader DC Classic

Adobe Reader DC Continuous

Adobe XD

ADPAC SVCommands

Advanced Custom Fields Project Advanced Custom Fields

Affinite Profiler

AFNetworking Project AFNetworking

Ai Squared Window-Eyes

Ai Squared ZoomText

Ailleron LiveBank

Ajv Ajv

Alexander Schneider User Access Manager Plugin

Ali Mirzaei Ajax BootModal Login

Altair Altair Panopticon

Amazon AWS Command Line Interface (CLI)

Amazon AWS Schema Conversion Tool

Amazon DynamoDB

Amazon SageMaker

AmberPoint HyperSonic

AMD A Series

AMD Athlon

AMD CPU

AMD E Series

AMD FX Series

AMD Phenom

AMD Turion

Anaconda Anaconda Enterprise

Anaconda Miniconda

Angoss KnowledgeSEEKER

Angoss KnowledgeSTUDIO

AngularJS Angular CLI

AngularJS AngularJS

AngularJS Protractor

Ansible Ansible

AOL AOL Instant Messenger


Apache Cordova

Apache PDFBox

Apache Software Foundation ActiveMQ

Apache Software Foundation Ant

Apache Software Foundation Apache Livy

Apache Software Foundation Apache Zookeeper

Apache Software Foundation APR

Apache Software Foundation APR-util

Apache Software Foundation Axis

Apache Software Foundation Axis2

Apache Software Foundation Cassandra

Apache Software Foundation Commons Collections

Apache Software Foundation Commons FileUpload

Apache Software Foundation Cordova Android

Apache Software Foundation Geronimo

Apache Software Foundation Hadoop

Apache Software Foundation HBase

Apache Software Foundation Hive

Apache Software Foundation Ignite

Apache Software Foundation JMeter

Apache Software Foundation Kafka

Apache Software Foundation Log4j

Apache Software Foundation Maven

Apache Software Foundation Mesos

Apache Software Foundation OpenOffice

Apache Software Foundation Sentry

Apache Software Foundation Solr

Apache Software Foundation Spark

Apache Software Foundation Traffic Server

Apcon IntellaPatch 3000

Appian Appian

Apple CPU

Apple CUPS

Apple Safari

Apple Swift for Ubuntu

Appneta Network Performance Monitoring

AppSense Management Suite

AppViewX AppViewX Platform

Aprelium Technologies Abyss Web Server

Aram Kocharyan Crayon Syntax Highlighter Plugin

Arbor Networks Pravail Network Security Intelligence (NSI)


Arcadia Data Arcadia Enterprise

Arcserve Arcserve RHA

ArcSight Enterprise Security Manager

ArcSight SmartConnector

Arista EOS

ARM Cortex-A

ARM Cortex-R

Artezio Artezio Kanban Board for Jira

Artifex Software SmartOffice

asaquzzaman WP Human Resource Management

ASG ASG-TMON Change Manager for CICS TS (CATS)

ASG ASG-Zebb

Aspect Provisioning Server

Aspect Unified IP

ASPG MegaCryption

ASPG SMFUtil

Atlassian Bitbucket

Atlassian Bitbucket Data Center

Atlassian Bitbucket Server

Atlassian Confluence

Atlassian JIRA

Atlassian Jira Data Center

AUTOMATION ANYWHERE ENTERPRISE

AUTOMATTIC Akismet Anti-Spam Plugin

Avahi Avahi

Avaya 9600 Series IP Deskphones

Avaya Access Security Gateway Defender

Avaya Access Security Gateway Guard

Avaya Aura Application Enablement Services

Avaya Aura Experience Portal

Avaya Aura Session Manager

Avaya Aura System Manager

Avaya Aura System Platform

Avaya Call Management System (CMS)

Avaya Communication Manager (CM)

Avaya G430 Media Gateway

Avaya G450 Media Gateway

Avaya IP Soft Phone

Avaya One-X Agent

Avaya One-X Attendant

Avaya One-X Communicator


Avaya Proactive Contact

Avaya Secure Access Link (SAL)

Avaya SIP Conference Phone

Avaya Virtualization Platform

AvePoint DocAve

Avi Networks Avi Vantage

Awesome Support Team Awesome Support Plugin

Axis Network Camera

Axway SecureTransport

Azul Systems Zing

B&L Associates BL/LIB

Babel Project Babel

BackupGuard Backup Guard Plugin

Balabit syslog-ng

BearDev JoomSport

Bedford Associates Step By Step Trace (SST)

Bernie Jenny Color Oracle

BeyondTrust PowerBroker

BeyondTrust Privilege Management for Mac (PMM)

BeyondTrust Privilege Management for Unix & Linux (PMUL)

biscom Faxom

Bjorn Rosell WebP Express

Black Duck Hub

Blackberry Access

Blackberry Docs To Go

Blackberry Enterprise BRIDGE

Blackberry Unified Endpoint Management (UEM)

BlueCoat Systems BCAAA

BlueData Elastic Private Instant Clusters (EPIC)

BMC Software Atrium CMDB

BMC Software BMC Application Automation (BAA)

BMC Software BMC Atrium Orchestrator (BAO)

BMC Software BMC BladeLogic Server Automation Suite (BSA)

BMC Software BMC Middleware Automation (BMA)

BMC Software BMC Patrol

BMC Software Performance Assurance

BMC Software Release Lifecycle Management

BMC Software SQL-BackTrack for IBM Tivoli Storage Manager

BMC Software SQL-BackTrack for Oracle

BoldThemes Bold Page Builder Plugin

Bologer AnyComment Plugin


Bootstrapped Ventures WP Ultimate Recipe

Bradmark Technologies Surveillance DB

Brainstorm Force Schema – All In One Schema Rich Snippets

Branchfire iAnnotate

BrightSign XT1143 Expanded I/O Player

Brocade Brocade Director

Brocade SANnav Management Portal

Brocade ServerIron ADX 1000

Brocade ServerIron ADX 4000

BT MeetMe Services with Cisco WebEx

BT MeetMe with Dolby Voice

bTrade TDCommunity Manager

BuddyBoss BuddyBoss Media

Business Objects Crystal Reports

CA Technologies Application Performance Monitoring Introscope

CA Technologies BrightStor ARCServe Backup

CA Technologies CA DADS Plus for CICS

CA Technologies CA Database Management

CA Technologies CA Datacom

CA Technologies CA Deliver

CA Technologies CA Directory

CA Technologies CA Dynam/T

CA Technologies CA Email Supervision

CA Technologies CA Explore Performance Management for z/VM

CA Technologies CA Filesave RCS Automated Recovery

CA Technologies CA IDMS

CA Technologies CA InterTest

CA Technologies CA LDAP Server for z/OS

CA Technologies CA Mainframe VM Product Manager

CA Technologies CA Output Management Web Viewer

CA Technologies CA Single Sign-On Web Agent Option Pack

CA Technologies CA SymDump

CA Technologies CA Top Secret

CA Technologies CA Top Secret for z/VM

CA Technologies CA View

CA Technologies CA VM:Account

CA Technologies CA VM:Archiver

CA Technologies CA VM:Backup for z/VM

CA Technologies CA VM:Batch

CA Technologies CA VM:Director for z/VM

CA Technologies CA VM:Operator


CA Technologies CA VM:Schedule

CA Technologies CA VM:Secure for z/VM

CA Technologies CA VM:Sort

CA Technologies CA VM:Spool

CA Technologies CA VM:Spool VSEG Plus Component

CA Technologies CA VM:Tape for z/VM

CA Technologies CA Workload Automation

CA Technologies CA Workload Automation AE (AutoSys)

CA Technologies CA Workload Automation iDash

CA Technologies Data Protection

CA Technologies Easytrieve

CA Technologies Faver

CA Technologies Gen

CA Technologies MIM

CA Technologies NetMaster Network Management for TCP/IP

CA Technologies Optimizer/II

CA Technologies PDSMAN

CA Technologies Roscoe

CA Technologies Single Sign-On

CA Technologies SiteMinder Cookie Provider

CA Technologies SiteMinder Policy Server

CA Technologies SiteMinder Web Agent

CA Technologies SYSVIEW

CA Technologies Teleview Session Management

CA Technologies Telon

CA Technologies TPX Session Management for z/OS

CA Technologies Unicenter Output Management

CA Technologies Vantage

CA Technologies Vision:Builder

CA Technologies Vision:Excel

CA Technologies Vision:Results

CA Technologies VM HiDRO

Cambium Learning Kurzweil 1000

Canon imageRUNNER

Canon iR Printer

Capax Discovery Enterprise Archive Solution

Carts Guru Carts Guru

CentOS CentOS

CGI FASTWIRE Open

Chai Project Chai as Promised

Chai Project Chai Assertion Library


Check Email Project Check Email

Check Point Software Endpoint Security

Check Point Software Gaia Embedded

Check Point Software Maestro

Check Point Software Pointsec Protector

Check Point Software Pointsec WebRH

Check Point Software Provider-1

Check Point Software SecurePlatform

Check Point Software SecurePlatform NG

Check Point Software SecurePlatform NGX

Check Point Software SmartConsole

Check Point Software SmartDashboard

Check Point Software SmartDomain Manager

Chef Chef Server

Chicago-Soft MVS/QuickRef

Chocolatey Chocolatey GUI

Christopher Finke Feed Statistics

Chromium chromium

Cisco Adaptive Security Virtual Appliance (ASAv)

Cisco AnyConnect VPN Client

Cisco AnyRes Live

Cisco AppDynamics

Cisco CAT OS

Cisco Catalyst

Cisco Cloud Services

Cisco Cloud Services Platform

Cisco Cloud Services Router 1000V Series

Cisco Common Services Platform Collector (CSPC)

Cisco DX Series

Cisco Enterprise License Manager (ELM)

Cisco Firmware for ASA

Cisco Identity Services Engine (ISE)

Cisco Integrated Management Controller

Cisco IOS-XE

Cisco IOS-XE SD-WAN

Cisco IOS-XR

Cisco IOx Application Framework

Cisco IP Communicator

Cisco IP Phone

Cisco IP Phone Firmware

Cisco IP Phone HW


Cisco Jabber for Android

Cisco Jabber for iOS

Cisco Jabber for iPhone and iPad

Cisco Jabber for Mac

Cisco Jabber for Windows

Cisco License Manager

Cisco MDS

Cisco Meeting Management

Cisco Meeting Server

Cisco NAC Guest Server

Cisco NetFlow Collection Engine

Cisco Nexus

Cisco Nexus 9000 Series Leaf Switches - ACI Mode HW

Cisco NX-OS

Cisco Prime Infrastructure

Cisco Prime License Manager

Cisco SD-WAN

Cisco Spark

Cisco TelePresence C Series

Cisco TelePresence Conductor

Cisco Telepresence Integrator C Series

Cisco TelePresence Multipoint Switch (CTMS)

Cisco TelePresence Server

Cisco TelePresence Supervisor MSE

Cisco TelePresence SX Series

Cisco TelePresence System

Cisco TelePresence TC Software

Cisco TelePresence Video Communication Server

Cisco Unified Attendant Console Standard

Cisco Unified Communications Manager (CUCM)

Cisco Unified Communications Manager IM and Presence

Cisco Unified IP Phone

Cisco Unified Presence Server (CUPS)

Cisco Unity Connection

Cisco WebEx ARF Player

Cisco WebEx Business Suite

Cisco WebEx Extension

Cisco Webex Meetings Player

Cisco Webex Network Recording Player

Cisco WebEx Player

Cisco WebEx Productivity Tools


Cisco WebEx Recorder and Player

Cisco Webex Teams

Cisco WebEx WRF Player

Cisco Wireless LAN Controller

Citibank Citi AZ Web Service

Citibank Citi Mobile

Citrix Application Delivery Controller (ADC)

Citrix HDX RealTime Optimization Pack

Citrix NetScaler

Citrix Presentation Server

Citrix Provisioning Services

Citrix Receiver for Windows

Citrix StoreFront

Citrix XenApp

Claro Software ClaroRead

Click Click

Cloud Foundry Foundation CAPI-release

Cloud Foundry Foundation cf-deployment

Cloud Foundry Foundation cf-release

Cloud Foundry Foundation Python Buildpack

Cloud Foundry Foundation Routing (OSS)

Cloud Foundry Foundation Staticfile Buildpack

Cloud Foundry Foundation UAA Release

Cloud Native Computing Foundation (CNCF) Prometheus

CloudBees Jenkins Enterprise

Cloudera CDH

Cloudera Key Trustee Server

Cloudera Manager

Cloudera Navigator

CocoaLumberjack Project CocoaLumberjack

CodeArt Google MP3 Player

codection Clean Login Plugin

codemenschen Gift Voucher

CodePeople Appointment Booking Calendar Plugin

CodePeople Appointment Hour Booking Plugin

CodePeople Booking Calendar Contact Form

CodePeople Contact Form Email Plugin

CodePeople CP Poll Plugin

CollabNet GitEye

CollabNet Subversion

CollabNet TeamForge


comforte MR-Win6530

comforte Remote Proxy

Comm-Pro X25 Host NAS

ComponentOne ActiveReports

Compuware Abend-AID

Compuware Abend-AID for CICS

Compuware FILE-AID

Compuware Strobe

Compuware Thruput Manager

Compuware Xpediter

Confio Ignite

Confluent Confluent Enterprise

Contentsquare Clicktale Experience Management

Context Media Interchange Suite

Continuity Software AvailabilityGuard

Contrast Security Contrast Assess

Contrast Security Contrast Protect

ConvertPlus ConvertPlus

copyfiles Project copyfiles

Core Security Core Impact

CoreOS Tectonic

Cortado ThinPrint Engine

Corvil Corvil

Couchbase Autonomous Operator

Couchbase Couchbase Server

CounterPath Bria SIP Phone

Crawford Technologies Sunrise

Crelly Slider Project Crelly Slider

CRUDLab wp-like-button

Cryptography Cryptography

Cucumber Cucumber

cURL cURL

Custom Field Suite Custom Field Suite Plugin

Cyara Solutions Cyara Platform

CyberArk Application Identity Manager

CyberArk Password Vault Web Access

CyberArk Privileged Account Security Solution

CyberArk Privileged Session Manager (PSM)

Cyrus SASL

Dallmeier IPS 10000 SMAVIA Network Video Recorder

Dallmeier IPS 2400 II SMAVIA Network Video Recorder


Dallmeier SMAVIA Viewing Client

Dan Zarrella Virim

Danikoo Custom Simple Rss Plugin

Datadobi DobiMiner

Dataiku Data Science Studio

DataKinetics tableBASE

Datameer Datameer

DataRobot DataRobot

Datawatch Visualization SDK

David Lingren Media Library Assistant

Debian Linux

Debian OpenSSH Server

Decision Technology Decision Analyzer

Decru DataFort FC-Series

Decru DataFort S-Series

Dell Inc. ChangeBASE

Dell Inc. DRAC (Dell Remote Access Controller)

Dell Inc. EMC Centera Management Server

Dell Inc. EMC Disk Library for Mainframe

Dell Inc. EMC Storage Resource Manager (SRM)

Dell Inc. EMC Symmetrix

Dell Inc. iDRAC

Dell Inc. OpenManage

Dell Inc. PowerEdge Server

Dell Inc. The Privileged Appliance and Modules (TPAM)

Dell Inc. Wyse

Denodo Denodo

Deque Systems axe DevTools

Deque Systems Worldspace

Derek Herman OptionTree Plugin

Design Chemical Social Network Tabs

Designmodo WP Maintenance Mode

Diebold Nixdorf Agilis XFS for Nexgen

Diebold Nixdorf Agilis XFS for Opteva

Diebold Nixdorf CDM

Diebold Nixdorf DN ProBase

Diebold Nixdorf Electronic Cash Recycler

Diebold Nixdorf VISTA

Diebold Nixdorf Vynamic Security

Diebold Nixdorf Vynamic Transaction Engine

DigiCert Digicert PKI Client


Dignus DBTE

Dignus Systems/ASM

Dino Software T-REX

Dion Hulse Add From Server Plugin

Ditium Technologies Umero

Django Django

DMP Entre

DMP Remote Link

DMP SCS-VR

DMP XR Series Panels

Docker Desktop Enterprise

Docker Desktop for Windows

Docker Desktop for Windows Edge

Docker Docker

Docker docker-credential-helpers

Docker Vault

DocuSign Security Appliance

Dropbear SSH Server

Drupal Drupal

Dtex Systems Dtex Advanced User Behavior Intelligence Platform

Duxbury Systems DBT

Dyadic Security Enterprise Key Management

e-DMZ Security Password Auto Repository (PAR)

Easy Digital Downloads Easy Digital Downloads Plugin

Easy Property Listings Easy Property Listings Plugin

Easy Updates Manager Team Easy Updates Manager Plugin

Eclipse Eclipse IDE

Eclipse Jetty

Elasticsearch Elasticsearch

Elasticsearch Kibana

Elasticsearch Logstash

Elasticsearch Logstash Forwarder

EmbedThis GoAhead

EMC Avamar Data Store (ADS)

EMC Avamar Virtual Edition (AVE)

EMC Celerra

EMC Centera Universal Access

EMC CentraStar

EMC Dart

EMC Data Domain OS

EMC Documentum D2


EMC RecoverPoint

EMC Replication Manager

EMC RSA Adaptive Authentication

EMC RSA Archer GRC

EMC RSA Security Analytics

EMC RSA Web Threat Detection

EMC ScaleIO

EMC Secure Remote Support

EMC Solutions Enabler Virtual Appliance

EMC TimeFinder

EMC Unisphere

EMC Unisphere for PowerMax

EMC Unisphere for VMAX

EMC Unity All-Flash Array

EMC ViPR SRM

EMC VMAX

EMC VNX

EMC VNX1 OE for Block

EMC VNX1 OE for File

EMC VNX2

EMC VNX2 OE for Block

EMC VNX2 OE for File

EMC VNXe1600 OE

EMC VNXe3100 OE

EMC VNXe3150 OE

EMC VNXe3200 OE

EMC VNXe3300 OE

EMC XtremIO

Emerson Aperture VISTA

Enov8 Environment Management

Entrust Authority GSS-API Toolkit for C

Entrust Authority Security Toolkit for Java

Entrust Entelligence Security Provider

Entrust Entrust Authority Security Manager

Entrust PKCS Toolkit for C/C++

Entrust Web Connector

Epson DS-530 Printer

Epson PLQ-50 Printer

Epson TM-T70 Printer

Epson TM-T88V Series Printer

Epson TM-U675 Series Printer


Erlang Open Telecom Platform (OTP)

Erlang Run-Time System Application (ERTS)

Erwin Data Modeler

Erwin Mart Server

ESLint Project ESLint

ESLint-teamcity Project ESLint-teamcity

ESLint-Utils Project ESLint-Utils

ESRI ArcGIS for Desktop

ESRI ArcGIS License Manager

ESRI ArcGIS Pro

Ethan Galstad Nagios

Ethan Galstad Nagios XI

Etoile Web Design Ultimate FAQ Plugin

Evolven Evolven

F-Droid F-Droid

F5 BigIP Access Policy Manager (APM)

F5 Container Ingress Services

F5 NGINX Controller

F5 Nginx Plus

FeedWordPress FeedWordPress

FEPWeb FEPWeb CMS Digital Signature

FFmpeg FFmpeg

FICO Debt Manager

Flexera Software AdminStudio

Fluke Networks Netflow Tracker

ForeScout CounterACT

FormBuilder FormBuilder

FortiNet FortiClient

FortiNet FortiDB

Forum Systems Forum Sentry API Security Gateway

Frederick Townes W3 Total Cache

Freedom Scientific Job Access With Speech (JAWS)

Freedom Scientific MAGic

FreeImage Project FreeImage

Fuji Xerox Apeosport

Fuji Xerox Multifunction Device (MFD)

Fuji Xerox Printing Systems

Fundtech Global PAYplus (GPP)

Galera Cluster Galera Cluster for MySQL

Ganglia Ganglia

gasplugin Google AdSense Plugin


Gemalto Ezio Confirm Authentication Server

Gemalto SafeNet Luna SA

Gemalto SafeNet MobilePASS+

Gemalto SafeNet ProtectServer

Gemalto SafeNet ProtectToolkit

Gemalto SafeWord

Generic haveged

Generic Mockito

Generic Nsubstitute

Generic Nunit

Generic syncserver

Generic timestenbroker

Genesis Global Low Code Application Platform (LCAP)

Genesys Customer Interaction Management

Genesys Framework

Genesys Outbound Contact

Genesys Proactive Contact

Genesys Voice Platform (GVP)

Gentoo logrotate

GetWooPlugins Additional Variation Images for WooCommerce

GIT GIT

git-diff-apply git-diff-apply

GitHub Git LFS

GitHub GitHub Desktop

GitHub Grafeas

Glory Global Solutions Teller Cash Recycler RBG-100

Glory Global Solutions Teller Cash Recycler RBG-200

GNU Bash

GNU GLibC

GNU M4

GNU Make

GNU zebra

GoDaddy Email Marketing Plugin

Golang Go

Gold Plugins Easy Testimonials

Good Good for Enterprise

GoodTech Systems Good Access for Android

GoodTech Systems Good Access for iOS

GoodTech Systems Good Dynamics

GoodTech Systems Good Mobile Messaging server for Exchange

Google AI Platform


Google Android

Google Android One

Google Android Studio

Google BigQuery

Google BigTable

Google Cloud Dataproc

Google CloudSQL for PostgreSQL

Google DataLab

Google gRPC

Google Kubernetes

Google Nexus

Google Protocol Buffers (protobuf)

Gopiplus Email Newsletter Plugin

graceful-readlink Project graceful-readlink

Grafana Grafana

GraphicsMagick GraphicsMagick

Gravitate Gravitate QA Tracker

GreenTreeLabs Gallery PhotoBlocks Plugin

Greg Mulhauser Gregs High Performance SEO Plugin

Groundhogg Groundhogg Plugin

Gtranslate Google Language Translator Plugin

Guidance Software EnCase

Gunicorn Gunicorn

H20 H2O Enterprise Steam

H20 H2O Sparkling Water

H2O H2O

HahnCreativeGroup ReFlex Gallery

Hall WooCommerce Address Book

Hancom Hangul Word Processor

Hanwha Techwin SmartViewer

Hanwha Techwin SRD-1676D

Hanwha Techwin Webviewer Plugin

HAProxy HAProxy

harmon.ie harmon.ie for Outlook

Harness Harness

Harness Harness Delegate

HashiCorp Consul

HashiCorp Sentinel

HashiCorp Terraform

HashiCorp Terraform Enterprise

HashiCorp Vault


HashiCorp Vault Enterprise

Heed Software Heed

Highsoft Highcharts

Hitachi Automated Director

Hitachi Automation Director

Hitachi Business Continuity Manager

Hitachi Command Suite

Hitachi Compute Systems Manager

Hitachi HNAS

Hitachi Replication Manager

Hitachi Tiered Storage Manager

Hitachi Tuning Manager

Hitachi Unified Storage VM (HUS VM)

Hitachi Virtual Storage Platform

Hive Font Organizer

Holest Breadcrumbs by menu

Honeywell Pro-Watch

Honeywell PW-6000 Intelligent Controller

Honeywell PW-6101 Intelligent Controller

Honeywell PW-7000 Intelligent Controller

Honeywell Xenon

Hooper Software Principle

HORIZONT IWS/Audit

HORIZONT IWS/BatchAD

HORIZONT IWS/Graph

HP 1200w NFC/Wireless Mobile Print Accessory

HP Apollo

HP Apollo HW

HP Arcsight Connector Appliance

HP ArcSight ESM

HP ArcSight Management Center

HP Asset Manager

HP Atalla Network Security Processors (NSP)

HP BladeSystem c-Class Virtual Connect (VC)

HP Connect IT

HP Database and Middleware Automation

HP DDMI

HP Device Connect

HP Device Manager (DevMgr)

HP ESQ Automated Operator (AO)

HP Ezmeral Container Platform


HP FutureSmart

HP ILO Amplifier Pack

HP iMC PLAT

HP Integrated Lights-Out (iLO)

HP Integrity Server

HP JetAdmin

HP JetAdvantage Management Connector

HP JetAdvantage Security Manager

HP Lights-Out Online Configuration Utility

HP LoadRunner

HP Network Automation

HP NonStop Software

HP OneView

HP OpenView Storage Data Protector

HP Performance Center

HP ProLiant Server

HP ProLiant Server Firmware

HP ProLiant Support Pack (PSP)

HP Remote Monitoring and Management

HP ScanJet Enterprise

HP Server Management

HP Synergy Compute Module

HP Synergy Compute Module HW

HP WebInspect

ibericode Mailchimp for WordPress

IBM Advanced Developer Portal

IBM AFP Toolbox for MVS

IBM API Connect

IBM APL2

IBM Application Client for IBM WebSphere

IBM Application Support Facility

IBM AppScan Source for Analysis

IBM BigFix Client

IBM BigFix Inventory

IBM BigFix Platform

IBM BigFix WebUI Profile Management

IBM BigFix WebUI Software Distribution

IBM Block Storage

IBM Business Automation Workflow

IBM Business Process Manager

IBM C/370 Compiler and Library


IBM Candle Management Server

IBM CICS Batch Application Control

IBM CICS Explorer

IBM CICS Time Machine

IBM CICS Transaction Gateway

IBM CICS Transaction Gateway SDK

IBM CICS Transaction Server

IBM CICS TS Feature Pack for Dynamic Scripting

IBM CICS TS Feature Pack for Modern Batch

IBM CL/SuperSession

IBM ClevOS

IBM Cloud Object Storage

IBM Cloud Pak for Multicloud Management

IBM Cognos Analytics

IBM Cognos Business Intelligence Server

IBM Cognos Enterprise

IBM Cognos PowerPlay Enterprise Server

IBM Connect Direct

IBM Content Manager

IBM Content Manager OnDemand

IBM Control Center for VSE and VM

IBM DataPower Operations Dashboard

IBM DataStage

IBM DB2

IBM DB2 High Performance Unload (HPU)

IBM DB2 Universal Database

IBM DB2 Utilities Suite

IBM Director Agent

IBM Distributed Key Management System (DKMS)

IBM DITTO/ESA for MVS

IBM Environmental Record Editing and Printing

IBM FlashSystem V9000

IBM General Parallel File System (GPFS)

IBM Gentran

IBM GPFS Storage Server

IBM Graphical Data Display Manager

IBM HACMP

IBM High Level Assembler

IBM HMC

IBM Host On-Demand

IBM HourGlass


IBM Hyper-Scale Manager

IBM i5/OS

IBM IBM I

IBM ILOG CPLEX Optimization Studio

IBM IMS Database Manager

IBM IMS/ESA Transaction Manager

IBM Informix

IBM InfoSphere Data Architect

IBM InfoSphere Data Replication

IBM InfoSphere Master Data Management

IBM InfoSphere Optim Data Growth for DB2

IBM InfoSphere Optim Data Growth for Oracle E-Business

IBM Integration Bus

IBM Integration Designer

IBM Java

IBM Lotus Notes

IBM MQ Appliance

IBM MQ for HPE NonStop

IBM MVS

IBM Netezza for Cloud Pak for Data

IBM Notes

IBM Operational Decision Manager

IBM Planning Analytics

IBM Platform Symphony

IBM PowerVP

IBM PureData System for Analytics

IBM Rational AppScan Standard

IBM Rational Asset Manager

IBM Rational ClearCase

IBM Rational Team Concert

IBM Resource Access Control Facility (RACF)

IBM Resource Measurement Facility (RMF)

IBM Screen Definition Facility II

IBM Security AppScan Enterprise

IBM Security AppScan Source

IBM Security Guardium

IBM Security Guardium Big Data Intelligence (SonarG)

IBM Security Guardium Database Activity Monitor

IBM Security zSecure CICS Toolkit

IBM SolidDB

IBM Spectrum Accelerate


IBM Spectrum Archive

IBM Spectrum Control

IBM Spectrum Protect Backup-Archive Client

IBM Spectrum Protect Server

IBM Spectrum Scale

IBM Spectrum Symphony

IBM SPSS Collaboration and Deployment Services

IBM SPSS Data Access Pack

IBM SPSS Modeler

IBM Sterling B2B Integrator

IBM Sterling Connect:Direct

IBM Sterling Control Center

IBM Sterling File Gateway

IBM Tivoli AF/OPERATOR

IBM Tivoli Application Dependency Discovery Manager

IBM Tivoli Asset Discovery for Distributed

IBM Tivoli Directory Integrator (TDI)

IBM Tivoli Directory Server

IBM Tivoli Monitoring

IBM Tivoli Netcool Impact

IBM Tivoli Netcool/OMNIbus

IBM Tivoli NetView

IBM Tivoli OMEGACENTER Gateway for MVS

IBM Tivoli OMEGAMON II for CICS

IBM Tivoli OMEGAMON XE for DB2 Performance Expert

IBM Tivoli Omegaview

IBM Tivoli Storage Manager

IBM Tivoli Workload Scheduler

IBM Tivoli Workload Scheduler Distributed

IBM TotalNET Advanced Server (TAS)

IBM TPF Operations Server (TOS)

IBM TS3100 Tape Library

IBM TS3200 Tape Library

IBM TS3310 Tape Library

IBM TS3500 Tape Library

IBM TS4300 Tape Library

IBM TS4500 Tape Library

IBM UrbanCode Deploy

IBM Virtual I/O Server

IBM WebSphere DataPower

IBM WebSphere Host On-Demand


IBM WebSphere Liberty

IBM WebSphere MQ

IBM Websphere Process Server

IBM XIV Storage System

IBM z/OS

IBM z/OS Connect Enterprise Edition

IBM z/Transaction Processing Facility (z/TPF)

IBM z/VM

IBM zPCR (Process Capacity Reference)

Icegram Popups, Welcome Bar, Optins and Lead Generation

Icinga Icinga

IDEMIA Morpho Fingerprint Scanner

IDEMIA Morpho MSO Drivers

ierror Django JS Reverse

Ignite Realtime Spark

Igor Funa Ad Inserter

Igor Sysoev nginx

IHS Markit Eviews

IHS Markit Petra

Illumio Illumio ASP

Image Access ImageTrust

ImageMagick GraphicsMagick

ImageMagick ImageMagick

Immunity CANVAS

Index Engines Unified Discovery Platform

Informatica Data Quality

Informatica Enterprise Data Catalog (EDC)

Informatica Informatica Developer Tool

Informatica Multidomain Master Data Management (MD MDM)

Informatica PowerCenter

Information Builders FOCUS Package

Infosys AssistEdge

InfoVista InfoVista

Innovation FDR/UPSTREAM

Instamojo Instamojo for WooCommerce

Integrated Research Prognosis

Intel Acceleration Stack

Intel Active Management Technology (AMT)

Intel Core Processor

Intel Data Exchange Layer (DXL)

Intel Graphics Driver


Intel Threat Intelligence Exchange

Intel vPro

Intel Xeon Processor

Intellimagic Intellimagic Performance Management

Intercope BOX Messaging Hub

Intralinks Connector for Microsoft SharePoint

InVision Enterprise

IPC Alliance MX System Center

IPC IQ/MAX

IPC IQ/MAX Edge

IPC IQ/MAX Touch

IPC Pulse

IPC SIPX Line Card

IPC Unigy

Iris ID Systems iCAM7 series

iSigner iSigner

Istanbul Project nyc

iThemes Builder Style Manager Plugin

iThemes Builder Theme Depot Plugin

iThemes Builder Theme Market Plugin

iThemes Custom URL Tracking Add-on for iThemes Exchange

iThemes Easy Canadian Sales Taxes Add-on

iThemes Easy EU Value Added Taxes (VAT) iThemes Exchange

iThemes Invoices Add-on for iThemes Exchange

iThemes iThemes Exchange

iThemes iThemes Mobile Plugin

iThemes Manual Purchases Add-on for iThemes Exchange

iThemes Membership Add-on for iThemes Exchange

iThemes Stripe Add-on for iThemes Exchange

iThemes Table Rate Shipping Add-on for iThemes Exchange

Jacques Malgrange Rencontre

Jamf Jamf Pro

JaQuan Wechat Broadcast

Jasmine Project Jasmine

JasPer JasPer

Jenkins CI AppDynamics Dashboard Plugin

Jenkins CI Audit Trail Plugin

Jenkins CI Azure Container Service Plugin

Jenkins CI Azure VM Agents Plugin

Jenkins CI Cobertura Plugin

Jenkins CI Copy Data to Workspace Plugin


Jenkins CI Docker Plugin

Jenkins CI ElasTest Plugin

Jenkins CI Embeddable Build Status Plugin

Jenkins CI Git Client

Jenkins CI Gogs Plugin

Jenkins CI Google Calendar Plugin

Jenkins CI Google OAuth Credentials

Jenkins CI JClouds

Jenkins CI Jenkins

Jenkins CI Job DSL Plugin

Jenkins CI Logstash Plugin

Jenkins CI Mac Plugin

Jenkins CI Matrix Project Plugin

Jenkins CI OpenShift Pipeline Plugin

Jenkins CI Oracle Cloud Infrastructure Compute Classic

Jenkins CI P4 Plugin

Jenkins CI Pipeline: AWS Steps Plugin

Jenkins CI Puppet Enterprise Pipeline Plugin

Jenkins CI Queue Cleanup Plugin

Jenkins CI Repository Connector Plugin

Jenkins CI Selection Tasks Plugin

Jenkins CI Storable Configs Plugin

Jenkins CI Timestamper Plugin

Jesper Johansen Jayj Quicktag Plugin

Jetbrains IntelliJ

Jetty Jetty

Jfrog Artifactory

JimHu JSmol2WP

Jive Software Jive

Joel James 404 to 301 Plugin

joomsky JS Job Manager Plugin

JoomUnited WP Latest Posts Plugin

Joseph Dolson My Calendar Plugin

jQuery jQuery

jsdom Project jsdom

jsdom-global Project jsdom-global

julianburr Localize My Post

Juniper Networks CTPOS

Juniper Networks NetScreen

Juniper Networks Secure Services Gateway

Juniper Networks SRX Series


Jxplorer Jxplorer

KAL Kalignite K3A

kaltura Kaltura MediaSpace

kaltura kaltura server

Kama Democracy Poll Plugin

Kenton Hirowatari WP Business Intelligence Lite Plugin

Kiboko Labs Arigato Autoresponder and Newsletter

Kiboko Labs Chained Quiz Plugin

Kiboko Labs Hostel

Kieran OShea Calendar Plugin

Kinetica DB Kinetica

King Theme KingComposer

KNIME KNIME Analytics Platform

Kofax Analytics for Capture

Kofax Insight

Kofax Intelligent Capture & Exchange

Kofax Mobile ID and Verification

Kofax Transformation Module

Kore Kore.ai

Kroll Ontrack Ontrack PowerControls for Exchange

Lakeside Software SysTrack Workspace Analytics

Lantronix UDS2100

Larry Wall Perl

Lenovo ThinkPad X

Levi Ray & Shoup DRS/OutputManager

Levi Ray & Shoup VPSX Enterprise

Lexmark Color Multifunction Device (MFD)

Lexmark CX725 Series

Lexmark Data Collection Manager (LDCM)

Libin V Babu Erident Custom Login and Dashboard Plugin

LibTiff LibTiff

libxslt libxslt

Liferay Liferay Portal

LifterLMS LifterLMS Plugin

Lighttpd Lighttpd

Limb Limb Gallery Plugin

LINDO Systems What'sBest!

Little CMS Little CMS

Lopo.it Duplicate Post Plugin

Lua Lua

Lucent Technologies QIP Enterprise

M&Wise wiseU

MacKinney Systems Easy Help for CICS

MacKinney Systems SM/SWAP

MagTek MT-215

Mail.Ru Group Mail.Ru Calendar

ManageEngine Application Manager

MANTA MANTA

Marc Schieferdecker article2pdf

Marcus Sykes Events Manager

MariaDB MariaDB

Mark Wilkinson WP Front End Profile

MarvinLabs WP Customer Area Plugin

Matchbox Design Group Universal Analytics Plugin

McAfee Agent

McAfee Agent for Mac

McAfee Anti-Malware Scan Engine for Mac

McAfee Content Scanning Engine

McAfee Data Exchange Layer

McAfee Data Loss Prevention (DLP) Endpoint

McAfee Device Control

McAfee Endpoint Encryption for Files and Folders

McAfee Endpoint Security

McAfee Endpoint Security for Linux

McAfee Endpoint Security for Mac (ENSM)

McAfee ePolicy Orchestrator

McAfee File and Removable Media Protection

McAfee Internet Security for Mac

McAfee Management of Native Encryption

McAfee Risk Advisor

McAfee Rogue System Detection

McAfee Security for Microsoft Exchange

McAfee Threat Intelligence Exchange Server

McAfee TIE

McAfee VirusScan

McAfee VirusScan Command Line

McAfee VirusScan Enterprise for Storage

McAfee Vulnerability Manager

Mediaburst Clockwork SMS Plugin

Mega Menu Max Mega Menu Plugin

MemSQL MemSQL

Merrill Consultants MXG

Meta Box Meta Box Plugin

Micro Focus ArcSight User Behavior Analytics

Micro Focus Fortify Static Code Analyzer

Micro Focus Net Express

Micro Focus Server Express

Micro Information Systems Dump Analyzer

Microfocus Startool FDM

Microsoft .NET

Microsoft .NET Core

Microsoft .NET Core Hosting Bundle

Microsoft .NET Core SDK

Microsoft .NET SDK

Microsoft Access

Microsoft Active Directory Certificate Services

Microsoft Application Compatibility Toolkit

Microsoft ASP.NET

Microsoft ASP.NET Core

Microsoft ASP.NET MVC

Microsoft Azure AD Connect

Microsoft Azure AD Connect Provisioning Agent

Microsoft Azure AD Password Protection

Microsoft Azure DevOps Server

Microsoft Bot Framework SDK for .NET Framework

Microsoft Bot Framework SDK for JavaScript

Microsoft Bot Framework SDK for Python

Microsoft Command Line Utilities for SQL Server

Microsoft Data Protection Manager

Microsoft DirectX

Microsoft Dynamics CRM

Microsoft Forefront Identity Manager Certificate Manager

Microsoft FSLogix

Microsoft Intune Company Portal

Microsoft Intune Endpoint Protection

Microsoft JDBC Driver for SQL Server

Microsoft Lync

Microsoft Lync for Mac

Microsoft Machine Learning Server

Microsoft Malicious Software Removal Tool (MSRT)

Microsoft Management OData IIS Extension

Microsoft MDAC

Microsoft Media Player

Microsoft Microsoft Identity Integration Server (MIIS)

Microsoft Microsoft Operations Manager

Microsoft Microsoft.AspNetCore.All

Microsoft Microsoft.AspNetCore.Mvc.Core

Microsoft ODBC Driver

Microsoft Office 365

Microsoft Office Communicator

Microsoft Office for Mac

Microsoft Office InfoPath

Microsoft Office InfoPath 2007

Microsoft Office InfoPath 2010

Microsoft Office Online Server

Microsoft Office SharePoint Server

Microsoft Office Web Apps Server

Microsoft OLE DB Driver for DB2

Microsoft OLE DB Driver for SQL Server

Microsoft OneDrive

Microsoft OneNote

Microsoft Online Responder

Microsoft Outlook for Android

Microsoft Outlook for iOS

Microsoft Power BI Desktop

Microsoft Power BI Report Server

Microsoft PowerShell Core

Microsoft Project

Microsoft Publisher

Microsoft Publisher 2010

Microsoft Remote Desktop App

Microsoft Remote Desktop Client for Windows Desktop (MSRDC)

Microsoft Remote Desktop Connection Client

Microsoft Remote Desktop Connection Server

Microsoft Report Viewer

Microsoft SharePoint Client Components

Microsoft SharePoint Designer

Microsoft SharePoint Services

Microsoft Silverlight

Microsoft Skype

Microsoft Skype for Android

Microsoft Skype for Business

Microsoft Skype for Business Server

Microsoft SQL Server 2008 Upgrade Advisor

Microsoft SQL Server Integration Services (SSIS)

Microsoft SQL Server Management Studio (SSMS)

Microsoft SQL Server Management Studio Express (SSMSE)

Microsoft SQL Server Migration for SAP ASE

Microsoft SQL Server Reporting Services (SSRS)

Microsoft System Center Configuration Manager

Microsoft System Center Operations Manager

Microsoft Team Foundation Server

Microsoft Teams

Microsoft Teams for iOS

Microsoft VBScript

Microsoft Visio

Microsoft Visio 2007

Microsoft Visual C++

Microsoft Visual Studio

Microsoft Visual Studio Code

Microsoft Visual Studio Code npm-script Extension

Microsoft Visual Studio for Mac

Microsoft Visual Studio Team Foundation Server

Microsoft Windows Host Compute Service Shim

Microsoft Windows XP

Microsoft Wireless Desktop 2000 for Business

Microsoft Yammer for Android

MicroStrategy HyperIntelligence for Web

MicroStrategy MicroStrategy Platform

MicroStrategy Narrowcast Server

Miklos Szeredi FUSE

miniOrange Single Sign-On plugin

Mitek CheckReader

mndpsingh287 File Manager

Mocha Project Mocha

mocha-teamcity-reporter Project mocha-teamcity-reporter

Mod_ssl Mod_ssl

Modern Tribe Event Tickets

Modern Tribe GigPress

mongoDB Compass

mongoDB mongoDB

mongoDB Monitoring Service (MMS)

Mongoose Mongoose

MontaVista Linux Professional Edition

Moodys Analytics CDOEdge

Morpho MorphoSmart 1300

Morpho MorphoWave Tower

MyThemeShop Launcher Plugin

MyThemeShop My WP Translate Plugin

Nahapet N Quizlord

Namith Jawahar Wp-Insert

Narrative Science Quill

Nasdanika Tool Suite

Nastel Nastel AutoPilot for MQ

Nautilus Hyosung Ubitus 8300H

NBS Xpressi Print Server

NBS Xpressi Suite

NCR Aptra XFS

NCR Self-Service ATM

nCrafts FormCraft Plugin

Nelio Software Nelio AB Testing Plugin

Neo4j Neo4j

Net-SNMP Net-SNMP

NetApp Active IQ Unified Manager

NetApp Clustered Data ONTAP

NetApp Data ONTAP

NetApp FAS Array

NetApp Lifetime Key Management KM500

NetApp OnCommand System Manager

NetApp Trident

NetBrain NetBrain

NetBSD NetBSD

Never5 Download Monitor Plugin

Never5 Post Connector

Never5 Related Posts Plugin

New Era Image Focus

New Era Stand Alone Environment

NextScripts Social Networks Auto-Poster

NICE Communication Surveillance

NICE Compliance Center

NICE Engage

NICE Interaction Management (NIM)

NICE Nexidia Interaction Analytics

NICE NICE COMPASS

NICE Perform

NICE Playback Portal

NICE Real-Time Authentication (RTA)

NICE Sentinel

NICE Trade Recording

Nickel Pro Jibu Pro

Nmap Nmap

node-uuid Project node-uuid

Node.js Foundation Node.js

Nortel Networks Meridian

NPM NPM

NTP NTP

Nuance Dragon NaturallySpeaking

Nuance eCopy ShareScan

Nuance Equitrac Office

Nuance FreeSpeech

Nuance Loquendo Customer Support Portal

Nuance Recognizer

Nuance Security Suite

Nuance Vocalizer

Nuix eDiscovery

NV Access NonVisual Desktop Access (NVDA)

Nvidia Quadro Graphics Driver

Oliver Shingler Olimometer Plugin

OneLogin OneLogin SAML SSO

Open Software Technologies REXXTOOLS/MVS

Open Text Documentum Content Server

Open Text Documentum D2

OpenJDK OpenJDK

Opensource DBD::Sybase

OpenText Documentum Administrator

OpenText IAS/CICS

OpenText Information Hub (iHub)

OpenText OpenDeploy

OpenText Output Transformation

OpenText Rightfax

OpenText TeamSite

Opsol Integrators OmniCrypto

Opsol Integrators OpenCrypto

Oracle Acme Packet

Oracle BI Publisher

Oracle Business Process Management

Oracle Business Transaction Management

Oracle Communications Operations Monitor

Oracle Communications Session Border Controller

Oracle Communications Session Delivery Management Suite

Oracle Directory Server Enterprise Edition

Oracle Enterprise Manager Grid Control

Oracle Essbase

Oracle Essbase Administration Services

Oracle Essbase Analytic Provider Services

Oracle Essbase Studio

Oracle Glassfish

Oracle GoldenGate

Oracle GoldenGate for Big Data

Oracle GoldenGate Veridata

Oracle Hyperion

Oracle Hyperion Essbase

Oracle Hyperion Smart View for Office

Oracle Identity Analytics

Oracle Integrated Lights Out Manager (ILOM)

Oracle iPlanet Web Server

Oracle JDK

Oracle Jumpstart Enterprise Toolkit

Oracle Knowledge

Oracle Management Pack for Oracle GoldenGate

Oracle Oracle CRM

Oracle Oracle Enterprise Manager

Oracle Oracle Forms

Oracle Oracle Fusion Middleware

Oracle Oracle Linux

Oracle Oracle Outside In Technology

Oracle PeopleSoft Enterprise

Oracle PeopleSoft Enterprise Customer Relationship Manage

Oracle PeopleSoft Enterprise EPM

Oracle PeopleSoft Enterprise FMS

Oracle PeopleSoft Enterprise HRMS Human Resources

Oracle PeopleSoft Enterprise Performance Management

Oracle PeopleSoft HRMS

Oracle PeopleSoft PeopleTools

Oracle PeopleSoft Portal

Oracle Secure Global Desktop

Oracle Solaris Security Toolkit (JASS)

Oracle Tuxedo

Oracle VM Server for SPARC

Oracle Waveset

Oracle WebLogic Server

owent wp-code-highlightjs

p7zip p7zip

Packet Design Route Explorer

Palisade @RISK

Palo Alto Cortex XSOAR

Palo Alto Demisto Enterprise

Palo Alto GlobalProtect VPN

Palo Alto Next-Generation Firewall

Palo Alto Palo Alto Firewall

Palo Alto Panorama

Palo Alto Prisma Cloud Compute

Pan Pan

Papin Schipper Companion Sitemap Generator Plugin

Pascal Casier bbPress Move Topics Plugin

Patreon Patreon WordPress

Paxata Paxata

Pegasystems Pega Infinity

Peter Keung Peter’s Login Redirect Plugin

PetersPlugins Link Log

Pexip Pexip Infinity

PgAdmin PgAdmin

PhpMailer PhpMailer

Ping Identity PingFederate

PingIdentity PingAccess

Pippin Plugins Featured Comments Plugin

Pitney Bowes Code-1 Plus

Pitney Bowes Spectrum

Pitney Bowes StreamWeaver

Pivotal AppDynamics Application Performance Monitoring

Pivotal Application Service

Pivotal BOSH Backup and Restore (BBR)

Pivotal BOSH CLI

Pivotal Cloud Foundry (PCF)

Pivotal Cloud Foundry (PCF) Elastic Runtime

Pivotal Cloud Foundry (PCF) Ops Manage

Pivotal Cloud Foundry CLI

Pivotal Cloud Foundry Event Alerts

Pivotal Cloud Foundry Healthwatch

Pivotal Cloud Foundry Service Broker for AWS

Pivotal CredHub Service Broker for PCF

Pivotal GemFire Enterprise

Pivotal Greenplum

Pivotal Java Buildpack

Pivotal JMX Bridge (Ops Metrics)

Pivotal Metric Registrar

Pivotal Node.js Buildpack

Pivotal Operations Manager

Pivotal PCF Metrics

Pivotal RabbitMQ

Pivotal RabbitMQ amqp-client

Pivotal Splunk Firehose Nozzle for PCF

Pivotal Spring Batch

Pivotal Spring Boot

Pivotal Spring Cloud Consul

Pivotal Spring Cloud Gateway

Pivotal Spring Cloud Loadbalancer

Pivotal Spring Cloud Services for PCF

Pivotal Spring Cloud SSO Connector

Pivotal Spring Data Commons

Pivotal Spring Data Couchbase

Pivotal Spring Data JDBC Extensions

Pivotal Spring Data JPA

Pivotal Spring Data REST

Pivotal Spring Framework

Pivotal Spring Integration

Pivotal Spring Integration Zip

Pivotal Spring IO Platform

Pivotal Spring Security

Pivotal Spring Security OAuth

Pivotal Spring Session

Pivotal Spring Statemachine

Pivotal spring web flow

Pivotal Spring Web Services

Pivotal Staticfile Buildpack

Pivotal User Account and Authentication (UAA)

Piwik PRO Piwik PRO

Pixman Pixman

PKWare SecureZIP

Platfora Platfora

Podman Podman

Pointsharp Pointsharp

Polaris Consulting & Services CitiSAFE

Polarsoft BacNET Quick Test

Poly Poly Studio

Poly Poly Studio X30

Poly Poly Studio X50

PortSwigger Burp Suite Community

PortSwigger Burp Suite Professional

PostgreSQL JDBC Driver

PostgreSQL ODBC Driver

PostgreSQL PostgreSQL

PPR iCommunicator

PressTigers Simple Job Board Plugin

Prevoty Runtime Application Self Protection (RASP)

PrinterOn Embedded Agent for Samsung

PRIVITAR Privitar Publisher

privoxy privoxy

ProfileGrid ProfileGrid Plugin

PROGRESSSOFT ps-ecc

Protegrity Data Security Platform

Provisio SiteKiosk

Provisio SiteRemote Server

PulseAudio PulseAudio

PulseSecure Pulse Connect Secure

PyJWT PyJWT

Python Software Foundation Paramiko

Python Software Foundation Python

Python Software Foundation Requests

Qlik NPrinting Designer

Qlik NPrinting Server

Qlik Qlik Sense Enterprise

Qlik Qlikview

Qlik Sense

QlikTech QlikView

QOS.CH SLF4J

QSM Team Quiz And Survey Master

Quadlayers WP Social Feed Gallery Plugin

Qualys Cloud Agent

Qualys Qualys Gateway Service (QGS)

Quest GPOADmin

Quest LiteSpeed for SQL Server

Quest Migration Manager for Active Directory

Quest One Application Password Virtual Cache

Quest One Privileged Account Management

Quest Recovery Manager for Active Directory

Qumu Video Control Center

Qumu VideoNet Edge

Quotium Spitab+

R-project R

Rancher Labs Rancher

Rank Math SEO Plugin

Raritan Dominion KX III

Raritan Dominion KX IV-101

Realtime Soft UltraMon

RedHat Advanced Cluster Management for Kubernetes

RedHat Ansible Tower

RedHat Cluster Suite

RedHat Decision Manager

RedHat JBoss AMQ

RedHat JBoss BPM Suite

RedHat JBoss WildFly Application Server

RedHat Linux

RedHat Mailcap

RedHat openshift-ansible

RedHat tcpdump

Redirection Redirection Plugin

Redis Redis

redis-store Redis Store

Redsky E911 Manager

Relational Architects International Smart/CAF

Repute InfoSystems ARPrice Lite Plugin

Ribbon Communications Insight EMS

Ribbon Communications PSX

Ribbon Communications SBC 5400

Ribbon Communications SBC Swe

Ricoh Device Manager NX Enterprise

RIM Blackberry Desktop Manager

RIM Blackberry Device Service

RIM Blackberry Device Software

RIM BlackBerry Enterprise Server

Rio Karma

Riverbed SteelCentral NetProfiler

Riverbed SteelCentral NetShark

Riverbed SteelCentral Transaction Analyzer

Rocket Software Performance Essential

Rocket Software Rocket Mainstar MXI

RSA Security Adaptive Authentication

RSA Security Security Analytics

RSA Security Web Threat Detection

RStudio RStudio

RStudio RStudio Server

Rsyslog Rsyslog

Ruby on Rails Ruby on Rails

RubyGems active support

RubyGems paranoid2

RubyGems Sprockets

Rust-Lang Rust

Ryan Tracker Pro

S21 Lookwise device manager for ATM

S21sec Lookwise Device Manager

SafeNet Luna Network HSM

SafeNet SecureStorage

SailPoint IdentityIQ

Samsung smartviewer

SanDisk Cruzer Enterprise USB

SAP Adaptive Server Enterprise

SAP BusinessObjects

SAP BusinessObjects XI

SAP Crystal Reports

SAP Crystal Reports for VS

SAP NetWeaver

SAP NetWeaver Application Server Java systems

SAP NetWeaver AS ABAP Business Server Pages

SAS Institute ACCESS Interface to Oracle

SAS Institute Add-In for Microsoft Office

SAS Institute Data Integration Studio

SAS Institute Enterprise Guide

SAS Institute Enterprise Miner

SAS Institute Grid Manager

SAS Institute IML Studio

SAS Institute Information Map Studio

SAS Institute Office Analytics

SAS Institute OLAP Cube Studio

SAS Institute SAS Language

SBJSON Project SBJSON

Scala Digital Signage Enterprise Content Manager

Schneider Electric EcoStruxure Building Operation

Schneider Electric ION Setup

SDS CICS Application File Control (CAFC)

SEA Software JCL PlusPack

Selenium Selenium IDE

Selenium Selenium Standalone Server

Sell Downloads Project Sell Downloads

Sendmail Consortium Sendmail

Sendmail Inc. Sentrion MP

Sensu Enterprise

Sensu Sensu

Seproban Seproban

ServiceNow ServiceNow Platform

Servion Global Solutions GED-125 Connector

Shafer Systems Notate

Shanghai AMARSOFT Digital Lending Platform

Siemens ABT Site

Siemens APE

Siemens Automation License Manager

Siemens Climatix POL908

Siemens Climatix POL909

Siemens CP1543-1

Siemens CP1604

Siemens CP1616

Siemens Datamate Advanced

Siemens Desigo CC

Siemens DIGSI 5

Siemens EN100 Module

Siemens Extension Unit PROFINET

Siemens IE/AS-i Link PN IO

Siemens IE/PB Link PN IO

Siemens IE/WSN-PA Link

Siemens IEC 61850 system configurator

Siemens JT2Go

Siemens MindConnect

Siemens Nucleus ReadyStart

Siemens Nucleus RTOS

Siemens OpenPCS 7

Siemens OZW Web Server

Siemens OZW Web Server HW

Siemens PDM

Siemens Polarion Subversion Webclient

Siemens Primary Setup Tool (PST)

Siemens PROFINET Driver for Controller

Siemens RFID 181EIP

Siemens RUGGEDCOM RM1224

Siemens RUGGEDCOM RMC8388

Siemens RUGGEDCOM ROS

Siemens RUGGEDCOM ROS HW

Siemens RUGGEDCOM ROX

Siemens RUGGEDCOM RS900W

Siemens RUGGEDCOM RS950G

Siemens RUGGEDCOM RSG2488

Siemens RUGGEDCOM RSG900

Siemens RUGGEDCOM RSG920P

Siemens RUGGEDCOM RSL910

Siemens RUGGEDCOM RST2228

Siemens RUGGEDCOM RX1400

Siemens RUGGEDCOM RX1400 VPE Debian Linux

Siemens RUGGEDCOM RX1400 VPE Linux CloudConnect

Siemens RUGGEDCOM WIN

Siemens RUGGEDCOM WIN Subscriber Station

Siemens SCALANCE

Siemens SCALANCE LPE9403

Siemens SCALANCE M-800

Siemens SCALANCE M875

Siemens SCALANCE S600

Siemens SCALANCE S600 HW

Siemens SCALANCE S602

Siemens SCALANCE S612

Siemens SCALANCE S615

Siemens SCALANCE S623

Siemens SCALANCE S627-2M

Siemens SCALANCE SC-600

Siemens SCALANCE W1700

Siemens SCALANCE W1700 IEEE 802.11ac

Siemens SCALANCE W1750D

Siemens SCALANCE W700

Siemens SCALANCE W700 IEEE 802.11a/b/g

Siemens SCALANCE W700 IEEE 802.11ax

Siemens SCALANCE W700 IEEE 802.11n

Siemens SCALANCE W740 IEEE 802.11n

Siemens SCALANCE W780 IEEE 802.11n

Siemens SCALANCE WLC711

Siemens SCALANCE WLC712

Siemens SCALANCE X200

Siemens SCALANCE X200 HW

Siemens SCALANCE X200 IRT

Siemens SCALANCE X200 IRT HW

Siemens SCALANCE X200 RNA

Siemens SCALANCE X204 RNA

Siemens SCALANCE X300

Siemens SCALANCE X300 HW

Siemens SCALANCE X408

Siemens SCALANCE X414

Siemens SCALANCE XB-200

Siemens SCALANCE XC-200

Siemens SCALANCE XF-200

Siemens SCALANCE XF-200 HW

Siemens SCALANCE XF-200 IRT

Siemens SCALANCE XF-200 IRT HW

Siemens SCALANCE XF-200BA

Siemens SCALANCE XM400

Siemens SCALANCE XP-200

Siemens SCALANCE XR300-WG

Siemens SCALANCE XR324

Siemens SCALANCE XR324 HW

Siemens SCALANCE XR500

Siemens Security Configuration Tool (SCT)

Siemens SENTRON 3VA COM100/800

Siemens SENTRON 3VA DSP800

Siemens SENTRON 3WA COM190

Siemens SENTRON 3WL COM35

Siemens SENTRON PAC2200

Siemens SENTRON PAC3200

Siemens SENTRON PAC3200T

Siemens SENTRON PAC3220

Siemens SENTRON PAC4200

Siemens SICAM 230

Siemens SICLOCK TC100

Siemens SICLOCK TC400

Siemens SIMARIS configuration

Siemens SIMATIC Automation Tool

Siemens SIMATIC BATCH

Siemens SIMATIC CloudConnect 712

Siemens SIMATIC CM 1542-1

Siemens SIMATIC CM 1542SP-1

Siemens SIMATIC Compact Field Unit

Siemens SIMATIC Compact Field Unit PA

Siemens SIMATIC CP 1242-7

Siemens SIMATIC CP 1242-7 GPRS

Siemens SIMATIC CP 1243-1

Siemens SIMATIC CP 1243-1 DNP3

Siemens SIMATIC CP 1243-1 IEC

Siemens SIMATIC CP 1243-1 IRC

Siemens SIMATIC CP 1243-7 LTE/EU

Siemens SIMATIC CP 1243-7 LTE/US

Siemens SIMATIC CP 1243-8

Siemens SIMATIC CP 1243-8 IRC

Siemens SIMATIC CP 1542SP-1

Siemens SIMATIC CP 1542SP-1 IRC

Siemens SIMATIC CP 1543-1

Siemens SIMATIC CP 1543SP-1

Siemens SIMATIC CP 1545-1

Siemens SIMATIC CP 1604

Siemens SIMATIC CP 1616

Siemens SIMATIC CP 1623

Siemens SIMATIC CP 1623 HW

Siemens SIMATIC CP 1626

Siemens SIMATIC CP 1626 HW

Siemens SIMATIC CP 1628

Siemens SIMATIC CP 1628 HW

Siemens SIMATIC CP 342-5

Siemens SIMATIC CP 343-1

Siemens SIMATIC CP 343-1 Advanced

Siemens SIMATIC CP 343-1 ERPC

Siemens SIMATIC CP 343-1 Lean

Siemens SIMATIC CP 343-1 Standard

Siemens SIMATIC CP 442-1 RNA

Siemens SIMATIC CP 443-1 Advanced

Siemens SIMATIC CP 443-1 OPC-UA

Siemens SIMATIC CP 443-1 RNA

Siemens SIMATIC CP 443-1 Standard

Siemens SIMATIC CP 443-5 Basic

Siemens SIMATIC CP 443-5 Extended

Siemens SIMATIC DK-16xx PN IO

Siemens SIMATIC Drive Controller

Siemens SIMATIC Drive Controller HW

Siemens SIMATIC ET 200 Open Controller CPU 1515SP PC

Siemens SIMATIC ET 200 Open Controller CPU 1515SP PC2

Siemens SIMATIC ET 200AL

Siemens SIMATIC ET 200AL IM 157-1 PN

Siemens SIMATIC ET 200eco PN

Siemens SIMATIC ET 200M

Siemens SIMATIC ET 200M IM153-4 PN IO HF

Siemens SIMATIC ET 200M IM153-4 PN IO ST

Siemens SIMATIC ET 200MP

Siemens SIMATIC ET 200MP IM155-5 PN BA

Siemens SIMATIC ET 200MP IM155-5 PN HF

Siemens SIMATIC ET 200MP IM155-5 PN ST

Siemens SIMATIC ET 200pro

Siemens SIMATIC ET 200pro IM154-3 PN HF

Siemens SIMATIC ET 200pro IM154-4 PN HF

Siemens SIMATIC ET 200pro IM154-6 PN IWLAN

Siemens SIMATIC ET 200S

Siemens SIMATIC ET 200SP

Siemens SIMATIC ET 200SP IM 155-6 PN/2 HF

Siemens SIMATIC ET 200SP IM 155-6 PN/3 HF

Siemens SIMATIC ET 200SP IM155-6 PN BA

Siemens SIMATIC ET 200SP IM155-6 PN HA

Siemens SIMATIC ET 200SP IM155-6 PN HF

Siemens SIMATIC ET 200SP IM155-6 PN HS

Siemens SIMATIC ET 200SP IM155-6 PN ST

Siemens SIMATIC ET 200SP Open Controller

Siemens SIMATIC ET 200SP Open Controller CPU 1515SP PC

Siemens SIMATIC ET 200SP Open Controller CPU 1515SP PC2

Siemens SIMATIC Field PG

Siemens SIMATIC Field PG HW

Siemens SIMATIC HMI Basic Panels 1st Generation

Siemens SIMATIC HMI Basic Panels 2nd Generation

Siemens SIMATIC HMI Classic Devices

Siemens SIMATIC HMI Comfort Outdoor Panels

Siemens SIMATIC HMI Comfort Panels

Siemens SIMATIC HMI Comfort Panels PRO

Siemens SIMATIC HMI Mobile Panel 277

Siemens SIMATIC HMI Mobile Panels

Siemens SIMATIC HMI Mobile Panels HW

Siemens SIMATIC HMI Multi Panels

Siemens SIMATIC HMI Panels

Siemens SIMATIC HMI United Comfort Panels

Siemens SIMATIC HMI WinCC

Siemens SIMATIC Information Server

Siemens SIMATIC IPC

Siemens SIMATIC IPC DiagBase

Siemens SIMATIC IPC DiagMonitor

Siemens SIMATIC IPC HW

Siemens SIMATIC IPC Support Package for VxWorks

Siemens SIMATIC IT Production Suite

Siemens SIMATIC IT UA Discrete Manufacturing

Siemens SIMATIC ITC

Siemens SIMATIC IWLAN-PB/LINK

Siemens SIMATIC Logon

Siemens SIMATIC Manager

Siemens SIMATIC Mobile Panel 277(F) IWLAN

Siemens SIMATIC MV400

Siemens SIMATIC MV500

Siemens SIMATIC NET PC-Software

Siemens SIMATIC PCS 7 TeleControl

Siemens SIMATIC PCS neo

Siemens SIMATIC PCS7

Siemens SIMATIC PCS7 IPC

Siemens SIMATIC PCS7 Web Server

Siemens SIMATIC PN/PN Coupler

Siemens SIMATIC Power Line Booster (PLB)

Siemens SIMATIC Power Line Booster (PLB) HW

Siemens SIMATIC Process Historian

Siemens SIMATIC ProSave

Siemens SIMATIC RF166C

Siemens SIMATIC RF180C

Siemens SIMATIC RF181-EIP

Siemens SIMATIC RF182C

Siemens SIMATIC RF185C

Siemens SIMATIC RF186C

Siemens SIMATIC RF186CI

Siemens SIMATIC RF188C

Siemens SIMATIC RF188CI

Siemens SIMATIC RF350M

Siemens SIMATIC RF360R

Siemens SIMATIC RF600

Siemens SIMATIC RF600R

Siemens SIMATIC RF615R

Siemens SIMATIC RF650M

Siemens SIMATIC RF650R

Siemens SIMATIC RF680R

Siemens SIMATIC RF685R

Siemens SIMATIC RF68XR

Siemens SIMATIC Route Control

Siemens SIMATIC S7 Series

Siemens SIMATIC S7-1200

Siemens SIMATIC S7-1500

Siemens SIMATIC S7-1500 HW

Siemens SIMATIC S7-1500 Software Controller

Siemens SIMATIC S7-1518-4 PN/DP MFP

Siemens SIMATIC S7-1518-4 PN/DP ODK

Siemens SIMATIC S7-1518F-4 PN/DP MFP

Siemens SIMATIC S7-1518F-4 PN/DP ODK

Siemens SIMATIC S7-200 SMART

Siemens SIMATIC S7-200 SMART HW

Siemens SIMATIC S7-300

Siemens SIMATIC S7-300 HW

Siemens SIMATIC S7-300 PN/DP

Siemens SIMATIC S7-400

Siemens SIMATIC S7-400 PN

Siemens SIMATIC S7-400 PN/DP

Siemens SIMATIC S7-400 PN/DP HW

Siemens SIMATIC S7-400-H

Siemens SIMATIC S7-410

Siemens SIMATIC S7-PLCSIM Advanced

Siemens SIMATIC S7-SCL

Siemens SIMATIC STEP 7

Siemens SIMATIC STEP 7 (TIA Portal)

Siemens SIMATIC STEP 7 - Micro/WIN SMART

Siemens SIMATIC TDC CP51M1

Siemens SIMATIC TDC CPU555

Siemens SIMATIC Teleservice Adapter IE

Siemens SIMATIC WinAC RTX

Siemens SIMATIC WinCC

Siemens SIMATIC WinCC (TIA Portal)

Siemens SIMATIC WinCC Flexible

Siemens SIMATIC WinCC Historian CONNECT ALARM

Siemens SIMATIC WinCC OA

Siemens SIMATIC WinCC OA Operator

Siemens SIMATIC WinCC OA UI

Siemens SIMATIC WinCC PI CONNECT ALARM

Siemens SIMATIC WinCC PI CONNECT AUDIT TRAIL

Siemens SIMATIC WinCC PM-AGENT

Siemens SIMATIC WinCC PM-ANALYZE

Siemens SIMATIC WinCC PM-CONTROL

Siemens SIMATIC WinCC PM-MAINT

Siemens SIMATIC WinCC PM-OPEN EXPORT

Siemens SIMATIC WinCC PM-OPEN HOST-S

Siemens SIMATIC WinCC PM-OPEN IMPORT

Siemens SIMATIC WinCC PM-OPEN PI

Siemens SIMATIC WinCC PM-OPEN PV02

Siemens SIMATIC WinCC PM-OPEN TCP/IP

Siemens SIMATIC WinCC PM-QUALITY

Siemens SIMATIC WinCC Runtime Advanced

Siemens SIMATIC WinCC Runtime Comfort

Siemens SIMATIC WinCC Runtime HSP Comfort

Siemens SIMATIC WinCC Runtime Mobile

Siemens SIMATIC WinCC Runtime Professional

Siemens SIMATIC WinCC SICEMENT IT MIS

Siemens SIMATIC WinCC SIPAPER IT MIS

Siemens SIMATIC WinCC Sm@rtClient for Android

Siemens SIMATIC WinCC Sm@rtClient Lite for Android

Siemens SIMATIC WinCC TeleControl

Siemens SINAMICS Connect 300

Siemens SINAMICS Control Unit PN

Siemens SINAMICS Control Unit PN HW

Siemens SINAMICS GH150

Siemens SINAMICS GH150 with PN

Siemens SINAMICS GL150

Siemens SINAMICS GL150 with PN

Siemens SINAMICS GM150

Siemens SINAMICS GM150 with PN

Siemens SINAMICS PERFECT HARMONY GH180

Siemens SINAMICS SH150

Siemens SINAMICS SL150

Siemens SINAMICS SL150 with PN

Siemens SINAMICS SM120

Siemens SINAMICS SM120 with PN

Siemens sinamics sm150

Siemens SINAMICS SM150 with SIMOTION and PN

Siemens SINAMICS SM150i

Siemens SINAMICS Startdrive

Siemens SINAMICS STARTER Commissioning Tool

Siemens SINEC PNI (Primary Network Initialization)

Siemens SINEC-INS

Siemens SINEC-NMS

Siemens SINUMERIK 808D

Siemens SINUMERIK 808D Programming Tool

Siemens SINUMERIK 828D

Siemens SINUMERIK 840D sl

Siemens SINUMERIK 840D sl HW

Siemens SINUMERIK Handheld Terminal HT 10

Siemens SINUMERIK Integrate Access MyMachine

Siemens SINUMERIK Integrate Operate Client

Siemens SINUMERIK MCU 1720

Siemens SINUMERIK OPC UA Server

Siemens SINUMERIK Operate

Siemens SINUMERIK Operator Panel with TCU

Siemens SINUMERIK PCU

Siemens SINUMERIK PCU50.5

Siemens SINUMERIK PCU50.5-C

Siemens SINUMERIK PCU50.5-P

Siemens SINUMERIK TCU30.3

Siemens SIPROTEC

Siemens SIPROTEC HW

Siemens SIPROTEC Plug-in Communication Module

Siemens SIRIUS 3RW5

Siemens SIRIUS ACT 3SU1 interface module PROFINET

Siemens SIRIUS Motor starter M200D PROFINET

Siemens SIRIUS Soft starter 3RW44 PN

Siemens SITOP Manager

Siemens SITOP PSU8600

Siemens SITOP PSU8600 PROFINET

Siemens SITOP UPS1600

Siemens SITOP UPS1600 PROFINET

Siemens SMART PC Access

Siemens Softnet PROFINET IO

Siemens SOFTNET Security Client

Siemens Spectrum Power

Siemens Spectrum Power Telegyr Software

Siemens SWT 3000 Teleprotection

Siemens TALON TC Controller

Siemens Teamcenter Visualization

Siemens Tecnomatix Plant Simulation

Siemens TeleControl Server Basic

Siemens TIA Administrator

Siemens Tia Portal

Siemens TIM 1531 IRC

Siemens TIM 3V-IE

Siemens TIM 3V-IE Advanced

Siemens TIM 3V-IE DNP3

Siemens TIM 4R-IE

Siemens TIM 4R-IE DNP3

Siemens WCIS

Sierra Wireless ALEOS

Sightline Systems Sightline

Simba Hosting Two Factor Authentication Plugin

Simplenia Pages

Sinon Project Sinon

SiteGround SG Optimizer Plugin

SL Corporation RTView

SlideDeck SlideDeck2 Plugin

Slido Slido

SlowCheetah SlowCheetah

SMA Solutions OpCon

SmartBear SoapUI

Snowflake Snowflake

Socket Socket.IO

Socket.IO-File Socket.IO-File

Software AG ADABAS

Software AG Natural

Solace Corporation 3260 Content Router

SolarWinds Database Performance Analyzer (DPA)

Solix Technologies Big Data Suite

SonarSource SonarQube

Sonatype Component Lifecycle Management (CLM)

SonicWALL Global VPN Client

SonicWALL Scrutinizer

SourceForge Monkey HTTP Daemon

Sovrn Search Everything Plugin

SparkJava Spark

SPC Systems RW2

Spot.IM Spot.IM Comments Plugin

Spring Boot

Spring Core

Spring Spring AMQP

Spring Spring Integration

SQISOFT ssBridge

SQLite SQLite

SSH Communications Security Tectia Client

SSH Communications Security Tectia Manager

SSH Communications Security Tectia Server

STEALTHbits StealthAUDIT Management Platform

Stewart DataTech dbaTOOLS

StrataCloud Virtualization Management Center (VMC)

Sun Connection

Sun LDAP Access Daemon (LAD)

Sun ONE Directory Server

Sun Solaris

Sun Solaris Cluster

Sun SPARC

Sun System Management Services (SMS)

Supsystic Photo Gallery Plugin

Supsystic Popup Plugin

SVG SVG Sanitizer

Swift Alliance Access

Swift Alliance Gateway

Swift Alliance WebPlatform

Swift Connecteur RAHA FileAct

Swift Integration Layer (SIL)

Swift SWIFTNet Link

Sybase Adaptive Server

Sybase IQ

Sybase MFC/DC

Sybase Open Server

Sybase OpenSwitch

Sybase Replication Server

Sybase SDK

Sybase Software Dev Kit

Sybase Sybase Control Center

Symantec Control Compliance Suite (CCS)

Symantec Data Loss Prevention (DLP)

Symantec Data Loss Prevention Detection Server

Symantec Data Loss Prevention Endpoint Agent

Symantec Encryption Management Server

Symantec Enforce

Symantec Enterprise Security Manager

Symantec NetBackup

Symantec NetBackup Appliance

Symantec Storage Foundation for RHEL Linux

Symantec Symantec Data Insight

Symantec Symantec Storage Foundation for Windows

Symantec Symantec Veritas Cluster Server

Symantec Symantec Veritas NetBackup Operations Manager

Symantec Veritas Disaster Recovery Advisor

Symantec Veritas Operations Manager (VOM)

Symantec Veritas Storage Foundation

Symantec Web Isolation

Symmetricom SyncServer S300

Syncsort EZ-Reorg

Synopsys SecureAssist

Tableau Public Desktop

Tableau Reader

Tableau Server

Tableau Tableau

Tableau Tableau Desktop

Talend Talend Administration Center2

Talend Talend Data Preparation

Tandberg MXP

Tanium Client

Tanium Server

Tasktop Tasktop Sync

Tcpdump Tcpdump

TCPWave DNS Appliance

TCPWave IPAM (IP Address Management)

TECHNETRON DB/DYNAM

TECHNETRON DB/INFO

TechSmith Snagit

Telerik Fiddler

Telerik ui for asp.net ajax

Temenos Avoka Journey SDK

Temenos Multifonds Global Accounting

Tenable Network Security Nessus

Tenebraex Eyepilot

TestNG TestNG

Text Help Systems Browse Aloud

Text Help Systems Read&Write

Thales nShield Connect

The Paciello Group Colour Contrast Analyser

Theme Forest Carspot Plugin

Theme Forest NativeChurch

ThemeAlien Variation Swatches for WooCommerce Plugin

ThemeFusion Avada

Themeist I Recommend This Plugin

Third Pillar Systems Loan Path

Thomson Reuters Reuters Messaging

TIBCO ActiveMatrix Adapter for LDAP Software

TIBCO ActiveMatrix Adapter for MQ Series

TIBCO ActiveMatrix Adapter for Siebel

TIBCO ActiveMatrix Adapter for SWIFT

TIBCO ActiveMatrix Adapter for Tuxedo

TIBCO ActiveMatrix BPM

TIBCO ActiveMatrix BusinessWorks

TIBCO ActiveMatrix BusinessWorks for TIBCO Silver Fabric

TIBCO ActiveMatrix BusinessWorks for z/Linux

TIBCO Administrator

TIBCO Business Studio

TIBCO BusinessEvents

TIBCO BusinessWorks COBOL Copybook Plug-in

TIBCO BusinessWorks Container Edition

TIBCO BusinessWorks EJB Plug-In

TIBCO BusinessWorks XA Transaction Manager

TIBCO Enterprise Administrator

TIBCO Hawk

TIBCO iProcess Engine


TIBCO Jaspersoft Studio

TIBCO RTView

TIBCO Runtime Agent

TIBCO Smart Mapper Plugin

TIBCO Spotfire S+

TIBCO Spotfire Server

TIBCO TIBCO ActiveMatrix Adapter for Files

TIBCO XML Canon

Timo Sirainen Dovecot

Tips and Tricks HQ All In One WP Security and Firewall Plugin

TMD Security Active Dip Kit

TMD Security Card Protection Kit

TMD Security TMS

TobyU Simple Mail Address Encoder Plugin

Todd Miller Sudo

Transmit Security Transmit Security HUB

Triangle Systems Interactive Output Facility

Tribulant Software Newsletters Plugin

Tribulant Software One Click SSL

Trustwave AppDetectivePRO

TubePress TubePress

Turbonomic Turbonomic

Twisted Matrix Labs Twisted

Twistlock Twistlock

Ubuntu LXC

Ubuntu Ubuntu Linux

UnboundID UnboundID Identity Data Store

UnboundID Unboundid Identity Data Sync

Unisys Agile Business Suite (AB Suite)

Unisys ClearPath MCP

Unisys Database Operation Center

Unisys Enterprise Application Environment (EAE)

Unisys MCP File Copier

Unisys Programmer’s WorkBench for ClearPath MCP

Unisys Web Enabler for ClearPath MCP

University of Southern California Karma

University of Washington Alpine

UpdraftPlus UpdraftPlus Plugin

Uplogix Control Center

Uplogix Uplogix Envoy

Upper Themes Swape


UpSlide UpSlide Enterprise

Valor Software ngx-bootstrap

Van Dyke Technologies SecureCRT

Van Dyke Technologies SecureFX

Varonis Systems DatAdvantage for Windows

Velocity Software ESALPS

Venafi Trust Protection Platform

Verifone Verifone Driver for Pinpad

Verint EdgeVR

Verint Impact 360

Veritas Software Cluster Server

Veritas Software NetBackup

Veritas Software NetBackup Appliance

Veritas Software Veritas Filesystem

Veritas Software Volume Manager

Verizon Business Hosted IP Centrex (HIPC)

VeronaLabs WP Statistics Plugin

VeryDOC DOC to Any Converter

VideoLAN VLC media player

VIRTUAL SOFTWARE SYSTEMS VPARS

VIRTUAL SOFTWARE SYSTEMS VTAPE

Virtusa Polaris Satellite Application for Messaging

Visser Labs WooCommerce Store Exporter

VMWare Horizon Agents Installer

VMWare Horizon View

VMWare Horizon View Agent

VMWare Horizon View Client

VMWare Identity Manager

VMWare NSX Advanced Load Balancer

VMWare Photon OS

VMWare Skyline Collector

VMWare ThinApp

VMWare Unified Access Gateway

VMWare Unified Access Manager

VMWare Update Manager

VMWare vCenter Operations Manager

VMWare vCenter Server

VMWare vCenter Update Manager

VMWare vCloud Automation Center (vCAC)

VMWare VirtualCenter

VMWare VMWare


VMWare VMWare Tools

VMWare VMWare Workstation

VMWare VMWare Workstation Pro

VMWare vRealize Automation

VMWare vRealize Log Insight

VMWare vRealize Network Insight

VMWare vRealize Operations Manager

VMWare vRealize Orchestrator

VMWare vRealize Suite Lifecycle Manager

VMWare vSphere Replication

Volante Composer

Volante Designer

VSI OpenVMS

Vsourz Digital Advanced Contact form 7 DB Plugin

Vsourz Digital CF7 Invisible reCAPTCHA

Vyopta vAnalytics

Warren Harrison User Domain Whitelist Plugin

WaspThemes Visual CSS Style Editor

WaspThemes Yellow Pencil Plugin

Watchful RightsWatch

WC Marketplace WC Catalog Enquiry Plugin

Webcraftic Woody Ad Snippets Plugin

WebDorado Contact Form Builder Plugin

Webpack json-loader

Webpack UglifyJS

Webpack Webpack

WebToffee Import Export WordPress Users

WhiteCanyon WipeDrive Pro

Wietse Venema Postfix

William Stucky & Associates Stucky Net Link

WindRiver VXWORKS

WinstonJS Winston

WinTECH Software Design ModScan64

Wipro Holmes

Wirecard FINSim

Wireshark Wireshark

Wolters Kluwer CCH Medici Documenter

WooCommerce PayPal Checkout Payment Gateway

WordPress ACF Better Search Plugin

WordPress Ad Buttons Plugin

WordPress Admin Renamer Extended Plugin


WordPress Advanced AJAX Page Loader Plugin

WordPress Custom 404 Pro Plugin

WordPress Deny All Firewall Plugin

WordPress Easy PDF Restaurant Menu Upload

WordPress EELV Newsletter Plugin

WordPress ESB CSV-Import-Export Plugin

WordPress Flickr Justified Gallery Plugin

WordPress FlightLog Plugin

WordPress HandL UTM Grabber

WordPress Lightbox Plus ColorBox Plugin

WordPress Live Forms

WordPress Login Or Logout Menu Item

WordPress Memphis Documents Library Plugin

WordPress ND Booking

WordPress ND Shortcodes Plugin

WordPress Newsletter by Supsystic Plugin

WordPress Page Flip Book Plugin

WordPress Post Indexer

WordPress Print My Blog Plugin

WordPress Rating Plugin

WordPress Search Exclude

WordPress Share on Diaspora Plugin

WordPress Sharebar Plugin

WordPress Simple Fields Plugin

WordPress SiteBuilder Dynamic Components

WordPress SmokeSignal Plugin

WordPress Time Sheets Plugin

WordPress WassUp Plugin

WordPress WebP Converter for Media

WordPress Woocommerce Products Price Bulk Edit Plugin

WordPress WordPress

WordPress WordPress Uninstall Plugin

WordPress WP Private Content Plus

WordPress ZX_CSV Upload

Workfusion Workfusion

WP Affiliates Manager Affiliates Manager

WP Booking System WP Booking System

WP Google Maps WP Google Maps

WP Payeezy Pay Project WP Payeezy Pay

WP Polls Project WP-Polls

WP Support Plus Responsive Ticket System Plugin


wp-jobhunt project wp-jobhunt

WP-ViperGB WP-ViperGB Plugin

WPBrigade LoginPress

WPCharitable Charitable

WPChef Widget Logic Plugin

wpecommerce Easy WP SMTP

wpgform project wpgform

WPGraphQL WPGraphQL

WPMadeasy Shortcode Factory

Wpmanage Uji Countdown

WPMU DEV Forminator

WPServeur WPS Child Theme Generator Plugin

Wyse Enhanced SuSE Linux Enterprise

Wyse TCX Multi-display

Wyse TCX-Multimedia

Wyse TCX-USB Virtualizer

Wyse Wyse ThinOS

X.org libXfixes

X.org libXfont

X.org libXi

X.org libXinerama

X.org libXrandr

X.org libXt

X.org libXtst

X.org libXv

Xakuro System XO Security Plugin

Xceptor Data Hub

Xerox Altalink

Xerox Altalink HW

Xerox ColorQube

Xerox Device Manager (XDM)

Xerox Phaser

Xerox VersaLink

Xerox WorkCentre

Xerox WorkCentre 5675

Xerox WorkCentre 5687

Xerox WorkCentre 6400

Xerox WorkCentre 75

Xerox WorkCentre 7655

Xerox WorkCentre 7665

Xerox WorkCentre 7675


Xerox WorkCentre HW

Xilinx Ethernet Adapters

xiph Libvorbis

XLPlugins User Email Verification for WooCommerce

XMLSoft Libxml2

XPECTRA Remote Management S.A. de C.V. netMATRIX

XpoLog XpoLog Center

XYPRO XYGATE Access Control (XAC)

Yahoo Instant Messenger

Yahoo Messenger

YIKES Easy Forms for Mailchimp Plugin

yourownprogrammer YOP Poll

Yukihiro Matsumoto Ruby

Yuzo Related Posts Plugin

Zantaz First Archive

zlib zlib

Zoho SalesIQ Plugin

Zoho Zoho SalesIQ

Zoom Video Communications Zoom Client

Zoom Video Communications ZOOM Cloud Meetings

Zoom Video Communications Zoom Rooms


Appendix C – Banner Translator Products

Vendor Product Name

7-Zip 7-Zip

A10 Networks ACOS

ABB AC 800M

Adobe Acrobat

Adobe Acrobat DC Classic

Adobe Acrobat DC Continuous

Adobe AIR

Adobe AIR SDK

Adobe Flash Player

Adobe Reader

Adobe Shockwave Player

Alcatel AOS

Alpine Linux

Amazon Linux

Amazon Linux 2

Apache Software Foundation Apache

Apache Software Foundation Struts

Apache Software Foundation Tomcat

Apple iTunes

Apple MacOS X

Apple MacOS X Server

Apple QuickTime

Apple Quicktime Streaming Server

Apple Safari

Arista EOS

Aruba ArubaOS

Barco wePresent WiPG

BlueCoat Systems Advanced Secure Gateway (ASG)

BlueCoat Systems ProxySG

Brocade IronWare OS

Brocade Network OS

CentOS CentOS

Check Point Software Gaia OS

Check Point Software Provider-1

Check Point Software Security Gateway

Check Point Software VPN-1

Cisco Aironet Access Point

Cisco Application Control Engine (ACE)

Cisco ASA

Cisco Firepower Threat Defense (FTD)


Cisco FWSM

Cisco IOS

Cisco IOS-XE

Cisco IOS-XR

Cisco NX-OS

Cisco PIX

Cisco VPN Client

Cisco WebEx Productivity Tools

Cisco WebNS (CSS)

Citrix NetScaler

Citrix Receiver for iOS

Citrix Receiver for iPhone

Citrix Receiver for Linux

Citrix Receiver for Mac

Citrix Receiver for Windows

Citrix Receiver for Windows Mobile

Citrix Xen Windows PV Drivers

Citrix XenServer

Debian Linux

Dell Inc. DRAC (Dell Remote Access Controller)

Dptech ConPlat OS

F5 BigIP

Factor-TS DionisNX

Fanuc Collaborative Robot

Fanuc Collaborative Robot HW

ffdshow ffdshow

Forcepoint Next Generation Firewall (NGFW)

FortiNet FortiGate 1000

FortiNet FortiOS

FreeBSD FreeBSD

FrontMotion Firefox CE

Generic Unix

Git for Windows Git for Windows

Google Chrome

Google Chrome OS

Google Google Update Helper

H3C Comware

Honeywell Experion PKS Controller

Honeywell Experion PKS Controller HW

HP Color LaserJet

HP Integrated Lights-Out (iLO)


HP JetDirect

HP ProCurve Switch

HP SMH (System Management Homepage)

Huawei Eudemon1000E

Huawei Router Firmware

IBM BigFix Client

IBM BigFix Platform

IBM IBM I

IBM Lotus Notes

IBM TAM ESSO

IBM Tivoli Directory Server

IBM WebSphere Application Server

IBM z/OS

Joomla! Joomla!

Juniper Networks IVE OS

Juniper Networks JUNOS

Juniper Networks Junos Pulse Desktop

Juniper Networks ScreenOS

KeePass KeePass Password Safe

Konica Minolta Printer

Lenovo Auto Scroll Utility

Lenovo Communications Utility

Lenovo Lenovo Patch Utility (LPU)

Lenovo UltraNav Utility

Linux Linux Kernel

Macromedia Shockwave Player

MariaDB MariaDB

McAfee Agent

McAfee AntiVirus

McAfee Antivirus Engine

McAfee Common Management Agent

McAfee Endpoint Security

McAfee ePolicy Orchestrator

McAfee Host Intrusion Prevention

McAfee SecureOS

McAfee VirusScan Enterprise

Microsoft .NET Framework

Microsoft Access

Microsoft Active Directory

Microsoft Active Directory Application Mode (ADAM)


Microsoft Active Directory Lightweight Directory Service

Microsoft Edge Chromium

Microsoft Excel

Microsoft Excel for Mac

Microsoft Exchange Server

Microsoft IIS

Microsoft Internet Explorer

Microsoft Lync

Microsoft Lync Server

Microsoft Office

Microsoft Office for Mac

Microsoft Office SharePoint Server

Microsoft OneNote

Microsoft OneNote for Mac

Microsoft Outlook

Microsoft Outlook Express

Microsoft Outlook for Mac

Microsoft PowerPoint

Microsoft PowerPoint for Mac

Microsoft Silverlight

Microsoft Silverlight for Mac

Microsoft SQL Server

Microsoft SQL Server Compact Edition

Microsoft SQL Server Management Studio (SSMS)

Microsoft SQL Server Management Studio Express (SSMSE)

Microsoft System Center Operations Manager

Microsoft Visual C++

Microsoft Windows 10

Microsoft Windows 2000

Microsoft Windows 7

Microsoft Windows 8

Microsoft Windows NT

Microsoft Windows Server 2003

Microsoft Windows Server 2003 R2

Microsoft Windows Server 2008

Microsoft Windows Server 2008 R2

Microsoft Windows Server 2012

Microsoft Windows Server 2012 R2

Microsoft Windows Server 2016

Microsoft Windows Server 2019


Microsoft Windows Vista

Microsoft Windows XP

Microsoft Word

Microsoft Word for Mac

Microsoft XML Core Services

Mozilla Firefox

Mozilla SeaMonkey

Mozilla Thunderbird

MySQL AB MySQL

NetBSD NetBSD

Node.js Foundation Node.js

Nortel Networks Alteon

Notepad plus plus Notepad plus plus

OKI LAN7130E

Omron CJ2M Series PLC

Omron CJ2M Series PLC HW

Omron Controller NJ Series

Omron Controller NJ Series HW

OpenBSD OpenSSH

OpenSSL OpenSSL

Opera Software Opera Web Browser

Oracle Application Express

Oracle Application Server Portal

Oracle Glassfish

Oracle JDK

Oracle JRE

Oracle MySQL

Oracle Oracle Application Server

Oracle Oracle Database

Oracle Oracle Linux

Oracle PeopleSoft Enterprise

Oracle PeopleSoft PeopleTools

Oracle Server JRE

Oracle Solaris

Oracle WebLogic Server

Palo Alto PAN-OS

Palo Alto User-ID Agent

PHP PHP

Printronix PrintNet Enterprise

PuTTY PuTTY

Python Software Foundation Python


Qualys Cloud Agent

RARLAB WinRAR

RedHat Enterprise Linux Desktop

RedHat Enterprise Linux Server

RedHat Enterprise MRG

RedHat Linux

RedHat RedHat OS

Rockwell Automation CompactLogix

Rockwell Automation ControlLogix

Rockwell Automation ControlLogix Communications Module

Rockwell Automation MicroLogix

Rockwell Automation PanelView 800

Rockwell Automation PanelView 800 HW

Rockwell Automation PanelView Plus 6

Rockwell Automation PanelView Plus 6 HW

Rockwell Automation PanelView Plus 7

Rockwell Automation PanelView Plus 7 HW

Rockwell Automation PLC-5

Rockwell Automation PowerFlex

Rockwell Automation PowerFlex HW

Rockwell Automation RSLinx Classic

Rockwell Automation RSLinx Classic HW

Rockwell Automation SLC 500

S.u.S.E. Linux Enterprise Server

S.u.S.E. OpenSUSE

Salesforce Chatter Desktop

Samba Samba

Samsung iPOLiS Device Manager

Samsung SL-M4070FR

SAP NetWeaver

SAP SAP GUI

Schneider Electric M340 BMXP342020

Schneider Electric M580 BMEP581020

Schneider Electric Momentum 171CBU98091

Schneider Electric Quantum 140NOE77101

Scientific Linux Scientific Linux

Siemens Siemens Device

Siemens SIMATIC S7-1500

Siemens SIMATIC S7-300

Siemens SIMATIC S7-400 PN/DP

Siemens SIMATIC S7-400-H


Skype Technologies Skype

SonicWALL SonicOS

Sophos UTM

SourceForge FileZilla Server

Splunk Splunk

Stormshield Stormshield Network Security (SNS)

Sun Glassfish Enterprise Server

Sun Java System Application Server

Sun Solaris

Sun SunOS

Symantec Endpoint Protection

Symantec Endpoint Protection Manager

Symantec LiveUpdate

Symantec LiveUpdate Administrator

Symantec NetBackup

Symantec Norton Antivirus

TallyGenicom TGNet

TortoiseSVN TortoiseSVN

Trendnet Print Server

Ubuntu Ubuntu Linux

Unidentified Unidentified

Unisys OS 2200

Unspecified Banner

VMWare VMware ESX Server

VMWare VMware ESXi Server

VMWare VMWare Player

VMWare VMWare Workstation

WatchGuard Fireware

WinSCP WinSCP

WinZip Computing WinZip

Wireshark Wireshark

XenProject Xen

Yokogawa AFV10D

Yokogawa AFV30D

Yokogawa SSC60D-F

Yokogawa SSC60D-S

Zebra ZebraNet Print Server

Zscaler Zscaler Internet Access (ZIA)