Skybox Vulnerability Control User Guide
12.0.100.00
Revision: 11
Skybox Security, Inc. | 2077 Gateway Place, Suite 200, San Jose, CA 95110 USA | +1 866 675 9269 | skyboxsecurity.com
Proprietary and Confidential to Skybox Security. © 2022 Skybox Security, Inc. All rights reserved.
Due to continued product development, the information contained in this document may change without notice. The information and intellectual property contained herein are confidential and remain the exclusive intellectual property of Skybox Security. If you find any problems in the documentation, please report them to us in writing. Skybox Security does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopying, recording, or otherwise—without the prior written permission of Skybox Security.
Skybox®, Skybox® Security, Skybox Firewall Assurance, Skybox Network Assurance, Skybox Vulnerability Control, Skybox Change Manager, Skybox Appliance 6000/7000/8000/8050/11000/12100/12200, and the Skybox Security logo are either registered trademarks or trademarks of Skybox Security, Inc., in the United States and/or other countries. All other trademarks are the property of their respective owners.
Skybox version 12.0.100.00 3
Contents
Contents 3
Preface 8
Intended audience 8
How this manual is organized 8
Related documentation 8
Technical support 9
Overview of Skybox Vulnerability Control 10
Skybox Security Posture Management Platform 10
Basic architecture 11
About Skybox Vulnerability Control 11
Vulnerability Control process 12
About the Skybox Vulnerability Dictionary 13
Threat-Centric Vulnerability Management 14
Overview of Threat-Centric Vulnerability Management 15
About Threat-Centric Vulnerability Management 15
Workflow for Threat-Centric Vulnerability Management 16
Discovery 17
Updating the Vulnerability Dictionary 17
Getting asset and vulnerability occurrence data 18
Discovery Center 26
Adding organizational hierarchy (Business Units) 27
Adding additional information about a vulnerability 30
Prioritization 31
Prioritization overview 31
Prioritization Center 31
Using the Prioritization Center 33
Security metrics 34
Understanding security metrics information 36
Remediation 40
About remediation levels 40
Remediation Center 41
Workflow for remediation 42
Creating tickets for remediation 42
Customizing the security metrics 43
About security metrics in Skybox 43
Initial customization 43
Security metric properties 44
Skybox Vulnerability Control User Guide
Additional customization 46
Continuous usage for Threat Centric Vulnerability Management 47
Security Metric triggers 47
Recalculating the security metrics 48
Creating other triggers 48
Exposure 50
Overview of the Exposure feature 51
Introduction to exposure 51
Automated IT security modeling 52
Attack simulation and visualization 53
Business impact analysis and risk metrics 54
Regulation compliance 55
Risk exposure management workflow 55
Building the model 57
Building the network topology 57
Validating the model 65
Overview of validating the model 65
Best practices for model validation 67
Model validation tasks and analyses 68
Access Analyzer test queries 76
Network Map visualization 77
Task error messages 78
Item counts 78
Creating Perimeter Clouds automatically 79
Validating the setup for attack simulation 79
Model Booster 80
Why use Model Booster? 80
How does Model Booster Work? 80
Minimum network requirements 80
How to run Model Booster 81
Model Booster limitations 81
What are connecting routers? 81
Excluding networks 82
Use cases 82
FAQs 83
Network visualization (maps) 85
Network Map 85
Creating and saving dedicated maps 86
Navigating the Network Map 86
Map Groups 89
Adding Threat Origins 92
Threat Origins overview 92
Threat Origins 92
Threat Origin Categories 93
Defining Threat Origins 94
Disabling and enabling Threat Origins 95
Using Business Asset Groups for risk metrics 96
Business Impacts and Regulations 96
Adding dependency rules 98
Explicit dependency rules 98
Implicit dependency 99
Simulating attacks 100
Attack simulation 100
Understanding Skybox risk 100
Viewing risk 101
Identifying the critical issues 102
Workflow 102
Reviewing directly exposed vulnerability occurrences 103
Reviewing Threat Origins 104
Reviewing Business Asset Groups 105
Reviewing attacks 105
Checking whether the problem is access-related 107
Remediation 109
Marking vulnerability occurrences as ignored 109
Mitigating critical vulnerability occurrences 110
Reviewing Vulnerability Definitions 110
Creating tickets manually 111
Updating the model after fixing vulnerability occurrences 119
Using the What If model to test changes 119
Continuous risk management 121
Attack simulation for continuous risk management 121
Monitoring the risk status 121
Automating ticket creation 122
Tickets and workflow 124
Model maintenance 128
Continuous usage 129
Using tasks for automation 130
Reports 131
Reports overview 131
Security Metric reports 131
Risks reports 132
FISMA/NIST and Risk Assessment reports 132
PCI DSS reports 133
Tickets reports 133
Vulnerability Management reports 134
Vulnerabilities reports 134
Exporting data to CSV files 135
Exporting vulnerability occurrence data to Qualys format 136
Model maintenance 137
Updating the model 137
General maintenance 140
Deployed product list 142
Advanced topics 146
Advanced modeling 147
Modeling VPNs 147
Modeling L2 networks 151
Mapping overlapping networks 154
Virtual routers 156
Virtual firewalls 157
Virtualization and clouds 157
Clusters 160
Modeling multihomed assets 161
Merging data 162
Using clouds as Threat Origins 168
Advanced dependency rules 168
Additional information about exposure 170
About attack simulation 170
About risk 171
Risk profiles 175
Risk factors 176
PCI DSS support in Skybox Vulnerability Control 177
Skybox analyses 178
Analyses overview 178
Risk analyses 179
Creating an analysis 179
Access Analyzer 181
Creating queries 181
Access Analyzer output 185
Modifying security metric properties 195
Calculation of scores for VLI security metrics 195
Calculation of scores for RLI security metrics 196
Impact levels 198
Additional security metrics properties 199
Skybox Vulnerability Dictionary 200
Skybox Vulnerability Dictionary information 200
CVE compliance 202
Skybox Intelligence Feed 203
About the Skybox intelligence feed 203
How it works 203
Data sources 203
Merging from multiple sources 205
Vulnerability information 205
Exploits 206
Products 207
Skybox Vulnerability Center 208
Skybox intelligence feed SLA 208
IPS support in Skybox 209
IPS Dictionary 209
Working with IPS in Skybox 209
Optimization 221
Performance considerations 221
Optimizing Access Analyzer analysis 222
Deployment 223
Planning deployment 224
Deployment plan 224
Deployment team 225
Phases of deployment 226
Preparing data for Skybox 227
Information requirements 227
Preparing a list of network devices 227
Defining the data collection strategy 228
Preparing scanning information 229
Preparing the data 229
Modeling unsupported devices 230
Starting deployment 231
First phase of deployment 231
Appendices 232
Skybox Intelligence Feed Supported Products and SLA 233
Preface
Intended audience
The Skybox Vulnerability Control User Guide explains how to work with Skybox Vulnerability Control. Use this document in conjunction with:
- Skybox Installation and Administration Guide, which explains Skybox installation, configuration, and maintenance tasks
The intended audience is users of Skybox Vulnerability Control.
How this manual is organized
This manual includes the following parts:
- Overview of Skybox Vulnerability Control
- Threat-Centric Vulnerability Management
- Exposure
- Continuous usage
- Advanced topics
- Deployment
Related documentation
Skybox documentation includes:
- Skybox Installation and Administration Guide
- Skybox Reference Guide
- Skybox Developer Guide
- Skybox Release Notes
- User Guides for other Skybox products
The entire documentation set is available in PDF format from Skybox.
Note: If you are not using the latest version of Skybox, you can find the documentation for your version at https://downloads.skyboxsecurity.com/files/Installers/Skybox_View/<your major version>/<your minor version>/Docs. For example, https://downloads.skyboxsecurity.com/files/Installers/Skybox_View/11.5/11.5.100/Docs
You can access a comprehensive Help file from anywhere in Skybox Manager by using the Help menu or by pressing F1.
Technical support
You can contact Skybox using the form on our website or by email at [email protected].
Customers and partners can contact Skybox technical support via the Skybox Support portal.
When you open a case, you need:
- Your contact information (telephone number and email address)
- Skybox version and build numbers
- Platform (Windows or Linux)
- Problem description
- Any documentation or relevant logs
You can compress logs before attaching them by using the Pack Logs tool (see the Packing log files for technical support topic in the Skybox Installation and Administration Guide).
Chapter 1
Overview of Skybox Vulnerability Control
This chapter is an overview of Skybox Vulnerability Control.
In this chapter
Skybox Security Posture Management Platform 10
Basic architecture 11
About Skybox Vulnerability Control 11
Vulnerability Control process 12
About the Skybox Vulnerability Dictionary 13
Skybox Security Posture Management Platform
Over 500 of the largest and most security-conscious enterprises in the world rely on Skybox® Security for the insights and assurance required to stay ahead of dynamically changing attack surfaces. At Skybox, we don’t just serve up data and information. We provide the intelligence and context to make informed decisions, taking the guesswork out of securely enabling enterprises at scale and speed. Our Security Posture Management Platform delivers complete visibility, analytics, and automation to quickly map, prioritize, and remediate vulnerabilities across your organization. The vendor-agnostic platform intelligently optimizes security policies, actions, and change processes across all corporate networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring enterprises remain protected.
For additional information visit the Skybox website.
Skybox Security Posture Management Platform includes:
- Skybox Vulnerability Control: Powers threat-centric vulnerability management by correlating intelligence on vulnerabilities in your environment, the surrounding network and security controls, and exploits in the wild, focusing remediation on your most critical threats
- Skybox Firewall Assurance: Brings multivendor firewall environments into a single view and continuously monitors policy compliance, optimizes firewall rulesets, and finds attack vectors that others miss
- Skybox Network Assurance: Analyzes hybrid environments end to end across physical, virtual and cloud – even operational technology – networks, illuminating complex security zones, access paths and policy compliance violations
- Skybox Change Manager: Ends risky changes with network-aware planning and risk assessments, making firewall changes a secure, consistent process with customizable workflows and automation
The products share common services, including modeling, simulation, analytics, reporting, and automated workflow management.
Basic architecture
The Skybox platform consists of a 3-tiered architecture with a centralized server (Skybox Server), data collectors (Skybox Collectors), and a user interface (Skybox Manager). Skybox can be scaled to suit the complexity and size of any infrastructure.
See the Skybox architecture topic in the Skybox Installation and Administration Guide.
About Skybox Vulnerability Control
Vulnerability Control harnesses total attack surface visibility and threat-centric vulnerability intelligence to spot vulnerabilities that are most likely to be used in an attack against your organization. Eliminate risks 100-times faster than traditional scanning and manual analysis with on-demand vulnerability discovery, threat-centric prioritization and remediation guidance based on the context of your attack surface and threats in the wild. Reduce false positives to near-zero levels, streamline workflows, optimize gradual risk reduction, and respond to imminent threats within hours—not days.
- Finds vulnerability exposures and exploitable attack vectors on-demand with intelligence on exploits in the wild
- Prioritizes vulnerabilities based on threats and the risk imposed to your network
- Detects vulnerabilities on network devices and unscannable systems
- Targets imminent threats for immediate response and systematically reduces potential threats with context-aware remediation guidance
Highlights
- On-demand vulnerability assessments
  - Combines data from vulnerability scanners, patch management systems and endpoint agents—including those running in virtual and cloud environments—with scanless assessments from Skybox Vulnerability Detector
  - Discovers vulnerabilities on network and security devices and in traditionally unscannable zones, including virtual and cloud environments
  - Uses network and security control context to identify exposed vulnerabilities
- Threat-centric vulnerability intelligence and exposure analysis
  - Identifies exposed vulnerabilities using the network model, attack vector analytics and multi-step attack simulations
  - Discovers potential attack scenarios and detects bypassed or compromised security measures
  - Highlights vulnerabilities with exploits available, used in active attack campaigns, or distributed on the dark web
  - Improves change management by evaluating proposed changes for new vulnerability exposures
- Prioritization in the context of threats and your attack surface
  - Puts exposed vulnerabilities and vulnerabilities most likely to be exploited at the top of your priorities list
  - Analyzes attack vectors in the context of the network, mitigating controls and Skybox Research Lab investigations of the threat landscape
  - Prioritizes imminent threats for immediate remediation and identifies potential threats for ongoing, gradual risk reduction
- Same-day imminent threat response
  - Recommends best remediation actions to eliminate imminent threats in hours, instead of days
  - Optimizes gradual risk reduction to systematically reduce the attack surface and ensure potential threats do not escalate
  - Tracks remediation progress and closure
  - Measures remediation effectiveness with customized risk metrics
- Comprehensive device support
  Refer to the Skybox website for a list of supported devices
Vulnerability Control process
The main Vulnerability Control process, Threat-Centric Vulnerability Management, is:
1. Discover: Gather and assess information about assets, network topology, security controls, and vulnerabilities in your environment, including physical, virtual, and cloud networks.
2. Prioritize: Correlate vulnerability data with exploit availability and use. Analyze potential attack paths and business impacts to prioritize remediation according to imminent and potential threats.
3. Remediate: Apply patches or use IPS signatures, access rules, segmentation, and so on to block attack paths. Address imminent threats first and deal with potential threats over time.
4. Track: Track progress and analyze trends to find areas that need more attention or resources. Monitor remaining vulnerabilities for changes in exposure or use in the wild.
You can get additional information by analyzing your network for exposure to threats:
1. Import network devices to get the topology (if you have not yet done this).
2. Define the potential threats.
3. Analyze the exposure of the network to these threats.
About the Skybox Vulnerability Dictionary
The Skybox Vulnerability Dictionary consolidates vulnerability data for more than 2000 products that are used extensively in enterprise network environments, including server and desktop operating systems, business and desktop applications, databases, runtime frameworks, networking hardware and software, and security software. This data selection is tailored to Skybox’s enterprise customers, according to the most relevant products and their corresponding vulnerabilities in a large enterprise network.
The Skybox Vulnerability Dictionary supports more than 100,000 vulnerabilities. The Skybox Vulnerability Dictionary is a collection of information from leading public and private security data sources, and is built as a superset of vulnerabilities. As a state-of-the-art vulnerability database, the Skybox Vulnerability Dictionary is CVE compliant and implements CVSS v3 standards.
Threat-Centric Vulnerability Management
This part explains how to work with Threat-Centric Vulnerability Management.
Chapter 2
Overview of Threat-Centric Vulnerability Management
This chapter provides an overview of Threat-Centric Vulnerability Management.
In this chapter
About Threat-Centric Vulnerability Management 15
Workflow for Threat-Centric Vulnerability Management 16
About Threat-Centric Vulnerability Management
Vulnerability Control uses a variety of factors to prioritize vulnerabilities—from baseline information (for example, security advisories and CVSS scores) through the unique context of your network, security controls, and business, to Skybox Research Lab intelligence on the threat landscape.
Skybox correlates this vast and diverse data set to divide vulnerabilities in your environment into 2 main categories—those that pose a potential threat to your organization and those that pose an imminent threat. Vulnerability Control streamlines management of potential threats’ gradual risk reduction, and monitors changes in the threat landscape to ensure such threats do not escalate. Imminent threats are prioritized for immediate remediation.
Threat information is filtered by security metrics, which are risk indicators based on vulnerability occurrences. The default view takes into account all vulnerability types, but you can view data for a subset of vulnerabilities, including Microsoft, Adobe, and web-browser related. Threat-Centric Vulnerability Management enables you to assess the security and vulnerability status of your organization, track trends, and identify key contributors to poor performance.
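The following Python script is an added illustration, not Skybox's own scoring, of how the two categories fall out once exposure and exploit intelligence are combined with a baseline score. The decision rule (use in the wild, or an available exploit against an exposed occurrence, makes a threat imminent; CVSS only orders within a category) is one assumed policy, and the assets, definition IDs, vendors and CVSS values are constructed for the example.

```python
"""Illustrative threat-centric prioritization (added example, not Skybox code).

The rule below is an assumed policy: exposure plus exploit intelligence
decides imminent vs. potential, and the baseline CVSS score only orders
occurrences inside a category. All sample occurrences are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Occurrence:
    asset: str
    vd_id: str              # Vulnerability Definition ID (constructed)
    cvss: float             # baseline severity from the advisory
    exposed: bool           # reachable from a Threat Origin per attack simulation
    exploit_available: bool
    exploited_in_wild: bool
    vendor: str             # used for the Microsoft/Adobe style sub-views


def category(o):
    """Imminent: an attacker can use it now, either because it is being
    exploited in the wild or because an exploit exists and the occurrence is
    exposed. Everything else is a potential threat for gradual reduction."""
    if o.exploited_in_wild or (o.exposed and o.exploit_available):
        return "imminent"
    return "potential"


def prioritize(occurrences, vendor=None):
    """Split occurrences into imminent/potential lists, optionally restricted
    to one vendor, highest CVSS first within each list (ties broken by asset
    and definition ID so the order is stable)."""
    selected = [o for o in occurrences if vendor is None or o.vendor == vendor]
    groups = {"imminent": [], "potential": []}
    for o in selected:
        groups[category(o)].append(o)
    for group in groups.values():
        group.sort(key=lambda o: (-o.cvss, o.asset, o.vd_id))
    return groups


# Constructed occurrences. Note the CVSS 9.1 flaw on an unexposed host and the
# CVSS 7.5 flaw on an exposed one: severity alone would order them the other way.
SAMPLE = [
    Occurrence("ws-12", "SBV-2001", 9.8, exposed=False, exploit_available=True,
               exploited_in_wild=True, vendor="Microsoft"),
    Occurrence("dmz-web-01", "SBV-2002", 7.5, exposed=True, exploit_available=True,
               exploited_in_wild=False, vendor="Other"),
    Occurrence("db-03", "SBV-2003", 9.1, exposed=False, exploit_available=True,
               exploited_in_wild=False, vendor="Other"),
    Occurrence("ws-07", "SBV-2004", 6.1, exposed=True, exploit_available=False,
               exploited_in_wild=False, vendor="Adobe"),
]

if __name__ == "__main__":
    for name, group in prioritize(SAMPLE).items():
        print(name + ":")
        for o in group:
            print("  ", o.asset, o.vd_id, o.cvss)
    print("Microsoft view:", [o.vd_id for o in prioritize(SAMPLE, "Microsoft")["imminent"]])
```

The point of the sample data is the ordering it produces: the unexposed CVSS 9.1 occurrence lands in the potential list, while the exposed CVSS 7.5 occurrence that an attacker can actually reach and exploit is imminent. A real deployment would also feed in the business impact and the mitigating controls on the path, which this example leaves out.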
Workflow for Threat-Centric Vulnerability Management
Basic workflow for Vulnerability Control
1. Discover
a. Collect data about the assets in your model. This data includes information about vulnerability occurrences on all collected assets.
b. Look at the Discovery Center to understand the security of your inventory.
c. If they were not organized automatically, organize the assets into Business Units to make it easier to understand the security status of different parts of your organization.
2. Prioritize
a. Analyze the data. This correlates the vulnerability and asset data with exploit availability and use.
b. In the Prioritization Center, see how your organization is affected by exposure to different vulnerabilities and how likely it is to be exploited by malware and ransomware, and determine the order in which vulnerability occurrences should be fixed.
3. Remediate
- Block attack paths by applying patches or using IPS signatures, access rules, segmentation, and so on. Address imminent threats first and deal with potential threats over time.
In some organizations, the Skybox user is responsible for either creating tickets for the most urgent issues or exporting data to a CSV file. In others, another department is responsible for remediation, and the user implementing this workflow is responsible for making sure that remediation proceeds at an acceptable speed.
4. Track
- Use the Remediation Center to track progress and analyze trends, to find areas that need more attention or resources. Monitor remaining vulnerabilities for changes in exposure or use in the wild.
Repeat the cycle on a regular basis to keep your security status up to date.
Chapter 3
Discovery
When you start using Skybox Vulnerability Control, the 1st step is to discover which assets and products, and (consequently) which vulnerabilities, your organization includes and how the assets are organized: connect to your repositories, management servers, and scanners, and import their data into the model. The import process creates the Skybox model (the model), which is a normalized database stored as a CMDB.
We recommend that you start with a small part of your network (not more than 1000 assets), understand how Skybox works, and then expand your model to the entire network.
Important: Before collecting data from your network the 1st time, the model must be empty. If you loaded the demo model, clear it (File > Models > Reset Model).
In this chapter
Updating the Vulnerability Dictionary 17
Getting asset and vulnerability occurrence data 18
Discovery Center 26
Adding organizational hierarchy (Business Units) 27
Adding additional information about a vulnerability 30
Updating the Vulnerability Dictionary
The Skybox Vulnerability Dictionary contains information about Vulnerability Definitions. Skybox uses the Vulnerability Dictionary to normalize vulnerability occurrences found by scanners, adding information—including description, cross-references from various sources, and external URLs—to the model.
Skybox includes the most up-to-date Vulnerability Dictionary at the time of release, but updates are released 6 days a week. We recommend that you check for Dictionary updates daily; update the Dictionary before importing vulnerability data or working with vulnerabilities.
To check the date and version of the Vulnerability Dictionary
- Select File > Dictionary > Show Dictionary Info.
To enable the Dictionary Update – Daily task to run automatically
1. Open the Operational Console.
2. In the Operational Console tree, select Tasks > All Tasks.
3. In the Table pane, right-click the Dictionary Update – Daily task and select Properties.
4. In the Properties dialog box, select Enable Auto-launch.
5. Click OK.
6. (Optional) Run the task.
To verify that the task is running correctly
1. In the Table pane, select the Dictionary Update – Daily task.
2. Look at the task’s most recent run time and status, and in the task messages for success or error messages.
Getting asset and vulnerability occurrence data
Asset and vulnerability occurrence data is a necessary component of security metrics analysis and Exposure analysis. You can retrieve this data from:
- Vulnerability scanners
- Patch and system management solutions
- Skybox Vulnerability Detector, which you can use to detect vulnerability occurrences based on product-version-patch information
To retrieve asset and vulnerability information, create tasks in the Operational Console that collect information from these data sources via their API or by reading files, and then normalize the data and add it to the model.
Scanners
Skybox supports many scanners. There is a complete list of directly supported scanners at Quick reference: Scanners in the Skybox Reference Guide. If your scanner is not directly supported, you can create an integration script that converts the source data to iXML and then import the iXML file into the model.
- For information about iXML, see the Integration part of the Skybox Developer Guide.
Some information found by vulnerability scanners is not required for attack simulation. Skybox supports blacklists—lists of scanner IDs that contain irrelevant information that Skybox ignores. When merging vulnerability occurrences into the model, scanner IDs on the blacklists are not translated into vulnerability occurrences in the model. For additional information, see the Blacklists topic in the Skybox Reference Guide.
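The following Python script is an added example of the normalization and blacklist behaviour described in this section and under Updating the Vulnerability Dictionary: each scanner check ID is mapped through a dictionary to a Vulnerability Definition (with cross-references and an external URL), blacklisted IDs never become occurrences, and every occurrence is tagged with its discovery method and scan time so that one import run can be checked afterwards. It is not Skybox code, does not produce iXML, and the dictionary layout, check IDs (Q-1001 and so on), placeholder CVE numbers, blacklist entries and sample findings are all constructed.

```python
"""Normalize raw scanner findings into vulnerability occurrences.

Added example, not Skybox code: the dictionary layout, check IDs, CVE
placeholders, blacklist and sample findings are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed stand-in for the Vulnerability Dictionary: maps a
# (scanner, scanner-specific check ID) pair to a normalized definition.
DICTIONARY = {
    ("QUALYS", "Q-1001"): {
        "vd_id": "SBV-0001",
        "title": "Example SSH server flaw (constructed)",
        "cve": ["CVE-2099-0001"],
        "url": "https://example.invalid/advisories/SBV-0001",
    },
    ("QUALYS", "Q-1002"): {
        "vd_id": "SBV-0002",
        "title": "Example web server flaw (constructed)",
        "cve": ["CVE-2099-0002"],
        "url": "https://example.invalid/advisories/SBV-0002",
    },
}

# Constructed blacklist: check IDs that carry no vulnerability information
# (informational checks, banner grabs) and are dropped during the merge.
BLACKLIST = {("QUALYS", "Q-9000"), ("QUALYS", "Q-9001")}


@dataclass
class Occurrence:
    asset: str
    vd_id: str
    title: str
    cve: list
    url: str
    discovery_method: str   # which source produced it, e.g. QUALYS
    scan_time: datetime


@dataclass
class MergeResult:
    occurrences: list = field(default_factory=list)
    blacklisted: list = field(default_factory=list)   # skipped on purpose
    uncataloged: list = field(default_factory=list)   # unknown to the dictionary


def merge_findings(findings, scanner, scan_time,
                   dictionary=DICTIONARY, blacklist=BLACKLIST):
    """Turn raw (asset, check_id) findings into normalized occurrences.

    Blacklisted IDs never become occurrences; IDs missing from the
    dictionary are reported separately rather than silently dropped, since
    those are the candidates for custom Vulnerability Definitions.
    """
    result = MergeResult()
    for asset, check_id in findings:
        key = (scanner, check_id)
        if key in blacklist:
            result.blacklisted.append(key)
            continue
        vd = dictionary.get(key)
        if vd is None:
            result.uncataloged.append((asset, check_id))
            continue
        result.occurrences.append(Occurrence(
            asset, vd["vd_id"], vd["title"], list(vd["cve"]), vd["url"],
            scanner, scan_time))
    return result


def select(occurrences, discovery_method, since):
    """Filter like an analysis with Discovery Method=<scanner> and a Scan
    Time lower bound, to check what one import run added."""
    return [o for o in occurrences
            if o.discovery_method == discovery_method and o.scan_time >= since]


# Constructed scan output: (asset, check ID) pairs from one scan.
SAMPLE_FINDINGS = [
    ("10.0.0.5", "Q-1001"),
    ("10.0.0.5", "Q-9000"),   # blacklisted informational check
    ("10.0.0.7", "Q-1002"),
    ("10.0.0.7", "Q-7777"),   # not in the dictionary
]
SAMPLE_SCAN_TIME = datetime(2022, 6, 1)


def run_sample():
    return merge_findings(SAMPLE_FINDINGS, "QUALYS", SAMPLE_SCAN_TIME)


if __name__ == "__main__":
    r = run_sample()
    for o in select(r.occurrences, "QUALYS", SAMPLE_SCAN_TIME):
        print(o.asset, o.vd_id, o.cve, o.url)
    print("blacklisted:", r.blacklisted)
    print("uncataloged:", r.uncataloged)
```

The check IDs that are neither in the dictionary nor on a blacklist are reported rather than dropped: those are exactly the findings that need a custom Vulnerability Definition, and a merge that silently discarded them would hide the gap between what the scanner reports and what the model contains.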
Skybox Vulnerability Detector
If there is no vulnerability occurrence data (for example, no scanners are available), but your organization has an asset repository, you can use Skybox Vulnerability Detector to retrieve vulnerability occurrences. Vulnerability Detector deduces vulnerability occurrences on assets from their product, version, and patch information, thereby creating vulnerability occurrences in the model. For additional information, see Detecting assets and vulnerability occurrences.
Workflow for importing a Qualys vulnerability scan
Vulnerability scans provide information about the assets and services in your organization, including their vulnerability occurrences. If the scan includes assets that are not part of the model, these assets are added to the model.
To import a Qualys vulnerability scan
1. In the Operational Console tree, select the Tasks node.
2. Create a new task.
3. Type a Name for the task.
4. In Task Type, select Scanners – Qualys Collection.
- For information about the task properties, see the Qualys QualysGuard collection tasks topic in the Skybox Reference Guide.
5. Fill in Username and Password.
6. Define the Network Scope—the assets and container entities in the model to include in the task.
When the collection data is imported, only data from the specified locations and networks is merged with the model. If the network scope is empty, all collected data is merged.
7. Recency specifies how many days before today to search for scans. To retrieve the most recent scan, type a value in this field according to how often scans are run. For example, if scans are run daily, a value of 1 finds yesterday’s scan. If scans are run on a weekly basis, a value of 7 finds the most recent scan.
8. Click Launch.
9. Verify that the task finished successfully:
a. Select the task in the Table pane of the All Tasks node.
b. Check that the Exit Code is set to Success.
If the task failed, check the Messages tab of the Details pane. This tab displays a log of the task; you can view the errors to understand the problem. For example, a necessary file was deleted or moved to a different location.
10. Close the Operational Console.
11. Check the results of the import:
a. Open the Vulnerability Control workspace.
b. Navigate to Analyses > Public Analyses > Vulnerabilities.
c. Right-click the New Vulnerability Occurrences folder and select New > Analysis.
d. Type a Name for the analysis.
e. Set Vulnerability Type to Vulnerability Occurrences.
f. Fill in:
l Scan Time
l (Operational tab) Discovery Method=QUALYS
Detecting assets and vulnerability occurrences
Asset data is imported directly from patch management and asset management systems into the Skybox model using tasks. After the asset data is imported, run an additional Analysis – Vulnerability Detector task. This task infers the vulnerability occurrences from the service banners imported as part of the asset data.
The supported management systems are:
- Microsoft SCCM (with or without additional information from Microsoft Active Directory)
- Red Hat Satellite
Detecting assets and vulnerability occurrences using Microsoft SCCM data
Typical workflow for detecting assets and vulnerability occurrences using SCCM data
1. Add hierarchy information by doing one of:
- Import the information from Microsoft Active Directory (see the Microsoft Active Directory section in the Skybox Reference Guide)
- Add the information manually
2. View the imported Business Units and Business Asset Groups in the Model workspace; select Business Units & Asset Groups. When you select a Business Asset Group in the tree, its assets are listed in the workspace.
3. Run an Asset Management – SCCM Collection task to retrieve asset information. For information about these tasks, see the Microsoft SCCM section in the Skybox Reference Guide.
4. View the imported assets in the Model workspace: Model Analyses > New Entities > New Assets or in another relevant analysis.
5. View the products (services) of all newly imported assets by selecting an asset and then selecting the Services tab in the Details pane.
Note: You can create Services operational analyses in the Model Analyses tree and, for example, set Discovery Method to SCCM. However, these analyses do not display the services for each asset separately.
Up to this point, there are assets with products, but no vulnerability occurrences.
6. Run an Analysis – Vulnerability Detector task; set Service Source to SCCM.
- For information about these tasks, see the Vulnerability detection tasks: Patch data topic in the Skybox Reference Guide.
7. View the created vulnerability occurrences in a vulnerability occurrences analysis (for example, Vulnerability Control > Prioritization Center > Analyses > Public Analyses > Vulnerabilities > New Vulnerability Occurrences in the Vulnerability Control workspace).
The Discovery Method of a vulnerability occurrence created by this task has a value of Vulnerability Detector. Display Created Time in the Table pane to confirm that you are looking at vulnerability occurrences from the correct run of the task.
Detecting assets and vulnerability occurrences using Red Hat Satellite data
Typical workflow for detecting assets and vulnerability occurrences using Red Hat Satellite data
1. Run an Asset Management – Red Hat Satellite task to retrieve asset information. For information about these tasks, see the Red Hat Satellite section in the Skybox Reference Guide.
2. View the imported assets in the Model workspace: Model Analyses > New Entities > New Assets or in another relevant analysis.
3. View the products (services) of all newly imported assets by selecting an asset and then viewing the Services tab in the Details pane.
Note: You can create Services operational analyses in the Model Analyses tree and, for example, set Discovery Method to Satellite. However, these analyses do not display the services for each asset separately.
Up to this point, there are assets with products, but no vulnerability occurrences.
4. Run an Analysis – Vulnerability Detector task; set Service Source to SATELLITE.
- For information about these tasks, see the Vulnerability detection tasks topic in the Skybox Reference Guide.
5. View the created vulnerability occurrences in a vulnerability occurrences analysis (for example, Vulnerability Control > Prioritization Center > Analyses > Public Analyses > Vulnerabilities > New Vulnerability Occurrences in the Vulnerability Control workspace).
The Discovery Method of a vulnerability occurrence created by this task has a value of Vulnerability Detector. Display Created Time in the Table pane to confirm that you are looking at vulnerability occurrences from the correct run of the task.
Continuous detection
Run Skybox Vulnerability Detector on a frequent basis to analyze updated vulnerability data. For example, you can include it in a task sequence with either Asset Management – SCCM Collection or Asset Management – Red Hat Satellite Collection tasks.
After you run the task, the average age of vulnerability occurrences (and other relevantinformation) is displayed in the Discovery Center.
Detecting vulnerability occurrences from previous scans
Skybox can discover recently published Microsoft vulnerabilities on assets based on previous scans. This is useful when a vulnerability source has been updated since the last scan (for example, after Patch Tuesday) but the scan data is still recent. Scanning is intrusive and resource intensive; running the Vulnerability Detector task is neither.
To detect vulnerability occurrences from a previous scan
1. Run an Analysis – Vulnerability Detector task.
- For information about these tasks, see the Vulnerability detection tasks topic in the Skybox Reference Guide.
2. View the new vulnerability occurrences in analyses or via the Discovery Center.
Custom Vulnerability Definitions
There might be Vulnerability Definitions that affect your organization before they are reported by your alert service, or Vulnerability Definitions that affect proprietary products that are not supported by the alert service.
These Vulnerability Definitions are supported in Skybox as custom Vulnerability Definitions.
- Uncataloged Vulnerability Definitions from Qualys, Tenable, Rapid7 Nexpose, and Tripwire scans are added and managed by Skybox automatically.
- Uncataloged Vulnerability Definitions from other sources and formats must be added and managed manually.
Changing the source name and prefix
By default, the source name for custom Vulnerability Definitions is Internal, and the source prefix is INT. You can change the source name and source prefix if necessary.
To change the source name of custom Vulnerability Definitions
1. Navigate to Tools > Options > Server Options > Threat Management.
2. Change Source Name and Source Prefix for these Vulnerability Definitions.
3. Click OK.
Creating and managing custom Vulnerability Definitions manually
You create and manage custom Vulnerability Definitions in the Custom Vulnerability Definitions dialog box. Make all necessary changes and then submit the changes to the Vulnerability Dictionary. After custom Vulnerability Definitions are created (and submitted), they are stored in the Skybox database and function in the same way as other Vulnerability Definitions, except that they are managed separately. If you created custom Vulnerability Definitions manually and they are not updated automatically, you can update them manually.
Note: The Custom Vulnerability Definitions dialog box is the only place where you can modify custom Vulnerability Definitions.
Vulnerability Definitions added or changed after the most recent time that changes were submitted to the Vulnerability Dictionary have a status of Pending.
Creating custom Vulnerability Definitions
To create a custom Vulnerability Definition
1. On the toolbar, click the Custom Vulnerability Definitions button.
2. In the Custom Vulnerability Definitions dialog box, click Add.
3. In the New Custom Vulnerability Definition dialog box, fill in the fields as described in Properties of custom Vulnerability Definitions.
4. Click OK.
The Vulnerability Definition is listed in the table as Pending. It is not yet available for use outside this dialog box. After you submit the changes, the Vulnerability Definition becomes available for general use.
Editing custom Vulnerability Definitions
When you modify a custom Vulnerability Definition, the changed version has Pending status, but the original version remains available for general use. After the changes are submitted, the updated version replaces the previous version.
Submitting the changes
When you submit changes for custom Vulnerability Definitions, Skybox adds the new custom Vulnerability Definitions and the changes to existing custom Vulnerability Definitions to the Skybox database. This can take several minutes.
Changes are submitted every time that an alert service or Dictionary update task runs. You can submit changes manually by clicking Submit Changes in the dialog box.
Properties of custom Vulnerability Definitions
The properties of custom Vulnerability Definitions are described below. Read-only properties are marked as such.

General
- Title: The title of the Vulnerability Definition.
- Severity (read-only): The severity of the Vulnerability Definition, calculated from the scanner severity information and the information that you provide in the CVSS tab.
- Source (read-only): The source of the Vulnerability Definition.
- CVE: The CVE ID of the Vulnerability Definition, if known.
- ID (read-only): The ID of the Vulnerability Definition, including the prefix for custom Vulnerability Definitions.
- BID: The Bugtraq ID of the Vulnerability Definition.
- Published Date: The date on which the Vulnerability Definition was published.
- Created by (read-only): The user who created the Vulnerability Definition. For automatically created Vulnerability Definitions, the value is System.
- Modification Date (read-only): The date on which the Vulnerability Definition was most recently modified.
- Description: A free-form description of the Vulnerability Definition.
- User Comments: Additional information or comments about the Vulnerability Definition.

Other tabs
- CVSS: The CVSS version to use, and the CVSS base and temporal metrics. After filling in this information, click Calculate to get the CVSS base and temporal scores for the Vulnerability Definition.
- Affected Products: Use this tab to select deployed products that are affected by this Vulnerability Definition and, optionally, to edit the versions that are affected.
- History: Lists changes to the Vulnerability Definition (for example, information added by subsequent scans).
Automatic creation of custom Vulnerability Definitions
When vulnerability occurrences are imported from scanners, they are associated with the appropriate Vulnerability Definition in the Vulnerability Dictionary.
New custom Vulnerability Definitions
If a vulnerability occurrence does not match any Vulnerability Definition in the Vulnerability Dictionary, Skybox checks the list of custom Vulnerability Definitions:
- If the vulnerability occurrence matches a custom Vulnerability Definition, the definition of the matching custom Vulnerability Definition is updated.
- If the vulnerability occurrence does not match any custom Vulnerability Definition, Skybox creates a custom Vulnerability Definition based on the information in the vulnerability occurrence, and the vulnerability occurrence is associated with it. The new custom Vulnerability Definition includes the scanner name and scanner ID; together, these 2 fields uniquely identify the Vulnerability Definition.
Skybox cannot create a custom Vulnerability Definition unless the vulnerability occurrence contains the following fields:
- Common Info
- Last Modification Time
- System Description
- Title
Note: These are the Skybox names for the fields; different scanners often use different names for them.
Supported scans
This feature is supported for scans from the following device types:
- Qualys
  Regular Qualys scans are supported; Qualys HostDetection (Host List VM Detection) files are not supported because they do not contain the necessary vulnerability data.
- Tenable
- Rapid7 Nexpose
  Regular Nexpose reports are supported; NexposeSimpleXML reports are not supported because they do not contain the necessary vulnerability data.
- Tripwire
Merging custom Vulnerability Definitions with Vulnerability Dictionary definitions
Whenever the Vulnerability Dictionary is updated, Skybox checks whether any new Vulnerability Definition matches a custom Vulnerability Definition. Matching is based on the scanner name and scanner ID.
If there is a match, Skybox:
1. Moves vulnerability occurrences from the custom Vulnerability Definition to the new Vulnerability Definition and adds a comment to the history of the new Vulnerability Definition
2. Moves tickets on the custom Vulnerability Definition to the new Vulnerability Definition
3. Disables the custom Vulnerability Definition and adds a comment to its history; the custom Vulnerability Definition is no longer part of KPI calculations
Vulnerability occurrences in the model
When a vulnerability occurrence is found, Skybox uses the Skybox Vulnerability Dictionary to formally model the vulnerability occurrence in the model. The following information is displayed for each vulnerability occurrence:
- Exploitability: Taken from the Vulnerability Dictionary. The value can be No Exploit, Exploit Available (there are published exploits), or Exploited In The Wild (the published exploits, such as malware or ransomware, are already used by threat actors).
- Severity: Taken from the CVSS base score, as listed in the Vulnerability Dictionary.
- CVSS information: The Vulnerability Dictionary provides the CVSS base and temporal vectors of each vulnerability occurrence.
  CVSS information enables users to analyze the impact of a vulnerability occurrence, including how it can be exploited (for example, locally or remotely, with or without authentication) and its impact in terms of CIA (confidentiality, integrity, and availability).
- Commonality: Generated by the Vulnerability Dictionary; specifies how frequently attackers exploit vulnerability occurrences of this Vulnerability Definition.
- Life-cycle status: Skybox assigns an initial status of Found to each detected vulnerability occurrence. Later, Skybox or a user can change this to Ignored or Fixed. Attack simulation uses only vulnerability occurrences with the Found status.
When you run attack simulation, the exposure level of each vulnerability occurrence in the model is analyzed. The exposure level states how many steps a Threat Origin needs to reach the vulnerability occurrence; direct exposure means that there are Threat Origins that can reach the vulnerability occurrence in only 1 step.
Discovery Center

The Discovery Center provides a high-level view of the information Skybox has about the assets and vulnerability occurrences in the model. At the top of the page, you can see:
- The number of vulnerability occurrences in your organization (that is, in the parts of your organization that are modeled) and their average age
- The number of Vulnerability Definitions
- The number of assets in your organization, including assets that were not scanned recently
The other charts and tables on the page provide a high-level view of the inventory of your organization, showing your organization from a Skybox point of view.
When you start using Skybox, use this inventory to check that all the information you expect is in the model and that, for example, you did not miss a location or a critical network. Later, you can view assets from various perspectives in the inventory, for example how many assets are up to date and how many are overdue.
Adding organizational hierarchy (Business Units)

This section explains how to add Business Units and Business Asset Groups to the model.
Including information about your organization hierarchy (Business Units and Business Asset Groups) in the model enables Skybox to display the inventory and findings in a way that is logical for your organization. Add this information after the network and security information has been collected for your model. We recommend that you start with a first phase consisting of about 5 Business Asset Groups.
You can add your organizational hierarchy manually or by using a tool (for example, Active Directory; for information about importing Active Directory data, see the Microsoft Active Directory section in the Skybox Reference Guide).
When you define your organization hierarchy, use names that match your organization, and create a naming convention that is understandable and meets your requirements. This makes the names easier to maintain and to extend when necessary.
Business Units
Business Units enable you to group Business Asset Groups into a hierarchy for management purposes. This is especially useful for large organizations.
When you create analyses and reports, you can use the Business Units to organize (aggregate or filter) the results. You can compare the risk levels of different Business Units.
Defining Business Units
To define a Business Unit
1. In the Model tree, select the Business Units & Asset Groups node. (To make the new Business Unit part of an existing Business Unit, select the parent Business Unit.)
2. Right-click the node and select New > Business Unit.
3. In the New Business Unit dialog box, fill in the fields and click OK.
- Members (other Business Units and Business Asset Groups) are optional when creating the Business Unit, but you must fill them in later.
- Selecting an owner is optional.
Managing Business Units
After you create a Business Unit, you can build a hierarchy by creating Business Asset Groups or other Business Units inside the first Business Unit, or by attaching existing Business Asset Groups or Business Units to the new Business Unit. You can also detach Business Asset Groups or Business Units from a parent Business Unit.
To attach a Business Asset Group or a Business Unit to another Business Unit
1. In the Model tree, locate the Business Asset Group or Business Unit that is to become part of another Business Unit.
2. Right-click the Business Asset Group or Business Unit and select Attach to Business Unit.
3. In the Attach Business Units to another Business Unit dialog box:
- If the parent Business Unit exists, select it and click OK.
- To make this entity part of a new Business Unit:
a. Select the position in the tree for the new (parent) Business Unit.
b. Click New.
c. In the New Business Unit dialog box, fill in the fields.
The entity that you are attaching becomes a child of the new parent Business Unit, and you can add other member entities using Members.
d. Click OK.
The new Business Unit is created in the selected position in the tree and the selected entity becomes a child node, as do all member entities selected in step c.
To detach a Business Asset Group or Business Unit from a Business Unit
- In the Model tree, right-click the Business Asset Group or Business Unit and select Detach from Business Unit.
If the Business Asset Group or Business Unit is attached to multiple Business Units, make sure that you select the correct instance (that is, that you are detaching it from the correct Business Unit).
If a Business Asset Group is no longer attached to any Business Unit, Skybox moves it to the bottom of the Business Units & Asset Groups node in the Model tree.
Business Asset Groups
A Business Asset Group is a group of assets that serve a common business purpose. Use Business Asset Groups to model your organization according to the functions provided by your IT infrastructure.
A Business Asset Group can either contain a fixed list of assets or be defined by a list of criteria (for example, "all firewalls in the Boston network", "all assets with the Windows operating system", or "all assets with an <xxx> tag").
Use Model – Integrity tasks to continuously update Business Asset Groups with the assets that match each group's criteria. This ensures that the scope of each Business Asset Group stays synchronized with changes in your network.
To add a Business Asset Group
1. In the Model tree, select the Business Unit to which the Business Asset Group is to belong. If you have not created the Business Unit yet, select the Business Units & Asset Groups node.
2. Right-click the node and select New > Business Asset Group.
3. In the New Business Asset Group dialog box:
a. Type a Name for the Business Asset Group.
b. Click the Browse button next to Members to select the Business Asset Group members:
i. Specify the assets that are to be members of the Business Asset Group: select networks or assets, and the properties that assets must have to belong to this group. For example, all assets whose name starts with FW_, or all assets that have a particular service, operating system, or product.
For additional information, see the Business Asset Group members topic in the Skybox Reference Guide.
ii. Click Preview to list the assets that are included according to the current definition.
iii. Click OK to save the definition.
c. (Optional) Select an Owner for the Business Asset Group.
d. Click OK.
Skybox selects the assets to include in the Business Asset Group based on your definition. The Business Asset Group is added in the Model tree under its parent node.
For information about the properties of Business Asset Groups, see the Business Asset Groups section in the Skybox Reference Guide.
How Business Asset Groups are updated
Business Asset Groups are updated by Model – Integrity tasks. We recommend that you run this task whenever you run an import task, because the import might change the composition of some Business Asset Groups.
You can run the update on an ad hoc basis by right-clicking the Business Units & Asset Groups node and selecting Calculate Asset Group members.
If the Business Asset Groups in the model have not been updated for a relatively long time (the default threshold is 30 days), a warning message is shown.
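The criteria-based membership described above, the Model – Integrity recalculation and the staleness warning, together with the Business Unit hierarchy from the previous section, can be modeled in a few functions. The following Python is an added example for this guide, not Skybox code: the criterion keys (name prefix, network, OS, service, tag), their AND semantics, the inventory, the group and unit names and the dates are all constructed for the example, and Skybox's own member-selection language is documented in the Reference Guide rather than here.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): the properties a group criterion can test.
SAMPLE_ASSETS = [
    {"name": "FW_bos1", "network": "Boston", "os": "PAN-OS", "services": [], "tags": ["prod"]},
    {"name": "FW_nyc1", "network": "New York", "os": "PAN-OS", "services": [], "tags": ["prod"]},
    {"name": "web01", "network": "Boston", "os": "Windows", "services": ["http"], "tags": ["prod"]},
    {"name": "db01", "network": "New York", "os": "Linux", "services": ["mysql"], "tags": ["prod"]},
    {"name": "lab01", "network": "Boston", "os": "Windows", "services": ["http"], "tags": ["lab"]},
]

# Two criteria-based groups and one group with an explicit member list (assumed shapes).
SAMPLE_GROUPS = [
    {"name": "Boston firewalls", "criteria": {"name_prefix": "FW_", "network": "Boston"},
     "members": [], "last_calculated": date(2022, 4, 1)},
    {"name": "Windows web servers", "criteria": {"os": "Windows", "service": "http", "tag": "prod"},
     "members": [], "last_calculated": None},
    {"name": "Legacy DB", "members": ["db01"], "last_calculated": date(2022, 5, 20)},
]

# Business Units: members are other units or Business Asset Groups, by name.
SAMPLE_UNITS = {
    "Infrastructure": {"members": ["Boston firewalls"]},
    "Applications": {"members": ["Windows web servers", "Legacy DB"]},
    "Corp": {"members": ["Infrastructure", "Applications"]},
}


def matches(asset: dict, criteria: dict) -> bool:
    """True when the asset satisfies every criterion (AND semantics, an assumption)."""
    checks = {
        "name_prefix": lambda v: asset["name"].startswith(v),
        "network": lambda v: asset.get("network") == v,
        "os": lambda v: asset.get("os") == v,
        "service": lambda v: v in asset.get("services", ()),
        "tag": lambda v: v in asset.get("tags", ()),
    }
    for key, wanted in criteria.items():
        if key not in checks:
            raise ValueError(f"unknown criterion {key!r}")
        if not checks[key](wanted):
            return False
    return True


def calculate_members(groups: list, assets: list, today: date) -> list:
    """What a Model – Integrity run does: criteria-based groups are recomputed from the current
    inventory, explicit-member groups are kept, and every group gets a fresh calculation date.
    Returns new group records; the input is not modified."""
    updated = []
    for group in groups:
        new = dict(group)
        if "criteria" in new:
            new["members"] = sorted(a["name"] for a in assets if matches(a, new["criteria"]))
        new["last_calculated"] = today
        updated.append(new)
    return updated


def stale_groups(groups: list, today: date, max_age_days: int = 30) -> list:
    """Names of groups not recalculated within max_age_days (the 30-day default warning)."""
    return [g["name"] for g in groups
            if g["last_calculated"] is None
            or today - g["last_calculated"] > timedelta(days=max_age_days)]


def unit_assets(unit: str, units: dict, groups: list) -> set:
    """All assets under a Business Unit, walking the hierarchy down to its Business Asset Groups."""
    by_name = {g["name"]: g for g in groups}
    found = set()
    for member in units[unit]["members"]:
        if member in units:
            found |= unit_assets(member, units, groups)
        else:
            found |= set(by_name[member]["members"])
    return found
```

Note that "lab01" satisfies the OS and service criteria of "Windows web servers" but not the tag criterion, so it is excluded; a group defined only by OS and service would silently pull lab machines into a production unit, which is the reason to preview the member list before saving the definition.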
Other ways of adding organizational hierarchy information
You can add information about your organization hierarchy to the model in the following ways:
- Import an iXML file
  Retrieve hierarchy information from a proprietary source of information (for example, a customized asset database). A script converts the proprietary information into a format (iXML) that Skybox can import.
  - For information about iXML, see the Integration part of the Skybox Developer Guide.
- Import a Skybox model (in XML or encrypted XML format)
  Importing a model adds the model's entities to the current model. In this manner, you can join multiple partial models representing different sections of your network into a single model.
Adding additional information about a vulnerability

Business attributes are business information about Vulnerability Definitions that can be stored with the Vulnerability Definition in the model. You can use this information to provide additional business context for the Vulnerability Definitions and for integration with other systems; the other system can cross-reference the additional information. Business attributes are accessible anywhere Vulnerability Definitions are displayed in Vulnerability Control.
Admins create business attributes in Tools > Options > Server Options > Business Attributes > Vulnerability Definitions.
You must add business attribute values manually, but you can add them to multiple Vulnerability Definitions at the same time.
To view the business attributes of a Vulnerability Definition
- In a list of Vulnerability Definitions, right-click a definition and select Set Business Attributes.
To set or edit the business attributes of selected Vulnerability Definitions
1. In a list of Vulnerability Definitions, right-click the selected definitions and select Set Business Attributes.
2. Make the necessary changes.
Chapter 4
Prioritization

Skybox prioritizes vulnerabilities according to their threat level.
In this chapter
- Prioritization overview
- Prioritization Center
- Using the Prioritization Center
- Security metrics
- Understanding security metrics information
Prioritization overview

Skybox uses exposure and exploitability to prioritize vulnerabilities by threat level. Imminent threats (for example, exposed vulnerabilities and vulnerabilities that are exploited in the wild) should be remediated promptly; potential threats (vulnerabilities with an exploit available but not yet in use, and vulnerabilities with no known exploit) can be remediated in a business-as-usual time frame.
- Exposed vulnerabilities are vulnerabilities that are 1 or 2 steps away from a Threat Origin (a location of potential attackers).
- Exploitable vulnerabilities are vulnerabilities that can be targeted by malware, ransomware, exploit kits, and threat actors. Exploited in the wild refers to vulnerabilities that are actually being targeted. Exploit available means that published exploits exist for the vulnerabilities, but these exploits are not yet in use.
You can prioritize on a regular (daily) basis by scheduling Analysis – Security Metrics tasks, or manually from the toolbar. During analysis, Skybox analyzes each vulnerability occurrence on each Business Unit and Business Asset Group for exposure to threats and for exploitability. Skybox then assigns risk levels and scores for your organization. Scores range from 0 to 100: 0 is the least critical (there are no vulnerability occurrences) and 100 is the most critical.
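The exposure and exploitability rules above (1 step from a Threat Origin is direct exposure, 2 steps is still exposed, exposed or exploited-in-the-wild is imminent, everything else is potential) can be made concrete with a small reachability graph. The following Python is an added example written for this guide, not Skybox's attack simulation: the reachability graph, the Threat Origin, the occurrences and the label "indirect" for the 2-step case are constructed for the example, and the real attack simulation works on the full network model and access rules rather than a hand-written adjacency list.

```python
from collections import deque
from typing import Optional

# Exploitability values as listed in this guide, in increasing order of concern.
EXPLOITABILITY = ("No Exploit", "Exploit Available", "Exploited In The Wild")

# Constructed sample: each edge is an access path the model allows from one node to the next.
SAMPLE_REACH = {
    "INTERNET": ["dmz-web"],
    "dmz-web": ["app01"],
    "app01": ["db01"],
}
SAMPLE_THREAT_ORIGINS = ["INTERNET"]

# Constructed vulnerability occurrences (IDs and asset names are sample data only).
SAMPLE_OCCURRENCES = [
    {"id": "occ-D", "asset": "db01", "exploitability": "Exploit Available"},
    {"id": "occ-E", "asset": "hr-pc", "exploitability": "No Exploit"},
    {"id": "occ-C", "asset": "db01", "exploitability": "Exploited In The Wild"},
    {"id": "occ-B", "asset": "app01", "exploitability": "Exploit Available"},
    {"id": "occ-A", "asset": "dmz-web", "exploitability": "No Exploit"},
]


def exposure_steps(reach: dict, threat_origins: list, asset: str) -> Optional[int]:
    """Fewest attack steps from any Threat Origin to the asset (breadth-first search),
    or None when no Threat Origin can reach it."""
    best = None
    for origin in threat_origins:
        seen, queue = {origin}, deque([(origin, 0)])
        while queue:
            node, hops = queue.popleft()
            if node == asset:
                best = hops if best is None else min(best, hops)
                break
            for nxt in reach.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, hops + 1))
    return best


def exposure_level(steps: Optional[int]) -> str:
    """1 step (or being the origin itself) is direct exposure; 2 steps is exposure through one
    intermediate asset, called "indirect" here (an assumed label); anything else is not exposed."""
    if steps is None or steps > 2:
        return "not exposed"
    return "direct" if steps <= 1 else "indirect"


def threat_level(exposure: str, exploitability: str) -> str:
    """Imminent: exposed, or exploited in the wild. Potential: everything else."""
    if exposure in ("direct", "indirect") or exploitability == "Exploited In The Wild":
        return "imminent"
    return "potential"


def prioritize(occurrences: list, reach: dict, threat_origins: list) -> list:
    """Annotate each occurrence with exposure and threat level and order it for remediation:
    imminent before potential, then by closeness to a Threat Origin, then by exploitability."""
    rank = {"direct": 0, "indirect": 1, "not exposed": 2}
    rows = []
    for occ in occurrences:
        steps = exposure_steps(reach, threat_origins, occ["asset"])
        exposure = exposure_level(steps)
        rows.append({**occ, "steps": steps, "exposure": exposure,
                     "threat_level": threat_level(exposure, occ["exploitability"])})
    rows.sort(key=lambda r: (r["threat_level"] != "imminent", rank[r["exposure"]],
                             -EXPLOITABILITY.index(r["exploitability"])))
    return rows
```

The sample makes the point the text is driving at: the database occurrence that is exploited in the wild is imminent even though it sits 3 steps from the Internet, while the one with only a published exploit on the same host is merely potential, and an occurrence with no exploit at all jumps to the top of the list when it sits on the directly exposed DMZ host.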
Prioritization Center

The left-hand side of the Prioritization Center overview page displays the Risk by Threat Levels chart.
Vulnerabilities that are exposed to a Threat Origin and vulnerabilities that are exploited in the wild are considered imminent threats and should be fixed first. Vulnerabilities for which exploits are available but have not been used, and vulnerabilities for which there are no exploits, are considered potential threats. The occurrences and definitions links for each level drill down to the corresponding list. For example, clicking the occurrences link for Exploited in the Wild brings you to a tab that lists the Exploited in the Wild vulnerability occurrences.
The right-hand side of the page provides additional information about the selected layer of the chart on the left. You can see how this layer (in the preceding example, Exploited in the Wild) is divided across your organization, and how many assets are involved in each part. The Top Vulnerability Definitions by Contribution list shows the Vulnerability Definitions that contribute the most risk; these are the Vulnerability Definitions to fix first.
You can use the links on the right-hand side to drill down to information about a subunit or a Vulnerability Definition.
Note: You can also view the prioritization in Security Metrics reports.
Using the Prioritization Center

When you view the Prioritization Center for part of your organization, the Summary tab is similar to the Prioritization Center overview page.
The other pages include:
- Exposure: A list of the exposed vulnerability occurrences in this part of your organization
- Exploitability: A list of the vulnerability occurrences in this part of your organization, grouped by exploitability level
- All Security Metrics: A list of the supported security metrics for your organization, with information about how each metric impacts this part of your organization
Security metrics measure the security status of your organization based on the selected set of Vulnerability Definitions or security bulletins. The more critical unhandled vulnerability occurrences or missing security bulletins there are, the higher the score.
Security metrics

Information in the Prioritization Center is displayed according to the selected security metric.
You can switch the focus to a different security metric from the Prioritization Center Summary tab, so that you can see how the vulnerabilities related to that security metric affect your organization.
To view information about a different security metric
1. At the top of the Summary tab for an entity, open the list of security metrics.
2. Select the security metric to display.
The scores for that security metric are shown in the tree, and the information displayed in the workspace is based on that security metric.
Predefined security metrics
Skybox includes the predefined security metrics described below. Some security metrics track vulnerability occurrence status; others track remediation progress.
Each entry gives the security metric name, its long name, its scope, and a description.

Security Bulletin View

- Adobe – Bulletin Level
  Long name: Adobe – Bulletin Level Indicator
  Scope: Security Bulletin Vendors = Adobe Security Bulletins
  Description: Measures the security status of your organization based on Adobe Security Bulletins. The more critical missing security bulletins, the higher the score.
- Cisco – Advisory Level
  Long name: Cisco Security Advisories – Vulnerability Level Indicator
  Scope: Security Bulletin Vendors = Cisco Security Advisory
  Description: Measures the security status of your organization based on Cisco Security Advisories. The more critical missing security advisories, the higher the score.
- MS – Bulletin Level
  Long name: Microsoft Security Bulletins – Vulnerability Level Indicator
  Scope: Security Bulletin Vendors = Microsoft Security Bulletins
  Description: Measures the security status of your organization based on Microsoft Security Bulletins. The more critical missing security bulletins, the higher the score.
- Oracle – Bulletin Level
  Long name: Oracle – Vulnerability Level Indicator
  Scope: Security Bulletin Vendors = Oracle Security Bulletins
  Description: Measures the security status of your organization based on Oracle Security Bulletins. The more critical missing security bulletins, the higher the score.
- Red Hat – Advisory Level
  Long name: Red Hat Security Advisories – Vulnerability Level Indicator
  Scope: Security Bulletin Vendors = Red Hat Security Advisory
  Description: Measures the security status of your organization based on Red Hat Security Advisories. The more critical missing security advisories, the higher the score.

Security View

- Antivirus Integrity – Vul Level
  Long name: Antivirus Integrity – Vulnerability Level Indicator
  Scope: Custom = Anti-Virus Integrity
  Description: Measures the security status of your organization based on the alerts (Vulnerability Definitions) on antivirus applications. The more unhandled critical alerts on antivirus applications, the higher the score.
- Mobile – Vul Level
  Long name: Mobile Devices Alerts – Vulnerability Level Indicator
  Scope: Custom = Mobile device – Vulnerabilities
  Description: Measures the security status of your organization based on the alerts (Vulnerability Definitions) on Apple, Android, and Blackberry mobile devices. The more unhandled critical alerts on mobile devices, the higher the score.
- New Vulnerabilities
  Long name: New Vulnerabilities (Last 30 Days) – Vulnerability Level Indicator
  Scope: Custom = New Vulnerabilities – last 30 days
  Description: Measures the security status of your organization based on Vulnerability Definitions published in the past 30 days. The more unhandled new critical vulnerability occurrences, the higher the score.
- Overall – Vul Level
  Long name: Vulnerability Level Indicator
  Scope: Any
  Description: Measures the security status of your organization based on its vulnerability occurrences. The more critical vulnerability occurrences, the higher the score.
- Web Browser Vulnerabilities
  Long name: Web Browser Alerts – Vulnerability Level Indicator
  Scope: Custom = Web Browsers
  Description: Measures the security status of your organization based on the alerts (Vulnerability Definitions) on Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari. The more unhandled critical alerts on web browsers, the higher the score.
Understanding security metrics information

After you understand the factors that contributed the most to a unit's security metric score, you can decide how to proceed.
The right half of the Prioritization Center Summary tab is divided into sections; each section provides a different way to understand the information:
- Top subunits
  Top subunits can be displayed as a chart or as a table; click the chart or table button to switch between them.
  The chart shows the contribution of the selected unit's subunits to the unit's total security metrics score.
  - The color of each entity corresponds to its risk level.
  - The height of each subunit represents the size (in number of assets) of the subunit relative to the other subunits.
  - The chart displays the 5 largest subunits.
  The table shows the risk level of the top 3 subunits and how much each contributes to the score of the parent entity.
  Double-click a subunit to drill down to the Summary tab for that entity.
- Top Vulnerability Definitions or Security Bulletins
  This table lists the 5 Vulnerability Definitions or Security Bulletins (depending on which security metric is used) with the greatest contribution to the unit's security metrics score. Drill down to the vulnerability occurrences to display additional information.
  - For Microsoft Security Bulletins, you can view information about bulletin supersedence (see Superseding Microsoft Security Bulletins).
- Trends
  If enough information has been collected to create security metrics trend graphs, you can view the trends of a unit to track remediation progress relative to earlier security metrics scores of that unit.
Start by looking at the top subunits and try to identify the factors with a high contribution to the unit's security metrics.
If you lower the security metrics scores of these factors (that is, fix what is causing the security metric to be high), the security metrics score of the parent unit decreases significantly.
- If you find units with a high contribution to the security metrics score of the parent unit, you can use the top-down approach to search for the cause.
  A unit can have a high security metrics score but not contribute significantly to the security metrics score of its parent unit. Fixing such units is usually not a high priority: even a significant lowering of their security metrics scores does not have much impact on the security metrics score of the parent unit.
- If you find Vulnerability Definitions with a high contribution to the security metrics score, you can start mitigating their vulnerability occurrences (for example, by creating tickets).
Properties of security metrics

- Type
  - Vulnerability Level Indicators: These security metrics measure the security status of all or part of your organization based on the status of its vulnerability occurrences or missing security bulletins. The more critical vulnerability occurrences or critical security bulletins in your organization, the higher the score.
    Vulnerability Level Indicators measure the rate of vulnerability occurrences found on the assets in a group of assets. In simple terms, the rate is the average number of vulnerability occurrences per asset.
  - Remediation Latency Indicators: These security metrics measure the remediation performance of your organization. The more time it takes to fix the critical vulnerability occurrences or missing security updates, the higher the score.
    Remediation Latency Indicators measure the rate of overdue vulnerability occurrences:
    - The Remediation Latency Indicator score for an asset represents the number of overdue (or relatively old) vulnerability occurrences found on the asset. Each vulnerability occurrence is weighted; the weight is calculated from the remediation priority of the vulnerability occurrence and its delay, so high-priority vulnerability occurrences with a large delay have the highest weight.
    - The Remediation Latency Indicator score for a group of assets (Business Asset Group or Business Unit) is the average of the Remediation Latency Indicator scores of the assets in the group.
    Use the Remediation Latency Indicator metric to identify entities (vulnerability occurrences or groups of assets) whose remediation latency is relatively high, and to examine trends in remediation latency.
- View
  - Security View: Shows the status of vulnerability occurrences in your organization.
  - Security Bulletin View: Shows the status of applying security bulletins from vendor-based catalogs and the prioritization of the security bulletins that have not been applied. Where possible, results are displayed in terms of security bulletins, each of which usually correlates to multiple Vulnerability Definitions. Vulnerability occurrences that are not part of a security bulletin are displayed separately.
- Scope
  The scope defines the Vulnerability Definitions that Skybox uses in each security metric. This can include all Vulnerability Definitions, only Vulnerability Definitions or security bulletins from vendor-based catalogs, or a custom-defined set. You can exclude groups of Vulnerability Definitions or products.
  The following security bulletin vendors are supported:
  - Adobe
  - Apple
  - Cisco
  - Google
  - Microsoft
  - Mozilla
  - Oracle
  - Red Hat
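The two indicator types just described, a Vulnerability Level Indicator as the average weighted occurrence count per asset and a Remediation Latency Indicator as a weighted sum of overdue occurrences averaged over the group, together with a scope filter such as the predefined New Vulnerabilities (last 30 days) metric, can be illustrated with a short computation. The following Python is an added example for this guide, not Skybox's scoring engine: the severity weights, the per-severity remediation SLAs, the growth factor applied to the delay, the caps that map a raw rate onto the 0 to 100 score range, and the sample occurrences are all assumptions chosen for the example; Skybox's own weights and normalization are not published in this guide.

```python
from datetime import date
from statistics import mean

# Assumed weights and remediation SLAs (days); the guide does not give Skybox's internal values.
SEVERITY_WEIGHT = {"Low": 1, "Medium": 3, "High": 7, "Critical": 10}
SLA_DAYS = {"Low": 90, "Medium": 60, "High": 30, "Critical": 14}
VLI_CAP = 25.0   # weighted occurrences per asset that maps to a score of 100 (assumed)
RLI_CAP = 50.0   # weighted overdue points per asset that maps to a score of 100 (assumed)

# Constructed sample occurrences per asset; vd_id values are placeholder identifiers.
SAMPLE_ASSETS = [
    {"name": "web01", "occurrences": [
        {"vd_id": "VD-1", "severity": "Critical", "status": "Found",
         "created": date(2022, 5, 1), "published": date(2022, 5, 15)},
        {"vd_id": "VD-2", "severity": "Medium", "status": "Found",
         "created": date(2022, 1, 1), "published": date(2021, 12, 1)},
        {"vd_id": "VD-3", "severity": "High", "status": "Fixed",
         "created": date(2022, 1, 1), "published": date(2021, 12, 1)},
    ]},
    {"name": "db01", "occurrences": [
        {"vd_id": "VD-4", "severity": "Low", "status": "Found",
         "created": date(2022, 5, 25), "published": date(2022, 5, 20)},
    ]},
]


def in_scope(occ: dict, scope, today: date) -> bool:
    """Scope of a security metric: every definition ("Any"), definitions published in the
    last 30 days (the New Vulnerabilities metric), or an explicit set of definition IDs."""
    if scope == "Any":
        return True
    if scope == "New Vulnerabilities - last 30 days":
        return (today - occ["published"]).days <= 30
    return occ["vd_id"] in scope


def _counted(asset: dict, scope, today: date) -> list:
    """Only Found occurrences inside the scope count; Fixed and Ignored ones do not."""
    return [o for o in asset["occurrences"] if o["status"] == "Found" and in_scope(o, scope, today)]


def vulnerability_level(assets: list, scope="Any", today: date = date(2022, 6, 1)) -> int:
    """Vulnerability Level Indicator: severity-weighted occurrences per asset, averaged over the
    group and scaled to 0..100 (0 means no occurrences in scope)."""
    if not assets:
        return 0
    rate = mean(sum(SEVERITY_WEIGHT[o["severity"]] for o in _counted(a, scope, today)) for a in assets)
    return min(100, round(100 * rate / VLI_CAP))


def asset_remediation_latency(asset: dict, today: date = date(2022, 6, 1)) -> float:
    """Per-asset Remediation Latency: each overdue Found occurrence contributes its severity
    weight multiplied by a factor that grows with how far past its SLA it is."""
    score = 0.0
    for occ in _counted(asset, "Any", today):
        sla = SLA_DAYS[occ["severity"]]
        delay = (today - occ["created"]).days - sla
        if delay > 0:
            score += SEVERITY_WEIGHT[occ["severity"]] * (1 + delay / sla)
    return score


def remediation_latency(assets: list, today: date = date(2022, 6, 1)) -> int:
    """Group Remediation Latency Indicator: the average of the member assets' scores, 0..100."""
    if not assets:
        return 0
    avg = mean(asset_remediation_latency(a, today) for a in assets)
    return min(100, round(100 * avg / RLI_CAP))
```

The same inventory scores differently under different scopes (the Medium occurrence published last year drops out of the 30-day metric), and the latency score is driven entirely by web01 while db01, whose only occurrence is well inside its SLA, contributes nothing; that is the pattern to look for when a parent unit's score is dominated by one subunit.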
Superseding Microsoft Security Bulletins

For security metrics using Microsoft Security Bulletins, information about patch supersedence is available. When you select a Microsoft Security Bulletin, you can see the bulletins that are completely or partially replaced by this bulletin and the newer bulletins that replace it. A Microsoft Security Bulletin completely or partially replaces another bulletin if patches included in the newer bulletin replace patches included in the older bulletin.

The estimated contribution to solving vulnerability occurrences for the selected Business Unit for each Microsoft Security Bulletin is displayed. This includes the direct contribution of the selected bulletin and the direct contribution of all bulletins it supersedes. The Superseding Bulletins tab in the Details pane lists the bulletins that the selected bulletin supersedes and those that supersede it, including the same information about each of those as for the selected bulletin (for example, reported date and affected assets). Bulletins that supersede the selected bulletin might be in a gray font. These bulletins supersede the selected bulletin but are not in the scope of the selected node. This information is provided so that you are aware of the newest relevant Microsoft Security Bulletins and can decide whether to apply them.
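The supersedence logic described above, written out as an added example (this is not Skybox code and does not use any Skybox API). It assumes a supersedence graph in which a newer bulletin points at the bulletins it completely or partially replaces, and a per-bulletin set of the vulnerability occurrences it solves directly in the selected Business Unit. The bulletin identifiers (MS-A to MS-D), the edges and the occurrence IDs are constructed for illustration. The example goes slightly beyond the text in one respect: contributions are unioned rather than summed, so an occurrence solved by two bulletins in the same chain is counted once.

```python
"""Microsoft Security Bulletin supersedence (added example, not Skybox code).

A bulletin supersedes another when its patches replace the older bulletin's
patches. The estimated contribution of applying a bulletin is the set of
vulnerability occurrences it solves directly plus those solved directly by
every bulletin it supersedes, followed transitively along the chain.
"""
from collections import deque

# Constructed data: bulletin -> occurrence IDs it solves directly in the selected Business Unit.
DIRECT_CONTRIBUTION = {
    "MS-A": {"vo-1", "vo-2"},
    "MS-B": {"vo-3"},
    "MS-C": {"vo-2", "vo-4"},   # vo-2 is also solved by MS-A; it must not be counted twice
    "MS-D": {"vo-5"},
}

# Constructed supersedence edges: newer bulletin -> bulletins it completely or partially replaces.
SUPERSEDES = {
    "MS-C": {"MS-A", "MS-B"},
    "MS-D": {"MS-C"},
}


def _reachable(start, edges):
    """Breadth-first walk over edges from start; the seen set guards against cycles in bad data."""
    seen, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        for nxt in edges.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def superseded_by(bulletin, edges=SUPERSEDES):
    """All bulletins that the given bulletin replaces, directly or through a chain."""
    return _reachable(bulletin, edges)


def superseding(bulletin, edges=SUPERSEDES):
    """All newer bulletins that replace the given bulletin, directly or through a chain."""
    reverse = {}
    for newer, olders in edges.items():
        for older in olders:
            reverse.setdefault(older, set()).add(newer)
    return _reachable(bulletin, reverse)


def estimated_contribution(bulletin, direct=DIRECT_CONTRIBUTION, edges=SUPERSEDES):
    """Occurrences solved by applying the bulletin: its own plus those of all bulletins it supersedes."""
    solved = set(direct.get(bulletin, ()))
    for older in superseded_by(bulletin, edges):
        solved |= direct.get(older, set())
    return solved


def newer_out_of_scope(bulletin, in_scope, edges=SUPERSEDES):
    """Superseding bulletins outside the selected node's scope (the ones shown in gray)."""
    return {b for b in superseding(bulletin, edges) if b not in in_scope}


if __name__ == "__main__":
    for b in sorted(DIRECT_CONTRIBUTION):
        print(b, "supersedes", sorted(superseded_by(b)), "solves", sorted(estimated_contribution(b)))
    print("newer than MS-A but out of scope:", newer_out_of_scope("MS-A", in_scope={"MS-A", "MS-C"}))
```

The gray-font case from the text corresponds to newer_out_of_scope: MS-D replaces MS-A through MS-C but is not in the selected node's scope, so it is reported separately rather than folded into the contribution figure.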
Chapter 5

Remediation

After viewing the Prioritization Center, you understand what needs fixing and can start remediation.
Use the Remediation Center to track the remediation status of your organization, including the numbers of found vulnerability occurrences and fixed vulnerability occurrences in each part of your organization, and to understand how remediation is progressing over time.

You can remediate with or without using Skybox. You can create Skybox tickets on Vulnerability Definitions and assign them to users for detailed tracking.
In this chapter
About remediation levels 40
Remediation Center 41
Workflow for remediation 42
Creating tickets for remediation 42
About remediation levels

Skybox monitors remediation levels according to the remediation pace of your organization for each security metric. For example, critical Microsoft Security Bulletins might have an SLA of 20 days (that is, all critical Microsoft vulnerability occurrences should be fixed within 20 days) but critical Adobe Security Bulletins might have an SLA of 30 days.

Vulnerability occurrences whose SLA period has not yet elapsed are in SLA. After that, they are out of SLA with various delay levels, measured in multiples of the SLA. For example, if the SLA for critical vulnerability occurrences in the selected security metric is 30 days, a vulnerability occurrence that is not fixed within 30 days is in minor delay, in medium delay if it is still not fixed after 60 days, and in major delay if it is still not fixed after 90 days.
By default, the SLAs for each security metric are:

- Critical vulnerability occurrences: 30 days to fix
- High vulnerability occurrences: 60 days to fix
- Medium vulnerability occurrences: 90 days to fix
- Low and Info vulnerability occurrences: No SLA
You can:

- Change the SLAs of an individual security metric, according to the most urgent security metrics for your organization (see Defining the SLA per severity level)
- Change the default SLAs that apply to security metrics, in Tools > Options > Server Options > Vulnerability Control
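The remediation-level rule described above, as an added example (not Skybox code). It classifies each vulnerability occurrence as in SLA, minor delay, medium delay or major delay from its severity and age, using the default SLAs listed above, and then produces the kind of per-severity breakdown the Remediation Center charts show. The occurrences, their dates and the reference date are constructed; the guide gives the delay bands only as multiples of the SLA, so treating a boundary day (exactly 30 days for a Critical) as still inside the lower band is an assumption of this example, as is the in_sla_percentage helper, which counts only occurrences that have an SLA.

```python
"""SLA status of vulnerability occurrences (added example, not Skybox code).

An occurrence is in SLA until the SLA for its severity has elapsed, in minor
delay until twice the SLA, in medium delay until three times the SLA, and in
major delay after that. Low and Info occurrences have no SLA.
"""
from collections import Counter
from datetime import date

# Default SLAs per severity (days to fix), as listed above; None means no SLA.
DEFAULT_SLA_DAYS = {"Critical": 30, "High": 60, "Medium": 90, "Low": None, "Info": None}

IN_SLA = "In SLA"
MINOR_DELAY = "Minor Delay"
MEDIUM_DELAY = "Medium Delay"
MAJOR_DELAY = "Major Delay"
NO_SLA = "No SLA"


def sla_status(severity, age_days, sla_days=DEFAULT_SLA_DAYS):
    """Return the SLA status of one occurrence that has been open for age_days."""
    sla = sla_days.get(severity)
    if sla is None:
        return NO_SLA
    if age_days <= sla:           # boundary day counted as in SLA (assumption)
        return IN_SLA
    if age_days <= 2 * sla:
        return MINOR_DELAY
    if age_days <= 3 * sla:
        return MEDIUM_DELAY
    return MAJOR_DELAY


def days_overdue(severity, age_days, sla_days=DEFAULT_SLA_DAYS):
    """Days past the SLA; 0 if the occurrence is in SLA or has no SLA."""
    sla = sla_days.get(severity)
    return 0 if sla is None else max(0, age_days - sla)


def summarize(occurrences, today, sla_days=DEFAULT_SLA_DAYS):
    """Count occurrences per (severity, status), like the Found Vulnerabilities by SLA chart."""
    counts = Counter()
    for occ in occurrences:
        age = (today - occ["found"]).days
        counts[(occ["severity"], sla_status(occ["severity"], age, sla_days))] += 1
    return counts


def in_sla_percentage(occurrences, today, sla_days=DEFAULT_SLA_DAYS):
    """Percentage of occurrences with an SLA that are still in SLA (None if no occurrence has an SLA)."""
    with_sla = in_sla = 0
    for occ in occurrences:
        status = sla_status(occ["severity"], (today - occ["found"]).days, sla_days)
        if status == NO_SLA:
            continue
        with_sla += 1
        if status == IN_SLA:
            in_sla += 1
    return None if with_sla == 0 else round(100.0 * in_sla / with_sla, 1)


# Constructed sample: the date on which each occurrence was found on the network.
SAMPLE_OCCURRENCES = [
    {"id": "vo-1", "severity": "Critical", "found": date(2022, 5, 15)},   # 17 days old: in SLA
    {"id": "vo-2", "severity": "Critical", "found": date(2022, 4, 10)},   # 52 days old: minor delay
    {"id": "vo-3", "severity": "Critical", "found": date(2022, 2, 1)},    # 120 days old: major delay
    {"id": "vo-4", "severity": "High", "found": date(2022, 3, 15)},       # 78 days old: minor delay
    {"id": "vo-5", "severity": "Medium", "found": date(2021, 12, 1)},     # 182 days old: medium delay
    {"id": "vo-6", "severity": "Low", "found": date(2021, 1, 1)},         # no SLA
]
SAMPLE_TODAY = date(2022, 6, 1)

if __name__ == "__main__":
    for (sev, status), n in sorted(summarize(SAMPLE_OCCURRENCES, SAMPLE_TODAY).items()):
        print(f"{sev:9} {status:13} {n}")
    print("in SLA:", in_sla_percentage(SAMPLE_OCCURRENCES, SAMPLE_TODAY), "%")
```

To model a per-metric SLA (the 20-day Microsoft example above), pass a different sla_days mapping for that metric; the delay bands follow from it automatically.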
Remediation Center

The purpose of the Remediation Center is to help you to understand the pace of vulnerability occurrence remediation in your organization, and to know the vulnerabilities that require the most urgent remediation.

At the top of the page is a short overview of the state of remediation for the selected security metric.

The color of each status specifies its ranking (excellent, good, fair, or poor). You can switch the view to a different security metric from here.

In the next section (Remediation Overview):

- The 1st chart shows the remediation rate of vulnerability occurrences in your organization.
- The 2nd chart shows how many high and critical vulnerability occurrences are out of SLA, and by how much.
- The 3rd chart shows a comparison of how many high and critical vulnerability occurrences were found in the past months or weeks vs. how many were fixed. This helps you to understand whether you are keeping pace with the rate at which vulnerability occurrences are found in your organization.

At the bottom of the page is a summary of the remediation information for each security metric.

The main column is In SLA Vulnerabilities, which lists the security metrics that have a low percentage of vulnerability occurrences that are in SLA.
Workflow for remediation
Typical workflow for remediation
1. Select Remediation Center (above the tree).
2. In the tree, click the Security Metrics node.
3. Select a technology to explore and select its security metric.
4. The 1st chart (Found Vulnerabilities by SLA) gives you an idea of the scope of the delay in vulnerability occurrences that need fixing.
5. The 2nd chart enables you to focus on the high and critical vulnerability occurrences with the most delay.
6. Click in the part of the chart that interests you (for example, Critical > Major Delay); this brings you to a list of Vulnerability Definitions in the Vulnerability Definitions / Security Bulletins tab.
7. You can look at the Vulnerability Definitions, see how many vulnerability occurrences each Vulnerability Definition has, and determine those that most need fixing. If your organization remediates using Skybox tickets, you can open tickets.
Creating tickets for remediation

You can use tickets to handle the remediation process. You can create tickets on either Vulnerability Definitions or security bulletins. You can create more than one ticket on the same Vulnerability Definition or security bulletin, so that you can track it with separate tickets in different scopes.

To create a ticket

- Right-click the Vulnerability Definition or security bulletin in the Table pane and select Create Ticket.

A threat alert ticket is created.

The scope of these tickets depends on what you selected in the Security Metrics tree when creating the ticket. For example, if a ticket is created on a security bulletin when the Europe Operations Business Unit is selected in the tree, the Network Scope of the ticket includes only this Business Unit.

When you close a ticket for a Vulnerability Definition or security bulletin, its related vulnerability occurrences are marked as Fixed.

For additional information about the ticket workflow, see Tickets and workflow.
Chapter 6

Customizing the security metrics

The security metrics scores are intended to provide information about the security status of your organization. Because security status is determined by your policy and other factors, you might need to modify the properties that Skybox uses to display and calculate the security metrics scores.
You can customize the predefined security metrics and you can add additional securitymetrics. Each security metric is managed separately.
To manage the security metrics, right-click the top-level node in the tree and select Manage Security Metrics.
In this chapter
About security metrics in Skybox 43
Initial customization 43
Security metric properties 44
Additional customization 46
About security metrics in Skybox

Skybox uses security metrics to measure the security status of your organization. Skybox includes predefined security metrics; you can customize predefined metrics and create new security metrics.

Some security metrics in Skybox measure the status of vulnerability occurrences in your organization. Other security metrics measure the status of applying security bulletins from vendor-based catalogs.
Initial customization

The default values for security metrics display properties and calculation values are usually adequate as a starting point. We recommend that you do only minimal customization before the 1st analysis of security metrics.

You might want to change the following to match your naming conventions and SLAs:

- The names (long and short) of the security metrics
- The scale of the security metrics (see Changing the security metrics scale)
- The SLA per severity level (SLAs are used in the remediation process) (see Defining the SLA per severity level)
To customize a security metric
1. Right-click the Vulnerability Control node and select Manage Security Metrics.
2. In the Manage Security Metrics dialog box, select the security metric to customize and click Modify.
3. Make the necessary changes and click OK.
The Security metric properties topic includes information about the properties.
4. After making changes to a security metric, reanalyze (click Analyze on the toolbar).
Changing the security metrics scale
By default, the security metrics scale includes 5 levels, which map the number of found vulnerability occurrences (or missing security bulletins) to a 0-100 score, a named level, and a color scheme similar to that used in Skybox for risk levels.

The default values for all VLI-type security metrics are listed in the following table. Each High-level vulnerability occurrence is worth 0.3 of a Critical-level vulnerability occurrence, and each Medium-level vulnerability occurrence is worth 0.03 of a Critical-level vulnerability occurrence.
Number of critical-equivalent vulnerability occurrences or missing security bulletins | VLI score | Level name
0 to 0.5                                                                             | 0 to 20   | Very Low
0.5 to 2                                                                             | 20 to 40  | Low
2 to 4                                                                               | 40 to 60  | Medium
4 to 6                                                                               | 60 to 80  | High
6 to 1,000,000                                                                       | 80 to 100 | Critical
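The default VLI scale above, applied in code as an added example (not Skybox code). It converts an asset's per-severity occurrence counts to critical-equivalents with the 0.3 and 0.03 weights, then maps that number to a score and level name using the level bounds from the table. The guide gives only the upper value and score of each level; interpolating the score linearly inside a level, clamping values above the last bound to the top of the scale, and scoring a group of assets from its average critical-equivalents per asset are assumptions of this example, as is the counts_by_severity input format.

```python
"""Vulnerability Level Indicator (VLI) scale (added example, not Skybox code).

High occurrences count as 0.3 of a Critical, Medium as 0.03; Low and Info do
not count. The critical-equivalent count is mapped to a 0-100 score and a level
name by the scale rows (value upper bound, score upper bound, level name).
"""

CRITICAL_EQUIVALENT_WEIGHT = {"Critical": 1.0, "High": 0.3, "Medium": 0.03, "Low": 0.0, "Info": 0.0}

# Default scale from the table; a row's lower bound is the previous row's upper bound (0 for the first row).
DEFAULT_VLI_SCALE = [
    (0.5, 20, "Very Low"),
    (2.0, 40, "Low"),
    (4.0, 60, "Medium"),
    (6.0, 80, "High"),
    (1_000_000.0, 100, "Critical"),
]


def critical_equivalents(counts_by_severity, weights=CRITICAL_EQUIVALENT_WEIGHT):
    """Critical-equivalent count for one asset, e.g. {"Critical": 1, "High": 2, "Medium": 10} -> 1.9."""
    return sum(weights.get(sev, 0.0) * n for sev, n in counts_by_severity.items())


def vli_score(value, scale=DEFAULT_VLI_SCALE):
    """Map a critical-equivalent count to (score, level name); score is interpolated inside the level."""
    if value < 0:
        raise ValueError("critical-equivalent count cannot be negative")
    lo_value, lo_score = 0.0, 0
    for hi_value, hi_score, name in scale:
        if value <= hi_value:
            frac = (value - lo_value) / (hi_value - lo_value)
            return round(lo_score + frac * (hi_score - lo_score), 1), name
        lo_value, lo_score = hi_value, hi_score
    _, top_score, top_name = scale[-1]          # beyond the last bound: clamp to the top level
    return float(top_score), top_name


def asset_vli(counts_by_severity, scale=DEFAULT_VLI_SCALE, weights=CRITICAL_EQUIVALENT_WEIGHT):
    """Score and level for a single asset."""
    return vli_score(critical_equivalents(counts_by_severity, weights), scale)


def group_vli(assets, scale=DEFAULT_VLI_SCALE, weights=CRITICAL_EQUIVALENT_WEIGHT):
    """Score and level for a group of assets, from the average critical-equivalents per asset (assumption)."""
    if not assets:
        return vli_score(0.0, scale)
    total = sum(critical_equivalents(a, weights) for a in assets)
    return vli_score(total / len(assets), scale)


if __name__ == "__main__":
    # Constructed assets: per-severity counts of open vulnerability occurrences.
    web = {"Critical": 1, "High": 2, "Medium": 10}
    db = {"Critical": 3}
    jump = {"High": 1, "Low": 40}
    for name, asset in [("web", web), ("db", db), ("jump", jump)]:
        print(name, critical_equivalents(asset), asset_vli(asset))
    print("group", group_vli([web, db, jump]))
```

A custom scale with fewer levels (the guide allows 3 to 5) is just a shorter DEFAULT_VLI_SCALE list with your own bounds and names; the mapping code does not change.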
You might need to:

- Change the number of critical vulnerability occurrences or critical missing security bulletins in each level
- Delete levels to match your SLA

  If you delete levels, you might also need to change information about the remaining levels according to your SLAs and naming conventions.
- Change the level names
For additional information, see Security metric properties.
Defining the SLA per severity level
You can define the SLA for each severity level of a security metric. The SLA is the expected number of days for the remediation of vulnerability occurrences.
The default SLAs are:

- Critical: 30 days
- High: 60 days
- Medium: 90 days
- Low: None
- Info: None
Security metric properties

All security metrics have the same properties. These properties are described in the following table.
Property: Description

Basic tab

Enable: Specifies whether the security metric is visible to users.

Highlight in summary page: Specifies whether the security metric is highlighted in the Vulnerability Control Summary tab. Up to 3 security metrics can be highlighted in the Vulnerability Control Summary tab.

Short Name: An abbreviation for the name of the security metric. The short name is used in Skybox Manager and in Security Metric reports.

Long Name: The full name of the security metric. The long name is used in Security Metric reports.

Description: A description of the security metric.

Type: The security metric category:
- Vulnerability Level Indicator: Measures the security status of your organization based on its vulnerability occurrences or on the update level of security bulletins. The more critical vulnerability occurrences or critical missing security bulletins, the higher the score.
- Remediation Latency Indicator: Measures the remediation performance of your organization. The more time it takes you to fix the critical vulnerability occurrences, the higher the score.

Scope: The scope of the security metric:
- Any: The scope is all Vulnerability Definitions and all catalogs of security bulletins.
- Security Bulletin Vendors: The scope is defined by security bulletin vendors; entries are displayed as missing security bulletins.
- Custom: The scope is defined by a customized set of Vulnerability Definitions and security bulletins. Select a set from the drop-down list. To edit a Vulnerability Definition set or to define a set, click .

Excluded: Vulnerability Definitions: Vulnerability Definitions to exclude from the security metric scope.

Excluded: Products: Products in the selected Product List to exclude from the security metric scope.

View: How the security metric is displayed.
- Security View: A prioritized list of vulnerability occurrences.
- Security Bulletin View: A prioritized list of security bulletins and vulnerability occurrences.

Vulnerability Occurrence Age Criteria: Specifies whether the age of vulnerability occurrences analyzed for the security metric type is determined by publication date or by the date of discovery on your network.

SLA: SLA per severity level
- Critical: The SLA in days for vulnerability occurrences with Critical severity.
- High: The SLA in days for vulnerability occurrences with High severity.
- Medium: The SLA in days for vulnerability occurrences with Medium severity.
- Low: The SLA in days for vulnerability occurrences with Low severity.
- Info: The SLA in days for vulnerability occurrences with Info severity.

Advanced tab

Automatically normalize security metric levels on next security metrics analysis: By default, this option is hidden. Specifies whether Skybox refactors the security metrics scores so that the distribution of scores across the Business Units follows the normal distribution. The score is adjusted according to the number of vulnerability occurrences per asset in your organization, which removes the problem of only high scores or only low scores. This action is intended to create a basis for comparison of the security metrics levels. Refactoring is only performed once per security metric.

Security Metrics scale: The security metric scale is divided into 3 to 5 levels. Skybox includes default values for mapping the number of critical vulnerability occurrences per asset to a security metric score (and level); you can change these to suit your organization. Each level includes:
- Name: The name of the level
- Level Color: The color that represents this level in Skybox Manager (using RGB values)
- Value (Upper Bound): The highest number of critical vulnerability occurrences in this level
- Score (Upper Bound): The highest score for this level (from 0-100)

The levels are listed in order: the lowest level in the security metric scale, the 2nd-lowest level, the middle level, the 2nd-to-highest level, and the highest level.
For the default values of each predefined security metric, see Predefined security metrics.

Additional customization

Because security status is determined by multiple properties, you might need to make additional changes to the security metric scales. For example, both the size of your organization and the number of vulnerability occurrences or missing security bulletins that is acceptable influence the mapping. In some organizations, 2 critical vulnerability occurrences on an asset is unacceptable; in other organizations 2 critical vulnerability occurrences on an asset is acceptable and 4 or 5 critical vulnerability occurrences on an asset is unacceptable.

For a table of security metric properties, see Security metric properties.

For detailed information about the scale values, how the security status is calculated, and advanced security metric properties that are not configurable in Skybox Manager, see Modifying security metric properties.
Chapter 7

Continuous usage for Threat-Centric Vulnerability Management

You can automate Skybox by setting up the necessary tasks to run on a regular basis (see Using tasks for automation).

You can schedule many processes in Skybox to run automatically, including:

- Model updates
- Recalculation of the security metrics scores
- Notifications of changes to security metrics scores
- Reports (documented in the Skybox Reference Guide)
- General maintenance of the model (including saving and loading backup versions)
In this chapter
Security Metric triggers 47
Recalculating the security metrics 48
Creating other triggers 48
Security Metric triggers

A Security Metric trigger is a rule that defines the conditions under which security metric (email) notifications are created. For example, "Notify the owner of the Corporate Services unit whenever the security metrics score of that unit becomes greater than Medium."

Notifications for security metrics events are created (based on the triggers) when Analysis – Security Metrics tasks are run.
Setting up Security Metric triggers
Admins can set up triggers to send email notifications when security metric levels change.
To create a trigger
1. Select Tools > Administrative Tools > Triggers.
2. In the Skybox Admin window, right-click the Triggers node and select New Trigger.
3. In the New Trigger dialog box, set Trigger Type to Security Metric.
4. Fill in the fields according to the table in the Security Metric trigger properties topic in the Skybox Reference Guide.
5. Click OK.
When Analysis – Security Metrics tasks are run, the triggers are checked, and email notifications are sent according to your definition.
Note: Triggers can be disabled and re-enabled by right-clicking the trigger.
Recalculating the security metrics

Security metric scores are sensitive to changes in the model. Actions that might affect security metrics scores include:

- Data import or collection
- Skybox Vulnerability Dictionary update
- Aging (running a Model – Outdated task)
- Running an Analysis – Vulnerability Detector task
- User changes to the model (for example, deleting, adding, or modifying vulnerability occurrences or assets)

You can recalculate security metrics scores manually after a change or you can schedule an Analysis – Security Metrics task to run as part of a task sequence after tasks that might affect the security metrics scores. As part of the security metrics analysis task, alerts can be sent to users when the security metric levels change. For information about these tasks, see the Security Metrics calculation tasks topic in the Skybox Reference Guide.

The RLI scores for critical vulnerability occurrences increase over time, because the delay of an unfixed occurrence grows even when the model does not change. Recalculate the RLI on a regular basis even if no other changes were made, either manually or by scheduling an Analysis – Security Metrics task to run on a regular basis.
Creating other triggers

You can also create event-based rules (triggers) that send email notifications for:

- Tickets: A notification is sent when a ticket changes in a way that matches a trigger for tickets.

  For example, you can create a trigger that sends notifications to all members of the Develop Solutions group when a ticket is promoted to the Develop Solutions phase.

  Note: For tickets, you can also trigger Skybox tasks that run a script. For information about these triggers, see the Ticket trigger properties topic in the Skybox Reference Guide.

- Threat alerts: A notification can be sent for a single threat alert or for multiple threat alerts.

  For example, after collecting threat alerts, Skybox checks the Threat Alert triggers for threat alerts that meet their criteria. If multiple threat alerts meet the criteria for a trigger, it sends a single notification with multiple threat alerts. However, a separate notification is sent for each trigger. If, for example, a trigger sends notifications to the person responsible for Windows products every time that threat alerts affecting a Windows product are received and 5 Windows threat alerts are received from a collection, a single notification containing all the new Windows threat alerts is sent. If other threat alerts that match additional triggers are received during the same collection, separate notifications are sent for those threat alerts.
To create a trigger
1. Select Tools > Administrative Tools > Triggers.
2. In the Skybox Admin window, right-click the Triggers node and select New Trigger.
3. Select the Trigger Type.
4. Fill in the fields as described in the Skybox Reference Guide:
   - Ticket trigger properties
   - Threat Alert trigger properties
5. Click OK.
Notifications are triggered and sent (according to the selected properties).
Exposure

This part explains how to work with the Exposure feature of Skybox Vulnerability Control.
Chapter 8

Overview of the Exposure feature

This chapter explains how Exposure works in Skybox.
In this chapter
Introduction to exposure 51
Automated IT security modeling 52
Attack simulation and visualization 53
Business impact analysis and risk metrics 54
Regulation compliance 55
Risk exposure management workflow 55
Introduction to exposure

Exposure is a main feature of Skybox Vulnerability Control. You can view overview information in the Summary tab of the Exposure by Threat node.

The tab displays information about critical exposure in your organization; you can drill down to get additional information. The information displayed on this tab includes the direct vulnerability occurrences (vulnerability occurrences that are 1 or 2 steps away from a Threat Origin) and the Threat Origins that pose the most danger to your organization. You can view additional information about Threat Origins and Business Asset Groups using the tabs at the top of the Summary tab.
Automated IT security modeling

To identify, quantify, and mitigate security exposure, Skybox Vulnerability Control builds a model: a virtual map representing the security risk profile of your organization. The model consists of:

- Threat profiles
- Network access information
- Vulnerability occurrence data
- Business Asset Group classification

All 4 components are required to analyze business impacts completely and accurately.

Skybox Vulnerability Control uses the open collection architecture of the Skybox platform. Information is collected by scheduling regular data collection tasks that continuously provide the model with up-to-date information about changes to the network infrastructure.

Using Skybox, you can have a single view of your security environment that is updated automatically and continuously. Subsequent attack simulation and what-if analysis can be run safely on this model instead of on your networks and devices.
Attack simulation and visualization

Skybox Vulnerability Control conducts exhaustive, nonintrusive attack simulations against the model to measure the effectiveness of potential threats in penetrating security defenses. The Skybox Attack Simulation Engine ascertains which assets are reachable and exploitable, and which assets are secure.

An Attack Map provides a visual, step-by-step analysis of attacks, based on simulations of attack paths. Skybox Vulnerability Control graphically illustrates the multistep path an attacker can take, identifying the vulnerability occurrences exploited and the network traversed for each exploitable path.
This analysis enables IT departments to identify the top few percent of exploitable vulnerability occurrences that make up the primary risks to critical assets. Working from this analysis, security and IT professionals can focus on critical exposures when they occur and reduce the time to remediation from weeks to hours.

Business impact analysis and risk metrics

Based on the results of attack simulation, Skybox Vulnerability Control analyzes the potential business impacts on assets in terms of potential breaches in confidentiality, integrity, and availability (CIA). Attack simulation computes the likelihood of attacks. Skybox Vulnerability Control then calculates business and compliance risks by analyzing asset values and attack probabilities. To provide the most useful analysis, you can import business-impact rules and regulation compliance classifications from asset management databases or other predefined sources.

Risk metrics are calculated for every Business Asset Group. Metrics are consolidated for each Business Unit and for the organization. Managers can view the results of risk analysis in reports built on flexible report templates and select the most effective remediation processes to reduce critical risk exposure.
Regulation compliance

Security professionals can classify Business Asset Groups according to specific regulations to continuously monitor the risks facing regulated assets. You can select from predefined Regulation templates, including SOX, HIPAA, FISMA, FIPS 199/200, and NIST. Compliance officers or risk managers can also specify Regulation templates for their own industry. Using these classifications, Skybox Vulnerability Control can analyze compliance risks and generate executive and auditor reports.

Risk exposure management workflow

Before you can use Skybox to manage risk exposure, you must add information to the model (see Building the model).

To manage risk exposure

1. Simulate attacks by running an Analysis – Exposure task (for example, the predefined Analyze Simulate Attacks task). This task simulates all scenarios for attacking your network from the specified Threat Origins and uses this information to compute risk levels and attacks. The derived data is stored in the Skybox model.
2. Review the results of the simulation in the Summary tab of the Exposure by Threat node.
3. Use the summary information and the Attack Explorer to identify the causes of the most critical risk to your organization.
4. Reduce your risk by mitigating critical vulnerability occurrences and faulty access.
5. Generate reports (see Reports). For example, you can generate reports to:
   - Show the risk on all or part of your organization
   - List the vulnerability occurrences on a scope, with or without detailed information and suggested solutions
   - List tickets issued for mitigation
   - List a set of tickets (for example, tickets that are open but have passed their due date)

Implement this process after you build the model and every time that you make significant changes to the model.

Note: Risk Exposure Analysis is performed in the Exposure workspace and the Exposure tree.
Chapter 9

Building the model

In this chapter, we assume that your organizational model includes:

- Assets and vulnerability occurrences (see Updating the Vulnerability Dictionary and Getting asset and vulnerability occurrence data)
- An organizational hierarchy of Business Units and Business Asset Groups (see Adding organizational hierarchy)

This chapter focuses on the additional information that Exposure requires, including networks, gateways, clouds, and locations.

Building the network topology

The network topology consists of networks and the gateways that connect them.

To build the network topology, create and run tasks for collecting and importing data from the network devices that you specified in Preparing a list of network devices.
To build the network topology
1. Click .
2. In the Operational Console tree, select the Tasks node.
3. For each set of devices to import, create a task to import their configurations:
Click .
   - For information about importing device data offline, see the File import tasks chapter in the Skybox Reference Guide.
   - For information about device-specific online collection tasks, see the Tasks part of the Skybox Reference Guide.
4. After you run each task, check that it succeeded:
a. In the Operational Console, open Tasks > All Tasks.
b. In the Table pane, locate the task and check that the task Exit Code is Success.
If a task fails, check the Messages tab of the Details pane.
5. Verify that the import is correct and complete:
a. In the Model tree select the correct node for the imported devices.
b. Check that:
      - (For a new device) The imported device is in the list in the Table pane
      - (For an existing device) The device modification time is the time of this import, not that of a previous import
c. Review the device’s network interfaces:
      - Right-click the device in the Table pane and select Network Interfaces.
   d. If the device has routing rules:
      i. Right-click the device and select Routing Rules. Check that the routing rules were imported.
      ii. Use a sample routing rule to confirm that it was imported correctly: select a routing rule on the device and look for its logical match in the routing rules in Skybox.

      Note: A correctly imported set of routing rules (or access rules) logically matches the set of rules on the device. However, rules might not be modeled in the same way that they occur on the device.
   e. If the device has access rules:
      i. Right-click the device and select Access Rules. Confirm that the access rules were imported.
      ii. Select an access rule on the device and look for its logical match in the access rules in Skybox.
   f. On the toolbar, click . Make sure that the imported device is in the map and that it is correctly connected.
6. (Recommended, especially for large networks) Create locations. Locations group networks and simplify how Skybox displays the model.
Locations
A large organization can include hundreds of networks. Locations are container entities that create a hierarchic structure for networks in your organization, to make it easier to navigate and view the network structure.

A location can include networks and other locations. For example, a Europe location might contain networks and London and Paris locations. These locations, in turn, might include networks and other locations.

Define locations manually in the Model workspace and then add networks or additional locations to them.

Note: You can create locations using iXML. For information about iXML, see the Integration part of the Skybox Developer Guide.
If you are working with a large network, define a location for each physical location that you discover and add to it the networks discovered in that network segment. A location can be a very broad grouping (for example, Europe) or a much more local grouping (for example, IT Room or 2nd Floor).

For a gateway to be contained in a location, all its networks must be in that location. If even one network belongs to another location (or is not associated with a location), the gateway is displayed in the map even when all locations are collapsed. We recommend that you include gateways that are internal to a location as part of the location; do not include gateways that connect multiple locations in a location.
To create a location and add it to the tree

1. In the tree, expand the Locations & Networks node and locate the parent node for the location.

   If the location belongs at the top level, select the Locations & Networks node as the parent node.
2. Right-click the parent node and select New > Location.
3. In the New Location dialog box:
   a. Type a Location Name for the location.

      Location names must be unique throughout the model. You cannot use the characters "/" and "\" as part of a location name.
   b. (Optional) Click the Browse button next to Members to specify the location's members.

      Note: If you define the location before you discover the topology, you cannot select members for the location.
   c. (For a Skybox user to receive notifications about entities in this location) Click the Browse button next to Owner to specify the location owner from all authorized Skybox users.
To add a network or location to a location
1. In the tree, right-click the network or location to add to an existing location and select Attach to Location or Move to Location.
2. In the Attach networks to location or Move locations to location dialog box, as required:
• Select the parent location for the selected entity and click OK.
• To make this entity part of a new location:
a. Select the position in the tree for the new (parent) location.
b. In New (which contains a list of parent types), click Location.
c. In the New Location dialog box, type a name and other relevant information.
The entity that you are attaching becomes a child of the new parent location; you can add locations and networks using the Members field.
Note: Repeat steps b and c to create a hierarchy of locations. The entity that you attach becomes a child of the most recently selected location in the tree.
For example, you have a network named Operations Center and it belongs in Miami, but there is no location named Miami. The 1st time that you click New, create a location named US. Inside the US location, create a location named Florida; inside the Florida location, create a location named Miami. The Operations Center network becomes a member of the Miami location.
d. Click OK.
The location is created in the selected position in the tree and the selected entity becomes a child node, as do any members selected in step c.
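The containment rule above (a gateway collapses into a location only if every one of its networks is inside that location or one of its child locations) decides what stays visible when the map is collapsed. The following is an added example in Python; it is not Skybox code and not part of this guide. The location tree, the network and gateway names, and the function names are all constructed for the example.

```python
"""Added example, not Skybox code: the location-containment rule for gateways.
A gateway collapses into a location on the map only when every network it
touches is inside that location (directly or in a child location); otherwise
it stays visible even with all locations collapsed. All names are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Location:
    name: str
    parent: Optional[str] = None            # None for a top-level location
    networks: List[str] = field(default_factory=list)


@dataclass
class Gateway:
    name: str
    networks: List[str]                     # networks its interfaces connect to


def network_owners(locations: Dict[str, Location]) -> Dict[str, str]:
    """Map each network to the location that lists it as a member.

    A network may belong to at most one location, so listing it twice is a
    modelling error rather than something to resolve silently."""
    owner: Dict[str, str] = {}
    for loc in locations.values():
        for net in loc.networks:
            if net in owner:
                raise ValueError(f"network {net!r} is a member of both {owner[net]!r} and {loc.name!r}")
            owner[net] = loc.name
    return owner


def lineage(name: str, locations: Dict[str, Location]) -> List[str]:
    """Location name followed by its parents, innermost first."""
    chain: List[str] = []
    current: Optional[str] = name
    while current is not None:
        chain.append(current)
        current = locations[current].parent
    return chain


def containing_location(gw: Gateway, locations: Dict[str, Location],
                        owner: Dict[str, str]) -> Optional[str]:
    """Innermost location that contains *all* of the gateway's networks.

    Returns None when any network has no location (or the gateway has no
    networks at all), meaning the gateway is always drawn on the map."""
    if not gw.networks:
        return None
    chains: List[List[str]] = []
    for net in gw.networks:
        loc = owner.get(net)
        if loc is None:
            return None                     # one unassigned network is enough
        chains.append(lineage(loc, locations))
    for candidate in chains[0]:             # innermost first
        if all(candidate in chain for chain in chains[1:]):
            return candidate                # lowest common ancestor
    return None


def map_placement(gateways: List[Gateway],
                  locations: Dict[str, Location]) -> Dict[str, Optional[str]]:
    """Gateway name -> location it collapses into (None = always visible)."""
    owner = network_owners(locations)
    return {gw.name: containing_location(gw, locations, owner) for gw in gateways}


# Constructed sample: Europe contains the London and Paris locations.
LOCATIONS = {
    "Europe": Location("Europe", networks=["eu-backbone"]),
    "London": Location("London", parent="Europe", networks=["lon-users", "lon-servers"]),
    "Paris": Location("Paris", parent="Europe", networks=["par-users"]),
}
GATEWAYS = [
    Gateway("lon-core", ["lon-users", "lon-servers"]),               # internal to London
    Gateway("eu-wan", ["lon-servers", "eu-backbone", "par-users"]),   # joins London and Paris
    Gateway("lon-edge", ["lon-servers", "internet"]),                # "internet" has no location
]

if __name__ == "__main__":
    for gw, loc in map_placement(GATEWAYS, LOCATIONS).items():
        print(f"{gw}: {'collapses into ' + loc if loc else 'always shown on the map'}")
```

The result mirrors the recommendation in the text: lon-core is hidden inside London, eu-wan connects two locations and so is only hidden when the whole of Europe is collapsed, and lon-edge touches a network that belongs to no location and is therefore always visible.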
Clouds
Clouds model areas that are missing in the model so that you can analyze access between the surrounding areas or to and from the missing areas.
Clouds are special network objects that represent networks that are connected to the model but are not modeled completely (for example, the internet, partners, or parts of your network that are not modeled). Model as a cloud any network over which your organization has no control or for which it cannot retrieve device configurations and scan data.
There are 2 types of clouds:
• Perimeter Clouds: Perimeter Clouds (often referred to as clouds) represent networks or areas in your network that are at the perimeter of the network (for example, partner networks and the internet).
Multiple network interfaces can be connected to the same Perimeter Cloud, but Perimeter Clouds do not include routing abilities: 2 devices connected to the same Perimeter Cloud are connected in the Network Map, but access queries (using Access Analyzer) between them are blocked. Access queries that include a Perimeter Cloud always end in the cloud.
• Connecting Clouds: Connecting Clouds represent missing areas in the middle of your network. These might be parts of your network for which you cannot retrieve data, or MPLS networks between parts of your network.
Unlike Perimeter Clouds, Connecting Clouds have routing abilities. Multiple network interfaces can be connected to the same cloud; they are connected in the Network Map (via the Connecting Cloud), and access queries work between the devices connected to the Connecting Cloud.
Perimeter Clouds are usually user-defined but can be created automatically as part of model validation.
Connecting Clouds are user-defined except for MPLS networks, which can be created automatically as part of model validation.
Creating and editing Perimeter Clouds
You can create Perimeter Clouds manually or automatically.
Creating Perimeter Clouds manually
The easiest way to create a Perimeter Cloud is to define an existing network as a Perimeter Cloud. However, this is not sufficient when the Perimeter Cloud represents an area outside the boundaries of your network.
If you create a Perimeter Cloud that is not based on a network in the model, include and exclude IP addresses for the network that you are configuring. For example:
• If you are configuring an internet cloud, exclude the IANA reserved addresses (click Private in the Network Properties dialog box).
• If you are configuring a public network, exclude the public IP addresses used by your organization. Otherwise, access analysis treats your own public addresses as possible sources inside the cloud (spoofed access), and Skybox might produce erroneous results.
If you know the IP addresses for the Perimeter Cloud, configure them in the Cloud Addresses tab.
To define a network as a Perimeter Cloud
1. In the Model tree, expand the Locations & Networks node and locate the network that you want to define as a cloud.
2. Right-click the network and select Define Network as Cloud.
Note: If the cloud is connected to multiple networks, set IP Address and Mask to 0.0.0.0 / 0.0.0.0.
To create a Perimeter Cloud
1. In the Model tree, expand the Locations & Networks node and locate the parent node for the cloud.
If the cloud belongs at the top level, the parent node is the Locations & Networks node.
2. Right-click the parent node and select New > Perimeter Cloud.
• For information about the properties of Perimeter Clouds, see the Perimeter Clouds topic in the Skybox Reference Guide.
3. In the New Perimeter Cloud dialog box:
a. Type a Name for the cloud.
b. Set IP Address and Mask to 0.0.0.0 / 0.0.0.0.
This enables the cloud to be connected to network interfaces of multiple devices. (A cloud's IP address has no influence on access analysis; use the Cloud Addresses tab to specify the scope of the cloud.)
c. Specify the scope of the cloud using the 2 panes in the Cloud Addresses tab:
• Include: A list of IP address ranges to include in the scope of the cloud.
• Exclude: A list of IP addresses to exclude from the scope of the cloud specified in the Include pane.
d. In the Routable from Cloud tab, define the IP address ranges that are permitted as destination addresses when access is checked from this cloud. Skybox uses these address ranges for all queries starting at the cloud in attack simulation and in Access Analyzer.
• Include: A list of IP address ranges to use as destination addresses from this cloud.
• Exclude: A list of IP address ranges to exclude from the destination address ranges.
e. Click OK.
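The include/exclude scope of the Cloud Addresses tab and the Routable from Cloud ranges from steps c and d, as an added example in Python that is not Skybox code and not part of this guide. It builds an internet cloud that excludes a representative subset of the IANA special-purpose ranges plus the organization's own public prefix, so that a query cannot start "from the internet" with a spoofed internal or organization-owned source. The prefix 203.0.113.0/24 standing in for the organization's public addresses, and all class and function names, are constructed for the example.

```python
"""Added example, not Skybox code: the scope of a hand-made Perimeter Cloud.
'addresses' plays the role of the Cloud Addresses tab (include/exclude) and
'routable' the Routable from Cloud tab. The internet cloud below excludes
IANA special-purpose ranges plus the organisation's own public prefix, so a
query cannot originate "from the internet" with a spoofed internal source.
The organisation prefix 203.0.113.0/24 is a constructed value."""
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Representative subset of IANA special-purpose IPv4 ranges (private, loopback,
# link-local, shared address space, benchmarking, multicast, reserved). The
# TEST-NET documentation ranges are deliberately left out so that
# 203.0.113.0/24 can stand in for a routable public prefix in this example.
IANA_SPECIAL_V4 = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
]
ORG_PUBLIC = ["203.0.113.0/24"]        # constructed: public addresses "we" own


class AddressScope:
    """An include list minus an exclude list, as in the cloud's address tabs."""

    def __init__(self, include: Iterable[str], exclude: Iterable[str] = ()):
        self.include = [ipaddress.ip_network(n) for n in include]
        self.exclude = [ipaddress.ip_network(n) for n in exclude]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in self.include):
            return False
        return not any(addr in n for n in self.exclude)

    def effective_networks(self) -> List[IPNetwork]:
        """Include ranges with every exclude range carved out of them."""
        nets: List[IPNetwork] = list(self.include)
        for ex in self.exclude:
            remaining: List[IPNetwork] = []
            for net in nets:
                if net.version != ex.version or not net.overlaps(ex):
                    remaining.append(net)                      # untouched
                elif net.subnet_of(ex):
                    continue                                   # entirely excluded
                else:
                    remaining.extend(net.address_exclude(ex))  # ex lies strictly inside net
            nets = remaining
        return nets


class PerimeterCloud:
    def __init__(self, name: str, addresses: AddressScope, routable: AddressScope):
        self.name = name
        self.addresses = addresses      # who may be a source inside the cloud
        self.routable = routable        # where queries from the cloud may go

    def accepts_source(self, ip: str) -> bool:
        return self.addresses.contains(ip)

    def allows_destination(self, ip: str) -> bool:
        return self.routable.contains(ip)

    def query_allowed(self, src: str, dst: str) -> bool:
        """True if an access query from src in this cloud to dst is meaningful."""
        return self.accepts_source(src) and self.allows_destination(dst)


INTERNET = PerimeterCloud(
    "Internet",
    addresses=AddressScope(include=["0.0.0.0/0"], exclude=IANA_SPECIAL_V4 + ORG_PUBLIC),
    routable=AddressScope(include=ORG_PUBLIC),   # only our public prefix is a valid target
)

if __name__ == "__main__":
    for src, dst in [("8.8.8.8", "203.0.113.10"),
                     ("203.0.113.5", "203.0.113.10"),   # spoofed: our own address "from outside"
                     ("8.8.8.8", "10.0.0.1")]:          # private target is not routable from the cloud
        print(f"{src} -> {dst}: {INTERNET.query_allowed(src, dst)}")
```

Because the exclude list is applied after the include list, a single 0.0.0.0/0 include with the reserved and organization-owned ranges excluded gives the same scope as listing every remaining public block by hand; effective_networks() shows exactly which ranges survive.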
Creating Perimeter Clouds automatically
We recommend that you create Perimeter Clouds automatically only after the model is as complete as possible, as part of model validation.
Attaching Perimeter Clouds to the network
After you create a Perimeter Cloud manually, attach it to the network devices in your organization that border the cloud.
To attach a Perimeter Cloud to a device
1. Open the Network Interfaces dialog box:
• In the Network Map, right-click the device and select Network Interfaces.
• In the tree:
a. Navigate to a node that contains the device (for example, All Network Devices > Firewalls).
b. In the Table pane, right-click the device and select Network Interfaces.
2. In the Network Interfaces dialog box, select the network interface to attach to the Perimeter Cloud network and click Modify.
3. In the <network interface name> Properties dialog box, in Network, select a Perimeter Cloud.
4. Click OK.
Connecting Clouds
Connecting Clouds represent missing networks (or groups of networks) between 2 entities in the model (for example, sensitive areas in your organization that cannot be fully modeled). When these networks are added to the model, Access Analyzer can analyze access through them.
When and where are Connecting Clouds required?
Connecting Clouds are often required when you are creating the model and parts of your network are missing from the model. Sometimes, specific areas are known to be missing; otherwise, you can use the Network Map to display all gateways that have missing next hops (that is, next routing hops that are mentioned in the routing table but are not connected to the gateway in the model) and decide which of them must be connected.
Viewing gateways with missing next hops
To view gateways with missing next hops
1. Confirm that a Model Completion and Validation task ran after importing the latest updates.
This task checks all gateways for missing next hops.
2. Open the Network Map. If necessary, open the map that displays the part of the model on which you want to focus.
3. In the Highlight pane, select Has Missing Next Hops.
All gateways with missing next hops are highlighted. Each such gateway has a tooltip listing its missing next hops.
Creating Connecting Clouds
The easiest way to create a Connecting Cloud is to select multiple gateways and networks in the map that should be connected and create a Connecting Cloud from them. Alternatively, you can select 2 gateways, networks, or network interfaces in the Table pane and create the Connecting Cloud from there.
To create a Connecting Cloud
1. Select the gateways or networks in the map that are missing connections between them.
2. Right-click and select Connect via Cloud.
• For information about the properties of Connecting Clouds, see the Connecting Clouds topic in the Skybox Reference Guide.
3. In the Connect networks via cloud wizard, type a Name for the cloud and click Next.
4. In the top pane, review the list of gateways and networks.
5. For each gateway with unspecified networks, select the network interface of the network to use to connect to the cloud.
The following fields might be helpful in deciding the network interface to use:
• Missing Neighbors shows the network interfaces that have missing neighbors.
• Potential Match specifies whether the network interface is a good match for the connection.
When you select a network interface for the gateway, the network to which that network interface is connected is shown next to the gateway in the top pane.
6. Click Finish to create the cloud.
Adding connections
You can add gateways and networks to a cloud.
To add entities to a Connecting Cloud
1. Select the gateways and networks to add to the cloud; right-click and select Connect via Cloud.
2. In the Connect networks via cloud wizard:
a. Select Existing Connecting Cloud, select a cloud, and click Next.
b. In the top pane, review the list of gateways and networks.
c. For each gateway with unspecified networks, select the network interface to use to connect to the cloud.
The following fields might be helpful in deciding the network interface to use:
• Missing Neighbors shows the network interfaces that have missing neighbors.
• Potential Match specifies whether the network interface is a good match for the new connection.
When you select a network interface for the gateway, the network to which that network interface is connected is shown next to the gateway in the top pane.
d. Repeat steps a through c until every item in the list includes a network.
e. Click Finish to add the selected entities to the selected cloud.
Chapter 10
Validating the model
Model validation is an ongoing process to verify that the model is complete and correct.
In this chapter
Overview of validating the model
Best practices for model validation
Model validation tasks and analyses
Access Analyzer test queries
Network Map visualization
Task error messages
Item counts
Creating Perimeter Clouds automatically
Validating the setup for attack simulation
Overview of validating the model
Model validation verifies that the model meets the following criteria:
l Completeness: There are no missing elements in the model.
• Correctness: The model reflects your network (for example, the topology is correct; external clouds are connected to the correct interfaces).
Inconsistencies can occur because data is collected using different methods. For example, routing rules on a gateway might point to a router that is not in the model; in that case, add the missing device to the model.
If the model is not accurate, performance, accuracy, and usability suffer. An invalid model causes accuracy issues in the following Skybox analyses:
• Access Analyzer
• Access Policy Analysis
• Network Map
• Access Compliance
• Path Analysis (in Change Manager)
• Attack Simulation (in Vulnerability Control)
Validate the model:
• After every milestone (for example, after adding a segment of your network to the model), to ensure that the model represents access in your network.
• After collecting data and building the model, before you move on to the analysis stage.
We recommend that initial validation be done with assistance from a Skybox Professional Services engineer. Your organization's networking team should also be involved.
Common problems to solve during the model validation process include:
• Missing devices
• Missing routes
• Inaccessible environments (for example, MPLS networks or the internet)
• Network device misconfiguration
• Modeling inaccuracies
• Disconnected gateways
Model validation is not a 1-time job; it is a continuous process to make sure that every change in the network is reflected and validated. For example, adding a device in the real network might cause issues in the model.
Basic validation methods
Validation methods to use while building the model (and on a continuous basis) include:
1. Discovery Center: Check that the numbers match what you expect; check whether the model needs updating.
2. Model validation task and analyses
Model – Completion and Validation tasks run various tests to check the health of the model. Their results are displayed in the built-in model validation analyses, which list entities that you might need to fix, including gateways, network interfaces, and assets. The most important analyses to check at this stage are those that list gateway issues and network interfaces with problems.
3. Access Analyzer test queries
Check the access to your network from different external locations. If there is insufficient access, gateways might be missing in the model. If there is too much access, sets of access rules might be missing.
Note: Access Analyzer test queries that you want to use regularly to check access can be converted to access validation tests and run by Model – Completion and Validation tasks.
4. Network Map visualization
After you have built the basic topology of the network, use the Network Map to make sure that the network is connected. Unconnected nodes or network segments are a sign of missing information.
5. Task error messages
Error messages from online collection tasks and offline file import tasks might mean that something went wrong.
6. Item counts
Check that the number of assets added to the model is what you expect, and that the element names and types are correct.
These methods are explained in more detail in the following sections.
Best practices for model validation
Recommended best practices in the model validation process
1. Inventory comparison: Compare the model's assets and networks with information from other systems, including asset management systems, configuration management systems, and IP Address Management (IPAM) systems.
2. Use networking resources: people who know the network well and can identify issues quickly.
3. Concentrate on completing the model before checking the model's accuracy. Tests with Access Analyzer can work, but only after all network devices are in the model. An incomplete model leads to inaccuracy.
4. Complete the model as much as possible before you run Model – Completion and Validation tasks that include actions that change the model (for example, converting perimeter networks to clouds or adding connecting routers).
5. Look at missing neighbors of network interfaces to find missing devices in the model.
Identify the missing neighbors that are outside your network by checking whether their IP addresses fall within the internal IP addresses or IP address ranges that your organization uses. An IP address that is outside the internal ranges might belong to a 3rd-party connection or to an MPLS network managed by an external provider, or might mean that the missing device is managed by an ISP (for internet connections).
Such missing neighbors can be identified and converted to Perimeter Clouds (internet or 3rd-party) or assigned to Connecting Clouds (MPLS networks). You can use a Model – Completion and Validation task to create Connecting Clouds for MPLS networks automatically (see Model completion and validation tasks in the Skybox Reference Guide).
6. Use naming conventions: Skybox uses a naming convention for clouds. When Skybox identifies a cloud or a network, we recommend that you change its name to match the naming conventions of your organization. This enables you to distinguish clouds in the model that were recently created by Skybox (which require review and validation) from those created previously that are already validated.
7. Use Mark as viewed to ignore acknowledged model validation issues.
8. Create analyses: Create model analyses to split the information and get a better understanding of what is happening. For example, you could filter the list of duplicate network interfaces (or another model validation issue) by creating an analysis of duplicate network interfaces that were not marked as viewed.
9. Use the Skybox model to gain knowledge of the network or device. Use the routing table or the addresses behind interfaces (ABI) to identify the networks that are behind an interface and to understand the context of the device. For example, an interface whose ABI includes many IP addresses but none of your internal IP addresses is the interface that carries the default route; this might mean that the interface is connected to the internet.
10. Most organizations have defined processes to decommission network devices or to install devices in their network. Make sure that, as part of this process, the team responsible for maintaining Skybox is aware of network changes and applies them to the Skybox model (for example, delete decommissioned devices and associated tasks; add a task to collect recently installed devices).
11. After finishing the model validation during deployment, we strongly recommend that you review and remediate new issues at least once a week. There are analyses for new assets and interfaces in the model that you can review.
Model validation tasks and analyses
The built-in model validation analyses list entities that might need fixing. The most important analyses to check at this stage are those that list gateway issues and network interfaces with problems.
The Model Validation task finds model validation issues about entities including gateways, network interfaces, and assets.
Issues found by the Model Validation task are listed under Model Analyses > Model Validation.
Validating gateways
The following sections explain how to validate gateways in the model.
Disconnected gateways
Diagnosis
Standalone devices (devices that are not connected to other devices in the model) are shown as islands in the Network Map.
If no network interface of a device is connected to other network devices, the device is a disconnected gateway.
Unless the gateway has no routing rules (which can be identified using the Gateways with no Routing Rules analysis), at least one network interface of a disconnected gateway has a missing neighbor.
Usually, disconnected gateways are addressed when fixing other issues (using the Network Interfaces Validation analyses).
Root causes and their solutions
ROOT CAUSE: Missing device in the model (next hop)
SOLUTION: Collect or import the missing neighbor.

ROOT CAUSE: Device not mapped to a Connecting Cloud
SOLUTION: Map the network interface to a Connecting Cloud.

ROOT CAUSE: Decommissioned device
SOLUTION: Delete the gateway from the model. Add the gateway to the collection task exclude list.

ROOT CAUSE: Overlapping networks
SOLUTION:
• Fix the device configuration by configuring the network interface netmask and re-collecting or re-importing the device into the model
• Assign the network interface in Skybox to the correct network (affects the Skybox model only)
Firewalls with no access rules
Diagnosis
There are Firewall assets in the Skybox model that have no access rules (the list of access rules is empty). A normal firewall in a production network should have at least one rule (an explicit Deny rule).
Root causes and their solutions
ROOT CAUSE: Import or collection issue
SOLUTION: Check the import or collection task messages for errors. Make sure that the access rules are in the configuration in Skybox.

ROOT CAUSE: Firewall has no access rules (for example, a new firewall or a firewall that is not configured)
SOLUTION: Check with the firewall administrator whether this is correct. Can be ignored if acknowledged by the firewall administrator.
Gateways with no routing rules
Diagnosis
There are network devices in the Skybox model with no routing rules (the list of routing rules is empty). Normal network devices in production with routing abilities should have at least one rule. Gateways with no routing rules can cause speculation (giving less accurate results and poor performance) in access analysis and inaccurate Access Compliance results.
Root causes and their solutions
ROOT CAUSE: Collection issue (the device was collected by a Skybox Collector using an online collection task)
SOLUTION:
• Check the collection task messages for errors. Check the configuration in Skybox and make sure that the routing rules file is there.
• Check the Routing Table Collection command in the task's Advanced tab.
• Check that you have authorization to run the command with the task's credentials.
After fixing, re-collect the device.

ROOT CAUSE: Import issue (the device was imported into the model from raw configuration files)
SOLUTION:
• Check the import task messages for errors. Check the configuration in Skybox and make sure that the routing rules file is there.
• Make sure that the routing information is in the same file as the configuration data, or that both files are in a separate 1st-level subdirectory of the specified directory.
• Make sure that the routing file includes routing rules.
After fixing, re-import the device configuration and routing data.
Validating network interfaces
The following sections explain how to validate network interfaces on assets in the model.
Disconnected interfaces
Diagnosis
There are device interfaces that are not connected to a network. This can cause missing connectivity, incorrect visualization, and incorrect access results.
Root causes and their solutions
ROOT CAUSE: Interfaces for sync between clusters
SOLUTION:
• (Normal behavior) Acknowledge ("Mark as Viewed")
• Create a network
• Assign the interfaces to the correct network

ROOT CAUSE: Interface with netmask /32 (255.255.255.255)
SOLUTION:
• (Normal behavior) Acknowledge ("Mark as Viewed")
• Create a network
• Assign the interfaces to the correct network

ROOT CAUSE: Merging issue when there are 2 networks that are both candidates for the network interface (misconfiguration of the netmask in devices)
SOLUTION: Investigate the root cause and act accordingly. Look at the modeled networks to find the networks that match the interface (assign them to locations if overlapping).
Next hop and destination networks not in model
Diagnosis
"Next hop and destination networks not in model" issues highlight gateways that are missing in the Skybox model.
Examine the routing rules for each device. A typical entry includes:
• Destination network: "Where am I trying to get to?"
• Gateway: "How do I get there?" (that is, the next hop IP address)
The Model Validation task examines each routing rule to find the gateway (an IP address) and checks whether the gateway is in the Skybox model. The task also looks for the destination network and checks whether the destination network is in the Skybox model. If an entry has a gateway that is not in the Skybox model and the destination network is not in the Skybox model either, the Model Validation task adds an interface issue of "Next hop and destination networks not in model".
If the destination network is not in the model, no other network device in the model holds the network. If the network should indeed not be in the model (use an IP address management tool to look for the network and confirm that it is not part of your networks), the most likely remediation is to convert the network to a Perimeter Cloud.
Root causes and their solutions
ROOT CAUSE: Missing device (the gateway should be in the Skybox model)
SOLUTION: Import or collect the missing next hop device

ROOT CAUSE: Out of scope device (a device that is not managed by your organization and whose configuration you cannot get)
SOLUTION:
• Convert the network to a Perimeter Cloud
• Assign the network interface to a Connecting Cloud
• Run Model Booster to create connecting routers

ROOT CAUSE: Old routing rule (no longer in use): there is a routing rule, but it is old (the gateway might be decommissioned)
SOLUTION:
• Fix the routing issue (device configuration)
• Acknowledge the issue in Skybox ("Mark as Viewed")
Next hop is in a separate network
Diagnosis
The routing rules for each device are examined. Both the destination network and the next hop gateway are in the model; however, the gateway is connected to a different network from the one that the routing interface is on, so the next hop is not directly reachable in the model.
Root causes and their solutions
ROOT CAUSE: Network devices can be misconfigured (different netmask assignments) but work in real life
SOLUTION: Fix the network device configuration (assign the same netmask for the interfaces). Alternatively, determine the network that contains the gateway, then open the interface properties and assign the correct network (this is applicable to Skybox only and has no impact on the network device).
Potential matching network for interface assigned to cloud
Diagnosis
An interface is connected to a cloud but has a missing next hop that is in another network of the model.
Root causes and their solutions
ROOT CAUSE: The Model Validation task created the cloud before the missing next hop was imported
SOLUTION: Assign the interface to the regular network instead of the cloud.

ROOT CAUSE: The interface is locked to the cloud
SOLUTION: Unlock the interface from the cloud. Assign the interface to the regular network.
VPN or tunnel endpoint is missing
Diagnosis
In a VPN or tunnel interface with a peer-to-peer configuration, one peer is in the Skybox model as part of the asset or interface that has the issue, but the other peer is not in the Skybox model.
Treat this issue as a "Missing next hop" issue. A missing peer points to a missing interface on a device that is missing in the model.
Root causes and their solutions
ROOT CAUSE: Missing device (the missing peer is part of an in-scope network device that is not in the Skybox model)
SOLUTION: Import or collect the missing device

ROOT CAUSE: Out of scope device (the missing peer is part of a network device that is not in the Skybox model and the device is out of scope)
SOLUTION: Convert the device to a Perimeter Cloud

ROOT CAUSE: Old VPN or tunnel configuration (the VPN or tunnel is configured on the device, but the other peer does not exist because it was decommissioned)
SOLUTION:
• Fix the device configuration
• Delete the network assignment from the network interface and lock it
• Acknowledge ("Mark as Viewed")
Duplicated network device
Diagnosis
There is an interface that is part of a duplicate network device. The Model Validation task checks for duplication of devices based on name and network interfaces. If multiple devices have the same name and the same interface configurations, the interfaces that are part of the duplicate devices have this issue.
Root causes and their solutions
ROOT CAUSE: Merging issue (Skybox did not merge the devices)
SOLUTION: Consult with Skybox Support; you must specify the differences between the devices. Merge manually.
Duplicated IP address in network
Diagnosis
There are multiple interfaces with the same IP address in the same network entity. In normal network behavior, there should be no duplicate IP addresses in the same network (except for virtual addresses and interfaces). An organization can have overlapping IP addresses, but these should be configured in the Skybox model as different networks, each in a different location.
Root causes and their solutions
ROOT CAUSE: An old network device (an old interface entry in Skybox)
SOLUTION: Delete the asset from the model. Exclude the asset from the task, using the collection task exclude list.

ROOT CAUSE: A merging issue in assets with the same interface that creates the same interface multiple times in the same network
SOLUTION: Consult with Skybox Professional Services / Skybox Support; you must specify the differences between the devices. Merge manually.

ROOT CAUSE: Overlapping networks (overlapping networks exist in the real network, but their locations were not specified)
SOLUTION: Create locations and move the overlapping networks to different locations. Assign each network interface to a different network entity (in a different location).
Overlapping networks
Diagnosis
There are multiple overlapping networks (1 network is covered by another). This causes connectivity issues (2 devices that should be connected are not).
Root causes and their solutions
ROOT CAUSE: Network devices can be misconfigured (different netmask assignments)
SOLUTION:
• Determine the network that contains the gateway
• Fix the network device configuration (assigning the same netmask for the interfaces)
• Open the interface properties and assign the correct network (applicable in Skybox only; has no impact on the network device)
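The routing-rule checks described above under "Next hop and destination networks not in model", "Next hop is in a separate network", "Duplicated IP address in network", "Overlapping networks" and "Gateways with no routing rules", as an added example in Python. It is not Skybox code and does not reproduce the Model Validation task's implementation; it applies the same decision rules the text gives to a constructed four-device model. All device names, addresses, routes and function names are made up for the example.

```python
"""Added example, not Skybox code: the routing-rule checks behind the
"Next hop not in model", "Next hop and destination networks not in model",
"Next hop is in a separate network", "Duplicated IP address in network",
"Overlapping networks" and "Gateways with no routing rules" issues, run
over a constructed four-device model. Every address and name is made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Interface:
    name: str
    address: str                    # CIDR, e.g. "10.0.1.1/24"


@dataclass
class Route:
    destination: str                # CIDR; "0.0.0.0/0" is the default route ("Where am I going?")
    next_hop: str                   # next-hop IP address ("How do I get there?")


@dataclass
class Gateway:
    name: str
    interfaces: List[Interface]
    routes: List[Route] = field(default_factory=list)


Issue = Tuple[str, str, str]        # (entity, issue type, detail)


def validate(model: List[Gateway]) -> List[Issue]:
    issues: List[Issue] = []
    # Pass 1: which network entities and interface addresses does the model hold?
    owner: Dict[Tuple[ipaddress._BaseNetwork, ipaddress._BaseAddress], str] = {}
    networks: Set[ipaddress._BaseNetwork] = set()
    for gw in model:
        for itf in gw.interfaces:
            ip = ipaddress.ip_interface(itf.address)
            networks.add(ip.network)
            key = (ip.network, ip.ip)          # same address in the *same* network entity
            if key in owner and owner[key] != gw.name:
                issues.append((gw.name, "Duplicated IP address in network",
                               f"{ip.ip} is also on {owner[key]} in {ip.network}"))
            owner.setdefault(key, gw.name)
    addresses = {ip for _, ip in owner}
    # A network entity covered by another one breaks connectivity between them.
    for a in networks:
        for b in networks:
            if a != b and a.version == b.version and a.subnet_of(b):
                issues.append(("model", "Overlapping networks", f"{a} is covered by {b}"))
    # Pass 2: walk every routing rule the way the text describes.
    for gw in model:
        local = [ipaddress.ip_interface(i.address).network for i in gw.interfaces]
        if not gw.routes:
            issues.append((gw.name, "Gateway with no routing rules",
                           "routing table is empty; check the collection or import task"))
        for r in gw.routes:
            nh = ipaddress.ip_address(r.next_hop)
            dst = ipaddress.ip_network(r.destination)
            if nh in addresses:
                # The next hop exists, but it must sit on a network this device is on.
                if not any(nh in n for n in local):
                    issues.append((gw.name, "Next hop is in a separate network",
                                   f"{nh} is modelled but not on {', '.join(map(str, local))}"))
                continue
            if any(n.version == dst.version and dst.subnet_of(n) for n in networks):
                issues.append((gw.name, "Next hop not in model",
                               f"{nh} for {dst}; destination is modelled, collect the missing device"))
            else:
                issues.append((gw.name, "Next hop and destination networks not in model",
                               f"{nh} for {dst}; if out of scope, convert to a Perimeter Cloud"))
    return issues


# Constructed model (not taken from any real network).
MODEL = [
    Gateway("core-rtr",
            [Interface("eth0", "10.0.1.1/24"), Interface("eth1", "10.0.2.1/24"),
             Interface("eth2", "10.0.4.254/24")],
            [Route("10.0.3.0/24", "10.0.2.2"),       # branch router never collected
             Route("0.0.0.0/0", "10.0.1.254")]),
    Gateway("edge-fw",
            [Interface("inside", "10.0.1.254/24"), Interface("outside", "198.51.100.2/30")],
            [Route("10.0.0.0/8", "10.0.1.1"),
             Route("0.0.0.0/0", "198.51.100.1")]),    # ISP router: out of scope
    Gateway("dc-sw",
            [Interface("eth0", "10.0.3.1/24"), Interface("eth1", "10.0.4.1/25")],  # wrong mask
            [Route("0.0.0.0/0", "10.0.4.254")]),
    Gateway("old-mgmt",                               # stale entry with a clashing address
            [Interface("eth0", "10.0.1.1/24")]),
]

if __name__ == "__main__":
    for entity, kind, detail in validate(MODEL):
        print(f"{entity:9} {kind}: {detail}")
```

The three next-hop outcomes map onto the remediation tables: core-rtr's missing branch router is a device to collect, edge-fw's missing ISP router is a Perimeter Cloud candidate because nothing in the model holds 0.0.0.0/0, and dc-sw's /25 netmask both produces "Next hop is in a separate network" and makes 10.0.4.0/25 overlap 10.0.4.0/24.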
Access Analyzer test queries
Check the access to your network from different external locations. If there is insufficient access, gateways or network segments might be missing in the model. If there is too much access, sets of access rules might be missing.
Check access by creating real-world queries and results (5 to 10 samples) in Access Analyzer.
Test queries can include:
• A spectrum of test types
• Internet inbound
• User environment to internet
• User environment to user environment
• Customer-specific and network-specific
Start with simple queries and progress to more complex ones.
We recommend that you convert queries that validate your model into access validation tests. These tests are run by Model – Completion and Validation tasks to validate the model on a continuous basis, as explained here.
Access validation tests
The main goal of the deployment phase is to collect the full network and model it in Skybox. To make this easier, you can add a "safety net" to catch collections that break the network topology and decide whether these collections are valid.
This safety net consists of a group of access queries that are saved as access validation tests. The tests can be run automatically after every collection as part of the Model Validation task, to ensure that the model is stable. Broken access is visible in the Model Analyses > Model Validation area, making it easy to pinpoint the root cause and fix it.
To convert an access query into an access validation test
1. Open the access query in Access Analyzer.
2. Click Analyze.
3. In the menu above the results, click the Save Access Validation Test button.
To run access validation tests as part of the Model Validation task
1. In the task parameters, select Run Access Validation Tests.
2. Make sure that the Limitation Type parameter is not set to No precalculation.
To view the results of access validation tests
• In the Model workspace, in the tree, select Access Validation Tests.
Network Map visualization
Skybox creates a map of the interconnections in your network named the Network Map. After you have built the basic topology of the network, use the Network Map to make sure that the whole network is connected. Unconnected nodes or network segments are a sign of missing information. Search for islands (parts of the network that are disconnected).
To open the Network Map from Skybox Manager, click the Network Map icon on the toolbar. When you open the Network Map, it is redrawn according to the most recent information in your model. You can create and save maps of sections of your network.
Note: If this is the 1st time that you are opening the map, either open Organizational Map to load the map of your entire model or select a different map that someone else created.
For additional information, see Network Map.
Task error messages
Error messages from tasks might mean that something went wrong.
Note: Successful import or collection of a device does not necessarily mean that Skybox retrieved all required information. For example, if you import a device without its routing file, Skybox models the device, but the dynamic routing rules are missing.
Item counts
Check that the number of assets added to the model is what you expect, and that the element names and types are correct.
Creating Perimeter Clouds automatically
Model – Completion and Validation tasks can create Perimeter Clouds automatically; this completes the model with clouds, and fixes missing parts of the model. This feature is disabled in the Model Validation task; we recommend that you enable it only after you are sure that all devices are in the model, to avoid creating unnecessary Perimeter Clouds.
The task converts perimeter networks to Perimeter Clouds for:
• A VPN or tunnel network, peer-to-peer, for which a peer is missing.
Skybox changes the name to %PEER1-IP%_%PEER2-IP%.
• A regular network that is a perimeter network. A perimeter network is a network with missing next hops.
Skybox changes the name to Accessible Via %LIST-OF-MISSING-NEXT-HOPS-FROM-THE-SAME-INTERFACE% or leaves the Perimeter Cloud name as the network name.
Running the Model Validation task with automatic creation of Perimeter Clouds fixes the following model validation issues:
• Next hop not in model
• Next hop and its destination networks not in model
• VPN or tunnel endpoint is missing
The Model Validation task cannot always complete the model or create Perimeter Clouds automatically. For example:
• Skybox cannot create a Perimeter Cloud for a perimeter network that is configured on a device that is not in the model
• A device without routing information
Missing next hop analysis is based on routing rules; if these do not exist, Skybox cannot convert networks to clouds.
The Model Validation task can be run to Connect Perimeter Networks As Connecting Routers. This runs Model Booster, which creates virtual connecting routers to connect between missing next hops in the network model. Any existing Perimeter Clouds are converted to connecting routers if possible. See Model Booster for additional information.
For additional information about these tasks, see the Model completion and validation tasks topic in the Skybox Reference Guide.
Validating the setup for attack simulation
Skybox attack simulation produces accurate results only if attack locations are defined throughout the network. Define a Threat Origin for every external link from which an attack might originate.
Attack simulation is also dependent on the definition of important internal resources. Every server that provides a revenue or productivity function should be a member of a Business Asset Group; associate at least one Business Impact with every Business Asset Group.
Manual verification is the only method available for checking the configuration of Business Asset Groups and Business Impacts.
To validate the business information
1. Compare the list of Business Asset Groups in the model with the list provided during the deployment-planning phase.
2. Compare the model with access rules:
a. Look through the firewall rulebase that protects the server networks.
b. For each inbound service rule, verify the importance of the service.
c. In the model, check that the service’s asset belongs to a Business Asset Group.
3. Most organizations maintain separate networks for servers. Examine the server networks:
a. Check that all members of the server network are providing services.
b. Check that every server is inactive, unimportant, or part of a Business Asset Group.
Model Booster
Model Booster creates virtual connecting routers to connect between missing next hops in the network model. It takes as input the network model created by Skybox.
Important: Model Booster is an innovative feature in an experimental phase. Use it with care and preferably with the assistance of Skybox Professional Services. Make sure to back up the model before using this feature.
Why use Model Booster?
If a network model exists but not all layer-3 devices were imported, the model might be incomplete. This, in turn, causes end-to-end access analysis to fail on many queries due to broken routes. The affected use cases include Access Analyzer, Access Compliance, Change Manager in network mode, and attack simulation (exposure analysis).
Use cases describe several scenarios for when you would want to implement Model Booster.
How does Model Booster work?
Model Booster creates virtual connecting routers between perimeter networks. For 2 perimeter networks to be connected, the router leading to the 1st perimeter network must be accessible from the router leading to the 2nd perimeter network and vice versa. If a perimeter network cannot be connected to another perimeter network, it is transformed into a Perimeter Cloud.
Minimum network requirements
• For Model Booster to work, at least 2 network devices with routing rules must exist in the model. Model Booster connects networks only if the routing rules from both sides can route to the other router.
• Model Booster connects a model with only firewalls (no routers), provided all the firewalls have routing rules, both static and dynamic.
Note: Model Booster cannot replace NAT devices (like load balancers); they are required for the Skybox model to be NAT aware.
How to run Model Booster
Model Booster is part of the Model completion and validation task. Model Booster can be run as often as necessary.
1. Initially, complete the model with as many firewall and NAT-capable devices as possible. This process is described in Building the model.
2. After this is done, run Model Booster and validate the model.
3. Continue to add additional devices and run Model Booster to increase model accuracy.
• Connect Perimeter Networks As Clouds converts networks to Perimeter Clouds.
• Connect Perimeter Networks As Connecting Routers runs the Model Booster and creates Perimeter Clouds for networks that cannot be connected by virtual routers.
For additional information, see the Model completion and validation tasks topic in the Skybox Reference Guide.
Model Booster limitations
• Policy-based routing rules (PBRs) are currently not considered by Model Booster. Model Booster calculations and connectivity can only be based on routing rules.
• Model Booster cannot generate access rules on connecting routers, only routing rules. Where routers have ACLs, we recommend that you import those devices into Skybox.
• Model Booster cannot deduce NAT rules. Therefore, it is important for the accuracy of the Skybox model to import NAT devices (for example, load balancers).
• Assets imported from scanners are, by default, created without networks. For assets to be connected to networks, you must import the network device configurations that have those networks configured on them, so that their networks are created and the assets attached.
• Model Booster is not supposed to complete connectivity in internal or external cloud environments, because such environments usually model all the involved devices.
• Model Booster cannot connect L2 firewalls as they lack routing rules.
• MPLS connectivity replacement by Model Booster is still in the experimental stage.
What are connecting routers?
A connecting router is created by the Model Booster and connects between missing next hops in the model.
Connecting router naming convention
Connecting routers receive a name similar to connecting_router_10.0.0.0 / 28, where 10.0.0.0 / 28 is the address of the perimeter network that was selected as the anchor of the router.
If, for example, there should be connectivity between (N1, N2) and (N1, N3), then N1 is selected as an anchor and a router connecting (N1, N2, N3) is created with N1 as its name.
Viewing connecting routers
To see all the connecting routers, create a Host analysis and put connecting_router* in asset names.
Another option is to view them as regular routers under All Network Devices > Routers in the Model workspace.
In an extreme case, the Model Booster creates a connecting router between every pair of perimeter networks in the model. However, in practice, the Model Booster unifies many connections into one connecting router with multiple interfaces.
Editing connecting routers
Connecting routers are read-only. You cannot edit any of their data.
Excluding networks
You can define hosts, host groups, or networks to exclude from the Model Booster calculation.
In sb_server.properties, add the following:
#hosts to exclude: host name, host name, host name, ...
perimeter_completer_exclude_hosts=
#networks to exclude: network address 1, network address 2, network address 3, ...
perimeter_completer_exclude_networks=
#locations to exclude: location name 1, location name 2, location name 3, ...
perimeter_completer_exclude_locations=
#business units to exclude: business unit name 1, business unit name 2, business unit name 3, ...
perimeter_completer_exclude_business_units=
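As an added illustration of the three points above (how Model Booster decides which perimeter networks one virtual connecting router can join, how the anchor network names that router, and how the sb_server.properties exclusion lists are applied), the following Python script is example code written for this guide; it is not Skybox's implementation, and every device name, address and routing table in it is constructed. It deliberately simplifies the real feature: a perimeter network is a directly connected network whose next hop is not an interface of any modeled device; two perimeter networks connect only when each router can route to the other's address through its own missing next hop; each connected group becomes one virtual router with one interface per member network, named after the member with the most connections; and a perimeter network that connects to nothing becomes a Perimeter Cloud. Only the hosts and networks exclusion keys are handled.

```python
"""Simplified illustration of how virtual connecting routers are derived.
Example code, not Skybox's implementation; every device and address is constructed."""
import ipaddress

# Constructed excerpt of sb_server.properties: one lab device is excluded.
SB_SERVER_PROPERTIES = """\
#hosts to exclude: host name, host name, host name, ...
perimeter_completer_exclude_hosts=edge-lab
#networks to exclude: network address 1, network address 2, ...
perimeter_completer_exclude_networks=
"""
EXCLUSION_KEYS = {"perimeter_completer_exclude_hosts": "hosts",
                  "perimeter_completer_exclude_networks": "networks"}


def parse_exclusions(text):
    """Read the comma-separated exclusion lists; absent keys give empty sets."""
    out = {v: set() for v in EXCLUSION_KEYS.values()}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() in EXCLUSION_KEYS:
            out[EXCLUSION_KEYS[key.strip()]] = {v.strip() for v in value.split(",") if v.strip()}
    return out


class Router:
    """A modeled L3 device: interface addresses plus (prefix, next hop) routes."""
    def __init__(self, name, interfaces, routes):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(a) for a in interfaces]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(n)) for p, n in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns the next-hop address or None."""
        hits = [(p.prefixlen, nh) for p, nh in self.routes if dst in p]
        return max(hits)[1] if hits else None

    def address_on(self, net):
        return next(i.ip for i in self.interfaces if i.network == net)


def perimeter_networks(routers, excluded):
    """Sorted (router name, network) pairs whose next hop is not in the model."""
    known = {i.ip for r in routers for i in r.interfaces}
    found = [(r.name, i.network) for r in routers if r.name not in excluded["hosts"]
             for i in r.interfaces if str(i.network) not in excluded["networks"]
             and any(nh in i.network and nh not in known for _, nh in r.routes)]
    return sorted(found, key=lambda k: (str(k[1]), k[0]))


def mutually_reachable(ra, na, rb, nb):
    """Both routers must route to the other's address through their own missing next hop."""
    def reaches(src, src_net, dst, dst_net):
        nh = src.lookup(dst.address_on(dst_net))
        return nh is not None and nh in src_net
    return reaches(ra, na, rb, nb) and reaches(rb, nb, ra, na)


def connecting_routers(routers, excluded):
    """Return ({virtual router name: member networks}, [Perimeter Cloud names])."""
    by_name = {r.name: r for r in routers}
    keys = perimeter_networks(routers, excluded)
    adj = {k: set() for k in keys}
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if a[0] != b[0] and mutually_reachable(by_name[a[0]], a[1], by_name[b[0]], b[1]):
                adj[a].add(b)
                adj[b].add(a)
    virtual, clouds, seen = {}, [], set()
    for k in keys:
        if k in seen:
            continue
        comp, stack = [], [k]   # one connected component = one router, many interfaces
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                comp.append(n)
                stack.extend(adj[n] - seen)
        if len(comp) == 1:       # nothing reachable on the far side: Perimeter Cloud
            clouds.append(str(k[1]))
        else:                    # anchor = member with most connections, names the router
            anchor = max(comp, key=lambda n: (len(adj[n]), -keys.index(n)))
            virtual[f"connecting_router_{anchor[1]}"] = sorted(str(n[1]) for n in comp)
    return virtual, clouds


# Constructed topology: every uplink points at a core that was never imported.
ROUTERS = [
    Router("core-gw-1", ["10.1.0.1/24", "192.0.2.1/30"], [("0.0.0.0/0", "192.0.2.2")]),
    Router("branch-gw-2", ["10.2.0.1/24", "198.51.100.1/30"],
           [("10.1.0.0/24", "198.51.100.2"), ("192.0.2.0/30", "198.51.100.2")]),
    Router("branch-gw-3", ["10.3.0.1/24", "203.0.113.1/30"], [("0.0.0.0/0", "203.0.113.2")]),
    Router("lab-gw-4", ["10.4.0.1/24", "100.64.0.1/30"], [("172.16.0.0/12", "100.64.0.2")]),
    Router("edge-lab", ["100.64.0.5/30"], [("0.0.0.0/0", "100.64.0.6")]),
]

if __name__ == "__main__":
    print(connecting_routers(ROUTERS, parse_exclusions(SB_SERVER_PROPERTIES)))
```

Running it with the constructed properties file joins the uplinks of core-gw-1, branch-gw-2 and branch-gw-3 into one router named after 192.0.2.0/30 (the network with two connections, the N1 of the naming convention), leaves lab-gw-4's uplink as a Perimeter Cloud because its only route does not reach any other modeled router, and never considers edge-lab because it is listed under perimeter_completer_exclude_hosts. Removing the exclusion adds edge-lab's uplink to the same virtual router, since its default route and core-gw-1's default route reach each other.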
Use cases
The use cases for implementing Model Booster include:
Access Analyzer and Network Assurance
A user runs Model Booster to automatically connect as many perimeter networks in the model as possible to facilitate Access Analyzer and network access compliance.
Vulnerability Control
A user with only Vulnerability Control can import only firewalls and network devices that are directly connected to the endpoints (used as their default gateways) and use this functionality to complete the model gaps resulting from missing network devices. This allows them to run exposure analysis on the model.
FAQs
Does Model Booster introduce speculation into the model?
All connecting routers are created with routing rules from the routers that lead to the networks the router is associated with. No speculation is introduced.
The Model Booster connection is based on existing routing rules only. Therefore, it does not assume connectivity based on speculation.
How do the new connecting routers affect the performance of the model?
From an access calculation perspective, because there is no speculation, there is no significant impact on access calculations.
Due to an increase in the size of the model and greater save and load time, there will be an impact on performance proportional to the number of additional connecting routers and routing rules.
Can Model Booster also complete access rules in the model?
No. Model Booster can only deduce the routing rules on the connecting router. The router will not have any access rules.
What happens when the real router, currently modeled by one or more connecting routers, is imported?
If a new device is brought into the model, the connecting routers representing it are deleted in the next run of model validation.
When Model Booster runs, it deletes and recreates all connecting routers. Therefore, if a real router is brought into the model, Model Booster does not recreate the connecting routers that previously represented it. If the new router itself has networks with missing next hops, Model Booster will try to connect them.
If there is a connecting router already in the model, why import the actual router configuration?
The Model Booster can simulate the routing capabilities of one or more routers. However, to increase the accuracy of the model and to analyze the configuration of these routers or their access rules, you must import the actual router configuration into the model.
Does Model Booster complete cloud environments?
In general, Model Booster is designed for completing traditional data centers. With cloud environments, because all the information is gathered from the network management solution, there is no need for Model Booster to be applied.
Is a connecting router checked for compliance in Configuration, Rule, or Access Compliance analysis?
Connecting routers are excluded automatically from any Skybox analysis.
Chapter 11
Network visualization (maps)
After the model is built, Skybox creates a map of the interconnections—the Network Map.
This chapter describes the Network Map.
In this chapter
Network Map 85
Creating and saving dedicated maps 86
Navigating the Network Map 86
Map Groups 89
Network Map
To open the Network Map from Skybox Manager, click on the toolbar. When you open the Network Map, it is redrawn according to the most recent information in your model. You can create and save maps of sections of your network.
Note: If this is the 1st time that you are opening the map, either open Organizational Map to load the map of your entire model or select a different map that someone else created.
Creating and saving dedicated maps
By default, the Network Map displays the entire model. However, it is easier if you create dedicated maps for specific scopes. We recommend that you create a separate map for each network scope that you want to view in detail.
Creating a dedicated map
To create a map
1. In the File pane of the control panel, click .
2. In the New Network Map dialog box, define the scope of the map.
• For information about the properties of Network Maps, see the Map properties section in the Skybox Reference Guide.
3. Click OK.
Saving maps
To save a map
• To save the map (including changes that you made): In the File pane of the control panel, click .
• To save the map (including changes) with a different name: In the File pane of the control panel, click .
Viewing changes to the map
Changes to the model that occur while the Network Map window is open are not reflected in the map. If changes were made, click at the top of the control panel. You are prompted to save all unsaved maps, the map definitions from the Server are refreshed, and the selected map is reloaded to the Map pane.
Navigating the Network Map
Navigate the Network Map using the control panel.
Map layout
Skybox lays out the nodes of the selected map. You can:
• Select and move nodes of the map to make the map easier for you to work with.
• Click to redraw the map using the same calculation formula. This is useful if you changed the display (for example, if you created map groups or hid nodes).
If you did not change the display or if relayout does not make the map easier for you to use, tune the layout properties using the Layout pane ( ) to change the values used in the calculation formula (see the Layout properties topic in the Skybox Reference Guide).
• Click . Skybox redraws the map to fit the size of the window.
• Click inside the white space of the map and scroll to resize the map or move the mouse to reposition the map in the window.
Highlighting parts of the map
Skybox can highlight specific nodes or sets of nodes in the map to help you to understand your network. Highlighting is temporary—when you change maps or save a map, all highlighting is cleared.
• Highlighting neighbors: By default, when you select a node in the map, the node is highlighted; its immediate neighbors are highlighted in a lighter color than the selected node. You can change the number of neighbors highlighted by changing .
Note: This property is saved with the map.
• Highlighting different types of nodes: Use the Highlight pane to specify the node types to highlight in the map (automatically, not by selection). For example, you can highlight all Perimeter Clouds, a location, or nodes that have missing next hops. Each type of node is highlighted in a different color; you can select multiple node types to highlight at the same time.
Filtering the map
You can filter the map to display only specific nodes. To display the filter pane, click in the control panel.
Note: Use Ctrl-F to display the filter pane, and Esc (in the Show field or in the white space of the Map pane) to close it.
• Show: Select nodes in the map by typing in the (full or partial) name or IP address of the nodes. Only these nodes (and their neighbors) are displayed.
You can use the characters ? and * for standard pattern matching in the filter; you can also use regular expression syntaxes:
◦ ^X: Specifies an expression (X) that is at the beginning of the name or IP address
◦ X$: Specifies an expression (X) that is at the end of the name or IP address
◦ [xyz]: Specifies a character that is either x, y, or z
◦ [^abc]: Specifies a character that is anything except a, b, or c
• Show Only Highlighted: Filters the map to display only highlighted nodes.
• Regular Mouse Mode: When you select nodes in the map, the selected nodes and their neighbors are highlighted.
• Focus: Only selected nodes and their neighbors (within a radius of Neighbors Distance) are displayed.
• Extend: When you select nodes in the map, the map expands (if parts of it are hidden) by adding all neighbors of the selected node up to a radius of Neighbors Distance.
• Display All Nodes: Restores all hidden nodes to the map but keeps the magnification (so that nodes might not be displayed). Also clears all highlighting.
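To make the Show-field syntax above concrete, here is an added Python example, written for this guide and not Skybox's own filter code, that translates a Show pattern (? and * wildcards, ^ and $ anchors, [xyz] and [^abc] classes, everything else literal and matched partially) into a regular expression, applies it to the names and addresses of a constructed five-node map, and then expands the result by the Neighbors Distance, as the Focus and Extend modes do. The node names, addresses and links are constructed.

```python
"""Illustration of the Show-field filter syntax on a constructed map.
Example code, not Skybox's own filter implementation."""
import re
from collections import deque

# Constructed map: node name -> address, plus the links between nodes.
NODES = {
    "fw-dmz-01": "10.10.1.1",
    "fw-core-02": "10.10.2.1",
    "dmz-net": "10.10.1.0/24",
    "core-net": "10.10.2.0/24",
    "www-01": "10.10.1.20",
}
EDGES = [("fw-dmz-01", "dmz-net"), ("fw-dmz-01", "core-net"),
         ("fw-core-02", "core-net"), ("www-01", "dmz-net")]


def pattern_to_regex(pattern):
    """? and * are wildcards; ^, $, [xyz] and [^abc] keep their regex meaning;
    everything else is literal. A bare pattern matches anywhere (partial match)."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "[" and "]" in pattern[i + 1:]:
            end = pattern.index("]", i + 1)
            parts.append(pattern[i:end + 1])   # character class passed through as-is
            i = end
        elif ch in "^$":
            parts.append(ch)
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def match_nodes(pattern, nodes=NODES):
    """Nodes whose name or address matches the Show pattern."""
    rx = pattern_to_regex(pattern)
    return {n for n, addr in nodes.items() if rx.search(n) or rx.search(addr)}


def show_nodes(pattern, distance=1, nodes=NODES, edges=EDGES):
    """Matched nodes plus their neighbors up to Neighbors Distance hops away."""
    neighbors = {n: set() for n in nodes}
    for a, b in edges:
        neighbors[a].add(b)
        neighbors[b].add(a)
    shown = match_nodes(pattern, nodes)
    queue = deque((n, 0) for n in shown)   # breadth-first so hop counts are minimal
    while queue:
        node, hops = queue.popleft()
        if hops < distance:
            for nb in neighbors[node] - shown:
                shown.add(nb)
                queue.append((nb, hops + 1))
    return shown


if __name__ == "__main__":
    for p in ("fw-*", "^10.10.1", "0[12]$", "[^f]*-net"):
        print(f"{p:12} -> {sorted(match_nodes(p))}")
    print("www-* within 2 hops ->", sorted(show_nodes("www-*", distance=2)))
```

Note that a bare pattern such as 10.10.1 is a partial match and would also select 10.10.10.x addresses; the ^ anchor is what restricts it to the beginning of the address, which is the distinction the list above draws.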
Exporting maps
You can export maps as graphic files or Visio files.
• Export image: Saves the visible portion of the map as a graphic file to the directory specified in the Export dialog box.
Note: You can change the resolution of the saved image in the Export dialog box for easier viewing outside Skybox.
• Export to Visio: Exports the visible portion of the map as a Microsoft Visio VDX file so that non-Skybox users can view or print the map.
For additional information about the control panel and the filter pane, see the Network Map control panel topic in the Skybox Reference Guide.
Map Groups
A Map Group ( ) represents a region or area in the network. Map Groups can include gateways, networks, and other Map Groups. Usually, map group members are topologically related, so that a collapsed group makes sense.
Defining Map Groups reduces the complexity of the model in the Network Map and provides better orientation in large networks. Each Map Group can be highlighted in a different color, enabling you to distinguish between entities that belong to different groups. You can collapse a Map Group so that only a representative node is displayed in the map.
Map Groups are stored globally in the model; creating or changing a Map Group in one map affects all other maps that contain that Map Group.
Map Group scopes
Each Map Group has a set of defining members (usually the group’s gateways) and additional members. The additional members are the neighbor nodes of the defining member nodes.
The user specifies the defining member nodes. Skybox completes the additional member nodes. This makes the Map Group definition more compact and eliminates the need to explicitly attach newly discovered networks to Map Groups; newly discovered networks are added to the Map Groups of their gateway neighbors.
Creating Map Groups
Before defining Map Groups:
• Set the Highlight mode of Map Groups to All (in the Map Group pane, in Highlight, select All).
This highlights each Map Group in a separate color and highlights new groups in different colors when the groups are created.
• Set the Highlight Neighbor distance (at the top of the control panel) to 0.
This prevents highlighting neighbor nodes when selecting nodes for a Map Group.
To create a Map Group
1. Select the set of nodes that define the scope of the Map Group.
Nodes (gateways and networks, but not Perimeter Clouds) whose neighbors are all in the scope of the Map Group are automatically added to the group as members—it is usually sufficient to select a set of gateway nodes as the defining members. You only need to select network nodes explicitly if they are to be part of the group but some neighbor gateways are not part of the group.
2. Right-click in the selection and select New Map Group.
3. In the Map Group dialog box:
a. Type a Name for the group.
b. (Optional) Change the highlight color of the group.
c. (Optional) To display the group in collapsed form after it is created, select Collapse.
d. Click OK to create the Map Group.
Note: Map Groups have labels; use the View pane of the control panel to toggle whether to display these labels.
Map Group hierarchies
To create a hierarchy of Map Groups, you can work top-down (for example, by creating a Paris Map Group when a Europe Map Group already exists) or bottom-up (for example, by creating a Europe Map Group when Paris and London Map Groups already exist).
To create a Map Group inside a Map Group
1. Select the nodes of the Map Group to include in the new Map Group.
2. Right-click in the selection and select New Map Group.
To create a Map Group that contains Map Groups
1. Select the labels of the Map Groups (and other gateway or network nodes to include in the new Map Group).
2. Right-click in the selection and select New Map Group.
To view the hierarchy of Map Groups
1. Right-click a node in the map and select Attach to Map Group.
2. In the Attach to Map Group dialog box, view the Map Group hierarchy; then click Cancel to close the dialog box (without attaching anything).
Working with Map Groups
The following options in the Map Groups pane of the control panel are useful:
• Highlight All: Highlights each Map Group in a different color
• Collapse All / Expand All: Collapse or expand all Map Groups. Collapse replaces the members of a map group by a representative node.
The following options on the shortcut menu are useful when you edit a Map Group:
• Collapse Map Group: Right-click a member of the Map Group or the group label, and then select Collapse Map Group.
• Expand Map Group: To display the members of a collapsed Map Group, right-click the node representing the Map Group and select Expand Map Group.
To attach nodes to a Map Group
1. Select a set of nodes or labels of Map Groups to attach to another Map Group.
2. Right-click in the selection and select Attach to Map Group.
3. Specify the target Map Group in the dialog box. The selected nodes or Map Groups are detached from other Map Groups and attached to the selected target Map Group.
To detach nodes from a Map Group
1. Select a set of nodes or labels of Map Groups to detach from the Map Groups to which they are attached.
2. Right-click in the selection and select Detach from Map Group.
To delete a Map Group
1. Select a Map Group (by selecting either the Map Group’s collapsed node or its label).
2. Right-click the selection and select Delete Map Group.
Note: This command deletes the map group definition but does not delete the member nodes of the map group nor subgroups of the selected group.
Chapter 12
Adding Threat Origins
A Threat Origin is a potential starting point for an attack.
This chapter explains Threat Origins and how to add them to the model.
In this chapter
Threat Origins overview 92
Threat Origins 92
Threat Origin Categories 93
Defining Threat Origins 94
Disabling and enabling Threat Origins 95
Threat Origins overview
Threat Origins are specified by defining the network entities (assets, networks, or locations) where an attacker might be located. Threat Origins are indicated in Skybox by .
Typical locations for Threat Origins
• Perimeter Clouds
◦ For information about defining Perimeter Clouds, see Creating and editing Perimeter Clouds.
• Locations where you expect mobile devices to be connected
• Points inside your organization that you suspect could be the source of an internal attack
• Locations in which security is limited (for example, DMZ networks or workstation networks (which are prone to infection via email))
For effective risk analysis of your network, specify the Threat Origins that seem most probable for your organization.
Tip: We recommend that you start with a 1st phase consisting of 1 or 2 threats.
Attack simulation tests all scenarios for attacking the network starting from the Threat Origins defined in the model and it uses this information to analyze risk.
Threat Origins
Properties of Threat Origins include the estimated skill level of the attackers and the attacker’s privilege on the attacking machine.
For example, for Threat Origins from the internet, you assume that there are highly skilled attackers, but for Threat Origins inside your organization, you assume that the attackers are less skilled. The skill level is taken into account when analyzing the likelihood of successful attacks and the risks imposed by these attacks.
You can specify the Business Asset Groups that a Threat Origin can attack. When you define a Business Asset Group, you can define the Threat Origins that you expect might attack it. By default, Threat Origins attack all Business Asset Groups.
Threat Origin Categories
Threat Origins are classified into Threat Origin Categories, so that they can be grouped whenever risk is displayed or reported. For example, you can show risk for, or generate a report about, all Threat Origins that originate outside your organization (usually named External Threats).
To view risk from specific threats in an analysis or a report, add those threats to a Threat Origin Category and select that category to filter the analysis or report.
Skybox includes 4 Threat Origin Categories with the following default names:
• External Threats
• Internal Threats
• B2B Threats
• Other Threats
The Other Threats category is disabled by default. You can enable it if required.
A Threat Origin can belong to multiple categories. For example, an attacker from the internet could be classified as external and B2B. You can create analyses that return only Threat Origins in selected categories.
Managing Threat Origin Categories
Only Admins can manage Threat Origin Categories.
Renaming Threat Origin Categories
Although you cannot define additional categories, you can rename categories to suit your organization. For example, you can change 2 of the Threat Origin Categories to Internet and Competitors, and define each Threat Origin accordingly.
To rename a Threat Origin Category
1. In the Threat Origin Categories folder of the Model tree, right-click the category and select Rename.
2. Type a name for the category.
Skybox uses the new name wherever this Threat Origin Category is mentioned (for example, in the column names of specific analyses, the Risk Profile tab of Business Units, Business Asset Groups, and vulnerability occurrences, and the filtering fields of analyses and reports about Threat Origins).
Enabling and disabling Threat Origin Categories
You can enable or disable Threat Origin Categories.
To enable or disable a Threat Origin Category
• In the Threat Origin Categories folder of the Model tree, right-click the category and select Enable or Disable.
Enabling or disabling a Threat Origin Category does not affect the status of Threat Origins in that category. Threat Origins are always accessible from the All Threat Origins node of the Model tree. However, you can only view the risk from Threat Origins in a category as part of the total risk for that category.
Defining Threat Origins
When you define a Threat Origin, remember that a Threat Origin does not attack itself. That is, Skybox does not analyze attacks between assets or networks that are part of the same Threat Origin—if you define a Threat Origin with multiple locations, Skybox does not analyze attacks between the assets or networks in those locations.
Many Threat Origins can make it harder to understand the risk; use a small number of Threat Origins.
To define a Threat Origin
1. In the Model tree, expand the Threat Origin Categories node.
2. Right-click All Threat Origins and select New > Human Threat Origin.
• For information about the properties of Threat Origins, see the Threat Origins section in the Skybox Reference Guide.
3. In the New Human Threat Origin dialog box:
a. Type a name for the Threat Origin.
b. Click the Browse button next to Threat Location to specify the location of the Threat Origin.
c. Select the required Threat Origin Categories.
d. Specify Attacker Skill and Likelihood to Attack.
Important: Specify the likelihood in a way that differentiates between more probable and less probable attack sources.
e. Click OK.
The Threat Origin is saved. It is listed in the Table pane when you select its Threat Origin Category node in the Model tree.
Properties in the Advanced tab include:
• Attacker Privilege
• Cloud Source Addresses: Risk for Threat Origins is usually assigned an equal value from all source IP addresses. Sometimes, the risk for attacks from wide address ranges and the risk for attacks from specific addresses is different; for information about handling this issue, see Using clouds as Threat Origins.
• Business Asset Groups: By default, each Threat Origin can attack all Business Asset Groups. If there are Business Asset Groups that this Threat Origin does not attack, configure the Threat Origin so that Skybox ignores them during risk analysis:
◦ Select all such Business Asset Groups in Analyze for risk and click to move them to Ignore.
You can usually leave the default values for these properties.
Disabling and enabling Threat Origins
By default, Threat Origins are enabled.
Disabling Threat Origins can be useful:
• If (while building the model) not all firewalls are included in the model, the Threat Origins have access to large parts of the network. This can slow down attack simulation and might also mean that Skybox shows very high risk on all Business Asset Groups (some groups would not be accessible if the firewalls were included). Disabling Threat Origins speeds up attack simulation and cuts down on the amount of risk displayed.
• To evaluate the risk from a Threat Origin, you can disable the others.
To disable or enable a Threat Origin
• In the Table pane, right-click the Threat Origin and select Disable or Enable.
Disabled Threat Origins are displayed with a grayed-out icon ( ).
Chapter 13
Using Business Asset Groups for risk metrics
As defined in Business Asset Groups, a Business Asset Group is a group of assets that serve a common business purpose.
This chapter describes the additional information that is required to use Business Asset Groups for risk metrics.
In this chapter
Business Impacts and Regulations 96
Adding dependency rules 98
Explicit dependency rules 98
Implicit dependency 99
Business Impacts and Regulations
An impact is a way of measuring the loss on a Business Asset Group. Impacts involve damage to Business Asset Groups:
• As a Business Impact (for example, mission-critical damage or low-level financial damage)
• As a compromise to a security Regulation with which organizations must comply (for example, SOX or GLBA).
Skybox uses Business Impacts and Regulations to calculate the risk on the Business Asset Group. You define them separately and attach them to Business Asset Groups.
Note: By default, Skybox ignores the impact level for security metrics analysis.
Skybox comes with predefined Business Impact and Regulation templates, and predefined Business Impacts and Regulations for the most common Business Impacts and Regulations. Use the templates as the basis for creating Business Impacts and Regulations to suit your requirements.
Adding Business Impacts and Regulations
You can add Business Impacts and Regulations directly from a Business Asset Group by clicking New or you can add them from Tools > Administrative Tools > Business Impact Types (or Tools > Administrative Tools > Regulations). You must specify the Loss Type, Damage Level, and attached Business Asset Groups.
Only Admins can create Business Impacts and Regulations.
Best practice for working with Business Impacts
Use different Business Impacts for different types of loss or at least to differentiate betweenconfidentiality and integrity versus availability. If you do not find an appropriate BusinessImpact (or Regulation) for a Business Asset Group, add a Business Impact (or ask an Adminto add one for you).
Skybox Vulnerability Control User Guide
Attaching Business Impacts and Regulations to Business Asset Groups
The following instructions explain how to attach a Business Impact or Regulation to a BusinessAsset Group.
To attach Business Impacts or Regulations to a Business Asset Group
1. Expand the Business Units & Asset Groups node of the Model tree and locate the Business Asset Group.
2. Right-click the Business Asset Group and select Properties.
3. In the properties dialog box, click the Business Impacts tab or, to attach Regulations, click the Regulations tab.
4. Select the Business Impacts to attach to the Business Asset Group.
5. You can change the Damage of a Business Impact for this Business Asset Group:
a. Click the Browse button next to the Damage.
b. In the Damage dialog box, you can:
l Change the Level by selecting a different value from the drop-down list.
Levels are mapped internally to monetary values for risk analysis.
l Click Rate and type the damage in monetary units.
Rates need not be exact values, but they should approximate the magnitude of the damage.
c. Click OK.
6. Click OK.
To detach Business Impacts or Regulations from a Business Asset Group
1. Expand the Business Units & Asset Groups node of the Model tree and locate the Business Asset Group.
2. Right-click the Business Asset Group and select Properties.
3. In the <Business Asset Group name> Properties dialog box:
a. Click the Business Impacts tab or, to detach Regulations, click the Regulations tab.
b. Clear each Business Impact or Regulation to detach from the Business Asset Group.
c. Click OK.
Adding dependency rules
The security of a Business Asset Group depends on the security of its members. It can also depend on the security of infrastructure servers and on the security of other assets.
Dependency rules enable you to define these dependencies and specify how attacks on assets affect the security of the Business Asset Groups. The Skybox Attack Simulation Engine (exposure analysis) uses dependency rules when computing the effects of an attack.
Dependency rules relate to the type of security loss. For example, an availability loss of a DNS server might imply an availability loss for a Business Asset Group; a confidentiality loss of a database server usually implies a confidentiality loss for the application that uses that database.
Skybox has 2 types of dependency rules:
• Explicit dependency rules
• Implicit dependency rules
Viewing dependency rules
You can view dependency rules directly from the Model tree (Dependency Rules node).
By default, only explicit dependency rules are listed.
To view implicit dependency rules
1. Navigate to Tools > Options > Manager Options > Risks Configuration.
2. Select Show Implicit Dependency Rules.
Explicit dependency rules
Explicit dependency rules express dependency if:
• The security of a Business Asset Group depends on the security of its members in a way that is not covered by the implicit dependency
• A Business Asset Group depends on an infrastructure server that is not a member of the Business Asset Group
An explicit dependency rule specifies how security loss on a set of assets affects the security loss on another set of assets or Business Asset Groups. Dependency rules relate to the type of the security loss (confidentiality, integrity, or availability) and to the type of the dependency:
• At Least One: A security loss suffered by any asset in the set affects the destinations.
• All: Only a security loss suffered by all assets in the set affects the destinations.
For suggestions about when and how to use explicit dependency rules, see Explicit dependency rules (advanced).
To define a dependency rule
1. In the Model tree, right-click Dependency Rules and select New Dependency Rule.
2. In the New Dependency Rule dialog box:
a. Type a Name for the dependency rule and, optionally, a description in User Comments.
b. In the Cause pane, use Loss Type, On, and Network Entities to describe the cause of the damage (for example, an Integrity or Availability loss on All web servers in your system).
c. In the Effect pane, use the same fields to describe the effect of the damage (for example, an Availability loss on a payment system).
Implicit dependency
An implicit dependency defines how the security of a Business Asset Group depends on the security of its member assets. By default, an implicit dependency means that:
• A security loss (confidentiality, integrity, or availability) on a member implies the same type of security loss on the Business Asset Group
• An integrity loss on a member implies an availability and confidentiality security loss on the Business Asset Group
The dependency is created when you assign assets to a Business Asset Group.
For information about changing implicit dependency, see Advanced dependency rules.
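As an added illustration of how the implicit dependency and the At Least One / All explicit dependency rules combine, the following Python is example code written for this explanation, not Skybox's Attack Simulation Engine. The entity names, the group membership, and the two rules are constructed assumptions; the propagation runs to a fixed point so that a loss derived by one rule can trigger another.

```python
"""Added example: propagating security loss through implicit and explicit
dependency rules. Illustrative code, not Skybox's Attack Simulation Engine;
the entity names and the rule set are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

LOSS_TYPES = ("confidentiality", "integrity", "availability")
Loss = Tuple[str, str]  # (entity name, loss type)


@dataclass(frozen=True)
class ExplicitRule:
    """Cause: a loss type on a set of entities, evaluated as At Least One or All.
    Effect: a loss type on another set of entities or Business Asset Groups."""
    name: str
    cause_loss: str
    mode: str  # "at_least_one" or "all"
    cause_entities: FrozenSet[str]
    effect_loss: str
    effect_entities: FrozenSet[str]

    def fires(self, losses: Set[Loss]) -> bool:
        hits = [(e, self.cause_loss) in losses for e in self.cause_entities]
        return any(hits) if self.mode == "at_least_one" else all(hits)


def implicit_effects(member_loss: str) -> Tuple[str, ...]:
    """Default implicit dependency: a member loss implies the same loss on the
    group; an integrity loss on a member also implies availability and
    confidentiality loss on the group."""
    if member_loss == "integrity":
        return ("integrity", "availability", "confidentiality")
    return (member_loss,)


def propagate(initial: Set[Loss], groups: Dict[str, Set[str]],
              rules: List[ExplicitRule]) -> Set[Loss]:
    """Fixed-point propagation: keep applying implicit and explicit
    dependencies until no new (entity, loss) pair appears."""
    losses = set(initial)
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():          # implicit dependency
            for member in members:
                for loss_type in LOSS_TYPES:
                    if (member, loss_type) not in losses:
                        continue
                    for effect in implicit_effects(loss_type):
                        if (group, effect) not in losses:
                            losses.add((group, effect))
                            changed = True
        for rule in rules:                               # explicit dependency
            if rule.fires(losses):
                for entity in rule.effect_entities:
                    if (entity, rule.effect_loss) not in losses:
                        losses.add((entity, rule.effect_loss))
                        changed = True
    return losses


# Constructed model (assumption): a payment application with two web servers
# as members, a database that is not a member, and two redundant DNS servers.
GROUPS = {"Payment Application": {"pay-web-1", "pay-web-2"}}
RULES = [
    # Both DNS servers must be unavailable before the application is (All).
    ExplicitRule("dns outage", "availability", "all",
                 frozenset({"dns-1", "dns-2"}),
                 "availability", frozenset({"Payment Application"})),
    # Any confidentiality loss on the database leaks application data (At Least One).
    ExplicitRule("db leak", "confidentiality", "at_least_one",
                 frozenset({"pay-db"}),
                 "confidentiality", frozenset({"Payment Application"})),
]


def group_losses(initial: Set[Loss], group: str = "Payment Application") -> Set[str]:
    """Loss types that reach the Business Asset Group from the given initial losses."""
    return {lt for (e, lt) in propagate(initial, GROUPS, RULES) if e == group}


if __name__ == "__main__":
    print(group_losses({("dns-1", "availability")}))
    print(group_losses({("dns-1", "availability"), ("dns-2", "availability")}))
    print(group_losses({("pay-web-1", "integrity")}))
    print(group_losses({("pay-db", "confidentiality")}))
```

One DNS server going down produces no loss on the group because the rule is an All rule; both going down does. An integrity loss on a member fans out to all three loss types on the group, which is why the best-practice note above recommends separating confidentiality/integrity impacts from availability impacts.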
Chapter 14
Simulating attacks
Attack simulation simulates an attack on your network from a set of Threat Origins and analyzes the results.
This chapter explains how to run attack simulation and how to understand the results.
In this chapter
Attack simulation 100
Understanding Skybox risk 100
Viewing risk 101
Attack simulation
Attack simulation simulates all attack scenarios for attacking your network from a set of Threat Origins and analyzes the results. The derived data is stored in the Skybox database.
An attack scenario represents a set of actions that an attacker can execute from a specified starting point towards a specified destination, in the context of your network: device configurations, network topology, and vulnerability occurrences.
Attack simulation examines the ability of potential attackers to attack your network and assets. Because attack simulation is invoked on a model of your network, it can initiate attacks from every Threat Origin, trying all attack paths without adding load or causing damage to the network.
Attack simulation is run using the Analyze Simulate Attacks task.
You can run this task manually after you have built or changed the model (including changing the status of a vulnerability occurrence to Fixed), or you can schedule it to run at predefined times. Changes to the risk of an entity or the exposure of vulnerability occurrences are only reflected in the analyses after you run attack simulation.
Note: Attack simulation requires heavy computation. The task can run for minutes or even hours, depending on the size and complexity of the network. For large, complex networks, schedule this task at off hours.
For information about scheduling tasks, see the Scheduling task sequences topic in the Skybox Reference Guide.
To run attack simulation manually
• Select Tasks > Analyze Simulate Attacks.
Understanding Skybox risk
Attack simulation provides information about possible attacks on your network, taking into account the network access constraints and the behavior of each vulnerability occurrence. Risk analysis assesses the likelihood of attacks and the potential damage that they can cause.
As part of attack simulation, Skybox calculates risk for:
• Business Asset Groups and Business Units
• Business Impacts and Regulations
• Vulnerability occurrences
• Attacks
• Threat Origins
For information about the calculation of risk, see About risk.
Viewing risk
You can view risk information:
• On the Summary tab of the Exposure by Threat node:
  ◦ In the Direct Vulnerability Occurrences by Risk graph
  ◦ In the Threat Origins by Risk table
• From a table in the Exposure area that includes a Risk column
• Risk profiles: The major components that contribute to the risk for a selected entity
• Risk factors: How the combination of a source (Threat Origin), a destination (Business Asset Group or asset), and a Business Impact or Regulation (explaining the potential loss from the risk factor) can affect the selected entity
• In the Attack Explorer: Information about the assets, services, and vulnerability occurrences in the system, in the context of specific attacks
• Risks reports: Information about high-risk entities of a specified type
• Risk analyses: Risk for all entities that meet the analysis criteria—for example, one analysis lists all critical vulnerability occurrences and another lists all critical Business Units
Chapter 15
Identifying the critical issues
After attacks are simulated, the Summary tab of the Exposure by Threat node highlights the critical exposure issues, including the vulnerability occurrences that are most likely to be exploited and the Threat Origins that have the highest risk. You can drill down from this tab to find additional information about each issue.
In this chapter
Workflow 102
Reviewing directly exposed vulnerability occurrences 103
Reviewing Threat Origins 104
Reviewing Business Asset Groups 105
Reviewing attacks 105
Checking whether the problem is access-related 107
Workflow
The basic workflow to identify the critical issues is:
Note: The order of the first 2 steps is not important; they are different starting points for locating the critical issues. If you find the critical issues with the 1st step, you might not need to use the 2nd.
1. Review the exposed vulnerability occurrences to see whether a limited set of high-risk vulnerability occurrences is enabling most of the attacks.
2. Review the list of high-risk Threat Origins to determine whether there are Threat Origins that are causing a great deal of the risk.
3. If there are no indications that specific threats or vulnerability occurrences are causing high risk, check the Business Asset Groups. You can also check whether the problem is caused by access-related issues (for example, an access rule that is passing too much traffic).
Reviewing directly exposed vulnerability occurrences
Directly exposed vulnerability occurrences are a single step away from a Threat Origin.
To review the directly exposed vulnerability occurrences
1. The Vulnerability Occurrences by Threat graph (on the Prioritization Center page and on the Summary tab of the Exposure by Threat node) shows the numbers of directly exposed and 2nd-step vulnerability occurrences for each Threat Origin. Click a link in the graph to view the vulnerability occurrences.
2. In the list, select a vulnerability occurrence to view additional information in the Details pane.
3. The Direct Vulnerability Occurrences by Risk graph (on the Summary tabs) shows the number of direct vulnerability occurrences for each risk or severity level. Select a Threat Origin to view the number of direct vulnerability occurrences for each risk or severity level, and then click a link in the graph to view the vulnerability occurrences.
4. Expand the group of critical or high-risk vulnerability occurrences to view the problematic vulnerability occurrences.
5. In either graph, you can change the filter to include only direct vulnerability occurrences or only 2nd-step vulnerability occurrences.
6. Select a vulnerability occurrence in the table and view additional information about it in the Details pane.
Each tab contains different information about the vulnerability occurrence. Some information relates to this vulnerability occurrence (for example, the asset and service on which the vulnerability occurrence is found) and some is general information about the Vulnerability Definition (for example, the CVSS metrics and known solutions for this Vulnerability Definition).
7. As required:
• Mitigate the high-risk vulnerability occurrences by opening tickets on them.
• Drill down into high-risk vulnerability occurrences using the Attack Explorer.
The vulnerability occurrences must be mitigated in any case, but this step might give you additional information to help you select solutions for them.
Note: You can open vulnerability occurrence tickets from the Attack Explorer.
Reviewing Threat Origins
High risk on a small number of Threat Origins indicates that these Threat Origins might be the major cause of risk for your organization.
To review the Threat Origins
1. The Top 3 Threat Origins table (on the Prioritization Center and Exposure Summary tabs) shows risk levels and numbers of vulnerability occurrences for the 3 Threat Origins that put your organization at the highest risk. Click a link to view more details about a Threat Origin.
The Attacks tab is displayed in the Table pane. You can view the attacks that this Threat Origin can perpetrate on your organization.
2. Select the attack with the highest risk.
3. Right-click the attack and select Attack Explorer.
The Attack Explorer opens with the selected attack displayed visually in the Map pane. You can see how many steps it takes to get from the Threat Origin to the destination Business Asset Group and a topological overview of the attack.
4. Look at the width of the arrows in the attack.
A wide arrow shows that there are many ways to perform the step. If the arrow of one step is much wider than the others, this often indicates a root cause that is enabling the access. The cause can be:
• Entities that need patching or other remediation (for example, risky services, a Vulnerability Definition, or a group of assets that need updating).
• An access issue (usually, a firewall that is permitting too much access).
5. Select the widest arrow and check the statistics in the Information pane.
For example, many vulnerability occurrences but only a few Vulnerability Definitions or ports could mean that patching the affected services would significantly reduce the risk on your network.
After you identify the problem, create a ticket.
Reviewing Business Asset Groups
High risk on a small number of Business Asset Groups might mean that these Business Asset Groups are the major cause of risk for your organization.
To review the Business Asset Groups
1. In the tree, select the Exposure node.
2. In the workspace, click the Business Asset Groups tab.
For each Business Asset Group in the table, you can see its risk, and how many assets and vulnerability occurrences it has. (The vulnerability occurrence count includes all vulnerability occurrences found on assets of the Business Asset Group, not only the directly exposed vulnerability occurrences.)
3. In the Table pane, select the Business Asset Group with the highest risk.
4. In the Details pane, click the Attacks tab.
5. Select the attack with the highest risk.
6. Right-click the attack and select Attack Explorer.
The Attack Explorer opens with the selected attack displayed visually in the Map pane. You can see how many steps it takes to get from the Threat Origin to the destination Business Asset Group and a topological overview of the attack.
7. Look at the width of the arrows in the attack.
A wide arrow shows that there are many ways to perform the step. If the arrow of one step is much wider than the others, this often indicates that a root cause is enabling the access. The cause can be:
• Entities that require patching or other remediation (for example, risky services, a Vulnerability Definition, or a group of assets that need updating).
• An access issue (usually, a firewall that is permitting too much access).
8. Select the widest arrow and check the statistics in the Information pane, to check whetheranything looks odd.
For example, many vulnerability occurrences but only a few Vulnerability Definitions or ports could mean that patching the affected services would significantly reduce the risk on your network.
After you identify the problems, create a ticket.
Reviewing attacks
Note: The Attack Explorer does not display results until you run attack simulation (exposure analysis) at least once on the model that you are using. The information displayed in the Attack Map is based on the analyses made during attack simulation. If you changed information that might affect the analyses, rerun attack simulation before using the Attack Explorer.
The Attack Explorer displays information about the assets, services, and vulnerability occurrences in the system, in the context of specific attacks. Use the Attack Explorer to:
• View potential attacks
• Drill down into the causes of potential attacks
• Define strategies to block potential attacks
• Create tickets
The Attack Explorer consists of 3 panes:
• Information: Initially, the left-hand pane contains information about the entity on which you opened the Attack Explorer. When you select an entity in the Map pane, information about that entity is displayed. There are additional options in this pane that enable you to drill down into the information.
• Map: The upper-right pane contains an Attack Map for the selected attack (or other selected entity).
• Vulnerability occurrences: In the lower-right pane, select the vulnerability occurrences for which to create tickets.
To open the Attack Explorer
1. In the Exposure workspace, locate the entity to view in the Attack Explorer:
• Threat Origin
• Business Asset Group
• Vulnerability occurrence
• Attack
Note: Especially in large models, it is often most useful to open the Attack Explorer on an asset, vulnerability occurrence, or attack. Otherwise, it might be difficult to read the large amount of data displayed in the Map pane.
2. Open the Attack Explorer:
• Select the entity and then click the Attack Explorer button at the top of the table (for example, for Threat Origins or Business Asset Groups).
• Right-click the entity and select Advanced > Attack Explorer.
The Attack Explorer opens with the selected entity displayed in the Map pane and information about the entity displayed in the Information pane.
Checking whether the problem is access-related
Risk might be caused by unnecessary access on firewalls. In the Attack Explorer, a wide arrow from one point (Point A) to another (Point B) means that there are many ways to access Point B from Point A. One solution is to mitigate all vulnerability occurrences on Point B, but changing the filtering rules on a firewall between Point A and Point B might mean that those vulnerability occurrences are no longer directly exposed, which also lowers the risk.
To check whether a problem is access-related
1. Open the Attack Explorer on an entity.
2. In the Map pane of the Attack Explorer, right-click a link and select Show Access Route.
You might need to drill down to an entity inside the destination of that link.
3. In the Information pane, check the Access Route to see the firewalls that are used.
4. Drill down into the access rules to check for unnecessary access:
a. In the Access Route, click a rule link to examine it.
The selected rule is highlighted in the Rule Match Details dialog box.
b. Check the access rule to determine whether it permits unnecessary access (you can double-click the rule to display its properties). For example:
• An Any-Any rule that must be limited
• Access that must be limited to specific services
c. Repeat steps a and b until you find the access rule that needs modifying.
5. (Optional) Use the What If model to check whether restricting access by modifying the access rule has the required effect (fewer attacks using the same attack path).
6. Create a ticket on a vulnerability occurrence on Point B that is affected by this access rule. Typically, in Possible Solutions, select Block or User-Defined. You can explain the problem in User Comments.
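The rule checks in step 4 can be stated as code. The following is an added example, not Skybox's rule-matching logic: the firewalls, rule IDs, addresses, and first-match semantics are constructed assumptions. It walks an Access Route from Point A to Point B, finds the rule that permits the traffic on each firewall, flags Any-Any rules and rules not limited to specific services, and then shows the same route after the edge rule has been narrowed.

```python
"""Added example: reviewing the access rules on an Access Route between Point A
and Point B for unnecessary access. Illustrative code, not Skybox's rule
matching; firewalls, rules and addresses are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class AccessRule:
    firewall: str
    rule_id: str
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    service: str      # e.g. "tcp/8443", or "any"
    action: str       # "allow" or "deny"


def _addr_match(field: str, addr: str) -> bool:
    return field == "any" or ip_address(addr) in ip_network(field)


def first_match(rules: List[AccessRule], firewall: str,
                src: str, dst: str, service: str) -> Optional[AccessRule]:
    """First-match semantics (assumption): the first matching rule on the firewall decides."""
    for rule in rules:
        if rule.firewall != firewall:
            continue
        if (_addr_match(rule.source, src) and _addr_match(rule.destination, dst)
                and rule.service in ("any", service)):
            return rule
    return None


def findings(rule: AccessRule) -> List[str]:
    """The two checks named in step 4: Any-Any rules, and rules not limited to specific services."""
    out = []
    if rule.action == "allow" and rule.source == "any" and rule.destination == "any":
        out.append("Any-Any rule; limit source and destination")
    if rule.action == "allow" and rule.service == "any":
        out.append("service is any; limit to the services Point B must expose")
    return out


def review_route(rules: List[AccessRule], route: List[str],
                 src: str, dst: str, service: str) -> List[tuple]:
    """Walk the firewalls on the Access Route in order; report the matching rule
    on each and what about it looks like unnecessary access. A None rule means
    no allow rule matched (the firewall blocks the traffic by default deny)."""
    report = []
    for fw in route:
        rule = first_match(rules, fw, src, dst, service)
        if rule is None or rule.action == "deny":
            report.append((fw, rule.rule_id if rule else None, ["blocked"]))
        else:
            report.append((fw, rule.rule_id, findings(rule)))
    return report


# Constructed rule base (assumption). Point A is an Internet Threat Origin,
# Point B is app-srv 10.1.2.10 on tcp/8443; the route crosses fw-edge then fw-dc.
DC_RULE = AccessRule("fw-dc", "D20", "any", "10.1.2.0/24", "tcp/8443", "allow")
RULES_BEFORE = [
    AccessRule("fw-edge", "E10", "any", "any", "any", "allow"),  # the wide arrow's root cause
    DC_RULE,
]
RULES_AFTER = [
    AccessRule("fw-edge", "E10", "any", "10.1.0.0/24", "tcp/443", "allow"),  # DMZ web only
    DC_RULE,
]
ROUTE = ["fw-edge", "fw-dc"]


def review_before() -> List[tuple]:
    return review_route(RULES_BEFORE, ROUTE, "203.0.113.7", "10.1.2.10", "tcp/8443")


def review_after() -> List[tuple]:
    return review_route(RULES_AFTER, ROUTE, "203.0.113.7", "10.1.2.10", "tcp/8443")


if __name__ == "__main__":
    print(review_before())
    print(review_after())
```

Before the change, the edge firewall's E10 rule is flagged on both counts while the data-center rule is already specific; after E10 is limited to the DMZ web service, the Internet source no longer matches any allow rule on fw-edge, so the vulnerability occurrences on Point B are no longer directly exposed from that Threat Origin, which is the effect the What If model in step 5 lets you confirm.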
Chapter 16
Remediation
After you find an important issue, you can start the remediation process by issuing the necessary tickets.
If a vulnerability occurrence seems irrelevant, you can mark it as Ignored. Ignored vulnerability occurrences are not checked for exposure, so the results of exposure analysis are cleaner.
In this chapter
Marking vulnerability occurrences as ignored 109
Mitigating critical vulnerability occurrences 110
Reviewing Vulnerability Definitions 110
Creating tickets manually 111
Updating the model after fixing vulnerability occurrences 119
Using the What If model to test changes 119
Marking vulnerability occurrences as ignored
You can specify that a vulnerability occurrence is not used during risk analysis. You might do this because:
• Your organization is aware of the vulnerability occurrence risk, but has decided to accept this risk for its own reasons
• Your organization has decided that the vulnerability occurrence is not important in risk analysis
• The vulnerability occurrence does not exist (that is, incomplete scanner information caused Skybox to mistakenly define a service as vulnerable)
To specify that a vulnerability occurrence is not used during risk analysis, mark it as ignored.
To see changes in the risk values after marking vulnerability occurrences as ignored, rerun the Analyze Simulate Attacks task.
To mark a vulnerability occurrence as ignored from the Attack Explorer
1. Select the vulnerability occurrence in the Vulnerabilities pane.
2. Click the icon for the reason:
• Mark as ignored because the vulnerability occurrence does not exist
• Mark as ignored because the vulnerability occurrence is not important
• Mark as ignored because the risk of the vulnerability occurrence is accepted by your organization
3. Click Apply to save the vulnerability occurrence status to the model.
To mark a vulnerability occurrence as ignored from Skybox Manager
1. Select the vulnerability occurrence in the Table pane or in the Details pane.
2. Right-click the vulnerability occurrence and select Change Status.
3. In Change Status to, select Ignored and then click OK.
4. Select the reason for ignoring the vulnerability occurrence and click OK.
Mitigating critical vulnerability occurrences
After you validate a vulnerability occurrence and decide that it is important, you have a better idea of the type of fix that is required. You can mitigate critical vulnerability occurrences in these ways:
• Patch or upgrade the vulnerable service
• Delete the vulnerable service if it is not required on the vulnerable asset
• Change access on the firewalls so that the vulnerability occurrence is not accessible
In most organizations, especially large organizations, the people who identify the critical issues are not those who fix the issues. In Skybox, the 1st step of mitigation is to assign tickets to the appropriate staff members to make them aware of the problem. A ticket can include a suggested solution for fixing the problem.
Reviewing Vulnerability Definitions
Vulnerability Definition statuses
Vulnerability Definitions have statuses that help to classify them:
• Unassigned: Vulnerability Definitions that are waiting for review. The initial status of all Vulnerability Definitions.
• In Process: Vulnerability Definitions that have tickets with status New, In Progress, or Reopened.
• Resolved: Vulnerability Definitions that have tickets with status Closed, Resolved, or Verified.
• Irrelevant: Vulnerability Definitions that are not relevant for your organization. This status is assigned to Vulnerability Definitions that are marked as irrelevant by the user and to Vulnerability Definitions that have tickets with status Rejected or Ignored.
To view the status of your Vulnerability Definitions, display the Status column in the Table pane. (Right-click a column heading and select Customize Current View.)
Vulnerability Definitions also have a review indicator that can be set. To view the reviewindicators, display the For Review column.
Marking Vulnerability Definitions as irrelevant
If you decide that a Vulnerability Definition is not relevant, you can manually change its status to Irrelevant. Vulnerability Definitions that have tickets with a status of Ignored or Rejected are also assigned a status of Irrelevant.
If a Vulnerability Definition has a status of Irrelevant and there are updates to the Vulnerability Definition from the Skybox Vulnerability Dictionary or the alert service, the Vulnerability Definition is updated and marked as for review (in the For Review column of the analysis), but its status does not change.
To mark a Vulnerability Definition as irrelevant
1. Right-click the Vulnerability Definition and select Mark as Irrelevant.
Note: If the Vulnerability Definition has open tickets, marking the Vulnerability Definition as Irrelevant closes its tickets automatically.
2. In the Mark Vulnerability Definition as Irrelevant dialog box, type a comment in Enter a comment and click OK.
Marking Vulnerability Definitions as for review
To mark or clear the review status of a threat alert
• Right-click the threat alert and select Set (or Clear) Review Indication.
Creating tickets manually
Tickets in Skybox represent action items that must be implemented in your network.
After you ascertain the critical issues, you can create tickets and assign them to staff members.
Ticket types
You can create tickets for:
• Vulnerability occurrences
Vulnerability occurrence tickets are specific to one vulnerability occurrence. These tickets can include a proposed solution for remediating the vulnerability occurrence.
• Vulnerability Definitions
Threat alert tickets are not specific to a vulnerability occurrence. These tickets can include proposed solutions for remediation.
• Business Asset Groups
Open a Business Asset Group ticket if the risk of a Business Asset Group is too high. These tickets are less useful for specific issues and are usually used as alerts.
Each ticket is assigned to an owner (someone responsible for making sure that the action item is implemented); you can assign each ticket a due date so that you can track its status. Select an owner according to the kind of fix: in most organizations, the IT Systems team is responsible for solutions for specific vulnerability occurrences (for example, patches and upgrades) and the Network Operations team is responsible for access-related solutions (for example, fixing access rules).
Note: Tickets can only be assigned to Skybox users.
You can set up ticket phases, which define different steps for remediation (see the Defining ticket phases topic in the Skybox Reference Guide).
Creating tickets
To create a ticket from Skybox Manager
• In the Table pane, right-click the selected entity and select Create Ticket or Create Threat Alert Ticket.
For information about creating tickets for:
  ◦ A single vulnerability occurrence, see Creating tickets for a vulnerability occurrence.
  You can also create a threat alert ticket for the vulnerability occurrence's Vulnerability Definition; when a patch is released that solves vulnerability occurrences of a Vulnerability Definition, you can use one vulnerability occurrence to create a threat alert ticket that covers all vulnerability occurrences of that Vulnerability Definition (see Creating threat alert tickets).
  ◦ Multiple vulnerability occurrences, see Creating threat alert tickets.
  ◦ A set of separate vulnerability occurrence tickets, see Creating sets of tickets for multiple vulnerability occurrences.
For information about creating tickets from the Attack Explorer, see Creating vulnerability occurrence tickets in the Attack Explorer.
Tip: Tickets can be created automatically using tasks (see Automating tickets).
Viewing tickets
After a ticket is created, you can view it and manage it from the Tickets tree.
Creating tickets for a vulnerability occurrence
To create a ticket for a vulnerability occurrence
1. In the Tree pane, open a vulnerability occurrences analysis for which the results in the Table pane are vulnerability occurrences.
2. In the Table pane, right-click the vulnerability occurrence for which you are creating a ticket and select Create Ticket.
3. Fill in the fields according to the table in the Vulnerability occurrence ticket properties topic in the Skybox Reference Guide:
• Select an owner for the ticket.
• Other fields are optional or have default values.
4. To recommend solutions to the ticket owner:
a. Click the Solutions tab.
Solutions from the Skybox Vulnerability Dictionary are listed; the list might also include custom solutions prepared in your organization.
b. Select the appropriate solutions or add custom solutions.
The ticket is created and added to the list of new tickets for the selected owner.
Creating vulnerability occurrence tickets in the Attack Explorer
To create vulnerability occurrence tickets in the Attack Explorer
1. In the Map pane, find a set of links such that by blocking them all you block the attacks on the Business Asset Group.
For example, if you are most concerned about a specific Threat Origin, find the set of links that blocks all attacks from that Threat Origin.
2. Examine the entry (or exit) vulnerability occurrences associated with these links.
The entry vulnerability occurrences associated with a link are vulnerability occurrences in the link's destination that can be exploited directly from the link's source.
• To list a link's entry vulnerability occurrences in the Vulnerability Occurrences pane, double-click the link in the Map pane, or right-click the link in the Map pane and select List Entry Vulnerability Occurrences.
The exit vulnerability occurrences associated with a link are vulnerability occurrences in the link's source whose exploitation enables access to the link's destination in an attack.
• To list a link's exit vulnerability occurrences in the Vulnerability Occurrences pane, right-click the link in the Map pane and select List Exit Vulnerability Occurrences.
The selected vulnerability occurrences are listed in the Vulnerability Occurrences pane, in the Attack Steps tab. Vulnerability occurrences that already have vulnerability occurrence tickets are listed, but you cannot select them. Because they have tickets, you cannot create new tickets for them in the Attack Explorer, but you can create tickets for them manually.
Tip: To view the Access Route of a link, right-click the link and select Explain Access.
3. Block each link by marking its entry or exit vulnerability occurrences as To be Solved.
4. Review the To be Solved vulnerability occurrences and create tickets.
At this point, the requests for new tickets are only in the Attack Explorer.
5. Click OK to save your remediation decisions (assigned tickets, and vulnerability occurrences marked as Ignored) to the Skybox database.
A separate ticket is created for each of the selected vulnerability occurrences.
Example
In this Attack Map, blocking: (a) links 1, 3, and 4; (b) links 2, 3, and 4; or (c) link 5, blocksattacks on the selected Business Asset Group (named Finance Application).
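The following added example is illustrative Python, not the Attack Explorer, and its attack map, node names, and link numbers are constructed; they do not correspond to the figure above. It shows the two notions this chapter relies on: which nodes hold directly exposed or 2nd-step vulnerability occurrences (step distance from the Threat Origin, as in Reviewing directly exposed vulnerability occurrences), and which sets of links block every attack on the Business Asset Group, including which nodes can no longer participate in attacks once those links' vulnerability occurrences are marked To be Solved.

```python
"""Added example: a small attack map used to classify vulnerability occurrences
by attack step (direct = one step from the Threat Origin, 2nd-step = two) and
to enumerate the sets of links whose blocking cuts every attack on a Business
Asset Group. Illustrative code, not the Attack Explorer; the map is constructed."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Link = Tuple[str, str]  # (source node, destination node)

# Constructed attack map (assumption): link ids as an Attack Map would number them.
ATTACK_MAP: Dict[int, Link] = {
    1: ("Internet", "dmz-web"),
    2: ("Internet", "vpn-gw"),
    3: ("dmz-web", "app-srv"),
    4: ("vpn-gw", "app-srv"),
    5: ("app-srv", "Finance Application"),
}
THREAT_ORIGIN = "Internet"
TARGET = "Finance Application"


def step_depth(links: Dict[int, Link], origin: str) -> Dict[str, int]:
    """Breadth-first search: minimum number of attack steps from the Threat Origin."""
    depth = {origin: 0}
    frontier = [origin]
    while frontier:
        nxt = []
        for node in frontier:
            for src, dst in links.values():
                if src == node and dst not in depth:
                    depth[dst] = depth[node] + 1
                    nxt.append(dst)
        frontier = nxt
    return depth


def exposure_classes(links: Dict[int, Link], origin: str) -> Dict[str, Set[str]]:
    """Nodes whose vulnerability occurrences are directly exposed (step 1) or 2nd-step."""
    depth = step_depth(links, origin)
    return {"direct": {n for n, d in depth.items() if d == 1},
            "second_step": {n for n, d in depth.items() if d == 2}}


def attack_paths(links: Dict[int, Link], origin: str, target: str) -> List[Tuple[int, ...]]:
    """All simple paths from origin to target, each as the tuple of link ids used."""
    paths: List[Tuple[int, ...]] = []

    def walk(node: str, visited: Set[str], used: List[int]) -> None:
        if node == target:
            paths.append(tuple(used))
            return
        for link_id, (src, dst) in links.items():
            if src == node and dst not in visited:
                walk(dst, visited | {dst}, used + [link_id])

    walk(origin, {origin}, [])
    return sorted(paths)


def minimal_blocking_sets(paths: List[Tuple[int, ...]]) -> List[FrozenSet[int]]:
    """Smallest-first enumeration of link sets that hit every attack path
    (brute force; fine for the handful of links in one Attack Map)."""
    link_ids = sorted({lid for p in paths for lid in p})
    found: List[FrozenSet[int]] = []
    for size in range(1, len(link_ids) + 1):
        for combo in combinations(link_ids, size):
            candidate = frozenset(combo)
            if any(f <= candidate for f in found):
                continue  # a subset already blocks everything; not minimal
            if all(candidate & set(p) for p in paths):
                found.append(candidate)
    return found


def reachable_after_blocking(links: Dict[int, Link], origin: str,
                             blocked: Set[int]) -> Set[str]:
    """Nodes still reachable once the blocked links' vulnerability occurrences
    are marked To be Solved; every other node would be shown gray."""
    remaining = {i: link for i, link in links.items() if i not in blocked}
    return set(step_depth(remaining, origin)) - {origin}


if __name__ == "__main__":
    print(exposure_classes(ATTACK_MAP, THREAT_ORIGIN))
    paths = attack_paths(ATTACK_MAP, THREAT_ORIGIN, TARGET)
    print(paths, [sorted(s) for s in minimal_blocking_sets(paths)])
    print(reachable_after_blocking(ATTACK_MAP, THREAT_ORIGIN, {3, 4}))
```

On this map, blocking link 5 alone is the cheapest cut, but it leaves the DMZ and VPN nodes reachable; blocking links 1 and 2 removes the direct exposure instead. Which option to ticket is exactly the choice between patching Point B and narrowing access that the previous chapter describes.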
Marking vulnerability occurrences
To mark vulnerability occurrences as To be Solved
• In the Vulnerability Occurrences pane, mark each vulnerability occurrence as To be Solved by selecting its S check box.
After vulnerability occurrences are marked as To be Solved, nodes that can no longer participate in attacks become gray in the upper pane, representing the post-fix situation.
Creating tickets
You can create tickets for a set of entry or exit vulnerability occurrences directly from the Vulnerabilities pane and go on to the next set of vulnerability occurrences. Or, in each set, select the vulnerability occurrences to use to create tickets and click the Selected Solutions tab to display the To be Solved vulnerability occurrences.
Note: When you select a link in the Map pane and list its vulnerability occurrences, the selected vulnerability occurrences overwrite the previous vulnerability occurrences in the Vulnerabilities tab of the Vulnerabilities and solutions pane. However, the Selected Solutions tab keeps an aggregation of all vulnerability occurrences marked as To be Solved, regardless of which link is currently selected.
To review vulnerability occurrences and create tickets
1. In the Vulnerability Occurrences pane (in the Attack Steps tab or Selected Solutions tab),display the To be Solved vulnerability occurrences.
2. Select vulnerability occurrences for which you want to assign a ticket with the same solution(or with no suggested solution) to an owner.
3. Click .
l For information about the ticket fields, see the Vulnerability occurrence ticket propertiestopic in the Skybox Reference Guide.
4. Fill in the fields of the ticket.
l If you are creating tickets for multiple vulnerability occurrences, type a string in TitlePrefix. This string is prepended to the vulnerability occurrence name and location tocreate the title of the vulnerability occurrence ticket.
l In User Comments, type an explanation of how to mitigate the vulnerability occurrences.
5. Click OK to create the ticket.
Note: Tickets created in the Attack Explorer are not added to the model until you click Apply(or click OK close the Attack Explorer).
6. Repeat steps 2 through 5 until all necessary tickets are created.
7. Save your changes:
l Click Apply to save the tickets (and vulnerability occurrences that you marked forignoring) without closing the Attack Explorer.
l Click OK to save your changes and close the Attack Explorer.
Creating threat alert tickets
You can create threat alert tickets in different ways to meet specific needs:
l You can create a ticket for a Vulnerability Definition instead of for a vulnerability occurrence.For example, if a security patch is released for a Vulnerability Definition, you could create athreat alert ticket instead of creating a ticket for each vulnerability occurrence.
• You can create a threat alert ticket for specific vulnerability occurrences of the Vulnerability Definition.
• You can create a threat alert ticket for a group of Vulnerability Definitions so that they are all handled in a single ticket.
To create a ticket for all vulnerability occurrences of a Vulnerability Definition
1. In the Vulnerability Control tree, select Prioritization Center > Analyses > Public Analyses > Vulnerabilities and then select an analysis that displays Vulnerability Definitions (for example, Miscellaneous > Vulnerabilities by Definition or Dictionary > Vulnerability Dictionary).
2. In the Table pane, right-click the Vulnerability Definition for which you are creating a ticket and select Create Ticket.
3. In the New Threat Alert Ticket dialog box:
a. Fill in the fields according to the table in the Threat alert ticket properties topic in the Skybox Reference Guide.
The default Network Scope for the ticket is all vulnerability occurrences of the selected Vulnerability Definition.
b. To recommend solutions for the vulnerability occurrences:
i. Click the Solutions tab.
Solutions from the Skybox Vulnerability Dictionary are listed; the list might also include custom solutions prepared in your organization.
ii. Select the appropriate solutions or add custom solutions.
c. Click OK.
The ticket is created and added to the list of new tickets for the selected owner.
To create a threat alert ticket for specific vulnerability occurrences
1. In the Vulnerability Control tree, open a vulnerability occurrence analysis (under Prioritization Center > Analyses > Public Analyses > Vulnerabilities) for which the results in the Table pane are vulnerability occurrences (and not Vulnerability Definitions).
2. In the Table pane, select the vulnerability occurrences of the threat alert for which you are creating the ticket.
3. Right-click the vulnerability occurrences and select Create Threat Alert Ticket.
4. In the New Threat Alert Ticket dialog box:
a. Fill in the fields according to the table in the Threat alert ticket properties topic in the Skybox Reference Guide.
The selected vulnerability occurrences are the default Network Scope for the ticket.
b. To recommend a solution for the vulnerability occurrences:
i. Click the Solutions tab.
Solutions from the Skybox Vulnerability Dictionary are listed; the list might also include custom solutions prepared in your organization.
ii. Select a solution or click Add Custom to specify a custom solution.
You can add multiple custom solutions.
c. Click OK.
The ticket is created and added to the list of new tickets for the selected owner.
To create a threat alert ticket for multiple Vulnerability Definitions
These tickets can only be created for Vulnerability Definitions, not for Security Bulletins.
1. Open a list of Vulnerability Definitions from anywhere in Vulnerability Control.
2. In the Table pane, select the Vulnerability Definitions to manage together.
3. Right-click the Vulnerability Definitions and select Create Ticket.
The name of the ticket includes the SBV IDs of the included Vulnerability Definitions.
4. Continue as in the previous procedures. In the Solutions tab, all solutions for the selected Vulnerability Definitions are included. The solutions are labeled according to their Vulnerability Definition. You can select multiple solutions and add custom solutions.
Creating sets of tickets for multiple vulnerability occurrences
You can select multiple vulnerability occurrences and create separate but similar tickets for each vulnerability occurrence. The ticket names all have the same prefix (which you specify), followed by the name of the Vulnerability Definition and the IP address of its asset.
Note: This is not the same as creating a threat alert ticket for multiple vulnerability occurrences of the same Vulnerability Definition (see Creating threat alert tickets).
Each set of tickets that you create has a single owner. For example, if Joe is responsible for vulnerability occurrences of a Vulnerability Definition in one part of your network and Jane is responsible for similar vulnerability occurrences in another part of your network, you define a set of tickets for Joe and a different set for Jane, even if there is no other reason to split these vulnerability occurrences.
To create a set of tickets for multiple vulnerability occurrences
1. In the Tree pane, as required:
• Select the Vulnerability Occurrences node of the Model tree.
The Table pane displays all vulnerability occurrences.
• Open a vulnerability occurrences analysis for which the results in the Table pane are vulnerability occurrences (and not Vulnerability Definitions).
The Table pane displays the vulnerability occurrences.
2. In the Table pane, sort the list of vulnerability occurrences to make it easier to select a subset.
3. Select the vulnerability occurrences. Right-click in the selection and select Create Ticket.
In the New Vulnerability Occurrence Ticket dialog box, the field label Title is replaced by Title Prefix. The title of each ticket consists of the prefix that you type here, followed by the name of the Vulnerability Definition and the IP address of its asset. (In the preceding example, you could use the prefix Jane for one set and Joe for the other set.)
4. Fill in the fields according to the table in the Vulnerability occurrence ticket properties topic in the Skybox Reference Guide.
5. Recommend solutions to the owner for the vulnerability occurrences:
a. Click the Solutions tab.
Solutions from the Skybox Vulnerability Dictionary are listed; the list might also include custom solutions prepared in your organization.
b. Select the appropriate solutions or add custom solutions.
6. Click OK.
The tickets are created and added to the list of new tickets for the selected owner.
Adding custom solutions
You can add custom solutions for threat alert and vulnerability occurrence tickets, and use them in the same way as predefined solutions.
You can add custom solutions:
• From within a ticket, for that ticket and all other tickets for the same Vulnerability Definition
• From a list of tickets, for those tickets and all other tickets for the same Vulnerability Definitions
To add a custom solution from within a ticket
1. In the Solutions tab, click Add Custom.
2. In the New Custom Solution dialog box:
a. Type a Name for the solution.
b. In Solution Type, select the type.
c. In Description, type your solution.
d. If your organization added additional fields, fill in their values also. Mandatory fields are marked with an asterisk.
e. Click OK.
To add a custom solution for selected tickets from a list of tickets
1. Right-click the ticket or tickets and select Add Custom Solution.
2. In the New Custom Solution dialog box:
a. Type a Name for the solution.
b. In Solution Type, select the type.
c. In Description, type your solution.
d. If your organization added additional fields, fill in their values also. Mandatory fields are marked with an asterisk.
e. Click OK.
Updating the model after fixing vulnerability occurrences
When a vulnerability occurrence is fixed in your network, you must update the model to reflect the new life-cycle status of the vulnerability occurrence, and attack simulation must be run on the new data. Otherwise, the analysis is no longer accurate.
There are various ways to update the model:
• Wait for the next scanner task to detect the changes.
• Run a selective scan to detect or verify whether vulnerability occurrences marked as Fixed are fixed.
• Manually mark vulnerability occurrences as Fixed in the model based on approval from staff members. This is useful if no offline file import or online collection of network data is planned in the near future.
To mark a vulnerability occurrence as Fixed
1. Find the vulnerability occurrence in the Table pane of an analysis (or in the Vulnerability Occurrences node of the Model tree).
2. Right-click the vulnerability occurrence and select Change Status.
3. Change the status to Fixed and click OK.
4. In the confirmation dialog box, select a fixed status (I’m sure the vulnerability occurrence was fixed or The vulnerability occurrence was probably fixed) and click OK.
If you select The vulnerability occurrence was probably fixed, the vulnerability occurrence is checked during the next vulnerability occurrence scan (which changes the status back to Found if the vulnerability occurrence is rediscovered). Until then, Skybox considers the vulnerability occurrence Fixed and does not use it for attack simulation.
Using the What If model to test changes
Skybox supports a What If model that allows you to simulate the effect of solutions before applying them to your network. Use this model to test planned changes to the architecture or to device configurations. You can simulate the changes and check their potential effects without making the changes to your network. You can analyze potential risks due to the changes without harming your system; the changes you make to the What If model do not affect the Live model or your network.
To use the What If model for testing
1. Open the What If model:
• If there is a What If model, select What If from the drop-down list on the toolbar.
• To create a What If model:
a. Select File > Models > Create Model.
b. In the dialog box:
• Set Source Model to Live
• Set Target Model to What If
• Select Switch to target model after creation
c. Click OK.
This copies the Live model to the What If model and switches to the What If model.
2. Modify the What If model.
3. Run the Analyze Simulate Attacks task on the What If model.
4. Check the analyses to make sure that you get the required results, and then recommend that these network or security changes are made in your network. If the changes relate to vulnerability occurrences or Business Asset Groups, switch to the Live model and open the appropriate tickets there.
5. You can return to the Live model to view the security situation in your network. Skybox saves the What If model.
Chapter 17
Continuous risk management
This chapter explains how to ensure the continued security of your network on a proactive (continuous and automated) basis, instead of checking and securing the system on a reactive basis every several months.
The benefits of continuous risk management include:
• A shorter window of exposure to new vulnerabilities
• A continuous view of the security status of your network
• A small effort every day or week, compared to a large project on a quarterly or semiannual basis
In this chapter
Attack simulation for continuous risk management 121
Monitoring the risk status 121
Automating ticket creation 122
Tickets and workflow 124
Model maintenance 128
Attack simulation for continuous risk management
Run the Analyze Simulate Attacks task:
• After data is added to the model, because new data influences the risk
• After other changes to the model (for example, Dictionary updates or aging)
Include this task at the end of every task sequence that includes tasks that make changes to the model.
Monitoring the risk status
When data is added to the model, you can monitor the risk status:
• Review risk metrics to identify security problems in your network
You can view risk metrics from the Summary tab of the Exposure by Threat node or from another Exposure node that displays risk.
• View risk trends to understand changes to your network in a broader context
You can view risk trends for vulnerability occurrences in the Trend of Direct Vulnerability Occurrences graph on the Summary tab of the Exposure by Threat node. For Threat Origins, the Top 3 Threat Origins table includes the delta values for direct and 2nd-step vulnerability occurrences from the current number of vulnerability occurrences to the previous number (from the most recent time that exposure was analyzed).
• Check whether assets or services were added to your network
• Check whether new vulnerability occurrences were detected
Checking for new entities
Assets can be added to your network and services can be added to assets; vulnerability occurrences might be detected on these new assets and services, and on existing assets.
If these entities cause high risk or if the vulnerability occurrences are directly exposed, they affect the exposure results. Skybox provides analyses that identify new entities and provide information about them.
Use the following analyses to identify new entities:
• In the Model Analyses > New Entities node of the Model tree:
   ◦ New Assets: Recently discovered assets
   ◦ Assets with New Services: Assets with newly discovered services
• In Vulnerability Control > Prioritization Center > Analyses > Public Analyses > Vulnerabilities > New Vulnerability Occurrences:
   ◦ New Vulnerability Occurrences: Recently discovered vulnerability occurrences
   ◦ Uncataloged Vulnerability Occurrences: Vulnerability occurrences detected by scanners but not yet modeled in Skybox
Note: Keeping your Skybox Vulnerability Dictionary up to date usually eliminates most uncataloged vulnerability occurrences.
You can add or change analyses. For example, to view the changes in different major locations, make copies of the analysis and then change the name and network scope of each copy.
Automating ticket creation
This section explains how to set up and use automated ticketing in Skybox.
Tip: You can integrate Skybox with other ticketing systems (see the Tickets API chapter in the Skybox Developer Guide or contact Skybox technical support).
Setting up ticket automation
This section explains how to set up policies for automatic ticket creation.
A policy defines the conditions under which tickets of a specified ticket type are created automatically. Tickets are not created the moment the conditions of a policy are met, but only when you run a Tickets – Auto Generation task.
The following predefined policies are included as part of the Skybox installation:
• New Direct Externally Exposed vulnerability occurrences: Creates tickets for new directly exposed vulnerability occurrences and for existing vulnerability occurrences that have become directly exposed.
• New High/Critical Vulnerability Definitions: Creates tickets for new high or critical severity Vulnerability Definitions.
• (Disabled) Vulnerability Definitions Subject to Worm Attack: Creates tickets for Vulnerability Definitions that have many vulnerability occurrences in your network. These Vulnerability Definitions are prone to exploitation by attackers and worms.
You can use these policies as is or edit them, and you can create policies to meet the needs of your organization.
Creating policies
A policy includes filters that select the entities for which tickets are created. A ticket is created for an entity only if it matches every filter. Policies also include information about the ticket: who the owner will be and how to define the ticket priority.
To create a policy
1. Select Tools > Administrative Tools > Policies.
2. On the toolbar of the Skybox Admin window, select Policy > New <Policy Type> Generation Policy.
3. In the dialog box, fill in the fields.
• For property definitions of Vulnerability Definitions ticket policies, see the Threat alerts ticket policies topic in the Skybox Reference Guide.
• For property definitions of vulnerability occurrences ticket policies, see the Vulnerability occurrences ticket policies topic in the Skybox Reference Guide.
4. Click OK.
The policy is added to the list of policies.
Creating tickets from policies
Usually, tickets are created from policies using Tickets – Auto Generation tasks. By default, these tasks create tickets for all policies. However, you can create separate tasks for each policy type if that is helpful to your organization.
When you create tickets (using a ticket task or manually for a policy), Skybox:
• Evaluates all relevant policies
• Creates tickets
We recommend that you create tickets automatically every time that changes are made to the model. For example, after devices are updated or after running a vulnerability detection task, you can schedule a ticket creation task for the policy that checks for new directly exposed vulnerability occurrences.
For information about task sequences, see Using tasks for automation.
To create tickets manually from a policy
1. Select Tools > Administrative Tools > Policies.
2. In the Table pane of the Skybox Admin window, right-click the policy to run and select Generate Tickets.
Skybox searches the model for entities that meet the policy requirements and creates a ticket for each such entity.
Tickets and workflow
Tickets in Skybox represent action items that must be implemented in your network. They can be created manually or from policies that are configured to create tickets for entities on which specified thresholds are reached.
Managing Skybox tickets is a way of ensuring that all security issues found by Skybox are resolved correctly and within the designated time frame.
Tip: You can set up ticket phases, which define different steps for remediation (see the Defining ticket phases topic in the Skybox Reference Guide).
Monitoring tickets
To make sure that all tickets are handled correctly, monitor the status of tickets.
Verifying that tickets are being acted on
You can check the status of tickets using:
• Tickets reports
• Tickets analyses
Overdue tickets have a status of New or In Progress but have passed their assigned due date. You can contact the ticket owners to find out why they did not handle the ticket.
The ticketing workflow provides a history of compliance with security requirements; update the status of tickets to reflect the status of the solutions applied.
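As an added example (not part of the Skybox guide or product), the following Python applies the overdue rule above to a tickets table saved in CSV format: a ticket is overdue when it is still New or In Progress and its due date has passed. It also lists tickets created in the past week and groups the overdue tickets by owner, which is the list to take to each owner. The column names (ID, Status, Owner, Creation Time, Due Date) and the five rows are constructed for illustration; check the headers of your own export and adjust the field names if they differ.

```python
"""Flag overdue Skybox tickets from a tickets table saved in CSV format.

Added example, not part of the Skybox documentation or product. The column
names and the rows in SAMPLE_EXPORT are constructed for illustration; check
the headers of your own export and adjust the field names if they differ.
Dates are assumed to be ISO-8601 (YYYY-MM-DD).
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# A ticket in one of these statuses that has passed its due date is overdue.
# Resolved, Closed, Ignored and Rejected tickets are never overdue.
OPEN_STATUSES = {"New", "In Progress"}

# Constructed sample export; not real Skybox output.
SAMPLE_EXPORT = """\
ID,Title,Status,Priority,Owner,Creation Time,Due Date
101,Jane - Apache HTTP Server 10.1.1.5,New,High,Jane,2022-03-01,2022-03-10
102,Joe - OpenSSH 10.2.0.9,In Progress,Critical,Joe,2022-03-02,2022-03-20
103,Joe - OpenSSH 10.2.0.12,Resolved,Critical,Joe,2022-03-02,2022-03-05
104,Jane - Apache Tomcat 10.1.1.7,In Progress,Medium,Jane,2022-03-12,2022-03-14
105,Threat alert for a group of Vulnerability Definitions,Closed,Low,Joe,2022-02-01,2022-02-15
"""


def _as_date(value):
    """Accept a date object or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_export(text):
    """Rows of the CSV export as dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def overdue_tickets(rows, today):
    """(ID, Owner, days overdue) for tickets still open past their due date."""
    today = _as_date(today)
    overdue = []
    for row in rows:
        if row["Status"] not in OPEN_STATUSES:
            continue
        due = date.fromisoformat(row["Due Date"])
        if due < today:
            overdue.append((row["ID"], row["Owner"], (today - due).days))
    return overdue


def created_within(rows, today, days=7):
    """IDs of tickets created in the last `days` days (the past-week view)."""
    cutoff = _as_date(today) - timedelta(days=days)
    return [row["ID"] for row in rows
            if date.fromisoformat(row["Creation Time"]) >= cutoff]


def overdue_by_owner(rows, today):
    """Owner -> overdue ticket IDs, one list per owner to follow up with."""
    by_owner = defaultdict(list)
    for ticket_id, owner, _days in overdue_tickets(rows, today):
        by_owner[owner].append(ticket_id)
    return dict(by_owner)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    today = "2022-03-15"  # fixed so the sample output is reproducible
    for ticket_id, owner, days in overdue_tickets(rows, today):
        print(f"ticket {ticket_id} owned by {owner} is {days} day(s) overdue")
    print("created this week:", created_within(rows, today))
    print("overdue by owner:", overdue_by_owner(rows, today))
```

Note that ticket 103 is past its due date but Resolved, so it is not reported: the rule keys on status, not on the date alone, which matches the definition of an overdue ticket above.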
Working with tickets
Tickets can be:
• Viewed
• Assigned to different owners
• Edited
• Changed to a different status
• Promoted or demoted
• Closed
To view and handle tickets, select the ticketed entity in the appropriate workspace and access the ticket in the Tickets tab of the Details pane. You can also access tickets in the Tickets workspace.
You view and handle groups of tickets in the Tickets workspace. For example, to view all tickets created within the past week, use the Public Tickets > All Tickets > Open Tickets > New analysis.
Viewing tickets
Folders in the Tickets tree contain analyses related to tickets.
The top-level nodes of the Tickets tree are:
• Public Ticket Analyses: Contains the tickets analyses available to everyone who logs in to Skybox Manager.
   ◦ The All Tickets folder contains the tickets in the system, distributed by status.
   ◦ The My Tickets folder contains only tickets that are owned by the logged-in user.
• Private Ticket Analyses: Contains analyses that are not available to other users of the system. Use this folder to create your own tickets analyses.
You can view additional properties of a ticket:
• Select the ticket in the Table pane and view the information in the Details pane.
• Double-click the ticket in the Table pane to open it.
Searching for tickets
You can search for tickets without creating an analysis for them. The search is based on a match between a text string and a selection of the following ticket fields:
• Title
• ID
• User Comments
• Status
• Priority
• Owner
• Solution Name
To search for tickets
1. With the Tickets workspace open, click the Search button on the toolbar.
2. In the Search panel, type a string in Find What.
3. In Look In, select the ticket field in which to search for the string.
4. Click the Search button.
Tickets that include the search string in the specified field are listed in the Table pane.
Changing ticket statuses
Skybox supports the following predefined ticket statuses:
• New: The default status for all new tickets.
• In Progress: The owner has seen the ticket and is in the process of handling it.
• Ignored: The ticket is not important, and the owner has decided to ignore it. Use this status, for example, if the vulnerability occurrence for which the ticket was created is a false positive.
• Rejected: The problem for which the ticket was created exists, but the solution is irrelevant or cannot be applied. This can happen, for example, if the suggested solution is to change an access rule to block access, but changing that rule also blocks access to an important application.
• Resolved: The problem was handled by the ticket owner, but the fix is not yet verified.
• Closed: The task was completed and verified. This is the final ticket status.
Admins can add up to 5 custom ticket statuses in Skybox (see the Custom Ticket Statuses topic in the Skybox Installation and Administration Guide).
Except for automatically created tickets, which are closed when their conditions are no longer met, ticket status does not change automatically. Status must be changed manually by the ticket owner or by an Admin.
To change the status of a ticket
1. Find an analysis containing the ticket.
2. In the Table pane, right-click the ticket and select Change Status.
3. In the dialog box, select the new status for the ticket and click OK.
The status of the ticket changes. Although the ticket might no longer match the current analysis (for example, a ticket whose status was changed from New to In Progress no longer matches the criteria of the New analysis), the ticket is listed in the old analysis until you refresh the screen or navigate away from the current analysis.
Note: Changing the status of a vulnerability occurrence ticket to Resolved or Closed changes the status of the vulnerability occurrence in the model to Fixed, and the vulnerability occurrence is no longer used for attack simulation (see Closing vulnerability occurrence tickets).
Working with multiple tickets
To perform an action on several tickets together
1. Select the tickets.
2. Right-click and select the action.
You can perform the following actions on a group of vulnerability occurrence tickets:
• Reassign
• Change the status
• Change the priority
• Change the due date
• Add an attachment
• Add a custom solution
You can perform the following actions on a group of threat alert tickets:
• Request to close
• Change the priority
• Promote
• Demote
• Add an attachment
• Add a custom solution
Closing tickets
You close a ticket by changing its status to Closed. When you close a vulnerability occurrence ticket, the status of the vulnerability occurrence changes in the model; see Closing vulnerability occurrence tickets.
When you delete a policy, you are asked whether to close all tickets created by the policy or leave them unchanged.
Important: When you finish working with a ticket, close it; if you delete a ticket, you lose the history of the problem that caused the ticket.
Automatic closure of threat alert tickets
By default, threat alert tickets must be closed manually. However, you can configure Skybox to close threat alert tickets automatically when all vulnerability occurrences related to the threat alert are fixed.
To configure automatic closure
• Set close_vt_tickets_in_last_phase_enabled=true in <Skybox_Home>\server\conf\sb_server.properties
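The following Python is an added example (not from the Skybox guide or the Skybox product) of applying that setting as an idempotent edit to a Java-style properties file: an existing definition of the key is rewritten in place, duplicate definitions are dropped, a missing key is appended, and comments and other properties are left untouched. The only names taken from the text are the property key close_vt_tickets_in_last_phase_enabled and the file location under <Skybox_Home>; the sample file contents are constructed. Take a backup before editing the live file; enable_auto_closure keeps a .bak copy for that reason.

```python
"""Set a property in a Java-style .properties file without disturbing the rest.

Added example, not from the Skybox documentation or product. The property key
and the file location server/conf/sb_server.properties under Skybox_Home are
from the guide; SAMPLE_BEFORE is constructed, not a real Skybox file.
"""
import re
import shutil
from pathlib import Path

KEY = "close_vt_tickets_in_last_phase_enabled"

# Constructed sample of what the file might contain before the change.
SAMPLE_BEFORE = """\
# Skybox server properties (constructed sample, not a real file)
some.other.setting=42
close_vt_tickets_in_last_phase_enabled=false
"""


def _key_pattern(key):
    """Match an active (uncommented) definition: key, '=' or ':', then the value.

    A line starting with '#' or '!' never matches, so commented-out copies
    are neither read nor rewritten."""
    return re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")


def get_property(text, key):
    """Effective value of `key`, or None if it is not set.

    As in java.util.Properties, the last active definition wins, so a stale
    duplicate lower in the file silently overrides an edit made higher up."""
    pattern = _key_pattern(key)
    value = None
    for line in text.splitlines():
        match = pattern.match(line)
        if match:
            value = match.group(1)
    return value


def set_property(text, key, value):
    """Return `text` with exactly one active `key=value` line.

    The first existing definition is rewritten in place, later duplicates are
    removed (so the server cannot pick up a stale value), comments and other
    properties are untouched, and a missing key is appended at the end."""
    pattern = _key_pattern(key)
    out, seen = [], False
    for line in text.splitlines():
        if pattern.match(line):
            if not seen:
                out.append(f"{key}={value}")
                seen = True
            continue  # drop any further definition of the same key
        out.append(line)
    if not seen:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def enable_auto_closure(skybox_home):
    """Apply the guide's setting to sb_server.properties, keeping a .bak copy.

    Returns True when the file's effective value afterwards is 'true'."""
    path = Path(skybox_home) / "server" / "conf" / "sb_server.properties"
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(set_property(path.read_text(), KEY, "true"))
    return get_property(path.read_text(), KEY) == "true"


if __name__ == "__main__":
    print("before:", get_property(SAMPLE_BEFORE, KEY))
    after = set_property(SAMPLE_BEFORE, KEY, "true")
    print("after: ", get_property(after, KEY))
    print(after)
```

The duplicate handling is the part worth keeping: because the last definition in a properties file wins, appending `close_vt_tickets_in_last_phase_enabled=true` below an older `=false` line works, but appending it above one does not, and a later reader of the file sees two contradictory values. Rewriting to a single definition avoids both problems.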
Closing vulnerability occurrence tickets
Usually, tickets affect entities in the model only when the ticket owner implements the changes. However, some changes to the status of a vulnerability occurrence ticket affect the vulnerability occurrence for which the ticket was opened.
Note: Admins can configure Skybox so that closing a ticket does not affect the vulnerability occurrence, in Tools > Options > Server Options > Ticket Configuration.
• When you manually change the status of a vulnerability occurrence ticket to Resolved, the status of the vulnerability occurrence changes to Fixed.
These vulnerability occurrences are checked during the next scan to confirm that they are fixed.
• When you manually close a vulnerability occurrence ticket, the status of the vulnerability occurrence changes to Fixed.
Skybox does not use Fixed vulnerability occurrences for attack simulation.
If you selected a solution for a vulnerability occurrence ticket, when you close the ticket the model changes according to the selected solution:
• Upgrade: The service version found by the scanner is overwritten with the version provided in the solution.
• Patch: The patch is recorded as applied on the asset.
• Remove: The service is marked as down.
For example, if the selected solution is to upgrade the service on which the vulnerability occurrence is found, the service is upgraded on the asset in the model.
Tickets that are closed automatically do not change the model or affect the vulnerability occurrences for which they were created.
Managing tickets analyses
You can edit or copy analyses in the Tickets tree to meet your requirements, create analyses from scratch, and delete irrelevant analyses.
You can sort the results of a tickets analysis by various properties, including status, priority, ticket type, and ticket owner. You can display additional columns of information (for example, operating system, service, or the policy that created the ticket) or hide columns to focus on specific aspects of the analysis.
Note: Users can create and edit analyses only in the Private Ticket Analyses folder.
If you are working with phases, you can create a separate analysis for each phase.
Model maintenance
You can automate the process of maintaining and updating the model, including:
• Model updates
• Data monitoring
• General maintenance
For information, see Model maintenance.
You can schedule reports to run automatically and be sent to selected recipients (see the Automating reports topic in the Skybox Reference Guide).
Continuous usage
This part explains how to work with Skybox Vulnerability Control on a continuous basis.
Chapter 18
Using tasks for automation
You can use scheduled task sequences and tasks in Skybox to automate processes, including data updates, model maintenance, and reports.
For information about:
• Managing tasks, see Managing tasks in the Skybox Reference Guide.
• Creating task sequences, scheduling tasks and task sequences, and best practices for setting up task sequences, see Working with tasks in the Skybox Reference Guide.
• Specific tasks, see the Tasks part of the Skybox Reference Guide.
Chapter 19
Reports
Reports in Skybox are detailed accounts of data in the model.
This chapter describes the report types in Skybox Vulnerability Control.
In this chapter
Reports overview 131
Security Metric reports 131
Risks reports 132
FISMA/NIST and Risk Assessment reports 132
PCI DSS reports 133
Tickets reports 133
Vulnerability Management reports 134
Vulnerabilities reports 134
Exporting data to CSV files 135
Exporting vulnerability occurrence data to Qualys format 136
Reports overview
Reports in Skybox are detailed accounts of data in the model (for example, high-risk entities, firewall changes, overdue tickets, or top 10 entities). You can schedule report generation and send reports to designated Skybox users.
You can generate reports in standard report formats (PDF, HTML, and RTF). Some report types are saved in CSV format. CSV files can be used by 3rd-party applications for additional processing.
There are several ways to work with reports:
• Generate reports while you are working:
1. Right-click an entity in the Tree pane
2. Save the table in CSV format
• Schedule report generation via tasks (including Report – Auto Generation tasks and CSV export tasks)
• View (and generate) reports in the Reports workspace, and customize their content
Security Metric reports
Security Metric reports contain security metrics information for the selected security metric type (VLI or RLI) and information about:
• The contribution of Vulnerability Definitions to the security metrics
• The contribution of subentities to the security metrics scores
• Trends
These reports are usually used for reviewing security metrics in a specific entity. To avoid information overload, Security Metric reports can show data about a single entity only, or about an entity and its child subentities (1 level down).
To generate a Security Metric report, specify the scope and the security metric type.
For information about defining Security Metric reports and the sections that can be included in the reports, see the Security Metric reports topic in the Skybox Reference Guide.
Risks reports
Depending on the scope of the report, risks reports can contain information about:
• The Business Units with the highest potential risk of being compromised.
• The Business Asset Groups with the highest potential risk of being compromised by attacks and vulnerability occurrences.
• The Regulations and Business Impacts with the highest potential risk of being compromised.
• The Threat Origins in your network that impose the highest potential risk on high-value Business Asset Groups.
These reports are usually used to highlight the Business Asset Groups with the highest risk and to provide the risk factors that caused the risk on these Business Asset Groups.
For additional information about defining risks reports and the sections that can be included in the reports, see the Risks reports topic in the Skybox Reference Guide.
Predefined risks reports
Skybox includes the following predefined risks report definitions:
• Risks – Details: Details of the top entities of each selected entity type. Entities with no risk are not included in the report. Risks are displayed qualitatively (on a scale of Very Low to Critical).
• Risks – Overview: An overview of the top entities of each selected type. Entities with no risk are not included in the report. Risks are displayed qualitatively (on a scale of Very Low to Critical).
• Regulation Compliance Risk – Details: Information about the top Regulations that are at risk of being compromised, including detailed explanations of how the risk of each entity is calculated.
FISMA/NIST and Risk Assessment reports
FISMA/NIST reports and Risk Assessment reports provide information about systems, threat statements, risk assessment, and actions with milestones.
Use these reports to meet FISMA risk reporting requirements. FISMA Risk Management reports use US Government nomenclature; Risk Assessment reports use standard nomenclature.
Note: The text fields in the Properties dialog box for Risk Assessment reports and FISMA Risk Management reports contain placeholder text; change this text before generating the reports for the 1st time. The information in these fields is used in the introductory section of the report.
For additional information about defining these reports and the sections that can be included in the reports, see the FISMA/NIST reports and Risk Assessment reports topics in the Skybox Reference Guide.
PCI DSS reports
PCI DSS reports provide information about vulnerability occurrences found on system components, including Business Asset Groups, networks, and network devices. The vulnerability occurrences are listed as action items according to their exposure.
These reports are usually used to show compliance with PCI DSS Requirement 6.1 (Requirement 6.2 in PCI DSS v3.2).
Note: The Introductory Text in the Properties dialog box that defines this report is used as the introduction to the report. By default, it contains text that explains how the report demonstrates compliance with PCI DSS Requirement 6.1. If you use the report for other purposes (for example, to show compliance with a different standard), change this text before generating these reports.
For additional information about defining PCI DSS reports and the sections that can be included in the reports, see the PCI DSS reports topic in the Skybox Reference Guide.
Predefined PCI DSS report
Skybox includes the following predefined PCI DSS report definition:
• PCI DSS – Requirement 6.1: Presents vulnerabilities in your network as action items in accordance with PCI DSS Requirement 6.1.
Tickets reports
Tickets reports contain summary and detailed information about tickets.
• Overview tickets reports are usually used to review and monitor ticket progress, and to list task assignments.
• Detailed tickets reports are usually used to implement the changes specified in the tickets.
Tickets reports show the status, priority, and assigned owner of tickets that meet the report criteria. You can filter these reports according to many different properties.
For additional information about defining tickets reports and the sections that can be included in the reports, see the Tickets reports topic in the Skybox Reference Guide.
Predefined tickets reports
Skybox includes the following predefined tickets report definitions:
• Open Tickets – Overview: An overview of open Skybox tickets, including the priority, status, and owner for each ticket. The tickets are grouped by priority.
• Open Tickets – Details: Detailed information about all open Skybox tickets. The tickets are grouped by priority.
• Overdue Tickets – Details: Detailed information about all Skybox tickets that have passed their due dates, including the status, priority, and owner for each ticket. The tickets are grouped by owner.
Vulnerability Management reports
Vulnerability Management reports are high-level reports that provide an overview of the vulnerability and risk management process, similar to the overview in the Vulnerability Control workspace. These reports contain information about:
• Discovery: The age and status of vulnerability occurrences and assets (including an indication of overdue assets)
• Analytics: Security metrics that need remediation and exposed vulnerability occurrences
You can configure the report to include only discovery or only analytics information.
For additional information about defining Vulnerability Management reports and the sections that can be included in the reports, see the Vulnerability Management reports topic in the Skybox Reference Guide.
Vulnerabilities reports
Vulnerabilities reports are technical reports that contain summary and detailed information about vulnerability occurrences found in the model.
Use these reports to review the vulnerability occurrences in a specific network segment or location, to filter exposed vulnerability occurrences, to show vulnerability occurrences with a specified severity level, or to show vulnerability occurrences that impose the highest risk on your organization. The reports can include trends in vulnerability occurrence statistics.
• Overview reports contain counts of vulnerability occurrences that meet the report criteria. You can group the vulnerability occurrences by operating system, location, the Business Units and Business Asset Groups that they affect, and Vulnerability Definitions.
• Detailed reports contain all information about each vulnerability occurrence that meets the report criteria.
• Reports that provide solutions contain all information about each vulnerability occurrence and known solutions for mitigating that vulnerability occurrence.
For additional information about defining vulnerabilities reports and the sections that can be included in the reports, see the Vulnerabilities reports topic in the Skybox Reference Guide.
Limiting the scope of vulnerabilities reports
We recommend that you define vulnerabilities reports with limited scopes to avoid excessively long reports. By default, reports of vulnerability occurrences are limited to 5000 vulnerability occurrences for Overview reports and 1000 vulnerability occurrences for Details (and Details & Solutions) reports; a detailed report is based on the first 1000 vulnerability occurrences that Skybox finds that match the report definition criteria, and full details are given for only the first 50 of those. Because the limit is applied to the first matching occurrences that Skybox finds, an over-broad scope can leave out the occurrences that you care about; narrow the scope rather than raising the limit.
You can limit the scope of a vulnerabilities report by changing any of the following properties of the definition on which the report is based:
• The scope of the network to include in these reports
• The type of operating systems to include in these reports
• The vulnerability occurrence properties, including:
  - Imposed risk
  - Status
  - Severity
  - Commonality
  - Vulnerability Definition
  - Scan time
To change the scope of a vulnerabilities report definition
1. Right-click the report definition name in the Tree pane and select Properties.
2. Make scope changes.
  • For information about defining the properties of vulnerabilities reports, see the Vulnerabilities reports topic in the Skybox Reference Guide.
  Note: An Admin can change the maximum number of vulnerability occurrences to include in reports (not recommended).
3. Click OK to save the information and close the Properties dialog box.
Predefined vulnerabilities report definitions
Skybox includes the following predefined vulnerabilities report definitions:
• Vulnerabilities – Details: Detailed information about the vulnerability occurrences in the model.
• Vulnerabilities – Overview: An overview of the vulnerability occurrences in the model.
• Vulnerabilities – Solutions: Detailed information about the vulnerability occurrences in the model and suggested solutions for each vulnerability occurrence.
Exporting data to CSV files
You can export much of the information in Skybox in CSV format. The CSV files can then be opened with another application for additional processing.
There are 3 ways to export Skybox data to a CSV file:
• Via the Tree pane
• By selecting a table
• Using tasks
To export information about an entity in the Tree pane to a CSV file
1. Select an entity in the Tree pane.
2. Right-click the entity.
Usually, there is either a Reports submenu or an Export to CSV option.
3. Select the relevant option.
To export a table to a CSV file
1. Display a table in the Table pane or in a tab of the Details pane.
For example, to save a list of the Vulnerability Definitions that contribute to the security metrics score of a Business Unit, select the Business Unit in the tree and then click the Vulnerability Definitions tab in the workspace.
2. To save specific columns only, display the columns to save and hide the other columns.
  • To display or hide columns, right-click in the header row of the table, select Customize Current View, and then select or clear columns.
3. Select a row in the table.
This focuses the Save operation on the selected table.
4. From the File menu, select Export Table to CSV.
5. In the Save dialog box, navigate to the required location and click Save.
Using tasks to export data to CSV files
Model data can be exported to CSV (character-separated values) files using tasks. If you use a task, you can export the data on a regular basis. The following CSV export tasks are available for Skybox Vulnerability Control (for information about these tasks, see the Skybox Reference Guide):
• CSV – Security Metrics Export
• CSV – Analysis Export
Exporting vulnerability occurrence data to Qualys format
Vulnerability occurrence analyses (lists of vulnerability occurrences) can be exported to XML files in Qualys format for integration with SIEM solutions.
To export an analysis to Qualys format
• Right-click the name of the analysis in the tree and select Export to XML – Vulnerability Occurrences.
To create a Qualys vulnerability occurrence export task for an analysis
1. Create an XML Vulnerability Occurrence (Qualys Format) Export task.
  • For information about these tasks, see the Qualys format XML vulnerability occurrences export tasks topic in the Skybox Reference Guide.
2. Use Analysis Definition to select the analysis for which you want to create the task.
3. (Optional) Change properties of the task.
When you run the task, the table is saved to <analysis name>_<date>--<time>.xml in the selected directory.
Chapter 20
Model maintenance
Model maintenance includes:
• Updating the model
• Confirming that offline file import and online collection tasks ran successfully
• Validating the model to check for missing or incorrect information
• Deleting entities that are no longer required
• General maintenance procedures, including updating the Skybox Vulnerability Dictionary and saving the model
In this chapter
Updating the model 137
General maintenance 140
Deployed product list 142
Updating the model
This section explains activities that keep the model up to date.
Automating data collection
Run online collection and offline file import tasks for all devices according to the schedule on which each device is updated.
• For information about scheduling tasks, see Scheduling task sequences.
• For information about the properties of tasks, see the sections relating to the tasks in the Tasks part of the Skybox Reference Guide.
Vulnerability occurrence maintenance
This section explains how to maintain vulnerability occurrences in the model.
Vulnerability occurrence life cycle
Every vulnerability occurrence has a life-cycle status from the time that it is found by a scanner and merged into the model, or created by a user, until it is finally deleted by the system or by a user. The life-cycle status changes according to user decisions, merges of scanning results, and ticket processing.
Internal life-cycle statuses include:
• System status: Computed by Skybox. System status is affected by system algorithms, which take user decisions into account.
• User-defined status: Assigned by a user. User status is affected only by direct user decisions about the vulnerability occurrence.
The displayed life-cycle status is a value derived from the internal status:
• Found: The vulnerability occurrence is in the model
• Ignored: The vulnerability occurrence is in the model but is to be ignored
• Fixed: The vulnerability occurrence is in the model but is fixed
Attack simulation and reports use only vulnerability occurrences whose displayed life-cycle status is Found.
Initial vulnerability occurrence life-cycle statuses
When data is imported into the model, all detected vulnerability occurrences are assigned the internal life-cycle status Found by system (equivalent to the displayed life-cycle status Found).
During the merging process, another internal status, Suspected False Positive, might be assigned to vulnerability occurrences. This occurs when there is a mismatch between the asset and the preconditions for the vulnerability occurrence's existence. For example, if a scanner decides (based on the Windows registry) that there is a vulnerability occurrence for the Microsoft IIS HTTP service, but Skybox does not find HTTP ports open on the asset, Skybox changes the status of that vulnerability occurrence to Suspected False Positive.
Suspected False Positive is equivalent to a displayed life-cycle status of Ignored. Skybox does not use vulnerability occurrences marked as Suspected False Positive in attack simulation. Because the status is inferred from what the model contains, review these occurrences rather than discarding them: the mismatch can also mean that the model is incomplete (for example, the HTTP service on that asset was not collected).
For information about the predefined False Positive Reduction task, see False positive reduction.
User-defined statuses
Users can change the status of vulnerability occurrences. A user might decide to ignore a vulnerability occurrence (not use it in attack simulation) because:
• It is not very important (no impact)
• It does not exist (false positive)
• Its risk is acceptable
Vulnerability occurrence aging
Scanned vulnerability occurrences go through a process of aging. If the life-cycle status of a scanned vulnerability occurrence has not changed in a specified number of days, the vulnerability occurrence receives a system status of Not Found. After another specified number of days, the vulnerability occurrence is deleted. If the vulnerability occurrence is rediscovered, it is assigned a system status of Found. For additional information, see Deleting outdated entities.
When a vulnerability occurrence is found by a scanner, Skybox uses the scanner ID and the scan policy as the vulnerability occurrence's scan source. When a vulnerability occurrence is found by several scans, Skybox uses the last scan as the scan source. The life-cycle status of a vulnerability occurrence can be changed only by information from scans that use the same scan source, because this indicates that the scanner ran the same scan as before.
In practice, this means that changing a scan policy (or the scanner that runs it) starts a new scan source: occurrences found under the old scan source are not updated by the new scans and instead age out as described in Vulnerability occurrence aging, so expect a temporary overlap of old and new occurrences after such a change.
False positive reduction
Note: False positive reduction is relevant only when working with Skybox Vulnerability Control.
The False Positive Reduction task checks the model for vulnerability occurrences that are not exploitable because they do not match their assigned service well enough. The task changes the life-cycle status of these vulnerability occurrences to False Positive. Skybox does not use false positive vulnerability occurrences in attack simulation.
For example, a vulnerability occurrence is detected on an asset running Microsoft IIS. If the False Positive Reduction task decides (based on the Skybox Vulnerability Dictionary) that this Vulnerability Definition applies only to version 8.5 of IIS, but the asset on which the vulnerability occurrence is found runs a higher version, the vulnerability occurrence is marked as a false positive.
The task also checks for patches that fix the detected vulnerability occurrences. If a patch is found on an asset and the patch is listed in the Vulnerability Dictionary as mitigating a vulnerability occurrence found on the asset, the life-cycle status of the vulnerability occurrence is set to Fixed and Skybox does not use it in attack simulation.
Both checks depend on the product version and patch data collected for the asset, so incomplete or imprecise collection can produce an unwarranted False Positive or Fixed status; confirm that version and patch information is collected reliably for a data source before relying on the task for assets from that source.
Run the task:
• After adding data to the model
• After updating the Vulnerability Dictionary
For information about the properties of this task, see the False positive reduction tasks topic in the Skybox Reference Guide.
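The following Python script is an added illustration of the status decisions described above (the merge-time precondition check, the False Positive Reduction task's version and patch checks, and the internal-to-displayed status mapping). It is not Skybox code: the Vulnerability Definition and asset records, the field names, and the sample IIS data are constructed for this example and are assumptions about the shape of the data rather than the product's own format.

```python
"""Status assignment for vulnerability occurrences, following the text on the
merge step and the False Positive Reduction task.

Added illustration, not Skybox code. The Definition and Asset records, their
fields and the sample data are constructed assumptions for this example.
"""
from dataclasses import dataclass, field

# Internal statuses named in the text, and the displayed status each maps to.
DISPLAYED = {
    "Found by system": "Found",
    "Suspected False Positive": "Ignored",
    "False Positive": "Ignored",
    "Fixed": "Fixed",
}


@dataclass
class Definition:
    """A Vulnerability Definition as the Dictionary describes it (assumed fields)."""
    vd_id: str
    product: str
    affected_versions: frozenset[str]   # versions the definition applies to
    required_ports: frozenset[int]      # service precondition for the occurrence
    mitigating_patches: frozenset[str]  # patches listed as fixing it


@dataclass
class Asset:
    products: dict[str, str]             # product name -> installed version
    open_ports: frozenset[int]
    patches: frozenset[str] = field(default_factory=frozenset)


def classify(vd: Definition, asset: Asset) -> str:
    """Return the internal life-cycle status of vd's occurrence on asset.

    Order follows the text: the merge step's precondition check (service
    ports) yields Suspected False Positive; the False Positive Reduction
    task's version check yields False Positive and its patch check yields
    Fixed; otherwise the occurrence stays Found by system.
    """
    # Precondition mismatch: the definition needs a service the model does not
    # show on the asset (the IIS-without-open-HTTP-port example in the text).
    if vd.required_ports and not (vd.required_ports & asset.open_ports):
        return "Suspected False Positive"

    installed = asset.products.get(vd.product)
    # Version mismatch: the definition applies only to listed versions and the
    # asset runs a different one (the IIS 8.5 example in the text).
    if installed is not None and vd.affected_versions and installed not in vd.affected_versions:
        return "False Positive"

    # A patch the Dictionary lists as mitigating the definition is installed.
    if vd.mitigating_patches & asset.patches:
        return "Fixed"

    return "Found by system"


def usable_in_attack_simulation(internal_status: str) -> bool:
    """Attack simulation and reports use only occurrences displayed as Found."""
    return DISPLAYED[internal_status] == "Found"


# Constructed sample data (hypothetical identifiers, not real Dictionary content).
IIS_VD = Definition("VD-EXAMPLE-1", "Microsoft IIS",
                    affected_versions=frozenset({"8.5"}),
                    required_ports=frozenset({80, 443}),
                    mitigating_patches=frozenset({"KB-EXAMPLE-1"}))

SAMPLE_ASSETS = {
    "iis85-unpatched": Asset({"Microsoft IIS": "8.5"}, frozenset({80})),
    "iis85-patched": Asset({"Microsoft IIS": "8.5"}, frozenset({80}), frozenset({"KB-EXAMPLE-1"})),
    "iis10": Asset({"Microsoft IIS": "10.0"}, frozenset({443})),
    "no-http": Asset({"Microsoft IIS": "8.5"}, frozenset({3389})),
}


def classify_all(vd: Definition = IIS_VD, assets=SAMPLE_ASSETS) -> dict[str, str]:
    """Asset name -> internal status for the sample model."""
    return {name: classify(vd, asset) for name, asset in assets.items()}


if __name__ == "__main__":
    for name, status in classify_all().items():
        print(f"{name:16} {status:26} displayed={DISPLAYED[status]:8} "
              f"simulated={usable_in_attack_simulation(status)}")
```

The order of the checks matters: an occurrence whose service precondition is not met is set aside at merge time and never reaches the version or patch checks, which is why the no-http asset ends up as Suspected False Positive rather than Fixed or False Positive.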
Deleting outdated entities
Network entities (assets, services, vulnerability occurrences, and network interfaces) are added to the model during online collection and offline file import. These entities can become outdated or no longer used as the model is updated, but they remain in the model until they are explicitly deleted. For example, a fixed vulnerability occurrence has its status changed to Fixed, but it is not deleted from the model even though it is no longer used for risk analysis.
Model – Outdated Removal tasks delete network entities that were not updated recently from the model. When the task runs, it compares the scan time of each entity with the current date and time to establish the entity age. Entities of a specified age are marked as Down and older entities (of a different specified age) are deleted from the model.
The predefined Model – Outdated Removal task is named Model – Remove Outdated. Run this task on a regular basis to keep the model clean.
For each network in the model, the task:
1. Decides whether to check the network for outdated entities:
  • If a network was not scanned in the past <n> days (the number of days is configurable and set in the task), it is not checked by this task for outdated entities.
  • If a network was scanned in the past <n> days, it is checked by this task for outdated entities.
Note: You can configure networks and assets so that they are not checked for outdated entities; see Using the Do Not Outdate option.
Manually created networks (and networks created by iXML import) are usually not updated on a regular basis, so they should not be outdated.
2. (For networks that are checked) Calculates the age of each entity in the network, changes the status of entities of the specified age to Down (or Not Found, for vulnerability occurrences), and deletes older entities from the model. If all network interfaces of an asset are deleted (due to aging), the asset is also deleted from the model.
You can identify the entities that would be aged by this task by selecting Dry Run in the Advanced tab. In a dry run, a list of entities that would be aged by the task is written to the log file, but the entities are not aged. Before the first scheduled run on a model, run the task with Dry Run selected and review the log, so that assets that are simply collected less often than the configured ages are marked Do Not Outdate rather than deleted.
You can run the task but exclude all gateways (and their services, vulnerability occurrences, and network interfaces) from the aging process by selecting Exclude Gateways in the Advanced tab.
For information about the properties of this task, see the Delete outdated entities tasks topic in the Skybox Reference Guide.
Using the Do Not Outdate option
Use the Do Not Outdate option in the Properties dialog box of a selected network (or Perimeter Cloud) or asset so that the network or asset is not checked for outdated entities.
• If an asset is excluded from the aging process, the asset's network interfaces, services, and vulnerability occurrences are not aged.
• If a network is excluded from the aging process, the network's assets (together with their network interfaces, services, and vulnerability occurrences) are not aged.
Important: Mark entities created manually or by iXML import to protect them from aging, as these entities are usually not scanned or reimported.
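The following Python script is an added illustration of the aging rules described in Vulnerability occurrence aging and in Deleting outdated entities: the network-level scan-recency check, the Down / Not Found and delete age thresholds, deletion of an asset whose interfaces have all aged out, the Do Not Outdate flag on networks and assets, Exclude Gateways, and Dry Run. It is not Skybox code; the entity classes, the threshold values, the flag names and the sample model are constructed assumptions for this example, and the real task writes its dry-run results to the log file rather than returning them.

```python
"""Aging of model entities, following the text on Vulnerability occurrence
aging and the Model - Outdated Removal task.

Added illustration, not Skybox code. Entity classes, thresholds, flag names
and the sample model are constructed assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Vuln:
    vd_id: str
    scan_time: date
    status: str = "Found"           # Found / Not Found


@dataclass
class Interface:
    ip: str
    scan_time: date
    status: str = "Up"              # Up / Down


@dataclass
class Asset:
    name: str
    interfaces: list[Interface]
    vulns: list[Vuln] = field(default_factory=list)
    is_gateway: bool = False
    do_not_outdate: bool = False    # the Do Not Outdate option on the asset


@dataclass
class Network:
    cidr: str
    last_scan: date
    assets: list[Asset]
    do_not_outdate: bool = False    # the Do Not Outdate option on the network


def run_outdated_removal(networks, today, *, check_if_scanned_within=7,
                         down_after=14, delete_after=30,
                         dry_run=False, exclude_gateways=False):
    """Age the model in place (unless dry_run) and return the planned actions.

    A network is checked only if it was scanned in the past
    check_if_scanned_within days and is not marked Do Not Outdate. Within it,
    entities older than down_after days are marked Down (Not Found for
    vulnerability occurrences) and entities older than delete_after days are
    deleted; an asset whose interfaces are all deleted is deleted too.
    """
    actions = []

    def age(scan_time):
        return (today - scan_time).days

    for net in networks:
        if net.do_not_outdate or age(net.last_scan) > check_if_scanned_within:
            continue                      # not scanned recently: leave it alone
        kept_assets = []
        for asset in net.assets:
            if asset.do_not_outdate or (exclude_gateways and asset.is_gateway):
                kept_assets.append(asset)
                continue
            kept_ifaces = []
            for iface in asset.interfaces:
                if age(iface.scan_time) > delete_after:
                    actions.append(("delete", "interface", asset.name, iface.ip))
                    continue
                if age(iface.scan_time) > down_after and iface.status != "Down":
                    actions.append(("down", "interface", asset.name, iface.ip))
                    if not dry_run:
                        iface.status = "Down"
                kept_ifaces.append(iface)
            kept_vulns = []
            for v in asset.vulns:
                if age(v.scan_time) > delete_after:
                    actions.append(("delete", "vuln", asset.name, v.vd_id))
                    continue
                if age(v.scan_time) > down_after and v.status != "Not Found":
                    actions.append(("not_found", "vuln", asset.name, v.vd_id))
                    if not dry_run:
                        v.status = "Not Found"
                kept_vulns.append(v)
            if asset.interfaces and not kept_ifaces:
                actions.append(("delete", "asset", asset.name, None))
                continue                  # every interface aged out: drop the asset
            if not dry_run:
                asset.interfaces, asset.vulns = kept_ifaces, kept_vulns
            kept_assets.append(asset)
        if not dry_run:
            net.assets = kept_assets
    return actions


TODAY = date(2022, 6, 1)   # fixed "current date" so the sample is reproducible


def sample_model(today=TODAY):
    """Constructed model: three networks that exercise each rule above."""
    d = lambda n: today - timedelta(days=n)
    return [
        Network("10.1.0.0/24", last_scan=d(1), assets=[
            Asset("web01", [Interface("10.1.0.10", d(2))], [Vuln("VD-1", d(2)), Vuln("VD-2", d(20))]),
            Asset("old01", [Interface("10.1.0.11", d(45))], [Vuln("VD-3", d(45))]),
            Asset("fw01", [Interface("10.1.0.1", d(40))], is_gateway=True),
            Asset("kiosk", [Interface("10.1.0.50", d(60))], do_not_outdate=True),
        ]),
        Network("10.2.0.0/24", last_scan=d(30), assets=[     # stale network: skipped
            Asset("db01", [Interface("10.2.0.10", d(90))]),
        ]),
        Network("192.168.9.0/24", last_scan=d(1), do_not_outdate=True, assets=[
            Asset("ixml-host", [Interface("192.168.9.5", d(200))]),   # manual/iXML network
        ]),
    ]


if __name__ == "__main__":
    model = sample_model()
    for action in run_outdated_removal(model, TODAY, dry_run=True):
        print(*action)
```

Running it with dry_run=True lists what would happen to old01 and fw01 without touching the model; a real run with exclude_gateways=True keeps fw01, marks web01's older occurrence Not Found, and deletes old01 because its only interface is past the delete age.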
General maintenance
This section describes general maintenance tasks.
Updating the Skybox Vulnerability Dictionary
Skybox releases an updated version of the Skybox Vulnerability Dictionary 6 days a week, and additional Dictionary updates are released whenever there is an important Vulnerability Definition release; we recommend that you check for Dictionary updates daily.
There are 2 ways to update the Vulnerability Dictionary:
• (Recommended) Use the predefined Dictionary Update – Daily task, which takes the most up-to-date Vulnerability Dictionary from the Skybox Dictionary Server. You can schedule the task.
• Download the Vulnerability Dictionary from https://dictionary.skyboxsecurity.com/dictionary/11.0.0/LatestDictionary.sbd
Note: Only Admins can update the Skybox Vulnerability Dictionary.
For instructions about updating the Vulnerability Dictionary, see the Dictionary updates chapter in the Skybox Installation and Administration Guide.
Model integrity
Use the predefined Model Integrity task to update the following associations between entities in the model:
• Business Asset Groups and their members
• Threat alert tickets and networks
If your model does not include Business Asset Groups that contain networks and you do not have threat alert tickets for specific network scopes, there is no reason to run this task.
When the task runs:
• For each Business Asset Group, it creates an association between the assets that meet the Business Asset Group's membership criteria and the Business Asset Group.
• For each threat alert ticket created for a network scope (rather than for vulnerability occurrences of the Vulnerability Definition), it translates the network scopes for the ticket into assets, so that all vulnerability occurrences of the Vulnerability Definition that match the ticket can be associated with the ticket.
  You can turn off threat alert ticket mapping. See the Model integrity tasks topic in the Skybox Reference Guide.
Run this task on a regular basis after you update the model, before running attack simulation or security metrics analysis tasks.
Validating the model when working on a continuous basis
You can set up updates to Skybox to run on a continuous and automated basis, as discussed in Updating the model. However, you must monitor the update process on a regular basis to make sure that all tasks succeeded and that all data was successfully imported.
Validate the model after each set of information is added by making manual checks as a way of verifying the correctness and completeness of the model. For example:
• View the model in the Network Map to make sure that there are no unconnected networks or nodes.
• In the Model Analyses node of the Model tree, check the New Entities analyses if you expect that entities were added to the model. Also check the appropriate model validation analyses.
• Check that the item counts for the model (File > Model Properties) are not significantly different from the numbers of items in your network.
For additional information about model validation, see Validating the model.
Backing up the model
The model is backed up to a file in XML or encrypted XML format. You can load backed-up versions and use them for analyses in the What If or Forensics model. A backup contains the full model, so a plain XML backup is as sensitive as the model itself; use the encrypted format and restrict access to the files wherever a backup leaves the Skybox Server.
Note: Only Admins can back up and load data.
When you back up or load the model, the data is divided into components. Make sure that you back up or load the correct components.
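The following Python script is an added illustration of the two associations that the Model Integrity task rebuilds: Business Asset Group membership computed from membership criteria, and translation of a network-scope threat alert ticket into the assets it covers and, from those, the vulnerability occurrences of the ticket's Vulnerability Definition. It is not Skybox code; the membership criteria here (CIDR ranges plus an optional OS family) are a constructed stand-in for the product's own criteria, and the record shapes and sample data are assumptions made for the example.

```python
"""Associations rebuilt by the Model Integrity task, following the text above.

Added illustration, not Skybox code. Membership criteria (CIDR ranges plus an
optional OS family), record shapes and sample data are constructed
assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    os_family: str
    vd_ids: frozenset[str]      # Vulnerability Definitions with occurrences on the asset


@dataclass
class BusinessAssetGroup:
    name: str
    networks: tuple[str, ...]                  # CIDR membership criteria
    os_families: tuple[str, ...] = ()          # empty = any operating system
    members: set[str] = field(default_factory=set)


@dataclass
class ThreatAlertTicket:
    ticket_id: str
    vd_id: str
    network_scope: tuple[str, ...]             # CIDRs the ticket was created for
    assets: set[str] = field(default_factory=set)
    occurrences: set[tuple[str, str]] = field(default_factory=set)


def in_scope(ip: str, cidrs) -> bool:
    """True if ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def run_model_integrity(assets, groups, tickets, *, map_tickets=True):
    """Recompute memberships in place; return (group sizes, ticket occurrences).

    map_tickets=False mirrors turning threat alert ticket mapping off in the task.
    """
    for g in groups:
        g.members = {a.name for a in assets
                     if in_scope(a.ip, g.networks)
                     and (not g.os_families or a.os_family in g.os_families)}
    if map_tickets:
        for t in tickets:
            # Network scope -> assets -> occurrences of the ticket's definition.
            t.assets = {a.name for a in assets if in_scope(a.ip, t.network_scope)}
            t.occurrences = {(a.name, t.vd_id) for a in assets
                             if a.name in t.assets and t.vd_id in a.vd_ids}
    return ({g.name: len(g.members) for g in groups},
            {t.ticket_id: sorted(t.occurrences) for t in tickets})


# Constructed sample data (hypothetical names and identifiers).
ASSETS = [
    Asset("web01", "10.1.0.10", "Windows", frozenset({"VD-100"})),
    Asset("web02", "10.1.0.11", "Linux", frozenset({"VD-100", "VD-200"})),
    Asset("db01", "10.2.0.10", "Linux", frozenset({"VD-200"})),
    Asset("lab01", "192.168.50.5", "Linux", frozenset({"VD-100"})),
]
GROUPS = [
    BusinessAssetGroup("DMZ servers", ("10.1.0.0/24",)),
    BusinessAssetGroup("Linux estate", ("10.0.0.0/8",), ("Linux",)),
]
TICKETS = [
    ThreatAlertTicket("T-1", "VD-100", ("10.0.0.0/8",)),
]


def demo():
    """Run the integrity pass over the sample model."""
    return run_model_integrity(ASSETS, GROUPS, TICKETS)


if __name__ == "__main__":
    sizes, occurrences = demo()
    print(sizes)
    print(occurrences)
```

Note that lab01 has an occurrence of VD-100 but is outside the ticket's network scope, so the occurrence is not associated with the ticket; that is the behaviour to expect when a ticket is scoped to a network rather than to the definition's occurrences.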
Deployed product list
In Skybox, you can create a list of products used by your organization: the deployed product list. Use this list to analyze the threat alerts to help you decide whether they are relevant (that is, whether they affect deployed products).
The deployed product list is created from several sources. The main source is the product catalog for the alert service used by your organization, which is downloaded with the threat alerts. The product catalog includes all products supported by the alert service. You can also create products that have no connection to the product catalog.
We recommend that you base the products in the deployed product list on the product catalog, because only products in the catalog are recognized by the alert source as affected by threat alerts.
After Skybox receives a threat alert, you can check whether its affected products are mapped to the deployed product list. If any are, the threat alert affects your organization.
Setting up the deployed product list
The deployed product list can be a flat list of products used by your organization, or the products that you select can be classified into product groups (represented by folders in the product list). For example, you can create a separate product group for each operating system family used in your organization.
You can add products to the product list in 2 ways:
• Select common products from the alert service product catalog
• Manually add products that are missing from the catalog
Creating product groups
We recommend that you create product groups before adding products. However, you can create additional product groups at any time.
To create a product group
1. Click .
The Skybox Admin window opens with the deployed product list displayed in the Table pane.
2. In the tree, right-click the Deployed Product List node and select New Product Group.
3. In the New Product Group dialog box, type a Name for the product group. You can add a comment.
4. Click OK.
Adding products
You can add a product from the alert service by mapping it to an appropriate catalog product.
You can add products:
• Directly from the product catalog, so that for every selected catalog product, a product with the same name is created in the deployed product list
• One-by-one, either with or without mapping to the product catalog
This is useful when you are adding a single product.
  - You can map catalog products to the new product, so that it receives an alert whenever a catalog product is affected. For example, you could group all versions of MySQL together if one person is responsible for dealing with all databases.
  - You can add proprietary applications and deployed products that are not in the product catalog. Unmapped products do not get alerts; you must update them manually.
If you are working with product groups, you can add products:
• Directly to a product group
• To the product list without adding them to a product group
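The following Python script is an added illustration of the relevance check described above: a threat alert affects the organization when one of its affected catalog products is mapped to a deployed product. It is not Skybox code; the record shapes are assumptions made for the example (a deployed product carries the catalog products mapped to it, possibly several as in the MySQL example, plus an optional list of Installed Versions; an alert lists affected catalog products with versions), and the rule that a product with no recorded installed versions is treated as affected is an assumption chosen here so that such products are reviewed rather than silently dropped.

```python
"""Threat alert relevance against the deployed product list, following the
text above.

Added illustration, not Skybox code. Record shapes, the version-matching
rule and the sample data are constructed assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CatalogProduct:
    vendor: str
    product: str


@dataclass
class DeployedProduct:
    name: str
    mapped: frozenset[CatalogProduct]                   # empty for unmapped (proprietary) products
    installed_versions: frozenset[str] = frozenset()    # empty = versions not recorded
    groups: tuple[str, ...] = ()                        # product groups the product belongs to


@dataclass
class ThreatAlert:
    alert_id: str
    affected: dict[CatalogProduct, frozenset[str]]      # catalog product -> affected versions ("*" = all)


def affected_deployed_products(alert: ThreatAlert, deployed) -> list[str]:
    """Names of deployed products the alert affects.

    A deployed product is affected when one of its mapped catalog products is
    in the alert and either the product has no recorded installed versions
    (assumption: treat as affected and review), the alert affects all
    versions, or an installed version is among the affected ones. Products
    with no mapping never match, as the text states for unmapped products.
    """
    hits = []
    for dp in deployed:
        for cp in dp.mapped:
            if cp not in alert.affected:
                continue
            versions = alert.affected[cp]
            if (not dp.installed_versions or "*" in versions
                    or dp.installed_versions & versions):
                hits.append(dp.name)
                break
    return hits


# Constructed sample data (hypothetical catalog entries and alerts).
MYSQL_56 = CatalogProduct("Oracle", "MySQL 5.6")
MYSQL_80 = CatalogProduct("Oracle", "MySQL 8.0")
WIN2019 = CatalogProduct("Microsoft", "Windows Server 2019")

DEPLOYED = [
    # One deployed product covering every MySQL version, as in the text's example.
    DeployedProduct("All MySQL", frozenset({MYSQL_56, MYSQL_80}), groups=("Databases",)),
    DeployedProduct("Windows Server", frozenset({WIN2019}), frozenset({"1809"}), ("OS",)),
    DeployedProduct("In-house billing app", frozenset()),   # proprietary, unmapped
]

ALERTS = [
    ThreatAlert("A-1", {MYSQL_80: frozenset({"8.0.28", "8.0.29"})}),
    ThreatAlert("A-2", {WIN2019: frozenset({"20H2"})}),
    ThreatAlert("A-3", {CatalogProduct("Oracle", "MySQL 5.7"): frozenset({"*"})}),
]


def triage(alerts=ALERTS, deployed=DEPLOYED) -> dict[str, list[str]]:
    """Alert id -> affected deployed products; an empty list means not relevant."""
    return {a.alert_id: affected_deployed_products(a, deployed) for a in alerts}


if __name__ == "__main__":
    for alert_id, names in triage().items():
        print(alert_id, "affects" if names else "does not affect", ", ".join(names) or "anything")
```

A-3 shows the cost of an incomplete mapping: MySQL 5.7 is not mapped to any deployed product, so an alert for all its versions is reported as not relevant even if that version is in use. Keeping the mapping complete, as the text recommends, is what makes the check trustworthy.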
Adding products from the product catalog
To add products from the product catalog
1. Right-click the main Deployed Product List node or a Product Group folder and select New Products from <Catalog name>.
2. In the New Products from <Catalog name> dialog box, in Search for Products, type a string to use for the product search and click Search.
Note: The search is not case-sensitive.
Products in the catalog that contain the string as part of their name are listed in a table in the dialog box. The list contains all the products that you can add to the deployed product list. Products that are already included have a check mark in the Mapped in DP List column.
3. From the table, select the products to add to the product list and click .
Tip: To display the mapping of a product, select the product and click Show References.
Each selected catalog product is added to the deployed product list as a separate product with the same vendor name and product name as the catalog product. Each selected catalog product is mapped to the corresponding new product.
Adding single products
There are 2 ways to add a single product:
• Create it from scratch
• Copy a product from the product list
To create a product from scratch
1. Right-click the Deployed Product List node or a Product Group folder and select New Product.
2. In the New Product from <Vulnerability database name> dialog box, fill in the fields in the Product Details pane. (Only Vendor and Product are mandatory.)
In Installed Versions, you can add multiple, comma-separated versions.
3. Click Add.
(If you are creating a product for an application that is not in the vulnerability database, click OK and skip to the end of this procedure; the product is not mapped to a vulnerability database product.)
4. In the Add Products from <Vulnerability database name> dialog box, in Search for Products, type a string to use for the product search and click Search.
Note: The search is not case-sensitive.
Products in the vulnerability database that contain the string as part of their name are listed in a table in the dialog box. The list contains all the products that you can add to the deployed product list. Products that are already included have a check mark in the Mapped to Deployed Product List column.
5. From the table, select the vulnerability database products to map to the new product and click Add.
The selected vulnerability database products are mapped to the new deployed product.
6. Click Close.
7. Click OK.
The new product is added to the deployed product list with the mapping that you selected.
To copy a product
1. Right-click the product to copy and select Create Product Like.
All fields are copied from the selected product to the new product (except for Change Log (History)).
Copied from <vendor product> (<Original ID>) is added as a comment.
2. Make the necessary changes to the product.
3. Click OK.
The new product is added to the deployed product list with the mapping that you selected.
Adding business attributes to products
You can add business attributes (for example, product owner) to products in the deployed product list.
• To set up: Add the necessary business attributes via Tools > Options > Server Options > Business Attributes > Products.
• To use: Right-click one or more products, select Set Business Attributes, and add the information.
Maintaining the deployed product list
After the deployed product list is set up, you can, from the Skybox Admin window:
• Add or update information about a product (for example, the version numbers of the product that are installed or the number of installations)
• Delete products from the list
• Add, rename, or delete product groups
If you delete a product group, products in this product group that do not belong to other product groups are also deleted.
• Add products
• Add products to product groups
A product can belong to multiple product groups. (To add a product to a product group, right-click the product, select Add Product(s) to Product Group, and then select the product group to which to add the product.)
Note: Privileged users can add products when a Vulnerability Definition is selected in the Table pane; in the Details pane, click the <catalog name> Products tab, right-click the product, and select New Product.
Deployed products analyses
To create a deployed products analysis
1. In the tree, right-click Prioritization Center > Analyses > Private Analyses and then select New > Analysis.
2. In the New Analysis dialog box:
a. Type a Name for the analysis.
b. Select Deployed Product List as the analysis type.
The Properties pane of the dialog box changes to display the deployed product list fields.
c. Fill in the fields.
d. Click OK.
The analysis is created.
Advanced topics
This part includes advanced topics, including advanced modeling, modeling IPS devices, using Access Analyzer, modifying security metric properties, optimizing performance, and tuning issues.
Chapter 21
Advanced modeling
This chapter explains how to model entities that need additional configuration.
In this chapter
Modeling VPNs 147
Modeling L2 networks 151
Mapping overlapping networks 154
Virtual routers 156
Virtual firewalls 157
Virtualization and clouds 157
Clusters 160
Modeling multihomed assets 161
Merging data 162
Using clouds as Threat Origins 168
Advanced dependency rules 168
Modeling VPNs
A VPN is a private network that uses a public network to connect remote sites or users:
• Site to Site VPN: Connects multiple sites over a public network
• Remote Access VPN: Connects a user to a LAN from a remote location
Skybox supports Site to Site VPNs and models them as a direct link between the participating gateways. This link is represented as a special tunnel network. VPN configuration details are represented by VPN entities on each gateway. A VPN entity includes protected networks and services, and an interface that connects the gateway to the secure VPN.
Creating VPNs
You can create VPNs in Skybox using online collection or offline file import tasks, or manually, as described in this section.
Automated modeling
When a VPN is created by online collection or offline file import, the configuration of the gateways provides the information necessary to create the tunnel network and the VPN entities, including the interfaces that connect the VPN entities to the tunnel network.
Skybox supports online collection and offline file import of VPN information for:
• Check Point VPN-1 firewalls
• Cisco IOS routers
• Cisco PIX/ASA/FWSM firewalls
• Juniper Networks NetScreen firewalls
You can model VPN information for other devices manually from Skybox Manager or by using iXML. For information about iXML, see the Integration part of the Skybox Developer Guide.
Usually, VPNs are imported as a tunnel of type VpnTunnel with a Vpn network interface. For VPNs from specific vendors, the tunnel can be of type Tunnel with a Tunnel network interface.
Note: This issue is vendor-dependent; both configurations model the VPN equally well.
Manual modeling
If you create a VPN manually, use the VpnTunnel tunnel type and the Vpn interface type.
There are 3 steps to creating a VPN:
1. Create the (VPN) tunnel network: Each endpoint of the tunnel is the IP address of a connected gateway (see Creating VPN tunnels)
2. Create a VPN entity for each of the 2 gateways that are connected by the VPN tunnel: Connect the VPN interface of each VPN entity to the (VPN) tunnel network created in the previous step (see Creating VPN entities)
3. On each gateway, create access rules that specify that data travels over the VPN tunnel: In the VPN pane of each access rule, specify the VPN entity to use (see Creating access rules for the VPN)
If part of the VPN is updated using a task, the manually created entities and connections are preserved.
Creating VPN tunnels
If you model a VPN manually, create the VPN tunnel and then connect the gateways to the tunnel via their network interfaces. For information about VPN tunnels, see Creating VPN entities.
To create a VPN tunnel
1. In the Locations & Networks node of the Model tree, right-click the parent node for the tunnel. The parent node can be a location in the hierarchy or the Locations & Networks node.
2. Select New > Network.
• For information about network properties, see the Networks topic in the Skybox Reference Guide.
3. In the New Network dialog box, fill in the fields of the tunnel network:
• Ignore the values in the IP Address and Mask fields; these fields are not used for tunnel networks.
• In Type, select Secure VPN or Tunnel. If you are not sure which to select, use Secure VPN.
Note: The tunnel type and the network interface type must match (either Tunnel / Tunnel or Secure VPN / Secure VPN).
• In the Endpoint 1 and Endpoint 2 fields, type the IP addresses of the connected gateways.
4. Click OK.
Creating VPN entities
You create a VPN entity by:
• Defining the networks and services (in your network) that are protected by the VPN
• Selecting or creating the interface that connects the gateway of the VPN to the tunnel network
To create a VPN entity
1. Right-click a gateway of the tunnel and select Manage VPNs.
2. In the Manage Host VPNs dialog box, click Add.
3. In the New VPN dialog box, fill in the fields according to the following table. If there is no appropriate network interface for the VPN entity, create an interface:
a. Click New.
b. In the New Network Interface dialog box, fill in the fields.
Type of network interface:
• For tunnels modeled using the Secure VPN type, select Secure VPN as the network interface Type.
• For tunnels modeled using the Tunnel type, select Tunnel as the network interface Type.
Note: The type of network interface is vendor-specific. Both configurations model VPN tunnels equally well.
Network:
• In Network, select the tunnel network to which the VPN entity is connected.
• If the tunnel network was not created, leave Network set to None until you create the tunnel network and then set the field to the tunnel network. For instructions, see Connecting VPN gateways to the tunnel network.
For information about network interface properties, see the Network interfaces topic in the Skybox Reference Guide.
c. Click OK.
VPN entity properties are described in the following table.
PROPERTY | DESCRIPTION
Name | The name of the VPN entity
Original Text | The name of the original object from which this entity was created.
My Domain | The networks protected by this gateway.
Peer Domain | The networks protected by the endpoint gateway. Only packets with networks that match these domains can pass through the VPN tunnel. Note: This field is the encryption domain in Check Point terminology and the proxy in Cisco terminology.
Services | The protected services.
Network Interface | The network interface that connects the VPN entity to the tunnel network.
Connecting VPN gateways to the tunnel network
If the VPN entities were created before the tunnel network, connect each VPN gateway to the tunnel network.
To connect a VPN gateway to the tunnel network
1. In the Table pane, select the gateway.
2. If necessary, in the Details pane, click to display the Network Interfaces tab.
3. Click the Network Interfaces tab.
4. Right-click the VPN interface and select Properties.
5. In Network in the <Network interface> Properties dialog box, select the tunnel network.
6. Click OK.
Creating access rules for the VPN
After you create the VPN, create an access rule on each gateway that permits data to pass through the VPN.
To create an access rule
1. Right-click the gateway and select Access Rules.
2. In the Access Control List Editor, click New to create an access rule.
3. Fill in the fields in the New Access Rule dialog box according to how the data behaves in the actual device (for a description of each field, see the Access rule properties topic in the Skybox Reference Guide).
a. In VPN Usage, select:
• Specific (to send the data via a specific VPN entity)
• Any (to send the data over any VPN entity of this gateway)
b. If you selected Specific in VPN Usage, click the Browse button next to Specific and select a VPN entity.
4. Click OK.
5. If necessary, move the access rule to its correct location in relationship to the other rules using Move Up, Move Down, and Move To. If you created the rule in the wrong rule chain, click Move To Other Chain to move it to the correct chain.
6. Click OK.
Modeling L2 networks
L3 routers, firewalls, load balancers, and proxies control traffic between different parts of your network and between your network and the outside world.
L2 gateways (bridges, switches, and transparent firewalls) add additional segmentation or protection to a network. In Skybox, L2 gateways are only modeled when they affect network accessibility by splitting networks into segments.
L2 gateways are modeled in Skybox in almost the same way as L3 gateways, except that an L2 gateway is marked as Layer 2 and must have an L2 network interface. Access rules for L2 gateways are the same as those for regular (L3) gateways.
L2 network interfaces are similar to regular (L3) network interfaces, except:
• No IP address is required (the value 0.0.0.0 represents the IP address).
• Because an L2 interface has no IP address, it must be connected to a segment and not to a network.
After the L2 gateway is created, you divide the network into segments and attach the network interface of the L2 device to the segments.
The following figures illustrate the difference between a regular (L3) network and an L2 network.
Creating L2 devices
You can create L2 devices using online collection tasks, offline file import tasks, or manually.
You create an L2 device manually in the same way that you create a regular (L3) device, except that you must:
• Select Layer 2.
• Create L2 network interfaces for the device. Each L2 network interface connects the device to a network segment. The L2 device might have L3 network interfaces.
If device configuration data is collected from a device or imported from a file, L2 network interfaces are created but they are not attached to the network because they do not have IP addresses; attach the interfaces to the network (and segment the network) manually.
Segmenting networks
In Skybox, a network segment is a portion of an IP network that is physically separated from other parts of the network by an L2 gateway. You create network segments manually—one segment for each part of the network that is behind a different network interface of the device—and then assign each asset in the network and each network interface of the L2 device to the appropriate segment.
You can segment the network and assign the L2 network interfaces using iXML. For information about iXML, see the Integration part of the Skybox Developer Guide.
Creating network segments
Usually, an L2 device splits a network into 2 segments. However, it can split a network into multiple segments or split multiple networks. You must create each segment manually in the model. When you create a segment, you assign the appropriate assets in the network to the segment via their network interfaces.
To create a network segment
1. In the Model tree, right-click the network to segment and select Manage Segments.
2. In the Manage network segments dialog box, click Add.
3. In the New Segment dialog box:
a. Type a Name for the segment.
b. You can define the IP address ranges for the segment.
c. The Available field lists the network interfaces of all assets in this network.
For each asset that is in the segment, select a network interface in the Available field and click to move it to the Selected field.
d. Click OK.
In the Tree pane, the network contains the segments that you created and an Unsegmented Assets node.
Assets that are not assigned to a segment in the segmented network are displayed when you select the Unsegmented Assets node.
4. Repeat this process for each segment that you need.
If the L2 device has a management (L3) network interface, the L3 interface should not belong to a segment. The L2 device is listed in every segment and it is also listed in the Unsegmented Assets node because of the L3 network interface.
Note: When you delete a network segment, all assets (according to their network interfaces) that are part of that segment become unsegmented assets in the network.
Configuring the L2 network interfaces
After the network is segmented, assign the L2 network interfaces of the L2 device to the appropriate segments.
To assign an L2 network interface to a network segment
1. Select the L2 device in the Table pane.
2. In the Network Interfaces tab of the Details pane, select the interface to be connected and open its Properties dialog box.
3. In Network, select the network segment to which the interface is attached.
4. Click OK.
If this L2 device is updated using a task, the connection between the L2 interfaces and their network segments is preserved.
Mapping overlapping networks
Overlapping networks are networks that have identical or overlapping IP addresses and subnets. These networks are usually in different parts of your organization, separated by network devices.
These networks are discovered or collected as part of the topology. For Skybox to distinguish between 2 overlapping networks, define locations so that you can assign each such network to a unique location. Skybox uses these locations to ensure that the networks are kept separate when data from the networks is imported into the Skybox model.
Importing overlapping networks
Before importing network information:
• If there are no overlapping networks, you do not need to make special preparations before importing information.
• If there are overlapping networks:
1. Make sure that each overlapping network is in a unique location; you can add locations to the model before importing the data.
◦ For information about defining unique locations in Skybox, see Defining unique locations for overlapping networks.
2. Create a definition file for an Import – Advanced task. This file must contain location hints for each overlapping network (see Adding location hints to the definition file).
• If overlapping networks are identified after the model is built, these networks are merged in the model and might include assets from both overlapping networks. Delete these networks manually from the model, create an input file with location hints, and import the data again.
Merging overlapping networks
If a network is imported with a location hint, Skybox attempts to find an identical network under the same location as the location hint, as explained in the following table.
IF... | THEN...
An identical network was found under the same location | The imported network is merged with the network in the base model
No identical network was found | A network is created in the specified location
Identical networks were found (this can happen if the location hint is not clear enough; for example, if there are identical networks in the US/New York location and the US/Boston location, and the location hint is [US]) | A warning message is issued; a network is not created
If a network is imported without a location hint, the outcomes listed in the following table are possible.
IF... | THEN...
There are no identical networks | A new network is created
There is one other identical network in the model | The imported network is merged into the base model
There are multiple identical networks under different locations | The merge cannot solve the conflict. A warning message is issued; a network is not created
If a network cannot be merged for any of the preceding reasons, no network is created (and no network is changed).
Assets that are part of overlapping networks are handled in a similar manner. If there are identical assets under different locations, the merge cannot solve the conflict and the asset is not imported.
Defining unique locations for overlapping networks
To work with overlapping networks in Skybox, define a unique location for each network in the model.
Note: Location names must be unique throughout the model even when there are no overlapping networks.
Overlapping networks cannot exist in 2 locations if 1 location is a direct descendant of the other in the Locations & Networks tree.
For example, in the hierarchy in the following figure:
• Floor1 and Floor2 might hold overlapping networks but Floor1 and Commonwealth cannot, because Floor1 is a direct descendant of Commonwealth.
• Overlapping networks can exist under US and Europe but not under US and Boston.
Adding location hints to the definition file
To add overlapping networks to the model
1. Create a definition file for an Import – Advanced task.
For information about creating this file, see the Definition file for advanced file import tasks topic in the Skybox Reference Guide.
2. Add location hints to the definition file.
Each line that imports an overlapping network must have the format <import format type> <source file | directory> [<location hint>]
Note: The brackets ([ and ]) are part of the format of the line; they do not mean that an element is optional.
For permitted values of <import format type>, see the Data formats for file import tasks topic in the Skybox Reference Guide.
Examples
• NMAP_XML c:\sample\result.xml [London\Bakers]
• PIX_CONF c:\sample\file.cfg [Paris]
You can use "\" and "/" as delimiters in the location hint.
To preserve whitespace in location names, place the location inside double quotation marks. For example:
• PIX_CONF c:\sample\file.cfg [North America/New York]: The location is read as NorthAmerica >> NewYork
• PIX_CONF c:\sample\file.cfg ["North America/New York"]: The location is read as North America >> New York
3. Using an Import – Advanced task, import the overlapping networks into the model.
If the location does not exist in the model, it is created during the file import.
Note: For overlapping networks, the files to import using the Import – Advanced task must be on the Skybox Server machine. Location hints are not identified when you run the task on a Skybox Collector machine.
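The line format above and the two IF/THEN tables from Merging overlapping networks, combined into one added Python illustration. This is not Skybox code: the Network class, the in-memory model, the sample definition-file lines, and the reading of a location hint as a path prefix (implied by the guide's [US] example, where networks under US/New York and US/Boston both match) are assumptions made for the example.

```python
"""Location hints for overlapping networks: parse Import - Advanced
definition-file lines and apply the merge rules from the two IF/THEN tables.
Added illustration, not Skybox code; the Network class, the in-memory model
and the sample lines are constructed for the example."""
import re
from dataclasses import dataclass

# <import format type> <source file | directory> [<location hint>]
# The brackets are literal, so they anchor the regex; the source may contain spaces.
LINE_RE = re.compile(r'^(\S+)\s+(.+?)\s+\[(.*)\]\s*$')


def parse_definition_line(line):
    """Return (format, source, hint) where hint is a list of location names
    from root to leaf, or None when the line carries no location hint.
    Both "\\" and "/" delimit the hint. An unquoted hint loses its whitespace
    (the guide reads [North America/New York] as NorthAmerica >> NewYork);
    a hint in double quotation marks keeps it."""
    text = line.strip()
    m = LINE_RE.match(text)
    if m is None:
        fmt, _, src = text.partition(' ')
        return fmt, src.strip(), None
    fmt, src, hint = m.groups()
    hint = hint.strip()
    quoted = len(hint) >= 2 and hint[0] == '"' and hint[-1] == '"'
    if quoted:
        hint = hint[1:-1]
    names = [p for p in re.split(r'[\\/]', hint) if p.strip()]
    if not quoted:
        names = [re.sub(r'\s+', '', p) for p in names]
    return fmt, src, names


@dataclass(frozen=True)
class Network:
    ip: str
    mask: str
    location: tuple  # path of location names, e.g. ('US', 'Boston')


def resolve_network(model, ip, mask, hint):
    """Decide what the merge does with one imported network.
    Returns ('merge', existing), ('create', location) or ('warn', candidates).
    Assumption: a hint matches networks at that location or below, so it is
    compared as a path prefix (this is what the guide's [US] example implies)."""
    identical = [n for n in model if n.ip == ip and n.mask == mask]
    if hint is not None:
        hint = tuple(hint)
        under_hint = [n for n in identical if n.location[:len(hint)] == hint]
        if len(under_hint) == 1:
            return 'merge', under_hint[0]
        if not under_hint:
            return 'create', hint      # the location is created if it does not exist
        return 'warn', under_hint      # hint not specific enough: no network created
    if not identical:
        return 'create', None
    if len(identical) == 1:
        return 'merge', identical[0]
    return 'warn', identical           # several identical networks and no hint


# Constructed base model: the same 10.0.0.0/24 exists in two locations.
MODEL = [
    Network('10.0.0.0', '255.255.255.0', ('US', 'New York')),
    Network('10.0.0.0', '255.255.255.0', ('US', 'Boston')),
]

# Constructed definition-file lines; each file is assumed to describe 10.0.0.0/24.
SAMPLE_LINES = [
    r'NMAP_XML c:\sample\result.xml [US\Boston]',
    r'PIX_CONF c:\sample\file.cfg [US]',
    r'PIX_CONF c:\sample\file.cfg ["North America/New York"]',
    r'PIX_CONF c:\sample\file.cfg',
]


def run_sample(lines=SAMPLE_LINES, model=MODEL):
    """Return the merge action for each line: merge / create / warn."""
    actions = []
    for line in lines:
        _fmt, _src, hint = parse_definition_line(line)
        action, _detail = resolve_network(model, '10.0.0.0', '255.255.255.0', hint)
        actions.append(action)
    return actions


if __name__ == '__main__':
    for line, action in zip(SAMPLE_LINES, run_sample()):
        print(f'{action:6}  {line}')
```

The second sample line shows the warning case from the table: [US] is an ancestor of both existing locations, so the hint does not resolve the conflict; the fourth line shows that without any hint the same two networks also block the import.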
Virtual routers
Virtual routing is a technology that enables multiple instances of a routing table on the same asset at the same time. Each network interface is associated with a single virtual router.
When data packets arrive through an interface, the asset uses the routing table associated with that interface to route the packets. Packets arriving from other interfaces can take different paths to the same destination. Because each router is independent, the same or overlapping IP addresses can be used without conflicting with each other.
In Skybox, each virtual router is modeled as a section in the asset's routing table. Virtual routers are supported for a variety of devices including Juniper Networks Junos routers and firewalls, and Palo Alto Networks firewalls.
Virtual firewalls
Most vendors offer virtual firewalls, which can run multiple firewalls on a single physical device. Each virtual firewall is associated with (inherits) network interfaces from the physical device but has a separate ACL and routing table defined for it.
In Skybox, virtual firewalls are modeled as separate firewalls with separate configurations.
All virtual firewalls derived from the same physical device share a common prefix in their names so that you can easily identify them in the model (for example, if the system is named Alex, the virtual firewalls are named Alex:vsys1, Alex:vsys2, and so on). Skybox also creates an asset group with the name of the system and the virtual firewalls are part of this asset group.
In Skybox, virtual firewalls are supported for a variety of firewalls, including Check Point VSX, Fortinet VDOM, and Palo Alto Networks.
Virtualization and clouds
Skybox supports virtual domains for modeling software-defined networking (SDN). Virtual domains can be modeled in Skybox and access analysis can be performed. The model tree (Virtual Domains folder) shows virtual domains and their security tags, and security groups. Access Policy rules of each security tag can be viewed on the security tag and each virtual asset shows its entire Access Policy as derived from its security tags.
Skybox includes connectors for Amazon Web Services (AWS), VMware NSX, Microsoft Azure Cloud Services, and Cisco ACI.
• Data from Amazon Web Services data centers can be collected using Cloud & Virtualization – Amazon Web Services Collection tasks.
• Data from VMware NSX Manager servers can be collected using Cloud & Virtualization – NSX and vSphere Collection tasks.
• Data from Microsoft Azure servers can be collected using Cloud & Virtualization – Azure Cloud Services Collection tasks.
• Data from Cisco ACI servers can be collected using Cloud & Virtualization – Cisco ACI Collection tasks.
Additional information about these tasks is provided in Cloud and virtualization tasks in the Skybox Reference Guide.
The mappings between Skybox terminology and Azure, AWS, and Cisco ACI terminologies are listed in the following table.
SKYBOX | AZURE | AWS | CISCO ACI
Asset | VM | EC2 | VM
Virtual domain | VNet (Virtual Network) | VPC (Virtual Private Cloud) | Tenant
Security group | Application security group | -- | EPG (endpoint group)
Security tag | Network security group | Scalable group (was security group) | Contract
Network | Subnet | Subnet | Subnet
LB rules | Load balancer | Load Balancer | --
ACL | Network security group | Network ACL | Filter
NAT rule | Public IP | Elastic IP | --
VRF | Routing table | Route table | VRF (virtual routing and forwarding)
VPN | ExpressRoute (not yet supported by Skybox) | Direct Connect | --
• In NSX, virtual domains are named tenants.
• Security tags are Access Policy templates used for assets.
Security tags are modeled as Tag asset groups that also have access rules.
• Security groups are collections of assets.
Security groups are modeled as security group asset groups.
• In Cisco ACI, there are 2 types of Scalable (Security) Groups: Internal EPGs and External EPGs. External EPGs are modeled as security group asset groups, but their only asset is the virtual router of the tenant.
• You cannot create or edit virtual domains, security tags, or security groups manually, but you can add comments to them and change their owners.
If you select a virtual domain in the tree, you can view its security tags and security groups, or its assets in the Table pane. If you select a security tag or security group, you can view its assets in the Table pane.
You can view the access rules of a security tag by right-clicking it and selecting Access Rules.
You can also view the access rules of each virtual asset. The access rules of a virtual asset are the access rules from each of its security tags.
The properties of a virtual asset include the properties of a regular (non-virtual) asset and the asset's virtualization environment—the virtual domain, security tags, and security groups to which it belongs.
Note: You cannot create virtual assets manually, but you can edit and delete them. However, you cannot change their virtualization information.
Clusters
Cisco HSRP clusters
Multiple Cisco routers can form a cluster and communicate using HSRP protocol. The redundancy works by declaring a virtual IP address that is always connected to a router in the cluster. Another router in the cluster takes over the virtual IP address if the 1st router fails. Skybox models these virtual IP addresses as virtual network interfaces with the naming convention of standby_n (starting at standby_0).
In Skybox, 2 routers belong to the same cluster if they have a virtual interface connected to the same network, with the same name and same IP address. These routers are supposed to have the same access rules for each shared virtual interface.
Check Point clusters
Skybox adds members of a Check Point cluster to a Cluster asset group, with the cluster name as the name of the asset group. The shared IP addresses in the cluster are modeled as virtual interfaces in each cluster member.
Other clusters
Skybox adds members of a NetScreen, Junos, Cisco ASA, Cisco FWSM, Palo Alto, or FortiGate cluster to a Cluster asset group, with the cluster name as the name of the asset group.
Modeling multihomed assets
A multihomed asset is an asset that is connected to more than one network via multiple network interfaces. Unlike gateways, multihomed assets do not forward packets between the networks to which they are connected. Typically, there is a management network and various other networks.
In Skybox, a multihomed asset is a regular non-forwarding asset (usually of type Asset, Workstation, or Server), which has multiple network interfaces. Because the asset is connected to multiple networks, you can see it in each network to which it is connected. In the Network Map, each multihomed asset is in all networks to which it is connected.
When a multihomed asset is scanned using a network scanner or vulnerability scanner, it is usually seen from one side only—only one network interface is detected and the asset is added to the model as a regular (single-interface) asset. When it is scanned as part of another network, another side (network interface) is detected; however, no connection between the 2 IP addresses can be made. Network scans do not usually provide enough information to connect 2 IP addresses into a multihomed asset.
If multihomed assets are not modeled correctly, the attack simulation results might not be accurate because Skybox cannot show attack steps between the networks that are connected to this asset.
To model a multihomed asset correctly, inform Skybox that the asset has multiple network interfaces by defining multihomed assets in iXML and importing them into the model. Skybox then merges the previously created separate assets into the multihomed assets.
Importing a subsequent vulnerabilities scan updates the multihomed assets without disassembling them.
To merge multihomed assets
1. Create a list of all multihomed assets in iXML format, defining each of the multihomed assets as an <asset> element with an IP address and multiple <interface> elements (see the <asset> element topic in the Skybox Developer Guide).
For help in creating this list, contact Skybox Support.
2. Import this list into the model using an offline file import task.
The process locates every 'piece' of each asset and connects them together into multihomed assets.
If a multihomed asset is modeled as described, subsequent data imports are merged correctly with the multihomed asset. If there are problems with subsequent data imports, see Troubleshooting multihomed assets.
Troubleshooting multihomed assets
As stated in the preceding section, multihomed asset definitions are not changed by subsequent imports. However, there can be data conflicts. For example, if:
• Multiple assets share the same IP address
• A newly imported asset does not exactly match any asset in the model
This section explains how Skybox processes these situations.
Tip: If you end up with multiple assets, but these represent a single asset in the network, you can merge the assets manually.
Assets with multiple candidates in the model
When you import a multihomed asset and there are multiple similar assets in the model, Skybox tries to find the best match for the incoming asset by finding the asset that has the greatest number of matching interfaces (same IP address).
For example, there are 2 assets in the model:
• Asset X with IP address 1 and IP address 2
• Asset Y with IP address 1 and IP address 3
A new asset named Asset Z is imported into the model, with IP address 1 and IP address 3. Skybox tries to find the asset with the greatest number of matching IP addresses and Asset Z is merged with Asset Y.
A new asset named Asset A is imported into the model, with IP address 1 and IP address 4. Skybox does not have enough information to decide between Asset X and Asset Y for the merge; Asset A is added to the model as a new asset but is not merged with either existing asset.
Assets with one candidate asset in the model
If there is only one candidate asset in the model with an interface that has the same IP address as the incoming asset, Skybox determines whether to merge the incoming asset with the existing asset or to add the incoming asset to the model as a new asset.
To determine whether the assets match, Skybox:
1. Counts the number of matching interfaces (of the asset in the model and the incoming asset)
2. Divides by the number of relevant interfaces in the asset that is in the model.
• If this number is larger than the heuristics threshold, the assets are merged.
• If this number is smaller than the heuristics threshold, the assets are not merged.
The heuristics threshold is set by com.skybox.view.logic.discovery.ModelsMerger.multi_home_heuristics_threshold in:
• <Skybox_Home>\server\conf\sb_common.properties on the Server machine
• <Skybox_Home>\collector\conf\sb_common.properties on Collector machines
The default value of the heuristics threshold is 0.5.
• If an asset that should merge does not merge, decrease the heuristics threshold.
• If an asset merges when it should not, increase the heuristics threshold.
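The two matching rules of this section (best candidate among several, threshold test for a single candidate) as an added Python illustration, using the guide's Asset X / Y / Z / A example. This is not Skybox code: the Asset class, the concrete addresses standing in for "IP address 1..4", and the treatment of a ratio exactly equal to the threshold (the guide does not say) are assumptions; the 0.5 default and the list of interface types not used for identification come from the guide.

```python
"""Multihomed asset matching: several candidates are ranked by the number of
shared interface IP addresses, and a single candidate is accepted only above
the heuristics threshold. Added illustration, not Skybox code; the Asset
class and the addresses are constructed."""
from dataclasses import dataclass

# Default of com.skybox.view.logic.discovery.ModelsMerger.multi_home_heuristics_threshold
DEFAULT_THRESHOLD = 0.5
# Interface types the guide says are not used for identification.
IGNORED_TYPES = {'Virtual', 'Loopback', 'LoadBalancer'}


@dataclass
class Asset:
    name: str
    interfaces: dict  # ip -> interface type


def relevant_ips(asset):
    return {ip for ip, kind in asset.interfaces.items() if kind not in IGNORED_TYPES}


def merge_target(model, incoming, threshold=DEFAULT_THRESHOLD):
    """Return the model asset the incoming asset merges into, or None when it
    is added as a new asset."""
    incoming_ips = relevant_ips(incoming)
    shared = {a.name: len(relevant_ips(a) & incoming_ips) for a in model}
    candidates = [a for a in model if shared[a.name] > 0]
    if not candidates:
        return None
    if len(candidates) > 1:
        # Multiple candidates: the greatest number of matching interfaces wins;
        # a tie means Skybox cannot decide and the asset is added as new.
        best = max(shared[a.name] for a in candidates)
        winners = [a for a in candidates if shared[a.name] == best]
        return winners[0] if len(winners) == 1 else None
    # Single candidate: matching interfaces divided by the candidate's
    # relevant interfaces, compared with the threshold. Assumption: a ratio
    # exactly equal to the threshold does not merge.
    candidate = candidates[0]
    ratio = shared[candidate.name] / len(relevant_ips(candidate))
    return candidate if ratio > threshold else None


# Constructed addresses standing in for the guide's "IP address 1..4".
IP1, IP2, IP3, IP4 = '10.0.1.10', '10.0.2.10', '10.0.3.10', '10.0.4.10'
ASSET_X = Asset('Asset X', {IP1: 'Ethernet', IP2: 'Ethernet'})
ASSET_Y = Asset('Asset Y', {IP1: 'Ethernet', IP3: 'Ethernet'})
MODEL = [ASSET_X, ASSET_Y]


def guide_examples():
    """Asset Z {1,3} merges with Y; Asset A {1,4} ties and stays separate."""
    z = merge_target(MODEL, Asset('Asset Z', {IP1: 'Ethernet', IP3: 'Ethernet'}))
    a = merge_target(MODEL, Asset('Asset A', {IP1: 'Ethernet', IP4: 'Ethernet'}))
    return (z.name if z else None, a.name if a else None)


def single_candidate_examples(threshold=DEFAULT_THRESHOLD):
    """With only Asset X in the model: {1,2} gives 2/2 = 1.0 (merge),
    {1,4} gives 1/2 = 0.5 (not merged at the default threshold)."""
    full = merge_target([ASSET_X], Asset('new', {IP1: 'Ethernet', IP2: 'Ethernet'}), threshold)
    half = merge_target([ASSET_X], Asset('new', {IP1: 'Ethernet', IP4: 'Ethernet'}), threshold)
    return (full is not None, half is not None)


if __name__ == '__main__':
    print(guide_examples(), single_candidate_examples(), single_candidate_examples(0.4))
```

Calling single_candidate_examples(0.4) shows the tuning advice above in action: lowering the threshold lets the 1/2 case merge.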
Merging data
All data that is imported, collected, discovered, or scanned into the model goes through a process named merging, which refines the data and merges the information into the current model. Only data that is added to the model manually does not go through this process.
When data is retrieved for Skybox, it is collected into an update model. This data is normalized into the format in which it is stored in Skybox (see Normalizing the network information) and merged into the base model (usually the Live model) on a per-entity basis:
1. Identify the entity in the base model (see Identifying entities in the base model). If the entity is new (does not exist in the base model), add the entity to the base model and skip the next step.
2. Merge the entity data from the update model to the base model (see Merging entities).
You should understand the criteria that Skybox uses for merging each type of entity: what data is merged into the model and what data is discarded. Usually, merging is a transparent process; sometimes, you must prepare the model to enable merging to proceed correctly.
Normalizing the network information
Skybox does the following to normalize the update model:
• Network status: If the network status is UNKNOWN, the status is set to UP. If the interface type is unknown and it is a Loopback interface, its type is set to LOOPBACK; otherwise, the interface type is set to ETHERNET.
• Discovery method for assets, and for access and routing rules: If the discovery method is null, it is set to UNKNOWN.
• Scan time for assets and services: If the scan time of an asset or a service is null, it is set to the current time.
• Network interfaces for devices and assets:
◦ Every interface is attached to the correct network
◦ Access rules that are attached only to empty interfaces are deleted
◦ Empty (0.0.0.0) interfaces are deleted
◦ Assets that do not have an interface that can be primary are deleted
◦ If a network interface has no name, Skybox generates a name of the form nif<n>
• Routing rule gateways:
◦ If a routing rule has a zero gateway (0.0.0.0) and non-zero gateways, the zero gateway is deleted
◦ If a routing rule does not have gateways, a zero gateway is added
• Assets:
◦ If an asset has no name, Skybox generates a name of the form host<n>
◦ If an asset has duplicate services, the duplicates are deleted
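The normalization rules listed above, applied to an update model, as an added Python illustration. This is not Skybox code: the dict layout of the update model and the sample data are constructed; how a Loopback interface and a primary-capable interface are recognised is an assumption; and the "attached to the correct network" step is left out because it needs the network list.

```python
"""Normalizing an update model before the merge, following the rules listed
in the guide. Added illustration, not Skybox code: the dict layout and the
sample data are constructed, and the loopback / primary-interface tests are
assumptions. Attaching interfaces to their networks is not shown."""
import copy
import time

ZERO = '0.0.0.0'


def _is_loopback(iface):
    # Assumption: recognised by an "lo" name prefix or a 127/8 address.
    return iface.get('name', '').lower().startswith('lo') or iface.get('ip', '').startswith('127.')


def _can_be_primary(iface):
    # Assumption: a primary interface needs a real address and is not the loopback.
    return iface.get('ip', ZERO) != ZERO and iface.get('type') != 'LOOPBACK'


def normalize(update):
    """Return a normalized deep copy of the update model."""
    m = copy.deepcopy(update)
    now = int(time.time())
    for net in m.get('networks', []):
        if net.get('status', 'UNKNOWN') == 'UNKNOWN':
            net['status'] = 'UP'
    kept = []
    for i, asset in enumerate(m.get('assets', [])):
        if not asset.get('name'):
            asset['name'] = f'host{i}'                  # host<n>
        if asset.get('discovery_method') is None:
            asset['discovery_method'] = 'UNKNOWN'
        if asset.get('scan_time') is None:
            asset['scan_time'] = now
        # Services: default scan time and drop duplicates (same protocol/port).
        seen, services = set(), []
        for svc in asset.get('services', []):
            key = (svc.get('protocol'), svc.get('port'))
            if key in seen:
                continue
            seen.add(key)
            if svc.get('scan_time') is None:
                svc['scan_time'] = now
            services.append(svc)
        asset['services'] = services
        # Interfaces: empty (0.0.0.0) ones are deleted, types and names filled in.
        empty_names, ifaces = set(), []
        for j, iface in enumerate(asset.get('interfaces', [])):
            if iface.get('ip', ZERO) == ZERO:
                if iface.get('name'):
                    empty_names.add(iface['name'])
                continue
            if not iface.get('type'):
                iface['type'] = 'LOOPBACK' if _is_loopback(iface) else 'ETHERNET'
            if not iface.get('name'):
                iface['name'] = f'nif{j}'                # nif<n>
            ifaces.append(iface)
        asset['interfaces'] = ifaces
        if not any(_can_be_primary(f) for f in ifaces):
            continue                                    # asset deleted
        # Access rules attached only to deleted (empty) interfaces are deleted.
        rules = []
        for rule in asset.get('access_rules', []):
            bound = set(rule.get('interfaces', []))
            if bound and bound <= empty_names:
                continue
            if rule.get('discovery_method') is None:
                rule['discovery_method'] = 'UNKNOWN'
            rules.append(rule)
        asset['access_rules'] = rules
        # Routing rules: drop a zero gateway beside real ones, add one if none.
        for rule in asset.get('routing_rules', []):
            if rule.get('discovery_method') is None:
                rule['discovery_method'] = 'UNKNOWN'
            nonzero = [g for g in rule.get('gateways', []) if g != ZERO]
            rule['gateways'] = nonzero if nonzero else [ZERO]
        kept.append(asset)
    m['assets'] = kept
    return m


# Constructed update model exercising each rule.
SAMPLE_UPDATE = {
    'networks': [{'ip': '10.0.0.0', 'mask': '255.255.255.0', 'status': 'UNKNOWN'}],
    'assets': [
        {'interfaces': [{'name': 'lo0', 'ip': '127.0.0.1'},
                        {'ip': '10.0.0.5'},
                        {'name': 'eth9', 'ip': ZERO}],
         'services': [{'protocol': 'tcp', 'port': 22}, {'protocol': 'tcp', 'port': 22}],
         'access_rules': [{'interfaces': ['eth9'], 'action': 'allow'},
                          {'interfaces': [], 'action': 'deny'}],
         'routing_rules': [{'gateways': [ZERO, '10.0.0.1']}, {'gateways': []}]},
        {'name': 'ghost', 'interfaces': [{'name': 'eth0', 'ip': ZERO}]},
    ],
}

if __name__ == '__main__':
    import json
    print(json.dumps(normalize(SAMPLE_UPDATE), indent=1))
```

In the sample, the unnamed asset becomes host0, its unnamed 10.0.0.5 interface becomes nif1 of type ETHERNET, the rule bound only to the empty eth9 disappears, and the "ghost" asset is dropped because no remaining interface can be primary.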
After the data in the update model is normalized, Skybox performs the following resolutions:
• Patch identification: Each patch is assigned to a service product (using product banner matching)
• Asset type deduction: The type of each asset is deduced from the services running on the asset
• Operating system fingerprints translation: The operating system banner is matched to the appropriate service definition
• Product banner translation: Service banners are analyzed to find a match in the Skybox Vulnerability Dictionary
• Product catalog ID resolution: Product catalog IDs are resolved using the Skybox Vulnerability Dictionary
• Vulnerability occurrence matching:
◦ Some vulnerability occurrences are discovered indirectly by scanners and then assigned incorrectly. For example, a scanner grabs information about an asset's services via SNMP and assigns the vulnerability occurrences found to SNMP; these vulnerability occurrences must be matched to the correct service.
◦ Some scanners do not report which services are vulnerable; they provide 2 separate lists—all vulnerability occurrences found on the asset and all services found on the asset—you must create the link between services and vulnerability occurrences.
Identifying entities in the base model
Each type of entity has different criteria for identification. For example:
• Most types of networks are identified by IP address and netmask.
• Assets are identified by their network interfaces.
When you import an asset, Skybox decides whether the asset is already in the model by looking for an asset with a network interface with the same IP address that is not of type Virtual, Loopback, Tunnel, or LoadBalancer.
• Services on the same asset are identified by their ports.
If an entity in the update model is new (is not in the base model), it is added directly to the base model, without going through the final step (entity merge).
Merging entities
If an entity in the update model is already in the base model, there are 2 ways to merge the data:
- The information in the 2 models is combined
- The information in the base model is replaced by the information in the update model
Although the methods for merging each entity type are different, the main criteria for the merge are:
- Reliability of source
For example, imported gateway configurations are considered the most reliable source. Data retrieved from SNMP is considered more reliable than data retrieved by a network scan because it usually contains more detailed information about service and network configuration of the asset.
If the source of the base model data is more reliable (more accurate and more complete) than the source of the update data, either no data is merged or only new information from the update model is merged.
The properties in the discovery properties (Server & Collector) section of <Skybox_Home>\<component>\conf\sb_common.properties (<component> is server or collector) define the order of source reliability for different entities.
- Time
Newer data is preferred to older data. Time is measured according to the Scan Time timestamp.
- Completeness
Some data is better than none.
If the data in the update model for an entity is older, less reliable, or less complete than the data in the base model, the data from the update model is discarded and the entity in the base model is not changed.
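The following Python model is an added illustration of the three merge criteria above (reliability, then time, then completeness) applied to one entity that exists in both models; it is not Skybox's own code or its exact algorithm. The reliability order, the property names and the records are constructed; the real order comes from the discovery properties in sb_common.properties, which this example does not read.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed reliability order, most reliable first. It stands in for the
# discovery-properties order in sb_common.properties, which this example does
# not read; the names are discovery methods mentioned in the guide.
RELIABILITY_ORDER = ["CONFIG", "SNMP", "SCAN"]


@dataclass
class EntityData:
    source: str                                 # discovery method that produced the data
    scan_time: datetime                         # the Scan Time timestamp
    fields: dict = field(default_factory=dict)  # known properties of the entity


def reliability_rank(source: str) -> int:
    """Lower is more reliable; a source missing from the order ranks last."""
    if source in RELIABILITY_ORDER:
        return RELIABILITY_ORDER.index(source)
    return len(RELIABILITY_ORDER)


def completeness(data: EntityData) -> int:
    """Completeness, approximated as the number of non-empty properties."""
    return sum(1 for v in data.fields.values() if v not in (None, "", [], {}))


def merge_decision(base: EntityData, update: EntityData) -> str:
    """Decide 'replace', 'combine' (base kept, gaps filled) or 'discard'.

    Reliability is checked first, then time, then completeness.
    """
    base_rank, update_rank = reliability_rank(base.source), reliability_rank(update.source)
    if update_rank < base_rank:
        return "replace"    # a more reliable source overwrites the base data
    if update_rank > base_rank:
        return "combine"    # base is more reliable: take only new information
    if update.scan_time > base.scan_time:
        return "replace"    # same reliability: newer data is preferred
    if update.scan_time == base.scan_time and completeness(update) > completeness(base):
        return "combine"    # same age: some data is better than none
    return "discard"        # older or no better: the base entity is unchanged


def merge_entity(base: EntityData, update: EntityData) -> EntityData:
    """Apply the decision and return the entity as it would be in the base model."""
    decision = merge_decision(base, update)
    if decision == "replace":
        return EntityData(update.source, update.scan_time, dict(update.fields))
    if decision == "combine":
        merged = dict(base.fields)
        for key, value in update.fields.items():
            if merged.get(key) in (None, "", [], {}):   # fill gaps only, never overwrite
                merged[key] = value
        return EntityData(base.source, base.scan_time, merged)
    return base


def example_records() -> dict:
    """Constructed records for one asset seen by different discovery methods."""
    return {
        "base": EntityData("SNMP", datetime(2022, 3, 1), {"os": "Linux", "banner": ""}),
        "scan": EntityData("SCAN", datetime(2022, 3, 5), {"os": "Linux 5.4", "banner": "OpenSSH 8.2"}),
        "config": EntityData("CONFIG", datetime(2022, 2, 1), {"os": "IOS 15"}),
        "old_snmp": EntityData("SNMP", datetime(2022, 1, 1), {"os": "Linux", "banner": "sshd"}),
        "new_snmp": EntityData("SNMP", datetime(2022, 4, 1), {"os": "Linux 5.10"}),
    }


if __name__ == "__main__":
    r = example_records()
    for name in ("scan", "config", "old_snmp", "new_snmp"):
        print(name, merge_decision(r["base"], r[name]), merge_entity(r["base"], r[name]).fields)
```

Note that an imported configuration replaces SNMP data even when it is older, because reliability is compared before time; a newer scan against SNMP data only fills in properties the base model lacked.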
Merging assets
Skybox uses the following network interface types to identify assets:
- NAT
- Ethernet
- WLAN
- TokenRing
- PPP
- Slip
- Other
- Serial
- Tunnel
Skybox does not use Virtual, Loopback, and LoadBalancer network interfaces for identification.
Note: When you import asset information, an asset that has different (dynamic) IP addresses in the 2 models is not merged. To ensure that all asset data is merged, use Merge assets by WINS name in the offline file import and online collection tasks. If you select this option, the process looks for identical WINS names for merged assets and, only if not found, falls back to comparing IP addresses.
When Skybox decides that an asset in the base model and an asset in the update model are the same asset, all elements of the asset are merged, including:
- Network interfaces
- Routing rules
- Access rules
- Services
- Vulnerability occurrences
Each element is merged separately, based on reliability, time, and completeness (see Merging entities).
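As an added example (not Skybox code), the following Python function models how an imported asset is matched against the base model: only interfaces of an identifying type take part in the IP comparison, and with the Merge assets by WINS name option an identical WINS name is tried first, falling back to IP comparison only if no name matches. The base model and scanned assets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Interface types that identify an asset, as listed in the guide.
IDENTIFYING_TYPES = {"NAT", "Ethernet", "WLAN", "TokenRing", "PPP",
                     "Slip", "Other", "Serial", "Tunnel"}
# Virtual, Loopback and LoadBalancer interfaces are never used for identification.


@dataclass
class Interface:
    ip: str
    kind: str          # an identifying type above, or Virtual/Loopback/LoadBalancer


@dataclass
class Asset:
    name: str
    interfaces: List[Interface]
    wins_name: Optional[str] = None   # only present when the data source reports one


def identifying_ips(asset: Asset) -> set:
    """IP addresses on interfaces whose type is used for identification."""
    return {i.ip for i in asset.interfaces if i.kind in IDENTIFYING_TYPES}


def find_base_asset(base_assets, update_asset, merge_by_wins_name=False):
    """Return the base-model asset that the update asset is, or None if it is new.

    With merge_by_wins_name, identical WINS names are tried first and IP
    comparison is the fallback, as the import option is described above.
    """
    if merge_by_wins_name and update_asset.wins_name:
        for base in base_assets:
            if base.wins_name == update_asset.wins_name:
                return base
    update_ips = identifying_ips(update_asset)
    for base in base_assets:
        if identifying_ips(base) & update_ips:
            return base
    return None


def example_model() -> list:
    """Constructed base model: a file server and a laptop on a dynamic address."""
    file_server = Asset("fs01", [Interface("10.1.0.5", "Ethernet"),
                                 Interface("127.0.0.1", "Loopback")], "FS01")
    laptop = Asset("host12", [Interface("10.1.0.77", "WLAN")], "LAPTOP-A")
    return [file_server, laptop]


if __name__ == "__main__":
    base = example_model()
    moved = Asset("scan-3", [Interface("10.1.0.99", "WLAN")], "LAPTOP-A")
    print(find_base_asset(base, moved))                            # None: new asset created
    print(find_base_asset(base, moved, merge_by_wins_name=True))   # the existing laptop
```

The laptop case is the one the note above warns about: after a DHCP lease change the IP comparison finds nothing and a duplicate asset would be created, while the WINS name still identifies it.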
Network interfaces
Interfaces are merged according to reliability and time. If the discovery method in the update model uses CONFIG or SNMP, which are considered the most reliable sources, the interfaces in the update model overwrite those in the base model. Otherwise, the interfaces are merged with those in the base model.
Note: If you work with routers, the default behavior of the merge is to disconnect manually connected network interfaces. To prevent this, set the Network of the network interface to Locked before the routers are updated.
Routing rules
When routing rules are merged, the whole routing table is considered; single routing rules are not merged separately. Routing tables are merged according to reliability and time.
- If the routing table in the update model is more reliable or newer, it overwrites the routing table in the base model.
- If the base asset does not have a routing table, the routing table of the asset in the update model is merged.
Access rules
When access rules are merged, only ACLs are considered; single access rules are not merged separately. ACLs are merged according to reliability and time.
If the ACL in the update model asset is more reliable or newer, its access rules overwrite those in the base model.
Persistent access rules
Persistent access rules are manually created access rules that are used to compensate for access rules that Skybox cannot model (for example, iRules). You add them directly after the rule that they follow on the device. Persistent rules are not overwritten when access rules are merged.
A persistent access rule is enabled while the access rule that it follows on the device (the parent rule) is enabled. If the parent rule is disabled or deleted during an import, the persistent access rule is also disabled.
Services
When the services of 2 assets are merged, the process adds services that are not in the base asset and merges the data of services that are in the base model. The vulnerability occurrences attached to the services are also merged.
Vulnerability occurrences
New vulnerability occurrences on the updated asset’s services are added to the base model. If a vulnerability occurrence is in the base model, the vulnerability occurrence data is merged.
Merging assets manually
Rarely, Skybox cannot identify that a scanned asset is an existing asset; Skybox creates an asset in the model. This usually occurs if:
- An asset is renamed: If Skybox cannot verify that the new asset matches the existing asset with the previous name, it creates an asset with the new name.
- An asset is scanned at different times by different interfaces: On the original scan, this asset was created in the model with a single IP address. On a subsequent scan it was identified with a different IP address, and a separate asset is created. In fact, it is 1 asset with 2 IP addresses.
If an asset is merged incorrectly, you can merge it manually.
To merge 2 assets manually
1. Display both assets in the workspace. For example, if both assets are firewalls, use the All Network Devices > Firewalls node.
2. Select both assets, right-click, and select Merge to Single Asset.
The asset with the older modification date is selected as primary, and the secondary asset is merged with it in the standard way.
Note: When assets are merged manually, Rule Usage Analysis information is not merged; the Rule Usage information from the 1st asset that is imported into the model is retained.
Merging networks
Regular and link networks are identified by IP address and netmask.
Some types of networks have slightly different rules for identification because an IP address and netmask cannot identify them:
- Tunnel networks and Secure VPNs are identified by the IP addresses of their endpoints.
  - For information about tunnel properties, see the Networks topic in the Skybox Reference Guide.
- Connecting Clouds are identified by name.
- Perimeter Clouds are identified by IP address and netmask. If necessary, the cloud name is also used.
The following rules are applied when merging networks:
- New networks are added directly to the base model.
- If the network in the base model contains the updated network, the network is not added.
- Network segments are merged in the context of their networks. Network segments are identified by their network and their name.
- When merging networks, the scan time and the discovery method are ignored.
Skybox uses a different method to handle networks that have identical or overlapping addresses or netmasks, so that the networks are not accidentally merged. For information about how overlapping networks are merged, see Merging overlapping networks.
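The identification and merge rules for networks above, as an added Python example that is not Skybox's own code. Networks are constructed dictionaries with a "type" field; the identity key depends on the type (IP address and netmask, endpoint addresses, or name), an update that an existing network of the same type already contains is not added, and scan time and discovery method play no part. The handling of overlapping networks mentioned in the last paragraph is not modelled here.

```python
import ipaddress

# Network types identified by IP address and netmask (constructed type names).
ADDRESS_TYPES = {"Regular", "Link", "Perimeter Cloud"}


def network_key(net: dict):
    """Identity of a network, per type, as described above."""
    kind = net["type"]
    if kind in ("Regular", "Link"):
        return (kind, str(ipaddress.ip_network(net["cidr"], strict=False)))
    if kind == "Perimeter Cloud":
        # IP address and netmask; this example always adds the cloud name as well
        return (kind, str(ipaddress.ip_network(net["cidr"], strict=False)), net.get("name"))
    if kind in ("Tunnel", "Secure VPN"):
        return (kind, frozenset(net["endpoints"]))   # endpoint order does not matter
    if kind == "Connecting Cloud":
        return (kind, net["name"])
    raise ValueError(f"unknown network type: {kind}")


def contained_in_base(net: dict, base: list) -> bool:
    """True if a base network of the same type already covers this address range."""
    if net["type"] not in ADDRESS_TYPES:
        return False
    candidate = ipaddress.ip_network(net["cidr"], strict=False)
    for other in base:
        if other["type"] != net["type"]:
            continue
        existing = ipaddress.ip_network(other["cidr"], strict=False)
        if existing.version == candidate.version and existing.supernet_of(candidate):
            return True
    return False


def merge_networks(base: list, updates: list):
    """Return (merged base, names added, names skipped).

    Scan time and discovery method are ignored, as the rules above state.
    """
    merged = list(base)
    keys = {network_key(n) for n in merged}
    added, skipped = [], []
    for upd in updates:
        key = network_key(upd)
        if key in keys or contained_in_base(upd, merged):
            skipped.append(upd["name"])     # already in, or covered by, the base model
            continue
        merged.append(upd)
        keys.add(key)
        added.append(upd["name"])
    return merged, added, skipped


def example_models():
    """Constructed base model and update model."""
    base = [
        {"type": "Regular", "name": "lan", "cidr": "10.0.0.0/24"},
        {"type": "Tunnel", "name": "vpn-a", "endpoints": ["203.0.113.1", "198.51.100.1"]},
    ]
    updates = [
        {"type": "Regular", "name": "lan-half", "cidr": "10.0.0.0/25"},   # contained in lan
        {"type": "Regular", "name": "dmz", "cidr": "10.0.1.0/24"},        # new
        {"type": "Tunnel", "name": "vpn-a-again",
         "endpoints": ["198.51.100.1", "203.0.113.1"]},                    # same endpoints
        {"type": "Connecting Cloud", "name": "Internet"},                  # new, by name
    ]
    return base, updates


if __name__ == "__main__":
    base, updates = example_models()
    _, added, skipped = merge_networks(base, updates)
    print("added:", added, "skipped:", skipped)
```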
Merging link networks when each part is in a separate location
A link network is a network whose only assets are gateways (network devices) that connect networks. If a link network consists of gateways that are in 2 different locations and were imported with different location hints, the merge assigns each part of the link network to its own location as a separate (but incomplete) network and does not know how to connect them. In effect, overlapping networks are created instead of a single network.
Manual action is required when merging link networks.
To merge a link network
1. Manually delete all duplicate overlapping link networks.
2. Move the remaining network to the parent location.
If the network has no parent location, move it to the root location.
3. Run the import again.
Using clouds as Threat Origins
Possible access from Threat Origins to Business Asset Groups and assets is translated by the attack simulator into attacks and risk. Under normal circumstances, when Skybox uses clouds as Threat Origins, the risk is not affected by the number of source IP addresses in the cloud that can initiate the attack; a possible attack from any IP address and a possible attack from a single IP address are assigned the same risk.
You can differentiate between these 2 types of attacks in 2 different ways:
- You can configure Threat Origins that are in clouds so that during attack simulation, Skybox assigns a lower risk for few source IP addresses and a higher risk for many source addresses.
- You can create 2 Threat Origins for a cloud, one that develops attacks from wide ranges of source IP addresses of the cloud and one that develops attacks only from specific addresses (that is, from small address ranges; for example, IP addresses permitted for secure protocols over the internet). The 1st Threat Origin (wide address ranges) is typically assigned a relatively high likelihood; the 2nd Threat Origin (specific addresses only) is typically assigned a lower likelihood. If you assign each Threat Origin to a different Threat Origin Category, the exposure and risk for each Threat Origin is separate.
To specify cloud addresses to use for a Threat Origin
1. In the Table pane, right-click the Threat Origin and select Properties.
2. In the Advanced tab, select the type of cloud IP address ranges to use in an attack from this Threat Origin from Cloud Source Addresses.
3. If you select All addresses and you want attacks from specific IP addresses to have a lower risk than those from wide address ranges, select Lower Likelihood for Attacks from Specific Addresses.
Advanced dependency rules
This section explains how advanced dependency rules work in Skybox.
Implicit dependencies
Implicit dependency means that both:
- A security loss (confidentiality, integrity, or availability) on a Business Asset Group member implies the same type of security loss on the Business Asset Group
- An integrity loss on a Business Asset Group member implies an availability and confidentiality security loss on the Business Asset Group
An implicit dependency is created when you assign assets to a Business Asset Group. However, you can change the dependency between the Business Asset Group and its assets to:
- Simple: A security loss (confidentiality, integrity, or availability) on a member implies the same type of security loss on the Business Asset Group.
- None: This method of describing the dependency is not sufficient and you want to specify (using explicit dependency rules) how a security loss on each of the Business Asset Group members affects the Business Asset Group.
To change the implicit dependency of a Business Asset Group
1. In the Business Units & Asset Groups folder of the Model tree, locate the Business Asset Group.
2. Right-click the Business Asset Group and select Properties.
3. In the <Business Asset Group name> Properties dialog box, set Member Dependency.
If you change the value to None, define explicit dependency rules for each Business Asset Group.
4. Click OK.
Explicit dependency rules
You can use explicit dependency rules for the following purposes:
- To define a dependency of Business Asset Groups on infrastructure elements
For example, when an e-business application depends on the DNS server
- To define dependencies between Business Asset Groups
For example, when the availability of one Business Asset Group depends on the availability of another Business Asset Group
- To define dependencies between assets (or between assets and Business Asset Groups)
For example, to express that the confidentiality loss of a sensitive server potentially compromises a different server in your organization
- To define explicit dependency rules for each asset, if one implicit dependency rule does not match all assets on a Business Asset Group
You can use simple dependency rules to create complex dependency situations. For example:
- Z depends on Y.
- Y depends on W and X.
- Based on these 2 rules, a security loss on X indirectly causes a security loss on Z.
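As an added example (not Skybox code), the following Python model shows how security losses propagate through implicit and explicit dependencies, including the transitive Z/Y/X case above. A rule is a tuple (source entity, loss on source, dependent entity, loss on dependent); the implicit rules are generated from the Member Dependency setting described above. Modelling an explicit rule "Z depends on Y" as same-type propagation for every loss type is an assumption of this example, since the page does not state which loss types an explicit rule carries.

```python
from collections import deque

LOSS_TYPES = ("confidentiality", "integrity", "availability")


def implicit_rules(group: str, members, mode: str) -> list:
    """Rules generated from a Business Asset Group's Member Dependency setting.

    'Implicit': same-type losses propagate, and an integrity loss on a member
    also implies availability and confidentiality losses on the group.
    'Simple': only same-type losses propagate.
    'None': nothing is generated; explicit rules must describe the dependency.
    """
    rules = []
    for member in members:
        if mode in ("Implicit", "Simple"):
            rules += [(member, loss, group, loss) for loss in LOSS_TYPES]
        if mode == "Implicit":
            rules.append((member, "integrity", group, "availability"))
            rules.append((member, "integrity", group, "confidentiality"))
    return rules


def depends_on(dependent: str, dependency: str, loss_types=LOSS_TYPES) -> list:
    """Explicit rule 'dependent depends on dependency'.

    Assumption of this example: a loss of each listed type on the dependency
    implies the same loss type on the dependent.
    """
    return [(dependency, loss, dependent, loss) for loss in loss_types]


def propagate(initial_losses, rules) -> set:
    """Closure of (entity, loss type) pairs reachable from the initial losses.

    The search is transitive, so with Z depending on Y and Y on X a loss on X
    reaches Z; each pair is visited once, so cyclic dependencies terminate.
    """
    successors = {}
    for src, src_loss, dst, dst_loss in rules:
        successors.setdefault((src, src_loss), []).append((dst, dst_loss))
    reached = set(initial_losses)
    queue = deque(reached)
    while queue:
        current = queue.popleft()
        for nxt in successors.get(current, ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def affected_entities(initial_losses, rules) -> set:
    """Entities other than the sources that end up with some security loss."""
    sources = {entity for entity, _ in initial_losses}
    return {entity for entity, _ in propagate(initial_losses, rules)} - sources


if __name__ == "__main__":
    rules = depends_on("Z", "Y") + depends_on("Y", "W") + depends_on("Y", "X")
    print(sorted(affected_entities({("X", "availability")}, rules)))   # ['Y', 'Z']
    print(sorted(propagate({("db01", "integrity")},
                           implicit_rules("Finance", ["db01"], "Implicit"))))
```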
To create explicit dependency rules
- In the Model tree, right-click the Dependency Rules node and select New Dependency Rule.
Chapter 22
Additional information about exposure
This chapter provides advanced information about exposure in Skybox.
In this chapter
About attack simulation 170
About risk 171
Risk profiles 175
Risk factors 176
PCI DSS support in Skybox Vulnerability Control 177
About attack simulation
This section provides advanced information about attack simulation.
Data used for attack simulation
Data for simulation is collected from the model and includes:
- Network and routing information
  - Network interfaces
  - Routing rules
  - NAT rules
  - Access rules
- Business information
  - Business Impact rules relating to confidentiality, integrity, and availability
  - Regulations assigned to each Business Asset Group
- Vulnerability occurrences
Note: Skybox only uses vulnerability occurrences with status Found in attack simulation; Skybox does not use vulnerability occurrences with status Ignored or Fixed.
Output of attack simulation
The output of attack simulation is:
- An attack graph, which captures all attack scenarios on your network to the specified Business Asset Groups. Use the Attack Explorer to view maps for selected entities in the model, based on the attack graph.
- Risk levels for Business Asset Groups according to the likelihood and impact of their being attacked.
- Imposed risk levels for Threat Origins and vulnerability occurrences.
- Exposure levels for vulnerability occurrences, including:
  - Direct: Vulnerability occurrences that a Threat Origin can exploit in a single step
  - Indirect: Vulnerability occurrences that a Threat Origin can exploit, but only in multiple steps
  - Protected: Vulnerability occurrences that an attacker cannot access because they are protected by an IPS device
  - Potential: Vulnerability occurrences that have an accessible service, but might not be accessible because of other exploit conditions that cannot be guaranteed (for example, authentication might be required)
  - Inaccessible: Vulnerability occurrences that an attacker cannot access (for example, the vulnerable service is disabled, or the vulnerability occurrence is blocked by a firewall).
  - Excluded: Vulnerability occurrences excluded from attack simulation. (Attack simulation excludes vulnerability occurrences with False Positive, Fixed, or Ignored statuses.)
  - Unknown: Vulnerability occurrences with unknown exposure. The exploit conditions are irrelevant for attack simulation (for example, a browser weakness that might cause damage to a workstation if its user surfs to a hostile website).
  - User interaction: Vulnerability occurrences which require user interaction via email or XSS. Exposure for these vulnerability occurrences is unknown.
- A list of attacks. An attack is a high-level representation of attack scenarios. Each attack has a single Threat Origin and a single destination, which are the starting and ending points of the attack scenarios that it represents. The destination can be an asset or a Business Asset Group.
The Attack Explorer is based on the attack graph and enables you to understand the steps that would be taken in specific attacks. Skybox’s summary graphs and tables, analyses, and reports about exposure are also based on the output of attack simulation.
Attack simulation from clouds
Sometimes, access from clouds is permitted for a few source IP addresses. This access is permitted for management purposes or for providing services for specific users (for example, IP addresses that are permitted for secure protocols over the internet).
If you use such a cloud as a Threat Origin, access from these IP addresses is translated by the attack simulator into attacks and risk.
Note: The default settings for Threat Origins assign the same risk to an attack from any IP address and an attack from a few addresses.
You can configure Threat Origins in clouds so that during attack simulation, Skybox assigns a lower risk for few source IP addresses and a higher risk for many source addresses.
About risk
This section provides advanced information about risk on various entities, including the information that Skybox uses to calculate the risk and options for displaying the risk values.
Risk formula
This section describes the risk formula for a Business Asset Group—risk for most other entities is based on the risk to the Business Asset Groups.
The risk for a Business Asset Group depends on 2 factors:
- The likelihood of successfully attacking the Business Asset Group
- The potential damage caused by the security loss
Formally, Risk = Impact * Likelihood.
Impact
The impact of a security loss is part of the user input to the security model. The impact can be a Business Impact or a Regulation (a compromise to a security-related regulation) and includes damage rules for each type of security loss (confidentiality, integrity, and availability), associating with the loss type an estimation of the potential damage. You can specify the damage as an explicit monetary value or as a level on a 5-level scale (very low, low, medium, high, critical); each level represents the monetary value of the damage.
Likelihood of attack
The likelihood of an attack damaging a Business Asset Group is calculated separately for each of the impact rules of the Business Asset Group.
To compute the likelihood of causing the damage specified by an impact rule on a Business Asset Group, the system examines every attack path from the Threat Origins that can cause the security loss specified by the impact rule (for example, an availability loss of the Business Asset Group). Each attack path starts at a Threat Origin and includes a sequence of attack steps that can cause the security loss. An attack step is either the exploitation of a vulnerability occurrence or the legitimate use of a service. The computation of the attack path likelihood considers:
- The likelihood that an attack is initiated from the Threat Origin (as estimated by the user who defined the Threat Origin)
- The number of attack steps in the attack path
- The likelihood of success of each of the attack steps
The likelihood of successfully exploiting a vulnerability occurrence is calculated using:
  - The difficulty of exploiting the vulnerability occurrence. Greater difficulty leads to a lower success probability. The exploitation difficulty is a property of each Vulnerability Definition in the Skybox Vulnerability Dictionary.
  - The skill of the attacker (as estimated by the definer of the Threat Origin). A higher skill level has a higher probability of success.
  - The prevalence of the vulnerability occurrence. A Vulnerability Definition that is known to be popular among hackers has a higher success probability.
Computing the likelihood of an attack path involves multiplying the Threat Origin likelihood by the probabilities of the attack steps along the attack path.
If a damage specified by a Business Impact or Regulation can be caused by multiple attack paths, the likelihood of causing the damage is set as the likelihood of the most probable attack path (the path with the highest likelihood).
How risk is defined for each type of entity
Business Asset Groups
A Business Asset Group might be at risk because of attack paths leading to exploitable vulnerability occurrences that are found on the Business Asset Group’s assets or on assets on which the Business Asset Group depends. The risk for a Business Asset Group is the maximum of all risks of attack on that Business Asset Group.
In the risk formula (Risk = Impact * Likelihood), the impact for a Business Asset Group is derived from the Business Impacts and Regulations configured for that Business Asset Group. The likelihood to attack a Business Asset Group is considered very low if no attacks are found. If attacks are found, the likelihood depends on the difficulty of the attacks (for example, the number of attack steps and the existence of tools for exploiting the vulnerability occurrences).
Business Units
Risk for a Business Unit is the aggregated risk (sum) of attack for all Business Asset Groups of the Business Unit.
Business Impacts and Regulations
Risk for a Business Impact or Regulation is the risk to the Business Impact or Regulation based on the risk of its Business Asset Groups. The risk is calculated by aggregating the risks of the Business Asset Groups affected by this Impact.
Threat Origins
Risk for a Threat Origin is the risk that the Threat Origin poses to your organization due to its ability to exploit vulnerability occurrences and attack Business Asset Groups.
The risk (imposed risk) is the sum of all risks imposed by the selected Threat Origin on all Business Asset Groups configured in the system.
Note: A Threat Origin can impose a risk on a Business Asset Group only if an attack path leads from the Threat Origin to the Business Asset Group.
Attacks
Risk for an attack is the risk that a Threat Origin poses to a Business Asset Group. Each attack consists of a source Threat Origin and a destination Business Asset Group or asset. Factors that make up the attack risk include the different ways to attack the destination from the source (the attack scenarios), the likelihood that these attack scenarios might be used, and the different damages that the attack scenarios can cause.
Vulnerability occurrences
Risk for a vulnerability occurrence (or a Vulnerability Definition) is the risk that the vulnerability occurrence poses to your organization because it has the potential to be exploited to damage Business Asset Groups.
Each vulnerability occurrence is assigned an imposed risk derived from 2 factors:
- Risk imposed because the vulnerability occurrence participates in attacks
- Risk imposed because the vulnerability occurrences are on assets, even though there are no attack paths that can be exploited
The combination of these factors is the total risk of the vulnerability occurrence.
Note: Even vulnerability occurrences that are not on an asset in a Business Asset Group pose a risk to that Business Asset Group if they can be used as part of an attack on it.
The imposed risk creates a differentiation between vulnerability occurrences:
- Exposed vulnerability occurrences (directly or indirectly) that do not cause security loss of Business Asset Groups are usually assigned a very low risk.
- Vulnerability occurrences that are exposed and can cause damage are assigned a high risk, based on the damage values and the likelihood of achieving these damages.
For example, a vulnerability occurrence is directly exposed to a Threat Origin, but its imposed risk is very limited because it does not cause a subsequent attack on a major IT asset; another vulnerability occurrence has a high imposed risk because it can be used to attack a payment system. Both vulnerability occurrences have high severity (the attacker can use them to achieve control), but the consequences of achieving control are very different.
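The risk formula section (attack path likelihood as the Threat Origin likelihood multiplied by the step probabilities, the most probable path deciding the damage likelihood, Risk = Impact * Likelihood) and the per-entity rules above (Business Asset Group risk as the maximum over its risk factors, Business Unit risk and Threat Origin imposed risk as sums over groups) are worked through in the following added Python example. It is not Skybox code: the step success probabilities are given as inputs rather than derived from difficulty, skill and prevalence, which the page describes only qualitatively, and the damage values and attack paths are constructed; the Threat Origin and group names are taken from the risk factor example later in this chapter.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class AttackPath:
    threat_origin: str
    origin_likelihood: float   # likelihood that an attack is initiated (set by the Threat Origin's definer)
    step_success: List[float]  # success probability of each step (exploit or legitimate service use)
    target_group: str          # Business Asset Group that suffers the loss
    loss_type: str             # confidentiality, integrity or availability


@dataclass
class ImpactRule:
    group: str
    name: str                  # Business Impact or Regulation name
    loss_type: str
    damage: float              # constructed monetary damage estimate


@dataclass
class RiskFactor:
    source: str                # Threat Origin
    target: str                # Business Asset Group
    impact_name: str
    risk: float


def path_likelihood(path: AttackPath) -> float:
    """Threat Origin likelihood multiplied by the probability of every attack step."""
    likelihood = path.origin_likelihood
    for p in path.step_success:
        likelihood *= p
    return likelihood


def damage_likelihood(paths, origin, group, loss_type) -> float:
    """Likelihood of the most probable path from origin causing this loss; 0 if none."""
    return max((path_likelihood(p) for p in paths
                if p.threat_origin == origin and p.target_group == group
                and p.loss_type == loss_type), default=0.0)


def risk_factors(paths, impact_rules) -> List[RiskFactor]:
    """One factor per (Threat Origin, group, impact rule) with Risk = Impact * Likelihood."""
    factors = []
    origins = sorted({p.threat_origin for p in paths})
    for rule in impact_rules:
        for origin in origins:
            likelihood = damage_likelihood(paths, origin, rule.group, rule.loss_type)
            if likelihood > 0:   # a factor exists only if an attack path leads to the group
                factors.append(RiskFactor(origin, rule.group, rule.name, rule.damage * likelihood))
    return factors


def group_risk(factors, group) -> float:
    """Business Asset Group risk: maximum over its risk factors."""
    return max((f.risk for f in factors if f.target == group), default=0.0)


def unit_risk(factors, groups) -> float:
    """Business Unit risk: sum of the risks of its Business Asset Groups."""
    return sum(group_risk(factors, g) for g in groups)


def threat_origin_risk(factors, origin, groups) -> float:
    """Imposed risk: sum over groups of the risk this Threat Origin imposes on each."""
    return sum(max((f.risk for f in factors if f.source == origin and f.target == g), default=0.0)
               for g in groups)


def example_scenario():
    """Constructed inputs: two paths to the finance group, one to a web group."""
    finance, web = "Back End Finance Application Servers", "Web Servers"
    paths = [
        AttackPath("Internet Hacker", 0.8, [0.5, 0.4], finance, "confidentiality"),  # 0.16
        AttackPath("Internet Hacker", 0.8, [0.3], finance, "confidentiality"),       # 0.24, wins
        AttackPath("Internet Hacker", 0.8, [0.5], web, "availability"),              # 0.40
    ]
    rules = [
        ImpactRule(finance, "Financial Information Confidentiality", "confidentiality", 100000),
        ImpactRule(web, "Site Availability", "availability", 50000),
    ]
    return paths, rules


if __name__ == "__main__":
    paths, rules = example_scenario()
    for f in risk_factors(paths, rules):
        print(f.source, "->", f.target, f.impact_name, round(f.risk))
```

The shorter path wins for the finance group even though the longer one starts from the same Threat Origin, which is the "most probable attack path" rule; a group with no path keeps a risk of 0 here, standing in for the "very low" likelihood the guide assigns when no attacks are found.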
Display of risk values
Risk values in Skybox are usually displayed as levels (undefined, very low, low, medium, high,or critical), using a color scale.
Instead of displaying the risk values as levels, you can display them:
- As monetary values
Monetary risk values are approximate values that enable comparison between risks of different entities at a higher resolution than with levels or scores. They are not intended to represent actual monetary values.
- Using a score of 0-100
Note: Admins can modify the mapping between levels or scores and monetary values to match your organization’s range of damage values.
Specify how risk values are displayed in the Options dialog box (navigate to Tools > Options > Manager Options > Risks Configuration and then set Risk Value Style).
Risk profiles
The risk profile for an entity shows the major components that contribute to the risk for that entity.
You can view risk profiles for:
- Business Units and Business Asset Groups
- Business Impacts and Regulations
- Vulnerability occurrences
To view the risk profile for an entity
- Select the entity in the Table pane and click the Risk Profile tab in the Details pane.
Risk for Business Units and Business Asset Groups is caused by attacks from Threat Origins. The risk profile of a Business Unit or a Business Asset Group shows the risk from all sources (that is, the total risk), followed by the risk from each Threat Origin Category.
Risk for Business Impacts and Regulations is caused by Business Asset Groups that are affected by the Business Impact or Regulation. The risk profile of a Business Impact or Regulation shows the risk from all sources, followed by the risk from each Business Asset Group.
The risk profile of a vulnerability occurrence shows:
- The Business Asset Groups (and Business Units) that the vulnerability occurrence could be used to attack.
- The risk from each Threat Origin Category that could be used to exploit the vulnerability occurrence.
Risk factors
A risk factor is a risk either to an entity or imposed by an entity. Risk for entities is calculated by computing the maximum risk from all risk factors for the entity. Each risk factor involves a source (Threat Origin), a destination (Business Asset Group or asset), and a Business Impact or Regulation that explains the potential loss from the risk factor.
Risk factors are an advanced property of:
- Business Units
- Business Asset Groups
- Threat Origins
- Attacks
To view the risk factors for an entity
- Select the entity in the Table pane and click the Risk Factors tab in the Details pane. (If necessary, click to display the Risk Factors tab.)
In this example, the Source of the 1st risk factor is Internet Hacker, the Target is Back End Finance Application Servers, the Business Impact Name is Financial Information Confidentiality, and it is high risk. The source and target of all the risk factors are the same, but, because the Business Impact is different for each, the risk is different.
PCI DSS support in Skybox Vulnerability Control
Skybox Vulnerability Control supports PCI DSS Requirement 6.1 (6.2 in PCI DSS v3.2): “Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.”
The Skybox PCI DSS Requirement 6.1 report shows how the network for which the report is issued meets this requirement using compensating controls.
The report includes the following sections:
- Introduction: Describes the requirement, including the compensating controls form. This text follows PCI DSS, Appendix C: Compensating Controls Worksheet.
- System Components: Lists the scope of the report (which Business Asset Groups, networks, and network devices are included).
- Vulnerabilities: Lists the vulnerability occurrences that must be remediated for the network to become compliant with this standard.
- Host Lists: Lists the assets in the scope of the report and states whether the assets are compliant (that is, have no direct, indirect, or unknown vulnerability occurrences) with this standard.
For additional information about this report, see PCI DSS reports.
For information about defining these reports, see the PCI DSS reports topic in the Skybox Reference Guide.
Chapter 23
Skybox analyses
A Skybox analysis is a query about entities in your network.
This chapter describes predefined risk analyses and explains how to create analyses.
In this chapter
Analyses overview 178
Risk analyses 179
Creating an analysis 179
Analyses overview
A Skybox analysis is a query about a type of entity in your network. When you select an analysis, Skybox checks all entities of the selected type to determine whether they meet the specified criteria. Entities that meet the criteria specified in the analysis are listed in the Table pane.
Skybox includes many predefined analyses for common issues; you can create custom analyses to suit your requirements.
The Exposure workspace includes an Analyses node, which you can use to view information about attacks, Business Asset Groups, Business Units, assets, locations, networks, Business Impacts, Regulations, Threat Origins, vulnerability occurrences, Vulnerability Definitions, and products in the deployed product list.
There are also analyses in other workspaces. For example, the Model workspace includes analyses related to the model and analyses that provide validation information about entities in the model.
Risk analyses
Skybox includes predefined risk analyses for all entities that are affected by risk, including attacks, Business Asset Groups, Business Units, vulnerability occurrences, Threat Origins, and Regulations and Business Impacts.
Each predefined risk analysis shows risk for all entities of its type. You can modify predefined analyses or you can create analyses that, for example, focus on specific network scopes or only show risk higher than a specific level.
Each risk analysis shows information about the entities that match the analysis criteria and their associated risk. The information varies according to the type of entity. For example, Business Impacts by Risk shows the name and loss types specified for each Business Impact; Threat Origins by Risk shows attacker information, including location, likelihood to attack, skill, and initial privilege on the attacking machine.
Creating an analysis
Analyses display sets of related data. For example, you might want to list all high-risk vulnerability occurrences on assets that belong to a network, all assets or locations that have vulnerability occurrences, or all Business Asset Groups that have at least a specific number of assets and a specific risk level.
To create an analysis in the Vulnerability Control workspace
1. In the tree, right-click Prioritization Center > Analyses > Private Analyses and then select New > Analysis.
2. In the New Analysis dialog box:
a. Type a Name for the analysis.
b. Select the analysis type.
The Properties pane of the dialog box changes to display the fields for the selected analysis type.
c. Fill in the fields.
d. Click OK.
The analysis is created.
Sometimes, when you create an analysis, the table in which the analysis is displayed is missing information that you want to view. You can display additional columns in the table.
To display additional columns in a table
1. With the analysis open, right-click in the header row of the Table pane and select Customize Current View.
2. In the Customize Current View dialog box, select the information to display and click OK.
A column with this information is added to the right-hand side of the table. You can drag the column header to a more convenient location in the table.
Chapter 24
Access Analyzer
Access Analyzer analyzes access in the network, taking into account access rules, routing rules, assets, and services.
You can use Access Analyzer for many purposes, including verifying connectivity and security in your network (Live model) and in test scenarios (What If model), and for troubleshooting the network.
This chapter explains how to use Access Analyzer.
In this chapter
Creating queries
Access Analyzer output
Creating queries

Access Analyzer works by answering queries about access in your network.

Use the Access Query pane to create queries. The pane contains input fields (including source, destination, and access properties) that tell Access Analyzer the access to verify and the additional factors to consider in the analysis.

Queries created in Access Analyzer are intended for 1-time use only. You cannot reuse a query if you create a different query or close Access Analyzer.
To define a query
1. Click the Access Analyzer button on the toolbar.
2. In Access Analyzer, define the source and the destination.
Note: Source and Destination cannot both be Any.
l For information about all query fields, see the Access Analyzer query fields topic in the Skybox Reference Guide.
3. (For advanced users) To configure additional settings, click the expand control next to Advanced.
To analyze a query
l After filling the query fields, click the Analyze button.

Access Analyzer analyzes access from the source to the destination. The results of the analysis are displayed in the results tree.
Defining the source and the destination
The source and destination of access queries are defined by their scope and the services on which access is verified. The destination can have other defining information.
Defining the scope
The scope of the source specifies the source points for access analysis; the scope of thedestination specifies the destination points for access analysis.
Either scope can include:
l Simple entities, container entities, or a mixture of both
l The value Any:
o Use this value in the source when analyzing the source points that can access a destination.
o Use this value in the destination when analyzing the destinations that can be reached from the specified source point.
To use the Source and Destination Scope dialog box
1. Click the Browse button next to a Scope field.
You must define a specific scope for the source or the destination; they cannot both have the default value of Any.
2. Define the source and destination scopes (as explained in the following procedures).
3. Click OK.
To specify the source scope
1. To use specific entities in the source scope: In Available Entities, select all entities that are part of the scope and click the arrow button to move them to Selected Source.

Note: If you query from a network or a location containing networks, access is analyzed using the IP address ranges of the networks instead of using the assets in the networks. To analyze access using routing rules or access rules on specific assets, select the assets and not the networks containing the assets.
2. To use IP address ranges in the source scope:
a. Click IP Ranges (in the Source area).
b. Specify IP addresses:
l Type an IP address range (or an IP address) directly in Use IP Ranges
l Click the Browse button next to Use IP Ranges to select IP address ranges
c. If you are using an IP address or an IP address range and you want to include the entity to which the IP address or IP address range belongs, click Find Networks. Select a matching network and click Select.

If you select an entity and specify alternate IP address ranges, the analysis starts from the selected entities, but Skybox uses the alternate IP addresses instead of the entity IP addresses.

Note: If you specify IP address ranges without selecting a Source entity, you must select at least one entity in Destination Scope; Skybox then uses the specified IP addresses as source addresses for analyzing access to the selected Destination entity.
To specify the destination scope
1. To use specific entities in the destination scope: In Available Entities, select all entities that are part of the scope and click the arrow button to move them to Selected Destination.
2. To use IP address ranges in the destination scope:
a. Click IP Ranges (in the Destination area).
b. Specify IP addresses:
l Type an IP address range (or an IP address) directly in Use IP Ranges
l Click the Browse button next to Use IP Ranges to select IP address ranges
c. If you are using an IP address or an IP address range and you want to include the entity to which the IP address or IP address range belongs, click Find Networks. Select a matching network and click Select.
Defining the services
By default, access from the source to the destination is verified on all available services. However, you can specify the services on which access is verified for the source or the destination.
To specify services through which access is checked
1. (To specify services for the source) Click the expand control in the Source area.
2. Click the Browse button next to Services.
l By default, the Available Services list is sorted by port. To sort it alphabetically, click the sort button.
l By default, only common service families are displayed. To display all service families, click the show-all button.
3. In the Services dialog box:
l In Available Services, select the source or destination ports and click the arrow button to move them to Selected Services.
l Click the Browse button next to Additional Services to specify additional ports to use when checking access.
4. Click OK.
5. To use all services except those selected, select NOT.
Additional destination options
Usually, you use the destination Scope field to specify the destination scope: a collection of assets or networks that should be reachable by all packets. You can also define a Sending To scope, consisting of IP address ranges. Skybox uses all IP addresses in the ranges that you specify in IP Ranges as destination addresses at the beginning of the access analysis, before network addresses are translated. Services specified in the related Services field are handled similarly.

Note: When you define Sending To properties, the destination Scope and Services fields are named the Arriving At scope and services.

For example, you select Internet as the source Scope, you do not select a destination Scope, and you set the destination IP Ranges to 1.2.3.40-1.2.3.50. This query means "What networks, assets, and services are reached if a packet with a destination in the IP address range 1.2.3.40 to 1.2.3.50 is sent from the internet?"

If you select Arriving At entities and Sending To ranges, access is analyzed using the selected IP address ranges, but only the selected entities are displayed (that is, the selected entities filter the results).
To use the additional destination options
1. In the Access Query pane, click to expand the Destination area.
The original destination scope and services are shown in the Arriving At area, and another area, Sending To, is displayed in the dialog box.
2. Click the Browse button next to IP Ranges.
3. In the IP Ranges dialog box, for each IP address range to use, click Add, type the IP addresses of the range, and click OK.
4. (Optional) Specify services through which to check access:
a. Click the Browse button next to Sending To – Services.
b. In the Services dialog box:
l In Available Services, select services and click the arrow button to move them to Selected Services.
l Click the Browse button next to Additional Services to specify additional destination services to use when checking access.
c. Click OK.
d. To use all services except those selected, select NOT.
Access Analyzer output

The results of the analysis are displayed as a tree in the Results pane (top right) of Access Analyzer. Use the display filters at the top of the pane to specify how the results are displayed in the tree. You can view detailed information for access routes in the Access Route pane (bottom right).
Display filters
The toolbar at the top of the Results pane includes the following display filters:
l Show: The type of entities to display:
o Accessible Destinations: The accessible destinations when using the specified services
o Blocked Destinations: The destinations for which there are blocked routes from the source when using the specified services
When blocked destinations are displayed in the results tree, all names in the tree are italicized.
o Sources Accessing the Destination: The assets that can access the selected destination when using the specified services
o Blocked Sources: The assets for which there are blocked routes to the destination when using the specified services
When blocked sources are displayed in the results tree, all names in the tree are italicized.
l Group by: Specifies whether to group the entities displayed in the results tree by services or by network interfaces.
l Authentication:
o No: Non-authenticated traffic
o Yes: Authenticated traffic
o N/A (Both): Authenticated and non-authenticated traffic
l Entities:
o Model Entities Only: Assets and services that are part of the current model. If these entities are hidden, only the IP address and port ranges are shown.
o Possible IP Ranges: All IP addresses and port ranges that are exposed by firewall access rules, even if they are not in the model.
l Show / Hide locations: Specifies whether to group networks into locations.
l Save Results:
o Save Results as XML: Saves the displayed access results as an XML file.
o Save Results as CSV: Saves the displayed access results as a CSV file.
o Save Route as HTML: Saves the selected access route as an HTML file.
l Reply route toggle: Specifies whether to include the reply route when an Access Route is displayed.
Understanding the results
Most of the analyses of Access Analyzer involve connectivity or security.
l Connectivity queries ascertain whether there is a connection between 2 points in your organization and the route between them.
If there is connectivity between the 2 points, the Results pane shows the assets and services that can be connected, and the Details pane shows how the connection is made. If there is no connectivity, a message to that effect is displayed in the Results pane.
l Security queries verify the access restrictions applied in your organization.
For a security query, the accessible results should contain only the assets and services that are permitted to be exposed. If there are additional assets in the results, these assets can also open a connection to the Destination entity.
For example, to check that no developers have access to finance information (that is, to machines in the Finance Department), analyze access from R&D to the Finance Department (Source = R&D, Destination = Finance Department). If the accessible results are empty, there is no access (as required). If there are results, there is unwanted access; check the Details pane to find the access path, so that you can fix the problem.
Results tree
The top pane of the analysis results contains a results tree. Assets (and IP address ranges) are grouped in the tree by location and then by network. You can expand each asset or IP address range to display its services.
The content of the results tree depends on the display filters that you select.
If you display destinations, you can drill down from a destination asset to display the accessible or blocked services on that asset. If you display source points, you can drill down from a source network to display the gateways that enable or block access.

If you select an asset or a service in the results tree, the Details pane below the results tree shows all potential routes from the source to the destination for the selected entity. If inaccessible entities are displayed in the results tree, the Details pane shows the blocked routes.
Canceling analyses and display of details
You can cancel any action that causes the Results pane or the Details pane to refresh.
To cancel analysis
l Click Cancel at the bottom of the Results pane.

The Cancel button is displayed only while Access Analyzer is analyzing results or details.
Viewing the access route
The Details pane displays the Access Route from the selected source to the destination (or from the source to the selected destination, if displaying results by destination). You can view the route in step-by-step text format or in the Network Map. For each route, the 1st step is the source and the final step is the destination; all hops are shown.

You can use the following controls to specify how the results are displayed:

l Route selector: Enables you to switch between multiple routes.
l Display format: Specifies the display format of the results.
l Map selector: Specifies the map in which the route is displayed. Click Show Route Map to display a map of only the selected route.
If you switch to a different map, highlighting of the selected route is lost. Switch to a different route or a different result to view the route in the Map pane.
l Route map properties: Displays the properties of the route map so that you can change the settings.
Viewing the Access Route in text format
Example of an access route displayed in text format
For each route, the source and destination are listed in full outside the table. The table lists the exact route taken.
l The 1st step is the source point.
If the source point is a subset of the source specified in Source, the source IP address ranges are listed.
l Intermediary steps show the gateways passed on the way, with their access rules and address translation rules.
Rules are shown with their direction, rule number, ruleset name, and rule action. Each intermediary step includes an inbound rule and an outbound rule. Click the link in a rule to open the Access Control List Editor, where you can view or change the rule.
If access goes through a VPN tunnel, the step is marked as Encrypted.
l The final point is the destination, including asset name and IP address.
For information about inaccessible routes, see Inaccessible entities.
Inaccessible entities
Access Analyzer might show that there is no access from the source to the destination.
There are 2 basic reasons why a network or asset is inaccessible:
l The route is blocked: An access rule denies access from the source to the destination (the most common reason).
l The route is broken: There is no routing from the source to the destination.
Use Show Blocked Sources or Show Blocked Destinations to discover why there is noaccess.
Blocked routes
If routes from the source to the destination are blocked, the Access Route lists all hops from the source to the point where the route is blocked. The final entry in the table shows what is blocking the route, usually an access rule on a firewall. The full destination is displayed after the table.

In the following figure, the route between the Development network and the Finance Servers was checked for access and no access was found. To display where access is blocked, use Show Blocked Destinations.
The Access Route shows that access is denied (blocked) by the finance FW firewall and thatthe rule used is access rule 6.
Broken routes
If an entity is inaccessible for routing reasons (for example, routers are missing in the model), the route is not blocked. Instead, it is shown as broken (incomplete). This can happen if:
l The source knows the destination by a different name or IP address (because of NAT rules).
l The model is incomplete and gateways that connect the source and destination are missing.
l Routing rules are missing in gateways between the source and the destination.
l There is a route to a null (black hole) in a gateway between the source and the destination.
If a route is broken, the Access Route provides an explanation of what happened, as in the following figure.
Saving the results
You can save the results of access analysis in 3 different formats:
As a CSV file
This saves a list of the source-destination-port combinations through which the specified access can be achieved, as in the following example.

SOURCE,DESTINATION,SERVICE,AUTHENTICATED
192.170.17.0-192.170.19.255,192.170.33.0-192.170.33.255,1-65535/20-21/TCP;1-65535/53-53/TCP;1-65535/79-80/TCP;1-65535/179-179/TCP;1-65535/443-443/TCP;1-65535/535-535/TCP,FALSE
192.170.25.0-192.170.27.255,192.170.33.0-192.170.33.255,1-65535/20-21/TCP;1-65535/53-53/TCP;1-65535/79-80/TCP;1-65535/179-179/TCP;1-65535/443-443/TCP;1-65535/535-535/TCP,FALSE
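A security query is only useful if someone compares the accessible results against what is permitted (see Understanding the results above). The following script, an added example that is not part of the Skybox product or this guide, reads a CSV export of the shape shown above and reports every (source, destination) pair that exposes a destination port outside an allow list. It assumes that each SERVICE entry is source-port-range/destination-port-range/protocol, which the example rows suggest but the guide does not state; the allow list and the embedded CSV rows are constructed for the example.

```python
"""Check an Access Analyzer CSV export against an allow list of exposed ports.

Added example; not Skybox code. Assumptions (not stated in the guide):
- SERVICE entries have the form src-port-range/dst-port-range/protocol.
- The allow list ALLOWED is constructed for this example.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export: the two rows of the guide's CSV example.
SAMPLE_CSV = """\
SOURCE,DESTINATION,SERVICE,AUTHENTICATED
192.170.17.0-192.170.19.255,192.170.33.0-192.170.33.255,1-65535/20-21/TCP;1-65535/53-53/TCP;1-65535/79-80/TCP;1-65535/179-179/TCP;1-65535/443-443/TCP;1-65535/535-535/TCP,FALSE
192.170.25.0-192.170.27.255,192.170.33.0-192.170.33.255,1-65535/20-21/TCP;1-65535/53-53/TCP;1-65535/79-80/TCP;1-65535/179-179/TCP;1-65535/443-443/TCP;1-65535/535-535/TCP,FALSE
"""


@dataclass(frozen=True)
class Service:
    """One destination port range reachable over a protocol."""
    proto: str
    dst_lo: int
    dst_hi: int


def parse_port_range(text):
    """'20-21' -> (20, 21); '53' -> (53, 53). Rejects ports outside 1-65535."""
    lo_text, _, hi_text = text.partition("-")
    lo = int(lo_text)
    hi = int(hi_text) if hi_text else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def parse_service_cell(cell):
    """Split a ';'-separated SERVICE cell into Service records."""
    services = []
    for entry in (e.strip() for e in cell.split(";")):
        if not entry:
            continue
        src, dst, proto = entry.split("/")
        parse_port_range(src)            # validated but unused: source ports are ephemeral
        lo, hi = parse_port_range(dst)
        services.append(Service(proto.upper(), lo, hi))
    return services


def exposed_ports(services):
    """Expand Service ranges into a set of (protocol, destination port)."""
    return {(s.proto, p) for s in services for p in range(s.dst_lo, s.dst_hi + 1)}


def unexpected_access(csv_text, allowed):
    """Map (source, destination) -> sorted (proto, port) pairs not in `allowed`.

    Only rows whose exposed set is not a subset of `allowed` are reported, so an
    empty result is the "accessible results contain only permitted services"
    outcome the guide describes for a security query.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        extra = exposed_ports(parse_service_cell(row["SERVICE"])) - allowed
        if extra:
            findings[(row["SOURCE"], row["DESTINATION"])] = sorted(extra)
    return findings


# Constructed policy: the DMZ may expose only DNS, HTTP and HTTPS over TCP.
ALLOWED = {("TCP", 53), ("TCP", 80), ("TCP", 443)}

if __name__ == "__main__":
    for (src, dst), ports in unexpected_access(SAMPLE_CSV, ALLOWED).items():
        print(f"{src} -> {dst}: unexpected {ports}")
```

Run against the sample rows, both source ranges are reported because FTP (20-21), finger (79), BGP (179) and port 535 are reachable in addition to the permitted DNS, HTTP and HTTPS ports; an export whose rows all fall within the allow list produces an empty result.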
As an XML file
This saves the results tree as an XML file, as in the following example.

<ExplainTree>
  <Location name="US">
    <Location name="New York">
      <Network name="dmz [192.170.33.0 / 24]" count_description="256 IPs;6 TCP/UDP ports">
        <IpRange name="192.170.33.0-192.170.33.255" count_description="256 IPs; 6 TCP/UDP ports">
          <PortRange name="21 (TCP)" count_description="0 IPs" />
          <PortRange name="25 (TCP)" count_description="0 IPs" />
          <PortRange name="53 (TCP)" count_description="0 IPs" />
          <PortRange name="80 (TCP)" count_description="0 IPs" />
          <PortRange name="443 (TCP)" count_description="0 IPs" />
          <PortRange name="53 (UDP)" count_description="0 IPs" />
        </IpRange>
      </Network>
    </Location>
  </Location>
</ExplainTree>
As an HTML file showing the route
This saves the route displayed in the Details pane as an HTML file, as in the following example.

Chapter 25

Modifying security metric properties

You can modify the default values of many security metrics properties to suit your requirements. This chapter explains:
l How the security metrics are analyzed
l The properties that might need changing and how to change them
In this chapter
Calculation of scores for VLI security metrics
Calculation of scores for RLI security metrics
Impact levels
Additional security metrics properties
Calculation of scores for VLI security metrics

The Vulnerability Level Indicator (VLI) measures the rate of vulnerability occurrences found on assets in a group of assets (for example, a Business Asset Group or Business Unit). The rate is the weighted average number of vulnerability occurrences per asset.
l vli_weight(v) = severity_weight(v)
The severity weight is a configurable numeric value associated with the different severity levels; the default values are Critical=1, High=0.3, Medium=0.03, and Low=0 (ignored). For example, 3 high-severity and 3 medium-severity vulnerability occurrences on an asset (3 × 0.3 + 3 × 0.03 = 0.99) are considered to be approximately 1 critical-equivalent vulnerability occurrence.

The VLI value of an asset is the sum of the weights of all vulnerability occurrences on that asset. The VLI value is then mapped to a score between 0 and 100 and to a level. You can configure the score mappings for each security metric separately from the Manage Security Metrics dialog box.
The VLI value for a group of assets is the average vli_weight per asset.
VLI calculation for a sample Business Asset Group
A sample Business Asset Group consisting of 5 assets is shown in the following table with each asset's vulnerability occurrence counts and the resulting VLI value (the number of critical-equivalent occurrences, using the default severity weights).

ASSET | CRITICAL OCCURRENCES | HIGH OCCURRENCES | MEDIUM OCCURRENCES | VLI VALUE (CRITICAL-EQUIVALENT OCCURRENCES)
asset1 | 2 | 3 | 14 | 3.32
asset2 | 1 | 4 | 8 | 2.44
asset3 | 0 | 1 | 6 | 0.48
asset4 | 3 | 4 | 11 | 4.53
asset5 | 1 | 3 | 13 | 2.29
AVERAGE PER ASSET | 1.4 | 3 | 10.4 | 2.612

The VLI value for this Business Asset Group (that is, the average number of critical-equivalent vulnerability occurrences per asset) is approximately 2.6. When this VLI value is mapped to a VLI score, the VLI score is approximately 46 (which corresponds to the medium level and its color).
For additional information about the mapping, see Initial customization.
Note: You can include Business Impacts and Regulations in the vulnerability occurrenceweight formula (see Additional security metrics properties).
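The table above can be reproduced, and extended to the optional asset impact weight described under Impact levels, with the following script. It is an added example, not Skybox code: it applies the guide's formula vli_weight(v) = severity_weight(v) * asset_impact_weight(h) with the documented default severity weights, but the guide gives no numeric values for the (configurable) impact weights, so the IMPACT_WEIGHT table is an assumption, and the mapping from VLI value to a 0-100 score is configurable and not reproduced. With the impact factor off (the default) every asset gets weight 1.0 and the script returns exactly the values in the table.

```python
"""VLI value for an asset and for a group of assets.

Added example; not Skybox code. Applies the guide's formula
    vli_weight(v) = severity_weight(v) * asset_impact_weight(h)
with the documented default severity weights. IMPACT_WEIGHT is an assumed
table (the guide only says each impact level maps to a configurable number);
with the impact factor off, every asset gets weight 1.0.
"""

SEVERITY_WEIGHT = {"Critical": 1.0, "High": 0.3, "Medium": 0.03, "Low": 0.0}

# Assumed mapping from Business Impact / Regulation level to asset impact weight.
IMPACT_WEIGHT = {"Very Low": 0.5, "Low": 0.75, "Medium": 1.0, "High": 1.5, "Very High": 2.0}


def asset_vli(occurrences, impact_level=None):
    """Sum of the weights of all vulnerability occurrences on one asset.

    occurrences: mapping severity -> number of occurrences.
    impact_level: Business Impact level, or None when the impact factor is off.
    """
    impact = IMPACT_WEIGHT[impact_level] if impact_level is not None else 1.0
    total = 0.0
    for severity, count in occurrences.items():
        if severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {severity!r}")
        if count < 0:
            raise ValueError(f"negative count for {severity}")
        total += SEVERITY_WEIGHT[severity] * impact * count
    return round(total, 3)


def group_vli(assets):
    """Average VLI value per asset over a Business Asset Group.

    assets: mapping asset name -> (occurrences, impact_level).
    """
    if not assets:
        raise ValueError("a group needs at least one asset")
    return round(sum(asset_vli(occ, lvl) for occ, lvl in assets.values()) / len(assets), 3)


# Constructed group: the guide's five-asset sample, impact factor off.
SAMPLE_GROUP = {
    "asset1": ({"Critical": 2, "High": 3, "Medium": 14}, None),
    "asset2": ({"Critical": 1, "High": 4, "Medium": 8}, None),
    "asset3": ({"Critical": 0, "High": 1, "Medium": 6}, None),
    "asset4": ({"Critical": 3, "High": 4, "Medium": 11}, None),
    "asset5": ({"Critical": 1, "High": 3, "Medium": 13}, None),
}

if __name__ == "__main__":
    for name, (occ, lvl) in SAMPLE_GROUP.items():
        print(f"{name}: {asset_vli(occ, lvl)}")
    print("group VLI value:", group_vli(SAMPLE_GROUP))
    # The same group with asset4 tagged Very High shows how the impact factor shifts the result.
    tagged = dict(SAMPLE_GROUP, asset4=(SAMPLE_GROUP["asset4"][0], "Very High"))
    print("group VLI value with impact factor:", group_vli(tagged))
```

The per-asset values come out as 3.32, 2.44, 0.48, 4.53 and 2.29 and the group value as 2.612, matching the table; tagging asset4 as Very High under the assumed weights doubles its contribution and lifts the group value to 3.518, which is the effect of enabling KPI_VLI_USE_HOST_IMPACT_FACTOR described under Impact levels.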
Calculation of scores for RLI security metrics

The Remediation Latency Indicator (RLI) measures the rate of overdue vulnerability occurrences on an asset, based on remediation SLA criteria.

The RLI score for an asset indicates the number of overdue or relatively old vulnerability occurrences found on the asset. Each vulnerability occurrence is weighted to consider the remediation priority of the vulnerability occurrence and its delay; high-priority vulnerability occurrences that have long delays are assigned the highest weight.

The RLI score for a Business Asset Group is the average of the RLI scores for all assets in the Business Asset Group.

Use the RLI metric to identify hot spots whose remediation latency is relatively high; you can examine trends in remediation by how quickly the vulnerability occurrences are being fixed.

Some properties used for the RLI calculation (Vulnerability Occurrence age and SLA) are defined per security metric in the Security Metric Properties dialog box.

The properties in the following table are defined globally for all Remediation Latency Indicator-type security metrics, and are in <Skybox_Home>\server\conf\sb_server.properties
PROPERTY: Remediation Priority
Definition: The importance of remediating vulnerability occurrences of this severity level: Critical=P1, High=P2, Medium=P3.
In properties file as: KPI_NO_HOST_IMPACT_VUL_SEVERITY_PRIORITIES. The default value is P1,P2,P3,NA,NA.

PROPERTY: Latency Penalty
Definition: You can associate each priority with a different latency penalty in the RLI formula. Higher priorities typically get higher penalties, because the remediation latency of a higher priority vulnerability occurrence is more severe than the remediation latency of a lower priority vulnerability occurrence.
In properties file as: LATENCY_PANELTY_P1 ... LATENCY_PANELTY_P5. The default values are LATENCY_PANELTY_P1=1, LATENCY_PANELTY_P2=0.5, LATENCY_PANELTY_P3=0.1, LATENCY_PANELTY_P4=0, LATENCY_PANELTY_P5=0.

PROPERTY: Delay period
Definition: The delay in the remediation of a vulnerability occurrence is specified by a grace period. Period 0 means no grace period, period 1 means a small grace period, and so on. The grace period of a vulnerability occurrence is the period that matches its age. The grace periods are defined for the different priorities as a function of their SLA values in days:
l Period 0 (no delay): 0 days to 1 SLA
l Period 1 (small delay): 1-2 SLAs
l Period 2 (large delay): 2-3 SLAs
l Period 3 (very large delay): 3 or more SLAs
In properties file as: AMOUNT_OF_DELAY_PERIOD_0 ... AMOUNT_OF_DELAY_PERIOD_3. The default values are AMOUNT_OF_DELAY_PERIOD_0=0, AMOUNT_OF_DELAY_PERIOD_1=1, AMOUNT_OF_DELAY_PERIOD_2=2, AMOUNT_OF_DELAY_PERIOD_3=3. For example, for an SLA of 30 days:
l Period 0 = 0-30 days (no grace period)
l Period 1 = 31-60 days
l Period 2 = 61-90 days
l Period 3 = 91+ days

PROPERTY: Delay factor
Definition: The delay factor for a vulnerability occurrence is the latency penalty specified for the vulnerability occurrence according to its priority, multiplied by a factor according to its delay period (small delay: low factor; big delay: higher factor).
In properties file as: DELAY_FACTOR_PERIOD_0 ... DELAY_FACTOR_PERIOD_3. The default values are Period 0=0, Period 1=1, Period 2=1.5, Period 3=2.
The SLA values provided in the file are default values for all security metrics. Values set in Skybox Manager for individual security metrics override the default values.
The formula for calculating the RLI of a vulnerability occurrence or security bulletin is:
rli_weight(v) = latency_penalty(priority(v)) * delay_factor(delay_period(v))
Examples
l If Critical Microsoft Security Bulletins must be addressed in 14 days according to your SLA, change the Critical SLA in the MS-RLI security metric to 14.
l If High Importance Microsoft Security Bulletins must be addressed in 42 days, change the High SLA in the MS-RLI security metric to 42.
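The following script, an added example and not Skybox code, carries the RLI formula and the default property values from the table above through to an asset and a group value, so that the effect of an SLA change such as the ones in the examples can be seen before it is made. It uses the guide's formula rli_weight(v) = latency_penalty(priority(v)) * delay_factor(delay_period(v)) and the documented defaults (property names as spelled in the table). Two points are assumptions: the guide says an asset's RLI reflects its weighted overdue occurrences and a group's RLI is the average over its assets, and the sum-then-mean aggregation below follows that description without reproducing the configurable mapping to a 0-100 score; the per-priority SLA days in SLA_DAYS and the sample occurrences are constructed for the example.

```python
"""RLI weight for vulnerability occurrences, assets and a Business Asset Group.

Added example; not Skybox code. Implements
    rli_weight(v) = latency_penalty(priority(v)) * delay_factor(delay_period(v))
with the sb_server.properties defaults from the guide. Aggregation (sum per
asset, mean per group) follows the guide's description; the 0-100 score
mapping is configurable and not reproduced. SLA_DAYS and SAMPLE_ASSETS are
constructed for this example.
"""
from dataclasses import dataclass

# KPI_NO_HOST_IMPACT_VUL_SEVERITY_PRIORITIES=P1,P2,P3,NA,NA: severity -> priority
PRIORITY = {"Critical": "P1", "High": "P2", "Medium": "P3"}
# LATENCY_PANELTY_P1 ... LATENCY_PANELTY_P5 defaults (names as spelled in the guide)
LATENCY_PENALTY = {"P1": 1.0, "P2": 0.5, "P3": 0.1, "P4": 0.0, "P5": 0.0}
# AMOUNT_OF_DELAY_PERIOD_0 ... _3 defaults: each period starts after this many SLAs
AMOUNT_OF_DELAY_PERIOD = [0, 1, 2, 3]
# DELAY_FACTOR_PERIOD_0 ... _3 defaults
DELAY_FACTOR_PERIOD = [0.0, 1.0, 1.5, 2.0]


@dataclass(frozen=True)
class Occurrence:
    severity: str
    age_days: int


def delay_period(age_days, sla_days):
    """Grace period index: 0 up to 1 SLA, 1 up to 2 SLAs, 2 up to 3 SLAs, else 3.

    With an SLA of 30 days this gives 0-30 -> 0, 31-60 -> 1, 61-90 -> 2, 91+ -> 3,
    matching the worked example in the guide.
    """
    if sla_days <= 0:
        raise ValueError("SLA must be a positive number of days")
    if age_days < 0:
        raise ValueError("age cannot be negative")
    period = 0
    for index, multiple in enumerate(AMOUNT_OF_DELAY_PERIOD):
        if age_days > multiple * sla_days:
            period = index
    return period


def rli_weight(occ, sla_days):
    """Weight of one occurrence; severities without a priority (NA) carry no penalty."""
    priority = PRIORITY.get(occ.severity)
    if priority is None:
        return 0.0
    factor = DELAY_FACTOR_PERIOD[delay_period(occ.age_days, sla_days[priority])]
    return LATENCY_PENALTY[priority] * factor


def asset_rli(occurrences, sla_days):
    """Sum of the weights of an asset's occurrences."""
    return round(sum(rli_weight(o, sla_days) for o in occurrences), 3)


def group_rli(assets, sla_days):
    """Mean asset RLI over a Business Asset Group (asset name -> occurrences)."""
    if not assets:
        raise ValueError("a group needs at least one asset")
    return round(sum(asset_rli(o, sla_days) for o in assets.values()) / len(assets), 3)


# Constructed per-priority SLAs in days (the P1/P2 values echo the MS-RLI examples).
SLA_DAYS = {"P1": 14, "P2": 42, "P3": 90}

# Constructed sample: two assets with occurrences of varying age.
SAMPLE_ASSETS = {
    "web01": [Occurrence("Critical", 20), Occurrence("High", 10), Occurrence("Medium", 200)],
    "db01": [Occurrence("Critical", 50), Occurrence("Low", 400)],
}

if __name__ == "__main__":
    for name, occs in SAMPLE_ASSETS.items():
        print(f"{name}: RLI value {asset_rli(occs, SLA_DAYS)}")
    print("group RLI value:", group_rli(SAMPLE_ASSETS, SLA_DAYS))
```

With these inputs, web01 scores 1.15 (a critical occurrence one SLA overdue contributes 1.0, a medium occurrence in period 2 contributes 0.15, and a high occurrence within its SLA contributes nothing), db01 scores 2.0 from a critical occurrence more than three SLAs old, and the group value is 1.575. Shortening a P1 SLA from 14 to 7 days would push web01's critical occurrence into period 2 and raise its weight to 1.5, which is the kind of sensitivity check the examples above call for.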
Impact levels

The asset impact weight is an optional weight that is determined by Business Impacts and Regulations. Business Impacts and Regulations specify (for Business Asset Groups and groups of assets) the expected impact level (Very Low to Very High) of security loss. DMZ assets and critical servers are typically associated with High or Critical Business Impacts and Regulations; desktops are usually associated with Very Low or Low Business Impacts and Regulations. Each impact level is mapped to a (configurable) numeric weight. That weight (asset_impact_weight) is then used in computing the vulnerability occurrence weight together with the severity, so that the vulnerability occurrence weight formula is:
vli_weight(v) = severity_weight(v) * asset_impact_weight(h)
By default, Skybox does not consider impact levels for security metrics analysis. For the security metrics analysis to include the impact levels:
1. Specify the impact levels.
Note: If you are working with Exposure, this step is part of building the model. If you are working only with security metrics, see Business Impacts and Regulations.
2. In <Skybox_Home>\server\conf\sb_server.properties, set:
l (VLI) KPI_VLI_USE_HOST_IMPACT_FACTOR=true
l (RLI) KPI_RLI_USE_HOST_IMPACT_FACTOR=true
Additional security metrics properties

Security metric properties are set in the kpi properties section of <Skybox_Home>\server\conf\sb_server.properties

The properties in the following table might be useful in setting up the behavior of the security metrics.
PROPERTY: KPI_SEVERITY_THRESHOLD
Default value: Medium
Description: The minimum severity of vulnerability occurrences to include in the security metrics analyses.

PROPERTY: KPI_SEVERITY_FACTOR_FOR_<level>_VULNERABILITY
Description: The weight of the different vulnerability occurrence severities in security metrics analyses.

PROPERTY: KPI_VLI_USE_HOST_IMPACT
Default value: false
Description: Specifies whether to use the impact factor of assets (which belong to Business Asset Groups that have Business Impacts or Regulations) in VLI analyses. If this property is set to true, the properties whose names begin with KPI_HOST_IMPACT_ might need modifying.

PROPERTY: KPI_RLI_USE_HOST_IMPACT
Default value: false
Description: Specifies whether to use the impact factor of assets (which belong to Business Asset Groups that have Business Impacts or Regulations) in RLI analyses. If this property is set to true, the properties in the "relevant only for RLI" section of this file might need modifying.
After changing a property, restart the Skybox Server for the change to take effect.
Chapter 26

Skybox Vulnerability Dictionary

The Skybox Vulnerability Dictionary contains an extensive list of vulnerabilities that is updated daily, consolidated from tens of data sources. Each entry includes descriptive information about the Vulnerability Definition and structured information that enables Skybox analytics. For additional information about the data feed used in the dictionary, see Skybox Intelligence Feed.
In this chapter
Skybox Vulnerability Dictionary information
CVE compliance
Skybox Vulnerability Dictionary information

The information for each Vulnerability Definition in the Vulnerability Dictionary includes:
l SBV ID: Identification number assigned by Skybox
l Existence preconditions: Services that must be on an asset for an occurrence of the Vulnerability Definition to exist
l Exploitation preconditions: Preconditions for exploiting an occurrence of the Vulnerability Definition
l Exploitation effects: Achievements an attacker could gain from a successful exploitation of an occurrence of the Vulnerability Definition
l Attributes: Attributes that might affect the likelihood of a successful exploitation of an occurrence of the Vulnerability Definition, including:
o Difficulty: An estimated difficulty level for exploiting occurrences of the Vulnerability Definition. The difficulty of exploiting a vulnerability occurrence depends largely on whether known exploit code, or a detailed description of how to exploit the Vulnerability Definition, exists.
o Commonality: An estimate of how frequently attackers exploit this Vulnerability Definition.
SBV ID
In the Vulnerability Dictionary, each Vulnerability Definition is defined on a single service; if there are similar Vulnerability Definitions on multiple services, they are usually defined as different Vulnerability Definitions with different ID numbers.

Note: If a Vulnerability Definition is defined on multiple services under the same ID by CVE and by multiple scanners, the Vulnerability Dictionary also defines it as a single Vulnerability Definition with a single ID.
Exploitation preconditions
Exploitation preconditions define 2 values:
l The access that the attacker must have to exploit occurrences of the Vulnerability Definition
l The authentication required on the attacked service: Whether the attacker must pass the service's authentication requirement to exploit occurrences of the Vulnerability Definition

For example:
l Remote Access without Authentication: The attacker has remote access to the service on which the vulnerability occurrence is found, and no authentication is required to successfully exploit the vulnerability occurrence. Most attackers can gain access to most vulnerable services.
l Local Access with Authentication: The attacker has local control over the vulnerable asset. This precondition is typical for vulnerability occurrences that enable privilege escalation on an attacked asset.

The remote access precondition has several variations that you should model. For example, for some DoS attacks, it is sufficient for the attacker to have a 1-way UDP connection to the vulnerable service. This limited requirement for 1-way access could enable an attacker to create spoofing attacks that pass through firewalls and reach the vulnerability occurrence because of the spoofed source IP address.
Exploitation effects
Exploitation effects formally describe the achievements that an attacker could gain fromsuccessful exploitation of a vulnerability occurrence. Achievements include:
l DoS: The attacker could cause a denial of service to the attacked services on the asset.
l User Control: The attacker could gain user (non-root) control on the attacked asset.
l Root Control: The attacker could gain root control on the attacked asset.
l File System Read: The attacker could read arbitrary files on the file system of the attacked asset.
l Information Leakage: The attacker could cause information leakage, including leakage of user names, passwords, and source code.

During attack simulation, a vulnerability occurrence can be exploited only if all its preconditions are matched. In a multistep attack, achievements gained by exploiting a vulnerability occurrence help to fulfill the preconditions of the next vulnerability occurrence.
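The chaining rule in the previous paragraph is easiest to see on a small model. The following script is an added illustration, not Skybox's attack-simulation engine: it represents a Vulnerability Definition by the two exploitation preconditions above (required access, and whether the service's authentication must be passed) and by its exploitation effects, then exploits definitions repeatedly until no new precondition can be satisfied. Beyond the guide, it assumes that an Information Leakage achievement yields credentials for the asset's services and that File System Read and DoS are recorded but unlock nothing further; the SBV IDs, services and attacker starting points are constructed placeholders.

```python
"""Toy multistep attack simulation over Vulnerability Definition metadata.

Added example; not Skybox's attack-simulation engine. Preconditions are the
access the attacker needs ("remote" to a service or "local" on the asset) and
whether the service's authentication must be passed; effects are achievements
(DoS, User Control, Root Control, File System Read, Information Leakage).
Assumed: Information Leakage yields credentials for the asset's services.
IDs, services and start states are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VulnDef:
    sbv_id: str
    service: str          # service the definition is defined on, e.g. "http/80"
    access: str           # "remote" or "local"
    needs_auth: bool      # must the attacker pass the service's authentication?
    effects: frozenset    # achievements gained on success


@dataclass
class Attacker:
    reachable: set = field(default_factory=set)      # services reachable over the network
    credentials: set = field(default_factory=set)    # services the attacker can authenticate to
    control: set = field(default_factory=set)        # {"user"} and/or {"root"} on the asset
    achievements: list = field(default_factory=list)


def preconditions_met(v, a):
    """All preconditions must hold; achievements from earlier steps can satisfy them."""
    if v.access == "remote":
        if v.service not in a.reachable:
            return False
        return (not v.needs_auth) or v.service in a.credentials
    if v.access == "local":
        return bool(a.control)     # local access means the attacker already controls the asset
    raise ValueError(f"unknown access type {v.access!r}")


def apply_effects(v, a, services):
    for effect in sorted(v.effects):
        a.achievements.append((v.sbv_id, effect))
        if effect == "User Control":
            a.control.add("user")
        elif effect == "Root Control":
            a.control.add("root")
        elif effect == "Information Leakage":
            a.credentials.update(services)   # assumption: leaked passwords for the asset's services
        # DoS and File System Read are recorded but unlock nothing further here.


def simulate(vulns, attacker):
    """Exploit definitions until a fixpoint; returns the SBV IDs exploited, in order."""
    services = {v.service for v in vulns}
    exploited = []
    progress = True
    while progress:
        progress = False
        for v in vulns:
            if v.sbv_id in exploited or not preconditions_met(v, attacker):
                continue
            exploited.append(v.sbv_id)
            apply_effects(v, attacker, services)
            progress = True
    return exploited


# Constructed dictionary excerpt for one asset (placeholder IDs, not real SBV IDs).
VULNS = [
    VulnDef("SBV-EX-2", "os", "local", True, frozenset({"Root Control"})),        # privilege escalation
    VulnDef("SBV-EX-1", "http/80", "remote", False, frozenset({"User Control"})),  # unauthenticated RCE
    VulnDef("SBV-EX-3", "ssh/22", "remote", True, frozenset({"Root Control"})),    # needs valid credentials
    VulnDef("SBV-EX-4", "smb/445", "remote", False, frozenset({"Information Leakage"})),
]


def run(reachable):
    """Simulate from a fresh attacker that can reach the given services."""
    a = Attacker(reachable=set(reachable))
    return simulate(VULNS, a), a


if __name__ == "__main__":
    for reach in (["http/80"], ["ssh/22"], ["smb/445", "ssh/22"]):
        chain, state = run(reach)
        print(f"reachable={reach}: chain={chain}, control={sorted(state.control)}")
```

Three runs show the rule at work: with only http/80 reachable, the unauthenticated remote definition gives User Control, which satisfies the local precondition of the privilege-escalation definition on the next pass; with only ssh/22 reachable nothing is exploitable because the authentication precondition is never met; with smb/445 and ssh/22 reachable, the leaked credentials from the first step satisfy that precondition, so root is reached over SSH without the web server at all.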
The Vulnerability Dictionary is continuously updated by the Skybox research lab. It models all new Vulnerability Definitions as they are released and updates Vulnerability Definitions throughout their life cycle.

Admins can configure the Vulnerability Dictionary for automatic updates to keep your security model up to date.
Severity
The severity of a vulnerability occurrence in Skybox is based on the CVSS (Common Vulnerability Scoring System) base score, a standard rating system for vulnerabilities (from 0 to 10). The values for the CVSS fields are filled using the exploitation preconditions and exploitation effects of the Vulnerability Definition. If any of this information is not in the Vulnerability Dictionary, the severity is set using an average of CVSS or severity values from external sources. Skybox supports CVSS version 3.
The CVSS base score is translated to a scale (Critical, High, Medium, Low, or Information),and the severity is displayed in Skybox as a scale value followed by the score.
External data sources
The Vulnerability Dictionary also supports most common external vulnerability databases and other external data sources. For each Vulnerability Definition in the Vulnerability Dictionary that is also in external sources, Skybox can display the names and IDs of the Vulnerability Definition in the external data sources. The full list of data sources is published by Skybox; sources include:
l Adobe
l CVE
l Cisco PSIRT
l McAfee Foundstone
l Microsoft Security Bulletins
l Oracle
l Qualys Cloud Platform
l Rapid7 Nexpose
l Retina
l Symantec SecurityFocus
l Tenable Nessus
l Tripwire IP360
CVE compliance
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (that is, CVE IDs) for publicly known information security Vulnerability Definitions. CVE is the industry standard for vulnerability and exposure names. CVE IDs make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools.
If the information from Skybox's external sources includes CVE IDs for Vulnerability Definitions, this information is added to the information in the Skybox Vulnerability Dictionary. CVE updates are also included in the Vulnerability Dictionary.
To ensure CVE compliance, the Vulnerability Dictionary includes a Vulnerability Definition (that is, an SBV ID) for every CVE ID. The SBV ID can include IDs from scanners and other dictionaries. If a vulnerability occurrence of a Vulnerability Definition that is not in CVE is reported by a scanner that is supported by Skybox, it is assigned an SBV ID. If a CVE ID is assigned to that Vulnerability Definition later, the CVE ID is then added to the Vulnerability Definition data in the Vulnerability Dictionary.
Chapter 27
Skybox Intelligence Feed
About the Skybox intelligence feed
The Skybox™ Security intelligence feed currently contains more than 130,000 vulnerabilities. The intelligence feed is a collection of information from leading public and private security data sources and is built as a superset of vulnerabilities. As a state-of-the-art vulnerability data service, it is CVE-compliant and implements CVSS v3 standards.
How it works
Skybox Security has a dedicated team focused on threat intelligence and vulnerability research. The Skybox™ Research Lab continuously tracks multiple data sources to detect new alerts as well as changes in already reported alerts (for example, reports of new exploits or solutions). The Lab uses a vast set of automated tools to collect and consolidate information, as well as human analysis and detailed modeling to ensure accuracy. Such work also ensures that the information required for the analytical engines of Skybox products is complete.
Data sources
The Skybox intelligence feed is information correlated from various leading public and private security feeds as well as independent researchers. The intelligence feed fully supports vulnerabilities published by the advisories and scanners covered in this document. The feed also includes references to IPS signatures and other sources by cross-referencing with a CVE ID.
Data sources in use
Databases
- NIST NVD
- Red Hat CVE Database
- ExploitDB
Scanners
- Qualys Cloud Platform
- Rapid7 Nexpose
- Tenable Nessus
- Tripwire IP360
IPS
- Cisco Sourcefire
- HP Tipping-Point
- McAfee IPS
- Palo Alto Networks
Additional Information
In addition to the data sources listed previously, the Skybox™ Research Lab monitors social media and news sites to collect information on newly discovered or exploited vulnerabilities. Our sources include:
- AlienVault OTX
- X-Force Exchange
- Leading security researchers via social media (over 100 specially selected Twitter accounts)
- Vulnerabilities and exploits published in leading security news sites
Vendor advisories
Some vendors report vulnerabilities on their products long before any detail is available on public databases (for example, NVD). The Skybox™ Research Lab follows the security announcements of a selected group of vendors.
This also serves a 2nd purpose: Many of today's vulnerabilities affect multiple important products by virtue of some common library or component integrated within them. In such cases, the Skybox intelligence feed reports not only the originally affected component (as it would be reported, for example, in NVD), but also the indirectly affected products, as reported by their vendors.
The following are the main vendor advisories currently used, though the list is constantly updated.
- Adobe
- Apple
- Avaya
- Check Point
- CloudBees
- Cisco
- F5
- Google Chrome
- Google Android
- IBM
- Microsoft
- Mozilla
- Oracle
- Red Hat
- SAP
- Siemens
- VMware
Merging from multiple sources
The Skybox intelligence feed contains a superset of vulnerabilities from all the supported sources. The intelligence feed is CVE compliant, and the CVE ID (with manual analysis when required) is used to cross-reference between the various sources. In addition, the intelligence feed contains vulnerabilities from various other data sources, even if those sources do not have a CVE reference.
This approach allows an organization to consolidate information from multiple scanners or management/patch systems in the Skybox platform, creating a single, normalized view of vulnerabilities. After import into Skybox, this view is the basis for comprehensive risk analytics.
While the intelligence feed contains vulnerabilities, it does not include compliance issues (for example, the use of a default user name or password) or end-of-life notifications. If such items are reported by a scanner, they are created as custom vulnerabilities.
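The following Python script is an added illustration, not Skybox code, of the cross-referencing described under "CVE compliance" and "Merging from multiple sources": records from several sources are folded into one definition when they share a CVE ID, a record with no CVE gets its own SBV ID keyed on the source's own ID, and a CVE assigned later is attached (merging definitions if the CVE already has one). The SBV numbering (starting at 900000), the "Acme Agent" record and the placeholder CVE-EXAMPLE-0001 are constructed; the CVE-2021-29951 source IDs are those shown for the sample vulnerability in this chapter. The merge policy in assign_cve (the definition already holding the CVE keeps its SBV ID) is an assumption.

```python
"""Consolidating scanner and advisory records into one dictionary keyed by CVE.

Added illustration, not Skybox code. SBV numbering, the Acme Agent record
and CVE-EXAMPLE-0001 are constructed placeholders.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Optional, Set, Tuple


@dataclass
class SourceRecord:
    source: str            # "Qualys", "Nessus", "Rapid7", ...
    source_id: str         # the source's own vulnerability ID
    cve: Optional[str]     # CVE ID if the source reports one
    title: str


@dataclass
class Definition:
    sbv_id: str
    cve: Optional[str]
    title: str
    source_ids: Dict[str, Set[str]] = field(default_factory=dict)


class Dictionary:
    def __init__(self, first_sbv: int = 900000):
        self._next = count(first_sbv)
        self.by_sbv: Dict[str, Definition] = {}
        self.by_cve: Dict[str, str] = {}                  # CVE ID -> SBV ID
        self.by_source: Dict[Tuple[str, str], str] = {}   # (source, id) -> SBV ID

    def _new(self, cve: Optional[str], title: str) -> Definition:
        d = Definition(f"SBV-{next(self._next)}", cve, title)
        self.by_sbv[d.sbv_id] = d
        if cve:
            self.by_cve[cve] = d.sbv_id
        return d

    def ingest(self, rec: SourceRecord) -> Definition:
        """Cross-reference on the CVE ID when there is one; otherwise the
        source's own ID is the key and a fresh SBV ID is allocated."""
        key = (rec.source, rec.source_id)
        if rec.cve and rec.cve in self.by_cve:
            d = self.by_sbv[self.by_cve[rec.cve]]
        elif key in self.by_source:
            d = self.by_sbv[self.by_source[key]]
            if rec.cve and not d.cve:          # the source now reports a CVE
                d = self.assign_cve(d.sbv_id, rec.cve)
        else:
            d = self._new(rec.cve, rec.title)
        d.source_ids.setdefault(rec.source, set()).add(rec.source_id)
        self.by_source[key] = d.sbv_id
        return d

    def assign_cve(self, sbv_id: str, cve: str) -> Definition:
        """Add a CVE assigned after the fact. If another definition already
        carries that CVE, fold this one into it (assumption: the existing
        CVE holder keeps its SBV ID and collects both sets of source IDs)."""
        d = self.by_sbv[sbv_id]
        holder_id = self.by_cve.get(cve)
        if holder_id and holder_id != sbv_id:
            keep = self.by_sbv[holder_id]
            for src, ids in d.source_ids.items():
                keep.source_ids.setdefault(src, set()).update(ids)
                for i in ids:
                    self.by_source[(src, i)] = keep.sbv_id
            del self.by_sbv[sbv_id]
            return keep
        d.cve = cve
        self.by_cve[cve] = sbv_id
        return d


def run_example() -> Dictionary:
    d = Dictionary()
    firefox = "Mozilla Firefox <87 Remote Security Compromise Vulnerability"
    for rec in [
        SourceRecord("Qualys", "375529", "CVE-2021-29951", firefox),
        SourceRecord("Nessus", "149254", "CVE-2021-29951", firefox),
        SourceRecord("Rapid7", "mfsa2021-10-cve-2021-29951", "CVE-2021-29951", firefox),
        # Constructed: a plugin with no CVE yet gets its own SBV ID
        SourceRecord("Nessus", "999001", None, "Acme Agent remote code execution"),
        # Constructed: the same advisory reported by a source without a CVE reference
        SourceRecord("Rapid7", "oracle-solaris-cve-2021-29951", None, firefox),
    ]:
        d.ingest(rec)
    # Later: the plugin is re-imported with a (placeholder) CVE, and analysis
    # links the Solaris record to the Firefox CVE, merging it into SBV-900000.
    d.ingest(SourceRecord("Nessus", "999001", "CVE-EXAMPLE-0001", "Acme Agent remote code execution"))
    d.assign_cve(d.by_source[("Rapid7", "oracle-solaris-cve-2021-29951")], "CVE-2021-29951")
    return d


if __name__ == "__main__":
    for sbv, defn in run_example().by_sbv.items():
        print(sbv, defn.cve, {k: sorted(v) for k, v in defn.source_ids.items()})
```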
Vulnerability information
The Skybox intelligence feed is a central repository for all relevant information about vulnerabilities.
The following information is available for every vulnerability:
- A textual description of the vulnerability
- Vulnerability IDs from all available sources, including CVE (if it exists)
- Affected products and affected versions, including framework dependencies
- Published solutions, remediation, and workaround information, originating in vendor advisories or from IPS vendors cross-referenced by CVE ID. The information includes a reference to the official solution in the advisory (patch ID or fixed version), where available.
- Severity vectors (CVSS v3 compliant)
- Vulnerability effect and attack precondition
- Exploit difficulty and authentication requirements
- References to public sources for additional information
- Exploitability level
Sample vulnerability
The following information is taken from SBV-132598 (CVE-2021-29951) to show the information that is available for a vulnerability.
Vulnerability title
  Mozilla Firefox <87, Firefox ESR <78.10.1 and Thunderbird <78.10.1 Remote Security Compromise Vulnerability - CVE-2021-29951
Vulnerability description
  Mozilla Firefox before 87, Firefox ESR before 78.10.1 and Thunderbird before 78.10.1 when running on Windows OS before Windows 10 1709, is affected by a security compromise vulnerability. The Mozilla Maintenance Service allows normal remote users to start or stop the service, which could be used to prevent browser update.
Affected products
  Mozilla Firefox <87, Mozilla Firefox ESR <78.10.1, and Mozilla Thunderbird <78.10.1 running on Microsoft Windows 7, Windows 8, Windows 10 versions 1703 and lower, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016.
Published solutions
  This issue was solved in Mozilla Thunderbird version 78.10.1. It is recommended to upgrade to this version or a later one. See the Mozilla website for download details: https://www.thunderbird.net/en-US/
  This issue was solved in Mozilla Firefox version 78.10.1 ESR. It is recommended to upgrade to this version or a later one. See the Mozilla website for download details: https://www.mozilla.org/en-US/firefox/enterprise/
Severity vectors
  CVSS v3 base score: 6.5
  CVSS v3 temporal score: 5.9
  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  E:P/RL:O/RC:C
External sources
  CVE-2021-29951
  Qualys IDs: 375529, 375531, 750123, 750141, 750166, 296053, 750810, 750823
  Rapid7 IDs: suse-cve-2021-29951, mfsa2021-10-cve-2021-29951, mfsa2021-18-cve-2021-29951, mozilla-thunderbird-cve-2021-29951, oracle-solaris-cve-2021-29951
  nCircle IDs: 487234, 487237, 487305
  Nessus IDs: 149254, 149255, 149256, 149257, 150397, 150404, 150455, 150456, 150587, 150685, 151707
Effect and precondition
  Effect: Security Compromise (Restrictions Bypass)
  Access precondition: Remote
Authentication
  Authentication required: None
Related sources information
  http://nvd.nist.gov/vuln/detail/CVE-2021-29951
  http://www.mozilla.org/security/announce/2021/mfsa2021-10.html
  https://www.mozilla.org/en-US/security/advisories/mfsa2021-18/
  https://www.mozilla.org/en-US/security/advisories/mfsa2021-19/
  (and many more)
Exploitability
  A PoC code was published (https://bugs.chromium.org/p/project-zero/issues/detail?id=2148)
Exploits
Exploitability data regarding vulnerabilities and malware is an important aspect of vulnerability prioritization. In addition to the exploitation information from the CVSS temporal vector, exploited vulnerabilities in the intelligence feed also include the exploitability level and information about which malware or exploit kit can attack them.
- Vulnerabilities with a proof-of-concept exploit: Sample exploit code is available in open or closed forums
- Vulnerabilities exploited in the wild: In targeted or distributed attacks, related or not to a specific malware or exploit kit
Products
The Skybox intelligence feed contains vulnerabilities published by the supported sources. These vulnerabilities are associated with more than 14,000 products. The vulnerabilities are added to the intelligence feed according to the affected product's priority. P1 is a list of critical or common products, P2 holds a larger group of enterprise-grade products, and P3 holds the long tail of other products.
See Skybox Intelligence Feed Supported Products and SLA under Appendices for a list of P1 and P2 products.
P1 products include the most important products of the following vendors and types (this is a non-exhaustive list):
- Operating systems: Microsoft Windows, Red Hat Linux, VMware, Citrix, Mac OS X, and Unix
- Network devices: Routers, switches, firewalls, and load balancers of the following vendors: Cisco, Check Point, Juniper Networks, and F5 (BIG-IP)
- Databases: Oracle Database, Microsoft SQL Server, and Oracle MySQL
- Web servers, application servers, mail servers, and DNS servers
- Runtime frameworks: Oracle Java, Microsoft .NET, and PHP
- Antivirus: McAfee and Symantec
- Popular workstation apps: Web browsers, Microsoft Office, Adobe Flash Player, Adobe Reader, and Microsoft Lync
- Other popular enterprise-level software: IBM products, Samba, and Splunk
P2 products include additional common enterprise products from over 700 vendors including: Adobe, Apple, Apache, Avaya, Cisco, CA, Elasticsearch, EMC, HP, IBM, Oracle, Pivotal, SAP, TIBCO, and VMware.
These lists are updated from time to time, to meet our customers' needs.
Banner translator and Skybox Vulnerability Detector
Skybox's capabilities include the identification of services from asset data that is imported from patch management and asset management systems, or from configuration files of devices, and detection of vulnerabilities on these services using a 'virtual scan' (Skybox Vulnerability Detector).
Skybox provides virtual scanning for a set of products that were found to be most important to our customers and the industry at large.
There is a list of products that are identified and translated by our banner translator. Other products appear in the model as unidentified or as a generic OS. The list is updated periodically. Most of these products allow vulnerability detection, meaning that vulnerabilities on these products that appear in the dictionary are discovered by the Vulnerability Detector.
The scope and speed of coverage of published vulnerabilities for these products depends on the priority (P1-P3) of the affected product.
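The following Python script is an added illustration of the two steps a virtual scan performs: translate a raw banner or inventory line into a canonical product and version, then compare that version against the affected-version ranges of each Vulnerability Definition. It is not Skybox's banner translator or Vulnerability Detector. The translation patterns, the inventory lines, the "Acme Agent" product and the SBV-EXAMPLE entry are constructed; the Firefox, Firefox ESR and Thunderbird upper bounds are those of SBV-132598 shown above.

```python
"""Banner translation and 'virtual scan' against affected-version ranges.

Added illustration, not Skybox code. Patterns, inventory lines, the
"Acme Agent" product and the SBV-EXAMPLE entry are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# (pattern, canonical product). Order matters: "Firefox ESR" before "Firefox".
# Each pattern expects the version number to follow the product name.
TRANSLATOR = [
    (re.compile(r"Firefox ESR\D*(\d+(?:\.\d+)*)"), "Mozilla Firefox ESR"),
    (re.compile(r"Firefox\D*(\d+(?:\.\d+)*)"), "Mozilla Firefox"),
    (re.compile(r"Thunderbird\D*(\d+(?:\.\d+)*)"), "Mozilla Thunderbird"),
    (re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)"), "OpenSSH"),
    (re.compile(r"Acme Agent\D*(\d+(?:\.\d+)*)"), "Acme Agent"),
]

# Vulnerability Definition -> {product: first fixed version}; "Firefox <87"
# means every version strictly below 87 is affected.
DICTIONARY: Dict[str, Dict[str, str]] = {
    "SBV-132598": {"Mozilla Firefox": "87", "Mozilla Firefox ESR": "78.10.1",
                   "Mozilla Thunderbird": "78.10.1"},
    "SBV-EXAMPLE": {"Acme Agent": "3.2"},   # constructed placeholder entry
}


def version_lt(a: str, b: str) -> bool:
    """Component-wise numeric '<' with zero padding, so 87.0 is not below 87
    and 78.9 is below 78.10.1 (a plain string compare puts 78.9 after 78.10.1)."""
    ta = [int(p) for p in a.split(".")]
    tb = [int(p) for p in b.split(".")]
    n = max(len(ta), len(tb))
    return ta + [0] * (n - len(ta)) < tb + [0] * (n - len(tb))


def translate(banner: str) -> Optional[Tuple[str, str]]:
    """Raw banner or inventory line -> (product, version); None if unidentified."""
    for pattern, product in TRANSLATOR:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def virtual_scan(banner: str) -> dict:
    """Identify the service, then report the VDs whose affected range contains it."""
    ident = translate(banner)
    if ident is None:
        return {"product": None, "version": None, "vulnerabilities": []}
    product, version = ident
    hits: List[str] = [vd for vd, affected in DICTIONARY.items()
                       if product in affected and version_lt(version, affected[product])]
    return {"product": product, "version": version, "vulnerabilities": hits}


INVENTORY = [   # constructed lines, as a patch-management export might list them
    "Mozilla Firefox ESR 78.9.0 (x64 en-US)",
    "Mozilla Firefox 87.0 (x64 en-US)",
    "Mozilla Thunderbird 78.10.1",
    "Acme Agent 3.1.4",
    "SSH-2.0-OpenSSH_8.4",
    "Frobnicator Service 1.0",    # not in the translator: stays unidentified
]

if __name__ == "__main__":
    for line in INVENTORY:
        print(f"{line!r:45} -> {virtual_scan(line)}")
```

The version comparison is the part that most often goes wrong in home-grown detectors: the fixed version "78.10.1" must sort after "78.9.0", and "87.0" must not be treated as older than "87". Anything the translator does not recognize is reported as unidentified rather than silently skipped, which is the signal to extend the pattern list.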
Skybox Vulnerability Center
Skybox™ Vulnerability Center is a public website presenting our vulnerability information, including basic search options and a notification service.
The Vulnerability Center includes the same vulnerabilities as our intelligence feed, although less information is available per vulnerability.
After the intelligence feed is released, the Vulnerability Center is updated to include the latest dictionary information.
Skybox intelligence feed SLA
The intelligence feed is released by 11 a.m. Eastern Standard Time every day except Saturday. You can configure the Skybox Server to automatically update the data service from the internet on a scheduled basis.
The intelligence feed is released with vulnerability updates according to the following policy:
1. Vulnerabilities affecting P1 products: Published within one business day from public disclosure of vulnerabilities by the supported vendors or NVD
2. Vulnerabilities affecting P2 products: Published within 7 days from public disclosure by NVD
3. Vulnerabilities affecting P3 products: Published gradually, after disclosure by NVD
4. Exploitability: Published daily; includes proof-of-concept exploits, vulnerabilities exploited in the wild, and popular malware
Chapter 28
IPS support in Skybox
This chapter explains how to model and use intrusion prevention system (IPS) devices in Skybox.
Skybox directly supports the following IPS devices:
- IBM Proventia G Appliance
- Trend Micro TippingPoint
- Palo Alto Networks (firewalls with IPS capability)
You can model other devices manually or using iXML.
In this chapter
IPS Dictionary 209
Working with IPS in Skybox 209
IPS Dictionary
The IPS rules (issue IDs) of supported IPS devices are included in the Skybox Vulnerability Dictionary. The rules are modeled by associating each rule with the Vulnerability Definitions that it handles.
Note: Only signature rules that handle specific Vulnerability Definitions are modeled. Rules that identify and handle more general packet anomalies are not modeled.
Dictionary updates include updates of vendor IPS rule definitions.
Working with IPS in Skybox
This section explains how to:
- Add supported IPS devices to your model
- Validate supported IPS devices
- View and manage IPS devices in Skybox
- Simulate the effects of IPS devices
- Add other IPS devices to your model
- Test what-if scenarios involving IPS devices
Adding supported devices
To add an IPS device to the model
1. Collect the device data:
- IBM Proventia G appliances: Use IPS – ISS SiteProtector IPS Collection tasks (see the IBM SiteProtector IPS collection tasks topic in the Skybox Reference Guide)
- Trend Micro TippingPoint IPS devices: Use IPS – Trend Micro TippingPoint Collection tasks (see the Trend Micro TippingPoint collection tasks topic in the Skybox Reference Guide)
- Palo Alto Networks firewalls: Use Firewalls – Palo Alto Networks Collection tasks, or collect the data offline (see the Palo Alto Networks firewall section in the Skybox Reference Guide)
2. For L2 devices, configure the network interfaces.
Note: Skybox connects the network interfaces of L3 devices automatically.
Configuring the network interfaces of L2 devices
After collecting the device data, the new device in Skybox has several pairs of L2 network interfaces and one management (L3) network interface. Each pair of L2 interfaces connects the IPS device to a different network. Each interface of a pair connects one side of the network to the IPS device. In Skybox, this is modeled by splitting the network into segments (manually) and manually attaching each L2 interface to the appropriate network segment. Skybox attaches the L3 interface to its network.
To configure the network interfaces in Skybox
1. Discover which networks (lines) are monitored by the IPS device and which network is monitored by which pair of adaptors (network interfaces).
2. For each network that the IPS device monitors, create 2 network segments: 1 for each endpoint of the line (that is, each network interface).
To create network segments:
a. In the Model tree, right-click the network to segment and select Manage Segments.
b. In the Manage network segments dialog box, click Add.
c. In the New Segment dialog box, type a Name for the segment and click OK.
d. Repeat steps b and c for the 2nd segment.
3. Assign each necessary L2 interface to its corresponding network segment:
a. In the tree, select All Network Devices > IPS Devices.
b. In the Table pane, select the IPS device.
c. In the Network Interfaces tab of the Details pane, right-click the interface to be connected and select Properties.
d. In the <network interface name> Properties dialog box, in Network, select the network segment to which to attach the interface and click OK.
When the IPS device is updated using the task, the connection between the L2 interfaces and their network segments is created automatically.
Terminology for working with IPS devices
Skybox works with devices from many vendors and does not use vendor-specific terminology when modeling the devices. However, because the terms can be confusing, Skybox terminology for IPS is mapped to IBM (Proventia G) and Trend Micro (TippingPoint) terminology in the following table.
SKYBOX TERM | IBM TERM | TREND MICRO TIPPINGPOINT TERM
Asset of type IPS with Firewall Type set to ISS Proventia | Proventia G appliance | N/A
Asset of type IPS with Firewall Type set to TippingPoint | N/A | TippingPoint device
IPS rule group | Protection domain | Profile
IPS rule | Security event | Filter
Rule ID | Issue ID (ID of the security event) | Filter number
(Network) interface | Adaptor | Segment
Validating IPS devices in the model
After you add an IPS to your model, validate that it is modeled correctly using the techniques explained in the following sections.
Validating the IPS rules
After you import an IPS device and (for L2 devices) attach every network interface to the correct segments or networks, validate that the IPS rules were imported correctly.
To validate the IPS rules
1. In the Table pane, right-click the device and select Manage IPS Rule Groups.
2. Double-click each rule group to view its rules.
3. Verify that the rules are in the Skybox Vulnerability Dictionary (that is, there is a check mark in the Dictionary column of the table).
If many of the rules are not in the Vulnerability Dictionary, you might be using an outdated version of the Vulnerability Dictionary. (If only a few rules are not in the Vulnerability Dictionary, they might be custom defined on the device.)
- For information about updating your Vulnerability Dictionary, see the Dictionary updates chapter in the Skybox Installation and Administration Guide.
4. Verify that the rule groups of the device in Skybox match the rule groups of the actual device.
- For Proventia G appliances, you can find the device rules and their rule group (protection domain) in SiteProtector, in the Security Event section.
You can view the IPS rule groups and rules in the Details pane, in the IPS Rule Groups tab.
Validating the access rules
After you validate the IPS rules, validate that the access rules were imported correctly.
To validate the access rules
1. In the Table pane, right-click the device and select Access Rules.
2. In the Access Control List Editor, verify that there are 2 rule chains: ACCESS and IPS.
3. Verify that access rules in the ACCESS chain do not permit packets to move between different lines (networks) that are monitored by the IPS or between the management (L3) interface and the L2 interfaces.
Important: For supported devices, these rules are created during the import and need only a brief check. However, this step is very important for devices defined using Skybox Manager or iXML.
4. Verify that the (IPS) access rules in the IPS chain contain references to IPS rule groups.
Verifying the effects of the IPS device
If an attack path goes through an IPS device, the attack is blocked (or has a lower probability of success) if it matches a preventing IPS rule.
After verifying that the IPS device was imported correctly, verify that Skybox correctly simulates the effect of the IPS device on the risk levels of your network.
Vulnerability occurrences that become inaccessible due to IPS prevention rules are assigned the Protected exposure status (not the Inaccessible status).
Note: There is no special status to show whether a vulnerability occurrence became indirectly exposed due to an IPS prevention rule or an access rule on a non-IPS gateway, or whether a vulnerability occurrence is partially prevented by IPS devices (from some Threat Origins or on some access routes).
To verify the effects of the IPS device
1. Enable the IPS device (in the Table pane, right-click the device and select Enable IPS).
2. Run the Analyze Simulate Attacks task.
In the Analyses tree (Public Analyses > Vulnerabilities > By Exposure > Protected), check whether exposed vulnerability occurrences (of the Vulnerability Definitions that the IPS device is configured to prevent) became Protected or Indirect.
Note: Sometimes, the IPS is supposed to protect a vulnerability occurrence from only one Threat Origin or one Threat Origin Category. The following procedure explains how to check this.
3. As an additional check, disable the IPS device (right-click the device and select Disable IPS), simulate attacks again, and check whether the exposure status of the vulnerability occurrences changes back to Exposed.
Verifying the effects of an IPS device against a threat
If the IPS device is supposed to protect against one Threat Origin Category, the vulnerability occurrences that it blocks can be vulnerable to other Threat Origin Categories and they do not have the Protected exposure. However, you can check the exposure of these vulnerability occurrences to the specific Threat Origin Category.
To verify the effects of the IPS device against one Threat Origin Category
1. Open a vulnerability occurrences analysis that contains the vulnerability occurrences to be blocked by the IPS device.
2. Add the <Category name> – Exposure field to the displayed columns for this table (right-click in the header row of the table and select Customize Current View).
3. Check whether the status of the vulnerability occurrences in the new column is Protected.
If you are not interested in all the Threat Origins in the Threat Origin Category, temporarily disable the irrelevant Threat Origins, rerun the attack simulation, and repeat steps 1 through 3.
Viewing and managing IPS devices in Skybox
The Model tree (All Network Devices > IPS Devices) contains a list of all IPS devices in the model. IPS devices are modeled using:
- IPS rules and rule groups
- IPS access rules, which define the scope of each rule group
IPS rules are configured to either prevent (block) or detect (and then, for example, log or send a message) malicious packets.
Note: Firewalls with supported IPS capability are listed in All Network Devices > Firewalls.
Working with IPS rules and rule groups
To access the IPS rules
1. In the Table pane, right-click the IPS device and select Manage IPS Rule Groups.
2. In the Manage IPS Rule Groups dialog box, double-click an IPS rule group or select the group and click Modify.
3. In the <IPS rule group name> Properties dialog box, you can add, delete, and modify IPS rules.
When you add rules, you can:
- Search for vendor-specific rules in the Skybox Vulnerability Dictionary and add them to an IPS rule group (see Adding vendor-defined IPS rules).
- Define new rules and specify the Vulnerability Definitions on which they act (see Adding custom IPS rules).
Working with access rules
To access the access rules for the IPS device
- In the Table pane, right-click the IPS device and select Access Rules.
Each IPS device has at least 2 rule chains: IPS and ACCESS.
  - In the IPS chain, each access rule relates to one rule group (in Proventia, each rule group represents a protection domain). The rules are of type IPS. There are usually 2 rules for each rule group: 1 inbound and 1 outbound.
  IPS access rules include the regular scope properties (source, destination, and network interfaces) and a reference to an IPS rule group of the device.
  - The ACCESS chain can include rules created by Skybox or by a user to ensure the correct flow of packets through the device, and access rules imported from the device (if it has filtering capabilities).
  Note: For Proventia G appliances, access rules are not imported from the device. The rules in the ACCESS chain are created according to the configuration of the device. The rules ensure the correct flow of data packets through the device, preventing packets from moving between L3 and L2 interfaces and between different lines (networks) monitored by the device.
For additional information about working with access rules, see the Access Control List Editor chapter in the Skybox Reference Guide.
Adding vendor-defined IPS rules
You can add any vendor-defined rule that is in the Skybox Vulnerability Dictionary to an IPS rule group.
Note: Vendor-defined rules that you add must match the device type.
To add vendor-defined rules to an IPS rule group
1. In the Rule Group Properties dialog box, click Add.
2. In the Add Vendor IPS Rules dialog box:
a. Specify search criteria in the Search Criteria pane. You can search for rules using:
- A string in the rule title
- The vendor rule ID
The string displayed at the beginning of Vendor Rule ID is based on the vendor vulnerability database used by the device. For IBM Proventia G appliances, the string is ISS_IPS/.
- Vulnerability Definitions
b. To search for rules that handle a Vulnerability Definition, click the Browse button next to Vulnerability Definition.
Use the Vulnerability Definition Finder dialog box to select the Vulnerability Definitions to block.
c. Click Search.
The results of the search are listed in Search Results.
d. Select rules in Search Results and click to move them to Selected Rules.
e. Select the action that this rule takes when it encounters vulnerability occurrences of these Vulnerability Definitions.
f. Click OK to add the rules.
Adding custom IPS rules
You can add custom rules to an IPS rule group by specifying the rule and the Vulnerability Definitions on which the rule acts.
To add a custom rule to an IPS rule group
1. In the Rule Group Properties dialog box, click Add Custom.
2. In the New IPS Rule dialog box:
a. In the General tab, fill in:
- Title
- Action
- Severity
- (Recommended) Description
b. To ignore the rule when analyzing risk, select Disabled.
Note: Other fields are disabled either because you cannot edit them using the Rule Group box or because they are applicable only for vendor IPS rules.
c. Click the Vulnerability Definitions tab.
d. Click Add.
e. In the Add Vulnerability Occurrences dialog box (which is similar to the Add Vulnerability Definition Finder dialog box):
i. Fill in the search fields and click Search.
The results are listed in Search Results.
ii. In Search Results, select the Vulnerability Definitions on which this IPS rule is to act and click to move them to Selected Vulnerability Definitions.
iii. Click OK.
The selected Vulnerability Definitions are added to the list of Vulnerability Definitions for the IPS rule.
iv. Click OK to save the rule.
Simulating the effects of IPS devices
The Analyze Simulate Attacks task takes enabled IPS devices into account when ascertaining possible attacks and the security risks.
An attack action is considered prevented if all access routes required for the action are blocked by IPS devices. More specifically, an attempt to exploit remotely from source x to vulnerability occurrence v on destination y is considered to be prevented if:
- The access route from the source to the destination necessarily passes through an IPS device
- The device is configured to block attack attempts on vulnerability occurrence v (for sources that include x and destinations that include y)
Note: Skybox only uses IPS prevention rules in attack simulation; Skybox does not use detection rules.
Vulnerability occurrences that become inaccessible due to IPS prevention rules are assigned the Protected exposure status (not the Inaccessible status). For additional information about the effects of IPS devices on vulnerability occurrences and risk, see Verifying the effects of the IPS device.
To simulate the effects of IPS devices
1. Enable all IPS devices that you are using in attack simulation.
(To enable an IPS device, right-click the device and select Enable IPS.)
2. Run the Analyze Simulate Attacks task.
Additional ways to model IPS devices
You can model IPS devices that are not supported directly by Skybox via Skybox Manager orby using iXML.
To define an IPS device
1. Create an IPS device in the model.
2. Assign the network interfaces of the IPS device to network segments in the model.
3. Create IPS rule groups with the appropriate rules.
4. Create IPS access rules.
5. Create other access rules.
Defining IPS devices using Skybox Manager
You can define IPS devices that are not supported by Skybox (custom devices) manually using Skybox Manager. You can also use this method to define IPS devices that are directly supported.
Creating an IPS device in the model
An IPS device is modeled as an asset of type IPS.
To create an IPS device
1. In the Model tree, expand All Network Devices.
2. Right-click IPS Devices and select New IPS.
3. In the New Asset dialog box:
a. Type a Name for the IPS device.
b. Select the device type:
- For IBM Proventia appliances: In Firewall Type, select ISS Proventia.
- For Trend Micro TippingPoint devices: In Firewall Type, select TippingPoint.
- For custom devices: In Firewall Type, select Custom.
c. Provide values for other fields:
- Select Layer 2.
- In Network Interfaces, define the device network interfaces.
- (Recommended) Select values for Operating System and Platform.
- The values in other fields do not need to be changed.
d. Click OK.
Configuring the network interfaces
After you add the device to the model, assign the network interfaces in the model to the correct networks.
To configure the network interfaces
1. Discover which networks (lines) are monitored by the IPS device and which network is monitored by which pair of adaptors (network interfaces).
2. For each network that the IPS device monitors, create 2 network segments: 1 for each endpoint of the line (that is, each network interface).
3. Assign each L2 interface to its corresponding network segment.
For more detailed instructions, see Configuring the network interfaces.
Creating IPS rule groups
In Skybox, each IPS rule group monitors a different type of event. Each rule in the groupspecifies a single type of event to block.
To create an IPS rule group and IPS rules
1. In the Table pane, right-click the device and select Manage IPS Rule Groups.
2. In the Manage IPS Rule Groups dialog box, click Add.
3. In the New IPS Rule Group dialog box:
a. Type a Name for the rule group.
b. Add IPS rules:
- To add custom rules, see Adding custom IPS rules.
- To add vendor-defined rules (for IBM Proventia appliances), see Adding vendor-defined IPS rules.
Creating access rules
An IPS device requires access rules of (at least) 2 types:
- IPS: Access rules that define the scope of the IPS rule group
There must be at least one IPS access rule for each IPS rule group, or one for inbound traffic and one for outbound traffic. The action of these access rules must be IPS.
- ACCESS: Access rules that define the movement of packets in the device.
Define rules so that packets cannot move between different lines (networks) that are monitored by the IPS device nor between the management (L3) interface and the L2 interfaces.
For additional information about access rules, see the Access Control List Editor chapter in the Skybox Reference Guide.
Order of applying IPS access rules in IPS devices
The IPS access rules in a rule chain are applied in either of 2 ways, depending on the predefined behavior of the device:
• Use all rules that match the data. This method is usually used for IPS access rules.
• Use (only) the 1st rule that matches the data. This method is used for access-related access rules, but it is not often used for IPS access rules.
For supported IPS device types, the method used is according to the behavior on the device; you cannot change the method.
For device types that are not directly supported (that is, devices whose Firewall Type is set to Custom), the Use all rules that match the data method is used by default.
To change the method of applying IPS access rules for a custom IPS device
1. Open the Properties dialog box for the device.
2. Click the Browse button next to Firewall Type (which contains the value Custom).
3. In the ACL Management dialog box, in Applied IPS Rules, select a behavior.
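To make the two rule types and the two evaluation methods concrete, here is an added Python model (not Skybox code) of a rule chain on an IPS device: ACCESS rules decide, first match wins, whether a packet may move between interfaces, and IPS rules scope IPS rule groups and are applied either all-match or first-match. The interface names, addresses, rule names and field layout are constructed for this illustration and are not Skybox's own data structures.

```python
"""Toy model of how the IPS access rules of an IPS device are applied.

Added example, not Skybox code. The rule fields, interface names,
addresses and rule names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                      # "ACCESS" (packet movement) or "IPS" (rule group scope)
    in_if: Optional[str] = None      # None matches any interface
    out_if: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None   # None matches any port
    permit: bool = True              # ACCESS rules only
    ips_group: Optional[str] = None  # IPS rules only: the IPS rule group this rule scopes


def matches(rule: AccessRule, pkt: Packet) -> bool:
    """True if the packet falls inside the rule's interface, address and port scope."""
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.out_if is not None and rule.out_if != pkt.out_if:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def access_allowed(chain: List[AccessRule], pkt: Packet) -> bool:
    """ACCESS rules use first-match semantics; a packet that no rule permits is dropped."""
    for rule in chain:
        if rule.action == "ACCESS" and matches(rule, pkt):
            return rule.permit
    return False


def applied_ips_groups(chain: List[AccessRule], pkt: Packet, method: str) -> List[str]:
    """IPS rule groups whose scope covers the packet.

    method == "all":   use all IPS rules that match (the usual IPS behaviour)
    method == "first": use only the 1st IPS rule that matches
    """
    if method not in ("all", "first"):
        raise ValueError(f"unknown method {method!r}")
    groups: List[str] = []
    for rule in chain:
        if rule.action == "IPS" and matches(rule, pkt):
            groups.append(rule.ips_group)
            if method == "first":
                break
    return groups


def evaluate_packet(chain: List[AccessRule], pkt: Packet, method: str = "all") -> Tuple[bool, List[str]]:
    """Return (may the packet move, which IPS rule groups inspect it); dropped packets reach no group."""
    if not access_allowed(chain, pkt):
        return False, []
    return True, applied_ips_groups(chain, pkt, method)


# Constructed device: line A is eth0<->eth1, line B is eth2<->eth3, mgmt0 is the L3 management interface.
CHAIN = [
    AccessRule("ips-web-inbound", "IPS", in_if="eth0", dst_port=80, ips_group="web-critical"),
    AccessRule("ips-inbound", "IPS", in_if="eth0", ips_group="inbound-baseline"),
    AccessRule("ips-outbound", "IPS", in_if="eth1", ips_group="outbound-baseline"),
    AccessRule("line-a-in", "ACCESS", in_if="eth0", out_if="eth1"),
    AccessRule("line-a-out", "ACCESS", in_if="eth1", out_if="eth0"),
    AccessRule("line-b-in", "ACCESS", in_if="eth2", out_if="eth3"),
    AccessRule("line-b-out", "ACCESS", in_if="eth3", out_if="eth2"),
    AccessRule("deny-rest", "ACCESS", permit=False),  # no line-to-line and no mgmt<->L2 movement
]

# Constructed packets (documentation address ranges, not real traffic).
WEB_ON_LINE_A = Packet("eth0", "eth1", "203.0.113.5", "192.0.2.10", 80)
CROSS_LINE = Packet("eth0", "eth3", "203.0.113.5", "198.51.100.7", 443)
MGMT_TO_L2 = Packet("mgmt0", "eth1", "10.0.0.9", "192.0.2.10", 22)

if __name__ == "__main__":
    samples = [("web on line A", WEB_ON_LINE_A), ("line A -> line B", CROSS_LINE), ("mgmt -> L2", MGMT_TO_L2)]
    for label, pkt in samples:
        for method in ("all", "first"):
            print(f"{label:16} [{method:5}] -> {evaluate_packet(CHAIN, pkt, method)}")
```

Under the all-match method the web packet is inspected by both the web-critical and the inbound-baseline groups; under first-match only the first IPS rule in the chain counts, which is why rule order matters on a custom device.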
Defining IPS devices using iXML
Skybox supports definition of IPS devices using iXML:
1. Use iXML to define IPS rule groups, IPS rules and the Vulnerability Definitions that they handle, and IPS access rules that define the scope of the IPS rule groups.
2. Import the iXML file into the model.
You can create iXML files manually or by using Perl scripts to translate the mapping and configuration files of unsupported IPS devices to iXML.
To model IPS devices using iXML, see the following in the Skybox Developer Guide:
• iXML elements: For general information about iXML elements
• Example of iXML code for an IPS device: For an example iXML code for an IPS device
• AddIpsRuleGroup method: For information about Perl API methods for supporting IPS devices
Testing the effects of an IPS device using Skybox
You can experiment with different IPS device setups in your network using the What If model.
Testing IPS devices
You can simulate the effects of an IPS device at a location in your network to establish whether an IPS device at that location would improve network security.
After you add the device, you can create custom rules (or add vendor-defined rules from the Skybox Vulnerability Dictionary) that handle the problem that you are addressing (for example, critical web server Vulnerability Definitions). You can then check whether the IPS device lowers the risk of attack on the network.
To test an IPS device
1. If you do not have a What If model: Select File > Models > Create Model.
2. In Source Model, select Live.
3. In Target Model, select What If.
4. Select Switch to target model after creation.
This copies the Live model to the What If model and switches to the What If model.
5. Add the IPS device to the What If model using:
• An online collection task
• Skybox Manager
• iXML
6. Run an Analysis – Exposure task to simulate attacks.
7. Check the results of the attack simulation.
Testing enhanced coverage of an IPS device
If an IPS device has limited coverage of Vulnerability Definitions in Prevention mode, you can explore the effects of adding rules to cover additional Vulnerability Definitions.
You can create custom rules (or add vendor-defined rules from the Skybox Vulnerability Dictionary) that handle the problem that you are addressing (for example, critical web server Vulnerability Definitions). You can then check whether the new rules lower the exposure of the Vulnerability Definitions and the risk of attack on the network.
To test enhanced coverage of an IPS device
1. Switch to the What If model:
• If there is a What If model:
a. Select the IPS device in the Live model.
b. Right-click the device and select Advanced > Copy To > What If.
c. Switch to the What If model.
This copies the IPS device to your What If model.
• To create a What If model:
a. Select File > Models > Create Model.
b. In the dialog box:
• Set Source Model to Live
• Set Target Model to What If
• Select Switch to target model after creation
c. Click OK.
This copies the Live model (including the IPS device) to the What If model and switches to the What If model.
2. In the IPS device in the What If model, create the necessary custom rules. For IBM Proventia appliances, you can add vendor-defined rules.
3. Simulate attacks.
4. Check the results of the attack simulation.
Chapter 29
Optimization
This chapter explains how to optimize attack simulation and access analysis, which are resource-intensive operations.
In this chapter
Performance considerations 221
Optimizing Access Analyzer analysis 222
Performance considerations
Simulating attacks is a resource-intensive operation. This section discusses performance considerations to be aware of when running attack simulation and Access Analyzer.
Performance considerations can be grouped into the following categories:
• Model size and complexity
• Routing rule issues
• Hardware issues
Model size and complexity
• Attack simulation performance is affected by the size and complexity of the model. The more assets, access rules, and vulnerability occurrences that there are in the model, the longer it takes to run attack simulation. (This does not mean that you should not model your whole network, but that you should be aware that as the size of the model grows, attack simulation takes longer to run.)
• The number of Threat Origins affects performance; the system might suffer performance degradation when using more than several tens of Threat Origins.
To reduce the number of Threat Origins, consider grouping multiple starting points into a single Threat Origin. For example, multiple connections to the internet can be represented as one Threat Origin on the internet cloud. You can include multiple networks or clouds in a Threat Origin.
• Setting the Simulate Full IP Spoofing option of the Analyze Simulate Attacks task (or whichever Analysis – Exposure task you use) to true significantly slows performance.
Routing rule issues
If Access Analyzer identifies that routing rules are missing, it assumes that packets to unspecified destinations are forwarded to each neighbor of a router; this increases the calculation time of Access Analyzer (and of attack simulation) and creates false positives. If there are routing rules, Access Analyzer knows the router's neighbors to which packets are forwarded.
Hardware issues
Attack simulation can consume a significant amount of memory on the Skybox Server (depending on the size and complexity of the model). To improve performance, make sure that:
• You are using the recommended hardware setup for your project size (see the Skybox Server system requirements topic in the Skybox Installation and Administration Guide)
• Your server is configured for Skybox
Attack simulation performance benefits from multiprocessors on the Skybox Server machine.
Note: If you get an Out of Memory warning, attack simulation does not run.
Performance considerations for Access Analyzer
Access Analyzer is not as resource intensive as attack simulation, but it can be slow, especially for multiple sources and destinations. Performance considerations that affect attack simulation also affect Access Analyzer, except the number of vulnerability occurrences (Access Analyzer does not work with vulnerability occurrences). Setting the Explain Route option of Access Analyzer to false might improve performance, but Access Analyzer then only checks for access without providing any explanation.
Optimizing Access Analyzer analysis
Access Analyzer analysis is a resource-intensive computational process. It analyzes access routes from a source to a destination, based on network topology, access and routing rules, address translation, and port translation.
Analyses of a single source asset or network and a single destination asset or network take the least time. An analysis might take longer if:
• Source or Destination has a value of Any
• IP address spoofing is used
• There are no routing rules in the model
• The source or the destination contains groups of networks or assets
• Routing rules are completely ignored (Ignore All Routing Rules) or partially ignored (Use Dynamic Routing Rules)
When routing rules are not used (because they are ignored or because they do not exist), the analysis results might be less accurate.
For large organization networks, this analysis can take time, because of the large number of assets, networks, and gateways. The analysis is also affected by the number of access and address translation rules, and by the size of routing tables.
Deployment
This part explains how to plan a deployment of Skybox and prepare the necessary data for the model.
The information in this part is relevant when planning a model to use with the Exposure feature of Skybox Vulnerability Control. Some information is not relevant if you are working with the Security Metrics feature only.
Chapter 30
Planning deployment
Before you begin deployment on a large network, create a deployment plan and put together a deployment team from all departments involved in the project. Then prepare the data.
In this chapter
Deployment plan 224
Deployment team 225
Deployment plan
Before you begin deploying Skybox on a large network, create a deployment plan. This plan should include:
• The deployment team
A list of the people who should be involved in the deployment project, their contact information, and the time required from them.
• A scope for the deployment
The parts of the network and the Business Units that the deployment is to cover.
• The network data required for deploying Skybox
1. Understand the structure of your network, by using network diagrams and interviewing network administrators.
2. Prepare the network data for Skybox, including scan results, network diagrams, and firewall configuration files.
• A project timeline
If this is a large deployment, we recommend that you divide it into phases that have clear value-adding milestones as their endpoints (see Phases of deployment).
• The hardware required for deploying Skybox
This includes a dedicated server for the Skybox Server and, probably, machines for the Skybox Collector nodes (not necessarily dedicated). For additional information, see the Skybox Server system requirements topic in the Skybox Installation and Administration Guide.
For small networks, a complete plan is not crucial, but facilitates the deployment. At a minimum, a plan for a small network should include the deployment team and the scope of deployment, as much network data as possible, and a dedicated server for Skybox.
Skybox Professional Services personnel, certified resellers, and implementation partners are trained to assist you in building a deployment plan. For information about contacting Skybox, see Technical support.
Deployment team
Deploying Skybox in a large organization might involve people from several departments, sometimes from different business units.
Getting the support and cooperation of these people is important for a quick and successful deployment of Skybox; involve them from the early stages of deployment.
Some of these people will use the product directly, some will receive output (reports and alerts), and some will only provide required information. Product users might benefit from training; to set up training sessions, contact Skybox Support.
Chapter 31
Phases of deployment
If you are deploying Skybox in a large organization, it is useful to divide the project into phases and to define clear milestones for each phase in both of the following aspects:
• Organizational
Complete deployment for a business unit or division and then continue to the next.
• Geographical
Complete deployment for a site or location and then continue to the next.
These aspects are not mutually exclusive and can sometimes be used in parallel.
Chapter 32
Preparing data for Skybox
This chapter explains the data that is required for Skybox and how to prepare it.
In this chapter
Information requirements 227
Preparing a list of network devices 227
Defining the data collection strategy 228
Preparing scanning information 229
Preparing the data 229
Modeling unsupported devices 230
Information requirements
Getting all required information is a crucial part of Skybox deployment. The required information includes:
• Network information, including basic architecture and which networks host the production servers
• Device information (for example, the credentials required to access the devices; the Skybox Collector to use; whether collection is online or by file import)
• Scanning information (for example, which scanners are used and how often the networks are scanned)
• Business information, including a list of the most important Business Asset Groups
The more information that is ready in advance, the faster your deployment project will go. However, you do not need to wait for all the information to start the deployment; additional information can be discovered during the deployment project.
The following sections provide details about preparing the necessary information.
Preparing a list of network devices
After you decide the scope of the network to include in the model, you must get data about each network device in the selected scope.
Prepare a list of the network devices in the scope, including all firewalls, routers, and other L3 devices, and all filtering devices (L2 or L3).
Example list
Supported data sources
The Skybox platform is compatible with many data sources, including:
• Firewalls
  ◦ Check Point FireWall-1 NG and NGX
  ◦ Check Point Provider-1
  ◦ Cisco PIX/ASA/FWSM
• Routers
  ◦ Cisco IOS
• Cloud platforms
  ◦ Amazon Web Services
  ◦ Azure Cloud
  ◦ VMware NSX-T
• Vulnerability scanners (for importing vulnerability occurrence information)
  ◦ Qualys
  ◦ Tenable
  ◦ Rapid 7
Refer to the Skybox website for a list of supported devices.
Defining the data collection strategy
Define a collection strategy for each network device to be modeled. Refer to the Skybox website for a list of supported devices, which lists the network devices that are directly supported by Skybox. Note devices that are not supported directly; each device must be modeled separately (see Modeling unsupported devices).
Skybox supports the following methods of retrieving data from directly supported devices:
• Offline file import: Extract the data from files written by the device. The data files are imported into the model using an offline file import task.
• Online collection: Retrieve the data directly from the device or the device management system. You create a task in Skybox, which instructs a Skybox Collector to retrieve the data from the device. This data is then added to the model.
The primary reasons for selecting a strategy are the presence of a data repository, device accessibility, and the rate of changes to the device.
Offline file import is usually used for:
• Devices whose information is stored in a repository.
If your organization has a repository that contains the necessary data for specific devices, you can import data from the repository into the model.
• Devices that a Skybox Collector cannot access easily.
If the device is in a segmented network, the alternative is to install an additional Skybox Collector in that network segment.
• Devices for which you do not have the access permissions necessary for retrieving the configuration and routing data.
• Devices managed by a team that does not permit you continuous access.
• Infrequently updated devices.
For infrequently updated devices, you could receive an alert (reminder) and then import the data manually instead of including the devices in the automated collection.
Online collection is usually used for:
• Devices that are easily accessible and whose configuration and routing information is not stored in a central repository.
• Devices managed by management servers that are supported by Skybox.
• Frequently updated devices.
Preparing scanning information
Scanning information is necessary to build the model. It provides information about assets and services, and information about the vulnerability occurrences that are on scanned assets. Assets are not scanned by Skybox, but by external sources.
Skybox scanner tasks add scan data to the model. Refer to the Skybox website for a list of supported devices.
The following scanning decisions affect Skybox:
• Are the networks scanned regularly? How often?
• Using which scanners?
• What level of scanning is used?
• Who is responsible for running network scans?
Plan the collection of scan data for Skybox according to the answers to these questions.
Important: Skybox requires unrestricted scanning output (that is, output with a minimum of control devices blocking the route between the scanner and the scanned assets). Skybox later analyses permitted and blocked access. To achieve unrestricted scans, you might need to install additional scanning agents in your network.
Preparing the data
For each network device that will be imported, ascertain the files that Skybox requires to model the device and make sure that these files are available. For example, for a Cisco router, Skybox requires the output of the show running-config and show ip route vrf * commands, stored in separate files. For detailed information, see the Data formats for file import tasks topic in the Skybox Reference Guide.
Devices whose data is actively collected might require advanced preparation. For detailed information, see the Tasks part of the Skybox Reference Guide.
Asset tags are not case-sensitive
Asset tags in Skybox (including security tags from cloud assets) are not case-sensitive. To model tags that are identical except for capitalization correctly in Skybox (channel and Channel, for example), change the data source to distinguish between tags using a different naming convention.
Modeling unsupported devices
You can model devices that are not directly supported by Skybox:
• Create a script to translate the device configuration to iXML and import the device data.
  ◦ For information about iXML, see the Integration part of the Skybox Developer Guide.
  ◦ Contact Skybox Support for help creating the script.
• Model the device manually in Skybox.
This is the simplest method to use if you have only a few devices that are not directly supported. However, if you make changes to a device, you must update it manually in Skybox.
Chapter 33
Starting deployment
However you divide the network, we recommend that you start the deployment with a 1st phase of a relatively small number of nodes (approximately 100 to 1000). Select a complete network environment of approximately this size and import the environment.
First phase of deployment
This is a basic workflow for the 1st phase of deployment when working with Exposure.
1. Add network information.
Collect the network information for this phase offline, using Skybox offline file import tasks (we recommend that you use Import – Directory tasks wherever possible). Before you run these tasks, make sure that the necessary data for each device is stored in the correct location.
• For information about importing the network environment, see Building the network topology.
• For information about preparing the data for each device, see the Tasks part of the Skybox Reference Guide.
2. Add security information.
The model must include asset and vulnerability occurrence information to analyze risk and attacks.
3. Validate the model.
After the network and security information is added to the model, check the information for correctness.
4. Set up the Business Unit hierarchy.
The 1st phase of adding business information should include 3 to 5 top Business Asset Groups.
5. Add Threat Origins.
The 1st phase should include 1 or 2 major threats (Skybox includes the internet as a threat). We recommend that you start with external threats rather than threats that are inside your organization and begin by defining the threats that pose the greatest risk.
6. Simulate attacks (to provide exposure information).
7. Identify critical issues.
8. Mitigate critical risks.
After you finish this phase, you will have a better idea how Skybox works with your network and how to use it to lower risk. At this point, you can plan the scope of additional phases of deployment and prepare Skybox to work in a more automated manner.
Skybox Intelligence Feed Supported Products and SLA
December 2021
skyboxsecurity.com 1
Table of Contents
Products 2
Banner Translator and Vulnerability Detector 2
Skybox Intelligence Feed SLA 3
Appendix A – P1 Products List 4
Appendix B – P2 Products List 7
Appendix C – Banner Translator Products 64
Products
The Skybox intelligence feed contains vulnerabilities published by the supported sources. These vulnerabilities are associated with more than 14,000 products. The vulnerabilities are added to the intelligence feed according to the affected product's priority. P1 is a list of critical or common products, P2 holds a larger group of enterprise-grade products, and P3 holds the long tail of other products. P1 products (see Appendix A – P1 Product List) include the most important products of the following vendors/types (this is a non-exhaustive list):
• Operating systems: Microsoft Windows, RedHat Linux, VMWare, Citrix, Mac OS X and Unix
• Network devices: routers, switches, firewalls and load balancers of the following vendors: Cisco, Check Point, Juniper Networks, Big-IP and Juniper
• Databases: Oracle Database, Microsoft SQL Server and Oracle MySQL
• Web servers, application servers, mail servers and DNS servers
• Real-time running frameworks: Oracle Java, Microsoft .NET and PHP
• Antiviruses: McAfee and Symantec
• Popular workstation apps: web browsers, Microsoft Office, Adobe Flash Player, Adobe Reader and Microsoft Lync
• Other popular enterprise-level software: IBM products, Samba, Splunk
P2 products (see Appendix B – P2 Product List) include additional common enterprise products from over 700 vendors including: Adobe, Apple, Apache, Avaya, Cisco, CA, Elasticsearch, EMC, HP, IBM, Oracle, Pivotal, SAP, TIBCO and VMWare. Please note that the lists are updated from time to time, to meet our customers' needs.
Banner Translator and Vulnerability Detector
Skybox's capabilities include the identification of services from asset data that is imported from patch management and asset management systems, or from configuration files of devices, and detection of vulnerabilities on these services using a "virtual scan" (known as Vulnerability Detector or VD). Skybox provides virtual scanning for a set of products that were found most important to our customers and the industry at large. The list in Appendix C – Banner Translator Products specifies the products that are identified and translated by our banner translator (other products appear in the model as "unidentified" or "generic OS"). The list of supported products is updated periodically. Most of these products allow vulnerability detection [1]: vulnerabilities on these products, which appear in the dictionary, are discovered by VD. The scope and speed of coverage of published vulnerabilities for these products is according to the SLA of their priority (P1, P2, or P3).
[1] The exception is a small number of products that were added for model display purposes only, and we cannot vouch for the exact modeling of their versions to allow accurate matching. These are mostly network devices.
Skybox Intelligence Feed SLA
The intelligence feed is released by 11 a.m. Eastern Standard Time every day except Saturday. The Skybox Server can be configured to automatically update the data service from the internet on a scheduled basis.
The intelligence feed is released with vulnerability updates according to the following policy:
1. Vulnerabilities affecting P1 products: published within one business day from public disclosure of vulnerabilities by the supported vendors or NVD
2. Vulnerabilities affecting P2 products: published within seven days from public disclosure by NVD
3. Vulnerabilities affecting P3 products: published gradually, after disclosure by NVD
4. Exploitability: Published daily, to include proof-of-concept exploits and vulnerabilities exploited in the wild and popular malware
Appendix A – P1 Products List
Vendor Name Product Name
Apache Software Foundation Apache
Apache Software Foundation Struts
Apache Software Foundation Tomcat
Apple iOS
Apple iPadOS
Apple iTunes
Apple iTunes for Windows
Apple MacOS X
BlueCoat Systems ProxySG
Check Point Software Gaia OS
Check Point Software Security Gateway
Check Point Software VPN-1
Cisco ASA
Cisco IOS
Cisco PIX
Citrix XenServer
F5 BigIP
FreeBSD FreeBSD
GNU GnuTLS
Google Chrome
HP HP-UX
IBM AIX
IBM HTTP Server
IBM Lotus Domino
IBM WebSphere Application Server
ISC BIND
Juniper Networks JUNOS
Juniper Networks Junos OS Evolved
Juniper Networks ScreenOS
Linux Linux Kernel
McAfee VirusScan Enterprise
Microsoft .NET Framework
Microsoft Active Directory
Microsoft Edge
Microsoft Edge Chromium
Microsoft Excel
Microsoft Exchange Server
Microsoft IIS
Microsoft Internet Explorer
Microsoft Lync Server
Microsoft Office
Microsoft Outlook
Microsoft PowerPoint
Microsoft SQL Server
Microsoft Surface Book
Microsoft Windows 10
Microsoft Windows 10 Mobile
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Microsoft Windows Vista
Microsoft Word
Microsoft XML Core Services
Microsoft Yammer Desktop App
Mozilla Firefox
OpenBSD OpenSSH
OpenLDAP OpenLDAP
OpenSSL OpenSSL
Oracle JRE
Oracle MySQL
Oracle Oracle Application Server
Oracle Oracle Database
Oracle Oracle E-Business Suite (Oracle Applications)
Oracle Oracle HTTP Server
Oracle Server JRE
Oracle Solaris
Palo Alto PAN-OS
PHP PHP
RealVNC RealVNC
RealVNC VNC Server
RedHat Enterprise Linux
RedHat Enterprise Linux Server
RedHat Enterprise Linux Server AUS
RedHat Enterprise Linux Virtualization
RedHat Enterprise Linux Workstation
RedHat Enterprise Virtualization (RHEV)
RedHat JBoss Enterprise Application Platform
RedHat JBoss Enterprise Web Server
RedHat JBoss Fuse
RedHat JBoss Fuse Integration Services (FIS)
RedHat JBoss Fuse Service Works
RedHat JBoss Web Server
RedHat Migration Toolkit for Containers
RedHat Network Satellite Server
RedHat OpenShift
RedHat Openshift Container Storage
RedHat OpenShift Enterprise
RedHat OpenShift GitOps
RedHat OpenShift Logging
RedHat OpenShift Serverless
RedHat OpenShift Service Mesh
RedHat OpenShift Virtualization
RedHat Red Hat Virtualization Host
RedHat Red Hat Virtualization Manager
Samba Samba
Skype Technologies Skype
Splunk Splunk
Sun Java System Application Server
Sun SunOS
Sybase Adaptive Server Enterprise
Symantec Endpoint Protection
Symantec Endpoint Protection Manager
Symantec Norton Antivirus
TIBCO Enterprise Message Service
TIBCO Rendezvous
VMWare NSX-T Data Center
VMWare NSX-V (NSX for vSphere)
VMWare VMware ESX Server
VMWare VMware ESXi Server
XenProject Xen
Appendix B – P2 Products List
Vendor Name Product Name
.NET Foundation IronPython
10Web Form Maker Plugin
10Web Photo Gallery Plugin
1E Nightwatchman
2Checkout 2Checkout Add-on for iThemes Exchange
3T Software Labs Robo 3T
3T Software Labs Studio 3T
7-Zip 7-Zip
Ab Initio Co>Operating System
Ab Initio Control Center
Ab Initio Enterprise Meta>Environment (EME)
Ab Initio Express>IT
Ab Initio Graphical Development Environment (GDE)
Ab Initio Metadata Hub
Ab Initio Technical Repository Management Console
ABBYY Recognition Server
Accenture Accelerate
Access Solutions TSSAdmin
Actiance Vantage
Actifio CDS
Adaptiva OneSite
Adobe Acrobat DC Classic
Adobe After Effects
Adobe After Effects CC 2019
Adobe Animate
Adobe Audition
Adobe Bridge
Adobe Captivate
Adobe Character Animator
Adobe Character Animator CC 2019
Adobe Digital Editions
Adobe Dreamweaver
Adobe Flash Media Server
Adobe Flash Player Installer
Adobe Illustrator
Adobe Incopy
Adobe InDesign
Adobe Lightroom Classic
Adobe LiveCycle
Adobe Media Encoder
Adobe PhoneGap Push Plugin
Adobe PhotoShop
Adobe Prelude
Adobe Prelude CC 2019
Adobe Premiere Pro
Adobe Premiere Pro CC 2019
Adobe Reader DC Classic
Adobe Reader DC Continuous
Adobe XD
ADPAC SVCommands
Advanced Custom Fields Project Advanced Custom Fields
Affinite Profiler
AFNetworking Project AFNetworking
Ai Squared Window-Eyes
Ai Squared ZoomText
Ailleron LiveBank
Ajv Ajv
Alexander Schneider User Access Manager Plugin
Ali Mirzaei Ajax BootModal Login
Altair Altair Panopticon
Amazon AWS Command Line Interface (CLI)
Amazon AWS Schema Conversion Tool
Amazon DynamoDB
Amazon SageMaker
AmberPoint HyperSonic
AMD A Series
AMD Athlon
AMD CPU
AMD E Series
AMD FX Series
AMD Phenom
AMD Turion
Anaconda Anaconda Enterprise
Anaconda Miniconda
Angoss KnowledgeSEEKER
Angoss KnowledgeSTUDIO
AngularJS Angular CLI
AngularJS AngularJS
AngularJS Protractor
Ansible Ansible
AOL AOL Instant Messenger
Apache Cordova
Apache PDFBox
Apache Software Foundation ActiveMQ
Apache Software Foundation Ant
Apache Software Foundation Apache Livy
Apache Software Foundation Apache Zookeeper
Apache Software Foundation APR
Apache Software Foundation APR-util
Apache Software Foundation Axis
Apache Software Foundation Axis2
Apache Software Foundation Cassandra
Apache Software Foundation Commons Collections
Apache Software Foundation Commons FileUpload
Apache Software Foundation Cordova Android
Apache Software Foundation Geronimo
Apache Software Foundation Hadoop
Apache Software Foundation HBase
Apache Software Foundation Hive
Apache Software Foundation Ignite
Apache Software Foundation JMeter
Apache Software Foundation Kafka
Apache Software Foundation Log4j
Apache Software Foundation Maven
Apache Software Foundation Mesos
Apache Software Foundation OpenOffice
Apache Software Foundation Sentry
Apache Software Foundation Solr
Apache Software Foundation Spark
Apache Software Foundation Traffic Server
Apcon IntellaPatch 3000
Appian Appian
Apple CPU
Apple CUPS
Apple Safari
Apple Swift for Ubuntu
Appneta Network Performance Monitoring
AppSense Management Suite
AppViewX AppViewX Platform
Aprelium Technologies Abyss Web Server
Aram Kocharyan Crayon Syntax Highlighter Plugin
Arbor Networks Pravail Network Security Intelligence (NSI)
Arcadia Data Arcadia Enterprise
Arcserve Arcserve RHA
ArcSight Enterprise Security Manager
ArcSight SmartConnector
Arista EOS
ARM Cortex-A
ARM Cortex-R
Artezio Artezio Kanban Board for Jira
Artifex Software SmartOffice
asaquzzaman WP Human Resource Management
ASG ASG-TMON Change Manager for CICS TS (CATS)
ASG ASG-Zebb
Aspect Provisioning Server
Aspect Unified IP
ASPG MegaCryption
ASPG SMFUtil
Atlassian Bitbucket
Atlassian Bitbucket Data Center
Atlassian Bitbucket Server
Atlassian Confluence
Atlassian JIRA
Atlassian Jira Data Center
AUTOMATION ANYWHERE ENTERPRISE
AUTOMATTIC Akismet Anti-Spam Plugin
Avahi Avahi
Avaya 9600 Series IP Deskphones
Avaya Access Security Gateway Defender
Avaya Access Security Gateway Guard
Avaya Aura Application Enablement Services
Avaya Aura Experience Portal
Avaya Aura Session Manager
Avaya Aura System Manager
Avaya Aura System Platform
Avaya Call Management System (CMS)
Avaya Communication Manager (CM)
Avaya G430 Media Gateway
Avaya G450 Media Gateway
Avaya IP Soft Phone
Avaya One-X Agent
Avaya One-X Attendant
Avaya One-X Communicator
Avaya Proactive Contact
Avaya Secure Access Link (SAL)
Avaya SIP Conference Phone
Avaya Virtualization Platform
AvePoint DocAve
Avi Networks Avi Vantage
Awesome Support Team Awesome Support Plugin
Axis Network Camera
Axway SecureTransport
Azul Systems Zing
B&L Associates BL/LIB
Babel Project Babel
BackupGuard Backup Guard Plugin
Balabit syslog-ng
BearDev JoomSport
Bedford Associates Step By Step Trace (SST)
Bernie Jenny Color Oracle
BeyondTrust PowerBroker
BeyondTrust Privilege Management for Mac (PMM)
BeyondTrust Privilege Management for Unix & Linux (PMUL)
biscom Faxom
Bjorn Rosell WebP Express
Black Duck Hub
Blackberry Access
Blackberry Docs To Go
Blackberry Enterprise BRIDGE
Blackberry Unified Endpoint Management (UEM)
BlueCoat Systems BCAAA
BlueData Elastic Private Instant Clusters (EPIC)
BMC Software Atrium CMDB
BMC Software BMC Application Automation (BAA)
BMC Software BMC Atrium Orchestrator (BAO)
BMC Software BMC BladeLogic Server Automation Suite (BSA)
BMC Software BMC Middleware Automation (BMA)
BMC Software BMC Patrol
BMC Software Performance Assurance
BMC Software Release Lifecycle Management
BMC Software SQL-BackTrack for IBM Tivoli Storage Manager
BMC Software SQL-BackTrack for Oracle
BoldThemes Bold Page Builder Plugin
Bologer AnyComment Plugin
Bootstrapped Ventures WP Ultimate Recipe
Bradmark Technologies Surveillance DB
Brainstorm Force Schema – All In One Schema Rich Snippets
Branchfire iAnnotate
BrightSign XT1143 Expanded I/O Player
Brocade Brocade Director
Brocade SANnav Management Portal
Brocade ServerIron ADX 1000
Brocade ServerIron ADX 4000
BT MeetMe Services with Cisco WebEx
BT MeetMe with Dolby Voice
bTrade TDCommunity Manager
BuddyBoss BuddyBoss Media
Business Objects Crystal Reports
CA Technologies Application Performance Monitoring Introscope
CA Technologies BrightStor ARCServe Backup
CA Technologies CA DADS Plus for CICS
CA Technologies CA Database Management
CA Technologies CA Datacom
CA Technologies CA Deliver
CA Technologies CA Directory
CA Technologies CA Dynam/T
CA Technologies CA Email Supervision
CA Technologies CA Explore Performance Management for z/VM
CA Technologies CA Filesave RCS Automated Recovery
CA Technologies CA IDMS
CA Technologies CA InterTest
CA Technologies CA LDAP Server for z/OS
CA Technologies CA Mainframe VM Product Manager
CA Technologies CA Output Management Web Viewer
CA Technologies CA Single Sign-On Web Agent Option Pack
CA Technologies CA SymDump
CA Technologies CA Top Secret
CA Technologies CA Top Secret for z/VM
CA Technologies CA View
CA Technologies CA VM:Account
CA Technologies CA VM:Archiver
CA Technologies CA VM:Backup for z/VM
CA Technologies CA VM:Batch
CA Technologies CA VM:Director for z/VM
CA Technologies CA VM:Operator
CA Technologies CA VM:Schedule
CA Technologies CA VM:Secure for z/VM
CA Technologies CA VM:Sort
CA Technologies CA VM:Spool
CA Technologies CA VM:Spool VSEG Plus Component
CA Technologies CA VM:Tape for z/VM
CA Technologies CA Workload Automation
CA Technologies CA Workload Automation AE (AutoSys)
CA Technologies CA Workload Automation iDash
CA Technologies Data Protection
CA Technologies Easytrieve
CA Technologies Faver
CA Technologies Gen
CA Technologies MIM
CA Technologies NetMaster Network Management for TCP/IP
CA Technologies Optimizer/II
CA Technologies PDSMAN
CA Technologies Roscoe
CA Technologies Single Sign-On
CA Technologies SiteMinder Cookie Provider
CA Technologies SiteMinder Policy Server
CA Technologies SiteMinder Web Agent
CA Technologies SYSVIEW
CA Technologies Teleview Session Management
CA Technologies Telon
CA Technologies TPX Session Management for z/OS
CA Technologies Unicenter Output Management
CA Technologies Vantage
CA Technologies Vision:Builder
CA Technologies Vision:Excel
CA Technologies Vision:Results
CA Technologies VM HiDRO
Cambium Learning Kurzweil 1000
Canon imageRUNNER
Canon iR Printer
Capax Discovery Enterprise Archive Solution
Carts Guru Carts Guru
CentOS CentOS
CGI FASTWIRE Open
Chai Project Chai as Promised
Chai Project Chai Assertion Library
Check Email Project Check Email
Check Point Software Endpoint Security
Check Point Software Gaia Embedded
Check Point Software Maestro
Check Point Software Pointsec Protector
Check Point Software Pointsec WebRH
Check Point Software Provider-1
Check Point Software SecurePlatform
Check Point Software SecurePlatform NG
Check Point Software SecurePlatform NGX
Check Point Software SmartConsole
Check Point Software SmartDashboard
Check Point Software SmartDomain Manager
Chef Chef Server
Chicago-Soft MVS/QuickRef
Chocolatey Chocolatey GUI
Christopher Finke Feed Statistics
Chromium chromium
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco AnyConnect VPN Client
Cisco AnyRes Live
Cisco AppDynamics
Cisco CAT OS
Cisco Catalyst
Cisco Cloud Services
Cisco Cloud Services Platform
Cisco Cloud Services Router 1000V Series
Cisco Common Services Platform Collector (CSPC)
Cisco DX Series
Cisco Enterprise License Manager (ELM)
Cisco Firmware for ASA
Cisco Identity Services Engine (ISE)
Cisco Integrated Management Controller
Cisco IOS-XE
Cisco IOS-XE SD-WAN
Cisco IOS-XR
Cisco IOx Application Framework
Cisco IP Communicator
Cisco IP Phone
Cisco IP Phone Firmware
Cisco IP Phone HW
Cisco Jabber for Android
Cisco Jabber for iOS
Cisco Jabber for iPhone and iPad
Cisco Jabber for Mac
Cisco Jabber for Windows
Cisco License Manager
Cisco MDS
Cisco Meeting Management
Cisco Meeting Server
Cisco NAC Guest Server
Cisco NetFlow Collection Engine
Cisco Nexus
Cisco Nexus 9000 Series Leaf Switches - ACI Mode HW
Cisco NX-OS
Cisco Prime Infrastructure
Cisco Prime License Manager
Cisco SD-WAN
Cisco Spark
Cisco TelePresence C Series
Cisco TelePresence Conductor
Cisco Telepresence Integrator C Series
Cisco TelePresence Multipoint Switch (CTMS)
Cisco TelePresence Server
Cisco TelePresence Supervisor MSE
Cisco TelePresence SX Series
Cisco TelePresence System
Cisco TelePresence TC Software
Cisco TelePresence Video Communication Server
Cisco Unified Attendant Console Standard
Cisco Unified Communications Manager (CUCM)
Cisco Unified Communications Manager IM and Presence
Cisco Unified IP Phone
Cisco Unified Presence Server (CUPS)
Cisco Unity Connection
Cisco WebEx ARF Player
Cisco WebEx Business Suite
Cisco WebEx Extension
Cisco Webex Meetings Player
Cisco Webex Network Recording Player
Cisco WebEx Player
Cisco WebEx Productivity Tools
Cisco WebEx Recorder and Player
Cisco Webex Teams
Cisco WebEx WRF Player
Cisco Wireless LAN Controller
Citibank Citi AZ Web Service
Citibank Citi Mobile
Citrix Application Delivery Controller (ADC)
Citrix HDX RealTime Optimization Pack
Citrix NetScaler
Citrix Presentation Server
Citrix Provisioning Services
Citrix Receiver for Windows
Citrix StoreFront
Citrix XenApp
Claro Software ClaroRead
Click Click
Cloud Foundry Foundation CAPI-release
Cloud Foundry Foundation cf-deployment
Cloud Foundry Foundation cf-release
Cloud Foundry Foundation Python Buildpack
Cloud Foundry Foundation Routing (OSS)
Cloud Foundry Foundation Staticfile Buildpack
Cloud Foundry Foundation UAA Release
Cloud Native Computing Foundation (CNCF) Prometheus
CloudBees Jenkins Enterprise
Cloudera CDH
Cloudera Key Trustee Server
Cloudera Manager
Cloudera Navigator
CocoaLumberjack Project CocoaLumberjack
CodeArt Google MP3 Player
codection Clean Login Plugin
codemenschen Gift Voucher
CodePeople Appointment Booking Calendar Plugin
CodePeople Appointment Hour Booking Plugin
CodePeople Booking Calendar Contact Form
CodePeople Contact Form Email Plugin
CodePeople CP Poll Plugin
CollabNet GitEye
CollabNet Subversion
CollabNet TeamForge
comforte MR-Win6530
comforte Remote Proxy
Comm-Pro X25 Host NAS
ComponentOne ActiveReports
Compuware Abend-AID
Compuware Abend-AID for CICS
Compuware FILE-AID
Compuware Strobe
Compuware Thruput Manager
Compuware Xpediter
Confio Ignite
Confluent Confluent Enterprise
Contentsquare Clicktale Experience Management
Context Media Interchange Suite
Continuity Software AvailabilityGuard
Contrast Security Contrast Assess
Contrast Security Contrast Protect
ConvertPlus ConvertPlus
copyfiles Project copyfiles
Core Security Core Impact
CoreOS Tectonic
Cortado ThinPrint Engine
Corvil Corvil
Couchbase Autonomous Operator
Couchbase Couchbase Server
CounterPath Bria SIP Phone
Crawford Technologies Sunrise
Crelly Slider Project Crelly Slider
CRUDLab wp-like-button
Cryptography Cryptography
Cucumber Cucumber
cURL cURL
Custom Field Suite Custom Field Suite Plugin
Cyara Solutions Cyara Platform
CyberArk Application Identity Manager
CyberArk Password Vault Web Access
CyberArk Privileged Account Security Solution
CyberArk Privileged Session Manager (PSM)
Cyrus SASL
Dallmeier IPS 10000 SMAVIA Network Video Recorder
Dallmeier IPS 2400 II SMAVIA Network Video Recorder
Dallmeier SMAVIA Viewing Client
Dan Zarrella Virim
Danikoo Custom Simple Rss Plugin
Datadobi DobiMiner
Dataiku Data Science Studio
DataKinetics tableBASE
Datameer Datameer
DataRobot DataRobot
Datawatch Visualization SDK
David Lingren Media Library Assistant
Debian Linux
Debian OpenSSH Server
Decision Technology Decision Analyzer
Decru DataFort FC-Series
Decru DataFort S-Series
Dell Inc. ChangeBASE
Dell Inc. DRAC (Dell Remote Access Controller)
Dell Inc. EMC Centera Management Server
Dell Inc. EMC Disk Library for Mainframe
Dell Inc. EMC Storage Resource Manager (SRM)
Dell Inc. EMC Symmetrix
Dell Inc. iDRAC
Dell Inc. OpenManage
Dell Inc. PowerEdge Server
Dell Inc. The Privileged Appliance and Modules (TPAM)
Dell Inc. Wyse
Denodo Denodo
Deque Systems axe DevTools
Deque Systems Worldspace
Derek Herman OptionTree Plugin
Design Chemical Social Network Tabs
Designmodo WP Maintenance Mode
Diebold Nixdorf Agilis XFS for Nexgen
Diebold Nixdorf Agilis XFS for Opteva
Diebold Nixdorf CDM
Diebold Nixdorf DN ProBase
Diebold Nixdorf Electronic Cash Recycler
Diebold Nixdorf VISTA
Diebold Nixdorf Vynamic Security
Diebold Nixdorf Vynamic Transaction Engine
DigiCert Digicert PKI Client
Dignus DBTE
Dignus Systems/ASM
Dino Software T-REX
Dion Hulse Add From Server Plugin
Ditium Technologies Umero
Django Django
DMP Entre
DMP Remote Link
DMP SCS-VR
DMP XR Series Panels
Docker Desktop Enterprise
Docker Desktop for Windows
Docker Desktop for Windows Edge
Docker Docker
Docker docker-credential-helpers
Docker Vault
DocuSign Security Appliance
Dropbear SSH Server
Drupal Drupal
Dtex Systems Dtex Advanced User Behavior Intelligence Platform
Duxbury Systems DBT
Dyadic Security Enterprise Key Management
e-DMZ Security Password Auto Repository (PAR)
Easy Digital Downloads Easy Digital Downloads Plugin
Easy Property Listings Easy Property Listings Plugin
Easy Updates Manager Team Easy Updates Manager Plugin
Eclipse Eclipse IDE
Eclipse Jetty
Elasticsearch Elasticsearch
Elasticsearch Kibana
Elasticsearch Logstash
Elasticsearch Logstash Forwarder
EmbedThis GoAhead
EMC Avamar Data Store (ADS)
EMC Avamar Virtual Edition (AVE)
EMC Celerra
EMC Centera Universal Access
EMC CentraStar
EMC Dart
EMC Data Domain OS
EMC Documentum D2
EMC RecoverPoint
EMC Replication Manager
EMC RSA Adaptive Authentication
EMC RSA Archer GRC
EMC RSA Security Analytics
EMC RSA Web Threat Detection
EMC ScaleIO
EMC Secure Remote Support
EMC Solutions Enabler Virtual Appliance
EMC TimeFinder
EMC Unisphere
EMC Unisphere for PowerMax
EMC Unisphere for VMAX
EMC Unity All-Flash Array
EMC ViPR SRM
EMC VMAX
EMC VNX
EMC VNX1 OE for Block
EMC VNX1 OE for File
EMC VNX2
EMC VNX2 OE for Block
EMC VNX2 OE for File
EMC VNXe1600 OE
EMC VNXe3100 OE
EMC VNXe3150 OE
EMC VNXe3200 OE
EMC VNXe3300 OE
EMC XtremIO
Emerson Aperture VISTA
Enov8 Environment Management
Entrust Authority GSS-API Toolkit for C
Entrust Authority Security Toolkit for Java
Entrust Entelligence Security Provider
Entrust Entrust Authority Security Manager
Entrust PKCS Toolkit for C/C++
Entrust Web Connector
Epson DS-530 Printer
Epson PLQ-50 Printer
Epson TM-T70 Printer
Epson TM-T88V Series Printer
Epson TM-U675 Series Printer
Erlang Open Telecom Platform (OTP)
Erlang Run-Time System Application (ERTS)
Erwin Data Modeler
Erwin Mart Server
ESLint Project ESLint
ESLint-teamcity Project ESLint-teamcity
ESLint-Utils Project ESLint-Utils
ESRI ArcGIS for Desktop
ESRI ArcGIS License Manager
ESRI ArcGIS Pro
Ethan Galstad Nagios
Ethan Galstad Nagios XI
Etoile Web Design Ultimate FAQ Plugin
Evolven Evolven
F-Droid F-Droid
F5 BigIP Access Policy Manager (APM)
F5 Container Ingress Services
F5 NGINX Controller
F5 Nginx Plus
FeedWordPress FeedWordPress
FEPWeb FEPWeb CMS Digital Signature
FFmpeg FFmpeg
FICO Debt Manager
Flexera Software AdminStudio
Fluke Networks Netflow Tracker
ForeScout CounterACT
FormBuilder FormBuilder
FortiNet FortiClient
FortiNet FortiDB
Forum Systems Forum Sentry API Security Gateway
Frederick Townes W3 Total Cache
Freedom Scientific Job Access With Speech (JAWS)
Freedom Scientific MAGic
FreeImage Project FreeImage
Fuji Xerox Apeosport
Fuji Xerox Multifunction Device (MFD)
Fuji Xerox Printing Systems
Fundtech Global PAYplus (GPP)
Galera Cluster Galera Cluster for MySQL
Ganglia Ganglia
gasplugin Google AdSense Plugin
Gemalto Ezio Confirm Authentication Server
Gemalto SafeNet Luna SA
Gemalto SafeNet MobilePASS+
Gemalto SafeNet ProtectServer
Gemalto SafeNet ProtectToolkit
Gemalto SafeWord
Generic haveged
Generic Mockito
Generic Nsubstitute
Generic Nunit
Generic syncserver
Generic timestenbroker
Genesis Global Low Code Application Platform (LCAP)
Genesys Customer Interaction Management
Genesys Framework
Genesys Outbound Contact
Genesys Proactive Contact
Genesys Voice Platform (GVP)
Gentoo logrotate
GetWooPlugins Additional Variation Images for WooCommerce
GIT GIT
git-diff-apply git-diff-apply
GitHub Git LFS
GitHub GitHub Desktop
GitHub Grafeas
Glory Global Solutions Teller Cash Recycler RBG-100
Glory Global Solutions Teller Cash Recycler RBG-200
GNU Bash
GNU GLibC
GNU M4
GNU Make
GNU zebra
GoDaddy Email Marketing Plugin
Golang Go
Gold Plugins Easy Testimonials
Good Good for Enterprise
GoodTech Systems Good Access for Android
GoodTech Systems Good Access for iOS
GoodTech Systems Good Dynamics
GoodTech Systems Good Mobile Messaging server for Exchange
Google AI Platform
Google Android
Google Android One
Google Android Studio
Google BigQuery
Google BigTable
Google Cloud Dataproc
Google CloudSQL for PostgreSQL
Google DataLab
Google gRPC
Google Kubernetes
Google Nexus
Google Protocol Buffers (protobuf)
Gopiplus Email Newsletter Plugin
graceful-readlink Project graceful-readlink
Grafana Grafana
GraphicsMagick GraphicsMagick
Gravitate Gravitate QA Tracker
GreenTreeLabs Gallery PhotoBlocks Plugin
Greg Mulhauser Gregs High Performance SEO Plugin
Groundhogg Groundhogg Plugin
Gtranslate Google Language Translator Plugin
Guidance Software EnCase
Gunicorn Gunicorn
H20 H2O Enterprise Steam
H20 H2O Sparkling Water
H2O H2O
HahnCreativeGroup ReFlex Gallery
Hall WooCommerce Address Book
Hancom Hangul Word Processor
Hanwha Techwin SmartViewer
Hanwha Techwin SRD-1676D
Hanwha Techwin Webviewer Plugin
HAProxy HAProxy
harmon.ie harmon.ie for Outlook
Harness Harness
Harness Harness Delegate
HashiCorp Consul
HashiCorp Sentinel
HashiCorp Terraform
HashiCorp Terraform Enterprise
HashiCorp Vault
HashiCorp Vault Enterprise
Heed Software Heed
Highsoft Highcharts
Hitachi Automated Director
Hitachi Automation Director
Hitachi Business Continuity Manager
Hitachi Command Suite
Hitachi Compute Systems Manager
Hitachi HNAS
Hitachi Replication Manager
Hitachi Tiered Storage Manager
Hitachi Tuning Manager
Hitachi Unified Storage VM (HUS VM)
Hitachi Virtual Storage Platform
Hive Font Organizer
Holest Breadcrumbs by menu
Honeywell Pro-Watch
Honeywell PW-6000 Intelligent Controller
Honeywell PW-6101 Intelligent Controller
Honeywell PW-7000 Intelligent Controller
Honeywell Xenon
Hooper Software Principle
HORIZONT IWS/Audit
HORIZONT IWS/BatchAD
HORIZONT IWS/Graph
HP 1200w NFC/Wireless Mobile Print Accessory
HP Apollo
HP Apollo HW
HP Arcsight Connector Appliance
HP ArcSight ESM
HP ArcSight Management Center
HP Asset Manager
HP Atalla Network Security Processors (NSP)
HP BladeSystem c-Class Virtual Connect (VC)
HP Connect IT
HP Database and Middleware Automation
HP DDMI
HP Device Connect
HP Device Manager (DevMgr)
HP ESQ Automated Operator (AO)
HP Ezmeral Container Platform
HP FutureSmart
HP ILO Amplifier Pack
HP iMC PLAT
HP Integrated Lights-Out (iLO)
HP Integrity Server
HP JetAdmin
HP JetAdvantage Management Connector
HP JetAdvantage Security Manager
HP Lights-Out Online Configuration Utility
HP LoadRunner
HP Network Automation
HP NonStop Software
HP OneView
HP OpenView Storage Data Protector
HP Performance Center
HP ProLiant Server
HP ProLiant Server Firmware
HP ProLiant Support Pack (PSP)
HP Remote Monitoring and Management
HP ScanJet Enterprise
HP Server Management
HP Synergy Compute Module
HP Synergy Compute Module HW
HP WebInspect
ibericode Mailchimp for WordPress
IBM Advanced Developer Portal
IBM AFP Toolbox for MVS
IBM API Connect
IBM APL2
IBM Application Client for IBM WebSphere
IBM Application Support Facility
IBM AppScan Source for Analysis
IBM BigFix Client
IBM BigFix Inventory
IBM BigFix Platform
IBM BigFix WebUI Profile Management
IBM BigFix WebUI Software Distribution
IBM Block Storage
IBM Business Automation Workflow
IBM Business Process Manager
IBM C/370 Compiler and Library
IBM Candle Management Server
IBM CICS Batch Application Control
IBM CICS Explorer
IBM CICS Time Machine
IBM CICS Transaction Gateway
IBM CICS Transaction Gateway SDK
IBM CICS Transaction Server
IBM CICS TS Feature Pack for Dynamic Scripting
IBM CICS TS Feature Pack for Modern Batch
IBM CL/SuperSession
IBM ClevOS
IBM Cloud Object Storage
IBM Cloud Pak for Multicloud Management
IBM Cognos Analytics
IBM Cognos Business Intelligence Server
IBM Cognos Enterprise
IBM Cognos PowerPlay Enterprise Server
IBM Connect Direct
IBM Content Manager
IBM Content Manager OnDemand
IBM Control Center for VSE and VM
IBM DataPower Operations Dashboard
IBM DataStage
IBM DB2
IBM DB2 High Performance Unload (HPU)
IBM DB2 Universal Database
IBM DB2 Utilities Suite
IBM Director Agent
IBM Distributed Key Management System (DKMS)
IBM DITTO/ESA for MVS
IBM Environmental Record Editing and Printing
IBM FlashSystem V9000
IBM General Parallel File System (GPFS)
IBM Gentran
IBM GPFS Storage Server
IBM Graphical Data Display Manager
IBM HACMP
IBM High Level Assembler
IBM HMC
IBM Host On-Demand
IBM HourGlass
IBM Hyper-Scale Manager
IBM i5/OS
IBM IBM I
IBM ILOG CPLEX Optimization Studio
IBM IMS Database Manager
IBM IMS/ESA Transaction Manager
IBM Informix
IBM InfoSphere Data Architect
IBM InfoSphere Data Replication
IBM InfoSphere Master Data Management
IBM InfoSphere Optim Data Growth for DB2
IBM InfoSphere Optim Data Growth for Oracle E-Business
IBM Integration Bus
IBM Integration Designer
IBM Java
IBM Lotus Notes
IBM MQ Appliance
IBM MQ for HPE NonStop
IBM MVS
IBM Netezza for Cloud Pak for Data
IBM Notes
IBM Operational Decision Manager
IBM Planning Analytics
IBM Platform Symphony
IBM PowerVP
IBM PureData System for Analytics
IBM Rational AppScan Standard
IBM Rational Asset Manager
IBM Rational ClearCase
IBM Rational Team Concert
IBM Resource Access Control Facility (RACF)
IBM Resource Measurement Facility (RMF)
IBM Screen Definition Facility II
IBM Security AppScan Enterprise
IBM Security AppScan Source
IBM Security Guardium
IBM Security Guardium Big Data Intelligence (SonarG)
IBM Security Guardium Database Activity Monitor
IBM Security zSecure CICS Toolkit
IBM SolidDB
IBM Spectrum Accelerate
IBM Spectrum Archive
IBM Spectrum Control
IBM Spectrum Protect Backup-Archive Client
IBM Spectrum Protect Server
IBM Spectrum Scale
IBM Spectrum Symphony
IBM SPSS Collaboration and Deployment Services
IBM SPSS Data Access Pack
IBM SPSS Modeler
IBM Sterling B2B Integrator
IBM Sterling Connect:Direct
IBM Sterling Control Center
IBM Sterling File Gateway
IBM Tivoli AF/OPERATOR
IBM Tivoli Application Dependency Discovery Manager
IBM Tivoli Asset Discovery for Distributed
IBM Tivoli Directory Integrator (TDI)
IBM Tivoli Directory Server
IBM Tivoli Monitoring
IBM Tivoli Netcool Impact
IBM Tivoli Netcool/OMNIbus
IBM Tivoli NetView
IBM Tivoli OMEGACENTER Gateway for MVS
IBM Tivoli OMEGAMON II for CICS
IBM Tivoli OMEGAMON XE for DB2 Performance Expert
IBM Tivoli Omegaview
IBM Tivoli Storage Manager
IBM Tivoli Workload Scheduler
IBM Tivoli Workload Scheduler Distributed
IBM TotalNET Advanced Server (TAS)
IBM TPF Operations Server (TOS)
IBM TS3100 Tape Library
IBM TS3200 Tape Library
IBM TS3310 Tape Library
IBM TS3500 Tape Library
IBM TS4300 Tape Library
IBM TS4500 Tape Library
IBM UrbanCode Deploy
IBM Virtual I/O Server
IBM WebSphere DataPower
IBM WebSphere Host On-Demand
IBM WebSphere Liberty
IBM WebSphere MQ
IBM Websphere Process Server
IBM XIV Storage System
IBM z/OS
IBM z/OS Connect Enterprise Edition
IBM z/Transaction Processing Facility (z/TPF)
IBM z/VM
IBM zPCR (Process Capacity Reference)
Icegram Popups, Welcome Bar, Optins and Lead Generation
Icinga Icinga
IDEMIA Morpho Fingerprint Scanner
IDEMIA Morpho MSO Drivers
ierror Django JS Reverse
Ignite Realtime Spark
Igor Funa Ad Inserter
Igor Sysoev nginx
IHS Markit Eviews
IHS Markit Petra
Illumio Illumio ASP
Image Access ImageTrust
ImageMagick GraphicsMagick
ImageMagick ImageMagick
Immunity CANVAS
Index Engines Unified Discovery Platform
Informatica Data Quality
Informatica Enterprise Data Catalog (EDC)
Informatica Informatica Developer Tool
Informatica Multidomain Master Data Management (MD MDM)
Informatica PowerCenter
Information Builders FOCUS Package
Infosys AssistEdge
InfoVista InfoVista
Innovation FDR/UPSTREAM
Instamojo Instamojo for WooCommerce
Integrated Research Prognosis
Intel Acceleration Stack
Intel Active Management Technology (AMT)
Intel Core Processor
Intel Data Exchange Layer (DXL)
Intel Graphics Driver
Intel Threat Intelligence Exchange
Intel vPro
Intel Xeon Processor
Intellimagic Intellimagic Performance Management
Intercope BOX Messaging Hub
Intralinks Connector for Microsoft SharePoint
InVision Enterprise
IPC Alliance MX System Center
IPC IQ/MAX
IPC IQ/MAX Edge
IPC IQ/MAX Touch
IPC Pulse
IPC SIPX Line Card
IPC Unigy
Iris ID Systems iCAM7 series
iSigner iSigner
Istanbul Project nyc
iThemes Builder Style Manager Plugin
iThemes Builder Theme Depot Plugin
iThemes Builder Theme Market Plugin
iThemes Custom URL Tracking Add-on for iThemes Exchange
iThemes Easy Canadian Sales Taxes Add-on
iThemes Easy EU Value Added Taxes (VAT) iThemes Exchange
iThemes Invoices Add-on for iThemes Exchange
iThemes iThemes Exchange
iThemes iThemes Mobile Plugin
iThemes Manual Purchases Add-on for iThemes Exchange
iThemes Membership Add-on for iThemes Exchange
iThemes Stripe Add-on for iThemes Exchange
iThemes Table Rate Shipping Add-on for iThemes Exchange
Jacques Malgrange Rencontre
Jamf Jamf Pro
JaQuan Wechat Broadcast
Jasmine Project Jasmine
JasPer JasPer
Jenkins CI AppDynamics Dashboard Plugin
Jenkins CI Audit Trail Plugin
Jenkins CI Azure Container Service Plugin
Jenkins CI Azure VM Agents Plugin
Jenkins CI Cobertura Plugin
Jenkins CI Copy Data to Workspace Plugin
Jenkins CI Docker Plugin
Jenkins CI ElasTest Plugin
Jenkins CI Embeddable Build Status Plugin
Jenkins CI Git Client
Jenkins CI Gogs Plugin
Jenkins CI Google Calendar Plugin
Jenkins CI Google OAuth Credentials
Jenkins CI JClouds
Jenkins CI Jenkins
Jenkins CI Job DSL Plugin
Jenkins CI Logstash Plugin
Jenkins CI Mac Plugin
Jenkins CI Matrix Project Plugin
Jenkins CI OpenShift Pipeline Plugin
Jenkins CI Oracle Cloud Infrastructure Compute Classic
Jenkins CI P4 Plugin
Jenkins CI Pipeline: AWS Steps Plugin
Jenkins CI Puppet Enterprise Pipeline Plugin
Jenkins CI Queue Cleanup Plugin
Jenkins CI Repository Connector Plugin
Jenkins CI Selection Tasks Plugin
Jenkins CI Storable Configs Plugin
Jenkins CI Timestamper Plugin
Jesper Johansen Jayj Quicktag Plugin
Jetbrains IntelliJ
Jetty Jetty
Jfrog Artifactory
JimHu JSmol2WP
Jive Software Jive
Joel James 404 to 301 Plugin
joomsky JS Job Manager Plugin
JoomUnited WP Latest Posts Plugin
Joseph Dolson My Calendar Plugin
jQuery jQuery
jsdom Project jsdom
jsdom-global Project jsdom-global
julianburr Localize My Post
Juniper Networks CTPOS
Juniper Networks NetScreen
Juniper Networks Secure Services Gateway
Juniper Networks SRX Series
Jxplorer Jxplorer
KAL Kalignite K3A
kaltura Kaltura MediaSpace
kaltura kaltura server
Kama Democracy Poll Plugin
Kenton Hirowatari WP Business Intelligence Lite Plugin
Kiboko Labs Arigato Autoresponder and Newsletter
Kiboko Labs Chained Quiz Plugin
Kiboko Labs Hostel
Kieran OShea Calendar Plugin
Kinetica DB Kinetica
King Theme KingComposer
KNIME KNIME Analytics Platform
Kofax Analytics for Capture
Kofax Insight
Kofax Intelligent Capture & Exchange
Kofax Mobile ID and Verification
Kofax Transformation Module
Kore Kore.ai
Kroll Ontrack Ontrack PowerControls for Exchange
Lakeside Software SysTrack Workspace Analytics
Lantronix UDS2100
Larry Wall Perl
Lenovo ThinkPad X
Levi Ray & Shoup DRS/OutputManager
Levi Ray & Shoup VPSX Enterprise
Lexmark Color Multifunction Device (MFD)
Lexmark CX725 Series
Lexmark Data Collection Manager (LDCM)
Libin V Babu Erident Custom Login and Dashboard Plugin
LibTiff LibTiff
libxslt libxslt
Liferay Liferay Portal
LifterLMS LifterLMS Plugin
Lighttpd Lighttpd
Limb Limb Gallery Plugin
LINDO Systems What'sBest!
Little CMS Little CMS
Lopo.it Duplicate Post Plugin
Lua Lua
Lucent Technologies QIP Enterprise
M&Wise wiseU
MacKinney Systems Easy Help for CICS
MacKinney Systems SM/SWAP
MagTek MT-215
Mail.Ru Group Mail.Ru Calendar
ManageEngine Application Manager
MANTA MANTA
Marc Schieferdecker article2pdf
Marcus Sykes Events Manager
MariaDB MariaDB
Mark Wilkinson WP Front End Profile
MarvinLabs WP Customer Area Plugin
Matchbox Design Group Universal Analytics Plugin
McAfee Agent
McAfee Agent for Mac
McAfee Anti-Malware Scan Engine for Mac
McAfee Content Scanning Engine
McAfee Data Exchange Layer
McAfee Data Loss Prevention (DLP) Endpoint
McAfee Device Control
McAfee Endpoint Encryption for Files and Folders
McAfee Endpoint Security
McAfee Endpoint Security for Linux
McAfee Endpoint Security for Mac (ENSM)
McAfee ePolicy Orchestrator
McAfee File and Removable Media Protection
McAfee Internet Security for Mac
McAfee Management of Native Encryption
McAfee Risk Advisor
McAfee Rogue System Detection
McAfee Security for Microsoft Exchange
McAfee Threat Intelligence Exchange Server
McAfee TIE
McAfee VirusScan
McAfee VirusScan Command Line
McAfee VirusScan Enterprise for Storage
McAfee Vulnerability Manager
Mediaburst Clockwork SMS Plugin
Mega Menu Max Mega Menu Plugin
MemSQL MemSQL
Merrill Consultants MXG
Meta Box Meta Box Plugin
Micro Focus ArcSight User Behavior Analytics
Micro Focus Fortify Static Code Analyzer
Micro Focus Net Express
Micro Focus Server Express
Micro Information Systems Dump Analyzer
Microfocus Startool FDM
Microsoft .NET
Microsoft .NET Core
Microsoft .NET Core Hosting Bundle
Microsoft .NET Core SDK
Microsoft .NET SDK
Microsoft Access
Microsoft Active Directory Certificate Services
Microsoft Application Compatibility Toolkit
Microsoft ASP.NET
Microsoft ASP.NET Core
Microsoft ASP.NET MVC
Microsoft Azure AD Connect
Microsoft Azure AD Connect Provisioning Agent
Microsoft Azure AD Password Protection
Microsoft Azure DevOps Server
Microsoft Bot Framework SDK for .NET Framework
Microsoft Bot Framework SDK for JavaScript
Microsoft Bot Framework SDK for Python
Microsoft Command Line Utilities for SQL Server
Microsoft Data Protection Manager
Microsoft DirectX
Microsoft Dynamics CRM
Microsoft Forefront Identity Manager Certificate Manager
Microsoft FSLogix
Microsoft Intune Company Portal
Microsoft Intune Endpoint Protection
Microsoft JDBC Driver for SQL Server
Microsoft Lync
Microsoft Lync for Mac
Microsoft Machine Learning Server
Microsoft Malicious Software Removal Tool (MSRT)
Microsoft Management OData IIS Extension
Microsoft MDAC
Microsoft Media Player
Microsoft Microsoft Identity Integration Server (MIIS)
Microsoft Microsoft Operations Manager
Microsoft Microsoft.AspNetCore.All
Microsoft Microsoft.AspNetCore.Mvc.Core
Microsoft ODBC Driver
Microsoft Office 365
Microsoft Office Communicator
Microsoft Office for Mac
Microsoft Office InfoPath
Microsoft Office InfoPath 2007
Microsoft Office InfoPath 2010
Microsoft Office Online Server
Microsoft Office SharePoint Server
Microsoft Office Web Apps Server
Microsoft OLE DB Driver for DB2
Microsoft OLE DB Driver for SQL Server
Microsoft OneDrive
Microsoft OneNote
Microsoft Online Responder
Microsoft Outlook for Android
Microsoft Outlook for iOS
Microsoft Power BI Desktop
Microsoft Power BI Report Server
Microsoft PowerShell Core
Microsoft Project
Microsoft Publisher
Microsoft Publisher 2010
Microsoft Remote Desktop App
Microsoft Remote Desktop Client for Windows Desktop (MSRDC)
Microsoft Remote Desktop Connection Client
Microsoft Remote Desktop Connection Server
Microsoft Report Viewer
Microsoft SharePoint Client Components
Microsoft SharePoint Designer
Microsoft SharePoint Services
Microsoft Silverlight
Microsoft Skype
Microsoft Skype for Android
Microsoft Skype for Business
Microsoft Skype for Business Server
Microsoft SQL Server 2008 Upgrade Advisor
Microsoft SQL Server Integration Services (SSIS)
Microsoft SQL Server Management Studio (SSMS)
Microsoft SQL Server Management Studio Express (SSMSE)
Microsoft SQL Server Migration for SAP ASE
Microsoft SQL Server Reporting Services (SSRS)
Microsoft System Center Configuration Manager
Microsoft System Center Operations Manager
Microsoft Team Foundation Server
Microsoft Teams
Microsoft Teams for iOS
Microsoft VBScript
Microsoft Visio
Microsoft Visio 2007
Microsoft Visual C++
Microsoft Visual Studio
Microsoft Visual Studio Code
Microsoft Visual Studio Code npm-script Extension
Microsoft Visual Studio for Mac
Microsoft Visual Studio Team Foundation Server
Microsoft Windows Host Compute Service Shim
Microsoft Windows XP
Microsoft Wireless Desktop 2000 for Business
Microsoft Yammer for Android
MicroStrategy HyperIntelligence for Web
MicroStrategy MicroStrategy Platform
MicroStrategy Narrowcast Server
Miklos Szeredi FUSE
miniOrange Single Sign-On plugin
Mitek CheckReader
mndpsingh287 File Manager
Mocha Project Mocha
mocha-teamcity-reporter Project mocha-teamcity-reporter
Mod_ssl Mod_ssl
Modern Tribe Event Tickets
Modern Tribe GigPress
mongoDB Compass
mongoDB mongoDB
mongoDB Monitoring Service (MMS)
Mongoose Mongoose
MontaVista Linux Professional Edition
Moodys Analytics CDOEdge
Morpho MorphoSmart 1300
Morpho MorphoWave Tower
MyThemeShop Launcher Plugin
MyThemeShop My WP Translate Plugin
Nahapet N Quizlord
Namith Jawahar Wp-Insert
Narrative Science Quill
Nasdanika Tool Suite
Nastel Nastel AutoPilot for MQ
Nautilus Hyosung Ubitus 8300H
NBS Xpressi Print Server
NBS Xpressi Suite
NCR Aptra XFS
NCR Self-Service ATM
nCrafts FormCraft Plugin
Nelio Software Nelio AB Testing Plugin
Neo4j Neo4j
Net-SNMP Net-SNMP
NetApp Active IQ Unified Manager
NetApp Clustered Data ONTAP
NetApp Data ONTAP
NetApp FAS Array
NetApp Lifetime Key Management KM500
NetApp OnCommand System Manager
NetApp Trident
NetBrain NetBrain
NetBSD NetBSD
Never5 Download Monitor Plugin
Never5 Post Connector
Never5 Related Posts Plugin
New Era Image Focus
New Era Stand Alone Environment
NextScripts Social Networks Auto-Poster
NICE Communication Surveillance
NICE Compliance Center
NICE Engage
NICE Interaction Management (NIM)
NICE Nexidia Interaction Analytics
NICE NICE COMPASS
NICE Perform
NICE Playback Portal
NICE Real-Time Authentication (RTA)
NICE Sentinel
NICE Trade Recording
Nickel Pro Jibu Pro
Nmap Nmap
node-uuid Project node-uuid
Node.js Foundation Node.js
Nortel Networks Meridian
NPM NPM
NTP NTP
Nuance Dragon NaturallySpeaking
Nuance eCopy ShareScan
Nuance Equitrac Office
Nuance FreeSpeech
Nuance Loquendo Customer Support Portal
Nuance Recognizer
Nuance Security Suite
Nuance Vocalizer
Nuix eDiscovery
NV Access NonVisual Desktop Access (NVDA)
Nvidia Quadro Graphics Driver
Oliver Shingler Olimometer Plugin
OneLogin OneLogin SAML SSO
Open Software Technologies REXXTOOLS/MVS
Open Text Documentum Content Server
Open Text Documentum D2
OpenJDK OpenJDK
Opensource DBD::Sybase
OpenText Documentum Administrator
OpenText IAS/CICS
OpenText Information Hub (iHub)
OpenText OpenDeploy
OpenText Output Transformation
OpenText Rightfax
OpenText TeamSite
Opsol Integrators OmniCrypto
Opsol Integrators OpenCrypto
Oracle Acme Packet
Oracle BI Publisher
Oracle Business Process Management
Oracle Business Transaction Management
Oracle Communications Operations Monitor
Oracle Communications Session Border Controller
Oracle Communications Session Delivery Management Suite
Oracle Directory Server Enterprise Edition
Oracle Enterprise Manager Grid Control
Oracle Essbase
Oracle Essbase Administration Services
Oracle Essbase Analytic Provider Services
Oracle Essbase Studio
Oracle Glassfish
Oracle GoldenGate
Oracle GoldenGate for Big Data
Oracle GoldenGate Veridata
Oracle Hyperion
Oracle Hyperion Essbase
Oracle Hyperion Smart View for Office
Oracle Identity Analytics
Oracle Integrated Lights Out Manager (ILOM)
Oracle iPlanet Web Server
Oracle JDK
Oracle Jumpstart Enterprise Toolkit
Oracle Knowledge
Oracle Management Pack for Oracle GoldenGate
Oracle Oracle CRM
Oracle Oracle Enterprise Manager
Oracle Oracle Forms
Oracle Oracle Fusion Middleware
Oracle Oracle Linux
Oracle Oracle Outside In Technology
Oracle PeopleSoft Enterprise
Oracle PeopleSoft Enterprise Customer Relationship Manage
Oracle PeopleSoft Enterprise EPM
Oracle PeopleSoft Enterprise FMS
Oracle PeopleSoft Enterprise HRMS Human Resources
Oracle PeopleSoft Enterprise Performance Management
Oracle PeopleSoft HRMS
Oracle PeopleSoft PeopleTools
Oracle PeopleSoft Portal
Oracle Secure Global Desktop
Oracle Solaris Security Toolkit (JASS)
Oracle Tuxedo
Oracle VM Server for SPARC
Oracle Waveset
Oracle WebLogic Server
owent wp-code-highlightjs
p7zip p7zip
Packet Design Route Explorer
Palisade @RISK
Palo Alto Cortex XSOAR
Palo Alto Demisto Enterprise
Palo Alto GlobalProtect VPN
Palo Alto Next-Generation Firewall
Palo Alto Palo Alto Firewall
Palo Alto Panorama
Palo Alto Prisma Cloud Compute
Pan Pan
Papin Schipper Companion Sitemap Generator Plugin
Pascal Casier bbPress Move Topics Plugin
Patreon Patreon WordPress
Paxata Paxata
Pegasystems Pega Infinity
Peter Keung Peter’s Login Redirect Plugin
PetersPlugins Link Log
Pexip Pexip Infinity
PgAdmin PgAdmin
PhpMailer PhpMailer
Ping Identity PingFederate
PingIdentity PingAccess
Pippin Plugins Featured Comments Plugin
Pitney Bowes Code-1 Plus
Pitney Bowes Spectrum
Pitney Bowes StreamWeaver
Pivotal AppDynamics Application Performance Monitoring
Pivotal Application Service
Pivotal BOSH Backup and Restore (BBR)
Pivotal BOSH CLI
Pivotal Cloud Foundry (PCF)
Pivotal Cloud Foundry (PCF) Elastic Runtime
Pivotal Cloud Foundry (PCF) Ops Manage
Pivotal Cloud Foundry CLI
Pivotal Cloud Foundry Event Alerts
Pivotal Cloud Foundry Healthwatch
Pivotal Cloud Foundry Service Broker for AWS
Pivotal CredHub Service Broker for PCF
Pivotal GemFire Enterprise
Pivotal Greenplum
Pivotal Java Buildpack
Pivotal JMX Bridge (Ops Metrics)
Pivotal Metric Registrar
Pivotal Node.js Buildpack
Pivotal Operations Manager
Pivotal PCF Metrics
Pivotal RabbitMQ
Pivotal RabbitMQ amqp-client
Pivotal Splunk Firehose Nozzle for PCF
Pivotal Spring Batch
Pivotal Spring Boot
Pivotal Spring Cloud Consul
Pivotal Spring Cloud Gateway
Pivotal Spring Cloud Loadbalancer
Pivotal Spring Cloud Services for PCF
Pivotal Spring Cloud SSO Connector
Pivotal Spring Data Commons
Pivotal Spring Data Couchbase
Pivotal Spring Data JDBC Extensions
Pivotal Spring Data JPA
Pivotal Spring Data REST
Pivotal Spring Framework
Pivotal Spring Integration
Pivotal Spring Integration Zip
Pivotal Spring IO Platform
Pivotal Spring Security
Pivotal Spring Security OAuth
Pivotal Spring Session
Pivotal Spring Statemachine
Pivotal spring web flow
Pivotal Spring Web Services
Pivotal Staticfile Buildpack
Pivotal User Account and Authentication (UAA)
Piwik PRO Piwik PRO
Pixman Pixman
PKWare SecureZIP
Platfora Platfora
Podman Podman
Pointsharp Pointsharp
Polaris Consulting & Services CitiSAFE
Polarsoft BacNET Quick Test
Poly Poly Studio
Poly Poly Studio X30
Poly Poly Studio X50
PortSwigger Burp Suite Community
PortSwigger Burp Suite Professional
PostgreSQL JDBC Driver
PostgreSQL ODBC Driver
PostgreSQL PostgreSQL
PPR iCommunicator
PressTigers Simple Job Board Plugin
Prevoty Runtime Application Self Protection (RASP)
PrinterOn Embedded Agent for Samsung
PRIVITAR Privitar Publisher
privoxy privoxy
ProfileGrid ProfileGrid Plugin
PROGRESSSOFT ps-ecc
Protegrity Data Security Platform
Provisio SiteKiosk
Provisio SiteRemote Server
PulseAudio PulseAudio
PulseSecure Pulse Connect Secure
PyJWT PyJWT
Python Software Foundation Paramiko
Python Software Foundation Python
Python Software Foundation Requests
Qlik NPrinting Designer
Qlik NPrinting Server
Qlik Qlik Sense Enterprise
Qlik Qlikview
Qlik Sense
QlikTech QlikView
QOS.CH SLF4J
QSM Team Quiz And Survey Master
Quadlayers WP Social Feed Gallery Plugin
Qualys Cloud Agent
Qualys Qualys Gateway Service (QGS)
Quest GPOADmin
Quest LiteSpeed for SQL Server
Quest Migration Manager for Active Directory
Quest One Application Password Virtual Cache
Quest One Privileged Account Management
Quest Recovery Manager for Active Directory
Qumu Video Control Center
Qumu VideoNet Edge
Quotium Spitab+
R-project R
Rancher Labs Rancher
Rank Math SEO Plugin
Raritan Dominion KX III
Raritan Dominion KX IV-101
Realtime Soft UltraMon
RedHat Advanced Cluster Management for Kubernetes
RedHat Ansible Tower
RedHat Cluster Suite
RedHat Decision Manager
RedHat JBoss AMQ
RedHat JBoss BPM Suite
RedHat JBoss WildFly Application Server
RedHat Linux
RedHat Mailcap
RedHat openshift-ansible
RedHat tcpdump
Redirection Redirection Plugin
Redis Redis
redis-store Redis Store
Redsky E911 Manager
Relational Architects International Smart/CAF
Repute InfoSystems ARPrice Lite Plugin
Ribbon Communications Insight EMS
Ribbon Communications PSX
Ribbon Communications SBC 5400
Ribbon Communications SBC Swe
Ricoh Device Manager NX Enterprise
RIM Blackberry Desktop Manager
RIM Blackberry Device Service
RIM Blackberry Device Software
RIM BlackBerry Enterprise Server
Rio Karma
Riverbed SteelCentral NetProfiler
Riverbed SteelCentral NetShark
Riverbed SteelCentral Transaction Analyzer
Rocket Software Performance Essential
Rocket Software Rocket Mainstar MXI
RSA Security Adaptive Authentication
RSA Security Security Analytics
RSA Security Web Threat Detection
RStudio RStudio
RStudio RStudio Server
Rsyslog Rsyslog
Ruby on Rails Ruby on Rails
RubyGems active support
RubyGems paranoid2
RubyGems Sprockets
Rust-Lang Rust
Ryan Tracker Pro
S21 Lookwise device manager for ATM
S21sec Lookwise Device Manager
SafeNet Luna Network HSM
SafeNet SecureStorage
SailPoint IdentityIQ
Samsung smartviewer
SanDisk Cruzer Enterprise USB
SAP Adaptive Server Enterprise
SAP BusinessObjects
SAP BusinessObjects XI
SAP Crystal Reports
SAP Crystal Reports for VS
SAP NetWeaver
SAP NetWeaver Application Server Java systems
SAP NetWeaver AS ABAP Business Server Pages
SAS Institute ACCESS Interface to Oracle
SAS Institute Add-In for Microsoft Office
SAS Institute Data Integration Studio
SAS Institute Enterprise Guide
SAS Institute Enterprise Miner
SAS Institute Grid Manager
SAS Institute IML Studio
SAS Institute Information Map Studio
SAS Institute Office Analytics
SAS Institute OLAP Cube Studio
SAS Institute SAS Language
SBJSON Project SBJSON
Scala Digital Signage Enterprise Content Manager
Schneider Electric EcoStruxure Building Operation
Schneider Electric ION Setup
SDS CICS Application File Control (CAFC)
SEA Software JCL PlusPack
Selenium Selenium IDE
Selenium Selenium Standalone Server
Sell Downloads Project Sell Downloads
Sendmail Consortium Sendmail
Sendmail Inc. Sentrion MP
Sensu Enterprise
Sensu Sensu
Seproban Seproban
ServiceNow ServiceNow Platform
Servion Global Solutions GED-125 Connector
Shafer Systems Notate
Shanghai AMARSOFT Digital Lending Platform
Siemens ABT Site
Siemens APE
Siemens Automation License Manager
Siemens Climatix POL908
Siemens Climatix POL909
Siemens CP1543-1
Siemens CP1604
Siemens CP1616
Siemens Datamate Advanced
Siemens Desigo CC
Siemens DIGSI 5
Siemens EN100 Module
Siemens Extension Unit PROFINET
Siemens IE/AS-i Link PN IO
Siemens IE/PB Link PN IO
Siemens IE/WSN-PA Link
Siemens IEC 61850 system configurator
Siemens JT2Go
Siemens MindConnect
Siemens Nucleus ReadyStart
Siemens Nucleus RTOS
Siemens OpenPCS 7
Siemens OZW Web Server
Siemens OZW Web Server HW
Siemens PDM
Siemens Polarion Subversion Webclient
Siemens Primary Setup Tool (PST)
Siemens PROFINET Driver for Controller
Siemens RFID 181EIP
Siemens RUGGEDCOM RM1224
Siemens RUGGEDCOM RMC8388
Siemens RUGGEDCOM ROS
Siemens RUGGEDCOM ROS HW
Siemens RUGGEDCOM ROX
Siemens RUGGEDCOM RS900W
Siemens RUGGEDCOM RS950G
Siemens RUGGEDCOM RSG2488
Siemens RUGGEDCOM RSG900
Siemens RUGGEDCOM RSG920P
Siemens RUGGEDCOM RSL910
Siemens RUGGEDCOM RST2228
Siemens RUGGEDCOM RX1400
Siemens RUGGEDCOM RX1400 VPE Debian Linux
Siemens RUGGEDCOM RX1400 VPE Linux CloudConnect
Siemens RUGGEDCOM WIN
Siemens RUGGEDCOM WIN Subscriber Station
Siemens SCALANCE
Siemens SCALANCE LPE9403
Siemens SCALANCE M-800
Siemens SCALANCE M875
Siemens SCALANCE S600
Siemens SCALANCE S600 HW
Siemens SCALANCE S602
Siemens SCALANCE S612
Siemens SCALANCE S615
Siemens SCALANCE S623
Siemens SCALANCE S627-2M
Siemens SCALANCE SC-600
Siemens SCALANCE W1700
Siemens SCALANCE W1700 IEEE 802.11ac
Siemens SCALANCE W1750D
Siemens SCALANCE W700
Siemens SCALANCE W700 IEEE 802.11a/b/g
Siemens SCALANCE W700 IEEE 802.11ax
Siemens SCALANCE W700 IEEE 802.11n
Siemens SCALANCE W740 IEEE 802.11n
Siemens SCALANCE W780 IEEE 802.11n
Siemens SCALANCE WLC711
Siemens SCALANCE WLC712
Siemens SCALANCE X200
Siemens SCALANCE X200 HW
Siemens SCALANCE X200 IRT
Siemens SCALANCE X200 IRT HW
Siemens SCALANCE X200 RNA
Siemens SCALANCE X204 RNA
Siemens SCALANCE X300
Siemens SCALANCE X300 HW
Siemens SCALANCE X408
Siemens SCALANCE X414
Siemens SCALANCE XB-200
Siemens SCALANCE XC-200
Siemens SCALANCE XF-200
Siemens SCALANCE XF-200 HW
Siemens SCALANCE XF-200 IRT
Siemens SCALANCE XF-200 IRT HW
Siemens SCALANCE XF-200BA
Siemens SCALANCE XM400
Siemens SCALANCE XP-200
Siemens SCALANCE XR300-WG
Siemens SCALANCE XR324
Siemens SCALANCE XR324 HW
Siemens SCALANCE XR500
Siemens Security Configuration Tool (SCT)
Siemens SENTRON 3VA COM100/800
Siemens SENTRON 3VA DSP800
Siemens SENTRON 3WA COM190
Siemens SENTRON 3WL COM35
Siemens SENTRON PAC2200
Siemens SENTRON PAC3200
Siemens SENTRON PAC3200T
Siemens SENTRON PAC3220
Siemens SENTRON PAC4200
Siemens SICAM 230
Siemens SICLOCK TC100
Siemens SICLOCK TC400
Siemens SIMARIS configuration
Siemens SIMATIC Automation Tool
Siemens SIMATIC BATCH
Siemens SIMATIC CloudConnect 712
Siemens SIMATIC CM 1542-1
Siemens SIMATIC CM 1542SP-1
Siemens SIMATIC Compact Field Unit
Siemens SIMATIC Compact Field Unit PA
Siemens SIMATIC CP 1242-7
Siemens SIMATIC CP 1242-7 GPRS
Siemens SIMATIC CP 1243-1
Siemens SIMATIC CP 1243-1 DNP3
Siemens SIMATIC CP 1243-1 IEC
Siemens SIMATIC CP 1243-1 IRC
Siemens SIMATIC CP 1243-7 LTE/EU
Siemens SIMATIC CP 1243-7 LTE/US
Siemens SIMATIC CP 1243-8
Siemens SIMATIC CP 1243-8 IRC
Siemens SIMATIC CP 1542SP-1
Siemens SIMATIC CP 1542SP-1 IRC
Siemens SIMATIC CP 1543-1
Siemens SIMATIC CP 1543SP-1
Siemens SIMATIC CP 1545-1
Siemens SIMATIC CP 1604
Siemens SIMATIC CP 1616
Siemens SIMATIC CP 1623
Siemens SIMATIC CP 1623 HW
Siemens SIMATIC CP 1626
Siemens SIMATIC CP 1626 HW
Siemens SIMATIC CP 1628
Siemens SIMATIC CP 1628 HW
Siemens SIMATIC CP 342-5
Siemens SIMATIC CP 343-1
Siemens SIMATIC CP 343-1 Advanced
Siemens SIMATIC CP 343-1 ERPC
Siemens SIMATIC CP 343-1 Lean
Siemens SIMATIC CP 343-1 Standard
Siemens SIMATIC CP 442-1 RNA
Siemens SIMATIC CP 443-1 Advanced
Siemens SIMATIC CP 443-1 OPC-UA
Siemens SIMATIC CP 443-1 RNA
Siemens SIMATIC CP 443-1 Standard
Siemens SIMATIC CP 443-5 Basic
Siemens SIMATIC CP 443-5 Extended
Siemens SIMATIC DK-16xx PN IO
Siemens SIMATIC Drive Controller
Siemens SIMATIC Drive Controller HW
Siemens SIMATIC ET 200 Open Controller CPU 1515SP PC
Siemens SIMATIC ET 200 Open Controller CPU 1515SP PC2
Siemens SIMATIC ET 200AL
Siemens SIMATIC ET 200AL IM 157-1 PN
Siemens SIMATIC ET 200eco PN
Siemens SIMATIC ET 200M
Siemens SIMATIC ET 200M IM153-4 PN IO HF
Siemens SIMATIC ET 200M IM153-4 PN IO ST
Siemens SIMATIC ET 200MP
Siemens SIMATIC ET 200MP IM155-5 PN BA
Siemens SIMATIC ET 200MP IM155-5 PN HF
Siemens SIMATIC ET 200MP IM155-5 PN ST
Siemens SIMATIC ET 200pro
Siemens SIMATIC ET 200pro IM154-3 PN HF
Siemens SIMATIC ET 200pro IM154-4 PN HF
Siemens SIMATIC ET 200pro IM154-6 PN IWLAN
Siemens SIMATIC ET 200S
Siemens SIMATIC ET 200SP
Siemens SIMATIC ET 200SP IM 155-6 PN/2 HF
Siemens SIMATIC ET 200SP IM 155-6 PN/3 HF
Siemens SIMATIC ET 200SP IM155-6 PN BA
Siemens SIMATIC ET 200SP IM155-6 PN HA
Siemens SIMATIC ET 200SP IM155-6 PN HF
Siemens SIMATIC ET 200SP IM155-6 PN HS
Siemens SIMATIC ET 200SP IM155-6 PN ST
Siemens SIMATIC ET 200SP Open Controller
Siemens SIMATIC ET 200SP Open Controller CPU 1515SP PC
Siemens SIMATIC ET 200SP Open Controller CPU 1515SP PC2
Siemens SIMATIC Field PG
Siemens SIMATIC Field PG HW
Siemens SIMATIC HMI Basic Panels 1st Generation
Siemens SIMATIC HMI Basic Panels 2nd Generation
Siemens SIMATIC HMI Classic Devices
Siemens SIMATIC HMI Comfort Outdoor Panels
Siemens SIMATIC HMI Comfort Panels
Siemens SIMATIC HMI Comfort Panels PRO
Siemens SIMATIC HMI Mobile Panel 277
Siemens SIMATIC HMI Mobile Panels
Siemens SIMATIC HMI Mobile Panels HW
Siemens SIMATIC HMI Multi Panels
Siemens SIMATIC HMI Panels
Siemens SIMATIC HMI United Comfort Panels
Siemens SIMATIC HMI WinCC
Siemens SIMATIC Information Server
Siemens SIMATIC IPC
Siemens SIMATIC IPC DiagBase
Siemens SIMATIC IPC DiagMonitor
Siemens SIMATIC IPC HW
Siemens SIMATIC IPC Support Package for VxWorks
Siemens SIMATIC IT Production Suite
Siemens SIMATIC IT UA Discrete Manufacturing
Siemens SIMATIC ITC
Siemens SIMATIC IWLAN-PB/LINK
Siemens SIMATIC Logon
Siemens SIMATIC Manager
Siemens SIMATIC Mobile Panel 277(F) IWLAN
Siemens SIMATIC MV400
Siemens SIMATIC MV500
Siemens SIMATIC NET PC-Software
Siemens SIMATIC PCS 7 TeleControl
Siemens SIMATIC PCS neo
Siemens SIMATIC PCS7
Siemens SIMATIC PCS7 IPC
Siemens SIMATIC PCS7 Web Server
Siemens SIMATIC PN/PN Coupler
Siemens SIMATIC Power Line Booster (PLB)
Siemens SIMATIC Power Line Booster (PLB) HW
Siemens SIMATIC Process Historian
Siemens SIMATIC ProSave
Siemens SIMATIC RF166C
Siemens SIMATIC RF180C
Siemens SIMATIC RF181-EIP
Siemens SIMATIC RF182C
Siemens SIMATIC RF185C
Siemens SIMATIC RF186C
Siemens SIMATIC RF186CI
Siemens SIMATIC RF188C
Siemens SIMATIC RF188CI
Siemens SIMATIC RF350M
Siemens SIMATIC RF360R
Siemens SIMATIC RF600
Siemens SIMATIC RF600R
Siemens SIMATIC RF615R
Siemens SIMATIC RF650M
Siemens SIMATIC RF650R
Siemens SIMATIC RF680R
Siemens SIMATIC RF685R
Siemens SIMATIC RF68XR
Siemens SIMATIC Route Control
Siemens SIMATIC S7 Series
Siemens SIMATIC S7-1200
Siemens SIMATIC S7-1500
Siemens SIMATIC S7-1500 HW
Siemens SIMATIC S7-1500 Software Controller
Siemens SIMATIC S7-1518-4 PN/DP MFP
Siemens SIMATIC S7-1518-4 PN/DP ODK
Siemens SIMATIC S7-1518F-4 PN/DP MFP
Siemens SIMATIC S7-1518F-4 PN/DP ODK
Siemens SIMATIC S7-200 SMART
Siemens SIMATIC S7-200 SMART HW
Siemens SIMATIC S7-300
Siemens SIMATIC S7-300 HW
Siemens SIMATIC S7-300 PN/DP
Siemens SIMATIC S7-400
Siemens SIMATIC S7-400 PN
Siemens SIMATIC S7-400 PN/DP
Siemens SIMATIC S7-400 PN/DP HW
Siemens SIMATIC S7-400-H
Siemens SIMATIC S7-410
Siemens SIMATIC S7-PLCSIM Advanced
Siemens SIMATIC S7-SCL
Siemens SIMATIC STEP 7
Siemens SIMATIC STEP 7 (TIA Portal)
Siemens SIMATIC STEP 7 - Micro/WIN SMART
Siemens SIMATIC TDC CP51M1
Siemens SIMATIC TDC CPU555
Siemens SIMATIC Teleservice Adapter IE
Siemens SIMATIC WinAC RTX
Siemens SIMATIC WinCC
Siemens SIMATIC WinCC (TIA Portal)
Siemens SIMATIC WinCC Flexible
Siemens SIMATIC WinCC Historian CONNECT ALARM
Siemens SIMATIC WinCC OA
Siemens SIMATIC WinCC OA Operator
Siemens SIMATIC WinCC OA UI
Siemens SIMATIC WinCC PI CONNECT ALARM
Siemens SIMATIC WinCC PI CONNECT AUDIT TRAIL
Siemens SIMATIC WinCC PM-AGENT
Siemens SIMATIC WinCC PM-ANALYZE
Siemens SIMATIC WinCC PM-CONTROL
Siemens SIMATIC WinCC PM-MAINT
Siemens SIMATIC WinCC PM-OPEN EXPORT
Siemens SIMATIC WinCC PM-OPEN HOST-S
Siemens SIMATIC WinCC PM-OPEN IMPORT
Siemens SIMATIC WinCC PM-OPEN PI
Siemens SIMATIC WinCC PM-OPEN PV02
Siemens SIMATIC WinCC PM-OPEN TCP/IP
Siemens SIMATIC WinCC PM-QUALITY
Siemens SIMATIC WinCC Runtime Advanced
Siemens SIMATIC WinCC Runtime Comfort
Siemens SIMATIC WinCC Runtime HSP Comfort
Siemens SIMATIC WinCC Runtime Mobile
Siemens SIMATIC WinCC Runtime Professional
Siemens SIMATIC WinCC SICEMENT IT MIS
Siemens SIMATIC WinCC SIPAPER IT MIS
Siemens SIMATIC WinCC Sm@rtClient for Android
Siemens SIMATIC WinCC Sm@rtClient Lite for Android
Siemens SIMATIC WinCC TeleControl
Siemens SINAMICS Connect 300
Siemens SINAMICS Control Unit PN
Siemens SINAMICS Control Unit PN HW
Siemens SINAMICS GH150
Siemens SINAMICS GH150 with PN
Siemens SINAMICS GL150
Siemens SINAMICS GL150 with PN
Siemens SINAMICS GM150
Siemens SINAMICS GM150 with PN
Siemens SINAMICS PERFECT HARMONY GH180
Siemens SINAMICS SH150
Siemens SINAMICS SL150
Siemens SINAMICS SL150 with PN
Siemens SINAMICS SM120
Siemens SINAMICS SM120 with PN
Siemens SINAMICS SM150
Siemens SINAMICS SM150 with SIMOTION and PN
Siemens SINAMICS SM150i
Siemens SINAMICS Startdrive
Siemens SINAMICS STARTER Commissioning Tool
Siemens SINEC PNI (Primary Network Initialization)
Siemens SINEC-INS
Siemens SINEC-NMS
Siemens SINUMERIK 808D
Siemens SINUMERIK 808D Programming Tool
Siemens SINUMERIK 828D
Siemens SINUMERIK 840D sl
Siemens SINUMERIK 840D sl HW
Siemens SINUMERIK Handheld Terminal HT 10
Siemens SINUMERIK Integrate Access MyMachine
Siemens SINUMERIK Integrate Operate Client
Siemens SINUMERIK MCU 1720
Siemens SINUMERIK OPC UA Server
Siemens SINUMERIK Operate
Siemens SINUMERIK Operator Panel with TCU
Siemens SINUMERIK PCU
Siemens SINUMERIK PCU50.5
Siemens SINUMERIK PCU50.5-C
Siemens SINUMERIK PCU50.5-P
Siemens SINUMERIK TCU30.3
Siemens SIPROTEC
Siemens SIPROTEC HW
Siemens SIPROTEC Plug-in Communication Module
Siemens SIRIUS 3RW5
Siemens SIRIUS ACT 3SU1 interface module PROFINET
Siemens SIRIUS Motor starter M200D PROFINET
Siemens SIRIUS Soft starter 3RW44 PN
Siemens SITOP Manager
Siemens SITOP PSU8600
Siemens SITOP PSU8600 PROFINET
Siemens SITOP UPS1600
Siemens SITOP UPS1600 PROFINET
Siemens SMART PC Access
Siemens Softnet PROFINET IO
Siemens SOFTNET Security Client
Siemens Spectrum Power
Siemens Spectrum Power Telegyr Software
Siemens SWT 3000 Teleprotection
Siemens TALON TC Controller
Siemens Teamcenter Visualization
Siemens Tecnomatix Plant Simulation
Siemens TeleControl Server Basic
Siemens TIA Administrator
Siemens Tia Portal
Siemens TIM 1531 IRC
Siemens TIM 3V-IE
Siemens TIM 3V-IE Advanced
Siemens TIM 3V-IE DNP3
Siemens TIM 4R-IE
Siemens TIM 4R-IE DNP3
Siemens WCIS
Sierra Wireless ALEOS
Sightline Systems Sightline
Simba Hosting Two Factor Authentication Plugin
Simplenia Pages
Sinon Project Sinon
SiteGround SG Optimizer Plugin
SL Corporation RTView
SlideDeck SlideDeck2 Plugin
Slido Slido
SlowCheetah SlowCheetah
SMA Solutions OpCon
SmartBear SoapUI
Snowflake Snowflake
Socket Socket.IO
Socket.IO-File Socket.IO-File
Software AG ADABAS
Software AG Natural
Solace Corporation 3260 Content Router
SolarWinds Database Performance Analyzer (DPA)
Solix Technologies Big Data Suite
SonarSource SonaQube
Sonatype Component Lifecycle Management (CLM)
SonicWALL Global VPN Client
SonicWALL Scrutinizer
SourceForge Monkey HTTP Daemon
Sovrn Search Everything Plugin
SparkJava Spark
SPC Systems RW2
Spot.IM Spot.IM Comments Plugin
Spring Boot
Spring Core
Spring Spring AMQP
Spring Spring Integration
SQISOFT ssBridge
SQLite SQLite
SSH Communications Security Tectia Client
SSH Communications Security Tectia Manager
SSH Communications Security Tectia Server
STEALTHbits StealthAUDIT Management Platform
Stewart DataTech dbaTOOLS
StrataCloud Virtualization Management Center (VMC)
Sun Connection
Sun LDAP Access Daemon (LAD)
Sun ONE Directory Server
Sun Solaris
Sun Solaris Cluster
Sun SPARC
Sun System Management Services (SMS)
Supsystic Photo Gallery Plugin
Supsystic Popup Plugin
SVG SVG Sanitizer
Swift Alliance Access
Swift Alliance Gateway
Swift Alliance WebPlatform
Swift Connecteur RAHA FileAct
Swift Integration Layer (SIL)
Swift SWIFTNet Link
Sybase Adaptive Server
Sybase IQ
Sybase MFC/DC
Sybase Open Server
Sybase OpenSwitch
Sybase Replication Server
Sybase SDK
Sybase Software Dev Kit
Sybase Sybase Control Center
Symantec Control Compliance Suite (CCS)
Symantec Data Loss Prevention (DLP)
Symantec Data Loss Prevention Detection Server
Symantec Data Loss Prevention Endpoint Agent
Symantec Encryption Management Server
Symantec Enforce
Symantec Enterprise Security Manager
Symantec NetBackup
Symantec NetBackup Appliance
Symantec Storage Foundation for RHEL Linux
Symantec Symantec Data Insight
Symantec Symantec Storage Foundation for Windows
Symantec Symantec Veritas Cluster Server
Symantec Symantec Veritas NetBackup Operations Manager
Symantec Veritas Disaster Recovery Advisor
Symantec Veritas Operations Manager (VOM)
Symantec Veritas Storage Foundation
Symantec Web Isolation
Symmetricom SyncServer S300
Syncsort EZ-Reorg
Synopsys SecureAssist
Tableau Public Desktop
Tableau Reader
Tableau Server
Tableau Tableau
Tableau Tableau Desktop
Talend Talend Administration Center2
Talend Talend Data Preparation
Tandberg MXP
Tanium Client
Tanium Server
Tasktop Tasktop Sync
Tcpdump Tcpdump
TCPWave DNS Appliance
TCPWave IPAM (IP Address Management)
TECHNETRON DB/DYNAM
TECHNETRON DB/INFO
TechSmith Snagit
Telerik Fiddler
Telerik ui for asp.net ajax
Temenos Avoka Journey SDK
Temenos Multifonds Global Accounting
Tenable Network Security Nessus
Tenebraex Eyepilot
TestNG TestNG
Text Help Systems Browse Aloud
Text Help Systems Read&Write
Thales nShield Connect
The Paciello Group Colour Contrast Analyser
Theme Forest Carspot Plugin
Theme Forest NativeChurch
ThemeAlien Variation Swatches for WooCommerce Plugin
ThemeFusion Avada
Themeist I Recommend This Plugin
Third Pillar Systems Loan Path
Thomson Reuters Reuters Messaging
TIBCO ActiveMatrix Adapter for LDAP Software
TIBCO ActiveMatrix Adapter for MQ Series
TIBCO ActiveMatrix Adapter for Siebel
TIBCO ActiveMatrix Adapter for SWIFT
TIBCO ActiveMatrix Adapter for Tuxedo
TIBCO ActiveMatrix BPM
TIBCO ActiveMatrix BusinessWorks
TIBCO ActiveMatrix BusinessWorks for TIBCO Silver Fabric
TIBCO ActiveMatrix BusinessWorks for z/Linux
TIBCO Administrator
TIBCO Business Studio
TIBCO BusinessEvents
TIBCO BusinessWorks COBOL Copybook Plug-in
TIBCO BusinessWorks Container Edition
TIBCO BusinessWorks EJB Plug-In
TIBCO BusinessWorks XA Transaction Manager
TIBCO Enterprise Administrator
TIBCO Hawk
TIBCO iProcess Engine
TIBCO Jaspersoft Studio
TIBCO RTView
TIBCO Runtime Agent
TIBCO Smart Mapper Plugin
TIBCO Spotfire S+
TIBCO Spotfire Server
TIBCO TIBCO ActiveMatrix Adapter for Files
TIBCO XML Canon
Timo Sirainen Dovecot
Tips and Tricks HQ All In One WP Security and Firewall Plugin
TMD Security Active Dip Kit
TMD Security Card Protection Kit
TMD Security TMS
TobyU Simple Mail Address Encoder Plugin
Todd Miller Sudo
Transmit Security Transmit Security HUB
Triangle Systems Interactive Output Facility
Tribulant Software Newsletters Plugin
Tribulant Software One Click SSL
Trustwave AppDetectivePRO
TubePress TubePress
Turbonomic Turbonomic
Twisted Matrix Labs Twisted
Twistlock Twistlock
Ubuntu LXC
Ubuntu Ubuntu Linux
UnboundID UnboundID Identity Data Store
UnboundID Unboundid Identity Data Sync
Unisys Agile Business Suite (AB Suite)
Unisys ClearPath MCP
Unisys Database Operation Center
Unisys Enterprise Application Environment (EAE)
Unisys MCP File Copier
Unisys Programmer’s WorkBench for ClearPath MCP
Unisys Web Enabler for ClearPath MCP
University of Southern California Karma
University of Washington Alpine
UpdraftPlus UpdraftPlus Plugin
Uplogix Control Center
Uplogix Uplogix Envoy
Upper Themes Swape
UpSlide UpSlide Enterprise
Valor Software ngx-bootstrap
Van Dyke Technologies SecureCRT
Van Dyke Technologies SecureFX
Varonis Systems DatAdvantage for Windows
Velocity Software ESALPS
Venafi Trust Protection Platform
Verifone Verifone Driver for Pinpad
Verint EdgeVR
Verint Impact 360
Veritas Software Cluster Server
Veritas Software NetBackup
Veritas Software NetBackup Appliance
Veritas Software Veritas Filesystem
Veritas Software Volume Manager
Verizon Business Hosted IP Centrex (HIPC)
VeronaLabs WP Statistics Plugin
VeryDOC DOC to Any Converter
VideoLAN VLC media player
VIRTUAL SOFTWARE SYSTEMS VPARS
VIRTUAL SOFTWARE SYSTEMS VTAPE
Virtusa Polaris Satellite Application for Messaging
Visser Labs WooCommerce Store Exporter
VMWare Horizon Agents Installer
VMWare Horizon View
VMWare Horizon View Agent
VMWare Horizon View Client
VMWare Identity Manager
VMWare NSX Advanced Load Balancer
VMWare Photon OS
VMWare Skyline Collector
VMWare ThinApp
VMWare Unified Access Gateway
VMWare Unified Access Manager
VMWare Update Manager
VMWare vCenter Operations Manager
VMWare vCenter Server
VMWare vCenter Update Manager
VMWare vCloud Automation Cente (vCAC)
VMWare VirtualCenter
VMWare VMWare
VMWare VMWare Tools
VMWare VMWare Workstation
VMWare VMWare Workstation Pro
VMWare vRealize Automation
VMWare vRealize Log Insight
VMWare vRealize Network Insight
VMWare vRealize Operations Manager
VMWare vRealize Orchestrator
VMWare vRealize Suite Lifecycle Manager
VMWare vSphere Replication
Volante Composer
Volante Designer
VSI OpenVMS
Vsourz Digital Advanced Contact form 7 DB Plugin
Vsourz Digital CF7 Invisible reCAPTCHA
Vyopta vAnalytics
Warren Harrison User Domain Whitelist Plugin
WaspThemes Visual CSS Style Editor
WaspThemes Yellow Pencil Plugin
Watchful RightsWatch
WC Marketplace WC Catalog Enquiry Plugin
Webcraftic Woody Ad Snippets Plugin
WebDorado Contact Form Builder Plugin
Webpack json-loader
Webpack UglifyJS
Webpack Webpack
WebToffee Import Export WordPress Users
WhiteCanyon WipeDrive Pro
Wietse Venema Postfix
William Stucky & Associates Stucky Net Link
WindRiver VXWORKS
WinstonJS Winston
WinTECH Software Design ModScan64
Wipro Holmes
Wirecard FINSim
Wireshark Wireshark
Wolters Kluwer CCH Medici Documenter
WooCommerce PayPal Checkout Payment Gateway
WordPress ACF Better Search Plugin
WordPress Ad Buttons Plugin
WordPress Admin Renamer Extended Plugin
WordPress Advanced AJAX Page Loader Plugin
WordPress Custom 404 Pro Plugin
WordPress Deny All Firewall Plugin
WordPress Easy PDF Restaurant Menu Upload
WordPress EELV Newsletter Plugin
WordPress ESB CSV-Import-Export Plugin
WordPress Flickr Justified Gallery Plugin
WordPress FlightLog Plugin
WordPress HandL UTM Grabber
WordPress Lightbox Plus ColorBox Plugin
WordPress Live Forms
WordPress Login Or Logout Menu Item
WordPress Memphis Documents Library Plugin
WordPress ND Booking
WordPress ND Shortcodes Plugin
WordPress Newsletter by Supsystic Plugin
WordPress Page Flip Book Plugin
WordPress Post Indexer
WordPress Print My Blog Plugin
WordPress Rating Plugin
WordPress Search Exclude
WordPress Share on Diaspora Plugin
WordPress Sharebar Plugin
WordPress Simple Fields Plugin
WordPress SiteBuilder Dynamic Components
WordPress SmokeSignal Plugin
WordPress Time Sheets Plugin
WordPress WassUp Plugin
WordPress WebP Converter for Media
WordPress Woocommerce Products Price Bulk Edit Plugin
WordPress WordPress
WordPress WordPress Uninstall Plugin
WordPress WP Private Content Plus
WordPress ZX_CSV Upload
Workfusion Workfusion
WP Affiliates Manager Affiliates Manager
WP Booking System WP Booking System
WP Google Maps WP Google Maps
WP Payeezy Pay Project WP Payeezy Pay
WP Polls Project WP-Polls
WP Support Plus Responsive Ticket System Plugin
wp-jobhunt project wp-jobhunt
WP-ViperGB WP-ViperGB Plugin
WPBrigade LoginPress
WPCharitable Charitable
WPChef Widget Logic Plugin
wpecommerce Easy WP SMTP
wpgform project wpgform
WPGraphQL WPGraphQL
WPMadeasy Shortcode Factory
Wpmanage Uji Countdown
WPMU DEV Forminator
WPServeur WPS Child Theme Generator Plugin
Wyse Enhanced SuSE Linux Enterprise
Wyse TCX Multi-display
Wyse TCX-Multimedia
Wyse TCX-USB Virtualizer
Wyse Wyse ThinOS
X.org libXfixes
X.org libXfont
X.org libXi
X.org libXinerama
X.org libXrandr
X.org libXt
X.org libXtst
X.org libXv
Xakuro System XO Security Plugin
Xceptor Data Hub
Xerox Altalink
Xerox Altalink HW
Xerox ColorQube
Xerox Device Manager (XDM)
Xerox Phaser
Xerox VersaLink
Xerox WorkCentre
Xerox WorkCentre 5675
Xerox WorkCentre 5687
Xerox WorkCentre 6400
Xerox WorkCentre 75
Xerox WorkCentre 7655
Xerox WorkCentre 7665
Xerox WorkCentre 7675
Xerox WorkCentre HW
Xilinx Ethernet Adapters
xiph Libvorbis
XLPlugins User Email Verification for WooCommerce
XMLSoft Libxml2
XPECTRA Remote Management S.A. de C.V. netMATRIX
XpoLog XpoLog Center
XYPRO XYGATE Access Control (XAC)
Yahoo Instant Messenger
Yahoo Messenger
YIKES Easy Forms for Mailchimp Plugin
yourownprogrammer YOP Poll
Yukihiro Matsumoto Ruby
Yuzo Related Posts Plugin
Zantaz First Archive
zlib zlib
Zoho SalesIQ Plugin
Zoho Zoho SalesIQ
Zoom Video Communications Zoom Client
Zoom Video Communications ZOOM Cloud Meetings
Zoom Video Communications Zoom Rooms
Appendix C – Banner Translator Products
Vendor Product Name
7-Zip 7-Zip
A10 Networks ACOS
ABB AC 800M
Adobe Acrobat
Adobe Acrobat DC Classic
Adobe Acrobat DC Continuous
Adobe AIR
Adobe AIR SDK
Adobe Flash Player
Adobe Reader
Adobe Shockwave Player
Alcatel AOS
Alpine Linux
Amazon Linux
Amazon Linux 2
Apache Software Foundation Apache
Apache Software Foundation Struts
Apache Software Foundation Tomcat
Apple iTunes
Apple MacOS X
Apple MacOS X Server
Apple QuickTime
Apple Quicktime Streaming Server
Apple Safari
Arista EOS
Aruba ArubaOS
Barco wePresent WiPG
BlueCoat Systems Advanced Secure Gateway (ASG)
BlueCoat Systems ProxySG
Brocade IronWare OS
Brocade Network OS
CentOS CentOS
Check Point Software Gaia OS
Check Point Software Provider-1
Check Point Software Security Gateway
Check Point Software VPN-1
Cisco Aironet Access Point
Cisco Application Control Engine (ACE)
Cisco ASA
Cisco Firepower Threat Defense (FTD)
Cisco FWSM
Cisco IOS
Cisco IOS-XE
Cisco IOS-XR
Cisco NX-OS
Cisco PIX
Cisco VPN Client
Cisco WebEx Productivity Tools
Cisco WebNS (CSS)
Citrix NetScaler
Citrix Receiver for iOS
Citrix Receiver for iPhone
Citrix Receiver for Linux
Citrix Receiver for Mac
Citrix Receiver for Windows
Citrix Receiver for Windows Mobile
Citrix Xen Windows PV Drivers
Citrix XenServer
Debian Linux
Dell Inc. DRAC (Dell Remote Access Controller)
Dptech ConPlat OS
F5 BigIP
Factor-TS DionisNX
Fanuc Collaborative Robot
Fanuc Collaborative Robot HW
ffdshow ffdshow
Forcepoint Next Generation Firewall (NGFW)
FortiNet FortiGate 1000
FortiNet FortiOS
FreeBSD FreeBSD
FrontMotion Firefox CE
Generic Unix
Git for Windows Git for Windows
Google Chrome
Google Chrome OS
Google Google Update Helper
H3C Comware
Honeywell Experion PKS Controller
Honeywell Experion PKS Controller HW
HP Color LaserJet
HP Integrated Lights-Out (iLO)
HP JetDirect
HP ProCurve Switch
HP SMH (System Management Homepage)
Huawei Eudemon1000E
Huawei Router Firmware
IBM BigFix Client
IBM BigFix Platform
IBM IBM I
IBM Lotus Notes
IBM TAM ESSO
IBM Tivoli Directory Server
IBM WebSphere Application Server
IBM z/OS
Joomla! Joomla!
Juniper Networks IVE OS
Juniper Networks JUNOS
Juniper Networks Junos Pulse Desktop
Juniper Networks ScreenOS
KeePass KeePass Password Safe
Konica Minolta Printer
Lenovo Auto Scroll Utility
Lenovo Communications Utility
Lenovo Lenovo Patch Utility (LPU)
Lenovo UltraNav Utility
Linux Linux Kernel
Macromedia Shockwave Player
MariaDB MariaDB
McAfee Agent
McAfee AntiVirus
McAfee Antivirus Engine
McAfee Common Management Agent
McAfee Endpoint Security
McAfee ePolicy Orchestrator
McAfee Host Intrusion Prevention
McAfee SecureOS
McAfee VirusScan Enterprise
Microsoft .NET Framework
Microsoft Access
Microsoft Active Directory
Microsoft Active Directory Application Mode (ADAM)
Microsoft Active Directory Lightweight Directory Service
Microsoft Edge Chromium
Microsoft Excel
Microsoft Excel for Mac
Microsoft Exchange Server
Microsoft IIS
Microsoft Internet Explorer
Microsoft Lync
Microsoft Lync Server
Microsoft Office
Microsoft Office for Mac
Microsoft Office SharePoint Server
Microsoft OneNote
Microsoft OneNote for Mac
Microsoft Outlook
Microsoft Outlook Express
Microsoft Outlook for Mac
Microsoft PowerPoint
Microsoft PowerPoint for Mac
Microsoft Silverlight
Microsoft Silverlight for Mac
Microsoft SQL Server
Microsoft SQL Server Compact Edition
Microsoft SQL Server Management Studio (SSMS)
Microsoft SQL Server Management Studio Express (SSMSE)
Microsoft System Center Operations Manager
Microsoft Visual C++
Microsoft Windows 10
Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows NT
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Word
Microsoft Word for Mac
Microsoft XML Core Services
Mozilla Firefox
Mozilla SeaMonkey
Mozilla Thunderbird
MySQL AB MySQL
NetBSD NetBSD
Node.js Foundation Node.js
Nortel Networks Alteon
Notepad plus plus Notepad plus plus
OKI LAN7130E
Omron CJ2M Series PLC
Omron CJ2M Series PLC HW
Omron Controller NJ Series
Omron Controller NJ Series HW
OpenBSD OpenSSH
OpenSSL OpenSSL
Opera Software Opera Web Browser
Oracle Application Express
Oracle Application Server Portal
Oracle Glassfish
Oracle JDK
Oracle JRE
Oracle MySQL
Oracle Oracle Application Server
Oracle Oracle Database
Oracle Oracle Linux
Oracle PeopleSoft Enterprise
Oracle PeopleSoft PeopleTools
Oracle Server JRE
Oracle Solaris
Oracle WebLogic Server
Palo Alto PAN-OS
Palo Alto User-ID Agent
PHP PHP
Printronix PrintNet Enterprise
PuTTY PuTTY
Python Software Foundation Python
Qualys Cloud Agent
RARLAB WinRAR
RedHat Enterprise Linux Desktop
RedHat Enterprise Linux Server
RedHat Enterprise MRG
RedHat Linux
RedHat RedHat OS
Rockwell Automation CompactLogix
Rockwell Automation ControlLogix
Rockwell Automation ControlLogix Communications Module
Rockwell Automation MicroLogix
Rockwell Automation PanelView 800
Rockwell Automation PanelView 800 HW
Rockwell Automation PanelView Plus 6
Rockwell Automation PanelView Plus 6 HW
Rockwell Automation PanelView Plus 7
Rockwell Automation PanelView Plus 7 HW
Rockwell Automation PLC-5
Rockwell Automation PowerFlex
Rockwell Automation PowerFlex HW
Rockwell Automation RSLinx Classic
Rockwell Automation RSLinx Classic HW
Rockwell Automation SLC 500
S.u.S.E. Linux Enterprise Server
S.u.S.E. OpenSUSE
Salesforce Chatter Desktop
Samba Samba
Samsung iPOLiS Device Manager
Samsung SL-M4070FR
SAP NetWeaver
SAP SAP GUI
Schneider Electric M340 BMXP342020
Schneider Electric M580 BMEP581020
Schneider Electric Momentum 171CBU98091
Schneider Electric Quantum 140NOE77101
Scientific Linux Scientific Linux
Siemens Siemens Device
Siemens SIMATIC S7-1500
Siemens SIMATIC S7-300
Siemens SIMATIC S7-400 PN/DP
Siemens SIMATIC S7-400-H
Skype Technologies Skype
SonicWALL SonicOS
Sophos UTM
SourceForge FileZilla Server
Splunk Splunk
Stormshield Stormshield Network Security (SNS)
Sun Glassfish Enterprise Server
Sun Java System Application Server
Sun Solaris
Sun SunOS
Symantec Endpoint Protection
Symantec Endpoint Protection Manager
Symantec LiveUpdate
Symantec LiveUpdate Administrator
Symantec NetBackup
Symantec Norton Antivirus
TallyGenicom TGNet
TortoiseSVN TortoiseSVN
Trendnet Print Server
Ubuntu Ubuntu Linux
Unidentified Unidentified
Unisys OS 2200
Unspecified Banner
VMWare VMware ESX Server
VMWare VMware ESXi Server
VMWare VMWare Player
VMWare VMWare Workstation
WatchGuard Fireware
WinSCP WinSCP
WinZip Computing WinZip
Wireshark Wireshark
XenProject Xen
Yokogawa AFV10D
Yokogawa AFV30D
Yokogawa SSC60D-F
Yokogawa SSC60D-S
Zebra ZebraNet Print Server
Zscaler Zscaler Internet Access (ZIA)