Skybox Security recently announced a ‘next-generation’ solution for vulnerability management that detects network vulnerabilities in an automated and non-disruptive manner, without an active scan. Since then, industry analysts and media have asked many questions about this feature, its advantages, and how it works. Here is Dr. Amnon Lotem, CTO at Skybox Security, to address these questions.
Q: There are many vulnerability scanners in the market – why would Skybox Security offer a vulnerability detection capability?
The Skybox Vulnerability Control product is used by a wide variety of organizations, including financial institutions, government and defense, energy and utilities, telecommunications, retail and many others, to manage and prioritize vulnerabilities and reduce cyber-attack risks on a daily basis. Until now, the source for vulnerabilities was the vulnerability scanner (or scanners) installed in the organization. Vulnerability Control applies strong analytics to the volumes of vulnerability data to enable security and IT to prioritize vulnerabilities and automate remediation.
However, in deploying Vulnerability Control at more than 300 customers, we found that relying on vulnerability scanner data as the main source for vulnerability discovery was problematic. For example, scans only cover a portion of the network; many segments are not scanned at all, or are scanned infrequently (weeks and sometimes months between scans). This does not address the dynamic nature of the network and the fast development of new threats, leaving too wide a window of exposure for the attackers.
To solve these issues we came up with a new approach for vulnerability discovery.
Q: Can you explain the new Skybox approach?
We observed that almost all organizations have already deployed system and network operations management solutions that know a lot about the hosts of the organization. Examples are Active Directory, configuration and patch management systems (like MS/SCCM and MS/WSUS), and CMDBs.
These systems don’t report on vulnerabilities, but they have accurate information on the OS of the host, the installed products, the installed patches and the missing patches. More importantly, this information is typically refreshed daily. Using this data, Vulnerability Detector deduces the vulnerabilities of each host, and this becomes a source for vulnerabilities in Skybox Vulnerability Control.
Vulnerability Detector can be used on a daily basis for a wide scope of the organizational network. It imposes no disruption to the network and its deployment is easy.
Q: Others have tried similar detection in the past, what makes Vulnerability Detector different?
Although the deployment is simple, the complexity stems from the challenge of deducing the vulnerabilities in a reliable way using product and patch information. For that purpose, Skybox developed a unique approach called rule-driven profiling technology, which formalizes the product and version information in an accurate way (patent pending), and then determines the vulnerabilities associated with each product, considering the exact product version, service pack, OS version, and patch information. Rule-driven profiling uses extraction rules that are available in Skybox’s proprietary Vulnerability Dictionary, which is distributed to customers on an on-going basis.
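To make the two preceding answers concrete (inventory data from patch and configuration management as the input, and rule-driven matching on product, version and patch state as the deduction step), here is a small added example of how such a deduction engine can be built. It is illustration written for this page, not Skybox's code, and it knows nothing about the actual Vulnerability Dictionary or its rule format. Every host, product, version, rule identifier (`VULN-EX-*`) and patch identifier (`PATCH-EX-*`) in it is constructed, and the `Rule`/`Host` structures and the `deduce_vulnerabilities` function are assumptions of the example. It also shows the one failure mode that makes this kind of matching unreliable when done naively: comparing version strings as text puts 10.10 before 10.9.

```python
"""Inventory-driven vulnerability deduction (added example; not Skybox's code).

Input is what a patch/configuration management system or CMDB would report
about a host: OS family and version, installed products with versions, and
installed/missing patches. Output is the list of dictionary rules the host
matches. All identifiers below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


def parse_version(text: str) -> tuple:
    """Normalise '11.0.10' / '1.7.0.79' into a tuple of ints.

    Tuples compare numerically per component, so 10.10 > 10.9; comparing the
    raw strings would rank 10.10 before 10.9 and misjudge the affected range.
    """
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)


@dataclass(frozen=True)
class Rule:
    """One matching rule of a hypothetical vulnerability dictionary."""
    vuln_id: str
    product: str                       # normalised product name, or "os"
    min_version: str                   # inclusive lower bound of affected range
    fixed_version: Optional[str]       # exclusive upper bound; None = no fixed release
    fixing_patch: Optional[str] = None # patch that closes the issue without a version bump
    os_family: Optional[str] = None    # restrict to an OS family; None = any


@dataclass
class Host:
    name: str
    os_family: str
    os_version: str
    products: dict = field(default_factory=dict)      # product name -> version string
    installed_patches: set = field(default_factory=set)
    missing_patches: set = field(default_factory=set)


def version_in_range(version: str, rule: Rule) -> bool:
    v = parse_version(version)
    if v < parse_version(rule.min_version):
        return False
    if rule.fixed_version is not None and v >= parse_version(rule.fixed_version):
        return False
    return True


def deduce_vulnerabilities(host: Host, rules: list) -> list:
    """Return (vuln_id, evidence) pairs judged from inventory data alone."""
    findings = []
    for rule in rules:
        if rule.os_family and rule.os_family != host.os_family:
            continue
        version = host.os_version if rule.product == "os" else host.products.get(rule.product)
        if version is None or not version_in_range(version, rule):
            continue
        if rule.fixing_patch:
            if rule.fixing_patch in host.installed_patches:
                continue  # affected range, but the remediating patch is present
            evidence = (f"{rule.fixing_patch} reported missing"
                        if rule.fixing_patch in host.missing_patches
                        else f"{rule.fixing_patch} not in installed patches")
        else:
            evidence = f"{rule.product} {version} in [{rule.min_version}, {rule.fixed_version})"
        findings.append((rule.vuln_id, evidence))
    return findings


def vuln_ids(host: Host, rules: list) -> list:
    return sorted(vid for vid, _ in deduce_vulnerabilities(host, rules))


# Constructed dictionary: two version-ranged rules for one product, an OS rule
# closed by a patch, and a rule with a four-component version.
RULES = [
    Rule("VULN-EX-001", "acme_reader", "11.0", "11.0.10"),
    Rule("VULN-EX-002", "acme_reader", "10.0", "10.1.13"),
    Rule("VULN-EX-003", "os", "6.1", "6.2", fixing_patch="PATCH-EX-3", os_family="Windows"),
    Rule("VULN-EX-004", "jre", "1.7.0", "1.7.0.80"),
]

# Constructed inventory records.
HOST_A = Host("ws-a", "Windows", "6.1", {"acme_reader": "11.0.9", "jre": "1.7.0.79"},
              installed_patches={"PATCH-EX-3"})
HOST_B = Host("ws-b", "Windows", "6.1", {"acme_reader": "10.1.9"},
              missing_patches={"PATCH-EX-3"})
HOST_C = Host("srv-c", "Linux", "3.10", {"acme_reader": "11.0.10"})

if __name__ == "__main__":
    for host in (HOST_A, HOST_B, HOST_C):
        print(host.name, deduce_vulnerabilities(host, RULES))
```

Run as a script it prints the findings per host; the point worth noticing is that `ws-a` is not flagged for the OS rule because the fixing patch is present, while `ws-b` is, with the inventory's own "missing" report as evidence. In a real deployment the hard part is exactly what the answer above calls extraction rules: mapping the free-form product and version strings each inventory source emits onto the normalised names and version schemes the rules use, which this example assumes has already been done.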
Q: Do you suggest augmenting or replacing already installed scanners in the organization?
Skybox Vulnerability Detector has been successfully deployed and used daily by Skybox customers since 2012.
Vulnerability Control consolidates data from all available sources in the organization into a single holistic picture of vulnerabilities and risks. Continuing to use the data feeds from already deployed scanners in the organization makes a lot of sense, leveraging existing investments. Vulnerability Detector in that situation will be used for:
(1) Extending the scope of the vulnerability management program to include non-scanned networks
(2) Increasing the frequency in which vulnerabilities are detected in already scanned networks (from weeks to daily detection cycles).
When the organization considers replacing its current vulnerability scanner, it should definitely consider Skybox Vulnerability Detector as a central source for detecting vulnerabilities.
Q: But how could Security and IT cope with daily detection of vulnerabilities across a wide network scope?
That is exactly the focus of Skybox Vulnerability Control. Our goal is to make vulnerability management happen in a practical and effective way. Each organization can decide on its own focus and policy for vulnerability management. Some organizations might focus only on critical Microsoft vulnerabilities, while others might include additional central products in their policy (Adobe products, browsers, Java, databases, application servers, etc.), and other organizations might deal with every risky-enough vulnerability with wide impact on the organization. Vulnerability Control provides a simple way to define what is in focus, automatically run strong analytics for prioritization, and then monitor status, changes, and progress.