Skybox Risk Control version 7.0.0 45
Chapter 9
This chapter explains how Exposure works in Skybox View.
In this chapter
Introduction to exposure ... 45
Automated IT security modeling ... 46
Attack simulation and visualization ... 47
Business impact analysis and risk metrics ... 48
Regulation compliance ... 49
Risk exposure management workflow ... 49
Introduction to exposure
Exposure is one of the main features of Skybox Risk Control and you can see overview information in the bottom half of the Risk Control Summary page.
Figure 13: Analytics Center
Overview of the Exposure feature
Skybox Risk Control User’s Guide
The exposure-related information shown on this page includes the direct vulnerability occurrences (vulnerability occurrences that are one or two steps away from any Threat Origin) and the Threat Origins that pose the most danger to your organization. To drill down to additional information, click any of the links; or use the Exposure Summary page to view additional information—including trends—before drilling down.
Figure 14: Exposure Summary page
The page displays information about critical exposure in your organization, and you can drill down to get additional information. The information shown on this page includes the direct vulnerability occurrences (vulnerability occurrences that are one or two steps away from any Threat Origin) and the Threat Origins that pose the most danger to your organization. You can also view additional information about Threat Origins and Business Asset Groups using the tabs at the top of the Summary page.
Automated IT security modeling
To identify, quantify, and mitigate security exposure, Skybox Risk Control builds a model—a virtual map representing the security risk profile of your organization. The model consists of:
• Threat profiles
• Network access information
• Vulnerability occurrence data
• Business Asset Group classification
All four components are required to analyze business impacts completely and accurately.
Skybox Risk Control employs the open collection architecture of the Skybox View platform.
Information is collected by scheduling regular collection tasks that continuously supply the model with up-to-date information about changes to the network infrastructure.
Using Skybox View, organizations now have a single view of their security environment that is updated automatically and continuously. Subsequent attack simulation and What If analysis can now be performed safely on this model instead of on the actual networks and devices.
Figure 15: The Network Map provides a picture of the model
Attack simulation and visualization
Skybox Risk Control conducts exhaustive, nonintrusive attack simulations against the model to measure the effectiveness of potential threats in penetrating security defenses. Using scenarios that include human attackers and malicious code, the unique Skybox View Attack Simulation Engine ascertains which assets are reachable and exploitable, and which are secure.
An Attack Map provides a visual, step-by-step analysis of attacks, based on simulations of possible attack paths. Skybox Risk Control graphically illustrates the multi-step path an attacker can take, identifying the specific vulnerability occurrences exploited and the network access traversed for each exploitable path.
Figure 16: Attack Map
This analysis allows IT departments to identify the top 2% of exploitable vulnerability occurrences that make up the primary risks to critical assets. Working from this analysis, security and IT professionals can focus on critical exposures proactively, as soon as they appear, and reduce the time to remediation from weeks to hours.
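The following is an added example, not code from the Skybox product or this guide. It models, in a few dozen lines, the two ideas described above and in the Summary page description: a multi-step attack path through the model (network access between assets, with a vulnerability occurrence needed as a foothold to pivot further), and the notion of a direct vulnerability occurrence as one that is one or two steps away from a Threat Origin. All asset names, the Threat Origin, and the occurrence IDs are constructed; the real Attack Simulation Engine works on a far richer model.

```python
"""Added illustration, not Skybox code: a minimal reachability model in the
spirit of the Attack Map. Assets are nodes, allowed network access forms the
edges, and an asset is exploitable when it carries a vulnerability occurrence.
All asset names, Threat Origins and occurrence IDs below are constructed."""
from collections import deque

# Constructed network access: asset -> assets it is allowed to reach
ACCESS = {
    "internet": {"web-dmz"},
    "web-dmz": {"app-1", "app-2"},
    "app-1": {"db-core"},
    "app-2": set(),
    "db-core": set(),
}
# Constructed vulnerability occurrences: asset -> occurrence IDs on that asset
VULN_OCCURRENCES = {
    "web-dmz": ["VO-1"],
    "app-1": ["VO-2"],
    "db-core": ["VO-3"],
}
THREAT_ORIGINS = {"internet"}


def attack_paths(access, vulns, origins):
    """Breadth-first simulation from every Threat Origin.

    Returns {asset: (steps, path)} for every asset an attacker can reach,
    where path lists the assets traversed. Movement continues only from a
    Threat Origin or from an exploitable asset, so an asset with no
    vulnerability occurrence is reachable but cannot serve as a pivot."""
    reached = {}
    queue = deque((origin, 0, [origin]) for origin in origins)
    while queue:
        node, steps, path = queue.popleft()
        if node not in origins and node not in vulns:
            continue  # reachable, but no foothold to pivot from
        for nxt in access.get(node, ()):
            if nxt in reached or nxt in origins:
                continue  # BFS: the first visit is the shortest path
            reached[nxt] = (steps + 1, path + [nxt])
            queue.append((nxt, steps + 1, path + [nxt]))
    return reached


def exploitable_assets(paths, vulns):
    """Assets that are both reachable and carry a vulnerability occurrence."""
    return {asset for asset in paths if asset in vulns}


def direct_occurrences(paths, vulns, max_steps=2):
    """Vulnerability occurrences one or two steps from a Threat Origin,
    the definition of 'direct' used on the Summary pages."""
    return {
        vo
        for asset, (steps, _) in paths.items()
        if steps <= max_steps
        for vo in vulns.get(asset, [])
    }


if __name__ == "__main__":
    paths = attack_paths(ACCESS, VULN_OCCURRENCES, THREAT_ORIGINS)
    for asset, (steps, path) in sorted(paths.items(), key=lambda kv: kv[1][0]):
        print(f"{asset}: {steps} step(s) via {' -> '.join(path)}")
    print("direct occurrences:", sorted(direct_occurrences(paths, VULN_OCCURRENCES)))
```

In this constructed model, db-core is reachable only through the three-step path internet, web-dmz, app-1, db-core, so its occurrence VO-3 is not counted as direct even though the asset is exploitable; app-2 is reachable in two steps but, carrying no vulnerability occurrence, cannot be used as a pivot. That distinction is what lets the analysis focus remediation on the small set of occurrences that actually open paths to critical assets.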
Business impact analysis and risk metrics
Based on the results of attack simulation, Skybox Risk Control analyzes the potential business impacts on assets in terms of potential breaches in confidentiality, integrity, and availability (CIA). Attack simulation computes the likelihood of attacks. Skybox Risk Control then calculates business and compliance risks by analyzing asset values and attack probabilities. To provide the most useful analysis, you can import business-impact rules and regulation compliance classifications from asset management databases or other predefined sources.
Risk metrics are automatically generated for every Business Asset Group. Metrics are consolidated for individual Business Units and for the organization overall. Managers can view the results of the risk analysis in reports built on flexible report templates. Working from these reports, they can select the most effective remediation processes to reduce critical risk exposure.
Figure 17: Business Impacts tabbed page
Regulation compliance
Security professionals can classify Business Asset Groups according to specific regulations to continuously monitor the risks facing regulated assets. Customers can choose from predefined Regulation templates, such as SOX, HIPAA, FISMA, FIPS 199/200 and NIST. Compliance officers or risk managers can also specify Regulation templates for their own industry. Using these classifications, Skybox Risk Control can analyze compliance risks and automatically generate executive and auditor reports.
Risk exposure management workflow
Before you can use Skybox View to manage risk exposure, you must build a model (see Building the model).
Managing risk exposure consists of the following steps:
1 Simulate attacks by running a task of type Analysis – Exposure, such as the Analyze - Simulate Attacks task (see Simulating attacks (on page 86)). This task simulates all scenarios for attacking your organization’s network from the specified Threat Origins and uses this information to compute risk levels and possible attacks. The derived data is stored in the database.
2 Review the results of the simulation by looking at the Exposure Summary page.
3 Use the summary information and the Attack Explorer to identify the cause or causes of the most critical risk to your organization (see Identifying the critical issues (on page 87)).
4 Reduce your risk by mitigating critical vulnerability occurrences and faulty access (see Reducing your risk (on page 93)).
5 Generate reports as necessary (see Reports (on page 118)). For example, you can generate reports to:
• Show the current risk on all or specific parts of your organization
• List the vulnerability occurrences on a specific scope, with or without detailed information and suggested solutions
• List tickets issued for mitigation or a specific set of tickets, such as those that are open but have passed their due date
Perform this process after the model is built and whenever significant updates are made to the model.
Note: Risk Exposure Analysis is performed in the Exposure workspace and the Exposure tree.
Chapter 10
In this section, it is assumed that your organizational model already includes the following:
• Assets and vulnerability occurrences
• An organizational hierarchy (Business Units and Business Asset Groups)
This section focuses on the additional information needed for Exposure.
In this chapter
Building the network topology ... 51
Building the network topology
The network topology consists of networks and the gateways that connect them.
To build the network topology
1 Create and run tasks for collecting and importing data from the network devices that you defined in Preparing a list of network devices (on page 203).
For information about importing device data, see Import tasks, in the Skybox View Reference Guide.
For information about device-specific collection tasks, see the section relating to the task in the Tasks part of the Skybox View Reference Guide.
Workflow for importing a single device (on page 51) contains a detailed workflow for importing (and validating) a single device.
2 After you run each task, check that it succeeded:
a) In the Operational Console, open Tasks > All Tasks.
b) In the Table pane, locate the task and check that the value of the task’s Exit Code is Success.
If a task did not succeed, check the Messages tab of the Details pane for information about what went wrong.
3 Create clouds (see page 53) to represent networks that are connected to the model but are not themselves modeled, such as the internet, partners, or parts of your organization’s network that should not be modeled.
4 Create locations (see page 58) to group the networks in your organization and simplify how you see the model in Skybox View.
Note: This step is optional but recommended—especially for large networks.
Workflow for importing a Cisco IOS router
The following is the workflow for importing one Cisco router using an Import – Directory task. The same basic workflow is used to import other network devices, although the data files (and the commands that produce them) and data format differ from device to device.
Building the model
1 Connect to the device.
2 Create the following files:
• run.txt: Output of either of the following Cisco commands: show running-config or show config
• route.txt: Routing table information; output of the Cisco command: show ip route vrf *
3 Download the files to your computer.
4 (If they are not already running) Start the Skybox View Server and Manager.
5 Create a task to import the router configuration:
a) Click .
b) In the Operational Console tree, select the Tasks node.
c) Click .
d) Type a Name for the task, such as Import Cisco router.
e) In the Task Type drop-down list, select Import – Directory.
f) In the Set 1 section, in the Directory field, type the full path to the directory where you saved the files in step 3.
6 Click Launch.
7 Verify that the task finished successfully:
a) Select the task in the Table pane of the All Tasks node.
b) Check that the value of the Exit Code is Success.
If the task did not succeed, look in the Messages tab of the Details pane for information about what went wrong. This tab displays a log of the task; you can view the errors there to understand the problem. For example, a necessary file was deleted for some reason or moved to a different location.
8 Close the Operational Console.
9 Validate that the import is correct and complete:
a) In the Model tree select All Network Devices > Routers.
b) Do one of the following to confirm that the import succeeded:
• For a new device (one imported for the first time), check whether the imported device is now part of the list in the Table pane.
• For an existing device, check that the modification time of the device is the time of the current import, rather than that of a previous import.
c) Check that the network interfaces were imported correctly.
Right-click the device and select Firewall Map. You can see all imported network interfaces and the networks to which they are attached.
Close the firewall map when you have finished.
d) Right-click the device and select Routing Rules. Check that the routing rules were imported (that is, Skybox View contains a list of routing rules for this device.)
e) Use a sample routing rule to confirm that it was imported correctly: take one routing rule that exists on the device and try to find its logical match in the routing rules in Skybox View.
Note: A correctly imported set of routing rules (or access rules) logically matches the set of rules on the device. However, some individual rules may not be modeled in exactly the same way as they are in the device.
f) If the device has access rules, right-click the device and select Access Rules. Confirm that the access rules were imported.
g) Take one access rule that exists on the device and try to find its logical match in the access rules in Skybox View.
h) Click . The device is highlighted in the Network Map. Make sure that the imported device is visible and that it is correctly connected.
Clouds
Clouds are special network objects that represent networks that are connected to the model but are not modeled completely, such as the internet, partners, or parts of your organization’s network that are not modeled. A network over which your organization has no control or for which it is unable to obtain device configurations and scan data, should be modeled as a cloud.
Clouds are used to model missing areas so that you can analyze access between the surrounding areas or to and from the missing areas.
There are two types of clouds:
• Perimeter Clouds: Perimeter Clouds (commonly referred to as clouds) represent networks or areas in your network at the perimeter of the network, such as partner networks and the internet.
• Connecting Clouds: Connecting Clouds represent missing areas in the middle of your organization’s network. These may be parts of your network for which you are unable to obtain data, or Multiprotocol Label Switching (MPLS) networks between various parts of your organization’s network.
Perimeter Clouds are usually user-defined, but may be created automatically using tasks of type Model – Completion and Validation (Convert Perimeter Networks to Clouds option). For information about these tasks, see Model completion and validation tasks, in the Skybox View Reference Guide.
Connecting Clouds are always user-defined.
For cloud parameters, see Clouds, in the Skybox View Reference Guide.
Creating and editing Perimeter Clouds
You can create Perimeter Clouds manually or automatically.
Creating Perimeter Clouds automatically
To create Perimeter Clouds automatically, use a Model – Completion and Validation task and select the Convert Perimeter Networks to Clouds option before running the task. For additional information, see Model completion and validation tasks, in the Skybox View Reference Guide. You can also create Perimeter Clouds manually.
Creating Perimeter Clouds manually
The easiest way to create a Perimeter Cloud is to define an existing network as a Perimeter Cloud.
However, this is not sufficient when the Perimeter Cloud represents an area outside the boundaries of your organization’s network (such as the internet or a partner organization).
When you create a Perimeter Cloud that is not based on an existing network, include and exclude IP addresses as appropriate for the network that you are configuring. The following are some examples of IP addresses to include or exclude:
• If you are configuring an internet cloud, exclude the IANA reserved addresses (click Private in the Network Properties dialog box).
• If you are configuring a public network, you must exclude public IP addresses used by your organization. Failure to do so might produce erroneous results in access analysis queries due to spoofed access.
If you know the specific IP addresses for the Perimeter Cloud, configure them in the Cloud Addresses tab.
To define a network as a Perimeter Cloud
1 In the Model tree, expand the Locations & Networks node and locate the network that you wish to define as a cloud.
2 Right-click the network and select Define Network as Cloud from the shortcut menu.
Note: If the cloud is connected to multiple networks, set the IP Address and Mask fields to 0.0.0.0 / 0.0.0.0.
To create a Perimeter Cloud
1 In the Model tree, expand the Locations & Networks node and locate the parent node for the cloud.
If the cloud belongs at the top level, the parent node is the Locations & Networks node.
2 Right-click the parent node and select New > Perimeter Cloud.
3 In the New Perimeter Cloud dialog box:
a) Type a Name for the cloud.
b) Set the IP Address and Mask fields to 0.0.0.0 / 0.0.0.0.
This enables the cloud to be connected to network interfaces of multiple devices. (A cloud’s IP address has no influence on access analysis; the Cloud Addresses tab is used to define the scope of the cloud.)
c) Define the scope of the cloud using the two panes in the Cloud Addresses tab:
• Include: A list of IP address ranges to include in the scope of the cloud.
• Exclude: A list of IP addresses to be excluded from the scope of the cloud defined in the Include pane.
d) In the Routable from Cloud tab, define the IP address ranges that are allowed as destination addresses when access is checked from this cloud. These destination address ranges are used for all queries starting at the cloud in attack simulation and the Access Analyzer.
• Include: A list of IP address ranges to be used as destination addresses from this cloud.
• Exclude: A list of IP address ranges to be excluded from the destination address ranges.
e) Click OK.
For additional information about Perimeter Clouds, see Clouds, in the Skybox View Reference Guide.
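The following is an added example, not code from the Skybox product or this guide. It shows the scope rule used by the Cloud Addresses and Routable from Cloud tabs (an Include list narrowed by an Exclude list) and why the example earlier in this section matters: if an internet cloud does not exclude the organization's own public addresses, a source address from that range is claimed by both the internet cloud and the modeled network, and access analysis cannot tell an internet source from an internal one. The reserved-address list, the organization's public range (a documentation range) and the DMZ network are constructed; the product's own Private list may differ.

```python
"""Added illustration, not Skybox code: the scope of a Perimeter Cloud as
'Include minus Exclude' address ranges, and why an internet cloud must exclude
reserved addresses and the organization's own public ranges. All ranges are
constructed (documentation ranges and RFC 1918 space)."""
import ipaddress

# Constructed subset of IANA reserved / private space; the product's own
# "Private" list in the Network Properties dialog box may differ.
IANA_RESERVED = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
]
ORG_PUBLIC = "203.0.113.0/24"  # constructed: the organization's own public range


class Scope:
    """A named address scope: an Include list narrowed by an Exclude list,
    the same rule the Cloud Addresses and Routable from Cloud tabs use."""

    def __init__(self, name, include, exclude=()):
        self.name = name
        self.include = [ipaddress.ip_network(n) for n in include]
        self.exclude = [ipaddress.ip_network(n) for n in exclude]

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.include) and not any(
            addr in n for n in self.exclude)


def internet_cloud(exclude_org_public):
    """Perimeter Cloud for the internet: IANA reserved space is always
    excluded; the organization's public range only when requested."""
    exclude = list(IANA_RESERVED)
    if exclude_org_public:
        exclude.append(ORG_PUBLIC)
    return Scope("internet", ["0.0.0.0/0"], exclude)


# Constructed modeled network that lives inside the organization's public range
DMZ = Scope("dmz", [ORG_PUBLIC])

# Constructed "Routable from Cloud" scope for the internet cloud: queries that
# start at the cloud may target the DMZ except its first /28 of management hosts
ROUTABLE_FROM_INTERNET = Scope("routable-from-internet", [ORG_PUBLIC],
                               ["203.0.113.0/28"])


def owners_of(ip, scopes):
    """Names of every scope (cloud or modeled network) that claims ip."""
    return [s.name for s in scopes if s.contains(ip)]


def attribution(ip, exclude_org_public):
    """Which scopes a source address is attributed to, with or without the
    organization's public range excluded from the internet cloud."""
    return owners_of(ip, [internet_cloud(exclude_org_public), DMZ])


def destination_allowed_from_internet(ip):
    return ROUTABLE_FROM_INTERNET.contains(ip)


if __name__ == "__main__":
    src = "203.0.113.10"
    print("without exclusion:", attribution(src, False))  # claimed twice
    print("with exclusion:   ", attribution(src, True))   # unique owner
    print("private source:   ", attribution("10.1.2.3", True))
    print("dst 203.0.113.5 allowed:", destination_allowed_from_internet("203.0.113.5"))
    print("dst 203.0.113.50 allowed:", destination_allowed_from_internet("203.0.113.50"))
```

The ambiguous attribution in the first line of output is the "spoofed access" the guide warns about: a query from the internet cloud would appear to originate inside the DMZ as well. Excluding the organization's public range gives each address exactly one owner.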
Attaching Perimeter Clouds to the network
After you create Perimeter Clouds manually, you must attach each one to the routers or firewalls in your organization that border that cloud.
To attach a Perimeter Cloud to a router or firewall
1 Do one of the following:
• In the Network Map, right-click the device and select Network Interfaces.
• In the tree, navigate to a node containing the device, such as All Network Devices > Firewalls; in the Table pane, right-click the device and select Network Interfaces.
Figure 18: Network Interfaces dialog box
2 Select the network interface to be attached to the Perimeter Cloud network and click Modify.
Figure 19: Network Interface Properties dialog box
3 In the Network field, select the desired Perimeter Cloud.
4 Click OK.
Connecting Clouds
You use Connecting Clouds to represent missing networks (or groups of networks) between two entities in the model, such as sensitive areas in your organization which cannot be fully modeled. Once these networks are modeled, the Access Analyzer can analyze access through them.
Where are Connecting Clouds needed?
Connecting Clouds are often needed when you are creating the model and some parts of your organization’s network are not included. Sometimes, you know that certain areas were not imported.
Other times, you can use the Network Map to show all gateways that have missing next hops (that is, next routing hops that are mentioned in the routing table but are not connected to the gateway in the model) and then decide which of them must be connected.
Viewing gateways with missing next hops
To view gateways with missing next hops
1 Make sure that a task of type Model Completion and Validation has run since the last time any imports were done.
Among other things, this task checks all gateways for missing next hops.
2 Open the Network Map. If necessary, open the map that displays the part of the model on which you want to focus.
3 In the Highlight pane, select Has Missing Next Hops.
All gateways with missing next hops are highlighted. When you move your mouse over one of these gateways, you can see a list of its missing next hops.
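The following is an added example, not code from the Skybox product or this guide. It makes the missing next hop check concrete: for each gateway, every next-hop address in its routing rules is tested against the networks attached to its interfaces, and any next hop that lies in none of them is reported, which is what the Has Missing Next Hops highlight shows. It also lists the destination prefixes routed through a missing next hop, the information you need when deciding what a Connecting Cloud must represent. Device names, interfaces, networks and routes are constructed.

```python
"""Added illustration, not Skybox code: finding a gateway's missing next hops,
that is, next-hop addresses in its routing rules that fall in no network
attached to any of its interfaces. All devices, interfaces, networks and
routes below are constructed."""
import ipaddress

GATEWAYS = {
    "core-rtr": {
        "interfaces": {"Gi0/0": "10.1.0.0/24", "Gi0/1": "10.2.0.0/24"},
        # (destination prefix, next hop); None means directly connected
        "routes": [
            ("10.1.0.0/24", None),
            ("10.2.0.0/24", None),
            ("0.0.0.0/0", "10.1.0.254"),
            ("10.3.0.0/16", "10.2.0.254"),
            ("10.9.0.0/16", "172.20.5.1"),    # reached over an unmodeled MPLS side
            ("10.10.0.0/16", "172.20.5.1"),
        ],
    },
    "edge-fw": {
        "interfaces": {"outside": "198.51.100.0/29", "inside": "10.1.0.0/24"},
        "routes": [("0.0.0.0/0", "198.51.100.1"), ("10.0.0.0/8", "10.1.0.1")],
    },
}


def missing_next_hops(gateway):
    """Next-hop addresses that no attached network of the gateway contains."""
    attached = [ipaddress.ip_network(n) for n in gateway["interfaces"].values()]
    missing = set()
    for _prefix, next_hop in gateway["routes"]:
        if next_hop is None:
            continue  # directly connected: nothing to resolve
        addr = ipaddress.ip_address(next_hop)
        if not any(addr in net for net in attached):
            missing.add(next_hop)
    return sorted(missing, key=ipaddress.ip_address)


def gateways_with_missing_next_hops(gateways):
    """The set the 'Has Missing Next Hops' highlight would mark, as a dict
    of gateway name -> its missing next hops."""
    result = {}
    for name, gw in gateways.items():
        missing = missing_next_hops(gw)
        if missing:
            result[name] = missing
    return result


def prefixes_via(gateway, next_hop):
    """Destination prefixes a gateway routes through a given next hop; this
    is what a Connecting Cloud created for that hop has to carry."""
    return [p for p, nh in gateway["routes"] if nh == next_hop]


if __name__ == "__main__":
    for name, hops in gateways_with_missing_next_hops(GATEWAYS).items():
        for hop in hops:
            print(f"{name}: missing next hop {hop}, used for "
                  f"{', '.join(prefixes_via(GATEWAYS[name], hop))}")
```

Run against the constructed model, only core-rtr is flagged: its next hop 172.20.5.1 is on a network that no interface of the router is attached to, and two /16 prefixes depend on it, so a Connecting Cloud between core-rtr and whatever gateway serves those prefixes is the natural fix. edge-fw resolves both of its next hops on attached networks and is not highlighted.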
Creating Connecting Clouds
The easiest way to create a Connecting Cloud is to select two (or more) gateways and networks in the map that should be connected and then create a Connecting Cloud from them. You can also select two gateways, networks, or network interfaces in the Table pane and create the Connecting Cloud from there.
To create a Connecting Cloud
1 Select the gateways or networks in the map that are missing connections between them.
2 Right-click and select Connect via Cloud from the shortcut menu.
3 In the Connect Networks via Cloud wizard, type a Name for the new cloud and click Next.
4 In the top pane, review the list of gateways and networks.
If every item in the list includes a network, click Finish to create the cloud from the specified networks.
Otherwise (if there are gateways with unspecified networks): for each such gateway, select the network interface of the network to be used to connect to the cloud.
The following fields might be helpful in deciding which network interface to use: