Skybox Risk Control version 7.0.0 13

Chapter 2

You can automate the collection of vulnerability occurrence information from multiple disparate systems and calculate security metrics, which are risk indicators based on vulnerability occurrences.

Security metrics provide threat indicators for your organization as a whole and for specific Business Units, enabling the security team to help management understand which threats pose the greatest risk and what your organization is doing about them.

Figure 1: Security Metrics Summary page

The Security Metrics feature uses vulnerability occurrence data collected on the network to calculate security metrics for each unit in your organization’s hierarchy. The security metrics scores allow you to assess the current security and vulnerability status of your organization, track trends, and identify key contributors to poor performance.

In this chapter

• About security metrics in Skybox View

• Predefined security metrics

• Workflow for security metrics

About security metrics in Skybox View

Skybox View uses security metrics to measure the security status of your organization. Skybox View includes predefined security metrics as well as the ability to create new security metrics and customize the existing ones.

Overview of the Security Metrics feature

Skybox Risk Control User’s Guide

Most security metrics in Skybox View measure the status of vulnerability occurrences in your organization. However, some security metrics, such as MS-VLI, MS-RLI, and Cisco-RLI, measure the status of applying security bulletins from vendor-based catalogs.

The following are the main parameters that define security metrics:

Type

• Vulnerability Level Indicators: These security metrics measure the security status of your organization (or a part thereof) based on the status of its vulnerability occurrences or missing security updates. The more critical vulnerability occurrences or critical security updates in your organization, the higher the score.

Vulnerability Level Indicators measure the average rate of vulnerability occurrences residing on assets in a group of assets, such as a Business Asset Group or a Business Unit. In simple terms, the rate is the average number of vulnerability occurrences per asset.

• Remediation Latency Indicators: These security metrics measure the remediation performance of your organization. The more time it takes to fix the critical vulnerability occurrences or missing security updates, the higher the score.

Remediation Latency Indicators measure the rate of overdue vulnerability occurrences:

▪ The Remediation Latency Indicator score for an asset represents the number of overdue (or relatively old) vulnerability occurrences residing on the asset, where each vulnerability occurrence is weighted. The weighting is calculated from the remediation priority of the vulnerability occurrence and its delay; high-priority vulnerability occurrences with a large delay have the highest weight.

▪ The Remediation Latency Indicator score for a group of assets (Business Asset Group or Business Unit) is the average of the Remediation Latency Indicator scores of the assets in the group.

Use the Remediation Latency Indicator metric to identify entities (vulnerability definitions or groups of assets) whose remediation latency is relatively high and to examine trends of remediation latency.
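The two indicator types described above can be worked through on a small group of assets. This is an added example, not Skybox code: the guide does not give the weighting formula, so the SLA periods, base weights, and the `overdue_weight` function are assumptions chosen only to follow the stated rule that high-priority occurrences with a large delay weigh most.

```python
from dataclasses import dataclass
from datetime import date

# Assumed values, not Skybox's: days allowed per priority (SLA) and a base weight.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
BASE_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0}


@dataclass(frozen=True)
class Occurrence:
    asset: str
    vuln_id: str      # constructed identifier, not a real vulnerability definition
    priority: str     # key of SLA_DAYS
    found: date


def overdue_weight(occ: Occurrence, today: date) -> float:
    """0 inside the SLA; otherwise the base weight grows with each SLA period of delay."""
    delay = (today - occ.found).days - SLA_DAYS[occ.priority]
    if delay <= 0:
        return 0.0
    return BASE_WEIGHT[occ.priority] * (1 + delay / SLA_DAYS[occ.priority])


def asset_scores(assets, occurrences, today):
    """Map each asset to (occurrence count, weighted overdue score)."""
    # Start from the full asset list so clean assets stay in the denominator.
    totals = {name: [0, 0.0] for name in assets}
    for occ in occurrences:
        if occ.asset not in totals:
            raise ValueError(f"occurrence on asset outside the group: {occ.asset}")
        totals[occ.asset][0] += 1
        totals[occ.asset][1] += overdue_weight(occ, today)
    return {name: (count, score) for name, (count, score) in totals.items()}


def group_indicators(assets, occurrences, today):
    """Return (VLI, RLI) for a group: both are per-asset averages."""
    if not assets:
        raise ValueError("a group needs at least one asset")
    per_asset = asset_scores(assets, occurrences, today)
    vli = sum(count for count, _ in per_asset.values()) / len(per_asset)
    rli = sum(score for _, score in per_asset.values()) / len(per_asset)
    return vli, rli


# Constructed sample data for one Business Asset Group.
TODAY = date(2024, 3, 1)
ASSETS = ["web-01", "db-01", "hr-laptop-07"]
OCCURRENCES = [
    Occurrence("web-01", "VULN-A", "critical", date(2024, 2, 9)),   # 14 days past SLA
    Occurrence("web-01", "VULN-B", "medium", date(2024, 2, 20)),    # still inside SLA
    Occurrence("db-01", "VULN-C", "high", date(2024, 1, 1)),        # 30 days past SLA
]

if __name__ == "__main__":
    vli, rli = group_indicators(ASSETS, OCCURRENCES, TODAY)
    print(f"VLI = {vli:.2f} occurrences per asset, RLI = {rli:.2f}")
    worst = max(asset_scores(ASSETS, OCCURRENCES, TODAY).items(), key=lambda kv: kv[1][1])
    print("highest remediation latency:", worst[0])
```

Because both indicators are per-asset averages, adding assets with no collected data to a group lowers its score without any remediation taking place, so check coverage before comparing groups.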

View

• Security View: Security View shows the status of vulnerability occurrences in your organization.

Note: This is the standard view for most security metrics.

• Vendor Solution View: Vendor Solution View shows the status of applying security bulletins from vendor-based catalogs and the prioritization of the bulletins that need to be applied. Whenever possible, results are displayed in terms of security bulletins, each of which is usually correlated to multiple vulnerability definitions. Vulnerability definitions that are not part of a security bulletin are displayed independently.

Vendor Solution View is used by default for security metrics such as MS-VLI, MS-RLI, and Cisco-RLI, which measure the status of applying security bulletins from vendor-based catalogs.

Scope

The scope defines which vulnerability definitions are used in each security metric. This can include all vulnerability definitions, only vulnerability definitions or security bulletins from specific vendor-based catalogs (Microsoft, Cisco, Adobe, and/or Oracle), or a custom-defined set. You can also exclude specific groups of vulnerability definitions or products.

Predefined security metrics

Skybox View includes the following predefined security metrics, some of which are used to track vulnerability occurrence status and some to track remediation progress.

Security

This security metric measures the security status of your organization based on Adobe Security Bulletins.

The more critical missing security bulletins, the higher the score.

This security metric measures your organization’s remediation performance of Cisco Security Advisories.

The more time it takes you to apply the missing security advisories, the higher the score.

This security metric measures the security status of your organization based on Microsoft Security Bulletins.

The more critical missing security bulletins, the higher the score.

This security metric measures your organization’s remediation performance of Microsoft Security Bulletins.

The more time it takes you to apply the missing security bulletins, the higher the score.

This security metric measures the security status of your organization based on Oracle Security Bulletins.

The more time it takes you to apply the missing security bulletins, the higher the score.

Any This security metric measures the remediation performance of your organization.

The more time it takes you to fix the critical vulnerability occurrences, the higher the score.

This security metric measures the security status of your organization based on the alerts (vulnerability occurrences) on antivirus applications.

The more unhandled critical alerts (vulnerability occurrences) you have on antivirus applications, the higher the score.

Mobile – Vul

This security metric measures the security status of your organization based on the alerts (vulnerability occurrences) on one or more of the following mobile devices:

• Apple

• Android

• Blackberry

The more unhandled critical alerts (vulnerability occurrences) you have on mobile devices, the higher the score.

New

This security metric measures the security status of your organization based on the vulnerability definitions that were published in the last 30 days.

The more unhandled new critical vulnerability occurrences you have, the higher the score.

Overall – Vul Level

Vulnerability Level Indicator

Any This security metric measures the security status of your organization based on its vulnerability occurrences.

The more critical vulnerability occurrences you have, the higher the score.

Web

This security metric measures the security status of your organization based on the alerts (vulnerability occurrences) on any of the following web browsers:

• Internet Explorer

• Mozilla Firefox

• Google Chrome

• Apple Safari.

The more unhandled critical alerts (vulnerability occurrences) you have on web browsers, the higher the score.

Workflow for security metrics

The following is the basic workflow for security metrics.

1 Analyze the security metrics (see page 29).

2 After you finish the setup, you can view the security metrics (on page 30) by organization hierarchy.

3 Make any necessary changes, such as changing the names, number of levels, or SLA periods of the security metrics (see Customizing the security metrics (on page 36)), and reanalyze.

4 In Skybox View, decide which vulnerability definitions or security bulletins to fix first and create tickets (on page 41) for them. If your organization handles the remediation process externally, export (on page 122) the relevant data to CSV.

Chapter 3

The Skybox View model (the model) is a schema in the Skybox View database that represents all or part of your organization’s network; it is used for vulnerability occurrence profiling, attack simulation, risk analysis, and planning mitigation.

When you have gathered as much information about your network as possible, you can begin building the model. It is recommended that you start with a relatively small first phase (for additional information, see First phase (on page 205)).

Use the Model workspace and the Model tree to build the model.

Note: Before collecting data from your organization’s network the first time, the model must be empty. If you loaded the demo model for tutorial purposes, you must clear it (File > Models > Reset Model).

In this chapter

• Updating the dictionary

• Obtaining asset and vulnerability occurrence data

• Discovery Center

• Adding organizational hierarchy (Business Units)

Updating the dictionary

The Skybox View Vulnerability Dictionary contains information about vulnerability definitions. When a vulnerability occurrence is found by a scanner (or by any other means), Skybox View uses the Vulnerability Dictionary to normalize the vulnerability occurrence and add all the vulnerability definition’s information—including its description, cross-references from various sources, and external URLs—to the model.

Skybox View includes the most up-to-date dictionary at the time of release, but new updates are issued periodically. If the Vulnerability Dictionary is more than a week old, update it before running vulnerability detection, calculating security metrics, or simulating attacks.

To check the date and version of the Vulnerability Dictionary

Select File > Dictionary > Show Dictionary Info.

Update the dictionary by running the Dictionary Update – Daily task.

Note: This task is scheduled to run daily, but is not actually enabled to do so.

To enable the Dictionary Update – Daily task to run as scheduled

1 Click .

2 In the Operational Console tree, select Tasks > All Tasks.

3 In the Table pane, right-click the Dictionary Update – Daily task and select Properties.

4 In the Properties dialog box, make sure that Enable Auto-launch is selected.

5 Click OK.

Building the model

To verify that the task is running correctly

1 In the Table pane, look at the Dictionary Update – Daily task.

2 If there are timestamps in the Started at and Finished at columns, the task has run successfully and you can skip the other instructions here.

If there are no timestamps in the Started at and Finished at columns, the task has not run, and you must launch it manually ( ).

3 After the task is launched, check its messages. The task may fail if:

▪ The internet connection was not set correctly.

▪ There is no internet connection. In this case, you must download the dictionary and update it manually as specified in the Updating the dictionary topic in the Skybox View Installation and Administration Guide.

Obtaining asset and vulnerability occurrence data

Asset and vulnerability occurrence data is a necessary component of security metrics analysis and Exposure analysis. You can obtain this data from:

• Scanners: Organizations that use scanners on their networks can use Skybox View tasks to either read the scanned data via APIs (online collection) or import the data from files generated by the scanner.

• Other data sources: In many cases, areas in the network are not scanned or not scanned frequently because of deployment issues. In this case, obtain asset data from other sources, such as:

▪ Microsoft Active Directory: Skybox View can import Active Directory data to obtain your organization’s Business Unit and Business Asset Group hierarchy and assets (but not asset products).

▪ Microsoft System Center Configuration Manager (SCCM): Skybox View can import SCCM data to obtain your organization’s assets, products, and patches.

Note: SCCM data for Microsoft technologies includes missing patches that are directly equivalent to vulnerability occurrences in Skybox View (for example: MS12-017).

▪ Other patch management and asset management systems: Skybox View can connect to these data sources (usually via iXML) and obtain information about assets, products, and sometimes missing patches for vulnerability occurrences.

Import data from these other sources as often as necessary; the import is not dependent on the scheduling of specific scans.

Note: Whichever sources are used, it is important to make sure that the Skybox View Vulnerability Dictionary is up-to-date (see Updating the dictionary (on page 17)) before you start.

When asset data is imported from data sources that are not scanners and that do not include missing patches, it does not include any vulnerability occurrence data. Skybox View’s Analysis – Vulnerability Detector tasks analyze the asset data to extract vulnerability occurrences from it.

For additional information, see:

• Retrieving scanner data (see "Retrieving the data" on page 19)

• Tasks, in the Skybox View Reference Guide

• Vulnerability detection (on page 19)

For information about iXML, see the Integration part of the Skybox View Developer’s Toolkit.

Retrieving the data

Scanner data provides information about assets and services, and information about the vulnerability occurrences that exist on scanned assets. You can add this data to the model using tasks. For information about tasks that collect scanner data and add it to the model, see Scanner tasks, in the Skybox View Reference Guide. For a sample workflow, see Workflow for importing a Qualys vulnerabilities scan (on page 20).

Skybox View supports many scanners, such as Qualys QualysGuard and nCircle. A complete list of directly supported scanners is available at http://www.skyboxsecurity.com/support/supported-devices.

If your scanner is not supported, create an integration script that converts the source data to Skybox Integration XML (iXML) and import it to Skybox View. For information about iXML, see the Integration part of the Skybox View Developer’s Toolkit.

Patch data is an important component of the model that provides additional information about IT assets and vulnerability occurrences that is usually quite accurate and helps Skybox View to model your organization’s network more accurately. You can retrieve patch data from asset management systems and patch management systems. You can use this data instead of, or in addition to, information collected from network vulnerabilities scanners. This is necessary when the vulnerabilities scanners do not cover the whole network, are not activated very often, or are not deployed at all. You can import data from asset and patch repositories as often as necessary; the import is not dependent on the scheduling of specific scans.

Patch data is retrieved using collection tasks for supported patch management systems (such as Shavlik NetChk Protect), import tasks for Active Directory and SCCM, or using iXML to import patch information from other data sources (such as BigFix). For additional information about importing data from Active Directory and SCCM, see Vulnerability detection (on page 19). For information about iXML, see the Integration part of the Skybox View Developer’s Toolkit.

Vulnerability detection

Asset data is imported directly from patch management and asset management systems (such as Active Directory and SCCM) to Skybox View using tasks. After the asset data is imported, an additional task (of type Analysis – Vulnerability Detector) must be run to infer the vulnerability occurrences from service banners imported as part of the asset data.

Basic workflow for detecting vulnerability occurrences

1 (Optional) Import information from Active Directory to obtain your organization’s hierarchy. For additional information, see Importing Microsoft Active Directory data, in the Skybox View Reference Guide.

2 View the imported Business Units and Business Asset Groups in the Model workspace: Organization > Business Units & Asset Groups. When you select a Business Asset Group in the tree, you can see its assets in the workspace.

3 Run an Asset Management – SCCM task to obtain asset information. For additional information, see Microsoft SCCM, in the Skybox View Reference Guide.

4 View the imported assets in the Model workspace: Organization > Model Analyses > New Entities > New Assets, or in any other appropriate analysis.

5 View the generated products (services) of all newly imported assets by selecting an asset and then viewing the Services tab in the Details pane.

Note: You can also create operational analyses of type Services in the Model Analyses tree and, for example, set the value of the Discovery Method field to Vulnerability Detector. However, this analysis does not display the services for each asset separately.

Until this point, there are assets with products, but no vulnerability occurrences.

6 Run a task of type Analysis – Vulnerability Detector.

For information about these tasks, see Vulnerability Detector tasks, in the Skybox View Reference Guide.

7 View the generated vulnerability occurrences in any vulnerability occurrences analysis, such as Risk Control > Analytics Center > Analyses > Public Analyses > Vulnerabilities > New Vulnerability Occurrences (in the Risk Control workspace).

The Discovery Method field of a vulnerability occurrence generated by this task is Vulnerability Detector. If necessary, you can display the Created Time field in the Table pane to make sure you are looking at vulnerability occurrences from the correct run of the task.

Unidentified services

There may be cases where an asset has services that Skybox View cannot identify based on their banner. This may occur because the banner format is new to the system or because the product is not yet supported (such as a new minor version of Windows). Sending unidentified banners to Skybox Security, as explained in the next section, can help speed up the identification.

You can see these services in two places:

• Analyses of type Services (such as a New Services analysis).

• Asset analyses, in the Services tab of the Details pane, when the Show Unidentified Services check box is selected.

Look at the Banner field (available as a column in Services analyses and by right-clicking the Service and selecting Properties) to see which product is involved.

To send information about unidentified services to Skybox Security for identification (and inclusion in product updates)

1 Right-click the analysis that includes unidentified services and then select Export to CSV.

2 Create a ticket in Skybox View’s support portal and add the CSV file as an attachment.

Workflow for importing a Qualys vulnerability scan

When imported into Skybox View, vulnerability scans provide information about the assets and services in your organization including their vulnerability occurrences. If the scan includes assets that are not already part of the model, they are added to the model. The following explains how to import a Qualys vulnerability scan.

To import a Qualys vulnerability scan

1 In the Operational Console tree, select the Tasks node.

2 Click .

3 Type a Name for the task, such as Import Qualys Collection.

4 In the Task Type field, select Scanners – Qualys Collection.

Figure 2: Scanners - Qualys Collection task parameters

5 Fill in the Username and Password.

6 Define the Network Scope—the locations and networks in the model to include in the task.

When the collection data is imported, only data from the specified locations and network is merged with the existing model. If the network scope is empty, the entire collection is merged.

7 The Recency field defines how many days back to search for scans. To obtain the most recent scan, fill in this field according to how often scans are run. For example, if scans are run on a daily basis, “1” finds yesterday’s scan. If scans are run on a weekly basis, “7” finds the most recent scan.

For information about additional parameters in the task, see Qualys QualysGuard collection tasks, in the Skybox View Reference Guide.

8 Click Launch.

9 Verify that the task finished successfully:

a) Select the task in the Table pane of the All Tasks node.

b) Check that the value of the Exit Code is Success.

If the task did not succeed, look in the Messages tab of the Details pane for information about what went wrong. This tab displays a log of the task; you can view the errors there to understand the problem. For example, a necessary file was deleted for some reason or moved
