Risk Modeling and Attack Simulation
Case study: Skybox® Actionable Intelligence with Risk Modeling and Attack Simulation
National Federal Credit Union

Customer Profile

A large national federal credit union implemented Skybox solutions for risk modeling and attack simulation to identify risk, plan safe countermeasures, and optimize patching. The credit union has more than 400 employees worldwide and generates annual revenues in excess of $500M, with more than $20B in financial assets.

Business Problem and Scope

It’s nearly impossible to comprehend the complexity of today’s business technology systems. Even a distributed organization of modest size will command thousands of application and network interdependencies. And the continuous flow of application and network changes, as well as software vulnerabilities, all converge to create enormous risk that must be mitigated daily.

Consider this: Based on data from the National Vulnerability Database (NVD), an alarming 4,347 new security vulnerabilities were reported in 2012 (nearly 12 new vulnerabilities discovered every day) that place applications and networked resources at risk of attack. What’s more, 35% were rated as having a high severity level, with 55% rated “medium” severity.

That’s why security managers struggle to continuously identify, assess, and remedy each exposure that impacts their systems before critical applications and information are compromised. But the complexity of their architecture, and the lack of insight into the true business value of their digital assets, forces them to base their remediation plans on vague, vendor-prescribed risk severity ratings such as low, medium, and high. As a result, administrators waste countless hours rushing to brute-force patch every so-called highly critical flaw based on these blurred perceptions of risk.

Security managers need the ability to correlate vulnerabilities and threats posed against their infrastructure, their vital intellectual property, and customer information, with the actual business impact a cyber-breach would inflict on their enterprise. Only through such a solid understanding of the actual value of business systems, and the real-world likelihood of a successful attack, can enterprises move from a security posture of reactive firefighting to a proactive approach that effectively reduces risk, maximizes investment in existing security applications, and ensures continuous compliance.

That’s exactly where the Chief Information Security Officer (CISO) is leading this national credit union. Recent security breaches and soaring cases of identity theft have heightened concerns over the information security due diligence of financial services firms to an all-time high.

Large national federal credit union

Industry
• Financial Services

IT Environment
• Global organization with a complex architecture

Challenges
• No network visibility
• Unable to prioritize vulnerabilities into meaningful action
• Comply with government and financial industry regulations

Skybox Solution
• Network Assurance
• Risk Control

Results
• Significantly reduced vulnerability exposure window
• Automated the vulnerability management process to prioritize risks based on security infrastructure and focus on real business risks
• Complete network visibility and access path / connectivity analysis
• Secured the change management process using modeling and simulation on virtual network
• Ensured continuous compliance
• Implementing a Security Risk Management (SRM) program as recommended by most analysts, compliance regulations and industry associations

Skybox uses predictive analytics and attack simulation to prioritize and eliminate security risks.

Understanding Real Business Risk

The credit union is in the midst of transforming its information security practice from inexact vulnerability management to a precise business risk management approach. They started by moving from manual and sporadic scans to automated vulnerability scans. While that action reduced the window of vulnerability caused by software flaws to the credit union’s systems, the CISO and his team still had no clear way to see what their vulnerability reports meant when it came to actual business risk.

“You get scan reports that tell you that you have 5,000 highly critical vulnerabilities. But what does that actually mean?” says the CISO.

In the past, the IT team would download, test, and deploy patches throughout their infrastructure. “We still had to manually correlate whether we should patch all of our vulnerable systems and accept the business impact that meant to the organization,” he says.

The credit union turned to Skybox Security to better understand the risks and vulnerabilities to its business technology infrastructure.

Skybox Network Assurance collects network infrastructure, access and security device configurations; evaluates access paths; maps dependencies among devices; and incorporates the risk exposure of critical assets. Network Assurance then uses this data to model the network environment, which can be used to run access simulations and analyze connectivity paths and policy compliance in context with risk exposures.

Skybox Risk Control collects network infrastructure and security configurations; evaluates vulnerability scan results; and leverages the mapping and data from Network Assurance. Using patented attack simulation, Risk Control uses this data to calculate all possible access paths and highlight vulnerabilities that can be exploited by internal and external attackers and malicious worms.

By modeling the credit union’s network environment with Skybox Network Assurance, and simulating multistep attacks with Skybox Risk Control, the security team is able to focus on the real-world threats that could bypass the company’s heavily-layered security defenses. Skybox provides contextual validation of the critical risks, and enables the security team to see what vulnerabilities and potential security exposures need to be closed with a visual representation of all possible attack vectors, the probability of successful exploitation, and the severity of impending business impact.

With Skybox, the security team receives a precise and prioritized battle plan, and management gains unprecedented visibility into the organization’s risk and governance profile. The result is a more secure network by transforming security from a defensive practice to a true business enabler.

Reducing the Window of Vulnerability Exposure

Since implementing Skybox, the credit union is in a better position to mitigate daily threats quickly. Through the simulated model, the CISO is able to visualize all of the potential vectors of attack against his systems that any new vulnerability or attack may create. So, while the reports from his vulnerability scanner indicate that there are 400 servers affected by a vulnerability, the sophisticated risk analytics provided by Skybox indicate that only three servers are actually at risk to a potential attack. The rest of the vulnerabilities are safely mitigated through the company’s existing layered security defenses, whether they are firewall rules, network segmentation, or other mitigating factors.

“The model shows us what systems need immediate attention and enables us to focus resources to fix our most business-critical and at-risk systems immediately,” he says, while the remaining patchwork to be done can be conducted at will.

[Figure: Vulnerability latency KPI.]

“Actionable intelligence is really critical in situations like this. You want to be able to make the most critical decisions in the least amount of time with the least amount of business impact. That’s what Skybox helps us do: mitigate risks faster and reduce our vulnerability exposure window. Instead of looking at four hundred servers, I can concentrate on three.

“It’s about being able to focus our efforts on the right things, for the right reasons, in the shortest amount of time.”

Avoiding Risks of Network Changes

The modeling technology also proves exceptionally valuable to the CISO before the credit union deploys any new services, applications, or network changes. Planned changes can be modeled and perfected within a virtual environment without experimenting on a live network and risking a disruption in services or a data breach.

“It’s actionable intelligence when I need it,” the CISO says. The organization can maximize connectivity while minimizing risk exposure, and reduce the IT workload by transforming change management from a labor-intensive, error-prone process to an automated, reliable, and accurate process.

Ensuring Continuous Compliance

Since deploying Skybox, the company’s most recent federal regulatory audit was radically different from those of previous years.

“This was the first year where rather than spending our time tearing through firewall rules, IDS logs, and incident reports, the examiners focused on our risk management and assessment plans and our infrastructure strategy. That is a dramatic shift from previous years,” says the CISO.

The reports generated by Skybox “make it incredibly self-explanatory [to regulators] as to why certain assets are more critical than other assets.”

With the ability to associate the credit union’s security threats and vulnerabilities to their actual business impact and their likelihood of a breach, it’s no surprise that the CISO is positioning Skybox as the cornerstone of the credit union’s information security management program.

“We’re focused on making Skybox the risk management center of our universe. We’re building dashboards that show risk across the enterprise to gain a deep insight into our overall risk. It’s all made possible because Skybox correlates our relevant business information with our real-world risks. It’s phenomenal technology.”

www.skyboxsecurity.com
Headquarters: Skybox Security, Inc. • 2099 Gateway Place, Suite 450 • San Jose, California 95110 USA
Phone: +1 (866) 441 8060 • Phone: +1 408 441 8060 • Fax: +1 408 441 8068
Copyright © 2013 Skybox Security, Inc. All rights reserved. Skybox is a trademark of Skybox Security, Inc. All other registered or unregistered trademarks are the sole property of their respective owners.
CS_NAFED_EN_03052013