
TCVM: A New Approach to Targeting Risk with Context-Aware Vulnerability Management

David Anteliz | Senior Sales Engineer | Central

[email protected]


Who We Are

Silicon Valley HQ

Offices around the globe

Fastest–growing company in our space

$270M funding since February 2016

Attack Surface Management

Visibility & Analytics to maintain resilience

700+ active customers

50 countries, all verticals


Current Industry Challenges


Most Breaches are Preventable

No visibility of the environment

Lack of actionable intelligence

Disjointed security tools and data

Lack of cross-functional expertise


Organizations don’t understand their attack surface

97% of breaches are avoidable through standard controls*

*Source: Verizon Data Breach Investigations Report

#1 Overwhelming Number of Vulnerabilities

www.vulnerabilitycenter.com

• 700 – 1,100 new vulnerabilities every month

• Historically systems have been poorly patched

• Scanners generate a large volume of findings

• People end up focusing on the “criticals”

#2 It’s not just about the criticals

Most exploited vulnerabilities were not ranked “critical”

– IBM X-Force, analysis by Gartner, September 2016

[Chart: Number of Vulnerabilities (0 to 700) per year, 2006 to 2015, broken down by severity: Low, Medium, High, Critical]


#3 Not just a Zero Day problem

85% of exploited vulnerabilities were more than 2 years old

– Verizon Data Breach Investigations Report

[Chart: count of exploited vulnerabilities (0 to 120) by year of publication, 2015 back to 1999]


Traditional Approach Causes Pain – Broken Process

Discovery

• Infrequency of scans

• Disruptive scans

• Unable to scan all assets

• Multiple environments

• Lack of authenticated scanning

Risk Analysis

• Too much data

• No context of existing controls

• Hard to correlate data from multiple sources

• Threat landscape is dynamic

• Hard to prioritize by business impact

• Exploitability is not considered

• Likelihood of exploitation is not considered

• Lack of prioritization by SLA/risk

Remediation

• Hard to convert vulnerability info to patch needs

• Difficult to find alternative remediation options

• Unnecessary patching

• Critical risks open for too long

• Poor SLA management

• Poor communication

• Poor tracking of remediation


Understanding the IT/OT Asset Relationships

Level 5: Corporate Network

Level 4: Business Apps

Level 3.5: Data DMZ

Level 3: Control System LAN

Levels 0-2: Basic Control, Supervisory, Process

[Diagram: IT assets reside on the IT network (Levels 4 and 5), OT assets on the OT network (Levels 0 to 3), with the Level 3.5 Data DMZ between them]

Skybox: Ingredients for Effective Vulnerability Prioritization

Vulnerability-Centric + Context-Centric + Threat-Centric

Vulnerability-Centric

Criticality of the vulnerability (CVSS score, exploitation impact, public exploit available)

Context-Centric

Business criticality, value and exposure of the asset (internet-facing, third-party access, contains sensitive data, provides business-critical functions)

Threat-Centric

Actively being targeted by malware, ransomware, exploit kits and threat actors in the wild
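The three ingredients above combine into a single ranking; the following Python is an added example written for this page, not Skybox's own scoring algorithm or code. The factor names follow the slide, but the weights, the multiplicative formula, the hypothetical assets (`lab-host-01`, `web-frontend`, `erp-db`) and the placeholder identifiers `VULN-A` to `VULN-C` are all constructed for the illustration. It shows the point of slide #2: a "medium" CVSS finding on an exposed, actively targeted asset outranks a "critical" on an isolated, untargeted one.

```python
"""Context-aware vulnerability prioritization, as an added illustration.

The three factors follow the slide (vulnerability-, context- and
threat-centric); the weights, the scoring formula and the sample findings
are constructed for this example and are NOT Skybox's own algorithm.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool = False      # exposure
    third_party_access: bool = False   # exposure
    sensitive_data: bool = False       # value
    business_critical: bool = False    # value


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder identifier, not a real CVE
    asset: Asset
    cvss: float           # CVSS base score, 0.0 to 10.0
    public_exploit: bool = False
    actively_exploited: bool = False   # seen in malware / exploit kits in the wild


def cvss_severity(score: float) -> str:
    """Plain CVSS v3 qualitative rating: what a scanner-only process sorts by."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def vulnerability_factor(f: Finding) -> float:
    """Vulnerability-centric: CVSS scaled to 0..1, bumped when a public exploit exists."""
    return min(1.0, f.cvss / 10.0 + (0.15 if f.public_exploit else 0.0))


def context_factor(a: Asset) -> float:
    """Context-centric: exposure and value of the asset (assumed weights)."""
    score = 0.2  # floor: every asset has some exposure
    score += 0.35 if a.internet_facing else 0.0
    score += 0.15 if a.third_party_access else 0.0
    score += 0.15 if a.sensitive_data else 0.0
    score += 0.15 if a.business_critical else 0.0
    return min(1.0, score)


def threat_factor(f: Finding) -> float:
    """Threat-centric: active exploitation in the wild dominates; otherwise a low baseline."""
    return 1.0 if f.actively_exploited else 0.3


def risk_score(f: Finding) -> float:
    """Multiplicative combination on a 0..100 scale: a weak factor in any
    dimension pulls the score down, so a CVSS 9.8 on an isolated, untargeted
    host does not automatically outrank everything else."""
    return round(100.0 * vulnerability_factor(f) * context_factor(f.asset) * threat_factor(f), 1)


def prioritize(findings):
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample data (hypothetical assets and placeholder vulnerability IDs).
LAB_HOST = Asset("lab-host-01")
WEB_FRONTEND = Asset("web-frontend", internet_facing=True, sensitive_data=True)
ERP_DB = Asset("erp-db", third_party_access=True, business_critical=True)

SAMPLE_FINDINGS = [
    # "critical" by CVSS, but isolated and not under active attack
    Finding("VULN-A", LAB_HOST, cvss=9.8),
    # "medium" by CVSS, but internet-facing, holds sensitive data, exploited in the wild
    Finding("VULN-B", WEB_FRONTEND, cvss=6.5, public_exploit=True, actively_exploited=True),
    # "high" by CVSS, valuable asset with third-party access, no active campaign
    Finding("VULN-C", ERP_DB, cvss=7.5, public_exploit=True),
]


def ranked_ids(findings=SAMPLE_FINDINGS):
    """Identifiers in priority order (highest contextual risk first)."""
    return [f.vuln_id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.vuln_id}  cvss={f.cvss:<4} ({cvss_severity(f.cvss):8}) "
              f"asset={f.asset.name:<13} risk={risk_score(f)}")
```

Sorting by CVSS alone gives VULN-A, VULN-C, VULN-B; the contextual score reverses that order (VULN-B at 56.0, VULN-C at 13.5, VULN-A at 5.9). In a real deployment the asset flags come from the network model and CMDB and the threat flag from intelligence feeds, and the weights should be tuned and reviewed rather than hard-coded as here.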


How is Skybox helping?

Skybox Security Suite integrates with:

• Asset Management

• SIEM / IT-GRC (trailing edge)

• DeepSight / iDefense threat intelligence (leading edge)

• Vulnerability Scanners

• Firewalls

• IPS

• Ticketing Systems (Remedy / ServiceNow)

Improve the customer’s existing resources


Complete IT & OT Network Model

Improve the customer’s existing resources: integrates with 120+ technologies

• Cloud / Virtual

• Endpoint Security

• Vulnerability Management, SIEM

• Firewall / Network Security & Infrastructure


Skybox Vulnerability Database & Attack Vector Intelligence

Skybox Research Lab aggregates 20+ vulnerability and threat feeds

• More than 50,000 vulnerabilities on 1,800 products

• Including products, vulnerabilities, IPS signatures, patches, malware patterns

• CVE compliant, CVSS v3 standard

• Proprietary intelligence added by analysts:

− Exploitation pre-conditions

− Likelihood of attack

− Conflict resolution between sources

− Vulnerabilities with no CVE

− Remediation solutions

− Cross-references

• Updated daily

ADVISORIES: Adobe, Cisco PSIRT, Microsoft Security Bulletin, Oracle, Red Hat

SCANNERS: eEye Retina, IBM Scanner, McAfee Foundstone, Qualys Guard, Rapid7 Nexpose, Tenable Nessus, Tripwire IP360

IPS: Fortinet FortiGate, HP TippingPoint, IBM Proventia, McAfee IPS, Palo Alto Networks, Cisco Sourcefire

OTHER: CERT, IBM X-Force, MITRE CVE, NIST NVD, OSVDB, Rapid7 Metasploit, Secunia, Symantec DeepSight, Symantec Worms

How this works at a high level

[Slides 18 to 24: product screenshots; no recoverable text]

Skybox – Security Middleware platform

Sources and consumers connected to the platform:

• Asset Management

• DeepSight / iDefense threat intelligence (leading edge)

• Vulnerability Scanners

• Firewalls

• IPS

• Ticketing Systems (Remedy / ServiceNow)

• SIEM / IT-GRC (trailing edge)


Thank you


Questions?