Risk Modeling and Attack Simulation

case study
Skybox® Actionable Intelligence with Risk Modeling
and Attack Simulation
National Federal Credit Union
Customer Profile
A large national federal credit union implemented Skybox solutions
for risk modeling and attack simulation to identify risk, plan safe
countermeasures, and optimize patching. The credit union has
more than 400 employees worldwide and generates annual revenues in excess of $500M, with more than $20B in financial assets.
Business Problem and Scope
It’s nearly impossible to comprehend the complexity of today’s
business technology systems. Even a distributed organization of
modest size will command thousands of application and network
interdependencies. And the continuous flow of application and
network changes—as well as software vulnerabilities—all converge to create enormous risk that must be mitigated daily.
Consider this: Based on data from the National Vulnerability Database (NVD), an alarming 4,347 new security vulnerabilities were
reported in 2012—that’s nearly 12 new vulnerabilities discovered
every day—that place applications and networked resources at
risk of attack. What’s more, 35% were rated as having a high
severity level, with 55% rated “medium” severity.
That’s why security managers struggle to continuously identify, assess, and remedy each exposure that impacts their systems before
critical applications and information are compromised. But the
complexity of their architecture—and the lack of insight into the true
business value of their digital assets—forces them to base their
remediation plans on vague software vendor prescribed risk severity such as low, medium, and high. As a result, administrators waste
countless hours rushing to brute-force patch every so-called highly
critical flaw based on these blurred perceptions of risk.
Security managers need the ability to correlate vulnerabilities
and threats posed against their infrastructure, their vital intellectual property, and customer information, with the actual business impact a cyber-breach would inflict on their enterprise. Only
through such a solid understanding of the actual value of business systems, and the real-world likelihood of a successful attack,
can enterprises move from a security posture of reactive firefighting
to a proactive approach that effectively reduces risk, maximizes
investment in existing security applications, and
ensures continuous compliance.
That’s exactly where the Chief Information Security
Officer (CISO) is leading this national credit union.
Recent security breaches and soaring cases of identity
theft have heightened concerns over the information
security due diligence of financial services firms to an
all-time high.
Large national federal credit union
Industry
Financial Services
IT Environment
• Global organization with a complex architecture
Challenges
• No network visibility
• Unable to prioritize vulnerabilities into meaningful action
• Comply with government and financial industry regulations
Skybox Solution
• Network Assurance
• Risk Control
Results
• Significantly reduced vulnerability exposure window
• Automated the vulnerability management process to prioritize risks based on security infrastructure and focus on real business risks
• Complete network visibility and access path / connectivity analysis
• Secured the change management process using modeling and simulation on virtual network
• Ensured continuous compliance
• Implementing a Security Risk Management (SRM) program as recommended by most analysts, compliance regulations and industry associations
Skybox uses predictive analytics and attack simulation to prioritize and eliminate security risks.
Understanding Real Business Risk
The credit union is in the midst of transforming its information security practice from inexact vulnerability management to a precise business risk management approach.
They started by moving from manual and sporadic
scans to automated vulnerability scans.
While that action reduced the window of vulnerability
caused by software flaws to the credit union’s systems,
the CISO and his team still had no clear way to see
what their vulnerability reports meant when it came to
actual business risk. “You get scan reports that tell you that
you have 5,000 highly critical vulnerabilities. But what
does that actually mean?” says the CISO.
In the past, the IT team would download, test, and
deploy patches throughout their infrastructure. “We still
had to manually correlate whether we should patch
all of our vulnerable systems and accept the business
impact that meant to the organization,” he says.
The credit union turned to Skybox Security to better
understand the risks and vulnerabilities to its business
technology infrastructure. Skybox Network Assurance
collects network infrastructure, access and security
device configurations; evaluates access paths; maps
dependencies among devices; and incorporates the
risk exposure of critical assets. Network Assurance
then uses this data to model the network environment,
which can be used to run access simulations and
analyze connectivity paths and policy compliance in
context with risk exposures.
Skybox Risk Control collects network infrastructure
and security configurations; evaluates vulnerability
scan results; and leverages the mapping and data
from Network Assurance. Using patented attack
simulation, Risk Control uses this data to calculate all
possible access paths, and highlight vulnerabilities
that can be exploited by internal and external attackers
and malicious worms.
By modeling the credit union’s network environment
with Skybox Network Assurance, and simulating multistep attacks with Skybox Risk Control, the security
team is able to focus on the real-world threats that
could bypass the company’s heavily-layered security
defenses. Skybox provides contextual validation of the
critical risks, and enables the security team to see what
vulnerabilities and potential security exposures need
to be closed with a visual representation of all possible
attack vectors, the probability of successful exploitation,
and the severity of impending business impact.
With Skybox, the security team receives a precise and
prioritized battle plan, and management gains unprecedented visibility into the organization’s risk and governance profile. The result is a more secure network
by transforming security from a defensive practice to a
true business enabler.
Reducing the Window of Vulnerability
Exposure
Since implementing Skybox, the credit union is in
a better position to mitigate daily threats quickly.
Through the simulated model, the CISO is able to
visualize all of the potential vectors of attack against
his systems that any new vulnerability or attack may
create. So, while the reports from his vulnerability
scanner indicate that there are 400 servers affected by
a vulnerability, the sophisticated risk analytics provided
by Skybox indicate that only three servers are actually at risk of a potential attack. The rest of the vulnerabilities are safely mitigated through the company’s
existing layered security defenses, whether they are
firewall rules, network segmentation, or other mitigating factors. “The model shows us what systems need
immediate attention and enables us to focus resources
to fix our most business-critical and at-risk systems immediately,” he says, while the remaining patchwork to
be done can be conducted at will.
Vulnerability latency KPI.
“Actionable intelligence is really critical in situations
like this. You want to be able to make the most
critical decisions in the least amount of time with the
least amount of business impact. That’s what Skybox
helps us do—mitigate risks faster and reduce our vulnerability exposure window. Instead of looking at four
hundred servers, I can concentrate on three. It’s about
being able to focus our efforts on the right things, for the
right reasons, in the shortest amount of time.”
Avoiding Risks of Network Changes
The modeling technology also proves exceptionally
valuable to the CISO before the credit union deploys
any new services, applications, or network changes.
Planned changes can be modeled and perfected
within a virtual environment without experimenting on
a live network and risking a disruption in services or a
data breach. “It’s actionable intelligence when I need
it,” the CISO says. The organization can maximize
connectivity while minimizing risk exposure, and reduce the IT workload by transforming change management from a labor-intensive, error-prone process to an
automated, reliable, and accurate process.
Ensuring Continuous Compliance
Since deploying Skybox, the company’s most recent
federal regulatory audit was radically different from
those of previous years. “This was the first year where
rather than spending our time tearing through firewall
rules, IDS logs, and incident reports, the examiners
focused on our risk management and assessment
plans and our infrastructure strategy. That is a
dramatic shift from previous years,” says the CISO.
The reports generated by Skybox “make it incredibly
self-explanatory [to regulators] as to why certain assets
are more critical than other assets.” With the ability to
associate the credit union’s security threats and
vulnerabilities to their actual business impact and their
likelihood of a breach, it’s no surprise that the CISO
is positioning Skybox as the cornerstone of the credit
union’s information security management program.
“We’re focused on making Skybox the risk management center of our universe. We’re building dashboards
that show risk across the enterprise to gain a deep insight into our overall risk. It’s all made possible because
Skybox correlates our relevant business information
with our real-world risks. It’s phenomenal technology.”
www.skyboxsecurity.com
Headquarters: Skybox Security, Inc. • 2099 Gateway Place, Suite 450 • San Jose, California 95110 USA
Phone: +1 (866) 441 8060 • Phone: +1 408 441 8060 • Fax: +1 408 441 8068
Copyright © 2013 Skybox Security, Inc. All rights reserved. Skybox is a trademark of Skybox Security, Inc. All other registered or unregistered trademarks are the sole
property of their respective owners. CS_NAFED_EN_03052013