Downloaded 104 times
Uploaded bySkybox Security
Network Security Trends for 2016: Taking Security to the Next Level
The document outlines key security trends for 2016, emphasizing the growing challenges faced by CISOs due to increased vulnerabilities from cloud and mobile technology, and the necessity for continuous monitoring and rapid response to threats. It discusses the high costs of cybercrime, the proliferation of security solutions, and the need for adaptive technologies amid complex networks. Recommendations include leveraging security analytics, improving visibility, and prioritizing threat monitoring to address the continuous compromise landscape.
More Related Content
Similar to Network Security Trends for 2016: Taking Security to the Next Level
Network Security Trends for 2016: Taking Security to the Next Level
- 1. 24 November 2015 SCMagazine UK Webcast Security Management 2016 Take Security to the Next Level
- 2. © 2015 SkyboxSecurity Inc. Speakers Michelle Cobb Skybox Security VP of Worldwide Marketing Alastair Williams Skybox Security Technical Director, EMEA
- 3. © 2015 SkyboxSecurity Inc. Agenda 2016 Security Trends and What You Can Do About Them -- Michelle Cobb, Skybox Security Demo: Skybox Overview -- Alastair Williams, Skybox Security
- 4. © 2015 SkyboxSecurity Inc. Gravitational IT Trends Affecting Security Internet of Things By 2020, 25B embedded and intelligent systems IAM Every user is a consumer Infrastructure Cloud, Mobile, BYOD Monitoring, Attack Detection The Era of “Continuous Compromise”
- 5. © 2015 SkyboxSecurity Inc. Making the CISO’s Job More Difficult Less control over devices (BYOD) Less control over infrastructure (Cloud) Less control over users ….Still need to protect information and services!
- 6. © 2015 SkyboxSecurity Inc. Attackers Have the Advantage $400B cost of cyber crime Hardest hit: Public Sector, Information, Financial Services Incident patterns vary – FinSvcs, Information Crimeware, Webapp attacks – Public sector – Crimeware, Errors – Manufacturing Cyberespionage – Retail, Accomodation, Entertainment POS – Education, Healthcare Errors Sources: Costs – Center for Strategic and International Studies; Incidents - 2015 Verizon Data Breach Investigations Report
- 7. © 2015 SkyboxSecurity Inc. Plenty of Security Solutions $75B spent on security solutions in 2015 (Gartner, others) Average enterprise has dozens of security solutions Sources: Gartner VPN Firewall IPS Endpoint Protection Secure Web Gateways Attack Detection Vulnerability Assessment Secure Web Gateway Secure Email Gateway Identity and Access Mgmt Data Loss Prevention SIEM IT-GRC Forensics
- 8. © 2015 SkyboxSecurity Inc. Some Security Technologies Need to Adapt Sources: Gartner VPN Firewall IPS Endpoint Protection Secure Web Gateways Attack Detection Vulnerability Assessment Secure Web Gateway Secure Email Gateway Identity and Access Mgmt Data Loss Prevention SIEM IT-GRC Forensics Check for Weak Spots Gartner points out technologies that need to adapt
- 9. © 2015 SkyboxSecurity Inc. No Change in “Defender Gap” in 10 years 80% of Attackers Compromise Network in Days 25% of Defenders Discover Attacks in Days Sources: Spending-IDC & Gartner; Costs – Center for Strategic and Interational Studies; Chart - 2015 Verizon Data Breach Investigations Report
- 10. © 2015 SkyboxSecurity Inc. Entering the Era of “Continuous Compromise” Continuous Compromise – Custom malware, 1- 2% infection rate, long time to detect & respond 2016 Wish List: Understand and Take Action Security Analytics at the core Visibility and Intelligence Continuous monitoring Fast response Security automation
- 11. © 2015 SkyboxSecurity Inc. In Security, Visibility is Everything It might not be as easy as you think.
- 12. © 2015 SkyboxSecurity Inc. In Security, Visibility is Everything Problem 1: Sheer Size of Network Problem 2: Dozens of network & security vendors Problem 3: Complex rule- sets to analyse Problem 4: Changes, changes, changes
- 13. © 2015 SkyboxSecurity Inc. Building Attack Surface Visibility ASSETS • Servers • Workstations • Networks
- 14. © 2015 SkyboxSecurity Inc. Building Attack Surface Visibility SECURITY CONTROLS • Firewalls • IPS • VPNs ASSETS • Servers • Workstations • Networks
- 15. © 2015 SkyboxSecurity Inc. Building Attack Surface Visibility SECURITY CONTROLS • Firewalls • IPS • VPNs NETWORK TOPOLOGY • Routers • Load Balancers • Switches ASSETS • Servers • Workstations • Networks
- 16. © 2015 SkyboxSecurity Inc. Building Attack Surface Visibility SECURITY CONTROLS • Firewalls • IPS • VPNs NETWORK TOPOLOGY • Routers • Load Balancers • Switches ASSETS • Servers • Workstations • Networks VULNERABILITIES • Location • Criticality
- 17. © 2015 SkyboxSecurity Inc. Building Attack Surface Visibility SECURITY CONTROLS • Firewalls • IPS • VPNs NETWORK TOPOLOGY • Routers • Load Balancers • Switches ASSETS • Servers • Workstations • Networks VULNERABILITIES • Location • Criticality THREATS • Hackers • Insiders • Worms Source: Skybox Security
- 18. © 2015 SkyboxSecurity Inc. Continuous Monitoring is Required Network device rules and configurations Users access policies Vulnerabilities New threats Constant changes
- 19. © 2015 SkyboxSecurity Inc. Continuous Monitoring of Vulnerabilities HALF of CVE’s have a published exploit in less than ONE month after CVE publish date Vulnerabilities continue to be exploited YEARS after the CVE release date Sources: 2015 Verizon Data Breach Investigations Report Act fast Continuous process
- 20. © 2015 SkyboxSecurity Inc. Difficult to Keep up with Vulnerabilities 222 new critical or high severity CVE’s October 2015 2 years ago… 127 new critical or high severity CVE’s in Oct 2013 90-day vulnerability cycle? 686 critical/high in the 90 day period from Aug–Oct 2015 Source:Skybox Vulnerability Center
- 21. © 2015 SkyboxSecurity Inc. Infrequent Active Scans Are Insufficient Time Month 1 Month 2 Month 3 50% Monthly or quarterly scanning100% Active scanner Update vulnerabilities continuously using analytics- based “scanless” detection
- 22. © 2015 SkyboxSecurity Inc. Putting it Together – Fast Response to New Threats Visualize Correlate, Prioritize Exploitable Vulnerabilities CVE-1234 CVE-0123 MS12074 CVE-4567 CVE-5678
- 23. © 2015 SkyboxSecurity Inc. Take Context into Account Visualize Correlate, Prioritize Understand Controls Security Controls Access paths Policy violations Unauthorized changes
- 24. © 2015 SkyboxSecurity Inc. Attack Simulation to Verify Exploitable Risks Visualize Correlate, Prioritize Understand Controls Identify Attack Vectors High-risk vector
- 25. © 2015 SkyboxSecurity Inc. From the CISO point of view - First protection, then management CISO Endpoints Networks Apps Content Users SIEM SOAR EPP IAMDLPApp Sec VPN, FW, IPS Security Protections • Security Traditional Sec Mgmt Events, Alerts, Reporting t Policy Compliance SIEM VA NSM
- 26. © 2015 SkyboxSecurity Inc. Update Security Architecture 2016 Incorporate Security Analytics CISO Endpoints Networks Apps Content Users SIEM EPP IAMDLPApp Sec VPN, FW, IPS Traditional Security Management Security Protections Intelligence, Analytics Visibility, Actions Events, Alerts, Reporting Next-Gen Security ManagementSecurity Analytics
- 27. © 2015 SkyboxSecurity Inc. 27 Demonstration www.skyboxsecurity.com
- 28. © 2015 SkyboxSecurity Inc. 28 Questions? www.skyboxsecurity.com
- 29. © 2015 SkyboxSecurity Inc. References 1. Best Practices for Reducing Your Attack Surface 2. 2015 Skybox Enterprise Vulnerability Management Trends Report 3. Best Practices for Vulnerability Management 4. 2015 Research Sources: – Skybox Security Vulnerability Research – 2015 Verizon Data Breach Investigations Report – Ponemon Cost of Cyber Crime – Center for Strategic and International Studies – Gartner: 2015 The Impact of Data Center Transformation on Security
Editor's Notes
- #5 Infrastructure changes continue, disrupting the architecture, providers of network security and services Cloud security expands, though not as fast Mobile device protection expands, slowly Security brokerage services to protect new infrastructure that’s hard to protect Identity and access management Instead of rights being granted based on company access to resources, they are based on the user Which means that designing security around the user and user attributes will rise in importance IoT We don’t even know what this change will mean, except that we will probably be woefully unprepared for the impact Monitoring, defense, and attack detection The need for advanced visibility and intelligence increase as security teams shift from proactive security to detect and respond. Security analytics rise in importance
- #6 Continuous compromise. There will continue to be an increase in advanced targeted attacks that bypass traditional protection mechanisms and persist undetected for extended periods of time. As a result, in all scenarios, systems and individuals must be considered compromised. ■ Financially motivated attacks. In most cases, these advanced targeted attacks against enterprises and individuals are attempting to steal sensitive information — customer information, credit card data, trade secrets, formulas, processes, plans, pricing and similar intellectual property. In some cases, financial damage through critical system or business process outages is the goal. ■ IT will lose control. IT increasingly will not directly own the user's device or the services they consume, limiting its ability to place invasive controls. Consumerization and bring-your-owndesktop programs combined with the increase in the use of cloud-based services create a Gartner, computing environment where IT loses control of the consumption device and the services being consumed. Combined, these megatrends will create several shifts in information security organizations, processes and strategies that we discuss in this research: ■ A shift up the stack to the protection of information rather than systems ■ A shift from control-centric to people-centric security ■ A shift in processes and spending toward continuous and pervasive monitoring ■ A shift toward the use of collective intelligence and reputation services
- #7 Everyone else (minus Agriculture, Construction, Mining, Real Estate) Other notes from the source reports: A study that estimated the global cost of cybercrime at $400 billion also revealed information security market trend data from research firm IDC showing a burgeoning market for products associated with identifying threats, data protection and incident response activities. The report, issued this week by the Center For Strategic International Studies, a Washington, D.C., think tank, estimates the global cost of cybercrime at $400 billion and projects the figure to climb substantially until public- and private-sector organizations implement stronger measures to address intellectual property theft. The study, commissioned by Intel Security (formerly McAfee), also highlighted data from Framingham, Mass.-based research giant IDC, projecting a steep rise in spending on digital forensics tools, next-generation firewalls, and identity and access management software. The increased spending on security products may be having a negative impact on the global economy, the report found.
- #8 Source: Gartner
- #9 Source: Gartner Source: Ahlm, 2015 The Impact of Data Center Transformation on Security Firewalls – top of list as need for access control continues IPS – or other network based threat detection SIEM – must be able to factor in dynamic attributes Inventory discovery and Vuln mgmt. – needs to know where and state of security for assets GRC – compliance reporting must speak dynamic
- #10 Script: In 2014, a group called the Center for Strategic and International studies in Washington DC released a report estimating the annual cost of cyber crime at 260B GBP ($400B USD). According to IDC, Gartner and other analyst firms –the worldwide spending on information security solutions in 2014 was 45B GBP ($70B USD). Both of these numbers have been climbing at extraordinary rates, toward 15% per year growth over the most recent time period. In fact, this unchecked growth in spending on security products, and the continued cyber crime costs may now be having an impact on the global economy. Given all of this security spending and attention to the cyber problem, you would expect that defenders would have made substantial inroads into reducing the number of attacks, but this hasn’t shown to be true. Instead, in this graph you see the most recent Verizon Data Breach report, indicating that the gap the time to compromise and the time to discover an attack is largely unchanged over 10 years! So attackers are still able to compromise networks in minutes or days, while defenders require weeks or months to discover, an attack, and even more time to analyze the incident, contain, and devise an effective plan of response. Other notes from the source reports: A study that estimated the global cost of cybercrime at $400 billion also revealed information security market trend data from research firm IDC showing a burgeoning market for products associated with identifying threats, data protection and incident response activities. The report, issued this week by the Center For Strategic International Studies, a Washington, D.C., think tank, estimates the global cost of cybercrime at $400 billion and projects the figure to climb substantially until public- and private-sector organizations implement stronger measures to address intellectual property theft. The study, commissioned by Intel Security (formerly McAfee), also highlighted data from Framingham, Mass.-based research giant IDC, projecting a steep rise in spending on digital forensics tools, next-generation firewalls, and identity and access management software. The increased spending on security products may be having a negative impact on the global economy, the report found.
- #13 First, you need to make sure all of your devices are configured – according to security best practices, according to vendor recommended configurations. Problem 2: And you have lots of vendors. Devices that speak different languages, or require the Cisco expert, or the Juniper expert to be on hand to deciper what’s what. Even if the device configurations are maintained to meet Control 10, the sheer size or complexity, or both, of most enterprise networks makes analysis of device configurations, rules, and changes a complex nightmare. And you need to keep up with changes – changes that may impact compliance with policy, or interfere with intended protection. Are IPS signatures up to date? What’s the impact of a new vulnerability? Logical checks on a device by device basis aren’t enough, because it’s a complex system we are talking about. A necessary firewall rule can be shadowed by other rules, an improperly configured device can render your segmentation strategy ineffective.
- #14 Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- #15 Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- #16 Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- #17 Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- #18 Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- #20 The charts on the main page of the Vulnerability Center show the Skybox Vulnerability Index. This Index is a measurement that gives an indication of both the scale and severity of vulnerabilities affecting an enterprise organization at a point in time. The Skybox Vulnerability Index has no upper bound, and there is no maximum number of vulnerabilities. The Vulnerability Index is calculated daily from a summation of factors assigned to every vulnerability reported in the Skybox Vulnerability Database in a preceding time window. The default time window is 90 days, relevant for an organization with a 90-day vulnerability management cycle from assessment to remediation. The Index can be customized to a 30-day or 180-day rolling time window, allowing organizations to see the impact of faster or slower resolution cycles on overall risk. Vulnerability severity is used as a weighting factor, so 10 new critical vulnerabilities would influence the Vulnerability Index more than 10 new low or medium severity vulnerabilities. All vulnerabilities added to the Index are assigned a severity index between 0 and 1, with 1 indicating critical vulnerabilities.
- #21 The charts on the main page of the Vulnerability Center show the Skybox Vulnerability Index. This Index is a measurement that gives an indication of both the scale and severity of vulnerabilities affecting an enterprise organization at a point in time. The Skybox Vulnerability Index has no upper bound, and there is no maximum number of vulnerabilities. The Vulnerability Index is calculated daily from a summation of factors assigned to every vulnerability reported in the Skybox Vulnerability Database in a preceding time window. The default time window is 90 days, relevant for an organization with a 90-day vulnerability management cycle from assessment to remediation. The Index can be customized to a 30-day or 180-day rolling time window, allowing organizations to see the impact of faster or slower resolution cycles on overall risk. Vulnerability severity is used as a weighting factor, so 10 new critical vulnerabilities would influence the Vulnerability Index more than 10 new low or medium severity vulnerabilities. All vulnerabilities added to the Index are assigned a severity index between 0 and 1, with 1 indicating critical vulnerabilities.
- #23 Script: (click through first 5 builds – last one is Threat Actors) Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack? Different version script: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry. Old script for attack simulation: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
- #24 Script: (click through first 5 builds – last one is Threat Actors) Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack? Different version script: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
- #25 Script: (click through first 5 builds – last one is Threat Actors) Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack? Different version script: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.