We have watched these folks almost from their inception and we always have been impressed. Their mission is a rather grand one: manage the security on the enterprise's entire threat surface. To do this, they break down their tool's functionality into vulnerability and threat management. Within these broad categories there are individual modules that work together to accomplish the various tasks required to protect the attack surface. This is one of the very few products that we have seen that takes this comprehensive approach. It is integrated with nearly 100 third-party security tools and has its own built-in vulnerability intelligence feed.
While Skybox, like many similar products, does not do its own network discovery, the tool can consume topology maps in a number of formats. Once the assets lists are ingested, Skybox performs network validation and reads such things as routing tables. The result is that the product can create a credible network topology knowledge base.
Skybox aggregates more than 20 threat and vulnerability feeds. Additionally, you can identify threat origins unique to your organization. Skybox provides a significant number of standards and policies out of the box. Functionally, the company focuses on security policy management and vulnerability and threat management.
We were impressed by its internal vulnerability detection system. It is completely passive and uses the Skybox vulnerability dictionary. The tool contains two separate ticketing systems - one for change management and one for vulnerability management. The offering also can integrate with third-party ticketing systems, giving a closed-loop remediation capability.
Skybox collectors gather information from switches, firewalls, routers and scanners. These data are fed to the Skybox server where management consoles can see and manipulate the data. The system is agentless and it has APIs for integrating with third-party systems. It deploys as an appliance or a virtual appliance on-premises.
When we looked at Skybox, we dropped into a network topology map that was well-annotated and based largely on data flows. One of the first tasks we saw was the Access Analyzer. This uses path and rule analysis to define and test paths between selected sources and destinations. This is a neat way to perform an attack simulation.
We view the ability to do attack simulation as one of the significant indicators of a next-generation tool. Just because an asset is exhibiting vulnerabilities does not mean that it deserves immediate attention. It may be a low priority asset where a high priority asset needs attention now. This form of triaging is critical to seeing where your risks actually lie.
You can perform firewall assurance using the Skybox configuration analysis, or you can add your own checks using simple regular expressions. Out of the box there are NIST-based and PCI standards available. The tool helps you perform cleanup on rule sets, in many cases eliminating redundant rules. Analysis can be standard live views or a deeper forensic view. The tool lets you perform "what-if" analysis, a function that we view as very important.

Workflows are the heart of any of the types of tools that we looked at this month. Without a good workflow management capability, changes don't get made and problems don't get identified. Skybox has an excellent change management workflow. There are four specific APIs: ticketing, administration, networking and vulnerability. The ability to see the network topology and understand how it is supposed to be working lets Skybox identify a compromised asset and then pivot from it to see likely paths that the intruder could have taken. Finally, the Horizon dashboard - an add-in that is provided at no extra cost - shows indicators of exposure on a cool dashboard that quickly calls attention to any problems that Horizon sees.