It is important to position SRM in the suite of tools you'll need on your enterprise. First, this tool set - and it is a tool set rather than a single tool - is intended for very large geographically distributed enterprises. Typical target systems may have hundreds of firewalls and thousands of servers. Second, it is what I think of as a static system. It is not a security incident and event manager (SIEM) that watches data flows. It is concerned with the management of the configurations of the devices on the enterprises. In that regard it does an absolutely superb job. To paraphrase an old saw, misconfigured devices can neither run nor can they hide from a fully and correctly deployed SRM.
There are a couple of caveats that I need to point out before I get into the nearly overwhelming collection of functions in this product. First, don't even think about this product until you know what's on your network. While SRM will do network discovery for you, nothing beats knowing where your devices are located. For example, if you have a VLANed enterprise, there are possibilities that SRM will miss something simply because it cannot communicate between VLANs. That can be solved by putting the product on a management network that touches all domains -- if such a network exists in your enterprise, of course.
Second, this is not a trivial implementation. To get its full benefits expect to take some time getting it up and running. That means two things: make sure that the owners of the devices (firewalls, routers, switches, etc.) that you will monitor are on board with the project and are prepared to provide access to all managed devices. Next, understand your enterprise and make provisions for discovery by the system. That discovery is most easily done over a universal out-of-band management network, but it also can be done with multiple SRM receivers.
The SRM is comprised of two core systems: Skybox Secure (risk lifecycle management) and Skybox Assure (network security compliance). In turn, these two core systems - available separately - have subsystems for risk exposure analysis, threat alert management and security profile analysis (Skybox Secure), and firewall compliance and network compliance auditing (Skybox Assure). Taken together, these systems and their available subsystems offer a mix and match risk and compliance platform that can address just about any configuration/compliance issue imaginable.
The architecture is a three-tier model consisting of a user interface, a server that contains extensive content dictionaries, and agentless collectors that gather the configurations from the various monitored devices. The main purpose here is to gather the configuration information needed to analyze risk and to compare with policies for compliance purposes. However, the usefulness goes well beyond compliance.
On an extremely large network, identifying threats and vulnerabilities based on configuration errors - the most common kind of vulnerability on a large enterprise - is a daunting task. Some of these networks can exhibit millions of vulnerabilities on hundreds of firewalls, thousands of servers and tens of thousands of user machines, not to mention internet-working devices, such as routers and switches. Statistically, only a few of these vulnerabilities, relatively speaking, need to be remediated in order to reduce network risk to almost nothing. The trick is finding which ones. That is where Skybox enters the picture.
An important cabability of the Skybox system is modeling. Modeling allows network managers and planners to simulate network behavior in a variety of situations. For example, if there are changes in configuration to be made, those changes can be introduced into a model of the network based on everything Skybox knows about the device configurations on the enterprise. Using the "what if" model, the effects of the anticipated changes will become obvious. These effects can be managed before actually imposing the changes in the network.
The Skybox system seems expensive at first blush, but the vendor claims that few users take more than a year for full ROI break-even, and many break even in less time. With an integrated full-trouble ticketing system, Skybox SRM allows full configuration lifecycle management. If you have your own ticketing system, no worries. Skybox integrates with external systems as well. Finally - and only because I'm running out of space here - the reporting is extremely comprehensive. There are dozens of canned reports that address such things as compliance directly. If you want to brew your own reports, though, go ahead. There is a rich report writer.
At the end of the day, if your network is big and spread out, I have no idea how you can get along without the Skybox suite of tools. It is the most comprehensive network configuration and risk management system I've yet to see.
AT A GLANCE
Product: Skybox View 4.0 Security Risk Management Platform
Company: Skybox Security, Inc.
Price: Complicated because of a multitude of possible configurations and module combinations. Average entry prices range from $45,000 to $60,000 and up.
What it does: Provides an unrestricted view of all device configurations on the enterprise and offers several ways of using that view to calculate enterprise risk from a variety of perspectives.
What we liked: As near as I can tell, there is nothing in this space available today that even comes close to this product for its comprehensive views and analysis capabilities.
What we didn't like: Implementing this product is not for the faint-hearted. However, that is really not an indictment of the product. Complicated problems often require complicated solutions. This one is far less complicated than most.