You do not need to use all of them at once, although the value increases as you tie the different functions together. The main areas include threat assessment, risk reporting and compliance auditing. The analysis is also useful for tracking patch readiness and vulnerability assessment.
The two main components are Skybox Assure and Skybox Secure. The first allows the user to model and manage changes to the infrastructure and analyze threats and impacts along the way. The second models the environment from the threat standpoint to identify risks and threats, and provides a risk management framework.
Skybox defines its operating model in terms of layers, starting with a network layer. The software allows you to build a visual map of the network, and this logical view can be customized much as in many network management environments. Mapping out infrastructure and potential lines of communication allows the admin to predict impact and threats more accurately. For example, you can easily map the path an attacker could take, hopping from one machine to another, to penetrate your internal network via, say, a web database application.
Then you have a business map of business units containing assets, relevant regulations and their various relationships. A simple threat layer breaks threats into their potential sources (internal, external and so on) and categories. Finally, but crucially, a security layer models vulnerabilities, possible attacks and the associated risks to each business asset.
The modelling capabilities are great, and mapping layers together is easy through the Java interface.
While the system provides tools to catch errors and missing data that could leave gaps in your planning, a lot of the real usefulness inevitably depends on the accuracy of the data you provide.
Many organizations will need outside expertise for this, and there is a version of the product aimed specifically at consultants.
Because the topics are complex, we were impressed with the voluminous documentation. We liked the detailed sections about hardening the base system, including guides to change default certificates (a very good idea) and platform security. Backing up the documentation is excellent context-help within the system.
The product comprises three main components, which can be separated across a network: a collector of network configuration data that sends it back to the server; the server, which holds the data and security model; and the manager, which provides the graphical interface to the system. There are a few other pieces, like an HTML dashboard to provide a summary view of operations, and a dictionary of threat definitions and known vulnerabilities.
Skybox uses an XML-based data format for its information, and provides an integration kit for importing data in non-standard formats, including APIs and Perl modules to parse and generate Skybox’s iXML files. But out of the box, the software supports a good range of firewalls, routers, system management frameworks, network scanners and other tools.
The server components run on various flavors of Windows and Red Hat Enterprise Linux, which is recommended for systems needing more than 2GB of RAM. The server, with all its data crunching, is memory- and CPU-intensive.
Despite being Java-based, the admin front end looks just like a Microsoft Management Console snap-in, with a standard tree view and details in the main panel. The interface is broken down into options for managing users, ticket rules, collectors, threat origin categories, business impact types and regulations.
Setting up known business assets, types of risks, estimated damage, business processes and all the related data is not complicated, just laborious. Skybox’s excellent context-help and consistent interface make it really easy. A set of regulation templates further maps business assets to compliance requirements. Templates are provided for various parts of Sarbanes-Oxley, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.
Ticket rules determine the guidelines for handling policy exceptions. For example, if a high-risk vulnerability is detected on the network, a ticket is opened and the policy guides whom to contact, how quickly it should be handled, and so on. Skybox can track the tickets itself, or they can be integrated with a separate system (most large organizations will have some form of problem ticket system in place).
And once set up, the modelling capabilities of Skybox really shine. You can switch from a live view of network activity to a projection or an historic (forensic) view. The Assure and Secure modules allow changes to be modelled, and impact to be assessed. And threats can be assessed in "what if" scenarios using all existing data about the environment. Because the system maps business processes and assets to infrastructure and threats, a clear model of estimated risk and damage can be produced, and weak or non-compliant areas targeted for improvement.
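As an added illustration, not Skybox code and not its iXML format, the following Python model shows how the network, threat, security and business layers described earlier combine into attack-path and "what if" analysis. All hosts, vulnerability identifiers, damage figures and regulation labels are constructed for the example.

```python
from collections import deque

# Network layer (constructed): permitted connections, host -> reachable hosts.
REACH = {
    "internet": {"web01"},
    "web01": {"db01"},
    "db01": {"hr-files"},
    "vpn-gw": {"hr-files"},
}
# Security layer (constructed): exploitable vulnerabilities per host.
VULNS = {
    "web01": {"VULN-A"},  # constructed identifier, not a real CVE
    "db01": {"VULN-B"},
    "hr-files": set(),    # fully patched: attackers gain no foothold here
}
# Business layer (constructed): asset on host, estimated damage, regulation.
ASSETS = {
    "db01": ("customer records", 500_000, "GLBA"),
    "hr-files": ("employee health data", 250_000, "HIPAA"),
}
# Threat layer: named threat origins mapped to the node they start from.
ORIGINS = {"external": "internet"}

def attack_paths(origin_node, reach, vulns):
    """BFS from a threat origin; a hop onto a host succeeds only if that
    host has an exploitable vulnerability. Returns {compromised_host: path}."""
    paths, queue = {}, deque([(origin_node, [origin_node])])
    while queue:
        host, path = queue.popleft()
        for nxt in reach.get(host, ()):
            if nxt in paths or not vulns.get(nxt):
                continue  # already reached, or no vulnerability to exploit
            paths[nxt] = path + [nxt]
            queue.append((nxt, paths[nxt]))
    return paths

def exposure(origin, reach=REACH, vulns=VULNS, assets=ASSETS):
    """Business view: assets reachable from an origin, with path, damage
    estimate and the regulation each exposure touches."""
    paths = attack_paths(ORIGINS[origin], reach, vulns)
    return {h: {"path": paths[h], "asset": assets[h][0],
                "damage": assets[h][1], "regulation": assets[h][2]}
            for h in paths if h in assets}

def what_if_patched(origin, host, vuln):
    """'What if' scenario: recompute exposure with one vulnerability removed."""
    patched = {h: v - ({vuln} if h == host else set()) for h, v in VULNS.items()}
    return exposure(origin, vulns=patched)

if __name__ == "__main__":
    print(exposure("external"))
    print(what_if_patched("external", "web01", "VULN-A"))
```

Patching the single web-tier vulnerability removes the external path to the customer records, which is the kind of prioritisation the layered model is meant to support.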
If you have the skills to get the most out of Skybox, then we would definitely recommend this very impressive product.
For: Powerful, yet easy-to-use security modeling and analysis.
Against: High system requirements.
Verdict: Very impressive, both in capability and presentation.