
Model network access and compliance to de-risk IT/OT convergence

Build a network model by ingesting data from industrial/general-purpose firewalls and network infrastructure to validate access and comply with regulatory frameworks.

Learn how you can:
  • Easily demonstrate compliance with automated operational workflows
  • Avoid costly audit preparation fees and non-compliance penalties
  • Reduce the need for hands-on expertise in every technology with network abstraction
  • Allow lean teams to manage complex converged estates using simulation tools

The Skybox Security Posture Management platform is the only platform that combines infrastructure context with threat visibility across the entire attack surface that spans the IT and OT environments.

Model network infrastructure

The Skybox Security Posture Management Platform ingests:

  • Configurations and routing tables from Purdue Enterprise Reference Architecture Layer 3 devices
  • Security groups, security tags, and assets from virtual domains
  • Asset information from configuration management databases (CMDBs) and management systems
  • Vulnerabilities from scanners and vulnerability definitions from Skybox threat intelligence

The information is parsed and normalized to create a network model, which is an abstraction of the IT, OT, and hybrid cloud infrastructures. The entities represented in the model include assets, network devices, networks, locations, and clouds. The model can include both industrial and general-purpose infrastructure. It supports specialized devices that are custom-built for industrial applications and hazardous environments, such as the Siemens 1400 and 1500 families of intelligent edge routers.

Map networks to zones and define access policies

Map networks in the model to zones and customize out-of-the-box templates to create flexible policies aligned with industrial standards such as ISA/IEC 62443. The policies created in the Skybox platform encode the standards’ requirements, such as segmenting the network into zones (groups of cyber assets that share the same cybersecurity requirements) and conduits (the communication paths used within and between zones).

Analyze access compliance and update violating rules

Analyze the actual, as opposed to theoretical, access across network zones, taking into account access rules, routing rules, and network topology. Identify violating rules so they can be updated easily. Include industrial firewalls in the network model to test, demonstrate, and ultimately ensure compliance with the regulations governing network separation across the entire attack surface.

Maintain firewall hygiene

Ensure that industrial firewalls, in addition to the other firewalls in the network, are correctly configured in line with industry best practices. Rule compliance policies inspect specific rules to identify violations in the configured source, destination, port, or application. Access compliance policies identify firewall rules that allow violating traffic to move between network zones. To help maintain good firewall hygiene, Skybox identifies shadowed or redundant rules and objects for elimination, which significantly reduces the organization’s attack surface.
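The zone mapping, conduit-based access compliance check and shadowed-rule detection described in the three sections above, as an added example that is not Skybox code and does not reflect how the Skybox platform implements them. The zone names, subnets, conduit ports and the four-rule rulebase are all constructed for the example; the zone-of-CIDR lookup and the port-subset test are simplifications of what a real model would do with routing tables and application objects.

```python
# Added example, not Skybox code: a toy network model that maps subnets to
# ISA/IEC 62443-style zones, evaluates allow rules against a conduit policy,
# and flags shadowed rules. Zone names, subnets, ports and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone-to-subnet mapping (the zone names are assumptions).
ZONES = {
    "enterprise": [ip_network("10.0.0.0/16")],
    "dmz": [ip_network("10.10.0.0/24")],
    "control": [ip_network("192.168.10.0/24")],
}

# Conduit policy: which ordered zone pairs may talk and on which TCP ports.
# A zone pair that is not listed has no conduit, so any allow rule between
# those zones is a violation.
CONDUITS = {
    ("enterprise", "dmz"): {443},
    ("dmz", "control"): {4840},  # assumed OPC UA relay through the DMZ
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    ports: frozenset    # TCP ports; an empty set means "any port"
    action: str         # "allow" or "deny"


def zone_of(cidr: str):
    """Return the zone whose subnets fully contain the given CIDR, or None."""
    net = ip_network(cidr)
    for zone, subnets in ZONES.items():
        if any(net.subnet_of(s) for s in subnets):
            return zone
    return None


def access_violations(rules):
    """Names of allow rules that permit traffic outside the conduit policy."""
    violations = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if src_zone is None or dst_zone is None or src_zone == dst_zone:
            continue  # unmapped or intra-zone traffic is not a conduit question
        allowed_ports = CONDUITS.get((src_zone, dst_zone), set())
        if not r.ports or not r.ports <= allowed_ports:
            violations.append(r.name)
    return violations


def shadowed_rules(rules):
    """A rule is shadowed when an earlier rule already matches all of its traffic.

    Action is deliberately ignored: an earlier deny shadows a later allow just
    as an earlier allow makes a later, narrower allow redundant.
    """
    shadowed = []
    for i, r in enumerate(rules):
        r_src, r_dst = ip_network(r.src), ip_network(r.dst)
        for earlier in rules[:i]:
            e_src, e_dst = ip_network(earlier.src), ip_network(earlier.dst)
            ports_covered = not earlier.ports or bool(r.ports and r.ports <= earlier.ports)
            if r_src.subnet_of(e_src) and r_dst.subnet_of(e_dst) and ports_covered:
                shadowed.append(r.name)
                break
    return shadowed


# Constructed rulebase, in evaluation order.
RULES = [
    Rule("r1", "10.0.0.0/16", "10.10.0.0/24", frozenset({443}), "allow"),    # compliant conduit
    Rule("r2", "10.0.5.0/24", "192.168.10.0/24", frozenset({22}), "allow"),  # enterprise -> control: no conduit
    Rule("r3", "10.10.0.0/24", "192.168.10.0/24", frozenset(), "allow"),     # any port exceeds the 4840 conduit
    Rule("r4", "10.0.1.0/24", "10.10.0.0/24", frozenset({443}), "allow"),    # fully covered by r1
]

if __name__ == "__main__":
    print("access violations:", access_violations(RULES))  # ['r2', 'r3']
    print("shadowed rules:", shadowed_rules(RULES))         # ['r4']
```

Note that the shadow check ignores the rule action on purpose: a shadowed rule never fires whatever it says, which is exactly why it is safe to remove and why a later allow hidden behind an earlier deny is a finding worth reviewing rather than silently "fine".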

Track changes

Track any changes made to firewall access rules. This includes recording new, deleted, and modified rules to create a comprehensive audit trail for the purposes of troubleshooting, forensic analysis, and compliance. Change records include details of the change made, the time and date stamp, and the user who made the change. These change records make it easy to reconcile every detected change to the firewall with an existing change request in the organization’s chosen change management platform.
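The audit trail described above, as an added example that is not Skybox code: two rulebase snapshots are diffed into added/deleted/modified change records carrying a timestamp and user, and each record is then reconciled against a map of change-request tickets. The snapshots, the timestamp, the user name and the ticket id are constructed; the record shape is an assumption, not the platform's own schema.

```python
# Added example, not Skybox code: derive change records by diffing two
# firewall rulebase snapshots and reconcile them against change requests.
# Rules, timestamps, user names and change-request ids are all constructed.
from datetime import datetime, timezone


def diff_rulebase(before, after, when, user):
    """Return one change record per added, deleted or modified rule.

    Snapshots are dicts keyed by rule name; each value is a dict of the
    rule's fields. For a modified rule the detail lists only the fields
    that changed, as (old, new) pairs.
    """
    records = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            kind, detail = "added", new
        elif new is None:
            kind, detail = "deleted", old
        elif old != new:
            kind = "modified"
            detail = {
                field: (old.get(field), new.get(field))
                for field in sorted(set(old) | set(new))
                if old.get(field) != new.get(field)
            }
        else:
            continue  # unchanged
        records.append({
            "rule": name,
            "change": kind,
            "detail": detail,
            "time": when.isoformat(),
            "user": user,
        })
    return records


def reconcile(records, change_requests):
    """Match each detected change to an approved change request.

    change_requests maps a ticket id to the set of rule names it authorises.
    Returns (matched, unmatched): matched is a list of (rule, ticket) pairs,
    unmatched the rule names with no covering ticket, i.e. the changes an
    auditor would ask about first.
    """
    matched, unmatched = [], []
    for rec in records:
        ticket = next((t for t, rules in change_requests.items() if rec["rule"] in rules), None)
        if ticket is None:
            unmatched.append(rec["rule"])
        else:
            matched.append((rec["rule"], ticket))
    return matched, unmatched


# Constructed snapshots: r2 is flipped from allow to deny, r3 is new.
BEFORE = {
    "r1": {"src": "10.0.0.0/16", "dst": "10.10.0.0/24", "port": 443, "action": "allow"},
    "r2": {"src": "10.0.5.0/24", "dst": "192.168.10.0/24", "port": 22, "action": "allow"},
}
AFTER = {
    "r1": {"src": "10.0.0.0/16", "dst": "10.10.0.0/24", "port": 443, "action": "allow"},
    "r2": {"src": "10.0.5.0/24", "dst": "192.168.10.0/24", "port": 22, "action": "deny"},
    "r3": {"src": "10.10.0.0/24", "dst": "192.168.10.0/24", "port": 4840, "action": "allow"},
}
WHEN = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed timestamp
CHANGE_REQUESTS = {"CR-1001": {"r2"}}                       # constructed ticket

if __name__ == "__main__":
    recs = diff_rulebase(BEFORE, AFTER, WHEN, "ot-admin")
    for rec in recs:
        print(rec)
    print(reconcile(recs, CHANGE_REQUESTS))  # ([('r2', 'CR-1001')], ['r3'])
```

Keying the diff on the rule name keeps the example short; a production collector would key on a stable rule identifier from the device, since renaming a rule would otherwise show up as a delete plus an add.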

Generate audit-friendly reports

Leverage a single model of the IT and OT estates for reporting and auditing purposes. Tailor dashboards and reports to suit the needs of different audiences and stakeholders across the organization. The highly configurable Web-based interface makes it easy to report on the entire estate or specific areas such as device configuration, network separation, access, and firewall rule compliance.

Detect infrastructure vulnerabilities without scanning

Active scan-based vulnerability assessment tools provide point-in-time visibility at best. Gaps between scan events on a device can leave vulnerability occurrences undetected. Scanless detection addresses these blind spots by combining outputs from generic CMDB parsers and patch management systems with the Skybox vulnerability dictionary to continuously detect vulnerabilities on networking and firewall infrastructure.
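The scanless approach described above, as an added example that is not Skybox code: an inventory export is parsed and normalized, each asset's vendor, product and version are matched against a dictionary of affected version ranges, and findings that a patch-management feed reports as remediated are suppressed. The CSV export, the dictionary entries, the vendor and product names and the `VULN-EXAMPLE-*` identifiers are constructed placeholders, not real advisories, and the dictionary format is an assumption rather than the format of the Skybox vulnerability dictionary.

```python
# Added example, not Skybox code: "scanless" vulnerability detection that
# matches a CMDB inventory export against a vulnerability dictionary with
# affected version ranges, then suppresses findings a patch-management feed
# reports as remediated. Vendor, product and vulnerability ids are constructed
# placeholders, not real advisories.
import csv
import io
import re


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); tuples compare component-wise, so '2.10' > '2.9'."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


# Constructed dictionary: a version is affected when introduced <= v < fixed.
VULN_DICT = [
    {"id": "VULN-EXAMPLE-1", "vendor": "examplevendor", "product": "edge-router",
     "introduced": "2.0", "fixed": "2.4.1"},
    {"id": "VULN-EXAMPLE-2", "vendor": "examplevendor", "product": "fw-os",
     "introduced": "9.0", "fixed": "9.1.5"},
]

# Constructed CMDB export in the shape a generic CSV parser would consume.
CMDB_EXPORT = """\
host,vendor,product,version
plc-gw-01,ExampleVendor,edge-router,2.3.0
plc-gw-02,ExampleVendor,edge-router,2.4.1
fw-ot-01,ExampleVendor,fw-os,9.1.2
fw-it-01,OtherVendor,fw-os,9.1.2
"""

# Constructed patch-management feed: host -> vulnerability ids already remediated
# (for instance by a hotfix that does not bump the reported version string).
PATCH_FEED = {"fw-ot-01": {"VULN-EXAMPLE-2"}}


def parse_cmdb(text):
    """Normalise a CSV export into asset records with lower-cased vendor/product."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        assets.append({
            "host": row["host"].strip(),
            "vendor": row["vendor"].strip().lower(),
            "product": row["product"].strip().lower(),
            "version": row["version"].strip(),
        })
    return assets


def is_affected(version, entry):
    """True when the version falls inside the entry's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(entry["introduced"]) <= v < parse_version(entry["fixed"])


def detect(assets, vuln_dict, patch_feed):
    """Return (host, vulnerability id) pairs still open after applying patch data."""
    findings = []
    for asset in assets:
        for entry in vuln_dict:
            if (asset["vendor"], asset["product"]) != (entry["vendor"], entry["product"]):
                continue
            if not is_affected(asset["version"], entry):
                continue
            if entry["id"] in patch_feed.get(asset["host"], set()):
                continue  # remediated per patch management; the version string alone would mislead
            findings.append((asset["host"], entry["id"]))
    return findings


if __name__ == "__main__":
    assets = parse_cmdb(CMDB_EXPORT)
    print(detect(assets, VULN_DICT, {}))          # without patch data: two findings
    print(detect(assets, VULN_DICT, PATCH_FEED))  # [('plc-gw-01', 'VULN-EXAMPLE-1')]
```

The patch feed matters because inventory data alone over-reports: a device at a vulnerable version string that has a backported fix is not exploitable, and a device with a clean version string whose hotfix was rolled back is. Reconciling both sources is what lets the detection run continuously without a scan.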
