Vulnerability Lifecycle Management for Critical Infrastructure
Automate the vulnerability lifecycle based on infrastructure context and threat intelligence to de-risk your OT environment.
Learn how to:
- Gain a unified view of IT and OT assets and vulnerabilities
- Reduce active scanning blind spots
- Identify cyber hygiene gaps
- Utilize a customizable, multi-factor risk scoring framework
- Reduce dependence on patching
New vulnerabilities in operational technology (OT) products have risen 88% year over year. This increase in vulnerabilities can be attributed to vulnerability debt as well as a culture of greater transparency among product manufacturers. In addition to vulnerabilities on OT products, vulnerabilities on IT assets such as servers and workstations can also be weaponized to enable attack paths. In light of this, vulnerability management teams must discover and remediate both IT and OT vulnerabilities to protect critical OT assets. In parallel, the cyber security talent gap has resulted in small teams struggling with complex manual vulnerability management workflows. The resource problem can be rectified by automating operational workflows across the for pillars of vulnerability lifecycle management: discovery, prioritization, remediation, and reporting.
The Skybox Security Posture Management Platform ingests and normalizes asset and vulnerability information from multiple sources, including active scan-based vulnerability assessment tools, endpoint detection and response systems, OT passive scanning solutions, and various asset data repositories. In addition to vulnerabilities, security risks such as outdated OS versions, or insecure applications and services can be flagged for easy remediation. In parallel, scan less detection expands coverage by correlating asset information from generic CMDB parsers and patch management repositories with updated vulnerability data from Skybox threat intelligence. The result is continuous non-intrusive vulnerability discovery on non-scannable assets (routers, switches, and sensitive OT devices) as well as filling in the gaps between active scan events on scannable assets. This comprehensive catalog of IT and OT assets and vulnerability information spans layers 0-5 of the Purdue model and becomes a single source of truth that multiple enterprise security teams can cross-reference.
Skybox uses a flexible and customizable algorithm to compute risk scores for assets and vulnerability occurrences (a specific instance of a vulnerability on an asset). By default, the framework uses four key criteria or risk factors.
- CVSS scores: assigned by NVD and affiliated bodies
- Exploitability: based on Skybox threat intelligence, flagging vulnerabilities that are exploited in the wild or have exploits available
- Asset importance: based on the value of an asset to an enterprise and allowing prioritization of mission-critical OT devices
- Exposure: based on attack path analysis to identify the reachability of a target from potential threat origins
The risk scoring algorithm supports formula flexibility such that each organization can control the risk factors to be included in the formula, as well as the weight for each factor. This approach facilitates a tailored risk posture based on an organization’s business logic.
The Skybox Platform, based on contextual analysis of IT, multi-cloud, and OT environments, can recommend diverse remediation solutions including patching, software updates, firewall rule modification, IPS signature, and network segmentation.
Strict system availability requirements for Industrial Control Systems and often remote locations for OT sensing devices mean potentially disruptive processes like patching require careful planning. Network-based remediation solutions can fortify security controls while relieving the urgency around patch application, buying VM teams much-needed time for planning, testing, and deploying patches.
The Skybox Platform enables extensive reporting through customizable out-of-the-box dashboards and reports. Prebuilt templates allow administrators to query underlying Elasticsearch clusters quickly and intuitively for a wide range of asset and vulnerability attributes. Assets can be grouped by business units for granular visibility by each business owner. Some useful reports for continuous trend analysis and program benchmarking include:
- Remediation of high-risk score vulnerabilities within SLA
- Decrease in scan frequency
- Assets with overdue scan status
- Increase in high-risk vulnerability occurrences or exposed vulnerabilities