​

THE U.S. AGENCY for International Development (USAID) began researching network mapping technology several years ago as a way to help avoid misconfiguration issues throughout its huge network, which consists of nearly 18,000 devices in about 70 countries. The agency was also looking for a risk-based vulnerability management solution, says Karl Crandall, CISO of USAID. Skybox, one of the first vendors to offer network mapping, seemed to offer a relatively wide array of security features that would help to address the company’s concerns. Setting up the Skybox product, called Skybox View Security Risk Management Suite, was time-consuming, says Crandall. But this initial stage, which lasted for about three months, may also have provided the most value from a security perspective, he says.

A significant part of the setup process involved creating an existing network map, says Crandall. This involved continual scanning of the network to identify each existing device as well as its configurations.

Implementation also involved arranging the identified devices into categories inside the Skybox management software in a manner that would be most useful for IT administrators, says Crandall. Devices were placed into categories based on factors such as location or type of access. Devices might be grouped together if, for example, they accessed a common agency server. Such categorization was not always simple, he says, but once it had been completed, it was easier to access key data about devices and network activity.

Information collected through the scans was also fed into two Skybox tools, the Firewall Auditor and the Network Compliance Auditor. The tools could then be set to generate reports, either on a regular or ad hoc basis, which could flag potential firewall misconfigurations in addition to possible noncompliance with regulations and standards. Reports can provide data relevant to the Payment Card Industry Data Security Standard, for example, as well as to standards issued by bodies such as the National Institute of Standards and Technology.

Aided by the reports, IT staff identified some major security issues in the first few months, says Crandall, including an instance in which a network was connected to the Internet without any firewall protection. That part of the network was shut down until it had been appropriately secured.

The agency continues to scan the network each evening, a process that takes about five hours, says Julio Mercado, a USAID information security analyst. Each morning, Mercado and at least one other IT professional review approximately nine automatically generated reports, he says.

Sometimes the reports are used as a starting point for troubleshooting, he says. A report might indicate, for example, that a device is inappropriately accessing a certain port. Administrators might then investigate by examining a relevant firewall’s access policies, which can be found within the baseline network model.

Administrators might also map the route of traffic between a pair of devices, says Crandall. After entering the source and destination Internet Protocol addresses, Skybox produces a detailed map showing each “hop” along the route. Skybox’s ability to map such traffic is more detailed and accurate than at least a few tools frequently used for the same purpose. Other solutions may miss certain “hops,” he says, such as when traffic travels through a virtual private network.

Data from the nightly scans are also fed into another Skybox component, Skybox Risk Control, which produces reports listing the most significant network vulnerabilities. The product’s analytical engine conducts “a sophisticated evaluation of network topology, vulnerabilities, device configurations, and potential threats,” according to Skybox.

Risk Control-generated reports rank vulnerabilities as low, medium, high, and critical. Descriptions provide information, including the relevant network location, pertinent devices, and time of detection.

“It’s pretty granular,” says Mercado. The product sometimes identifies threats that many other vulnerability analyzers might skip, says Crandall. A report might indicate, for example, that “five servers are accessing the Internet when two would suffice.”

The reports also show when networks are missing important patches. The ability to conduct network-wide patch management from a central location makes it easier to mitigate risk, says Mercado, as “so many attacks happen because of missing patches.” At least once a month, administrators send reports to remote offices listing missing patches that need to be installed.

Skybox’s reports have been particularly helpful during security and compliance audits, Mercado says. But Skybox requires some work for it to yield optimal results.

One of the most time-consuming aspects of using Skybox is keeping the current network model accurate and useful, says Crandall. Administrators regularly “feed” the model, inputting data on areas such as policy changes and the addition of new devices. Data to input is gathered from sources including successfully completed network change management requests from throughout the network.

It can be challenging on occasion to keep up with all the data that Skybox both generates and requires for inputting, says Mercado. In the near future, the agency may add another relatively new Skybox module that could make managing the solution more efficient, he says. Called Security Profile Advisor, it tracks remediation activity and, through a “dashboard,” displays remediation progress, within the network or in individual business units, based on key performance indicators. The Advisor also automates internal security advisories based on customizable alerts.

Another issue is cost. Skybox and similar mapping solutions can be expensive. But few other solutions can provide as much detail on network security and compliance as well as assisting in key security areas such as vulnerability and patch management, says Mercado. “It is kind of amazing how it can take in so much information and digest it,” he says. “From a security standpoint, it really brings it all together.”