Name of Your Organization:

Skybox Security Inc.

Web Site:

http://www.skyboxsecurity.com

Compatible Capability:

Skybox View Enterprise Suite

Capability home page:

http://www.skyboxsecurity.com/products/risk-control
General Capability Questions

1) PRODUCT ACCESSIBILITY <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Skybox Security suite of products is sold via a global direct sales force and through a large globally distributed channel partner program. The software platform is sold and licensed per module. See http://www.skyboxsecurity.com/partners for a list of available partners.
Mapping Questions

3) MAP CURRENCY INDICATION <CR_5.1>

Describe how and where your capability indicates the most recent CVE content used to create or update its mappings (required):

Skybox Security manages a dictionary of vulnerabilities which uses a proprietary system for identifying vulnerabilities (SBV-IDs). CVE content (including CVE IDs) is used as a central method for mapping vulnerabilities.

4) MAP CURRENCY UPDATE APPROACH <CR_5.2>

Indicate how often you plan on updating the mappings to reflect the current CVE content and describe your approach to keeping reasonably current with the CVE content when mapping them to your repository (required):

CVE mapping and content in the Skybox View dictionary is updated on a daily basis.

5) MAP CURRENCY UPDATE TIME <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CVE content (required):

Skybox Security releases dictionary updates to our customers on a daily basis. The updates also include updated CVE content.

6) MAP CONTENT SELECTION CRITERIA <CR_5.4>

Describe the criteria used for determining the relevance of a given CVE-Identifier to your Capability (required):

Skybox Security's vulnerability dictionary includes the relevant CVE-Identifiers for each product.

CVE coverage includes all vulnerabilities that appear in vulnerability assessment solutions. Mapping is determined by cross references provided by the VA vendors. For popular products, Skybox will make extra effort to find the mapping based on actual vulnerability information (including product, version, component, and description).

7) MAP CURRENCY UPDATE MECHANISM <CR_5.5>

Describe the mechanism used for reviewing CVE for content changes (required):

Skybox Security uses automated scripts to identify additions and changes to CVE information, such as new CVE entries, changes in CVE references to already mapped vulnerabilities, and changes to vulnerability severity and description etc. These changes are added to the dictionary.

8) MAP CONTENT SOURCE <CR_5.6>

Describe the source of your CVE content (required):

The information is taken from the National Vulnerability Database, CVE vulnerability feeds: security related software flaws, NVD/CVE XML Feed with CVSS and CPE mappings (version 2.0).

Documentation Questions

9) CVE AND COMPATIBILITY DOCUMENTATION <CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

The following topic appears in the User Guide for Skybox Risk Control and in the online help.
CVE compliance

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE is the industry standard for vulnerability and exposure names. CVE's common Identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools.

When information from one or more of Skybox View's external sources incorporates CVE-Identifiers for vulnerabilities, this information is added to the information in the Skybox View dictionary. CVE updates are also incorporated into the Skybox View dictionary as they are released.

To ensure CVE compliance, the Vulnerability Dictionary defines a single vulnerability (that is, a single SBV ID) for every CVE ID. The SBV ID can also include IDs from scanners and other dictionaries, such as Security Focus. There are also vulnerabilities for which no CVE ID is defined: if one of these vulnerabilities is reported by a scanner that is supported by , it is assigned an SBV ID. If a CVE ID is assigned to one of these vulnerabilities later, the CVE ID is then added to the vulnerability's data in the Vulnerability Dictionary.

10) DOCUMENTATION OF FINDING ELEMENTS USING CVE NAMES <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

Skybox Risk Control and Skybox Threat Manager focus on vulnerabilities in various contexts. Whenever lists of vulnerabilities and vulnerability instances are displayed, these lists can be sorted by the CVE name. In Skybox Threat Manager, the lists can also be searched.

CVE and Compatibility Documentation

In addition, customized KPIs (security metrics for organizations) can be defined to include only vulnerabilities with specific CVE names.

CVE and Compatibility Documentation

11) DOCUMENTATION OF FINDING CVE NAMES USING ELEMENTS <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

When using Skybox Risk Control and Skybox Threat Manager, it is not necessary to use a process to find the CVE names associated with vulnerabilities, security updates, or IPS signatures. Lists of vulnerabilities, vulnerability instances, security updates, and IPS signatures in the GUI show the CVE name as part of the basic data for each one.

CVE and Compatibility Documentation

CVE and Compatibility Documentation

CVE and Compatibility Documentation

12) DOCUMENTATION INDEXING OF CVE-RELATED MATERIAL <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

The index includes the topic listed above in section 9. However, a search in the online help turns up numerous references to CVE. These "hits" are inside of topics within the documentation set.

CVE and Compatibility Documentation

The Skybox Security website enables you to download various white papers, including one about Skybox View's approach to vulnerability discovery, and one about the Skybox View dictionary.

From the Vulnerability Discovery white paper:

Vulnerability Discovery with Rule-Driven Profiling (RDP)
Rule-driven profiling is a two-step process that converts the product configuration and description information stored in system and security management repositories into a detailed and accurate product catalog, and then accurately deduces a list of vulnerabilities present in the network environment.

The first phase is called product profiling, which involves collecting, merging, and normalizing product configuration information into a comprehensive list of the systems and products installed in the network environment. The raw data is collected automatically from multiple data sources such as Microsoft Active Directory, Microsoft SCCM, WSUS, and patch management systems. Thousands of information extraction rules are then applied to translate strings, such as "Microsoft Windows 7 Enterprise with MDOP 2011 R2," into a normalized product catalog which represents installed products, version information, patch level and more.

The second phase is called vulnerability profiling, which converts this normalized product catalog into accurate vulnerability data. We utilize a proprietary library of tens of thousands of logical rules, updated daily, to test the product catalog to determine if a set of pre-conditions for the existence of a vulnerability are met. The rules take multiple factors into account to deduce if a vulnerability truly exists in the environment. For example, a particular vulnerability may exist on a certain product, version, and patch level of Adobe Reader, but only when running in a particular operating system environment and in the presence or absence of other products or factors.

This results in a comprehensive and highly accurate product catalog and list of found vulnerabilities, compatible with MITRE's CPE and CVE standards, that can be updated automatically and continuously without requiring an active scan.

Type-Specific Capability Questions
Tool Questions

13) FINDING TASKS USING CVE NAMES <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (recommended):

It is not possible to search for reports by CVE name, but it is possible to limit the vulnerabilities used in a specific report according to their CVE name.

CVE and Compatibility Documentation

CVE and Compatibility Documentation

14) FINDING CVE NAMES USING ELEMENTS IN REPORTS <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

Skybox View allows users to enter CVE names as a filter for vulnerability reports (as shown in the previous section), and also to search for vulnerabilities by their CVE name. In addition, lists of entities (vulnerabilities, IPS signatures, and security bulletins) that include CVE names in their basic information can be sorted by the CVE name.

CVE and Compatibility Documentation

15) GETTING A LIST OF CVE NAMES ASSOCIATED WITH TASKS <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (recommended):

Skybox View shows the CVE name for every vulnerability, IPS signature, and security update in the system, as it is part of the entity's basic information.

CVE and Compatibility Documentation

16) SELECTING TASKS WITH A LIST OF CVE NAMES <CR_A.2.5>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CVE names (recommended):

This functionality is not directly supported by Skybox View, but we do allow specifying CVE names for queries of vulnerability lists, as shown above in section 10.

17) SELECTING TASKS USING INDIVIDUAL CVE NAMES <CR_A.2.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):

This functionality is not directly supported by Skybox View, but we do allow specifying CVE names for queries of vulnerability lists, as shown above in section 10.

18) NON-SUPPORT NOTIFICATION FOR A REQUESTED CVE NAME <CR_A.2.7>

Provide a description of how the tool notifies the user that task associated to a selected CVE name cannot be performed (recommended):

Vulnerabilities and IPS signatures may be imported into the Skybox View database with or without a CVE name. Since Skybox View consolidates data from multiple scanners, network devices and IPS devices, it allows for the possibility that a vulnerability or signature will not have a CVE name. If no CVE name was provided for the vulnerability/signature, the field will be empty. If the vulnerability/signature has a CVE name that is found later by another source, it will be updated in the database.

Aggregation Capability Questions

27) FINDING ELEMENTS USING CVE NAMES <CR_A.5.1>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (required):

N/A

28) FINDING CVE NAMES USING ELEMENTS IN REPORTS <CR_A.5.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the capability allows the user to determine the associated CVE names for the individual security elements in the report (required):

In lists of security elements (vulnerabilities, security bulletins, and IPS signatures) – both onscreen and in CSV reports, the CVE name is part of the meta-data shown for each element in the list. In published reports of vulnerabilities which include detailed information, the CVE name is shown as part of the meta-data for each vulnerability. In published reports of vulnerability tickets, the CVE name is also shown as part of the vulnerability data.

CVE and Compatibility Documentation

Media Questions

32) ELECTRONIC DOCUMENT FORMAT INFO <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

CSV output files can include lists of vulnerabilities, IPS signatures, or security bulletins. These files can be processed (sorted and searched) via Microsoft Excel.

33) ELECTRONIC DOCUMENT LISTING OF CVE NAMES <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

CVE names are listed for each individual vulnerability in detailed vulnerability reports and in detailed ticket reports.

CVE and Compatibility Documentation

34) ELECTRONIC DOCUMENT ELEMENT TO CVE NAME MAPPING <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

N/A – No such documents.

Graphical User Interface (GUI)

35) FINDING ELEMENTS USING CVE NAMES THROUGH THE GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

As stated above in the answer to <CR_B.4.2>, whenever lists of vulnerabilities and vulnerability instances are displayed, these lists can be sorted by the CVE name. In Skybox Threat Manager, the lists can also be searched.

CVE and Compatibility Documentation

36) GUI ELEMENT TO CVE NAME MAPPING <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

The CVE name is part of the entry of every vulnerability, IPS signature, and security update in a table.

CVE and Compatibility Documentation

37) GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

Skybox View enables users to export tables to CSV files, which can then be processed (sorted, searched, etc.) using Microsoft Excel.

CVE and Compatibility Documentation

Questions for Signature

38) Statement of Accuracy <CR_2.7>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability. "

Name: Moshe Raab

Title: Vice President Research & Development

39) STATEMENT OF ACCURACY <CR_A.3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies.

Name: Moshe Raab

Title: Vice President Research & Development

40) STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS AND SERVICES ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it.

Name: Moshe Raab

Title: Vice President Research & Development

Page Last Updated or Reviewed: September 13, 2016