Skybox Security Suite Review

Prioritizes vulnerabilities and grants visibility into both traffic and rule sets

What is our primary use case?

We have been reselling Skybox for probably about five years now, so I'm pretty familiar with it. I've done numerous POCs and I've had hands-on with it quite a bit.

Because I get to work with a bunch of different customers, I get to see just about every use case for Skybox. The first one, which is pretty simple, is auditing firewall rule sets; taking a look at all the configurations that are on the firewalls and ensuring that they're locked down. What we run into a lot of times are firewalls that are set up with excessive permissions, meaning they allow a lot more traffic than they should. Skybox is essential to tearing that down.

Network visibility is another big use case, learning where all the assets are located on the network and how they can talk to each other. 

The last one that I deal with quite a bit is the vulnerability/exposure-monitoring piece. Looking at those vulnerabilities that are on the network, providing the context of network-based mitigation, and then reprioritizing or recasting those vulnerabilities.

How has it helped my organization?

Specifically, in the Vulnerability Management piece, vulnerability management products are very noisy and they provide this arbitrary score called the CVSS that rates the criticality of the vulnerability. How bad would it be if somebody were to exploit this vulnerability? That doesn't matter if I have something on the network that prevents that vulnerability from being exploited. What Skybox does is to allow organizations, including three of my largest customers, to reprioritize the vulnerability they attempt to patch and mitigate, based on the contextual awareness of the network.

Also, for the vulnerability, it's the operational efficiency of the patching team. Patch management programs are very expensive to run from a headcount cost, and also from a potential downtime cost, and there is a never-ending stream of vulnerabilities. The ability to contextualize those and recast them in a meaningful way to my organization, and to all my customers, has been very valuable in increasing the efficiency of the patching process.

With the Firewall Assurance, that changes the way applications are introduced into the environment. So instead of asking for firewall rules which may or may not be relevant, or could already be there, or could be over-permissioned, Skybox can be used to map out the resources that that application is going to use and provide the exact rules that an application would require to function correctly. If the traffic isn't able to flow for the application, if it's erring out, Skybox can be used to troubleshoot that and say, "All right, where is the traffic being stopped and why, and how do I fix that."

What is most valuable?

The Vulnerability Management module is among the ones we talk about the most and the one that customers are biting off on quite a bit.

Skybox, in general, has quite a few features that are particularly useful to large clients, but their scalability is unparalleled in the space. They have massive scalability, thousands of devices that they can pull from, hundreds of thousands of IP addresses for the vulnerability results and casting; that in itself is very unique. The way they do vulnerabilities, providing the additional context of the network mitigations is fairly unique and valuable.

What needs improvement?

The only place where Skybox has room for improvement, and they're working on releasing this, it's just a slow-go, is the UI. The user interface has historically been via a locally installed thick client. They are moving to a web-based console and it's slowly coming out. It looks really good right now. I've seen the previews. I've seen what's going GA. Really, it's just building in that feature parody, to take all the features that are currently in the thick client and move them into to the thin client of Web-based GUI.

What do I think about the stability of the solution?

Skybox is in three of my largest clients and they have hundreds of thousands of IPs and thousands of devices reporting into it. It has never been unstable for them. It's always available.

What do I think about the scalability of the solution?

It scales just fine. The way that it's built with three-tier architecture, it makes it very horizontally scalable, so I can have multiple fallbacks. If one machine does fall offline, there are four other machines that are doing the exact same job to pick it up. But I've never had a problem where fault tolerance was necessary. It's just an available option that makes everything a bit more robust.

How is customer service and technical support?

I've only had to call in twice, and the first-line support was able to resolve the issue within around 10 minutes. It was a pretty quick phone call, and it was immediate. Their tech support has been phenomenal.

Which solutions did we use previously?

I'm a reseller of this product but I represent a hundred security products to my customers. The other ones that I've looked at or used, or I have seen used in the past, are Kenna Security, FireMon, AlgoSec, Tufin. There are a couple others too, but these are off the top of my head.

How was the initial setup?

Setup is not complex, but it is a little bit more time consuming because of the three-tier architecture. It scales really well, but that means there are more pieces to install during the setup, although it's not hard. Everything is just "click, click, click, next." You get through it really quickly. It's just a lot to do.

It also depends on how you deploy it. If you stand it up bare metal, it's a lot to do, but it's not exceedingly difficult. If you stand it up as an OVA, it's a five-minute installation. 

So it depends on which route you go on the installation.

What's my experience with pricing, setup cost, and licensing?

In terms of licensing, it's about defining use cases. If somebody were to say, "Hey, how should I go about the licensing?" I would say, "Define what use cases you're looking for. Look at Skybox's entire portfolio and decide what is important, or what would improve your organization and then just license accordingly."

I have some customers who only purchased Firewall Assurance. That was all they're interested in, and they eventually grew into the Vulnerability Management. Then I had the exact opposite where they started off with Vulnerability Management, looking to improve their operations efficiency, and then they eventually branched into the Firewall Assurance module.

What other advice do I have?

The only piece of advice I would have is, feed it all of the data sources. Skybox can take in a lot of information; structured, unstructured. It has a ton of integration partners. Even if you don't know if you'll need to use them all, just integrate everything you can into Skybox as a centralized platform, because it does quite a bit more, the more data you feed it. You increase its capabilities when you give it more data sources to look at.

I'd rate Skybox at 10 out of 10. I'm the Director of Security Architecture, so I'm very customer-facing and senior when it comes to product management and security architecture development. I tend to develop a baseline of programs whose capabilities I feel every organization should have. The ability to appropriately prioritize vulnerabilities inside the environment, and then to have visibility into the traffic and rule sets of an organization, are two of the top capabilities that I recommend. Skybox is the only one that does both of those in a single platform.

When I go into an organization, especially larger ones that are 5,000 or 10,000-plus employees, the first things I'm looking for are: How are you doing your vulnerability scanning and what visibility do you have in your firewall traffic? Typically, the answer to both of those is, "We don't have a lot there," and Skybox is one of the first things I'll recommend because it's almost imperative to get operational efficiencies. Firewalls are very basic. Firewalls are the front line against inbound traffic. If you don't have something like Skybox inline, able to see what's going on with your traffic flows, you can't appropriately implement those firewalls. So Skybox is typically one of my first three recommended products for just about every client I step in front of.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Add a Comment

Sign Up with Email