
ESG Lab Spotlight

Cybric Continuous Security Delivery Fabric
Closing the exploit window with a near real-time, continuous security framework

Date: December 2015
Authors: Aviv Kaufmann and Kerry Dolan, ESG Lab Analysts, and Doug Cahill, ESG Senior Analyst

Abstract: This ESG Lab Spotlight provides a first look at Cybric’s Continuous Security Delivery Fabric and documents the results of pre-release hands-on validation testing of its next-generation cyber-automation and threat remediation framework and management interface.

Challenges

The eroding network perimeter of today’s modern data center, the increase in mobility and telecommuting, and a dangerous cybersecurity threat landscape driven by highly capable bad actors have created a multi-dimensional challenge for IT executives charged with protecting and securing their organization’s data assets. Cloud computing brings both challenges and opportunities to the equation. “Cloud native” companies operate entirely in a public environment, while those with a “cloud first” strategic imperative typically employ hybrid clouds. In both cases, an increasingly borderless network results in a visibility and control gap: the organization no longer owns the network egress point, so it cannot deploy traditional perimeter controls there. This increased complexity is reflected in security automation and orchestration research conducted by ESG, in which 55% of respondents cited an increase in the use of cloud services as contributing to making security operations more difficult¹. Results of this survey indicate that existing tools and processes are less than ideal for automating security operations across hybrid environments.

The Solution

Cybric, a security virtualization provider for today’s modern enterprise infrastructure, is accelerating research and product development on its Continuous Security Delivery Fabric, a next-generation cyber-automation and threat remediation solution. Cybric’s stated goal is that, upon general availability, global enterprise organizations will be able to rely on its continuous security virtualization to reduce the time required to scan for and remediate vulnerabilities from months to minutes. The Cybric framework (see Figure 1) is designed to automate a range of security tasks to gain efficiencies.

Figure 1. Cybric’s Continuous Security Delivery Fabric

¹ Source: ESG Custom Research, Security Orchestration Trends, March 2015.

© 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved.


The Continuous Security Delivery Fabric virtualizes security vulnerability scanning and remediation, including automation and orchestration, behind a single management interface. Cybric’s position is that this approach will drastically reduce the time required to identify and fix vulnerabilities, and will put engineers back on the job instead of chasing down threats. The fabric integrates with an organization’s existing vulnerability scanning tools (or replaces them with open-source tools) through policy-based security elements called Business Resiliency Internal Controls (BRICs). BRICs can be applied dynamically and scheduled to run with any production environment as the source, on-premises or in the cloud. A key design point is that, instead of running a BRIC against the actual production infrastructure (which could impact performance), the fabricOPS orchestration capability automatically creates a virtual copy of the environment against which the controls execute. This enables near real-time scanning with no production impact.

Cybric’s Continuous Security Delivery Fabric consists of four core components:

fabricOPS: Orchestration. fabricOPS enables organizations to create and automate policy BRICs, security workflows that run against an encrypted virtual copy of the entire application stack. This near real-time scanning enables simple, efficient risk reduction.

fabricRX: Remediation Integration. By integrating with open source and commercial security tools, the patent-pending fabricRX identifies fixes that can be applied automatically to remediate vulnerabilities discovered through fabricOPS, based on the BRIC policies and machine learning.

fabricVUE: Reporting and Compliance Engine. FabricVUE is a single, intelligent view of an organization’s entire security operation, including organization-wide and BRIC-centric dashboards showing key performance indicator (KPI) benchmarking and service level agreement (SLA) compliance, for actionable intelligence.

fabricHUB: Developer-defined Security Integration. Using the Cybric API, fabricHUB integrates into existing continuous development and delivery workflows, allowing organizations to build more secure applications faster.

Also on the roadmap are consulting services and human/machine-based intelligence (fabricSRV). The platform, composed of a virtual fabric and a framework for automation, is intended to let Cybric deliver advanced capabilities such as non-disruptive penetration testing and ethical hacking on encrypted virtual copies served through the Cybric API.

Leveraging BRICs as Reusable Components for Operational Efficiency

The foundation of the Continuous Security Delivery Fabric is the concept of BRICs, which are comprehensive security templates that define IP-based targets, the security services and tools to run on defined schedules, and the actions to take to remediate a particular exploit or vulnerability. A typical integration workflow starts with defining the targets and target groups, including physical and virtual servers and applications. Next, the organization chooses which of its existing security tools to leverage, plus any additional software or web-based security services to purchase. The organization then creates a new BRIC or leverages a predefined one. Once the BRICs are activated, shadow containers of the production environments are created, and all security tasks are run in parallel across multiple containers, removing the risk and performance impact to the production environment. Finally, remediated changes are applied to the production environment via integration with the applicable automation tools, closing the exploit window for the vulnerabilities that were found. Two practical caveats follow from this design: a shadow copy reflects production only as of the moment it was taken, so findings should be tied to the copy’s timestamp and re-validated if production has changed since; and a fix proven on the copy still reaches production through the organization’s own automation and change control, which is where the exploit window actually closes.

Figure 2. A Typical Cybric Integration Workflow


Simple, Automated Security

ESG Lab tested the management interface for the Continuous Security Delivery Fabric to experience first-hand how easy it is to deploy and manage Cybric’s next-generation, automated security environment. In less than a minute and with just a few clicks, ESG Lab was able to set up a new fabric by providing account information and then selecting the subscription, initial BRIC templates, a copy data management (CDM) provider, and the security tools that we wished to leverage. Then, using the simple and intuitive graphical interface, ESG Lab performed nearly every task associated with managing and monitoring the entire simulated enterprise security environment. We easily switched between the fabricVUE, fabricOPS, fabricRX, and fabricHUB modules within the same interface by simply selecting the appropriate modules from a drop-down window.

Using the fabricVUE module, ESG Lab could gain insight into the entire security environment with an easy-to-read dashboard. The dashboard provided a “Risk Vector” for the entire environment that categorized potential vulnerabilities into high, medium, or low levels of risk. The dashboard also listed the top priority issues, number of issues found, and the number of issues fixed, and rolled these results into easy-to-read graphs and scores. The same information was available for each of the BRIC policies using fabricOPS, allowing similar insight into the security effectiveness of individual application environments. Figure 3 shows the summary at both the organizational and BRIC levels.

Figure 3. Organization-wide and BRIC-specific Risk and Efficiency Assessment Dashboards

ESG learned that Cybric’s automated, policy-based BRICs give an organization greater flexibility by removing the dependence on the production environment. BRICs can be created and run against shadow environments to evaluate and compare the effectiveness of commercial and open source security products and services, perform penetration testing, test patches and potential fixes, and much more, without impacting the production environment or placing it at risk. These shadow environments are provisioned on demand and include only the resources required by the task. ESG notes that this is well suited to elastic infrastructures, such as public infrastructure- or platform-as-a-service solutions that can automate compute and storage provisioning.

ESG Lab also explored the use of fabricOPS for creating and modifying BRICs. Each BRIC contained information on the targets against which a prescribed set of security services would be run. These targets could be chosen to focus security operations on particular environments, workloads, or applications simply by providing IP addresses or an entire subnet. BRICs also contained the specific security tasks to be orchestrated against the shadow targets, as well as the alerts, workflows, and remediation steps that fabricRX would take if a task found an exploitable vulnerability. Workflow integration can include tasks such as opening a ticket in a service automation platform such as ServiceNow.

BRICs can be fully customized, modified from an existing template, or collected from security vendors for incorporation into a security catalog to easily automate and enforce an organization’s security practices. Through the Integrations menu, ESG Lab was able to view and connect to tasks supplied by third-party security vendors such as Qualys, Rapid7, Core Security, Symantec, IBM, McAfee, and Veracode, as well as open-source options such as Metasploit. These tasks can be added to a BRIC by clicking the + icon in the task section of the BRIC workflow tab. ESG Lab also learned that Cybric plans to create a secure community where fully validated BRIC templates aimed at protecting particular solutions can be shared among organizations. Since a BRIC can trigger automated remediation against production, a shared template is executable policy and warrants the same review as any other code pulled in from outside the organization.
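To make the BRIC model concrete, the following is an added illustrative example written for this page, not Cybric’s code or API. It models a policy-as-code control in the shape the report describes: a target group given as IP addresses and CIDR ranges, scan tasks fanned out in parallel against a shadow copy of each host, findings rolled into the high/medium/low risk vector that the fabricVUE dashboard shows, and a per-BRIC policy deciding whether a finding is auto-remediated, ticketed, or only reported. Every name in it (Bric, run_bric, plan_remediation, the "ticket" action standing in for a ServiceNow hook) is an assumption, and the scanner output is constructed so the script runs offline.

```python
"""Illustrative policy-as-code model of a BRIC-style control.

Added example, not Cybric's code or API. The scanner is simulated with
constructed findings so the script runs offline; a real task would wrap a
third-party tool and point it at the shadow copy, not the production host.
"""
import ipaddress
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample scanner output keyed by (task, host).
SAMPLE_FINDINGS = {
    ("patch-audit", "10.0.1.10"): [("outdated OpenSSL package", "high")],
    ("tls-audit", "10.0.1.10"): [("weak TLS cipher suite enabled", "medium")],
    ("tls-audit", "10.0.1.11"): [("missing HSTS header", "low")],
}


@dataclass(frozen=True)
class Finding:
    target: str
    task: str
    title: str
    severity: str  # "low" | "medium" | "high"


@dataclass(frozen=True)
class Bric:
    """Hypothetical BRIC: targets, tasks, schedule and remediation thresholds."""
    name: str
    targets: tuple      # IP addresses and/or CIDR ranges
    tasks: tuple        # scan task names
    schedule: str       # e.g. "hourly"; the scheduler itself is out of scope here
    auto_fix_min: str   # findings at/above this severity are auto-remediated
    ticket_min: str     # findings at/above this (but below auto_fix_min) get a ticket


def expand_targets(targets):
    """Expand IPs and CIDRs into unique host addresses, sorted numerically."""
    hosts = set()
    for t in targets:
        if "/" in t:
            net = ipaddress.ip_network(t, strict=False)
            hosts.update(str(h) for h in net.hosts())
        else:
            hosts.add(str(ipaddress.ip_address(t)))
    return sorted(hosts, key=ipaddress.ip_address)


def scan_shadow(task, host):
    """Simulated scan of the shadow copy of `host`; returns Finding objects."""
    return [Finding(host, task, title, sev)
            for title, sev in SAMPLE_FINDINGS.get((task, host), [])]


def run_bric(bric, max_workers=8):
    """Fan every (task, host) pair out in parallel; results keep job order."""
    hosts = expand_targets(bric.targets)
    jobs = [(task, host) for task in bric.tasks for host in hosts]
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        batches = list(pool.map(lambda job: scan_shadow(*job), jobs))
    return [f for batch in batches for f in batch]


def risk_vector(findings):
    """Roll findings up into the high/medium/low counts a dashboard would show."""
    vector = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        vector[f.severity] += 1
    return vector


def plan_remediation(bric, findings):
    """Per finding: 'auto-fix', 'ticket' (hypothetical ticketing hook) or 'report'."""
    plan = []
    for f in findings:
        rank = SEVERITY_RANK[f.severity]
        if rank >= SEVERITY_RANK[bric.auto_fix_min]:
            action = "auto-fix"
        elif rank >= SEVERITY_RANK[bric.ticket_min]:
            action = "ticket"
        else:
            action = "report"
        plan.append((f.target, f.title, action))
    return plan


# Constructed example policy; 10.0.1.12 lies inside the /29, so it is deduplicated.
EXAMPLE_BRIC = Bric(
    name="web-tier-baseline",
    targets=("10.0.1.8/29", "10.0.1.12"),
    tasks=("patch-audit", "tls-audit"),
    schedule="hourly",
    auto_fix_min="high",
    ticket_min="medium",
)

if __name__ == "__main__":
    found = run_bric(EXAMPLE_BRIC)
    print("risk vector:", risk_vector(found))
    for target, title, action in plan_remediation(EXAMPLE_BRIC, found):
        print(f"{target:12} {action:9} {title}")
```

The thresholds are deliberately per BRIC rather than global: the same scan task can auto-fix in a development shadow copy and only ticket for a transaction-critical tier, which is the kind of policy a template shared between organizations would need reviewing for before it is activated.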

Why This Matters

Security is especially complex and costly in terms of time, people, and money in today’s data center. For any organization, the tasks of scanning, analyzing, and remediating security vulnerabilities and exploits are time-consuming and invasive. New applications, borderless infrastructure, and a growing set of threats exacerbate this reality and often lead to the development and deployment of additional security applications and an ever-growing pile of daunting remediation policies and procedures. And when it comes to meeting SLAs, scanning and patching production environments adversely impact performance and can result in costly downtime.

ESG believes Cybric’s approach to addressing these operational security issues has some unique dimensions. First, performing security functions against a shadow environment made up of containers that can be provisioned on demand represents an architecture that can expedite invasive security functions without impacting the production environment. Further, leveraging a framework powered by BRICs to instrument third-party security controls should yield greater efficiency and streamline workflows that would otherwise require interacting with a series of point tools.

ESG Lab validated the approach Cybric employs with the Continuous Security Delivery Fabric to automate and optimize the process of enterprise vulnerability scanning, exploit detection, and remediation. We deployed the framework in less than a minute, and explored how the intuitive user interface could be used to easily evaluate risk and apply automated security policies to shrink exploit windows. Cybric’s innovative approach to employing a virtualized shadow environment can help organizations improve their security posture and meet compliance requirements in less time, at a lower operational cost.

Cybric Use Case: Automated Security in a DevOps Environment

Cloud-based production environments are often deployed via continuous DevOps methodologies. While this increases the risk of introducing vulnerabilities, it also affords the opportunity to automate the orchestration of security best practices for notable gains in efficiency.

ESG Lab evaluated how Cybric’s Continuous Security Delivery Fabric could provide real-world value for organizations that leverage a DevOps methodology to manage software and operations. DevOps-centric organizations expect to gain efficiencies through the automation of procedures by integrating tools via APIs and scripts. Security vulnerability scanning and remediation can create problems, as these often-serialized tasks are not only manual and thus time-intensive, but can also require downtime for patching, which substantially impacts performance and availability. Since some developers make multiple copies of their development environments, and API-driven automation tools are employed to automatically provision fleets of workloads into production, it is all too easy for security vulnerabilities and potential exploits to be propagated across environments. In addition, inspecting modified code for vulnerabilities before checking it into a central repository can be time consuming and difficult to manage, and is thus a step that is too often skipped in the software development process.

Several attributes of the Cybric approach make it well suited to DevOps shops. First, many organizations that employ DevOps have moved their operations to the cloud, where they gain the advantages of on-demand resource allocation at scale, rich platform services, cloud-based CDM, and software-as-a-service. The infrastructure requirements of the Cybric Continuous Security Delivery Fabric fit such cloud environments well, because the fabric can use the elastic infrastructure for the shadow environments against which BRICs are applied. In addition, Cybric’s support for third-party APIs means that the Cybric solution can be integrated into DevOps ticketing systems, reporting infrastructures, and code management applications.

Cybric is actively developing a powerful, developer-defined security capability called fabricHUB. FabricHUB will seamlessly integrate into existing continuous development and delivery workflows, allowing organizations to build more secure applications faster. Organizations will be able to leverage the same BRICs used in production for application development to ensure delivery of secure end-user applications.


Figure 4. Sample BRIC Functionality for Penetration Testing in a DevOps Environment with Integrated Reporting

The Bigger Truth

Enterprise security has traditionally been under the network security umbrella, where controls such as intrusion detection and prevention, firewalls, and malware detonation/detection sandboxes are deployed on the wire and integrated with a security information and event management (SIEM) framework. The eroding network perimeter in the modern data center has necessitated a shift to a workload-centric security model. Continuous delivery via DevOps methodologies has created an opportunity to codify and thus automate security practices via API-driven automation. To support existing infrastructure investments, operate natively in elastic ones, and embrace DevOps methodologies, innovation is required.

Cybric’s Continuous Security Delivery Fabric is purpose-built to automate and orchestrate security best practices in the modern infrastructure. Creating a shadow environment against which security functions can be applied lends itself to use cases beyond finding and patching vulnerabilities; this includes the ability to validate system integrity and more without impacting the availability and performance of production environments, essential for transaction-intensive, mission-critical applications. The central operating convention of a BRIC and the ability to instrument preexisting security controls represents a framework approach that promises to unify visibility and control across the increasingly complex IT landscape. In terms of integrations and extensible APIs, the Cybric platform enables a DevOps approach to security automation, providing a level of operational efficiency that is well aligned with the fundamental value proposition of the cloud: agility.

Contemporary cybersecurity solutions should provide customers with a highly intuitive, workflow-centric user interface. ESG Lab validated that Cybric’s Continuous Security Delivery Fabric employs this approach for automating and optimizing enterprise vulnerability and exploit detection and remediation. It should be noted that while ESG Lab performed this testing at a very early stage in the development cycle, ESG intends to validate the technology in greater depth following the full release of the product. While Cybric’s technology is still in its early stages, what Cybric has delivered to date is impressive, and the vision of the complete solution is intriguing. By orchestrating and automating the security workflow, Cybric can deliver increased protection, value, and choice to organizations while embracing security vendors as valuable partners rather than as competitors. ESG Lab suggests that if your organization is looking to simplify and automate enterprise security and close the exploit window, you should keep a close eye on the availability of the Cybric Continuous Security Delivery Fabric.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188. This ESG Lab Spotlight was sponsored by Cybric.