Review: Predictively locking down security with Balbix

Balbix is technically a vulnerability manager, but it does that job so much better, and does so much more besides, that it breaks the bounds of its category.

If cybersecurity defenders could accurately predict when and how future attacks against their networks would take place, it would be far easier to commit limited resources where they do the most good. But precious few programs are designed to stop attacks in the so-called "left of boom" phase, before an incident actually occurs. Vulnerability managers do attack this problem head-on, but they suffer from several disadvantages: too little insight into the assets they protect, no ability to rank the vulnerabilities they find or predict which ones will be exploited, and the fact that identifying millions of vulnerabilities out of context is almost as bad as finding nothing at all.

Technically, Balbix is a vulnerability manager, but it is so far ahead of the pack that it is almost wrong to lump it in with products that simply populate a database or spreadsheet with discovered network problems. Instead, Balbix analyzes each vulnerable asset on the network: what kind of data it holds, how many users interact with it, whether it is public-facing, and other factors that determine its importance to the organization. It then compares each vulnerability against active threat feeds and predicts both the likelihood of a breach in the near future and the loss or harm the enterprise would suffer if that vulnerability were successfully exploited.

[Screenshot: Balbix likelihood of compromise. Credit: John Breeden II / IDG]

Going beyond just ranking risk elements, Balbix can predict how likely it is for an asset to be compromised given the way users interact with it and current intelligence from threat feeds.
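To make the ranking idea above concrete, here is an added example of contextual vulnerability prioritization. It is illustrative code written for this review, not Balbix's own algorithm or data: the scoring weights, the asset attributes (`public_facing`, `data_sensitivity`, `active_users`, `breach_cost_usd`), the threat-feed flags and the three sample findings are all constructed assumptions. The point it demonstrates is the one the paragraph makes: ranking by expected loss (likelihood of exploitation times cost of a breach) produces a different order than ranking by raw severity score alone.

```python
"""Contextual vulnerability prioritization (added illustration, not Balbix code).

Each finding is scored by expected loss = likelihood(exploit soon) * breach cost.
Likelihood blends base severity with exposure, threat intelligence and user
activity; every weight below is an assumed, constructed value.
"""
import math
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    public_facing: bool
    data_sensitivity: int   # assumed scale: 1 = public data .. 5 = regulated/secret
    active_users: int       # users who interact with the asset
    breach_cost_usd: float  # constructed estimate of loss if compromised


@dataclass(frozen=True)
class Finding:
    ident: str              # placeholder label, not a real CVE identifier
    asset: Asset
    cvss_base: float        # 0.0 .. 10.0
    exploited_in_wild: bool # flag as it would arrive from a threat feed (constructed)
    public_exploit: bool    # working exploit code is publicly available


def likelihood(f: Finding) -> float:
    """Score in [0, 1] estimating how likely this finding is exploited in the near term."""
    base = f.cvss_base / 10.0
    # Internet-reachable assets are far more likely to be hit than internal ones.
    exposure = 1.0 if f.asset.public_facing else 0.4
    # Threat-feed context dominates: active exploitation beats a public PoC beats neither.
    if f.exploited_in_wild:
        threat = 1.0
    elif f.public_exploit:
        threat = 0.6
    else:
        threat = 0.2
    # More users interacting with the asset means more phishing and lateral-movement paths.
    users = 1.0 + 0.1 * math.log10(1 + f.asset.active_users)
    return min(1.0, base * exposure * threat * users)


def expected_loss(f: Finding) -> float:
    """Expected cost of leaving this finding unfixed, in the asset's currency."""
    return likelihood(f) * f.asset.breach_cost_usd


def by_expected_loss(findings: List[Finding]) -> List[Finding]:
    """Contextual ranking: highest expected loss first."""
    return sorted(findings, key=expected_loss, reverse=True)


def by_cvss(findings: List[Finding]) -> List[Finding]:
    """Naive ranking a spreadsheet-style tool would give: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


# Constructed sample inventory: an isolated lab VM, a public CRM holding
# regulated customer data, and a public VPN gateway.
LAB_VM = Asset("lab-vm-17", public_facing=False, data_sensitivity=1,
               active_users=2, breach_cost_usd=5_000)
CRM_WEB = Asset("crm-web", public_facing=True, data_sensitivity=5,
                active_users=1_200, breach_cost_usd=2_000_000)
VPN_GW = Asset("vpn-gw", public_facing=True, data_sensitivity=3,
               active_users=3_000, breach_cost_usd=800_000)

SAMPLE_FINDINGS = [
    Finding("finding-1", LAB_VM, cvss_base=9.8, exploited_in_wild=False, public_exploit=False),
    Finding("finding-2", CRM_WEB, cvss_base=7.5, exploited_in_wild=True, public_exploit=True),
    Finding("finding-3", VPN_GW, cvss_base=8.8, exploited_in_wild=False, public_exploit=True),
]


if __name__ == "__main__":
    print("CVSS-only order:     ", [f.ident for f in by_cvss(SAMPLE_FINDINGS)])
    print("Expected-loss order: ", [f.ident for f in by_expected_loss(SAMPLE_FINDINGS)])
    for f in by_expected_loss(SAMPLE_FINDINGS):
        print(f"{f.ident:10s} {f.asset.name:10s} p={likelihood(f):.3f} "
              f"expected_loss=${expected_loss(f):,.0f}")
```

The CVSS-only ranking puts the 9.8 on the isolated lab VM first; the contextual ranking pushes it to the bottom because it is unexposed, unexploited and cheap to lose, and puts the actively exploited 7.5 on the public customer-data server at the top. In real tooling the exposure and threat factors would be fed by discovery data and live threat feeds rather than hand-set flags.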

In a sense, Balbix provides the same kind of service as a good security information and event management (SIEM) console, except that every threat it identifies is a potential problem rather than an active one, ranked by how critical it is to operations and how likely it is to be exploited. Testing Balbix felt like working with a sort of magical pre-SIEM device, and fixing problems before they manifest is far less stressful than dealing with ongoing attacks.

Balbix is deployed as three components. The brains of the system is a 1U appliance that can also be run as a virtual appliance. Its job is to collect vulnerability data from the other components, compress it, encrypt it and send it to a secure AWS cloud for processing. This reduces both the processing power needed inside the network and the bandwidth the system consumes, though it also means asset and vulnerability data leaves the network, which is worth accounting for in data-handling policy. The second component is a set of network sensors, physical or virtual, that monitor traffic into and within the network and are also used to discover network assets. Finally, agents can be installed on assets to give Balbix deeper insight into things like user behavior. Although the agents are optional, having them in place makes the product more effective.
