Review: Predictively locking down security with Balbix

If cybersecurity defenders could accurately predict when and how future attacks against their networks would take place, it would be a lot easier for organizations to commit their limited resources where they could do the most good. But there are precious few programs designed to stop attacks in the so-called “left of boom” area. Vulnerability managers do attack this problem head-on, but suffer from several disadvantages including not having enough insight into the assets they are protecting, no ability to rank or predict found vulnerabilities, and the fact that identifying millions of vulnerabilities out of context is almost as bad as not finding anything at all.

Technically, the Balbix program is a vulnerability manager, but it’s so advanced that it’s almost wrong to lump it into the same category as most of the others that simply populate a database or spreadsheet full of discovered network problems. Instead, Balbix is able to analyze each kind of vulnerable asset sitting on a network, what kind of data it holds, how many users interact with it, whether or not it’s public-facing, and other factors to determine its importance to an organization. It then compares each vulnerability with active threat feeds, and predicts the likelihood of a breach in the near future, as well as the loss or harm to the enterprise should it be successfully exploited.

John Breeden II / IDG

In a sense, Balbix is providing the same type of service as a good security information and event management (SIEM) console, only all the threats that it identifies are potential problems, ranked by how critical they are to operations and how likely they are to be exploited. When testing Balbix, it felt more like working with a sort of magical pre-SIEM device. And fixing problems before they actually manifest is far less stressful than dealing with ongoing threats.

Balbix is deployed in three components. The brains of the system is a 1U device that could also be configured as a virtual appliance. Its job is to collect vulnerability data from the other components, compress it, encrypt it, and send it to a secure AWS cloud for processing. This reduces the amount of processing power needed within the network as well as the amount of traffic the system needs to use. The second component is comprised of network sensors that monitor traffic through and within a network. These sensors are also used to find network assets, and can be virtual or physical. Finally, agents can be deployed onto assets to give Balbix even more insight into things like user behavior. Although agents are optional, having them in place can make the program more effective.

It takes about 15 minutes to deploy Balbix, and then about two days for the discovery process, depending on network size. Pricing is based on the number of assets being protected, with a yearly subscription fee to continue using the program.

John Breeden II / IDG

Working with a large testbed, Balbix was able to find 41,135 network assets. Of that group, it identified 69 of them as mission critical, something it was able to accomplish without human intervention. The mission critical assets were things like domain controllers that were serving the bulk of the user base or webservers that provided applications and web pages for the pubic. It also properly identified as critically important a database server that was filled with personal information and a workstation used by an admin superuser. If Balbix doesn’t catch something that should be considered critical, local users can add the missing asset to that category, but unlike most other vulnerability managers, training the program about network operations was completely unnecessary.

John Breeden II / IDG

Once assets are discovered and ranked by importance, Balbix examines each one to discover any vulnerabilities. But it goes beyond simply finding vulnerabilities and ranking them based on asset importance. The program also has access to several threat feeds, including ones that monitor chatter on the dark web. It additionally ranks vulnerabilities based on the likelihood that they are going to be exploited, either because of an ongoing threat campaign or even because hackers are talking about it. The rankings that Balbix provides are not unlike a Google page-rank type of score. Critical assets with vulnerabilities and any asset that is likely to soon be attacked filter to the top of the list.

Drilling down into specific vulnerabilities provides a lot of information about the problem. Balbix even breaks down discovered problems into one of nine categories, and then provides detailed information about suggested fixes.

As one example of a discovered vulnerability, the program found a server where the admin of that device was using the same password to access the machine as their LinkedIn account. It was able to discover this because the admin was accessing LinkedIn from a network asset and Balbix captured their password. Because LinkedIn suffered a previous password breach, and because this problem involved an administrator, this particular vulnerability was raised fairly high up the priority list.

Other discovered vulnerabilities included things like unpatched software or operating systems, again ranked by how likely an attacker would be to exploit it, and situations such as an asset that was being remotely managed by risky hosts.

John Breeden II / IDG

In addition to the ranking that Balbix conducts, users are free to type questions using natural language about the state of the network and vulnerabilities. For example, we were able to ask, “how many iPhones are connected to the network in our Mountain View offices?” Balbix answered, showing all of the smartphones and any vulnerabilities. Those iPhones were not initially listed very high in the vulnerability rankings, but we were able to quickly find them and read about recommended fixes as needed.

John Breeden II / IDG

And while Balbix can’t fix problems itself, it provides a detailed description of how to fix or otherwise protect the asset. And should that fix involve cybersecurity hardware or software, it can help users select the best product for the job.

Balbix has the ability to emulate various security devices and programs, and test how they would work if deployed against the specific vulnerabilities lurking within the protected network. Would Palo Alto or McAfee be a better fit? We simply selected them from the list and let Balbix tell us which would quash more vulnerabilities, or which would work to correct a specific vulnerability that we needed to quickly fix. This could be used to show a company comptroller that money spent on a specific cybersecurity tool would not be wasted.

John Breeden / IDG

Balbix is constantly monitoring the network and all discovered assets. Whenever we fixed a vulnerability, it was almost instantly reflected in the dashboard, especially when the optional program agents were deployed. The program also has a very good reporting tool that can show graphically how vulnerabilities change over time, which would be good for presentations from IT staff to their executives.

The Balbix program would be an invaluable asset for any organization regardless of their cybersecurity maturity level. Those just starting out on that journey could ensure that their critical assets were protected, while also using it to demonstrate what kinds of specific hardware and software could most effectively protect their network as they grew. More mature organizations could use it to find unknown vulnerabilities in their large enterprise deployments. And anyone could tap Balbix to deal with as many of their cybersecurity problems as possible to the far left of that infamous boom.