
IBM BigFix Patch Management Overview

by Stephanie Dunn
March 8, 2017

Patch management solutions provide a way for organizations to automate the deployment and installation of patches throughout the enterprise. Unfortunately, these solutions can fail to detect vulnerabilities on systems connecting in between patch cycles, or managed systems that have fallen out of scope. Organizations can face additional risks from isolated or stand-alone systems that are patched on an infrequent basis. This dashboard presents a summary of vulnerabilities reported by IBM BigFix, which can be used to determine whether vulnerabilities are being patched effectively.

IBM BigFix (formerly IBM Tivoli Endpoint Manager) provides organizations with a centralized console to manage and deploy patches on a variety of platforms, including mobile devices, across the enterprise. This solution will help organizations to inventory and manage network assets effectively, but may not always account for every system or device on the network. Tenable SecurityCenter Continuous View (CV) provides organizations with the additional coverage needed to identify vulnerabilities on systems that patch management solutions may not be aware of. Organizations can create temporary virtualized systems, or have a Bring Your Own Device (BYOD) policy in place where systems only connect to the network periodically. Using active scanning, SecurityCenter provides additional coverage to monitor for missing or unknown systems and devices on the network. Scans can also account for unmanaged systems that may be patched on an infrequent basis, or detect managed clients that have fallen out of scope.

The IBM BigFix Patch Management Overview dashboard provides a comprehensive look at Microsoft Security Bulletin vulnerabilities detected by BigFix. Vulnerability data collected by Nessus can be used to determine whether BigFix is reporting any outdated or inaccurate information from managed hosts. Systems are scanned to identify managed clients and event data. Patch reports collected from managed hosts provide analysts with a full summary of hotfixes, security advisories, and other patches that need to be applied. Data will also report on hosts that are not communicating properly or that may have fallen out of scope. Organizations can use the information provided within this dashboard to strengthen overall network security and improve patch management efforts.

This dashboard is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Discovery & Detection. The dashboard requirements are:

  • SecurityCenter 5.4.2
  • Nessus 6.10.0
  • LCE 5.0.0

Tenable SecurityCenter Continuous View (CV) provides continuous network monitoring to identify vulnerabilities, reduce risk, and effectively monitor patch management solutions. SecurityCenter CV is continuously updated to detect advanced threats and vulnerabilities. Active scanning periodically examines systems to determine vulnerabilities and compliance concerns on network assets. Agent scanning enables scanning and detection of vulnerabilities on transient and isolated devices. Host data and data from other security products are analyzed to monitor events captured from patch management solutions on the network. Using SecurityCenter CV, organizations will obtain the most comprehensive view of the network and the intelligence needed to support proactive patch management efforts.

The following components are included within this dashboard:

  • IBM BigFix Patch Management - BigFix Vulnerability Trend: This chart presents a trend of both current and previously mitigated vulnerabilities reported by IBM BigFix over the last seven days. Information presented within this component can provide organizations with a comprehensive view into how often systems are being scanned, patched, and rescanned. The “Current” trend line will report on the number of vulnerabilities collected from BigFix using the “Never Mitigated” filter. The “Previously Mitigated” trend line includes the number of vulnerabilities that have moved from the mitigated section to the active section. Previously Mitigated or recurring vulnerabilities can be the result of systems not being restarted after a patch was applied, virtual systems reverting to previous snapshots, or services that were disabled or failed to restart. Organizations can use this component to focus efforts on remediating both current and previously mitigated vulnerabilities.
  • IBM BigFix Patch Management - BigFix Detected Vulnerabilities: This component provides a summary of Microsoft Bulletin vulnerabilities detected by an IBM BigFix (formerly IBM Tivoli Endpoint Manager) server. The rows include vulnerabilities at each severity level discovered within the Windows: Microsoft Bulletins Plugin Family. The columns include the total number of vulnerabilities discovered, number of vulnerabilities discovered by Nessus that IBM BigFix is reporting as vulnerable, number of mitigated vulnerabilities, and percentage of exploitable vulnerabilities. Information presented within this component can be used to discover whether vulnerabilities are being patched in a timely manner through IBM BigFix. This data can also be used to identify any systems reporting outdated vulnerability information.
  • IBM BigFix Patch Management - Nessus Detected Vulnerabilities: This component provides a summary of Microsoft Bulletin vulnerabilities detected by Nessus that have been reported as not vulnerable by an IBM BigFix (formerly IBM Tivoli Endpoint Manager) server. The rows include vulnerabilities at each severity level discovered within the Windows: Microsoft Bulletins Plugin Family. The columns include the total number of vulnerabilities discovered by IBM BigFix, number of vulnerabilities discovered by Nessus that IBM BigFix is reporting as not vulnerable, number of mitigated vulnerabilities, and percentage of exploitable vulnerabilities. Information presented within this component can be used by the analyst to identify how often systems are being patched by IBM BigFix and whether current security settings need to be modified.
  • IBM BigFix Patch Management - Unmanaged Vulnerabilities: This component provides a summary of vulnerabilities detected by Nessus on hosts not managed by patch management systems. The rows include vulnerabilities at each severity level discovered within the Windows: Microsoft Bulletins Plugin Family. The columns include the total number of vulnerabilities discovered on unmanaged systems, number of mitigated vulnerabilities, and percentage of exploitable vulnerabilities. This matrix provides targeted information analysts need to compare the effectiveness of patch management efforts, and whether current security settings need to be modified.
  • IBM BigFix Patch Management - Client Detection Per Class C: This chart presents a Class C summary of hosts managed by an IBM BigFix (formerly IBM Tivoli Endpoint Manager) server. Nessus actively scans hosts to determine whether BigFix clients are installed. Having an enterprise-wide patch management solution will assist in strengthening the organization’s overall security posture. Using Nessus plugin 19506, information is collected on hosts managed by IBM BigFix. By drilling down, analysts can obtain additional information on managed hosts, which can be used to identify hosts that may not be fully patched or included in the patch management process.
  • IBM BigFix Patch Management - BigFix Patch Management Events: This component includes a summary of events reported by IBM BigFix (formerly IBM Tivoli Endpoint Manager) over the last 72 hours. The list is sorted in descending order by the number of events reported from BigFix. Logs from BigFix are forwarded to the LCE server. LCE can detect changes in patch management solutions that analysts can monitor to determine if further action is needed. Event data in this component may include information on packages being downloaded, patch installation errors, and system restarts. Analysts can modify this component to include specific normalized events per organizational requirements.
  • IBM BigFix Patch Management - BigFix Patch Report: This table presents a summary of hosts managed by IBM BigFix (formerly IBM Tivoli Endpoint Manager) where a patch report summary has been collected. Other components within this dashboard report on Microsoft Bulletin vulnerabilities on Windows hosts managed by BigFix. Using Nessus plugin 62561, this component will provide a full summary of missing patches from managed systems. By clicking on the Browse Component Data icon and changing the tool to Vulnerability Detail List, analysts will obtain a full summary of hotfixes, security advisories, and other patches that need to be applied. Data will also report on hosts that are not communicating properly or that may have fallen out of scope. Using this information, analysts will obtain the critical context needed to strengthen remediation efforts within the organization.