Vendor Provided Validation Details - BigFix Security Configuration and Vulnerability Management Pack 8
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.
Statement of FDCC Scanner Implementation
The BigFix Security Configuration and Vulnerability Management solution pack and BigFix Platform will run natively within an FDCC hardened environment and require no change deviations from the FDCC standard on any platform.
However, running the BigFix solution may slow down the performance and ability of a BigFix agent to receive requests from the server. The BigFix agent receives server requests from the server on port 52311. In order for this functionality to work efficiently, the Windows Firewall will need to be modified to allow communication to this port.
If a customer does not open this port, the BigFix agent will proactively reach out to the server every 15 minutes, by default, to receive an update and identify anything new. Thus, the solution does not require changes to the FDCC default configuration.
Statement of Authenticated Configuration Scanner Implementation
Same as Statement of FDCC Scanner Implementation
Statement of Authenticated Vulnerability and Patch Scanner Implementation
Same as Statement of FDCC Scanner Implementation
Statement of SCAP Implementation
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.
BigFix exists to maintain the health and improve the security of every computing device in the world – fixed or mobile – physical or virtual – through a high-performance, single infrastructure, single console, and single agent solution. Any device, anywhere, anytime! The BigFix unified management platform provides high-performance systems and security management solutions for systems lifecycle management, endpoint protection, and security configuration and vulnerability management.
The BigFix Security Configuration and Vulnerability Management solution pack has adopted and now supports the use of SCAP to generate mis-configuration, vulnerability, and patch based assessment rules so organizations can discover and report on software vulnerabilities, assess the impact of those vulnerabilities, enumerate and remediate the mis-configurations identified, and report on the current state of a system based on the SCAP defined policy definitions. BigFix consumes a SCAP-expressed data stream, produces a set of policies known as Fixlet messages, and delivers real-time assessment and remediation on a global scale.
BigFix managed systems continuously discover, assess, secure and remediate themselves according to an organization's SCAP-based policies and practices as well as the operating context in which it finds itself – mobile, connected, disconnected, etc. Without requiring significant investments in dedicated hardware, management resources, or professional services, BigFix automates enterprise-scale desktop and server management, malware defences, and IT policy enforcement without compromising network performance, end-user productivity, or security. BigFix delivers superior, customer-documented, return on investment by reducing labor and infrastructure costs and automating critical management functions.
Statement of CVE Implementation
Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information security vulnerabilities and exposures that are used by both public and private sectors to enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
BigFix is a leading global provider of high-performance systems and security management software for organizations. One of the many features of the Security Configuration and Vulnerability Management Platform includes the ability to discover and report on software vulnerabilities for many different computing platforms. BigFix has actively supported CVE for several versions of the product and enjoys a mature product integration with CVE content. For any given security patch or vulnerability that has an associated CVE ID, BigFix will display that CVE ID within the BigFix Management Console. In the case where a single vulnerability is associated with multiple CVE IDs, all will be cross-referenced and displayed.
Users can easily find the CVE ID associated with a given security patch or vulnerability by opening the BigFix Management Console and navigating to a Patch or Vulnerability Fixlet Site, double-clicking on a relevant Fixlet, selecting the Details tab, and viewing the CVE ID. The CVE ID is also accessible from other views within the product and can be leveraged as part of the reporting criteria for detailed reports and summary reports on individual end-point systems or for a large group of systems reported on in the aggregate.
Statement of CCE Implementation
Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE Identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.
BigFix is a leading global provider of high-performance systems and security management software for organizations. One of the many features of the Security Configuration and Vulnerability Management solution pack includes the ability to assess workstations, laptops, servers and mobile computing devices against common configuration settings to identify mis-configuration states in a heterogeneous computing environment. BigFix fully supports CCE and displays the CCE ID for each mis-configuration for which there is a CCE ID within the BigFix Management Console. In the case where a mis-configuration is associated with multiple CCE IDs, all will be cross-referenced and displayed.
Users can easily find the CCE ID associated with a configuration setting by opening the BigFix Management Console and navigating to a configuration setting consumed from an SCAP-expressed data stream, clicking on a Fixlet message that represents a configuration setting, and viewing the Source ID column. The Source ID will display the CCE ID. The CCE ID is also accessible from other views within the product and can be leveraged as part of the reporting criteria for detailed reports and summary reports on individual end-point systems or for a large group of systems reported on in the aggregate.
Statement of CPE Implementation
CPE is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name.
BigFix is a leading global provider of high-performance systems and security management software for organizations. One of the many features of the Security Configuration and Vulnerability Management solution pack includes the ability to leverage the CPE as a check and balance to ensure that configuration settings are assessed on the correct system. Whether the system is a Windows XP, Vista, 2000, 2003, Unix or other technology platform, the CPE ID can be used to uniquely identify a given platform and ensure that assessment is done appropriately.
BigFix customers can easily optimize the assessment and remediation of system configurations by targeting systems by platform, in addition to numerous other targeting mechanisms. By targeting a particular platform, customers can eliminate the overhead of scanning systems inappropriately and against configuration checks that have no applicability. Configuration checks are assessed in real-time based on the platform and policies can be enforced, enabling administrators to have real-time visibility and control over platforms as needed in a distributed or non-distributed computing environment.
Statement of CVSS Implementation
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores.
BigFix is a leading provider of high-performance systems and security management software for organizations. One of the many features of the Security Configuration and Vulnerability Management solution pack includes the ability to assess and report on vulnerabilities and the ability to quantify the impact of those vulnerabilities for multiple computing platforms. BigFix fully supports the CVSS standard and displays both the CVSS base score for each applicable vulnerability and the CVSS Base Score Vector used to produce the score.
BigFix administrators can access the CVSS score and the associated vector string from within the BigFix Management Console. For additional detail, administrators can navigate to the desired vulnerability definition from within the Fixlet messages. BigFix provides a link for administrators to connect to the CVSS definition located on the NVD web site. The BigFix Platform is a powerful tool that further enhances the value of CVSS by displaying this common metric for both detailed reports on individual end-point systems or for a large group of systems reported on in the aggregate.
Statement of OVAL Implementation
The Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. The OVAL language is a collection of XML schema for representing system information, expressing specific machine states, and reporting the results of an assessment.
BigFix is a leading provider of high-performance systems and security management software for enterprise customers and has been certified as OVAL Compatible since October 2006. Through a repository of vulnerability assessment policies, BigFix provides its customers with the ability to assess their managed computers against OVAL vulnerability definitions using real-time data tracking based on the data elements of each definition. These policies are automatically retrieved by the BigFix product within an organization's network. Once validated for authenticity, the policies are made available to the BigFix client installed on each managed computer and added to their local library of configuration policies. The agent quietly and continuously evaluates the state of the machine against each policy so that any instance of non-compliance can be immediately reported to the BigFix Server for review by an administrator. If pre-authorized by an administrator, the appropriate corrective action will be applied to the computer immediately upon mis-configuration detection — even to remote or mobile users who are not connected to the organization's network.
Statement of XCCDF Implementation
The Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems and is the core element to the SCAP-expressed data stream. The specification also defines a data model and format for storing benchmark compliance testing results.
BigFix is a leading provider of high-performance systems and security management software for organizations. One of the many features of the Security Configuration and Vulnerability Management solution pack includes the ability to consume a SCAP-Expressed data stream, which includes the XCCDF component, and translate the underlying configuration checks that are defined into BigFix-compatible Fixlet messages. These Fixlet messages enable administrators to assess their computing assets against the SCAP defined configuration rules in real-time across one, thousands, or hundreds of thousands of endpoints regardless of location.
Once the SCAP converted configuration rules are imported into the BigFix Console, any system under BigFix management control, both on the managed network and off the managed network, can begin to immediately assess themselves against the defined configuration rules. The results of those configuration checks are relayed to the BigFix Console where administrators can view the results and generate detailed reports on an individual system or large groups of systems in the aggregate.
BigFix also provides the ability to export the results of the configuration checks into the defined XCCDF report format such that the organization can easily store those reports or send the report to another party.