HCL BigFix integration

IBM QRadar Vulnerability Manager integrates with HCL BigFix to help you filter and prioritize the vulnerabilities that can be fixed.

Why use BigFix capabilities with vulnerability management?

Previously known as IBM Security Endpoint Manager, BigFix provides shared visibility and control between IT operations and security. BigFix remediates the high-priority vulnerabilities that QRadar Vulnerability Manager identifies and sends to it by applying Fixlets. Fixlets are packages that you deploy to your assets or endpoints to remediate specific vulnerabilities. You can deploy a Fixlet to many assets or endpoints at the same time from the Manage Vulnerable Computers dashboard on the BigFix console.

Use the Manage Vulnerable Computers dashboard on the BigFix console to manage and control a network of hundreds of thousands of assets or endpoints across a range of platforms and devices in any geographical location.

How to remediate vulnerabilities with BigFix?

BigFix provides a dashboard that is integrated with QRadar Vulnerability Manager. Use this dashboard on the BigFix console to view and remediate vulnerabilities that are detected and sent by QRadar Vulnerability Manager.

To see QRadar Vulnerability Manager vulnerability data in the BigFix console, configure QRadar Vulnerability Manager, and then configure BigFix to process the vulnerability data that is sent from QRadar Vulnerability Manager. For information about configuring BigFix, see the IBM® BigFix QRadar® User Guide.

How do QRadar Vulnerability Manager and BigFix work together?

QRadar Vulnerability Manager scans your assets or endpoints for vulnerabilities and assigns each vulnerability a risk score, which represents the risk level that the vulnerability poses to your organization. The risk score parameter in the BigFix adapter sets the threshold that a vulnerability must meet before QRadar Vulnerability Manager sends it to BigFix for remediation; vulnerabilities below that threshold are not sent. Each vulnerability that QRadar Vulnerability Manager sends to BigFix is identified by its CVE ID.

Learn more about how vulnerability data is identified and handled:
The following list describes how QRadar Vulnerability Manager and BigFix handle vulnerability data that is identified by CVEs (Common Vulnerabilities and Exposures).
  • QRadar Vulnerability Manager sends only vulnerabilities that have CVE IDs to BigFix. A vulnerability without a CVE ID is never sent, regardless of its risk score.
  • QRadar Vulnerability Manager sends all CVE IDs that are associated with a single vulnerability to BigFix. Some vulnerabilities have many CVE IDs.
  • When the same CVE ID is associated with two or more vulnerabilities, QRadar Vulnerability Manager sends only the vulnerability with the highest risk score to BigFix.

    For example, the CVE ID CVE-2016-0015 is associated with two different vulnerabilities in QRadar Vulnerability Manager. Only the high-risk vulnerability (vulnerability ID 169296) is sent to BigFix; the medium-risk vulnerability (vulnerability ID 169243) is not.

    CVE-2016-0015
      Name: MS16-007 - Microsoft - DirectShow - Code Execution Issue
      Vulnerability ID: 169296
      CVE: 2016-0015
      Risk: High

      Name: Microsoft Windows DirectShow code execution
      Vulnerability ID: 169243
      CVE: 2016-0015
      Risk: Medium
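The three CVE handling rules above, together with the adapter's risk threshold, decide what reaches BigFix. The following is an added example, not QRadar or BigFix product code, that applies those rules to constructed sample records. The record layout, the ordering of the risk levels, the tie-breaking choice and the minimum-risk threshold (a stand-in for the adapter's numeric risk score parameter) are assumptions for the example; the two DirectShow records reproduce the figures shown on the page.

```python
"""Added example, not QRadar or BigFix product code: the CVE handling rules
described above, applied to constructed sample records. The record layout,
the risk ranking and the 'minimum risk' threshold (a stand-in for the adapter's
risk score parameter) are assumptions; the DirectShow pair matches the page."""
from dataclasses import dataclass, field

# Assumed ordering of the risk levels used on the page.
RISK_RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Vulnerability:
    vuln_id: int
    name: str
    risk: str
    cves: list = field(default_factory=list)  # zero, one or many CVE IDs


# Constructed sample data: the page's DirectShow pair plus three made-up
# records (IDs 9000xx) that exercise the other rules.
SAMPLE = [
    Vulnerability(169296, "MS16-007 - Microsoft - DirectShow - Code Execution Issue",
                  "High", ["CVE-2016-0015"]),
    Vulnerability(169243, "Microsoft Windows DirectShow code execution",
                  "Medium", ["CVE-2016-0015"]),
    Vulnerability(900001, "Constructed: vulnerability with two CVEs",
                  "High", ["CVE-2016-0001", "CVE-2016-0002"]),
    Vulnerability(900002, "Constructed: finding with no CVE", "High", []),
    Vulnerability(900003, "Constructed: low-risk vulnerability",
                  "Low", ["CVE-2016-0003"]),
]


def select_for_bigfix(vulns, min_risk="Medium"):
    """Return {cve_id: Vulnerability} describing what would be sent to BigFix.

    Rules, in order:
      1. records without a CVE ID are never sent;
      2. records below the risk threshold are filtered out;
      3. every CVE ID of a surviving record is sent;
      4. when one CVE ID belongs to several records, only the record with the
         highest risk is kept (first seen wins on a tie; an assumption).
    """
    chosen = {}
    for v in vulns:
        if not v.cves:                                   # rule 1
            continue
        if RISK_RANK[v.risk] < RISK_RANK[min_risk]:      # rule 2
            continue
        for cve in v.cves:                               # rule 3
            current = chosen.get(cve)
            if current is None or RISK_RANK[v.risk] > RISK_RANK[current.risk]:
                chosen[cve] = v                          # rule 4
    return chosen


if __name__ == "__main__":
    for cve, v in sorted(select_for_bigfix(SAMPLE).items()):
        print(f"{cve}: vulnerability {v.vuln_id} ({v.risk}) - {v.name}")
```

With the default threshold the example sends CVE-2016-0015 (from vulnerability 169296 only), CVE-2016-0001 and CVE-2016-0002; the record without a CVE is dropped even though it is high risk, and the low-risk record appears only if the threshold is lowered.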

BigFix receives the vulnerability data, including risk scores and CVE IDs, from QRadar Vulnerability Manager and displays it on the Manage Vulnerable Computers dashboard. Use that dashboard on the BigFix console to view and manage the vulnerabilities that QRadar Vulnerability Manager sends. BigFix remediates a high-risk vulnerability for which it has a Fixlet by applying the Fixlet directly to the asset or endpoint; vulnerabilities without a matching Fixlet remain visible on the dashboard but are not remediated automatically. QRadar Vulnerability Manager retrieves vulnerability fix status updates from BigFix Web Reports by using the SOAP API.
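The return path, in which QRadar Vulnerability Manager asks BigFix Web Reports for fix status over SOAP and maps the answer back to the CVEs it sent, is shown below as an added example. It is not QRadar or BigFix product code. The request is modelled on the Web Reports GetRelevanceResult operation, but the envelope layout, the relevance expression, the response element names, the "CVE|status" result format and the status vocabulary are all assumptions for this example. No network call is made; a constructed response is parsed instead.

```python
"""Added example, not QRadar or BigFix product code: one polling cycle in
which fix status is requested from a BigFix Web Reports-style SOAP endpoint
and mapped back to the CVE IDs that were sent for remediation. The envelope
layout, operation name, relevance expression, response element names, the
'CVE|status' result format and the status vocabulary are assumptions for this
example. No network call is made: a constructed response is parsed."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)

# Illustrative placeholder only; the real query depends on the BigFix
# content (Fixlets, analyses) deployed in your environment.
RELEVANCE = "fix status of each remediated CVE"

STATUSES = {"Fixed", "Scheduled", "Not fixed"}   # assumed vocabulary


def build_request(relevance, username, password):
    """Build a GetRelevanceResult-style SOAP envelope (assumed layout).
    The credentials travel in the body, so never log the returned bytes."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, "GetRelevanceResult")
    ET.SubElement(op, "relevanceExpr").text = relevance
    ET.SubElement(op, "username").text = username
    ET.SubElement(op, "password").text = password
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_fix_status(response_xml):
    """Map CVE ID -> status from the <string> children of the response.
    Malformed rows and unexpected status words are skipped rather than
    trusted, so a bad row can never mark a vulnerability as fixed."""
    root = ET.fromstring(response_xml)
    statuses = {}
    for el in root.iter():
        if el.tag.split("}")[-1] != "string" or not el.text:
            continue
        cve, sep, status = el.text.partition("|")
        if not sep or status not in STATUSES or not cve.startswith("CVE-"):
            continue
        statuses[cve] = status
    return statuses


def reconcile(sent_cves, statuses):
    """Every CVE that was sent gets a status; anything BigFix did not report
    (for example, because no Fixlet exists for it) is 'Unknown'."""
    return {cve: statuses.get(cve, "Unknown") for cve in sent_cves}


# Constructed response. The namespace is a placeholder, not a BigFix one, and
# the last two rows are deliberately malformed to exercise the checks.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetRelevanceResultResponse xmlns="urn:example:webreports">
      <string>CVE-2016-0015|Fixed</string>
      <string>CVE-2016-0001|Scheduled</string>
      <string>CVE-2016-0002|Not fixed</string>
      <string>garbage without a separator</string>
      <string>CVE-2016-0004|Rebooted</string>
    </GetRelevanceResultResponse>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(build_request(RELEVANCE, "qvm", "secret").decode())
    sent = ["CVE-2016-0015", "CVE-2016-0001", "CVE-2016-0002", "CVE-2016-0099"]
    print(reconcile(sent, parse_fix_status(SAMPLE_RESPONSE)))
```

The reconcile step is the part that matters operationally: a CVE that was sent but never reported back stays "Unknown" rather than silently dropping out of view, which is what you want when BigFix has no Fixlet for it.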

How to extend BigFix to QRadar Risk Manager?

If you have a QRadar Risk Manager installation, you can use risk policies in QRadar Risk Manager to further refine your asset risk scores. When a risk policy that you define in QRadar Risk Manager passes or fails, the vulnerability risk scores in QRadar Vulnerability Manager are adjusted accordingly, so you can reprioritize the vulnerabilities that require immediate attention. If you apply risk policies to an asset in QRadar Risk Manager, the risk scores for all the vulnerabilities on that asset are adjusted. For more information, see the QRadar Risk Manager user guide.

Vulnerability remediation

Depending on whether you installed and integrated BigFix, QRadar Vulnerability Manager provides the following information about your vulnerabilities.
If BigFix is not installed
QRadar Vulnerability Manager provides daily updates about vulnerabilities for which a fix is available.

QRadar Vulnerability Manager maintains a list of vulnerability fix information. Fix information is correlated against the known vulnerability catalog.

Use search in QRadar Vulnerability Manager to identify vulnerabilities that have an available fix.

If BigFix is installed
QRadar Vulnerability Manager also provides specific details about the vulnerability fix process. For example, a fix might be scheduled, or an asset might already be fixed.

The BigFix server gathers fix information from each of the BigFix agents. QRadar Vulnerability Manager gets updates on vulnerability fix information from the BigFix server at preconfigured time intervals.

Use search in QRadar Vulnerability Manager to identify vulnerabilities that are scheduled to be fixed or are already fixed.

Integration components

A typical integrated deployment consists of the following components:
  • IBM QRadar Console.
  • QRadar Vulnerability Manager.
  • BigFix server.
  • BigFix agent on each scan target in your network.