BigFix CyberFOCUS Analytics 1.0 is now available!

The BigFix team is pleased to announce the initial release of BigFix CyberFOCUS Analytics! This offering is included in the BigFix Lifecycle, Compliance, and Remediation suites. This application will enable Business executives, IT Security and Operations teams to collaborate much more effectively in an effort to discover, measure and manage ongoing threats and vulnerabilities. The initial release of BigFix CyberFOCUS Analytics correlates vulnerabilities from two perspectives.

  1. The CISA Known Exploited Vulnerabilities catalog (reference here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog) provides an enhanced mitigation perspective in alignment to vulnerabilities known to have active exploits as well as patched mitigations.

  2. MITRE ATT&CK® (reference here: https://attack.mitre.org/) provides an enhanced mitigation perspective in alignment with threat actor landscape (Advanced Persistent Threat - APT) to associated vulnerability and BigFix Fixlet content within BigFix.

This allows for enhanced and enriched prioritization perspective as the organization looks to mitigate vulnerabilities and threats.

Additionally, BigFix is introducing a concept we are calling “Protection Level Agreements” or PLAs. This release includes several default PLAs that allow organizations to measure and manage ongoing mitigation efforts in alignment with Business specifications.

The main features of this release are as follows:

  • 3 Out of the box Data Visuals to help organizations visualize and prioritize risk mitigation efforts:
    • CISA Known Exploited Vulnerabilities (KEV)
    • MITRE APT Groups
    • Protection Level Agreements
  • Ability to export data supporting the CIS KEV and MITRE APT data visuals
  • Interactive interface that allows relative drilldowns to assist in security and mitigation analysis
  • The report supports native Web Reports filtering capabilities to limit the scope of endpoints and/or Content

How to enable, along with additional information about this release:

Known limitations and Issues.

  • Currently there is no capability to export supporting PLA data (this capability will be delivered in an upcoming release)

  • The report is currently limited to External content only and specifically excludes Vulnerabilities for Windows Systems and BigFix Labs. Custom content sites are not evaluated within this release.

  • This report has been qualified on Chrome, Firefox & Safari. Internet Explorer is specifically not supported.

  • The Report may take some time to load depending on customer environment variables. Variables that affect report run time include:

    • System Resources - Web Reports
    • Number of Fixlets within the environment
    • Number of endpoints within the environment
    • Number of vulnerabilities

    For additional context, we have done numerous performance tests, and average load times depending on these variables typically are within 1 min – 5 mins. Environments varied from 20K – 384K endpoints. The report presents a progress bar to inform the user of progress. The report will render once the progress bar has reached 100%.

  • Certain browser and environment configurations may cause the report to “stutter” when hover over events occur with hyperlinks that have tool tips. This has been noted and experienced with Firefox or Chrome under rare circumstances. Should this occur, the user should attempt to use another browser.

  • The CISA chart, when viewed by CVE release date, shows no date on the X-axis. The left portion of the X-axis can be considered “Then” while the right portion of the X-axis can be considered “Now”

  • The CISA KEV CVSS field is based upon CVSS v3. Some of the vulnerabilities associated in the CISA KEV predate CVSS v3, and thus do not have CVSS v3 metadata to provide.

Useful links

5 Likes

Am I correct that adding the site will likely require refreshing and propagating the license file, which requires bouncing the service? And interrupting connected Windows consoles?

Yes, thank you for bringing this up. Being a new site, your Server will likely need to propagate an updated license before the ‘CyberFOCUS’ site appears in the License Overview Dashboard.

Please see https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_licensing_update_upgrade.html for reference/details.

@Aram - I found that the Vulnerability Reporting site was a duplicate of the CyberFOCUS site (for the most part). Is this site deprecated?

Anyone have any idea why my MITRE APT tab and PLA tab would be empty today, but they had data populated yesterday? The version is still 3 on the external site so that doesn’t appear to have changed between yesterday and today.

The CISA KEV tab is still populated like it was yesterday.

This is very odd considering the calls are mostly the same between MITRE and CISA… just for sanity, perhaps try to restart the web reports server, and see if you can reproduce it in a clean slate. If you can reproduce it, I would open a ticket and supply the debug logs (you can get this by clicking the hamburger on the top, clicking “View Debug”, scrolling down and clicking Download Logs). The logs should help us determine what's occurring.

I'm hopeful it's a transient issue. But if it's not, we will figure it out…

Thx

Mike

Thank you, I will try to reproduce it in the morning and open a ticket if needed.

I apologize for never updating this; this appears to have been tied to debug logging being enabled on the webreports server. The server had been rebooted several times as well as the service being restarted and neither helped. When I went to go enable debug logging to try to capture logs while it was occurring, I noticed debug logs had apparently been left on from some prior issue and after disabling debug logging and restarting the service again, it started populating. I was able to duplicate it again by starting debug logging on my webreports server, so maybe it’s just overburdened in the process while debug logging is enabled. Ideally debug logging shouldn’t be left on for very long so I don’t imagine this would be likely to see from anyone else.

2 Likes
