Security Configuration Management Reporting

(imported topic written by Jim_Hansen91)

Hi all,

I am the product manager here at BigFix responsible for the IT Policy Enforcement content suite. This includes patch management, vulnerability assessment, asset discovery, DLP, NAC and Security Configuration Management (SCM).

We recently announced that we will be releasing an updated SCM offering designed to provide ready-to-deploy support for various industry best practice security configuration templates, such as DISA Security Technical Implementation Guides (STIG) and Center for Internet Security (CIS) benchmarks, for both Unix and Windows systems. The core of the solution will include a large library of technical controls, represented within BigFix as individual fixlets, that can be used to assess and later remediate specific configuration settings on systems within the enterprise. You can read the press release for more details.

The purpose for this post is to solicit some feedback and ideas from you, our customers, as to the types of reports your organization is interested in and/or has a need to report on. This may include an operational view of the infrastructure or reporting that is required for management, executives, auditors or other interested parties within the organization.

I am very interested in having some discussions with you to discuss this and better understand your needs on the reporting front. If you are interested in learning more and would like to talk with me, please contact me. I am interested in hearing your thoughts, learning more about how your organization functions, and how the information that BigFix has can be more easily distributed to folks within your organization that need it.

Thank you and I’m looking forward to hearing back!!!

Regards,

Jim Hansen

Sr. Product Manager

jim_hansen@bigfix.com

(imported comment written by mld91)

Jim;

A timely subject. I work in the public sector (local Government). Here are a few thoughts on SCM:

A recent Office of Management and Budget (OMB) announcement requires federal agencies to standardize desktop configurations to meet Federal Desktop Core Configuration (FDCC) standards. This applies to Windows XP and Vista Desktops. On a local and state level they don’t apply; however, I think most will adopt this standard.

I think it would be a great place to start and a good selling point to your gov’t customers. We are a new bigfix customer and I would like to implement this standard as our baseline, and I would be more than happy to work with bigfix and serve as a case study in turn for you guys working with us developing and implementing the standard.

HIPAA and FISMA are a few others; however, I think this FDCC is a perfect project for bigfix. It is not that complex and applies to desktops only.

Thanks for your consideration.

Mark Dorry, CIO

County of Albany, NY

(imported comment written by Jim_Hansen91)

Hi Mark,

As you indicated, interesting timing. Earlier this morning I conducted a webinar on the FDCC standard and BigFix’s plans to support that standard. I would love to talk with you in more detail, learn a bit more about your organization and thoughts on the subject. I should have access to your contact information and will contact you in the next day or two.

Thank you!

Regards,

Jim

(imported comment written by Jim_Hansen91)

Hi All,

For those who may have missed the webinar on FDCC, feel free to take a look. The recorded webinar can be found here:

Webinar Recording: https://bigfix.webex.com/bigfix/nbrshared.php?action=playback&recordID=20571987&recordKey=793389D57B24E8B8C0D98D487A87C29CFCA82B1B736131963EBC0A601A6CF97A

Regards,

Jim

(imported comment written by SystemAdmin)

Jim,

As you know from our Webex the other week - we were very impressed with the upcoming offering. The reporting structure was very powerful - and I look forward to that format being spread out among the other sites as well. We were originally interested in SCM for vulnerability scanning - however, seeing how we can also have standard server baselines is huge.

Right now, when any one of our 20 engineers builds a new server - there is basically no standardization. And many times other engineers inherit other servers - and it can take time to familiarize oneself with how someone else built the box. Having a standard basic server image - and then utilizing BES to then make sure the system is brought up to a company standard (not only with security in mind - but with standard versions of Adobe Reader, AV, etc.) is huge!

And of course the ability to then report on systems out of compliance… sweet!

We look forward to seeing the final product.

Cheers,

Mike

(imported comment written by MartinZ91)

Jim,

I found this thread about the announcement of CIS compliance tasks/fixlets. I assume this site contains fixlets/tasks which allow one to calculate the CIS score or similar security metrics. Those would be really helpful to get a fast overview of the security state of our computers. Of course we would need this not just for Microsoft Windows.

But I cannot find a real product/fixlet site, is this feature not yet released? Where can I find the corresponding information?

regards

(imported comment written by Jim_Hansen91)

Hi MartinZ,

The initial posting indicated that we were looking to implement CIS templates and offer those templates to our customers as part of the SCM offering. Since that posting, CIS changed their data format from using INF based configuration files to using XCCDF / OVAL to define their configuration guidance.

We now support this new data format through the FDCC initiative and I can point you in the right direction. If you want to contact me, feel free to do so and I can point you in the right direction so you can get a copy to take a look at. If you are not a customer, our product can be downloaded directly from the web site and I can help you get a copy for evaluation purposes.

Regards,

Jim

jim_hansen@bigfix.com

(imported comment written by kespoor91)

A quick search of your site for FISMA turns up only this thread and a couple of ‘sales’ pitches. I’m wondering if anything is still in the works for FISMA-specific compliance and reporting, or if that’s on hold for future versions.