The BigFix Vulnerability and Configuration Management Suite is designed to help administrators prioritize fixes, patches, and other remedial actions according to a view of each asset's criticality to their business. It provides vulnerability severity information as defined by the Common Vulnerability Scoring System (CVSS) for operating system, configuration, and application vulnerabilities on Windows, Sun Solaris, and Red Hat Linux computers, the company said.

CVSS promises to transform the way network threats are evaluated and dealt with: the common rating system it provides gives enterprises a framework against which they can start to prioritize their patch routines. Currently, the lack of a common scoring system has security teams worldwide trying to solve the same problems with little or no coordination, and often without any clear view of which patch is urgent and which fix can wait.

CVSS bakes in various metrics and formulas that gauge the impact of an attack or vulnerability on system availability, its effects on data confidentiality and integrity, and the vulnerability's exploitability and potential for collateral damage. It also lets organizations input site-specific information, giving security administrators a risk score customized to their organization and to the peculiarities of its operating environment.

Colin Gray, VP and MD for EMEA, said the system uses CVSS but does not rely on it solely as a means of assessing a vulnerability rating. The system also draws on lists from NIST (the National Institute of Standards and Technology), vulnerabilities identified by the SANS Institute, the US military-derived Open Vulnerability and Assessment Language (OVAL) board, and the system vendors themselves to establish a rating.

Gray said the suite had come about through the integration and enhancement of existing products found in the BigFix Enterprise Suite, bringing them into a fully bundled set that had been tightly integrated for automated patch management, vulnerability management, asset discovery, endpoint security, and network access control. "It's what our customers have been asking for: a product set that will optimize remediation," he said.

The new suite will compete in the market with the likes of FoundStone, EndCircle, and EI. What is said to make the BigFix vulnerability management set unique is that it can remediate flaws almost instantly, taking pressure off the helpdesk. "The agents we use run in real time on the endpoint device, allowing the system to continually assess the attributes of managed server, desktop, or laptop devices," Gray said. So, for instance, if a patch becomes corrupted or is uninstalled by an end user, the system will automatically detect that and redeploy it.

Last month the Emeryville, California-based vendor closed a fifth-round $8.4m venture capital funding deal, bringing total VC investment in the company to $26.4m since it opened for business in 1997. In the patch-management space, BigFix competes against Shavlik Technologies and PatchLink Corp. The company also rivals Altiris and LANDesk in the change management space, and goes up against HP/Marimba, CA Unicenter, and Microsoft SMS in the broader systems management space.

The new Vulnerability and Configuration Management Suite will retail at around $45 per client per year. It currently supports Cisco Network Admission Control, Sygate, Zone, InfoExpress, Cyber Armour, and SenForce, and the vendor has promised that support for Microsoft Network Access Protection will follow later this year.