We have a new topic to discuss in the BigFix world – BigFix Detect. It has been a while since we had something this big announced by Team BigFix. There is always a constant flurry of new content and enhancements being released in the various modules, but this is different: we have a brand new module to kick the tires on. Folks at IBM were working behind the scenes to build this out, and they kept it completely under wraps until this apple was highly polished. I will be making a series of posts on Detect as I move through various stages of testing/evaluation. So, onto my first post on BigFix Detect…
What is BigFix Detect?
It is a module with some really cool capabilities in the EDR (Endpoint Detection and Response) realm with a key focus on Response – so we can see bad things happening on managed devices across the enterprise in real time and actually do something intelligent about it. The biggest thing to know about this module is that it is NATIVE to BigFix. So why does that matter? There are a couple of really important reasons. First, it means that IBM (and Team BigFix) owns everything related to the content and development of this module. Second, it means that these tools were specifically built to leverage all of the goodness of BigFix – real time communications, the BigFix Client, the relay infrastructure, etc. These are very good things.
Throughout my beta and GA testing, I have worked with a variety of people on the Detect support team, both from an educational perspective (getting up to speed quickly) and while working through some technical challenges in the beta code (all of which have already been addressed); we even worked on some enhancement requests together. Like the senior technical/DEV folks and product management teams elsewhere in BigFix, the Detect team lives up to the standard. They are a rock solid team that loves what they do, believes in the tools, and wants customers to succeed. What more could you ask for?
Before we get into the actual details of the EDR piece, what all is included in the BigFix Detect module? Some of the items are familiar faces like Asset Discovery, Patch Management and Software Distribution. I love the fact that these items are included in the new module. This gives you the core functionality that you need to address enterprise wide issues.
Asset Discovery: Detect devices on the network. If you can’t see it, you can’t manage it.
Patch Management: The core goodness that BigFix was built from. Huge amounts of patching content for over 100 operating systems.
Software Distribution: Super cool enhanced wizard for building content to deploy software to Windows, Mac and Linux systems with a few clicks. If you have a patch that needs to be deployed that isn’t out of the box, this is your delivery vehicle.
BigFix Query: The ability to talk to all of your systems in real time. Think zero day. Ask questions in BigFix's English-like Relevance language and get responses back within seconds, all over the single BigFix communications port.
Now Onto The New Stuff
If I quote Doug Cahill from ESG:
IBM BigFix Detect is a unified platform that allows organizations to not only manage threat detection but also remediation to expedite reducing the attack surface area.
It's also entering a market where the bar is high with respect to both functionality and innovation, and has cleared that bar with the integration of detection and remediation. The user interface also looks great, which is important to streamline workflows.
Detect: Detect and respond to malicious activity. Evaluate endpoints against IOCs (indicators of compromise, including ones you create yourself) on a periodic basis, and detect IOAs (indicators of attack) based upon behavior rather than signatures.
Investigate: Detailed information about what was flagged during an alert. Plenty of investigative information at your fingertips as well as tons of forensic related information.
Response: Take action to address the issue. Quarantine the file, kill the process, deploy patches/software/custom content. Target the appropriate machines with the appropriate action.
So let’s take a look at the tools and see what all we can see. When I first go into the Detect portion of the BigFix WebUI, I see an Overview page that shows me unhandled alerts.
If I drill into any of the computers listed, I can see all of the unhandled alerts for that system in a standard list.
So, why is this important to me?
When I click on the records, I get to the meat of the conversation. Tell me what’s going on, why it’s important to me, and what I can do about it.
What happened on the machine? Notice that we even know the command line of the process that was executed.
What process launched this command?
What else can you tell me about this?
So, I clicked on the link to show me other systems with the same command line arguments as the alert in question and I get the chart below. How AMAZINGLY COOL is this? Show me something bad that is happening in my environment and then also let me see where else it’s happening. No effort, no heavy lifting, no drama, just useful and concise data at my fingertips. Win.
If I drill into the details further, I can see the full details of what’s going on with the machine during the timeline of the activity in question and get tons of details. Here is a process tree of how we ended up where we did.
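The two investigative pivots described above, walking the process tree that led to the alert and finding other systems that ran the same command line, plus the kind of behavioral (IOA) rule that produces such an alert in the first place, as an added example. This is illustration code written for this post, not BigFix Detect's own logic; the process events, host names, PIDs and command lines are constructed sample telemetry, and the parent/child rule (an Office application with a script host somewhere in its ancestry) is one common behavioral heuristic, not a description of Detect's rule set.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: which host, which process, who spawned it, and with what command line."""
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Illustrative categories for the behavioral rule below (assumed, not from the product).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry (not real captures): three workstations, two of which ran
# the same encoded PowerShell command line from under an Office application.
EVENTS = [
    ProcEvent("ws01", 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws01", 412, 400, "winword.exe", "winword.exe /n invoice.docm"),
    ProcEvent("ws01", 520, 412, "cmd.exe", 'cmd.exe /c "powershell -nop -w hidden -enc SQBFAFgA"'),
    ProcEvent("ws01", 533, 520, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("ws02", 300, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws02", 305, 300, "outlook.exe", "outlook.exe"),
    ProcEvent("ws02", 310, 305, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("ws03", 200, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws03", 210, 200, "powershell.exe", "powershell -ExecutionPolicy Bypass -File backup.ps1"),
]


def normalize_cmdline(cmdline: str) -> str:
    """Collapse whitespace and case so trivially re-spaced copies of a command still match."""
    return re.sub(r"\s+", " ", cmdline.strip()).casefold()


def ancestry(events, host: str, pid: int):
    """Return the process chain from the given process up to its root, child first.

    Stops when the parent is not in the telemetry (e.g. ppid 1 here) or if a
    cycle is detected, so a malformed event set cannot loop forever.
    """
    by_key = {(e.host, e.pid): e for e in events}
    chain, seen = [], set()
    key = (host, pid)
    while key in by_key and key not in seen:
        seen.add(key)
        event = by_key[key]
        chain.append(event)
        key = (host, event.ppid)
    return chain


def hosts_with_cmdline(events, cmdline: str):
    """Pivot: map host -> PIDs that ran exactly this (normalized) command line."""
    wanted = normalize_cmdline(cmdline)
    hits = {}
    for e in events:
        if normalize_cmdline(e.cmdline) == wanted:
            hits.setdefault(e.host, []).append(e.pid)
    return hits


def office_spawned_script_host(events):
    """Behavioral rule: flag any script host whose ancestry contains an Office application."""
    flagged = []
    for e in events:
        if e.image.casefold() not in SCRIPT_HOSTS:
            continue
        parents = ancestry(events, e.host, e.pid)[1:]  # skip the process itself
        if any(p.image.casefold() in OFFICE_APPS for p in parents):
            flagged.append((e.host, e.pid))
    return sorted(flagged)


if __name__ == "__main__":
    alerts = office_spawned_script_host(EVENTS)
    print("alerts:", alerts)
    host, pid = alerts[0]
    print("process tree for", host, pid)
    for depth, e in enumerate(reversed(ancestry(EVENTS, host, pid))):
        print("  " * depth + f"{e.image} (pid {e.pid}): {e.cmdline}")
    suspect = next(e for e in EVENTS if (e.host, e.pid) == alerts[-1])
    print("other systems with this command line:", hosts_with_cmdline(EVENTS, suspect.cmdline))
```

The pivot matches on the whole normalized command line, so the `cmd.exe /c "powershell ..."` wrapper on ws01 is reported as a separate process from the PowerShell child it launched; if you want "contains" semantics for hunting across an environment, change the equality test to a substring or regex match, accepting the extra noise that brings.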
After I have done some research and found out that I want to kill this process, I can do that quickly through the tools. Quick, easy, painless.
There are a couple of interesting things to know about BigFix Detect related to communication flows. The data analysis for Detect is done in the cloud, which ties back to my earlier point that this is a native BigFix tool: the Detect traffic can travel directly to the cloud from the client, or you can configure the environment to leverage the existing BigFix infrastructure and ride across the BigFix port through the relays. Either way the endpoint telemetry ends up in the Detect Cloud; the choice is only which path it takes to get there. This means that if I have an environment where internet access is tightly restricted, I can still leverage BigFix Detect and the data still flows. Since it is a simple fixlet action to allow a system to talk directly to the Detect Cloud, I can easily control which systems talk direct and which go through the relays.
This also means that there is a direct integration between the data that is being reported via the Detect interface in the WebUI and taking actions. When you take an action to remediate, you are leveraging the inherent communications of BigFix to take actions immediately across the targeted machine(s).
I have done a fair amount of testing since the Beta code was released and I have since upgraded to the full GA code. I have noticed very similar results in the various environments that I have played with. During simulated activities (actual processes executed on managed devices that replicate malicious behavior), the data flows up to the Detect Cloud and alerts are visible in the Detect Console in very short order. Timing varies with the path the data takes: there is a short delay when the traffic rides the BigFix infrastructure rather than going directly to the internet, but the results were still very good. I was seeing alerts in the Detect Console within a couple of minutes in all of the scenarios I tested, even with the variations in data flow. Every time I drilled into the data, I found accurate and reliable information.
I am extremely optimistic from my initial experiences with BigFix Detect. There is a tremendous amount of value to these tools that I can see immediately.
- I now have real time visibility into things that happen on my managed devices in a way that I never had before. How many times have you heard of an end-user reporting that malware is running on the machine? Have you ever wondered what all was really happening on the machine? Have you ever wanted to know in real time that bad things are happening?
- I not only know what is happening on the machine, I also have a level one security analyst looking through the data for me automatically, telling me what I need to know about and what is going on in ways that are easy to understand.
- Not only do I have the ability to see where something bad is happening, within a couple of seconds, I can see all systems in my environment that are experiencing the same thing.
- Then I can remediate within a few clicks.
Having done IT stuff for a very long time, these are the capabilities that I have wanted for an eternity. Useful and reliable tools that simply snap into an existing toolset so I don’t have to deploy something new or learn some new technology that potentially replaces tools I love to use. BigFix Detect gives me the visibility I need, along with intelligent analysis so I can remediate quickly. Win.
That’s it for my first thoughts on BigFix Detect. I will move onto additional/advanced testing very soon and then onto a full production environment for real-world testing scenarios.