Security Dashboard - Threat Director

The Security Dashboard provides visual tools to help security and operations team members assess the vulnerabilities affecting their server environment.


Overview

The Security Dashboard offers a set of charts that give insight into the security status of a computing or network environment.

The Vulnerability Status bubble chart depicts vulnerabilities across a date range. The position, color, and size of bubbles indicate vulnerability severity, service level agreement (SLA) status, and number of endpoints affected. (An endpoint is a server for BMC Server Automation, a network device for BMC Network Automation.) At a glance, you can identify situations on the bubble chart that may require immediate attention and prioritize remediation actions accordingly. 

The Vulnerabilities per Stage bar chart shows the daily status of vulnerabilities across the same date range as the Vulnerability Status chart. Each bar in the chart represents vulnerabilities on a given day. Colors indicate the management status of each vulnerability, such as awaiting action or awaiting execution. Using this chart you can spot vulnerability management trends and project a date when all vulnerabilities should be closed.

The Security Dashboard only presents data for:

The only action you can take from this dashboard is to export information. However, if you specify a set of filters on this page and then open the Operator Dashboard, it will automatically use the same set of filters.

Notes

Vulnerability Status chart

The Vulnerability Status bubble chart provides a snapshot showing how vulnerabilities affect your server or network environment.

The chart presents vulnerabilities across a date range (the X axis). The default date range is 90 days, but you can adjust the range. The Y axis measures severity; the most severe vulnerabilities (level 5) appear at the top of the axis. 

The color of each bubble corresponds to an SLA status: green for within the SLA limits, yellow for approaching the SLA, or red for exceeding. (Portal administrators can enter SLA standards for each severity level.)

The size of each bubble indicates how many endpoints are affected by these vulnerabilities; the bigger the circle, the more endpoints that are affected. Even though a single endpoint might have hundreds of severity 5 vulnerabilities, the size of the bubble remains constant if only that one endpoint is affected.

Using these visual cues, you can scan the chart to identify problems. For example, large red bubbles high on the Y axis might mean trouble. Red indicates the SLA has expired. Large bubbles mean more endpoints are affected. Higher on the Y axis means the vulnerability is more severe. When you identify a hot spot like this, you can hover the cursor over a bubble to get more information (as shown at right). Then you might want to instruct the operations team to take corrective actions. If necessary, you can export the contents of the dashboard.

Restricting vulnerabilities by stage

Headers on the Vulnerability Status chart show the average time needed for each stage of activity in the vulnerability management process. 

You can limit the information displayed on the chart by clicking the headers that correspond to stages:




  • Average Days Awaiting Attention—The average number of days before vulnerabilities are addressed as well as the average number of days for vulnerabilities that have never been addressed.
  • Average Days Awaiting Approval—Vulnerabilities for which a remediation action has been created but still must be approved. Currently, this stage is not supported for BMC Network Automation data.
  • Average Days Awaiting Execution—Vulnerabilities for which a remediation action has been created and approved but still must be executed. This category also includes vulnerabilities that are currently being remediated.
  • Average Days to Close—Vulnerabilities that have been closed. The color of bubbles indicates the SLA status of vulnerabilities when they were closed.

SLA Breakdown chart

The SLA Breakdown pie chart shows the total number of unique vulnerabilities for the selected stage and divides those vulnerabilities according to their SLA status. When you hover over any part of the chart, you see a breakdown of vulnerabilities by severity level.

Note that "within SLA" means vulnerabilities that have not exceeded the SLA and are not categorized as approaching the SLA.

Vulnerabilities per Stage chart

The Vulnerabilities per Stage chart helps security and operations team members recognize historical trends in vulnerability management.

The chart shows the daily status of vulnerabilities across a date range (the X axis). The default range is 90 days, but you can adjust the range. The Y axis measures the total number of vulnerabilities. When new scans are imported, the height of the bar changes.

The colors in each bar represent the stages of vulnerability management: awaiting action, awaiting approval, awaiting execution, or closed. 

Every bar in the chart is a daily snapshot showing vulnerabilities in their various stages. For example, the chart above shows how a few scans are initially imported. After about a week, the colors begin to change as remediation actions begin. After nine days, the number of vulnerabilities awaiting action begins to decline until more scans are imported and the total number rises. 

Restricting vulnerabilities by stage

Headers on the Vulnerabilities per Stage chart show the total number of vulnerabilities in each stage of activity in the vulnerability management process. 

You can limit the information displayed on the chart by clicking the headers that correspond to stages:


  • Awaiting Attention—Vulnerabilities that have not been acted on in any way. 
  • Awaiting Approval—Vulnerabilities for which a remediation action has been created but still must be approved. Currently, this stage is not supported for BMC Network Automation data.
  • Awaiting Execution—Vulnerabilities for which a remediation action has been created and approved but still must be executed.
  • Closed—All vulnerabilities that have been closed.
  • Total—All vulnerabilities.

Estimated Days to Close chart

The Estimated Days to Close chart projects on a time line the date when all vulnerabilities should be closed based on current trends. 



Specifying the range of vulnerability data 

By default, the charts in the Security Dashboard show all vulnerability information that was generated and imported into the portal within the last 90 days. Rather than use that time frame, you can display vulnerability information for:

  • A set period of time—From Scan Data, select 90, 45, or 30 days. 
  • The oldest date included in selected scan reports—From Scan Data, select the name of one or more reports. If you want information for all reports, click Select All.  The date range extends to the oldest scan data that was imported.

When you select an option from Scan Data, the dashboard automatically updates to show the information you have selected.

Showing vulnerability information by security group

If you belong to more than one security group, use the Security Group drop-down list at top to show vulnerability information for the group you select. If you belong to one security group only, this option is not enabled.

Filtering vulnerability information

Using the filters at top, you can limit the information the Security Dashboard shows. In this way you can restrict data to a limited subset of all potential data. This can be particularly useful if you plan to export data that lists vulnerabilities requiring action.

By default, the Security Dashboard uses the same filters last set in the Operator Dashboard. This allows users of the Operator Dashboard to refine their view of vulnerabilities. Then users can open the Security Dashboard to display the same set of vulnerabilities immediately.

To filter data, select any of the following options:

  • CVE—Shows information for specific vulnerabilities, as identified by common vulnerability and exposure (CVE) number. 
  • O/S (BSA only): Shows information about selected operating systems. 

  • Device type (BNA only): Shows information about selected network devices.

  • Severity—Shows information about vulnerabilities with a specific severity.
  • Server Group (BSA only): Shows information about vulnerabilities detected for a selected BladeLogic server group. Because you can select smart groups, this filtering option can be very useful for limiting the information displayed. 

  • Software Instance (BSA only): Shows information about servers that include the types of software you specify.

    Note

    The Software Instance filter is only visible if you set up a connection to BMC Discovery.

To apply filtering choices

After making filtering choices, click Apply Filters to activate your selections. 

Exporting data

You can export the current contents of Security Dashboard. Data is exported in a comma-separated value (CSV) format and stored in a ZIP file. After exporting, you can open the file in a spreadsheet and then manipulate the data in any way you want.

If you filter data by software instance, an export shows the applicable software instances per server. If you do not filter by software instance but a connection to BMC Discovery is enabled, an export lists all software instances that are discovered.

Large exports are broken into multiple files within the ZIP file. Each file contains 40-50 thousand rows. 

When you export the Security Dashboard, the VAT Status column displays one of the following states:

  • IMPORTED: The vulnerability is imported into the system. No action has been taken so far on this vulnerability.
  • TARGET_MAPPED: The vulnerability is imported into the system and assets on which it is reported are mapped to targets.
  • OPERATION_CREATED: A remediation operation has been created in the system for that vulnerability.
  • AWAITING_APPROVAL: A remediation operation has been created for the vulnerability, but the operation is still pending approval. These statistics are not applicable for TrueSight Network Automation or SCCM.
  • AWAITING_EXECUTION: A remediation operation has been created for the vulnerability and the approval has been received (if it was configured while creating the operation); however, the operation is still waiting for execution on the server.
  • REMEDIATION_RUNNING: Remediation operation is in progress for the vulnerability. 
  • CLOSED: Assets affected by the vulnerability are remediated.

To export the contents of the dashboard

Click Export, at top right. Using your browser, you can open the file or save it locally.   
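The following added example (not BMC code) shows one way to post-process an export outside a spreadsheet: it reads every CSV part in the ZIP file and counts rows per VAT Status value, so a large export split across several files is tallied as one data set. It assumes each part carries its own header row with a column named VAT Status and is UTF-8 encoded; the file names, the other columns, and the sample rows are constructed.

```python
import csv
import io
import zipfile
from collections import Counter

# The seven VAT Status values listed in this topic.
KNOWN_STATES = (
    "IMPORTED", "TARGET_MAPPED", "OPERATION_CREATED", "AWAITING_APPROVAL",
    "AWAITING_EXECUTION", "REMEDIATION_RUNNING", "CLOSED",
)

def tally_vat_status(zip_source, status_column="VAT Status"):
    """Count rows per VAT Status across every CSV part in an export ZIP.

    Returns (counts, unknown); unknown holds values not in KNOWN_STATES.
    """
    counts = Counter({state: 0 for state in KNOWN_STATES})
    unknown = Counter()
    with zipfile.ZipFile(zip_source) as zf:
        for name in sorted(zf.namelist()):
            if not name.lower().endswith(".csv"):
                continue
            with zf.open(name) as raw:
                # Assumption: UTF-8 text, possibly with a byte-order mark.
                text = io.TextIOWrapper(raw, encoding="utf-8-sig", newline="")
                reader = csv.DictReader(text)
                if status_column not in (reader.fieldnames or []):
                    raise ValueError(f"{name}: no {status_column!r} column")
                for row in reader:
                    state = (row[status_column] or "").strip().upper()
                    (counts if state in KNOWN_STATES else unknown)[state] += 1
    return counts, unknown

def open_count(counts):
    """Rows in any state other than CLOSED."""
    return sum(n for state, n in counts.items() if state != "CLOSED")

def build_sample_export():
    """Constructed sample: a ZIP with two CSV parts (columns are assumed)."""
    header = "CVE,Severity,VAT Status\n"
    part1 = header + "CVE-0000-0001,5,IMPORTED\nCVE-0000-0002,4,AWAITING_APPROVAL\n"
    part2 = header + ("CVE-0000-0003,5,CLOSED\nCVE-0000-0004,3,REMEDIATION_RUNNING\n"
                      "CVE-0000-0005,2,closed\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("export_1.csv", part1)
        zf.writestr("export_2.csv", part2)
    buf.seek(0)
    return buf
```

Pass the path of a downloaded export to `tally_vat_status` in place of the sample; a non-empty `unknown` result means the file contains a state that is not in the list above.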

