Using Threat Director
Threat Director lets you use tools such as Qualys, Nessus, and Rapid7 to scan for vulnerabilities, import that information into BladeLogic Portal, and then analyze, prioritize, and remediate the vulnerabilities. The analytic tools available in Threat Director help align the actions of security and operations personnel who must maintain the integrity of your computing environment.
See Demonstrating the Threat Director process for walkthrough topics that show how to use Threat Director to manage vulnerabilities with both BMC Server Automation and BMC Network Automation.
This topic provides an overview of the process for using Threat Director. Before you begin, make sure the following requirements are met:
- BladeLogic Portal 2.2 or later must be installed.
See Minimum hardware and software requirements for details about the versions of BMC Server Automation (BSA) and BMC Network Automation (BNA) that are supported.
- Although some capabilities of BladeLogic Portal allow connections to multiple sites, Threat Director only supports a connection to a single BMC Server Automation or BMC Network Automation site.
- Endpoints must be enrolled in Threat Director. An endpoint is either a server managed by BMC BladeLogic Server Automation (BSA) or a network device managed by BMC BladeLogic Network Automation (BNA). You enroll endpoints in Threat Director after you map assets to endpoints. Use of Threat Director requires a per-endpoint license fee. The first 100 endpoints enrolled in Threat Director are free.
Overview of Threat Director
All Threat Director capabilities can be accessed from the Threat Director menu.
Granting the Threat Director permission
To use Threat Director, a portal administrator must grant your portal security group the Threat Director permission. This type of portal-level permission is granted when you define a portal security group.
Until you are granted the Threat Director permission, the Threat Director menu is not available.
Specifying service level agreement information
The first time you use Threat Director, a portal administrator should specify service level agreements (SLAs) for each vulnerability severity level. The administrator can also specify a warning period after which vulnerabilities are classified as nearly exceeding SLAs. By default, the warning period is 80% of the SLA.
This procedure does not need to be repeated unless the details of your SLAs change.
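The following added example (not BMC code) shows how a per-severity SLA and an 80% warning period sort open vulnerabilities into within SLA, nearly exceeding, and exceeded. The SLA day values, field names, and sample findings are assumptions constructed for illustration.

```python
from datetime import date

# Assumed SLA limits in days per severity (illustrative policy, not a product default).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
WARNING_FRACTION = 0.80  # warning period as a fraction of the SLA (the 80% default above)

TODAY = date(2024, 6, 30)  # fixed date so the constructed sample is reproducible
SAMPLE_FINDINGS = [  # constructed records; hosts and ids are made up
    {"host": "app02", "vuln": "VULN-C", "severity": "medium", "first_seen": date(2024, 6, 1)},
    {"host": "rtr01", "vuln": "VULN-D", "severity": "info", "first_seen": date(2024, 5, 1)},
    {"host": "db01", "vuln": "VULN-B", "severity": "high", "first_seen": date(2024, 6, 5)},
    {"host": "web01", "vuln": "VULN-A", "severity": "critical", "first_seen": date(2024, 6, 20)},
]


def sla_status(severity, first_seen, today, sla_days=SLA_DAYS, warn=WARNING_FRACTION):
    """Return (status, days_left) for one open vulnerability."""
    if severity not in sla_days:
        return ("no_sla_defined", None)  # surface the policy gap instead of guessing
    limit = sla_days[severity]
    age = (today - first_seen).days
    if age > limit:
        status = "exceeded"
    elif age >= limit * warn:  # assumption: the boundary day itself counts as a warning
        status = "nearly_exceeding"
    else:
        status = "within_sla"
    return (status, limit - age)


def triage(findings, today):
    """Attach SLA status to each finding and order by least time remaining."""
    rows = []
    for f in findings:
        status, left = sla_status(f["severity"], f["first_seen"], today)
        rows.append({**f, "status": status, "days_left": left})
    # Findings without an SLA sort last: visible, but never ahead of a real breach.
    return sorted(rows, key=lambda r: (r["days_left"] is None, r["days_left"] or 0))


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, TODAY):
        print(row["host"], row["vuln"], row["status"], row["days_left"])
```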
Using capabilities shared with Vulnerability Manager
Threat Director shares many of its capabilities with those available in Vulnerability Manager (known as Vulnerability Management in earlier releases). These capabilities let you import scan files and then map assets and vulnerabilities to endpoints and remediation content in BSA and BNA. The basic process is:
- Import scan files—Select Threat Director > Import. The Scan Import page lets you import scan files that were created using a vulnerability management system, such as Qualys, Nessus, or Rapid7. During a scan file import, assets that are included in the scan file are automatically mapped to endpoints.
- Map assets—Select Threat Director > Assets. The Assets page lets you map assets that are included in a vulnerability scan report to endpoints. You can map assets one by one or you can automatically map assets. After mapping assets, you can enroll them in Threat Director.
- Map vulnerabilities—Select Threat Director > Vulnerabilities. The Vulnerabilities page lets you map vulnerabilities identified in a vulnerability scan to remediation content. For BSA, remediation content can be any type of BladeLogic depot content, such as patches, BLPackages, software packages, or NSH scripts. For BNA, remediation content can be any rule with associated corrective actions.
After you have performed these steps and you have enrolled hosts in Threat Director, you can view data on the Threat Director dashboards. You can also launch remediation operations from the Operator Dashboard.
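The import and asset-mapping steps above can be pictured with the following added example, which is not BMC code and does not reproduce the portal's own matching logic. It reads a constructed scan file in the Nessus v2 export layout and maps each scanned asset to a hypothetical endpoint inventory, assuming a match on FQDN first and IP address second; assets that match nothing are reported as unmapped.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Nessus v2 export layout (hosts and plugin IDs are made up).
SCAN_XML = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="10.0.0.5"><HostProperties>
  <tag name="host-ip">10.0.0.5</tag><tag name="host-fqdn">WEB01.example.test</tag>
</HostProperties>
  <ReportItem port="443" severity="4" pluginID="900001" pluginName="Constructed finding A"/>
  <ReportItem port="22" severity="2" pluginID="900002" pluginName="Constructed finding B"/>
</ReportHost>
<ReportHost name="10.0.0.9"><HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
  <ReportItem port="80" severity="3" pluginID="900003" pluginName="Constructed finding C"/>
</ReportHost>
<ReportHost name="10.0.0.77"><HostProperties><tag name="host-ip">10.0.0.77</tag></HostProperties>
  <ReportItem port="0" severity="0" pluginID="900004" pluginName="Constructed info item"/>
</ReportHost></Report></NessusClientData_v2>"""

# Hypothetical inventory standing in for servers or devices managed in BSA or BNA.
ENDPOINTS = [
    {"name": "web01", "fqdn": "web01.example.test", "ip": "10.0.0.5"},
    {"name": "db01", "fqdn": "db01.example.test", "ip": "10.0.0.9"},
]


def parse_assets(xml_text):
    """Yield one asset per ReportHost with its identifiers and findings."""
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        tags = {t.get("name"): (t.text or "").strip() for t in host.iter("tag")}
        findings = [(i.get("pluginID"), int(i.get("severity", "0")))
                    for i in host.iter("ReportItem")]
        yield {"ip": tags.get("host-ip", host.get("name")),
               "fqdn": tags.get("host-fqdn", "").lower(), "findings": findings}


def map_assets(assets, endpoints):
    """Match by FQDN first, then IP (assumed rule); return (mapped, unmapped)."""
    by_fqdn = {e["fqdn"].lower(): e["name"] for e in endpoints}
    by_ip = {e["ip"]: e["name"] for e in endpoints}
    mapped, unmapped = {}, []
    for asset in assets:
        name = by_fqdn.get(asset["fqdn"]) or by_ip.get(asset["ip"])
        if name:
            mapped[name] = asset["findings"]
        else:
            unmapped.append(asset["ip"])  # scanned, but not a managed endpoint
    return mapped, unmapped
```

The unmapped list is the part to review by hand: findings on those assets cannot be remediated through the automation tools until the asset is tied to a managed endpoint.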
Enrolling assets in Threat Director
After you have used the Assets page to map assets to endpoints managed by BSA or BNA, you can enroll endpoints in Threat Director. The Threat Director dashboards only show vulnerability information for endpoints enrolled in Threat Director.
A license fee is charged for every endpoint enrolled in Threat Director. The first 100 endpoints are free.
To enroll an endpoint in Threat Director, open the Assets page. Select one or more mapped endpoints. Then click the Actions menu and select Enroll Asset.
You must be granted the Threat Director permission to enroll endpoints in Threat Director. Portal-level permissions like the Threat Director permission are granted when you define a portal security group.
Using the Threat Director dashboards
The two Threat Director dashboards show vulnerabilities from different perspectives:
- Security Dashboard—Select Threat Director > Security Dashboard. This dashboard provides visual tools to help security personnel assess the vulnerabilities affecting their computing environment, spot trends, and project days needed to close all vulnerabilities. Operations personnel can also use this dashboard.
- Operator Dashboard—Select Threat Director > Operator Dashboard. This dashboard provides visual tools to identify vulnerabilities on endpoints that require the highest priority remediation and then launch remediation actions for those endpoints. If you have connected the portal to BMC Discovery, you can also use this dashboard to identify servers that are not included in scans (sometimes called blind spots). After you have identified vulnerabilities that must be fixed, you can launch remediation operations from the dashboard.
Managing remediation operations
After you have launched a remediation operation, it appears on the portal's home page. There you can use the portal's capabilities for ongoing management of operations, such as executing the operation again, deleting the operation, or viewing its results.
When you view operation results, the tools available to you vary, depending on the type of operation. For more information, see Viewing and using results of operations.
The following video demonstrates how to use Threat Director to map server assets and vulnerabilities detected in a vulnerability scan to the servers and remediation content you are managing with BMC BladeLogic Server Automation.
The following video demonstrates how to use Threat Director to analyze the results of a vulnerability scan that has been imported into BladeLogic Portal.