Security Dashboard

The Security Dashboard provides visual tools to help security and operations team members assess the vulnerabilities affecting their server environment.

To display the Security Dashboard, select TrueSight Vulnerability Management > Security Dashboard.


Overview

The Security Dashboard offers a set of charts that give insight into the security status of a computing or network environment.

The Vulnerability Status bubble chart depicts vulnerabilities across a date range. The position, color, and size of bubbles indicate vulnerability severity, service level agreement (SLA) status, and number of endpoints affected. At a glance, you can identify situations on the bubble chart that may require immediate attention and prioritize remediation actions accordingly. 

The Vulnerabilities per Stage bar chart shows the daily status of vulnerabilities across the same date range as the Vulnerability Status chart. Each bar in the chart represents vulnerabilities on a given day. Colors indicate the management status of each vulnerability, such as awaiting action or awaiting execution. Using this chart you can spot vulnerability management trends and project a date when all vulnerabilities should be closed.

The only action you can take from this dashboard is to export information. However, if you specify a set of filters on this page and then open the Operator Dashboard, it will automatically use the same set of filters.

Notes

For the Security Dashboard to show data, you must first:

  • Import one or more scan files
  • Map endpoints to assets included in scan files
  • (Applicable only for version 3.0) Ensure that vulnerabilities have not been excluded from consideration.
  • NEW IN 3.0.01 Ensure that exceptions have not been applied to vulnerabilities, because exceptions exclude them from various vulnerability counts depicted in the dashboard. For example, if an exception that is added or imported for a vulnerability covers all assets, so that the exception is applied to every asset affected by the vulnerability, that vulnerability is excluded from the counts (explained in the sections that follow). Likewise, if an imported exception for an asset covers all vulnerabilities, so that the exception is applied to the asset for every vulnerability that affects it, that asset is excluded from the counts (explained in the sections that follow).

Vulnerability Status chart

The Vulnerability Status bubble chart provides a snapshot showing how vulnerabilities affect your server or network environment.

The chart presents vulnerabilities across a date range (the X axis). The default date range is 90 days, but you can adjust the range. The Y axis measures severity; the most severe vulnerabilities (level 5) appear at the top of the axis. 

The color of each bubble corresponds to an SLA status: green for within the SLA limits, yellow for approaching the SLA, or red for exceeding the SLA. (Both endpoint administrators and ordinary users can enter SLA standards for each severity level.)

The size of each bubble indicates how many endpoints are affected by these vulnerabilities; the bigger the circle, the more endpoints that are affected. Even though a single endpoint might have hundreds of severity 5 vulnerabilities, the size of the bubble remains constant if only that one endpoint is affected.

NEW IN 3.0.01 If you are using exceptions to exclude your assets and vulnerabilities from remediation, and an exception that is added or imported for a vulnerability covers all assets, so that it is applied to every asset affected by the vulnerability, that vulnerability is excluded from this count. For example, if you have specified All endpoints for a vulnerability, the bubble size is reduced and the SLA Breakdown chart is affected. If only selected vulnerabilities are considered, then the bubble size remains unaffected.

If an imported exception for an asset covers all vulnerabilities, so that it is applied to the asset for every vulnerability that affects it, the asset count decreases by 1.

Using these visual cues, you can scan the chart to identify problems. For example, large red bubbles high on the Y axis might mean trouble. Red indicates the SLA has expired. Large bubbles mean more endpoints are affected. Higher on the Y axis means the vulnerability is more severe. When you identify a hot spot like this, you can hover the cursor over a bubble to get more information (as shown at right). Then you might want to instruct the operations team to take corrective actions. If necessary, you can export the contents of the dashboard.

Restricting vulnerabilities by stage

Headers on the Vulnerability Status chart show the average time needed for each stage of activity in the vulnerability management process. 

You can limit the information displayed on the chart by clicking the headers that correspond to stages:




  • Average Days Awaiting Attention—The average number of days before vulnerabilities are addressed as well as the average number of days for vulnerabilities that have never been addressed.
  • Average Days Awaiting Approval—Vulnerabilities for which a remediation action has been created but still must be approved.  This statistic is not provided for TrueSight Network Automation or SCCM.
  • Average Days Awaiting Execution—Vulnerabilities for which a remediation action has been created and approved but still must be executed. This category also includes vulnerabilities that are currently being remediated.
  • Average Days to Close—Vulnerabilities that have been closed. The color of bubbles indicates the SLA status of vulnerabilities when they were closed.

SLA Breakdown chart

The SLA Breakdown pie chart shows the total number of unique vulnerabilities for the selected stage and divides those vulnerabilities according to their SLA status. When you hover over any part of the chart, you see a breakdown of vulnerabilities by severity level.

Note that "within SLA" means vulnerabilities that have not exceeded the SLA and are not categorized as approaching the SLA.

NEW IN 3.0.01 If you are using exceptions to exclude your assets and vulnerabilities from remediation, and an exception that is added or imported for a vulnerability covers all assets, so that it is applied to every asset affected by the vulnerability, that vulnerability is excluded from this count. For example, if you have specified All endpoints for a vulnerability, the vulnerability count decreases by 1. If only selected assets or tags are considered, then the count remains unchanged.

Vulnerabilities per Stage chart

The Vulnerabilities per Stage chart helps security and operations team members recognize historical trends in vulnerability management.

The chart shows the daily status of vulnerabilities across a date range (the X axis). The default range is 90 days, but you can adjust the range. The Y axis measures the total number of vulnerabilities. When new scans are imported, the height of the bar changes.

NEW IN 3.0.01 If you are using exceptions to exclude your assets and vulnerabilities from remediation, and an exception that is added or imported for a vulnerability covers all assets, so that it is applied to every asset affected by the vulnerability, that vulnerability is excluded from this count. For example, if you have specified All endpoints for a vulnerability, the vulnerability count decreases. If only selected assets or tags are considered, then the count remains unchanged.

The colors in each bar represent the stages of vulnerability management: awaiting action, awaiting approval, awaiting execution, or closed. 

Every bar in the chart is a daily snapshot showing vulnerabilities in their various stages. For example, the chart above shows how a few scans are initially imported. After about a week, the colors begin to change as remediation actions begin. After nine days, the number of vulnerabilities awaiting action begins to decline until more scans are imported and the total number rises. 

Restricting vulnerabilities by stage

Headers on the Vulnerabilities per Stage chart show the total number of vulnerabilities in each stage of activity in the vulnerability management process. 

You can limit the information displayed on the chart by clicking the headers that correspond to stages:


  • Awaiting Attention—Vulnerabilities that have not been acted on in any way. 
  • Awaiting Approval—Vulnerabilities for which a remediation action has been created but still must be approved. This statistic is not provided for TrueSight Network Automation or SCCM.
  • Awaiting Execution—Vulnerabilities for which a remediation action has been created and approved but still must be executed.
  • Closed—All vulnerabilities that have been closed.

    Important

    If a patch remediation operation does not use any deploy template, you create manual remediation runs for missing patches, and the remediation operation needs a target reboot (as indicated in the Show Log tab), the associated vulnerabilities for those targets are closed only when you perform the following tasks:

    1. Reboot the targets.
    2. Re-create the Patch Analysis Job against those targets for those vulnerabilities.
    3. Run a Data Refresh cycle after the Patch Analysis Job is completed.

  • Total—All vulnerabilities.

Note

Dashboard statistics may not show the most recent vulnerability status, depending on how often data from the endpoint manager is updated using the Data Refresh capability.

Estimated Days to Close chart

The Estimated Days to Close chart projects on a timeline the date when all vulnerabilities should be closed based on current trends.



Specifying the range of vulnerability data 

By default, the charts in the Security Dashboard show all vulnerability information that was generated and imported into TrueSight Vulnerability Management within the last 90 days. Rather than use that time frame, you can display vulnerability information for:

  • A set period of time—From Scan Data, select 90, 45, or 30 days. 
  • The oldest date included in selected scan reports—From Scan Data, select the name of one or more reports. If you want information for all reports, click Select All.  The date range extends to the oldest scan data that was imported.

When you select an option from Scan Data, the dashboard automatically updates to show the information you have selected.

Showing vulnerability information by security group

If you belong to more than one security group, use the Security Group drop-down list at top to show vulnerability information for a particular group. If you belong to one security group only, this option is not enabled.

In SCCM, you can only belong to one security group.

Filtering vulnerability information

Using the filters at top, you can limit the information that the Security Dashboard shows. All charts, counts, and graphs update dynamically based on your filtering choices. Filters can be particularly useful if you plan to export data that lists vulnerabilities requiring action.

By default, the Security Dashboard uses the same filters last set in the Operator Dashboard. This allows users of the Operator Dashboard to refine their view of vulnerabilities. Then, users can open the Security Dashboard to display the same set of vulnerabilities immediately. In addition, settings for the Tags filter persist when you move between the Operator Dashboard, the Security Dashboard, and the Assets page.

To filter data, select any of the following options:

  • BULLETIN ID (SCCM only): Shows information for specific vulnerabilities, as identified by Microsoft bulletin ID.
  • CVE (TrueSight Server Automation and TrueSight Network Automation only): Shows information for specific vulnerabilities, as identified by common vulnerability and exposure (CVE) number.
  • Device collection (SCCM only): Shows information about selected device collections, which are groupings of devices. You can choose from all the device collections accessible to your Active Directory group.

  • Device type (TrueSight Network Automation only): Shows information about selected network devices.

  • O/S (TrueSight Server Automation only): Shows information about selected operating systems.

  • Server Group (TrueSight Server Automation only): Shows information about vulnerabilities detected for a selected BladeLogic server group. Because you can select smart groups, this filtering option can be very useful for limiting the information displayed.

  • Severity—Shows information about vulnerabilities with a specific severity.
  • Software Instance—Shows information about servers that include the types of software you specify.

    Note

    To enable the Software Instance filter, you must set up a connection to BMC Discovery.

  • Tags—Shows the tags that are present in the system, when you click the drop-down arrow. These tags are associated either with assets only or with a combination of vulnerabilities and assets (also called vulnerability-asset tags).

    • When you select a tag that is associated only with assets, the following statistics change on the dashboard:
      • Only the vulnerabilities that are affecting the assets associated with the selected tags are shown.
      • Only the assets that are associated with the selected tags are shown.
    • NEW IN 3.0.01 When you select a tag that is associated with both vulnerabilities and assets, the following statistics change on the dashboard:
      • Only the vulnerabilities that are part of the vulnerability and asset combination on which selected tags are created are shown.
      • Only the assets that are part of the vulnerability and asset combination on which selected tags are created are shown.

To apply filtering choices

After making filtering choices, click Apply Filters to activate your selections. 

How exceptions affect the Security Dashboard

NEW IN 3.0.01 This section explains how exceptions change the statistics on the Security Dashboard.

Exception for a vulnerability on all assets

Whenever you apply an exception for a particular vulnerability to all assets, the vulnerability count changes on the Security Dashboard depending on the status of the exception. For example, in the following figure, the number of vulnerabilities that have exceeded the SLA is 4 (SLA Breakdown chart) and the number of vulnerabilities awaiting attention is 28 (Vulnerabilities per Stage graph). At this stage, no exception has been applied to assets that are affected by these vulnerabilities.

Now, you add an exception for the Enabled DCOM vulnerability, which is applied to all the assets. This is a Severity 3 vulnerability. After you apply the exception, the following changes take place on the Security Dashboard:

  • The middle bubble, which indicated the Severity 3 vulnerability, no longer appears.
  • In the SLA Breakdown chart, the unique vulnerability count is reduced by 1.
  • In the Number of vulnerabilities per Stage section, the number of vulnerabilities awaiting attention is reduced from 28 to 24. This count is reduced even if an exception has been applied only to a few endpoints.

Exception on an asset for all vulnerabilities

Whenever you import an exception that applies to a particular asset for all vulnerabilities, the asset (endpoint) count changes on the Security Dashboard depending on the status of the exception. For example, in the following figure, the endpoint count is 5. At this stage, no exception has been applied to the assets that are affected by vulnerabilities.

Now, you import an exception for one asset, clm-aus-008440.bmc.com, for All vulnerabilities that are affecting this asset. After you apply the exception to this asset, the asset (endpoint) count decreases by 1. For example, in the following figure, the number of assets (endpoints) is 4. For the duration that the exception is active, this asset (endpoint) will not be affected by any vulnerability in the system.

Exporting data

You can export the current contents of the Security Dashboard. Data is exported in a comma-separated value (CSV) format and stored in a ZIP file. After exporting, you can open the file in a spreadsheet and then manipulate the data in any way you want.

If you filter data by software instance, an export shows the applicable software instances per server. If you do not filter by software instance but a connection to BMC Discovery is enabled, an export lists all software instances that are discovered.

If you have imported tag data, the export file includes a column for each tag. NEW IN 3.0.01 If an exception has been created for a vulnerability, the file includes an extra column, Active Exception. The values in this column are YES or NO, depending on whether the exception has been applied.

Large exports are broken into multiple files within the ZIP file. Each file contains 40000 to 50000 rows. 

When you export the Security Dashboard, the VAT Status column displays one of the following states:

  • IMPORTED: The vulnerability is imported into the system. No action has been taken so far on this vulnerability.
  • TARGET_MAPPED: The vulnerability is imported into the system and assets on which it is reported are mapped to targets.
  • OPERATION_CREATED: A remediation operation has been created in the system for that vulnerability.
  • AWAITING_APPROVAL: A remediation operation has been created for the vulnerability, but the operation is still pending approval. This statistic is not applicable for TrueSight Network Automation or SCCM.
  • AWAITING_EXECUTION: A remediation operation has been created for the vulnerability and the approval has been received (if it was configured while creating the operation); however, the operation is still waiting for execution on the server.
  • REMEDIATION_RUNNING: Remediation operation is in progress for the vulnerability.
  • CLOSED: Assets affected by the vulnerability are remediated.

To export the contents of the dashboard

Click Export, at top right. Using your browser, you can open the file or save it locally. 
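
The following added example (not part of the product or its documentation) shows one way to triage an export offline: it merges the CSV parts inside the ZIP file, counts rows per VAT Status, and lists rows that are not CLOSED and have no active exception. Only the VAT Status and Active Exception column names and the seven status values come from this page; the Vulnerability, Asset, and Severity headers, the file names inside the ZIP, and the sample rows are constructed assumptions.

```python
import csv
import io
import zipfile
from collections import Counter

# The seven VAT Status values documented for the export.
VAT_STATES = {"IMPORTED", "TARGET_MAPPED", "OPERATION_CREATED", "AWAITING_APPROVAL",
              "AWAITING_EXECUTION", "REMEDIATION_RUNNING", "CLOSED"}

def read_export(zip_bytes):
    """Merge every CSV part in the export ZIP into one list of row dicts."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Large exports are split into several files, so read all of them.
        for name in sorted(n for n in zf.namelist() if n.lower().endswith(".csv")):
            with zf.open(name) as fh:
                text = io.TextIOWrapper(fh, encoding="utf-8-sig", newline="")
                rows.extend(csv.DictReader(text))
    return rows

def summarize(rows):
    """Count rows per VAT Status and pick out open rows with no active exception."""
    by_state, actionable, unknown = Counter(), [], []
    for row in rows:
        state = (row.get("VAT Status") or "").strip().upper()
        if state not in VAT_STATES:
            unknown.append(row)  # undocumented value: flag it, do not guess a stage
            continue
        by_state[state] += 1
        # The Active Exception column exists only when an exception was created.
        excepted = (row.get("Active Exception") or "NO").strip().upper() == "YES"
        if state != "CLOSED" and not excepted:
            actionable.append(row)
    return by_state, actionable, unknown

def build_sample_export():
    """Constructed two-part export; Vulnerability/Asset/Severity headers are assumed."""
    header = "Vulnerability,Asset,Severity,VAT Status,Active Exception\n"
    part1 = header + ("Enabled DCOM,host-a.example.com,3,IMPORTED,YES\n"
                      "Sample finding 1,host-a.example.com,5,AWAITING_EXECUTION,NO\n")
    part2 = header + ("Sample finding 1,host-b.example.com,5,CLOSED,NO\n"
                      "Sample finding 2,host-b.example.com,4,TARGET_MAPPED,NO\n"
                      "Sample finding 2,host-c.example.com,4,pending,NO\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("export_1.csv", part1)
        zf.writestr("export_2.csv", part2)
    return buf.getvalue()

if __name__ == "__main__":
    counts, todo, bad = summarize(read_export(build_sample_export()))
    print(dict(counts), len(todo), len(bad))
```

Rows returned in the third list carry a status value that is not documented above and should be reviewed by hand rather than assigned to a stage.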
