Walkthrough for Threat Director: Mapping vulnerability scan results to a server environment

This walkthrough demonstrates how to map server assets and vulnerabilities detected in a vulnerability scan to the servers and remediation content you are managing with BMC BladeLogic Server Automation (BSA). This mapping process is a prerequisite before you can use Threat Director to correct any vulnerabilities revealed in the scan.

This topic includes the following sections:

The following video demonstrates how to use Threat Director (BladeLogic Portal 2.2) to map server assets and vulnerabilities detected in a vulnerability scan to the servers and remediation content you are managing with BMC BladeLogic Server Automation.

https://youtu.be/7pln8tFNLZs

Introduction

This walkthrough describes how to associate servers included in a vulnerability scan (known in Threat Director as assets) to servers managed with BladeLogic (known as endpoints). It also describes how to associate vulnerabilities identified in the vulnerability scan to remediation content that is available through BladeLogic. This process of associating—or mapping—must occur before you can perform any remediation based on a vulnerability scan.

Threat Director can perform an automatic mapping of assets based on their DNS server and IP address. However, after auto-mapping some assets may remain unmapped. When that occurs, you can manually find endpoints in your managed environment and associate them with assets in the vulnerability scan.

Threat Director can also perform an automatic mapping of vulnerabilities to patches in BladeLogic patch catalogs. Mapping is based on the Common Vulnerabilities and Exposures (CVE) number. Only patches can be auto-mapped. Vulnerabilities requiring other types of remediation content must be manually mapped.

After assets and vulnerabilities are mapped, you can examine the Security Dashboard and the Operator Dashboard and then create a Remediation operation that corrects network vulnerabilities. That process is described in Walkthrough-for-Threat-Director-Remediating-server-issues-detected-in-a-vulnerability-scan.

What do I need to get started?

A user ID that lets you access and use BladeLogic Portal.
The user ID must be associated with a portal security group that has the Threat Director permission. For more information, see Managing-portal-security-groups-for-BMC-Server-Automation.
Results of a vulnerability scan in an XML format that can be imported into BladeLogic Portal.
If you have access to a vulnerability management system, such as Qualys, Nessus, or Rapid7, you can export the results to XML. For more information, see Importing-scan-files-Threat-Director.

How to map vulnerability scan results

	Procedure	Example screen
1	Confirm that you can see the Threat Director menu. If you cannot, your portal security group probably does not have the Threat Director permission. To grant that permission, a portal administrator can use this procedure. At top right, select your user ID. From the drop-down menu, select Administration. Find your portal security group and select Edit the current security group . Find the Portal Level Permissions field and select Threat Director. Click Update Security Group. Exit BladeLogic Portal and then connect to the portal again as a member of the same portal security group (not necessarily the administrator for the group).
2	Using BladeLogic Portal, import a scan file exported from a vulnerability scanning product and automatically map assets in the scan to endpoints (that is, servers) managed in BMC Server Automation. Auto-mapping matches the IP address and domain name server (DNS) of assets in the vulnerability scan to servers managed by BMC Server Automation. Select Threat Director > Import. For Select Vendor, choose the type of vulnerability management system used to create the scan file you want to import. For Scan Report, click Browse and navigate to a scan file you want to import. The file must be in an XML format. Note that exports from Nessus must have a file ending of .nessus. Optionally, you can select Customize Filter Options and choose filters that are applied during the import, but in this example we accept the default values. Select the file and click Import Scan.
3	To check the status of the import, click Activity Status, in the menu bar at top right. A window lists long running activities, such as scan imports, and shows their status. If the import is still running, its status says In Progress.
4	For assets that remain unmapped after auto-mapping, you can perform a manual mapping procedure. Select Threat Director > Assets to display a list of assets. For Security Groups, select a group that you want to use while mapping devices. In this case we select BLAdmins. The security group must have permissions to access the servers you want to use for mapping in BSA. Select one or more assets that require mapping. If necessary, use the filtering capability at the top of each column to find assets. For example, if you are looking for assets with names that include the string "win," enter win in the filter box at the top of the Scan Host column. At top right, click the Actions menu and select Map. The Map Endpoint to Scanned Hosts page opens. It provides two tabs: Selected Scanned Hosts and Endpoints. The asset(s) you selected in the previous step are listed on the Selected Scanned Hosts tab.	Select one or more assets that need mapping. When you click Map, the asset(s) you selected appear on the Map Endpoint to Scanned Hosts page.
5	Specify a server managed in BSA that should map to the selected asset(s). Select an asset on the Selected Scanned Hosts tab and click the Endpoints tab. Use the text search or browse capabilities on this tab to find the server to be mapped. Click here to display a page that describes search and browse capabilities. Select a server to map to the asset selected on the Selected Scanned Hosts tab and click Save. A message says that mapping has occurred. The Assets page shows the name and IP address of the mapped server in BMC Server Automation. In some situations you may need to map multiple scanned assets to a single server. Or, you may need to map a single asset to multiple server. Click here for details. Use the same procedure to map additional assets.	Select an asset to map and then click the Endpoints tab. Assets page shows name of mapped endpoint.
6	Confirm that any assets you want to manage are enrolled in Threat Director management. An enrolled asset is marked with the gear icon. To enroll an asset, select it. Then drop down the Actions menu and select Enroll Asset. Note: A license fee is charged for every endpoint enrolled in Threat Director. The first 100 endpoints are free.
7	Display a list of vulnerabilities in the vulnerability scan. Then perform auto-mapping, which matches any vulnerabilities that can be corrected by patches with patches that already exist in BladeLogic patch catalogs. Select Threat Director > Vulnerabilities to display the list of vulnerabilities. Click Auto-map to perform an automatic mapping of vulnerabilities identified in the vulnerability scan to patches in BladeLogic patch catalogs.
8	For vulnerabilities that remain unmapped after auto-mapping, perform a manual mapping procedure. You can match vulnerabilities to any type of depot content that can be used for remediation, such as BLPackages, software packages, and NSH scripts. Select a vulnerability that requires mapping. If necessary, use the filtering capability at the top of each column to find vulnerabilities. For example, you can filter by name or severity. In this example, we filtered by Mapping Status and Vulnerability ID. At right, click the Actions menu in the highlighted row and select Map. The Map Remediation to Vulnerability page opens.
9	Using the Search and Browse tabs, select a remediation package. After selecting a rule, click Save. Click here to see a page with detailed instructions for using using search and browse capabilities.
10	Define rules that apply when you later deploy the remediation content to target servers. This capability is typically used to deploy one remediation content item to a certain type of target, such as Windows servers, and another type of remediation content to another type of target, such as Red Hat servers. Click Use Target Rules. A set of options appear that you can use to establish rules for deploying the remediation content. Select Any or All to specify whether all the criteria you establish must be met for deployment or any one of the criteria is sufficient. In this example, we select All. For OS, enter text that identifies the OS type. For example, we enter Windows. Click Add Criteria. A new row appears for defining another criteria. In the first field, select OS Platform. In the last field, enter a text string that identifies the platform. We enter x86_64 to indicate this package should be deployed to 64-bit systems. To set another set of target rules, select another remediation content item and click . Then, repeat the previous steps to define a new set of target rules for the selected content.
11	Click Save. A message says that mapping has occurred. The Vulnerabilities page shows the remediation content that was selected and the remediation type, such as a BLPackage or Windows Hotfix. If you have a long list of vulnerabilities, use the Remediation Type filter and the Mapping Status filter (at the top of the page) to find the vulnerability you just mapped. Repeat the same procedure to map additional vulnerabilities to remediation packages.

Wrapping it up

In this topic you used Threat Director to perform all the preliminary mapping necessary to remediate network vulnerabilities detected by an external vulnerability management system, such as Qualys, Nessus, or Rapid7.

Where to go from here

After all necessary mapping is complete, you can use the Security Dashboard and Operator Dashboard to analyze the vulnerabilities detected in a scan. Then you can use the Operator Dashboard to create a Remediation operation that corrects vulnerabilities in your server environment. Another walkthrough describes that process.