How BigFix Displaced Microsoft Configuration Manager for Patching

Don Moss isa Technical Advisor on the BigFix team. Don began using BigFix in 2012 when he was employed at LANDesk, now known as Ivanti. Before joining HCLSoftware, Don worked at IBM Security as a Security Solutions Architect & Cyber-Security Engineer.  He shares a recent story about why one of his clients who replaced Microsoft Configuration Manager™, often referred to as SCCM, in favor of BigFix.

Many clients are often overwhelmed with endpoint management activities. The plethora of patches across many versions of operating systems keep most IT operations and security organizations very busy. Windows is the predominate operating system and Microsoft Configuration Manager (also known as SCCM) is the most common management tool for patching the Windows OS and Microsoft Office. CIOs implement SCCM because it is ‘free’ since it is packaged with Microsoft Enterprise License Agreements. Unfortunately, there have been a history of issues and some are still plaguing that solution. As a result, BigFix is helping organizations improve their patching and compliance operations. In this blog, I will explain why one of my recent clients decided to replace SCCM with BigFix.

My client is a manufacturer, marketer and distributor of consumer and commercial products with offices and plants in the USA, Latin America, Europe, the Middle East, Africa, and Asia. The company employs about 50,000 people across these geographies, requiring 24×7 endpoint management operations.

HCL learned that IT ops team was getting beaten up by security ops because they found missing patches during their vulnerability scans. The BigFix team was asked to help ascertain the truth. In the side-by-side comparison on a select group of servers, SCCM reported 70-90% compliance while BigFix reported 40-50%. In a deeper investigation, BigFix found missing patches from 5-6 years ago as well as patches released in the past three months!  IT ops and security ops validated the accuracy of BigFix’s patch findings.

Next, my client challenged me to produce the automated reports using BigFix that company executives wanted but were not able to get from SCCM in a timely fashion. For example, IT ops often found that after six hours of patching, SCCM showed an ‘unknown’ patch status for most endpoints. Even after more than eight days, a complete patch status report was still unavailable from SCCM. In a similar test, BigFix was able to show near-real time patch progress within minutes. I was able to show the breadth and width of BigFix reporting and demonstrate to the CIO and CISO that their custom reporting needs could easily provided by BigFix.

BigFix’s return on investment (ROI) was not even questioned because it was clear that BigFix’s efficient patching capabilities would improve their overall security posture over what SCCM was delivering. Since most security incidents are caused by known but unpatched vulnerabilities, having endpoints with missing patches was too great of a security risk than the company could afford. BigFix could confidently show and demonstrate to the executives that all endpoints (including roaming laptops) are patched, regardless of location, connection or status.

The POC was so successful, my client asked to extend the POC so they could continue to patch vulnerable servers while they expedited the purchase order. By doing so, my client simplified patching and improved their defense against cyber-attacks.

Are you finding missing patches in your vulnerability scans? If so, contact the BigFix team and request a demonstration.