Understanding BigFix: The Premier Endpoint Patch Solution

Thousands of businesses of all sizes and industries have chosen BigFix as their enterprise endpoint management tool. In fact, BigFix manages millions of endpoints worldwide, providing real, tangible value to IT and security operations teams. BigFix excels at continuous patching and eliminating configuration drift – both critical to effective endpoint hygiene. If these measures are properly implemented and monitored, the probability of a breach drops exponentially. Understanding why CIOs and CISOs rely on BigFix to secure their endpoint environment is critical to how BigFix achieves 98% or greater first-pass success rates.

Core Capabilities

BigFix supports effective patching of:

• Over 90+ different operating systems across Windows, Linux, UNIX and macOS as well as support for specific operating systems that are at End of Support (EOS). Consolidating tools using BigFix drives significant cost savings.
• Third-party applications for Windows and macOS.
• Off network, roaming workstations, including those workstations used by employees working from home.
• Resources running in Amazon Web Services, Microsoft Azure, VMware, and Google Cloud Platform (GCP) clouds.

BigFix patching also relies upon the following platform features and capability of the platform:

• Low CPU requirements – typically less than 2%.
• Network throttling – allows management of impact on high latency, low capacity network circuits.
• Pre-caching – reduces patch time with a specified maintenance window.
• Visibility of cloud endpoints – running in Azure, Google and Amazon.
• Up to 250,000 endpoints – from a single, root BigFix Enterprise Server.
• Distributed intelligence – moves decision-making and calculations to the endpoint rather than higher level in the infrastructure. An intelligent agent lowers network bandwidth consumption and requires a smaller server while speeding patch deployment, configuration and remediation.
• Flexible distribution points – provides a lot of flexibility in creating an effective but low cost infrastructure. In additional to dedicated relays, there are several other low cost options that may be useful for many organizations. BigFix Virtual Relays have lower resource and maintenance requirements, and are easy to deploy.  Non Dedicated relays allow BigFix functions across the enterprise by co-locating BigFix services on existing systems. And lastly, BigFix Peer Nest capability allows one BigFix agent can act as a subnet repeater in smaller offices and remote sites.
• Granular Administration and Control – BigFix allows granular control over when patches are deployed and when endpoints are rebooted. Many organizations implement a decentralized patch deployment process that allows central IT to develop, test patches and distribute patch content, enabling individual user groups or departments to decide when to deploy/install patches when it is convenient within a specified timeframe.

There are specific features and capabilities of BigFix Patch that cumulatively and routinely result in very high first pass patch success rates — often 98% or above. Higher first pass success rates mean shorter patch cycles, less remediation effort and an endpoint landscape that is secure.

Additional patch-specific features and capabilities are discussed below.

Automated Content Delivery

The BigFix team creates Fixlets using content provided by operating system and third-party application vendors to reduce windows of vulnerability. The BigFix content, called Fixlets, is made available on our cloud delivery servers. The BigFix Enterprise Server (BES) checks for new content once daily (or more frequently if configured to do so.) New site content is automatically downloaded so that BigFix can determine which Fixlet’s are relevant, eliminating wasted bandwidth for non-relevant content.

BigFix delivers critical patches within two business days after being released by the vendor, but usually much faster. The most critical patches are delivered first. The automated development and delivery of content to your BigFix environment, for all supported top-tier operating systems, results in faster notification and ability to patch vulnerabilities — reducing the window of vulnerability.

Automated Patching

Automated patching reduces the effort required by patch administrators and operators. By defining a patch policy and schedule, operators can automate patching. For example, a Windows Server Patch policy can be set up to only deploy critical patches, then overlay with a schedule that targets the Windows servers. Therefore, as soon as your BES server downloads the relevant content, patches are automatically deployed. Refreshing the policy takes a minute or less, every month.

In a production BigFix environment, administrators will use multiple schedules such as alpha, beta and production1 to ensure methodical testing, verification and patch deployment. If these automatic schedules are several days apart, IT operations can intervene to prevent problematic patches from being deployed. Otherwise, patches are deployed systematically and automatically saving time and effort. This is particularly important for small-to-medium organizations, where resources may be constrained.

Flexible Baselines

BigFix users can deliver multiple patches and configuration items together in a baseline, saving time and effort. You can also make a baseline a policy. When an endpoint falls out of specification to the baseline, BigFix will automatically apply the content again. Baselines deliver a more efficient and consistent security and patching posture.

Patch Installation Validation

Unlike many solutions on the market, BigFix validates that patches are successfully installed using the same criteria that made an endpoint eligible to receive the patch. This trusted method ensures patches are installed properly. Countless organizations have implemented BigFix because their existing patching solution incorrectly reported that patches were installed successfully, when they were not. This issue gives IT and Security organizations a false sense of security and increases the vulnerability of attack. Organizations need to be confident that their endpoint management solution is correctly reporting accurate patch status. BigFix provides users with that confidence.

No Additional Software Dependencies

BigFix has no dependency on WSUS, WMI, or Active Directory for Windows patching, which have been known to be problematic and unreliable. For RedHat Linux, BigFix also has flexibility to use either Satellite repositories or native BigFix content libraries. Additionally, with the BigFix packaging wizard, the cost of additional tools for packaging content is eliminated as well as additional points of failure or problems.

Ensuring Integrity of Content

The use of checksums ensures safe transmission of files between BigFix infrastructure components. Specifically, BigFix employs Secure Hashing Algorithms (SHAs), such as SH1 and SH256. When content is downloaded from cloud delivery servers, BigFix calculates the checksum of each file and compares it to the original checksum published by the software vendor. If both checksums match, BigFix deems the downloaded content to be secure. If not, this indicates data loss or alteration, which could mean file corruption – either accidental or intentional.

Rolling Back Deployments

With BigFix, rolling back or removing Windows patches is easy. After entering the Microsoft Knowledge Base (KB) number in the BigFix Rollback Wizard, the associated Fixlet is automatically created. For other operating systems and applications, it is easy to create a Fixlet to uninstall a patch or software deployment by using the vendor-supplied uninstall task within a Fixlet.

An Intelligent Supersedence Engine

The BigFix supersedence engine provides the intelligence that simplifies patch administration. BigFix knows which patch is superseded by another, reducing duplicate or unnecessary effort on the part of administrators and the patching solution. The BigFix supersedence engine improves targeting of relevant endpoints and patching effectiveness. In contrast, some patch tools require you to apply prior patches before you can deploy the latest patch, which unnecessarily increases effort and patch complexity.

BigFix Delivers Extraordinary Business Value

For all the reasons above, BigFix is a powerful and effective patch solution that reduces IT costs and complexity while reducing the likelihood of a security breach. HCL’s IT organization has already realized significant savings. BigFix is a cost-effective tool even when competing against so-called ‘free’ solutions. The HCL BigFix team has routinely helped organizations build their business case for BigFix using the Business Value Assessment (BVA) process.  This no-fee, collaborative process typically requires very little time to evaluate the impact of BigFix on an organization.

The quantifiable benefits include:

• Reduced Software Spend
• Reduced IT Infrastructure Complexity and Costs
• Improved Quality of Endpoint Information
• Reduced Cost of Compliance Management
• Reduced Patch Remediation Effort
• Simplified Software and Operating System Deployment
• Security Risk Avoidance
• Reduced Data Breach Costs

Join others who have optimized their patch management processes, slashed costs, reduced IT complexity, and improved their security posture using BigFix. Learn more at BigFix.com.