Empowering employees by providing them access to any app on any device is key to the success of every company. But at the same time, protecting the organization from cyber security attacks is a growing challenge as apps can run anywhere – cloud, on-premises, mobile – and employees access them from any device, anywhere. Organizations are slowly embracing the Zero Trust security model to ensure enhanced employee experience and productivity without compromising security. One of the things that is central to Zero Trust is the ability to constantly monitor and verify risk before granting access to the network and other enterprise resources.
After first announcing it at VMworld 2019, today we are thrilled to bring Risk Analytics in Workspace ONE Intelligence to market and make it generally available. Customers can now continuously verify risk score for every user, leveraging machine learning techniques.
What is Risk Analytics?
Risk Analytics in Workspace ONE Intelligence is a risk scoring capability that analyses user behavior and device posture before calculating a risk score for all devices and users in the system. Admins can then leverage the user risk score to set policies for conditional access to apps and data. Using Intelligence’s powerful Automation Engine, admins can also automate actions such as updating OS, patch deployment, updating risky device security protections etc. to increase overall security.
How does it work?
By analyzing data from multiple sources, such as Workspace ONE UEM for device compliance and Workspace ONE Access for user identity, and applying machine learning capabilities, Risk Analytics first calculates a baseline for a normal level of risk for each use based on historical data, and then constantly looks for anomalies. Behavior anomalies can be detected based on user activity and device context and are compared to both the user’s baseline and to other users in the organization. When a user behavior deviates from the baseline, Risk Analytics will raise the risk score until the user behavior is back to normal. Here are some examples for anomalies we look for:
• Laggard OS update – the user keeps postponing OS update beyond what’s normal in the organization (based on what most users do)
• Risky Settings – the device security protections posture (turned on/off)
• Compulsive App Download – the number of apps that are being downloaded in a period of time
• Rare App Collector – the type of applications that are being downloaded, rare apps might impose a risk
Risk Analytics analyses all this data and calculates a risk for each user:
Low – trustworthy – little potential to introduce threat to the network and internal resources
Medium – moderate – potential to introduce threat to the network and internal resources
High – least trustworthy – high potential to introduce threat to the network and internal resources
Three most common use cases
Let’s take a look at how customers leverage Risk Analytics to enhance the security posture in their organization:
• Enable conditional access – define policies using risk score to apply the right access controls when a user tries access to the network. For example, if the user risk score is low – allow access, medium – ask for MFA (multi-factor authentication, for example with RSA Secure ID or VMware Verify), and high – deny access.
• Warn users with notifications – in the case of a laggard OS update for example, automate notifications to users asking them to update their OS version. If the user continues to ignore the update, send a firmer request, and finally, enforce the OS update. Another example is to warn users about security protections (i.e., their encryption is turned off). These notifications can be sent through the Workspace ONE Intelligent Hub UI, out-of-the-box integration with Slack, or via email. You can also introduce other internal or 3rd party tools (assuming they support REST APIs) using Intelligence’s Automation Connectors
• Assign users to training – when you notice a user often has devices that are out of compliance, a training might be needed.
By analyzing user behavior and device context, Risk Analytics enables you to detect suspicious behavior, curb compromised or incompliant devices and protect your environment from potential malware. As we build the capabilities of Risk Analytics, we look forward to bringing to you more integrations with different technologies from VMware and our partners to unlock new use cases that can be executed seamlessly. Risk Analytics is a big part of the Zero Trust Story and will continue to strengthen it.
To learn more about the Zero Trust journey, check out our website for Zero Trust Security for the Digital Workspace.