Earlier this year we introduced Risk Analytics in Workspace ONE Intelligence. Risk Analytics delivers device and user risk score based on user behavior and device context and empowers our customers to implement risk based conditional access as part of their Zero Trust journey. Most recently, we added two new risk indicators, based on CVE data.
Tracking and patching CVEs (Common Vulnerabilities and Exposures) is an essential component of any security risk mitigation strategy. With more than an average of 1,000 CVEs being discovered every month, this is a daunting task for organizations managing a large fleet of endpoints, including desktop and mobile devices.
A typical security procedure includes monitoring every new published CVE, determining which devices are affected, and patching them in a timely manner. The fast identification of vulnerable assets is critical; nevertheless, it’s still the halfway point of the patching workflow; and IT admins usually commit to the MTTP (Mean Time to Patch) as a key SLA metric to measure their efficiency.
Researchers have found that, on average, it can take 60 to 150 days to patch a vulnerability. That’s enough time for determined attackers to mount a sophisticated, multilayered breach that remain hidden until the infosec team notices suspicious activity and starts taking actions.
IT teams can leverage Workspace ONE Intelligence to streamline CVE patching and maintain maximum hygiene using automation and remote endpoint management capabilities. Workspace ONE Intelligence enables users to:
• Automatically report vulnerable devices
• Define which update is required to fix specific vulnerabilities
• Prioritize patch deployment across the enterprise (e.g., deployment ring)
• Remotely deploy KB, OS update, and patches on endpoints
(For a specific example, read Andreano Lanusse’s article describing how to prevent ‘Bad Neighbor’ Vulnerability that Affects Windows 10 Systems Using Workspace ONE.)
The actions listed above are necessary, but not enough. The reality is that most organizations find it challenging to manage endpoint OS updates. And even in an organization with the most efficient and automated patching method, there are always devices slipping through the cracks. It isn’t easy to get every patch right, on every device, every time. For example, endpoints could be unreachable for an extended period or not have sufficient resources (memory, bandwidth, etc.) to download and apply the update. Assuming that all technical roadblocks are cleared, the end-user can always interfere in the process by preventing or delaying system reboots.
In practice, we hear from our customers that there are on average five devices for every 1,000 devices with an excessive number of critical CVEs, and an average of twelve devices for every 1,000 devices with at least one persistent critical vulnerability – a high severity vulnerability that is not patched even after the patching campaign has been completed.
To address these gaps and help our customers reduce overall attack surface, we are adding two new risk indicators to the Device Risk Score calculation in Workspace ONE Intelligence Risk Analytics: Persistent Critical Vulnerabilities and Excessive Critical Vulnerabilities.
Persistent Critical Vulnerability
In a typical CVE management scenario, the patching campaign is driven by a SLA to patch a large majority (e.g., 90%) of devices within a certain amount of time. However, measuring the campaign’s progress can be a very enduring task, as not all devices are scanned simultaneously on the first day of the CVE release. It can take days or weeks to scan the entire endpoint fleet.
For example, in the animation below, the percentage of patched devices for a given day fluctuates based on the total number of scanned devices over time. Arithmetically, when new devices are scanned, the rate of fixed devices decreases.
The Persistent Critical Vulnerability risk indicator aims to identify those devices that are missing a critical patch for a more extended period than other similar devices in the organization. This risk indicator contributes to the overall Risk Score of devices.
Example of CVE patching campaign timeline
Excessive Critical Vulnerabilities
The goal for this risk indicator is to identify devices that accumulate multiple critical CVEs on a device; despite a rigorous vulnerability management strategy, it’s not unusual to find some devices with a significantly larger number of critical CVEs compared to other devices.
For example, there are a few devices with up to eight critical vulnerabilities in our reference environment (see chart below). Those devices represent a significant risk for the organization, so Workspace ONE Intelligence tags them as “Excessive Critical Vulnerabilities.” Similar to “Persistent Critical Vulnerability,” this risk indicator also contributes to the overall risk score of devices.
Example of distribution of open critical CVEs per devices
At the end of this post, you can see an example of the Workspace ONE Intelligence console displaying CVE-based Risk Indicators. For more about these new risk indicators, we have posted a more detailed video on the EUC channel.
With Workspace ONE Intelligence and those new risk indicators, IT teams can adjust their priorities and focus their patching effort toward the most vulnerable devices. More broadly, risk scores are also used in conditional access policy as criteria to dynamically determine each access request in real-time. For example, when coupled with Workspace ONE Access, organizations can strengthen their security by assuming a zero-trust policy to limit access to high-value assets depending on the device’s vulnerabilities at the time.
To learn more about Risk Analytics, see the Workspace ONE Intelligence documentation.
Screenshot of the Workspace ONE Intelligence console displaying CVE-based Risk Indicators.