Security Workspace ONE Intelligence

Operationalize threat data for Zero Trust Security with Workspace ONE Intelligence

One of the top priorities for many of our customers is implementing a Zero Trust security strategy.

VMware Workspace ONE Intelligence delivers integrated visibility, analytics, and automation for the Workspace ONE platform, and it can help customers operationalize Zero Trust in a variety of ways, such as:

  • Monitoring and visibility
  • Integrating security data from other products through the Workspace ONE Trust Network
  • Operationalizing threat data through automations
  • And watching specific triggers and computing a risk score

Let’s look a bit closer at each of these.

Monitoring and visibility

Workspace ONE Intelligence enables customers to monitor their environments for anomalous security and performance-related metrics and build automations to proactively correct issues as they arise. As shown below, one is able to view risk trends over time as well as drill down into individual systems to determine risk causality. 

Trust Network

In addition to collecting data from across the Workspace ONE Platform – including Workspace ONE UEM and Workspace ONE Access – the data within Workspace ONE Intelligence can be augmented through integration with various partners in our Trust Network.

VMware Carbon Black also uses the Trust Network to integrate with Workspace ONE. The screenshots below demonstrate two widgets measuring Carbon Black Threat Count and Threat Type in Workspace ONE Intelligence.

Operationalizing threat data with automation

You can operationalize this data so that when high-severity malware tagged as ransomware is detected by Carbon Black, an automation is configured to quarantine the system (using Carbon Black), send a Slack message alerting the SOC of the issue, create a ServiceNow ticket, and to use Workspace ONE UEM to tag and quarantine the offending device. See this example in the image below.

Risk Analytics

To further enrich the proactive nature of anomaly detection within the ecosystem, the capability of dynamically calculated device and user risk scores has been overlaid overtop of the Workspace ONE dataset. In the table below, you can see the metrics currently implemented within the platform to determine device and user risk.

Risk Indicator   Description   Risk
Anomalous Alert ActivityA device that produces an unusual number, type, or severity of Carbon Black alerts.An unusual number, type, or severity of threat alerts is an indication of a potentially compromised device.
App CollectorA person who installs an unusually large number of apps.Any app can include known or unpatched vulnerabilities and these vulnerabilities can become attack vectors. The surface area for cyber-attacks increases with the number of apps on the device.
Compulsive App DownloadsA person who installs an atypical number of apps in a short period of time.Users frenetically installing unusual apps on their devices have a greater risk of being a victim of malicious activity. Some apps disguise themselves as useful, friendly, or entertaining, when in fact they want to harm the user. Marketplace approaches to filtering unsafe content (malware) vary from vendor to vendor. A careless user can get tracked, hacked, or conned.
Excessive Critical CVEsA device with an excessive number of unpatched critical CVEs (Common Vulnerability Exposure).The greater the number of critical CVEs present on a device, the larger the device’s attack surface.
Laggard UpdateA person who sluggishly updates the device OS or who refuses to update at all.Ignoring software updates can make a device vulnerable to attack and increases the risk of being compromised.
Persistent Critical CVEsA device with one or many critical CVEs (Common Vulnerability Exposure) remaining unpatched after the majority of eligible devices in the organization were patched.The greater the number of critical CVEs present on a device, the larger the device’s attack surface.
Rare App CollectorA person who installs an unusually large number of rare apps.Unlike widely used apps, rare ones are of questionable provenance and have a greater chance of having malware or security vulnerabilities.
Risky Security SettingA person who owns one or many devices and has explicitly disabled security protection features or has devices explicitly declared lost.Disabling security measures on a device increases the risk of being compromised.
Unusual App DownloadA person who has recently installed unusual apps.Apps can disguise themselves as useful, friendly, or entertaining, when in fact they want to harm the user. Marketplace approaches to filtering unsafe content (malware) vary from vendor to vendor. A careless user can get tracked, hacked, or conned.

The metrics outlined above are collected daily, normalized, and the outliers are assigned a heightened Risk Score. This Risk Score represents a completely dynamic, statistical approach to determining drift that is specifically tailored to your environment. The power of these Risk Scores can be seen when it comes to reporting and automation.

Learn More

To learn more about how risk scoring works, see the Risk Score documentation. Stay tuned to the EUC Blog and Tech Zone for more on newly released features, exciting security use cases, as well as what we have planned next for operationalizing security through Workspace ONE Intelligence.