How VMware IT Employs Login Risk Scoring to Stop Threats Dead 

by: VMware Digital Experiences Director Robert Coggins and VMware Security Experiences Sr. Manager Marcus Newson

If a threat actor can breach the enterprise ecosystem via a false or stolen login, any number of tragic consequences can occur. The key is to stop the breach before it even begins, at the login stage. The trouble is that traditional methods of preventing login breaches only go so far, especially in the era of automation and machine learning (ML), where a microsecond can make a huge difference in security.

One of the best ways to stop login threats before they start is to assign risk scores: analytics based on user and device actions and behaviors. Devices can include iOS and Android mobile devices and Windows and macOS desktops, whether corporate dedicated, corporate shared, or employee owned (known as bring your own device, or BYOD).

VMware IT uses VMware Workspace ONE® Intelligence risk scores based on data from VMware Workspace ONE® Access™. The scores are determined by a user’s location, anomalies and/or risky behavior (as defined by corporate policies) using both automation and ML. For example, a user who only logs in onsite, yet suddenly logs in from Europe, would immediately be flagged, versus a traveling user who frequents Europe for business trips. The model is constantly learning patterns and can adjust to long-term behavior changes, such as an employee switching from onsite to fully remote. 

Workspace ONE Intelligence assigns each login request a risk score of low, medium, or high. This is similar to the risk scores the system generates for other potential threats, such as persistent critical common vulnerabilities and exposures (CVEs) and unusual app downloads.

The risk scores are defined as follows: 

High 

A great potential to introduce threats and vulnerabilities to the network and internal resources. This level is the least trustworthy. 

Medium 

A moderate potential to introduce threats and vulnerabilities to the network and internal resources. 

Low 

Little potential to introduce threats and vulnerabilities to the network or internal resources. This level is the most trustworthy. 

Scores are updated in real time, so the platform always has the latest login data for each user. There is a one-month ‘grace period’ for each user during which the system employs ML to formulate patterns of login behavior consistent with corporate policies. The software returns a low risk score for this period.
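
To make the onsite-versus-traveler example and the grace period concrete, here is a simplified location-frequency scorer, added as an illustration; it is not Workspace ONE Intelligence's model or VMware code. The 90-day look-back window, the 10% rarity cut-off, the user and location names, and the sample logins are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

GRACE = timedelta(days=30)   # the one-month grace period described above
WINDOW = timedelta(days=90)  # assumed look-back, so old habits age out
RARE = 0.10                  # assumed cut-off for a "rarely used" location

class LoginRiskScorer:
    """Toy per-user location-frequency model (not Workspace ONE's algorithm)."""

    def __init__(self):
        self.history = defaultdict(list)  # user -> [(time, location), ...]

    def score(self, user, when, location):
        """Return 'low', 'medium' or 'high' for this login, then record it."""
        past = self.history[user]
        level = self._level(past, when, location)
        past.append((when, location))
        return level

    @staticmethod
    def _level(past, when, location):
        # Grace period: the pattern is still being learned, so report low.
        if not past or when - past[0][0] < GRACE:
            return "low"
        recent = Counter(loc for t, loc in past if when - t <= WINDOW)
        seen, total = recent[location], sum(recent.values())
        if seen == 0:
            return "high"    # location absent from recent behaviour
        return "medium" if seen / total < RARE else "low"

def demo():
    """Replay constructed logins: one per day for 60 days, then probes."""
    start, s = datetime(2024, 1, 1), LoginRiskScorer()
    out = {"grace": s.score("onsite", start, "office")}
    for d in range(1, 60):
        s.score("onsite", start + timedelta(days=d), "office")
        # Constructed traveler: every fourth login is from Europe.
        s.score("traveler", start + timedelta(days=d), "europe" if d % 4 == 0 else "office")
    day60 = start + timedelta(days=60)
    out["onsite_in_europe"] = s.score("onsite", day60, "europe")
    out["traveler_in_europe"] = s.score("traveler", day60, "europe")
    # Constructed long-term change: the onsite user now logs in from home daily.
    out["home"] = [s.score("onsite", day60 + timedelta(days=d), "home") for d in range(1, 12)]
    return out

if __name__ == "__main__":
    print(demo())
```

In the replay, the onsite-only user's first European login scores high while the frequent traveler's scores low, and the daily home logins move from high through medium to low as the new pattern accumulates in the window.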

There’s a lot more to this topic than is presented here. That’s why we encourage you to contact your account team to schedule a briefing with us. No sales pitch, no marketing. Just straightforward peer conversations revolving around your company’s unique requirements. 

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. To learn more about how VMware IT uses VMware products and technology to solve critical challenges, visit our microsite, read our blogs and IT Performance Annual Report and follow us on SoundCloud, Twitter and YouTube. All VMware trademarks and registered marks (including logos and icons) referenced in the document remain the property of VMware.