Intelligence Use Case: Risk Analytics for Mobile Devices
Risk Analytics for Mobile Devices
Another built-in, out-of-the-box security solution available in Workspace ONE Intelligence is Risk Analytics. Like Vulnerability Management, this solution is built on top of Workspace ONE Intelligence as it harvests data from Workspace ONE UEM (and, optionally, Workspace ONE Access) and derives more information from it. With the UEM data, Workspace ONE Intelligence can identify potentially anomalous and high-risk behaviors on devices, allowing us to proactively mitigate potential threats to your environment.
Multiple behaviors affect the Risk Score. For example, we look at users' application download behavior and check whether they download any obscure or questionable applications. VMware Docs contains a great description of the Risk Scoring concept, including additional details on the different risk indicators by platform and ownership type, as well as how the score is calculated.
Risk Analytics Dashboards
To visualize our overall Device Risk Scoring, a built-in dashboard is available for you. This can be found under Intelligence Dashboard > Security Risk Dashboard > Devices tab, as seen here in the following screenshot. This dashboard shows you the historical data of the devices with a high-risk score, broken down by different risk indicators. (Note that one device can have more than one high-risk indicator.)
Figure: Built-in Risk Analytics historical dashboard aggregated by Risk Indicator
Figure: Custom Risk Analytics dashboard, built by me!
Now that we can visualize devices and users who are high-risk, our next step is to act against them. We can do that through…you guessed it…Workspace ONE Intelligence Automation. I alluded to this earlier in the first security use case (#5). We can use the Automation workflow to create a Compliance Policy based on the Risk Score data. Here are a few ideas you can explore for devices with a high risk score:
- Send the Security team and/or user notification through , , or email, alerting them to take corrective action.
- Open an incident, alerting the help desk team to reach out to the end-user to mitigate the issue.
- Tag devices in Workspace ONE UEM as High Risk, triggering additional workflow in UEM or Intelligence, e.g., moving them to a quarantine organization group, installing a new background image indicating that the device is a high-risk device, etc.
- Schedule an OS update (only for supervised iOS devices) if the Risk Score Indicator is Laggard Update.
Figure: Example of an automation workflow targeting devices with a high risk score
With the Workspace ONE Access integration, Risk Score can also be used to manage user access through Workspace ONE Access’s Conditional Access Policy. Risk Score can be used as another criterion — requiring devices and/or users with higher risk to perform additional layers of authentication or simply denying access to your sensitive resources.
This video dives into more details on how Risk Analytics works, including the integration with Workspace ONE Access and how you can use Risk Scoring in the Conditional Access Policy flow.
To summarize, Risk Analytics is a low-effort, high-reward out-of-the-box solution that will add value to your security setup without any additional integration. (Workspace ONE Access integration is optional.) The risk score data has already been calculated for you. You can fully leverage this solution through the built-in risk scoring dashboard for visualization, along with your defined Compliance actions for high-risk devices to mitigate potential threats in your environment.