Intelligence Use Case: Vulnerability Management and Remediation
Zero-day vulnerabilities have, unfortunately, become increasingly common. Like it or not, we have grown far too familiar with dropping everything we are doing and spending hours, if not days, with all hands on deck fending off new exploits by bad actors.
Vulnerability Management and Remediation
Recognizing this challenge, VMware lifts much of that weight with its out-of-the-box Vulnerability Management solution. The solution is built on top of Workspace ONE Intelligence and uses its core capabilities of Reports, Dashboards, and Automations to help you proactively manage potential vulnerabilities in your environment. It does this by correlating published vulnerability data (CVE identifiers and CVSS scores) with device data from Workspace ONE UEM to evaluate which devices are exposed.
At the time of this writing, the Vulnerability Management solution within Intelligence supports the Windows and iOS platforms. (macOS is coming later this year.) Although it does not cover every device platform yet, it is still an immensely powerful tool. Because this series is focused on mobile devices, I will focus on iOS in this post.
There are three parts to this solution — SLA definition, vulnerability monitoring, and vulnerability remediation.
Service-Level Agreements (SLAs), in this context, define how quickly we must remediate vulnerabilities at each level of severity. The solution lets you define these SLAs to match your security policy: for each CVSS score range, you set a target percentage of devices patched and a remediation timeframe, as seen in the screenshot below. The CVSS v3 qualitative scale (Critical 9.0 to 10.0, High 7.0 to 8.9, Medium 4.0 to 6.9, Low 0.1 to 3.9) is a sensible starting point for the ranges. Keep in mind that a CVSS base score rates intrinsic severity, not whether an exploit is actually circulating, so treat the timeframe as a ceiling and tighten it when a CVE is known to be exploited. These targets feed the security health visualization of your patching progress.
Figure: SLA definition found under Solutions > Vulnerability Management > Settings
The second part is vulnerability monitoring. The solution ships with built-in dashboards we can use to identify available updates and vulnerable devices, and to observe patch install status trends. This lets us take further action as soon as we see that our remediation effort is not going to meet the SLA target. This is what the dashboard for iOS devices looks like.
Figure: Built-in vulnerability management dashboard for iOS (1)
Figure: Built-in vulnerability management dashboard for iOS (2)
Lastly, we have vulnerability remediation. For this, we use Workspace ONE Intelligence Automations. Based on the CVSS score, we can build a workflow that acts as a compliance policy engine: when a device is found to be vulnerable (for example, exposed to a CVE with a CVSS score above a defined threshold), the workflow can remove resources, apply restrictions, notify the user, or push out the latest OS update. Because the trigger is a score threshold rather than a specific CVE, newly published CVEs that meet the threshold are picked up automatically, so the OS update for each new vulnerability goes out without anyone editing the workflow.
Here is an example of how we can schedule the latest OS update on iOS devices that are vulnerable to CVEs with CVSS scores higher than 9.8. (CVSS scores top out at 10.0, so check that the comparison operator and threshold match the severity band you intend: a strict "higher than 9.8" does not match a CVE scored exactly 9.8.)
Figure: Example of an automation workflow targeting devices susceptible to high CVSS score
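To make the three parts concrete, here is a small model of the logic the SLA settings, dashboard, and automation workflow apply, written as an added example for this post rather than code from VMware or from Workspace ONE Intelligence. It assumes a set of SLA bands like the ones an admin would enter under Settings, compares device OS versions against the version that fixes each CVE, reports per-CVE SLA state (met, open, breached), and selects the devices an automation would push the OS update to for a given CVSS threshold. The CVE IDs, fixed-in versions, device records, and the "as of" date are constructed placeholders, not real advisories.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# SLA bands an admin might enter under Solutions > Vulnerability Management > Settings.
# The values are assumed; the band edges follow the CVSS v3 qualitative severity scale.
# (name, min_score, max_score, required_patched_pct, days_to_remediate)
SLA_BANDS = [
    ("Critical", 9.0, 10.0, 95.0, 7),
    ("High", 7.0, 8.9, 90.0, 14),
    ("Medium", 4.0, 6.9, 80.0, 30),
    ("Low", 0.1, 3.9, 70.0, 90),
]


@dataclass(frozen=True)
class Cve:
    cve_id: str      # placeholder ID, not a real CVE
    cvss: float      # CVSS base score
    published: date  # advisory publication date; the SLA clock starts here
    fixed_in: str    # first OS version that contains the fix


@dataclass(frozen=True)
class Device:
    udid: str
    os_version: str


def version_key(version):
    """Turn '17.3.1' into (17, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def band_for(score):
    """Return the SLA band whose score range contains this CVSS score."""
    for band in SLA_BANDS:
        _, low, high, _, _ = band
        if low <= score <= high:
            return band
    raise ValueError(f"CVSS score out of range: {score}")


def is_vulnerable(device, cve):
    """A device is exposed while it runs anything older than the fixing version."""
    return version_key(device.os_version) < version_key(cve.fixed_in)


def sla_status(cve, devices, today):
    """Per-CVE view of what the dashboard shows: patched %, due date and SLA state."""
    name, _, _, target_pct, days = band_for(cve.cvss)
    vulnerable = sorted(d.udid for d in devices if is_vulnerable(d, cve))
    patched_pct = round(100.0 * (len(devices) - len(vulnerable)) / len(devices), 1)
    due = cve.published + timedelta(days=days)
    if patched_pct >= target_pct:
        state = "met"
    elif today > due:
        state = "breached"
    else:
        state = "open"
    return {"cve": cve.cve_id, "band": name, "patched_pct": patched_pct,
            "due": due, "state": state, "vulnerable": vulnerable}


def remediation_targets(cves, devices, threshold):
    """Devices an automation would push the OS update to: any device exposed to a CVE
    scored at or above the threshold. '>=' is used deliberately, because CVSS tops out
    at 10.0 and a strict '>' would skip CVEs scored exactly at the threshold."""
    return sorted({d.udid for c in cves if c.cvss >= threshold
                   for d in devices if is_vulnerable(d, c)})


# Constructed sample data: placeholder CVE IDs, invented fixed-in versions and devices.
CVES = [
    Cve("CVE-0000-0001", 9.8, date(2024, 3, 1), "17.4"),
    Cve("CVE-0000-0002", 6.5, date(2024, 3, 6), "17.4.1"),
    Cve("CVE-0000-0003", 7.5, date(2024, 1, 15), "17.2"),
]
DEVICES = [
    Device("d1", "17.4"),
    Device("d2", "17.3.1"),
    Device("d3", "17.4.1"),
    Device("d4", "17.2"),
    Device("d5", "17.4"),
]
TODAY = date(2024, 3, 10)  # constructed "as of" date for the report

if __name__ == "__main__":
    for cve in CVES:
        print(sla_status(cve, DEVICES, TODAY))
    print("push OS update to:", remediation_targets(CVES, DEVICES, 9.0))
```

With the sample data, the 9.8 CVE is already breached (60% patched against a 95% target, two days past its 7-day window), the 6.5 CVE is open, and the 7.5 CVE is met because every device already runs a fixed build. Lowering the automation threshold from 9.0 to 4.0 widens the update push from two devices to four, which is the trade-off the threshold in the workflow controls.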
Keep an eye out for the next post in this series, Intelligence Use Case: Risk Analytics for Mobile Devices.