VMware Workspace ONE’s Support of CVE Remediation
Helping Industry & Government Reduce the Risk of Cyber Attacks
VMware Support for MITRE / NIST CVSS
With the increase in cyber threats, organizations need to ensure their systems are secure and up to date. The National Institute of Standards and Technology (NIST) provides a comprehensive framework for managing and mitigating cybersecurity risk through its National Vulnerability Database (NVD). As part of this framework, the Common Vulnerabilities and Exposures (CVE) list from MITRE catalogs known vulnerabilities that attackers can exploit. VMware Workspace ONE provides a comprehensive solution for organizations to manage and remediate CVE vulnerabilities.
The CVE program was developed by MITRE to enable rapid data correlation about a vulnerability across multiple CVE-compatible information sources. For example, if you own a security tool whose reports contain references to CVE IDs, you can look up fix information for those IDs in a separate CVE-compatible database.
So what’s the correlation between the two? CVE and NVD are two separate programs:
- CVE - A list of records each containing an identification number, a description, and at least one public reference for publicly known cybersecurity vulnerabilities. CVE Records are used in numerous cybersecurity products and services from around the world, including NVD.
- NVD - A vulnerability database built upon and fully synchronized with the CVE List so that any updates to CVE appear immediately in NVD.
- Relationship - The CVE List feeds NVD, which builds upon the information in CVE Records to provide enhanced information for each record, such as fix information, severity scores (for example Common Vulnerability Scoring System (CVSS) scores), and impact ratings.
While separate, both CVE and NVD are sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and both are available to the public and free to use by the public and private sectors.
VMware Workspace ONE CVE Solution Overview
To support remediation of CVEs within their own environment, customers can leverage the Vulnerability Management feature as an alternative to the Vulnerabilities security risk module. The solution gathers vulnerability data, trend widgets, and CVE lists for your managed Windows devices into a single workspace.
Vulnerability Management combines and displays information from Workspace ONE UEM and from third-party services that report security data, to help you:
- Find vulnerabilities reported by the National Institute of Standards and Technology (NIST)
- See what CVEs impact your devices that are managed by Workspace ONE UEM
- View lists of applicable CVEs and read the CVE explanation cards
- For each CVE, find what devices are impacted, the event's CVSS score, NIST articles, and vendor advisories
Automating Patch Remediation Based on CVE
VMware’s Security Risk analysis provides visibility into all vulnerabilities, correlating vendor KBs with CVE and CVSS into a unified view to help you to make decisions based on real-time information. In addition, with VMware Workspace ONE you can remediate those vulnerabilities through automation and create dashboards to monitor the remediation.
The Vulnerabilities dashboard provides visibility into the impact of vulnerabilities that are reported through CVEs and correlated to the existing patches on each of your managed devices.
What Are SLAs?
SLAs help you prioritize patch installations and the Knowledge Base (KB) articles that deliver them. Depending on the security protocols set by your organization, you can set the priority for installing patches according to the CVSS score.
For example, if your organization considers CVSS scores from 4.4 to 6.5 as high risk but not critical to the health of your device deployment, you can configure an SLA that commits to remediating 50% of the devices impacted by a CVE scored in the 4.4 to 6.5 range within 5 days. You can change the CVSS ranges on the range slider if the default ranges do not match your organization's security protocols. Workspace ONE Intelligence uses the SLA configuration to visualize patching progress in the SLA Patch Target widget of every CVE.
Dashboards in Intelligence
Customers can use dashboards in Workspace ONE Intelligence to view and interact with their Workspace ONE data. By enabling Workspace ONE UEM Reports in Workspace ONE UEM with an Intelligence admin role, customers can access and use dashboards of various types, including: My Dashboard, Security Risk, Apps, Devices, and OS Updates.
Security Risk Dashboard
To view device security and events in relation to CVEs from your Workspace ONE UEM environment, a customer can use the Security Risk dashboard. It presents several key elements within the Security Risk module:
- Threats
  - The Threats tab displays events identified by your Workspace ONE UEM compliance engine as compromised.
  - It also displays and aggregates events reported by your Trust Network services in the Threats Summary module.
- Policy Risks
  - The Policy Risks tab displays events identified by your Workspace ONE UEM compliance engine that do not comply with configured policies.
  - Events include devices with no passcode and devices that are not encrypted.
- Vulnerabilities
  - The Vulnerabilities tab combines and displays information from third-party security reporting services and from the Workspace ONE UEM environment that manages your Windows devices.
  - It displays vulnerabilities reported by NIST.
  - It also ties the applicable CVEs to the impacted Windows devices managed by Workspace ONE UEM.
  - Navigate through the CVE explanation cards to find out which devices are impacted, the event's CVSS score, NIST articles, and Microsoft advisories.
  - You can use the Vulnerability Management feature in Solutions to interact with this data.
  - The solution offers more features, such as the ability to configure Service Level Agreements (SLAs) to track the progress of patching devices. You can view the KB Install Trend widget to identify the status of KB installations for CVEs. For details, access Solutions.
- Devices
  - The Devices tab displays risk scores for devices managed in your Workspace ONE UEM environment.
  - Select the tab to see device risk scores (reported as High, Medium, or Low), risk indicators, and to select single devices for analysis.
Identifying Vulnerabilities Example on a Managed Windows Device
To identify and manage vulnerabilities related to CVEs, a customer can use the Vulnerabilities dashboard to see a list of vulnerabilities, retrieve details on them, and search for and explore CVE details. The example below shows Workspace ONE Intelligence identifying vulnerabilities on a managed Windows device; within this dashboard, the Vulnerabilities view lists the vulnerabilities and lets you drill into each one and explore its CVE details:
Figure 1: Workspace ONE Intelligence Vulnerability Dashboard
From here, an administrator can further review Vulnerable Devices based on CVSS Score. This chart helps prioritize patches by the number of devices impacted: in this environment, most of the vulnerable devices are associated with patches for CVEs scored 9.3. Based on this, the IT administrator can decide to patch those devices first and minimize the security risk in the environment.
Figure 2: Workspace ONE Intelligence Vulnerability Dashboard
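As an added illustration of the SLA rule described above (50% of devices in the 4.4 to 6.5 band within 5 days) and of the per-CVSS-score device count shown in Figure 2, the following Python is example code written for this article, not part of Workspace ONE Intelligence. The device names, the CVE IDs and the second (critical-band) SLA rule are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    device: str
    cve: str
    cvss: float
    patched_on_day: "int | None"  # days after exposure the KB was installed; None = still vulnerable

# SLA rules as (low, high, target share, days): the article's 4.4-6.5 example, plus an assumed critical-band rule.
SLA_RULES = [(4.4, 6.5, 0.50, 5), (9.0, 10.0, 0.90, 3)]

def sla_for(cvss):
    # Return (target_share, days) for the band containing cvss, or None if no band matches.
    for low, high, share, days in SLA_RULES:
        if low <= cvss <= high:
            return share, days
    return None

def sla_status(findings):
    # Per CVE: share of impacted devices patched inside the SLA window, and whether the target is met.
    by_cve = {}
    for f in findings:
        by_cve.setdefault(f.cve, []).append(f)
    report = {}
    for cve, group in by_cve.items():
        rule = sla_for(group[0].cvss)
        if rule is None:
            continue  # score falls outside every configured band
        share, days = rule
        on_time = sum(1 for f in group if f.patched_on_day is not None and f.patched_on_day <= days)
        ratio = on_time / len(group)
        report[cve] = {"patched_in_sla": round(ratio, 2), "target": share, "met": ratio >= share,
                       "still_vulnerable": sum(1 for f in group if f.patched_on_day is None)}
    return report

def vulnerable_devices_by_cvss(findings):
    # Unpatched device count per CVSS score, largest first (the Figure 2 prioritisation chart).
    return Counter(f.cvss for f in findings if f.patched_on_day is None).most_common()

# Constructed sample data; the CVE IDs are placeholders, not real records.
SAMPLE = [
    Finding("ws-01", "CVE-XXXX-0001", 9.3, None),
    Finding("ws-02", "CVE-XXXX-0001", 9.3, None),
    Finding("ws-03", "CVE-XXXX-0001", 9.3, 4),   # patched, but after the 3-day window
    Finding("ws-01", "CVE-XXXX-0003", 5.5, 2),
    Finding("ws-02", "CVE-XXXX-0003", 5.5, 3),
    Finding("ws-03", "CVE-XXXX-0003", 5.5, 7),   # patched, but after the 5-day window
    Finding("ws-04", "CVE-XXXX-0003", 5.5, None),
]
```

Running `sla_status(SAMPLE)` shows the 5.5 CVE meeting its 50% target while the 9.3 CVE misses its window, and `vulnerable_devices_by_cvss(SAMPLE)` ranks the 9.3 score first, mirroring the chart.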
Workspace ONE Intelligence Vendor Vulnerability Support
Additionally, Workspace ONE Intelligence can produce vulnerability category reports per vendor, built from the base information in the CVE and NVD sources, for the macOS, iOS, and Windows platforms:
Figure 3: Workspace ONE Intelligence CVE & NVD Vulnerabilities Categories per Vendor
How can Workspace ONE support NIST CVE Remediation?
Automation in Workspace ONE Intelligence uses numerous parameters that trigger a workflow, and you can customize the workflow to act on scenarios unique to your Workspace ONE environment. Workspace ONE further supports vulnerability management through an automated process that pushes the patches associated with a CVE to the impacted devices; you can then monitor that process in the logs for each Knowledge Base (KB) article shown on the high-score bar, which yields a list of patches and the correlated impacted devices for the CVSS score range previously selected. Under defined conditions, Workspace ONE Intelligence provides real-time visibility into those impacted devices and dynamically searches for all patches (KBs) associated with the CVE.
Automating Patch Remediation Based on CVE
Security Risk analysis provides visibility into all vulnerabilities, correlating vendor KBs with CVEs and CVSS scores into a unified view that helps an admin make decisions based on real-time information. In addition, admins can remediate those vulnerabilities through automation and create dashboards to monitor the remediation.
By leveraging Workspace ONE, organizations can keep their systems protected against the known vulnerabilities identified in the National Vulnerability Database (NVD), helping to mitigate cyber risk and protect critical assets. The Vulnerabilities dashboard provides visibility into the impact of vulnerabilities reported through Common Vulnerabilities and Exposures (CVEs), correlated to the existing patches on each of your managed devices, including:
- Using reports to gain insights into CVEs
- Using dashboards to visualize related data and enforce device compliance based on CVEs
- Automating patch remediation for those CVEs