Meeting Security SLAs Through Intelligent Patch Automation: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, learn how VMware Workspace ONE® Intelligence™ provides visibility into managed Windows 10 devices and the security risks associated with each device.

Security Risk analysis provides visibility into all vulnerabilities, correlating Microsoft KBs with Common Vulnerabilities and Exposures (CVE) identifiers and Common Vulnerability Scoring System (CVSS) scores into a unified view, so that you can make decisions based on real-time information. In addition, learn how to remediate those vulnerabilities through automation and how to create dashboards to monitor the remediation.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® UEM and VMware Workspace ONE® Intelligence is also helpful.

Understanding the Security Risks in Your Environment

Introduction

In this exercise, you explore the Vulnerabilities dashboard. This dashboard provides visibility into the impact of vulnerabilities that are reported through CVEs and correlated to the existing patches on each of your managed Windows 10 devices.

Prerequisites

Before you can perform the procedures in this exercise, verify that the following components are installed and configured:

Logging In to the Workspace ONE Intelligence Console

To perform most of the steps in this exercise, you must log in to the Workspace ONE Intelligence Console. You launch the Workspace ONE Intelligence Console from within the Workspace ONE UEM Console.

1. Launch the Workspace ONE Intelligence Console

In the Workspace ONE UEM Console:

  1. Click Monitor.
  2. Click Intelligence.
  3. Click Launch.

2. Confirm the Workspace ONE Intelligence Console is Opened

Confirm that you are now logged into the Workspace ONE Intelligence Console.

3. Return to the Workspace ONE UEM Console (If Required)

If you need to return to the Workspace ONE UEM Console:

  1. Click the menu icon on the right.
  2. Select Workspace ONE UEM.

Identifying Vulnerabilities on Managed Windows 10 Devices

In this activity, you use the Vulnerabilities dashboard to view a list of vulnerabilities, retrieve details on those vulnerabilities, and search for and explore CVE details.

1. Open the Vulnerabilities Dashboard


In the Workspace ONE Intelligence Console:

  1. Click Security Risk.
  2. Click Vulnerabilities.

2. Navigate Through the Identified Vulnerabilities

  1. Click the arrows (< or >) to navigate through the vulnerabilities.
    Each vulnerability card shows the number of devices impacted by the CVE and whether the patch has been installed.
  2. Identify a Critical CVE that impacts a high number of devices. Copy the CVE number to Notepad++ for use in a later activity. For example, CVE-2019-0671.

3. Explore CVE Details

On the identified CVE, you can obtain detailed information about the vulnerability from NIST (National Institute of Standards and Technology) and Microsoft.

  1. Click Learn More.
  2. Click NIST Article.
  3. Click Microsoft Advisory.

4. Review Vulnerable Devices Based on CVSS Score

The Vulnerable Devices by CVSS Score chart helps to prioritize patches based on the highest number of devices impacted. On the chart, you can see that most of the vulnerable devices in this environment are associated with patches that score 9.3. In this scenario, the IT administrator can decide to patch those devices, close to 100 of them, and minimize the security risk in the environment.

5. Retrieve Details About Vulnerabilities

Clicking one of the KBs represented on the high-score bar provides more information: you obtain a list of patches and the correlated impacted devices for the CVSS score you selected.

  1. Click Edit Columns to add or remove columns from the table results.
  2. Click Security Risk: Vulnerabilities to return to the main Dashboard.

6. Search for CVEs

You can scroll down to find the list of vulnerabilities in table format, which allows you to search, sort the results, and, for each CVE, follow links to detailed information on the NIST and Microsoft websites.

  1. Use the search field to locate a specific CVE.
  2. Click the title bar to sort results based on CVSS Score, Published date, and Impacted number of devices, in ascending or descending order.
  3. Click the dot menu and select NIST Article or Microsoft Advisory. These websites provide more information about the related CVE.

Using Automation to Remediate Vulnerabilities Based on CVE

Introduction

Automation in Workspace ONE Intelligence uses numerous parameters that trigger a workflow. You can customize the workflow to act on unique scenarios in your Workspace ONE environment.

In this exercise, you create an automated process that pushes the patches associated with the CVE to the devices and then you monitor this process in the logs.

Prerequisites

Before you can perform the procedures in this exercise, verify that the following components are installed and configured:

Creating Automation

After identifying the devices at risk, create an automated process that pushes the patches associated with the CVE to the devices.

1. Open Automation Settings

  1. Click Automation.
  2. Click Add Automation.

2. Select OS Updates

  1. Click Workspace ONE UEM.
  2. Click OS Updates.

3. Select a Template

  1. Select Approve Windows Update.
  2. Click Next.

4. Configure Automation Parameters

  1. Enter the name of the Automation. For example, CVE-XXXX-XXXX Approval, where XXXX-XXXX refers to the CVE number identified in the previous activity.
  2. Enter Failed and Available for Windows Patch Update Status.
  3. Enter CVE-XXXX-XXXX for the CVE Identifier List, where XXXX-XXXX refers to the number of the CVE identified during the previous activity.

5. Review the Impacted Devices

Based on the defined conditions, Workspace ONE Intelligence provides real-time visibility on the impacted devices.

Click View for a list of impacted devices.

6. Explore the Results

  1. Use the drop-down arrow to change how the results are grouped.
  2. Select different chart types.
  3. Click the arrow to close the Filter Results.

7. Review Revision ID

Define Action

Based on the initial template, Approve Patch is defined as the first action.

The Revision ID uses the lookup value ${win_patch_revision_id}, which dynamically resolves to all patches (KBs) associated with the CVE; for each KB, the automation issues a Workspace ONE UEM API call to approve it.

8. Save the Automation

  1. Switch the toggle to enable the automation.
  2. Click Save.

9. Enable the Automation

Click Save & Enable.

Monitoring Automation Execution in the Logs

After you have enabled an action, you can monitor its execution in the Workspace ONE Intelligence console. In this activity, you walk through the logs and the actions taken by the automation you created previously.

1. Open CVE Approval Automation Activity

  1. Click View.
  2. Click Activity.

2. Review the Automation Logs

Review the Automation Log screen that displays the list of devices targeted by this automation.

  1. A COMPLETED status shows for successful actions.
  2. An ERROR status shows for actions that reported errors during the Intelligence API call. The error details are also listed.
  3. Click the Target Identifier to view the device details.

Tracking CVE Remediation through Dashboards

Introduction

After the automation has been enabled to start patching devices, you can create the following dashboard to track the approval process as the automation remediates. You can track the approval progress for all devices and determine which devices are missing approvals, which devices are approved, and which devices are patched (meaning the KB is installed).

Prerequisites

Before you can perform the procedures in this exercise, verify that the following components are installed and configured:

Creating a Dashboard to Track CVE Remediation

In this activity, you create a dashboard to track the progress of CVE remediation. This process includes creating and configuring a number of widgets to track vulnerable or impacted devices and patched or remediated devices.

1. Create the Dashboard

In the Workspace ONE Intelligence console:

  1. Click Add Dashboard.
  2. Enter CVE-XXXX-XXXX, where XXXX-XXXX is the CVE number you are tracking.
  3. Click Save.

2. Add Widget to Track Devices

Click Add Widget.

3. Select a Widget Template

  1. Under Category, select Workspace ONE UEM.
  2. Select OS Updates.

4. Search CVE Templates

  1. In the search field, enter cve.
  2. Select Devices Vulnerable for High CVE (CVSS >= 7).
  3. Click Next.

5. Configure Widget

  1. Change the title to Vulnerable/Impacted Devices.
  2. Keep the default setting for Windows Patch Update Status / Does not Include / Installed, Removed. This filters only for devices missing the patch.
  3. Change the Common Vulnerability Severity Score filter to CVE Identifier List.
  4. Enter your CVE number, which is in the format CVE-XXXX-XXXX.
  5. Click Save.

6. Adjust Widget Position

  1. Adjust the widget size.
  2. Click Save.

7. Duplicate Widget

  1. Click the menu icon.
  2. Select Duplicate.
  3. Rename the widget to Vulnerable Devices Needing Patch Approval.
  4. Remove the Description.
  5. Click Save.

Adjust the position and size of the new Widget and click Save on the Dashboard.

8. Edit Widget – Vulnerable Devices Needing Patch Approval

This widget represents the count of devices that do not have the KB patch installed and assigned to remediate the CVE-XXXX-XXXX vulnerability.

  1. Click the menu icon.
  2. Select Edit.

9. Configure Widget – Vulnerable Devices Needing Patch Approval

  1. Click the plus icon to add a new filter condition.
  2. Enter Windows Patch Approval Status.
  3. Enter Unapproved.
  4. Click Save.

10. Create Widget for Vulnerable Devices Needing Patch Assignment

This new widget represents the count of devices that do not have the KB patch installed and approved to remediate the CVE-XXXX-XXXX vulnerability.

  1. Duplicate the second widget created and rename to Vulnerable Devices Needing Patch Assignment.
  2. Edit the newly created widget and change the Windows Patch Approval Status to Does Not Include Installed.
  3. Add a filter with the following condition: Windows Patch Assignment Status / Includes / Unassigned.
  4. Click Save.

11. Create Widget for Patched / Remediated Devices

The Patched / Remediated Devices widget shows the count of devices that have the KB patch installed (not necessarily approved or assigned) that remediates the CVE-XXXX-XXXX vulnerability.

  1. Duplicate the Vulnerable/Impacted Devices widget.
  2. Rename it to Patched/Remediated Devices.
  3. Edit the widget and change the values in the Windows Patch Update Status to Include Installed.

12. Review Widgets

The four widgets you just created should all be aligned to the left. The numbers in your environment will differ and are updated as the patch process progresses.
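To make the filter logic behind the four widgets concrete, here is an added Python model (not part of this tutorial and not Workspace ONE code) that applies the same conditions to a constructed set of device/patch records. The record field names are assumptions that mirror the filter attributes named in the steps, and the device and KB identifiers are placeholders.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: one record per (device, KB) pair. Field names are
# assumptions that mirror the widget filter attributes used in the tutorial.
@dataclass(frozen=True)
class PatchRecord:
    device: str
    kb: str
    cves: frozenset           # CVE Identifier List
    update_status: str        # Windows Patch Update Status
    approval_status: str      # Windows Patch Approval Status
    assignment_status: str    # Windows Patch Assignment Status

SAMPLE = [  # placeholder device and KB names, not a real inventory
    PatchRecord("DEV-001", "KB-EXAMPLE", frozenset({"CVE-2019-0671"}), "Installed", "Approved", "Assigned"),
    PatchRecord("DEV-002", "KB-EXAMPLE", frozenset({"CVE-2019-0671"}), "Available", "Approved", "Assigned"),
    PatchRecord("DEV-003", "KB-EXAMPLE", frozenset({"CVE-2019-0671"}), "Failed", "Unapproved", "Unassigned"),
    PatchRecord("DEV-004", "KB-EXAMPLE", frozenset({"CVE-2019-0671"}), "Available", "Approved", "Unassigned"),
    PatchRecord("DEV-005", "KB-EXAMPLE", frozenset({"CVE-2019-0671"}), "Removed", "Approved", "Assigned"),
    PatchRecord("DEV-006", "KB-OTHER", frozenset({"CVE-XXXX-XXXX"}), "Available", "Unapproved", "Unassigned"),
]

def missing_patch(rec: PatchRecord) -> bool:
    """Default filter kept in step 5: Update Status does not include Installed, Removed."""
    return rec.update_status not in {"Installed", "Removed"}

def widget_counts(records, cve: str) -> dict:
    """Distinct-device counts for the four widgets, scoped to one CVE.
    Note that a 'Removed' record (DEV-005) appears in neither the impacted
    nor the patched widget; only the step 16 breakdown table surfaces it."""
    scoped = [r for r in records if cve in r.cves]

    def devices(pred):
        return len({r.device for r in scoped if pred(r)})

    return {
        "Vulnerable/Impacted Devices": devices(missing_patch),
        "Vulnerable Devices Needing Patch Approval": devices(
            lambda r: missing_patch(r) and r.approval_status == "Unapproved"),
        "Vulnerable Devices Needing Patch Assignment": devices(
            lambda r: missing_patch(r) and r.assignment_status == "Unassigned"),
        "Patched/Remediated Devices": devices(lambda r: r.update_status == "Installed"),
    }

def status_breakdown(records, cve: str) -> Counter:
    """Step 16 table: records grouped by KB and Windows Patch Update Status."""
    return Counter((r.kb, r.update_status) for r in records if cve in r.cves)

if __name__ == "__main__":
    for name, count in widget_counts(SAMPLE, "CVE-2019-0671").items():
        print(f"{name}: {count}")
    for (kb, status), n in sorted(status_breakdown(SAMPLE, "CVE-2019-0671").items()):
        print(f"{kb} / {status}: {n}")
```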

13. Add Security Update Status Widget

The Security Update Status widget is a breakdown, by OS update status, of all the devices with a CVE-XXXX-XXXX record associated with the corresponding patch record. It shows which devices are patched, which are not, and why.

  1. Click Add Widget.
  2. Make sure you have OS Updates selected.
  3. Select Security Update Status.
  4. Click Next.

14. Configure Widget – Security Update Status Widget

  1. Rename the Widget to Device Update Status for CVE-XXXX-XXXX.
  2. Replace the Windows Patch Update Classification filter with CVE Identifier List / Contains All Of / CVE-XXXX-XXXX. Replace CVE-XXXX-XXXX with your CVE number.
  3. Click Save.

15. Organize the Dashboard

Rearrange the dashboard as shown in the image.

  1. Duplicate the Device Update Status for CVE-XXXX-XXXX and name the new widget Number of Devices by Update Status and Approval Status.
  2. Click Edit for the new Number of Devices by Update Status and Approval Status widget.

16. Configure Widget – Number of Devices by Update Status and Approval Status

Keep the default filter settings.

  1. Select Table for the chart type.
  2. Add the following in Group by:
    • CVE Identifier List
    • Windows Patch KB Number
    • Windows Patch KB Title
    • Windows Patch Update Status
  3. Click Save.

17. Review the Final Dashboard

Your final dashboard will look like the example shown. Over time, as the patch remediation initiated by Workspace ONE Intelligence Automation progresses, the dashboard is updated.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to automate patch remediation based on CVEs for Windows devices using Workspace ONE Intelligence.

Procedures included:

  • Identifying vulnerable devices across the entire environment based on CVE information
  • Creating automated remediation based on CVE vulnerabilities
  • Using automation logs to monitor the execution of automation
  • Creating a dashboard to track CVE remediation

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP): A mechanism used in a single sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Author

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.