EUCEUC: Advanced Integrations_PSO Session_2020 Day 4Identify Security Risk using Intelligence

Identify Security Risk using Intelligence

The Security Risk dashboards in Workspace ONE Intelligence gather reports on numerous device states and quickly identify high-risk devices. In this activity,

  1. You will identity the devices that are violating passcode and encryptions policies through the Policy Risks dashboard. Create an automation in Intelligence to mitigate this risk.
  2. Experience Intelligence's security capabilities for Windows 10 platform using a Simulation.

Lets get started.

Part 1: Access the Security Risk Dashboards

  1. Navigate to Workspace ONE UEM console, cn-livefire.awmdm.com from you ControlCenter2 Machine. You might already have this console open from the previous lab. 
  2. On the console,
    1. Navigate to Monitor Tab on the left navigation bar.
    2. Click on Intelligence.
    3. Click LAUNCH to open the Intelligence Console.
  1. On the Workspace ONE intelligence console,
    1. From the top options menu, click on Dashboards > Security Risk.

In the Security Risk dashboard, you will observe the below modules:

Security Risk Modules
Groups Modules
Threats

The Threats tab displays events identified by your Workspace ONE UEM compliance engine as compromised.

It also displays and aggregates events reported by your Trust Network services in the Threats Summary module.

Policy Risk

The Policy Risks tab displays events identified by your Workspace ONE UEMcompliance engine that do not comply with configured policies. Events include devices with no passcode and devices that are not encrypted.

Vulnerabilities

The Vulnerabilities tab combines and displays information from third-party security reporting services that report security data and Workspace ONE UEMthat manages your Windows 10 devices.

It displays vulnerabilities reported by the National Institute of Standards and Technology (NIST).

It also ties those applicable CVEs to impacted Windows Desktop devices managed by Workspace ONE UEM.

Navigate through the CVE explanation cards to find out what devices are impacted, the event's CVSS score, NIST articles, and Microsoft advisories.

Devices

The Devices tab displays risk scores for devices managed in your Workspace ONE UEM environment.

Select the tab to see device risk scores (reported as a level High, Medium, and Low), risk indicators, and to select single devices for analysis.

For details about risk scoring, access User Risk Dashboard.

Notice, Risks represented in the Security Risk dashboard are grouped as Threats, Policy Risks, Vulnerabilities, and Devices. Next we will identify devices with policy risk and potential vulnerabilities.

Part 2: Identify Devices without Passcodes

  1. From the Security Risk Dashboard,
    1. Click on Policy Risk.
    2. View the graph to identify the number of passcode-less devices detected in the past 30 days. After you understand the scope of the issue, you will build an automation to mitigate this security risk.

NOTE: If you do not see any values listed for the Policy Risks, this is because the device compliance has not been checked yet. Device compliance is queried approximately every 5 minutes, so you may need to click the Refresh button after a few minutes to see the Policy Risks for the newly enrolled Windows 10 device.

  1. Create an Automation,
    1. From the top Options Menu, click on Automations.
    2. Click on ADD AUTOMATION.
    3. Click on Category > Workspace ONE UEM > Devices.

4. From the list of available templates, select Passcode Not Compliant Remediation.

5. Notice the Filter is pre-selected for default template to Enrolled Devices and Passcode status Non Complaint. We will be changing the second filter to identify devices that do not have a passcode present.  (Intelligence gives you the option to add more filters to further target specific subset of devices if required)

6. Click on Passcode Compliant field under Filters. From the dropdown, select Device > Passcode Present.

7. In the Action Section, notice Install Profile is a default UEM action created. This action will help you to push a passcode profile to all devices that do not have a passcode present. For this test, we will delete this action and rather use a Send Email action. Click on the Delete icon.

8. Once deleted, In the Action (Then) field, click on the + icon.

  1. Under Available Connectors, Click on Workspace ONE UEM available connectors.

Notice you have multiple connectors to choose from. You can either integrate with out of box third party connectors like Slack & ServiceNow or you can add a custom connector. Custom connectors allows you to integrate with any third party portal and create custom actions. For example, Intelligence Automation actions available in UI do not support moving a device to a different Organization group in Workspace ONE UEM. But you can leverage the available APIs to create a custom connector & achieve this use case. In this example, we will select the out of box Workspace ONE UEM connector.

  1. Scroll down to find Send Email Option. Click on SEND EMAIL from the list of different possible actions.

Notice there are multiple options and so you can select multiple actions to be taken on the devices that do not have a passcode and are in violation of your Organization's security policies. You can choose to install a profile or revoke a profile until device has met your requirements. In our lab, we will only be using one such possible action.

  1. Enter the desired dummy values.

In the example above, we used lookup values to customize our Message to the user under which our device is enrolled.

  1. Scroll down to toggle Enable Automation switch to GREEN and hit SAVE. Click SAVE & ENABLE.
  1. Your Automation is saved and can be viewed under the Automation Dashboard. Click on VIEW.
  1. Click on Activity to access the log data of automation actions taken.

Notice the action SEND EMAIL have been successfully Completed.

This view allows you to  Edit your Automation policy and also check for Activity. Activity tab is useful for admins to monitor the devices and timestamp of the actions successfully taken to mitigate the risk.  

Part 4: Identify Unencrypted Devices

  1. On the Intelligence Console,
    1. Navigate back to the Intelligence Security Dashboard from Dashboards > Security Risk.
    2. Click on Policy Risk tab. Scroll down to view the unencrypted device graph. This graph showcases unencrypted devices in your organization. This allows administrators to have a quick view of total number of unencrypted devices in their organization.
    3. (Optional) You can create an automation by following the same steps as above to experience the automation capabilities in Intelligence. However if you choose to skip, no further action is required.

Note: Typically you would create an automation to enforce device encryption profile on the device to ensure required corporate devices are encrypted.

Part 5: Simulation

This part of the lab is presented as an Interactive Simulation. This will allow you to experience the capabilities that are not feasible to demonstrate in our lab environment due to lack of data and wait time for the CVE data to be updated in Intelligence Console. In this simulation, you can use the software interface as if you are interacting with a live environment.

In order to access the simulation,

On your ControlCenter2 Machine Desktop, find the Simulation - Security Risk.html file. Double click to start the simulation in the browser panel.

NOTE: Use your keyboard left arrow key ⬅️ to go back in the simulation. The screensteps for this simulation are on the right panel of the simulation screen.

Once completed, simply close the browser and proceed to the next section of the labs.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.