Behavioral Analytics-Driven Security Automation with Workspace ONE Intelligence

Criselda Abarquez
Senior Systems Engineer, End-User Computing, Southeast Asia & Korea, VMware

©2019 VMware, Inc. Confidential

Disclaimer

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.

This information is confidential.


The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.

Agenda

Workspace ONE Intelligence Overview

Use Cases

Conditional Access based on User Behavior

Workspace ONE

What is Workspace ONE

The Digital Workspace

VMware says –

The Digital Workspace simply and securely delivers and manages any app on any device.

Core Components of the Digital Workspace

The digital workspace is powered by three core components:

• Workspace ONE UEM

• Workspace ONE Access

– (formerly known as VMware Identity Manager)

• VMware Horizon

Digital Workspace with Workspace ONE

[Diagram labels]

• Unified Endpoint Management (Powered by AirWatch)

• Desktop and App Virtualization (Powered by Horizon)

• Identity Access Management (Powered by Workspace ONE Access)

• API Framework

• DLP, Encryption, Analytics

• Employees, Identity, Apps, Endpoints, SDDC

• Single Sign-On & Multi-Factor Authentication

• Secure Productivity Apps

• Self Service Unified Catalog Cloud Apps

• Conditional / Contextual Access

Workspace ONE Intelligence

Where Does Workspace ONE Intelligence Fit In

IT Silos Negatively Impact Employee Experience

87%: Employees worldwide disengaged at work

Complexity of supporting new device types, apps and services

Source: Global Productivity Hinges on Human Capital Development study by Gallup, 2018

[Diagram labels: Edge Devices; App; Desktop; Service; Cloud Apps and Services; Virtual Apps and Desktops; Cloud Services; Android Enterprise; Chrome Enterprise; Microsoft 365]

IT Silos Negatively Impact IT and InfoSec as Well

• 87%: Employees Worldwide Disengaged at Work (complexity of supporting new device types, apps and services)

• 80%: Time Spent in Day-to-day Operations (manage discrete IT platforms and apps)

• 10,000: Security Events Per Day (manage discrete IT platforms and apps)

What Are Customers Doing Today?

Typical Flow

1. Export: Manually export data from different sources

2. Load: Manually load into database

3. Correlate: Manually correlate data to get insights with Alteryx / Splunk

4. Visualize: Create own visualization with Tableau

5. Act: Manually calling APIs to take action

Time Consuming. Costly. Always Days Behind. Reactive.

Workspace ONE Intelligence

Insights and automation for the modern digital workspace

• Integrated Insights: Get complete visibility into your digital workspace and enable data-driven decisions across your entire environment.

• App Analytics: Optimize app development and deployments across the organization to quickly resolve issues, reduce escalations and increase user experience.

• Powerful Automation: Automate processes to increase security hygiene across your environment, meet compliance requirements and increase employee productivity.

[Diagram: Workspace ONE Intelligence (Aggregate, Correlate, Insights, Automate)]

INGESTION

• Identity Analytics using Workspace ONE Access

• App Analytics using Workspace ONE Intelligence SDK

• Endpoint Analytics using Workspace ONE UEM

• Common Vulnerabilities and Exposures (CVE) using cve.mitre.org

• Threat Analytics using Trust Network

DECISIONS

• Reports

• Dashboards

• Notifications

• Actions

[Diagram: Workspace ONE Intelligence (Aggregate, Correlate, Insights, Automate)]

TRUST NETWORK PARTNERS

• MTD

• CASB

• EPP/EDR

• NGFW

INGEST DATA

• APPS

• IDENTITY

• ENDPOINTS

• VIRTUAL

DATA-DRIVEN DECISIONS

• REPORTS

• DASHBOARDS

• NOTIFICATIONS

• ACTIONS

Current partners

Workspace ONE Trust Network

Use Cases – Device and User Posture

Workspace ONE Intelligence in Action

#1 Track and Report Adoption of BYOD Program

Adoption & Desired Use Case

Context: A company decided to implement a BYOD program to replace corporate devices. How can IT track adoption, measure the success of the program, identify potential issues and make the required corrections?

Why Intelligence: Quickly assess and report over time on device enrollment/unenrollment, most used devices and top apps installed, and take action on compromised devices.

Benefits: Make informed decisions and give quantitative insights to IT admins.

#2 Detect and Remediate Security Vulnerabilities

Security and Compliance

Context: A global company wants to streamline communication between its IT and InfoSec teams (400 members) regarding Windows 10 vulnerabilities (KBs) reported by Microsoft.

Why Intelligence: Quickly assess and prioritize patch distribution based on CVSS, and report vulnerable devices to members of IT and InfoSec daily.

Benefits: Make everybody aware daily of the CVEs released and their impact on all of the organization's devices, and improve collaboration across teams.

#3 Monitor Battery Health and Automate Replacement

Battery Health

Context: Faulty devices create disruption, negatively impact employee experience and are a headache to identify and fix efficiently.

Why Intelligence: Identify and monitor Windows 10 Dell devices with poor battery health. Create automation to tag devices, order a new battery and notify employees.

Benefits: Reduce user-generated support tickets, increase employee experience and productivity. Increase lifespan of devices.

Conditional Access based on User Behavior

Integrating Identity and Device Compliance for Conditional Access

Conditional Access up to Today

[Diagram labels]

• Authentication Module: Device Posture, User Auth

• Device Compliance: Managed, Jail Broken, OS, 3rd Party, Location, Blacklist, Apps

• Identity Context: Authentication Provider, Network Scope, Authentication Strength, Session Time, Per Application

• Workspace ONE

• App Service: Remote Apps | Web Apps | Native Apps

Today’s Static/Boolean approach

How Do You Validate Trust of End User’s Devices?

Integrating Identity, Device Compliance and Risk Score for Conditional Access

Introducing Risk Score for Conditional Access

[Diagram labels]

• Authentication Module: Device Posture, User Auth, Risk Score

• Device Compliance: Managed, Jail Broken, OS, 3rd Party, Location, Blacklist, Apps

• Identity Context: Authentication Provider, Network Scope, Authentication Strength, Session Time, Per Application

• User Behavior: Risk Scoring (Device Risk, User Risk)

• Workspace ONE

• App Service: Remote Apps | Web Apps | Native Apps

Contextualized Risk Analytics Approach

How Do You Validate Trust of End User’s Devices?


What if a user keeps delaying updates?

OS Update


What if a user disables security settings?

Security Settings


What if a user downloads a lot of unknown or questionable apps?

App Download

SIDELOADING

Multiple sources, analyzed continuously, generating actionable insights

Continuous Analytics Workflow

1. Ingest device activity data

2. Identify device-related risky user behaviors

3. Compute a personalized Risk Score for every device and user in an organization

4. Automate responses to mitigate risks associated with end-users

How It Works

Enabling Risk Score Adapter in Workspace ONE Access

Defining Conditional Access Rule Based on Risk Score

Conditional Access based on Risk Score

Demo

Behavior Identification Example

Normal User with no Anomalous Behaviors

[Chart: Baseline vs. Current for Authentication Frequency, Authentication Failures, Authentication Successes, Locations, Num of Devices, Num of Apps, Sensitivity of Apps]

• Similar to Baseline

• All appears normal

• OK to proceed

User Risk Score – 2.7 / Low

Behavior Identification Example

Unusual behavior

[Chart: Baseline vs. Current for Authentication Frequency, Authentication Failures, Authentication Successes, Locations, Num of Devices, Num of Apps, Sensitivity of Apps]

• Multiple Outliers

• Proceed with caution

• Consider step-up authentication

User Risk Score – 5.2 / Medium

Behavior Identification Example

Alarming, High Risk Behavior

[Chart: Baseline vs. Current for Authentication Frequency, Authentication Failures, Authentication Successes, Locations, Num of Devices, Num of Apps, Sensitivity of Apps]

• Multiple Significant Outliers

• Block Access

• Refer for further investigation

User Risk Score – 8.7 / High
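
The baseline-versus-current comparison charted in the three behavior examples above can be sketched as follows. This is an added example, not VMware's scoring algorithm or code from the presentation: the excess formula, the cap, the outlier threshold, the band cut-offs and all sample values are assumptions constructed for illustration.

```python
# Added example: hypothetical baseline-vs-current risk scoring (not VMware's algorithm).
FEATURES = ("auth_frequency", "auth_failures", "auth_successes", "locations",
            "num_devices", "num_apps", "app_sensitivity")  # chart axes from the slides
CAP = 2.0         # assumed: growth beyond 3x baseline adds no further risk
OUTLIER_AT = 0.5  # assumed: 50% above baseline marks a feature as an outlier
# Assumed band cut-offs; the slides only place 2.7 in Low, 5.2 in Medium, 8.7 in High.
BANDS = ((4.0, "Low", "proceed"),
         (7.0, "Medium", "step-up authentication"),
         (float("inf"), "High", "block access and refer for investigation"))


def excess(base, cur):
    """Relative growth over baseline, clamped to [0, CAP]."""
    if base <= 0:  # no history for this feature: any activity is maximally unusual
        return CAP if cur > 0 else 0.0
    return min(max(cur / base - 1.0, 0.0), CAP)


def assess(baseline, current):
    """Return (score 0-10, band, response, outlier feature names)."""
    per_feature = {f: excess(baseline[f], current[f]) for f in FEATURES}
    score = round(10.0 * sum(per_feature.values()) / (CAP * len(FEATURES)), 1)
    flagged = [f for f in FEATURES if per_feature[f] >= OUTLIER_AT]
    for limit, band, response in BANDS:
        if score < limit:
            return score, band, response, flagged


# Constructed sample data: one user's baseline and three observation windows.
BASELINE = dict(zip(FEATURES, (4, 1, 4, 1, 2, 5, 2)))
NORMAL = dict(zip(FEATURES, (4, 1, 4, 1, 2, 6, 2)))
UNUSUAL = dict(zip(FEATURES, (8, 3, 5, 3, 3, 5, 4)))
ALARMING = dict(zip(FEATURES, (16, 12, 4, 5, 6, 15, 6)))

if __name__ == "__main__":
    for label, window in (("normal", NORMAL), ("unusual", UNUSUAL),
                          ("alarming", ALARMING)):
        score, band, response, flagged = assess(BASELINE, window)
        print(f"{label:9} score={score:<4} {band:6} -> {response}; outliers: {flagged}")
```
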

Examples of automated responses

Leverage Risk Score to Drive Better Decisions

• John Doe, risk score 8.3 (scale 1 to 10): “Systematically ignores or keeps delaying software update”

• John Doe, risk score 7.5 (scale 1 to 10): “Tends to accumulate apps and does not consider their reputation”

Notification (Monday, April 8th): “I noticed you recently installed the application BatterySaverMobi on device John’s Pixel, this application is uncommon, always make sure to stay safe online and comply with our Acceptable Usage Policy. If you have any question please ask @johndoe”

• John Doe, risk score 9.2 (scale 1 to 10): “Disabled firewall and antivirus”

Identity Manager: Ask for MFA

Assist | Notify | Verify

Combining Intrinsic, Zero Trust Security with Industry-leading Modern Management

Delivering a More Intelligent Secure Digital Workspace

• Expand Breadth of Security

• Data-Driven Decisions

• Implicit & Intrinsic

• Insights and Automation Lead to Proactive Security at Scale

• Security and Privacy Must Be Treated As First-Class Citizens

• An Integrated Ecosystem is Essential to Eliminate Complexity

Unleash Your IT Superpowers

Go from zero to hero with the latest technical resources on the VMware Digital Workspace Tech Zone

TECHZONE.VMWARE.COM

Thank You!