One of the top priorities for many of our customers is implementing a Zero Trust security strategy.

VMware Workspace ONE Intelligence delivers integrated visibility, analytics, and automation for the Workspace ONE platform, and it can help customers operationalize Zero Trust in a variety of ways, such as:

  • Monitoring and visibility
  • Integrating security data from other products through the Workspace ONE Trust Network
  • Operationalizing threat data through automations
  • Watching specific triggers and computing a risk score

Let's look a bit closer at each of these.

Monitoring and visibility

Workspace ONE Intelligence enables customers to monitor their environments for anomalous security and performance-related metrics and build automations to proactively correct issues as they arise. As shown below, you can view risk trends over time and drill down into individual systems to determine what is causing their risk.

Trust Network

In addition to collecting data from across the Workspace ONE Platform - including Workspace ONE UEM and Workspace ONE Access - the data within Workspace ONE Intelligence can be augmented through integration with various partners in our Trust Network.

VMware Carbon Black also uses the Trust Network to integrate with Workspace ONE. The screenshots below demonstrate two widgets measuring Carbon Black Threat Count and Threat Type in Workspace ONE Intelligence.

Operationalizing threat data with automation

You can operationalize this data: when high-severity malware tagged as ransomware is detected by Carbon Black, an automation is configured to quarantine the system (using Carbon Black), send a Slack message alerting the SOC of the issue, create a ServiceNow ticket, and use Workspace ONE UEM to tag and quarantine the offending device. See this example in the image below.

Risk Analytics

To further enrich the proactive nature of anomaly detection within the ecosystem, dynamically calculated device and user risk scores have been overlaid on the Workspace ONE dataset. In the table below, you can see the metrics currently implemented within the platform to determine device and user risk.

The metrics outlined above are collected daily and normalized, and the outliers are assigned a heightened Risk Score. This Risk Score represents a completely dynamic, statistical approach to determining drift that is specifically tailored to your environment. The power of these Risk Scores can be seen when it comes to reporting and automation.

Learn More

To learn more about how risk scoring works, see the Risk Score documentation. Stay tuned to the EUC Blog and Tech Zone for more on newly released features, exciting security use cases, as well as what we have planned next for operationalizing security through Workspace ONE Intelligence.

Disclaimer

VMware Inc. published this content on 25 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 26 January 2022 02:25:03 UTC.