Behavioral Analytics-Driven Security Automation with Workspace ONE Intelligence
Criselda Abarquez, Senior Systems Engineer, End-User Computing, Southeast Asia & Korea, VMware
Confidential │ ©2019 VMware, Inc.
Disclaimer
This presentation may contain product features or functionality that are currently under development.
This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined.
This information is confidential.
The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any items presented herein.
Agenda
Workspace ONE Intelligence Overview
Use Cases
Conditional Access based on User Behavior
Workspace ONE
What is Workspace ONE
The Digital Workspace
VMware says: The Digital Workspace simply and securely delivers and manages any app on any device.
Core Components of the Digital Workspace
The digital workspace is powered by three core components:
• Workspace ONE UEM
• Workspace ONE Access (formerly known as VMware Identity Manager)
• VMware Horizon
Digital Workspace with Workspace ONE
[Diagram labels: Employees; Identity; Apps; Endpoints; SDDC; API Framework; DLP; Encryption; Analytics]
• Unified Endpoint Management (Powered by AirWatch)
• Desktop and App Virtualization (Powered by Horizon)
• Identity Access Management (Powered by Workspace ONE Access)
• Single Sign-On & Multi-Factor Authentication
• Secure Productivity Apps
• Self Service Unified Catalog
• Cloud Apps
• Conditional / Contextual Access
Workspace ONE Intelligence
Where Does Workspace ONE Intelligence Fit In
IT Silos Negatively Impact Employee Experience
87%: Employees worldwide disengaged at work
Complexity of supporting new device types, apps and services
Source: Global Productivity Hinges on Human Capital Development study by Gallup, 2018
[Diagram labels: Edge Devices; Apps, Desktops and Services; Cloud Apps and Services; Virtual Apps and Desktops; Cloud Services; Android Enterprise; Chrome Enterprise; Microsoft 365]
IT Silos Negatively Impact IT and InfoSec as Well
• 87%: Employees Worldwide Disengaged at Work (complexity of supporting new device types, apps and services)
• 80%: Time Spent in Day-to-day Operations (manage discrete IT platforms and apps)
• 10,000: Security Events Per Day (manage discrete IT platforms and apps)
What Are Customers Doing Today? Typical Flow
• Export: Manually export data from different sources
• Load: Manually load into database
• Correlate: Manually correlate data to get insights with Alteryx / Splunk
• Visualize: Create own visualization with Tableau
• Act: Manually call APIs to take action
Time Consuming. Costly. Always Days Behind. Reactive.
Workspace ONE Intelligence
Insights and automation for the modern digital workspace
Integrated Insights: Get complete visibility into your digital workspace and enable data-driven decisions across your entire environment.
App Analytics: Optimize app development and deployments across the organization to quickly resolve issues, reduce escalations and increase user experience.
Powerful Automation: Automate processes to increase security hygiene across your environment, meet compliance requirements and increase employee productivity.
[Diagram: Workspace ONE Intelligence: Aggregate, Correlate, Insights, Automate]
Ingestion:
• Identity Analytics using Workspace ONE Access
• App Analytics using Workspace ONE Intelligence SDK
• Endpoint Analytics using Workspace ONE UEM
• Common Vulnerabilities and Exposures (CVE) using cve.mitre.org
• Threat Analytics using Trust Network
Decisions:
• Reports
• Dashboards
• Notifications
• Actions
[Diagram: Workspace ONE Intelligence: Aggregate, Correlate, Insights, Automate]
Ingest data:
• Trust Network partners: MTD, CASB, EPP/EDR, NGFW
• Apps, Identity, Endpoints, Virtual
Data-driven decisions:
• Reports
• Dashboards
• Notifications
• Actions
Current partners
Workspace ONE Trust Network
Use Cases – Device and User Posture
Workspace ONE Intelligence in Action
#1 Track and Report Adoption of BYOD Program
Adoption & Desired Use Case Context: The company decided to implement a BYOD program to replace corporate devices. How can IT track adoption, measure the success of the program, identify potential issues and make the required corrections?
Why Intelligence: Quickly assess and report over time on device enrollment/unenrollment, most used devices and top apps installed, and take action on compromised devices.
Benefits: Make informed decisions and give quantitative insights to IT admins.
#2 Detect and Remediate Security Vulnerabilities
Security and Compliance Context: A global company wants to streamline communication between its IT and InfoSec teams (400 members) regarding Windows 10 vulnerabilities (KBs) reported by Microsoft.
Why Intelligence: Quickly assess and prioritize patch distribution based on CVSS, and report vulnerable devices to members of IT and InfoSec daily.
Benefits: Make everybody aware daily of the CVEs released and their impact on all of the organization's devices, and improve collaboration across teams.
#3 Monitor Battery Health and Automate Replacement
Battery Health Context: Faulty devices create disruption, negatively impact employee experience and are a headache to identify and fix efficiently.
Why Intelligence: Identify and monitor Windows 10 Dell devices with poor battery health. Create automation to tag devices, order a new battery and notify employees.
Benefits: Reduce user-generated support tickets, improve employee experience and productivity, and increase the lifespan of devices.
Conditional Access based on User Behavior
Integrating Identity and Device Compliance for Conditional Access
Conditional Access up to Today
[Diagram labels: Workspace ONE Authentication Module (Device Posture, User Auth); App Service; Remote Apps | Web Apps | Native Apps]
Device Compliance: Managed, Jail Broken, OS, 3rd Party, Location, Blacklist, Apps
Identity Context: Authentication Provider, Network Scope, Authentication Strength, Session Time, Per Application
Today’s Static/Boolean approach
How Do You Validate Trust of End User’s Devices?
Integrating Identity, Device Compliance and Risk Score for Conditional Access
Introducing Risk Score for Conditional Access
[Diagram labels: Workspace ONE Authentication Module (Device Posture, User Auth, Risk Score); App Service; Remote Apps | Web Apps | Native Apps]
Device Compliance: Managed, Jail Broken, OS, 3rd Party, Location, Blacklist, Apps
Identity Context: Authentication Provider, Network Scope, Authentication Strength, Session Time, Per Application
User Behavior: Risk Scoring (Device Risk, User Risk)
Contextualized Risk Analytics Approach
How Do You Validate Trust of End User’s Devices?
• OS Update: What if a user keeps delaying updates?
• Security Settings: What if a user disables security settings?
• App Download / Sideloading: What if a user downloads a lot of unknown or questionable apps?
Multiple sources, analyzed continuously, generating actionable insights
Continuous Analytics Workflow
1. Ingest device activity data
2. Identify device-related risky user behaviors
3. Compute a personalized Risk Score for every device and user in an organization
4. Automate responses to mitigate risks associated with end-users
How It Works
• Enabling Risk Score Adapter in Workspace ONE Access
• Defining Conditional Access Rule based on Risk Score
Conditional Access based on Risk Score
Demo
Behavior Identification Example
Normal User with no Anomalous Behaviors
[Chart: Baseline vs. Current for Authentication Frequency, Authentication Failures, Authentication Successes, Locations, Num of Devices, Num of Apps, Sensitivity of Apps]
Similar to Baseline
All appears normal
OK to proceed
User Risk Score – 2.7 / Low
Behavior Identification Example
Unusual behavior
[Chart: Baseline vs. Current for Authentication Frequency, Authentication Failures, Authentication Successes, Locations, Num of Devices, Num of Apps, Sensitivity of Apps]
Multiple Outliers
Proceed with caution
Consider step-up authentication
User Risk Score – 5.2 / Medium
Behavior Identification Example
Alarming, High Risk Behavior
[Chart: Baseline vs. Current for Authentication Frequency, Authentication Failures, Authentication Successes, Locations, Num of Devices, Num of Apps, Sensitivity of Apps]
Multiple Significant Outliers
Block Access
Refer for further investigation
User Risk Score – 8.7 / High
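The three Behavior Identification slides compare a user's current activity with a baseline and map the resulting score to proceed, step-up authentication or block. The example below is added here for illustration and is not VMware's scoring model or code from the presentation: it scores deviation from a per-user baseline across the seven charted features. The sample data, the sigma floor and cap, and the 4.0 / 7.0 band thresholds are all assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data: five days of one user's activity for the seven
# features charted on the slides. All values are illustrative.
BASELINE = {
    "auth_frequency":  [4, 5, 6, 5, 5],
    "auth_failures":   [0, 1, 0, 1, 0],
    "auth_successes":  [4, 4, 6, 4, 5],
    "locations":       [1, 1, 2, 1, 1],
    "num_devices":     [2, 2, 2, 2, 2],
    "num_apps":        [6, 6, 7, 6, 6],
    "app_sensitivity": [3, 3, 3, 4, 3],
}
FEATURES = list(BASELINE)

def day(*values):
    """Build one day's observation from values given in FEATURES order."""
    return dict(zip(FEATURES, values))

NORMAL   = day(5, 0, 5, 1, 2, 6, 3)      # constructed: close to baseline
UNUSUAL  = day(9, 4, 5, 3, 3, 9, 5)      # constructed: several outliers
ALARMING = day(18, 12, 6, 5, 4, 14, 8)   # constructed: large outliers

CAP = 4.0  # assumption: a deviation beyond 4 sigma adds no further risk
# Assumed band thresholds; the actions are the ones named on the slides.
BANDS = [(4.0, "low", "allow"), (7.0, "medium", "step_up_auth"),
         (float("inf"), "high", "block")]

def deviation(history, current):
    """Distance from the baseline mean in standard deviations, capped."""
    sigma = max(pstdev(history), 1.0)  # floor: a flat history must not explode
    return min(abs(current - mean(history)) / sigma, CAP)

def risk_score(current):
    """Average capped deviation over all features, scaled to 0-10."""
    parts = [deviation(BASELINE[f], current[f]) / CAP for f in FEATURES]
    return round(10 * mean(parts), 1)

def decide(current):
    """Return (score, band, action) for one observation."""
    score = risk_score(current)
    for upper, band, action in BANDS:
        if score < upper:
            return score, band, action

if __name__ == "__main__":
    for name, obs in [("normal", NORMAL), ("unusual", UNUSUAL),
                      ("alarming", ALARMING)]:
        print(name, decide(obs))
```

The sigma floor keeps a perfectly flat history (such as a constant device count) from turning a one-unit change into an extreme outlier, and the cap stops a single feature from dominating the score.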
Examples of automated responses
Leverage Risk Score to Drive Better Decisions
• John Doe, risk score 8.3 (scale 1 to 10): “Systematically ignores or keeps delaying software update”
• John Doe, risk score 7.5 (scale 1 to 10): “Tends to accumulate apps and does not consider their reputation”
  Message (@johndoe, Monday, April 8th): I noticed you recently installed the application BatterySaverMobi on device John’s Pixel, this application is uncommon, always make sure to stay safe online and comply with our Acceptable Usage Policy. If you have any question please ask
• John Doe, risk score 9.2 (scale 1 to 10): “Disabled firewall and antivirus”
  Identity Manager: Ask for MFA
Assist | Notify | Verify
Combining Intrinsic, Zero Trust Security with Industry-leading Modern Management
Delivering a More Intelligent Secure Digital Workspace
Expand Breadth of Security
Data-Driven Decisions
Implicit & Intrinsic
Insights and Automation Lead to Proactive Security at Scale
Security and Privacy Must Be Treated As First-Class Citizens
An Integrated Ecosystem is Essential to Eliminate Complexity
Unleash Your IT Superpowers
Go from zero to hero with the latest technical resources on the VMware Digital Workspace Tech Zone
TECHZONE.VMWARE.COM
Thank You!