VMware Carbon Black Workload Protection provides vulnerability assessment and inventory management for workloads hosted on vSphere. The Carbon Black Workload vulnerability solution provides shared information on vulnerabilities that is available in Carbon Black Cloud as well as in the native VMware vCenter administration client.
Carbon Black Workload is offered in different packages to suit your organization’s needs.
Prevention and threat hunting capabilities can be extended beyond vSphere workloads to your endpoints (desktops, laptops, servers, VMs, etc.).
To learn more about all VMware Carbon Black Cloud products please visit VMware Carbon Black TechZone here.
- Section 1: Accessing the TestDrive Experience
- Section 2: Introduction to Cloud Workload Protection
- Section 3: Walkthrough of vSphere with the Carbon Black Cloud Workload Plug-in
- Section 4: Identifying Risks with vCenter Carbon Black Cloud Workload Plug-in
- Section 5: Carbon Black Cloud and Audit/Remediation
- Section 6: Additional Resources
In order to complete this product walkthrough please make sure you have the following:
- A valid account in the VMware TestDrive environment, sign up here if you do not have one.
- TCP and UDP ports 80, 443 and 8443 open; and, if using PCoIP, TCP and UDP 4172 as well
- A Horizon Client installed on your machine.
To log in to the vSphere environment, perform the following steps.
Enter your TestDrive Username and Password and select ENTER.
Next, locate the VMware Carbon Black Workload product under the Intrinsic Security tab and click LAUNCH.
LAUNCH VIA WORKSPACE ONE.
A new tab will open with Workspace ONE. Enter your TestDrive username and password, then hit Sign In.
Next, search for the Carbon Black Cloud desktop. Click to open into the desktop either via HTML access or Horizon Client access.
Now you'll be on the Carbon Black Cloud desktop. At this point, you can begin the walkthrough steps listed below.
Carbon Black Workload provides vulnerability assessment and inventory management for workloads hosted on VMware vSphere. The Carbon Black Workload vulnerability solution provides shared information on vulnerabilities that is available in Carbon Black Cloud as well as in the native vCenter administration client. Workload protection capabilities are fully integrated into the world’s leading cloud management platform for complete data center visibility and protection. The solution combines vSphere and VMware Carbon Black in a purpose-built, operationally simple solution with minimal overhead and performance impact.
VMware Carbon Black Workload is the only vSphere vCenter workload protection platform for enterprise virtualization and security teams that delivers the most secure virtual infrastructure, while also providing the same visibility and capabilities within the public cloud as well.
The CBWL solution reduces the attack surface by giving Infrastructure, DevOps, and Security teams visibility into the operating system and application vulnerabilities right from within the vCenter Management plane as well as within the Carbon Black Cloud Management Console.
A Carbon Black plug-in within vCenter allows for a shared truth on vulnerabilities and risk for those residing in vSphere/infrastructure as well as team members more focused on security or the Carbon Black Cloud console. Through this unique approach, we can eliminate the trade-off between security and operational simplicity by providing a single source of truth for Infrastructure and Security teams to accelerate response to critical vulnerabilities and attacks, while enabling collaboration and reducing friction. The Carbon Black Workload Plug-in provides deep visibility into your data center inventory and end-to-end life-cycle management for the components.
VMware Carbon Black Workload contains two components that are integrated into vCenter:
- Carbon Black Workload Plug-in in vCenter
- Carbon Black Workload Appliance
For further information on the solution architecture reference the following resource: https://carbonblack.vmware.com/resource/carbon-black-cloud-workload-protection-architecture
For purposes of this lab experience, Carbon Black Workload is already installed and configured. For information on installing and configuring CBWL in under 15 minutes see the following video:
For a guided lab on installing and configuring the CWP appliance see Module 2 of the CWP Hands-on Lab simulation: https://labs.hol.vmware.com/HOL/catalogs/lab/10212
The following section details the basics of accessing and using the Carbon Black Workload Plug-In in vSphere. The Carbon Black Workload Plug-in for vSphere integrates Carbon Black security capabilities directly in the vSphere Client.
On the desktop, open the shortcut named “vCenter Server”.
Log in with the following credentials:
- Username: (listed in text file Carbon_Black_Demo_Credentials.txt on the Carbon Black desktop)
- Password: (listed in text file Carbon_Black_Demo_Credentials.txt on the Carbon Black desktop)
Once logged in, to view the Carbon Black Workload Plug-in, click Menu at the top left to expose menu options. Then select the Carbon Black icon in the drop-down menu.
Note: If you receive the error "Unable to fetch appliance details, please contact the administrator", hit the browser refresh button.
Carbon Black Cloud partners with Kenna Security to leverage the largest database of vulnerability, exploit, and event threat data in the industry. This data is distilled into three main measures of risk:
- Active Internet Breach: Presence of near-real-time exploitation.
- Malware Exploitable: Availability of an exploit module in a weaponized exploit kit.
- Easily Exploitable: Availability of a recorded exploit.
The Common Vulnerability Scoring System (CVSS) defines a set of metrics. Some describe the attack method itself (exploitability), while the others capture impact, that is, the direct consequence of a successful exploit. To learn more about CVSS, visit https://www.first.org/cvss/specification-document.
Every vulnerability is assigned a risk score of between 0.0 (no risk) and 10.0 (maximum risk). The risk score range and severity are defined as follows.
To learn more about how the risk is calculated, refer to the Kenna Security documentation.
VMware Carbon Black Workload consolidates multiple datacenter security capabilities with an easy deployment experience on vSphere and a single lightweight sensor for your workload environment. VMware Tools includes the Carbon Black agent installer, facilitating the installation process and eliminating management by providing native security capabilities as a service that IT infrastructure owners can provide.
Workload protection was already deployed on numerous workloads within the TestDrive vSphere environment before this guide was written, so we can discover and view any risks identified by the vulnerability assessment capability. No scanning is involved: the sensor is already collecting the data, and the same single data stream is queried to populate this information in the vCenter management plane. In this portion of the lab experience we will dive into the vulnerabilities and information available to you directly in vSphere.
While logged into vCenter, click on the Menu button at the top left of vCenter and then navigate to and click on the Carbon Black plug-in. For more information on accessing and navigating the plug-in see section 3.2.
Navigate to the Vulnerabilities page within the plugin. The Vulnerabilities page displays information on vulnerabilities affecting the environment with intuitive filtering capabilities to give administrators a prioritized, realistic method to look at risk and threat.
On the top of the page severity level filters can be used to view vulnerabilities in a prioritized manner. For this lab, we will focus on Critical vulnerabilities, with a severity score of 9.0 to 10.0. For more information on how risk is scored see Section 3.3.
- If not currently selected, click the Critical filter at the top of the page to view only critical vulnerabilities
We should now see only CVEs with a Critical (high-risk) score; these are CVEs that are exploitable within this environment. This means an attacker (external or internal) could gain access to a workload by leveraging one of these CVEs in an attack, if discovered.
- Scroll down to view vulnerabilities
- Click the Vulnerability View to view all vulnerabilities based on the type
Vulnerability types include Windows OS, Linux OS, Windows App, and Linux App. Select a vulnerability type of interest. Due to the nature of this lab, a specific vulnerability will not be selected as vulnerabilities will change across the environment.
A vulnerability will display:
- Severity: Criticality of a vulnerability
- Risk Score: Score denoting severity; ranges from 0.0 (no risk) to 10.0 (maximum risk)
- OS Name: Name of OS affected by the vulnerability
- OS Version: Version of OS affected by the vulnerability
- CVE ID: Identifier of the specific vulnerability
- Fixed by: If applicable, links to KB article denoting update/patch that fixes a vulnerability
- Vendor (if App vulnerability): Name of the vendor of application w/vulnerability
- Product Name (if App vulnerability): Name of application w/vulnerability for reference
- Version (if App vulnerability): Version of the application in which the vulnerability is fixed
- Assets Affected: Number of workloads in your environment that are affected by this vulnerability
- Click the arrow next to a vulnerability to expand additional information
Expanding a vulnerability will show:
- A plaintext description of the vulnerability
- Link to the National Vulnerability Database
- Asset(s) affected by the vulnerability
- Risk details (Kenna variables affecting severity score)
- CVSS score information
- CVSS vector details
- Click the link to the National Vulnerability Database
Carbon Black Workload directly links to the National Vulnerability Database (NVD) page for the selected vulnerability. This allows for an easy workflow to get more background on the vulnerability and how to resolve it directly in your vSphere environment.
- Review information on NVD
- Click the vSphere tab to return to the CBWL plug-in
- Click the plus to expand Affected Assets
- Click one of the Affected Assets
When viewing a workload, on the Monitor tab, a Carbon Black Vulnerabilities page is available. You can view all vulnerabilities affecting a particular workload from this page.
Once the administrator has patched or otherwise resolved the vulnerability, the Reassess function at the top right re-evaluates the asset so its health can be viewed in real time.
We have now completed a workflow looking into a critical vulnerability directly in vSphere. CWP provides built-in vulnerability assessment capabilities in your vSphere console.
The VMware Carbon Black Workload solution can be accessed through both the Carbon Black Cloud Console and the Carbon Black vCenter plugin.
The Carbon Black Cloud console is web-based with one lightweight agent deployed to endpoints.
The console is accessed through a supported web browser:
- Windows: Chrome, Edge, Firefox
- macOS: Chrome, Firefox, Safari
Login to Carbon Black Cloud:
- URL: https://defense-prod05.conferdeploy.net/
- User: (listed in text file on the Carbon Black Cloud desktop)
- Password: (listed in text file on the Carbon Black Cloud desktop)
- Click the "Carbon Black Cloud" Chrome link; a web browser will open with the Carbon Black URL already populated
- Login with credentials listed in text file on the desktop
If you are an existing VMware Carbon Black Cloud customer using the NGAV, EDR, container security, or other solution, the Carbon Black Workload solution lives in the same cloud-based console. Workload vulnerability information lives in the Vulnerabilities tab.
- On the left side navigation menu, click Harden to expose menu options
- Click Vulnerabilities to view vulnerability information
Carbon Black Workload gives teams a shared truth of risk, minimizing friction between teams such as infrastructure and security. Teams have the same visibility and understanding of vulnerabilities whether they are viewing information in the Carbon Black Cloud or within the vCenter plug-in.
Click on Show graphs on the top right to expand the vulnerabilities dashboard.
Vulnerabilities can be explored within the Carbon Black Cloud in the same method used in Section 4.
For a more guided experience on using the Carbon Black Cloud for vulnerabilities see Module 4 of the CWP Hands-on Lab simulation: https://labs.hol.vmware.com/HOL/catalogs/lab/10212
To gather stateful information which is correlated to vulnerabilities, another part of the Carbon Black Solution suite is leveraged called Audit and Remediation. Audit and Remediation allows administrators to ask questions on the environment across hardware, software, and network variables at scale. Carbon Black Workload customers have access to the full Audit and Remediation solution beyond its use in vulnerability assessment. This portion of the experience will walk through using Audit and Remediation.
If you are not currently logged in to the Carbon Black Cloud console see section 5.1 for how to log in.
- On the left-hand navigation menu click Live Query to expand the menu
- Click New Query menu option
Numerous queries are pre-built and ship out of the box with Audit and Remediation; these are called recommended queries. Pre-built queries fall under the IT Hygiene, Vulnerability Management, Threat Hunting, and Compliance use cases. Recommended queries can be filtered by selecting a use case, filtering by applicable OS, or searching for keyword(s).
Queries can be run on a one-off basis or scheduled to run automatically (daily, weekly, monthly, etc.). Query results can be viewed in the console or exported.
- Click Vulnerability Management to review queries falling under this use case.
Carbon Black Workload and Audit and Remediation give administrators a greater understanding of what they are securing. We will review a recommended query to better understand the information Audit and Remediation can provide.
- Scroll down to the Installed Windows Applications query
- Click the 'plus' to expand and view SQL
The Installed Windows Applications query returns information about applications installed by msiexec.exe. By expanding a query you can view the SQL code used in the query. Audit and Remediation leverages osquery and standard SQL syntax.
osquery schema can be viewed on the following page: https://osquery.io/schema/4.5.0
Beyond recommended queries, administrators can create their own, custom queries to suit any number of use cases. Queries are built using standard SQL syntax and the previously linked osquery schema.
- Review the osquery schema at https://osquery.io/schema/4.5.0 to understand available tables
- Scroll to the top of the page; click the SQL Query tab
We will create a custom query that looks at the value of the 'LimitBlankPasswordUse' registry key. The value can be 1 or 0; 1 is recommended, as it prevents network connections from accessing the endpoint with a blank password. An attacker could change this registry value to gain access to an environment.
This query comes from the Carbon Black Query Exchange. The query exchange is an open forum for Carbon Black customers to share queries they've created - or leverage queries others have created. The Query Exchange is linked on the top right of the page. Note that only Carbon Black customers can access the Query Exchange.
Queries can be run environment-wide, on specific endpoints, or on a policy group. Let's run this query on a specific workload.
- Click 'Endpoints' hyperlink to expose endpoint selection
- Type in 'cb-win-10' and select the workload
- In the 'SQL' textbox copy and paste the following query
SELECT CASE CAST(data AS INTEGER) WHEN 1 THEN 'Blank Password Auth via Network Not Possible' WHEN 0 THEN 'Blank Password Auth via Network Possible' END AS "LimitBlankPasswordUse" FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' AND name = 'LimitBlankPasswordUse';
- In the 'Query Name' text box enter 'YOUR NAME - TD'
- Click 'Run' to run your newly created query
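Before scheduling a query like this across a fleet it is worth confirming offline that the SQL actually discriminates between the two registry states. The following Python script is an added example written for this walkthrough; it is not Carbon Black's or the Query Exchange's code. It uses an in-memory SQLite table as a stand-in for osquery's `registry` table (the column names key, path, name, type, data and mtime follow the osquery schema; the host names and registry contents are constructed). It runs the LimitBlankPasswordUse query against each "sensor" the way Live Query fans a query out, reports the case where the value is absent (which would otherwise simply return no rows), and also shows why a searched `CASE WHEN 1 THEN ... WHEN 0 THEN ...` with constant conditions always returns its first label regardless of the stored data.

```python
"""Offline sanity check for the LimitBlankPasswordUse Live Query.

An in-memory SQLite table stands in for osquery's `registry` table
(columns key, path, name, type, data, mtime), so the SQL can be exercised
without a Carbon Black Cloud tenant or a Windows sensor. Host names and
registry contents below are constructed for this example.
"""
import sqlite3

# Registry key holding the LSA policy values (real Windows key path).
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Simple-CASE form: the value's data is compared against 1 and 0, and the
# WHERE clause selects the value itself (key + name) rather than the key.
LIMIT_BLANK_PASSWORD_QUERY = r"""
SELECT name,
       data,
       CASE CAST(data AS INTEGER)
            WHEN 1 THEN 'Blank Password Auth via Network Not Possible'
            WHEN 0 THEN 'Blank Password Auth via Network Possible'
            ELSE 'Unexpected value'
       END AS LimitBlankPasswordUse
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
  AND name = 'LimitBlankPasswordUse';
"""

# Searched-CASE form with constant conditions: `WHEN 1` is always true,
# so every row gets the first label no matter what `data` holds.
SEARCHED_CASE_QUERY = r"""
SELECT CASE WHEN 1 THEN 'Blank Password Auth via Network Not Possible'
            WHEN 0 THEN 'Blank Password Auth via Network Possible'
       END
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
  AND name = 'LimitBlankPasswordUse';
"""


def build_sensor_db(lsa_values):
    """Create one sensor's stand-in registry table.

    lsa_values maps value name -> DWORD data for values under the Lsa key.
    osquery reports DWORD data as text, so it is stored as a string here.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registry (key TEXT, path TEXT, name TEXT, "
        "type TEXT, data TEXT, mtime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO registry VALUES (?, ?, ?, ?, ?, ?)",
        [(LSA_KEY, LSA_KEY + "\\" + name, name, "REG_DWORD", str(data), 0)
         for name, data in lsa_values.items()],
    )
    return conn


def check_blank_password_policy(conn):
    """Run the query on one sensor and return a verdict string.

    A missing value yields no rows, so that case is reported explicitly
    instead of silently disappearing from the results view.
    """
    rows = conn.execute(LIMIT_BLANK_PASSWORD_QUERY).fetchall()
    if not rows:
        return "LimitBlankPasswordUse value not present (query returned no rows)"
    return rows[0][2]


def searched_case_verdict(conn):
    """Verdict produced by the constant-condition CASE, for comparison."""
    rows = conn.execute(SEARCHED_CASE_QUERY).fetchall()
    return rows[0][0] if rows else None


# Constructed fleet of three hypothetical sensors (not real hosts).
FLEET = {
    "cb-win-10": {"LimitBlankPasswordUse": 1, "RestrictAnonymous": 0},
    "lab-host-a": {"LimitBlankPasswordUse": 0},
    "lab-host-b": {"RestrictAnonymous": 0},   # value never written
}


def run_fleet_check(fleet=FLEET):
    """Fan the query out to every sensor, as Live Query does, and collect verdicts."""
    return {host: check_blank_password_policy(build_sensor_db(values))
            for host, values in fleet.items()}


if __name__ == "__main__":
    for host, verdict in run_fleet_check().items():
        print(f"{host}: {verdict}")
    weak = build_sensor_db({"LimitBlankPasswordUse": 0})
    print("searched-CASE form on a host with value 0:", searched_case_verdict(weak))
```

Running the script prints one verdict per constructed host. The host with the value set to 0 is the one to act on; the host where the value has never been written returns no rows from the query, which is why the script reports that case separately rather than leaving it out of the results.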
Query results can be viewed in the console or exported.
- Click 'Query Results' on the left-hand menu under the parent 'Live Query'
- Select your query to view results by clicking on the name hyperlink
- You can refresh the page in a couple of seconds to see the query results after the sensor has collected all information