The following section details the basics of accessing and using the Carbon Black Cloud Workload Plug-In in vSphere. The Carbon Black Cloud Workload Plug-in for vSphere integrates CB security capabilities directly in the vSphere Client.
1. Accessing the Carbon Black Cloud Workload Plug-in
On the desktop, launch on the shortcut named vCenter Server (or open a Chrome browser and enter https://vca-1.vmwtd.com/ui).
The Carbon Black Cloud Workload Plug-in for vSphere integrates Carbon Black security capabilities directly in the vSphere Client.
Log in with the following credentials:
- Username: (listed in text file Carbon_Black_Demo_Credentials.txt on the Carbon Black desktop)
- Password: (listed in text file Carbon_Black_Demo_Credentials.txt on the Carbon Black desktop)
3. View Carbon Black Cloud Workload Plug-in
Once logged in, to view the Carbon Black Cloud Workload Plug-in, click Menu at the top to expose menu options. Then select the Carbon Black icon in the drop-down menu. The plug-in can also be accessed on the left-hand side of the vSphere console.
Note: If you receive the error "Unable to fetch appliance details, please contact the administrator", hit the browser refresh button.
4. CWP Plug-in Navigation - Summary Tab
On accessing the plug-in you will be brought to the Summary, or "Dashboard", tab. The Carbon Black Cloud Workload Plug-in Summary tab contains widgets on appliance health, inventory status, and critical vulnerabilities:
- Appliance Health: The CWP appliance facilitates communication between your vSphere environment and the CBC. Appliance Health displays the status of the CWP appliance. For more information on appliance status see the following page: https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-66E2A35A-4754-43F6-A5AD-C611D35EDD44.html
- Inventory Status: Inventory management for workloads; shows the coverage of Carbon Black through vSphere environment (is Carbon Black enabled, if there are updates to Carbon Black agent available, are assets eligible for Carbon Black, assets unsupported by Carbon Black, etc.)
- Affected Assets: Displays how many assets are affected by vulnerabilities, broken down by OS
- Critical Product Vulnerabilities: Displays how many critical vulnerabilities are present in the environment by vulnerability type (Windows OS, Windows App, Linux OS, Linux App)
5. Vulnerabilities Tab
The Vulnerabilities page displays vulnerabilities present in your vSphere environment. Click "Vulnerabilities" to navigate the vulnerability page.
An overview of vulnerabilities is shown at the top of the page - including filters based on vulnerability severity. Severity scoring allows for administrators to understand and mitigate risks in a prioritized, realistic method. Higher severity scores indicate that the vulnerability should be prioritized. There are four severity categories…
- Low: Score from 0.0 – 3.9
- Moderate: Score from 4.0 – 6.9
- Important: Score from 7.0 – 8.9
- Critical: Score from 9.0 – 10.0
6. Vulnerabilities Tab - Contd.
As a vCenter Server administrator, you want to have visibility of known vulnerabilities in your environment to understand your security posture and schedule maintenance windows for patching and remediation. With the help of vulnerability assessment, you can proactively minimize the risk in your environment.
Vulnerabilities can be viewed in Asset View or Vulnerability View:
- Asset View displays workloads covered by CWP and allows you to look at all vulnerabilities affecting the workload of interest.
- Vulnerability View displays all vulnerabilities based on type (Windows OS, Windows App, etc.).
Carbon Black looks into vulnerabilities related to:
- Operating System (OS) of the virtual machine.
- Windows OS: Displays OS-level vulnerabilities for Windows VMs. The system looks for OS details and the security patches applied on each VM. When the security patch associated with the vulnerability is not applied, the VM is flagged as vulnerable.
- Linux OS: Displays OS-level vulnerabilities for Linux VMs. The system looks for OS details with the list of all installed packages. The system determines the vulnerable packages installed on the VM and reports the CVEs against those packages.
- Applications are installed on the virtual machine.
- Windows Apps: Displays application-level vulnerabilities for the Windows VMs.
- Linux Apps: Displays application-level vulnerabilities for the Linux VMs.
A deeper dive into vulnerabilities and using the vulnerability tab will be covered in Section 4 of this lab.
7. Inventory Tab
The Inventory page displays workloads for which you have enabled and not enabled CWP. You can manage workloads from this page.
CWP provides a streamlined agent deployment process. The Carbon Black agent installer is provided as part of the VMware Tools package. Deployment to workloads is simplified to a ‘click to enable’ process. Simply select the workload for which you would like to enable CWP and click ‘Enable’. Initial assessment begins within 24 hours of enabling, and then occurs daily, automatically from that point forward.
Major sensor updates can be pushed by selecting workload(s) and clicking the ‘Update’ button. Only major sensor updates need to be manually done from the vCenter plugin or Carbon Black Cloud console. Updates can be done individually or on multiple/all workloads.
8. How VMware Carbon Black Measures Risk
Carbon Black Cloud partners with Kenna Security to leverage the largest database of vulnerability, exploit, and event threat data in the industry. This data is distilled into three main measures of risk:
- Active Internet Breach: Presence of near-real-time exploitation.
- Malware Exploitable: Availability of an exploit module in a weaponized exploit kit.
- Easily Exploitable: Availability of a recorded exploit.
There are metrics defined for Common Vulnerability Scoring System (CVSS). A few of the metrics are about the attack method itself, whereas the others depend on how the application assesses impact - the direct consequence of a successful exploit. To learn more about CVSS, visit https://www.first.org/cvss/specification-document.
9. Risk Score
Every vulnerability is assigned a risk score of between 0.0 (no risk) and 10.0 (maximum risk). The risk score range and severity are defined as follows.
To learn more about how the risk is calculated, refer to the Kenna Security documentation available at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-whitepaper-understanding-the-kenna-security-vulnerability-risk-score.pdf.