TestDrive

Identifying Risks

VMware Carbon Black Cloud Workload Protection consolidates multiple datacenter security capabilities with an easy deployment experience on vSphere and a single lightweight sensor for your workload environment. VMware Tools includes the Carbon Black agent installer, which simplifies installation and removes the need to manage a separate agent: native security capabilities become a service that IT infrastructure owners can provide.

Workload protection had already been deployed on numerous workloads within the TestDrive vSphere environment before this guide was written. This allows us to discover and view any risks identified by the vulnerability assessment capability. No scanning is involved: the sensor is already collecting the data, and the same single data stream is queried to populate the vulnerability information within the vCenter management plane. In this portion of the lab we will dive into the vulnerabilities and information available to you directly in vSphere.

4.1 Looking into A Critical Vulnerability

While logged into vCenter, click on the Menu button at the top of vCenter and then navigate to and click on the Carbon Black plug-in. For more information on accessing and navigating the plug-in see section 3.2.

Navigate to the Vulnerabilities page within the plugin. The Vulnerabilities page displays information on vulnerabilities affecting the environment with intuitive filtering capabilities to give administrators a prioritized, realistic method to look at risk and threat.

At the top of the page, severity level filters can be used to view vulnerabilities in a prioritized manner. For this lab, we will focus on Critical vulnerabilities, those with a severity score of 9.0 to 10.0. For more information on how risk is scored see Section 3.3.

Critical Vulnerabilities

  • If not currently selected, click the Critical filter at the top of the page to view only critical vulnerabilities

We should now see only Critical, high-risk-score CVEs. These are CVEs that are exploitable within this environment, meaning an attacker (external or internal) who discovers one of them could leverage it to gain access to a workload.

  • Scroll down to view vulnerabilities
  • Click the Vulnerability View to view all vulnerabilities grouped by type

Vulnerability types include Windows OS, Linux OS, Windows App, and Linux App. Select a vulnerability type of interest. Due to the nature of this lab, a specific vulnerability will not be selected as vulnerabilities will change across the environment.

A vulnerability will display:

  • Severity: Criticality of the vulnerability
  • Risk Score: Score denoting severity; ranges from 0.0 (no risk) to 10.0 (maximum risk)
  • OS Name: Name of the OS affected by the vulnerability
  • OS Version: Version of the OS affected by the vulnerability
  • CVE ID: Identifier of the specific vulnerability
  • Fixed by: If applicable, a link to the KB article for the update/patch that fixes the vulnerability
  • Vendor (if App vulnerability): Name of the vendor of the application with the vulnerability
  • Product Name (if App vulnerability): Name of the application with the vulnerability, for reference
  • Version (if App vulnerability): Version of the application in which the vulnerability is fixed
  • Assets Affected: Number of workloads in your environment that are affected by this vulnerability
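To make the filter and field semantics concrete, here is an added example (not code from the CWP plug-in or from VMware) that models the columns above as records, applies the Critical band (9.0 to 10.0) and the Vulnerability View grouping, and ranks the results by Assets Affected. The CVE IDs, asset counts and fix references are constructed placeholders, and the band cut-offs below 9.0 are assumed from the NVD CVSS v3 qualitative ratings rather than taken from this page.

```python
from dataclasses import dataclass
from collections import defaultdict
from typing import Optional

@dataclass(frozen=True)
class Vulnerability:
    """One row of the Vulnerabilities page (constructed shape, not the plug-in's API)."""
    cve_id: str
    vuln_type: str                  # "Windows OS", "Linux OS", "Windows App", "Linux App"
    risk_score: float               # 0.0 (no risk) .. 10.0 (maximum risk)
    assets_affected: int            # workloads in the environment carrying this CVE
    fixed_by: Optional[str] = None  # KB/patch reference when a fix exists

    def __post_init__(self):
        if not 0.0 <= self.risk_score <= 10.0:
            raise ValueError(f"risk score out of range: {self.risk_score}")

def severity(score: float) -> str:
    """Critical is 9.0-10.0 as on the page; lower bands assume NVD CVSS v3 ratings."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

def critical_view(vulns, vuln_type=None):
    """Apply the Critical filter, optionally one Vulnerability View type, and rank
    by Assets Affected so the CVE with the widest exposure is triaged first."""
    hits = [v for v in vulns if severity(v.risk_score) == "Critical"
            and (vuln_type is None or v.vuln_type == vuln_type)]
    return sorted(hits, key=lambda v: (-v.assets_affected, v.cve_id))

def by_type(vulns):
    """Group the critical findings the way the Vulnerability View does."""
    groups = defaultdict(list)
    for v in critical_view(vulns):
        groups[v.vuln_type].append(v)
    return dict(groups)

SAMPLE = [  # constructed placeholder records, not real findings
    Vulnerability("CVE-0000-0001", "Windows OS", 9.8, 12, "KB-placeholder"),
    Vulnerability("CVE-0000-0002", "Linux App", 9.1, 3),
    Vulnerability("CVE-0000-0003", "Linux OS", 7.5, 20),
    Vulnerability("CVE-0000-0004", "Windows App", 10.0, 5, "advisory-placeholder"),
    Vulnerability("CVE-0000-0005", "Linux OS", 9.0, 8),
]
```

Note that the 7.5-scored record is excluded by the Critical filter even though it touches the most workloads; breadth of exposure only reorders what the severity filter has already admitted.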

Additional Information

  • Click the caret next to a vulnerability to expand additional information

Expanding a vulnerability will show:

  • A plaintext description of the vulnerability
  • Link to the National Vulnerability Database
  • Asset(s) affected by the vulnerability
  • Risk details (Kenna variables affecting severity score)
  • CVSS score information
  • CVSS vector details

National Vulnerability Database

  • Click the link to the National Vulnerability Database

CWP links directly to the National Vulnerability Database (NVD) page for the selected vulnerability. This gives an easy workflow for getting more background on the vulnerability and how to resolve it, directly from your vSphere environment.

  • Review information on NVD
  • Click the vSphere tab to return to the CWP plug-in
  • Click the plus to expand Affected Assets
  • Click one of the Affected Assets

Monitor Tab

When viewing a workload, on the Monitor tab, a Carbon Black Vulnerabilities page is available. You can view all vulnerabilities affecting a particular workload from this page. 

We have now completed a workflow looking into a critical vulnerability directly in vSphere. CWP provides built-in vulnerability assessment capabilities in your vSphere console. 
