Securing Windows with Workspace ONE Intelligence and Carbon Black

The following guide walks you through using the Carbon Black setup in Workspace ONE Intelligence for threat detection and automatic remediation.

Before You Begin


Before you begin this walkthrough, ensure you have the following:

  • A valid account in the VMware TestDrive environment; sign up here if you do not yet have an account.
  • A Windows 10 device enrolled into Enterprise - EMM Demo (corporate owned) OG. 
    See enrollment here.
  • Reference the Workspace ONE Intelligence guide.

Overview


VMware Workspace ONE Intelligence with Carbon Black provides a modern, cloud-based enterprise security approach to secure users and endpoints. To manage risks related to modern-day cyber threats, Workspace ONE Intelligence with Carbon Black combines insights from Workspace ONE, an intelligence-driven digital workspace platform, with Carbon Black to deliver predictive and automated security in the digital workspace. Existing security tools provide IT with only limited visibility, focusing on silos of security that provide legacy functionality. This results in a band-aid approach that burdens organizations with high costs due to the complexity and manual tasks involved in trying to secure a digital workspace.
 
Fortifying Intelligence, Carbon Black provides:
  • Single Agent, Cloud Platform - Carbon Black Defense is delivered through the CB Predictive Security Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and dataset.
  • Streaming Prevention with Minimal False Positives - Carbon Black Defense’s unique, data-driven prevention technology is certified to replace AV, using predictive modeling that identifies and stops more known and unknown threats including malware, fileless attacks, and ransomware. This technology eliminates the black magic typically associated with machine learning, minimizing misses and false positives.
  • Complete Endpoint Visibility - Carbon Black Defense gives you a clear, comprehensive picture of endpoint activity using unfiltered, tagged data that allows you to easily search and investigate endpoints, follow the stages of an attack, and identify root cause so you can close security gaps.
  • Improved Efficiency Between Security & IT Ops - Carbon Black Defense breaks down the walls between IT Operations and Security with simple workflows and built-in tools for live incident response, real-time investigations, and team collaboration. In addition, flexible policy configurations allow you to explicitly tailor your prevention, keeping users happy without compromising security. 

Navigating to Workspace ONE Intelligence in TestDrive


There are two different methods to navigate to Workspace ONE Intelligence within TestDrive. 

To launch into the Workspace ONE UEM Admin Console from TestDrive:

  1. Log in at portal.vmtestdrive.com with your TestDrive account.
  2. Locate Workspace ONE UEM in the Secure Digital Workspace tab under Ready to Use Experiences and click the Launch button.

    Alternatively, you can navigate directly to the Workspace ONE UEM console by browsing to the following URL: https://testdrive.awmdm.com

  3. From the Workspace ONE UEM console, verify you are using the proper role.  In the top right, click your username to view your Account details. Set your role to:

    Intelligence & Tenant Administrator at TestDrive

    After the role is selected, the page will reload and you may see an admin error. This would happen if you were previously viewing a page that is unavailable with the new role. Simply navigate to Monitor > Intelligence and click Launch.


Carbon Black Dashboards


PLEASE DO NOT MODIFY PRESET DASHBOARDS.
 
Workspace ONE UEM, Workspace ONE Intelligence, and Carbon Black are fully integrated.  In TestDrive's Workspace ONE Intelligence setup, Carbon Black has a preconfigured dashboard and automation.
 
Filter your Intelligence dashboards view by entering "Carbon Black" to see the preconfigured dashboard Carbon Black Threats.
 

Click view to drill into the dashboard and review the layout. 

 

Trigger Carbon Black Automation


PLEASE DO NOT MODIFY STAGED AUTOMATIONS.

The automation and workflow engine allows the administrator to act directly on the data in real time across any of the data sources, and to take Workspace ONE actions via an integration with the Carbon Black cloud.

Two automations are staged for Carbon Black: one is available to demonstrate and the other is set up to enhance discussions.

  • STAGED Carbon Black Terminate VPN - Use for demonstration.
  • STAGED Carbon Black Ransomware Threat Detected - Discussion only. 

Automation in Action - STAGED Carbon Black Terminate VPN

Find the STAGED Carbon Black Terminate VPN automation and view it.

This enabled automation is set to remove the Per-app Tunnel VPN profile on a Windows 10 desktop upon Carbon Black's detection of a specific threat.

Demo alert! Because of the nature of threat remediation, the demo cannot be readily repeated after completion.

For demonstration purposes, UISpy, a benign app, has been set up by UEM in Windows.  It's also been set in Carbon Black as a low priority threat. 

On the enrolled Windows 10 machine, attempt to launch UISpy.exe from search.

Observe the instant Carbon Black Defense notification in Windows.

Back in Workspace ONE Intelligence, in the Carbon Black low-risk threats widget, hover over the threat category "policy" (lightest green) for the current date.  Note the triggered policy.


Drill through the "policy" category and view the threat type.    


A few moments later, in the Workspace ONE UEM console, check your device's details > profiles for the removal of the WWE - Windows - Tunnel profile.

Also check for the removal of the Per-app VPN profile from the Windows device itself (< 2 min for remediation).

[Screenshot: before Intelligence's Carbon Black threat remediation]

[Screenshot: after Intelligence's Carbon Black threat remediation]

Although per-app VPN exposes far less of the device and the corporate network than a device VPN, it is still a pipeline to the internal network and may act as a conduit for a threat to enter enterprise systems. Workspace ONE Intelligence with Carbon Black has removed the Per-app Tunnel profile from the device, eliminating the threat's chance to spread to internal systems.

STAGED Carbon Black Ransomware Threat Detected (Discussion Only)

Select Automations on the left menu bar.  Find the "STAGED Carbon Black Ransomware Threat Detected" automation and view it.

This particular sample automation is set to push a profile that updates the controlled folder access policy, send an email to the affected user(s), create a ServiceNow ticket, and approve a patch to remove the OS vulnerability.

Device Deployment


Workspace ONE UEM all but eliminates administrative overhead by installing the Carbon Black Defense Sensor app (agent) on your Windows 10 device.  Devices enrolled in the Enterprise - EMM Demo (Corporate Owned) OG will have the appropriate sensor app automatically installed by Workspace ONE UEM.

Log in to the console and change your admin role to Device Administrator at World Wide Enterprises.

Next, validate the Cb Defense Sensor app is successfully installed on the device.  Drill into your device and go to Apps.

  • Carbon Black (Windows 10) should appear in the app list (the version may well be different).

If the Defense Sensor is not installed, it is likely that a system update or higher system process prevented it from installing initially. You can push the installation from the UEM console again.

Workspace ONE Intelligence with Carbon Black Availability


VMware Workspace ONE Intelligence with Carbon Black capabilities are available to Workspace ONE customers who have Workspace ONE Intelligence. Workspace ONE Intelligence is available in Workspace ONE Enterprise, Workspace ONE Enterprise for VDI, and as an add-on to Workspace ONE on-premises editions.
