Risk Scoring (Workspace ONE Intelligence Risk Analytics)

Use Workspace ONE Intelligence to view the data it collects to identify risk and to see that risk expressed as scores. The Workspace ONE Intelligence Risk Analytics feature tracks user and device actions and behaviors and then calculates the potential risk. It shows this potential with risk levels and other metadata so you can quickly measure the vulnerability of your Workspace ONE UEM deployment. You can also view login risk scores from Workspace ONE Access. These scores ingest information from a user’s login location and can report if the user is showing anomalous, risky behavior.

What is risk scoring?

Risk scoring uses a spectrum of trust, from low to high, to grant resource access to users depending on each user's risk assessment. The risk assessment places the user anywhere from no risk to risky.

Risk scoring in Workspace ONE Intelligence is a risk analytics feature that tracks user and device actions and behaviors. It displays scores as levels to help speed up trust decisions. Certain levels imply that you can trust a user or device and others suggest an immediate mitigation. Risk scoring begins with a baseline or a “normal” level of risk. As a user or device behaves and deviates from normal, the score identifies those deviations as High, Medium, or Low.

  • High - This score indicates a great potential to introduce threats and vulnerabilities to the network and internal resources. This level is the least trustworthy.
  • Medium - This score indicates a moderate potential to introduce threats and vulnerabilities to the network and internal resources.
  • Low - This score indicates little potential to introduce threats and vulnerabilities to the network and internal resources. This level is the most trustworthy.

You can respond with various actions based on the score and your organization’s security policies. For example, an organization with permissive security policies might warn users for high risk scores. However, another organization with restrictive security policies might deny privileges for medium risk scores. Other ways organizations can act on risk scores include the following.

  • Monitor the device or user.
  • Warn the device or user with notifications.
  • Deny the device or user privileges.
  • Add authentication methods to the user or device with Workspace ONE Access integration.

What behaviors influence risk scores?

The risk score changes depending on the behaviors the system identifies for a device or user. These behaviors are also known as risk indicators. Positive behaviors lower the score, making the device or user more trustworthy. Negative behaviors increase the score, making the device or user less trustworthy. The system recognizes and aggregates several risk indicators to compute risk score deviations.

Identified behaviors

| Risk Indicator | Description | Risk |
|---|---|---|
| Anomalous Alert Activity | A device that produces an unusual number, type, or severity of security alerts. | An unusual number, type, or severity of threat alerts is an indication of a potentially compromised device. |
| App Collector | A person who installs an unusually large number of apps. | Any app can include known or unpatched vulnerabilities and these vulnerabilities can become attack vectors. The surface area for cyber-attacks increases with the number of apps on the device. |
| Compulsive App Download | A person who installs an atypical number of apps in a short period of time. | Users frenetically installing unusual apps on their devices have a greater risk of being a victim of malicious activity. Some apps disguise themselves as useful, friendly, or entertaining, when in fact they want to harm the user. Marketplace approaches to filtering unsafe content (malware) vary from vendor to vendor. A careless user can get tracked, hacked, or conned. |
| Excessive Critical CVEs | A device with an excessive number of unpatched critical CVEs (Common Vulnerabilities and Exposures). | The greater the number of critical CVEs present on a device, the larger the device’s attack surface. |
| Laggard Update | A person who sluggishly updates the device OS or who refuses to update at all. | Ignoring software updates can make a device vulnerable to attack and increases the risk of being compromised. |
| Persistent Critical CVEs | A device with one or many critical CVEs (Common Vulnerabilities and Exposures) remaining unpatched after the majority of eligible devices in the organization were patched. | The greater the number of critical CVEs present on a device, the larger the device’s attack surface. |
| Rare App Collector | A person who installs an unusually large number of rare apps. | Unlike widely used apps, rare ones are of questionable provenance and have a greater chance of having malware or security vulnerabilities. |
| Risky Security Setting | A person who owns one or many devices and has explicitly deactivated security protection features or has devices explicitly declared lost. | Disabling security measures on a device increases the risk of being compromised. |
| Unusual App Download | A person who has recently installed unusual apps. | Apps can disguise themselves as useful, friendly, or entertaining, when in fact they want to harm the user. Marketplace approaches to filtering unsafe content (malware) vary from vendor to vendor. A careless user can get tracked, hacked, or conned. |

What types of devices does risk scoring work on?

Risk scoring works on Android, iOS, macOS, and Windows platforms. It also works on devices categorized as corporate-dedicated, corporate-shared, employee-owned (BYOD), and undefined.

Supported risk indicators by platform

Risk indicators by device platform: Anomalous Alert Activity, App Collector (Unmanaged and public apps), Compulsive App Download (Unmanaged and public apps), Excessive Critical CVEs, Laggard Update, Persistent Critical CVEs, Rare App Collector (Unmanaged and public apps), Risky Setting, Unusual App Download (Unmanaged and public apps)

  • Mobile (iOS and Android)
  • Desktop (Windows and macOS)
    • App Collector, Compulsive App Download, Rare App Collector, Unusual App Download: The feature does not collect app data.
    • Excessive Critical CVEs, Persistent Critical CVEs: ✓ (Windows only)

Supported risk indicators by device ownership type

Risk indicators by device ownership type: Anomalous Alert Activity, App Collector (Unmanaged and public apps), Compulsive App Download (Unmanaged and public apps), Excessive Critical CVEs, Laggard Update, Persistent Critical CVEs, Rare App Collector (Unmanaged and public apps), Risky Setting, Unusual App Download (Unmanaged and public apps)

  • Corporate-Dedicated, Corporate-Shared, Undefined
  • Employee-Owned (BYOD)
    • App Collector, Compulsive App Download, Rare App Collector, Unusual App Download: Although the default Workspace ONE UEM privacy settings prevent the collection of app data on BYOD devices, admins can change the privacy settings so that Workspace ONE Intelligence can collect app data. Check your organization’s privacy strategy before changing privacy configurations in Workspace ONE UEM.

What requirements are there to see risk scores?

To use risk analytics, integrate the following systems and follow the listed restrictions.

  • Register Workspace ONE UEM.
  • To display risk scores in Workspace ONE Intelligence, each Workspace ONE UEM-managed device must have a unique account in the Workspace ONE UEM console. Do not use generic accounts that are assigned to multiple devices.
  • Deploy 100 devices or more of the same platform to allow the scoring system to produce results. The risk indicator compares the device indicators against the entire device population across the organization. To provide statistically significant scores, the system needs a dataset with at least 100 devices of the same platform.
  • Users must have six or fewer devices enrolled with the same account. The system considers users with more than six devices to be part of a shared device environment. It is difficult for the system to measure user and device risk accurately in a shared environment.
  • Optionally, register Workspace ONE Access so that you can configure access policies in Workspace ONE Access with user risk scores.
  • To use the Anomalous Alert Activity risk indicator, meet the listed requirements.
    • Use Carbon Black Endpoint Standard as your cloud native endpoint protection platform (EPP).
    • Ingest Carbon Black data into Workspace ONE Intelligence using the Trust Network API.
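
A pre-flight check for the device-count and account restrictions listed above, as an added example that is not part of the product or its documentation. The inventory schema (`device_id`, `platform`, `account`) and the sample data are constructed assumptions; only the thresholds of 100 devices per platform and six devices per account come from the requirements.

```python
from collections import Counter, defaultdict

MIN_PER_PLATFORM = 100  # page: at least 100 devices of the same platform
MAX_PER_ACCOUNT = 6     # page: more than six devices is treated as shared


def scoring_readiness(devices):
    """Check `devices` (dicts with assumed keys 'device_id', 'platform',
    'account'; a constructed schema) against the prerequisites above."""
    per_platform = Counter(d["platform"] for d in devices)
    per_account = defaultdict(list)
    for d in devices:
        if d["account"]:
            per_account[d["account"]].append(d["device_id"])

    # Platforms too small for a population comparison.
    small_platforms = {p: n for p, n in per_platform.items() if n < MIN_PER_PLATFORM}
    # Accounts with more than six devices (generic or shared enrollment).
    shared_accounts = {a: len(ids) for a, ids in per_account.items()
                       if len(ids) > MAX_PER_ACCOUNT}
    no_account = sorted(d["device_id"] for d in devices if not d["account"])
    needs_attention = sorted(
        d["device_id"] for d in devices
        if d["platform"] in small_platforms
        or not d["account"]
        or d["account"] in shared_accounts
    )
    return {
        "small_platforms": small_platforms,
        "shared_accounts": shared_accounts,
        "no_account": no_account,
        "needs_attention": needs_attention,
    }


def sample_inventory():
    """Constructed data: 120 Windows devices (8 on one kiosk account), 40 macOS."""
    inv = [{"device_id": f"win-{i:03d}", "platform": "Windows", "account": f"user{i:03d}"}
           for i in range(112)]
    inv += [{"device_id": f"win-k{i}", "platform": "Windows", "account": "kiosk"}
            for i in range(8)]
    inv += [{"device_id": f"mac-{i:02d}", "platform": "macOS", "account": f"user{i:03d}"}
            for i in range(40)]
    return inv


if __name__ == "__main__":
    report = scoring_readiness(sample_inventory())
    print({k: (len(v) if k == "needs_attention" else v) for k, v in report.items()})
```

On the constructed inventory, the macOS fleet falls below the population threshold and the kiosk account exceeds the per-account limit, so those devices are the ones to fix before relying on their scores.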

Where can you find risk scores in the console?

Workspace ONE Intelligence reports risk scores and other risk data in different dashboards.

  • User risk data is on the Workspace > Workplace Security > User Risk dashboard.
  • Device risk data is on the Workspace > Workplace Security > Security Risk dashboard.

Risk scoring has modules you can use in your custom dashboards. Use the category Workspace ONE UEM > Device Risk Score or User Risk Score to access the modules.

What can you do with risk scores?

Act with workflows in Workspace ONE Intelligence.

  • You can mitigate and act by selecting Automate right from the User Risk dashboard or the Security Risk dashboard. Create workflows and select from various Workspace ONE UEM Actions.
  • You can create a customized workflow using the Workspace ONE UEM category, either with Device Risk Score or User Risk Score.
  • You can use pre-configured workflow templates.
    • Risky Device Detected - This template requires a Slack connection.
    • MTD App Deployment Prioritization
    • Update Laggard Devices - This template works only for iOS.
  • Manage access to resources with access policies in Workspace ONE Access.
    • Register your Workspace ONE Access environment with Workspace ONE Intelligence to access risk scores in the Workspace ONE Access manager console.
    • Access policies in Workspace ONE Access create and enforce authentication protocols for users with an If-Then construct. You can specify a user risk score in the If section that dictates the authentication method allowed in the Then section. If a user has a risk level of high, medium, or low, then the user can authenticate to resources using a specified method approved by your organization’s security policies.
    • Depending on the user risk level, the system can enforce a restrictive access policy for high risk users to offer increased security to internal resources. Conversely, the system can enforce a permissive access policy for low or medium risk users.

What systems contribute data for risk scores?

Workspace ONE UEM integrates with Workspace ONE Intelligence for risk scoring to get data for devices managed in your Workspace ONE deployment. It uses the user’s enrollment account stored in Workspace ONE UEM to recognize the user’s activity on managed devices.

How often are scores calculated?

Risk scoring runs daily and provides an actionable metric to identify and potentially isolate users who have poor security behaviors and who introduce risk to the organization.

Risk scoring is similar to consumer credit scoring. The credit scoring system does not check a user’s credit card account to see what the balance is as of today. Risk scoring works asynchronously and doesn’t necessarily know the current state of devices. It runs once a day and analyzes the data reported about the device up to the moment the scoring process is run. Scoring models use historical data (for example, the past 14 days) to determine the risk of the user’s behaviors.

What are login risk scores?

Workspace ONE Intelligence login risk scores are part of the risk analytics feature in Workspace ONE Intelligence, but they are currently not reliant on the same requirements as other risk scores. The system creates and displays these scores from Workspace ONE Access data, where they are available to use out of the box in access policies. These scores ingest information from a user’s login location and can report if the user is showing anomalous, risky behavior. The model learns users’ login patterns. If long-term changes in behavior occur, such as an employee moving to another city, the model adjusts itself to deem logins from the new city as the new normal.

What is a login risk score?

Intelligence assigns a risk score to each login request as Low, Medium, or High, like other risk scores. This score is driven by machine learning models that take into account historical login requests and user location to decide if an attempt is malicious or safe. This score is updated in real time, which means you always have the latest login data included for each user. For the first month of login activity there is a grace period for each user to give them time to establish their normal login pattern. While the system establishes their login pattern, it returns a Low login risk score during the grace period.

Where can I use login risk scores?

Use login risk scores in Workspace ONE Access access policies and also in Workspace ONE Intelligence, if you have integrated the two systems. They are available for use in Workflows, Dashboards, and Widgets.
