Use the User Risk dashboard to view the data collected for risk scoring and to identify risk by score. This risk analytics feature tracks user and device actions and behaviors and then calculates the potential risk. It shows this potential risk as risk levels with other metadata so you can quickly gauge the vulnerability of your Workspace ONE UEM deployment.
Risk scoring in Workspace ONE Intelligence is a risk analytics feature that tracks user and device actions and behaviors. It displays scores as levels to speed up trust decisions. Certain levels imply that you can trust a user or device, and others suggest immediate mitigation. Risk scoring begins with a baseline, or "normal", level of risk. As a user or device deviates from normal behavior, the score labels those deviations as High, Medium, and Low.
You can respond with various actions based on the score and your organization's security policies. For example, an organization with permissive security policies might warn users for high risk scores. However, another organization with restrictive security policies might deny privileges for medium risk scores. Other ways organizations can act with risk scores include the following list.
The risk score changes depending on the behaviors the system identifies for a device or user. These behaviors are also known as risk indicators. Positive behaviors lower the score, indicating a more trustworthy user or device. Negative behaviors increase the score, indicating a less trustworthy one. The system recognizes and aggregates several risk indicators to compute risk score deviations.
| Risk Indicator | Description | Why It Is Risky |
|---|---|---|
| Anomalous Alert Activity | A device that produces an unusual number, type, or severity of security alerts. | An unusual number, type, or severity of threat alerts is an indication of a potentially compromised device. |
| App Collector | A person who installs an unusually large number of apps. | Any app can include known or unpatched vulnerabilities and these vulnerabilities can become attack vectors. The surface area for cyber-attacks increases with the number of apps on the device. |
| Compulsive App Download | A person who installs an atypical number of apps in a short period of time. | Users frenetically installing unusual apps on their devices have a greater risk of being a victim of malicious activity. Some apps disguise themselves as useful, friendly, or entertaining, when in fact they want to harm the user. Marketplace approaches to filtering unsafe content (malware) vary from vendor to vendor. A careless user can get tracked, hacked, or conned. |
| Excessive Critical CVEs | A device with an excessive number of unpatched critical CVEs (Common Vulnerabilities and Exposures). | The greater the number of critical CVEs present on a device, the larger the device's attack surface. |
| Laggard Update | A person who sluggishly updates the device OS or who refuses to update at all. | Ignoring software updates can make a device vulnerable to attack and increases the risk of being compromised. |
| Persistent Critical CVEs | A device with one or many critical CVEs (Common Vulnerabilities and Exposures) remaining unpatched after the majority of eligible devices in the organization were patched. | The greater the number of critical CVEs present on a device, the larger the device's attack surface. |
| Rare App Collector | A person who installs an unusually large number of rare apps. | Unlike widely used apps, rare ones are of questionable provenance and have a greater chance of having malware or security vulnerabilities. |
| Risky Security Setting | A person who owns one or many devices and has explicitly disabled security protection features or has devices explicitly declared lost. | Disabling security measures on a device increases the risk of being compromised. |
| Unusual App Download | A person who has recently installed unusual apps. | Apps can disguise themselves as useful, friendly, or entertaining, when in fact they want to harm the user. Marketplace approaches to filtering unsafe content (malware) vary from vendor to vendor. A careless user can get tracked, hacked, or conned. |
Risk scoring works on Android, iOS, macOS, and Windows 10 platforms. It also works on devices categorized as corporate-dedicated, corporate-shared, employee-owned (BYOD), and undefined.
| Device Platform | Anomalous Alert Activity | App Collector (Unmanaged and public apps) | Compulsive App Download (Unmanaged and public apps) | Excessive Critical CVEs | Laggard Update | Persistent Critical CVEs | Rare App Collector (Unmanaged and public apps) | Risky Setting | Unusual App Download (Unmanaged and public apps) |
|---|---|---|---|---|---|---|---|---|---|
| Mobile (iOS and Android) | ✕ | ✓ | ✓ | ✕ | ✓ | ✕ | ✓ | ✓ | ✓ |
| Desktop (Windows 10 and macOS) | ✓ | ✕^ | ✕^ | ✓ (Windows only) | ✓ | ✓ (Windows only) | ✕^ | ✓ | ✕^ |
^The feature does not collect app data.
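The platform table above means a low score can reflect missing telemetry as much as good behavior. The following added example (not VMware code; the function names and the sample inventory are constructed for illustration) encodes that table and lists, per user, the indicators that none of their enrolled platforms can report.

```python
# Added example: support matrix transcribed from the platform table on this page.
INDICATORS = [
    "Anomalous Alert Activity", "App Collector", "Compulsive App Download",
    "Excessive Critical CVEs", "Laggard Update", "Persistent Critical CVEs",
    "Rare App Collector", "Risky Setting", "Unusual App Download",
]
MOBILE = {"iOS", "Android"}
DESKTOP = {"Windows 10", "macOS"}
APP_BASED = {"App Collector", "Compulsive App Download",
             "Rare App Collector", "Unusual App Download"}
CVE_BASED = {"Excessive Critical CVEs", "Persistent Critical CVEs"}


def supported(platform, indicator):
    """True if the table marks this indicator as available on the platform."""
    if platform in MOBILE:
        return indicator not in CVE_BASED and indicator != "Anomalous Alert Activity"
    if platform in DESKTOP:
        if indicator in APP_BASED:
            return False  # footnote: app data is not collected on desktops
        if indicator in CVE_BASED:
            return platform == "Windows 10"  # "Windows only" in the table
        return True
    raise ValueError(f"platform not covered by risk scoring: {platform!r}")


def coverage_report(fleet):
    """Map each user to the indicators none of their platforms can report."""
    report = {}
    for user, platforms in fleet.items():
        seen = {i for i in INDICATORS for p in platforms if supported(p, i)}
        report[user] = [i for i in INDICATORS if i not in seen]
    return report


# Constructed sample inventory (hypothetical users -> enrolled platforms).
FLEET = {"alice": ["macOS"], "bob": ["iOS", "Windows 10"], "carol": ["Android"]}

if __name__ == "__main__":
    for user, missing in coverage_report(FLEET).items():
        total = len(INDICATORS)
        print(f"{user}: {total - len(missing)}/{total} indicators reportable;",
              "blind to:", ", ".join(missing) or "none")
```

For a user whose only device is a Mac, a Low level rests on three of the nine indicators.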
| Device Ownership Type | Anomalous Alert Activity | App Collector (Unmanaged and public apps) | Compulsive App Download (Unmanaged and public apps) | Excessive Critical CVEs | Laggard Update | Persistent Critical CVEs | Rare App Collector (Unmanaged and public apps) | Risky Setting | Unusual App Download (Unmanaged and public apps) |
|---|---|---|---|---|---|---|---|---|---|
| Corporate-Dedicated, Corporate-Shared, Undefined | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
^Although the default Workspace ONE UEM privacy settings prevent the collection of app data on BYOD devices, admins can change the privacy settings so that Workspace ONE Intelligence can collect app data. Check your organization's privacy strategy before changing privacy configurations in Workspace ONE UEM.
To use risk analytics, integrate the following systems and follow the listed restrictions.
Workspace ONE Intelligence reports risk scores and other risk data in different dashboards.
Risk scoring has modules you can add to My Dashboard or to your custom dashboards. Use the category Workspace ONE UEM > Device Risk Score or User Risk Score to access the modules.
You can also view pre-configured modules.
Act with automations in Workspace ONE Intelligence.
Risk Score Equals High by default, but you can customize this section.
Workspace ONE UEM integrates with Workspace ONE Intelligence for risk scoring to get data for devices managed in your Workspace ONE deployment. It uses the user's enrollment account stored in Workspace ONE UEM to recognize the user's activity on managed devices.
Risk scores run daily and provide an actionable metric to identify and potentially isolate users who have poor security behaviors and who introduce risk to the organization.
Risk scoring is similar to consumer credit scoring. The credit scoring system does not check a user's credit card account to see what the balance is as of today. Risk scoring works asynchronously and doesn't necessarily know the current state of devices. It runs once a day and analyzes the data reported about the device up to the moment the scoring process is run. Scoring models use historical data (for example, the past 14 days) to determine the risk of the user's behaviors.