July 17, 2024

Securing your Endpoints with Workspace ONE Intelligence Risk Scoring

Workspace ONE Intelligence provides robust risk scoring to enhance security by evaluating user and device behaviors. It dynamically assesses risk levels, offering insights through an intuitive dashboard and facilitating proactive threat mitigation.

Mobile devices are increasingly targeted by cyber threats, presenting major security challenges for organizations. Because some devices frequently access sensitive corporate data, they become prime targets for malware, phishing, and unauthorized access. To mitigate these risks, Workspace ONE Intelligence Risk Analytics can be crucial for businesses. This tool enables organizations to monitor user and device risk scores, offering real-time insights and automated responses to enhance data protection.

Risk scoring is one of the valuable components of risk analytics. It uses machine learning to dynamically evaluate risk scores in response to evolving threat landscapes, user behaviors, and device status. Several factors can influence risk scores. For example, if a user installs multiple unusual applications on a device within a short period, it may introduce unsafe content, such as malware, resulting in a higher risk score that marks the device as less trustworthy. Conversely, a user who consistently keeps the managed iPhone updated with the latest iOS version demonstrates positive behavior, leading to a lower risk score that marks the device as more trustworthy. This Risk Scoring document outlines the requirements for calculating risk scores and provides a comprehensive list of risk indicators that influence these scores.

Risk Analytics Dashboards

Workspace ONE Intelligence has several built-in dashboards that display device risk data, user risk data, and login risk data.

Device Risk 

As the name suggests, device risk scores indicate the security posture of devices that are managed by Workspace ONE. Specifically, risk scores can be determined by various factors, including whether the device's operating system is up-to-date, if device encryption has been disabled, or if any unusual applications have been installed. For details, review this Risk Scoring document.

To view the device risk data in Intelligence, navigate to the Intelligence console, then Workspace > Workspace Security > Security Risk. As shown in the screenshot below, this dashboard shows the historical distribution of device risk indicators.

Figure 1: Built-in security risk data

Besides the built-in dashboard, there are other templates related to risk scoring that are available under Marketplace. For instance, to create a dashboard that shows the risk indicators for each platform, you can search “risk” under Marketplace > Templates > Dashboards. After clicking on one of the templates, you can preview the dashboard, and then add it to your workspace if needed.

Figure 2: Dashboard templates that are related to risk scoring

Figure 3: Risk indicators (only for iOS) dashboard created from the marketplace template

By clicking the view button under each widget of the Risk indicators dashboard (screenshot above), you can view the detailed explanation. For example, the view button below the widget of Apple Devices with Medium and High Risk Scores can direct you to another widget that also lists the devices with the status of risk indicator(s).

Figure 4: Widget that filters out iOS devices with high-risk scores

You can also click the report button right below the widget name (see Figure 4) to automatically generate a report on iOS devices with medium and high-risk scores.

Figure 5: Easy report on devices with medium and high-risk scores

Besides the templates of risk indicators under the dashboard, other risk scoring-related templates are also available under the marketplace of widgets, reports, and workflows for administrators to explore. 

User Risk

By aggregating the individual device risk scores associated with the same user, Intelligence utilizes historical data and machine learning to assign a comprehensive user risk score to the user. A user’s risk score can be calculated using several risk indicators, such as whether the user's title grants access to more sensitive data and if the user has registered multiple devices, some of which may be more vulnerable to security threats.

Workspace ONE Access can use User Risk as a secondary authentication method. However, Login Risk score authentication may have its own benefits for businesses to consider when it comes to risk score-based authentication. We will explain it later in the Login Risk section below.

Similarly, you can view the built-in dashboard of user risk under Workspace > Workspace Security > User Risk.

Figure 6: Built-in dashboard of user risk data

Login Risk

Workspace ONE Intelligence login risk scores are specifically designed for the conditional access policies of Workspace ONE Access. This Omnissa document shows the steps to set up login risk score authentication and policy. Unlike user and device risk scores, login risk scores evaluate the risk level at the moment a user attempts to access an application via Workspace ONE Access. The objective of login risk scoring is to identify malicious and abnormal actors attempting to infiltrate enterprise systems. The system maintains a model of the “norm” for each user based on the typical location, app, and device information. When a user attempts to log in to a resource, it dynamically calculates the risk based on this comprehensive data.

Once the system has the baseline of normal behaviors, it can provide real-time risk scores that can help Access detect if an attempt is malicious or safe. For instance, if the system has observed a user accessing a corporate app via the Safari browser from Dallas for the past two years, this would likely be considered low risk if the app authentication comes from the same combination. However, if the user suddenly uses a different device but from the same IP address, the system may flag it as medium risk. Finally, if the user attempts to log in with a different device and browser from a foreign country, it would be marked as high risk.

Note that Intelligence has a 14-day learning period to understand the normal behaviors of users accessing corporate applications. During this initial phase, the risk level is set to medium risk by default, and user profiles begin to be established. After that, users will get assigned the risk level based on their login behavior.
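The baseline-and-deviation idea described above, as a simplified added example; it is not Omnissa's model or code. The attribute names, the sample events and the rule that an unfamiliar country plus one other unfamiliar attribute is high risk are assumptions for illustration; only the 14-day learning period and its medium default come from the article.

```python
from datetime import datetime, timedelta

LEARNING_PERIOD = timedelta(days=14)      # learning window stated in the article
ATTRS = ("device", "browser", "country")  # assumed stand-ins for device/app/location signals

def build_baseline(history):
    """Per user: first-seen time and the set of values seen for each attribute."""
    baseline = {}
    for ev in history:
        prof = baseline.setdefault(
            ev["user"], {"first_seen": ev["time"], **{a: set() for a in ATTRS}})
        prof["first_seen"] = min(prof["first_seen"], ev["time"])
        for a in ATTRS:
            prof[a].add(ev[a])
    return baseline

def login_risk(baseline, attempt):
    """Return 'low', 'medium' or 'high' for one login attempt."""
    prof = baseline.get(attempt["user"])
    # No profile yet, or still inside the learning period: medium by default.
    if prof is None or attempt["time"] - prof["first_seen"] < LEARNING_PERIOD:
        return "medium"
    unseen = [a for a in ATTRS if attempt[a] not in prof[a]]
    if not unseen:
        return "low"
    # Assumed rule: an unfamiliar country plus another unfamiliar attribute is high.
    if "country" in unseen and len(unseen) >= 2:
        return "high"
    return "medium"

def event(user, day, device, browser, country):
    """Build one constructed login event, `day` days after 2024-01-01."""
    return {"user": user, "time": datetime(2024, 1, 1) + timedelta(days=day),
            "device": device, "browser": browser, "country": country}

# Constructed sample history: alice has a long baseline, bob first appears on day 58.
HISTORY = [event("alice", d, "iphone-1", "Safari", "US") for d in range(0, 60, 5)]
HISTORY.append(event("bob", 58, "pixel-7", "Chrome", "US"))
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for att in (event("alice", 61, "iphone-1", "Safari", "US"),
                event("alice", 61, "ipad-9", "Safari", "US"),
                event("alice", 61, "win-pc", "Edge", "DE"),
                event("bob", 61, "pixel-7", "Chrome", "US")):
        print(att["user"], att["device"], att["country"], "->", login_risk(BASELINE, att))
```
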

To view the login risk data in Intelligence, navigate to Workspace > Workspace Security > Login Risk.

Figure 7: Built-in dashboard of login risk data

Workspace ONE Intelligence Freestyle Orchestrator Workflow

Dashboards are a great tool to monitor potential risks of users, devices, and logins with comprehensive data. Risk scores can also be used in Workspace ONE Intelligence Freestyle Orchestrator Workflows to mitigate possible issues by taking actions. 

There are different ways to create a freestyle workflow that uses risk score data:

  1. Manually create a freestyle workflow by clicking Workspace > Freestyle > Add workflow and selecting Device Risk Score.
  2. If there is any existing widget on risk scores, you can click the automate button to start creating a freestyle workflow as well.

Here is an example of a Freestyle Orchestrator workflow for devices with a high-risk score:

If the iOS device’s risk score is high and the risk indicator is a laggard update, you can schedule an iOS update and send out a short message with an explanation. 

Note: This iOS update action only works for DEP/supervised iOS devices.

Figure 8: A Freestyle Orchestrator workflow for iOS devices with outdated OS

On top of that, you can also use a freestyle workflow to automatically tag the device with “At risk” if the risk score is high. Then all the critical apps (Boxer, Content, etc.) or profiles (VPN connection, CA certificate, etc.) can be excluded from the smart group with “At risk” tagged devices. This measure can be used to proactively prevent the compromise of sensitive corporate data by mitigating potential risks associated with users or devices. Once the risk score returns to low or medium from high, another freestyle workflow can automatically remove the “At risk” tag from the device. Then, the critical apps and profiles can come down to the device again.

By using the Intelligence integration with ServiceNow, Slack, Mobile Threat Defense, and other third-party IT tools, you can explore more options for devices with risk issues.

Summary

Workspace ONE Intelligence provides robust risk scoring to enhance security by evaluating user and device behaviors. It dynamically assesses risk levels, offering insights through an intuitive dashboard and facilitating proactive threat mitigation. This comprehensive approach minimizes integration efforts while maximizing security benefits. Omnissa is continuously improving and enhancing the product, including its risk-scoring capabilities, to meet evolving security needs.
