Global pandemic drives the rise in Endpoint and Workload security

October 04, 2021

This is one of many articles in the Empowering Modern Security Operations Center (SOC) blog series. We will discuss ransomware along with emerging cybersecurity threats. We will discuss how to detect and prevent malware using VMware Carbon Black Cloud NGAV, Endpoint Detection and Response (EDR), and Audit & Remediation Vulnerability solution. 

In February 2019, when the global pandemic began, companies faced the unprecedented challenge of mobilizing their workforces to accommodate remote working immediately. The world became significantly more connected and consequently more vulnerable digitally. 

image 58

COVID-19 has forced cybersecurity professionals to change their priorities/activities and focus on ways to support remote work securely. Bring-your-own-device (BYOD) became the new norm which means now employees can connect to corporate servers and data using their personal computers or devices. Enabling employees to use their personal devices has significantly contributed to the increase of the attack surface and threat landscape and requires new methods of protection. Threat detection and response solutions must include advanced capabilities supported by next-generation technologies to combat the risks that surfaced after enabling remote work during the pandemic. 

In computer security, a vulnerability is a security flaw or weakness that allows an intruder to reduce a system’s information assurance. A vulnerability requires three elements: a system weakness, an intruder’s access to the weakness, and the intruder’s ability to exploit the weakness using a tool or technique. 

An endpoint can be a physical computer or a virtual machine that communicates with a corporate network to which it is connected to access corporate servers and data. For more than a decade, corporations have leveraged antivirus solutions to secure endpoints. However, those traditional solutions can no longer protect endpoints from modern and highly sophisticated attacks. 

As remote work is increasing, vulnerability management is becoming paramount to ensuring company assets are not being accessed by vulnerable endpoints.   

The lifecycle of endpoint vulnerability management used to be a split between the operating systems and applications installed on the operating system. Operating system examples are Windows, Linux, macOS, etc. and application examples are Microsoft Word, Google Chrome, Adobe PDF reader, etc. 

According to OWASP2 Vulnerability Management Guide (OVMG), there is a need for a unified platform to address operating system and applications vulnerabilities to provide a complete picture of the threat posed to an endpoint at any given time.   

Wide adoption of remote work and bring your own device, also known as endpoints, has increased. Ransomware is the top endpoint security threat. There is also a lack of visibility, and identity and access management issues. The FBI definition of ransomware is a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for renewed access. 

VMware Carbon Black Enterprise EDR is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers (SOCs) and incident response (IR) teams. VMware Carbon Black's efficacy strategy is based on the adversaries’ lifecycle. Take ransomware for example, in the case of ransomware the adversary often operates with a goal of dumping credentials and escalating privileges. 

Know your endpoints 

In a vulnerability management lifecycle, the important steps are: Discover, Prioritize Assets, Assess, Report, Remediate, Verify. 

VMware Carbon Black sensor queries the endpoint’s operating system such as Windows 7 or 10, server 2016 or 2019, and application vulnerabilities regardless of the device location. This gathered vulnerability information is reported to Carbon Black Cloud (CBC) for reporting and analysis. 

Carbon Black Cloud console is a unified platform to manage alerts, configure prevention policies and investigate alerts that need further analysis. It also provides a list of context-aware vulnerabilities that are present on your endpoints across the organization. 

image-20211004142222-1

Figure 1: Carbon Black Cloud Console | Vulnerabilities screen, view by endpoints 

In figure 1, the Carbon Black Cloud (CBC) Console view is set to show all endpoints. It provides complete visibility into the operating systems such as Windows 7 or 10, server 2016 or 2019, and installed applications vulnerability on each endpoint. This is a way to prioritize patching efforts for high-valued endpoints. 

image-20211004142222-2

Figure 2: Carbon Black Cloud Console | Vulnerabilities screen, view by vulnerabilities 

If you have limited manpower and need to address critical vulnerabilities first, VMware  Carbon Black Cloud (CBC) console allows you to view the vulnerabilities, sort, and filter by either endpoint, risk score, or vulnerability (CVE) to identify the key issues and export in a format you can tailor for change management approvals or IT operation reporting. 

In figure 2, the vulnerabilities view is set to sort by vulnerabilities, you can view the operating system and installed applications risk per vulnerability and the affected endpoints. When a new CVE is published, the CVSS score is a fixed number. A critical piece of the prioritization puzzle is the right context to understand the true level of risk that a vulnerability poses to an organization. Kenna Security’s Risk Score—a score you’ll be able to find within VMware Carbon Black Cloud—ingests and processes billions of data points from internal and external sources, including more than 18 threat and exploit intelligence feeds. Kenna then automates the analysis of this data leveraging proven data science techniques like predictive modeling and machine learning to deliver an accurate risk score for every vulnerability. 

Ransomware prevention by VMware Carbon Black Cloud (CBC) 

In the following screenshots, we will show using the VMware Carbon Black solution, how ransomware attacks can be stopped. 

The most common ransomware technique used by adversaries is a phishing email. The term “phishing” is a spin on the word fishing because criminals are dangling a fake “lure” (the legitimate-looking email, website, or ad) hoping users will “bite” by downloading or clicking on a link in the phishing email. 

image-20211004142237-3

Figure 3: Phishing email with a ransomware attachment 

If a user clicks on a phishing email accidentally. VMware Carbon Black Cloud prevention policies will block the attack to keep the endpoint safe based on configured policies in  Carbon Black Cloud (CBC) console.  

image-20211004142237-4

Figure 4: Notification about the blocked ransomware attack 

The user is notified by a pop-up (figure 4) that he has clicked on a ransomware file in a phishing email. The user is notified about the threat and action is automatically taken by  Carbon Black Cloud (CBC) to keep the endpoint secure, no further action is required from the user. A policy can be configured to disable this notification for end users. 

In the next blog, we will discuss alerts shown in the Carbon Black Cloud console when ransomware is prevented and how to leverage that data for threat hunting.  

Filter Tags

Empowering the Modern SOC VMware Carbon Black Cloud Endpoint Standard Audit and Remediation Enterprise EDR Blog Opinion

Victor Monga

Read More from the Author

Victor Monga works for VMware and specializes in cybersecurity, risk management, and threat modeling. Previously, Victor worked for a major Healthcare Provider. He streamlined the transformation of the data center from a monolithic architecture to microservices for high availability and defense-in-depth security. His experience in Healthcare, Aerospace, Department of Defense (DoD) has given him an in-depth understanding of specific industry needs. His hybrid profile allows VMware to provide tailored Achievable Innovative Security Programs to clients in an evolving threat landscape. He holds a Bachelor’s Degree in Computer Science and Business Administration. He stays abreast of the latest Security Trends and holds numerous industry certifications. Victor is engaged in the Cybersecurity Community and strives to share knowledge among them. He promotes programs for nonprofits or underprivileged groups. Cybersecurity is a passion and troubleshooting can be a prize for him.