VMware Carbon Black Workload User Guide for AWS Administrators
VMware Carbon Black Workload Overview
VMware Carbon Black Workload provides advanced security for native workloads hosted on AWS (EC2 instances). The VMware Carbon Black Workload vulnerability solution provides information on vulnerabilities that is available in Carbon Black Cloud Management Console.
Workload protection is offered in different packages to suit your organization’s needs. Prevention and threat hunting capabilities could be extended beyond AWS workloads to your endpoints (desktops, laptops, servers, VMs, etc.).
This document provides the AWS Administrator with a foundational body of knowledge concerning Carbon Black and how it is utilized in the overall Carbon Black Workload architecture, as well as instructions for onboarding AWS accounts in read-only format to enable security.
Section 1: Introduction to Cloud Workload Protection
VMware Carbon Black Workload provides vulnerability assessment and inventory management for native workloads hosted on AWS. The VMware AWS Support for Carbon Black Workload vulnerability solution provides information on vulnerabilities in Carbon Black Cloud Management Console. The solution combines AWS workloads and VMware Carbon Black Cloud in a purpose-built, operationally simple solution with minimal overhead and performance impact.
Carbon Black Workload is the workload protection platform for enterprise cloud, virtualization, and security teams that delivers the most secure virtual infrastructure, while also providing the same visibility and capabilities within the public cloud as well.
This solution helps to reduce the attack surface by giving Infrastructure, DevOps, and Security teams visibility into the operating system and application vulnerabilities right from within the Carbon Black Cloud Management Console.
Cloud Workload Protection Architecture
With the addition of AWS Support for Carbon Black Workload, the workload architecture is now expanded to include native AWS EC2 Instances in addition to on premise workloads associated with an enterprise vSphere infrastructure. A Carbon Black plug-in within vCenter allows for a shared truth on vulnerabilities and risk for those workloads residing in vSphere infrastructure as well providing visibility to team members more focused on security through the Carbon Black Cloud Management Console. Through this unique approach, we can eliminate the trade-off between security and operational simplicity by providing a single source of truth for Infrastructure and Security teams to accelerate response to critical vulnerabilities and attacks, while enabling collaboration and reducing friction. The Carbon Black Workload Plug-in provides deep visibility into your data center inventory and end-to-end life-cycle management for the components.
VMware Carbon Black Workload contains three Carbon Black Cloud components:
· Carbon Black Workload Plug-in in vCenter (only utilized in vSphere infrastructures)
· Carbon Black Management Console
· AWS Support for Carbon Black Workload
For further information on the solution architecture reference the following resource: https://carbonblack.vmware.com/resource/carbon-black-cloud-workload-protection-architecture
Section 2: What is Carbon Black Cloud?
The Carbon Black Cloud is a cloud-native endpoint and workload protection platform that provides what teams need to secure endpoints all using a single lightweight sensor and an easy-to-use console. Customers can utilize the real-time behavioral analytics at the core of the platform. Leveraging the power of the cloud, it analyzes more than 500B events per day across millions of global endpoints, helping teams stay ahead of emerging attacks and react with maximum efficiency when they do occur.
The VMware Carbon Black Cloud is a security solution suite comprised of the following products that may be used together or alone utilizing a single lightweight sensor and the easy-to-use cloud-based console:
- Endpoint Standard: Next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution. Carbon Black Endpoint Standard provides multiple layers of prevention to prevent/detect a variety of attacks such as known malware, non-malware, and fileless attacks.
- Enterprise EDR: Enables advanced threat-hunting with out-of-the-box watchlists curated by Carbon Black and third parties like MITRE as well as the capabilities for creating and tracking customized indicators of compromise (IOCs)
- Audit & Remediation: Allows admins to gather current-state information across software, hardware, and network variables, at scale across your environment leveraging osquery schema.
- Workload: Allows admins to reduce the attack surface and protect critical assets with advanced security purpose-built for workloads. Increase visibility across your environment and simplify operations for IT and security.
Section 3: Walkthrough of the Carbon Black Cloud
The following section details the basics of accessing and using the Carbon Black Cloud. For more a more in-depth walkthrough of the CBC please see the “Endpoint Standard Hands-On Lab” located here: https://labs.hol.vmware.com/HOL/catalogs/lab/10096
AWS Account Overview
Onboard an AWS account in Carbon Black Cloud
The first step in the AWS account onboarding is to create a trust relationship between customer's AWS account and Carbon Black AWS Account. To establish the trust relationship, an IAM role needs to be created in the customer’s AWS account with the “SecurityAudit” permission. The “SecurityAudit” permission is a well-known access policy built-in to AWS policies, this gives read-only permissions to the resources. The trust relationship allows read only communication between the Carbon Black AWS account and customer AWS account.
Steps to create IAM Role
1. Login to the AWS console. It will open the AWS home page.
2. Search for Roles and click on the “Roles” link listed under the Features section.
3. The screen will list all existing Roles. Click on the “Create role” button in the right top corner.
4. Select “Custom trust policy”
5. Update the “Custom trust policy”
a. Update the Principal section based on Carbon Black Console region
b. Choose appropriate external-id (any string)
c. For the US region with external id “cb-trust-1”, below is the “Custom trust policy” JSON value. (Substitute AWS ARN as per region from above table.)
"AWS": " arn:aws:iam::132308400445:role/mcs-psc-prod-cwp-pc-aws-collector-us-east-1-pod"
6. Click on the next button in the right bottom corner.
7. Type the “SecurityAudit” in the “Permissions policies” search box and hit enter.
8. Select the checkbox against the “SecurityAudit” policy name row and click on the “Next” button.'
9. Enter Role name and role description.
10. Click on Create Role.
11. Once the role is created, it will show a success message on the top left corner. Newly created Roles can be searched using the search box. Click the Role Name to open.
12. Newly created Role will be shown on the screen. Note down the IAM Role ARN and external ID from the summary section.
Onboard Customer AWS account on Carbon Black Cloud Management Console
Onboard Customer AWS account on Carbon Black Cloud Management Console
1. Login to Carbon Black Cloud Management Console
2. Navigate to Settings -> AWS Accounts
3. Click on the “Add Account” button
4. Fill the account details and click the “Done” button
a. Account Name: - It can be any valid string
b. Account ID: - Customer AWS account ID
c. Account Owner: - Account Owner Name (Any String)
d. Account email Id: - Valid email id of account owner.
e. IAM Role ARN: - This is IAM Role ARN value. It is copied from the previous section, step 12.
f. External ID: - It is copied from the previous section, step 5.c
5. Once an account is successfully onboarded it is shown on the AWS accounts screen with Status "Active".
Setting Up API Access
Setting up API Access
You can use the Carbon Black Open API platform to integrate with a variety of security products, including SIEMs, ticket tracking systems, and your own custom scripts.
To find integration partners, see https://www.vmware.com/products/vmware-marketplace.html and visit the Carbon Black Developer Network at https://developer.carbonblack.com/.
API Key Overview
You add and manage services integrations into your environment by setting their access level through creating and managing your API keys.
When creating your API Keys, you must understand the following limitations and implications.
- API keys of type “Custom” are required for the majority of API calls. Other key types are legacy and being phased out. This key type is required for the Splunk App and other integrations released in the future. To limit access, create an Access Level with only the permissions required.
- SIEM type API keys can only receive notifications through the Notifications API. Use a SIEM API key to configure the Syslog connector. New integrations should use one of the following to receive all available data:
o Data Forwarders: to stream alerts or events to your own S3 bucket, where you can control retention.
o Alerts v6 API: to search up to 180 days of historical alert data
- Keys of type API are required for Policy and Audit Log APIs
- Treat the API ID and the API Secret keys on the API Access page the same as your Carbon Black Cloud console login password.
Prerequisites for Carbon Black Workload Access
Prerequisites for Carbon Black Workload Access
Carbon Black Workload uses Custom access permissions for the API. You must create a Custom access level.
1. Log in to the Carbon Black Cloud console and navigate to the Settings > API Access page.
2. Your API Key requires a custom access level. You must create that access level.
1. Click Settings > API Access on the left navigation pane.
2. Go to the Access Levels tab and click Add Access Level.
3. Enter a name and description for your access level.
4. Select the boxes of the correct permission functions to include in your Custom access level for the customer's AWS account.
5. To apply the changes, select Save.
You can view the newly created access level listed in the Access Levels tab.
For a detailed guide, see the Authentication section of the Developer Network.
3. Go to the API Keys tab and Click Add API Key.
(a) Give the API key a unique name and description.
(b) Select the Custom access level just created.
(c) You can restrict the use of an API key to a specific set of IP addresses for security reasons.
Note Authorized IP addresses are not available with Custom keys.
4. To apply the changes, click Save.
- A pop-up displays the new API credentials. They include API ID and API Security Key:
- API ID: F3HLZ13ZS3
- API Security Key: FGD7T51232HQ37GN3VE8UZYF
What to do next
To update the name, description, or the IP addresses for a specific API key,
click the Edit button in the Actions column.
To view the credentials for a specific API key,
click the Actions drop-down menu and select API credentials.
To generate new credentials,
click the Actions drop-down menu, select API credentials, and click Generate new API Secret Key.
Note You must re-enter the API secret key in the integration to take effect.
To see all notifications sent to the API key within a timeframe,
click the Actions drop-down menu and then select the timeframe.
To confirm the removal of the API key,
click the Actions drop-down menu and select Delete.
Event Stream Monitoring
You can enable event stream monitoring for every AWS account you add into the Carbon Black Cloud console by running a script in the AWS CLI. The script helps you create AWS resources which ease the ingestion of AWS events into the inventory.
Before you run the script, make sure you have the AWS CloudTrail enabled on the customer's AWS account. It monitors and records your customer's account activity, API use, and displays these events in the AWS CloudTrail console. For more details, see AWS CloudTrail.
Then, ensure that your current role has write access to CloudFormation, EventBridge, Secrets, and IAM roles. Finally, while in the AWS Management Console, export your access key and secret access key by navigating to the IAM console > My Security Credentials > Access keys section, and select Download Key File. For more information, see Managing access keys for IAM users.
The script, you set up for each AWS region, streams events on management changes from your AWS account into the Carbon Black Cloud Management console. The setup script is a Bash/PowerShell script that uses a CloudFormation template describing the intended state of all the resources you must deploy in that AWS region. The template, provided by VMware, and run by you in the AWS CLI, creates the AWS CloudFormation stack with EventBridge rules, and a secret to store API key, an API destination, and an IAM role used by the API destination. The stack implements and manages the outlined resources in the template as a single unit. For example, you can delete a collection of resources by deleting the stack. For more details, see Working with stacks.
The Amazon EventBridge reacts to a change in your environment only when you set a rule to match a specific incoming event. Once you create the rule, it sends the matched incoming event to multiple targets for processing. Rules in EventBridge only work in the Region where they are created. For more details, see Amazon EventBridge rules.
To locate the Event Stream template field, go to the Carbon Black Cloud console and navigate to the Settings > AWS Accounts > Add AWS Account window.
The CloudFormation template uses your input for every region. Based on the following input in the Event Stream text box, if the CloudFormation stack does not exist, the template creates the stack with EventBridge rule, event source configuration, and destination configuration.
The onboarding environment you specify in the Environment drop-down menu automatically populates the <ScriptURL> in the Event Stream text box.
Possible values per environment
- The AWS account ID you enter in the Account ID text box automatically populates in the Event Stream text box.
- All regions you specify in the Regions drop-down menu automatically populate in the Event Stream text box.
- The provisioned API key. For more details, see Create and Manage an API Key.
- The Org Key. Locate it by navigating to the Settings > API Access > API Keys tab.
To set up the event stream for the selected regions and on the customer's AWS account, copy the command from the Event Stream text box, and run the command as an AWS admin with AWS CLI access to that account.
curl <ScriptURL> --output setup-cbc-event-stream.sh && bash setup-cbc-event-stream.sh --CBInventoryApiHost <value> --CBInventoryOrgKey <value> --CBInventoryApiKey <value> --region <value>
Accessing the Carbon Black Cloud
The Carbon Black Cloud Management Console is web-based with one lightweight sensor deployed to endpoints. The single sensor allows for consolidation across AV, EDR, vulnerability, and security auditing technologies. No stand-up or maintenance of on-premises servers is required – offloading work from infrastructure and security teams.
The console is accessed through a supported web browser:
- Windows: Chrome, Edge, Firefox
- MacOS: Chrome, Firefox, Safari
Login to Carbon Black Cloud:
- URL: https://defense-prod05.conferdeploy.net/
- User: (listed in text file Carbon_Black_Cloud_Malware_Credentials.txt on the Carbon Black Malware desktop)
- Password: (listed in text file Carbon_Black_Cloud_Malware_Credentials.txt on the Carbon Black Malware desktop)
On login you will land on the CBC Dashboard. The main navigation menu is located on the left-hand side of the web console.
: Carbon Black Cloud Dashboard | The dashboard gives a high-level overview of your environment with interactive widgets.
The Alerts page displays events of known threats or potential risks to your environment. To navigate to the Alerts page, select Alerts from the left-hand menu.
Regularly review alerts to determine whether action needs to be taken or policies need to be modified. Alert notifications can be setup to email designated administrators when an alert occurs. Alerts can also be forward to a SIEM with the Carbon Black open API (https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/).
An alert will show:
- Status – Run status and policy status
- Run Status: process ran/did not run
- Policy status: policy applied/no policy applied
- First Seen – What time the events of alerts first occurred
- Reason – High level overview of the reason the alert occurred
- S(everity) – Numerical score from 1 to 10, 1 being lowest severity and 10 being highest
- T(arget Value) – Acts as a multiplier for the severity score; target value can be assigned per policy group
- Device – Device that was alerted upon
Alert severity indicates the relative importance of an alert and acts as a prioritization assistant (one being lowest severity and ten being highest, mission critical). The following describe the ranges of severity:
- Severity 1-2: Activities such as port scans, malware drops, changes to system configuration files, persistence, etc.
- Severity 3-5: Activities such as malware running, generic virus-like behavior, monitoring user input, potential memory scraping, password theft, etc.
- Severity 6-10: Activities such as reverse command shells, process hollowing, ransomware, destructive malware, hidden processes and tool sets, applications that talk on the network but should not, etc.
- Filters are available on the left-hand. This can be used to filter into alerts of interest by device, severity, etc.
To view additional information about an alert, click the chevron to expand. The Alert Details show additional information about the processes, behaviors (or TTP’s – Tactics, Techniques, and Procedures), recommended steps for remediation, and notes/tags.
Figure 2: CBC Alerts – Alert Details | Alert Details show additional information for further investigation into malicious/suspicious events
The Techniques section in Alert Details shows what behaviors, or TTPs (tactics, techniques, and procedures), were exhibited by the specified process. TTP’s are color coded, with red being a higher severity. TTP’s can be clicked into to view further information about the TTP and what it means. Carbon Black also correlates MITRE techniques to TTPs which are also displayed. Clicking a MITRE technique will take you directly to the MITRE page correlating to that technique.
An alert visualization is generated for all alerts that occur. The visualization provides an easy to understand and digest view of what occurred during the attack sequence. To view an alert visualization, called the Alert Triage, click the tree icon) in the upper right of alert details.
Figure 3: CBC Alerts | Quickly pivot to the Alert Triage (tree icon), investigate, or additional actions with linked buttons
The Alert Triage displays a tree containing events associated with the alert. A node represents an individual process or event. You can click a node to view additional process details on the right including reputation, TTPs (behaviors), command line used, and other information. The Alert Triage provides actionable information about the events that occurred during an alert: including where prevention was applied, source, and what the attacker may have been attempting.
Figure 4: CBC Alerts – Alert Triage| Alert Triage shows alert in visual format; each node can be selected for more details on right
The alert can be viewed in a log level format as well for richer, process level behavioral information such as: command line, parent command line, if the device was on or off-premises at the time of the event, etc. These logs can be viewed in the Enriched Events section, which you can find by scrolling down to the bottom of the Alert Triage page.
Figure 5: CBC Alerts – Enriched Events | Click the chevron next to an enriched event to view additional details
The CBC next-gen AV and EDR solution offers flexible Policies. Policies determine preventative rules as well as sensor functionality. Carbon Black gives administrators control and visibility into how prevention works in your environment.
Each endpoint with a sensor installed will belong to a single policy. A policy defines how the sensor should behave on the endpoint, blocking/preventative rules, exclusions and allowances, and other configurations.
The Standard policy group comes OOTB (alongside the Monitored and Advanced policies) and is meant to function as a day-one, production viable policy that gives additional preventative layers beyond a traditional AV.
To view information about Policies and the Standard Policy Rules, navigate using the main left-hand menu to Enforce -> Policies. On the ‘Prevention’ tab you can see rules associated with the selected policy group.
Figure 6: CBC Policies- Prevention Rules | Carbon Black offers OOTB production viable policies for day-one use while giving admins visibility and customizability into prevention/allowances
Review the rules within the Standard policy including rules for:
- Process: Known Malware
- Process (At Path): Excel, Invokes a command interpreter
- Process: Not Listed, Performs ransomware-like behavior
Audit and Remediation Walkthrough
To gather stateful information which is correlated to vulnerabilities another part of the Carbon Black Solution suite is leveraged called Audit and Remediation. Audit and Remediation allows administrators to ask questions on the environment across hardware, software, and network variables at scale. Workload customers have access to the full Audit and Remediation solution beyond its use in vulnerability assessment. This portion of the experience will walk through using Audit and Remediation.
Using the Carbon Black Cloud Management Console.
1. On the left-hand navigation menu click Live Query to expand the menu
2. Click New Query menu option
Numerous queries are pre-built and come OOTB with Audit and Remediation - called recommended queries. Pre-built queries full under IT Hygiene, Vulnerability Management, Threat Hunting, and Compliance use cases. Recommended queries can be filtered by selecting a use case, filtering by applicable OS, or searching for keyword(s).
Queries can be run on a one-off basis or scheduled to run automatically (daily, weekly, monthly, etc.). Query results can be viewed in the console or exported.
3. Click Vulnerability Management to review queries falling under this use case
If you are an existing Carbon Black Cloud customer using the next-generation AV, EDR, container security, or other solution the Workload solution lives in the same cloud-based console. CWP vulnerability information lives in the Vulnerabilities tab.
1. On the left side navigation menu, click "Harden" to expose menu options
2. Click "Vulnerabilities" to view vulnerability information
Carbon Black Workload gives teams a shared truth of risk, minimizing friction between teams such as infrastructure and security. Teams have the same visibility and understanding of vulnerabilities whether they are viewing information in the Carbon Black Cloud or within the vCenter plug-in.
The Vulnerabilities page displays vulnerabilities present in your workload environment.
An overview of vulnerabilities is shown at the top of the page - including filters based on vulnerability severity. Severity scoring allows for administrators to understand and mitigate risks in a prioritized, realistic method. Higher severity scores indicate that the vulnerability should be prioritized. There are four severity categories…
- Low: Score from 0.0 – 3.9
- Moderate: Score from 4.0 – 6.9
- Important: Score from 7.0 – 8.9
- Critical: Score from 9.0 – 10.0
As a Security administrator, you want to have visibility of known vulnerabilities in your environment to understand your security posture and schedule maintenance windows for patching and remediation. With the help of vulnerability assessment, you can proactively minimize the risk in your environment.
Vulnerabilities can be viewed in Asset View or Vulnerability View:
- Asset View displays workloads covered by CWP and allows you to look at all vulnerabilities affecting the workload of interest.
- Vulnerability View displays all vulnerabilities based on type (Windows OS, Windows App, etc.).
Carbon Black investigates vulnerabilities related to:
- Operating System (OS) of the virtual machine.
o Windows OS: Displays OS-level vulnerabilities for Windows VMs. The system looks for OS details and the security patches applied on each VM. When the security patch associated with the vulnerability is not applied, the VM is flagged as vulnerable.
o Linux OS: Displays OS-level vulnerabilities for Linux VMs. The system looks for OS details with the list of all installed packages. The system determines the vulnerable packages installed on the VM and reports the CVEs against those packages.
- Applications are installed on the virtual machine.
o Windows Apps: Displays application-level vulnerabilities for the Windows VMs.
o Linux Apps: Displays application-level vulnerabilities for the Linux VMs.
How Carbon Black Measures Risk
Carbon Black Cloud partners with Kenna Security to leverage the largest database of vulnerability, exploit, and event threat data in the industry. This data is distilled into three main measures of risk:
- Active Internet Breach: Presence of near-real-time exploitation.
- Malware Exploitable: Availability of an exploit module in a weaponized exploit kit.
- Easily Exploitable: Availability of a recorded exploit.
There are metrics defined for Common Vulnerability Scoring System (CVSS). A few of the metrics are about the attack method itself, whereas the others depend on how the application assesses impact - the direct consequence of a successful exploit. To learn more about CVSS, visit https://www.first.org/cvss/specification-document.
Every vulnerability is assigned a risk score of between 0.0 (no risk) and 10.0 (maximum risk). The risk score range and severity are defined as follows.
To learn more about how the risk is calculated, refer to the Kenna Security documentation available at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-whitepaper-understanding-the-kenna-security-vulnerability-risk-score.pdf.
For a more guided experience on using the Carbon Black Cloud for vulnerabilities see Module 4 of the CWP Hands-on Lab simulation: https://labs.hol.vmware.com/HOL/catalogs/lab/10212
Summary and Additional Resources
This user guide covers the VMware Carbon Black Workload solution using the Carbon Black Cloud console.
Carbon Black Endpoint Standard NGAV/EDR
- Product Page: https://www.carbonblack.com/products/vmware-carbon-black-cloud-endpoint/
- Endpoint Standard Hands-on Lab: https://labs.hol.vmware.com/HOL/catalogs/lab/10096
Carbon Black Workload Protection
- TechZone Mastering Carbon Black Workload: https://carbonblack.vmware.com/mastering-carbon-black-workload
- TechZone Installing Carbon Black Workload Appliance in Under 15 Minutes: https://via.vmw.com/tchz24b2b1d7no3036
- TechZone vSphere Admin Best Practice Guide for Carbon Black Cloud: https://via.vmw.com/tchz24b2b1d7no3082
- Workload Protection Hands-on Lab: https://labs.hol.vmware.com/HOL/catalogs/lab/10212
Carbon Black TestDrive Experiences
- Malware Lab (Endpoint Protection): https://kb.vmtestdrive.com/hc/en-us/articles/4404323100187-VMware-Carbon-Black-Cloud-Malware-Lab
- Container Security: https://kb.vmtestdrive.com/hc/en-us/articles/1260803985870-Securing-Modern-Applications-with-CBC-Container-Security
The following updates were made to this guide.
Description of Changes
About the Author and Contributors
Dale McKay is a technology evangelist and strategist with deep expertise in security, virtualization, and networking.
Dale McKay, Senior Technical Marketing Architect, Network and Advanced Security Business Group, VMware