VMware Carbon Black Cloud Workload Protection provides vulnerability assessment and inventory management for workloads hosted on vSphere. The VMware Carbon Black Cloud Workload Protection vulnerability solution provides shared information on vulnerabilities that is available in Carbon Black Cloud as well as in the native vCenter administration client.

Workload Protection is offered in different packages to suit your organization’s needs

Prevention and threathunting capabilities can be extended beyond vSphere workloads to your endpoints (desktops, laptops, servers, VMs, etc.).

In order to complete this product walkthrough please make sure you have the following:

To log in to the vSphere environment, perform the following steps.

1.1 Accessing Environment

First, open a web browser of your choice and navigate to portal.vmtestdrive.com. Select LOG IN. If you do not already have an account please reference the instructions found here.

Enter your TestDrive Username and Password and select ENTER.

Next, locate the Carbon Black product under the Intrinsic Security tab.

Click LAUNCH and LAUNCH VIA WORKSPACE ONE.

A new tab will open with Workspace ONE. Enter your TestDrive Username, then hit Next.

On the next screen, enter your TestDrive Password then hit Sign in.

Next, search for the Carbon Black Cloud desktop. Click to open into the desktop either via HTML access or Horizon Client access.

Now you'll be on the Carbon Black Cloud RDSH desktop. At this point, you can begin the walkthrough steps listed below.

VMware Carbon Black Cloud Workload Protection provides vulnerability assessment and inventory management for workloads hosted on vSphere. The VMware Carbon Black Cloud Workload Protection vulnerability solution provides shared information on vulnerabilities that is available in Carbon Black Cloud as well as in the native vCenter administration client. Workload protection capabilities are fully integrated into the world’s leading cloud management platform for complete data center visibility and protection. The solution combines vSphere and VMware Carbon Black Cloud in a purpose-built, operationally simple solution with minimal overhead and performance impact.

VMware Carbon Black Cloud Workload Protection solution is the only vSphere vCenter workload protection platform for enterprise virtualization and security teams that delivers the most secure virtual infrastructure, while also providing the same visibility and capabilities within the public cloud as well.

The Carbon Black Cloud Workload Protection solution reduces the attack surface by giving Infrastructure, DevOps, and Security teams visibility into the operating system and application vulnerabilities right from within the vCenter Management plane as well as within the Carbon Black Cloud Management Console.

2.1 CWP Architecture

A Carbon Black plug-in within vCenter allows for a shared truth on vulnerabilities and risk for those residing in vSphere/infrastructure as well as team members more focused on security or the Carbon Black Cloud console. Through this unique approach, we can eliminate the trade-off between security and operational simplicity by providing a single source of truth for Infrastructure and Security teams to accelerate response to critical vulnerabilities and attacks, while enabling collaboration and reducing friction. The Carbon Black Cloud Workload Plug-in provides deep visibility into your data center inventory and end-to-end life-cycle management for the components.

VMware Carbon Black Cloud Workload Protection contains two Carbon Black Cloud Workload Protection components that are integrated into vCenter:

For further information on the solution architecture reference the following resource: https://carbonblack.vmware.com/resource/carbon-black-cloud-workload-protection-architecture

2.2 Installation Walkthrough

For purposes of this lab experience, CWP is already installed and configured. For information on installing and configuring CWP in under 15 minutes see the following video:

For a guided lab on installing and configuring the CWP appliance see Module 2 of the CWP Hands-on Lab simulation: https://labs.hol.vmware.com/HOL/catalogs/lab/10212

The following section details the basics of accessing and using the Carbon Black Cloud Workload Plug-In in vSphere. The Carbon Black Cloud Workload Plug-in for vSphere integrates CB security capabilities directly in the vSphere Client.

3.1 Accessing the Carbon Black Cloud Workload Plug-in

On the desktop, launch on the shortcut named “vCenter Server”.

Log in with the following credentials:

Once logged in, to view the Carbon Black Cloud Workload Plug-in, click Menu at the top to expose menu options. Then select the Carbon Black icon in the drop-down menu. The plug-in can also be accessed on the left-hand side of the vSphere console.

Note: If you receive the error "Unable to fetch appliance details, please contact the administrator", hit the browser refresh button.

3.2 CWP Plug-in Navigation

On accessing the plug-in you will be brought to the Summary, or "Dashboard", tab. The Carbon Black Cloud Workload Plug-in Summary tab contains widgets on appliance health, inventory status, and critical vulnerabilities:

The Vulnerabilities page displays vulnerabilities present in your vSphere environment. Click "Vulnerabilities" to navigate the vulnerability page.

An overview of vulnerabilities is shown at the top of the page - including filters based on vulnerability severity. Severity scoring allows for administrators to understand and mitigate risks in a prioritized, realistic method. Higher severity scores indicate that the vulnerability should be prioritized. There are four severity categories…

As a vCenter Server administrator, you want to have visibility of known vulnerabilities in your environment to understand your security posture and schedule maintenance windows for patching and remediation. With the help of vulnerability assessment, you can proactively minimize the risk in your environment.

Vulnerabilities can be viewed in Asset View or Vulnerability View:

Carbon Black looks into vulnerabilities related to:

A deeper dive into vulnerabilities and using the vulnerability tab will be covered in Section 4 of this lab.

The Inventory page displays workloads for which you have enabled and not enabled CWP. You can manage workloads from this page.

CWP provides a streamlined agent deployment process. The Carbon Black agent installer is provided as part of the VMware Tools package. Deployment to workloads is simplified to a ‘click to enable’ process. Simply select the workload for which you would like to enable CWP and click ‘Enable’. Initial assessment begins within 24 hours of enabling, and then occurs daily, automatically from that point forward.

Major sensor updates can be pushed by selecting workload(s) and clicking the ‘Update’ button. Only major sensor updates need to be manually done from the vCenter plugin or Carbon Black Cloud console. Updates can be done individually or on multiple/all workloads.

3.3 How VMware Carbon Black Measures Risk

Carbon Black Cloud partners with Kenna Security to leverage the largest database of vulnerability, exploit, and event threat data in the industry. This data is distilled into three main measures of risk:

There are metrics defined for Common Vulnerability Scoring System (CVSS). A few of the metrics are about the attack method itself, whereas the others depend on how the application assesses impact - the direct consequence of a successful exploit. To learn more about CVSS, visit https://www.first.org/cvss/specification-document.

Every vulnerability is assigned a risk score of between 0.0 (no risk) and 10.0 (maximum risk). The risk score range and severity are defined as follows.

To learn more about how the risk is calculated, refer to the Kenna Security documentation available at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-whitepaper-understanding-the-kenna-security-vulnerability-risk-score.pdf.

VMware Carbon Black Cloud Workload Protection consolidates multiple datacenter security capabilities with an easy deployment experience on vSphere and a single lightweight sensor for your workload environment. VMware Tools includes the Carbon Black agent installer, facilitating the installation process and eliminating management by providing native security capabilities as a service that IT infrastructure owners can provide.

Workload protection has already been deployed on numerous workloads within the TestDrive vSphere environment prior to this guide being written. This allows us to discover and view any risks that have been identified by our vulnerability assessment capability. With this capability there is no scanning involved because we are already collecting the data, we are leveraging the same single data stream to query and populate this data within the vCenter management plane. For this portion of the lab experience, we will be diving into vulnerabilities and information available to you directly in vSphere.

4.1 Looking into A Critical Vulnerability

While logged into vCenter, click on the Menu button at the top of vCenter and then navigate to and click on the Carbon Black plug-in. For more information on accessing and navigating the plug-in see section 3.2.

Navigate to the Vulnerabilities page within the plugin. The Vulnerabilities page displays information on vulnerabilities affecting the environment with intuitive filtering capabilities to give administrators a prioritized, realistic method to look at risk and threat.

On the top of the page severity level filters can be used to view vulnerabilities in a prioritized manner. For this lab, we will focus on Critical vulnerabilities, with a severity score of 9.0 to 10.0. For more information on how risk is scored see Section 3.3.

We should now see only Critical High-Risk score CVE’s, these are CVE’s that are exploitable within this environment. This means an attacker (external or internal) could gain access to a workload by leveraging one of these CVE’s in an attack if discovered.

Vulnerability types include Windows OS, Linux OS, Windows App, and Linux App. Select a vulnerability type of interest. Due to the nature of this lab, a specific vulnerability will not be selected as vulnerabilities will change across the environment.

A vulnerability will display:

Expanding a vulnerability will show:

CWP directly links to the National Vulnerability Database (NVD) page for the selected vulnerability. This allows for an easy workflow to get more background on the vulnerability and how to resolve it directly in your vSphere environment.

When viewing a workload, on the Monitor tab, a Carbon Black Vulnerabilities page is available. You can view all vulnerabilities affecting a particular workload from this page.

We have now completed a workflow looking into a critical vulnerability directly in vSphere. CWP provides built-in vulnerability assessment capabilities in your vSphere console.

The Carbon Black Cloud Workload Protection (CWP) solution can be accessed through both the Carbon Black Cloud Console and the Carbon Black vCenter plugin.

5.1 Accessing Carbon Black Cloud

The Carbon Black Cloud console is web-based with one lightweight agent deployed to endpoints.

The console is accessed through a supported web browser:

Login to Carbon Black Cloud:

If you are an existing Carbon Black Cloud customer using the next-generation AV, EDR, container security, or other solution the Cloud Workload Protection solution lives in the same cloud-based console. CWP vulnerability information lives in the Vulnerabilities tab.

CWP gives teams a shared truth of risk, minimizing friction between teams such as infrastructure and security. Teams have the same visibility and understanding of vulnerabilities whether they are viewing information in the Carbon Black Cloud or within the vCenter plug-in.

Vulnerabilities can be explored within the Carbon Black Cloud in the same method used in Section 4.

For a more guided experience on using the Carbon Black Cloud for vulnerabilities see Module 4 of the CWP Hands-on Lab simulation: https://labs.hol.vmware.com/HOL/catalogs/lab/10212

5.2 Audit and Remediation

To gather stateful information which is correlated to vulnerabilities another part of the Carbon Black Solution suite is leveraged called Audit and Remediation. Audit and Remediation allows administrators to ask questions on the environment across hardware, software, and network variables at scale. Cloud Workload Protection customers have access to the full Audit and Remediation solution beyond its use in vulnerability assessment. This portion of the experience will walk through using Audit and Remediation.

If you are not currently logged in to the Carbon Black Cloud console see section 5.1 for how to log in.

Numerous queries are pre-built and come OOTB with Audit and Remediation - called recommended queries. Pre-built queries full under IT Hygiene, Vulnerability Management, Threat Hunting, and Compliance use cases. Recommended queries can be filtered by selecting a use case, filtering by applicable OS, or searching for keyword(s).

Queries can be run on a one-off basis or scheduled to run automatically (daily, weekly, monthly, etc.). Query results can be viewed in the console or exported.

CWP and Audit/Remediation give administrators a greater understanding of what they are securing. We will review a recommended query to better understand the information Audit and Remediation can provide.

The Installed Windows Applications query returns information about applications installed by msiexec.exe. By expanding a query you can view the SQL code used in the query. Audit and Remediation leverages osquery and standard SQL syntax.

osquery schema can be viewed on the following page: https://osquery.io/schema/4.5.0

Beyond recommended queries, administrators can create their own, custom queries to suit any number of use cases. Queries are built using standard SQL syntax and the previously linked osquery schema.

We will create a custom query that looks at the value for the 'LimitBlankPasswordUse' registry key. The value for this registry key can be 1 or 0; 1 being recommend as this prevents netconns from accessing endpoint with a blank password. An attacker could change the registry key to gain access to an environment.

This query comes from the Carbon Black Query Exchange. The query exchange is an open forum for Carbon Black customers to share queries they've created - or leverage queries others have created. The Query Exchange is linked on the top right of the page. Note that only Carbon Black customers can access the Query Exchange.

Queries can be run environment-wide or on a specific endpoint(s) or policy group. Let's run this query on a specific workload.

Query results can be viewed in the console or exported.

Contact VMWare Carbon Black Sales