IBM Security MaaS360


Risk Actions

By Priyanka Keshari posted Mon January 02, 2023 01:14 AM

  

Requirement

The Security Dashboard allows administrators to view metrics for security risks on devices and users who are enrolled in the MaaS360 account. The admin needs to remediate/mitigate the risks as they can have a cascading impact on an organization's strategic goals.

Overview

Risk Actions gives an admin the ability to take action against risky devices and users based on their risk score. The feature is enabled for anyone who has URM (User Risk Management) or Endpoint Security enabled. URM is enabled by default for Endpoint Security.

Features

Manual actions triggered from the dashboard

User actions


Top risky users section


User summary page


Users list page

Device actions


Risky devices section of user summary page


Automated actions

An admin can configure actions in the risk rule-action configuration UI to be taken automatically on devices that fall into a certain risk threshold. When the risk posture on a device changes:

  1. Actions that are applicable get applied

  2. Actions that are no longer applicable get revoked

Example: If a device has potential critical vulnerabilities beyond a threshold (as configured in the risk rule-action configuration UI), the admin can block access to the corporate VPN.
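
A minimal model of the apply/revoke behaviour described above, as an added example that is not MaaS360 code or part of the original post. The rule fields, metric names and action labels are assumptions; it shows that an action is revoked only when no configured rule still calls for it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    metric: str      # posture field the rule watches (hypothetical name)
    threshold: int   # rule matches when the metric goes beyond this value
    action: str      # action label (hypothetical, not a MaaS360 identifier)

# Constructed sample configuration: two different rules lead to block_vpn.
RULES = [
    Rule("critical_vulns", 5, "block_vpn"),
    Rule("risk_score", 80, "block_vpn"),
    Rule("risk_score", 60, "enforce_mfa"),
]

def applicable_actions(rules, posture):
    """Actions required by at least one matching rule; a missing metric counts as 0."""
    return {r.action for r in rules if posture.get(r.metric, 0) > r.threshold}

def reconcile(rules, posture, applied):
    """Return (to_apply, to_revoke) for a device whose posture just changed."""
    wanted = applicable_actions(rules, posture)
    return sorted(wanted - applied), sorted(applied - wanted)

def on_posture_change(rules, posture, applied, log):
    """Update the applied set in place and append one log entry per change."""
    to_apply, to_revoke = reconcile(rules, posture, applied)
    for action in to_apply:
        applied.add(action)
        log.append(("apply", action))
    for action in to_revoke:
        applied.discard(action)
        log.append(("revoke", action))
    return applied

if __name__ == "__main__":
    applied, log = set(), []
    # Constructed posture sequence for one device.
    for posture in ({"critical_vulns": 7, "risk_score": 65},
                    {"critical_vulns": 2, "risk_score": 85},
                    {"critical_vulns": 2, "risk_score": 50}):
        on_posture_change(RULES, posture, applied, log)
    print(log)
```

In the second posture the vulnerability count drops below its threshold, but block_vpn stays applied because the risk-score rule still matches, so nothing is logged for that change.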

Actions category

  • Device - locate, SMS or MaaS app notification, lock, change MDM and persona policy, change ruleset, remove user from device (only for iOS/Windows), wipe, selective wipe (block access to all corporate resources - remove managed apps, block access to MaaS apps, first-party apps)
  • User - email user, inactivate user, block enrollment/sign-in for a user, quarantine user
  • App - remove app, enforce MFA (multi-factor authentication) on all MaaS apps and first-party apps, change restrictions on managed apps (via app config), turn on MFA for all managed apps (apps with SSO configured), wipe local data from managed apps (SDK/wrapped apps only), remove corporate Wi-Fi, remove corporate VPN (from policies, and also if MaaS VPN is used), block Secure Browser/MEG access, clear data from MaaS document sources, block access to managed apps (ones configured with SSO or SDK/wrapped apps), remove ability to install more managed apps (remove app catalog), remove all managed apps
  • Network - block all corporate traffic from the device (only for iOS and Android)
  • MaaS app - block access to all MaaS apps (except the settings and security section)
  • MaaS VPN - block MaaS VPN (only for iOS and Android)
  • MaaS remote control - block remote control on the device
  • Email - block attachments in email, remove email configuration (from policies), block/approve email access (from CE), block Secure Email

Actions log

The actions log lists all the actions taken by an admin against all devices and users.

Planned enhancements

  • Extending the framework to take action after some delay
  • Capability to define groups and take different actions based on groups in the risk rule-action configuration UI
  • Transitioning of actions from Oracle DB to OpenSearch
  • Making the framework independent so that it can be used with any MDM solution
  • Integration with QRadar for actions

Integration with different products

  • QRadar is already integrated with MaaS360 for security-related events through APIs. The action APIs can similarly be used to show actions in QRadar so that a security analyst can take the required actions. The APIs need maasapp or portal auth.
  • Integration with ReaQta is planned

Technologies

  • ReactJS is used as frontend technology
  • AWS and its services (ROSA, CloudWatch, CloudTrail, OpenSearch, MSK, Keyspaces) are used as the backend technologies
