Close the endpoint vulnerability gap to reduce risk and improve compliance
- Last updated 11/13/2025
Endpoint vulnerability management is nothing new, yet vulnerabilities continue to introduce too much risk.
The number of Common Vulnerabilities and Exposures (CVEs) has grown exponentially, and the challenges of endpoint vulnerability management have grown with it. In September 1999, the first CVE list was published with 321 entries. Today, over 314,000 CVE records exist. Alongside ongoing efforts to prevent exploits, organizations are increasingly embracing proactive vulnerability reporting through initiatives like the CISA Secure by Design Pledge.
The U.S. Government and other organizations are adopting more aggressive standards for resolving critical vulnerabilities, including known exploited vulnerabilities (KEVs), but there’s still a significant lag between the time it takes for a threat actor to exploit a vulnerability (5 days on average) and the time it takes for organizations to patch or mitigate their exposure (the median time is currently 38 days). Endpoints are often the weakest link in an organization's security, and hackers are well aware of this. (Source: 2025 Verizon DBIR, a.k.a. the Verizon Data Breach Investigations Report, page 31).
What is your window of exploitation for endpoint vulnerabilities?
Even if you follow CISA, FedRAMP, and PCI DSS vulnerability management guidelines, the exploitation of KEVs happens much faster than the resolution of these vulnerabilities in end-user environments. Key metrics to consider include:
- The timeline for resolving CVEs carrying high risk, for example, those with known exploitation or criticality of 8 or higher on the CISA rating scale
- The timeline and target resolution rate for CVEs in your environment
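As an added illustration of the two metrics above (not code from the page or from Omnissa), the script below prioritizes findings by KEV status and severity, then computes the median resolution time for high-risk CVEs, the share resolved within a target, and which open high-risk CVEs have already outlived the 5-day average exploitation window. The findings, CVE ids, and the 14-day target are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional

@dataclass
class Finding:
    cve: str                   # placeholder id, not a real CVE
    cvss: float                # severity score on the 0-10 scale
    kev: bool                  # listed in CISA's Known Exploited Vulnerabilities catalog
    first_seen: date           # first observed on an endpoint
    resolved: Optional[date]   # patched/mitigated date, None if still open

HIGH_RISK_SCORE = 8.0      # "criticality of 8 or higher" threshold from the text
EXPLOIT_WINDOW_DAYS = 5    # average time-to-exploit cited in the text
TARGET_SLA_DAYS = 14       # assumed internal resolution target

def is_high_risk(f: Finding) -> bool:
    """Known exploitation or a score at/above the threshold counts as high risk."""
    return f.kev or f.cvss >= HIGH_RISK_SCORE

def prioritize(findings: List[Finding]) -> List[Finding]:
    """KEVs first, then by descending score, then oldest first."""
    return sorted(findings, key=lambda f: (not f.kev, -f.cvss, f.first_seen))

def window_metrics(findings: List[Finding], today: date) -> dict:
    """Exposure metrics for the high-risk subset; open items age up to 'today'."""
    high = [f for f in findings if is_high_risk(f)]
    durations = [((f.resolved or today) - f.first_seen).days for f in high]
    within_sla = sum(1 for f in high
                     if f.resolved and (f.resolved - f.first_seen).days <= TARGET_SLA_DAYS)
    exposed = [f.cve for f in high
               if not f.resolved and (today - f.first_seen).days > EXPLOIT_WINDOW_DAYS]
    return {
        "high_risk": len(high),
        "median_days": median(durations) if durations else 0,
        "sla_rate": within_sla / len(high) if high else 1.0,
        "open_past_exploit_window": exposed,
    }

# Constructed sample findings (placeholder CVE ids, invented dates).
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, True,  date(2025, 10, 1),  date(2025, 10, 4)),
    Finding("CVE-0000-0002", 8.1, False, date(2025, 10, 1),  date(2025, 10, 20)),
    Finding("CVE-0000-0003", 7.5, True,  date(2025, 10, 10), None),
    Finding("CVE-0000-0004", 5.3, False, date(2025, 10, 1),  None),
    Finding("CVE-0000-0005", 9.0, False, date(2025, 10, 18), None),
]
TODAY = date(2025, 10, 20)

if __name__ == "__main__":
    print([f.cve for f in prioritize(FINDINGS)])
    print(window_metrics(FINDINGS, TODAY))
```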
Can you shorten the window of exploitation for endpoint vulnerabilities?
Minimizing risk is crucial, which involves reducing the window of opportunity for exploitation. While it is clear that faster patching and mitigation are essential, organizations often face challenges. What we hear from customers is that remediations often take a couple of weeks at a minimum to implement. These workflows involve:
- Scanning the entire environment for vulnerabilities
- Batching out requests for updates via IT Service Management (ITSM) tools
- Implementing specific processes for urgent, high-risk threats posed by vulnerabilities
Accelerating these processes can reduce exposure, but concerns include:
- Rolling out updates too quickly, leading to major failures or negative end-user experiences
- Tracking the test environment failure metrics that are required for change control
- Lack of visibility into the progress of updates, resulting in unexpected issues
How do you address vulnerabilities without the process becoming its own threat to your sanity and the performance of the business?
Studying the processes that organizations follow today, we see significant opportunities to:
- Reduce the time spent evaluating the impact of and prioritizing vulnerabilities
- Accelerate the delivery of information to end-user computing stakeholders
- Implement built-in control and observability points to help people feel comfortable with accelerated rollouts of patches, updates, and mitigations.
New solution addressing these issues in Beta at Omnissa
Omnissa is kicking off this effort with Vulnerability Defense. At Beta, we present vulnerability information from CrowdStrike Falcon Exposure Management in the context of your endpoint deployment, so that you can see where your major liabilities lie and review suggested fixes. You can start with a controlled deployment, addressing your first group manually and then automating remediation for subsequent populations. Checkpoints are built into the process, so that you can see how things are performing in real time. And our digital employee experience (DEX) tools help you monitor and manage rollouts so that they don’t adversely impact your end users.
Achieving compliance at scale requires efficiency. So how do you get away from manual processes—periodic scanning, ticket creation, and triage—to a more fluid approach to vulnerability management?
CrowdStrike Falcon Exposure Management (purchased via CrowdStrike) required at Beta
We partnered with CrowdStrike to integrate their vulnerability assessment capabilities with Omnissa Workspace ONE. CrowdStrike Falcon Exposure Management, a component of the CrowdStrike Falcon Endpoint Protection Platform, is required for the 2025 Beta and limited availability versions of Omnissa Vulnerability Defense, and it is purchased directly from CrowdStrike. Omnissa has several integrations with CrowdStrike, including API-based tagging via CrowdStrike Foundry and data sharing with CrowdStrike Falcon NG-SIEM. More information about CrowdStrike integrations here.
Begin with application patching
In our research, we see that endpoint teams spend about 80-90% of their time on application and OS patching. Our Beta solution includes comprehensive workflows that allow you to:
- Automatically assess vulnerabilities affecting your Workspace ONE managed endpoints
- Perform risk-based prioritization of CVEs for remediation
- Review the recommended path for addressing application and OS vulnerabilities
- Import and deploy pre-configured app updates from Workspace ONE Enterprise App Repository
- Monitor and manage rollout through deployment tracking dashboards
Reduce remediation time from weeks to days
An over-the-air connection with devices is essential for proactive vulnerability management. With Omnissa Workspace ONE UEM, you have the connectivity you need to manage the full lifecycle of devices and support secure digital work.
Workspace ONE Vulnerability Defense integrates vulnerability discovery and assessment with prioritization and remediation in UEM. This automated approach helps you quickly address vulnerabilities, reducing the time spent on manual tasks and allowing you to assess the success of patching and other mitigations from your Workspace ONE UEM console.
Spend less time closing the loop. You can assess the success of endpoint vulnerability patching, updates, and other mitigations from your Workspace ONE UEM console. It is easier to confirm that vulnerabilities have been resolved without executing a comprehensive compliance scan.
What's next?
Learn more from our Vulnerability Defense Community webinar and register for the Beta.
For more information on Vulnerability Defense, scheduled to launch in late 2025, please access the replay of our October 1st Vulnerability Defense Community webinar, where experts share our technical solution and talk about the broader topic of endpoint risk.
Please apply to participate in our Vulnerability Defense Beta here.