Knox Asset Intelligence Security Center
Last updated March 7th, 2025
These features are only available for devices managed by an EMM or UEM.
To help Samsung Knox customers better manage their security risks, SecOps Teams can easily track the security posture of every device in their fleet with powerful insights like the total number of devices with vulnerabilities detected, which devices have outdated security patches, and which devices pose the highest security risk to the organization.
The Knox Asset Intelligence Security Center provides clear, granular mapping of device vulnerabilities, as well as routine attestation to track the health of enrolled Samsung Knox endpoints. SecOps Teams, in collaboration with IT admins, can prioritize security patching efforts based on security risks reported by the Knox Asset Intelligence Security Center.
For example, if an organization has a mixed device fleet consisting of XCover Pro and Galaxy S22 models, the Security Center can report the total number of vulnerabilities affecting each specific device model, and omit any devices that already have the latest security patches deployed, thus making it easier for SecOps and IT admins to identify only the devices that are at risk. IT admins can then launch Knox E-FOTA to deploy the correct security patch for each model, ensuring that devices are updated in the most effective way, with the least amount of business disruption.
The Security Center provides 3 benefits for enterprises:
- Granular mapping of vulnerabilities to individual device models
- Daily health attestation through Knox Device Health Attestation
- Knox Security Events & Log for Security Operations Centers
Vulnerability management
As many purpose-fit devices are deployed across the enterprise, the ability to manage security risks becomes increasingly complex due to differences in device vulnerabilities and patch cadence. Without an understanding of each device’s hardware and drivers, enterprises have no way to accurately assess the risks posed by certain chipset vulnerabilities, or know which devices were—or could have been—exploited.
Security Center leverages Samsung’s software and hardware supply chain to directly map vulnerabilities to devices. By hooking directly into our software supply chain, we can granularly track which vulnerabilities have an impact on each specific binary, and specify which builds patch each vulnerability. This becomes especially important for devices impacted by Samsung Vulnerabilities and Exposures (SVEs) not bound to the Android Security Patch Level (ASPL).
Given the diverse set of Samsung devices across the globe, many device families often have differing hardware depending on the region. For example, a Galaxy S24 in the US has a Qualcomm chipset, while EU models have the Exynos chipset. This difference in chipset can have a significant impact on how vulnerabilities get patched, as one vulnerability reported in one chipset may not be reported in the other, despite being the same device model. In other words, a Galaxy S24 with a Qualcomm chipset will have different vulnerabilities than a Galaxy S24 with an Exynos chipset. With the Knox Asset Intelligence Security Center, you can trust that the vulnerabilities reported are the actual vulnerabilities that impact the models in your fleet, right down to the root hardware and software level.
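The following added example (not Samsung code, and not a Knox Asset Intelligence API) illustrates why matching on model and chipset gives a different at-risk list than matching on model name alone. The vulnerability IDs, build sequence numbers, device IDs and record layout are constructed placeholders.

```python
# Constructed sample data: the IDs, build numbers and record layout are
# illustrative placeholders, not Knox Asset Intelligence formats.
# vulnerability -> {(model, chipset): first build sequence number with the fix}
FIXED_IN = {
    "VULN-A": {("Galaxy S24", "Qualcomm"): 3},
    "VULN-B": {("Galaxy S24", "Qualcomm"): 2, ("Galaxy S24", "Exynos"): 2},
}

FLEET = [
    {"id": "dev-1", "model": "Galaxy S24", "chipset": "Qualcomm", "build": 2},
    {"id": "dev-2", "model": "Galaxy S24", "chipset": "Exynos", "build": 2},
    {"id": "dev-3", "model": "Galaxy S24", "chipset": "Exynos", "build": 1},
    {"id": "dev-4", "model": "Galaxy S24", "chipset": "Qualcomm", "build": 3},
]


def open_vulns(device, by_chipset=True):
    """Return vulnerabilities the device's build does not yet fix.

    by_chipset=True matches on (model, chipset); False matches on model
    alone, which is the coarse view the text warns against.
    """
    found = []
    for vuln, fixes in FIXED_IN.items():
        for (model, chipset), fixed_build in fixes.items():
            same_hw = model == device["model"] and (
                not by_chipset or chipset == device["chipset"])
            if same_hw and device["build"] < fixed_build:
                found.append(vuln)
                break
    return sorted(found)


def at_risk(fleet, by_chipset=True):
    """Map device id -> open vulnerabilities, omitting fully patched devices."""
    report = {d["id"]: open_vulns(d, by_chipset) for d in fleet}
    return {dev: vulns for dev, vulns in report.items() if vulns}


if __name__ == "__main__":
    print("per chipset:", at_risk(FLEET))
    print("model only: ", at_risk(FLEET, by_chipset=False))
```

With this sample data, model-only matching flags the patched Exynos device dev-2 for a Qualcomm-only issue, while chipset-aware matching omits it.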
Daily attestation
Each device enrolled in the Security Center gets attested on a daily basis to verify its security posture. If devices are offline (no internet connection) or powered-off during the attestation request, these devices are categorized as Unknown in the Security Center dashboard. If attestation is successfully carried out, devices are categorized as either Good or Bad. Devices with a Bad attestation result should be investigated immediately, as this is a strong indicator of compromise.
Connecting Security Center to your SOC
To allow security telemetry to be gathered from your devices, a Security Information & Events Management (SIEM) solution must be connected to the Security Center. The Security Center itself does not store any data related to security events or logs, as it purely provides a passthrough architecture. For this reason, IT admins and SecOps teams must connect Security Center to a third-party service for events & log reporting. For more information on how to connect Knox Asset Intelligence with your SIEM solution, please contact a Samsung Knox sales rep.