A new year brings new hope for optimism. One of the things we’re most excited about this year is watching innovative companies continue to come out with new security solutions to stay ahead of all the advances hackers continue to make with new malware attacks.
If you read the VMware Global Security Insights Report 2021, you’ll know that CIOs around the world share our sentiment. The survey polled over 3,500 CIOs, CTOs and CISOs at companies across a range of industries. The report identifies trends in network attacks and their effects on a company’s finances and reputation. Based on the survey, the frequency of attacks is increasing, and the sophistication of the attacks continues to evolve. Three-quarters of the respondents said the number of attacks they faced has increased in the past year. Of those, 78% said attacks had increased because of more employees working from home, and 79% said attacks had become more sophisticated.
Today’s standard arsenal of firewalls, intrusion detection/prevention systems (IDS/IPS) and antivirus are no longer enough to protect today’s network. These tools have served well in the past, but they are not designed to counter the sophisticated attacks of advanced malware.
Identifying today’s security problems
There are several problems with today’s security components. The first problem is that most security elements work in isolation and do not share “what they learn” with other components. This lack of communication limits how well security elements can detect more sophisticated attacks, and it can create issues when you are hunting for threats. Another problem with standard solutions is that many of these elements are working with static definitions of threats and are not able to adapt quickly to new never-seen-before threats. Finally, today’s offerings assume malware is focused on attacking just the operating system when in truth, many of today’s attacks are focused on a wide range of end devices and network components. One of the more damaging types of attacks that today’s tools miss is advanced persistent threats that establish a long-term presence on a network to collect large amounts of sensitive data.
To help augment the protection of current systems, companies are introducing Advanced Threat Protection (ATP). ATP takes a holistic approach to monitoring for attacks. It uses machine learning to identify and protect against advanced threats. ATP enhances the protection of standard tools by providing advanced malware analysis of artifacts traversing the data center. Other malware detection technologies inspect content and identify potentially malicious code, but they cannot interact with malware. As a result, they have significantly lower detection rates and higher false positives, in addition to being easily evaded by advanced malware.
ATP, through the use of artificial intelligence, can do a much more thorough analysis of potential threats. ATP deconstructs every behavior engineered into a file or URL and sees all the instructions that a program executes, all memory content and all operating system activity. This depth of knowledge gives ATP a much better understanding of potential threats. ATP safely executes malware samples, analyzes URLs and provides complete visibility into malicious behavior. This capability enables IT departments to analyze the malicious objects used in advanced, targeted and zero-day attacks safely and efficiently. ATP offers a unique isolation and inspection environment that simulates an entire host (including the CPU, system memory and all devices) to analyze malware and to interact with it to uncover every malicious behavior, including identifying dormant code and documenting all CPU instructions executed. It also identifies the memory (RAM) locations accessed by the analyzed artifact.
This intelligence allows ATP to cover the four key elements of protection:
- Detect threats in all east-west traffic using curated signatures based on precise application context
- Uncover anomalous activity and malicious behavior across the network using supervised and unsupervised machine learning
- Find malicious content traversing the network via hardware emulation and supervised machine learning models
- Filter large amounts of network data and events via a correlation engine to eliminate false positives and zero in on a smaller set of real intrusions
These features provide several benefits for network administrators. Not only does ATP provide visibility across the entire network, but it can also inspect all internal data center traffic for threats with deep visibility that leverages multiple threat detection techniques simultaneously. ATP intelligence gives it the ability to reduce false positives by up to 90% improving the accuracy of alerts and enabling security teams to focus on a small set of actual intrusions. Finally, and most importantly, ATP allows IT managers to evolve to proactive threat hunting. IT managers can move beyond merely reacting to alerts and start proactively hunting for emerging threats to the network before they impact the business.
Deploying Advanced Threat Protection
Deploying ATP is not complicated, but administrators must follow the proper steps to be sure the ATP works correctly and scales appropriately.
First, look at your existing security infrastructure to figure out what vulnerabilities you are trying to address with the new ATP. Are you trying to improve network visibility? Improve network event correlation? Reduce hopping between security tools? What you are trying to achieve with the ATP will dictate what actions are needed in the second step.
Second, while looking at existing infrastructure, decide what functions you want the ATP to service and what functions you want to remain with the existing infrastructure. There are some capabilities that only the ATP can do, but there may be capabilities that your current infrastructure does that might be better served by the ATP, either because the ATP can do it better or because it simplifies management. While looking at the existing security infrastructure you will also need to determine if you need to make any configuration changes to accommodate the ATP in the network. The goal is to create proper interaction/minimal overlap between the ATP and the existing equipment. As part of this step also collect key network facts to assist the ATP setup (e.g., VPN concentrator IP addresses, AV definition update server addresses).
Next, determine what hardware you need to run the ATP and where you need to place any ancillary equipment (e.g., sensors). Like any other software, ATP needs properly configured hardware to scale and run efficiently. The types and amount of traffic the ATP will monitor determines the location of the hardware. Data traffic patterns based on employee and data center locations also impact how you should distribute the ATP through your network.
Once you determine the proper configuration and hardware, you can then install the new ATP system. This will include setting up the manager, engine, data node and any necessary sensors. The goal is to be sure you have everything set up to properly collect (e.g., perimeter sensors, cloud sensors), analyze (e.g., file analysis, analytics) and respond (e.g., bloc, SIEM integration) to any threats. You can deploy the ATP on-premises or hosted.
Finally, once you get the ATP installed you will want to optimize the ATP for your network. The ATP should be tuned to maximize security monitoring but should not be so reactive that your team gets too many false positives. As part of the final steps, you also want to train employees to be sure the team fully understands the new tool and how to use it properly. As part of the final check, always be sure the ATP is properly integrated with other security tools and network management tools.
If all of this sounds like a lot, VMware Professional Services are here to help. Our team has a wide range of experience deploying ATP systems and can help with:
- Identifying and addressing problems and challenges
- Defining success criteria and setting achievable expectations
- Evaluating infrastructure and use case planning
- System design and deployment
- System acceptance and validation
- Employee training and creating new operating procedures
It has never been easier to get ATP!
We are big advocates of the benefits of ATP and now is great time take advantage of the advanced protection that ATP provides. To encourage faster adoption of ATP, VMware is running a promotion where VMware Professional Services will perform the NSX-V to NSX-T migration for customers who purchase a one- or three-year subscription license to NSX Advanced Threat Protection. So, in addition to modernizing your data center with NSX-T, you get the great benefits of ATP.
This is a limited-time promotion and restrictions do apply. If you’re ready to take full advantage of all the features of ATP (and other great features of NSX-T), contact your VMware sales rep today.
