Judging by what I’ve heard during my 30 years in the security industry, CISOs invest most heavily in two areas: technology to protect the perimeter of their networks, and technology to make sure the PCs and other endpoint devices used by employees are not compromised. And yet many companies are still successfully attacked every year, at an increasingly unacceptable cost. It’s time for a new approach to protecting the most vulnerable and most enticing targets: the applications, data centers, access points and other infrastructure inside your network.
Many of the most sophisticated attackers spend their days devising ways to blend into the massive flow of data that takes place behind the perimeter. Often the plan is to obfuscate payloads, disguise malicious activity as legitimate traffic, and slip it into this “East-West” traffic, which can be orders of magnitude larger than the relative trickle of “North-South” traffic that crosses a firewall or reaches an endpoint. Once inside, smart attackers bide their time, hiding in the ordinary noise of your network, discovering assets and moving laterally over common ports and protocols while waiting for the opportunity to do the most damage, say, by launching ransomware or quietly stealing customer data. Some of the worst breaches of 2021 fit this description.
Fortunately, internal traffic is in our wheelhouse. Our heritage in hypervisor technology gives us a privileged position when it comes to understanding precisely what is happening inside a company’s applications and networks, both in the aggregate flows of traffic and at the most granular level. Thousands of companies use our tools to deploy software, whether as virtual machines (VMs) or containers, and to understand network traffic at the packet level. That position gives us visibility into, and context for, every packet like no other vendor.
Today, we’re taking a major step to make the most of this privileged position. We introduced enhancements to our security system focused on detecting and stopping lateral movement of threats across private and public clouds, made up of both VMs and containers. The enhancements include capabilities purpose-built for VM workloads and a complementary set of capabilities purpose-built for container-based Modern Applications, all tied together with advanced security analytics and management powered by VMware’s newly announced Contexa threat intelligence cloud.
Think of VMware Contexa as a massive online brain that leverages the vast amount of telemetry collected by our VMware platforms, across endpoints, workloads, users and networks, and applies powerful machine learning techniques to quickly sniff out subtle anomalies and the most well-disguised attacks.
This is a major advance over how most companies check for lateral movement today. Most companies cannot afford the sheer computing power to look deeply at all of that rushing East-West flow, so they do the next best thing: examine small portions of the traffic. Many companies, for example, use network taps that see only the traffic crossing a particular physical switch. In a virtualized, cloud world, however, only a small fraction of East-West traffic ever touches a physical switch; most of it moves between VMs on the same server and never leaves the host. The tapped portion is typically analyzed after the fact in a separate “sandbox” or by an Intrusion Detection System (IDS), and the findings are recorded in a security information and event management system (SIEM), which serves as a kind of digital library.
Such sampling is no longer a realistic option for actually stopping attacks. We (and every security expert) are urging companies to adopt zero-trust security as their MO, the whole idea of which is that the only safe assumption is that you have already been breached and don’t know it. If that is the case, you can’t look at a small sample of East-West traffic and think you are protected. It would be like taking a digital photo of a diamond thief as he grabs the jewel but capturing only 10% of the pixels. All you would see are colored blobs.
Modern cloud architectures are making the blind spots worse. New silicon and virtualization capabilities can run well over 100 VMs on a single physical host, so only a small fraction of VM-to-VM traffic ever reaches a physical network tap. For systems that rely on those taps, no matter how good their analytics are, they cannot be effective on such a small sample.
VMware Contexa is built for this virtual cloud world. It works on live, “in-band” data, where it sees every packet and every process without relying on a physical network tap. As a result, Contexa can understand the context (get it?) of the data in real time and spot subtle anomalies that could hide malicious activity. For example, a standalone firewall judges each request on its own and might not think twice about allowing a query to an application simply because it contains a random-looking string of characters. Contexa, however, can correlate that string across flows and quickly notice if queries carrying the same string had been used to seek access to sensitive databases holding customer information or employee usernames and passwords.
This is not a hypothetical example. Some portion of the thousands of companies affected by the Log4j vulnerability were compromised in just this way. As a result, attackers, including extremely determined and well-funded state-sanctioned ones, likely hold the equivalent of skeleton keys to those companies’ networks. Worse, many of these companies don’t even know the attackers are still present, and may only find out when the attacker steals data or worse.
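To make the “same random string” point concrete, here is an added example, written for this post and not VMware or Contexa code (it says nothing about how Contexa works internally). It contrasts the stateless per-flow check a standalone firewall makes with a stateful correlator that remembers where an unusual token entered the network and every hop it takes afterwards, alerting only when that token reaches a host tagged as sensitive. All hostnames, ports, request strings and the sensitive-asset list are constructed sample data, and the token regex and entropy threshold are assumptions a practitioner would tune.

```python
"""
Added example (not VMware or Contexa code): correlate an unusual token across
North-South and East-West flows instead of judging each flow on its own.
Every host, port and request string below is constructed sample data.
"""
import math
import re
from collections import defaultdict

# Constructed in-band records, one per observed request, in time order:
# (timestamp, direction, src, dst, dst_port, request summary)
SAMPLE_FLOWS = [
    (100, "N-S", "203.0.113.7", "web-01", 443, "GET /search?q=laptop"),
    (101, "N-S", "203.0.113.7", "web-01", 443, "GET /search?q=x7Kq9vL2pZ4mW8nB3"),
    (102, "N-S", "198.51.100.9", "web-01", 443, "GET /cart sid=Qm3tR8yA1cF6hJ"),
    (103, "E-W", "web-01", "app-01", 8080, "POST /api/lookup id=x7Kq9vL2pZ4mW8nB3"),
    (104, "E-W", "web-01", "app-01", 8080, "POST /api/cart sid=Qm3tR8yA1cF6hJ"),
    (105, "E-W", "app-01", "db-customers", 5432,
     "SELECT * FROM customers WHERE note='x7Kq9vL2pZ4mW8nB3'"),
    (106, "E-W", "app-01", "db-customers", 5432,
     "SELECT name FROM customers WHERE id=42"),
]

# Assumed asset inventory: hosts whose data an attacker is after.
SENSITIVE_HOSTS = {"db-customers": "customer PII", "ldap-01": "directory credentials"}

# Assumed definition of "random-looking": 12+ identifier characters with
# high Shannon entropy. Both values are tuning knobs, not derived constants.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{12,}")
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a repeated character)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_tokens(request):
    """Long, high-entropy substrings of a request string."""
    return {t for t in TOKEN_RE.findall(request)
            if shannon_entropy(t) >= MIN_ENTROPY_BITS}


def perimeter_rule(flow):
    """Stateless check of the kind a standalone firewall makes: the expected
    port for the destination means allow. It has no opinion on the token,
    so every flow in SAMPLE_FLOWS passes."""
    _ts, _direction, _src, dst, port, _req = flow
    expected = {"web-01": 443, "app-01": 8080, "db-customers": 5432, "ldap-01": 389}
    return expected.get(dst) == port


class LateralCorrelator:
    """Stateful check over the whole flow: remember every hop each unusual
    token makes and alert once when it reaches a sensitive host."""

    def __init__(self, sensitive_hosts):
        self.sensitive = sensitive_hosts
        self.path = defaultdict(list)   # token -> [(ts, src, dst), ...]
        self.alerted = set()            # (token, dst) pairs already reported

    def observe(self, flow):
        ts, _direction, src, dst, _port, req = flow
        new_alerts = []
        for tok in suspicious_tokens(req):
            self.path[tok].append((ts, src, dst))
            if dst in self.sensitive and (tok, dst) not in self.alerted:
                self.alerted.add((tok, dst))
                new_alerts.append({
                    "token": tok,
                    "reached": dst,
                    "asset": self.sensitive[dst],
                    "entered_via": self.path[tok][0],
                    "path": list(self.path[tok]),
                })
        return new_alerts


def analyze(flows, sensitive_hosts=SENSITIVE_HOSTS):
    """Run both checks over the same flows and return what each concluded."""
    correlator = LateralCorrelator(sensitive_hosts)
    allowed = sum(1 for f in flows if perimeter_rule(f))
    alerts = [a for f in flows for a in correlator.observe(f)]
    return {
        "allowed_by_perimeter": allowed,
        "tokens_seen": set(correlator.path),
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    print(f"perimeter allowed {result['allowed_by_perimeter']}/{len(SAMPLE_FLOWS)} flows")
    for a in result["alerts"]:
        hops = " -> ".join(h[2] for h in a["path"])
        print(f"ALERT token {a['token']} reached {a['reached']} ({a['asset']}) "
              f"entered from {a['entered_via'][1]}, path {hops}")
```

Note that the constructed session id Qm3tR8yA1cF6hJ looks just as random as the attacker’s string, so no per-flow rule could tell them apart; the correlator separates them only because one token travels all the way to db-customers while the other never gets past app-01. That trajectory is exactly what a tap on a physical switch would miss, since every hop after web-01 here is VM-to-VM.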
In such a dangerous world, companies can no longer afford to be satisfied with the security strategies of the past. The stakes are too high. While there are never any panaceas in cyber security, we hope our new solutions and the philosophy behind them will help companies level the playing field with the bad guys, or even begin to tip it in the right direction.
Learn more:
- VMware Announces Its Unique Lateral Security for Multi-Cloud
- VMware Contexa: The Threat Intelligence Cloud
This article may contain hyperlinks to non-VMware websites that are created and maintained by third parties who are solely responsible for the content on such websites.