Today’s attacks present a significant challenge for network security solutions
Many network security products include sophisticated analysis components that inspect traffic for the presence of malicious payloads. This allows them to detect known exploits and malware binaries with good accuracy. Unfortunately, attacks have evolved over time and have become much more sophisticated. Today, adversaries move stealthily through a victim network and try to “live off the land.” That is, they blend their activity into regular background traffic, and rather than installing dedicated attack tools, they use legitimate applications to further their nefarious goals. As a result, malicious activity no longer clearly “sticks out.” This loss of signal presents a significant challenge for traditional detection tools. One option is to increase the tool’s sensitivity and alert on anything that appears even remotely suspicious or abnormal. It is easy to imagine that such anomalies appear frequently in large networks, where thousands of workloads might occasionally exhibit unusual but entirely benign behaviors. The resulting false positives quickly overload SOC analysts, who will either turn off the security solution or ignore its alerts. A second option is to wait and collect enough high-confidence evidence before alerting. This limits false positives, but it also leads to missed or – in the best case – delayed alerts (false negatives). Neither option is acceptable for organizations that rely on security solutions to protect their business-critical workloads and their most sensitive data.
Workload Awareness provides critical context to detect stealthy attacks
The only way to reliably distinguish between suspicious – but ultimately benign – network activity and true attacks is to add signal. That is, a network security solution needs to see more than just the packets on the wire to make accurate detection decisions. It needs to know more about the context in which these packets were sent. We are particularly interested in knowing more about the sender and the recipient of these packets. For example, when we see an unusual data transfer to a cloud service, is the originator a well-known backup service or an application that was installed only a couple of days ago? As another example, when we identify an unusual remote desktop protocol (RDP) connection, is the user who opened that connection an administrator who regularly performs network maintenance or a user who has never used RDP before? Finally, when we detect a potential exploit payload, which application (and which version) is targeted, and is it even vulnerable to that attack? In all three cases, additional information about the users or applications that are responsible for the network connections will allow us to make better decisions. It can help us to quickly elevate the severity of a seemingly harmless anomaly, and it can also help us to suppress false positives. We refer to the additional knowledge about the applications and the users who are involved in network traffic as Workload Awareness.
vDefend is in the best position to gather workload context
Workload Awareness requires network security solutions to possess a very deep understanding of the infrastructure where they are deployed. What workloads are running on which servers? What processes and applications are they running? Who are the users who are currently logged in, and which processes have these users launched? Which network connection is associated with which application? The answers to these questions are not available to traditional network security products. Fortunately, vDefend is deeply integrated into the infrastructure and has access to rich workload context. First, our distributed firewall runs in each hypervisor, and it has full knowledge of all virtual machines (VMs) that run on top of it. This includes the labels of each workload and the applications that are installed in each image. Second, using guest introspection (GI), which is included with VMware Tools, vDefend can peek into each VM and determine which users are currently logged in, together with a mapping between users, processes, and active network connections. In fact, we already use this information today to block malicious network connections that are initiated by unauthorized users. We also use GI to collect files that are downloaded into workloads and forward them into our (hypervisor-based) malware detection pipeline for further analysis. This allows us to detect ransomware even when it is distributed over the network via encrypted channels. Finally, we allow our users to define intrusion detection profiles that apply certain rules only to services that are actually susceptible to particular attacks and “virtually patch” applications by blocking exploits that target newly discovered vulnerabilities.
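The three questions from the previous section (backup agent or freshly installed app, seasoned admin or first-time RDP user, vulnerable listener or not) and the GI context described here are easiest to see as one triage step. The following is an added example, not vDefend code: a packet-level detector hands over an anomaly with a base severity, and the severity is raised, lowered or zeroed using a constructed snapshot of the context GI could supply (VM labels, installed applications with install dates, logged-in users, and the connection-to-process mapping). All VM names, processes, users, versions, addresses and the "affected versions" data are constructed for the illustration.

```python
"""Context-aware triage of network anomalies (added example, not vDefend code).

A packet-only detector raises an anomaly for one connection; at alert time the
decision is enriched with the kind of workload context guest introspection
could provide. Every VM, process, user, version and address here is constructed.
"""
from dataclasses import dataclass, field
from datetime import date

KNOWN_BACKUP_AGENTS = {"acme-backup-agent"}  # constructed allow-list of backup software
NEW_APP_DAYS = 7                             # "installed a couple of days ago"

@dataclass(frozen=True)
class Process:
    name: str
    version: str
    installed: date
    user: str                       # user who launched the process

@dataclass
class Workload:
    vm: str
    labels: set                     # tags attached to the VM
    processes: dict                 # pid -> Process
    connections: dict               # (local_port, remote_ip, remote_port) -> pid
    rdp_sessions: dict              # user -> earlier RDP sessions seen from this VM
    admins: set                     # users entitled to run network maintenance

@dataclass
class Anomaly:
    kind: str                       # "cloud_upload" | "rdp" | "exploit"
    vm: str                         # workload whose connection table is consulted
    conn: tuple                     # (local_port, remote_ip, remote_port) on that VM
    base_severity: int              # what the packet-only detector would report
    detail: dict = field(default_factory=dict)

def triage(anomaly, inventory, today):
    """Return (severity 0..10, reasons); severity 0 means 'suppress'."""
    wl = inventory[anomaly.vm]
    pid = wl.connections.get(anomaly.conn)
    proc = wl.processes.get(pid) if pid is not None else None
    sev, why = anomaly.base_severity, []
    if proc is None:                # GI did not see this connection: no extra signal
        return sev, ["no process context; keeping network-only severity"]

    def adjust(delta, reason):
        nonlocal sev
        sev += delta
        why.append(reason)

    if anomaly.kind == "cloud_upload":
        age = (today - proc.installed).days
        if proc.name in KNOWN_BACKUP_AGENTS and "backup" in wl.labels:
            adjust(-3, f"{proc.name} is the workload's known backup agent")
        elif age <= NEW_APP_DAYS:
            adjust(+3, f"{proc.name} was installed only {age} days ago")
    elif anomaly.kind == "rdp":
        if wl.rdp_sessions.get(proc.user, 0) == 0:
            adjust(+3, f"{proc.user} has never opened an RDP session before")
        if proc.user in wl.admins:
            adjust(-1, f"{proc.user} is a maintenance administrator")
    elif anomaly.kind == "exploit":
        target, affected = anomaly.detail["target_app"], anomaly.detail["affected_versions"]
        if proc.name != target:     # payload aimed at software that is not listening here
            sev = 0
            why.append(f"payload targets {target} but the listener is {proc.name}")
        elif proc.version in affected:
            adjust(+3, f"{proc.name} {proc.version} is in the affected range")
        else:
            adjust(-2, f"{proc.name} {proc.version} is not affected")
    return max(0, min(10, sev)), why

TODAY = date(2024, 6, 10)  # constructed "now"
INVENTORY = {              # constructed GI snapshot
    "web-01": Workload(
        vm="web-01", labels={"tier:web"},
        processes={410: Process("acme-web", "3.1", date(2023, 1, 15), "www"),
                   882: Process("curl-sync", "0.1", date(2024, 6, 8), "svc-deploy")},
        connections={(8443, "198.51.100.7", 443): 882,   # outbound upload
                     (443, "203.0.113.9", 51234): 410},  # inbound to the listener
        rdp_sessions={}, admins=set()),
    "ops-02": Workload(
        vm="ops-02", labels={"tier:mgmt", "backup"},
        processes={120: Process("acme-backup-agent", "5.2", date(2022, 9, 1), "backup"),
                   555: Process("mstsc.exe", "10.0", date(2022, 9, 1), "ops-jane")},
        connections={(40001, "198.51.100.7", 443): 120,
                     (40002, "10.0.0.50", 3389): 555},
        rdp_sessions={"ops-jane": 42}, admins={"ops-jane"}),
}

if __name__ == "__main__":
    for a in (Anomaly("cloud_upload", "web-01", (8443, "198.51.100.7", 443), 4),
              Anomaly("rdp", "ops-02", (40002, "10.0.0.50", 3389), 5)):
        print(a.kind, triage(a, INVENTORY, TODAY))
```

The design choice worth noting is the `proc is None` branch: when the connection cannot be tied to a process, the function keeps the network-only severity rather than guessing, so missing context degrades to today's behaviour instead of producing a false suppression. The same upload to the same cloud address scores 7 from the two-day-old `curl-sync` on `web-01` and 1 from the labelled backup agent on `ops-02`, which is exactly the signal the packets alone cannot provide.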
Isn’t Workload Awareness just XDR in different clothing?
Workload Awareness argues that additional endpoint context – information about applications and users – is critical to taking network security to the next level. However, one might ask whether this is not the same promise that eXtended Detection and Response (XDR) makes. After all, is XDR not based on the aggregation and correlation of alerts from different sources, such as network and endpoint detection systems? While we believe that XDR adds value, there is a fundamental difference between XDR and Workload Awareness. XDR solutions post-process alerts after they have been produced by independent and siloed detectors. That is, the network detector must make its decisions without endpoint context, and the endpoint agent has to make its detections without network information. Each detector is myopic and limited, and XDR enters the picture only after the fact. Workload Awareness is different. vDefend has workload context available right at the time it analyzes traffic, for every connection in the network. That means that it can make more accurate decisions with additional signal, allowing it to detect threats that other solutions cannot recognize.
The future is bright
vDefend is a network security solution that already has workload awareness. However, we are just at the beginning of our journey, and we see a lot of exciting future opportunities to leverage the available workload context. These opportunities include both making network segmentation more comprehensive and improving advanced threat protection. For example, we can expand our segmentation policies to include application identity. This would allow security administrators to restrict connections to sensitive services only to trusted clients. We can also build more fine-grained behavioral profiles for individual apps instead of entire virtual machines or servers. This allows us to detect threats that manifest in subtle changes in the traffic from a compromised service; changes that might otherwise get lost in the network activity of the entire node. Finally, we can track data flows and stop sensitive information from leaving the network. Imagine a process that reads a sensitive database and then connects to a remote cloud service. With Workload Awareness, we link the cloud service connection to the originating process, and we understand that this process has previously accessed a database. This enables vDefend to quickly alert SOC analysts or directly block this potential leak.
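Two of the opportunities above, segmentation by application identity and process-level data-flow tracking, can be sketched with a single small engine. The following is an added example, not vDefend code: it consumes per-process events of the kind guest introspection could report (a process opening a data source, a process opening a connection), enforces a constructed rule that only named client applications may reach a sensitive service, and remembers which sensitive sources each process has read so that a later connection from that same process to an address outside the internal range is flagged as a potential leak. The policy, the event stream, the address ranges and all names are constructed.

```python
"""Application-identity segmentation plus process-level data-flow tracking.

Added example, not vDefend code. Events are the per-process facts guest
introspection could supply; the stream, policy, addresses and names are
all constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Segmentation by application identity: which client apps may reach a service (constructed).
SERVICE_POLICY = {("10.0.2.20", 5432): {"app-server", "acme-backup-agent"}}
# Data sources labelled sensitive, written as "vm:path" (constructed).
SENSITIVE_SOURCES = {"db-02:/var/lib/pg/customers"}
INTERNAL = ip_network("10.0.0.0/8")   # anything outside this is treated as "leaving the network"

@dataclass(frozen=True)
class Event:
    kind: str      # "read" (process opened a data source) | "connect" (opened a connection)
    vm: str
    pid: int
    app: str       # application identity of the process
    target: str    # "vm:path" for read, "ip:port" for connect

class FlowTracker:
    """Remembers which sensitive sources each (vm, pid) read, then judges its connections."""

    def __init__(self, policy=SERVICE_POLICY, sensitive=SENSITIVE_SOURCES, internal=INTERNAL):
        self.policy, self.sensitive, self.internal = policy, sensitive, internal
        self.tainted = defaultdict(set)   # (vm, pid) -> sensitive sources read so far

    def handle(self, ev):
        """Return verdict strings for one event (empty list means nothing to do)."""
        key = (ev.vm, ev.pid)
        if ev.kind == "read":
            if ev.target in self.sensitive:
                self.tainted[key].add(ev.target)
            return []
        ip, port = ev.target.rsplit(":", 1)
        port = int(port)
        verdicts = []
        # Application-identity segmentation: the service names its trusted clients.
        allowed = self.policy.get((ip, port))
        if allowed is not None and ev.app not in allowed:
            verdicts.append(f"block: {ev.app} on {ev.vm} is not a trusted client of {ip}:{port}")
        # Data-flow tracking: sensitive read by this process, now an external connection.
        read = self.tainted.get(key)
        if read and ip_address(ip) not in self.internal:
            verdicts.append(f"alert: {ev.app} (pid {ev.pid} on {ev.vm}) read "
                            f"{', '.join(sorted(read))} and now connects to external {ip}:{port}")
        return verdicts

def run(events, tracker=None):
    """Feed an event stream through one tracker and collect all verdicts in order."""
    if tracker is None:
        tracker = FlowTracker()
    out = []
    for ev in events:
        out.extend(tracker.handle(ev))
    return out

EVENTS = [  # constructed event stream
    Event("connect", "app-01", 300, "app-server", "10.0.2.20:5432"),           # trusted client
    Event("connect", "web-01", 882, "curl-sync", "10.0.2.20:5432"),            # untrusted client
    Event("read", "db-02", 777, "report-gen", "db-02:/var/lib/pg/customers"),  # sensitive read
    Event("connect", "db-02", 777, "report-gen", "10.0.3.4:443"),              # internal, fine
    Event("connect", "db-02", 778, "report-gen", "198.51.100.7:443"),          # other pid, no taint
    Event("connect", "db-02", 777, "report-gen", "198.51.100.7:443"),          # potential leak
]

if __name__ == "__main__":
    for verdict in run(EVENTS):
        print(verdict)
```

The taint is keyed by (VM, pid) rather than by application name, which is why the second `report-gen` instance (pid 778) connecting externally produces nothing: only the process that actually read the sensitive source is linked to the outbound connection, which is the per-process view the paragraph describes and a per-VM or per-server profile would blur.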
Learn more about VMware vDefend Distributed Firewall and VMware vDefend Advanced Threat Prevention.