
Introducing Intelligent Assist for vDefend: Turbocharge Threat Defense with GenAI-Driven Intelligence

VMware vDefend’s GenAI co-pilot innovation speeds up ransomware threat defense with context-driven explainability of the attack chain, correlated threat campaign insights, and guided remediation.

There’s a lot of euphoria around generative AI/GenAI today, not just among enterprises but also among threat actors wanting to cast a wider net for ransom. As these technologies evolve, they will be more deeply embedded into security workflows, helping enterprises stay ahead of emerging threats and enabling defenders to be more effective than ever. VMware vDefend has long been at the forefront of the AI/ML innovation journey, which includes the use of AI for micro-segmentation rule recommendation and applying ML to traffic flows and workload contexts to deliver granular insights. We have now embarked on the logical but important next step with GenAI and Large Language Models (LLMs) to further enable customers to protect their crown jewels. 

Over the past year, our team has been hard at work on an initiative known as Project Cypress. The result is Intelligent Assist for vDefend, powered by GenAI and an LLM. This new capability simplifies the way virtualization, network security, and SOC teams understand detailed, contextual information about active threats and their impact. With just a few clicks, teams can initiate remediation, streamlining processes that once required complex workflows across multiple point products. By democratizing threat response, Intelligent Assist for vDefend enables security and infrastructure teams to operate far more collaboratively to defend against ransomware attacks and make a greater impact.

Decoding the Complexity of Security Threats and Alerts

Prior to the advent of GenAI, correlating actions across campaigns or investigating the relationships between threats and alerts was a manual, time-consuming process. Attempts to integrate multiple point solutions often introduced more complexity, increasing the risk of errors and visibility gaps.

All too often, critical context around an event—such as what occurred before and after—was missed. While there are numerous systems to score the severity or impact of vulnerabilities, they lack the ability to communicate this information in clear, natural language across teams, making it challenging to assess the true scope of threat campaigns. Sharing Indicators of Compromise (IoCs) for threat hunting has also been historically difficult for similar reasons.

Generative AI makes security operations faster and smoother. GenAI-powered tools significantly accelerate the ability of security teams to sift through large volumes of alerts, which would otherwise be overwhelming due to the high number of threats. GenAI can save hours—or even days—of manual efforts by intelligently prioritizing and correlating these alerts for appropriate remediation. This increase in speed translates directly to enhanced threat defense posture.

Introducing Intelligent Assist for vDefend

At its core, Intelligent Assist is an interactive chatbot powered by a Large Language Model (LLM) integrated directly into the vDefend user interface (UI). This chatbot explains detection events in plain English, helping security teams grasp the full impact of threats while enhancing collaboration across the organization. This not only lowers the false positive rate but also accelerates the remediation process. With an easy-to-use natural language interface, analysts can ask specific questions to gain deeper contextual insights whenever needed.

Key features of Intelligent Assist for vDefend include its ability to explain threats in plain English, as well as its automated response and remediation capabilities. The platform is purposefully designed to offer a simple and intuitive user experience.

Let’s dive into these features.

Explainability

Consider a typical ransomware scenario involving data exfiltration via tools like dnscat, which creates an encrypted Command-and-Control (C&C) channel over the DNS protocol. With our comprehensive set of IDS signatures, vDefend detects this malicious activity and generates a high-impact detection event. Intelligent Assist provides additional context for the SOC operator, revealing that other events suggest Darkside ransomware was the initial attack vector. Moreover, it confirms that the impact is significant but currently contained to a specific workload. With this information in hand, the SOC team can confidently conclude that the event is a true positive, prompting immediate action.

Intelligent Assist’s ability to explain threats and events in plain English allows security, network and virtualization teams to immediately assess the scope and impact of individual threats. By automatically identifying related events and displaying Indicators of Compromise (IoCs), it eliminates visibility gaps across the security stack and accelerates time-to-insight far beyond what was previously possible.

Automatic Response and Remediation

Once an event is verified as a true positive, rapid and effective remediation is crucial. This is where Intelligent Assist steps in again, taking automatic, immediate remediation actions while you continue gathering information and conducting forensic analyses.

Depending on your risk tolerance and the potential impact on legitimate traffic and business productivity, you can choose between a targeted or comprehensive response:

  • Targeted response: This approach focuses on narrow, specific remediation actions to minimize business disruption. However, this ‘scalpel-like’ strategy carries the risk of not fully containing the attack.
  • Comprehensive response: Broader in scope, this ‘hammer’ approach is more likely to prevent lateral threat movement but poses a higher risk of disrupting normal business operations.

Whenever Intelligent Assist identifies an attack campaign, it recommends an appropriate response strategy. In the example below, involving an in-progress ransomware attack, Intelligent Assist has recommended a comprehensive remediation policy. While Intelligent Assist automates policy creation, it is not meant to be a fully autonomous system. The security team still has the final say—Intelligent Assist generates the policy, but it’s not enforced until reviewed and activated by a security expert. In this case, the recommended policy blocks all outbound DNS communication from the impacted workload to prevent further propagation of the threat.
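The following added example sketches the two steps described in the explainability scenario and in the remediation section above: correlating a DNS C&C detection with earlier events on the same workload to judge whether the attack is contained, and then drafting a targeted or comprehensive containment policy that stays unenforced until an analyst activates it. This is illustrative code written for this post, not vDefend's implementation; the event fields, the signature names, and the rule schema are all assumed.

```python
"""Correlate IDS detection events on a workload and draft a containment
policy. Illustrative only: event format and rule schema are assumed."""

# Constructed sample detection events (not real vDefend output).
EVENTS = [
    {"ts": 100, "workload": "web-01", "sig": "Darkside ransomware dropper"},
    {"ts": 160, "workload": "web-01", "sig": "dnscat DNS tunnel C&C",
     "dst_domain": "c2.example.invalid"},
    {"ts": 170, "workload": "db-02", "sig": "Suspicious login"},
]
C2_SIG = "dnscat DNS tunnel C&C"


def correlate(events, target_sig, window=600):
    """Map each workload that raised target_sig to every event on that
    workload within `window` seconds of one of its hits."""
    hits = [e for e in events if e["sig"] == target_sig]
    related = {}
    for wl in sorted({h["workload"] for h in hits}):
        wl_hits = [h for h in hits if h["workload"] == wl]
        related[wl] = [e for e in events if e["workload"] == wl and
                       any(abs(e["ts"] - h["ts"]) <= window for h in wl_hits)]
    return related


def assess(events, target_sig):
    """Summarise scope: impacted workloads, containment, and the other
    signatures seen on them (the likely initial vector)."""
    related = correlate(events, target_sig)
    return {
        "impacted_workloads": sorted(related),
        "contained": len(related) == 1,
        "prior_signatures": sorted({e["sig"] for evs in related.values()
                                    for e in evs if e["sig"] != target_sig}),
    }


def recommend_policy(assessment, events, target_sig, mode):
    """'comprehensive' drops all outbound DNS from impacted workloads (the
    'hammer'); 'targeted' drops only the observed C&C name (the 'scalpel')."""
    rules = []
    for wl in assessment["impacted_workloads"]:
        if mode == "comprehensive":
            rules.append({"src": wl, "proto": "udp/tcp", "dport": 53, "action": "DROP"})
        else:
            names = {e.get("dst_domain") for e in events
                     if e["sig"] == target_sig and e["workload"] == wl}
            for name in sorted(n for n in names if n):
                rules.append({"src": wl, "dns_name": name, "action": "DROP"})
    # Drafted, not enforced: an analyst reviews and activates it.
    return {"mode": mode, "enforced": False, "rules": rules}
```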

Seamless and Intuitive User Experience

When designing Intelligent Assist, we focused on making the end-user experience as seamless and intuitive as possible. Features like chat export allow users to easily save and share relevant insights from conversations with other teams, while built-in feedback mechanisms ensure the system’s responses improve over time. Intelligent Assist also recommends queries, helping even the least experienced users unlock its full potential. The administrative dashboard is built to simplify user management, and multi-user session support, along with workflow management tools, enhances collaboration among various teams. Deploying Intelligent Assist is effortless. The solution leverages a secure Chrome browser extension, providing a direct communication channel. Simply download the extension, and you’re ready to go.

Try Intelligent Assist Today

Ready to take off with our threat defense co-pilot? Intelligent Assist for VMware vDefend is available to all ATP customers in a limited usage capacity.

To learn more about Intelligent Assist, watch the VMware Explore Las Vegas 2024 technical breakout session here.