by: VMware Director—Security Engineering Kevin Berger; VMware Sr. Manager—InfoSec Bharath H C; VMware Sr. Security Engineer—InfoSec Dorian Mendez; VMware Sr. Security Engineer—InfoSec Nick Muramoto; VMware Sr. Security Engineer—InfoSec Umesh Sollapura
One chronic security issue facing enterprises today is that open source network monitoring tools and full packet capture engines are resource exhaustive. Their usefulness is ironically hindered by their effectiveness—they generate an incredible number of events and alerts, often thousands per day. This makes it difficult for security teams to identify true positives that represent clear and present threats. Additionally, they are very high maintenance in the areas of storage capacity, IO, CPU, and memory.
Examining the VMware security ecosystem, our security operations (SecOps) team realized the in-house intrusion detection system (IDS) solution required a complementary network detection and response (NDR) platform to effectively combat this resource-intensive issue—in addition to mitigating other challenges such as how to easily identify real threats.
Example of detected threats to the enterprise
Want it all and want it now
Naturally, such an infrastructure investment was not taken lightly, and a comprehensive ‘must-have’ requirements list was created by input from various security teams including threat intel, incident response (IR), security operations center (SOC), etc. The list included packet capture (PCAP), event correlation, customized rules, SSL fingerprinting, risk scoring for events and hosts in the infrastructure, API maturity for integration with other tools and automation, and readily available integration with the security orchestration, automation, and response
(SOAR) platform—among other desired components.
The ideal answer came in the form of VMware NSX Network Detection and Response™ (formerly Lastline), an NDR platform that makes heavy use of artificial intelligence (AI) technology. NSX Network Detection and Response offers a wide variety of benefits above and beyond our in-house solution, including better correlation and enrichment of events, significantly reduced false positives thanks to event and asset scoring, deep packet inspection and built-in sandboxing capabilities, and granular PCAPs.
NSX Network Detection and Response delivers actionable correlations and associated blueprints
Achieving new relevance—and deploying it
Deployment was seamless thanks to virtualized sensors and agents, as well as centralized management of sensors. Plus, NSX Network Detection and Response offers the ability to ingest traffic from legacy network port mirroring (SPAN) and test access point (TAP), two of the most common network traffic access methodologies.
Our team identified critical office locations based on the type of traffic, whether they were located in a high-risk country (HRC) or not, data center(s) utilized, and numerous other factors.
Once every relevant factor was taken into account, we completed host, asset and network tagging in order to quickly analyze every event and assign it a threat severity score. We then performed a complete integration with the SOAR platform before operationalizing NSX Network Detection and Response.
Results came automatically
The automation functionality in NSX Network Detection and Response dramatically increased the usability of the mountain of security data generated. The platform adds risk scoring to events, actionable intelligence for rapid response, and the ability to leverage syslog notifications to filter out low and medium alerts. In this manner, only high severity alerts are forwarded to SecOps so they can focus on the true positives—without worrying that they are ultimately pursuing dead ends.
Snapshot of NSX Network Detection and Response sandboxing and scoring
Finally, by investing the time to integrate NSX Network Detection and Response with the SOAR platform, teams reap significant automation benefits. SOAR’s ‘set it and forget it’ features work behind the scenes without requiring human intervention—a major time savings. For example, artifacts can be submitted for automatic sandboxing. Reports are then returned back to the SOAR platform with a highly accurate risk score. Once an anomaly is detected, it then sends a notification asking if an issue needs to be escalated.
Check back for more updates on our journey with NSX Network Detection and Response.
VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or [email protected] to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.
