How Carbon Black Brought Cybersecurity Out of the Dark Ages

by: VMware Director—Security Engineering Kevin Berger

Enterprise environments have become amazingly complex ecosystems, and that makes ensuring security for endpoints, servers, and containers a significant challenge. Traditional solutions work effectively under specific circumstances, but today there are simply too many attacks, too often, on too many fronts.

Realizing a different approach was required, VMware security experts transitioned to VMware Carbon Black® Cloud™. Now, one lightweight client can monitor millions of endpoints and workload operations. That enables teams to detect and prevent never-seen-before attacks in near real-time (NRT). In fact, personnel can analyze more than 500 billion events per day.

Diagram of the Carbon Black security ecosystem.

This is your pilot speaking

Using VMware Workspace ONE®, the security team launched a pilot program. Since the ultimate purpose of Carbon Black is to protect the entire enterprise, the pilot program followed a ‘go-big-or-go-home’ mentality. More than 60K desktops and 3K Windows servers were involved, yet strict deployment parameters ensured minimal disruption to colleagues. There was even an unforeseen factor that further tested Carbon Black’s real-world abilities—the majority of colleagues suddenly went remote thanks to COVID-19 restrictions.

Deployment and testing were broken into three categories—performance, detection, and prevention. Carbon Black metrics for all three had to improve dramatically upon those of the existing system. First, the VMware Colleague Experience and Technology team (CET) monitored performance levels to guarantee they exceeded the traditional norm. Within seven days, the Carbon Black sensor system was staged. This was instrumental in finding and resolving initial issues prior to the full launch.

Once the solution proved superior to its predecessor, the team activated Carbon Black Enterprise EDR to baseline the various business operations under surveillance—a detection process accomplished in less than 60 days. It captured substantially more endpoint detection and response (EDR) data than at any previous time in VMware history.

Once the comprehensive Enterprise EDR knowledge base was created, prevention was possible. This meant fine-tuning VMware-specific activities to repel malicious activity while allowing seamless business operation. Workspace ONE was employed to remove the existing legacy cybersecurity system, with the added benefit of saving VMware $900K per year in license fees and other costs.

We’re also human

One mandatory requirement for the Carbon Black deployment was close collaboration among groups—including Information Security, CET, the Windows server team, and the Security Business Unit (SBU)—as well as detailed planning that covered the colleagues affected, dedicated Carbon Black categories in the service desk, involvement of Oasis (our colleague support team), a dedicated Slack channel, and comprehensive project-team monitoring. Combined, these teams and components working in unison meant any issues that arose were immediately owned and quickly resolved.

Questions, lessons learned, and a cause to celebrate

We learned a number of lessons during the migration to Carbon Black. The #1 lesson was to keep expectations realistic, in addition to knowing exactly why the migration was necessary. Strategic planning well in advance of the cutover is mission-critical to overall success—today and down the road. Therefore, important questions need to be asked:

  • What problem are you trying to solve?
  • What is the timeline for deployment?
  • Is there an upcoming renewal prompting the switch?
  • Has your company had a recent breach?
  • Is there an upcoming compliance audit?
  • How are you going to remove the existing solution?

Other lessons learned include:

  • Have a dedicated team watching for alerts and other issues, tuning policies as needed
  • Always be vigilant for compatibility problems
  • Enable enforcement incrementally, one subset of systems at a time
  • Ensure a phased enablement of the enterprise EDR, as well as next-generation anti-virus (NGAV) tools
  • Implement tight coordination with Security Operations Center (SOC) and Incident Response teams regarding operational adoption
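The sequence the post describes, baselining in a detect-only window and then switching on prevention for one subset of systems at a time, can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not VMware's or Carbon Black's code and does not use the Carbon Black API. The event fields, the `desktop` and `winserver` rollout groups, and every sample process path are constructed for the example.

```python
# Added illustration (not VMware's or Carbon Black's code): a toy model of the
# rollout described above. Phase 1 records process-start events in monitor-only
# mode to build a per-group baseline; phase 2 turns on enforcement for one
# subset of systems at a time, so anything outside the baseline is blocked
# only on enforced groups and merely alerted on everywhere else.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-start event as an EDR sensor might report it (constructed)."""
    host: str
    group: str      # rollout subset, e.g. "desktop" or "winserver"
    parent: str     # parent executable path
    process: str    # executable that was started


# Constructed sample of the monitor-only (baseline) window.
BASELINE_WINDOW = [
    ProcEvent("desk-001", "desktop", r"C:\Windows\explorer.exe", r"C:\Program Files\Office\WINWORD.EXE"),
    ProcEvent("desk-002", "desktop", r"C:\Windows\explorer.exe", r"C:\Program Files\Office\WINWORD.EXE"),
    ProcEvent("desk-002", "desktop", r"C:\Windows\explorer.exe", r"C:\Program Files\Slack\slack.exe"),
    ProcEvent("srv-001", "winserver", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
]

# Constructed sample of events seen after the baseline was frozen.
LIVE_WINDOW = [
    ProcEvent("desk-003", "desktop", r"C:\Windows\explorer.exe", r"C:\Program Files\Office\WINWORD.EXE"),
    ProcEvent("desk-003", "desktop", r"C:\Program Files\Office\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv-002", "winserver", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent("srv-002", "winserver", r"C:\Windows\System32\svchost.exe", r"C:\Users\Public\updater.exe"),
]


def build_baseline(events):
    """Detection phase: record every (parent, process) pair seen, per group."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.group].add((e.parent, e.process))
    return dict(baseline)


def evaluate(events, baseline, enforced_groups):
    """Prevention phase: one verdict per event, honouring which groups are enforced.

    Known pairs are allowed everywhere. Unknown pairs are blocked on groups whose
    enforcement has been switched on and only raise an alert elsewhere, which is
    what a phased enablement looks like from the sensor's point of view.
    """
    verdicts = []
    for e in events:
        known = (e.parent, e.process) in baseline.get(e.group, set())
        if known:
            verdict = "allow"
        elif e.group in enforced_groups:
            verdict = "block"
        else:
            verdict = "alert"
        verdicts.append((e, verdict))
    return verdicts


def summarize(verdicts):
    """Counts per (group, verdict): the numbers a rollout team reviews before enabling the next subset."""
    return Counter((e.group, v) for e, v in verdicts)


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    # Wave 1: enforce on desktops only; servers stay in detect-only mode.
    results = evaluate(LIVE_WINDOW, base, enforced_groups={"desktop"})
    for e, v in results:
        print(f"{v:5s} {e.host:9s} {e.parent} -> {e.process}")
    print(dict(summarize(results)))
```

Running it with only the `desktop` group enforced blocks the unfamiliar Word-to-shell start on the desktop but merely alerts on the unfamiliar binary on the server; adding `winserver` to `enforced_groups` is the next wave. The summary counts are the kind of figure the dedicated alert-watching team would review between waves before widening enforcement.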

And don’t forget to hold frequent milestone celebrations so all stakeholders feel a sense of accomplishment!

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or [email protected] to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.