The API “is the future of networking,” according to VMware’s Tom Gillis, SVP and GM of the company’s Network and Security Business Unit.
“Code is not monolithic anymore,” he said. Instead, developers create applications made up of hundreds, possibly even thousands of microservices. “And each one of these microservices is talking through an API,” Gillis said. “The things that a network used to do was basically to connect and protect. So figuring out who gets to talk to who, but more importantly, who doesn’t get to talk to who. Fundamentally, that’s what networking and network security does.”
Containers and microservices, however, speak a different language, he continued. “So you have to understand the language of the application. HTTP is a new TCP. If you don’t speak HTTP and HTTPS, then you’re not in the conversation.”
Security remains a critical piece of this container world, and this requires API visibility and protection. This, Gillis said, is why VMware bought Mesh7.
Mesh7 developed API security software that detects and mitigates threats. It collects and correlates contextual data from APIs, host processes, user identities, public cloud data-event logs, and other sources of threat intelligence. And then it continually monitors applications for any API vulnerabilities and behavioral changes that could indicate a breach.
It’s built on the open source projects Istio and Envoy, which together form a service mesh substrate — and this is particularly important to VMware because Envoy is a foundational component of its Tanzu Service Mesh, which provides connectivity and security for microservices across Kubernetes clusters and clouds.
“Think of it like a combination of a load balancer and a firewall and an APM tool, all wrapped up into one architecture,” Gillis said. “It is the future of networking.”
VMware plans to announce the first Mesh7 integrations this summer. “We’ll probably announce at VMworld,” Gillis said.
The upcoming Mesh7 integrations, along with VMware’s other recent acquisitions including Lastline, Avi Networks, and Carbon Black, among others, also point to the vendor’s larger security business goal. “You can agree or disagree, but VMware has become a security company. We speak security, we have security, and we’re deploying security for our customers in a unique way,” Gillis said.
VMware Threat Intelligence Report

VMware also published a new threat intelligence report. The report, based on data collected between June and December 2020 by VMware sensors deployed across enterprise networks, provides insights into attacks that had already breached companies’ perimeter defenses.
It found that email continues to be the most common attack vector for gaining initial access, with more than 4% of all business emails analyzed containing a malicious component. Additionally, more than half of all malicious artifacts analyzed were delivered in a Zip archive.
More than 75% of lateral movement events identified were conducted using Remote Desktop Protocol (RDP), often with stolen credentials used to log in to other hosts on the network. VMware Senior Director of Threat Intelligence Giovanni Vigna points to this as an “interesting trend. It’s this idea of using existing tools, or even importing new tools that are actually legitimate tools, but they are being used in a malicious way.” Vigna co-founded Lastline, where he was CTO before VMware acquired the network threat detection company.
“We see Cobalt Strike, for example, used as part of the SolarWinds attack,” he added, referring to the popular threat emulation software used by penetration testers. “If we look at DarkSide, it’s all about PowerShell.” DarkSide, the ransomware gang that took down Colonial Pipeline earlier this week, uses PowerShell backdoors for persistence within corporate networks and also to deploy its ransomware.
“All these mechanisms are already on the system, and so it’s not a new piece of code that’s easy to recognize as external,” Vigna said. “It’s like using your antibodies against you because those tools have dual uses in many contexts.”
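The RDP lateral-movement pattern the report describes is visible in ordinary Windows logon telemetry, and this is the kind of check a detection engineer would write for it. The following is an added example, not VMware’s or Lastline’s code: Windows Security event 4624 records a successful logon, and LogonType 10 (RemoteInteractive) means the session came in over RDP, so a stolen credential being reused across the estate shows up as one account, or one source host, opening RDP sessions to many distinct destinations in a short window. The sample events, the 30-minute window and the fan-out threshold are constructed assumptions for the demonstration.

```python
"""Flag RDP-based lateral movement in Windows logon telemetry.

Added example; not VMware's or Lastline's code. Event 4624 = successful
logon, LogonType 10 = RemoteInteractive (RDP). Credential reuse for
lateral movement looks like one account (or one source host) reaching
many different hosts over RDP in a short time. Window, threshold and
sample records are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LogonEvent(NamedTuple):
    time: str          # ISO-8601 timestamp of the event
    event_id: int      # 4624 = logon succeeded, 4625 = logon failed
    logon_type: int    # 10 = RemoteInteractive (RDP), 3 = Network (SMB etc.)
    user: str          # TargetUserName
    src_ip: str        # IpAddress of the client that initiated the logon
    dst_host: str      # Computer that recorded the event (the destination)


RDP_LOGON_TYPE = 10
WINDOW = timedelta(minutes=30)   # assumed detection window
FANOUT_THRESHOLD = 3             # assumed: distinct hosts per window that trigger

# Constructed sample telemetry, not real data.
SAMPLE_EVENTS: List[LogonEvent] = [LogonEvent(*r) for r in [
    # normal: alice uses her jump host in the morning and again after lunch
    ("2021-05-10T08:55:00", 4624, 10, "CORP\\alice", "10.2.0.15", "JUMP01"),
    ("2021-05-10T13:40:00", 4624, 10, "CORP\\alice", "10.2.0.15", "JUMP01"),
    # normal: backup service touches many file servers, but over network logons, not RDP
    ("2021-05-10T09:00:00", 4624, 3, "CORP\\svc_backup", "10.1.5.20", "FS01"),
    ("2021-05-10T09:00:05", 4624, 3, "CORP\\svc_backup", "10.1.5.20", "FS02"),
    ("2021-05-10T09:00:10", 4624, 3, "CORP\\svc_backup", "10.1.5.20", "FS03"),
    # suspicious: an admin credential hops across four hosts from one workstation late at night
    ("2021-05-10T22:10:00", 4624, 10, "CORP\\it_admin", "10.2.0.88", "FS01"),
    ("2021-05-10T22:14:00", 4624, 10, "CORP\\it_admin", "10.2.0.88", "APP03"),
    ("2021-05-10T22:21:00", 4624, 10, "CORP\\it_admin", "10.2.0.88", "SQL02"),
    ("2021-05-10T22:29:00", 4624, 10, "CORP\\it_admin", "10.2.0.88", "DC01"),
    # a failed RDP attempt is not a session and is ignored by this rule
    ("2021-05-10T22:30:00", 4625, 10, "CORP\\it_admin", "10.2.0.88", "DC02"),
]]


def _ts(e: LogonEvent) -> datetime:
    return datetime.fromisoformat(e.time)


def rdp_sessions(events: List[LogonEvent]) -> List[LogonEvent]:
    """Keep only successful RDP logons, oldest first. Network logons (type 3)
    from service accounts are routine and would drown the signal."""
    return sorted((e for e in events
                   if e.event_id == 4624 and e.logon_type == RDP_LOGON_TYPE),
                  key=_ts)


def detect_fanout(events: List[LogonEvent], key: str = "user",
                  window: timedelta = WINDOW,
                  threshold: int = FANOUT_THRESHOLD) -> Dict[str, List[str]]:
    """Group RDP sessions by `key` ('user' catches a reused credential,
    'src_ip' catches a pivot box) and slide a time window over each group.
    Returns {group: sorted distinct destinations} for every group whose
    window ever contained >= threshold distinct destination hosts."""
    groups: Dict[str, List[LogonEvent]] = defaultdict(list)
    for e in rdp_sessions(events):
        groups[getattr(e, key)].append(e)

    findings: Dict[str, List[str]] = {}
    for who, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            # advance the window's left edge until it spans at most `window`
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            dests = {e.dst_host for e in evs[start:end + 1]}
            if len(dests) >= threshold:
                findings[who] = sorted(dests | set(findings.get(who, [])))
    return findings


if __name__ == "__main__":
    for by in ("user", "src_ip"):
        for who, hosts in detect_fanout(SAMPLE_EVENTS, key=by).items():
            print(f"RDP fan-out by {by}: {who} -> {', '.join(hosts)}")
```

Filtering on logon type first matters: the same rule run over all 4624 events would flag the backup account, whose many network logons are exactly the legitimate dual-use behaviour Vigna describes. Grouping by source IP as well as by account catches the case where an attacker rotates through several stolen credentials from one compromised workstation.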
The report highlights the need for security teams to extend their threat detection and prevention capabilities beyond the firewall to cover East-West traffic, Gillis said. “The East-West controls, the security that sits between the flow of traffic in the data center, is the new battleground, and this is a place where we really shine,” he added.
VMware does this using a distributed security architecture that puts capabilities such as internal and web application firewalls, microsegmentation, intrusion detection and prevention systems, and network traffic analysis into the virtualization layer. “NSX gives us that distributed architecture,” Gillis said. Integrations with Avi Networks and Lastline provided the missing pieces, he added.
Gillis: 3 Steps to Data Center Security

Gillis says there are three steps to building “world-class security” in the data center. Step one is software-based segmentation, which can be as simple as separating the production environment from the development environment. “And then you want to make those segments smaller and smaller until we get them down to per-app segmentation, which we call microsegmentation,” he explained.
Step two requires visibility into in-band network traffic. “We’re gonna go through on a flow-by-flow basis, and start looking at, okay, this one is legitimate, and this one is WannaCry, and being able to figure that out using a distributed architecture,” Gillis said.
Step three involves the ability to do anomaly detection, which allows analysts to find unknown threats as the attackers continually change their tactics. “Most security-conscious companies do this with a network TAP,” Gillis said. These test access points (TAPs) allow companies to access and monitor network traffic by making copies of the packets.
However, deploying all of these network TAPs and storing the copies in a data lake becomes “very cumbersome, very operationally deficient,” Gillis said. “But with our distributed architecture, we can do this anomaly detection in the hypervisor and be TAP-less.”
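The three steps above can be made concrete with a small policy engine over east-west flow records. What follows is an added example, not VMware’s or NSX’s code: hosts are tagged with an environment and an app tier (step one, with per-app rules as the microsegmentation), every flow is evaluated against a default-deny allow-list (step two), and flows that the policy permits are then compared with a baseline learned from a trusted observation window, so a permitted-but-never-seen conversation is surfaced as an anomaly (step three). The host tags, the rules, the baseline window and the observed flows are all constructed for the demonstration, and the SMB sweep from web-1 is the WannaCry-style pattern the text mentions.

```python
"""Segment policy plus flow-baseline anomaly detection over east-west flows.

Added example; not VMware's or NSX's code. Step 1: tag hosts by
environment and app tier and express per-app microsegmentation as an
allow-list. Step 2: give each flow a verdict against that allow-list.
Step 3: compare policy-allowed flows with a learned baseline so that a
permitted but never-seen conversation is reported as an anomaly.
Tags, rules and flow records are constructed for the demonstration.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str    # source host name
    dst: str    # destination host name
    dport: int  # destination TCP port


# Step 1: inventory tags, (environment, app tier). Constructed sample data.
HOST_TAGS: Dict[str, Tuple[str, str]] = {
    "web-1": ("prod", "web"),   "web-2": ("prod", "web"),
    "api-1": ("prod", "api"),   "db-1": ("prod", "db"),
    "dns-1": ("prod", "infra"), "jump-1": ("prod", "mgmt"),
    "dev-web-1": ("dev", "web"), "dev-db-1": ("dev", "db"),
}

# Per-app allow-list: (src tier, dst tier, dport); "*" matches any tier.
# Everything else is denied, and cross-environment flows are denied first.
ALLOW_RULES: Set[Tuple[str, str, int]] = {
    ("web", "api", 8443),
    ("api", "db", 5432),
    ("*", "infra", 53),
    ("mgmt", "*", 22),
}

# Flows captured during a trusted window, used to learn the baseline (constructed).
BASELINE_FLOWS: List[Flow] = [
    Flow("web-1", "api-1", 8443), Flow("web-2", "api-1", 8443),
    Flow("api-1", "db-1", 5432), Flow("web-1", "dns-1", 53),
    Flow("api-1", "dns-1", 53), Flow("jump-1", "db-1", 22),
]

# Flows observed later, to be judged (constructed).
OBSERVED_FLOWS: List[Flow] = [
    Flow("web-1", "api-1", 8443),      # allowed and baselined
    Flow("api-1", "db-1", 5432),       # allowed and baselined
    Flow("jump-1", "web-1", 22),       # allowed by policy, never seen before
    Flow("dev-web-1", "db-1", 5432),   # dev talking to prod
    Flow("web-1", "db-1", 5432),       # web tier skipping the api tier
    Flow("web-1", "api-1", 445),       # SMB sweep from a web server...
    Flow("web-1", "db-1", 445),
    Flow("web-1", "web-2", 445),
    Flow("10.9.9.9", "api-1", 8443),   # source not in inventory
]


def policy_verdict(flow: Flow) -> str:
    """Step 2: evaluate one flow. Returns 'allow', 'deny-cross-env',
    'deny-no-rule' or 'deny-unknown-host'."""
    if flow.src not in HOST_TAGS or flow.dst not in HOST_TAGS:
        return "deny-unknown-host"
    (s_env, s_tier), (d_env, d_tier) = HOST_TAGS[flow.src], HOST_TAGS[flow.dst]
    if s_env != d_env:
        return "deny-cross-env"
    for rule_src, rule_dst, port in ALLOW_RULES:
        if rule_src in ("*", s_tier) and rule_dst in ("*", d_tier) and port == flow.dport:
            return "allow"
    return "deny-no-rule"


def learn_baseline(flows: List[Flow]) -> Set[Tuple[str, str, int]]:
    """Step 3 setup: remember every policy-allowed (src, dst, port) seen
    during the trusted window. Denied flows never enter the baseline."""
    return {(f.src, f.dst, f.dport) for f in flows if policy_verdict(f) == "allow"}


def analyze(flows: List[Flow], baseline: Set[Tuple[str, str, int]]) -> Dict[str, list]:
    """Split flows into policy-allowed-and-known, policy-allowed-but-novel
    ('anomaly'), and denied (paired with the reason)."""
    out: Dict[str, list] = {"allow": [], "anomaly": [], "deny": []}
    for f in flows:
        verdict = policy_verdict(f)
        if verdict != "allow":
            out["deny"].append((f, verdict))
        elif (f.src, f.dst, f.dport) not in baseline:
            out["anomaly"].append(f)
        else:
            out["allow"].append(f)
    return out


def deny_counts_by_source(result: Dict[str, list]) -> Dict[str, int]:
    """Where the denies cluster: a single host collecting many is a sweep."""
    return dict(Counter(f.src for f, _ in result["deny"]))


if __name__ == "__main__":
    res = analyze(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS))
    for f in res["anomaly"]:
        print(f"ANOMALY  {f.src} -> {f.dst}:{f.dport} (allowed, not in baseline)")
    for f, why in res["deny"]:
        print(f"DENY     {f.src} -> {f.dst}:{f.dport} ({why})")
    print("denies per source:", deny_counts_by_source(res))
```

The split between the policy verdict and the baseline check is the point: segmentation alone stops the dev-to-prod and web-to-db flows and the SMB sweep, but it says nothing about the jump host reaching a web server on a port the mgmt rule permits, which is exactly the kind of unknown the anomaly step is there to catch. The same structure applies whether the flow records come from a TAP, from NetFlow, or from the hypervisor vSwitch.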
“There’s actually a fourth step, or it’s kind of three B, which is anomaly detection using network-based parameters, and it’s super interesting,” he added. Gillis is talking about extended detection and response (XDR), which combines endpoint detection and response with network detection and response. XDR centralizes security data, threat hunting, and incident response.
“We make XDR easy to deploy,” along with its other security products and services, Gillis said. “All of this stuff is designed to be operationalized at scale in the data center in ways that I think will be very difficult without us.”