VMware rolled out its extended detection and response (XDR) strategy at VMworld, and joined security vendors including Cisco, Microsoft, McAfee, and Palo Alto Networks in jumping on the latest buzzy acronym bandwagon. But it’s been laying the foundation for XDR for more than a year, said Tom Corn, SVP of VMware’s Security Business Unit.
“This is largely about the problem of security-incident detection and response,” Corn said during an interview with SDxCentral at the virtual event. “Security operations teams need to be able to detect security issues that have circumvented their controls — the hardening and the prevention. They need to be able to investigate it, understand everywhere where that activity is happening, be able to rewind the cameras to understand how an attacker got to that point, and where have they gone since.”
Security operations teams need to understand the attacker’s campaign, not just locate and isolate infected machines, he added. “That’s critical because in the absence of dealing with the campaign, you end up playing a game of whack a mole.”
XDR aims to help security teams understand and detect threats by correlating threat intelligence across security products and providing visibility across networks, clouds, and endpoints. It does this by combining elements of security information and event management (SIEM), security orchestration, automation and response (SOAR), endpoint detection and response (EDR), and network traffic analysis (NTA) in a software-as-a-service (SaaS) platform to centralize security data and incident response.
Carbon Black Cloud, aka VMware’s XDR Platform
VMware’s XDR strategy includes five pillars, Corn said. The first piece is the SaaS platform that provides centralized data and security analytics for the security operations team. “This will be a natural evolution of what we’re delivering today with Carbon Black Cloud,” Corn explained.
VMware bought Carbon Black for $2.1 billion last year. This acquisition gave it the Carbon Black Cloud, which is a SaaS platform that provides anti-virus capabilities, EDR, threat hunting, and vulnerability management from a single console. Carbon Black Cloud’s evolution into an XDR platform includes product integrations with existing VMware products like Workspace One, vSphere, and the NSX Service-defined Firewall, as well as third-party partner platforms.
Network, Endpoint Threat Hunters
The second XDR pillar involves expanding VMware’s threat intelligence team, which now numbers more than 100 threat hunters. “VMware Carbon Black originally had developed a threat analytics unit — we refer to it as TAU,” Corn said.
In addition to growing the TAU team over the 14 months since the acquisition closed, VMware also bought Lastline, which adds network detection and response (NDR) to its security arsenal. Corn said the company’s been combining the two threat hunting teams.
“We’re trying to build a team that can think about threats, analyze threats, and articulate threats through multiple dimensions,” he explained. “The Lastline team was really looking at it from a network perspective, and the Carbon Black team was looking at it from an endpoint and workload perspective. So part of what we’re trying to do by bringing these things together is widen their views so that you can think about this from multiple angles.”
XDR-Enabled Security Controls
The third piece focuses on XDR-enabled controls, or creating security controls that not only plug into Carbon Black Cloud, but also leverage context from other domains. “A good example of this is the NSX Service-defined Firewall,” Corn explained. This is VMware’s internal firewall that combines the capabilities of VMware’s NSX virtualization platform, which provides network and application visibility, and its App Defense security product, which protects workloads by monitoring them against their intended state. It also adds automated and adaptive firewall capabilities to the mix.
With these XDR-enabled controls the security team can use the NSX Service-defined Firewall to microsegment some virtual desktops and then create a security policy that factors in identity and workload information. “You can have a policy that says if the person logged into that desktop is a contractor, their traffic can only go to these places,” Corn explained.
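As an added illustration of the identity-plus-workload policy Corn describes, the following is a constructed example and not VMware’s or NSX’s own policy model or API; the rule format, group names, desktop names and tags are all assumptions. It contrasts a network-only rule set, which lets any desktop in the pool reach internal apps, with an identity-aware rule set in which the same desktop is confined to the contractor portal when a contractor is logged in.

```python
# Added illustration (not VMware's or NSX's policy model): identity-aware
# microsegmentation rules for a pool of virtual desktops. All names are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_desktop: str             # the VDI instance originating the traffic
    user_groups: FrozenSet[str]  # identity context: groups of the logged-in user
    dst_tags: FrozenSet[str]     # workload context: tags on the destination


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    user_group: Optional[str] = None         # None: the rule ignores identity
    dst_tags: FrozenSet[str] = frozenset()   # empty: any destination matches

    def matches(self, flow: Flow) -> bool:
        if self.user_group is not None and self.user_group not in flow.user_groups:
            return False
        return not self.dst_tags or bool(self.dst_tags & flow.dst_tags)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; an unmatched flow is denied by default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default-deny", "deny"


# Network-only policy: every desktop in the pool may reach internal apps.
NETWORK_ONLY = [Rule("vdi-to-internal", "allow", dst_tags=frozenset({"internal-app"}))]

# Identity-aware policy: contractors may only reach the contractor portal,
# employees keep their access to internal apps.
IDENTITY_AWARE = [
    Rule("contractor-portal-only", "allow", "contractor", frozenset({"contractor-portal"})),
    Rule("contractor-deny-rest", "deny", "contractor"),
    Rule("employee-internal", "allow", "employee", frozenset({"internal-app"})),
]

# Constructed sample flows: same desktop, different logged-in identity.
CONTRACTOR_TO_HR = Flow("vdi-07", frozenset({"contractor"}), frozenset({"internal-app", "hr"}))
EMPLOYEE_TO_HR = Flow("vdi-07", frozenset({"employee"}), frozenset({"internal-app", "hr"}))
CONTRACTOR_TO_PORTAL = Flow("vdi-07", frozenset({"contractor"}), frozenset({"contractor-portal"}))

if __name__ == "__main__":
    for flow in (CONTRACTOR_TO_HR, EMPLOYEE_TO_HR, CONTRACTOR_TO_PORTAL):
        print(sorted(flow.user_groups), evaluate(NETWORK_ONLY, flow), evaluate(IDENTITY_AWARE, flow))
```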
Building Security Into Infrastructure
“The fourth pillar of the strategy is to build these things into the infrastructure themselves,” Corn said, citing a new product called Carbon Black Workload, which essentially integrates Carbon Black’s endpoint and workload protections into VMware’s vSphere compute virtualization platform. This provides agentless security, including prevention, detection, and response capabilities across workloads running in virtualized, private, and hybrid-cloud environments.
“There’s no agents, no appliances,” Corn said. “We’re trying to build platforms that out of the box are fully instrumented, so that it’s really about turning on security or turning off security, not installing and implementing it.”
Over the next year or two, VMware plans to provide deeper integrations with the NSX networking portfolio and also extend Carbon Black’s security capabilities to containers with VMware’s Tanzu Kubernetes portfolio.
VMware XDR Ecosystem Partners
And finally, VMware is building out an XDR ecosystem. “It’s not a platform until you’ve created something that others can build value on top of,” Corn said.
In May, VMware Carbon Black SVP Patrick Morley announced the Next-Gen SOC Alliance between VMware and leading SIEM and SOAR vendors: Splunk, IBM Security, Google Cloud’s Chronicle, Exabeam, and Sumo Logic. The alliance aims to provide security operations center (SOC) teams with these SIEM and SOAR vendors’ visibility, prevention, detection, and response capabilities using the VMware fabric and its console to centralize security events and provide context.
It will also automate and orchestrate threat investigation and response, which VMware says will allow SOCs to scale and standardize their processes.
“We were foreshadowing a little bit of what we’re doing here [with XDR],” Corn said. VMware doesn’t have in-house SIEM and SOAR capabilities, which it needs to provide a full XDR platform. These vendor partnerships will be key for VMware to compete in the XDR market.
“This has got to allow people to solve a security problem, even if it’s not on VMware fabric,” he said. “If VMware doesn’t have a product in a particular area, we want to leave an open platform so that this can really extend end to end and fit into someone’s operational workflow.”