VMware officially entered the crowded extended detection and response (XDR) market with the introduction of Carbon Black XDR, built on its endpoint detection and response (EDR) and Contexa threat intelligence capabilities, during the VMware Explore Europe 2022 event. The vendor also announced several updates for its Project Northstar.
So far, almost all of the large security vendors and a majority of the endpoint detection and response (EDR) and security information and event management (SIEM) players have introduced or rolled out XDR platforms.
The market is “very confusing,” Tom Gillis, SVP and GM of VMware’s networking and advanced security business group, told SDxCentral. “The industry talks an awful lot about XDR, but it's our view that much of what is being discussed and marketed as XDR is nothing more than a rebranding of a SIEM because it's relying on sample data [and] metadata,” which leads to a high false positive rate in SIEM.
VMware is not replacing SIEM with XDR, however. Instead, it adds its standalone endpoint and network detection and remediation (ENDR) service into Carbon Black EDR and feeds the resulting alerts into SIEM or XDR platforms, Gillis explained.
To this end, the vendor will continue its partnership with Proofpoint, Splunk, and Okta for an open XDR ecosystem. “Correlating endpoint and network data that is unique to VMware,” he added. “We will then feed those alerts into Splunk [and] every other SIEM vendor. We will also take data from Okta, from Proofpoint, and correlate that data into a broader picture.”
VMware XDR Builds on ENDR, Contexa

Before unveiling Carbon Black XDR, VMware was already a member of the XDR Alliance to help the community build standards.
Per Gartner, XDR offers improved threat prevention, detection, and response capabilities for security operations teams. XDR combines elements of EDR, SIEM, security orchestration, automation, and response (SOAR), and network traffic analysis (NTA) in a software-as-a-service (SaaS) platform.
Gillis argues the concept of XDR is evolving. “XDR, which is extended detection and remediation, doesn't necessarily require that you look across all systems,” he said. “If you're gonna say that an XDR has to do all of those things and you've immediately positioned every SIEM system as an XDR and we haven't been able to differentiate. So that's not a fight that I really want to fight.”
“We have what I oftentimes call ENDR — we are correlating high-fidelity, process-level data from the endpoint with packet-level data on the network and creating super high fidelity alerts, which are actionable on their own right, but also can be fed into a larger SIEM.”
Those alerts and detections are based on VMware’s “brain” — Contexa, which gathers telemetry from different systems including network and hybrid cloud to better identify suspicious behaviors and abnormalities.
“Contexa is our central repository for the telemetry where we do the analytics and do the correlation,” Gillis said. “It’s combining the Carbon Black awareness of the application with the NSX awareness of the network.”
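The ENDR correlation Gillis describes, as an added illustration (this is not VMware's or Carbon Black's code, and it does not describe how Contexa actually works): an endpoint-only heuristic yields candidates, and a candidate becomes an alert only when the same process is then seen opening an outbound flow to an external address within a short window. The record shapes, the Office-spawned-script-host heuristic, the RFC 1918 internal-range check and the sample telemetry are all assumptions constructed for the example.

```python
"""Added illustration of endpoint/network alert correlation (constructed example,
not VMware or Carbon Black code): an endpoint-only heuristic produces candidates,
and a candidate becomes an alert only when network telemetry corroborates it."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    """Process-start record as an endpoint sensor might report it (assumed shape)."""
    host: str
    ts: datetime
    pid: int
    image: str
    parent_image: str


@dataclass(frozen=True)
class NetFlow:
    """Outbound flow record as a network sensor might report it (assumed shape);
    pid is the originating process if the sensor could attribute it, else 0."""
    host: str
    ts: datetime
    pid: int
    dst_ip: str
    dst_port: int
    bytes_out: int


T0 = datetime(2022, 11, 8, 10, 0, 0)

# Constructed sample telemetry: wks-a shows an Office-spawned script host that then
# talks to an external address; wks-b shows the same process pattern but only
# internal traffic; wks-c is ordinary browsing.
PROCESS_EVENTS = [
    ProcessEvent("wks-a", T0, 4242,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent("wks-b", T0 + timedelta(minutes=5), 5151,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcessEvent("wks-c", T0 + timedelta(minutes=7), 6161,
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe"),
]
FLOWS = [
    NetFlow("wks-a", T0 + timedelta(seconds=12), 4242, "203.0.113.5", 443, 48_210),
    NetFlow("wks-a", T0 + timedelta(seconds=40), 4242, "203.0.113.5", 443, 1_024),
    NetFlow("wks-b", T0 + timedelta(minutes=5, seconds=3), 5151, "10.0.0.7", 445, 2_048),
    NetFlow("wks-c", T0 + timedelta(minutes=7, seconds=1), 6161, "198.51.100.9", 443, 90_000),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# "Internal" here means the RFC 1918 ranges; adjust to the environment's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def endpoint_candidates(events):
    """Endpoint-only signal: a script host started by an Office application.
    Alone it also fires on harmless macros, so it yields candidates, not alerts."""
    return [e for e in events
            if basename(e.parent_image) in OFFICE_PARENTS and basename(e.image) in SCRIPT_HOSTS]


def correlate(events, flows, window=timedelta(seconds=60)):
    """Raise an alert only when the candidate process (same host and pid) opened an
    outbound flow to an external address within `window` of starting."""
    alerts = []
    for e in endpoint_candidates(events):
        corroborating = [
            f for f in flows
            if f.host == e.host and f.pid == e.pid
            and e.ts <= f.ts <= e.ts + window
            and not is_internal(f.dst_ip)
        ]
        if corroborating:
            alerts.append({
                "host": e.host,
                "pid": e.pid,
                "image": basename(e.image),
                "parent": basename(e.parent_image),
                "destinations": sorted({(f.dst_ip, f.dst_port) for f in corroborating}),
                "bytes_out": sum(f.bytes_out for f in corroborating),
            })
    return alerts


if __name__ == "__main__":
    print("candidates:", [(e.host, e.pid) for e in endpoint_candidates(PROCESS_EVENTS)])
    for alert in correlate(PROCESS_EVENTS, FLOWS):
        print("ALERT", alert)
```

Run as-is, the endpoint heuristic flags both wks-a and wks-b, but only wks-a becomes an alert, because wks-b's script host only talked to an internal file server. That is the false-positive reduction the article attributes to joining process-level and network-level data; in a real deployment the join key is whatever the endpoint sensor and network sensor share (here host and pid), and the window and destination policy are tuning knobs rather than fixed values.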
Contexa was introduced earlier this year. VMware claims it records and processes over 1.5 trillion endpoint events and over 10 billion network flows daily, which are further analyzed using machine learning and the insights of over 500 researchers across VMware’s Threat Analysis Unit and incident response partners.
Project Northstar Updates

VMware announced a centralized cloud console for networking and security in the hybrid, multicloud environment — Project Northstar — in a technology preview at this year’s VMware Explore U.S.
The project offers a centralized console for consistent software-as-a-service (SaaS) consumption of VMware’s networking and security offerings including network and security policy management, network detection and response (NDR), NSX Intelligence network visibility and analytics, advanced load balancing, and HCX workload mobility for private cloud and VMware Cloud deployments.
Today at Explore Europe, the vendor introduced VMware HCX+, a managed workload migration and mobility as-a-service for multicloud environments.
The “+” is “a terminology that VMware is using to denote a multi-tenant, SaaS-based cloud control plane offering,” Gillis explained.
HCX “allows a workload running at a private cloud to just pick up and move to Amazon or to Google or Microsoft or to move from one to the other. So HCX is that really important operational capability of moving workloads across clouds. Having the control plane exist as a SaaS service is very logical and makes perfect sense,” he added.
VMware plans to release Project Northstar in the first quarter of next year.