VMware introduced a threat intelligence database dubbed Contexa today, which gathers telemetry from different systems, including the network and hybrid cloud, to better identify suspicious behaviors and abnormalities.

Contexa “is that amalgamation of the four different security threat telemetry databases that we have at VMware, from the endpoint to the application,” Tom Gillis, SVP and GM of the networking and advanced security business group at VMware, explained in a briefing for the announcements.

It pulls together telemetry from the endpoint, the access point, the cloud edge, and the traffic between containers, virtual machines, and clouds, drawing on VMware’s endpoint detection and response (EDR), secure access service edge (SASE), hybrid-cloud, virtual machine, and service mesh platforms, into a common threat database, he added. “It allows us to spot and see these attackers are trying to mask themselves like real application traffic far more effectively than any other solution.”

This security threat intelligence capability records and processes over 1.5 trillion endpoint events and over 10 billion network flows daily, along with data captured from other technology partners, VMware claims.

To further analyze that context, VMware uses machine learning, insights from its threat analysis unit, which includes over 500 researchers, and incident response partners.

“Anytime we do security analytics, it's a combination of humans and machines” that is built on both supervised and unsupervised machine learning, Gillis said. “We break an attack down to its fundamental DNA, which allows us to see derivative attacks very effectively, that really comes from the supervised machine learning, that oversight is provided by the threat analysis unit human beings.”

Contexa uncovers over 2.2 billion suspicious behaviors every day and offers “zero-touch” detection and automated response for over 80% of those events, the company touts.

It also integrates into VMware’s products, including the NSX Advanced Threat Protection platform, Carbon Black Cloud, Tanzu Service Mesh, and Workspace ONE, at no additional cost to users. “It's the brains that help us identify friend from foe,” Gillis said.

VMware Joins XDR Alliance

Ahead of the RSA Conference, VMware also announced that it has joined the XDR Alliance, a cybersecurity partnership committed to building an inclusive and collaborative extended detection and response (XDR) framework and architecture.

“We are joining the XDR Alliance to help build standards so that we can help work in the ecosystem to make sure that all of these systems work together and make the job of the security operations team easier and more effective,” Gillis noted.

VMware already works with partners like Proofpoint, Splunk, and Okta to build an open XDR ecosystem, he told SDxCentral in an earlier interview.

“Correlating endpoint and network together, this is what we do with our lateral security solution,” Gillis said in the briefing. “We believe there is a role for an XDR or a SIEM and that's why we're opening it, we're working with other vendors around the open XDR lines to create common data models to make the interoperability better and smoother.”

In addition, VMware introduced enhancements to its Workspace ONE platform with a Mobile Threat Defense capability to help protect devices from app-, device-, and network-originated threats, a Windows Server patching and management service, and new capabilities, built on the NSX platform, to identify and respond to malware and ransomware attacks in the network.