At VMworld 2020 VMware announced Carbon Black Cloud Workload (CBC Workload) as part of their intrinsic security approach.
For me, this was the biggest and most important announcement from this year’s VMworld. It is a new offering, which is relevant for every vSphere customer out there – even the small and medium enterprises, which maybe still just rely on ESXi and vCenter only for their environment.
CBC Workload introduces protection for workloads in private and public clouds. For vSphere, there is no additional agent installation needed, because the Carbon Black sensor (agent) is built into vSphere. That’s why you may hear that this solution is “agentless”.
Carbon Black Cloud Workload Bundles
This cloud-native (SaaS) solution provides foundational workload hardening and vulnerability management combined with prevention, detection and response capabilities to protect workloads running in virtualized private cloud and hybrid cloud environments.
Note: Customers, that are using vSphere and VMware Horizon, should take a look at Workspace Security VDI, which has also been announced at VMworld 2020. A single-vendor solution with the combination of VMware Horizon and Carbon Black.
If you would like to know more about the interoperability of Carbon Black and Horizon, have a look at KB79180.
Carbon Black Cloud Workload Overview
Customers and partners have now the possibility to provide a workload security solution for Windows and Linux virtual machines. The complete system requirements can be found here.
“You can enable Carbon Black in your data center with an easy one-click deployment. To minimize your deployment efforts, a lightweight Carbon Black launcher is made available with VMware Tools. Carbon Black launcher must be available on the Windows and Linux VMs.”
Carbon Black Cloud Workload consists of a few key components that interact with each other:
You must first deploy an on-premises OVF/OVA template for the Carbon Black Cloud Workload appliance (4 vCPU, 4GB RAM, 41GB storage) that connects the Carbon Black Cloud to the vCenter Server through a registration process. After the registration is complete, the Carbon Black Cloud Workload appliance deploys the Carbon Black Cloud Workload plug-in and collects the inventory from the vCenter Server.
The plug-in provides visibility into processes and network connections running on a virtual machine.
As a vCenter Server administrator, you want to have visibility of known vulnerabilities in your environment to understand your security posture and schedule maintenance windows for patching and remediation. With the help of vulnerability assessment, you can proactively minimize the risk in your environment. You can now monitor known vulnerabilities from the Carbon Black Cloud Workload plug-in:
The infosec guys in your company would do the vulnerability assessment from the CBC console:
Carbon Black Cloud Workload protection provides vSphere administrators a full inventory, appliance health and vulnerability reporting from one console, the already well-known vSphere Client.
Cybersecurity Requirements
According to the NIST Cybersecurity Framework the security lifecycle is made of five functions:
- Identify – Cloud & Service Context, Dynamic Asset Visibility, Compliance & Standards, Cloud Risk Management
- Protect – Services / API Defined, Cloud Access Control, Network Integrity, Data Security, Change Control & Guardrails
- Detect – Cloud-Speed, Inter-connected Services, Events & Anomalies, Continuous Monitoring
- Respond – DevOps Collaboration, Real-time Notifications, Automated Actions, Response as Code
- Recover – Templates / Code Review, Shift Left / Pipeline, Exceptions and Verification
CBC Workload focuses on identifying the risks with workload visibility and vulnerability management, which are part of the “Workload Essentials” edition.
If you would like to prevent malicious activities to protect your workloads and replace your existing legacy anti-virus (AV) solution, then “Workload Advanced” would be the right edition for you as it includes Next-Gen AV (NGAV).
Behavioral EDR (Endpoint Detection & Response), also part of the “Advanced” bundle, belongs to “detect & respond” of the security lifecycle.
Workload Security for Kubernetes
You just learned that Carbon Black Cloud gives workload protection for virtualized Windows or Linux virtual machines running on vSphere. What about container security for Kubernetes?
In May 2020 VMware officially closed its acquisition of Octarine, a SaaS security platform for protecting containers and Kubernetes. VMware bought Octarine to enable Carbon Black to secure applications running in Kubernetes.
Traditional security is no longer relevant for the security of Kubernetes, because Kubernetes is so powerful and hence risky, networking is very complex and a total different game, because static IPs and ports are no longer relevant. And you need a new security approach which is compatible with IT’s organizational shift from traditional to a DevSecOps approach.
VMware’s solution covers the whole lifecycle of the application from building the container to the app running in production. It is a two-part solution with the first one being “Guardrails“. It is able to scan container images for vulnerabilities and Kubernetes manifests for any misconfigurations.
The second part is runtime protection. When the workloads are deployed in production, the Carbon Black security agent is able to detect malicious activities.
Let’s have a look at the different features the Kubernetes “Guardrails” provide for each phase of the application:
- Build: Image vulnerability scanning, Kubernetes configuration hardening
- Deploy: Policy governance, compliance reporting, visibility and hardening
- Operate: Threat detection and response, anomaly detection and least privilege runtime, event monitoring
And these were the key capabilities and benefits, which have been mentioned at VMworld 2020 for “Guardrails”:
For “runtime” security the following key capabilities and benefits were mentioned:
- Visibility of network traffic
- Coverage of workloads and hosts activity
- Network policy management
- Threat detection
- Anomaly detection
- Egress security
- SIEM integration
Customers will be able to have visibility of all the workloads running in the local or cloud-native production clusters and how they interact with each other. They will also see which services are exposed to ingress traffic, which services are exiting the cluster and where this egress traffic is going to. It is also going to be visible which communication is encrypted and what type of encryption is used.
Note: The Carbon Black Cloud module for hardening and securing Kubernetes workloads is expected to be generally available until the end of 2020.
The launch of Carbon Black Workload was the first important step to let the intrinsic security vision become more a reality (after VMware acquired Carbon Black). Moving on with Kubernetes and bringing new container security capabilities is going to be the next big move forward, that VMware can become a major security provider.
Stay tuned for more security announcements!
Additional Resources
If you would like to know more about Carbon Black Cloud Workload and security for Kubernetes, have a look at:
- VMware TestDrive – Introduction to Carbon Black Cloud Workload
- Carbon Black Cloud Workload Datasheet
- VMworld 2020 – Session “ISWL2616” – Intro to VMware Carbon Black Cloud Workload
- VMworld 2020 – Session “ISWS2941” – Purpose-Built: Securing vSphere Workloads
- VMworld 2020 – Session “ISWL2942” – Securing Kubernetes Environments from Development Through Runtime
