Workspace ONE Mobile Threat Defense

It has been a while since I wrote about end-user computing (EUC) or anywhere-workspace related topics, but I had been waiting for a solution like this since I joined VMware back in 2018 as an EUC Solution Architect focusing on Horizon and Workspace ONE. Before I left for vacation in mid-June, VMware announced the general availability of Workspace ONE Mobile Threat Defense (MTD), which brings mobile security directly into Workspace ONE Intelligent Hub.

Workspace ONE (WS1) is VMware’s digital workspace platform that enables companies to simply and securely deliver and manage any app on any device. It integrates access control, application management and multi-platform endpoint management and is available as an on-premises deployment or as a cloud service (SaaS).

Part of WS1 is Workspace ONE UEM (Unified Endpoint Management), which gives customers the capabilities to manage the full lifecycle of any endpoint – mobile (iOS, Android), desktop (Windows 10/11, macOS, Chrome OS, Linux), rugged devices and even IoT devices – in one single solution and management console.

While Workspace ONE can enable a full zero trust architecture and provides different components that make a digital workspace more secure, there was no integrated solution available for mobile devices.

Before this announcement back in June 2022, Workspace ONE customers had to use Workspace ONE Intelligence with Workspace ONE Trust Network, which integrates threat data from third-party vendors that provide EDR (endpoint detection and response) solutions, mobile threat defense capabilities, or cloud access security brokers (CASB). WS1 Intelligence gives users and admins insights into the risks of devices and users.

Workspace ONE Intelligence provides visibility by aggregating data from multiple sources with the goal in mind to better understand the security posture of a user’s device and employee experience. In the case of mobile security, by using Workspace ONE Trust Network, admins can integrate and aggregate threat data from external sources like Zimperium Mobile Threat Defense, Netskope or Lookout Mobile Endpoint Security.

Mobile Endpoint Security

The next step in the evolution is a WS1 UEM-integrated mobile protection powered by Lookout. Finally, customers can provide mobile-specific protection and not only identity- or network-based security mechanisms.

What started with an API integrated approach with Workspace ONE Trust Network has become one solution by integrating Lookout’s SDK (Software Development Kit) into Workspace ONE’s Intelligent Hub. Customers do not have to install or activate a separate app.

Workspace ONE Mobile Threat Defense Key Features

WS1 MTD addresses the dangers of phishing and web content, threats, vulnerabilities, and behaviors unique to mobile (Android, iOS, Chrome OS):

  • Application-based threats including mobile malware, app vulnerabilities, and risky application behaviors and configurations
  • Web and content vulnerabilities exposed through phishing via email, SMS, and messaging apps. This includes malicious URLs; malicious web pages, videos, and photos; and web and content behaviors and configurations
  • Zero-day threats and device vulnerabilities including jailbreak and root access detection. Device risk including OS version and update adoption.
  • Machine-in-the-middle attacks (MITM) and risky behaviors such as SSL certificate stripping; forcing weaker algorithm negotiation; anomalous application network connection activity; and vulnerabilities associated with rogue Wi-Fi

Integrated with Workspace ONE Intelligence, customers get these additional capabilities:

  • Aggregate view of events across users and device types
  • Interconnect endpoint, app, and identity analytics; CVE data; and threat data
  • Automate remediation of devices back to secure and compliant state
  • Flag users and devices for investigation and follow up
  • Notify users of issues that require self remediation

Lookout has developed the Mobile Risk Matrix to help organizations understand the components and vectors that make up the spectrum of mobile risk:

Mobile Risk Matrix

How does it work?

This video provides a short and good explanation:

Product Components and Requirements

There are different components required to use Workspace ONE Mobile Threat Defense:

  • WS1 MTD is available for Workspace ONE UEM on-premises, SaaS or managed hosting customers
  • Workspace ONE Intelligent Hub 2204 or later
  • Lookout for Work Mobile App is optional
    • Only required for phishing and content protection, Android dual enrollment, and Chrome OS support
  • Workspace ONE Intelligence is optional
    • Required for customers that want to see threat data and use Intelligence’s automation engine

How to get Workspace ONE Mobile Threat Defense?

Workspace ONE Mobile Threat Defense is available with all Workspace ONE editions that deliver mobile management and UEM. This per-device add-on SKU can be subscribed to with these editions:

  • Workspace ONE Mobile Essentials
  • Workspace ONE UEM Essentials
  • Workspace ONE Standard
  • Workspace ONE Advanced
  • Workspace ONE Enterprise
  • Anywhere Workspace Enterprise

The Workspace ONE editions comparison datasheet can be found here.

Why VMware and Lookout?

Looking at the 2022 Gartner® Magic Quadrant™ for Unified Endpoint Management (UEM) Tools, one can see that VMware scored highest in 4 out of 4 use cases in the 2022 Gartner® Critical Capabilities for UEM Tools.

Lookout has a huge install base with more than 200 million devices and was the first in the industry to provide an enterprise mobile security product. Lookout’s demonstrated track record of continuous innovation creates value for customers and a competitive advantage (they hold more than 175 patents!):

The Company also continued to enhance its market-leading Mobile Threat Defense solution – Lookout Mobile Endpoint Security – with the release of two new innovative features: Mobile Endpoint Detection and Response (mEDR) and Protective DNS for iOS and Android platforms. Mobile EDR is used to detect and investigate threats on mobile endpoints through real-time continuous monitoring and endpoint data analytics. Protective DNS encrypts DNS queries and implements safeguards to prevent users from accessing domains associated with phishing, malware, botnets, and other high-risk categories before a connection to the endpoint can be established.

Want a Test Drive?

If you want to test Workspace ONE Mobile Threat Defense, have a look at this TestDrive knowledge base article.

Multi-Cloud and Sovereign Cloud – Deploy the Right Data to the Right Cloud

According to Gartner, regulated industry customers (such as finance and healthcare) and governments are looking for digital borders. Companies in these sectors are looking to reduce vendor lock-in and single points of failure with their cloud providers, whose data centers are sometimes outside their country (e.g., a Switzerland-based customer with an AWS data center in Frankfurt).

The market for cloud technology and services is currently dominated by US and Asian cloud providers and many (European) companies store their data in these regions. There are European regions and data centers, but the geopolitical and legal challenges, concerns about data control, industry compliance and sovereignty are driving the creation of new national clouds.

That is why Gartner sees sovereign clouds as one of the emerging technologies, currently sitting at the start of the hype cycle published in August 2021:

These are the emerging technologies in the Hype Cycle 2021 | IT-Markt

Image Source: https://www.it-markt.ch/news/2021-08-27/das-sind-die-aufstrebenden-technologien-im-hype-cycle-2021

Use Case 1 – Swiss Federal Administration

As an example and first use case I would mention the Swiss federal administration, which doesn’t see the need for an independent technical infrastructure under public law.

In June 2021 they published a statement that they had notified the following cloud providers that they would become part of the federal administration’s initial multi-cloud architecture:

  • Amazon Web Services (AWS)
  • IBM
  • Microsoft
  • Oracle
  • Alibaba

There are several reasons (pricing, market share, local data center availability) that led to the decision to build a multi-cloud architecture with these cloud providers. But it was interesting to read that the government did an assessment and concluded that no technically independent infrastructure is needed – no need for a local sovereign cloud.

This means that they want to keep their existing data centers to provide infrastructure and data sovereignty.

Interestingly, the Swiss confederation is exploring initiatives for secure and trustworthy data infrastructure for Europe and is examining participation in GAIA-X.

Use Case 2 – Current Sovereign Cloud Providers

There are other examples where organizations and governments saw the need for a sovereign cloud. Having a public cloud provider’s data center in the same country does not necessarily mean that it is a sovereign cloud per se. Hyperscale clouds often rely on non-domestic resources that maintain their data centers or provide customer support.

Governments and regulated industries say that you need domestic resources to provide a true sovereign cloud.

A good example here is the UK government, which has chosen the provider UKCloud, which delivers a consistent experience that spans the edge, private cloud and sovereign cloud.

Another VMware sovereign cloud provider is AUCloud, which provides IaaS to the Australian government, defense, defense industries and Critical National Industry (CNI) communities.

The third example I would like to highlight is Saudi Telecom Company (STC), which brings sovereign cloud services to Saudi Arabia.

What do UKCloud, AUCloud and STC have in common? They all joined the fairly new VMware Sovereign Cloud initiative and built their sovereign clouds based on VMware technology.

Use Case 3 – Cloud Act

Another motivation for a sovereign cloud could be the Cloud Act, which is a U.S. law that gives American authorities unrestricted access to the data of American IT cloud providers. It does not matter where the data is effectively stored. In the event of a criminal prosecution, the authorities have a free hand and do not even have to notify the data owners.

What does this mean for cloud users? Because of the Cloud Act, they cannot be sure whether, when and to what extent their data or the data of their customers will be read by foreign authorities.

Use Case 4 – GAIA-X

Let me quote the official explanation of GAIA-X:

The architecture of Gaia-X is based on the principle of decentralization. Gaia-X is the result of many individual data owners (users) and technology players (providers) – all adopting a common standard of rules and control mechanisms – the Gaia-X standard.

Together, we are developing a new concept of data infrastructure ecosystem, based on the values of openness, transparency, sovereignty, and interoperability, to enable trust. What emerges is not a new cloud physical infrastructure, but a software federation system that can connect several cloud service providers and data owners together to ensure data exchange in a trusted environment and boost the creation of new common data spaces to create digital economy.

Gaia-X aims to mitigate Europe’s dependency on non-European providers, and there seems to be no pre-defined architecture or preferred vendor when it comes to the underlying cloud platform GAIA-X sits on top of.

While one would believe that a sovereign cloud is mandatory for GAIA-X, it looks more like a cloud-agnostic data exchange platform hosted by European providers and customers.

I am curious how providers build, operate and maintain a sovereign cloud stack based on open-source software.

How real is the need for Sovereign Cloud?

If a company or government wants to keep, extend, and maintain its own local data centers, this is of course still a valid option. But the examples above show that the need for sovereign clouds exists and that global interest seems to be growing.

What is the VMware Sovereign Cloud Initiative?

In October 2021 VMware announced the VMware Sovereign Cloud initiative, in which they partner with cloud service providers to deliver a sovereign cloud infrastructure with cloud services on top to customers in regulated industries.

To become a so-called VMware Sovereign Cloud Provider, partners must go through an assessment and meet specific requirements (framework) to show their capability to provide a sovereign cloud infrastructure.

VMware defines a sovereign cloud as one that:

  • Protects and unlocks the value of critical data (e.g., national data, corporate data, and personal data) for both private and public sector organizations
  • Delivers a national capability for the digital economy
  • Secures data with audited security controls
  • Ensures compliance with data privacy laws
  • Improves control of data by providing both data residency and data sovereignty with full jurisdictional control

VMware aims to help regulated industry and government customers execute their cloud strategies by connecting them to VMware Sovereign Cloud Providers (like UKCloud, AUCloud, STC, Tietoevry, ThinkOn or OVHcloud).

Sovereign Cloud Providers in Switzerland

Currently, there is no official VMware Sovereign Cloud Provider in Switzerland. We do have a few strong VMware cloud provider partners as part of the VMware Cloud Provider Program (VCPP):

Let us come back to use case 1 with the Swiss federal administration. They are building a multi-cloud and would have, in Switzerland, at least 10 potential cloud service providers that could become an official VMware Sovereign Cloud Provider.

VMware Sovereign Cloud Borders

Image Source: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-sovereign-cloud-solution-brief-customer.pdf

There are other Swiss providers who are building a sovereign cloud based on open-source technologies like OpenStack.

Hyperscalers like Microsoft or Google need to partner with local providers if they want to build a sovereign cloud and deliver services.

VMware already has 4300+ partners with strategic partnerships and the same technology stack in 120+ countries, and some of them are already sovereign cloud providers, as mentioned before.

VMware Sovereign Cloud initiative

Image Source: https://blogs.vmware.com/cloud/2021/10/06/vmware-sovereign-cloud/

What are the biggest challenges with a multi-cloud and a sovereign cloud infrastructure?

What do you think are the biggest challenges of an organization that builds a multi-cloud with different public cloud providers and sovereign clouds?

Let me list a few questions here:

  • How can I easily migrate my workloads to the public or sovereign cloud?
  • How long does it take to migrate my applications?
  • Which cloud is the right one for a specific workload?
  • Do I need to refactor some of my applications?
  • How can I consistently manage and operate 5 different public/sovereign cloud providers?
  • What if one of my cloud providers is not strategic anymore? How can I build a cloud exit strategy?
  • How do I implement and maintain security?
  • What if I want to migrate workloads back from a public cloud to an on-premises (sovereign) cloud?
  • Which Kubernetes am I going to use in all these different clouds?
  • How do I manage and monitor all these different Kubernetes clusters, networking and security policies, create secure application communication between clouds and so on?
  • How do I control costs?

These are just a small number of questions, but I think it would take your organization or your cloud platform team a while to come up with a solution.

What is the VMware approach? Let me list some other articles of mine that help you to better understand the VMware multi-cloud approach:

Conclusion

Public cloud providers build local data centers and provide data residency. Sovereign clouds provide data sovereignty. Resident data may be accessed by a foreign authority while data sovereignty refers to data being subject to privacy laws and governance structures within the nation where that data is collected.

Controlling the location of and access to data in the cloud has become an important task for CIOs and CISOs. I personally believe that sovereign clouds are not something that will become important in 2 or 3 years; they are already very important and relevant, and we can expect growth in this area in the coming months.

My conclusion here is that sovereign clouds and public clouds are not competitors; they complement each other.

VMworld 2021 – Summary of VMware Projects

On day 1 of VMworld 2021 we have heard and seen a lot of super exciting announcements. I believe everyone is excited about all the news and innovations VMware has presented so far.

I’m not going to summarize all the news from day 1 or day 2, but I thought it might be helpful to have an overview of all the VMware projects that were mentioned during the general session and solution keynotes.

Project Cascade

VMware Project Cascade

Project Cascade will provide a unified Kubernetes interface for both on-demand infrastructure (IaaS) and containers (CaaS) across VMware Cloud – available through an open command line interface (CLI), APIs, or a GUI dashboard. Project Cascade will be built on an open foundation, with the open-sourced VM Operator as the first milestone delivery for Project Cascade that enables VM services on VMware Cloud.

VMworld 2021 session: Solution Keynote: The VMware Multi-Cloud Computing Infrastructure Strategy of 2021 [MCL3217]

Project Capitola

VMware Project Capitola

Project Capitola is a software-defined memory implementation that will aggregate tiers of different memory types such as DRAM, PMEM, NVMe and other future technologies in a cost-effective manner, to deliver a uniform consumption model that is transparent to applications.

VMworld 2021 session: Introducing VMware Project Capitola: Unbounding the ‘Memory Bound’ [MCL1453] and How vSphere Is Redefining Infrastructure For Running Apps In the Multi-Cloud Era [MCL2500]

Project Ensemble

VMware Project Ensemble

Project Ensemble integrates and automates multi-cloud management with vRealize. This means that all the different VMware cloud management capabilities—self-service, elasticity, metering, and more—are in one place. You can access all the data, analytics, and workflows to easily manage your cloud deployments at scale.

VMworld 2021 session: Introducing Project Ensemble Tech Preview [MCL1301]

Project Arctic

VMware Project Arctic

Project Arctic is “the next evolution of vSphere” and is about bringing your own hardware while taking advantage of VMware Cloud offerings to enable a hybrid cloud experience. Arctic natively integrates cloud connectivity into vSphere and establishes hybrid cloud as the default operating model.

VMworld 2021 session: What’s New in vSphere [APP1205] and How vSphere Is Redefining Infrastructure For Running Apps In the Multi-Cloud Era [MCL2500]

Project Monterey

VMware Project Monterey

Project Monterey was announced in the VMworld 2020 keynote. It is about SmartNICs that will redefine the data center with decoupled control and data planes for management, networking, storage and security for VMware ESXi hosts and bare-metal systems.

VMworld 2021 session: 10 Things You Need to Know About Project Monterey [MCL1833] and How vSphere Is Redefining Infrastructure For Running Apps In the Multi-Cloud Era [MCL2500]

Project Iris

I don’t remember anymore which session mentioned Project Iris but it is about the following:

Project Iris discovers and analyzes an organization’s full app portfolio; recommends which apps to rehost, replatform, or refactor; and enables customers to adapt their own transformation journey for each app, line of business, or data center.

Project Pacific

Project Pacific was announced at VMworld 2019. It is about re-architecting vSphere to integrate and embed Kubernetes and is known as “vSphere with Tanzu” (or TKGS) today. In other words, Project Pacific transformed vSphere into a Kubernetes-native platform with a Kubernetes control plane integrated directly into ESXi and vCenter. Pacific is part of the Tanzu portfolio.

VMworld 2019 session: Introducing Project Pacific: Transforming vSphere into the App Platform of the Future [HBI4937BE]

Project Santa Cruz

VMware Project Santa Cruz

Project Santa Cruz is a new integrated offering from VMware that brings edge compute and SD-WAN together to give you a secure, scalable, zero-touch edge runtime at all your edge locations. It connects your edge sites to centralized management planes for both your networking team and your cloud native infrastructure team. This solution is OCI compatible: if your app runs in a container, it can run on Santa Cruz.

VMworld 2021 session: Solution Keynote: What’s Next? A Look inside VMware’s Innovation Engine [VI3091]

Project Dawn Patrol

Project Dawn Patrol

So far, Project Dawn Patrol was only mentioned during the general session. “It will give you full visibility with a map of all your cloud assets and their dependencies”, Dormain Drewitz said.

VMworld 2021 session: General Session: Accelerating Innovation, Strategies for Winning Across Clouds and Apps [GEN3103]

Project Radium

VMware Project Radium

Last year VMware introduced vSphere Bitfusion, which allows shared access to a pool of GPUs over a network. Project Radium expands the feature set of Bitfusion to other architectures and will support AMD, Graphcore, Intel, Nvidia and other hardware vendors for AI/ML workloads.

VMworld 2021 session: Project Radium: Bringing Multi-Architecture compute to AI/ML workloads [VI1297]

Project IDEM

IDEM has been described as an “easy to use management automation technology”.

VMworld 2021 session: Solution Keynote: What’s Next? A Look inside VMware’s Innovation Engine [VI3091] and Next-Generation SaltStack: What Idem Brings to SaltStack [VI1865]

Please comment below or let me know via Twitter or LinkedIn if I missed a new or relevant VMware project. 😉

Must Watch VMworld Multi-Cloud Sessions

I recently wrote a short blog about some of the sessions I recommend to customers, partners and friends.

If you would like to know more about the VMware multi-cloud strategy and vision, have a look at some of the sessions below:

VMworld 2021 Must Watch Sessions

VMworld 2021 – My Content Catalog and Session Recommendation

VMworld 2021 is going to happen from October 6-7, 2021 (EMEA). This year you can expect many sessions and presentations about the options you have when combining different products, which help you reduce complexity, provide more automation and therefore create less overhead.

Let me share my 5 personal favorite picks and also 5 recommended sessions based on the conversations I had with multiple customers this year.

My 5 Personal Picks

10 Things You Need to Know About Project Monterey [MCL1833]

Project Monterey was announced in the VMworld 2020 keynote. There has been tremendous work done since then. Hear Niels Hagoort and Sudhansu Jain talking about SmartNICs and how they will redefine the data center with decoupled control and data planes – for ESXi hosts and bare-metal systems. They are going to cover and demo the overall architecture and use cases!

Upskill Your Workforce with Augmented and Virtual Reality and VMware [VI1596]

Learn from Matt Coppinger how augmented reality (AR) and virtual reality (VR) are transforming employee productivity, and how these solutions can be deployed and managed using VMware technologies. Matt is going to cover the top enterprise use cases for AR/VR as well as the challenges you might face deploying these emerging technologies. Are you interested in how to architect and configure VMware technologies to deploy and manage the latest AR/VR technology, applications and content? If yes, then this session is also for you.

Addressing Malware and Advanced Threats in the Network [SEC2027] (Tech+ Pass Only)

I am very interested in learning more about cybersecurity. With Chad Skipper, VMware has an expert who can give insights into how the Network Detection and Response (NDR) capabilities of NSX Advanced Threat Prevention provide visibility, detection and prevention of advanced threats.

60 Minutes of Non-Uniform Memory Access (NUMA) 3rd Edition [MCL1853]

Learn more about NUMA from Frank Denneman. You are going to learn more about the underlying configuration of a virtual machine and discover the connection between the General-Purpose Graphics Processing Unit (GPGPU) and the NUMA node. You will also understand how your knowledge of NUMA concepts in your cluster can help developers by aligning the Kubernetes nodes to the physical infrastructure with the help of VM Service.

Mount a Robust Defense in Depth Strategy Against Ransomware [SEC1287]

Are you interested in learning more about how to protect against, detect, respond to and recover from cybersecurity attacks across all technology stacks, regardless of their purpose or location? Learn more from Amanda Blevins about the VMware solutions for end users, private clouds, public clouds and modern applications.

5 Recommended Sessions based on Customer Conversations

Cryptographic Agility: Preparing for Quantum Safety and Future Transition [VI1505]

A lot of work is needed to better understand cryptographic agility and how we can address and manage the expected challenges that come with quantum computing. Hear VMware’s engineers from the Advanced Technology Group talking about the requirements of crypto agility and VMware’s recent research work on post-quantum cryptography in the VMware Unified Access Gateway (UAG) project.

Edge Computing in the VMware Office of the CTO: Innovations on the Horizon [VI2484]

Let Chris Wolf give you some insight into VMware’s strategic direction in support of edge computing. He is going to talk about solutions that will drive down costs while accelerating the velocity and agility in which new apps and services can be delivered to the edge.

Delivering a Continuous Stream of More Secure Containers on Kubernetes [APP2574]

In this session you can see how to use two capabilities in VMware Tanzu Advanced, Tanzu Build Service and Tanzu Application Catalog, to feed a continuous stream of patched and compliant containers into your continuous delivery (CD) system. A must-attend session delivered by David Zendzian, the VMware Tanzu Global Field CISO.

A Modern Firewall For any Cloud and any Workload [SEC2688]

VMware NSX firewall reimagines East-West security by using a distributed, software-based approach to attach security policies to every workload in any cloud. Chris Kruegel gives you insights into how to stop lateral movement with advanced threat prevention (ATP) capabilities via IDS/IPS, sandboxing, NTA and NDR.

A Practical Approach for End-to-End Zero Trust [SEC2733]

Hear the VMware CTOs Shawn Bass, Pere Monclus and Scott Lundgren talking about a zero trust approach. Shawn and the others will discuss specific capabilities that will enable customers to achieve a zero trust architecture that is aligned to the NIST guidance and covers secure access for users as well as secure access to workloads.

Enjoy VMworld 2021! 🙂

VMware is Becoming a Leading Cybersecurity Vendor

For most organizations it is still new that they can talk about cybersecurity with VMware. We saw VMware’s intrinsic security vision for the first time at VMworld 2019, and since then it has become more a strategy than a vision.

VMware is not new to enterprise security, and it didn’t start with Workspace ONE or with NSX. Security has been part of their DNA since the first time two virtual machines could share a physical host with isolated compute resources assigned to each.

Another example of (intrinsic) security came with vSAN and the encryption of data at rest, followed by unified endpoint management and identity/access management with Workspace ONE. But wait!

It was August 2013 when Pat Gelsinger introduced NSX as the platform for network virtualization, which already included the distributed firewall capability. The internal firewall has been built into the VMware hypervisor for almost 8 years now, wow!

NSX Service-Defined Firewall

I have had no customer so far who wasn’t talking about achieving zero trust security with micro-segmentation to prevent lateral (east-west) movement. Zero trust is one approach to improve data center defenses by inspecting every traffic flow within the data center. The idea is to divide the data center infrastructure into smaller security zones and to inspect the traffic between the zones based on the organization’s defined policies.

Perimeter Defense vs Micro-Segmentation

Micro-segmentation puts a firewall in front of each virtual machine or workload, allowing us to protect all east-west communication.

So, deploy micro-segmentation and the problem is solved, right? Not quite. While the concept of micro-segmentation has been around for a while, organizations still face barriers when trying to apply it in practice.

Let’s have a look at some of the barriers to micro-segmentation and why this solution alone is not enough (anymore) to achieve zero trust:

  • Policy discovery challenges – Identifying the right micro-segments and configuring the proper security policies is an extremely daunting task, especially in a dynamic data center environment.
  • Limited access controls – Basing micro-segmentation solely on L4 attributes (e.g., IP addresses and ports) is not enough. The ephemeral nature of applications and flows requires more than that.
  • Reliance on agents – Some micro-segmentation implementations require the installation of extra software agents on each virtual machine (VM), causing complexity and introducing vulnerability.
  • Lack of threat detection and prevention – Threats often masquerade as normal-looking traffic. Settling for basic traffic blocking rules isn’t enough.

What does that tell us? Understanding the topology of current applications and the communication flows between their sub-services and components is not easy. And with applications that are becoming less monolithic and more dynamic and distributed across multiple clouds, it becomes almost impossible, right?

NSX Intelligence is a home-grown solution that automates policy discovery, understands the communication between services and can construct app and flow maps (topologies).

NSX Intelligence Recommendations

Can we assume that traffic from A to B over HTTPS is safe per se with micro-segmentation? Nope.

If we want to enhance traffic analysis capabilities and have a deeper look into traffic, the L7 (application layer) capabilities for micro-segmentation can be used.

Port-based firewall rules cannot consume application IDs. A context-aware firewall identifies applications and enforces micro-segmentation for east-west traffic independent of the port that the application uses.

Another use case: for virtual desktop infrastructures (VDI), you could use VMware NSX’s ability to provide Active Directory identity-based firewall (IDFW) rules.
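To make the L4-versus-L7 point above concrete, here is an added example (not NSX code and not from the original post): a toy policy evaluator that matches constructed sample flows against the same rule set either by zone and port only, or with the application ID a context-aware firewall would supply. The zone names, ports, application labels and the three-tier rule set are assumptions.

```python
"""Added example: L4-only vs context-aware (application-ID) micro-segmentation.

Toy policy evaluator constructed for this article; it is not NSX's own logic.
Zone names, ports and application labels are assumptions. It shows the gap the
text describes: a rule keyed only on zone/port lets any protocol through on an
allowed port, while a context-aware rule also requires the identified app.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app_id: str  # application identified by L7 inspection (constructed label)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None = any destination port
    app_id: Optional[str]    # None = rule carries no application context
    action: str              # "allow" or "deny"


def matches(rule: Rule, flow: Flow, context_aware: bool) -> bool:
    """Match a flow against one rule.

    With context_aware=False only zones and port are compared (L4 behaviour);
    with context_aware=True the rule's app_id must also match the flow's.
    """
    if rule.src_zone != flow.src_zone or rule.dst_zone != flow.dst_zone:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    if context_aware and rule.app_id is not None and rule.app_id != flow.app_id:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow, context_aware: bool) -> str:
    """First-match evaluation with an implicit default deny."""
    for rule in rules:
        if matches(rule, flow, context_aware):
            return rule.action
    return "deny"


def port_only_gaps(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows an L4-only evaluation allows but a context-aware one denies."""
    return [f for f in flows
            if evaluate(rules, f, False) == "allow"
            and evaluate(rules, f, True) == "deny"]


# Constructed three-tier policy: web tier may talk HTTPS to the app tier,
# app tier may talk MySQL to the db tier, everything else is denied.
RULES = [
    Rule("web", "app", 443, "HTTPS", "allow"),
    Rule("app", "db", 3306, "MYSQL", "allow"),
]

# Constructed sample flows, labelled as an L7-capable sensor would label them.
FLOWS = [
    Flow("web", "app", 443, "HTTPS"),   # expected traffic
    Flow("web", "app", 443, "SSH"),     # wrong protocol on the HTTPS port
    Flow("app", "db", 3306, "MYSQL"),   # expected traffic
    Flow("web", "db", 3306, "MYSQL"),   # tier hop not allowed by policy
]


if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.src_zone}->{f.dst_zone}:{f.dst_port} {f.app_id:6} "
              f"L4={evaluate(RULES, f, False):5} L7={evaluate(RULES, f, True)}")
    print("missed by port-only rules:", port_only_gaps(RULES, FLOWS))
```

Only the second flow differs between the two modes: a port-only rule accepts it because the port is allowed, while the context-aware rule denies it because the identified application is not the one the rule permits.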

Okay. We have a topology now and can create context-aware service-defined firewall rules. How can we differentiate between good or bad traffic? How can we detect network anomalies?

Today’s attacks are becoming more sophisticated and hackers use masquerading techniques to embed threats within normal-looking traffic flows. Micro-segmentation alone will not intercept hidden threats, it only identifies traffic flows that should be allowed or blocked.

It’s time to talk about advanced inspection capabilities.

NSX Distributed IDS/IPS

In general, for a firewall to inspect traffic, the traffic has to pass through it. In a virtual world this means we would redirect traffic from the VMs to the firewalls and back, a practice called hair-pinning:

Firewall Hair-Pinning

That results in additional traffic and unnecessary latency. NSX has a distributed architecture: there is no centralized appliance that limits security capacity, and network traffic doesn’t need to be hair-pinned to a network security stack for inspection. Everything done with a physical appliance can now be done in software (see coloring).

Software-Defined Networking without Hair-Pinning

The term intrinsic security always means that security is built into the infrastructure. The micro-segmentation capabilities including NSX Intelligence come without an agent – no reliance on agents!

The VMware NSX Distributed IDS/IPS functionality adds additional traffic inspection capabilities to the service-defined firewall and follows the same intrinsic security principles.

Note: These regular-expression IDS/IPS engines detect traffic patterns and are programmed to look for malicious traffic patterns.
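To show what a pattern-matching IDS/IPS engine does with a packet, here is an added example (my own illustration, not NSX’s engine or its curated signature set). A small set of constructed signatures, written in the spirit of Snort/Suricata content rules, is run over constructed HTTP payloads; in IDS mode a match only raises an alert, in IPS mode a signature with action `drop` blocks the packet. Signature IDs, messages and payloads are all made up for the example.

```python
# Added example, not NSX code: regex signature matching in IDS (alert) vs IPS (drop) mode.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int            # constructed signature id
    msg: str
    pattern: re.Pattern
    action: str         # "alert" (log only) or "drop" (block in IPS mode)


# Constructed signatures; not NSX's real signature set.
SIGNATURES = (
    Signature(
        9000001,
        "HTTP directory traversal in request path",
        re.compile(rb"^(GET|POST) [^ \r\n]*(\.\./){2,}"),
        "drop",
    ),
    Signature(
        9000002,
        "Windows executable served over HTTP",
        re.compile(rb"\r\nContent-Type: application/x-msdownload\r\n"),
        "alert",
    ),
)


def match_signatures(payload: bytes):
    """Return every signature whose pattern occurs in the payload."""
    return [s for s in SIGNATURES if s.pattern.search(payload)]


def inspect(payload: bytes, mode: str = "ids"):
    """Return (verdict, [matched sids]).

    IDS mode never changes the verdict, it only reports. IPS mode drops the
    packet as soon as one matched signature carries the 'drop' action.
    """
    hits = match_signatures(payload)
    sids = [h.sid for h in hits]
    if mode == "ips" and any(h.action == "drop" for h in hits):
        return "drop", sids
    return "pass", sids


# Constructed sample packets.
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: app.internal\r\n\r\n"
TRAVERSAL_REQUEST = b"GET /static/../../../../config.ini HTTP/1.1\r\nHost: app.internal\r\n\r\n"
EXE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n"
    b"Content-Length: 2\r\n\r\nMZ"
)

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_REQUEST), ("traversal", TRAVERSAL_REQUEST), ("exe", EXE_RESPONSE)]:
        print(name, "ids:", inspect(pkt, "ids"), "ips:", inspect(pkt, "ips"))
```

Note that the executable-download signature is `alert` only, so it shows up in the log in both modes but never blocks; that is the usual way to stage a new signature before promoting it to `drop`, because a false positive in IPS mode breaks an application, while a false positive in IDS mode only costs an analyst a few minutes.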

NSX Distributed IDPS

NSX Advanced Threat Prevention (ATP)

At VMworld 2020 VMware announced NSX Advanced Threat Protection, which brings technology from its Lastline acquisition to the NSX service-defined firewall.

In my understanding, Lastline’s core product was a malware sandbox that can go deeper (than other sandboxes from other vendors) by using a full-system emulation to look at every instruction the malware executes.

The Lastline system uses machine learning that recognizes essential elements of an attack, unlike the narrow signature-based systems that miss the many variants an attacker may use. The Lastline approach is not just anomaly detection – anomaly detection treats every outlier as bad and results in many false positives. Lastline leverages the deep understanding of malicious behavior to flag clearly bad activities such as East-West movement, command and control activity, and data exfiltration.

This brings us to the powerful combination of the existing VMware capabilities with the recently integrated Lastline feature set:

NSX FW with ATP Features

NSX Network Detection and Response

Network Detection and Response (NDR) is a category of security solutions that complement EDR (we will talk about Endpoint Detection and Response later) tools.

Powered by artificial intelligence (AI), NSX NDR maps and defends against MITRE ATT&CK techniques with the current capabilities:

NSX NDR MITRE ATTACK Framework Capabilities Q2 2021

NSX NDR protects the network, cloud and hybrid cloud traffic, and provides a cloud-based and on-prem architecture that enables sensors to gain comprehensive visibility into traffic that crosses the network perimeter (north/south), as well as traffic that moves laterally inside the perimeter (east/west).

NSX NDR uses a combination of four complementary technologies to detect and analyze advanced threats:

NSX NDR Technologies

Behavior-based Network Traffic Analysis (NTA)

Network Traffic Analysis tools are all about detecting anomalies within the network (on-prem and public cloud) and use AI to create models of normal network activity and then alert on anomalies.

VMware NTA Anomalies

The challenge today is that not all anomalies are malicious. With Lastline’s NTA, VMware can now pick up threat behaviors and correlate these to network anomalies and vice versa. Because of this, according to VMware, they have the industry’s most accurate threat detection with minimal false positives.
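The point that an anomaly by itself is not a detection is easy to show with numbers. The following is an added example (my own illustration, not Lastline’s or VMware’s NTA model): a per-host baseline of outbound bytes per hour is turned into a z-score, and an anomalous hour is only escalated when it coincides with a threat-behaviour signal from another detector. Host names, baseline values and signals are constructed.

```python
# Added example, not VMware/Lastline code: baseline anomaly detection plus
# correlation with threat-behaviour signals to keep false positives down.
from statistics import mean, pstdev

# Constructed baseline: outbound bytes per hour over eight clean hours.
BASELINE = {
    "db-01":  [120_000, 130_000, 125_000, 118_000, 135_000, 122_000, 128_000, 131_000],
    "bkp-01": [5_000_000, 5_200_000, 4_900_000, 5_100_000, 5_050_000, 4_950_000, 5_150_000, 5_000_000],
}

# Constructed threat-behaviour signals from other detectors for the same hour
# (e.g. a first-seen external destination, an IDS alert on the host).
THREAT_SIGNALS = {
    "db-01": {"new_external_destination", "ids_alert"},
    "bkp-01": set(),
}


def zscore(host: str, observed: int) -> float:
    """How many standard deviations the observed value sits above the host's mean."""
    history = BASELINE[host]
    sd = pstdev(history)
    return (observed - mean(history)) / sd if sd else 0.0


def is_anomaly(host: str, observed: int, threshold: float = 3.0) -> bool:
    """Pure NTA view: anything more than `threshold` sigma above baseline."""
    return zscore(host, observed) > threshold


def triage(host: str, observed: int) -> str:
    """Correlate the anomaly with threat behaviour before deciding on severity."""
    anomalous = is_anomaly(host, observed)
    signals = THREAT_SIGNALS.get(host, set())
    if anomalous and signals:
        return "high"    # volume spike plus malicious behaviour: likely exfiltration
    if anomalous:
        return "low"     # spike only: e.g. a legitimate backup or bulk export; log it
    if signals:
        return "medium"  # behaviour without a volume change still deserves a look
    return "none"


if __name__ == "__main__":
    for host, observed in [("db-01", 900_000), ("bkp-01", 9_000_000), ("db-01", 127_000)]:
        print(host, observed, round(zscore(host, observed), 1), is_anomaly(host, observed), triage(host, observed))
```

Both `db-01` and `bkp-01` are far outside their baselines in the sample hour, so an anomaly-only tool would page on both. Only `db-01` also talks to a never-seen external destination and triggered an IDS alert, so it is the one that gets a high-severity case; the backup server’s spike is recorded but not escalated.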

NSX NDR NTA Anomaly 2

Intrusion Detection and Prevention System (IDPS)

The NSX Advanced Threat Protection bundle includes IDS/IPS, which is integrated into NSX. The NSX Distributed IDS/IPS benefits from the unique application context from the hypervisor and network virtualization layers to make threat detection more accurate, efficient and dynamic.

The key capabilities of NSX Distributed IDS/IPS include:

  • Distributed analysis
  • Curated, context-based signature distribution
  • Application context-driven threat detection
  • Policy and state mobility
  • Automated policy lifecycle management

Use cases for NSX Distributed IDS/IPS include:

  • Easily achieving regulatory compliance
  • Virtualizing security zones
  • Replacing discrete appliances
  • Virtual patching vulnerabilities

NSX Advanced Threat Analyzer (Sandbox)

Included with NSX Advanced Threat Prevention, Advanced Threat Analyzer provides complete malware analysis and enables accurate detection and prevention of advanced threats. It deconstructs every behavior engineered into a file or URL, and sees all instructions that a program executes, all memory content, and all operating system activity.

NSX NDR Sandbox Ransomware

Other malware detection technologies, such as traditional sandboxes, only have visibility down to the operating system level. They can inspect content and identify potentially malicious code, but they can’t interact with malware like NSX Advanced Threat Analyzer can. As a result, they have significantly lower detection rates and higher false positives, in addition to being easily identified and evaded by advanced malware. (Advanced threats evade other sandboxing technologies by recognizing the sandbox environment or using kernel-level exploits.)

VMware Threat Analysis Unit (TAU)

With the Lastline acquisition VMware could further increase the capabilities provided by the VMware Carbon Black Threat Analysis Unit (TAU) with network-centric research and behavioral analysis.

The VMware Threat Analysis Unit automatically shares the malware characteristics, behaviors and associated IoCs (Indicators of Compromise) of every malicious object curated and analyzed by VMware with all VMware customers and partners.

NSX Advanced Threat Analyzer continuously updates the VMware TAU in real time with intelligence from partner and customer environments around the world.

NSX Security Packages – How to get NSX ATP

According to the knowledge base article Product Offerings for VMware NSX Security 3.1.x (81231), the new NSX Security editions became available in October 2020:

  • NSX Firewall for Baremetal Hosts. For organizations needing an agent-based network segmentation solution.
  • NSX Firewall. For organizations with one or more sites (optionally including public cloud endpoints) that primarily need advanced security services, select advanced networking capabilities, and traffic flow visibility and security operations with NSX Intelligence.
  • NSX Firewall with Advanced Threat Protection. For organizations that need NSX Firewall capabilities as well as advanced threat prevention capabilities, such as IDS/IPS, threat analysis, and network detection and response.

Use Case with Network Virtualization

If you are a customer with an NSX Data Center Advanced or Enterprise+ license who uses NSX for network virtualization only today, you just need the “NSX ATP add-on” for NSX Data Center Advanced or Enterprise+.

Note: The ATP add-on requires NSX-T 3.1 and above.

Use Case without Network Virtualization (no NSX Data Center)

If you have no need for network virtualization for now, you have the following options:

  1. If you look for base firewall features, you can get started with the NSX Firewall license.
  2. Should you look for base firewall features plus advanced threat protection, then start with NSX Firewall with Advanced Threat Protection.
  3. From here you can still go down the network virtualization path and get the NSX Data Center Enterprise+ add-on for ATP.

Use Case for VCF Customers

VCF customers have the option to start with the NSX ATP add-on for NSX Data Center Advanced/Enterprise+ as well.

If you are looking for even more security, want NSX Advanced Load Balancer (GSLB, WAF) and/or Carbon Black Cloud Workload Protection (NGAV, EDR, Audit & Remediation) as well, then you have to get the “network and app security” or “advanced security” add-on.

Carbon Black Endpoint Detection and Response (EDR)

Before the Carbon Black acquisition, VMware already had strong technology, but was not seen or known as a cybersecurity vendor. And it was really this acquisition that made the whole industry understand that VMware had to be taken seriously now as a security vendor.

So, what is EDR according to Wikipedia?

“Endpoint detection and response technology is used to protect endpoints, which are computer hardware devices, from threat. Creators of the EDR technology-based platforms deploy tools to gather data from endpoint devices, and then analyze the data to reveal potential cyber threats and issues. It is a protection against hacking attempts and theft of user data. The software is installed on the end-user device and it is continually monitored. The data is stored in a centralized database. In an incident when a threat is found, the end-user is immediately prompted with a preventive list of actions.”

EDR is essential since local activities on machines that may be malicious are not visible on the network. VMware Carbon Black EDR is an incident response and threat hunting solution designed for security operations centers (SOCs) and incident response (IR) teams. Enterprise EDR is delivered through the VMware Carbon Black Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and dataset.

The Lastline acquisition, which came after Carbon Black, was just another brilliant move from VMware!

XDR – VMware Security brings together EDR and NDR

Again, while EDR protects endpoints, NDR protects the network, so that an organization’s entire IT infrastructure is secured. EDR gives security professionals visibility into endpoints that might be compromised, but this isn’t enough when an attack has moved across the network and into other systems by the time the security team is aware of it.

This is where XDR comes in. VMware rolled out its Extended Detection and Response (XDR) strategy at VMworld 2020. By the way, it was in 2020 when Gartner named XDR as one of the top nine cybersecurity trends.

By providing a holistic view of activity across the system that avoids visibility gaps, XDR allows security teams to understand where a threat comes from and how it’s spreading across the environment – in order to eliminate it. In other words, XDR offers greater analysis and correlation capabilities and a holistic point of view.

EDR NDR Context Correlation

VMware’s XDR platform is the Carbon Black Cloud. Carbon Black Cloud’s evolution into an XDR platform includes product integrations with existing VMware products like Workspace ONE, vSphere and the NSX service-defined firewall, as well as third-party partner platforms.

At the Carbon Black Connect 2020 event, VMware announced the launch of its Next-Gen SOC Alliance, which features integrations with the VMware Carbon Black Cloud to deliver key XDR capabilities and context into Security Information and Event Management (SIEM) technologies.

We’re in an epic war against cybercrime. We know the asymmetric nature of this war – you will not win by trying to staff your SOC with more analysts. Nor can the battle be won by deploying an individual technology focused on only one part of your IT infrastructure. EDR and NDR along with your SIEM form the winning combination you need to win the war.

Conclusion

The Carbon Black acquisition gave VMware a strong cybersecurity foundation to build on. With the recent acquisition of Lastline, VMware added sandboxing and network traffic analysis capabilities to its internal firewall, which is provided by NSX.

I don’t think it’s about “can VMware become a leading cybersecurity vendor” anymore. VMware has the most advanced internal firewall and is already becoming a leading cybersecurity vendor. The recent Global InfoSec award just confirms this statement:

  • “Most Innovative in Endpoint Security” for VMware Carbon Black Cloud
  • “Market Leader in Firewall” for VMware NSX Service-defined Firewall

If you want to learn and see more, this YouTube video with Stijn Vanveerdeghem, Sr. Technical Product Manager and Chad Skipper, Global Security Technologist, is a good start.

Thanks for reading! 🙂