VMware announces multitude of security enhancements at VMworld

In addition to its core product and service announcements around cross-cloud services and app modernization, VMware has introduced a large number of security enhancements that leverage its strength in virtual networking to make new and existing products more secure.

Tom Gillis, senior vice president and general manager, Networking and Advanced Security Business Group, VMware

At VMworld, VMware is announcing a flock of new security enhancements, with a focus on end-to-end Zero Trust security inside clouds and data centers with secure workload access.

VMware is uniquely able to use its security and networking capabilities to provide greater security to workloads in today’s environments, emphasized Tom Gillis, senior vice president and general manager, Networking and Advanced Security Business Group, VMware.

“Together with our virtual networking capability, we can put security deep into the fabric of this infrastructure to secure workloads in ways that really, other solutions can’t,” Gillis said. “So we’ve enjoyed an enormous amount of success with our network and security products. We have more than 30,000 customers. That’s a large population of folks using our network and security products. We also process, in our security cloud, more than 8.4 trillion security events per week. That’s an enormous amount of data and I always say if you can’t see it, you can’t stop it. So, because of who we are at VMware we have access to this enormous amount of workloads running across the enterprise, all the way up to the edge to the end user compute, and we have the ability to see a tremendous amount of activity in the network. This allowed us to stop more than 1.1 million ransomware attacks just in the last 90 days. Typically, we can respond in less than six seconds to these ransomware attacks.”

Gillis said VMware’s security announcements at VMworld fall into three buckets.

“They align with the three big pushes you’re hearing from VMware: multi-cloud, modern apps, and the anywhere workspace and edge compute,” he stated.

In multi-cloud protection, the issue is not only preventing ransomware attacks but also, as infrastructure becomes more heterogeneous, how best to protect workloads spread across multiple clouds. The new solutions here are enhancements to VMware Carbon Black Cloud for ransomware protection and recovery, and VMware Cloud Disaster Recovery for rapid recovery at scale.

“Protecting against ransomware starts with making sure that you’re hardening the workload itself, and for Linux and Windows servers, VMware Carbon Black Cloud does all the things you need to protect the endpoint,” Gillis said. “It has next generation antivirus. It draws a picture of workload inventory, so we can see what’s there. Very importantly, we identify vulnerabilities so we scan the individual hosts, looking for vulnerabilities and weaknesses that we can automatically correct. We do EDR. We do MDR, and auto remediation all integrated into a single, very complete solution. The new news is that we have baked the solution into vSphere, in a way that is just brain dead simple to deploy – easy, fundamental and intuitive.” Now, VMware Carbon Black Cloud can be enabled with a simple switch in VMware vCenter, making protection from ransomware attacks simpler and faster to deploy.

VMware Cloud Disaster Recovery, the new DRaaS solution that enables more rapid recovery at scale, is also designed for ransomware protection. It lets customers utilize a deep history of immutable snapshots stored in an isolated cloud file system, instant VM power-on for iterative security evaluations, and powerful orchestration for highly automated testing, failover, and failback to recover end-to-end IT apps and data sets after a ransomware attack.

“With this disaster recovery, we make sure that we can recover from ransomware, by making copies of all your data, frequently air gapping it from the attack and then, if an attacker does get through, we can restore your data to get you back up and running, seamlessly, effortlessly and effectively,” Gillis said. “These are examples of security controls that are unique in the industry because they leverage the intrinsic attributes of a multi-cloud platform.”

Gillis also emphasized the importance of VMware’s virtual networking to its security.

“Most of the modern ransomware attacks that we’re seeing are using in-band tools,” Gillis said. “It’s a technique the hackers call living off the land, which means they use legitimate ports and protocols to move east, west, through your infrastructure. So to stop this, you have to be able to read these legitimate flows and look at which ones are real and which ones are ransomware. With our distributed architecture, we speak Layer Seven. And we have the ability to apply signatures to say, this is a real file request, but this one here, we know this to be ransomware, and so we stop it. Now the informed observer will say well yeah that’s signature, which means you have to have seen it before, which is absolutely true. And I will point out that a huge amount of ransomware is taking advantage of known vulnerabilities, so the signatures are really powerful. But the news is we now have non-signature-based analytics. These have the ability to observe the inner workings of an application. This is a technique that the industry calls network traffic analysis. So the storyline is – let’s imagine I’ve got a mortgage payment application, if someone has stolen a credential and they’re coming into a mortgage payment app, it’s really hard to figure out if it’s friend or foe. But once they get into that mortgage payment application, they’re not going to pay my mortgage. They do things that are wildly anomalous – if you can see it. The way the industry used to solve this problem is they would put little taps all over everywhere, but that is really tough to do, especially for a fine-grained application that’s been virtualized.”

The key to handling this is an existing solution, VMware NSX Network Detection and Response, and VMware is announcing its intention to broaden this technology further. VMware plans to deliver tapless NTA/NDR capabilities that leverage VMware vSphere to distribute sensors everywhere.

“With NSX, we have a tapless network traffic analysis, so we see every hop along the way, and we correlate this and say wait a second, this doesn’t make sense,” Gillis said. “This is what allowed VMware NSX Network Detection and Response to win a triple A rating from SC Labs, a third-party independent company that verifies and measures efficacy of security solutions. This is the first network traffic analysis solution to win this rating and we’re very proud of it, but what does it mean? It means better security that is easier to operationalize, because you have no network apps to deploy. You push a button, turn it on, and it just works. This is an example of why workloads running on the VMware cloud are more secure than any other cloud platform.”

“As we start to move this across multiple clouds, the issue is how do we protect the edges of those clouds,” Gillis added. “At the edge of the data centre, we have had a set of services, and these are well understood, and are typically functions that were done with expensive, proprietary, rigid hardware appliances. These things are difficult to manage and then frankly limited in efficacy because they’re hard to manage. Imagine if we define this stuff in software and run it on general purpose compute and we add the thing that we do uniquely, which is elasticity. We can scale the app itself, but we also can scale the infrastructure, so the firewall and the load balancer can get bigger or smaller to meet the needs of the application. You don’t have to go out and buy more expensive proprietary appliances. This is the kind of flexibility that allows our customers to solve security in unique ways.”

The modern apps announcements relate to the fact that these apps can be made of thousands of components that communicate via APIs. VMware Tanzu Service Mesh Advanced edition brings a new level of distributed visibility, discovery and security to those APIs.

“With these cloud native applications, it’s a whole different world,” Gillis said. “You’re not talking about three components — web server, app server, and database. You can have 300 or maybe even 3000 components and these things are coming up and blinking on and off all the time, so we can’t just cut and paste traditional security approaches into this native world. As a result, we’ve built a whole new set of security capabilities and we’ve built them into the software development lifecycle.”

“We can protect those APIs in a really big way, with the Tanzu Service Mesh and API security that we have, as a result of the acquisition of Mesh7,” Gillis stated.
“As an application is being written, we’re constantly scanning it looking for security compliance violations. We’re constantly ensuring the integrity of the images. As you go to deploy, we will check and make sure that if the workload is vulnerable, we will coordinate to make sure it’s protected. And then, of course, at runtime we can wrap and harden the OS with all of our integrity controls. And our new capability we are now announcing is we have east and west controls for containers, to provide the ability to look at the inner workings of a cloud native application.”

In addition, CloudHealth Secure State now delivers Kubernetes Security Posture Management [KSPM], which provides deep visibility into misconfiguration vulnerabilities across both Kubernetes clusters and connected public cloud resources.
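The posture checks a KSPM tool runs are not described in the article, so the following is an added illustration rather than code from VMware or CloudHealth Secure State. It checks constructed, in-memory pod manifests for a handful of common misconfigurations (shared host namespaces, privileged containers, root execution, unpinned images, missing resource limits) and returns a list of findings per pod; the manifests, names and image digest are all constructed for the example.

```python
"""Minimal Kubernetes pod posture check (illustrative, not a vendor's code).

Each check maps to a misconfiguration a KSPM scanner would flag. Manifests
are plain dicts so the example runs without a YAML library or a cluster.
"""
from typing import Dict, List


def check_pod(manifest: Dict) -> List[str]:
    """Return human-readable findings for one pod manifest; [] means clean."""
    findings: List[str] = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {})

    # Sharing a host namespace gives the container a view of the node itself.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key) is True:
            findings.append(f"{name}: {key} is enabled")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        # A container-level securityContext overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}/{cname}: runAsNonRoot is not set to true")
        if sc.get("privileged") is True:
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}/{cname}: root filesystem is writable")

        # A floating tag ('latest' or none) defeats image-integrity checks at deploy time.
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]
        if ":" not in last or image.endswith(":latest"):
            findings.append(f"{name}/{cname}: image '{image}' has no pinned tag or digest")

        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}/{cname}: no resource limits")
    return findings


def scan(manifests: List[Dict]) -> Dict[str, List[str]]:
    """Run check_pod over several manifests, keyed by pod name."""
    return {m["metadata"]["name"]: check_pod(m) for m in manifests}


# Constructed sample manifests (not real workloads).
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "weak"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "app", "image": "nginx:latest"}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "app",
            # Placeholder digest, constructed for the example.
            "image": "registry.example/app@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod, issues in scan([WEAK_POD, HARDENED_POD]).items():
        print(pod, "->", issues or "no findings")
```

Running the script prints six findings for the weak pod and none for the hardened one. In practice the same checks would be run continuously against live cluster state rather than once at deploy time, which is the "configuration drift" problem the article goes on to mention.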

“The other issue is once this application gets up and running, how do we ensure that it stays secure throughout its life cycle,” Gillis said. “And so we have a unique Kubernetes security posture management that allows us to understand what’s happening and running and then ensure that we don’t have configuration drift or misconfiguration. So this stuff is from cradle to grave. We can ensure the security of the cloud-native workloads.”

Finally, VMware is announcing that it has beefed up security for its integrated VMware Anywhere Workspace solution, which provides distributed workforces with appropriate levels of controlled access to apps and data from wherever they choose to work.

“The last piece of the puzzle is the Anywhere Workspace, and I think we cannot underestimate the impact that the Work from Home revolution is having on the way we think about networks,” Gillis said. “It means that the old model of backhauling traffic to a DMZ is going away, and for good reasons, because any of us who have ever had the VPN experience of logging into the corporate network and trying to use Zoom or WebEx or Microsoft Teams know the experience is rotten. It’s because this model was not built for these types of applications. So instead of backhauling traffic to the security services, what if we could use the power of software and a distributed architecture to take those security services, break them into hundreds of pieces and run them in the points of presence. Well, this is what we’ve done. We have the ability to run firewall and web proxy but also the compute. I think this is what makes VMware unique. So it all starts with SD-WAN, which is our foundation. We have the Zero Trust Network Access, the secure web gateway, the firewall as a service and the AI-based operations to wrap it all up, to identify when there’s problems and to automatically remediate.”

The newly announced elements of this SASE architecture include a new inline CASB [cloud access security broker] service to help IT gain more visibility and control over app access.

“This is our SaaS controls, and we will be adding DLP [Data Loss Prevention] capabilities,” Gillis said. “We’ve also added really powerful self-healing network access so that, if we see problems with one of your Zoom sessions, we can reroute that traffic in the network in flight without breaking or disturbing the Zoom. That has a huge impact on the end user. Lastly, we’ve got a deep collaboration with Intel to provide unique security hooks in an endpoint device that allow us to ensure the integrity of that device and upgrade that device while the device is being used, but it’s transparent to the user. These are very strong capabilities that are really helping us reshape how we think about network and security for this distributed workspace world that we’re moving into.”