VMware brings XDR capabilities to Carbon Black in a push for lateral security

A telephoto shot of the VMware logo on the conference floor of VMware Explore Europe

VMware has revealed an addition to its network detection and visibility solutions in the form of Carbon Black XDR, seeking to address the very significant threat posed by lateral attacks and empower companies to combat threat actors that have already breached their networks.

Whereas endpoint detection and response (EDR) reacts to endpoint data, extended detection and response attempts to provide environment-wide, comprehensive visibility on threats. In this way, VMware Carbon Black XDR adds to and extends the capabilities of VMware Carbon Black Enterprise, the threat hunting and response solution already available for VMware customers.

VMware identifies this as crucial in drawing attention to the danger of threat actors performing lateral attacks once gaining access to a system, with historical focus having been placed almost exclusively on endpoint tools to prevent malicious access altogether.

The service leverages data within VMware Contexa, the firm’s threat intelligence solution that provides observability across VMware’s network, as well as endpoint and user technologies. The company claims it processes over 1.5 trillion endpoint events daily, using machine learning (ML) to contextualise this information in parallel with the input of more than 500 VMware Threat Analysis Unit partners and researchers. VMware Carbon Black XDR can then use this data to prompt action by security teams, and inform policy changes.

In August, VMware research suggested cyber attacks were on the rise following Russia's invasion of Ukraine, with 25% of attacks seeing lateral movement by attackers once systems had been compromised.

"Lateral security is the new battleground," said Tom Gillis, SVP and general manager, networking and advanced security business group at VMware.

“By bringing VMware Carbon Black XDR to market, we’re improving threat detection and prevention across endpoints and networks to address the need from our customers to limit the lateral movement of attackers inside their environment.

"Our XDR solution is not replacing SIEM, rather it’s helping to paint a broader picture of the threat landscape for customers. We are correlating high-fidelity, process-level data from the endpoint with packet-level data on the network to create super high-fidelity and actionable alerts that can also be fed into a larger SIEM. That data is pulled from VMware Contexa, our threat intelligence cloud that combines the telemetry of Carbon Black and NSX."

VMware has been quick to note the uptake in demand for XDR solutions within the current threat environment, citing a Forrester study it commissioned which indicated that although 75% of responding organisations have not implemented XDR, 27% are planning to in the next 12 months. Data from the same study suggested that ROI increased following early adoption of the technology, bringing the boons of automation and adding another feather to the cap of existing security stacks.

Carbon Black was acquired by VMware in 2019, in the interest of boosting security oversight across VMware’s cloud offerings. Since then, its offerings have been expanded and are now part of VMware’s array of network and endpoint security options. These include Contexa and the upcoming Project Northstar, a SaaS-based tool for network security for applying multi-cloud security policies through a central cloud console, which is currently in tech preview.

Joe Baguely, VP & CTO EMEA at VMware, spoke to IT Pro about how VMware Carbon Black XDR expands upon past efforts by VMware:

"We've actually been talking about these threats for over 10 years. When we first acquired Nicira, which became NSX, we talked about east to west security and what we're talking about now with natural security is pretty much the same thing. But what we're doing in that space is when we talk about it back in the past, we were literally introducing the concept of having micro firewalls per workload. But it was pretty basic, pretty manual.

"What we're doing with Carbon Black and the XDR technologies and EDR, is we're making that much more intelligent. We're bringing artificial intelligence (AI) and ML to that. And we're bringing all the intelligence we've got around threat analysis to what's going on in the data centre, to make it much more responsive."

VMware’s NSX security solutions aim to provide consistent, zero trust, multi-cloud security policies alongside granular protection such as network segmentation. The firm also states that NSX is uniquely able to combat lateral attacks, as it sits alongside a hypervisor to protect individual virtual machines within a VMware vSphere environment, and alongside Kubernetes to protect native clouds.

VMware Carbon Black XDR is available for certain customers in early access, with the security specialist team handling sign up requests.

Carbon Black in action

"Carbon black is an absolute godsend for us," said Ed Higgs, group director of IT Shared Services at Rentokil Initial, speaking to IT Pro.

"We're very acquisitive. We acquire just over one company a week and we've just done one for $6.1 billion - we just acquired Terminix in the US. It’s massive for us, and obviously all those acquisitions bring relative complexities, but whenever we've got an acquisition, the first thing they do is install Carbon Black, because that gives us visibility from day one."

Referring to the threat posed by lateral security, Higgs praised Carbon Black for the security insight it provides:

"We've been pretty good over years in managing the perimeter," added Higgs. "We pay companies, like everyone else, to hack us and see where they get and, of course, they're still finding things. When they first started doing it, there were massive gaping holes, and over the years we’ve matured and matured.

"Carbon Black and NSX have significantly reduced [a threat actor's] capability to do anything - because as soon as anyone elevates a role, on any of our systems, we immediately get a notification and they can go on and delete the account, segregate the environment, whatever they need to do. The last time we paid someone to hack into our systems, we had to tell the [Carbon Black team] to ignore the test, because we don't want them to stop the testers straight away, otherwise they wouldn't get to anything else that they might find."

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.