VMware supports lateral security with Contexa Threat Detection
VMware will offer broad threat detection with telemetry from its various solutions.
VMware has added a threat detection capability called VMware Contexa which discovers lateral network traffic. The new technology, released Thursday, is a cloud-based service that VMware is adding to its various offerings.
Contexa’s launch comes ahead of next week’s RSA conference in San Francisco, where VMware will demonstrate it. It also comes a week after Broadcom agreed to acquire VMware for $61 billion. VMware had planned Contexa to launch before the deal was announced.
Network lateral movement detection is important because lateral movement has become a widespread threat. Sideways movement across a network usually indicates an undetected intrusion that began months or, in some cases, years earlier.
VMware says Contexa is more likely to discover lateral network traffic than current Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) solutions. This is because both SIEM and XDR offerings rely on sampled telemetry, said Tom Gillis, senior vice president and general manager of VMware’s Advanced Security business group.
“It’s a clue or an indicator of what’s going on, but it doesn’t give you the visibility,” Gillis said of the SIEM and XDR offerings. “It’s not because SIEM analytics [or XDR] are bad; it’s because [they] do not have access to the raw data to be able to understand what is happening.”
VMware Contexa is not a product; rather, it is a scanning technology that monitors traditional virtual environments through VMware NSX and endpoints through VMware Workspace One and Carbon Black. For modern, cloud-native application environments, Contexa detects threats through VMware Tanzu. VMware offers it at no additional cost.
Silicon advancements from AMD and Intel have resulted in 128-core servers, allowing more than 100 virtual machines to run on one physical host, Gillis pointed out. Little of that traffic is actually analyzed, he noted.
“By instrumenting the virtualization layer, we see every packet and every process,” he said. “And we understand them in context.”
Billions of threats detected
Contexa currently processes more than 1.5 trillion endpoint events and 20 billion network flows per day, according to an internal VMware analysis conducted last month. Contexa detects about 2.2 billion suspicious activities every day, according to the analysis. VMware combines machine learning data with insights from 500 human researchers from VMware’s Threat Analysis Unit and various incident response partners. VMware said it provides automated responses to more than 80% of these events.
“By combining threat intelligence from NSX, Carbon Black and Workspace One, and complementing these capabilities with machine learning and human expertise, VMware has the opportunity to excel as a threat intelligence provider and in threat detection, investigation, and response across the modern enterprise,” said Eric Parizo, senior analyst, Cybersecurity Operations Intelligence (SecOps) at Omdia. (... parent company of Omdia and Channel Futures.)
Workspace One and MACS
VMware Contexa is available now for VMware’s Workspace One client virtualization offering and Modern Application Connectivity Services (MACS). MACS is an offering composed of VMware NSX Advanced Load Balancer and VMware Tanzu Service Mesh. VMware’s NSX Advanced Load Balancer provides consolidated, multi-cloud, north-south application services.
Tanzu Service Mesh automates application delivery with secure east-west connectivity on Kubernetes clusters and connects to traditional virtual machine environments. It provides traffic management, policy control, encryption, and authorization services to distributed applications. VMware plans to add Contexa to other offerings over time, including its Carbon Black endpoint protection offering.
“With Contexa, VMware is doing what is rare in enterprise cybersecurity, namely offering a truly innovative solution, thanks to the depth and integration of its security telemetry on endpoints, applications, in virtual and hybrid data centers, at access points and across distributed cloud edge environments,” said Parizo.
“Where I think VMware has a particularly compelling opportunity to excel is in its ability to use its unique position within the application infrastructure to observe and understand application layer traffic, both in traditional virtual applications and containerized and microservices-based cloud-native applications, and identify anomalous activity,” he added. “Even today, it remains a remarkably difficult undertaking that few vendors can do consistently and effectively.”