VMware's Tom Gillis on Preventing East-West Hacker MovementGillis on Why Network and Endpoint Visibility Is Needed to Thwart Lateral Movement
Organizations must think differently about how to detect adversaries in the cloud rather than merely shifting their on-premises controls into the cloud, says VMware's Tom Gillis (see: VMware Doubles Down on Multi-Cloud, Lateral Movement Defense).
Combining Carbon Black's insights into the endpoint with NSX's ability to see network connections that a traditional network switch would miss has allowed VMware to more effectively spot lateral movement, says Gillis, senior vice president and general manager of networking and advanced security. VMware is under agreement to be bought by Broadcom, which will bring together the Symantec, VMware and Carbon Black security practices.
"If you have this level of visibility where you can really see and understand the context of what's happening in your data center, the lateral movement of an attacker sticks out like a sore thumb," Gillis says. "The magic is that we have access to data that our competitors don't, and that's what's going to drive efficacy."
In this video interview with Information Security Media Group, Gillis also discusses:
- How Project Northstar can help secure multi-cloud environments;
- The benefits of putting security processing power in the cloud;
- Why organizations need more control over application policies.
Gillis drives VMware's strategy in cloud, security and enterprise computing. Prior to joining VMware, he was CEO of Bracket Computing, which he founded in December 2011. Before starting Bracket, he was vice president and general manager of Cisco Systems' security technology group. He previously served as vice president of marketing and part of the founding team of IronPort Systems, which was acquired by Cisco in 2007. Prior to that, he was vice president and general manager at iBEAM Broadcasting, an internet startup that went public on Nasdaq. He also worked at Silicon Graphics, Boston Consulting Group and Raytheon Corp.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Tom Gillis. He is the general manager of VMware's Advanced Networking and Security Business Group. Good morning, Tom. How are you?
Tom Gillis: Good. How are you, Michael?
Novinson: I'm doing great. Thank you. I wanted to talk to you about the announcements made at VMware Explore last week. Let's start with some of the work you're doing to further tighten the integration between NSX and Carbon Black. I'd love to hear more around why you've focused on bringing the NDR and the EDR together and what that means for customers.
Gillis: There's kind of a series of logical steps on how this comes together. But it all ties to one conclusion, which is, as our customers start to begin their journey to embrace in the cloud operating model, which means having the ability to define a workload plus all the infrastructure and all the security around it, to find all that stuff in software, and then deploy it with a single click. No more tickets, no more waiting a month to deploy a workload. That's the hallmark of a cloud archive. That's what I use as my litmus test to argue there. As we go into that journey, I think there's an interesting and somewhat of an imperative for our customers, to not just take the security controls that we know and use today and try to cut and paste and transpose them into this cloud world, but rather to think differently about how we do security to help us stop these increasingly sophisticated attacks where the goal of an attacker is to avoid detection. The attackers we see are penetrating a network, and they'll remain resident in the network for six, nine or even 12 months. Very slowly and carefully moving laterally, oftentimes through legitimate application pathways. Stopping that type of attack requires very high-fidelity data. I think one of the things that's unique about VMware is that we have with Carbon Black a deep insight into what's happening in the endpoint. With NSX, we have an unusual and deep insight into what's happening on the network. We see network connections that a traditional network switch wouldn't see. Because those connections never leave virtualization world, which means they don't have the box of a server. When you put these two things together, it's a bit of a "chocolate meets peanut butter situation" where we can see this lateral movement in a way that no other solution can. I think that's the name of the game of security.
Novinson: What is combining that NDR and the EDR help with seeing lateral movement?
Gillis: Let's look at an example. With Carbon Black, we have an awareness of the components that make up an application. Let's talk about servers. We're looking at an Apache server, and we know what processes Apache should be running. Now, let's imagine that in your fleet of 100 Apache servers, we see one Apache server that spawns a new process; maybe it's coming off a PowerShell script. That doesn't mean it's bad. That happens in the real world that could be a sysadmin doing an update, or just somebody trying something new. It just means it's suspicious. Carbon Black has a notion of reputation for each process, like does this thing look real and recognized and trusted, or is this is behaving strangely. Carbon Black will share that information with NSX. NSX not only sees every packet and every connection, it sees every process that initiated the connection that's very unique. We're not just looking an Apache server but what's coming from the Apache server, we can see which process in the Apache server initiated that. What you find is if you have this level of visibility, where you can see and understand the context of what's happening in your data center, the lateral movement of an attacker sticks out like a sore thumb. The magic here is not necessarily that we have invented some new security algorithm that some other mathematicians didn't think of. The magic is that we have access to data that our competitors don't. That's what's going to drive efficacy. And that's what's got us so excited about this combination.
Novinson: I see. What's the plan to roll this out to customers? And for existing Carbon Black customers, what are the most significant changes you'll notice once NSX is fully embedded?
Gillis: The cool thing here is the way we're structuring is at VMware, we believe in the philosophy of better together. When NSX and Carbon Black are both deployed in account, this stuff is super easy to deploy and use, but one is not contingent on the other. We were able to deploy this with Carbon Black without NSX. The way it's going to manifest itself in the first incarnation is that the Carbon Back customer has a console that is frequently used by threat hunters, incident responders and the security operations team to identify anomalies. With a simple software upgrade, that console is going to have an awareness of both the endpoint and the network. We have this notion of an attack sequence. We can show you that narrative I just described, that weird Apache server, the process in the Apache server made this connection to a Windows Server. The connection that that process terminated into in the Windows Server is just that one connection. Process suddenly goes from user space to route, that should never happen. And then that route process made a DNS query with malformed headers and a giant payload. If you lay that stuff out, attack sequence, you know that is clearly an attack happening, and you can intercept it in real time before it occurs. It gives you this level of visibility that can provide a response. But it also has very, very high levels of forensics. You can look back and say, "If a ransomware attack did happen, would it initiate all from a single console?" Prior to this, administrators would have to go and look at multiple different consoles and try to piece it together. Oftentimes, you don't have sufficient resolution. For example, NetFlow will tell you this Apache server talked to this Window Server. It's not going to tell you which process initiated the connection. But we see all that. That's what I mean by that high-level/high-fidelity data that lets us drive efficacy, because at the end of the day, that's all we care about: is this system effective?
Novinson: Let's talk a little bit about Project Northstar. Two parter for you, what is it, first off? And then secondly, how does it help with securing multi cloud environments?
Gillis: Yeah, sure thing. So you know, NSX is the fabric, the foundation of the multi-cloud infrastructure. NSX provides the automation and the connectivity to stitch together workloads that can run on your East Coast data center, your West Coast data center, but it can also run out on Amazon, Google, Microsoft. And it's one code base that makes that all possible. With NSX, there's a management plane that has security analytics. We call it NSX intelligence, it's akin to an advanced firewall console, and then a policy management console. We're delivering that as a true SaaS multi-tenant service. So you think about your infrastructure in a multi-cloud world, most customers are going to have some combination of private and public and more likely, you're going to have some combination of more than one public. I want to use Amazon for this particular workload. But then the marketing team wants to use the analytics libraries at Google for that workload. Northstar is the hub that ties all that together. It's the one pane of glass that gives you a security, profile for workload wherever the workloads running - whether it's running, you know, private cloud, public cloud, East-West, it doesn't matter. Northstar ties all that together. So that's currently in tech preview, we can demo it. And we'll be shipping that later this year.
Novinson: So once that starts shipping, what are the biggest benefits customers will notice?
Gillis: It's the same interface the customers are familiar with, actually. Right? So it's a different way of delivering, at this point, I think, a relatively well-understood and well-accepted set of capabilities. One of the biggest benefits is not so much from Northstar. It's what this management and security capability can deliver. And that is unprecedented ability to understand and control and protect East-West traffic. So if we think about coming back to that security narrative, we talked about with Carbon Black, the goal of attackers is to get in and stay in, right? Even if we play back the Log4j fiasco, right? We all went through this together, like Log4j - a huge burden. Everyone running around passionate servers. Whoever had access to that vulnerability, especially before it was announced, had unprecedented access to virtually every network on the planet. I don't know of a customer that wasn't in some way impacted by the Log4j vulnerability. So given the widespread nature of this vulnerability, what was the big breach? What was the big like the movie script that was stolen? Or the plans for you know, coke, or the 250 million credit cards? There wasn't one. Right? That was nine months ago, I think it's safe to assume that attackers used that vulnerability to get into network and they've been delaying it for nine months. So think about that. In real world terms, if someone broke into your data center, and stayed for nine months, hanging up there, you know, in sweat socks to make impression or cheese in the morning, it'd be insane. But in cyber, that's what we deal with - attackers getting insane. So NSX is really the most powerful tool for identifying the lateral movement when those attackers are trying to survey and find the information they're looking for. NSX gives you the ability to understand a very high level of detail, that East-West traffic Northstar is the control panel that manages all that. So it allows you to run the analytics, to see what's happening, to build the policies and to respond to the network side of it. And then as we talked about earlier, in the second half of this year, we'll be tying Carbon Black and that same infrastructure, and connecting with VMware's Contexa, which is our threat intelligence database so that we can correlate what we see in the endpoint and what we see on the wire. In my opinion, this is the highest impact thing that you can do to increase your security. Right? Everybody has perimeter firewalls, everyone has some form of endpoint and many people have EDR solutions already. It's that horizontal east-west, the lateral movement that is the problem. And VMware is uniquely suited to solve that problem.
Novinson: Are you seeing adversaries are doing more around lateral movement today than maybe they were a year or two ago? What are some of the new things we're seeing adversaries do when it comes to lateral movement?
Gillis: Yeah, what we see happening is there's like, you know, more than doubling, even as a tripling of the use of legitimate protocols. And the number one protocol that we see being used is RDP - remote desktop protocol. And the attackers move very slowly, right? Their goal is to avoid detection. So they're trying to hide in the noise of normal application behavior. So RDP is a tool that all of your sysadmins use all the time, it's what you use to upgrade your Windows servers, right? So to make sure those Log4j vulnerabilities are all patched and clean. And so you can't just block RDP. So RDP connections are generally allowed. And so with NSX, we have the ability to look at each connection, we look into what we speak, you know, we speak layer seven, right? So we speak RDP. And we can say, does that connection look like something a sysadmin would do? Or does that look like ransomware? And we do it in two ways. We have signatures, so we run a Distributed Suricata-based IDS/IPS. So we're like, "Look, if we know there's a malware load or something that should never happen. Let's catch that with the cigs," But we also do distributed behavioral analytics and be like, that just looks weird. You know, like, wait a minute. So this one server is doing, you know, a series of sequential reads on a big database. And then it downloads an encryption kit, and it's encrypting that data. And now it's going to do a series of sequential writes, that looks suspicious, and it's coming from an RDP connection. Right? It shouldn't happen that way. So I make it sound simple. It's almost like common sense. If you can see the data. And that's, again, where VMware shines is that we can see that data and we can figure out legitimate RDP connections from ransomware.
Novinson: In terms of Project Northstar, I know part of that is getting that hardware and software capability at the application level, rather than at a central data center. What's the benefit to putting some of that security processing power at the application level?
Gillis: Northstar takes it and puts it in the cloud. It's application aware, as you were saying. We have that Layer 7 context, we understand the protocol, we understand this is a web server, this is an app server, this is a database and this is how they should behave. When you have all of that context, you can make very high-fidelity decisions. NSX brings that context, to the wire, to the network. Carbon Black brings that context to the endpoint. As we stitch those two together, we think we're going to have extremely high performance, high efficacy in the alerts that we generate.
Novinson: Let's talk about Project Watch here. What's the significance of that? Why is there a need for more app to app policy control?
Gillis: Let's think about a real world example. I have, in my organization, more than 1000 developers, and we develop on every public cloud, as well as we have a huge private cloud infrastructure we use for build and test. I've got more than 150 VPCs, in my organization, and my peers each have a couple of 100 VPCs. Security says, "I got to put a Layer 7 firewall between those VPCs and the apps that you're running on-prem, like build farm for security reasons. That's a fundamental requirement. All of a sudden, you've got this n × n matrix, where you're trying to connect hundreds of VPCs on one side to hundreds of apps and developers on the other side. That can balloon into tens of thousands of firewall rules. We're developers, so we're constantly trying new ideas, changing things all around. It creates a level of burden on the part of traditional firewall, that it's extremely cumbersome. Many customers I talked to were like, "I can't, this is like not going to scale and it's not going to work." We were trying to use our next-gen firewalls, firewalls that we know and love at our perimeter and they are good as a perimeter. That's what they're built for. But they're not good at this deal with cloud to cloud internal communication, because they don't have notion of identity. They don't know, like an app server from a web server from a database. With Project Watch, we throw away the old firewall constructs and we build a Layer 7 app aware construct that says, "Look, if I've got a marketing analytics," and we talked about marketing analytics, and marketing team came up with this clever idea using Google TensorFlow in one of our earlier examples. Let's say that analytics application needs to talk to a customer database that's residing on-prem. We use certificates to say this is the customer database. This is the analytics engine and Project Watch provides a secure, encrypted connection from one part of the app to the other part of the app or from two separate apps that are just exchanging information and data. Independent of any network pathway, don't care if you're running on direct connect, if you're running on a VPN, if you run on the plain old dirty Internet. It doesn't matter. It's about app to app connectivity. And it can take tens of thousands of firewall rules and turn it into two. This can talk to that. It's all you are trying to do. You can do it with encryption, you can do it very high performance. That's what Project Watch is about. It's about simplifying the interchange of a multi-cloud infrastructure. The other clever thing about Project Watch is it has a notion of risk. We look at those apps, and we're like, "What is this thing? Is this like, the company launch menu? Or is this sensitive customer data, or PII?" We can automatically build risk profiles based on our observation of the app, based on topology, and there's a whole variety of sources that we use to help formulate and streamline the connectivity policy, and just the observability of where's all that data going? Because sometimes you'd be absolutely shocked. I'm running an application and it's using APIs from SaaS services. Project Watch can discover all that and be like, "Do you realize you're talking to 20 external SaaS services and pushing customer data up there?" Having the ability to identify and then to protect app to app connectivity and have a notion of risk and building security policies that are dynamic associated with that risk, we think that's the future. Nothing to do with infrastructure. Nothing to do with IP address protocol. It's all Layer 7 constructs that are built around identity.
Novinson: What's the fastest growing area of the VMware security portfolio today? And why?
Gillis: Probably the number one area is our East-West security controls because of its explosive growth. The reason is that everyone knows that the goal of attackers is to get in and stay in effect. The whole principle of zero trust says, "Guess what? They are already in, they are already there." It's a pretty good assumption. So assume that they're in. How do we make it hard for them to stand? How do we make it hard for them to get to what they're trying to get to, which is your valuable assets, your data, your IP and that East-West, Advanced Threat Protection, it's so easy to deploy on top of NSX. If you can find and watch The Sopranos on HBO, you can turn on advanced threat protection on NSX. It's that simple. It has very high impact, solves big problems and stops ransomware better than anything else on the market. It's super easy to deploy. Over the next 12 months, it's only getting better, faster and stronger as you bring the additional context of Carbon Black into that analytics engine.
Novinson: Tom, It's been a pleasure. Thank you.
Gillis: Thanks very much, Michael.
Novinson: We've been speaking with Tom Gillis. He is the senior vice president and general manager of VMware's Networking and Advanced Security Business Group. For Information Security Media Group, this is Michael Novinson. Have a nice day.