September 27, 2020

VMware and Carbon Black: An Advance for Cloud Endpoint Protection

Richard Dornhart
National Practice Manager - Security at Data#3
Initially, analysts were surprised when VMware completed its $2.1 billion cash purchase of Carbon Black in August 2019. VMware does virtualisation, right? And Carbon Black is a cloud-native endpoint protection solution. At first look, it’s hard to see the companies as a natural match. So, what opportunity did VMware foresee?

VMware is building a modern Software Defined Data Centre, incorporating components such as endpoints, user or service identity, workloads, cloud and multi-cloud, plus networks. Incorporating technology from Carbon Black allows delivery of an intrinsic security strategy across the data centre, something VMware’s customers will appreciate. Not a bad match at all!

The Ongoing Challenge of Security in Multi-Cloud Environments

VMware sees what industry customers already know: security in a cloud and multi-cloud environment is challenging and expensive.

  • Spending in Australia alone on cyber security is expected to triple in coming years to A$6 billion by 2026 [1]
  • Small businesses average 15-20 tools, increasing to 30-40 for medium-sized businesses and 130+ for large organisations [2]
  • In Australia, a VMware survey found a disturbing increase in attacks and data breaches over the last year – despite the vast number of software tools in play. In part, it concluded that the attacks and data breaches were aggravated by the surge in work-from-home users driven by the response to COVID-19 [3]

Each of the above factors results in extensive operational impact through money, tools and employee time. There’s also the potential for reputational damage with external customers. Month by month, the challenges and expenditures are increasing.

Most organisations’ IT management has fallen into the “point product” model of network security, with operating system security, application security and overall performance monitoring all managed by different teams with different tools. This multiplicity of tools, teams and people slows problem detection and remediation and increases per-incident expense.

The challenge of team coordination is borne out by a Forrester survey of 1,500 global IT leaders, including 270 in the APAC region, which identified those leaders’ #1 priority within the next year as driving better collaboration between security and IT teams. This seems a disturbing priority to have in 2021: these teams are already trying to cooperate as well as they can – their motivation is firstly to prevent incidents, and secondly to get things fixed ASAP.

These groups are starting to – or have already – realised that piling tool on tool is not the answer and that the current point product model is not working. Worse, the current model doesn’t look likely to catch up to the existing level of attacks, much less meet the challenge of advancing faster than new attacks are developed. As an example, the COVID-19 increase in “work from home” users exposed new vulnerabilities from an increased use of insecure devices. Is that threat going to reduce post-COVID-19? As employees and employers come to appreciate the convenience and lower costs of at least part-time work from home, it doesn’t seem likely. All this at a time when we’re embedding more, and smarter, devices into our lives.

With so many tools in play, it’s difficult – if not impossible – to gather comprehensive data sets that can be easily aggregated, or at least correlated, to help protect against threats before they bite, let alone get one step ahead.

If the existing models aren’t working, what’s the solution?

Solutions Begin with an Opportunity

By developing a clear strategy to address these issues, and making smart choices from the plethora of security management technologies in the market, organisations have a real opportunity to simplify security management while at the same time reducing costs, reducing incidents, and detecting and addressing incidents that do occur faster.

Such a change demands the shift to a coordinated organisation-wide approach to security management, which raises critical questions like who “owns” security? When a new application is deployed, who owns the security policy? Who owns the procedures to implement that policy? Who monitors compliance, and who will notice an attack first? How long is it between a breach and its discovery? Who coordinates the response to an incident?

The typical scenario is that ownership becomes “joint”: different teams will share parts of the policy, and procedures. Rectification will depend on what vulnerabilities are discovered the hard way via an incident.

So how does Carbon Black fit into all this?

As joint ownership increases, security in the software defined data centre becomes hugely relevant to VMware. Enter Carbon Black.

Carbon Black is best known for Carbon Black Response, considered the premier tool for post-incident forensics. That’s good, but it’s used after you’ve had an intrusion or potential intrusion.

However, Carbon Black’s next generation endpoint solution is about more than forensics: it’s about defence and intrinsic security. It’s about a shift in the security model from point product to unified, threat-centric to context-centric, bolted-on to built-in. It’s about speeding attack detection and response via machine learning (ML) and artificial intelligence (AI) – and that speed isn’t possible without ML and AI techniques.

Traditional signature-based threat detection can only be updated after the threat has been detected, usually by an exploit. This means it’s always playing catch-up – always on the defensive.

Intrinsic security integrates all the different control points run by different teams using different tools into a single platform. Collecting data across all functional areas and placing it into a single datastore allows access for all teams. Carbon Black supplies this cloud dataset, which VMware views as essential for its customers.

Carbon Black’s former CEO Patrick Morley, who heads the new cyber security division at VMware, explained the acquisition decision for Carbon Black was driven by the scale that the larger company would provide. Carbon Black’s ML and AI technology is hungry for data, and an increase from 6,500 customers to VMware’s half million is two orders of magnitude.

Carbon Black’s integration into VMware is significant to VMware as security:

  • Moves natively into the hypervisor
  • Integrates with end-user devices
  • Integrates with Software Defined Storage (SDS), Software Defined Networking (SDN), and application containers.

Fewer point products, fewer exploits and no version-lock problems where your security solution holds back or forces an upgrade at an inopportune time. Operations groups need to be able to schedule upgrades according to their business or organisation’s requirements.

The IT application delivery environment has evolved dramatically; now it’s time for security in that environment to do the same.

[1] Australia’s Cyber Security Sector Competitiveness Plan 2019
[2] 2019 RSA Conference presentation by Palo Alto Networks
[3] VMware Releases Cybersecurity Threat Survey Report Detailing Increased Attack Volume and Breach Levels in Australia