VMware NSX-T Advanced Threat Prevention Announcements at VMworld 2020

It is hard to believe that NSX-T is now three years old, and what an incredible three years it has been.  As a former global enterprise architect for a couple of companies that deployed NSX-T, I have had the privilege of watching this solution grow.  Every year there seems to be a new acquisition or partnership that expands the solution's capabilities.  This year was no different, which is why the new Advanced Threat Prevention features were announced at VMworld 2020.  Below you will find an overview of these new features and the licensing models.

Other VMworld 2020 announcements:
https://digitalthoughtdisruption.com/2020/09/29/vmware-bringing-sase-to-sd-wan-vmworld-2020/
https://digitalthoughtdisruption.com/2020/09/29/vmware-vrealize-network-insight-vrni-vmworld-2020-announcements/
https://digitalthoughtdisruption.com/2020/09/29/vmware-nsx-t-advanced-threat-prevention-announcements-at-vmworld-2020/
https://digitalthoughtdisruption.com/2020/09/29/importance-of-vmware-nsx-t-in-the-modern-datacenter-vmworld-2020/
https://digitalthoughtdisruption.com/2020/09/29/vmware-cloud-on-aws-vmconaws-vmworld-2020-announcements/
https://digitalthoughtdisruption.com/2020/09/29/vmware-cloud-disaster-recovery-draas-vmworld-2020/
https://digitalthoughtdisruption.com/2020/09/29/vmware-vrealize-ai-cloud-vmworld-2020/
https://digitalthoughtdisruption.com/2020/09/29/vmware-vrealize-cloud-universal-vmworld-2020/
https://digitalthoughtdisruption.com/2020/09/29/vmware-cloud-on-dell-emc-vxrail-vmworld-2020/

VMware's strategic advantage is its vantage point: from the hypervisor it has knowledge of what is happening inside the systems running your production workloads.

In the traditional IDS/IPS model, a vendor takes one big bucket of signatures and matches all of them against all traffic.  VMware asks: why run Windows signatures against Linux servers?

Where VMware makes a difference is that it knows which workloads and applications are running in the environment, so out of roughly 13k signatures it applies only those relevant to protecting a given workload.

By removing unnecessary signatures from the inspection path, VMware reduces the load on the system and focuses on what matters.

Why does this matter?  At some point a legacy solution becomes overloaded and starts dropping traffic.  By evaluating only the signatures that apply, VMware does not have to drop traffic merely because the inspection engine is saturated with irrelevant signature matching.
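To make the signature-scoping idea concrete, here is an added example (my own illustration, not VMware's NSX code) of the kind of selection step described above.  It parses IDS rules written in Suricata syntax that carry Emerging-Threats-style `metadata:` keys, and keeps only the rules whose `affected_product` matches what a workload actually runs.  The rules, the SIDs (9000001 onward), the `Workload` inventory and the matching convention (an untagged rule is treated as generic and kept) are all constructed for the demo and are not real rule-set entries.

```python
"""Context-aware signature selection (added example, not VMware's code).

Given IDS rules with ET-style metadata and an inventory of what OS family and
products a workload runs, keep only the rules that can apply to that workload.
Rules, SIDs and workloads below are constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Constructed sample rules in Suricata syntax; SIDs are placeholders.
SAMPLE_RULES = """
alert smb any any -> $HOME_NET 445 (msg:"DEMO SMB exploit attempt"; sid:9000001; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server;)
alert http any any -> $HOME_NET any (msg:"DEMO Apache Struts OGNL"; sid:9000002; rev:1; metadata:affected_product Apache_Struts, attack_target Web_Server;)
alert tcp any any -> $HOME_NET 22 (msg:"DEMO OpenSSH user enum"; sid:9000003; rev:1; metadata:affected_product Linux, attack_target Server;)
alert http any any -> $HOME_NET any (msg:"DEMO generic webshell"; sid:9000004; rev:1; metadata:attack_target Web_Server;)
alert tcp any any -> $HOME_NET 3389 (msg:"DEMO RDP bruteforce"; sid:9000005; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata:\s*([^;]*);")


@dataclass
class Rule:
    sid: int
    text: str
    meta: dict  # metadata key -> list of values (a key may repeat)


@dataclass
class Workload:
    name: str
    os_family: str                      # "Windows" or "Linux"
    products: set = field(default_factory=set)   # e.g. {"Apache_Struts"}


def parse_rules(text):
    """Parse rule lines, extracting the sid and the metadata key/value pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # malformed rule without a sid: skip it
        meta = {}
        meta_m = META_RE.search(line)
        if meta_m:
            for item in meta_m.group(1).split(","):
                parts = item.strip().split(None, 1)
                if len(parts) == 2:
                    meta.setdefault(parts[0], []).append(parts[1].strip())
        rules.append(Rule(int(sid_m.group(1)), line, meta))
    return rules


def rule_applies(rule, wl):
    """A rule applies if untagged, or if any affected_product matches the
    workload's OS family prefix (e.g. 'Windows_...') or a product it runs."""
    targets = rule.meta.get("affected_product")
    if not targets:
        return True
    products = {p.lower() for p in wl.products}
    for t in targets:
        tl = t.lower()
        if tl.startswith(wl.os_family.lower()) or tl in products:
            return True
    return False


def select_rules(rules, wl):
    return [r for r in rules if rule_applies(r, wl)]


def reduction(rules, wl):
    """(total rules, rules kept, percent removed) for one workload."""
    kept = select_rules(rules, wl)
    return len(rules), len(kept), round(100 * (1 - len(kept) / len(rules)), 1)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for wl in (Workload("web01", "Linux", {"Apache_Struts"}),
               Workload("fs01", "Windows")):
        print(wl.name, [r.sid for r in select_rules(rules, wl)], reduction(rules, wl))
```

In a real deployment the inventory would come from guest introspection or the NSX context engine rather than a hand-written `Workload`, and a rule set would have richer metadata than the single `affected_product` key used here.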

Most sandbox solutions lack full visibility into the workload, which makes it easier for malware to hide unless the sandbox happens to trigger the right action to make the malware detonate.

As stated earlier, VMware is uniquely positioned to have deeper visibility into both OS execution and network traffic, giving more insight into what is going on inside the sandbox.

The claim is that in a VMware environment there is no code running anywhere that VMware cannot observe.

VMware can see what is going on: for example, a piece of malware that has infected a VM and is searching the system for anti-virus software to shut it down before spreading further.

VMware's network traffic analysis tracks the flows back and forth between machines.

The analysis is intelligent enough to examine anomalous network activity and decide whether it is a false positive or an actual threat.  For example, if packets are sent from one machine offsite in the middle of the night because a backup is running ahead of a planned upgrade, the traffic is allowed.

All of the activities mentioned above generate events.  This is where a unified console adds value.  By putting all this information together and distilling thousands of events down into hundreds of relevant activities, VMware is able to be more precise in pointing out actual threats to the environment.

VMware can then take those hundred events and correlate them into campaigns, essentially telling the security team: these four things are really bad.  By addressing these four things you make the previous thousands of events go away.
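The two steps just described, suppressing activity explained by a known schedule and then rolling the remaining alerts up into a handful of campaigns, can be illustrated with the following added example.  This is my own code, not VMware's NDR or NSX Intelligence implementation.  It assumes a simple alert shape (timestamp, source, destination, kind, severity), links alerts into a campaign when they share a host within a configurable time window, and ranks the result by severity; the alerts, the backup schedule and the `LINK_WINDOW` value are constructed for the demo.

```python
"""Correlating many alerts into a few campaigns (added example, not VMware's code).

Drop alerts explained by scheduled activity, link the rest by shared host
within a time window (union-find over per-host neighbours), then rank the
resulting campaigns.  All events and the schedule are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, time as dtime, timedelta

# Constructed alerts: (timestamp, source, destination or None, kind, severity 1-5)
EVENTS = [
    ("2020-09-28T02:05:00", "db01", "backup01", "large_outbound_transfer", 2),
    ("2020-09-28T09:00:00", "ws07", None, "macro_spawned_powershell", 3),
    ("2020-09-28T09:02:00", "ws07", None, "av_service_probed", 4),
    ("2020-09-28T09:05:00", "ws07", "203.0.113.7", "c2_beacon", 4),
    ("2020-09-28T09:10:00", "ws07", "dc01", "smb_lateral_movement", 4),
    ("2020-09-28T09:15:00", "dc01", None, "credential_dump", 5),
    ("2020-09-28T14:00:00", "198.51.100.9", "web01", "inbound_port_scan", 1),
    ("2020-09-28T14:30:00", "ws12", None, "suspicious_dns_query", 2),
]

# Constructed allowlist of scheduled activity: (src, dst, kind, start, end)
SCHEDULED = [
    ("db01", "backup01", "large_outbound_transfer", dtime(1, 0), dtime(3, 0)),
]

LINK_WINDOW = timedelta(hours=6)  # assumed: two alerts on one host within 6h are related


def parse(events):
    return [dict(ts=datetime.fromisoformat(ts), src=s, dst=d, kind=k, sev=v)
            for ts, s, d, k, v in events]


def is_scheduled(ev, schedule=SCHEDULED):
    """True when the alert is explained by a known scheduled activity."""
    t = ev["ts"].time()
    return any(ev["src"] == s and ev["dst"] == d and ev["kind"] == k and start <= t <= end
               for s, d, k, start, end in schedule)


def correlate(events, window=LINK_WINDOW, schedule=SCHEDULED):
    evs = [e for e in parse(events) if not is_scheduled(e, schedule)]
    parent = list(range(len(evs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    # Index alerts by every host they touch, then link time-adjacent ones.
    by_entity = defaultdict(list)
    for i, e in enumerate(evs):
        for ent in (e["src"], e["dst"]):
            if ent:
                by_entity[ent].append(i)
    for idxs in by_entity.values():
        idxs.sort(key=lambda i: evs[i]["ts"])
        for a, b in zip(idxs, idxs[1:]):
            if evs[b]["ts"] - evs[a]["ts"] <= window:
                union(a, b)

    groups = defaultdict(list)
    for i in range(len(evs)):
        groups[find(i)].append(evs[i])

    campaigns = []
    for members in groups.values():
        members.sort(key=lambda e: e["ts"])
        hosts = sorted({x for e in members for x in (e["src"], e["dst"]) if x})
        campaigns.append(dict(events=len(members),
                              max_sev=max(e["sev"] for e in members),
                              hosts=hosts,
                              kinds=[e["kind"] for e in members]))
    # Highest severity first, then the campaign touching the most alerts.
    campaigns.sort(key=lambda c: (c["max_sev"], c["events"]), reverse=True)
    return campaigns


if __name__ == "__main__":
    for c in correlate(EVENTS):
        print(c["max_sev"], c["events"], c["hosts"], " -> ".join(c["kinds"]))
```

Eight alerts become three campaigns: the backup transfer is suppressed by the schedule, the ws07/dc01 chain (macro, AV probe, beacon, lateral movement, credential dump) surfaces as one severity-5 campaign at the top, and the isolated scan and DNS alerts fall to the bottom of the list.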

Here is a nice slide showing which NSX-T features map to each stage of the attack lifecycle and how VMware is helping customers defend their organizations.

One new team within VMware that should bring an extra layer of security to customers is the TAU (Threat Analysis Unit).  This team is dedicated to reducing threats to customers' environments while working in lockstep with the ever-expanding machine learning capabilities baked into the security portfolio.

VMware now offers flexibility in NSX-T licensing.  You can go with the standalone NSX firewall option, or with the full NSX-T firewall with Advanced Threat Prevention.  The best part is that if you start with the NSX firewall, all you have to do is upgrade your existing license to add the Advanced Threat Prevention capabilities.  These licenses are priced per CPU for virtualized hosts or per host for your physical workloads.

Summary:
I have been with NSX-T since the early 2.1 days and have watched this network security solution grow into 3.0.3.  NSX-T has come a long way from being an overlay network that provided a firewall on the vNIC of your virtual machines.  Through acquisitions, VMware has been able to expand its security portfolio in the network security space.  Plus, with strategic partnerships with third-party vendors, they are able to provide true endpoint-to-endpoint security out to the edge and back.  I'm excited to see what is next for VMware security.  As always, I hope y'all found this useful.
