Virtual Patching with VMware NSX Distributed IDS/IPS

Patching: The Perennial Problem  

Cybersecurity consumes an ever-increasing amount of our time and budgets, yet gaps remain and are inevitably exploited by bad actors. One of the biggest gaps is unpatched vulnerabilities: a recent survey found that 60% of cyberattacks in 2019 were associated with vulnerabilities for which patches were availableⁱ.   

Most companies have a patch schedule that is barely able to keep up with applying the most important patches to the most critical vulnerabilities. Yet new ones crop up all the time: approximately 15,000 new vulnerability are discovered every year, which translates to one every 30 minutes ⁱⁱ. They impact all types of workloads, from multiple vendors, as well as open source projects.  

It’s a constant race to try to find and fix the most dangerous vulnerabilities before the bad actors can exploit them. But ignoring them is not an option.  

The Simplest Approach is Not So Simple  

Why not just patch everything or fix flaws in the code? Because it’s operationally challenging – and almost impossible.  

First, patching is an expensive and largely manual process. Second, applications may rely Continue reading

Defeat Emotet Attacks with Behavior-Based Malware Protection

The security community has enjoyed a few months of silence from Emotet, an advanced and evasive malware threat, since February of this year. But the silence was broken in July as the VMware Threat Analysis Unit (TAU) observed a major new Emotet campaign and, since then, fresh attacks have continued to surface. What caught the attention of VMware TAU is that the security community still lacks the capacity to effectively detect and prevent Emotet, even though it first appeared in 2014. As an example of this, Figure 1 shows the detection status on VirusTotal for one of the weaponized documents from a recent Emotet attack. Only about 25% of antivirus engines blocked the file, even though the key techniques — such as a base64-encoded PowerShell script used to download the Emotet payload from one of five URLs — are nothing new. (These results were checked five days after they were first submitted to VirusTotal.)

Figure 1: Detection of an Emotet-related document on VirusTotal

In this blog post, we’ll investigate the first stage of the recent Emotet attacks by analyzing one of the samples from the recent campaign to reveal the tactics, techniques, and procedures (TTPs) used. This will help Continue reading

Trick or Threat: Ryuk ransomware targets the health care industry

Simplify the Modern Network with VMware NSX-T 3.1

Continuing our commitment to helping organizations around the world deliver a public cloud experience in the data center through VMware’s Virtual Cloud Network, we’re excited to announce the general availability of VMware NSX-TTM 3.1. This latest release of our full stack Layer 2 – 7 networking and security platform delivers capabilities that allow you to build modern networks at cloud scale while simplifying operations and strengthening security for east-west traffic inside the data center.  

As we continue to adapt to new realities, organizations need to build modern networks that can deliver any application, to any user, anywhere at any time, over any infrastructure — all while ensuring performance and connectivity objectives are met. And they need to do this at public cloud scale. NSX-T 3.1 gives organizations a way to simplify modern networks and replace legacy appliances that congest data center traffic. The Virtual Cloud Network powered by NSX-T enables you to achieve a stronger security posture and run virtual and containerized workloads anywhere. 

Continue reading

Evolution of Excel 4.0 Macro Weaponization – Continued

Introduction 

The evolution of the Excel 4.0 (XL4) macro malware proceeds apace, with new variations and techniques regularly introduced. To understand the threat landscape, the VMware NSBU Threat Analysis Unit extended its previous research on XL4 macro malware (see the previous blog) to analyze new trends and techniques.  

Against analysis engines, the new samples have some novel evasion techniques, and they perform attacks more reliably. These variants were observed in June and July. Figure 1 depicts the Excel 4.0 macro malware wave.  

Figure 1: Malicious XL4 submission: May-Aug 2020 

Broadly, the samples can be categorized into three clusters. Based on the variation of the samples in these three clusters, the weaponized documents can be grouped into multiple variants. 

Cluster 1: Relative Reference   

The samples in this cluster appeared in the month of June. They use FORMULA.FILL for obfuscation and to move the payload around the sheet. The formula uses relative references to access values stored in the sheet. There are variations in this category; Continue reading

Closing security gaps and eliminating blind spots in the data center: a software-based approach to securing east-west traffic

It’s no secret that traditional firewalls are ill–suited to securing east-west traffic. They’re static, inflexible, and require hair-pinning traffic around the data center. Traditional firewalls have no understanding of application context, resulting in rigid, static policies, and they don’t scale—so they’re unable to handle the massive workloads that make up modern data center traffic. As a result, many enterprises are forced to selectively secure workloads in the data center, creating gaps and blind spots in an organization’s security posture. 

A software-based approach to securing east-west traffic changes the dynamic. Instead of hair-pinning traffic, VMware NSX Service-defined Firewall (SDFW) applies security policies to all workloads inside the data center, regardless of the underlying infrastructure. This provides deep context into every single workload.  

Anyone interested in learning how the Service-defined Firewall can help them implement micro–segmentation and network segmentation, replace legacy physical hardware, or meet growing compliance needs and stop the lateral spread of threats, should check out the following sessions: 

Creating Virtual Security Zones with NSX Firewall Continue reading

Meet compliance requirements cost-efficiently by implementing East-West security at scale 

Compliance is more than a necessary evil. Sure, it’s complex, expensive, and largely driven by manual processes, but it’s also a business enabler. Without the ability to prove compliance, you wouldn’t be able to sell your products in certain markets or industries. But meeting compliance requirements can’t be cost-prohibitive: if the barriers are too high, it may not make business sense to target certain markets.  

The goal, of course, is to meet and prove compliance requirements in the data center in a simple, cost-effective way. With the intent to provide safety and maintain the privacy of customers, new government and industry regulations are becoming more robust, and many require organizations to implement East-West security through micro-segmentation or network segmentation inside the data center. Of course, this is easier said than done. Bandwidth and latency issues caused by hair–pinning traffic between physical appliances inhibit network segmentation and micro-segmentation at scale.  

VMware NSX applies a software-based approach to firewalling that delivers the simplicity and scalability necessary to secure East-West traffic. It does this with no blind spots or gaps in coverage— Continue reading

Intrinsic Security: Take security to the next level

The other guys will have you believe that more is better. You have a problem, just buy a solution and patch the hole. Security operations too siloed? Just cobble together some integrations and hope that everything works together. 

VMware thinks differently. We believe that “integrated” is just another word for “complexity.” And clearly, complexity is the enemy of security. 

Integrated security is bolted–on security. An example would be taking a hardware firewall and making it a blade in a data center switch. That’s what the other guys do. It makes it more convenient to deploy, but it doesn’t actually improve security. 

Security always performs better—and is easier to operate—when it’s designed–in as opposed to bolted–on. At VMware, we call this intrinsic security. When we think about security, being able to build it in means you can leverage the intrinsic attributes of the infrastructure. We are not trying to take existing security solutions and integrate them. We are re-imagining how security could work. 

Enterprises that want to learn how we’ve built security directly into Continue reading

Simplify your micro-segmentation implementations

Micro–segmentation is a critical component of Zero Trust. But, historically, micro-segmentation has been fraught with operational challenges and limited by platform capabilities.  

Not anymore.  

VMware NSX enables a new framework and firewall policy model that allows applications to define access down to the workload level. NSX does this by understanding application topologies and applying appropriate policy per workload. Creating zones in the data center where you can separate traffic by application simultaneously helps stop the spread of lateral threats, create separate development, test, and production environments, and meet certain compliance requirements. 

VMworld attendees who want to learn more about how to set up micro-segmentation in their data centers should consider the following sessions: 

Permit This, Deny That – Design Principles for NSX Distributed Firewall (ISNS2315D) 

Micro-segmentation is something that is certainly easier said than done. Although micro-segmentation allows applications to define access down to the component level, the operation of such an environment can be daunting without structure and guidance. In this session, you’ll learn how to develop a Continue reading

Introducing VMware Transit Connect for networking and security on VMware Cloud on AWS

As you migrate and expand your deployments on VMware Cloud on AWS, your network connectivity provides the foundational infrastructure for all workloads in your SDDCs. When you then scale across multiple SDDCs — which also need to network with several data centers and tens or even hundreds of VPCs — scaling network connectivity becomes a critical challenge.  

In this context, we’re excited to announce a number of new networking and security capabilities on VMware Cloud on AWS. 

• SDDC Groups – a way to organize SDDCs together for ease of management
• VMware Transit Connect –high bandwidth, resilient connectivity for SDDCs in an SDDC Group
• Multi-Edge SDDCs – the ability to add network capacity for north-south traffic to the SDDC

Together, these new features enable seamless connectivity to your SDDCs from on-prem data centers and AWS VPCs while unlocking the capacity you need to efficiently drive your workloads in the cloud. 

Let’s take a closer look at each one. 

SDDC Groups 

SDDC Groups enable customers to manage multiple SDDCs as a single logical entity. This simplifies operations while maintaining the flexibility that customers rely on. SDDCs in a Group can be interconnected with VMware Transit Connect, and Continue reading

Countering the Rise of Adversarial ML 

The security community has found an important application for machine learning (ML) in its ongoing fight against cybercriminals. Many of us are turning to ML-powered security solutions like NSX Network Detection and Response that analyze network traffic for anomalous and suspicious activity. In turn, these ML solutions defend us from threats better than other solutions can by drawing on their evolving knowledge of what a network attack looks like. 

Attackers are well-aware of the fact that security solutions are using AI and ML for security purposes. They also know that there are certain limitations when it comes to applying artificial intelligence to computer security. This explains why cyber criminals are leveraging ML to their advantage in something known as adversarial machine learning. 

In this post I’ll explain just what adversarial machine learning is and what it is not. To start, the label itself can be a bit misleading. It sounds like criminals are actually using ML as part of their attack. But that is not the case. The simple explanation is that they’re using more conventional methods to understand how security solutions are using ML so that they can then figure out how to Continue reading

Detecting Malware Without Feature Engineering Using Deep Learning 

Detecting Malware Without Feature Engineering Using Deep Learning 

Nowadays, machine learning is routinely used in the detection of network attacks and the identification of malicious programs. In most ML-based approaches, each analysis sample (such as an executable program, an office document, or a network request) is analyzed and a number of features are extracted. For example, in the case of a binary program, one might extract the names of the library functions being invoked, the length of the sections of the executable, and so forth. 

Then, a machine learning algorithm is given as input a set of known benign and known malicious samples (called the ground truth). The algorithm creates a model that, based on the values of the features contained in the samples, is the ground truth dataset, and the model is then able to classify known samples correctly. If the dataset from which the algorithm has learned is representative of the real-world domain, and if the features are relevant for discriminating between benign and malicious programs, chances are that the learned model will generalize and allow for the detection of previously unseen malicious samples. 

The Role of Feature Engineering 

Even though the description Continue reading

Machine Learning, Artificial Intelligence, and How the Two Fit into Information Security 

Everywhere I look, someone’s talking about machine learning (ML) or artificial intelligence (AI). These two technologies are shaping important conversations in multiple sectors, especially marketing and sales, and are at risk of becoming overused and misunderstood buzzwords, if they haven’t already. The technologies have also drawn the attention of security professionals over the past few years, with some believing that AI is ready to transform information security. 

Despite this hype, there’s still a lot of confusion around AI and ML and their utility for information security. In this blog post, I would like to correct some misperceptions. Let’s start by differentiating machine learning from artificial intelligence in general. 

Machine Learning vs. Artificial Intelligence: Understanding the Difference 

Artificial intelligence is the science of trying to replicate intelligent, human-like behavior. There are multiple ways of achieving this — machine learning is one of them. For example, a type of AI system that does not involve machine learning is an expert system, in which the skills and decision process of an expert are captured through a series of rules and heuristics. 

Machine Learning is a specific type of AI. An ML system analyzes a large data set in Continue reading

Lateral Movement: What It Is and How to Block It 

In any given attack campaign, bad actors have a specific goal in mind. This goal may involve accessing a developer’s machine and stealing a project’s source code, sifting through a particular executive’s emails, or exfiltrating customer data from a server that’s responsible for hosting payment card information. All they need to do is compromise the system that has what they want. It’s just that easy. 

Or is it? 

In reality, it’s a little more complicated than that. When attackers compromise an asset in a network, that device usually is not their ultimate destination. To accomplish their goal, bad actors are likely to break into a low-level web server, email account, employee endpoint device, or some other starting location. They’ll then move laterally from this initial compromise through the network to reach their intended target. The initial compromise seldom causes severe damage. Thinking about this another way: if security teams can detect the lateral movement before the attackers reach their intended targets, they can prevent the attacker from successfully completing the mission. 

But what exactly is lateral movement, and how does it work? In this blog, we’ll look at some of the most common types of lateral movement and Continue reading

Stop Ransomware with NSX Network Detection and Response 

Back in 2018, some cybersecurity vendors were reporting that cryptomining malware had infected organizations roughly 10 times more than ransomware.  But since then, ransomware has climbed back to the top of the cybercrime landscape. Europol named ransomware as the top cyber threat organizations faced in 2019. And its impact is increasing: 

“Even though law enforcement has witnessed a decline in the overall volume of ransomware attacks, those that do take place are more targeted, more profitable and cause greater economic damage. As long as ransomware provides relatively easy income for cybercriminals and continues to cause significant damage and financial losses, it is likely to remain the top cybercrime threat.” 

Putting the Dominance of Ransomware into Perspective 

Targeted attacks aren’t the only factor behind the ongoing prevalence of ransomware. Several other forces are also at play. Here are just a few of them. 

The Rising Costs of Ransomware Infections 

Higher ransomware amounts are common. A 2020 report indicated the average cost to recover from a ransomware attack more than doubled from $41,198 to a staggering $84,116. The Wall Street Journal reported that claims managers at Continue reading

The Relevance of Network Security in an Encrypted World 

Hiding malware in encrypted traffic is a tactic increasingly employed by bad actors to conceal attacks. By one estimate, 60% of cyberattacks carried out in 2019 would leverage encryption, and that was predicted to increase another 10% in 2020. Having an understanding of how your security solutions can recognize or prevent threats within SSL traffic is therefore extremely important, particularly since many such tools don’t provide that ability. In this blog, we’ll outline the ways in which security solutions can work with encrypted network traffic. 

The Security Challenges Surrounding Encrypted Network Traffic 

We all understand one of the goals of encrypting network traffic: to protect the confidentiality and privacy of sensitive data in motion. However, encryption also poses a challenge to most network security products —if these products cannot inspect the payload of connections, they lose their ability to detect and respond to threats. 

The Rise of Encrypted Data 

The use of encryption on the Internet has risen dramatically, which on the whole is a good thing. For example, the Google Transparency Report shows that the percentage of encrypted web traffic on the Internet has steadily increased, from around 50% in 2014 to Continue reading

NSX deep dive sessions at VMworld 2020

It’s that time of year again; VMworld!  This VMworld is unprecedented in its delivery this year.  VMworld 2020 will be entirely online and general sessions available for anyone who wants to attend for free!  There is a small fee track for Premier pass which has access to additional sessions.  More on that in the links below.  The numbers we’re seeing for potential attendees is staggering and people who may not have been able to attend in the past, can now join their industry peers for discussions, hands-on labs, and breakout and keynote sessions.

At previous VMworld events, it could be difficult to attend all the sessions you wanted, as they may have had times where one or more overlapped.  This year, the majority of our sessions are on-demand for the attendee convenience.   Log on and watch whatever the session you want, whenever you want.  To ensure you don’t miss out on all the deepest technical NSX content the Network and Security Business Unit at VMware as created, we’ve come up with a list of sessions for you to check out:

Security

Apply Consistent Security Across VMs, Containers and Physical Server with NSX-T [ISNS1272]
Continue reading

VMware Transit Connect – Simplifying Networking for VMC

The release of VMware Cloud on AWS (VMC) 1.12 brings a number of exciting new capabilities to the managed service offering. A comprehensive list can be reviewed in the release notes. A key feature that is now Generally Available (GA) in all VMC commercial regions worldwide is VMware Transit Connect^TM. VMware Transit Connect enables customers to build high-speed, resilient connections between their VMware Cloud on AWS Software Defined Data Centers (SDDCs) and other resources. This capability is enabled by a feature called SDDC Groups that helps customers to logically organize SDDCs together to simplify management.

The SDDC Group construct empowers customers to quickly and easily define a collection of SDDCs, Virtual Private Clouds (VPCs) or on-premises connectivity that need to interconnect. Additionally, the SDDC Group construct provides value inside the individual SDDCs by simplifying security policy as will be shown later in this post. Behind the simplification that SDDC Groups provide is the instantiation of an VMware Managed AWS Transit Gateway, a VTGW. The VTGW is a managed service from VMware and provides the underlying connectivity between the different resources.

The initial Transit Connect service provides three primary connectivity models:

• SDDC to SDDC
• SDDC to Native AWS VPC
• Continue reading

Three Ways Operationalizing NSX Will Transform Your IT Organization

By Kevin Lees and Devyani Pisolkar, authors of the ‘Operationalizing VMware NSX’ guide

Virtualized networking and security may appear to be a standard feature of today’s modern data center, but it wasn’t so long ago — what, seven years? — that network virtualization was a new concept, largely introduced and propelled by VMware. How time flies. Today, across industries, network virtualization, in the form of VMware NSX, is the go-to choice for delivery of software-based network and security services. Nowadays we spend less time discussing the novelty of the architecture and more time talking about how to maximize the value of NSX by fully operationalizing the platform to make it a critical driver in your digital transformation.

VMware NSX is utterly unlike legacy networking

VMware NSX delivers networking and security services entirely in software. That enables organizations to move myriad operational tasks into the software layer, but to leverage it fully requires a top-to-bottom rethink of network operation itself. Under NSX, the old paradigm of the network as a hardware silo is gone; instead, the virtualized NSX network is an integral component in the software-defined data center.

Which brings us to the key point: in order to fully realize Continue reading

Guide to the Virtual Cloud Network at VMworld 2020

The countdown to VMworld 2020 is nearly at an end and we are eager to share our latest advancements in network and security virtualization that are powering the Virtual Cloud Network with you. With this year’s FREE virtual event having such a jam-packed agenda on all things virtualization, we’ve put together this comprehensive guide to navigating the Virtual Cloud Network.

Our engineers, technologists and customers will be dropping knowledge in over 100+ live and on-demand technical sessions, hands-on labs, and interactive roundtable sessions throughout the event, covering all technical levels from beginner to advanced. Read on to get a curated list of can’t-miss activities going on between September 29 and October 1.

If you haven’t already registered, make sure to do so here and then jump into the content catalog and schedule your sessions today. See you online!

(For Security-specific programming, check out this post on the top security sessions you must attend at VMworld)

 Virtual Cloud Networking Education Track at VMworld

(Note: Scheduled Sessions are offered during several timeslots to

accommodate regional time zones. Click the session links to attend the most convenient one for you. And for the full-list of scheduled and on-demand sessions, click here. Continue reading