The Next Disruption: Security Beyond the Perimeter and Endpoint

Posted on in Presentations

Three years ago, VMware challenged the industry to think differently. What has changed since then? How have we fared on that journey amid a global pandemic and increasing ransomware?

Join Tom Gillis and Dr. Amelia Estwick as they share insights on the next areas of disruption, thinking laterally beyond the perimeter and the endpoint - to clouds, containers, APIs, and everything in between.

Video Transcript

   >> SPEAKER: Please welcome Senior Vice President/General Manager, Networking and Advanced Security Business Group, VMware, Tom Gillis.


  >> TOM GILLIS: Hey, I'm Tom Gillis. I'm the General Manager for Networking and Advanced Security of VMware. And I've got to say, this is a first for me in my career. Usually, I’m the opening act for a rap band, not the other way around. But I want to talk about what I think is a pretty significant shift in how we think about and deploy security systems.


   So, I have been doing this for a while. And as long as I have been around, and I think many folks in the audience, we all tend to think about security systems, particularly our scanning security enforcement devices, as living in two places, at the perimeter and at the endpoint. So, in really simple terms, you might think I have got a next generation EDR solution on my endpoints. I’ve got a next generation firewall at my perimeter. So, I'm good, right? And yet despite the fact that these are widely deployed systems, we see a significant increase in both the frequency and the impact of cyberattacks.


   And so, I think in really broad strokes, we have got to think differently about our security systems. We need a system that can work not just at the endpoint, not just at the perimeter, but can look across all of that stuff in the middle. Right? We need to look at how a user interacts with an application and understand the application interacting with the infrastructure. And the reason why we need this broad view is because the nature and I think the objective of the attacks has changed.


   Let's just think in simple terms about Log4j. Whoever discovered that vulnerability gave themselves a skeleton key to virtually every network on the planet. I don't know of a single network that was not impacted in some way by Log4j. And so, despite this unbelievable access to pretty much everything, what was the movie script that was stolen, or the 500,000 credit cards that were stolen? There wasn't one, or at least not one that we know of. And so, what we can conclude from this is that the goal of an attacker is not just to get in, but it is to get in and stay in. So, think about this in real terms. If someone were to break into your house and let's say steal your tax return or your laptop and run, like, oh, that's a breach. That's a violation. Now imagine that someone were to break into your house and stay for nine months. All right?




   >> TOM GILLIS: Moving room to room. It is unthinkable in the real world. But in cyber, this is the problem that we’re up against. And it’s not just the big folks that have to worry about this. Some friends of mine, their family owns a regional potato chip company. They got ransomed twice. So, that tells you these attackers, they have no decency, folks. They’re going after our barbecue potato chips. But it’s the same tools and techniques that the attackers are using to disrupt the potato chip line could also be used to say disrupt the power grid. Or let’s imagine that this attacker said, you know what, if you’re going to remove us from the global financial system, what if we decided to erase every bank account in North America? And so, this is not hyperbole anymore, unfortunately. And in a zero‑trust model, we have to assume that the attackers are in.


   So, the name of the game is how do we make it hard for them to move laterally and stay in? This is why I think lateral security is the new battleground. So, what do we think about and define as lateral security? It really requires an end-to-end view in how a user interacts with the application. So, we have to gather telemetry from the user themselves, the device they’re on, what’s the posture of that device, the network that you traverse, the application – and this is important – the application can’t be viewed as a monolith. We’ve got to look at the little piece parts, the services that make up the application and how it interacts with the data. And then we will be prepared to deal with these sophisticated threats.


   So, there are three steps for how we can do this. I’ll argue that the first and perhaps most important is we have to come up with a way that we can protect the inner workings of an application. Now when I talk to customers about this, they will say, oh, okay, I think about my security toolchain for apps and how I can protect my apps in terms of a set of tools that I use on my private Cloud, and I’ve got a different set of tools that I think about on my public Cloud.


   And while I understand that thinking, I’m going to suggest that we need to turn it 90 degrees. Right? We need to talk about how do I protect the inner workings of a traditional application that is going to be predominantly VM-based, and then, separately, how do I protect the inner workings of a modern application, which is going to be predominantly Kubernetes-based? Because the concepts are the same, but the insertion mechanisms are different. So, let’s consider each one separately.


   When we think about east-west controls for VM-based applications, the most, I think - for many people, the most obvious control that you’re going to think of is micro-segmentation. And so, to illustrate how micro segmentation solves this problem and fits into the overall picture, I’m going to run a little experiment. Okay? I want all of you in the audience for just a moment to become SOC analysts. So, can you analyze this traffic pattern and see if you can identify an anomaly? See anything weird there? All right. Now, I'm from Boston, so I look at that, I’m like, nope, that’s normal. That’s how we drive. My dad would be proud of me. He’s like good move, son. You drove around the tree. You got two cars ahead. But for most of us, right, micro‑segmentation stops what is obviously bad traffic. It’s traffic that is trying to use application pathways that should never exist in the first place.


   So, let's put guardrails in place and let’s stop that traffic from flowing. Now, the good news is micro‑segmentation is – it probably just had its 7th birthday, so it’s been around for a while. And I can say with confidence that the tools for doing micro-segmentation at scale are pretty mature. That's the good news. Here is the bad news. The bad news is that the attackers are assuming you have micro‑segmentation in place.


   One of the more interesting and disturbing trends that we are seeing in the last two years is the significant increase in what the security researchers call living off the land attacks, which means that attackers are using a stolen credential or compromising a protocol to move through legitimate application pathways, and the number one protocol that we see is RDP, remote desktop protocol. You can't just block RDP because that is what your sys admins are using to update their servers. So, how can we look at each one of these RDP connections and figure out is this the sys admin updating a server, or is this ransomware?


   So, this is not a radically new concept. This is what SIEM systems were designed to do more than 10 years ago. Let's look across everything and try to figure out friend from foe. But SIEM systems are subject to an immutable rule of security, all of us are, you can’t stop what you can’t see. And so, for many customers, I think SIEMs suffer from the car alarm problem. Do you know what the car alarm problem is? If you’re walking down the street and you hear a car alarm going off, what do you do? You keep walking, right? Maybe yell, shut that thing off. Right?


   So, car alarms have a very, very high false positive rate, and so does a SIEM. And it’s not that the analytics in a SIEM are bad. The problem is you’re relying on sample data. And when an attacker is trying to use legitimate application pathways, you can’t rely on something like just NetFlow or sample data to see these kinds of patterns. We have to look deeper. So, again, let’s think about how we can instrument traditional applications, which are VM-based, and identify the inner workings of that application.


   Many customers will think about, all right, I’m going to deploy a network tap. Okay? So, the network tap is going to look at that east-west traffic and try to find the bad guys. But if an application has let’s say three tiers, a web tier, an app tier, and a data tier, and they’re all VMs running on the same chassis, that east‑west traffic, it never leaves the box. It’s not going to hit a network switch or a network tap, and so it creates a blind spot.


   And here is what makes the problem worse is that the silicon vendors, Intel and AMD, and hypervisor vendors like VMware, are building ultra-high-density servers where, on the latest generation of hardware, we can run more than a – well over 100 VMs in a single chassis, more like 150. So, imagine you have got 100 VMs that are talking to each other, and that traffic never sees a switch.


   When I was an engineer, one of my teachers used to stand up in the classroom, and he says, never forget, Tom, GIGO. Does anyone know what GIGO stands for? Garbage in, garbage out. And I know some people recognize that. It’s an old programming term, I guess. But the idea is that if you’re looking at 1% of the east‑west traffic and you’re trying to figure out, is that RDP connection good or bad, that’s not enough sample data to make an intelligent decision. So, we need to look at all of the traffic.


   Here is where the virtualization layer becomes the security professional’s best friend, because when you instrument the virtualization layer, you see every packet. In fact, you know what process, not just what application, which process initiated that. Even if it's encrypted, we can - hypervisor can peek up into the guest and say, well, it’s an encrypted connection, but I’m going to look at the payload in the clear. So, it is very high-fidelity data that allows us to understand every connection, and, more importantly, to understand the conversation in context and figure out is this real or not.


   Now, same exact principle applies for modern apps, but the insertion mechanisms are different, because in a modern app, you’re not dealing with three tiers, you might be dealing with 300 micro-services, or maybe even 3,000 micro services, lots of tiny little chunks of code, and they’re all talking to each other. Each one of these micro-services has its own internal API. And so, in order to protect that application from within, we need to understand those APIs. We need to see those APIs.


   Again, the good news is just like the virtualization layer is a friend to VMs, there is a new technology called a service mesh, which is built on open standards that allows us to see those inner workings. And so, we can observe and measure the APIs, understand their schemas, and baseline them and say this is what normal looks like. So, if an attacker is in doing something that’s highly anomalous, we can pick it up and detect it and protect those east-west APIs, which allows us to, again, see every connection and understand the conversation.


   So, when I talk to customers about this, they will be like, ooh, beautiful story, Tom. I love it. I want to do this. But where do I start? And this is actually the third and one of the most important points I wanted to deliver to this room. As every enterprise company is embracing the Cloud operating model in a significant way, security has an opportunity to lead the conversation, not follow it, to lead the conversation, and say, you know what, as we move into a world of Cloud operating, we are not going to take the old toolset and try to graft it on. We’re going to think differently about how we instrument our VMs and how we instrument our containers so that we can protect those applications from within.


   And yet, when I talk to customers, many of them are saying, yeah, yeah, yeah, yeah, we’re going to automate our data center and we’re just going to use the existing toolset, these firewalls and load balancers that we have. I’ll say, oh, so you can launch a workload without having to update firewall rules. Oh, no. No. We open a ticket for that. Our guys are good, though. We close those tickets in like two weeks. I’ll say, okay, how about getting a VIP, a virtual IP, from a load balancer? No. We open a ticket for that, too.


   And so, I kind of sometimes let my mind wander, and I think this is like sort of partial automation. Is this some kind of like IT vending machine? And I go up to that vending machine and I push a button in it and request a firewall update, but behind that vending machine is a person and they get that ticket, and they go take – I’ve got to take that to Steve. Oh, is Steve around? No. Is Steve on vacation? Where’s Steve? Oh, let’s go to Brian. Brian gets it and then takes that request, and he passes it to an engineer and days are going by. Our engineer gets that request, scratches his beard, ooh, firewall update, eh? Hmm, let me think about that. Punches some buttons. Maybe I’m going to have lunch. I’m kind of hungry, you know. Is it lunchtime? Okay. Here’s your firewall. Oh, the vacuum tube. I wonder if they have one of those vacuums. Remember those things in the mailroom? Whoosh. Finally, your firewall rules get updated, and now days have gone by. All right? So, taking existing toolsets and trying to graft them onto the Cloud operating model, that’s not automation.


   So, if you remember one thing from this conversation, when you go into the Cloud operating model, I want you to think about nothing. Okay? And what I mean by nothing is zero tickets, zero network taps, zero expensive proprietary appliance because those things are a rip-off, and zero trust. All of these concepts fit together. In the Cloud operating model, we want the guts of our private Cloud to look and behave like the public Cloud. Do you think the public Cloud providers are buying expensive firewalls and proprietary load balancers? No. It’s racks and racks of X86 systems with scale-out infrastructure software. Not a software VM of what is a hardware firewall, but a scale-out architecture with high-level APIs that understands the topology of an application. And when this is your foundation, it allows you to think about security. And all of that instrumentation of the east‑west traffic, that security becomes code. And so, instead of updating it with a ticket and waiting for Steve to get back from vacation to update this system, the computers do the work. The Cloud operating model gives us this magical combination of operational efficiency and better security because all of our infrastructure is implemented as software. Core switching, routing, firewall, IPS, load balancer, advanced threat detection, all of that stuff is under these high-level APIs, which means we have freed it from the dependencies of proprietary hardware, which means we can pick it up and move it.


   And so, real world example, I had a customer who was running a production data center in Ukraine and things got really, really crazy really, really fast, and they had to move that data center from their private Cloud, they wanted to split it across two providers. They did it in a weekend. Now you don’t move a data center that often. But when you do, it makes you realize the power of the operational efficiency that we get with a Cloud operating model and the ability to instrument this stuff in a way that we can detect these advanced threats.


   So, to talk a little bit more about the impact that these threats are having on our security teams, I’ve got a special guest that is going to join us. She’s going to join us remotely. It’s Dr. Amelia Estwick. Amelia is the head of threat research at VMware. She’s no stranger to the threat operations community. She’s worked for more than 17 years in the NSA in various threat operations roles. She’s a veteran of the Gulf War, U.S. Army INFOSEC. She’s very active in the academic community on cybersecurity issues.


   Amelia, thank you for joining us remotely. You spent more time in the SOC than anyone I know. What do you think are the greatest challenges impacting SOC leadership today?


   >> AMELIA ESTWICK: Well, Tom, that's quite interesting. I actually see two challenges. One is - we talked about earlier - is data. Our SOC analysts are inundated with data. When I worked at NSA, I worked in a network threat operations center for ten years, and our analysts were inundated with data back then, and that is, unfortunately, still the case today. So, our adversaries know this, and they remain stealthy. They know that having that signal to noise ratio is so difficult to determine for our SOC analysts. So, our SOC analysts also need the right tooling, integrated tooling so they can then look at those alerts with high fidelity and be able to not only correlate those results, but also with machine learning and analytics. This will help increase the fidelity so we can, again, evict those attackers out of our networks.


   >> TOM GILLIS: So, Amelia, we are here at the RSA Conference, thousands of security professionals all gathered together, and we all face a common adversary. These attacks are more sophisticated and more disruptive than ever before. Do you have any thoughts on what we can do as a community to stop these kinds of problems?


   >> AMELIA ESTWICK: Well, I've got a couple of thoughts, but one that's top of mind, really, is we all just need to come together. Not one organization/vendor has a silver bullet. We're all on one team to fight against the common adversary. So, what does that mean? That means, here at VMware, we are very fortunate to have visibility across the enterprise, that's the user, the device, all the way through to the network and the applications, and we are really, really excited to partner with the community and the ecosystem to build not only the tools and technologies, but also common frameworks and sharing this telemetry with the ecosystem so we can not only protect our customers in a community, but also protect our nation.


   >> TOM GILLIS: Amelia, thank you very much. And as Amelia said, the security operations center, they don't need more data. All right? They don’t need more alerts that they have to respond to. What they need are high-fidelity signals that are actionable. And so, as proud as we are of our ability to correlate what we see on the endpoint and what we see in the network, we also at VMware recognize that it’s an ecosystem. And so, we’re announcing at the show that we’re joining the Open XDR Alliance, working with our partners and other vendors, sometimes our competitors, to create common data models, common schema, to make these systems work better together because the sophistication of the attackers just grows and grows.


   The other thing we're announcing at the show is that we're taking our discrete security telemetry sets that we have from the endpoint for our EDR customer base, for the access point, and for nearly every private Cloud workload imaginable, and we’re pulling this all together into a single threat telemetry database that we call Contexa. Contexa is the brain that gives us the context to understand is that a legitimate RDP connection or does that look like ransomware.


   So, for you as security professionals, now is the time to drive change. Now is the time to embrace the Cloud operating model, and not just cut and paste our old ways of working, but let’s move forward with a new way of instrumenting our workloads, protect them from within, and get ready for this next onslaught.


   Thank you all very much for listening. Come by and see us at the show floor. And, of course, stay safe, everyone. Thanks.

Dr. Amelia Estwick


Director of Threat Research, VMware

Tom Gillis


Senior Vice President/General Manager – Networking and Advanced Security Business Group, VMware
