What does Carbon Black actually do

From witchcraft to "security ex works"

There is creaking in the IT security structure: ransomware paralyzes Garmin for days, a provider of navigation services that are critical for consumers and the aviation industry. And a 17-year-old hijacked Twitter, a short message service that is now an elementary source of news (or of fake news, depending on your preference). At the same time, industry is connecting everything to the Internet that until now was prudently kept physically separate. Fortunately, VMware has long held that security built into the (virtual) IT infrastructure would not be such a bad idea. Since then, the group has been promoting "intrinsic security".

At VMware, this means a uniform strategy for context-related end-to-end security with several pillars: network segmentation including traffic inspection using NSX network virtualization, protection of digital workspaces including mobile devices (with AirWatch), defense against threats to cloud instances (through CloudHealth), and protection for endpoints and workloads (Endpoint Detection and Response, EDR). For the latter component, the group acquired Carbon Black, a specialist in ML-based (machine learning) EDR, almost exactly a year ago, with the aim of integrating its software into the portfolio for intrinsic security. So I talked to Rick McElroy, Head of Security Strategy at VMware Carbon Black, about the current state of affairs.

According to Carbon Black's chief strategist, a core problem of corporate security is that numerous security tools generate an almost unmanageable amount of security information. This makes it difficult to get an overview and to prioritize defensive measures sensibly (in the SOC, as in medicine, called "triage"). "With this in mind, it is important to get a better picture of what is happening," stresses McElroy. "So it's about context and behavioral analysis."

"It's about context and behavioral analysis," said Rick McElroy of VMware Carbon Black.

The "deus ex machina" that is supposed to come to the rescue here is artificial intelligence - in this case in the form of ML. The problem for user companies (as well as for curious journalists): the inner workings of machine learning are basically a "black box". Inside this black box, so-called "algorithms" do their work - and it usually doesn't get any more specific than that. When asked how he could explain the advances in ML-based security, McElroy said: "The more data you feed machine learning algorithms, the better ML can work. We now process 8 TB per day. This allows us to better train and tune the ML models." This in turn increases the accuracy of the results for classification and triage. "We're constantly making improvements," says McElroy, "to move from detection to prevention as much as possible. Because it is easier to detect attacks than to prevent them." This is why it is important to get as close as possible to the beginning of an attack chain.

"'Algorithm' is what the developer says when he doesn't want to reveal how it works," is a well-known IT joke. This raises the question of how an interested party can check the effectiveness of the black box for their own IT environment. "I would generally advise a company not to listen to vendors' recommendations when testing ML solutions," said McElroy. According to McElroy, many companies have adopted the MITRE framework to classify threats and attacker groups. This provides a good grid for testing the effectiveness of security solutions. "When testing security solutions, it is definitely most effective to proceed as attackers would," says the expert. "Then you realize: with one tool I see attackers moving laterally in the network, with another I don't." He points out that some of the largest MSSPs worldwide use the Carbon Black solution to uncover precisely such behavioral patterns.

EDR for intrinsic security

So much for Carbon Black as a standalone solution. The aim of the acquisition by VMware in August last year was of course to integrate the software into its comprehensive security architecture. On the status of this project, McElroy explained: "Even before the acquisition, we had a partnership with VMware. We are currently still working on the integration of the solutions; the goal for next year is then intrinsic security."

The short-term goal is the integration of XDR technology (XDR: EDR for "X", i.e. any kind of instance) into vSphere. Kubernetes and Tanzu are to follow later. In addition, work is under way on an integration into VMware's mobility management solution AirWatch: according to McElroy, you can already distribute the Carbon Black software to endpoints with AirWatch - which is not surprising, since this is a core function of the AirWatch software. "The next step is to be able to deploy EDR to mobile devices faster. In the future, this should be done at the push of a button, without having to create software packages first." He considers the sharing of security information with the AirWatch platform to be another important aspect. This should enable better contextualization of the security information in the future.

Like so many in the security industry, McElroy warns against resting on one's ML laurels: "The attackers will also use AI more in the future. For example, there is already offensive AI at the machine code level," he warns. This is precisely why companies need built-in, i.e. intrinsic, security in their IT. He sees this approach as relevant not only for large companies, but also for the SME market: "The broad mass of small and medium-sized companies will benefit from the preparatory work that large companies and MSSPs are doing today," he says. Companies of all sizes could make ML-based solutions part of their prevention model.

According to Rick McElroy, the goal must be "that IT teams can say: IT security, that's not rocket science!" The development is already heading in this direction: "I know, for example, smaller companies that do their own threat hunting," says the security expert. "The value of ML-based security is becoming more and more obvious, even for smaller companies."
