VMware has recently enlarged NSX’s service defined firewall security capabilities with the acquisition of LastLine, an anti-malware and AI-powered network detection response solution. LastLine’s network traffic analysis (NTA) will help protect east-west traffic across multi-cloud environments and uses unsupervised and supervised machine learning to identify threats and reduces false positives by up to 90%. On top of that, virtual patches can be added at every workload in the environment and not limited to just the perimeter.

NSX Advanced Threat Detection can be installed in less than an hour and immediately starts sensing the north, south, east and west network traffic. Within a few days, you will gain visibility into all the devices communicating on the network as well as their operating system, as well as which services and application are involved.

It will process the network traffic and narrow down the search through several hoops. In the example below from the VMworld session, we can see that 4 intrusions were identified out of almost 20TB of data analysed.

It will first process terabytes of network data by applying various forms of machine learning to identify potentially suspect and malicious network activity. Artificial Intelligence will then leverage all the knowledge about these anomalies to identify what malicious actors might be doing on the network and prioritize intrusions based on the risk associated. This is where Advanced Threat Protection can expect to reduce the number of false positives in the threat detection compared to a Legacy IDS solution.

The management console offers a holistic view of the detected threats associated with the affected hosts with a colour-coded display to highlight the most dangerous threats. Amazingly, it even provides insight into the context of the attack and its different stages.

To go even further, an “intrusion blueprint” of the attack is generated to quickly get an idea of the scale of the attack with a visual representation of the different flows of internal and external assets involved. That intrusion blueprint can also be displayed as a detailed timeline of events detailing the stage of the action (delivery of payload via email, lateral movement with psexec, exfiltration with data upload and so on).

This interface offers an incredibly in-depth graphical view of actions that were in the past identifiable in gigabytes of logs.

The analysis shows the network interactions of each stage and the threat level of the payload. AI will also warn on unusual operations that deviate from a typically observed pattern. For instance, a host that uploads 1GB of data while it usually sends around 150MB will be reported as suspicious data upload.

NSX Network Detection Response provides a Flexible, distributed and scalable cloud architecture with a rich set of APIs which integrates with existing workflows. It will help block malicious network flows, prevent data exfiltration and render attackers attempts unsuccessful.

Conclusion

This new release fits right into VMware’s drive towards providing customers with the intrinsic security mindset. VMware NSX Advanced Threat Prevention brings network detection and prevention to a whole new level by providing security engineers with visibility never seen before on malicious activity.