VMware Takes On Lateral Security with Contexa Threat Detection

VMware has added threat detection capability called VMware Contexa that discovers lateral network traffic. The new technology, released on Thursday, is a cloud-based service that VMware is adding across its various offerings.

The launch of Contexa comes in advance of next week’s RSA Conference in San Francisco, where VMware will demonstrate it. It also comes a week after Broadcom agreed to acquire VMware for $61 billion. VMware had planned the Contexa launch before the announcement of the deal.

Detecting lateral network movement is important because it has become a prevalent threat. Lateral movement typically indicates an undiscovered attack that often has occurred months or in some cases, years earlier.

VMware claims that Contexa is more likely to discover lateral network traffic than current security information and event management (SIEM) and extended detection and response (XDR) solutions. That’s because SIEM and XDR offerings rely on sampled telemetry, said Tom Gillis, senior VP and general manager of VMware’s Advanced Security Business Group.

VMware’s Tom Gillis

“It’s a hint or an indicator of what’s happening, but it doesn’t give you the visibility,” Gillis said of SIEM and XDR offerings. “It’s not because the analytics of SIEM [or XDR] are bad; it’s because [they] doesn’t have access to the raw data to be able to understand what’s happening.”

VMware Contexa is not a product; rather, it is analytics technology that monitors traditional virtual environments through VMware NSX and endpoints via VMware Workspace One and Carbon Black. For modern, cloud-native app environments, Contexa detects threats via VMware Tanzu. VMware is offering it at no additional cost.

Advances in silicon from AMD and Intel have resulted in 128 core servers, making it possible to run more than 100 VMs on physical host, Gillis emphasized. Little of that traffic is actually analyzed, Gillis noted.

“By instrumenting the virtualization layer, we see every packet and every process,” he said. “And we understand them in context.”

Billions of Threats Detected

Contexa currently processes more than 1.5 trillion endpoint events and 20 billion network flows daily, according to a VMware internal analysis performed last month. Contexa detects roughly 2.2 billion suspicious activities each day, according to the analysis. VMware combines the machine learning data with information from 500 human researchers across the VMware Threat Analysis Unit and among different incident response partners. Among those events, VMware said it provides automated responses to more than 80% of them.

Omdia’s Eric Parizo

“By combining threat insights from NSX, Carbon Black and Workspace One, and supplementing those capabilities with machine learning and human expertise, VMware has an opportunity to excel as a provider of threat intelligence and threat detection, investigation and response across the entire modern enterprise,” said Eric Parizo, lead analyst for Omdia’s Cybersecurity Operations (SecOps) Intelligence Service. (Informa is the parent company of both Omdia and Channel Futures.)

Workspace One and MACS

VMware Contexa is available now for VMware’s Workspace One client virtualization offering and its Modern Apps Connectivity Services (MACS).  MACS is an offering consisting of the VMware NSX Advanced Load Balancer and VMware Tanzu Service Mesh. VMware’s NSX Advanced Load Balancer provides consolidated, multicloud, north-south application services.

Tanzu Service Mesh automates the execution of distribution of apps with secure east-west connectivity across Kubernetes clusters and connects to traditional virtual machine environments. It provides traffic management, policy control, encryption and authorization services to distributed apps. VMware plans to add Contexa to other offerings over time, including its Carbon Black endpoint protection offering.

“With Contexa, VMware is doing what’s rare in enterprise cybersecurity, namely offering a solution that’s truly innovative, by way of the depth and integration of its security telemetry across endpoints, applications, within virtual and hybrid data centers, at access points, and across distributed cloud edge environments,” Parizo said.

“Where I think VMware has a particularly compelling opportunity to excel is in its ability to use its unique position within the application infrastructure to observe and understand application-layer traffic, in both traditional virtual applications and cloud-native containerized and microservices-based applications, and pinpoint anomalous activity,” he added. “Even today this remains a remarkably challenging endeavor that few vendors can do consistently and effectively.”