The VMware team in India organized this webinar on 11th January 2022, with a primary focus on VMware's endpoint protection software suite, "Carbon Black Cloud". In this post, I will summarize the key features discussed in this webinar that I found really impressive.
Carbon Black Cloud is VMware's cloud-native endpoint and workload protection platform. It allows us to prevent, detect and respond, and identify risks; these are critical in threat detection and response. Carbon Black Cloud is platform independent, which means it supports multiple platforms such as on-prem macOS and Windows, AWS workloads, Azure workloads, Kubernetes (K8s) apps, etc.; the only requirement is connectivity to the internet. Carbon Black supports cloud and hybrid cloud infrastructure, but not purely "air-gapped" on-prem devices.
It provides endpoint security for everything VMware, from Workspace ONE to identity management, and from vSphere to NSX; it provides security across all telemetry. An interesting statistic shared in the webinar was that 70% of breaches in the past year were non-malware attacks (remote login, PowerShell, etc.), which is where VMware claims that Carbon Black's solution stands out in threat detection and prevention.
The key features of Carbon Black Cloud that were discussed in the webinar were:
1- Single-agent solution: Carbon Black deploys a single agent to endpoints for the entire security solution: real-time sensor, enforcement engine, known attack behaviour and analysis; all of this is enforced from a single endpoint agent.
2- Carbon Black's EDR: This is Carbon Black's Endpoint Detection and Response tool, and the feature that I found most impressive. I will elaborate on this feature in a bit.
3- Real-time threat database: Since Carbon Black has a large number of endpoints across multiple platforms, its threat database is updated in real time, and endpoint protection is enforced in real time against this threat database.
Let's take a detailed look at VMware Carbon Black's Endpoint Detection and Response (EDR) tool. This is Carbon Black's threat hunting and incident response tool for hybrid deployments. The key use cases include threat hunting, incident response, breach preparation, alert validation and triage, root cause analysis, forensic investigations and host isolation. The key feature of interest is EDR's continuous and centralized recording feature. EDR records every process's chain of execution, including all files, folders, DLLs, etc. opened or accessed by a process. This allows security professionals to hunt threats as well as conduct in-depth analysis after a breach. EDR allows you to break down the attack chain into a graphical representation. This lets a security analyst visualize and quickly understand how the breach was carried out, the attack signature, and the weak links of the system that the attacker took advantage of, so that the identified gaps can be closed effectively. A good example of EDR's use cases has been discussed in this blog: MITRE ATT&CK Evaluation Demonstrates the Power of the VMware Carbon Black Cloud - VMware Security Blog - VMware
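To make the continuous-recording idea concrete, here is a small added illustration (my own example, not Carbon Black's code or its event schema): a few constructed process-start and file-access events are stitched into a process tree, the chain of execution behind any process is reconstructed, and a chain in which an Office application spawned a scripting host (the kind of non-malware attack mentioned above) is flagged. Event layout, process names and file paths are constructed for the example.

```python
"""Rebuild process ancestry from endpoint telemetry, EDR-style.
Constructed sample data; not Carbon Black's own schema or API."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcessNode:
    pid: int
    name: str
    parent: Optional[int]
    files: List[str] = field(default_factory=list)  # files/DLLs touched


# Constructed telemetry: (event_type, pid, parent_pid_or_path, name_or_None)
SAMPLE_EVENTS = [
    ("proc_start", 100, 1, "explorer.exe"),
    ("proc_start", 200, 100, "winword.exe"),
    ("file_open", 200, "C:\\Users\\demo\\report.docm", None),
    ("proc_start", 300, 200, "powershell.exe"),
    ("file_open", 300, "C:\\Windows\\System32\\kernel32.dll", None),
    ("proc_start", 400, 300, "cmd.exe"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def build_tree(events) -> Dict[int, ProcessNode]:
    """Index recorded events by pid, attaching file accesses to processes."""
    nodes: Dict[int, ProcessNode] = {}
    for kind, pid, ref, name in events:
        if kind == "proc_start":
            nodes[pid] = ProcessNode(pid, name, ref)
        elif kind == "file_open" and pid in nodes:
            nodes[pid].files.append(ref)
    return nodes


def ancestry(nodes: Dict[int, ProcessNode], pid: int) -> List[str]:
    """Walk parent links back to the root; returns names oldest-first."""
    chain, seen = [], set()
    while pid in nodes and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(nodes[pid].name)
        pid = nodes[pid].parent
    return list(reversed(chain))


def suspicious_chains(nodes: Dict[int, ProcessNode]) -> List[List[str]]:
    """Flag execution chains where an Office app directly spawned a script host."""
    hits = []
    for node in nodes.values():
        parent = nodes.get(node.parent)
        if node.name in SCRIPT_HOSTS and parent and parent.name in OFFICE_APPS:
            hits.append(ancestry(nodes, node.pid))
    return hits
```

Rendering each returned chain as parent-to-child arrows gives the same kind of attack-chain view the webinar showed, with the recorded file accesses available per node for root-cause analysis.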
I would have loved to get hands-on with a trial version to understand the software in more detail; hopefully someday VMware will offer a trial Carbon Black version, or perhaps add it to the VMUG subscription, so that enthusiasts like me can get to experiment with it.