VMware NSX Advanced Threat Prevention (ATP)


VMware’s NSX Advanced Threat Prevention (ATP) provides network security capabilities that protect organizations against advanced threats. NSX ATP combines multiple detection technologies – Intrusion Detection/Prevention System (IDS/IPS), Network Sandboxing, and Network Traffic Analysis (NTA) – with the aggregation, correlation, and context engines of Network Detection and Response (NDR). These capabilities complement each other to provide a cohesive defensive layer. As a result, ATP increases detection fidelity, reduces false positives, and accelerates remediation while decreasing security analysts’ manual work. The VMware NDR solution is available in both Cloud and On-Prem versions so it can be consumed in whichever form an organization requires.


The VMware NSX Advanced Threat Prevention solution consists of four key components:

  1. IDS/IPS (Intrusion Detection and Prevention System)
  2. MP (Malware Prevention) (Network Sandbox)
  3. NTA (Network Traffic Analysis)
  4. NDR (Network Detection and Response)


IDS/IPS (Intrusion Detection and Prevention System)

This technology inspects all traffic that enters or leaves the network, detecting and preventing known threats from gaining access to the network, critical systems, and data. IDS/IPS looks for known malicious traffic patterns to hunt for attacks in the traffic flow. When it finds such attacks, it generates alerts for use by security analysts. Alerts are also logged for post-incident investigation. IDS/IPS uses accurate signatures, tailored to the applications being protected. This makes it possible to effectively protect applications against a wide range of known attacks and exploits.


MP (Malware Prevention) (Network Sandbox)

This is a secure isolation environment that detects malicious artifacts. It analyzes the behavior of objects, such as files and URLs, to determine if they are benign or malicious. Because it does not rely on signatures, the sandbox can detect novel and highly targeted malware that has never been seen before. It uses a combination of static and dynamic program analysis techniques to identify known, as well as previously unknown, malware programs and malicious documents.


NTA (Network Traffic Analysis)

This technology looks at network traffic and traffic flow records using machine learning (ML) algorithms and advanced statistical techniques to develop a baseline of everyday activities. NTA can identify protocol, traffic, and host anomalies as they appear. Of course, not all anomalies represent threats; that’s why VMware’s NTA implements additional ML and rule-based techniques to determine if the anomaly is malicious. This analysis pipeline keeps false positives to a minimum, reducing the security team’s work so the team can focus on real issues. It identifies unwanted network behaviors, which makes it possible to detect threat actors that attempt to break into a network, move laterally, and exfiltrate stolen information.


NDR (Network Detection and Response)

NDR consists of aggregation, correlation, and context engines. IDPS, Network Sandbox and NTA all produce alerts that are related to individual hosts. The NDR aggregation engine collects signals from the individual detection technologies and combines them to reach a verdict (malicious or benign) on network activities. The correlation engines combine multiple related alerts into an “intrusion campaign.” The context engines collect data from various sources (including sources outside NSX) to add helpful context to the information provided to security analysts. The NDR (Network Detection and Response) component pulls all these alerts together, aggregates them across multiple assets, and provides the SOC or a security analyst with a high-level picture of all ongoing intrusions.
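The aggregation and correlation steps described above, shown as an added Python illustration (this is not NSX code; the alert format, per-detector weights and the verdict threshold are constructed assumptions, as is the rule that lateral-movement alerts link hosts into one campaign):

```python
from collections import defaultdict

# Constructed sample alerts, not real NSX output: each detector emits per-host
# alerts; NTA lateral-movement alerts additionally name the peer host.
ALERTS = [
    {"src": "idps",    "host": "web01", "weight": 0.5, "desc": "exploit signature hit",         "peer": None},
    {"src": "sandbox", "host": "web01", "weight": 0.9, "desc": "dropped file verdict: malicious", "peer": None},
    {"src": "nta",     "host": "web01", "weight": 0.4, "desc": "SMB lateral movement",           "peer": "db02"},
    {"src": "idps",    "host": "db02",  "weight": 0.5, "desc": "credential dumping signature",   "peer": None},
    {"src": "nta",     "host": "db02",  "weight": 0.6, "desc": "large outbound transfer",        "peer": "ext-drop"},
    {"src": "nta",     "host": "hr07",  "weight": 0.2, "desc": "new protocol seen",              "peer": None},
    {"src": "idps",    "host": "app03", "weight": 0.5, "desc": "scanner signature",              "peer": None},
    {"src": "nta",     "host": "app03", "weight": 0.4, "desc": "RDP lateral movement",           "peer": "app04"},
]

MALICIOUS_THRESHOLD = 0.8  # assumed verdict line; one strong or several corroborating signals cross it

def aggregate(alerts):
    """Aggregation engine: sum signal weights per host and return a verdict per host."""
    score = defaultdict(float)
    for a in alerts:
        score[a["host"]] += a["weight"]
    return {h: ("malicious" if s >= MALICIOUS_THRESHOLD else "benign") for h, s in score.items()}

def correlate(alerts, verdicts):
    """Correlation engine: malicious hosts joined by lateral-movement alerts form one
    intrusion campaign (connected components of the host link graph)."""
    bad = {h for h, v in verdicts.items() if v == "malicious"}
    links = defaultdict(set)
    for a in alerts:
        if a["peer"] and a["host"] in bad and a["peer"] in bad:
            links[a["host"]].add(a["peer"])
            links[a["peer"]].add(a["host"])
    campaigns, seen = [], set()
    for start in sorted(bad):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:  # depth-first walk over the link graph
            cur = stack.pop()
            if cur in component:
                continue
            component.add(cur)
            stack.extend(links[cur] - component)
        seen |= component
        campaigns.append({"hosts": sorted(component),
                          "stages": [a["desc"] for a in alerts if a["host"] in component]})
    return campaigns

if __name__ == "__main__":
    for c in correlate(ALERTS, aggregate(ALERTS)):
        print(c["hosts"], "->", c["stages"])
```

A host with a single low-weight anomaly (hr07) stays benign, while the web server and database linked by the SMB lateral-movement alert collapse into one campaign that an analyst can read as a single intrusion rather than five separate alerts.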


Network Security Use Cases

  • Virtual Patching: Proactively protect vulnerable workloads using distributed IDS/IPS, allowing security teams time to plan and deploy patches to workloads.
  • Advanced Malware Detection: Utilize a full system emulation network sandbox to detect and block sophisticated malware as it enters the infrastructure.
  • Anomaly Detection: Provide NTA data collection points on all workloads without requiring SPAN or TAP ports. Enable real-time intelligence on anomalous activities as such activity moves laterally across the infrastructure.
  • Intrusion Campaign Detection: Enable the security team to visualize attack chains by using the NDR to condense massive amounts of network data into a handful of intrusions along with contextual information. Correlate security events (suspicious objects and anomalous network flows) to automatically connect the dots for the security team.


Key Benefits

  • Efficient Operation: ATP combines multiple related alerts, across many different assets and hops, into a single intrusion campaign view. This view enables the incident response team to quickly understand the scope of the threat and prioritize its response. Further, the information ATP provides allows security teams to proactively hunt for network threats. Finally, the solution reduces false positives.
  • High-Fidelity Detection: ATP detects not only known threats but new, evolving threats that have never been seen before. It is engineered to detect malware specifically designed to evade standard security tools. ATP detects threats by analyzing local network traffic behavior and by importing and utilizing indicators of malicious behavior from the VMware global threat intelligence network (VMware Contexa).
  • Comprehensive Visibility: ATP has complete visibility into both north-south and east-west traffic. Thus, ATP provides a comprehensive overview of abnormal behavior across the network. It also extends protection to all assets in the infrastructure, including those devices that do not have endpoint protection installed, such as physical servers with legacy workloads.

That’s it for this blog. Stay tuned for future blog posts!!!