How To Secure Your Organization When Working Remotely – Interview With VMware Carbon Black

VMware Carbon Black is an endpoint protection platform (EPP) that prevents advanced threats, provides actionable insight, and enables businesses of all sizes to simplify operations. By analyzing billions of security events per day across the globe, VMware Carbon Black has key insights into attackers’ behaviors, enabling customers to detect, respond to and stop emerging attacks.

In this interview, Rick McElroy discusses the challenges that COVID19 has imposed on the entire business world, and describes how VMWare Carbon Black can make it easier.

Please describe the background behind VMWare and Carbon Black, who they are, and why they joined forces

I’ll take you through this journey from my own perspective, the Carbon Black perspective. Carbon Black as an entity has been around for 17 years, so it’s a fairly long-standing cybersecurity company. It started by creating a market space and technology which was referred to as application control. As a product, Carbon Black is largely deployed in very secure areas, where organizations only allow good known executables to run and ban everything else.

Subsequent and a few years later, 5-6 people were working in a garage on an issue that crossed boundaries, from government entities to commercial enterprises. That was called Operation Aurora. It was a nation-state that started targeting commercial cloud providers, departments of defense, and government entities. The technology to record activities on an endpoint didn’t exist, and there was no data to figure that out with. So that team created it, which led to the formation of a brand new market called Endpoint Detection and Response (EDR).

Subsequent to starting EDR an acquisition of another organization was made to provide next-gen antivirus and a cloud platform, and bring those two solutions together.

After we launched our cloud technology, bringing on-prem solutions into the cloud, we went public in 2018 and then were acquired by VMware in late 2019. So now we’re actually serving as part of the security business unit for VMWare.

VMware has an awesome history. It started off in the late 90s, essentially creating virtualization technology that 80% of all providers use. If you’re running a data center, there’s a good chance you’re a VMware customer. So for us, it represents the opportunity to not only build security for 80% of that market space, but also to provide intrinsic solutions – security that’s baked into the fabric of existing technology. Too many people simply bolt security on. VMware’s intrinsic security strategy means customers can simplify and strengthen security.

Essentially, anytime you deploy a virtual machine server, our technology will be there, automatically deployed as part of the toolset, and transparent to all users. What we’re trying to do is simplify and reduce the number of controls teams need, and allow them to focus on the important stuff. That’s the journey we’re on in 2020.

Here’s a quick preview of what the VMware Carbon Black dashboard looks like:

Carbon Black Endpoint Standard Comprehensive Detection & Prevention

In your view, what are the main challenges that Covid-19 has introduced to the corporate environment?

There’s a number of challenges. Depending on the organization, some portion of the staff will probably be allowed to work remotely. Specifically, IT teams, who will be able to support security teams quickly, as security incidents can happen 24/7.

So far, most executive staff were able to work remotely, but finance, legal, and a lot of other functions were still in offices. So regardless of whether or not you had a population of users that were already allowed to work remotely, you’ll see this trend growing in tech companies, sales teams, and anyone who typically does most of their work face to face.

Sensitive conversations that typically would be discussed privately are now being sent via email, Slack, or on video conferencing software. Particularly, some healthcare and financial institutions have actually had to temporarily break their compliance models. Their security and compliance stacks were built on-premises, so certain systems could only be accessed by certain people sitting at a certain desk. They’ve actually wired their networks that way.

So, what happened as a result of COVID-19 was that lots of VPN configurations and firewall rules have been changed. For most organizations, the entire model around data loss prevention has changed. Specifically in the health care sector, a lot of their work is actually enabled through fax machines. In a lot of ways, it provides better security than email, which is notorious for getting broken into.

Some organizations have to retrofit all of their infrastructures to enable business continuity while users stay at home. My personal prediction is that organizations will realize that people are still getting their jobs done, and they can save money on real estate as well as avoid the liability of putting a large number of people in the same building.

I don’t think we’ll go back to how we designed companies to work before. We’ve ripped off the duct tape that a lot of organizations were hesitant to remove because they were just old school. The initial two-three weeks required a lot of work out of teams to facilitate these requests. Many organizations still had file-sharing systems in their offices that can only be accessed from the office and now, they are sharing local files and passing them around. So clearly, security models need to change.

What is VMware doing to help those organizations?

I’m very proud to be part of VMware. I don’t say that because they acquired us, I say that because I was already a big fan of that company and the way they do business. They’re giving away an immense amount of technology to secure remote workers. And then of course, on the Carbon Black side, what we’ve seen is a lot of folks that have had to extend their endpoint security to home devices.

So I’m very proud that VMware isn’t participating in the FUD of COVID-19, like some organizations out there. We’re more realistic about it. We know we need to enable that remote work, so that’s what we’re focused on.

What is your advice for organizations that are undergoing a forced digital transformation?

Firstly, they’re going to need security built from the ground up. We call that intrinsic security. Your security should be there to cover you as you digitally transform and build new things.

The other thing I’d like to emphasize with folks on that journey is evolving from work FROM home to work AT home. Historically we’ve relied heavily on network solutions to provide visibility and prevention. But in a world where users want to work on any device from anywhere, and that has to be approved, their ability to do endpoint security needs to be raised.

What we see is that the innovations from attackers are happening on the endpoints. The lack of visibility causes them to stick around on a system for as long as 200 days. And then eventually someone notifies the company that they’ve been breached. So our model is that you should push your security to where the data is and where users interact with it.

I think the advice for teams out there is to use the current crisis as an opportunity. Essentially, we just tested everyone’s resiliency plans. From food to banking to healthcare; what I hate to see is organizations that don’t make progress. So chances are that, for them, their projects are going to change and some money will evaporate from their programs.

There’s only so much money in an economy and cybersecurity happened to be getting a big chunk of that for the last 10 years. I think that curve will start to flatten. Cybersecurity spend will start to plateau. Keeping an eye on the new technology that will come as a result will be a good idea at this stage.

If you’re going to be resilient for something, I think two things are particularly important: loss of power and the loss of people. Those are the two things to learn the lessons from and move forward.

People use different platforms that each have their own security measures, producing huge amounts of data that can be overwhelming. What do you do with all this data?

Hopefully, you log all of it, and then you do some analytics on top of it. So you’ll see this new market space being developed. Gartner is calling it XDR. What this really means is that you’re logging the right things and then providing the right analytics over that to identify that something happened. That’s essentially what everybody wants to accomplish. Did someone break into my house? If they did, where are they in the house, and can I go find them?

So I think when you look at it broadly, what teams have struggled with is picking what’s called SIEM, which is the market space to log everything and start to analyze and then, hopefully, put together this picture. But I believe most teams aren’t capable of writing their own analytics. Most of them will not go down the road of writing an ML engine to go identify outliers in a set of data, it’s just too much work.

So I believe the vendors that have the largest picture and the best analytics are going to help customers the most, and I believe VMware represents that. Firstly, because of the footprint that we have, so there’s a unique value proposition in what Carbon Black specifically is doing with VMware. Most security tools are deployed above the operating system. So there’s going to be a kernel driver that exists in Microsoft or MacOS, and then you have all this activity that everyone does in the operating system, and they watch that stuff. So whether it’s you opening Firefox or a bad actor, from VMware perspective, we’re going to be deployed into their virtualized kernel, which gives us a super unique level, because bad guys can’t get to it and we’ll have data that other vendors don’t so we’ll be able to see things like attacks that occur pre the operating system.

If you look across all of the VMware technology stacks and you tie that together with analytics, NSX, data coming from your mobile devices from workspace one; all that stuff put together with the analytics. The Carbon Black proposition is that we understand attackers’ behavior. So when you start to fuel all these data sources, you need analytics that is specific to behaviors and patterns that attackers follow, and that really provides value for customers out there.

Of course, VMware is in the container space as well, which is sort of the new path forward for application development. A web application front end may do some calls on the back end but there’s a number of challenges to getting visibility inside those containers. We believe we’ve leaped those hurdles so we can actually provide security throughout that entire lifecycle. Whether someone wants to develop on containers or write applications on top of Windows or Linux, we’ll be there.

Which trends and technologies do you expect to see more of in your industry in the coming years?

I expect an absolute acceptance of cloud security providers. In the current crisis, it’s been very helpful for the teams that have embraced that. It’s also been helpful for small and medium businesses who don’t have a giant staff and need things like VPN, firewall, and content filtering that will be there for the users wherever they go. So, cloud security represents a way to provide high security anywhere the user goes with low management. I don’t need to build a bunch of servers to do that, because somebody else has done that. So I think cloud network security providers and cloud endpoint security providers are going to be able to help.

You’ll probably also see a rise in IoT security as it relates to the cloud. My expectation is that post COVID, we’re going to deploy lots of new solutions. I don’t know what all those solutions are yet, but I imagine we’ll see temperature monitors at airports. We might see some form of digital immunity cards that we’ll all carry around on our phones, but this is something I’m assuming certain countries are going to require from visitors who travel there, basically stating that you don’t have COVID-19 or that you’re immune to it.

Teams are going to continue to struggle with moving from the stacks and models that they built, toward this new world and you’ll see a lot of money being spent on that space. So for us, I think it represents a good future for VMWare. Holistically, we understand there are thousands of solutions in this space and it’s not plausible to buy them all. You get out of configuration pretty easily so I think for VMware customers, simplifying that entirely and being able to provide simple security management is super helpful for teams.

So I think the movement is toward making security more inherent and easier to provide. There are a lot of layers and we, as an industry, have historically over-complicated it, so we have to simplify it.

How do you see the future of your industry five years from now?

One of the first predictions that I blogged about is we’re going to have consolidation in a lot of markets, due to the economic impacts of COVID-19. Managed service providers and managed SOCs are already feeling some of the pain, as margins were really thin in our industry. A lot of the companies that have been waiting for a new round of funding may now be consumed by larger organizations. For them, it will be an opportunity to acquire some of this technology and some of these teams and start to bring them together. That movement started about five years ago in security anyway, but I think this particular economic downturn will accelerate that. In the end, if the right companies do it, I think it will be a good thing because when you look at the overall landscape of information security alone, there are about 5000+ vendors. For comparison, if you look at endpoint security, it’s 100+ vendors. So for a team that needs to pick a tool that they’re going to use for five to seven years, it’s a lot of work. You have to manage it and tend continuously.

So what security has traditionally done is that for each new thing that attackers do, we go and build a new tool. But if you look at that tool now and it’s largely a point in time. So I think there will be a shift from addressing one-off areas of risks and threats, to a more intrinsic view, and I think that is good for the vendors because there are really too many of them.