Let’s say you work in a large organization that operates with restrictions and security measures. You have isolated user accounts, regular password changes, and strict access permissions. Self-destructive activities are not your kind of thing. You would avoid leaving sensitive documents on unattended desktops or installing programs from suspicious websites. Unfortunately, cybercriminals won’t take the time to read your resume or check if you’re vetted before they attack. After all, they only have seconds to gain access to your network without being detected. In this blog post, we cover how you can use VMware Carbon Black Cloud Managed Detection and Response (CB cloud managed detection & response) to detect and remediate attacks against virtual machines in an automated way using the Threat Hunter capabilities as part of VMware vSphere Integrated Security operations.
What is VMware Carbon Black Cloud Managed Detection & Response?
VMware Carbon Black Cloud Managed Detection and Response (CB Cloud Managed Detection & Response) is a cloud-based platform that uses machine learning and artificial intelligence (AI) to detect and respond to cyber threats. It integrates with VMware vSphere Integrated Security and VMware vRealize Operations to extend security operations to the virtual environment. CB Cloud Managed Detection & Response delivers an application that is hosted in the cloud and can be installed on a host running vCenter Server or on a host running vRealize Operations. CB Cloud Managed Detection & Response uses the VMware vSphere Integrated Security and vRealize Operations events to trigger automated responses to cyber threats. CB Cloud Managed Detection & Response provides security operations teams with the ability to detect and respond to cyber threats in real time by automating the investigation and incident response processes. This extends security controls and threat intelligence to the virtual environment, enabling organizations to keep pace with the growing volume and complexity of cyber-attacks.
Detect and Remediate Attacks Automatically
Vulnerabilities and threats can be detected by matching specific events that are registered by the sensors in your environment with the given rule set. For example, the rule set can be configured to detect when a file is being downloaded or uploaded, or when an unknown user is trying to log in to the system. Once a threat is detected, an alert is generated that includes details about the type of event, the source, the target, and a recommended action. The security operations team can then investigate the alert to determine if it is an actual threat and if so, they can respond by taking the necessary action against the threat. CB Cloud Managed Detection & Response collects data from various sources (sensors) like vSphere, vRealize Operations, vRealize Log Insight and other security solutions like Cisco, FireEye, McAfee, and Palo Alto to name a few. With this information, it can identify known threats and suspicious activities and generate alerts that report potential security risks.
Use Case: VM Detection and Alerting
The VM Detection and Alerting rule set detects when a VM is being accessed illegally and generates an alert. This can happen when someone tries to log in to a VM account with an incorrect password or when someone tries to access the VM console remotely. The rule can be configured to generate an alert when any of the following events are detected: - Virtual machine console access - Remote desktop or VNC login attempt - VM console login attempt - VM login with incorrect username or password - VM console logon attempt with incorrect username or password - VM console logon attempt with incorrect username or password after failed login attempts VMware vSphere Integrated Security logs all these events and sends them to the CB CLOUD MANAGED DETECTION & RESPONSE application. The CB Cloud Managed Detection & Response application analyses the events identifies the source IP address and generates an alert. The alert includes information about the VM that was accessed, the IP address of the source, and a recommendation to act. VMware vSphere Integrated Security can also be configured to quarantine the VM to prevent the attacker from gaining access to it. VMware vSphere Integrated Security can also be configured to quarantine the VM to prevent the attacker from gaining access to it. VMware vSphere Integrated Security can also be configured to quarantine the VM to prevent the attacker from gaining access to it.
Use Case: Network Detection and Alerting
The Network Detection and Alerting rule set detects when an IP address tries to log into a port, MAC address spoofing occurs, or when a MAC address is being used by a different IP address. This rule can be configured to generate an alert when any of the following events are detected: - IP address trying to log into a specific port or MAC address spoofing - MAC address being used by a different IP address - IP address trying to log into a specific port or MAC address spoofing after failed attempts VMware vSphere Integrated Security logs these events and sends them to the CB CLOUD MANAGED DETECTION & RESPONSE application. The CB Cloud Managed Detection & Response application analyses the events identifies the source IP address and generates an alert. The alert includes information about the IP address that tried to log into a port, the spoofed MAC address, and a recommendation to act. VMware vSphere Integrated Security can also be configured to quarantine the VM to prevent the attacker from gaining access to it. VMware vSphere Integrated Security can also be configured to quarantine the VM to prevent the attacker from gaining access to it.
Use Case: Vulnerability Detection and Alerting
The Vulnerability Detection and Alerting rule set detects when a VM is running an outdated version of a software or a VM that is running a service with known vulnerabilities. This rule can be configured to generate an alert when any of the following events are detected: - VM running outdated software - VM running a service with known vulnerabilities - VM running outdated software after failed attempts VMware vSphere Integrated Security logs these events and sends them to the CB Cloud Managed Detection & Response application. The CB Cloud Managed Detection & Response application analyses the events identifies the VM that is running the outdated software or service with known vulnerabilities and generates an alert. The alert includes information about the VM and a recommendation to act. VMware vSphere Integrated Security can also be configured to quarantine the VM to prevent the attacker from gaining access to it. VMware vSphere Integrated Security can also be configured to quarantine the VM to prevent the attacker from gaining access to it.
Conclusion
CB Cloud Managed Detection & Response provides an automated way to detect and respond to threats. It collects information from sensors in your environment and analyses it to identify threats. Once a threat is detected, an alert is generated that includes details about the type of event, the source, the target, and a recommended action. The security operations team can then investigate the alert to determine if it is an actual threat and if so, they can respond by taking the necessary action against the threat. With this solution, you can quickly detect and respond to attacks, better protect critical systems and sensitive data, and improve your overall security posture.
Want to find out more?
If you have an opportunity that you would like Dicker Data to assist with, get in touch today.
Natalie Burke
VMware Partner Development Manager
Share Article
Leave a comment
