
Friday, June 3, 2022

Vmware NSX Intelligence & Security Use Cases

Traditional approaches to security analytics rely either on a centralised architecture or on agents. The first challenge with a centralised processing model is its size and footprint: racks and racks of servers and storage, particularly at scale. An agent-based solution instead carries a large operational overhead to deploy and manage agents across hundreds or thousands of endpoints. 

Centralised collection also adds network overhead and degradation, because traffic has to be mirrored from every endpoint to the collector. A network-based solution brings its own trade-offs: it has limited context, seeing only ports and protocols, so a compromise of a guest can easily be missed. To get around the load, many products sample traffic, which means not all of the data and context is collected; and some solutions are tied to specific physical devices and do not work across every network. In contrast, with NSX Intelligence we have built and delivered a native, distributed analytics engine that uses the rich workload context available in NSX to deliver security policy management and visibility through analytics across the data centre. 

NSX already provides services such as routing and stateful security enforcement at scale using a distributed data plane with centralised management. Within NSX Intelligence we have built the analytics on top of that same platform and the same data, which lets us do it far more efficiently and in a lighter form factor than our competitors. The reason is that the NSX architecture allows in-line processing of multiple functions, implemented as successive steps in the packet processing pipeline: the distributed firewall is followed by IDS/IPS, and analytics is provided with minimal overhead directly in kernel space. Because NSX Intelligence sits on the proven NSX platform and DFW engine, we do not need agents or a third-party product to go from an analytics-driven recommendation to an enforced policy. We are already in line for every flow, so storing and analysing that data simply lets us do more, which is one of the core principles of NSX. On top of this we apply a number of patented AI and ML algorithms. Because of this architectural advantage there is no trade-off in sampling or in distance from the workload: we see and store every flow, and the analytics can act on that data. 

Using a streaming-based architecture, we also optimise the data platform through distribution: at the source we can deduplicate, compress and match on unique flows, and it is these optimisations that let us deliver NSX Intelligence with a light footprint while still storing up to thirty days of historical data in the data platform. The NSX Intelligence engine has features that use this time-series history, and the platform is extensible: it can serve as a hub for analysed data that is shared with existing security tools and other VMware products. 

These are the three primary security use cases and features of NSX Intelligence: visualisation, security policy recommendations and network traffic analysis. 
1. Visualisation gives visibility of workloads and security posture for east-west traffic within the data centre. NSX Intelligence learns every traffic flow in the environment and gives customers the visibility they have been lacking or struggling to obtain. 
2. Security policy recommendations simplify and automate the creation of NSX firewall rules, groups and services based on the traffic flows observed by the distributed analytics engine. 
3. Network traffic analysis protects against known threats and supports segmentation through the network. It provides proactive and behavioural security controls that use all of the context available in NSX to report potential issues and threats in the environment.
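The two steps described above, collapsing raw flow observations into unique flows at the source and turning observed flows into firewall rule recommendations between workload groups, can be modelled in a few dozen lines. The following is an added example written for this page, not VMware code and not the NSX Intelligence API: the flow record layout, the IP-to-group mapping and the service names are assumptions constructed for the demonstration.

```python
"""Flow deduplication and micro-segmentation rule recommendation.

Added example (not VMware code): models, in plain Python, (1) collapsing raw
flow observations into unique flows at the source and (2) turning the unique
flows into allow-list rules between workload groups, plus a default deny.
The record format, group tags and service names are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry: (timestamp, src_ip, dst_ip, dst_port, proto, bytes)
RAW_FLOWS = [
    (100, "10.0.1.10", "10.0.2.20", 443, "TCP", 1200),
    (101, "10.0.1.10", "10.0.2.20", 443, "TCP", 800),    # same flow, later observation
    (102, "10.0.1.11", "10.0.2.20", 443, "TCP", 500),
    (103, "10.0.2.20", "10.0.3.30", 5432, "TCP", 9000),
    (104, "10.0.2.21", "10.0.3.30", 5432, "TCP", 7000),
    (105, "10.0.1.10", "10.0.3.30", 5432, "TCP", 300),   # web tier talking straight to DB
]

# Assumed inventory: workload IP -> security group tag (constructed for the demo;
# in a real deployment this would come from the platform's inventory and tags).
GROUP_OF = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app", "10.0.2.21": "app",
    "10.0.3.30": "db",
}
SERVICE_NAME = {("TCP", 443): "HTTPS", ("TCP", 5432): "PostgreSQL"}


@dataclass
class UniqueFlow:
    src: str
    dst: str
    port: int
    proto: str
    hits: int = 0
    bytes: int = 0
    first_seen: int = 0
    last_seen: int = 0


def dedupe_flows(raw):
    """Collapse observations sharing (src, dst, port, proto) into one record.

    Keeps hit counts, byte totals and first/last seen, which is what a
    time-series flow store needs; the raw stream never leaves the source.
    """
    table = {}
    for ts, src, dst, port, proto, nbytes in raw:
        key = (src, dst, port, proto)
        f = table.get(key)
        if f is None:
            f = table[key] = UniqueFlow(src, dst, port, proto, first_seen=ts)
        f.hits += 1
        f.bytes += nbytes
        f.last_seen = max(f.last_seen, ts)
    return list(table.values())


def recommend_rules(flows, group_of, min_hits=1):
    """Group unique flows by (source group, destination group) and emit one
    allow rule per pair listing the services seen. IPs with no group tag land
    in "unclassified" so they are visible rather than silently dropped.
    A default deny closes the rule set.
    """
    services = defaultdict(set)
    for f in flows:
        if f.hits < min_hits:
            continue
        sg = group_of.get(f.src, "unclassified")
        dg = group_of.get(f.dst, "unclassified")
        services[(sg, dg)].add(SERVICE_NAME.get((f.proto, f.port), f"{f.proto}/{f.port}"))
    rules = [
        {"source": sg, "destination": dg, "services": sorted(svcs), "action": "ALLOW"}
        for (sg, dg), svcs in sorted(services.items())
    ]
    rules.append({"source": "any", "destination": "any", "services": ["any"], "action": "DROP"})
    return rules


if __name__ == "__main__":
    unique = dedupe_flows(RAW_FLOWS)
    print(f"{len(RAW_FLOWS)} observations -> {len(unique)} unique flows")
    for rule in recommend_rules(unique, GROUP_OF):
        print(rule)
```

The sample deliberately contains a web-to-db flow on PostgreSQL. A recommendation engine of this kind will propose an allow rule for whatever it observed, so the recommended set must be reviewed against the intended application architecture before it is published to the firewall; a flow that should not exist becomes a permanent hole otherwise.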

## Common security use cases
VMware NSX Intelligence provides advanced analytics and security capabilities for VMware NSX environments. Here are some common use cases for NSX Intelligence:

1. **Threat Detection and Mitigation**:
   - NSX Intelligence utilizes advanced analytics and machine learning to detect anomalous behavior and potential security threats within the NSX environment. It continuously monitors network traffic, identifies suspicious activities, and provides real-time alerts to security teams.
   - Security teams can leverage NSX Intelligence to detect and mitigate various types of threats, including malware infections, data exfiltration attempts, and lateral movement by attackers.

2. **Policy Enforcement and Compliance**:
   - NSX Intelligence helps organizations enforce security policies and compliance requirements by providing granular visibility into network traffic and application behavior. Security policies can be defined based on application context, user identity, and other factors, ensuring that only authorized traffic is allowed.
   - Recommended policies are published to the NSX distributed firewall, which enforces them in line, so malicious or unauthorised traffic can be blocked and compromised workloads isolated without deploying agents. This helps organizations maintain compliance with industry regulations and security standards.

3. **Micro-Segmentation and Zero Trust Security**:
   - NSX Intelligence enables organizations to implement micro-segmentation and zero trust security models by creating security policies based on application awareness and workload context. This approach allows organizations to segment their network into smaller, isolated zones and restrict lateral movement between workloads.
   - By leveraging NSX Intelligence's visibility and analytics capabilities, organizations can gain insights into application dependencies and communication patterns, making it easier to define and enforce micro-segmentation policies effectively.

4. **Advanced Threat Prevention**:
   - NSX Intelligence complements the IDS/IPS built into the NSX data path and integrates with third-party security solutions, such as endpoint antivirus and security information and event management (SIEM) platforms, to enhance threat prevention capabilities. It can correlate security events from multiple sources, identify emerging threats, and take automated actions to mitigate risks.
   - NSX Intelligence enables organizations to implement a defense-in-depth strategy by combining network-based threat detection with endpoint security controls, reducing the likelihood of successful cyberattacks.

5. **Traffic Visibility and Forensics**:
   - NSX Intelligence provides detailed visibility into network traffic, including application-level insights, flow telemetry, and historical data. Security teams can use this information for forensic analysis, incident response, and troubleshooting purposes.
   - NSX Intelligence's traffic visibility capabilities enable security teams to identify security incidents quickly, investigate the root cause of incidents, and take appropriate remediation actions to contain and mitigate the impact of security breaches.
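The threat detection and forensics use cases above both come down to comparing recent flows against the stored history. The following added example, written for this page and not VMware code, runs three such behavioural checks over constructed unique-flow records: workload-group pairs and services never seen in the baseline window, one source fanning out to many destinations on a single port (lateral movement or scanning), and an outbound byte volume far above a source's baseline (possible exfiltration). The group mapping, thresholds and flow records are all assumptions.

```python
"""Behavioural checks over historical flow records.

Added example, not VMware code: given a baseline window of unique flows
(what a multi-day flow history provides) and a recent window, flag
  (a) group pairs/services never seen in the baseline,
  (b) a source fanning out to many destinations on one port,
  (c) outbound volume far above that source's baseline.
Thresholds, the group mapping and all flow records are constructed for the demo.
"""
from collections import defaultdict

# Assumed inventory: workload IP -> group tag (constructed).
GROUP_OF = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db", "10.0.3.31": "db", "10.0.3.32": "db",
}

# Unique flows as (src, dst, dst_port, proto, bytes). Constructed sample data.
BASELINE = [
    ("10.0.1.10", "10.0.2.20", 443, "TCP", 50000),
    ("10.0.1.11", "10.0.2.20", 443, "TCP", 40000),
    ("10.0.2.20", "10.0.3.30", 5432, "TCP", 200000),
]
RECENT = [
    ("10.0.1.10", "10.0.2.20", 443, "TCP", 48000),      # normal
    ("10.0.2.20", "10.0.3.30", 5432, "TCP", 210000),    # normal
    ("10.0.1.11", "10.0.3.30", 22, "TCP", 3000),        # web -> db over SSH: new pair
    ("10.0.1.11", "10.0.3.31", 22, "TCP", 3000),
    ("10.0.1.11", "10.0.3.32", 22, "TCP", 3000),        # same source, three DB hosts on 22
    ("10.0.1.11", "203.0.113.9", 443, "TCP", 900000),   # large push to an external address
]


def flow_key(flow, group_of):
    """Abstract a flow to (src group, dst group, proto, port); IPs outside the
    inventory are labelled "external"."""
    src, dst, port, proto, _ = flow
    return (group_of.get(src, "external"), group_of.get(dst, "external"), proto, port)


def new_pairs(baseline, recent, group_of):
    """Group/service combinations present in the recent window but absent from
    the baseline: the first thing to review after a segmentation policy is live."""
    known = {flow_key(f, group_of) for f in baseline}
    return sorted({flow_key(f, group_of) for f in recent} - known)


def fan_out(flows, min_targets=3):
    """Sources that contacted at least min_targets distinct destinations on the
    same proto/port, a common lateral-movement or scanning signature."""
    targets = defaultdict(set)
    for src, dst, port, proto, _ in flows:
        targets[(src, proto, port)].add(dst)
    return sorted(
        (src, proto, port, len(dsts))
        for (src, proto, port), dsts in targets.items()
        if len(dsts) >= min_targets
    )


def volume_spikes(baseline, recent, factor=5):
    """Sources whose recent outbound bytes exceed `factor` times their baseline
    outbound bytes (sources absent from the baseline are compared against 1)."""
    base, cur = defaultdict(int), defaultdict(int)
    for src, _, _, _, nbytes in baseline:
        base[src] += nbytes
    for src, _, _, _, nbytes in recent:
        cur[src] += nbytes
    return sorted(
        (src, base[src], cur[src]) for src in cur if cur[src] > factor * max(base[src], 1)
    )


if __name__ == "__main__":
    print("new pairs:    ", new_pairs(BASELINE, RECENT, GROUP_OF))
    print("fan-out:      ", fan_out(RECENT))
    print("volume spikes:", volume_spikes(BASELINE, RECENT))
```

All three checks depend on the baseline being clean: if the attacker's traffic was already present when the history was collected, it is "known" and will not be flagged, so the baseline window should be reviewed with the same care as a recommended rule set.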

Overall, VMware NSX Intelligence empowers organizations to strengthen their security posture, improve threat detection and response capabilities, and enhance compliance with regulatory requirements in virtualized and cloud environments. By leveraging advanced analytics, automation, and integration with existing security tools, NSX Intelligence helps organizations address evolving cybersecurity challenges and protect critical assets from advanced threats.