VMware’s security biz CTO on how cybersecurity must change

For enterprises, cyberattacks have advanced to the point that it is a matter of “when”, not “if”, especially since the start of the pandemic. Manufacturing bore the brunt of such malicious efforts in 2021, with Asia seeing more cyberattacks than any other region during that time.

In the era of working from home post-COVID, what can organisations do to protect themselves?

To dig deeper on this concern, Frontier Enterprise talked with Scott Lundgren, Chief Technology Officer at VMware’s Security Business Unit, about better ways to secure an organisation, how cybercriminals have evolved, modernising legacy applications, and more.

What’s the difference between the visibility across workloads, devices, users, and networks that VMware promises, versus the observability from traffic monitoring solutions – especially as both are said to lead to better cloud security?

Today’s threat landscape requires visibility beyond what’s happening at the endpoint and the perimeter. For example, how does a user interact with an application and how does that application interact with the infrastructure? The goal of today’s attacker is not just to get in – it’s to get in and stay in. That’s why lateral security is the new battleground and one that’s a major focus for us at VMware.

How is the use of virtual machines to modernise legacy apps different from updating legacy apps through containers? Which approach is more effective in this age of distributed workforces?

Scott Lundgren, Chief Technology Officer, VMware’s Security Business Unit. Image courtesy of VMware’s Security Business Unit.

VMs have and will continue to play a role in migrating legacy applications to the cloud and hybrid environments. Containers, on the other hand, lend themselves to modern practices and use cases, such as CI/CD (continuous integration and continuous delivery) in agile and DevOps environments. Both are important.

When it comes to securing applications, the concept of protecting the inner workings of a legacy application that is predominantly VM-based and the inner workings of a modern application that is predominantly Kubernetes-based is the same, but the insertion mechanisms are different.

In the age of the anywhere workforce, companies are embracing a cloud operating model to take advantage of a powerful combination of operational efficiency and better security. As an industry with an opportunity to lead the transition to the cloud operating model, we must think differently about how we instrument VMs and how we instrument containers so that we can protect all applications from within.

Traditional enterprise security seems to be less effective since the start of COVID as ransomware and cyberattacks are occurring more frequently. Why do you think that is?

Cybercriminals are moving beyond malicious downloads, email links, social network messages, and websites to deploy ransomware, launch destructive attacks, and increase their dwell time within an environment. This has all contributed to rendering traditional enterprise security approaches less effective.

Organisations now need to have a defence-in-depth approach, which involves deploying multiple layers of defence across endpoints and public and private clouds to better secure an organisation. Defence-in-depth strategies include endpoint detection and response (EDR), inspecting east-west internal traffic, and maintaining consistent patch management.

For enterprises, what is the best way forward if they’ve already been attacked by a ransomware intrusion? How do you see the ransomware threat evolve in the long term?

Organisations must operate under the assumption that they will, at some point, be hit by ransomware. When that happens, it’s not just about recovering, detecting, and protecting data, but also about the ability to ensure business continuity with minimal data loss or disruption.

Following a ransomware attack, organisations should immediately implement a patch management strategy that can ensure important patch updates are continuously deployed. Once patching fundamentals have been established, the organisation needs to have a clear line of sight into their environment. You can’t stop what you can’t see, so visibility is a key aspect of maintaining business continuity following a ransomware attack.

Given the increase in cyberattacks, especially during the onset of the pandemic, how can enterprises once again make prevention a viable IT and business strategy moving forward?

Most of today’s cyberattacks feature advanced tactics such as lateral movement and island hopping that target legitimate tools to inflict damage. While it’s impossible to achieve 100% prevention, organisations should follow a defence-in-depth approach and focus on preventing attackers from abusing legitimate tools.

One of the key components of defence in depth is EDR, which provides added support to the SOC (security operations centre) team by combining sophisticated detection with threat intelligence, automated watchlists, and integration to help scale threat hunting across the enterprise.

What are some of the most exciting tech developments that VMware Carbon Black is working on? What other emerging technologies do you plan to adopt?

Broadly, our security strategy at VMware focuses on three areas: multi-cloud security, modern app security, and anywhere workspace security. We see the opportunity to stitch all these together to have the ability to look across both the network and the endpoint, and that is essentially the principle behind what the security industry has framed as extended detection and response (XDR).

We’re focused on building on XDR by providing network and endpoint telemetry that we correlate, enabling us to provide customers with meaningful data across their environment. Modern enterprises are well positioned to adopt and integrate XDR solutions, especially with the increasing trends of working from home and bringing your own device, heightening the risk of cyberattacks.
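The idea running through the answers above (inspect east-west traffic, keep EDR on the endpoints, and let an XDR layer correlate the two) can be made concrete with a small detection join. The following is an added example written for this article, not VMware or Carbon Black code; the telemetry is constructed, and the host names, port list and admin-tool list are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): EDR-style process starts and
# east-west flow records, the two feeds the interview says XDR should correlate.
ENDPOINT_EVENTS = [  # (host, time, process, parent, user)
    ("ws-01",  "2021-06-01T10:00:05", "powershell.exe", "outlook.exe",  "alice"),
    ("srv-db", "2021-06-01T10:00:40", "cmd.exe",        "services.exe", "SYSTEM"),
    ("srv-db", "2021-06-01T11:30:00", "sqlservr.exe",   "services.exe", "svc_sql"),
    ("ws-03",  "2021-06-01T12:00:00", "cmd.exe",        "explorer.exe", "bob"),
]
NETWORK_FLOWS = [  # (time, src_host, dst_host, dst_port)
    ("2021-06-01T10:00:12", "ws-01", "srv-db", 445),   # SMB right after PowerShell on ws-01
    ("2021-06-01T10:30:00", "ws-02", "srv-db", 1433),  # ordinary DB query, not a remote-admin port
    ("2021-06-01T12:00:10", "ws-03", "srv-fs", 3389),  # RDP, but nothing new spawned on srv-fs
]

# Assumed lists for the example: ports used by remote-admin protocols, and
# built-in tools that attackers commonly abuse ("legitimate tools" above).
LATERAL_PORTS = {445: "SMB", 135: "RPC", 3389: "RDP", 5985: "WinRM", 22: "SSH"}
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "psexec.exe"}

def _ts(s):
    return datetime.fromisoformat(s)

def correlate(events=ENDPOINT_EVENTS, flows=NETWORK_FLOWS, window_s=60):
    """Flag a flow as a lateral-movement candidate only when all three sides agree:
    an admin tool started on the source host shortly before the flow, the flow
    uses a remote-admin port, and an admin tool appeared on the destination host
    shortly after. Each feed alone is noisy; the cross-feed join is the signal."""
    window = timedelta(seconds=window_s)
    alerts = []
    for ftime, src, dst, port in flows:
        if port not in LATERAL_PORTS:
            continue
        t = _ts(ftime)
        before = [e for e in events if e[0] == src and e[2] in ADMIN_TOOLS
                  and t - window <= _ts(e[1]) <= t]
        after = [e for e in events if e[0] == dst and e[2] in ADMIN_TOOLS
                 and t <= _ts(e[1]) <= t + window]
        if before and after:
            alerts.append({"src": src, "dst": dst, "protocol": LATERAL_PORTS[port],
                           "src_process": before[0][2], "src_user": before[0][4],
                           "dst_process": after[0][2], "dst_user": after[0][4]})
    return alerts

if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

On the constructed data only the ws-01 to srv-db SMB hop is flagged: the 1433 flow is not on a remote-admin port, and the RDP flow has no matching process start on its destination, so neither feed on its own would have produced the alert.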