In extending the Vectra cybersecurity platform to enterprise data centers and public clouds, we wanted to do more than simply port the existing product into a virtualized environment. So, Vectra security researchers, data scientists, and developers started with a fresh sheet of paper to address the real-world challenges and threats that are unique to the enterprise data centers and clouds.
First, it was important to remember that the data center can be both integrally connected, yet in some ways separated from the physical enterprise. For example, attacks can spread from the campus environment to the data center environment, and security teams absolutely need to know how these events are connected. On the other hand, 80% of data center traffic never leaves the data center, making it invisible to traditional security controls.
Vectra addresses both of these realities, by building a unified approach to cyber security that integrates native visibility of the virtual data center environment with our more traditional visibility into campus and remote office environments. Vectra virtual sensors can attach to vSwitches to reveal attack behaviors between virtual workloads. Integration with VMware vCenter also provides a top-down overview of the environment and can alert staff anytime a virtual asset is not being monitored by Vectra.
When looking at the state of security in the data center, it was clear that most of the industry’s focus has been around things like segmentation and policy control within the virtual environment. Such control is important, but policy enforcement is not the same as detecting active cyber attacks.
The high value of data centers means that they will attract some of the most advanced attackers, and their position within the enterprise means that attacks may be relatively mature by the time they reach the data center. For example, an attacker may initially compromise an employee laptop at the perimeter, spread internally, gain administrative credentials, and only then move against the data center. It was clear we needed to prepare for advanced attackers operating at an advanced stage of attack.
To this end, we developed new detection models that detect the most advanced attack strategies and address the entire attack surface of the data center. For example, we quickly recognized that some of the most advanced adversaries were not trying to compromise the virtual environment, but instead, were focused on subverting the physical infrastructure that the virtual data center depends on. For instance, if an attacker can plant a backdoor below the operating system of a server and read the physical disk, then he can see any data he wants.
To this end we developed new detection models to reveal subverted infrastructure both within the data center as well as in the campus environment. This can reveal sub-OS rootkits such as Synful Knock that have been seen in networking infrastructure, backdoors in firewalls such as those revealed in the recent Equation Group breach, or the abuse of low-level management protocols such as IPMI that are used to manage servers within the data center.
Next, we turned our attention to the human element of trust in the data center. Administrators are the key to keeping a healthy and reliable data center, but they are also prime targets for attackers. With this release Vectra introduces new detection models to reveal signs of compromised or rogue administrators as well as end-users who may be abusing administrative credentials.
This truly just begins to scratch the surface of what the solution can do, so we encourage you to download the white paper "Securing the cloud data center from cyberattacks"or reach out to learn how you can test the solution in your network.
Wade Williamson is a cybersecurity writer, product manager and marketer. Wade held a position as director of product marketing at Vectra with previous experience as a security researcher at Shape Security. Prior to Shape Security, he was a senior security analyst at Palo Alto Networks.