
How AI detects and mitigates cyber attacks in software-defined data centers

Chris Morales
June 23, 2017

Earlier this month Vectra announced plans to leverage the capabilities of VMware NSX to accelerate the detection and mitigation of hidden cyber attackers in virtualized data centers.

Vectra currently applies artificial intelligence to automatically detect attacker behaviors inside virtualized data centers. Vectra also integrates with endpoint and network response tools to automate the workflow.

Automating network response directly into VMware is a logical next step. Through this automation, VMware NSX micro-segmentation and adaptive security-policy capabilities enable customers to close the gap between detection and mitigation. This dramatically reduces the time to mitigation and, with it, attacker dwell time.

Why is this important?

According to the 2017 M-Trends report, the time from initial compromise to when an attack is discovered is 99 days, during which time cybercriminals have free rein to spy, spread and steal key assets in data centers.

This is because data centers lack internal security controls and network visibility. It’s an ideal environment where attackers can go unnoticed for months. Consequently, reducing dwell time is critical to minimizing damage and data loss.

Attackers may initially compromise an employee laptop via a phishing email or social engineering, then establish persistence inside the network by spreading from the initial victim to other hosts or devices.

To control the ongoing threat, attackers will plant backdoors or hidden tunnels to communicate from inside the network, map out the internal network, identify valuable resources, and compromise devices and user credentials along the way.

The most coveted asset is administrator credentials to the data center, which enable attackers to access enterprise data. Administrative protocols also give attackers backdoor access to the data center without having to exploit an application vulnerability.

Using standard administrative tools such as SSH, telnet or RDP, attackers will easily blend in with normal administrative traffic and use their position of trust to access, steal and damage critical assets.

What you don’t see can hurt you

It’s interesting to note that 80% of data center traffic never leaves the data center, which makes it invisible to traditional network security controls. The fact that data center servers are virtualized makes things even worse.

Here’s why. Visibility into the physical network is lost for virtual machine-to-virtual machine communication on the same physical hardware. The traffic between virtual workloads also represents a dangerous blind spot.

The combined outcome of all this is that cyber attackers have too much time to steal and damage key assets in the data center. We need to reduce that window of time as quickly as possible.

Visibility, intelligence and automation are essential to reducing attacker dwell time in the data center. And this should include context about what is happening and the precise, swift actions to take.

How does it work?

The Vectra and VMware partnership aligns artificial intelligence-based threat detection with real-time enforcement down to the individual virtual machine. It will provide mutual customers with increased visibility and automated threat mitigation, orchestrated through Vectra Active Enforcement.

First, with network visibility across the data center, Vectra automates the detection of hidden attack behaviors. Once a threat reaches a configurable threshold, Vectra turns the detection into action by integrating with the VMware NSX adaptive security policy-enforcement framework. The NSX security policy is automatically adjusted to block the malicious traffic, modify the security policy applied to the workload, or quarantine the compromised host.

Want to know more?

Vectra and VMware are hosting a joint webinar on June 28, 2017 at 9:30 a.m. Join us to learn more about how this works. We hope to see you there!

About the author

Chris Morales

Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.
