Endpoint Security Innovations in 2022

Endpoint Protection and XDR

December 9, 2022

As we look back on 2022 it is amazing just how much we have accomplished in terms of new product and feature launches over just 12 short months. Our dedicated Engineering and Product Management teams have listened to you and introduced many innovations to make your lives more secure. 

We’re proud of this great work and want to take the opportunity to review everything we have brought to you in 2022. 

Endpoint Protection and XDR

Extended Detection and Response (XDR)

We launched VMware Carbon Black XDR in November at our Barcelona VMware Explore Customer Conference. XDR greatly enhances lateral security by leveraging telemetry within VMware Contexa, a full-fidelity threat intelligence capability that observes the breadth of VMware’s network, endpoint, and user technologies. Security teams can use Carbon Black XDR to quickly identify threats across their environment and make better-informed decisions in applying prevention policies that leave attackers nowhere to hide. If you are interested in gaining early visibility into the benefits associated with Carbon Black XDR, please consider registering for our Early Access Program. For more information, read the announcement, “VMware unveils Carbon Black XDR to help Enterprises strengthen lateral security”, and blogs “Putting people first in Modernized SOC: XDR and the Analyst Experience” and “Setting the record straight on XDR at VMware Explore Europe”.  

Platform and Integrations

FedRAMP

In July, VMware Carbon Black Cloud on AWS GovCloud (US) achieved FedRAMP High authorization. This authorization underscores VMware Carbon Black Cloud’s ability to prevent, detect, and respond to threats on endpoints and server workloads from a single console for improved visibility and simplified operations. The FedRAMP High designation solidifies VMware Carbon Black Cloud’s position as a trusted security platform helping the US government protect its most critical assets. For more information, read the press release and the blog post “Empowering the Public Sector: VMware Carbon Black Cloud Achieves FedRAMP High Authorization”.

ServiceNow Apps 

VMware Carbon Black’s latest integrations combine our industry-leading endpoint telemetry and response actions with ServiceNow’s solutions for IT and Security teams to accelerate cross-functional workflows through automation. IT and Security teams can leverage Carbon Black Cloud telemetry and endpoint response actions from within their ServiceNow console and workflows, streamlining hand-offs between analysts and standardizing common workflows. 

Host-Based Firewall 

VMware Carbon Black Cloud Host-based Firewall enables security teams to further consolidate their security stack by integrating firewall management capabilities directly into their endpoint and workload protection platform. By including HBFW capabilities in the Carbon Black Cloud platform, SOCs can leverage a single platform for multiple use cases, increasing their overall efficiency and reducing the resources needed to run their SOC. Although currently only available through the Early Access Program, Host-based Firewall will launch in early 2023. 


Figure 1. Host-based Firewall provides the ability to create a prioritized list of rules and rule groups that will trigger alerts or response actions based on the network behavior of an application. 

Endpoint Protection

Audit and Remediation Differential Analysis API 

Customers are now able to perform differential analysis on their Audit & Remediation queries, which lets them quickly see what changed between two runs of the same query. We now offer more targeted queries that return more useful data with richer context.

For more information, check out the Announcement Blog. 
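The differential analysis described above compares the result set of one query run with the result set of a later run and reports what appeared, disappeared or changed in between. The script below is an added illustration of that comparison in plain Python; it is not VMware's code and does not call the Carbon Black Cloud API. The "listening ports" query, the device names and the row values are constructed sample data, and the choice of `device` and `port` as the identifying columns is an assumption made for the example.

```python
"""Differential analysis of two runs of the same endpoint query.

Added illustration, not VMware's code and not the Carbon Black Cloud API:
it takes the rows returned by two runs of a query and reports which rows
appeared, disappeared or changed in between. Rows are identified by the
columns that name an item (here: device and port); every other column is
compared as a value.
"""
from typing import Dict, Iterable, List, Sequence, Tuple

Row = Dict[str, str]
Key = Tuple[str, ...]

# Constructed sample output of a hypothetical "listening ports" query, run twice.
RUN_1: List[Row] = [
    {"device": "WS-01", "port": "445", "proto": "tcp", "process": "System"},
    {"device": "WS-01", "port": "3389", "proto": "tcp", "process": "svchost.exe"},
    {"device": "WS-02", "port": "445", "proto": "tcp", "process": "System"},
    {"device": "WS-03", "port": "8080", "proto": "tcp", "process": "devserver.exe"},
]
RUN_2: List[Row] = [
    {"device": "WS-01", "port": "445", "proto": "tcp", "process": "System"},
    {"device": "WS-01", "port": "3389", "proto": "tcp", "process": "helper.exe"},   # owning process changed
    {"device": "WS-02", "port": "445", "proto": "tcp", "process": "System"},
    {"device": "WS-02", "port": "5555", "proto": "tcp", "process": "updater.exe"},  # new listener
    # WS-03:8080 is no longer listening, so it shows up as removed
]


def index_rows(rows: Iterable[Row], key_cols: Sequence[str]) -> Dict[Key, Row]:
    """Index rows by their identifying columns; refuse keys that are not unique."""
    indexed: Dict[Key, Row] = {}
    for row in rows:
        key = tuple(row[c] for c in key_cols)
        if key in indexed:
            raise ValueError(f"duplicate key {key}: key columns do not identify a unique row")
        indexed[key] = row
    return indexed


def diff_runs(before: Iterable[Row], after: Iterable[Row], key_cols: Sequence[str]) -> Dict[str, list]:
    """Return the rows added, removed and changed between two runs of a query."""
    old = index_rows(before, key_cols)
    new = index_rows(after, key_cols)
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    changed: List[dict] = []
    for k in sorted(old.keys() & new.keys()):
        cols = set(old[k]) | set(new[k])
        # Record only the columns whose value differs, as (old, new) pairs.
        deltas = {c: (old[k].get(c), new[k].get(c)) for c in sorted(cols)
                  if old[k].get(c) != new[k].get(c)}
        if deltas:
            changed.append({"key": dict(zip(key_cols, k)), "changes": deltas})
    return {"added": added, "removed": removed, "changed": changed}


def summarize(diff: Dict[str, list], key_cols: Sequence[str]) -> List[str]:
    """Render the diff as one line per finding, suitable for a ticket or alert body."""
    lines: List[str] = []
    for row in diff["added"]:
        lines.append("ADDED   " + "/".join(row[c] for c in key_cols))
    for row in diff["removed"]:
        lines.append("REMOVED " + "/".join(row[c] for c in key_cols))
    for item in diff["changed"]:
        ident = "/".join(item["key"][c] for c in key_cols)
        detail = ", ".join(f"{c}: {o!r} -> {n!r}" for c, (o, n) in item["changes"].items())
        lines.append(f"CHANGED {ident} ({detail})")
    return lines


if __name__ == "__main__":
    key_cols = ("device", "port")
    for line in summarize(diff_runs(RUN_1, RUN_2, key_cols), key_cols):
        print(line)
```

The identifying columns matter: keying on `device` alone would make every device's rows collide, which is why `index_rows` refuses duplicate keys instead of silently keeping the last row. A new listener on a workstation, or a known port now owned by a different process, is exactly the kind of change between runs that the feature is meant to surface for review.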

Recommended Query Refresh 

The VMware Carbon Black team has completed a refresh of the Audit & Remediation Recommended Query collection. All queries were reviewed for ways to improve and refine the data sets returned. The updated collection provides more targeted queries that return more useful data with richer context. In addition to this refresh, our expert team has reviewed the queries submitted to the Query Exchange and has vetted and added several of these queries to the CBC Console. These queries include submissions made by the VMware Carbon Black team, and queries submitted by customers. 

For more information on this release, read the User Exchange Announcement.  

Dismiss Vulnerabilities  

Customers that have Vulnerability Management can now dismiss vulnerabilities so that they no longer appear in their console. This enables users to customize their visibility into the vulnerabilities in their environment. Vulnerabilities can be dismissed and tagged with a variety of reasons, including “Under Resolution” or “Non-critical Asset.” Visibility into dismissed vulnerabilities can be restored at any time. 

For more information on this release, read the User Exchange Announcement. 

App Control

We achieved Common Criteria Certification in the Spring. The certification provides assurance that the specification, implementation and evaluation of a computer security product have been conducted in a rigorous, standard and repeatable manner, at a level commensurate with the target environment of use. Common Criteria maintains a list of certified products, including operating systems, access control systems, databases, and key management systems. This certification assures our Government customers that we meet the rigorous standards they need.

In October we launched the Content-based Inspection feature, which lets administrators use the open source Yara engine to write their own Yara rules and so gain more granular control over their security policy. Users will see a new tab within Software Rules called Yara. This tab lists the existing internal App Control Yara rules and offers an “Add Yara Rule” button for creating rules to use in conjunction with Custom rules.


Figure 2. Content-based inspection leverages Yara Rules to provide more granularity in creating security policies.

We have also enabled functionality on App Control that supports VMware vSphere: 

  • App Volumes is an application layering technology for vSphere: IT builds a drive volume containing a set of applications, and that volume is attached to a VDI desktop based on policy. App Control supports this by treating the contents of the volume as trusted and not scanning them, which improves performance.

  • Instant Clones support provides App Control functionality for vSphere VDIs. 


On-Premise EDR

On-premise EDR customers now have a containerized offering of Carbon Black EDR Server. Carbon Black EDR Server will be offered for the foreseeable future as two distinct distributions: the traditional, RPM-based distribution and the Containerized EDR Server. The container-based distribution simplifies installation and upgrade because all Carbon Black EDR Server components and dependencies are packaged into a single container image. It also gives you far more flexibility in choosing the operating system (OS) on which you host Carbon Black EDR Server.

Microsoft Active Directory (AD) Integration provides simplified, centralized management of Carbon Black EDR user authorization, authentication, team memberships, and feature-level enhanced permissions for customers who use Microsoft Active Directory. 
 
Customers can exclude the collection of one or more event types on a per-process basis with our Windows Event Collection Exclusions capability. This feature allows customers to balance visibility with endpoint and network performance considerations, and to reduce noise created by normal process behavior.  


Figure 3. The Windows event collection exclusions are saved and displayed in the panel as shown above. You can edit or delete any exclusion.

Authors

  • Elizabeth Schultheisz, Product Line Manager at VMware Carbon Black
  • Kellie Regan, Manager, Product Marketing, VMware Carbon Black
