VMware has acquired Lastline, a network detection and response (NDR) vendor. Combined with endpoint detection and response (EDR) technology via its acquisition of Carbon Black in August 2019, VMware is pursuing an XDR offering to compete with Palo Alto Networks and Trend Micro.
VMware adds NDR to existing EDR offering
VMware made its name and fortune by enabling server virtualization in its customers’ data centers. The virtualization maven makes no secret of its ambition to be a major player in cloud security now that virtual machines are migrating out of on-premises data centers and into infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) environments.
Now, VMware's Lastline acquisition is part of an even broader strategy to provide threat detection and response across enterprises' evolving hybrid infrastructures.
Buying well-known and well-established cybersecurity vendor Carbon Black last year took VMware squarely into the forefront of the EDR market. However, from day one, the plan has been to drive Carbon Black technology into cloud workloads. This means extending it to offer cloud detection and response (CDR) – a term coined by Omdia and now gaining currency in the market – to provide comprehensive threat detection and response capabilities across the enterprise cloud estate.
Lastline had long been known primarily as a dynamic malware analysis (sandboxing) vendor; its technology is employed by numerous OEM technology partners. More recently, the vendor has pushed into NDR, combining what it describes as lightweight network sensors with an on-premises or cloud-delivered analysis back end for detecting malicious and anomalous activity. Its Lastline Defender NDR solution combines network traffic analysis, intrusion detection and prevention, and curated threat intelligence. The vendor claims Defender has had strong competitive win rates against traditional IPS offerings, due to its easier deployment and fewer alerts, and hence less "noise" for SOC analysts.
NDR is often considered synonymous with network traffic analysis (NTA), but Lastline, like Omdia, considers them different: NTA is a subset of NDR functionality. NTA emerged earlier to meet the needs of network performance monitoring; NDR took NTA, applied it to the security paradigm, and added a response capability for that purpose.
A hybrid cloud view of XDR
Omdia has long argued that at least the three core pillars – endpoint, network, and cloud – must be present for a vendor's XDR platform to be deemed comprehensive and positioned to address the bulk of its customers’ detection and response requirements. Carbon Black provided VMware with the endpoint capability, and its NSX-T and vRealize Network Insight solutions serve as foundational elements for delivering threat detection and response in cloud environments. Lastline's NDR solution offers VMware the third pillar to round out its XDR solution.
Other vendors with an XDR offering, or at least talking about their technology in these terms, include Trend Micro, Palo Alto Networks, Stellar Cyber, and LogRhythm. Indeed, Trend goes even further by adding a fourth focus within XDR, namely email.
There is, of course, still work to be done by VMware in crafting such an offering. Lastline and Carbon Black will need to sing in harmony, so to speak: their alerts must adopt a common format so that they can be handled on a single dashboard and provide an enterprise-wide view of threats across a modern corporate infrastructure, not to mention further integration with VMware's various hybrid cloud data center solutions.
Just as critically, VMware’s eventual XDR offering will need the ability to span the newer workload formats beyond VMs. Containers, and beyond them the serverless/function-as-a-service ways of packaging application code, present their own security challenges. While an increasing amount of the security for these workloads will need to sit in the development pipeline (the so-called “shift left” trend), there will still be a role for detection and response.
Rik Turner, Principal Analyst, Cybersecurity
Eric Parizo, Senior Analyst, Cybersecurity Accelerator