
VMware Project Cypress – AI Assistant for Network Vulnerabilities Detection and Resolution

  • April 16, 2024
  • 10 min read
Virtualization Architect. Alex is a certified VMware vExpert and the Founder of VMC, a company focused on virtualization, and the CEO of Nova Games, a mobile game publisher.

Last year, at the Explore 2023 conference, VMware announced a very interesting product, Project Cypress (now delivered through VMware's Intelligent Assist capabilities). It integrates generative AI into VMware's security products and acts as a co-pilot for investigating information security incidents.

VMware recently demonstrated the product in action; the walkthrough below follows that demo.

Security Operations Center (SOC) analysts play a key role in protecting an organization's digital assets and data. They must monitor, investigate, and respond to information security threats every day, and in doing so they face the following challenges:

  • Expanding cyber threat landscape: the ever-evolving threat landscape produces a constant influx of increasingly sophisticated attacks. Analysts are often overwhelmed by the sheer volume of notifications and incidents and need additional help.
  • Alert fatigue: a large flow of notifications with a high share of false positives is now common. An AI co-pilot with machine learning capabilities can help filter and prioritize notifications, reducing fatigue and improving overall efficiency.
  • Response time: a quick response to security incidents is critical. AI can help here by promptly suggesting the immediate actions needed to contain a threat.
  • Lack of qualified analysts: this remains a major problem, especially in mid-sized companies. Automation tools are therefore needed to lower the level of expertise required of staff.

VMware's generative AI, delivered as a chatbot, is designed to make the Security Operations Center more efficient. Its job is to analyze current security-event notifications related to the networking of the virtual data center. VMware has three goals here:

  • Help the customer's SOC analysts make better initial assessments of emerging security threats that have been identified by technical means.
  • Give analysts more context about detected threats: how the infrastructure is functioning and how it is affected.
  • Offer quick response actions that analysts can take directly from the Project Cypress console window.

If you look at the VMware NSX console in terms of detected threats and the actions to eliminate them, you will see a great many campaigns and notifications, which makes it easy to lose track. This is where the trained generative AI comes in: it is meant to interpret these notifications, place them in the context of your infrastructure, and know how the threats can be remediated.

Let's activate Project Cypress and see it in action. You will see that it reduces all those warnings to just a few dialogs, in which you can talk to the AI as you would with a professional virtualization and information security administrator.

VMware NSX console: detected threats and actions to eliminate them

According to VMware's internal testing, customers have seen significant reductions in threat response time with the generative AI. The number of notifications drops several-fold right away, and only the notifications you actually need to act on now are displayed:

NSX console after Project Cypress has filtered the notifications

Some campaigns are grouped together because they look alike. You can see recurring threats grouped, with the MITRE ATT&CK matrix entries associated with each group.

MITRE ATT&CK framework matrix associated with each group.


You can now go to Project Cypress and pose a question or ask for an action to be taken. For example, you can ask something like: “Can you explain this campaign to me? What’s going on there?”

Project Cypress and pose a question or ask for an action to be taken

So here we see a suspicious event: scheduled tasks being run, followed by command-and-control (C2) traffic, and then data exfiltration (the unauthorized transfer of data outside the environment). Taken together, this looks like CryptoWall, a ransomware family that encrypts the data on disk and then displays a message telling the victim how much to pay, and where, to obtain the decryption key.

You can ask the generative AI how this attack could have happened and what its consequences would be:

Ask the generative AI how this attack could have happened and what its consequences would be

You can also ask Cypress to show you options to correct this situation and eliminate the threat:

Ask Cypress to show you options to correct this situation and eliminate the threat

Note that Cypress not only lists what can be done but also gives its recommendation for this particular case: isolate the virtual machine from the network and deal with it separately. Alternatively, you can choose to block only this suspicious type of traffic.

If you choose to block only this type of traffic, you are presented with IDS signatures that you can immediately apply to this workload:

Presented with IDS signatures that you can immediately apply to this workload
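As an added illustration (this is not Project Cypress or NSX code, and not the article author's), the following Python script does in miniature the three things the walkthrough above describes: it collapses repeated alerts per workload into one campaign, maps each signature family to a MITRE ATT&CK tactic and technique, and flags the scheduled-task -> C2 -> exfiltration sequence as CryptoWall-like. For the "block only this type of traffic" option it then emits Suricata-style drop rules scoped to the offending destinations, so the rest of the VM's traffic keeps flowing. The alert line format, the ATTACK_MAP table, the technique IDs, and the sample alerts are all constructed for the example; real NSX alert and signature formats differ.

```python
"""Correlate per-VM network alerts into campaigns, map them to MITRE ATT&CK,
flag the execution -> C2 -> exfiltration chain, and emit narrow drop rules.

Added illustration for this article; not Project Cypress or NSX code.
The alert format, ATTACK_MAP, technique IDs and sample alerts are constructed."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import re

# Hypothetical mapping from alert signature family to ATT&CK (tactic, technique).
ATTACK_MAP = {
    "scheduled_task": ("Execution", "T1053"),
    "c2_beacon": ("Command and Control", "T1071"),
    "exfil_over_c2": ("Exfiltration", "T1041"),
    "port_scan": ("Discovery", "T1046"),
}

# Tactics that, seen in this order on one workload, look like the CryptoWall-style
# chain from the article. Other tactics may be interleaved.
RANSOMWARE_CHAIN = ["Execution", "Command and Control", "Exfiltration"]

# Constructed sample alerts: timestamp, VM, signature family, dst IP, dst port, proto.
SAMPLE_ALERTS = """\
2024-04-10T09:00:01Z vm-web-01 scheduled_task 0.0.0.0 0 -
2024-04-10T09:00:07Z vm-web-01 c2_beacon 198.51.100.23 443 tcp
2024-04-10T09:00:37Z vm-web-01 c2_beacon 198.51.100.23 443 tcp
2024-04-10T09:01:07Z vm-web-01 c2_beacon 198.51.100.23 443 tcp
2024-04-10T09:03:50Z vm-web-01 exfil_over_c2 198.51.100.23 443 tcp
2024-04-10T09:02:00Z vm-db-02 port_scan 10.0.5.7 445 tcp
2024-04-10T09:02:01Z vm-db-02 port_scan 10.0.5.8 445 tcp
"""

# Loose syntax check for the rules we generate (Suricata "action proto src -> dst (opts;)").
SURICATA_RULE_RE = re.compile(
    r'^(alert|drop) \S+ \S+ \S+ -> \S+ \S+ \(msg:"[^"]+"; sid:\d+; rev:\d+;\)$')


@dataclass(frozen=True)
class Alert:
    ts: datetime
    vm: str
    family: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vm, fam, ip, port, proto = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        alerts.append(Alert(ts, vm, fam, ip, int(port), proto))
    return alerts


def group_campaigns(alerts):
    """One campaign per workload; identical (family, dst) alerts collapse into a
    count with their first-seen time. This is the notification reduction step."""
    campaigns = defaultdict(dict)
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.family, a.dst_ip, a.dst_port, a.proto)
        entry = campaigns[a.vm].setdefault(key, {"first": a.ts, "count": 0})
        entry["count"] += 1
    return campaigns


def attack_tactics(campaign):
    """Distinct (tactic, technique) pairs in first-seen order."""
    seen = []
    for (family, *_), _ in sorted(campaign.items(), key=lambda kv: kv[1]["first"]):
        tt = ATTACK_MAP.get(family, ("Unknown", "-"))
        if tt not in seen:
            seen.append(tt)
    return seen


def matches_chain(tactics, chain=RANSOMWARE_CHAIN):
    """True if the chain's tactics appear as an ordered subsequence."""
    i = 0
    for tactic, _ in tactics:
        if i < len(chain) and tactic == chain[i]:
            i += 1
    return i == len(chain)


def suricata_drop_rules(campaign, start_sid=1000001):
    """Drop rules for the C2/exfiltration destinations only (one per flow), leaving
    all other traffic of the VM untouched. Scheduled-task events are host-level
    and produce no network rule."""
    rules, seen_flows, sid = [], set(), start_sid
    for (family, ip, port, proto), _ in sorted(campaign.items(), key=lambda kv: kv[1]["first"]):
        tactic, tech = ATTACK_MAP.get(family, ("Unknown", "-"))
        if tactic not in ("Command and Control", "Exfiltration") or (proto, ip, port) in seen_flows:
            continue
        seen_flows.add((proto, ip, port))
        rules.append(f'drop {proto} $HOME_NET any -> {ip} {port} '
                     f'(msg:"{tech} {family}"; sid:{sid}; rev:1;)')
        sid += 1
    assert all(SURICATA_RULE_RE.match(r) for r in rules)
    return rules


def triage(text):
    """Per-VM summary: raw vs grouped alert counts, techniques, verdict, rules."""
    result = {}
    for vm, campaign in group_campaigns(parse_alerts(text)).items():
        tactics = attack_tactics(campaign)
        result[vm] = {
            "alerts": sum(e["count"] for e in campaign.values()),
            "grouped": len(campaign),
            "techniques": [t for _, t in tactics],
            "ransomware_like": matches_chain(tactics),
            "rules": suricata_drop_rules(campaign),
        }
    return result


if __name__ == "__main__":
    for vm, summary in triage(SAMPLE_ALERTS).items():
        print(vm, summary)
```

For the constructed input, vm-web-01 collapses five alerts into three groups, maps to T1053, T1071 and T1041, is flagged as ransomware-like, and gets a single drop rule for 198.51.100.23:443; vm-db-02 only shows Discovery and gets no rule. The narrow rule is the point of the "block only this traffic" option: it stops the C2 and exfiltration flows without taking the workload off the network, whereas full isolation is the safer choice when you are not sure the signatures cover everything the malware does.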

After this, the policies will be successfully applied, and you can verify this in the Security > IDS/IPS section:

Policies will be successfully applied


Conclusion

Project Cypress is an interactive, generative-AI-powered solution for finding and resolving network vulnerabilities. It filters security-incident notifications, groups them, and explains their potential impact on the infrastructure. You can keep talking to the AI until you understand exactly how to act next.

You can then apply policies, for example to stop the data exfiltration and cut off the command-and-control traffic. This happens almost instantly, taking only a few seconds. You can also keep asking the generative AI questions during the investigation of the incident and after the vulnerability is closed.

The goal of this AI workflow is to process notifications faster and give you more context about what is happening, instead of spending a lot of time hunting through consoles for settings and reading documentation.
