We caught up with Giovanni Vigna, Senior Director of Threat Intelligence at VMware's Networking and Security business unit, during his recent trip to the VMware Italy offices. He has lived and worked in the United States for twenty years.
In addition to his role at VMware, Vigna is the Director of the NSF AI Institute for Agent-based Cyber Threat Intelligence and Operation (ACTION) and Professor of Computer Science at the University of California, Santa Barbara, and does research and development on security technologies, focusing on malware analysis, web security, vulnerability assessment, and intrusion detection.
In 2011, he co-founded the cybersecurity company Lastline, which was acquired by VMware two years ago.
We met him during his visit to our VMware Milan offices and took the opportunity to have a chat.
Question: What is the reason for your visit to Italy?
Italy is my home country and I always gladly return. This trip was an opportunity to meet some clients and hear directly from them how they perceive the market, particularly in light of the international economic situation and the complex political events we are experiencing. It was an opportunity to talk about security, its level of adoption, and the needs that Italian organizations express. I also had the opportunity to meet the people who work at VMware Italy. It is always important and useful to exchange opinions and share knowledge and insights.
Q: What are the main threats and challenges in cybersecurity that organizations and individuals face today and how have they evolved over the past few years?
Threats are constantly evolving and come in a wide variety, as single attackers, organized groups, and nation-states coexist. The single attacker is the hacker, just as we imagine them, but then there was an initial evolution with the formation of organized groups that often cooperate with each other. The final evolution was reached with nation-states attacking in an organized manner to obtain intelligence information.
Given the complex nature of the scenario, it is of utmost importance to develop a comprehensive threat model that takes into account the data being safeguarded within an organization. This will help identify potential attackers more effectively. Indeed, protection measures must always be matched to the specific attacker they are intended to counter. For example, an organization may have an intrusion detection system that uses basic signatures, but if it wants to detect sophisticated attacks it will need anomaly detection, a machine learning system that creates a baseline of the network to be protected and identifies new anomalies that were not previously identified. Therefore, we can say that the threat landscape has evolved and protection measures must evolve accordingly.
Q: With large-scale cyberattacks and sensitive data breaches on the rise, what are the key measures and strategies that companies and users can take to effectively protect themselves? How can VMware support companies in this goal?
There are two key aspects to consider. The first relates to user education. An organization may have the most sophisticated protection systems, but if users are not properly educated to adopt behaviors in line with the corporate mission and with security, such solutions can become useless.
The second aspect concerns the adoption of an integrated system. For example, VMware provides a threat monitoring and detection system for both the network and programs. Through a network sandbox, program behaviors can be extracted and correlated with the network, providing a single interface, a single pane, where all security-related aspects (EDR, NDR, XDR) can be presented to the user organically and in an integrated way. This is important because it can be difficult to piece everything together when a user has to use different tools to examine different aspects of the same problem. The attack itself is one, but evidence of the attack can be scattered, and if that evidence is not linked together, important components and variables of the threat in action can be missed.
Q: Technology is advancing rapidly, with Artificial Intelligence playing an increasingly crucial role. What are the impacts of these technologies on the cybersecurity field, and what new challenges are emerging because of these developments?
Artificial intelligence solves two fundamental problems: scale and speed of response. Artificial intelligence replicates human behaviors that relate to protecting a network. The fundamental problem is that we do not have enough people and experts who can effectively respond to these continuous attacks by cyber criminals of different levels, and especially do so quickly enough to prevent disastrous consequences. Consequently, artificial intelligence represents a tool to "capture" the human intelligence of the expert and apply it quickly and on a large scale.
Recently, generative AI (generative artificial intelligence) techniques have been developed that use so-called large language models (LLMs), such as ChatGPT, to generate interactions with humans that are easier to handle. There is a problem of a semantic gap between what is shown to the user in terms of detected events and what those events actually reveal about the underlying problem. The promise of these chatbots and LLMs is precisely to capture the correlation between these very abstract events and the actual effect on the network. At the moment, we are still in the early days of these kinds of technologies and have observed some initial developments by large international players. VMware is also working to use these technologies to provide a better service to users, one that can contextualize attacks, explain their effects, and suggest the steps needed to successfully remedy the situation.
Q: What do you miss most about Italy?
Quality ricotta and mozzarella – I can't find them in the United States!