AppDefense by VMware: Finding the Good vs. Chasing the Bad

September 19

Why AppDefense?

Last week at VMware’s VMworld conference, VMware CEO Pat Gelsinger introduced a new security offering called AppDefense.  The security software market is already crowded and confusing, with hundreds of products from a wide range of vendors: firewalls, SIEMs, IDS/IPS, endpoint protection, HBSS, and so on.  Most of these products are designed to seek out vulnerabilities, malware, and other indicators of compromise.  In other words, they chase bad.  So why would VMware, which already offers a security platform in NSX, enter this crowded space?  The short answer is that its position in the hypervisor gives VMware an opportunity to deliver something different, and potentially more effective, than the existing solutions.

Understanding Intended State of Applications

Rather than chasing bad, AppDefense flips the problem around: it identifies the known-good state of an application and its interactions with related components, and captures that as a blueprint or manifest that declares the intended operational model.  AppDefense learns this information in a number of ways, some automated and some manual.  The known-good state goes beyond “the web tier may talk to the app tier.”  The specific process or executable that initiates each communication must be the same one that was seen during learning, and the hash of its binary must not have changed.  In addition, critical memory such as that used by the operating system kernel must remain unmodified, and the OS footprint on the guest must stay intact.  So known good goes well beyond a simple network allow list.  It can even draw on configuration management tools such as Puppet or Chef to define what a particular application server’s software manifest should be.  AppDefense will also include an iOS or Android app that alerts the application owner when a discrepancy arises; the owner can confirm or deny the change on the spot, so IT knows whether the new application state should be treated as good.  Sharing that responsibility between the application owner and IT is unique.  The key point is that AppDefense understands the application’s proper behavior, which is what lets it treat anything else as suspect.

Protect the Protector

What makes this solution unique for VMware is that AppDefense runs from the vSphere hypervisor, which is isolated from the VM workloads it protects.  This puts the protection force outside the thing being protected, in a separate security domain, so an attacker who gains control of the guest is not automatically in control of the monitor.  Once AppDefense knows what the good state should be, it monitors the application for discrepancies and automatically takes action.  In addition to the hypervisor-based code, there are updates to VMware Tools that provide deeper introspection into running applications, including their processes and communications.  These in-guest components run in a protected memory space, and tampering with them triggers an automatic disable response.  The hypervisor is therefore the trust anchor: the protection holds only as long as ESXi itself is not compromised.

Respond Automatically with Precision

When a threat is detected, AppDefense leverages vSphere and VMware NSX (if installed) to automate the appropriate response.  For example, AppDefense can block the offending process’s network communications, snapshot the endpoint VM for forensic analysis, suspend the VM, or shut it down completely.
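To make the “known good” model concrete, here is an added example of the learning-then-protect cycle described above.  This is illustration code written for this post, not VMware’s or AppDefense’s own code or data format.  The binaries, paths, hostnames and flows are constructed, and the mapping from each kind of deviation (unknown process, changed binary hash, unexpected connection) to a response action (block, snapshot, suspend) is an assumption made for the example.  In a real deployment the executable bytes would be read from the guest and the checks would be driven from the hypervisor rather than from in-process Python.

```python
import hashlib

# Constructed stand-ins for executable bytes on a web-tier guest.
# Paths, hostnames and contents are hypothetical and chosen for illustration.
BASELINE_BINARIES = {
    "/usr/sbin/nginx": b"nginx binary, version 1",
    "/usr/bin/php-fpm": b"php-fpm binary, version 1",
}

# Flows observed during the learning phase: (initiating process, destination, port).
LEARNED_FLOWS = [
    ("/usr/sbin/nginx", "app-tier", 8080),
    ("/usr/bin/php-fpm", "db-tier", 3306),
]

# Response actions as the post lists them; which deviation maps to which
# action is an assumption made for this example, not AppDefense policy.
BLOCK_FLOW, SNAPSHOT_VM, SUSPEND_VM = "block_flow", "snapshot_vm", "suspend_vm"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(binaries, flows):
    """Learning phase: record each executable's hash and the destinations it
    was observed initiating connections to.  Anything not recorded here is,
    by definition, not known good."""
    manifest = {path: {"sha256": sha256_hex(data), "allowed": set()}
                for path, data in binaries.items()}
    for path, host, port in flows:
        if path not in manifest:
            raise ValueError(f"flow from {path} but no binary recorded for it")
        manifest[path]["allowed"].add((host, port))
    return manifest


def evaluate(manifest, event):
    """Protect phase: compare one observed outbound connection with the
    manifest.  event = (process path, executable bytes, destination, port).
    Returns (verdict, action); action is None when the event is allowed."""
    path, data, host, port = event
    entry = manifest.get(path)
    if entry is None:
        # A process the blueprint has never seen (e.g. a dropped webshell).
        return "unknown_process", SUSPEND_VM
    if sha256_hex(data) != entry["sha256"]:
        # Right path, wrong bytes: the binary was replaced or patched.
        return "hash_mismatch", SNAPSHOT_VM
    if (host, port) not in entry["allowed"]:
        # Intact, known process reaching outside its declared interactions.
        return "unexpected_flow", BLOCK_FLOW
    return "allowed", None


def run_checks():
    """Run a constructed mix of normal and anomalous events through the
    manifest and return the verdicts in order."""
    manifest = build_manifest(BASELINE_BINARIES, LEARNED_FLOWS)
    nginx = BASELINE_BINARIES["/usr/sbin/nginx"]
    events = [
        # 1. normal: intact nginx talking to the app tier
        ("/usr/sbin/nginx", nginx, "app-tier", 8080),
        # 2. same intact nginx, but connecting to an outside host (exfiltration)
        ("/usr/sbin/nginx", nginx, "203.0.113.9", 443),
        # 3. nginx path, but the binary on disk has been replaced
        ("/usr/sbin/nginx", b"nginx binary, trojaned", "app-tier", 8080),
        # 4. an executable that was never part of the known-good state
        ("/tmp/.x/sh", b"reverse shell", "203.0.113.9", 4444),
    ]
    return [evaluate(manifest, e) for e in events]


if __name__ == "__main__":
    for verdict, action in run_checks():
        print(f"{verdict:16} -> {action}")
```

Note the order of the checks: identity (is this executable part of the blueprint?), then integrity (is it the same bytes?), then behavior (is this interaction declared?).  A signature-based tool would catch none of events 2 through 4 unless it already knew the specific malware; the manifest catches all three simply because they differ from what was learned.  The flip side is that the learning phase must happen on a clean system: a process or flow that an attacker already has in place when learning runs would be baked into the manifest, which is exactly why the application owner is asked to confirm or deny what was learned.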

VMware demonstrated AppDefense live on stage during VMworld, showing an attacker attempting to subvert a web application in much the same way as the attacks recently in the news.  AppDefense stopped the attacks cold without needing to track a known vulnerability or malware signature.  Instead, it detected that the application was behaving differently from its manifest and stopped the threat before it could do damage.  VMware also reported that internal testing against the recent WannaCry ransomware showed the attack being mitigated.

VMware intends to sell AppDefense on a subscription basis at $500 per CPU per year.  The implementation has three parts: cloud-based components that aggregate and learn from customers’ anonymized known-good configurations to aid in the setup phase; ESXi host-based components; and an in-guest agent, installed alongside VMware Tools (and likely to be folded into VMware Tools soon), that must be present on every guest to detect change and protect applications and data.

Have questions about how VMware AppDefense can be used in your IT environment? Reach out to an August Schell specialist, or call us at (301)-838-9470.