VMware announced its new AppDefense service at the 2017 VMworld conference, aiming to simplify security in their virtualized environments. VMware AppDefense is a datacenter endpoint security product that was created to protect any applications running in virtualized environments. It functions by understanding how the application is supposed to work, monitoring for any changes to that intended state that could signal a breach of security, then automatically responding. Unlike most other antimalware programs, AppDefense is focused on whether the app that is running is operating as intended. VMware defines this as “ensuring good” vs. “chasing bad” on datacenter endpoints.
AppDefense has been in the works for two years, moving the focus of security from servers and infrastructure to applications and data. Tom Corn, senior vice president of security products at VMware, told TechRepublic that “the idea stems from one central question: ‘Can you look at the infrastructure through the lens of the application — what you’re really trying to protect?’ ”
Of course, businesses are even more invested in their security today, as there is a seemingly never-ending barrage of malware ready to infect their machines. Because of this, tech companies like VMware are working on new products to reduce the threats customers have to face.
AppDefense was launched in the wake of a steady increase in damaging cybersecurity threats, such as the WannaCry ransomware attacks that threatened hundreds of thousands of computers, including those at large corporations.
VMware AppDefense features
Although VMware says AppDefense produces few alerts, it does provide application-centric alerting to the Security Operations Center (SOC) for the cases where an alert is warranted.
According to VMware’s site, the infrequent but important alerts that AppDefense generates, along with its automatic response system, “allow the SOC to focus on catching and eradicating threats from their environment, rather than sifting through noisy data and investigating threats that aren’t there.”
AppDefense also helps security teams avoid being left out of the loop, or learning about a new application too late, by creating a “common source of truth between application teams and the security teams.” This helps make applications more security-ready through better communication and readiness reviews.
One of the service’s main selling points is that it can understand the intended state of the application from inside the vSphere hypervisor, knowing how the datacenter endpoints are meant to behave. This intelligence gives VMware AppDefense immediate knowledge of changes, helping it determine which changes are threats.
AppDefense also has automatic responses using vSphere and VMware NSX, including the ability to block process communication, suspend or shut down the endpoint, and snapshot an endpoint for forensic analysis.
Of course, it wouldn’t be a great addition to security if AppDefense itself were compromised. However, AppDefense is installed in the vSphere hypervisor, so it can continually monitor datacenter endpoints while remaining in an isolated, protected environment.
How does VMware AppDefense work?
While VMware already has multiple security features built into its products, AppDefense is made specifically to help secure its virtual machines. It accomplishes this by first understanding the provisioned state and run state of any applications. It then works to discover what the intended behavior or purpose of these apps is, according to Corn.
The idea behind this is that if the security model can properly predict the expected behavior of an application, it can then better pinpoint any threats and “shrink the attack surface.” After the intended behavior and state are discovered, AppDefense is able to better detect any unwanted behavior.
Senior principal analyst and founder of ESG’s cybersecurity service, Jon Oltsik, explained in a press release by VMware, “With this focus on intended state behavior, AppDefense offers a productive alternative to traditional application and endpoint security.”
Oltsik elaborated that VMware AppDefense “is shifting the focus from simply securing the virtual infrastructure, to using vSphere capabilities as creative enhancements to applications and infrastructure security.”
The possible responses vary: snapshotting the endpoint, quarantining it, reimaging it, or inserting new controls, according to Corn. Additionally, many integrations were offered with AppDefense from its launch, including IBM Security, RSA, Carbon Black, SecureWorks, and Puppet. For more information on each company’s integration, take a look at VMware’s press release.
While some people might say that AppDefense is the same as the third-party product from Bromium, the difference is that products like Bromium work alongside the VMs, whereas AppDefense resides inside them.
Machine learning technology
Essentially, AppDefense's machine learning technology helps the VM learn good behavior so it can recognize and prevent malicious attempts. After AppDefense learns how the software should behave, certain packages are allowed to run in the VM without any problem, but any software whose actions differ from what the VM has come to expect will be routed to a different VM where it can be closely monitored and secured.
Also, if the software is running very far outside the norm, it won’t be allowed to run at all. Still, users should run the app in monitoring mode for a few weeks to give it sufficient time to learn typical software behavior before they rely on it.
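To make the intended-state idea from the two sections above concrete, here is an added toy model in Python. It is not VMware’s code and does not reflect AppDefense’s actual logic, telemetry format or API; the event tuples, process names and response labels are constructed for illustration. The model has a monitoring phase that learns which actions each process performs, and a protect phase that allows exact matches, flags small deviations (a known action against a new target) for closer monitoring, and blocks events far outside the norm (an unknown process, or an action the process never performed).

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry: (process, action, target) tuples such as a
# two-tier web application VM might emit during a monitoring period.
# These values are invented for the example, not real AppDefense data.
LEARNING_EVENTS = [
    ("nginx", "exec", "/usr/sbin/nginx"),
    ("nginx", "listen", "tcp/443"),
    ("nginx", "connect", "app:8080"),
    ("app", "exec", "/usr/bin/python3"),
    ("app", "listen", "tcp/8080"),
    ("app", "connect", "db:5432"),
]


@dataclass
class IntendedState:
    """Per-process allowlist of behaviour learned while in monitoring mode.

    mode == "monitor": every observed event is recorded as intended behaviour.
    mode == "protect": events are judged against the learned baseline.
    """
    behaviours: dict = field(default_factory=lambda: defaultdict(set))
    mode: str = "monitor"

    def learn(self, process, action, target):
        """Record one (action, target) pair as intended for this process."""
        self.behaviours[process].add((action, target))

    def promote(self):
        """Leave the learning period and start enforcing the baseline."""
        self.mode = "protect"

    def classify(self, process, action, target):
        """Return (verdict, response) for a run-time event.

        allow   : exact match with the learned intended state
        monitor : known process and known action, but a new target
                  (small deviation: alert, snapshot for forensics)
        block   : unknown process, or an action the process never
                  performed (far outside the norm: stop it outright)
        """
        if self.mode == "monitor":
            self.learn(process, action, target)
            return ("allow", "none")
        known = self.behaviours.get(process)
        if not known:
            # A process that never appeared during learning.
            return ("block", "suspend-endpoint+snapshot")
        if (action, target) in known:
            return ("allow", "none")
        if any(a == action for a, _ in known):
            # Same kind of activity, unfamiliar peer or path.
            return ("monitor", "alert-soc+snapshot")
        # The process has never performed this class of action.
        return ("block", "block-process+snapshot")


def build_baseline(events=LEARNING_EVENTS):
    """Run the constructed learning events through monitoring mode, then promote."""
    state = IntendedState()
    for process, action, target in events:
        state.classify(process, action, target)
    state.promote()
    return state


def evaluate(state, events):
    """Classify a batch of run-time events; returns a list of verdict strings."""
    return [state.classify(p, a, t)[0] for p, a, t in events]


if __name__ == "__main__":
    baseline = build_baseline()
    # Constructed run-time events: one expected, one small deviation,
    # one novel action, one unknown process.
    runtime = [
        ("nginx", "connect", "app:8080"),
        ("app", "connect", "203.0.113.9:4444"),
        ("app", "write", "/etc/crontab"),
        ("unknown-bin", "connect", "198.51.100.7:3333"),
    ]
    for event, verdict in zip(runtime, evaluate(baseline, runtime)):
        print(f"{verdict:8s} {event}")
```

The verdict tiers mirror the article's description: exact matches run untouched, a modest deviation is routed for closer monitoring rather than killed, and behaviour with no precedent in the learning period is not allowed to run. In practice the learning set would be drawn from weeks of real telemetry, which is why the article's advice to run in monitoring mode first matters: a baseline collected over too short a window will produce "monitor" and "block" verdicts for legitimate but rare activity.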
Corn explains that, simply, VMware would like to accomplish for compute what microsegmentation did for the network. “To be able to say,” he explains, “for a given application, these are the things that should be able to happen and nothing else.”
While it hasn't been out long, early adopters seem happy. Director of infrastructure and head of security at the Interfaith Medical Center, Christopher Frenz, told Fortune that he “is pleased with what he saw in testing AppDefense” because he “set up a web server intentionally with known vulnerabilities and watched this software stop them.”
Using VMware AppDefense alongside the existing features in its NSX networking and VSAN data storage products should greatly help increase VM security. Essentially, you can’t rely on AppDefense alone, but it’s a new and important player in the fight for security. Only time will tell for certain whether it accurately prevents malware and attacks.