Identify abnormal application behavior with VMware AppDefense
VMware AppDefense is an endpoint security tool that relies on security automation to determine the intended state of a VM and to analyze and identify unusual application behavior.
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
Step 2 of 2:
more pressing issues.
Many businesses find that the number of workloads and applications in their data center far exceeds the amount that a security administrator can manage manually. Data centers have numerous components that require protection; networking equipment, IT appliances, applications, OSes, hypervisors, and even baseband management controls in servers can all be compromised.
Traditional security methods, such as using antimalware applications that rely on signatures or behavioral heuristics, have been largely unsuccessful because malware can adapt to antimalware and find ways to work around it.
VMware's solution to this problem is to use the hypervisor to make sure nothing untoward is going on inside a VM. The hypervisor sits on a separate trust domain than the application or OS it operates on, so it's less likely that the malware it's attempting to detect will compromise it.
AppDefense is a security automation tool that analyzes workloads and applications to identify unusual behavior. The concept of intended state, which defines normal workload or application behavior, is core to AppDefense. AppDefense uses the intended state engine (ISE) appliance to automate the process of determining the intended state of a VM.
Identify abnormal workload and application behavior
VMware AppDefense uses the ISE to communicate with vCenter to get an inventory of all the VMs inside the data center. The ISE also communicates with configuration management systems and application automation frameworks, which include products such as Puppet, Ansible and vRealize Automation. This capability enables AppDefense to gather information about applications and packages that were configured to be deployed into a given VM, and it provides insight into the intended configuration of those applications and their underlying OSes.
AppDefense also uses an observer built into the ESXi hypervisor to monitor VMs. This observer looks for processes that the ISE's other state collection methods did not identify. The observer feeds data into a machine learning algorithm in VMware's cloud. When used together, ISE and the observer create a baseline for the VM or collection of VMs that operate as a single unit.
AppDefense integrates with the hypervisor, NSX and vSphere to isolate questionable workloads and, if so configured, to tear those workloads down and instantiate them. ESXi enables AppDefense to perform basic tasks, such as snapshotting, cloning, terminating or instantiating a VM. NSX enables AppDefense to quarantine a VM, block network ports or redirect data flows through configured network services.
Speed up the profiling process
Another important component of AppDefense is application profiles, which VMware calls scopes.
Most IT professionals learned the importance of baselining early in their careers; we've used profiling for everything from monitoring a workload's resource usage to designing network security defenses. The problem with profiling is that it is a difficult, miserable, lengthy and highly manual process. The tools to create workload baselines automatically are expensive at best and spectacularly unhelpful at worst.
To properly profile a workload's network communications, the vSphere administrator needs to be able to categorize and monitor all the traffic coming into or out of a given workload. To monitor a workload's resource usage, the user either has to control the hardware itself or rely on resource usage the OS reports.
AppDefense simplifies this process by using ESXi as the hardware and NSX as the networking layer, giving the administrator total control. In conjunction with an OS agent, AppDefense can build a highly accurate baseline for any workload.
Find AppDefense's place in the ecosystem
If profiling workloads is the hard part, integrating AppDefense with the various ecosystem applications is the tedious bit. AppDefense needs to be able to read information from -- and, on occasion, issue commands to -- configuration management services, network function providers, security information and event management packages, and managed security service providers.
VMware and application vendors must manually build each integration between AppDefense and a third-party offering. There is no standard for information interchange in this market. As a result, AppDefense's support for the various services organizations use to monitor, manage and respond to security threats can limit its usefulness.
Drawbacks to AppDefense
Although AppDefense uses a guest agent on each VM to collect info on running processes, it doesn't learn the state of all of those processes. Instead, it focuses on the ones that make network connections.
There are some caveats to be aware of with AppDefense. VMware can't possibly support everything out of the box, and so it has made some choices on what to support first.
From a purely functional standpoint, although AppDefense uses a guest agent on each VM to collect info on running processes, it doesn't learn the state of all of those processes. Instead, it focuses on the ones that make network connections.
Similarly, AppDefense only works with Windows Server 2012 and later, which leaves out a large number of workloads still running on older versions of Windows. AppDefense also did not launch with a Linux guest agent.
Use automation to your advantage
The ultimate goal of AppDefense is to automate incident response. The response varies depending on the organization's goals, capabilities and the design of their workloads. In many cases, it isn't enough to be able to spot a misbehaving workload and replace it with a clean version of the workload because, although it's ideal for business continuity, it doesn't prevent recurrence.
Operations teams focus on uptime, but security teams might want to do more careful analysis. In some cases, they'll simply want to clone workloads for analysis. In others, they may want to redirect network traffic through various scanners and sniffers, or even move the workload into a honey pot environment to see what it does.
Monitor apps with network management tools
To take full advantage of AppDefense, an organization must first pursue composable infrastructure. Composable workloads store data in a permanent data store, such as a database or files. This data storage is attached to the composable workload similar to how application storage is attached to a VDI instance.
With AppDefense, the user can separate from the data upon which they act, which makes it possible to recompose workloads that misbehave or to completely reinstantiate them at the first sign of trouble. You can decouple compromised workloads from production data sets and instead feed them dummy data while still operating in a heavily monitored infrastructure.
This approach enables security teams to profile compromised workload and application behavior and determine how best to handle it. This isn't possible for pet workloads that contain the OS, applications, configuration and data all in a single VM.
AppDefense is a useful security automation tool, but it's only one aspect of a solid security system. Modern IT security requires a combination of configuration management, infrastructure automation and automated incident response tools, such as AppDefense. These are all important parts of next-generation composable infrastructure, which is, ultimately, the best defense against malware.
