This blog will be part of a series where we start off with a basic re-introduction of VMware AppDefense and then progressively get into integrations, best practices, mitigating attacks and anomaly detection with vSphere Platinum, vRealize Log Insight, AppDefense and NSX Data Center.

VMware’s core principles for cyber hygiene

Before we get into the meat of things, let’s level-set on a few core principles of what VMware believes to be appropriate cyber hygiene. (Read the full cyber hygiene white paper)

  1. Follow a least privileged model
    • The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. For example, a user account created for pulling records from a database doesn’t need admin rights, while a programmer whose main function is updating lines of legacy code doesn’t need access to financial records. The principle of least privilege can also be referred to as the principle of minimal privilege (POMP) or the principle of least authority (POLA). Following the principle of least privilege is considered a best practice in information security.
    • The least privilege model works by allowing only enough access to perform the required job. In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application. Implementing this methodology helps contain compromises to their area of origin, stopping them from spreading to the system at large.
  2. Zero Trust Micro-segmentation of applications and network
    • The Zero Trust model of “never trust, always verify” is designed to address multiple threats within the network and application tiers by leveraging micro-segmentation and granular perimeter enforcement, as well as application enforcement, based on user, data, behavior and location, which VMware refers to as known good. Lateral movement, for example, describes the different techniques that attackers use to move through a network in search of valuable assets and data within the data center. With micro-segmentation, businesses can define sub-perimeters within their organization’s networks using a specific set of rules for each, leveraging the context around user, application traffic direction, etc. These rules are designed to identify the spread of an attack within an organization and stop unrestricted lateral movement, command and control communications, and data exfiltration throughout the network and application. Remember, the point of infiltration of an attack is often not the target location, which is why stopping lateral movement is so important. For example, if an attacker infiltrates an endpoint, they may still need to move laterally throughout the environment to reach the data center where the targeted content resides, or if credential phishing is successfully used, those credentials should be authenticated against the database to reach the location of the data an attacker is seeking to extract.

What is AppDefense?

As we are aware, security is on everyone’s mind nowadays, and two of the biggest goals are least privilege and zero trust, where people, processes, and software only get the privileges they need to do their job. AppDefense, part of vSphere Platinum, is part of VMware’s evolving intrinsic security story.

AppDefense is a cloud-based security product that provides foundational security for data center endpoints and applications.

The core of AppDefense focuses on protecting applications that are running in virtualized or cloud environments. It creates a least privileged environment on the compute stack. It uses the hypervisor to introspect the guest VM application behavior and enforces the model of least privilege. It watches the running processes and makes sure they continue to run as they were initially intended to run. AppDefense is part of our least privilege / zero trust story, focusing on compute isolation / segmentation. Combined, AppDefense, NSX Data Center and our newest vSphere addition (vSphere Platinum) assist in visibility of process and network behavior, limiting lateral movement by ensuring known good, enforcing micro-segmentation rules by allowing the application to talk only to what it needs to, and mitigating dwell time from an attacker perspective. This provides application visibility and isolation for the VI admin, the security operations center and the security architect.

In essence, AppDefense provides four basic functions:

  1. Application control: AppDefense implements application control by first assigning virtual machines to a scope and a service. A scope is the representation of an application. A scope is made up of multiple services. A service represents an application tier. All VMs within a service are expected to be homogeneous and have the exact same allowed behavior/rules. Scopes and their services are the foundational components that establish the intended state (allowed behaviors) of an application or virtual machine (VM) in the data center. Scopes can also be integrated and dynamically created from automation tool integrations such as Puppet, vRealize Automation, etc.
  2. Process analysis: Once AppDefense has established the known state and allowed behaviors for the application, AppDefense verifies the learned behavior as ‘known good’ with VMware’s Application Cloud verification engine and cloud-based reputation feeds.
  3. Anomaly detection: After creating the intended state, AppDefense monitors for deviations to that state, alerting and preventing anomalies that could be attacks on the environment. Examples include unknown process execution, unknown command line arguments, unknown network connections or open ports.
  4. Response and remediation: When anomalous events are seen and the application’s behavior deviates from the known state, AppDefense responds to potential threats by triggering a response. The response is configurable, with responses ranging from a simple alert, to isolating the VM, to shutting it down completely. AppDefense includes an orchestration capability that can remediate threats in real time with no administrator oversight.

Built in to the infrastructure (intrinsic), AppDefense ensures that applications are behaving only as intended, monitoring and preventing unknown behavior that could potentially be attacks on the environment. It uses machine learning and reputation data to discern what is normal and good; it can then take a remediation action or alert on unknown and potentially malicious behavior in ways traditional security technologies such as antivirus could never do. It leverages some unique advantages of the virtualization layer to enforce least privilege security, application control and visibility while providing system integrity validation and dynamic response capability through the infrastructure. Unlike traditional application control solutions, AppDefense analyzes every deviation so that it only sends alerts that matter to the security team and/or security operations center. AppDefense is simple and easy to deploy within your infrastructure, leveraging existing lifecycle management workflows, resulting in a true agentless experience. It flips the protection model around. Instead of chasing an always-incomplete list of unknown or malicious behavior, AppDefense allows the intended behavior we want and takes a remediation action on everything else.
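The allow-list model behind these four functions, as a minimal added sketch (not VMware's code and not the AppDefense API or data model): the `Service` structure, the deviation and response names, and all sample hosts, paths and events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Service:  # one application tier; every member VM shares the same rules
    name: str
    vms: set
    processes: dict = field(default_factory=dict)   # path -> allowed command lines
    connections: set = field(default_factory=set)   # (path, remote host, port)

def check(scope, vm, event):
    """Return None when the event matches the intended state, else the deviation."""
    svc = next((s for s in scope if vm in s.vms), None)
    if svc is None:
        return "vm not in scope"
    cmdlines = svc.processes.get(event["process"])
    if cmdlines is None:
        return "unknown process"
    if event["cmdline"] not in cmdlines:
        return "unknown command line"
    remote = event.get("remote")
    if remote and (event["process"], *remote) not in svc.connections:
        return "unknown network connection"
    return None

def evaluate(scope, events, policy):
    """Default deny: anything outside the allowed behavior gets the configured response."""
    findings = []
    for vm, event in events:
        deviation = check(scope, vm, event)
        if deviation:
            findings.append((vm, deviation, policy.get(deviation, "alert")))
    return findings

# Constructed sample data: a two-tier scope, a response policy and observed events.
NGINX, PG = "/usr/sbin/nginx", "/usr/bin/postgres"
SCOPE = [  # a scope is the list of services that make up one application
    Service("web", {"web-01", "web-02"}, {NGINX: {"nginx -g daemon off;"}},
            {(NGINX, "db-01", 5432)}),
    Service("db", {"db-01"}, {PG: {"postgres -D /var/lib/pgsql/data"}}),
]
POLICY = {"unknown process": "block", "unknown network connection": "block",
          "unknown command line": "alert"}
EVENTS = [
    ("web-01", {"process": NGINX, "cmdline": "nginx -g daemon off;", "remote": ("db-01", 5432)}),
    ("web-02", {"process": "/bin/sh", "cmdline": "sh -c id"}),
    ("web-01", {"process": NGINX, "cmdline": "nginx -c /tmp/alt.conf"}),
    ("web-01", {"process": NGINX, "cmdline": "nginx -g daemon off;", "remote": ("203.0.113.7", 443)}),
    ("db-01", {"process": PG, "cmdline": "postgres -D /var/lib/pgsql/data"}),
]

if __name__ == "__main__":
    for finding in evaluate(SCOPE, EVENTS, POLICY):
        print(finding)
```

Because the rules hang off the service rather than the VM, `web-01` and `web-02` are judged against the same intended state, which is why the text expects VMs within a service to be homogeneous.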

Combining AppDefense with NSX Data Center is even more powerful

NSX Data Center allows organizations to implement micro-segmentation into the environment at the hypervisor level so that only network resources that need access will gain access to certain resources in the environment. AppDefense provides not only deep visibility into applications and network behavior at the guest OS, but it works in conjunction with NSX Data Center to generate firewall rules as well as quarantine and block unknown or malicious behavior at the network level (adaptive). This is important for preventing attacks and intrusions. Not only do they ensure that there is a very tight & accurate set of firewall rules around your systems, but they also limit an attacker’s ability to move laterally in your organization, where they can attack other systems once they’ve established a foothold on one system.

AppDefense blocks an attacker’s ability to establish a foothold, and NSX Data Center ensures that the affected server is isolated correctly. Ultimately AppDefense builds on the security foundation of NSX Data Center.

AppDefense advancements, improvements, and integrations

Once AppDefense is in protect mode it proactively takes the security posture of micro-segmentation one step further and provides the functionality to secure the endpoint if any unknown behavior makes it through the network defenses. AppDefense automatically triggers responses from a configurable set of automatic remediation policies. The automatic responses can include:

  • Blocking process and network communication
  • Snapshotting a VM for forensic analysis
  • Suspending or shutting down a VM if malicious software is detected
  • Alerting of any anomalous behavior / deviation from known behavior

The latest release of AppDefense introduces a completely new plugin for vSphere 6.7u1 (Platinum).

Plugin Dashboard
The Plugin Dashboard delivers aggregated security metrics, visibility, and health statistics for applications and workloads running on vSphere. Users can drill into individual behaviors and reputation scores, leading to deeper visibility in the VM Monitor page. This high-level summary provides focused, at-a-glance statistics and a starting place for additional discovery.

Lifecycle Management
AppDefense announces one-click, integrated installation and upgrade workflows for AppDefense directly within vCenter. Users can now get a full report of their protection status, deploy AppDefense modules into entire clusters with a single click, and schedule regular upgrades, all while leveraging familiar workflows. Managing AppDefense components in this way greatly increases ease of operation for IT admins.

VM Monitoring
This release delivers a new virtual machine monitor tab that provides VM-specific behavior monitoring for visibility, security assessment, and troubleshooting directly within vCenter. Integrating this capability in vCenter enables IT admins to play pivotal roles in the protection of their organizations’ apps and data.

Connectivity Modes
The AppDefense Plugin can operate in three different connectivity modes: Online, Offline, and SaaS. Offline mode requires no internet connectivity and provides a basic visibility-only view of your environment. Online mode adds security feeds from the AppDefense Service. SaaS mode (recommended) provides the full AppDefense feature set. Select the connectivity mode that meets your compliance requirements. For more information, go to AppDefense Appliance Connectivity Modes.

Scope Level Dashboard
With this release, AppDefense has introduced the newly designed scope level dashboard, providing a real-time snapshot of your application scopes. The visual information lets you see the protection status of your applications, quickly understand whether there are any behaviors that need addressing, and review an overview of the security validation checks that AppDefense has performed. It simplifies application-specific summaries into the following 4 sections:

  • Process burn down chart: The process summary info in a graphical representation
  • Process reputation: Summary of the process reputation information from various sources
  • Behavior risk analysis: Behavior risk analysis summary based on machine learning
  • Integrity check status: Integrity status summary to show the overall health of the org

Adaptive Allowed Behavior
AppDefense has added the ability to adjust allowed behavior automatically by adapting to security events that have been classified as normal by the AppDefense Verification Engine. This ability to automatically de-classify alerts and dynamically adjust the allowed behavior tremendously reduces ongoing operational tasks and improves operational efficiency.

Monitoring Events
AppDefense adds Monitoring Event support to distinguish observed deviations from malicious behaviors, which are categorized as critical alerts. Monitoring Events are classified by the AppDefense Verification Engine into three severities: Serious, Minor, and Info. Separating Monitoring Events further increases operational efficiency by allowing customers to focus on the alerts that matter the most.

Usage Counters Improvement
This release also improves usability by adding the following usage counters:

  • Allowed Behavior count for each service
  • Connection Count for each process

With these usage counters, users can easily evaluate the health of the application and have a glance at how many allowed behaviors and connections are protected and monitored by AppDefense.

As you can see, we have made major advancements as well as vast improvements and integrations within the last year, and there is way more to come. In the next post we will be getting into visibility, setting up scopes and services, as well as basic remediations. Stay tuned…

Want to see adaptive micro-segmentation in action?

We showcased how adaptive micro-segmentation stops a live attack at VMworld 2018 in Las Vegas, NV. Make sure you check out these sessions:

To read more about how customers are doing adaptive micro-segmentation today, check out this case study.
