Ensuring Good with VMware AppDefense

co-author Geoff Wilmington

Traditional data center endpoint security products focus on detecting and responding to known bad behavior. There are hundreds of millions of disparate malware attacks, with over a million getting added every day.  In addition, there is the threat of zero-day attacks exploiting previously unknown vulnerabilities. It becomes a never-ending race to “chase bad” without ever staying ahead of the threat landscape.  What if we took an opposite approach to security?  What if, instead of  “chasing bad” we started by “ensuring good”?

VMware AppDefense is a new security product focused on helping customers build a compute least privilege security model for data center endpoints and provide automated threat detection, response, and remediation to security events. AppDefense is focused on “ensuring good” versus “chasing bad” on data center endpoints.  When we focus our attention on what a workload is supposed to be doing, our lens for seeing malicious activity is much more focused and as a result, we narrow the exploitable attack surface of the workload down to what we know about.

Changing The Way We Secure Compute

AppDefense applies the concept of “ensuring good” by using three main techniques:

Capture

AppDefense starts by capturing the intended state of an application and using machine learning to gather information about the runtime state of the application to get a full picture of the infrastructure.  AppDefense utilizes the unique properties of virtualization to provide enhanced application visibility.  The vSphere hypervisor can see both the intended state and the runtime state of a deployed application.

• Intended State – The purpose of an application and function it should perform.
  • Example –
    • A Web Server runs web services, or a Database Server runs database services.
    • The Web Server may have been built using vRealize Automation, Ansible, Puppet, or Chef.
    • The Web Server may have packages deployed from Maven or Jenkins.
  • Runtime State – An application placed into service will run the intended services and process and may require other processes and communications it needs to be fully functional.
    • Example –
      • A Web Server talking to an Application Intelligence Server or a Database Server.
      • The Web Server may also require services such as NTP, DNS, LDAP, etc. These processes and communications are identified as part of the running state once the machine is active and performing operations.

All of this information is collected into the manifest file and stored in a protected space in the vSphere hypervisor to be monitored against, prevent tampering, and alert on unexpected/unintended changes automatically.

Detect

AppDefense uses the unique virtualization property of strong isolation, utilizing the privileged position of the hypervisor to provide the best context for detecting anomalies.

Typical host-based security approaches fall into two traditional methods:

• Host-based Security –
  • Pro – Typically implemented with an in-guest agent, so context about what it’s protecting is exceptional.
  • Con – Typically implemented as an in-guest agent which is susceptible to being disabled as it runs in the same user space as most attacks.

The biggest pro about typical host-based security is its biggest con.  Attackers eventually start to attack the security software itself to disable it.  Since security software typically runs within the same trust domain as the attacker, there’s little it can do to protect the system and provide isolation.

• Hardware-based Security –
  • Pro – A networked piece of hardware that provides great isolation since it’s not typically in direct contact with the guest. This means it upholds is own trust domain which would have to be compromised in addition to the guest.  Two points of attack the attacker would have to pursue to be successful.
  • Con – A networked piece of hardware generally has no context of the guest and what’s going on. These systems would have to reverse engineer and spend heavy compute cycles to get context.  Most times, it’s guessing what to do.

Hardware-based security can provide great isolation.  It also provides an additional attack surface in which an attacker would possibly have to compromise to be successful.  The problem with hardware is the lack of context.  Most times they block or allow with no idea what the traffic is.  Next Generation Firewalls can provide benefits into context, but only on the wire and not without heavy computation engines to perform the tasks.

AppDefense resides in the hypervisor, which is a separate trust domain and has the ability to provide both context about the application and isolation as well.  The hypervisor has visibility into the guest from a privileged position while still maintaining disparate trust boundaries.

Respond

AppDefense uses the unique virtualization property of automation to provide automated responses to alerts that are triggered.  Virtualized infrastructure is fully capable of being automated.  It’s built entirely on software.  This means AppDefense can leverage the same properties we find with virtual machines, such as power off, suspend, and snapshot, for remediation tactics for malicious activity.

Traditional security tools require manual remediation for most tasks.  An administrator has to perform some action against the alert found.  This can delay and cause even wider damage to the infrastructure while waiting on a response.  AppDefense can take immediate action, based on a pre-defined security policy for any anomalies with confidence an anomaly is representative of malicious activity.

AppDefense Architecture

The AppDefense architecture is simple and has many integration points for optional configuration and automation engines to connect with it.

• AppDefense Manager – This is a multi-tenant, secured SaaS deployment engine that provisions the tenant Appliances for Management of the AppDefense components.
• On-Premises AppDefense Appliance – An OVF deployed virtual appliance that connects to vCenter and any other optional components for configuration and policy synchronization between the AppDefense Manager and on-premises components.
• vCenter Server – The vCenter Server that manages the hosts and clusters that applications run on which AppDefense will protect. This integration provides the API interface for AppDefense to connect to, to provide automated remediation’s using vCenter actions such as snapshot, poweroff, suspend.
• AppDefense Host Module – A software Virtual Installation Bundle deployed to all vSphere hosts AppDefense will protect. This module provides the trusted isolation within the hypervisor to store the manifests of context of the protected applications for AppDefense to monitor against.
• AppDefense Guest Module – The in-guest software module that communicates with the AppDefense Host Module to monitor the kernel integrity of the guest.
• NSX Manager (Optional) – The NSX Manager is an optional component used by AppDefense through API integrations to create a quarantine security policy within the NSX Manager. AppDefense leverages NSX security tags to provide automated remediation to quarantine an application based on AppDefense remediations.
• vRealize Automation (Optional) – Integrated with vRealize Orchestrator with connections to vRealize Automation, a tagging option can be placed on the applications in the machine blueprint to automatically place a new application into AppDefense scope.

AppDefense Supported Deployments

AppDefense currently supports following platforms:

AppDefense Requirements

Below are the initial minimum requirements for AppDefense:

AppDefense Functions

Using the unique properties of virtualization, AppDefense uses the capture, detect, and respond techniques to provide functionality the security administrator can use to capture known good configurations for functional allowlisting, detect anomalies against this known good configuration, and provide automated remediation of anomaly based malicious activity.  Let’s further review how AppDefense uses these techniques.

Capture and Building Application Scope

AppDefense begins by building a scope for an application.  A scope consists of the services and virtual machines that an application is made up of.  Once identified, AppDefense starts the capture process and gathers information on the behaviors of services and virtual machines.  As AppDefense undergoes the capture process, the administrator can see all of the behaviors that have been captured, down to the process level. This information is used to build a allowlist of the expected behaviors of the application to capture the runtime state of the application.  Once the capture process is complete, the administrator places AppDefense into “Verify and Protect” mode.  AppDefense now knows about all of the process and behaviors of the application and begins to monitor and protect against anomalies or deviations from the captured and verified allowlist.

Detecting Anomalies

When AppDefense is placed into verify and protect mode, any anomalies that deviate from the known good manifest is detected to be acted upon.  Since AppDefense knows how the application should be functioning, the attack surface is very narrow and easier to detect anomalies and deviations, with high confidence anomalies and deviations represent malicious activity.

If AppDefense detects an anomaly, it can provide a risk analysis of the anomaly for inspection. The Security Administrator can take a look at this analysis of the anomaly and either provide an automated remediation for it or even allow this behavior if it’s found to be a new known good process.  This makes AppDefense a powerful tool for not only finding anomalies but providing a quick remediation for process activity that needs to be allowed. Once the behavior is allowed, the process is placed into the allowlist manifest and is now an accepted behavior that no longer needs to be remediated.

Automating Remediation

Perhaps the most powerful capability of AppDefense is its ability to automatically remediate against anomalies representative of malicious activity.  A Security Administrator can now prescribe several remediation techniques in an automated fashion based on the application.  There are four main behaviors that AppDefense monitors:

• Inbound Communications – The allowlisted processes have specific inbound communication processes associated. Any new inbound communications from existing allowlisted processes or new processes can be automatically remediated against.
• Outbound Communications – The allowlisted processes have specific outbound communication processes associated. Any new outbound communications from existing allowlisted processes or new processes can be automatically remediated against.
• Enable Guest OS Integrity – The guest module looks at the kernel of the OS to ensure tampering is not allowed and also if it’s been tampered with. Any changes can be alerted and acted upon automatically.
• Enable Host Module Integrity – The host module that runs in the vSphere hypervisor is protected against tampering. Any changes can be alerted and acted upon automatically.

Each of these four behavior monitors has the following capabilities for automated remediation.

• Quarantine – When coupled with NSX, AppDefense can automatically quarantine an application to block all incoming and outgoing traffic from the virtual machine.
• Suspend – AppDefense uses the vCenter APIs to place the virtual machine in suspend mode.
• Power Off – AppDefense uses the vCenter APIs to power off the virtual machine.
• Snapshot – AppDefense uses the vCenter APIs to take a snapshot of the virtual machine.
• Alert – AppDefense sends an alert to the alarms interface in the AppDefense interface, but takes no other actions. This is a typical remediation for testing remediations.
• Block and Alert – AppDefense will send an alert to the alarms interface, and block subsequent anomalies that are identical.

AppDefense NSX Integration – Automated Quarantine

AppDefense has optional integration with the VMware NSX platform, specifically the Distributed Firewall and Service Composer capabilities.  Once AppDefense is connected to an NSX Manager, it automatically deploys a security policy, security group, and security tag for AppDefense to use.

The quarantine rule in AppDefense uses this integration with NSX to flag an application when an anomaly is detected when configured.  If an anomaly is detected and the rule is set to quarantine, AppDefense will use the NSX Manager APIs to attach the AppDefense security tag to the offending virtual machine.  This security tag is used as the inclusion criteria for the AppDefense quarantine security group which is used for blocking all inbound and outbound traffic with the AppDefense quarantine security policy.

AppDefense is a powerful new tool to build a least privilege compute model of security within data centers. AppDefense uses the unique properties of virtualization; Application Visibility, Isolation, and Automation to capture, detect, and respond to application activity in the data center.  Building a least privilege compute security model with traditional security products is difficult, as traditional security products alone do not provide the necessary combination of context, isolation, and automation.  AppDefense takes a new approach of  “Ensuring Good” versus “Chasing Bad” to make a least privilege compute model a reality.