Whitelisting and Blacklisting in AppDefense
VMware AppDefense provides deeper visibility into data center endpoints by reporting each process running inside your application servers, along with its network connections. With that visibility, AppDefense can be used to manage processes across your environment and gives granular control over what should be allowed or blocked (otherwise known as process whitelisting and blacklisting).
Most organizations have a common set of software programs, such as antivirus or EDR agents, that run on every VM in the data center. VMware AppDefense helps security or infrastructure administrators identify these processes and add them to a whitelist. The advantage of whitelisting them is that AppDefense no longer needs to learn these common processes for every scope and service in your AppDefense organization, and once an upgrade event for a whitelisted process has been detected, the process does not have to be learned again.
However, admins must be mindful when whitelisting processes, as whitelisting the wrong ones can introduce vulnerabilities into your environment. For example, interpreters such as Java and Python should not be whitelisted across an AppDefense organization, because their behavior depends on the programs they run.
Blacklisting processes with AppDefense similarly benefits administrators. Once you have identified a process in your environment as malicious, blacklisting it ensures that it is not allowed in any other scope in your organization: AppDefense ensures that blacklisted processes are never added to the allowed behavior of any scope.
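To make the precedence described above concrete, here is an added example, not AppDefense code, of a small policy model in Python: an organization-wide whitelist and blacklist layered over per-scope learned behavior, where the blacklist wins over everything, a whitelisted binary is accepted across scopes and re-baselined once on an upgrade, and interpreters such as Java and Python are refused at whitelist time. Every class, rule and sample value here (the `INTERPRETERS` set, the publisher check used to tell an upgrade from a replaced binary, the paths and hashes) is an assumption made for the illustration.

```python
"""Hypothetical model of org-wide process whitelist/blacklist layered over per-scope
learned behavior. This is an added example, not AppDefense code; every class, rule
and sample value below is an assumption made to illustrate the precedence."""
from dataclasses import dataclass, field
from posixpath import basename

# Assumption: interpreters whose behavior depends on what they run are refused at
# whitelist time, because allowing them org-wide would allow any script they execute.
INTERPRETERS = {"java", "java.exe", "python", "python.exe", "python3"}


@dataclass(frozen=True)
class ProcessEvent:
    scope: str       # scope (application) the reporting VM belongs to
    path: str        # full executable path
    sha256: str      # hash of the executable image
    publisher: str   # code-signing publisher, "" if unsigned


@dataclass
class OrgPolicy:
    # path -> (sha256, publisher) recorded when an admin whitelisted the binary
    whitelist: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)      # paths blocked org-wide
    learned: dict = field(default_factory=dict)      # scope -> {(path, sha256)}


def whitelist_process(policy: OrgPolicy, event: ProcessEvent) -> None:
    """Add a binary to the org-wide whitelist, refusing interpreters and blacklisted paths."""
    name = basename(event.path.replace("\\", "/")).lower()
    if name in INTERPRETERS:
        raise ValueError(f"{name}: interpreter; learn it per scope, do not whitelist org-wide")
    if event.path in policy.blacklist:
        raise ValueError(f"{event.path} is blacklisted; remove it from the blacklist first")
    policy.whitelist[event.path] = (event.sha256, event.publisher)


def blacklist_process(policy: OrgPolicy, path: str) -> int:
    """Block a path org-wide and purge it from every scope's learned behavior.
    Returns the number of learned entries removed."""
    policy.blacklist.add(path)
    policy.whitelist.pop(path, None)
    removed = 0
    for scope, entries in policy.learned.items():
        keep = {entry for entry in entries if entry[0] != path}
        removed += len(entries) - len(keep)
        policy.learned[scope] = keep
    return removed


def evaluate(policy: OrgPolicy, event: ProcessEvent) -> str:
    """Decide one process event. Precedence: blacklist > whitelist > scope baseline."""
    if event.path in policy.blacklist:
        return "BLOCK"
    if event.path in policy.whitelist:
        known_hash, known_publisher = policy.whitelist[event.path]
        if event.sha256 == known_hash:
            return "ALLOW"
        # Same path, new image: treat as an upgrade only if the signer is unchanged,
        # then re-baseline once so no scope has to learn the new version.
        if event.publisher and event.publisher == known_publisher:
            policy.whitelist[event.path] = (event.sha256, known_publisher)
            return "ALLOW_UPGRADE"
        return "ALERT_TAMPERED_WHITELIST"
    if (event.path, event.sha256) in policy.learned.get(event.scope, set()):
        return "ALLOW"
    return "ALERT_UNKNOWN"


def demo() -> dict:
    """Run the model over constructed sample events (paths, hashes, publishers are made up)."""
    policy = OrgPolicy()
    edr_path = "C:/Program Files/EDR/agent.exe"
    whitelist_process(policy, ProcessEvent("web", edr_path, "aaa111", "Example EDR Corp"))
    policy.learned["web"] = {(edr_path, "aaa111"), ("C:/app/web.exe", "bbb222")}
    policy.learned["db"] = {("C:/tools/dumper.exe", "ccc333")}

    results = {}
    # Whitelisted agent is allowed in a scope that never learned it.
    results["edr_in_db_scope"] = evaluate(policy, ProcessEvent("db", edr_path, "aaa111", "Example EDR Corp"))
    # New hash, same publisher: accepted as an upgrade and re-baselined once.
    results["edr_upgraded"] = evaluate(policy, ProcessEvent("db", edr_path, "aaa222", "Example EDR Corp"))
    # New hash and no signer: a replaced binary on a whitelisted path raises an alert.
    results["edr_unsigned_replacement"] = evaluate(policy, ProcessEvent("db", edr_path, "eee555", ""))
    # Blacklisting purges the learned entry and blocks the process in every scope.
    results["dumper_purged"] = blacklist_process(policy, "C:/tools/dumper.exe")
    results["dumper_in_db_scope"] = evaluate(policy, ProcessEvent("db", "C:/tools/dumper.exe", "ccc333", ""))
    # Interpreters are refused at whitelist time.
    try:
        whitelist_process(policy, ProcessEvent("web", "C:/jdk/bin/java.exe", "ddd444", "Example JDK"))
        results["java_whitelisted"] = True
    except ValueError:
        results["java_whitelisted"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The publisher check is the design choice worth noting: accepting any new hash on a whitelisted path would turn the whitelist into a blind spot for a replaced binary, so the model only re-baselines when the signer matches and alerts otherwise. The same reasoning is why interpreters stay out of the org-wide list: their identity says nothing about what they will execute.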
Processes within AppDefense can be whitelisted or blacklisted from two different pages. The first is the Event Details page.
The second is the Behaviors page of the AppDefense Manager console, from which processes can also be added to the whitelist or blacklist.
Finally, the Manage Processes page lets you monitor the whitelisted and blacklisted processes in your AppDefense organization and remove any process from either list. For example, users can add a noisy security agent as a whitelisted process, and the Alarm Classification Engine can then de-classify the alerts that the agent's abnormal behaviors would otherwise raise.
In this blog I provided details on managing processes with VMware AppDefense. This feature gives security teams visibility into how their applications interact and provides a more comprehensive set of whitelisting and blacklisting controls. AppDefense also provides adaptive whitelisting, which adjusts the allowed behavior list so that common changes such as upgrade events are not penalized. As mentioned, whitelisting is about managing legitimate software changes, since this is where most false positives occur.
If you’re not leveraging AppDefense today and would like to learn more, please visit the AppDefense home page.