Increasing Application Visibility with VMware AppDefense



Do you know what’s been hiding in your applications? The truth is, most of the infrastructure teams we work with today don’t have a comprehensive answer to this question. VI Admins don’t always have visibility (out of the box) into the applications or processes running in their environment. Fortunately, AppDefense provides a detailed view into application process and behavior which tend to surface some unknowns for customers in their applications. Here are the three distinct customer profiles have that have emerged since we launched in 2017:


  1. Customer A has no visibility into applications and needs to understand them more.
  2. Customer B has no visibility to E-W communication between VMs and VM integrity.
  3. Customer C knows their applications and wants to implement Zero Trust.


VMware AppDefense can provide a solution for each of these scenarios.

Let’s review each of the customer profiles in more detail to learn how AppDefense can help.


Customer A = No Visibility into Applications 


Customer Profile = Small Business

Customer A typically does not have access to the application development team and does not have an extensive security team. Therefore, Customer A is often unaware of how the application should work and whether there are any potential threatening behavior(s) or process(es). Without visibility and application knowledge, Customer A is highly susceptible to attacks and potentially suffers from the inability to locate source of a threat for an undetermined amount of time.

AppDefense can help Customer A by providing them with both visibility and built-in process intelligence. This includes:

  • Scope Dashboard – The Scope Dashboard provides an overview of all the services in a scope. Any suspicious, malicious processes, or integrity issues will appear in red.
  • Process Scores and Process Path- Most processes will have a reputation score and will be identified if they’re anomalous behavior.
  • Process Hash- This will allow for further investigation if needed.


AppDefense Protected Behavior


What Customer A will achieve with AppDefense:

  • Verified and known processes- AppDefense will highlight process to focus on (bad or unverified) and which processes are classified as known good.
  • Verify that company security policies are being carried out – are applications communicating over proper ports? Are people using public internet in Data Center Applications?

Upon deployment of AppDefense, Customer A will have a better understanding of their applications, be able to templatize these applications to see any deviations, and immediately identify potentially threatening behavior.


Customer B = No Visibility into East – West Traffic


Customer Profile: Med – Large Customer

Customer B has a strong affinity to security but has some major gaps in visibility from east- west process communication between VMs in their datacenter. Furthermore, they do not have information on VM guest integrity. The implication for Customer B’s lack of visibility into east-west communication and guest integrity leaves them vulnerable to internal breaches.

AppDefense has been able to help Customer B by showing intra-VM traffic and guest integrity checks.

  • Topology View- The topology view illustrates the process between services.
  • Guest Integrity and AppDefense Module integrity- AppDefense will highlight the 9 integrity checks and if at any point something has been changed in the kernal AppDefense will alert on it.


AppDefense Topology View


What Customer B achieves with AppDefense:

  • Visibility into all process communication among VMs (depending on how you set up VMs in Services)
  • Visibility and ability to take action on guest and AppDefense Module Integrity


Customer C = Wants to implement Zero Trust


Customer Profile: Large customer (SOC team)

Customer C is aware of what their application should do, but lacks the visibility and control to see deviations and act upon them accordingly. Customer C is unable to react to deviations if they are not able to create and use an application template to lock down known good processes and behaviors.

AppDefense can help Customer C with:

  • Creating a verified behavior list. This list will be based on the Application/VM template Customer C has.
  • Setting up rules based on deviations – Customer C can specify actions they want to take when process or behavior deviations occur.
  • Blacklist – Customer C can use this to highlight processes that need to be marked critical.


AppDefense Undeclared Alarms


What Customer C achieves with AppDefense:

  • Create clear application Manifests (verified behavior list)
  • Create rules based on deviations from the verified behavior list
  • Identify/add behaviors to the Blacklist- this will create critical alerts for this process.




In the three use cases above, we were able to illustrate how AppDefense provides value to VMware customers. VMware AppDefense is a hypervisor-native workload protection platform for enterprise virtualization and security teams and delivers the most secure virtual infrastructure and simplifies micro-segmentation planning. AppDefense reduces the attack surface by modeling intended application behavior, monitoring for anomalous behavior, and providing deep application visibility, reputation scoring, and security. AppDefense is simple for teams to install and operationalize. it is an intrinsic part of vSphere Platinum, so it is easy to leverage what you already own and run. To learn more, visit the website or contact sales today.