The release of vSphere 6.7 Update 2 was announced (and will soon be generally available as an update and download), bringing improvements and fixes to all editions of vSphere. This includes vSphere Platinum 6.7 Update 2, the premier edition of vSphere that features AppDefense.
If you aren’t familiar with VMware AppDefense it is cutting edge technology designed to change the way we protect applications and workloads. For far too long we’ve relied on traditional antivirus and threat detection, each with huge lists of malware signatures that need constant maintenance. How does an attacker defeat a system like that? Just change the malware a little so it isn’t on the list anymore! What if we flipped that around, though? What if we made a list of the stuff that we know is good and then blocked everything else? That’s exactly what AppDefense does at its core. It uses machine learning at the hypervisor & infrastructure level to discover how a workload is supposed to work, and from there it’s able to block the rest.
AppDefense also uses IP and process reputation data to figure out whether a trusted process is talking to someone untrustworthy. This is especially important as a line of defense when a vulnerability is found in a trusted process, before a patch is available or applied. AppDefense identifies unknown behavior and stops attackers by blocking connections, preventing malicious processes from starting, and even using VMware NSX to quarantine the VM with microsegmentation. In third-party tests AppDefense has been proven to be extremely adept at blocking zero-day threats and new malware, areas where traditional approaches fail.
AppDefense is evolving rapidly, and vSphere Platinum 6.7 Update 2 is a great opportunity to highlight some recent improvements.
Process Burndown Charts
AppDefense has a “discovery” mode where it learns about an application. How do you know that it’s time to move it to “protected” mode, though? These new burndown charts help immensely. In this example AppDefense isn’t seeing many new behaviors so it’s time to change to protected mode:
Process Reputation Status
AppDefense displays easy-to-read graphics to help virtualization administrators and security teams focus on problem areas, such as untrusted or unknown processes.
Integrity Check Status
AppDefense also checks for signs of malware and intrusion on guest operating systems, and now displays what it knows so you can easily see that something is amiss:
Adaptive Allowed Behavior & Better Monitoring Events
AppDefense gets smarter every day, and one of the improvements is better classification of alerts so us humans can focus on the big problems. AppDefense is now more expressive, using more detail about whether it’s an application that it already knows about that’s doing something unexpected, or a new process, and whether it’s a minor or major issue.
Topology Charts (in Beta)
AppDefense can now show a graphical representation of your applications. Want to know who is talking to who? Want to know what ports they’re using? Here’s the answer, and it’s useful for both security and day-to-day troubleshooting. This feature is in beta but shows the power of protecting applications from within the hypervisor itself.
VMware Tools Integration for AppDefense
The AppDefense modules for guest OSes ship now as part of VMware Tools, just as NSX introspection modules do. This means that VM templates can be built with the modules installed, and operating system support teams are able to maintain them just as they do with VMware Tools.
vSphere Plugin Improvements
Last, the AppDefense Plugin for vSphere Platinum 6.7 Update 2 gets improvements for virtualization admins in the form of one-click cluster installations and the option of automatic plugin and appliance upgrades.
Wait, there’s more!
Beyond AppDefense, vSphere 6.7 Update 2 has additional security enhancements that continue the trend of making it easy to be secure.
- New guest OS support makes it easy to take advantage of Virtualization-Based Security, virtual TPMs, VM encryption, secure boot, and other security features inside modern guest operating systems. As you replace aging and end-of-life OSes, like Windows Server 2008 R2, enable these features to seamlessly improve your guest OS security.
- Improvements to Update Manager and Host Profiles mean that patching vSphere is even easier and more reliable. Patching is one of the biggest ways you can keep an environment secure, and vSphere makes it very easy to do with vSphere 6.7 Update 2.
- A slew of new auditing and compliance features, such as password history & reuse limits in ESXi, and much improved SSO and vCenter Server audit logging, all of which is displayed in vCenter but can also be sent securely to a log analytics system like vRealize Log Insight or third-party SIEMs. Want to know who changed a particular VM last week or who logged in on Saturday? No problem!
- Improved ESXi certificate replacement APIs, as well as features to allow certificate signing requests to be generated from inside vCenter.
- New CPU scheduler options that may provide some additional flexibility when dealing with hardware CPU vulnerabilities like L1TF. This is a big topic that needs its own post so please stay tuned for more information.
vSphere Platinum 6.7 Update 2 builds on VMware’s long heritage of security, availability, and freedom of choice when it comes to hardware and deployments. Coupled with the new & flexible compliance monitoring and remediation tools in vRealize Operations Manager 7.5 this is the most powerful, cost-effective, and secure platform yet on which to build and operate mission-critical workloads.