One of the most interesting parts of working at VMware is watching a product as it evolves, and it’s been fun to watch AppDefense grow and progress. If you aren’t familiar with AppDefense, it’s VMware’s endpoint protection product that learns and protects the good behavior on a guest VM, versus trying to keep up with the bad things like traditional antivirus does. This new approach is more secure, more efficient, and much easier on IT staff time, which translates into much lower TCO (a very good thing).
The release of AppDefense 2.3 adds a number of features to smooth our use of the product and help with vulnerability detection and remediation across the infrastructure AND workloads. Patching & remediation is a thankless task because, to the untrained eye (i.e. everyone who isn’t a sysadmin), it seems like a lot of work where nothing happens as a result. That’s the point to patching, though: closing doors to bad actors so that nothing bad happens. Like many tasks IT professionals undertake it falls into the “no news is good news” category, where you’ll never know what bad things were stopped.
AppDefense 2.3 helps make those patching processes easier now by adding visibility to risk inside the VMs, allowing operations teams to report on risk and help their organizations prioritize the repairs. This is a huge release, let’s take a look at the release notes and see not only what’s new but also why it’ll help us (spoiler: the vulnerability stuff is at the end):
AppDefense allows admins to configure automatic actions when untrusted activity occurs. That’s nice because admins cannot be watching their systems at all times. vSphere admins have been able to choose whether AppDefense alerts on bad behavior, blocks the network traffic, quarantines the VM with NSX, suspends the VM, snapshots the VM, or powers the VM off. Now we can have it kill the suspicious process, too, as an evolution of response mechanisms.
One of the core tenets of information security is the principle of least privilege, meaning that a person, process, or other entity should only have the permissions to do exactly their job, and no more. One of the things we’ve learned is that as systems evolve we might not want what AppDefense learned as a behavior to be allowed anymore. Now we can see when the behavior last happened, which helps us audit and troubleshoot them.
Alert Classification Enhancements & Severity-based Remediations
Part of having a service that uses machine learning is that… it learns things. As the AppDefense systems learn more they can make better judgements about whether network and process behavior looks similar to what’s already allowed, and then offer more reasonable alerts to the vSphere admins and security teams. When everything is an emergency nothing is, right?
Similarly, severity-based remediations now mean that the response from AppDefense can match the offense. Critical alerts get a very stern response (power off, quarantine, etc.), but more minor alarms get more gradual responses (blocking, alerting, etc.).
SaaS User Roles
Keeping with the principle of least privilege we’ve added some additional roles to the AppDefense SaaS portal. This allows you to invite other staff, such as infosec folks or SecOps teams, to do reporting but not alter the settings in the portal.
Rebootless Install and Upgrade
The AppDefense in-guest module ships with VMware Tools to help smooth out relations between guest OS support staff and vSphere admins. However, unless you’re running the absolute latest VMware Tools you won’t have the latest AppDefense guest modules. To further smooth relations between teams in an IT organization the AppDefense modules can now be updated without rebooting the guest VMs, if you’re at version 2.2.1 or higher. If you aren’t at that version then you might consider going to VMware Tools 11 as well, which has some major benefits in other areas, including the new ability to get vmxnet, pvscsi, and other drivers from Windows Update.
DNS support for Allowed Behaviors
In the world of content delivery networks, DevOps, and the trend towards more dynamic services it is very hard to maintain an authoritative list of IPs a service can connect to. Now you can use FQDNs, too, which is a huge improvement.
NSX-T is evolving, too, and AppDefense can now use both NSX-V and NSX-T to quarantine a VM. This is a very powerful feature because it allows for a very granular automatic response, at least until a human can get in to look.
Vulnerability Scanning and Risk Prioritization
Once you’re upgraded to AppDefense 2.3 and guest modules version 126.96.36.199 or newer you’ll start seeing new vulnerability information appear. To be quite honest, this feature is huge and really speaks for itself, especially if you do any sort of vulnerability scanning. I’ve attached some screenshots from my own lab environment, which is set up as a medium-sized business would typically be configured. I am prompt about patching systems (it’s the best way to resolve vulnerabilities, after all) but to show the reporting tools I created an unpatched Windows Server 2016 VM. 729 vulnerabilities for the OS, and 36 for application components – ouch! You can also see the process integrity alarms that appear when something tampers with the Windows kernel. In this case it was me applying patches to my DR site’s AD DC.
In conclusion, AppDefense just keeps getting better, in very thoughtful ways. VMware tries hard to consider how best we can improve the security of applications and workloads while being respectful of IT staff time, skills, and the politics inside organizations. In that light it’s very exciting to think of the possibilities around the Carbon Black acquisition, too.
I cannot imagine how you wouldn’t be interested in AppDefense at this point, especially in any sizeable IT environment where risk management and patching is a big chore. AppDefense is delivered as part of vSphere Platinum, so please reach out to your account teams for more information or visit the vSphere Platinum test drive where you can take it, and a number of other VMware products, for a spin.