VMware Security - AppDefense is a Gamechanger
When speaking about security I often relate it to the flu!
If you think about it many of us get a flu vaccination every year. A number of people I know this winter still got the flu even though they got the flu vaccination. This was because of a new variant of the flu called "aussie" flu.
Next year when we get the vaccination we will be protected against the aussie flu but more than likely there will be a new variant.
In many ways this is similar to security, constantly looking for bad and waiting for the next threat, remediating that vulnerability and preparing for the next one. The vicious circle continues.
AppDefense is a new and interesting way of addressing the issue of chasing bad, it does this by looking at good and creating a known good manifest. The hypervisor is in a unique position whereby it knows what workloads are running and can create "Security Scopes" learning the interactive patterns in the datacenter, creating a picture, defining a dynamic pattern instead of an individual per workload behavior. At a high level a "learn mode" (or from automation blueprints e.g. vRA, vRO) of the workloads is performed, this is then stored in manifests in both the guest agent and hypervisor.
The architecture consists of a number of components
1. AppDefense Manager Console - Multi Tenant SaaS component that deploys the appliances for the AppDefense management, here you can monitor the enforcement of configuration, security events and alarms.
2. AppDefense Appliance - The OVF appliance is hosted on premise connecting to vCenter and other components and acts as a control point for traffic to/from the manager.
3. AppDefense Host Module - Provided as VIBs and deployed to all ESXi hosts. This provides trusted isolation within the hypervisor to store manifests of the protected applications.
4. AppDefense Guest Module - An AppDefense agent is installed in the guest OS communicating with the AppDefense Host module to enforce the intended state of guest behaviour.
Application Control - Applications can be grouped in the datacenter, intended state recorded and allowed behaviour set
Run Time Anomaly Detection & Control - Monitor in real-time the state of the OS, applications, control and network and kernel events
Process Analysis - A built in analysis engine provides overall process maliciousness rating and also looks at specific traits that are potentially suspicious
Orchestrated Remediation - Actions can be taken to remediate security incidents whether this be with NSX or directly with vCenter.
By having security handled by the hypervisor it provides quite a unique opportunity as it can monitor whats running on top of it without actually being in the user world. When a workload it compromised the first area to be attacked and potentially shutdown/altered is the protecting service itself. When security is both in the user world and the underlying hypervisor the threat is eradicated. This is the power that AppDefense brings. It has controls that protect the agent running in the user world, if there is tampering of the agent a warning or remediation can be performed by the hypervisor.
On initial login to AppDefense manager you will see a landing page showing coverage, scopes and alarms.
We can see an inventory and status of the hosts and VMs in the test environment
It will also show a list of unassigned VMs that can be selected and a security scope assigned.
Creating an AppDefense Security Scope
Creating a scope is very simple, we select Scopes and +, provide a name for the scope and select create. It then asks us to create a service in this case I typed "DB" and selected the VMs that I wanted to be part of this service protection.
I then clicked Finish as we will put AppDefense into learning mode.
Once finished there is a list of processes and behaviors detected from the "DB" machine. Note: the recommendation for learning mode is to run for between 7 to 14 days.
We can then go ahead and select "Verify and Protect"
AppDefense will now verify the running state against the manifest.
On selecting "rules" control handling can be specified and remediation actions configured.
It can work with or without NSX. If using NSX tags can be leveraged to work in conjunction with the platform for additional remediation actions.
This post is just a quick look at AppDefense and it's power. I would highly recommend looking at this recording at VMworld with Tom Corn, they simulate a hacker attack and the response AppDefense takes!