VMware AppDefense is about detecting attacks and automating and orchestrating the response. In addition there is a significant focus on allowing partners to integrate in VMware's AppDefense framework because of the unique visibility VMware has.
If you think about it, we are trying to protect an application which is a distributed system. So how do we understand the application beyond just a collection of infrastructure. VMware is not a security company, however we are focused on Secure Infrastructure. We asked, can we understand the application and create lease privilege on a network so that only the components that should speak together do? Compute really is an enormous attack platform so we are reducing it with AppDefense. The last piece is can we architect in third party security products by giving them context they would not ordinarily have?
Micro segmentation from NSX is ofcourse a perimeter piece of this. It allows us to draw a logical boundary. AppDefense is looking within these boundaries to understand if there is any behaviour that is deviating from the purpose of the VM. The model today is always chasing bad behaviour while we are focusing on chasing good because it is more efficient and cost effective
Step one, is to capture what the VM should be doing; then monitoring against a manifest and then the third piece is a library of responses that can be automated. We are leveraging some unique capabilities with virtualization. We capture by plugging into vCenter and then crawling through the provisioning systems. This is already there in systems like Puppet, Chef and vRA, its just customers are not mining the data. We can go a level deeper looking at processes as will with technologies like Jenkins.
Once Step one is done we trigger the monitoring element so that there is a learning element. We leverage Machine learning to understand the delta's between what was done in provisioning and what is contained within the application instances. The end result is the application scope or manifest is created. In the manifest we understand that this is what this VM should do and these are the processes that do it. The manifest is maintained through updates and patches.
Step Two is about how we Detect. VMware at the virtualization level can monitor outside the guest vs a traditional approach where you have to be on the wire. In Step three, uncharacteristic behaviour triggers a set of reactions such as snapshot or VM isolation controlled by policy. What do you want to happen if something happens that is not good behaviour?
This allows us to have security that responds in the same time factor as the attack. Typically security is a partnership between security and infrastructure. AppDefense is a partnership between the security and application team.
In addition, there is a mobile app that gets installed so that any processing on the application can be sent directly to the application team for response and clarification. This allows the application team to partner in profiling the application. Remediation an attack is a lot easier to do because rather than sifting through tens of thousands of security exploits we monitor a few expected good behaviours. When it changes the system reacts.
The secret sauce is the ability to peer into the guest, which requires a component that runs in the guests kernel. This opens up the opportunity to run this on non-virtualized application components.