A New Way to Protect Your Applications
The international reference for the kilogram is a cold cylinder of platinum and platinum-iridium alloy, which is kept at the International Bureau of Weights and Measures (BIPM) near Paris. We use this isolated reference to measure all other production kilograms. VMware feels that the same strategy can help defend applications from malicious attack.
VMware announced a new product, AppDefense, at VMworld 2017, which acts in much the same way. Instead of studying how new attacks happen and hunting for threats, VMware theorizes it is much easier to know the intended state and measure running applications against that isolated standard to find anomalies.
VMware AppDefense leverages deep insight from vSphere to monitor running applications against their intended state (isolated reference) to detect and automate response to attacks that attempt to manipulate those applications.
- By working with vSphere, AppDefense is able to see rich application context: both run state and provisioned state.
- VMware AppDefense can utilize the hypervisor to create a protected zone in which to store the intended state and from which to monitor runtime behavior.
- AppDefense can take advantage of vSphere and NSX to automate and orchestrate a response to the attack.
The end result is that VMware AppDefense can significantly reduce the attack surface by making threat detection and response more efficient: you don't have to know what the next threat is, you just have to have a standard against which to compare.
“The growing frequency and cost of security incidents points to a fundamental flaw in security models that focus solely on chasing threats,” said Tom Corn, senior vice president, security products at VMware. “AppDefense delivers an intent-based security model that focuses on what the applications should do – the known good – rather than what the attackers do – the known bad. We believe it will do for compute, what VMware NSX and micro-segmentation did for the network; enable least privilege environments for critical applications.”
This new strategy can protect applications from new and evolving threats such as code caves. With this method, malicious applications inject code into existing whitelisted applications to enable the execution of unintended code. These applications have already been approved by existing endpoint security and have been deployed on locked machines, so threats executed from within them, behind your security controls, can have a dire impact on the environment. This is just one example of an attack that can be easily detected by VMware AppDefense. As you see below, the original known state can be fingerprinted by AppDefense and stored in the hypervisor. Once the compromise changes the application, it no longer matches the standard. VMware AppDefense can help vSphere, NSX, and other security infrastructure to notify and remediate this threat. From there, you can use forensics to do a post-incident analysis to protect your environment from similar breaches in the future.
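The fingerprint-and-compare idea in the paragraph above, as an added example that is not VMware's code and does not show how AppDefense is implemented: a known-good image is hashed page by page, and a later copy is measured against that reference. The page size, the function names and the three-page sample image are assumptions constructed for this illustration.

```python
import hashlib
from itertools import zip_longest

PAGE = 4096  # fingerprint granularity; an assumption of this example


def fingerprint(image: bytes) -> list:
    """Intended state: one SHA-256 digest per page of the known-good image."""
    return [hashlib.sha256(image[i:i + PAGE]).hexdigest()
            for i in range(0, len(image), PAGE)]


def deviations(reference: list, image: bytes) -> list:
    """Offsets of pages that differ from, or are missing on either side of,
    the stored reference. An empty list means the image matches."""
    pairs = zip_longest(reference, fingerprint(image))
    return [n * PAGE for n, (want, got) in enumerate(pairs) if want != got]


def build_sample() -> bytes:
    """Constructed 3-page image: header, code followed by zero padding, data."""
    header = b"HDR".ljust(PAGE, b"\x00")
    code = (b"\x55\x48\x89\xe5\xc3" * 100).ljust(PAGE, b"\x00")  # 500 bytes used
    data = b"config=1".ljust(PAGE, b"\x00")
    return header + code + data


def overwrite_padding(image: bytes, offset: int, filler: bytes) -> bytes:
    """Stand-in for a code-cave change: unused padding is overwritten in
    place, so the length and the layout of the image stay the same."""
    return image[:offset] + filler + image[offset + len(filler):]


if __name__ == "__main__":
    original = build_sample()
    reference = fingerprint(original)  # kept where the workload cannot alter it
    changed = overwrite_padding(original, PAGE + 2048, b"\x90" * 16)

    print("same length:", len(changed) == len(original))
    print("original deviations:", deviations(reference, original))
    print("changed deviations:", [hex(o) for o in deviations(reference, changed)])
```

The changed image has the same length as the original, so a size check alone would pass it; only the comparison against the stored per-page reference points at the page that was altered.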
VMware AppDefense is a strong addition to a security portfolio, but does not function alone; AppDefense can integrate into your existing security controls. Endpoint security, security information and event management (SIEM), and Security Operations Center Analytics are able to integrate with it.
Bad actors, those individuals and groups developing new threats to breach our defenses, are constantly innovating. Traditional security solutions are constantly being updated to discover and protect against these new threats and are often one step behind. VMware feels it is much easier to just understand how your applications should work and constantly measure reality against that standard you keep locked away in a vault.
Much like the international standard for the kilogram, AppDefense gives us a known measurement to compare against and rapidly determine differences, enabling efficient response and remediation.