An article recently posted on CIO NZ titled “Cost of cybercrime surges by 62 per cent in 5 years” states that average financial losses from cybercrime are on the rise and, at the time the article was published, had increased by 62% over the previous five years. When breaches do occur, companies need to manage their reputation as well as the financial downside of the breach. There are multiple security offerings on the market to address these concerns, but they bring increased complexity and often only limited improvements in security.
CISOs and their teams face two main challenges while trying to secure their data and applications:
- Undetected threats and false alarms
Existing endpoint security solutions trigger numerous false alarms, resulting in Security Operations teams wasting time manually investigating non-existent threats. Worse yet, they can miss threats entirely.
- Fast-paced, dynamic environments
Existing security solutions are not designed to accommodate the speed at which modern application development and deployment occurs, which means that as new applications are launched and updated, security cannot keep pace.
The market needs more effective security, something which looks at your environment holistically and is able to deeply integrate and understand your applications. Organisations need something which can then utilise that understanding of how their applications are intended to run and communicate, whilst applying a zero-trust policy to anything which deviates outside of those parameters. And finally, something that can respond to any deviations autonomously and in a manner deemed appropriate to your security team.
With AppDefense by VMware, these concerns are addressed and we’d like to share with you our insights into its capabilities.
Traditional security solutions typically communicate with their endpoints (the things they are protecting) in one of two ways:
- Through agents installed on each endpoint that communicate back to the security solution.
  - PRO – The agent integrates well with the Guest OS and can collect a vast amount of information that can be used to protect the application installed on the Guest VM.
  - CON – The agent runs in the same runspace / trust domain as the Guest OS, which means the agent itself can be compromised in an attack.
- As a physical (or virtual) device through which all traffic is redirected, such as an intrusion prevention system.
  - PRO – Collection happens in an isolated trust domain, so the collector is safe from attack when the guest VM is targeted.
  - CON – Collection abilities are limited, because the device has to rely on what it can see on the wire or on standard protocols such as SNMP.
So why AppDefense? Because it provides all of the PRO features above and none of the CONs. It can do this by running in the hypervisor (a separate trust domain) while still getting direct context about the application at the guest level, so it stays isolated from the workload it protects.
Implementation of AppDefense is done in a 3-phase process and each phase utilises a feature of the vSphere hypervisor: positioning, isolation, and automation, as shown below.
AppDefense can use its position in the hypervisor to gather enhanced application visibility, such as running state, linked systems, ports used and required services.
Example: Web server 1 runs apache using Linux as an OS. The server was built by Puppet and it has packages deployed by Jenkins. It needs to talk to a specific database server on port 2382 and requires services like NTP, DNS and LDAP to run.
AppDefense does this while placed in Capture mode: during that period it learns what the intended state of the application should be. It then writes this information into a manifest held directly on the hypervisor, and therefore inside its own protected trust domain.
With the manifest stored safely in the hypervisor and thus isolated, AppDefense can use this secure position to detect any anomalies, which quite simply, is anything which deviates from the information placed in the manifest file.
This is a far more efficient approach than trying to maintain a database of millions of possible attack signatures and attempting to keep whatever is in that database off the guest operating systems. It also helps with zero-day attacks (attacks that exploit a vulnerability for which no fix or signature yet exists), because anything that does not match the manifest is flagged regardless of whether it has been seen before.
This isolated position ensures that even if an attacker did work out a way to compromise an application through a valid port or set of services, AppDefense itself would remain protected. AppDefense monitors both the Guest OS and the host the VM is running on, to ensure tampering does not take place at either level.
With virtualised environments being entirely built on software, they have the capability to be completely automated. AppDefense takes advantage of this by allowing automated responses to detected anomalies.
- When integrated with the vSphere Hypervisor, this can include actions such as:
  - Powering off the VM
  - Suspending the VM
  - Snapshotting the VM
- When integrated with NSX, actions such as:
  - Quarantining the VM
  - Starting a packet capture
  - Rerouting traffic
AppDefense can also simply provide a risk analysis of any detected anomaly for a security admin or team to investigate before deciding which action to take. If a new activity is found to be valid, it can be placed on the whitelist; it is then added to the manifest and will not be flagged again.
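To make the capture, detect and whitelist cycle described above concrete, here is an added illustrative example written for this post (it is not AppDefense code and does not use its API). It models the manifest as an allowlist of processes and the connections they are permitted to make, using the "Web server 1" details from the earlier example; the host names, process names and the response mapping are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Connection:
    process: str   # process that opened the connection (e.g. "apache2")
    dest: str      # peer host name
    port: int      # peer port

@dataclass
class Manifest:
    """Intended state learned in capture mode: which processes may run and where they may talk."""
    processes: set = field(default_factory=set)
    connections: set = field(default_factory=set)

def capture(events):
    """Capture mode: every observed event is assumed to be intended and recorded in the manifest."""
    m = Manifest()
    for e in events:
        m.processes.add(e.process)
        m.connections.add(e)
    return m

def protect(manifest, events):
    """Protect mode: return every event that deviates from the manifest, tagged with a reason."""
    findings = []
    for e in events:
        if e.process not in manifest.processes:
            findings.append(("unknown_process", e))
        elif e not in manifest.connections:
            findings.append(("unexpected_connection", e))
    return findings

def whitelist(manifest, event):
    """An operator judged the activity valid: add it to the manifest so it is not flagged again."""
    manifest.processes.add(event.process)
    manifest.connections.add(event)

# Constructed mapping from finding type to the response an operator chose (actions from the post).
RESPONSES = {"unknown_process": "suspend_vm", "unexpected_connection": "alert_soc"}

def respond(findings):
    """Turn each finding into the configured automated response."""
    return [(RESPONSES[reason], e) for reason, e in findings]

# Constructed sample: capture-phase events for "Web server 1" (DB on 2382, plus NTP, DNS, LDAP).
CAPTURED = [
    Connection("apache2", "db01.example.test", 2382),
    Connection("apache2", "ntp01.example.test", 123),
    Connection("apache2", "dns01.example.test", 53),
    Connection("apache2", "ldap01.example.test", 389),
]
# Constructed sample: later traffic, including a legitimate deploy agent and an unexpected peer port.
OBSERVED = CAPTURED + [
    Connection("jenkins-agent", "jenkins01.example.test", 8080),
    Connection("apache2", "db01.example.test", 22),
]
```

After `capture(CAPTURED)`, `protect` flags the Jenkins agent as an unknown process and the SSH-port connection as unexpected; whitelisting the Jenkins event leaves only the latter.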
These automated responses significantly reduce the time taken to respond to threats and provide a reliable and standard approach to ensure that the same threats are dealt with the same way, which can be customised as per your particular response requirements.
VMware recognises that even with continuous and perpetual updates, no security vendor can know about all the malicious software created which can target and attack your platform. Their solution is to know what your platform was created for and what its intended purpose is, then block or alert to everything which doesn’t conform to it.
VMware’s networking and security product, VMware NSX, takes a similar zero-trust stance in the networking space by using micro-segmentation to achieve network security, while AppDefense protects the compute space, or more particularly the application space, as described above.
In our real-world example of Shaun at the airport (see blog: Can we secure the DC with VMware?), the hypervisor is the airport, and NSX could be likened to the passages and queue lines inside the airport, with defined routes of where to go. Micro-segmentation doesn’t allow deviation from where the traffic is supposed to route. Shaun is the VM, with his bag being the application. AppDefense, on the other hand, is the beagle, which knew what Shaun’s bag (the application) was supposed to contain (clothes, toiletries, etc.). This translates to a set of smells and is stored as a manifest of what is allowed. The beagle compared the manifest of smells, detected that a banana was not part of what was allowed, and this prompted an automated response (sitting next to the bag). This was essentially an alert to the SOC (security officer), who could then decide which actions to take. Luckily for Shaun, he didn’t end up being placed in quarantine.
This modern approach to security is a must for all companies, big and small. It highlights that the more traditional AV and perimeter protection solutions aren’t enough anymore, and that more flexible solutions are now available that keep security simple.
If you would like a demo of AppDefense or are interested in improving your application security, feel free to get in touch with us at https://www.parallo.com/contact/
Further information can be found here: