Q&A: VMware Executive Tom Corn On How AppDefense Will Lock Down Security At The Virtualization Layer

AppDefense Is Live

VMware is about to change the security equation with a new offering that protects applications at the virtualization layer.

Developed under the code name Goldilocks, the long-anticipated AppDefense will finally be revealed to partners at the VMworld conference starting this week in Las Vegas.

AppDefense employs a totally different approach to securing apps than other products on the market. Rather than trying to detect malware and other threats, VMware's offering leverages control of underlying virtual infrastructure to continually verify applications are running as they should. AppDefense learns and records the intended state of all apps on the system, then monitors them running in production to ensure they don’t veer from appropriate behavior patterns.

Tom Corn, VMware's senior vice president of security products, explained to CRN how the new offering works, the unique benefits it delivers in locking down production IT environments, and how VMware sees those capabilities impacting the wider security market.

What is AppDefense?

AppDefense is really about protecting applications that are running on top of virtualized or cloud environments. In some sense, it is creating a 'least privilege' model for the compute stack. Least privilege being one of the oldest principles in computer security -- that an application or system should have access to the functions and resources it needs to get the job done and nothing more. It’s a very powerful concept because it can vastly decrease the attack surface and make for a much more manageable problem.

An analogy: You can open the doors to your house and just focus all kinds of sophisticated analytics to analyze the people coming and going, but you start by locking your doors and handing out the keys to a handful of people to reduce an enormous amount of the attack surface and make the analytics a much more manageable exercise.

How different is this approach to security?

Today, the vast majority of the security market is really innovating around how we find bad. But it's a model of chasing threats. What we're trying to do with AppDefense is ensure good. So it's sort of the flip of that model.

It's different in a few ways -- one of them is the manner in which we're leveraging the underlying virtual infrastructure to do some things we simply couldn't do before. Another way is that we're doing some work around aligning security teams to application teams, whereas in the past most of the alignment tended to be around security teams and infrastructure.

What are the components of AppDefense?

First, there's the capture component, which is about discovering and capturing the applications and intended purpose and behavior of every machine in the environment.

The second is about detection, which is about monitoring in real time what is running in the machine environment against the intended state.

Third is leveraging the virtual infrastructure to create some sort of automated or orchestrated incident response if what's running doesn't match what was intended.

How does AppDefense capture the intended purpose of virtual machines?

One of the things the system leverages is the hypervisor's unique position to be able to see what is running in a very efficient manner and also anything that is ever provisioned to that machine. We hook into vCenter, which gives us a complete inventory of all the machines in an environment. In order to start to capture the knowledge from the application teams, the knowledge about the intended state and the intended purpose of that environment, we start to crawl through the various provisioning systems, things like Puppet and Chef and vRealize. These start to give us insight into the various machines' purposes, such as whether it's part of the database tier of the EMR system supposed to be running Windows 2012 and have a Python package on it.

We then start to crawl through the application automation framework. Things like Ansible, Maven, Jenkins that are used by application teams to deploy the packages give us more clarity about the intended purposes of those machines, how processes communicate or interact with other processes part of that application.

How does AppDefense monitor the environment?

We have a novel, interesting machine-learning approach to looking at activity on the machine and starting to verify and validate, cross-correlating with what was provisioned, things deployed on those pieces, reputational services, looking across the environment to see similar types of systems. We can trigger our position on the hypervisor to monitor those applications running on the environment. We start to see in the wild what is actually running.

The net of all of that is in a highly automated manner the teams can start to see all applications and regulatory scopes in their environment.

We're essentially creating a manifest, or a birth certificate, for the application and for all the VMs that form the application. It becomes a source of truth and it's formed by a lot of authoritative knowledge that isn't just pulled from the machine in a normal baseline manner.

How is the 'manifest' used to detect threats?

The detection component is unique because we've leveraged the hypervisor itself to create a protected zone where we store this manifest of VMs as well as a process that monitors what's running against these manifests. So we have real-time detection of anyone and anything that starts to manipulate the applications that are running on top of these. It's an incredibly powerful model.

We don’t necessarily know what the malware is. All we know is what's running doesn't match what was intended to run.

How does AppDefense respond when it detects anomalous behavior?

With response, we've taken advantage of the fact that the virtual infrastructure is software — highly automatable. So we've basically created a library of incident response routines, such as kill the machine, bring up an image, snapshot for forensics, quarantine the machine on the network. They can be triggered automatically or be configured and provide the security operations team essentially a big red 'Easy' button.

We've created something from an operations standpoint that's incredibly simple to use. The policies are just what do you want to have happen if what's running doesn't match. We've paid close attention to the fact that you need a graduated response. A response to every problem of this type isn't so draconian as to quarantine a machine. That simply doesn't work in most data centers.

Part of what we built is a mobile companion app that runs on the iPhone or Android phones. It allows for real-time collaboration between the security teams and the app owners. If an attack is manipulating an application, security operations can hit a button and it will instantly pop up on the phone of the app owners. They can see what's going on, they can comment or communicate.

Should other security vendors be concerned?

There will always be incredible value in being able to identify and detect threats. At the highest level again, it's this notion of ensuring good versus chasing bad. It's not that one should disappear. It's not that finding bad will become obsolete. We're just never going to be able to catch up by only finding bad.

All the attacks that caused so much disruption over the last year clearly weren't being addressed by endpoint security and other controls that were sitting on those systems. The idea to lock down in a more significant way those machines, machines in a data center that serve a very specific purpose on mission-critical systems, that's a fantastic application for something like this.

Finding malware today is like finding needles in a haystack. We can get rid of most of the hay that's not needed for the application to run and for those services to be delivered. And if you get rid of most of the hay, it's harder to slip the needle in there in the first place.

So other security products won't be pushed out of VMware environments?

What you'll see is most of the major endpoint security vendors partnering with us. You'll see a bunch at VMworld doing integrations.

We can give them our visibility about applications, what it was supposed to be and what it is, the ability to leverage the virtual infrastructure for incident response, something that will monitor their endpoint presence. We can watch their backs, and they can bring to the table their expertise about detecting bad, and now, with that context, they can do a more effective job with detection.

Is this a new approach to implementing security?

Some of the concepts are not new. We've certainly had whitelisting before. But what has been whitelisted has tended to be processes that have been approved. The problem we always had with that model is it's very brittle.

Because people increasingly are using solutions like Puppet and Chef and Ansible and Maven and Jenkins, etc., it means application teams are starting to document intent. And that becomes incredibly powerful. The fact that organizations overwhelmingly possess virtual infrastructure, it means some of the other pieces, automation, ability to create a protected zone, to watch over the control, suddenly those things are possible.

So it's not a new concept to do some form of application whitelisting. But it is a very different take on it that has been made possible by a few things that have bubbled up.