VMware AppDefense is a data center security service designed to protect virtualized applications running in an enterprise data center in order to improve the protection and threat response performance of an enterprise security operations center (SOC).
What AppDefense does
As a VMware security product, AppDefense provides four principal functions: application control, process analysis, anomaly detection and response, and remediation.
AppDefense provides application control by establishing a "known good" or "intended" state for each application or virtual machine (VM) in the data center. The intended state also defines a set of allowed behaviors that the application performs normally. The intended state is derived from analyzing normal application behaviors, and can even take state definitions from platforms such as Puppet.
Once AppDefense has established the known state and allowed behaviors for the application, it constantly monitors the application, analyzing its activity and looking for behaviors that could be deemed suspicious. For example, if an application usually receives traffic on one port, an attempt to communicate on a different port can signal an anomaly that might indicate a threat or attack.
If an anomalous event occurs and the application's behaviors deviate from the known state, AppDefense is able to respond to potential threats by reporting/alerting, isolating the application, or shutting it down completely. AppDefense includes an orchestration capability that can remediate threats in real-time with no administrator oversight.
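The intended-state model described above, as an added illustration that is not VMware's code: a baseline of allowed process/port behaviors is learned, later observations are compared against it, and deviations are mapped to the alert, isolate or suspend responses the text names. The escalation thresholds and the sample workload are constructed for the example.

```python
# Added illustration of intended-state application control; not VMware AppDefense code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Behavior:
    """One allowed behavior of a workload: a named process using a port."""
    process: str
    direction: str   # "in" = receives traffic on the port, "out" = connects to it
    port: int

def learn_intended_state(observations):
    """Build the 'known good' set from behaviors seen during normal operation."""
    return frozenset(observations)

def find_deviations(intended, observed):
    """Return distinct observed behaviors that are absent from the intended state,
    in the order first seen (repeat occurrences are collapsed)."""
    return list(dict.fromkeys(b for b in observed if b not in intended))

def choose_response(deviations):
    """Map the number of distinct deviations to a response.
    Constructed policy for illustration: one unexpected behavior raises an alert,
    a few isolate the workload, more than three suspend it."""
    count = len(deviations)
    if count == 0:
        return "none"
    if count == 1:
        return "alert"
    if count <= 3:
        return "isolate"
    return "suspend"

# Constructed sample: a web VM whose httpd normally serves 443 and talks to a
# database on 5432, with sshd listening on 22.
BASELINE = [Behavior("httpd", "in", 443), Behavior("httpd", "out", 5432),
            Behavior("sshd", "in", 22)]
# Later observation: httpd starts connecting to a port never seen in the baseline.
OBSERVED = [Behavior("httpd", "in", 443), Behavior("httpd", "out", 5432),
            Behavior("httpd", "out", 8081), Behavior("httpd", "out", 8081)]

def evaluate(baseline, observed):
    """Learn the intended state from the baseline and evaluate new observations."""
    intended = learn_intended_state(baseline)
    deviations = find_deviations(intended, observed)
    return deviations, choose_response(deviations)

if __name__ == "__main__":
    print(evaluate(BASELINE, OBSERVED))
```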
Important AppDefense features
AppDefense utilizes VMware vSphere and VMware NSX technologies. vSphere provides the virtualization layer, which offers complete isolation between applications. VMware NSX handles the network virtualization and isolation. Taken together, vSphere and NSX provide the platform needed to completely isolate each application from other workloads and underlying system components. AppDefense offers an additional layer used to establish the "normal" operating behaviors for each isolated application, and can take varied responses when an application deviates from its "normal" behaviors. Since AppDefense sits between the hypervisor and NSX, it should be immune from attack or compromise -- even when a workload itself is compromised.
When AppDefense detects a threat, it can use vSphere and NSX to automatically take action. For example, AppDefense can block the communications involved in a potentially compromised program or process. AppDefense can take a snapshot of the questionable workload for later analysis or recreation of the suspicious behavior. And AppDefense can either suspend or shut down a workload entirely in order to prevent further malicious behavior or possible propagation of the problem to other workloads. AppDefense produces alarms that can inform administrators about the threat, and any actions taken to isolate or correct it.
AppDefense operates with a high degree of autonomy, eliminating much of the manual log parsing and investigation that normally accompanies data center threats. The goal is to provide faster and more holistic assessments of the environment.
AppDefense has few direct competitors. One similar product, Bromium, employs a specially crafted Xen-based hypervisor to create small VMs for every processing task performed on unknown or unvetted information, such as opening a document file or launching a web page. Bromium isolates tasks and protects the host system as well as the network. Bromium also enforces least privilege so that tasks can only access the minimum resources needed to accomplish the task. When the task is finished or closed, Bromium discards the VM created for that task, along with any malware introduced to the task.
But AppDefense occupies a unique niche in the enterprise security realm, and it is quickly appearing alongside other major security platforms as a complementary tool or integration. For example:
- AppDefense is expected to integrate with IBM's QRadar security analytics platform;
- RSA NetWitness Suite should interoperate with AppDefense;
- AppDefense will take advantage of Carbon Black's reputation service to improve security;
- New offerings in the SecureWorks Cloud Guardian portfolio should use AppDefense to help detect, isolate and respond to threats;
- Puppet Enterprise is expected to integrate with AppDefense for stronger security and malicious threat detection.
Additional third-party integrations are likely into the future, though some vendors may wait until AppDefense is more proven and mature.
AppDefense release and pricing
VMware announced U.S. general availability (GA) for AppDefense at VMworld 2017 on 28 August 2017 for customers using VMware vSphere 6.5. As a software as a service (SaaS) offering, VMware AppDefense pricing is listed at USD $500 per CPU per year.