

VMware AppDefense application monitoring system enhances security

The new VMware AppDefense application monitoring system takes a baseline of an application's behavior and uses it to identify behavior patterns that are out of the ordinary.

Formerly known as Project Goldilocks, VMware AppDefense is a new application monitoring system that uses the VMware hypervisor to enhance security in a unique and unprecedented way. In order to really appreciate AppDefense, however, you need to know a little bit about the VMware cloud.

As you probably know, VMware partnered with Amazon last year, which led to the creation of VMware Cloud on Amazon Web Services (AWS). This partnership makes VMware's software-defined data center available through the AWS cloud. This not only makes it possible for VMware administrators to run workloads in the cloud but also to manage those workloads with the same exact tools and techniques they use to manage workloads on premises. AppDefense builds on this partnership even further, as it is a VMware SaaS hosted through the AWS cloud.

So, what is AppDefense? As its name implies, AppDefense is a cloud service that uses the VMware hypervisor in a way that helps keep applications secure.

While it might be tempting to dismiss AppDefense as yet another application firewall, this isn't the case. Application firewalls are commonly used to protect web applications by monitoring the packets flowing into and out of web application servers. Although AppDefense does perform protocol monitoring, there are major differences between a typical application firewall and AppDefense. Rather than simply scanning packets in an effort to detect malicious activity the way a typical application firewall would, AppDefense uses heuristics to spot malicious activity.

AppDefense takes a baseline of an application's behavior while that application is in a known good and healthy state. In other words, AppDefense learns what types of behavior patterns are normal for the application.

Once AppDefense learns what's normal for an application, it continuously monitors the application, looking for behavior patterns that are out of the ordinary. It's worth noting, however, that the AppDefense application monitoring system does not make use of attack signatures, malware hashes or anything like that. Instead, the mechanism that identifies suspicious activity behaves much like a spam filter.


Although some early spam filtering tools attempted to use message hashes to identify spam, spammers quickly realized that they could easily circumvent hash-based filters by simply adding a random character string to the message. Since hash-based filtering proved unreliable, some of the antispam vendors developed probability-based filters. When an email message is received, the spam filter looks at the message's characteristics rather than its contents to determine whether the message is spam. For instance, such a filter might consider who sent the message, the IP address where the message originated and the links contained within the message.

The AppDefense application monitoring system uses a similar method to identify potentially malicious activity within processes running on VMs. If, for example, an application attempts to transmit data, AppDefense might look at the transmission to see what it contains, where it's going, how large the transmission is and so on. At present, VMware has yet to disclose all of AppDefense's evaluation criteria.

As AppDefense scrutinizes an action, it calculates a numerical score for that action. VMware refers to this score as a risk score. A low risk score would typically reflect benign activity that fits in with the expected behavior patterns for the application. On the other hand, a high risk score might be an indicator of malicious activity. When AppDefense detects a high-risk action, it can block the activity and alert the administrator to the problem.
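The baseline-then-score approach described above, as an added illustration that is not VMware's code and does not reflect AppDefense's actual (undisclosed) evaluation criteria: constructed network events from a VM in a known-good state form the baseline, and each later action receives a heuristic risk score that maps to allow, alert or block. The feature weights and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events observed while the VM's app was in a known-good state.
BASELINE_EVENTS = [
    {"proc": "webapp", "dest": "10.0.0.5", "port": 5432, "bytes": 2000},
    {"proc": "webapp", "dest": "10.0.0.5", "port": 5432, "bytes": 2400},
    {"proc": "webapp", "dest": "10.0.0.9", "port": 443, "bytes": 1500},
    {"proc": "webapp", "dest": "10.0.0.9", "port": 443, "bytes": 1800},
    {"proc": "cron", "dest": "10.0.0.7", "port": 22, "bytes": 300},
]

# Assumed weights and thresholds; AppDefense's real criteria are not public.
UNKNOWN_PROCESS, UNKNOWN_FLOW, LARGE_TRANSFER_MAX = 50, 40, 40
ALERT_THRESHOLD, BLOCK_THRESHOLD = 40, 70

def learn_baseline(events):
    """Learn which (process, destination, port) flows are normal and the
    typical transfer size of each process."""
    baseline = {"flows": set(), "sizes": defaultdict(list)}
    for e in events:
        baseline["flows"].add((e["proc"], e["dest"], e["port"]))
        baseline["sizes"][e["proc"]].append(e["bytes"])
    return baseline

def risk_score(baseline, event):
    """Score an action 0-100: each characteristic that departs from the
    baseline adds weight, much as a probabilistic spam filter works."""
    score = 0
    known_procs = {proc for proc, _, _ in baseline["flows"]}
    if event["proc"] not in known_procs:
        score += UNKNOWN_PROCESS  # process never seen during baselining
    elif (event["proc"], event["dest"], event["port"]) not in baseline["flows"]:
        score += UNKNOWN_FLOW  # known process talking to a new place
    sizes = baseline["sizes"].get(event["proc"])
    if sizes:
        mu, sigma = mean(sizes), pstdev(sizes) or 1.0
        z = (event["bytes"] - mu) / sigma
        if z > 3:  # far above the process's usual transfer size
            score += min(LARGE_TRANSFER_MAX, int(z * 5))
    return min(score, 100)

def decide(baseline, event):
    # Map the risk score to the action the monitor takes.
    score = risk_score(baseline, event)
    if score >= BLOCK_THRESHOLD:
        return "block", score
    if score >= ALERT_THRESHOLD:
        return "alert", score
    return "allow", score
```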

This, of course, raises the question: What's to stop an attacker from tampering with AppDefense and then attacking a monitored VM? AppDefense monitoring is based on the use of agents, and because these agents are aware of the underlying hypervisor, the agent is able to use a secure context store to prevent unauthorized access to the agent and the data it uses.

VMware's new AppDefense application monitoring system promises to greatly improve application-level security by combining port monitoring with intelligent behavior analytics. VMware could conceivably further enhance these capabilities in the future through the use of deep machine learning.
