I was completely immersed when they announced AppDefense. I had to dig in and find out more. This is an overview of what I have found so far.
AppDefense is designed to protect your virtual and cloud-based applications. Traditional security is network-centric. In the past, on VMware infrastructure you had to run NSX to do micro-segmentation and then use its Guest Introspection driver so that third-party security tools could do anti-malware, intrusion prevention, web reputation, log inspection, and integrity monitoring. Don't get me wrong, this works well. But it only works after the fact, and it is not a holistic approach; there are gaps. Where NSX gave you micro-segmentation, a least-privilege network, AppDefense now gives you the ability to apply the same least-privilege model to the application itself. This is where AppDefense fits in. AppDefense is a SaaS offering from VMware on AWS. It can be deployed either in conjunction with NSX or on its own. I would highly suggest you install them side by side, since you cannot stop end users from clicking on malicious emails.
AppDefense takes a three-phase approach: Capture, Detect and Respond.
The Capture process in AppDefense is handled by an engine that looks directly into vCenter to discover the inventory. It also ties into your provisioning systems and learns from the ESX host what each VM is doing. It starts learning the applications and what they do. At this point you have a general understanding of what the application is, with some good data points. But that is not all; this is the great part. When you set an application owner, the security team can ask that owner specifically what the application is doing and why, based on the metrics being observed. This decreases the time to market for an application and gives a true sense of what the application is doing.
The Detect phase in AppDefense uses a protected layer built on the hosts' monitoring points. It compares what the applications are made of, what they do and what they need to talk to against known manifests. It then watches for a change in the operating system, in processes, in how processes talk to each other, and in how one VM talks to another VM.
The Respond part of AppDefense is the true power of the system. This is where you automate the response to a detection. You can use ESX to suspend a VM or revert it from a snapshot. With NSX you can do the fun stuff: block network traffic, run a packet capture, or use Guest Introspection to leverage third-party tools such as Deep Security Manager from Trend Micro to kick off scans or log analysis, quarantine the machine and, once it is found clean, throw it back into production.
During a session I could see this work, more or less, in a “live” demo, and that sold me on the product. They could stop an application exploit that uses the application's own standard operations. For instance, an exploit against a web server over port 443 that gains remote shell access on port 443. Because these are normal port 443 actions, a conventional firewall or IDS would not have caught this behavior unless it had some analytics of what the application normally does, and most systems today do not. I may be a bit naive about some of the other products out there, but for VMware to step into this market and bring the security approach down to the application layer is a great move.
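To make the Detect idea concrete, here is an added illustration (my own sketch, not AppDefense's code or data format) of comparing observed VM behaviour against a learned manifest. The manifest, the event model, the VM names and the sample events are all hypothetical; the last two events model the demo scenario above, where a web server process starts doing things that its manifest never allowed.

```python
from dataclasses import dataclass, field

@dataclass
class Manifest:
    # Allowed behaviour learned for one VM during the Capture phase (hypothetical model)
    vm: str
    processes: set = field(default_factory=set)   # executables allowed to run
    spawns: set = field(default_factory=set)      # allowed (parent, child) pairs
    flows: set = field(default_factory=set)       # allowed (process, peer_vm, port)

@dataclass
class Event:
    # One behaviour observed from the host; kind is "exec", "spawn" or "connect"
    vm: str
    kind: str
    process: str
    child: str = ""
    peer: str = ""
    port: int = 0

def detect(manifest, events):
    # Return one alert per observed event that the manifest does not allow
    alerts = []
    for e in events:
        if e.vm != manifest.vm:
            continue
        if e.kind == "exec" and e.process not in manifest.processes:
            alerts.append(f"{e.vm}: unexpected process {e.process}")
        elif e.kind == "spawn" and (e.process, e.child) not in manifest.spawns:
            alerts.append(f"{e.vm}: {e.process} spawned {e.child}")
        elif e.kind == "connect" and (e.process, e.peer, e.port) not in manifest.flows:
            alerts.append(f"{e.vm}: {e.process} -> {e.peer}:{e.port} not in manifest")
    return alerts

# Constructed sample: web01's manifest lets httpd run, fork worker httpd
# processes and reach the database VM on 3306, nothing else
WEB_MANIFEST = Manifest("web01", {"httpd"}, {("httpd", "httpd")}, {("httpd", "db01", 3306)})

# Constructed events: normal service behaviour, then the scenario from the post,
# where an exploit delivered over the legitimate 443 service makes httpd spawn a
# shell that then reaches for another VM
SAMPLE_EVENTS = [
    Event("web01", "spawn", "httpd", child="httpd"),
    Event("web01", "connect", "httpd", peer="db01", port=3306),
    Event("web01", "spawn", "httpd", child="/bin/sh"),
    Event("web01", "connect", "/bin/sh", peer="db01", port=3306),
]
```

Running `detect(WEB_MANIFEST, SAMPLE_EVENTS)` flags only the last two events; the normal worker fork and the database flow are silent because the manifest allows them, which is the point of learning the baseline first.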
It might be a bit of a hurdle to get the security teams of the world to use it, but I think once they see the value it offers and the time savings it brings in putting an application to market, all will be happy.
I am not sure yet what this product costs, but I would be interested to find out. I have heard rumors that it may be priced per CPU. If that is the case it can become expensive quickly. So be on the lookout for more on this as more documentation is released.
More info: please check out the following.