VMware advances application security with AppDefense

VMware's AppDefense combines least privilege with automation, orchestration and machine learning to help improve application security.

VMware advances application security

This week at VMworld, VMware announced market availability of a new security technology called AppDefense. AppDefense is an application-layer security control designed to profile applications, determine “normal” behavior and then provide a series of least privilege controls for applications and options for security incident remediation.

Now, in some respects, AppDefense is a lot like application whitelisting/blacklisting, which can be very effective for limiting the attack surface, but the historical problem with application controls is operational overhead. If you want to implement whitelisting, you have to know what workloads are running and what they are allowed to do, and then implement controls to restrict unanticipated application behavior. This can become quite cumbersome when servers run multiple applications with dynamic development cycles and changing behavior. 

What VMware has done with AppDefense is marry application controls to machine learning in order to automate the whole enchilada. AppDefense discovers all the applications, monitors their behavior and then creates a manifest of known behavior for each application.

Armed with this knowledge, the cybersecurity team can build rules and processes that are triggered when application behavior suddenly goes haywire. Potential actions could include coordination with application development and DevOps teams to see if new application components were added, quarantining applications using NSX, or even sharing AppDefense telemetry with SIEM or EDR solutions for more thorough analysis.
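To make the profile-then-enforce idea concrete, here is an added illustration (not VMware's code, and not how AppDefense is implemented internally) of the general pattern the article describes: a learning phase builds a per-process manifest of observed behavior, an enforcement phase flags events that fall outside that manifest, and a triage step lets an operator accept a legitimate new component into the baseline. The event records, process names and addresses are constructed sample data.

```python
"""Toy behavioral baseline in the spirit of the article's description.

Added example, not VMware's code. Events are constructed tuples of
(process, action, target); a real system would collect them from the
hypervisor or an agent.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, str, str]
Manifest = Dict[str, Dict[str, Set[str]]]

# Constructed learning-phase events: what the workloads normally do.
LEARNING_EVENTS: List[Event] = [
    ("nginx", "connect", "10.0.0.5:8080"),
    ("nginx", "connect", "10.0.0.6:8080"),
    ("nginx", "spawn", "nginx"),
    ("app-server", "connect", "10.0.1.10:5432"),
    ("app-server", "file_write", "/var/log/app/app.log"),
]

# Constructed enforcement-phase events, some inside and some outside the baseline.
SUSPECT_EVENTS: List[Event] = [
    ("nginx", "connect", "10.0.0.5:8080"),               # in baseline
    ("nginx", "spawn", "/bin/sh"),                        # unexpected child process
    ("app-server", "connect", "203.0.113.7:443"),         # unexpected destination
    ("app-server", "file_write", "/var/log/app/app.log"), # in baseline
    ("backup-agent", "file_read", "/var/lib/app/db"),     # process never seen in learning
]


def build_manifest(events: List[Event]) -> Manifest:
    """Learning phase: record every (process, action, target) seen as 'normal'."""
    manifest: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for process, action, target in events:
        manifest[process][action].add(target)
    # Freeze the defaultdicts so lookups later do not silently grow the baseline.
    return {process: dict(actions) for process, actions in manifest.items()}


def check_event(manifest: Manifest, event: Event) -> Optional[str]:
    """Enforcement: return a reason string if the event deviates, else None."""
    process, action, target = event
    if process not in manifest:
        return "unknown process"
    allowed = manifest[process].get(action)
    if allowed is None:
        return f"new action '{action}' for {process}"
    if target not in allowed:
        return f"{action} to unexpected target {target}"
    return None


def enforce(manifest: Manifest, events: List[Event]) -> List[Tuple[Event, str]]:
    """Run every event through the manifest; collect the deviations with reasons."""
    findings = []
    for event in events:
        reason = check_event(manifest, event)
        if reason is not None:
            findings.append((event, reason))
    return findings


def accept(manifest: Manifest, event: Event) -> Manifest:
    """Triage: after the dev/DevOps team confirms a finding is a legitimate new
    component, fold it into the baseline so it no longer alerts."""
    process, action, target = event
    manifest.setdefault(process, {}).setdefault(action, set()).add(target)
    return manifest


if __name__ == "__main__":
    baseline = build_manifest(LEARNING_EVENTS)
    for event, reason in enforce(baseline, SUSPECT_EVENTS):
        print(f"DEVIATION {event}: {reason}")
```

The findings list is what would be handed to a SIEM or EDR tool, or fed into a quarantine rule; `accept` models the coordination step with development teams, where a flagged event turns out to be a newly deployed component rather than an intrusion.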

How VMware's AppDefense improves application security

AppDefense isn’t a revolutionary way to do things, but it certainly has the potential to help CISOs really improve application security, as these features illustrate:

1. AppDefense's automation and machine learning trumps manual product deployment and customization. In case anyone forgot, we are in the midst of a global cybersecurity skills shortage. According to ESG research, 45% of organizations have a “problematic” shortage of cybersecurity skills today. CISOs know that decreasing the attack surface is synonymous with risk reduction, but many organizations don’t have the resources to assess, plan, deploy and operate application controls. As previously stated, AppDefense applies machine learning algorithms to alleviate this operational burden while delivering the risk-mitigating goodness of least privilege.

2. AppDefense brings security closer to application development. Security teams have always looked at security from the infrastructure up to the application, but that purview is no longer appropriate in an IT environment driven by agile development, DevOps, containers and cloud computing. By viewing security at the application layer, AppDefense can help CISOs align rapid application development/deployment with strong security.

3. AppDefense suits organizations with varying security and incident response skill sets. Far from a one-size-fits-all product, AppDefense can be used by different organizations in different ways. For example, mature organizations will capitalize on greater application visibility by sending AppDefense telemetry to other security analytics tools for further investigation. Leading-edge security teams can also bake AppDefense into application deployment workflows to coordinate with automation/orchestration DevOps tools such as Chef, Kubernetes and Puppet. Those firms with fewer security resources and skills can simply maintain least privilege by blocking anomalous behavior as it occurs.

4. AppDefense is built for integration. It’s worth mentioning that Carbon Black and IBM announced AppDefense integration partnerships at VMworld this week. Look for more security analytics partners soon. And with AppDefense’s built-in security controls, look for VMware to partner with security operations automation/orchestration tools, such as Demisto, Komand, Phantom, ServiceNow, Siemplify, Swimlane, etc., to automate incident response runbooks.   

VMware has some work ahead. AppDefense will likely take a while to gain broad market penetration while organizations figure out how to use it, where to deploy it, and what other application/compute-based security tools are needed to complement it. That means VMware must invest in market, channel, and partner education programs, create use case templates, and work with partners on reference architectures. If VMware can execute on these programs, AppDefense’s strong value proposition should drive adoption with enterprise customers. 

NSX is already a $1 billion-plus firewall business, while AppDefense should be quite successful on its own. VMware isn’t generally perceived as an infosec vendor, but based upon its performance and innovation, it may be high time for cybersecurity professionals to rethink this perception.

Copyright © 2017 IDG Communications, Inc.
