TheSaffaGeek

My ramblings about all things technical


3 Comments

VMware AppDefense Announced at #VMworld US

At todays VMworld US there are a number of announcements coming out but one of the big ones in my opinion is the announcement of VMware AppDefense.

AppDefense provides an number of features, notably:

  • Application Control: Comprehensive view/grouping of VMs in the datacenter, their intended state and allowed behaviour
  • Runtime anomaly detection and response: Monitor the real time state of the OS and user applications – alert and control process, network, and kernel events
  • Process Analysis: Built-in process analysis engine gives overall process maliciousness as well as specific traits that are potentially suspicious
  • Orchestrate Remediation: Our infrastructure reach provides a more effective way to orchestrate remediation during a security incident

image

Application Scope

  • Security Team View of Intended Application State
  • Security-team owned viewpoint of application infrastructure
  • Provides a lens to evaluate runtime behaviour against known good
  • An abstraction to validate and audit the placement of security policy

image

 

Attesting Runtime Behaviour

  • Writing Rules to Inspect Validate Endpoint Processes and Network Connectivity
  • Enforce behaviour by blocking activity or audit/alerting
  • Evaluate a number of endpoint events from a trusted location:
    • Process network activity (inbound/outbound)
    • Process activity
    • OS Kernel
    • Virtual Enclave

image

 

Built-In Process Analysis

  • Deep Level In-Memory Analysis of Process Capability to Provide Detail on Anomalies
  • Evaluate the in-memory state of a process before/after anomalies are recognized
  • Does not rely on signatures or hashes at all
  • Provides overall risk score and individual traits within the process

image

 

Orchestrating Remediation

  • Blocking Behaviour or Responding on Alarms Through Virtual Infrastructure
  • Each rule can be associated with a recommended remediation workflow
  • Alerts integrate with standard SIEM tools and other notification methods
  • Enforcement can be automated or manual
  • Leverages the mutability of the virtual infrastructure (ESX layer and NSX security policy)

image

AppDefense Architecture

image

 

Iā€™m really looking forward to learning more about AppDefense and seeing how it can fit my customers needs.

Gregg

Advertisements