Contributed by: Mike Gluck, CTO, Sanity Solutions on October 31, 2017.

In my October 23rd blog, “Security or Insecurity? That is the question” I highlighted a very scary and disheartening trend of spending more and getting less.

Despite spending more on security (21% of IT spend in 2015 vs. 11% in 2012), the estimated industry losses last year of $445 billion exceeded the $80 billion spent on security defenses in 2016 – more than 5 times as much! Underfunding security is not the problem, since throwing money at it is not working. Instead, the problem lies in the fundamental approach to security and the strategies we employ today.

We need to “think differently.” My previous blog covered how Darktrace is currently leading the way with a novel approach for Core Infrastructure Protection.

Today, I want to highlight VMware’s AppDefense as an innovative and game-changing approach to application and endpoint protection. VMware introduced AppDefense at VMworld in August and turned the traditional approach to security on its head. Instead of focusing on “chasing bad,” VMware’s new approach is to focus on validating good (i.e. intended) behavior.

Traditional legacy signature-based approaches to protecting applications, such as antivirus software, check threat intelligence databases for known threats and malware signatures. Their drawback is that they miss threats that are unknown to them, such as zero-day threats for which there is no signature to match.

In recent years, behavioral analysis and machine learning approaches have become more prominent to address the problem of identifying these unknown threats. They use machine learning and artificial intelligence to distinguish threats from normal behavior by aggregating data, typically from a Security Information and Event Management (SIEM) solution. While these solutions are a giant step forward, their main drawback to date has been a high number of false positives: they take in so much data from so many different corners of the environment that it is incredibly difficult for them to detect threats accurately.

Other approaches include application whitelisting and blacklisting, both of which suffer from heavy manual involvement by IT in keeping the lists current and/or extreme user dissatisfaction when a slightly changed workflow or application is blocked until it is re-whitelisted. What IT professionals need is a more automated, secure approach.

So why and how can VMware, a virtualization company, solve the problems mentioned above? Virtualization provides a layer between the physical infrastructure and the applications. The code name for AppDefense was “Goldilocks,” because the virtualization layer is “just right” as a location for understanding and controlling applications while still remaining isolated from the attack surface.

VMware cites 3 key advantages for embedding security intelligence in the virtualization layer:

  1. Deep visibility and contextual understanding of applications to determine their intended state
  2. The ability to automate responses to detected threats
  3. Isolation from the attack surface so that AppDefense itself is protected

The deep visibility and a contextual understanding of the application arises because AppDefense knows which processes and services should be running on the OS and in the application, which ports they should be communicating on, etc. This automated collection of the intended state of the application is key to AppDefense’s ability to reliably detect threats. In the diagram below, steps 1 and 2 show how AppDefense is creating, in effect, an application “birth certificate.”

But just like humans grow and evolve, so do application workflows. AppDefense can automatically keep track of these life cycle changes as noted in steps 3 and 4.

Just as important as automating the definition of “known good” and keeping it current is automated detection and response. AppDefense, from its position in the hypervisor, is uniquely suited to compare the intended state against the run-time state in real time and to detect deviations.

Depending on the nature of the identified threat, AppDefense can leverage vSphere and NSX to take any number of automated actions. AppDefense can:

  • Block a process from executing or communicating on the network
  • Quarantine a compromised endpoint using the NSX Distributed Firewall
  • Snapshot and suspend the running VM for forensic analysis
  • Shut down the VM

Furthermore, the hypervisor provides a protected environment from which AppDefense can monitor endpoints and orchestrate responses to threats.
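The intended-state approach sketched in the diagram steps and the response list above, as an added illustration that is not AppDefense code: the manifest layout, the sample process/port inventories and the mapping from deviation type to response are all assumptions constructed for this example.

```python
# Illustration only (not AppDefense's implementation): intended state is
# modelled as a set of (process name, listening port) pairs; port 0 means
# the process opens no network port. Sample data below is constructed.
from typing import FrozenSet, List, Set, Tuple

Behavior = Tuple[str, int]

def learn_manifest(snapshots: List[Set[Behavior]]) -> FrozenSet[Behavior]:
    """Steps 1-2: the "birth certificate" is the union of behaviors
    observed during the learning window."""
    manifest: Set[Behavior] = set()
    for snap in snapshots:
        manifest |= snap
    return frozenset(manifest)

def approve_change(manifest: FrozenSet[Behavior], change: Set[Behavior]) -> FrozenSet[Behavior]:
    """Steps 3-4: an approved life-cycle change extends known good."""
    return manifest | change

def detect_deviations(manifest: FrozenSet[Behavior], runtime: Set[Behavior]) -> List[Behavior]:
    """No signatures involved: anything running that is not in the
    intended state is a deviation, even if it has never been seen before."""
    return sorted(runtime - manifest)

def choose_response(manifest: FrozenSet[Behavior], dev: Behavior) -> str:
    """Map a deviation to one of the automated actions listed above
    (this particular mapping is an assumption for the example)."""
    process, port = dev
    if any(p == process for p, _ in manifest):
        return "block-network"        # known binary on an unexpected port
    if port:
        return "quarantine-endpoint"  # unknown listener: isolate via DFW
    return "block-process"            # unknown process, no network port

# Constructed learning snapshots of a web tier (steps 1-2).
LEARNING = [{("httpd", 443), ("sshd", 22), ("cron", 0)},
            {("httpd", 443), ("sshd", 22), ("logrotate", 0)}]
MANIFEST = learn_manifest(LEARNING)
# Constructed approved release adding a metrics exporter (steps 3-4).
MANIFEST_V2 = approve_change(MANIFEST, {("node_exporter", 9100)})
# Constructed run-time snapshot containing three unexpected behaviors.
RUNTIME = {("httpd", 443), ("sshd", 22), ("node_exporter", 9100),
           ("httpd", 4444), ("unknown_tool", 31337), ("unexpected_bin", 0)}

def report(manifest=MANIFEST_V2, runtime=RUNTIME) -> List[Tuple[Behavior, str]]:
    """Deviations paired with the automated response each would trigger."""
    return [(d, choose_response(manifest, d)) for d in detect_deviations(manifest, runtime)]
```

Running `report()` on the constructed data flags the known web server on an unexpected port, an unknown network listener and an unknown non-network process, each with a different response tier.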

AppDefense is also very affordable at only $500 per socket. While it is not dependent on NSX, the range of automated responses will be significantly more robust with NSX. VMware is also providing APIs and aggressively developing an ecosystem of partners, such as AV and firewall vendors, that will leverage those APIs, similar to what VMware did for backup and storage array vendors.

Therefore, on Halloween, AppDefense customers can avoid the scary “tricks” of the hackers and criminals that are lurking about, and enjoy the “treat” of being able to relax and know that the company’s applications are running securely and safely.

If you want more information on VMware’s AppDefense, let us know at info@sanitysolutions.com.