This week at VMworld, VMware announced market availability of a new security technology called AppDefense. AppDefense is an application-layer security control designed to profile applications, determine “normal” behavior, and then provide a series of least privilege controls for applications and options for security incident remediation.
Now in some respects, AppDefense is a lot like application whitelisting/blacklisting, which can be very effective for limiting the attack surface, but the historical problem with application controls is operational overhead. If you want to implement whitelisting, you have to know what workloads are running and whether they are allowed to run, and then implement controls to restrict unanticipated application behavior. This becomes quite cumbersome when servers run multiple applications with dynamic development cycles and changing behavior.
What VMware has done with AppDefense is marry application controls to machine learning in order to automate the whole enchilada. AppDefense discovers all the applications, monitors their behavior, and then creates a manifest of known behavior for each application. Armed with this knowledge, the cybersecurity team can build rules and processes that are triggered when application behavior suddenly goes haywire. Potential actions could include coordination with application development and DevOps teams to see if new application components were added, quarantining applications using NSX, or even sharing AppDefense telemetry with SIEM or EDR solutions for more thorough analysis.
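To make the learn-then-enforce loop described above concrete, here is an added example (not VMware's code, and not AppDefense's actual data model): it builds a per-host, per-process manifest of observed behavior from a constructed learning window of telemetry, then flags later events that fall outside that manifest and maps each to one of the response options mentioned above. The event format, field names and the alert/quarantine policy are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not real AppDefense output). One event per
# line: phase,host,process,action,target. "learn" events build the manifest;
# "protect" events are checked against it.
TELEMETRY = """\
learn,web01,nginx,connect,10.0.2.15:8080
learn,web01,nginx,connect,10.0.2.16:8080
learn,web01,nginx,exec,/usr/sbin/nginx
learn,app01,java,connect,10.0.3.20:5432
learn,app01,java,exec,/usr/bin/java
protect,web01,nginx,connect,10.0.2.15:8080
protect,web01,nginx,connect,203.0.113.9:443
protect,app01,java,exec,/bin/sh
protect,app01,java,connect,10.0.3.20:5432
"""

# Example response policy (an assumption): an unexpected child process is
# quarantined, an unexpected network peer only raises an alert for the SIEM.
RESPONSE_POLICY = {"exec": "quarantine", "connect": "alert"}

def parse_events(text):
    """Turn the CSV-style telemetry into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        phase, host, process, action, target = line.split(",", 4)
        events.append({"phase": phase, "host": host, "process": process,
                       "action": action, "target": target})
    return events

def build_manifest(events):
    """Learning phase: record every (action, target) seen per (host, process)."""
    manifest = defaultdict(set)
    for e in events:
        if e["phase"] == "learn":
            manifest[(e["host"], e["process"])].add((e["action"], e["target"]))
    return manifest

def enforce(events, manifest):
    """Protect phase: return (host, process, action, target, response) for
    every event that is not in the learned manifest."""
    findings = []
    for e in events:
        if e["phase"] != "protect":
            continue
        allowed = manifest.get((e["host"], e["process"]), set())
        if (e["action"], e["target"]) not in allowed:
            response = RESPONSE_POLICY.get(e["action"], "alert")
            findings.append((e["host"], e["process"], e["action"],
                             e["target"], response))
    return findings

if __name__ == "__main__":
    evs = parse_events(TELEMETRY)
    for finding in enforce(evs, build_manifest(evs)):
        print(finding)
```

Run as a script it prints the two deviations in the constructed data: the nginx connection to an unknown peer (alert) and the java process spawning a shell (quarantine).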
AppDefense isn’t a revolutionary way to do things but it certainly has the potential to help CISOs really improve application security because:
- Automation and machine learning trump manual product deployment and customization. In case anyone forgot, we are in the midst of a global cybersecurity skills shortage. According to ESG research, 45% of organizations have a “problematic” shortage of cybersecurity skills today. CISOs know that decreasing the attack surface is synonymous with risk reduction, but many organizations don’t have the resources to assess, plan, deploy, and operate application controls. As previously stated, AppDefense applies machine learning algorithms to alleviate this operational burden while delivering the risk-mitigating goodness of least privilege.
- AppDefense brings security closer to application development. Security teams have always looked at security from the infrastructure up to the application, but that purview is no longer appropriate in an IT environment driven by agile development, DevOps, containers, and cloud computing. By viewing security at the application layer, AppDefense can help CISOs align rapid application development/deployment with strong security.
- AppDefense suits organizations with varying security and incident response skill sets. Far from a one-size-fits-all product, AppDefense can be used by different organizations in different ways. For example, mature organizations will capitalize on greater application visibility by sending AppDefense telemetry to other security analytics tools for further investigation. Leading-edge security teams can also bake AppDefense into application deployment workflows to coordinate with automation/orchestration DevOps tools like Chef, Kubernetes, and Puppet. Those firms with fewer security resources and skills can simply maintain least privilege by blocking anomalous behavior as it occurs.
- AppDefense is built for integration. It’s worth mentioning that Carbon Black and IBM announced AppDefense integration partnerships at VMworld this week. Look for more security analytics partners soon. And with AppDefense’s built-in security controls, look for VMware to partner with security operations automation/orchestration tools like Demisto, Komand, Phantom, ServiceNow, Siemplify, Swimlane, etc. to automate incident response runbooks.
VMware has some work ahead. AppDefense will likely take a while to gain broad market penetration as organizations figure out how to use it, where to deploy it, and what other application/compute-based security tools are needed to complement it. This means that VMware must invest in market, channel, and partner education programs, create use case templates, and work with partners on reference architectures. If VMware can execute on these programs, AppDefense’s strong value proposition should drive adoption with enterprise customers.
NSX is already a $1 billion+ firewall business, and AppDefense should be quite successful on its own. VMware isn’t generally perceived as an infosec vendor, but based on its performance and innovation, it may be high time for cybersecurity professionals to re-think this perception.