Two years ago, VMware first began talking about the concept of the “Goldilocks Zone,” where the virtualization hypervisor sits at the ideal location in the network to improve enterprise security. At the VMworld event today in Las Vegas, VMware announced that its Project Goldilocks vision is at long last becoming generally available, under the product name AppDefense.
AppDefense aims to provide an intent-based security capability that is able to detect and block malicious actions and applications. The AppDefense system understands and learns what is a known good process and is also able to determine when the runtime behavior of an application deviates from its intended state.
“AppDefense has occupied my life for the last two years, and what it’s basically doing is providing least privilege access on compute,” Tom Corn, senior vice president for security product at VMware, told eWEEK. “Basically, it defines what is allowed to run.”
Much of the data center endpoint security market has been focused on finding bad elements and actors within a network, according to Corn. In contrast, with AppDefense, VMware is trying to ensure that only known good processes can run, he said.
“We have created a technology that uses our position in the hypervisor to capture the intent of a VM [virtual machine] and detect what’s running against a manifest,” Corn said. “We can then use the virtual infrastructure to automate and orchestrate response.”
The automated policies that can be enacted as part of AppDefense include alerting an administrator, quarantining a VM, blocking VM operations and snapshotting a VM. Corn said that when VMware captures the application’s intent, it is getting the developer’s intent by hooking into configuration management tools including Ansible, Chef and Puppet to make sense of the purpose of a given application. In addition to the developer intent, Corn said there is also machine learning that analyzes what is running to further evaluate processes that show up in runtime.
“What we end up with is a manifest for each application, and we store that in a protected zone in the hypervisor and we monitor what is running against it in real time,” he said. “We’re really trying to go to an intent-based model where we are ensuring good, rather than chasing bad.”
The Goldilocks Zone
VMware’s code name for the AppDefense technology for the last two years has been Project Goldilocks. Corn said that part of the challenge of doing security at the endpoint is that the endpoint is very exposed and at risk of being easily manipulated, since it’s in the same trust domain as a potential attacker. Attackers who know what they are doing, for example. can easily turn off antivirus technology running on an endpoint, he said.
“So we built capabilities in the hypervisor host to create a protected zone,” Corn said.
The protected zone, known internally at VMware as the Goldilocks Zone, is where the application manifests are stored as well as the process that monitors application behavior. The privileged position that the hypervisor has in the application deployment life cycle means that in a virtualized environment, no application can be provisioned without first being known to the hypervisor. As such, Corn said the hypervisor is in the perfect place to see all applications and processes and make a determination about both intent and potential malicious actions.
AppDefense runs on VMware’s vSphere 6.5, with the management plane for AppDefense running in the cloud, providing a place to set policies. Corn said the actual policy decisions and all data remain with the local hypervisor and are not sent to the cloud.
Looking forward, Corn said VMware is rapidly iterating AppDefense, adding new functionality on a weekly basis. Among the capabilities that VMware is continuing to add to AppDefense are integrations with security endpoint vendors as well as SIEM (Security Information and Event Management) tools.
“We have a pretty exciting list of features we’re looking to add to AppDefense,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.