“Cybersecurity today is very similar to the way parents approach child development,” declared VMware’s Senior Vice President, Security Products Group, Tom Corn, as he kicked off his spotlight session at VMworld 2017 in Las Vegas. The session was designed to highlight VMware’s new security solution, VMware AppDefense™, and Corn’s analogy for explaining the current state of application security piqued the interest of his audience.
“A first child is treated like glass,” Corn continued. Anything and everything is a threat. Parents strive to set up a safe environment for their child. That starts at the hospital, with clear and focused rules for who gets into the nursery to interact with that child.
As Corn explained, this is not unlike the traditional approach to application security. But the last time organizations had an effective perimeter defense was when applications were monolithic stacks. Conventional firewalls and other “old school” security measures were sufficient, then. “But,” Corn said, “that hasn’t been true for quite some time.”
Corn continued his child-rearing analogy: As a child grows, the parents’ understanding of their child grows too. They learn when to stop chasing threats and calling their physician, or obsessively consulting WebMD about threats that don’t really exist. They learn what their pediatrician already knows, said Corn, “Some kids are hot, some not; some kids cry, some don’t.”
It is when something really changes from their child’s normal state that they learn to call the doctor for help. And they learn that this partnership drives effective care.
This is the kind of security strategy needed today.
Shrinking the Attack Surface
Today, applications are dynamic, distributed systems—essentially mini-networks in themselves—and are highly complex. They are typically composed of multiple endpoints with a number of compute processes communicating across individual components at all times.
To provide truly effective security, organizations need ways to shrink the attack surface that modern apps expose, and find ways to align security controls to the applications as they move around environments. “This is our goal and strategy,” Corn said. It’s a strategy based on using virtualization to leverage one of the oldest principles in cybersecurity, least privilege.
VMware’s strategy now applies that same principle to the compute infrastructure. “By understanding the intended purpose of an application,” Corn said, “we can shrink the attack surface by focusing on ‘ensuring good,’ rather than ‘chasing bad.’”
The result is AppDefense, a new security solution that leverages the unique properties of virtualization to protect applications running in virtualized and cloud environments.
A Three-Part Security Model
AppDefense provides a three-part security model: capture, detect, and respond.
- Capture. The organization sets the rules and policies when establishing the application. This provides a baseline “approved” behavior and dictates what an application can do.
- Detect. Once parameters are set, AppDefense automatically detects any variation from the norm. It creates a zone to isolate and monitor unusual application behaviors and compares them to the app’s intended role in the manifest. If AppDefense determines that the behavior of the application differs from the intended state, it automatically sends a clear signal alerting the organization’s Security Operations Center (SOC).
- Respond. Once the anomaly is detected, AppDefense automatically triggers an orchestrated incident response routine for the SOC. This facilitates immediate collaboration between the security teams in the SOC and the application teams.
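To make the capture, detect and respond steps concrete, here is an added example (not VMware's AppDefense code): a minimal manifest-driven detector in the "ensure good" style, where anything outside the captured allow-list of intended behaviors is a deviation. The application name, process names and destinations are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Behavior:  # one observed behaviour: a process making an outbound connection
    process: str      # executable name on the VM
    dest_host: str    # destination host label (constructed, e.g. "db-tier")
    dest_port: int

@dataclass
class Manifest:  # capture: the allow-list of intended behaviours for one application
    app: str
    allowed: set = field(default_factory=set)

    def capture(self, observed):
        """Learning mode: record behaviours seen while the app is known-good."""
        self.allowed.update(observed)

    def detect(self, observed):
        """Detect: anything not in the manifest is a deviation; no 'known bad' list needed."""
        return [b for b in observed if b not in self.allowed]

def respond(app, anomalies):
    """Respond: emit one alert record per deviation for the SOC workflow to consume."""
    return [{"app": app, "process": a.process,
             "destination": f"{a.dest_host}:{a.dest_port}",
             "reason": "behavior not in manifest"} for a in anomalies]

# Constructed sample data for a hypothetical two-tier web app (not real telemetry).
LEARNING = [
    Behavior("nginx", "app-tier", 8080),
    Behavior("java", "db-tier", 5432),
    Behavior("java", "cache-tier", 6379),
]
RUNTIME = [
    Behavior("nginx", "app-tier", 8080),          # intended
    Behavior("java", "db-tier", 5432),            # intended
    Behavior("java", "198.51.100.7", 443),        # unexpected destination
    Behavior("bash", "db-tier", 5432),            # unexpected process
]

def run_demo():
    manifest = Manifest("shop-web")
    manifest.capture(LEARNING)                    # three intended behaviours
    alerts = respond(manifest.app, manifest.detect(RUNTIME))
    return manifest, alerts

if __name__ == "__main__":
    m, alerts = run_demo()
    print(f"{len(m.allowed)} intended behaviours protected; {len(alerts)} deviations: {alerts}")
```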
“It enables the security ecosystem to ‘architect in’ solutions,” Corn said. “We expose the logical boundary, so our partners can insert solutions.”
Demonstrating VMware AppDefense
In the second half of his session, Corn showcased how AppDefense works in the real world with a series of three demonstrations using a live application setup.
The demonstrations illustrated three components of common attacks: exploitation, extraction, and exfiltration. In each demo, Corn showed how the attack was prevented because a behavior did not correspond to AppDefense’s pre-set manifest.
Bringing Up Baby: Ensuring Good or Chasing Bad
Corn ended his presentation by saying that VMware had identified millions of bad behaviors that could possibly impact VMware’s network systems worldwide. But, he concluded, “Using AppDefense, we identified 91 intended behaviors that we’re protecting, instead of defending against 27 million potential bad behaviors.”
Between the two—ensuring good or chasing bad—it was clear which is more efficient.
Watch a light board session with Tom Corn, illustrating how VMware AppDefense works.