The Cranky Admin

Deciphering VMware's AppDefense

Some answers, but many questions remain.

• By Trevor Pott
• 08/29/2017

Of all VMware's new subscription services, AppDefense deserves a bit deeper discussion. AppDefense is the flagship product of an entire new business unit at VMware. With security being one of the only real growth markets left in IT, it's a sensible investment by VMware.

AppDefense appears to be superficially similar to Bromium, but for server workloads. We say "appears to be" because VMware was unable to provide adequate insight into the technical details of AppDefense during their briefing with Virtualization and Cloud Review. We will continue to push for a far more in-depth look after the craziness of VMworld is over.

From what we can tell at the moment, AppDefense works in conjunction with desired state configuration tools -- at the moment this consists of Puppet Enterprise, with addition tools planned -- to build a list of what workloads "should" look like. This is compared against what is actually running in a vCenter-managed environment. If there are differences discovered between what's running and what "should" be running, actions can be taken.

VMware indicated that the automated incident response capabilities of AppDefense, while currently still nascent, are going to be quite formidable.  There is some handwaving about "machine learning," but VMware was unable to go into detail about where exactly machine learning fits in to the AppDefense discussion. We can, however, make some educated guesses.

The Bromium Comparison
Bromium serves as an excellent guide for how these sorts of defense mechanisms can work, once they're fully developed. Bromium secures endpoints by acting on applications in two different ways.

In the first case, Bromium defend endpoints by launching individual applications in containers using hardware virtualization technologies to provide hard isolation. This means that if an application is compromised, it can't infect other applications: it's completely isolated. VMware has made it clear that this is not a security feature AppDefense currently offers.

Bromium also maintains a "whitelist" of expected application behaviors. If, for example, Bromium sees that when winword.exe launches, a previously unknown library is hooked and then starts launching additional processes, Bromium's software will flag that as suspicious. Everything about that application session will be recorded and logged and can be reviewed by administrators and/or sent to Bromium itself.

The deviant behavior gets analyzed by Bromium's security experts with the assistance of some sophisticated machine learning tools. Once the behavior is classified, that information is pushed down to all of Bromium's customers.

Bromium customers can have different levels of paranoia about allowing new and interesting behaviors in their applications, including a default behavior to only allow applications to behave in known ways and to block all unknown behaviors.

Let's say, for example, that you equip Microsoft Word with a plug-in like UBit Menu for those who hate the ribbon bar. Unless Bromium knew about it, this would look a lot like malware. Indeed, because of the way Bromium packages applications under management for use, end users wouldn't be able to install this sort of add-on; it would have to explicitly whitelisted and then included in the organization's Microsoft Word image.

The purposeful inclusion of the plug-in, however, lets Bromium know that the plug-in is not malware. It becomes a known good possible behavior for Microsoft Word. Compare this to, for example, a completely unknown ransomware payload that could execute using a flaw in Word when someone opens an e-mail attachment. Here you have the standard Word application opening, but then suddenly there are other executables occurring within the container space that have never before been classified. That's pretty clearly malware.

Bromium's combination of containerization and application behavior whitelisting makes for a powerful defensive capability. The questions that VMware needs to answer are: just how close to this has VMware come with AppDefense, and what is the currently envisioned evolution of capability for this product?

Desired state tools like Puppet can define a virtual machine's operating system environment. They can define which applications should live in that environment. It is certainly possible to build a "high level" solution that says "if you see any application installed in this VM that isn't in the manifest provided by the desired state tool, freak out and do something." There are plenty of these solutions on the market.

How Deep Does It Go?
But just exactly how in-depth does VMware's AppDefense go, and how far does VMware plan to go? Does VMware's talk of "machine learning" mean that it will do Bromium-like snooping and whitelisting of application processes, investigating active libraries and even individual hooks for deviant behavior? Will AppDefense make use of VMware's patent for hot swapping operating systems out from under running applications?

VMware has a lot of technology, numerous partnerships and a great many patents that lend themselves to potentially becoming the most powerful security solution provider in the entire industry. Unfortunately, right at this moment, we don't know how much of that VMware is actually making use of.

Is AppDefense Bromium for Servers, and heading into novel territory using mind-blowing patents? Or is it little more than the equivalent of duct taping Kubernetes to Puppet for traditional VMs instead of containers? We'll keep asking VMware until we find out.