Application Defence from VMware

    One of VMware’s recent new product announcements came in the form of VMware AppDefense, as the name suggests it’s a security product aimed at protecting applications, but what exactly does that involve, and what makes up the application?  More importantly what problem does it solve?

    The Threat

    Software companies are racing to improve security within their product given the rise and publicity of cyber-attacks and VMware are no different.  VMware have a strong hand to play when it comes to network security in the form of NSX, and more recently security improvements in vSphere, and vSAN with further encryption features.

    Attacks usually come in stages – initial infiltration, and then propagation via lateral movement on the network, which may include some sort of extraction of data which will then end with exfiltration.  Most security products look at stopping the initial infiltration but in a modern workplace with mobile working and multi-cloud applications that’s difficult to implement.

    No longer can protection at the perimeter to prevent infiltration be acceptable.

    A lot of security products focus on finding the known bad issues, the known malware for instance which can be complex to manage that relies on manual intervention, but it can also miss a lot of threats.

    Protect and Automate

    With the announcement of AppDefense it’s very interesting to look how it will work together with other VMware products to not only add protection but also automate any remediation.

    VMware’s AppDefense uses a so called known good behaviour model that helps apply least privilege at an application level.  This model monitors for deviations from known good behaviours, resulting in a simpler and smaller problem set over a known malicious list making it easier to manage.

    By initially capturing the application intended state, it will then be monitored against any deviation from that intended state.  If any deviation is detected the response can be automated based on configured policies.

    Using VMware’s NSX network microsegmentation, least privilege can be implemented at the network layer, creating granular policy driven firewall rules for protected VMs.  AppDefense brings the VM level contextual analytics and through automation a potentially compromised VM can be flagged to the admin or even automatically removed from production. 

    Applications can be isolated at a hypervisor layer but automation is not just about isolating a VM and alerting the admin. Automation could snapshot, suspend or power down VMs from the default policy configured in the console with potentially further automation such as cloning a VM and deploying in-place to take up the slack.

    Intended State

    Intended state is captured using various methods, first there is an inventory collection for the likes of vCenter to gather the initial information but further information can be gathered plugging into infrastructure automation tools such as Puppet, vRealize Automation and NSX.

    Further application specific information can be gathered by plugging into more developer tools such as Jenkins and Ansible.

    Once an inventory has been collected, the VMs will be unclassified and must be then moved to an audit stage, then by linking with infrastructure automation such as Puppet the application stack and associated VMs can be gathered.  Behaviour in those applications are then gathered for a set period of time and marked as low or high risk behaviours. 

    Once the behaviour has been fully audited the application stack can be protected using that intended state.  Rules can then be configured to automate a remediation action depending on what violation process was detected.


    VMware AppDefense at GA will protect workloads on-premises that are running on VMware infrastructure, vSphere is required as it integrates directly with the hypervisor.  Soon after GA will be support for VMware Cloud on AWS.

    There is a reliance on vCenter with optional tie-ins with NSX and vRealize Automation if available.  An on-premises appliance called Security Management Proxy will talk directly to a SaaS based Security Manager.

    Further integration with existing security vendors have been announced to extend further capabilities.


    Security is a major focus not only from software vendors but for customers and this product helps cement VMware’s security focus not only from an infrastructure layer but in an application layer. 

    VMware AppDefense will be a SaaS based model with more details to follow. To find out more and what Insight can offer around application security contact your Insight Account Manager.

    Why not read How to prevent & mitigate against Ransomware using VMware security solutions?