Traditional application security mechanisms are reactive. To detect an attack on an application in time, they must first know the characteristics of the attack technique: anti-virus software, for example, keeps a "virus signature database" and scans for code that matches a known signature. The biggest problem with this approach is that it cannot protect against unknown attack methods, so the protection always lags behind the attacker. In recent years, with the progress of artificial intelligence, machine learning has also been applied to detecting unknown attack methods: by collecting and analyzing data from the computing environment, unusual behavior can be found that may indicate an attack. The challenge of this approach is dealing with the massive amount of environmental noise and filtering the desired signal out of it; in practice it often produces false positives.
VMware's AppDefense introduces a new security mechanism that is embedded in the vSphere hypervisor to protect virtual machines. Its innovation shows in three aspects:
Proactive protection: rather than reacting to known-malicious activity as traditional mechanisms do, AppDefense defines the "good" state the system should be in during normal operation and detects "bad" behavior as a deviation from it. Any deviation from normal behavior is treated as a potential attack. Because AppDefense sits in the virtualization layer, it is uniquely placed to learn the normal behavior of each virtual machine or application and to see any change in a virtual machine as soon as it happens. That removes the need to guess which changes are normal and which are potential threats. Instead of watching a single virtual machine in isolation, AppDefense looks at security from the perspective of the whole data center, so it can understand the interaction patterns between virtual machines.
Automated and precise threat response: whenever an attack is detected, AppDefense can call vSphere and NSX functions at the right moment to take protective action automatically:
- block the process's network communication
- take a snapshot of the virtual machine for further analysis
- suspend the infected virtual machine
- quarantine the infected virtual machine (isolate it on the network)
Isolation from the attack surface: most malware first attacks the security system itself, such as anti-virus software or security agents, to clear the way for further attacks. AppDefense lives in the hypervisor, which keeps its core off the attack surface of the guest and gives it a level of protection that no security software running inside a virtual machine can match. The part that does run inside the guest, the guest module, is itself monitored for tampering.
Now the system architecture. AppDefense is delivered as a cloud SaaS service. After logging in to the AppDefense Manager in the cloud, the user can download the following three components:
- AppDefense Appliance: a virtual machine the user deploys in the data center. It carries out all AppDefense management functions within the data center and communicates with the cloud-hosted AppDefense Manager.
- Host Module: installed as a VIB (vSphere Installation Bundle) on the ESXi hypervisor of each physical server.
- Guest Module: an executable installer for each protected virtual machine. The guest module and the host module work together to monitor the behavior of the virtual machine.
The yellow components in the figure are the traditional modules of a vSphere cluster. vCenter manages all hosts and virtual machines in the cluster; AppDefense obtains this inventory from vCenter and uses it to plan the protection scheme for the cluster. vRA (vRealize Automation) and vRO (vRealize Orchestrator) hold the blueprints used for automated provisioning, and AppDefense uses this information to better understand the intended behavior of the application. AppDefense also carries out some of its automatic responses by calling these components: for example, suspending an infected virtual machine through vCenter when a threat is detected, or isolating the threat through NSX's virtual firewall.
AppDefense's workflow consists of the following steps:
- Specify the protection scope: choose the application to be protected and its related services; this is the scope AppDefense monitors.
- Learn what "good" behavior is: AppDefense spends one to two weeks learning how the protected application behaves under normal conditions. During this period the application is in "learning mode"; when learning ends, its state becomes "protected mode", meaning AppDefense has begun protecting it.
- Define automatic response rules: AppDefense can detect whether the virtual machine's operating system has been tampered with, whether network connections that should not occur are being made, and whether the AppDefense module itself has been tampered with, among other things, and can respond automatically to each kind of behavioral deviation according to the rules defined for it.
- Detect and alert: when a protected application is attacked by malware, AppDefense detects the resulting behavioral deviations, raises an alert and handles them automatically according to the predefined response rules, since such behavior does not occur while the application is running normally.
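The workflow above amounts to behavioral allow-listing: everything observed in learning mode becomes the baseline, and in protected mode anything outside that baseline is a deviation with a predefined response. The following toy model, an added example that is not VMware's or AppDefense's own code, shows the idea end to end. The event format, the process paths, the VM names, the response names and all sample events are constructed for illustration; real AppDefense learns from the host and guest modules and acts through vCenter and NSX.

```python
"""Toy model of AppDefense-style behavioral allow-listing (illustrative, not VMware code).

A scope learns a per-VM baseline of processes and their network connections
during a learning window; once protected, every event is checked against the
baseline and a deviation selects a response action (block, snapshot, suspend).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Connection = Tuple[str, str, int]  # (process, "in" | "out", port)


@dataclass
class Event:
    vm: str
    process: str                      # executable path observed in the guest
    direction: Optional[str] = None   # "in"/"out" for a connection, None for a bare process start
    port: Optional[int] = None


@dataclass
class Baseline:
    processes: Set[str] = field(default_factory=set)
    connections: Set[Connection] = field(default_factory=set)


@dataclass
class Scope:
    """A protection scope: the VMs it covers, its mode, and one baseline per VM."""
    vms: Set[str]
    mode: str = "learning"
    baselines: Dict[str, Baseline] = field(default_factory=lambda: defaultdict(Baseline))

    def learn(self, ev: Event) -> None:
        """Learning mode: everything seen inside the scope is recorded as 'good'."""
        if self.mode != "learning" or ev.vm not in self.vms:
            return
        b = self.baselines[ev.vm]
        b.processes.add(ev.process)
        if ev.port is not None:
            b.connections.add((ev.process, ev.direction, ev.port))

    def protect(self) -> None:
        """Switch from learning mode to protected mode; the baseline is now frozen."""
        self.mode = "protected"

    def classify(self, ev: Event) -> Optional[str]:
        """Protected mode: name the deviation, or None if the event matches the baseline."""
        if self.mode != "protected" or ev.vm not in self.vms:
            return None
        b = self.baselines[ev.vm]
        if ev.process not in b.processes:
            return "unknown_process"
        if ev.port is not None and (ev.process, ev.direction, ev.port) not in b.connections:
            return "unexpected_connection"
        return None


# Response rules per deviation kind (constructed names mirroring the article's
# list of actions: block communication, snapshot, suspend).
RESPONSES: Dict[str, List[str]] = {
    "unknown_process": ["snapshot", "suspend"],
    "unexpected_connection": ["block_connection"],
}


@dataclass
class Alert:
    vm: str
    kind: str
    event: Event
    actions: List[str]


def run_protected(scope: Scope, events: List[Event]) -> List[Alert]:
    """Evaluate events against a protected scope and attach the configured response."""
    alerts: List[Alert] = []
    for ev in events:
        kind = scope.classify(ev)
        if kind is not None:
            alerts.append(Alert(ev.vm, kind, ev, RESPONSES[kind]))
    return alerts


# Constructed sample telemetry for a single web server VM.
LEARNING_EVENTS = [
    Event("web01", "/usr/sbin/nginx", "in", 443),    # serves HTTPS
    Event("web01", "/usr/sbin/nginx", "out", 8080),  # talks to the app tier
    Event("web01", "/usr/sbin/sshd", "in", 22),      # admin access
]
PROTECTED_EVENTS = [
    Event("web01", "/usr/sbin/nginx", "out", 8080),  # matches the baseline: no alert
    Event("web01", "/usr/sbin/nginx", "out", 4444),  # nginx never connected to 4444
    Event("web01", "/tmp/.x/dropper", "out", 3333),  # process never seen during learning
    Event("db01", "/usr/bin/bash"),                  # VM outside the scope: ignored
]


def demo() -> List[Alert]:
    scope = Scope(vms={"web01"})
    for ev in LEARNING_EVENTS:
        scope.learn(ev)
    scope.protect()
    return run_protected(scope, PROTECTED_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.vm}: {a.kind} by {a.event.process} -> {a.actions}")
```

The model also makes the main caveat of this approach visible: whatever is present during learning mode becomes "good", so a scope that starts learning on an already compromised virtual machine will allow-list the intruder's behavior. The learning window should therefore cover a known-clean deployment, and baselines deserve review before the scope is switched to protected mode.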