How AppDefense works to detect app and VM anomalies

AppDefense, a newer addition to the VMware security tool portfolio and part of the vSphere Platinum edition, helps organizations detect security related anomalies in VMs and applications.

Organizations are struggling to keep pace with the ever-increasing number of security threats. For many companies, this means protecting applications in virtualized environments. For users of VMware, there's a new approach to securing applications running on vSphere.  

VMware has added a new endpoint security tool to its vSphere Platinum edition, AppDefense. Organizations that are already using the Enterprise edition, or are considering upgrading, should take a look at how AppDefense works in vSphere Platinum.

AppDefense consists of a cloud-based service, an appliance and a vCenter plugin that IT administrators can install on premises. Unlike traditional antivirus products that search for known malicious software or activity, AppDefense learns the normal behavior of VMs and applications so it can detect and block anomalies. It continuously monitors VMs and apps, studying their behaviors.

The AppDefense endpoint security tool doesn't require agents to be installed in the guest OS because the hypervisor layer does activity monitoring. AppDefense currently protects 64 bit Windows Server 2008 R2 and later and several Linux distributions.

The AppDefense endpoint security tool in action

I used the VMware hands-on lab to demonstrate how AppDefense works. The following report was generated when I loaded the AppDefense plugin into vCenter and enabled AppDefense on a VM. This enables vSphere admins to see the possible anomalies and threats in the client they use every day.

An AppDefense report
The AppDefense reporting tool monitors VM and application behaviors.

When a program exhibits an unusual behavior that wasn't whitelisted in the capture process, it can trigger several actions, including sending out alerts and reports and even shutting down the VM.

The actions an admin takes when this occurs depend on what other programs the site is running, such as VMware NSX. Powering off or suspending the VM is the most basic action and uses the vSphere API. Sites that also have VMware NSX deployed can place the VM in a Quarantine Security Group. That enables the admin to regulate traffic to and from the VM or completely block inappropriate behavior.

Once the admin captures the normal behavior of a VM, he can monitor the guest OS for anything abnormal. Although it can be hard to keep up with the rising number of security threats, the VMware AppDefense endpoint security tool protects VMs by knowing what's normal behavior and what's abnormal and stopping malicious attacks.

VMware AppDefense can support up to 250 hosts, with a maximum of 50 VMs per host. A vSphere Platinum license includes the VMware AppDefense plugin and AppDefense SaaS version. VMware doesn't publish pricing information, as that's customized by site.

Dig Deeper on VMware cloud

Virtual Desktop
Data Center
Cloud Computing
Close