
Hey AppDefenders! There are two ways to get support with VMware AppDefense:
- Chatting in the AppDefense Manager with a technical engineer
- Logging a ticket through the 'My VMware' portal (the traditional support method)

Chatting in the AppDefense Manager with a technical engineer
Access chat through the Support tab in the AppDefense Manager; it is available 24/5. This is a great option if you are working in the AppDefense console and have a quick question on deployment, features, any status icons you see on the console, etc. Typically you will get a resolution just by chatting with one of the engineers, but if not, they can create a ticket on your behalf and will follow up through email and virtual meetings if needed. In some cases, if you have questions about use cases and best practices, they will suggest you speak with someone on our team (AppDefense Architects). In the Support tab you will also be able to view relevant documentation on deployment and on how to best use AppDefense features.

Logging a ticket through 'My VMware'
Logging a support ticket through 'My VMware' is the same process as logging support issues for traditional VMware products. To log a support ticket through 'My VMware', log in with your 'My VMware' credentials, navigate to the Support tab and choose your AppDefense service. Once the support ticket is received, an engineer will contact you over email and schedule a virtual meeting if needed. This is a great option if for some reason you are unable to get to your AppDefense Cloud Manager or you don't have time to chat with someone right away.

We would love to hear from you, so chat with us to give us feedback or just to say hi! And as always, Happy AppDefending!
Paige
Hey AppDefenders! Thanks for reading our weekly blogs! Today's blog covers what happens when Discovery Mode ends.

After 2-3 weeks the learning phase of Discovery Mode will be complete and your Scope will be ready to move into Protected Mode. Remember that in Protected Mode any deviation from your verified behavior list will trigger an alert and an event, and if rules have been set up they will be enforced. Moving to Protected Mode is a simple process that only requires the few short steps listed below.

1. Check your behavior chart in the Scope Dashboard (the top box on the screen). If more than 5 behaviors are still being learned over the last couple of days, the Scope is not ready to enter Protected Mode; let it sit in Discovery Mode for a few more days to ensure the learning process is complete.
2. Look for any malicious processes, integrity alerts, or ML (machine learning) alerts:
   - Check the Services tab for any malicious behavior (all malicious behavior is shown in red on the Scope Dashboard).
   - Check the 'Windows ML Analysis' box on the Scope Dashboard for any anomalous or unverified behavior.
   - Check the 'Windows Integrity Checks' for any changes to the guest module or the AppDefense module (these send an alert to the Alerts page even while in Discovery Mode).
3. Identify any processes or behaviors that need to be deleted or added to the blacklist, based on internal best practices. For example, many customers do not want to add public internet processes to their verified behavior list. Add to the blacklist any processes that you want reported as a critical alert (this will most likely be based on internal best practices).
4. Move the Scope to Protected Mode: when all the quick checks are done, click the "Verify And Protect" button at the top of the page. You have now entered Protected Mode!

Keep in mind you can monitor alerts and events in the AppDefense Manager or integrate with your internal SIEM! Happy AppDefending!

VMware AppDefense is a hypervisor-native workload protection platform for virtual infrastructure and security teams that delivers secure virtualization by providing deep application visibility and control. To learn more, visit www.vmware.com/appdefense or contact us.
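The checklist above, as an added example that is not code from this post or from AppDefense: a PowerShell readiness check run over a constructed behavior export. The record fields (Process, Destination, Reputation, FirstSeen) and the two-day "last couple of days" window are assumptions; the 5-behavior threshold and the public-internet review rule are the post's.

```powershell
# Added example: readiness check for moving a Scope from Discovery to Protected Mode.
# Field names of the behavior records are assumptions, not an AppDefense export format.

function Test-PublicDestination {
    param([string]$IPAddress)
    # RFC 1918, loopback and link-local ranges count as internal; anything else is "public internet"
    $b = ([System.Net.IPAddress]::Parse($IPAddress)).GetAddressBytes()
    if ($b[0] -eq 10) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 127) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    return $true
}

function Test-ScopeReadyForProtectedMode {
    param(
        [Parameter(Mandatory)][object[]]$Behaviors,   # learned behavior records (constructed format)
        [int]$IntegrityAlerts = 0,                    # open alerts from 'Windows Integrity Checks'
        [int]$MlAlerts = 0,                           # open alerts from 'Windows ML Analysis'
        [datetime]$Now = (Get-Date),
        [int]$RecentDays = 2,                         # "last couple of days" (assumption)
        [int]$MaxRecent = 5                           # the post's threshold
    )
    $blockers = New-Object System.Collections.Generic.List[string]
    $review   = New-Object System.Collections.Generic.List[string]

    # Step 1: behavior chart. More than $MaxRecent behaviors learned recently means still learning.
    $recent = @($Behaviors | Where-Object { ($Now - $_.FirstSeen).TotalDays -le $RecentDays })
    if ($recent.Count -gt $MaxRecent) {
        $blockers.Add("Still learning: $($recent.Count) behaviors seen in the last $RecentDays days (limit $MaxRecent)")
    }

    # Step 2: malicious processes, integrity alerts and ML alerts must be cleared before protecting.
    foreach ($b in ($Behaviors | Where-Object { $_.Reputation -eq 'Malicious' })) {
        $blockers.Add("Malicious behavior: $($b.Process) -> $($b.Destination)")
    }
    if ($IntegrityAlerts -gt 0) { $blockers.Add("$IntegrityAlerts integrity alert(s) open") }
    if ($MlAlerts -gt 0)        { $blockers.Add("$MlAlerts ML alert(s) open") }

    # Step 3: flag learned behaviors that reach the public internet for delete/blacklist review.
    foreach ($b in $Behaviors) {
        if ($b.Destination -and $b.Reputation -ne 'Malicious' -and (Test-PublicDestination $b.Destination)) {
            $review.Add("Public internet behavior: $($b.Process) -> $($b.Destination)")
        }
    }

    [pscustomobject]@{
        Ready    = ($blockers.Count -eq 0)
        Blockers = $blockers.ToArray()
        Review   = $review.ToArray()
    }
}

# Constructed sample export: a small Scope about 17 days into Discovery Mode.
$now = Get-Date '2019-06-01'
$sample = @(
    [pscustomobject]@{ Process='w3wp.exe';     Destination='10.0.2.15';    Reputation='Known';     FirstSeen=$now.AddDays(-17) },
    [pscustomobject]@{ Process='sqlservr.exe'; Destination='';             Reputation='Known';     FirstSeen=$now.AddDays(-17) },
    [pscustomobject]@{ Process='updater.exe';  Destination='203.0.113.10'; Reputation='Known';     FirstSeen=$now.AddDays(-9)  },
    [pscustomobject]@{ Process='cmd.exe';      Destination='198.51.100.7'; Reputation='Malicious'; FirstSeen=$now.AddDays(-1)  }
)
Test-ScopeReadyForProtectedMode -Behaviors $sample -Now $now -IntegrityAlerts 0 -MlAlerts 1 | Format-List
```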
VMware AppDefense has five components:

AppDefense Appliance
The AppDefense Appliance is installed on-premises, typically in the management cluster. It is registered with vCenter to get the inventory and to make the API calls needed to trigger the rule actions defined within AppDefense. It acts as a control point for exchanging data to and from the AppDefense Manager. The mapping between AppDefense Appliance and vCenter is 1:1, which means that for every vCenter a dedicated AppDefense Appliance must be installed and registered.

AppDefense Manager
The AppDefense Manager is a SaaS service that runs in the cloud and provides the complete feature set for customers to protect their datacenter endpoints. It is a multi-tenant cloud service available as a subscription. You use the AppDefense Manager to define the intended behavior and protection rules of your applications and then monitor security events and alerts in real time. In addition to management capabilities, the AppDefense Manager provides process reputation services, machine learning capabilities, and other visibility features for your environment.

AppDefense Plug-in
The AppDefense plug-in is available with vSphere Platinum, i.e. vSphere 6.7 U1 and onwards. When AppDefense is installed with the plug-in, customers can access AppDefense from the vSphere Client. The AppDefense plug-in provides improved life cycle management and real-time visibility directly in vCenter Server. It provides direct visibility into the processes and network connections running on a given virtual machine, and reputation information to confirm that those behaviors are trusted. The AppDefense plug-in works in concert with the AppDefense service to provide visibility and control for the entire security team.

AppDefense Host Module
Host modules are the VIBs that get deployed on the ESXi host. The Host Module enables the virtual machines (VMs) on that host to deploy and run AppDefense. For Windows environments, the Host Module also monitors and ensures the integrity of the Guest Module installed on the VM.

AppDefense Guest Module
The Guest Module is installed on every VM that must be protected by AppDefense, whether Windows or Linux. It is delivered with VMware Tools or as an MSI. The Guest Module collects guest process and network connection information from the VM and communicates directly with the AppDefense Host Module.

Happy AppDefending!! Please comment below with any questions or further comments.
Proper configuration of Scopes and Services is an essential step in ensuring that AppDefense is used properly and to its full potential. To refresh on terminology, a Scope is a data center application that establishes the intended state of an application. A Service is equivalent to a tier within the application; it collects allowed processes/behaviors and adds them to a verified behavior list. This blog covers the best practices for setting up Scopes and Services!

Scope and Service creation based on tiers within an application
1. From the dashboard in the AppDefense Manager, click Create Scope and name the Scope after your data center application.
2. Select "Add Service" and name the Service after the tier within your data center application. (If you do not see your service type listed you can select "Other"; this is not an essential part of the Service creation.)
3. Select members. (Note that members must be homogeneous, i.e. do not put an app server and a DB server in the same Service.)
4. Add behaviors if you have them; if not, this step will be done in the Discovery phase.

Scope and Service creation based on planned remediation action
1. From the dashboard, create a Scope (for example an "Active Directory" Scope).
2. Segment VMs based on the rule sets you want to enforce. (For AD that might include internal-only communication and VMs that allow external communication: all AD internal VMs into one Service, and external VMs into another Service.)
3. Once in Protected Mode, you can then create rules for each Service that apply only to the VMs in that Service. (In the AD example you could block outbound connections from the internal AD Service.)

Keep in mind:
- There is no limit on the number of Scopes you can create.
- There is no limit on the number of Services you can create in a Scope.
- There is no limit on the number of VMs you can put in a Service (as long as it meets best practice).
- You can add a new VM to an existing Service in Protected Mode and it will adopt the allowed behavior of the Service.
- If you create a completely new Service within a Scope, the Scope must enter Discovery Mode again.

Happy AppDefending! Please comment below with any questions or further comments.
VMware AppDefense should take no longer than 4-5 weeks to get to a protected state. For the majority of this time, the application will be in Discovery Mode (1-3 weeks), requiring no user action. This post covers the different phases of installation, providing you with a basic deployment timeline for AppDefense!

Week 1
- Physical Deployment: Deployment typically takes 1-2 hours. Customers can follow the self-onboarding guide to get started, or chat with support (24/5) if additional help is needed.
- Scope and Service Set-up: Setting up Scopes and Services takes between 30 minutes and 2 hours, depending on how many Scopes and Services are being set up at once. Please review the documentation for best practices on setting up Scopes and Services.

Weeks 1-3
- Discovery: Discovery Mode in AppDefense begins once all the Services are added into a Scope. Scopes must stay in Discovery Mode for a minimum of 14 days. However, this period may last longer for specific applications. From the Scope Dashboard, you will be able to determine when a Scope is ready.

Weeks 3-4
- Protected Mode: Once Discovery Mode is completed, you can either leave it in "Alert Only Mode" or set up "Remediation Actions" for each Service.

Week 4+ (Recommended)
- Remediation Actions: Setting up remediation actions only takes a couple of minutes, so depending on how many Services you are setting remediation actions for, it could take up to 30 minutes.

Keep in mind that the majority of deployment (weeks 1-3) is spent in Discovery Mode, which requires no user action. So for the first three weeks, sit back and let AppDefense work for you! Happy AppDefending!
VMware AppDefense provides security for your datacenter endpoints. In order to secure your datacenter applications, AppDefense requires the installation of a guest module to start collecting network and process attestation information from the servers. There are separate guest modules for Windows and Linux systems, and they differ in how they are delivered for installation. For Linux systems it is very easy to start getting visibility inside your systems with AppDefense for your infrastructure and security administrators: the AppDefense guest module package can be installed on the fly without requiring any reboot of the servers.

A problem we have seen is how to scale the deployment for large Linux environments that do not have any provisioning tools like Puppet, etc. To overcome this, I have written a script which fetches the Linux OS flavor information and accordingly configures the repository on each system, so that the package can be installed on multiple systems.

Prerequisites
You must verify the following components on the virtual machine before the actual installation. The AppDefense solution works with Guest Introspection for VMware NSX (VMware open-source product) to provide a network attestation service. Ensure that the guest virtual machine (VM) has:
- A supported version of Linux installed. See System Requirements For AppDefense.
- iptables
- glib 2 (verify it is present)
- Internet access on the servers to connect to the VMware package repository to download the packages
You must have administrator credentials to connect to your vCenter.
You must have 'root' account credentials for the Guest OS of all the virtual machines you will define.
You need a csv/txt file with the list of VMs on which the module has to be installed.

Execution
The script will prompt for the vCenter name where the VMs reside, followed by administrator credentials. After that it asks for the input file location and the root credentials of the Linux servers. Once the script has executed successfully, you will notice that the AppDefense vCenter plugin starts showing the process and network attestation information, providing instant visibility into your Linux systems.

*Disclaimer* This project is open source and can be edited to your desire. Thus, VMware and its employees are not responsible for any modifications made to this script or any unexpected behavior that should result from running this script. Please ensure you completely understand the functions this script performs and run it against test machines first to ensure proper functionality.
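An added example, not the script described in this post: a PowerCLI pre-check that classifies each Linux VM's OS flavor from /etc/os-release (so the right package tooling can be chosen) and verifies the iptables and glib2 prerequisites before the package install. It assumes PowerCLI (Get-VM, Invoke-VMScript) after Connect-VIServer and VMware Tools running in the guests; the VMware repository URL is not on the page, so repository configuration is left as a placeholder comment.

```powershell
# Added example: Linux guest module pre-check over a list of VMs (not the post's script).

function Get-LinuxPackageFamily {
    # Maps /etc/os-release content to the package tooling the repository setup must use.
    param([Parameter(Mandatory)][string]$OsRelease)
    $fields = @{}
    foreach ($line in ($OsRelease -split "`n")) {
        if ($line -match '^\s*([A-Z_]+)=(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim().Trim('"')
        }
    }
    # ID first, then ID_LIKE, so derivatives (e.g. ID_LIKE="rhel fedora") still classify
    $ids = @($fields['ID']) + @(($fields['ID_LIKE'] -split '\s+'))
    foreach ($id in $ids) {
        switch -Regex ($id) {
            '^(rhel|centos|fedora)$'   { return 'rpm-yum' }
            '^(sles|suse|opensuse.*)$' { return 'rpm-zypper' }
            '^(ubuntu|debian)$'        { return 'deb-apt' }
        }
    }
    return 'unsupported'
}

# Commands run inside each guest; the output is parsed back on the PowerCLI side.
$probeScript = @'
cat /etc/os-release
echo "IPTABLES=$(command -v iptables >/dev/null 2>&1 && echo yes || echo no)"
echo "GLIB2=$( (rpm -q glib2 >/dev/null 2>&1 || dpkg -s libglib2.0-0 >/dev/null 2>&1) && echo yes || echo no)"
'@

function Invoke-GuestModulePrecheck {
    param(
        [Parameter(Mandatory)][string]$VMListPath,             # csv/txt with one VM name per line
        [Parameter(Mandatory)][pscredential]$GuestCredential,  # root credentials for the guests
        [string]$LogPath = 'C:\Temp\appd_linux_precheck.log'   # assumed log location
    )
    # Skip blank lines and a "Name" header row if the file is a CSV export
    $names = Get-Content $VMListPath | Where-Object { $_ -and $_ -ne 'Name' }
    foreach ($name in $names) {
        try {
            $vm = Get-VM -Name $name -ErrorAction Stop
            $params = @{ VM = $vm; ScriptText = $probeScript; ScriptType = 'Bash'
                         GuestCredential = $GuestCredential; ErrorAction = 'Stop' }
            $out = (Invoke-VMScript @params).ScriptOutput
            [pscustomobject]@{
                VM       = $name
                Family   = Get-LinuxPackageFamily -OsRelease $out
                Iptables = ($out -match 'IPTABLES=yes')
                Glib2    = ($out -match 'GLIB2=yes')
            }
            # Repository configuration for the detected family would follow here; the
            # VMware package repository URL is not given on the page (placeholder).
        } catch {
            # Bad root credentials or an unreachable guest must not abort the whole run
            "$(Get-Date -Format s) $name : $($_.Exception.Message)" | Add-Content $LogPath
        }
    }
}

# Usage after Connect-VIServer with vCenter administrator credentials:
# Invoke-GuestModulePrecheck -VMListPath .\linux_vms.txt -GuestCredential (Get-Credential root)
```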
VMware AppDefense requires the installation of a guest module that comes included with VMware Tools 10.3.2 and above. VMware Tools 10.3.2 is only included in ESXi 6.7 U1+, and VMware Tools 10.3.5 is only included in ESXi 6.5 P03+. This means that it may be necessary to update the version of VMtools that's packaged with your ESXi hosts for an easy upgrade. In this blog, ephuber explains how to quickly update the VMware Tools image on ESXi using VMware Update Manager.
Problem to Overcome
During the install and configuration process of AppDefense there are multiple steps to preparing the Guest OS of the virtual machines you plan to protect. Today, those configuration steps require a power cycle of the virtual machine and a Guest OS reboot at the time of configuration. This is where our open source Guest OS Preparation PowerCLI script can help!

What does this script do?
The steps this script performs can be summarized to the major points below, in this order:
1. Gathers Windows VMs using the method that you choose to define them via a menu.
2. Starts the process of checking and configuring Guest Integrity on those VMs if they are not already configured with it.
3. Enables the AppDefense Module within VMtools.
4. Writes log files to C:\Temp listing the VMs that will need to be power cycled at your convenience.

Prerequisites
1. You must meet the minimum system/hardware/guest requirements as noted in the AppDefense documentation here: System Requirements For AppDefense.
2. Your VMs MUST be running VMtools version 10.3.2 or higher.
3. You must have administrator@vsphere.local credentials to connect to your vCenter.
4. You must have administrator credentials to the Guest OS of all the virtual machines you will define. These credentials can be local administrator credentials or AD credentials.

Things to consider
This script installs the AppDefense Module within VMtools using "msiexec", specifically this CLI: "msiexec /i <product_code> /qn /quiet /norestart REMOVE=AppDefense". We use ADDLOCAL=AppDefense to specifically enable the AppDefense feature within VMtools. This ensures that any other features you may have installed via VMtools will not be touched by this process.

*IMPORTANT* You need to power cycle the VMs this script installs AppDefense on in order for Guest Integrity and the AppDefense Module to start. You can schedule power cycles at your convenience, but the VMs will not work in AppDefense until a complete power cycle is completed.

v1.1 ChangeLog
- Changed the method of installation from using the VMtools ISO to using the existing installation MSI via "msiexec". This means you no longer need to worry about the version of VMtools packaged with your ESXi hosts.
- Increased reliability when installing VMs from a CSV file. Getting VMs from a CSV file will no longer count the first row containing the "Name" header as a VM name.
- Added error handling for "Invalid Login" to certain VMs. This will no longer kill the script; instead it writes the VMs you weren't able to authenticate with to a log file.
- Increased performance.
- Increased general reliability.

Conclusion
The script is attached and is named "appd_guest_prep_v1.1.ps1". We hope that you find this tool useful, and please continue to provide feedback on v1.1 of this script. We couldn't make it better without your help! We will continue to develop this open source tool as AppDefense matures and time permits. Happy Automating!

*Disclaimer* This project is open source and can be edited to your desire. Thus, VMware and its employees are not responsible for any modifications made to this script or any unexpected behavior that should result from running this script. Please ensure you completely understand the functions this script performs and run it against test machines first to ensure proper functionality.
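An added example, not the attached appd_guest_prep_v1.1.ps1: the in-guest part of step 3 in PowerShell. It locates the VMware Tools MSI product code in the Uninstall registry keys, checks the 10.3.2 prerequisite, enables the AppDefense feature with ADDLOCAL=AppDefense as the explanation above states (a REMOVE= property would uninstall the feature instead), and records which hosts still need a power cycle. Function names and the C:\Temp log file names are assumptions; the script must run elevated inside the guest (for example via Invoke-VMScript).

```powershell
# Added example: enable the AppDefense feature of an installed VMware Tools from inside the guest.
# Not the post's script; function and log file names are assumptions.

function Get-VMwareToolsInstall {
    # MSI-installed products register under Uninstall with the product code {GUID} as key name.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        $key = Get-ChildItem $root -ErrorAction SilentlyContinue |
               Where-Object { $_.GetValue('DisplayName') -eq 'VMware Tools' } |
               Select-Object -First 1
        if ($key) {
            return [pscustomobject]@{ ProductCode = $key.PSChildName
                                      Version     = [string]$key.GetValue('DisplayVersion') }
        }
    }
    return $null
}

function Test-ToolsVersionSupported {
    # The guest module only ships with VMware Tools 10.3.2 and above (prerequisite 2).
    param([Parameter(Mandatory)][string]$DisplayVersion)
    return ([version]$DisplayVersion -ge [version]'10.3.2')
}

function Convert-MsiExitCode {
    # Translate msiexec's exit code into the action the operator has to take next.
    param([int]$ExitCode)
    switch ($ExitCode) {
        0       { 'installed-power-cycle-required' }   # feature added; module starts after a full power cycle
        3010    { 'installed-power-cycle-required' }   # ERROR_SUCCESS_REBOOT_REQUIRED (expected with /norestart)
        1641    { 'installed-reboot-initiated' }       # ERROR_SUCCESS_REBOOT_INITIATED
        1605    { 'product-code-not-installed' }       # ERROR_UNKNOWN_PRODUCT: wrong product code
        default { "failed-$ExitCode" }
    }
}

function Enable-AppDefenseFeature {
    param(
        [Parameter(Mandatory)][string]$ProductCode,
        [string]$LogPath = 'C:\Temp\appd_enable.log'   # assumed; the post logs to C:\Temp
    )
    if (-not (Test-Path 'C:\Temp')) { New-Item -ItemType Directory -Path 'C:\Temp' | Out-Null }
    # ADDLOCAL=AppDefense adds only that feature; other VMware Tools features are untouched.
    $msiArgs = "/i $ProductCode /qn /norestart ADDLOCAL=AppDefense /l*v C:\Temp\appd_msi.log"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    $status = Convert-MsiExitCode $proc.ExitCode
    "$(Get-Date -Format s) $env:COMPUTERNAME exit=$($proc.ExitCode) $status" | Add-Content $LogPath
    return $status
}

$tools = Get-VMwareToolsInstall
if (-not $tools) {
    'VMware Tools is not installed on this guest'
} elseif (-not (Test-ToolsVersionSupported $tools.Version)) {
    "VMware Tools $($tools.Version) is below 10.3.2; upgrade VMware Tools first"
} else {
    Enable-AppDefenseFeature -ProductCode $tools.ProductCode
}
```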
This question, in some form, tends to kick off our first conversation with corporate training managers and executives. By now, most have heard about the benefits of adding virtual reality for training to their programs, but there's still something of a learning curve.

It might seem silly to start here, but there is a fair amount of confusion at the very definition of 'virtual reality'. When we talk about virtual reality, we are describing a completely immersive, virtual world that completely replaces the physical surroundings (the "real" world). To achieve this immersive experience, the user's eyes, and often ears, are totally obscured from the outside world by a display and headphones, often built into the same HMD (head-mounted display). The PC then fully controls the inputs to these sight and sound sensors. When you are in a virtual reality for training experience, you are working inside a simulated and (in the case of PIXO's VR) three-dimensional, photo-realistic, computer-generated world. This digital world can be realistic, fantastical, or a blend of both. In the realm of virtual reality for training, we are generally creating realistic environments to mimic real-world situations and measuring different performance variables.

So that is a working definition of virtual reality. However, before we depart this topic, I think it's vital to differentiate virtual reality for training from two other closely related concepts: augmented reality (AR) and 360-degree video. Augmented reality is adding computer-generated content into the world around you, augmenting it with added graphics, sounds, and data. This technology is meant to 'enrich' the real world; however, the virtual and real remain distinctly different and interact with each other. A 360-degree video surrounding is a sort of digital experience. However, rather than being put in an interactive world, you are put inside of a static video and permitted to navigate and control your own view within that world. Again, there is no active involvement within this digital video atmosphere.

You want your virtual reality for training environment to be as close to reality as possible, particularly if you're doing something like military, construction, security, or first responder training. There's little room for error when you're teaching people how to get a dangerous job done right the first time they encounter it in the real world. These are ideal situations for virtual reality for training and much superior to most non-virtual alternatives. Training programs that require this level of quality may require you to find out more about the underlying technology to acquire the ideal experience. One of the best places to start researching VR technologies is by learning about the VR engine itself: this is the software that will run your virtual world. The advantages and weaknesses of these software tools, together with the ability and experience of the development group using them, will establish the grade of your training content and VR experiences.

Unreal is the premier VR engine (in our experience). It generates higher quality visuals and smoother motion than other options. Created by Epic Games, Unreal provides VR content designers and developers access to the full C++ source code. This access provides developers ultimate control and few limitations. However, it will require more experienced talent (advanced 3D designers and skilled developers), but that is ultimately a benefit to the creation of your training content. Find out more about Unreal on their site.

Unity is quite popular, particularly among indie and small-team VR studios. A number of their most significant strengths include an excellent development community and their use of C# and JavaScript, which tend to be fundamental skills for any software engineer. However, Unity doesn't provide access to the source code, which limits high-quality enterprise deployment.

CryEngine is a lesser-known game engine which has been used for VR, but most VR studios will tell you it suffers from an obsolete user interface. The biggest criticisms include disorganized documentation, popularity that seems to be waning, and numerous grey areas within their licensing agreement. Learn more about CryEngine on their site. One interesting note related to CryEngine is that Amazon grabbed a lot of CryEngine engineers and built what some consider the updated version of CryEngine: Amazon Lumberyard.

While all of these virtual reality authoring tools are exceptional, the requirements of your virtual reality for training will inform which of the engines makes the most sense. In the case of PIXO VR, we specialize in and have developed a growing library of safety and high-impact training content for the construction, manufacturing, and energy & utility verticals. We have discovered that, for these training programs, the exceptional visual fidelity and full access to the C++ source code allow for our proprietary fork of the Unreal engine, creating an improvement in the quality of experience over our previous usage of Unity.

Even though this article is about VR software, it is essential we touch on hardware. The virtual reality for training immersive experience is highly dependent on the headset, and your VR hardware requirements can influence your VR software choices. Here's a brief rundown of VR hardware and the ideal virtual reality for training uses of each.

Professional Coaching Content: This headset will deliver some of the most realistic training experiences and leave your employees really asking for more training time. Crazy resolutions, strong hardware, and a lot of sensors make this the preference for business training departments needing highly realistic and detailed VR content.

Windows Mixed Reality: Microsoft has taken a slightly different strategy to the VR headset, using an assortment of hardware manufacturers (HP, Lenovo, Dell, etc.), enabling it to operate on both high-end and more basic desktops. As its name implies, the Mixed Reality headset straddles the fence between VR and AR experiences, accommodating both. Critically, the HP Windows Mixed Reality headset can be paired with the HP Z VR Backpack, a high profile wearable unit that allows for a tetherless VR experience. For pure freedom, the WMR and HP Z cannot be beaten. (If for whatever reason a tetherless experience is not necessary, the HP Z may also be run in a more basic docked, desktop style.)

Oculus Rift: As "the one that started it all", Oculus has been aggressively improving their platforms since the debut of the Rift. While Oculus was one of the first entrants in the VR headset market, they've fought a bit to get out of the R&D and beta phase. Only recently have they become a strong and professional peer competitor to HTC's Vive and Vive Guru models.

The previous three headsets on our list are just recommended as entries to the world of virtual reality, "beginner-level" if you will. All these are supposed to work with your cellular phone and can supply a teasing glimpse into the potential of a much more complete virtual reality. IMPORTANT NOTE: If you are serious about buying a real virtual reality for training experience, buy one of these if you prefer, but understand they are not the last destination of your journey, only the initial steps. If you would like to jump forward to the good things, then contact one of our virtual reality for training experts, and we are going to deliver "the real thing" for you.

Speak with a virtual reality for training expert early: They can cut through all the techno-babble in the market, educate you about the ideal trends and inventions to follow, and help you research the possibilities, opportunities, and ideal areas to introduce compelling new coaching scenarios.

Find a good starting point: Focus on one or two particular areas of training that will benefit from a virtual reality for training (fully immersive and realistic) training atmosphere. Typical starting points are to substitute training that is traditionally dangerous, expensive, or conducive to normal operations.

Content, content, content! This is likely your most important consideration. A fully realized virtual reality for training program will take a good library of training content that meets your training needs, but how can you get exactly what you need? Since many training conditions will require some quantity of custom content creation, it is not necessarily one or the other, custom or premade experiences. Rather, employ a combination of both: existing training modules which may be customized for your requirements. If you're able to find a firm like PIXO VR that delivers an existing library plus a subscription pricing model (and to our knowledge, we are one of very, very few doing so), you can begin much quicker and substantially more affordably by using some nimble, lightweight personalizations that can tailor existing virtual reality for training content to satisfy your own specifications. This averts the sticker shock of starting from scratch with a completely custom VR experience that only you can use. If you want to learn more, ask us about our VR Content Library subscriptions.

As always, PIXO VR is happy to assist you in exploring this fascinating and persuasive new world of training. If you have any questions about virtual reality for training software, content, or hardware, we always enjoy talking shop. Schedule a complimentary consultation with one of our virtual reality for training pros today!
How do I install AppDefense? An overview showing how AppDefense can be deployed and fully functional in 5 easy steps:

1. Physical Deployment: First, deploy the appliance into the vCenter that you will deploy AppDefense to (one per vCenter). After the appliance is deployed, deploy the host module through the AppDefense Manager. Be sure that the VIB is installed on all hosts that will have VMs with AppDefense on them (there is no downtime when installing on the hosts). Finally, install to the guest through VMtools (enable Guest Integrity and plan accordingly, as this requires a reboot of the guest). Check our documentation and blogs for deployment shortcuts and integrations that can be done in this step.
2. Scope and Service Set-up: Next, set up Scopes and Services (Scopes are the datacenter application(s) and Services are the tiers within that application). Add the VMs you have installed AppDefense on into the Services within the Scope. Check our documentation, blogs, and YouTube channel for best practices on setting up Scopes and Services.
3. Discovery: After setting up the Services in a Scope, Discovery Mode is automatically enabled to learn processes and behaviors.
4. Protected Mode: Upon completion of Discovery Mode and any edits to processes and behaviors in the dashboard, the Scope is ready for Protected Mode.
5. Remediation Actions: Once the Scope(s) are in Protected Mode, decide what (if any) remediation actions you would like to set. This is done at the Service level, which allows for more granular control of the actions being taken. (If no remediation actions are set, AppDefense will only alert you when a deviation occurs.)

Once these 5 steps are complete you are fully protected and operational with AppDefense! (For a step-by-step guide please refer to our documentation: VMware AppDefense Documentation.) Happy AppDefending!
In May 2019 security researchers disclosed a vulnerability in Microsoft's Remote Desktop Protocol, named BlueKeep (CVE-2019-0708), which allows for the possibility of remote code execution. In this blog, Barak Raz, Staff Security Researcher at VMware, outlines several methods to defend against the vulnerability and protect your organization's critical data.
VMware: After defragmentation, the Linux system can read the hard disk information, but the partition information cannot be loaded.
VMware AppDefense | May 2019

What's New (May, 2019)

This release of AppDefense improves user experience by adding more intelligence into the product’s ability to clearly delineate between known and malicious behaviors. The number of events is reduced through better detection of process upgrades and existing connections. Additionally, by enabling process execution monitoring by default, AppDefense provides more comprehensive behavior detection and blocking within the environment.

Improved Upgrade Detection
AppDefense has expanded the ways in which it detects when a process has been upgraded. Improving the recognition and verification of upgrades reduces the number of false positive alerts related to new process execution in the environment. The new binary is automatically added to the allowed behavior list, thereby reducing the manual overhead of verifying the upgraded process.

Enhanced Verification of Connections
AppDefense has added capabilities to recognize inbound and outbound connections which were established before the AppDefense Guest Module had been enabled. In this way, AppDefense is able to validate not only new connections, but also existing connections on the system. Additionally, if a rule set is changed, AppDefense verifies that the existing connections do not violate the new rule.

Process Execution Monitoring
The ability to monitor and control execution of process binaries is now enabled by default. This further enhances the ability of AppDefense to verify an application's intended state.

Support for Wildcard in Process Path
AppDefense has introduced support for the wildcard character in the process path for all behaviors in the environment. In many instances, the same process is executed from different paths (such as 32-bit and 64-bit process instances on Windows). Services and behaviors no longer need to account for all such paths, since the wildcard character can now be used to cover this variability.
Support for Appliance Rename and Delete
Users now have the ability to rename the Appliance through the AppDefense Manager. In the case of a testing environment, users can also delete the Appliance and have the updated status appear in the AppDefense Manager.

Change in Terminology from “Alarm” to “Alert”
In order to maintain consistency with terminology used in the industry, AppDefense has changed all references of “Alarm” to “Alert” in the UI and documentation. This makes for clearer communication within organizations and with the AppDefense team.
VMware AppDefense Plug-In 2.2.0 for Platinum Edition | Released 21 May 2019 | Build 13700433

What's New in AppDefense Plug-In

This release provides additional visibility within the AppDefense Appliance and improves the process of setting connectivity status to the AppDefense Manager.

Connectivity Status
The Plug-In now supports only two connectivity modes: SaaS and non-SaaS. The workflow for selecting SaaS connectivity mode has been simplified to a checkbox for enabled/disabled. There is also a text field to provide or alter the AppDefense Manager details from the default value. Additionally, the Appliance UI has been enhanced to show the connectivity status between itself and the AppDefense Manager. This eliminates the need to navigate outside of the Appliance in order to view this information.

Available Upgrades
The Appliance UI now displays information about all available versions and components of AppDefense that can be upgraded to after an upgrade bundle has been uploaded.
AppDefense has automatic responses using vSphere and VMware NSX, including the ability to block process communication, alert, suspend, shut down the endpoint, and snapshot an endpoint for forensic analysis. These remediation actions can be enforced automatically or manually. With AppDefense it is possible to create NSX distributed firewall rules based on the discovered behavior. This configures the necessary micro-segmentation security policies, which are in line with the expected behavior of the application/virtual machine. Remediation actions can be set at the individual service level within the application scopes.

NSX integration with AppDefense avoids the process of manually retrieving Application Dependency Mappings for each application in the datacenter, as it gives greater visibility into every protected VM in the datacenter, including the processes running within the OS and all the inbound/outbound connections made by each process. When an attacker tries to start a new process that is not a “known good” process, AppDefense can block it (within the virtual machine). This means that AppDefense not only offers security at the network level but also at the process level (within the virtual machine).

How is NSX Manager integrated with AppDefense?

As part of the AppDefense appliance registration process, customers are required to register the appliance with the AppDefense Manager and vCenter Server, and it automatically discovers the details of the NSX Managers integrated with that vCenter. Once NSX Manager is registered with the AppDefense appliance, you will notice that it automatically creates a few objects in NSX Manager which are used to perform the remediation action:
NSX Security Tag – AppDefense.AnomalyFound
Security Group – AppDefense Quarantine Group
Security Policy – AppDefense Quarantine Policy
Firewall Rules – block all inbound/outbound traffic from the VM that is quarantined via the security policy

How are remediation actions configured to use NSX?

Within the AppDefense Manager, customers can set the remediation action at the individual service level within the scopes created. This allows the security team to set remediation actions at a more granular level for each service within an application running in the datacenter. Customers can enforce remediation actions for all inbound/outbound connections, Guest OS integrity, and AppDefense module integrity. Currently, Linux OS only supports inbound/outbound connection remediation actions.

What happens when a remediation action is triggered?

Whenever AppDefense notices a new behavior after the scope has been moved into the protected state, it triggers the action configured for the service of which the VM is a member. As part of the remediation action, the NSX security tag is assigned to the VM and the AppDefense Quarantine Policy is applied to the VM to block all inbound/outbound connections from the VM, hence isolating it.

Conclusion

AppDefense takes security from fishing for problems to providing customers with assurance about their security: knowing the processes needed for applications, how they communicate over the network, and the known good state of an application. If there is an anomaly, we can inform users about what is changing, sniff out the changes, and be very proactive so that the app owner can see the security footprint of the app at any time. The close tie to NSX is key to understanding the known good state of an application and taking remediation actions in case of any deviation from that known-good state.
Join us for a live webinar tomorrow, Tuesday, May 21st at 11am Pacific and learn how to simplify application security with VMware AppDefense. You'll learn:

Why a new approach to securing applications is needed
What AppDefense does and how it works
How a real customer is transforming security with AppDefense
See how AppDefense handles a live attack (demo)

Reserve your seat
AppDefense users often ask us about integration with automation tools such as PowerCLI. Automation tools like PowerCLI give VI Admins a convenient way to script out deployments and configuration steps for virtual machines (VMs). While there’s no native integration with this tool today, many of the configuration steps for AppDefense are standard vSphere configurations, and thus we can still use PowerCLI.

One of the most disruptive configuration steps of AppDefense is enabling Guest Integrity on the VMs that you plan to protect. Enabling Guest Integrity via the AppDefense Manager immediately requires a power cycle of the VM, which forces admins to enable Guest Integrity only when they can afford downtime on those VMs.

How is Guest Integrity Configured in VMware AppDefense?

Let’s talk a little bit about what enabling Guest Integrity actually does from a configuration standpoint. When we enable Guest Integrity in AppDefense, a new option called “guestIntegrity.enable” is created in the VM’s configuration file (.vmx) and the value is set to “TRUE”. This can also be done via the UI in the VM Options under Advanced Configuration.

Automate Guest Integrity Enablement

Now, the title of this post indicates automation, so let’s get into PowerCLI and see how we can perform this action across multiple VMs, all without forcing the power cycle. Remember, you will still need to perform the power cycle on all of them later for the change to take effect. Since we know enabling Guest Integrity is just an advanced VM option, we can use the cmdlet “New-AdvancedSetting” to set a new advanced setting on a VM, as in the example below, where the VM is obtained using the “Get-VM” cmdlet:

Get-VM Eric-JumpBox | New-AdvancedSetting -Name 'guestIntegrity.enable' -Value 'true' -Confirm:$false

Now, we have the option to apply this to each and every Windows VM individually, but in my opinion that defeats the point of automation altogether.
Instead, let’s write a simple “foreach” loop to apply this to multiple VMs with a Guest OS type of “Windows”.

# Get VMs
$vms = Get-VM | Where-Object { $_.Guest.OSFullName -match 'windows' }

# Set advanced setting parameter
$param = 'guestIntegrity.enable'

# Loop to enable Guest Integrity on all Windows VMs
foreach ($vm in $vms) {
    $vm | New-AdvancedSetting -Name $param -Value 'true' -Confirm:$false
}

The above code gets all VMs with “Windows” as the Guest OS and places them in the variable $vms. Then I set the advanced setting parameter to a variable called $param. From that point we have all the information to start our loop and add this advanced setting to all Windows VMs. Now to verify, we can run the command below to validate that the parameter has been applied.

Get-VM | Where-Object { $_.Guest.OSFullName -match 'windows' } |
    Select-Object Name, @{Name = "Guest Integrity Enabled"; Expression = { ($_ | Get-AdvancedSetting -Name 'guestIntegrity.enable').Value }}

This can be done to VMs while they are powered on and does NOT force a shutdown at the time of execution. That being noted, a complete power cycle will still be required for the change to take effect, but this offers you more flexibility to schedule your downtime when you can afford to take it.

Conclusion

AppDefense is a data center endpoint security solution that embeds threat detection and response into the virtualization layer, and uses machine learning to ensure virtual machines (VMs) and applications are running in a known-good state. You can use PowerCLI to automate some of the configuration steps required to deploy and use AppDefense today by following the simple steps above. We hope this blog has helped you on your journey to automation with AppDefense; stay tuned for more automation news. If you’re not leveraging AppDefense today, or would like to learn more, please contact sales or visit: https://www.vmware.com/products/appdefense.html.
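As an added example (not Eric's code from this post), the loop and verification above can be folded into one idempotent function that skips VMs already enabled, corrects a stale value in place, supports -WhatIf, and reports which VMs still need their power cycle. It assumes an active Connect-VIServer session with the VMware.PowerCLI module loaded; the function and parameter names are hypothetical, while 'guestIntegrity.enable' and the Get-/New-/Set-AdvancedSetting cmdlets are the real ones.

```powershell
# Added example, not code from the original post. Assumes an active
# Connect-VIServer session and the VMware.PowerCLI module. Function and
# parameter names are hypothetical; 'guestIntegrity.enable' is the real
# advanced setting described above.
function Enable-AppDefenseGuestIntegrity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # VMs to process, typically piped in from Get-VM
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $VM,
        # Regex matched against the guest OS name; Windows only, as in the post
        [string] $GuestFilter = 'windows'
    )
    begin { $setting = 'guestIntegrity.enable' }
    process {
        foreach ($v in $VM) {
            # Guest.OSFullName is empty when VMware Tools is not running,
            # so fall back to the guest OS configured in the VMX.
            $osName = $v.Guest.OSFullName
            if (-not $osName) { $osName = $v.ExtensionData.Config.GuestFullName }
            if ($osName -notmatch $GuestFilter) { continue }

            $existing = Get-AdvancedSetting -Entity $v -Name $setting -ErrorAction SilentlyContinue
            $previous = if ($existing) { $existing.Value } else { '<not set>' }

            if ($existing -and $existing.Value -eq 'TRUE') {
                $action = 'AlreadyEnabled'      # nothing to write, nothing to reboot
            } elseif ($PSCmdlet.ShouldProcess($v.Name, "Set $setting=TRUE")) {
                if ($existing) {
                    # Key exists with another value (e.g. FALSE): update it in place
                    $null = Set-AdvancedSetting -AdvancedSetting $existing -Value 'TRUE' -Confirm:$false
                } else {
                    $null = New-AdvancedSetting -Entity $v -Name $setting -Value 'TRUE' -Confirm:$false
                }
                $action = 'Enabled'
            } else {
                $action = 'Skipped'             # -WhatIf dry run
            }

            [pscustomobject]@{
                Name            = $v.Name
                GuestOS         = $osName
                PreviousValue   = $previous
                Action          = $action
                PowerState      = $v.PowerState
                # The VMX is updated while the VM runs, but the change only takes
                # effect after the power cycle the post describes.
                NeedsPowerCycle = ($action -eq 'Enabled' -and $v.PowerState -eq 'PoweredOn')
            }
        }
    }
}

# Dry run first, then apply and keep the report to schedule downtime
Get-VM | Enable-AppDefenseGuestIntegrity -WhatIf
$report = Get-VM | Enable-AppDefenseGuestIntegrity
$report | Where-Object NeedsPowerCycle | Format-Table Name, PreviousValue, Action, PowerState
```

Because the function emits objects rather than text, the report can be exported (for example with Export-Csv) as the change record for the scheduled power cycles.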
VMware AppDefense separates virtual machines (VMs) into categories called Scopes and Services. A Scope is an application in the datacenter, such as a web application, whereas a Service is a tier of that application. In this example, we could assume, and would be correct, that Services reside within Scopes to model this tiered application architecture. This particular part of the configuration process is where most customers get stuck or ask the question: “is there a right way to set up Scopes and Services?” The answer to that question is a resounding “YES!” Proper Scopes and Services creation is imperative to the correct functionality of VMware AppDefense.

Creating Scopes

So, let’s talk about Scope creation. I’m going to eat my words a little bit and say this is the least important piece to worry about configuring correctly. This is because VMs reside in the Services created within a Scope, and product functionality such as allowed behaviors applies only within the context of Services. Discovery Mode and Protected Mode are set at the Scope level, whereas remediation actions are set at the Service level. The primary use for Scopes is to organize your internal applications. Let’s say, for example, that I am a company that hosts a web application and that I have the following applications protected by AppDefense:

Web Application
Internal email server
Internal team chat tool

In the above scenario I would configure one Scope per application. I would then have a Scope called “Web Application,” a Scope called “Email,” and a Scope called “Team Chat.” The above image shows what this would look like in the AppDefense SaaS Manager. Organizing Scopes in this way allows you to better identify Services (tiers) for those applications and the VMs that will belong to those Services.

Creating and Configuring Services

Services are where it’s really important to plan out your categorization and organization.
Two items will be in Services: (1) VM(s), which we call “Members,” and (2) learned processes and behaviors. Best practice when it comes to adding members is to have homogeneous members; that is to say, each and every Service should ONLY contain VMs that are performing identical or very similar functions and processes. Let’s use the Web Application example from above and assume that your web application is an n-tier architecture application. This means you would probably have a Database Tier, Web Tier, and Application Tier. It would look something like the diagram below.

In the diagram above we see it’s an n-tier architecture because the various components required to run it all reside on different VMs. Now, if we were to create one Service and throw these three functionally different VMs into it, what would happen? Since Services are treated as homogeneous, as mentioned above, the learned behaviors from each of the VMs would apply to the other VMs as well. This would mean that your web VM’s behaviors would apply to, and be allowed on, your database VM. This obviously is not ideal, since we would not want web VM behaviors on a database VM. Therefore, the correct way to set up AppDefense for this type of application is a single Scope with three unique Services. Configuring Services this way ensures that the behaviors learned in a Service apply to the VMs, and ONLY the VMs, that have identical or similar functions. The screenshot below shows the Scope “Web Application” containing three Services: “App,” “Database,” and “Web.” We would then add the VMs from each tier in the diagram above into the corresponding Service. If you had two VMs per tier, i.e. two database VMs etc…, you would add both database VMs into the Database Service because they perform identical functions.
Additionally, if you were to add more VMs to an application tier, you could add each new VM into its corresponding Service, and because the behaviors that occur on this newly added VM have already been learned by the Service, you would not need to go back into Discovery Mode again.

We’ve covered both Scopes and Services creation here. Services creation just takes a little thought and planning, but once properly configured it will make managing your virtual environment’s security much easier!

Conclusion

AppDefense is a data center endpoint security solution that embeds threat detection and response into the virtualization layer and uses machine learning to ensure virtual machines (VMs) and applications are running in a known-good state. Correct configuration of Scopes and Services is essential to proper product functionality. We hope this blog helps you better understand the methodology required when setting these up. If you’re not leveraging AppDefense today, or would like to learn more, please contact sales or visit: https://www.vmware.com/products/appdefense.html. For more documentation on VMware AppDefense please refer to the VMware AppDefense Documentation.
Check out Eric Huber's latest post on automating guest integrity enablement for VMware AppDefense and learn how to leverage automation tools like PowerCLI. Read the blog > Learn more about VMware AppDefense >
Get the benefits of a full conference pass, without actually attending the show! VMware Staff Security Researcher, Barak Raz shares highlights from the RSA Conference 2019 - check his latest post to the VMware Security Products blog - What You Missed at RSA Conference 2019 - VMware Security. Read more > https://blogs.vmware.com/vmwaresecurity/2019/04/22/what-you-missed-at-rsa-conference-2019/