4 Replies Latest reply on Sep 30, 2019 12:13 PM by ephuber

    AppDefense On-Prem vs SaaS on vCenter without NSX

    KevBot Lurker

      My customer refuses to purchase NSX, but insists on solutions in the hypervisor for AV, Application Whitelisting, and whatever else they can get their hands on. Currently On-Prem, but will be moving to Azure next year.

       

      My overarching question is: Without NSX, is AppDefense+CB Defense worth spending money on? Consider On-Prem, SaaS, and Cloud (Azure/AWS).

       

      The Doc page has a lot of information, but there are gaps in information or there weren't answers.

       

      I apologize for the litany of questions, but it's a new product and I want to make sure it will do what my customer expects it to do. Thanks everyone!

       

      I know the CB Defense Connector uses threat reputation and can stop processes. My questions are:

      • Can AppDefense+CB Defense run on vCenter alone?
      • Can AppDefense+CB Defense run agentless without NSX?
      • How effective is application whitelisting on an agentless endpoint?
      • How does AppDefense+CB Defense handle unknown file reputations? Does it have self-approval?
      • How does it handle Windows Patch Weekend? Windows Updater likes to spawn unsigned PowerShell scripts in different directories, making it really hard to isolate and whitelist the process stream.
      • Does it offer Memory Protection?
      • Is there an inventory function?
      • How effective is AppDefense+CB Defense agentless with NSX vs vCenter + Guest Module Agent?
      • Does the AppDefense SaaS offering run agentless? Does it require NSX?
      • How does the effectiveness/performance compare to other vendors such as Symantec EP, McAfee ENS/App Control, Trend Micro Deep Security?
        • 1. Re: AppDefense On-Prem vs SaaS on vCenter without NSX
          ephuber Novice
          VMware Employees

          Hello KevBot

           

          Thanks for your questions surrounding AppDefense. I will outline the answers to your questions in-line below, but first I wanted to clarify something. AppDefense and CB are two different products and as such will perform independently of each other as well as have different architectural requirements. Just keep this in mind as I answer your questions below.

           

          One thing to keep in mind is I'm sure you've heard of our intent to acquire CB. As that deal has not gone through, we are two separate companies with two separate product offerings. Once we get to close on that deal, we look forward to being able to share some more details on thoughts about integration.

           

          Take a look at the answers below and let me know if you have any additional questions. You can also hit us up in our Slack channel #appdefense for questions. I'm one of the Solution Architects on the AppDefense team, and that Slack channel also has the PMs for AppDefense in it as well.

           

          Thanks!

           

          • Can AppDefense+CB Defense run on vCenter alone?
            • AppDefense does have an offline version that can work without SaaS, but you do require vSphere Platinum for this functionality to prove beneficial, as you'll only get the vCenter plugin with that version of vSphere. You also lose out on certain functionalities when running in purely offline mode in vSphere Platinum. Keep an eye out on VMware's Security Blog for an upcoming post by my colleague nishus on exactly what functionalities you lose out on by running in purely on-prem mode.

          • Can AppDefense+CB Defense run agentless without NSX?
            • AppDefense is able to run agentless without NSX. AppDefense is a completely separate product from NSX and is thus agnostic to NSX being present. The only added functionality you get today with NSX integration is the ability to quarantine a VM as a remediation action in AppDefense. AppDefense has the ability to see, report, alert and take remediation actions all without the presence of NSX.

          • How effective is application whitelisting on an agentless endpoint?
            • Could you provide some more clarity on this question? The way whitelisting works in AppDefense is to assist in the classification of alerts that are generated. AppDefense is a Zero Trust product, which means it learns the intended state (all the behaviors) of a VM/Application and then locks down the manifests of those behaviors and alerts on any deviation. When an alert is generated it goes through a classification process to assign a severity to that alert. Whitelisting a hash in AppDefense serves to help classify an alert associated with that hash down to a lower severity.

          • How does AppDefense+CB Defense handle unknown file reputations? Does it have self-approval?
            • AppDefense integrates with CB to provide a Trust or Threat score to a process. This is indicated by a number value ranging from 0-10 for both scores. If a process shows up that has no reputation score associated with it, AppDefense takes that into consideration when classifying that alert. That is to say, if there are no scores at all for a particular process and we have not verified that process through our own social assurance (Machine Learning), AppDefense may assign a higher severity to an alert associated with that hash.

           

          • How does it handle Windows Patch Weekend? Windows Updater likes to spawn unsigned powershell scripts in different directories. Making it really hard to isolate to whitelist the process stream.
            • AppDefense has built-in logic to detect if a process is changing as a result of a patch or upgrade. It might trigger alerts at the moment, but AppDefense will know after classification that it was a change in behavior due to an upgrade and then take appropriate measures to ensure that it's not alerted on again.

          • Does it offer Memory Protection?
            • We have the ability to detect Guest OS Integrity issues, and one of the checks we are looking for is page file tampering. If we detect any kind of tampering at all, we automatically throw a critical alert.

          • Is there an inventory function?
            • Could you elaborate on this a little more? In the AppDefense SaaS manager, you have the ability to see all the ESXi hosts and VMs that are part of the vCenter that you registered AppDefense with. This is how you install the ESXi host module and add VMs to Scopes and Services.

          • How effective is AppDefense+CB Defense agentless with NSX vs vCenter + Guest Module Agent?
            • AppDefense + CB Defense provides great coverage and together can effectively protect against the majority of threats out there. Threats are constantly evolving and we are evolving with them. AppDefense, by providing those Zero Trust protections, is the most effective solution to protect against said threats, and with the addition of CB Defense you just add that additional layer of protection! I should note that today CB Defense is not an agentless solution because it's a completely different product and it requires an agent to be installed, if I remember correctly. The guest module you refer to is part of VMware Tools and is a feature that just has to be enabled; it is included by default in VMtools 10.3.2 and above.

           

          • Does the AppDefense SaaS offering run agentless? Does it require NSX?
            • AppDefense is agentless both on-prem and SaaS. The feature which provides network and process attestation is built directly into VMtools. It's disabled by default and has to be enabled, but it's already built into VMtools. AppDefense does NOT require NSX to function.

          • How does the effectiveness/performance compare to other vendors such as Symantec EP, McAfee ENS/App Control, Trend Micro Deep Security?
            • AppDefense is not an EDR replacement today, and as such comparing it to these other vendors is not black and white. AppDefense is a zero trust application which protects the known good rather than chasing bad (known signatures). It's inherently different from the products above. CB Defense, on the other hand, is an EDR/Endpoint protection tool which compares very highly and favorably to the above programs, and it does integrate with AppDefense so that alerts coming from CB Defense get piped into AppDefense for a single management interface.
          1 person found this helpful
          • 2. Re: AppDefense On-Prem vs SaaS on vCenter without NSX
            KevBot Lurker

            Thank you ephuber! I appreciate your detailed responses. I have some additional questions and some clarifications for you:

             

            Again, I appreciate everything; this has been very helpful. I'm excited for the product, but want to make sure it's functional for the customer's environment before I start uprooting existing vendors.

             

            My current understandings:

            • On-Prem AppDefense can function normally without NSX; the only requirement is vCenter. The only functional benefit to NSX is for VM quarantine.
            • AppDefense can monitor Inbound/Outbound Communications of applications whitelisted, and take action against deviations from the whitelisted applications.
            • The Guest Module is an endpoint agent that monitors OS integrity, processes, and applications.
            • Remediation functions for On-Prem include: Alert, Report, Block, Suspend, Snapshot, and Shut-down.
            • AppDefense integrates with CB Defense for threat reputation only, currently. CB Defense is a separate product with its own features.

             

            That's my take away so far. Is this correct?

             

            Clarification/Additional Questions:

            • What I mean by Application Inventory function is that it is a function that collects a list of applications and files on the endpoint and compares them through their respective vendor's machine learning intelligence (McAfee's GTI/TIE, Symantec AML/Insight, etc.). Once inventory has been established for endpoints and trusted/blocked, that trusted whitelisted policy can be applied to other endpoints in their respective groups. There's also a feature for Image Deviation, which reports/responds to, as the name suggests, deviations from the gold image configured. Does AppDefense work in a similar fashion to the above?
            • Your answer about memory protection suggested it monitors the pagefile. Does AppDefense monitor the RAM on the endpoint and respond to fileless malware threats?
            • CB Defense, being a separate product, requires its own agent to be installed on the endpoint. It cannot be run agentless? Or does it have an agentless version?
            • What are the features/function loss when moving to an Agentless AppDefense? I will follow nishus for the blog post and read up on that blog post, for sure. Thank you for that. Still, it's worth it to me to ask these questions anyway. Never hurts to ask, right?
            • Is monitoring Inbound/Outbound communication the primary vector for identifying process behavior?
            • I'm still unclear as to how the Agentless AppDefense version monitors Applications from the Hypervisor level. Does On-Prem Agentless match functionality of SaaS?
            • 3. Re: AppDefense On-Prem vs SaaS on vCenter without NSX
              ephuber Novice
              VMware Employees

              Happy to help KevBot! As with the first post, please find my response in-line below.

               

               

              My current understandings:

              • On-Prem AppDefense can function normally without NSX; the only requirement is vCenter. The only functional benefit to NSX is for VM quarantine.
                • This is correct.
              • AppDefense can monitor Inbound/Outbound Communications of applications whitelisted, and take action against deviations from the whitelisted applications.
                • I want to make sure that we understand that the term "Whitelist" purely means to Classify Down. Meaning classify alerts from a hash with a lower severity. Whitelisting does NOT mean "Allow". AppDefense can monitor inbound/outbound connections from Processes within a VM. It also has the ability to monitor processes on a VM even if they don't make an inbound/outbound connection. AppDefense has the ability to take action on process and inbound/outbound connections that deviate from the learned behavior.
              • The Guest Module is an endpoint agent that monitors OS integrity, processes, and applications.
                • This is partially correct. The Guest Module is a feature of VMtools. This is how we can claim that AppDefense is agentless because the feature lives in VMtools. You are correct that the AppDefense module monitors processes and network behavior. OS Integrity is a separate driver in the latest version of VMtools (VMtools 11) but shares a driver with the guest module in prior versions of VMtools.
              • Remediation functions for On-Prem include: Alert, Report, Block, Suspend, Snapshot, and Shut-down.
                • You are correct that these remediation actions are the ones available in AppDefense. On-prem might be a little misleading. You can only manage the remediation actions from within the AppDefense SaaS Manager.
              • AppDefense integrates with CB Defense for threat reputation only, currently. CB Defense is a separate product with its own features.
                • This is mostly correct. We integrate with Carbon Black's threat database to assign threat/trust scores to hashes. We also integrate specifically with CB Defense to ingest their alerts. So, if CB Defense throws an alert, then it will also show up in the AppDefense SaaS manager.

               

               

              Clarification/Additional Questions:

               

              • What I mean by Application Inventory function is that it is a function that collects a list of applications and files on the endpoint and compares them through their respective vendor's machine learning intelligence (McAfee's GTI/TIE, Symantec AML/Insight, etc.). Once inventory has been established for endpoints and trusted/blocked, that trusted whitelisted policy can be applied to other endpoints in their respective groups. There's also a feature for Image Deviation, which reports/responds to, as the name suggests, deviations from the gold image configured. Does AppDefense work in a similar fashion to the above?
                • AppDefense performs similarly, but not in the same way as what you're describing above. AppDefense has the ability to compare the learned behaviors (process/network connections) with all of the data that we gather from every AppDefense customer and validate if that behavior is a verified behavior. What we don't do is automatically allow that behavior on that endpoint or any other endpoint.
              • Your answer about memory protection suggested it monitors the pagefile. Does AppDefense monitor the RAM on the endpoint and respond to fileless malware threats?
              • CB Defense, being a separate product, requires its own agent to be installed on the endpoint. It cannot be run agentless? Or does it have an agentless version?
                • Today, I do not believe they have an agentless solution but you would have to check with Carbon Black on that particular question.
              • What are the features/function loss when moving to an Agentless AppDefense? I will follow nishus for the blog post and read up on that blog post, for sure. Thank you for that. Still, it's worth it to me to ask these questions anyway. Never hurts to ask, right?
                • AppDefense is always agentless. There is never an agent with AppDefense. There are two different versions of AppDefense. AppDefense SaaS and AppDefense Offline. There's actually a third version as well but for the intent of this conversation we'll focus on these two. AppDefense SaaS is the fully featured AppDefense product. This gets you access to the AppDefense SaaS manager hosted in the cloud. This is where you manage your AppDefense environment including creation of scopes and services, seeing alerts and events, setting remediation actions and more. AppDefense Offline only works with vSphere 6.7u1 and higher and only allows you to see process information plus a couple of other items directly from within vCenter.
              • Is monitoring Inbound/Outbound communication the primary vector for identifying process behavior?
                • We can see all process behavior whether that process makes a network connection or not. We also see the Command Line Arguments (CLI) that the process is executing to perform a specific behavior.
              • I'm still unclear as to how the Agentless AppDefense version monitors Applications from the Hypervisor level. Does On-Prem Agentless match functionality of SaaS?
                • This is where I think there's some confusion regarding agentless and on-prem. As mentioned above, AppDefense is always agentless. We are able to use the hypervisor for communication with VMs via the VMCI channel and thus do not need any networking requirements to communicate with VMs. This is also how we can be agentless because the ESXi host has visibility into the VMs that are running on it.

               

               

              I hope this helped answer your additional questions! I'm sure there will be more, but what I highly recommend is following the VMware Security Blog space, where my colleagues and I regularly post content. Also check out our YouTube channel here: VMware AppDefense - YouTube. There's also a quickstart guide that our team developed here: VMware AppDefense - VMware AppDefense Quick Start Guide.

               

              That quickstart guide has a page with helpful links with a lot of content to review that should also help in understanding how AppDefense works.

               

              Thanks so much for your interest in AppDefense.
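              The two ephuber replies above describe one mechanism: learn a VM's intended state (which hashes run, with which command lines, making which inbound/outbound connections), lock that manifest down, alert on any deviation, then classify each alert using a 0-10 trust/threat score where an unknown hash pushes severity up, a whitelisted hash only classifies the alert down (it never means "allow"), and a hash that changed under an otherwise unchanged process is treated as a likely patch. The toy below is an added example that is not AppDefense or Carbon Black code and does not use their data formats; the REPUTATION table, the score thresholds, the severity-to-action policy and the sample events are all constructed assumptions so that the example runs offline and the classification decisions can be followed end to end.

```python
"""Toy learn / lock-down / classify monitor modelled on the behavior described in the thread.

Constructed example only: not AppDefense code, not the real reputation feed, and the
thresholds below are assumptions chosen to make the classification outcomes visible.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SEVERITIES = ["info", "low", "medium", "high", "critical"]

# Assumed stand-in for the hash reputation feed: hash -> (trust, threat), each 0-10.
REPUTATION: Dict[str, Tuple[int, int]] = {
    "sha256:aaa": (9, 0),   # well-known good binary
    "sha256:bbb": (1, 9),   # known malicious binary
}

Connection = Optional[Tuple[str, str, int]]   # ("in"|"out", peer, port) or None


@dataclass(frozen=True)
class ProcessEvent:
    vm: str
    image_path: str
    process_hash: str
    cmdline: str            # command-line arguments are part of the learned behavior
    connection: Connection = None   # None: the process ran but made no connection

    def behavior(self) -> Tuple[str, str, str, Connection]:
        return (self.image_path, self.process_hash, self.cmdline, self.connection)


@dataclass
class Alert:
    vm: str
    event: ProcessEvent
    severity: str
    reason: str
    action: str


class BehaviorMonitor:
    def __init__(self, whitelist: Optional[Set[str]] = None,
                 policy: Optional[Dict[str, str]] = None) -> None:
        self.manifests: Dict[str, Set[Tuple[str, str, str, Connection]]] = {}
        self.whitelist: Set[str] = set(whitelist or ())   # classify DOWN, never "allow"
        # severity -> remediation action; anything not listed is just alerted on
        self.policy = policy or {"critical": "suspend", "high": "snapshot"}

    def learn(self, ev: ProcessEvent) -> None:
        """Learning phase: record the behavior as part of the VM's intended state."""
        self.manifests.setdefault(ev.vm, set()).add(ev.behavior())

    def classify(self, ev: ProcessEvent) -> Tuple[str, str]:
        """Assign a severity to a deviation from the learned manifest."""
        learned = self.manifests.get(ev.vm, set())
        rep = REPUTATION.get(ev.process_hash)
        if rep is None:
            sev, why = "high", "no reputation score for hash"          # unknown -> higher
        else:
            trust, threat = rep
            if threat >= 7:
                sev, why = "critical", f"threat score {threat}"
            elif trust >= 7:
                sev, why = "low", f"trusted hash (trust {trust}) outside learned manifest"
            else:
                sev, why = "medium", f"ambiguous reputation trust={trust} threat={threat}"
        # Crude patch heuristic (assumption): same image, command line and connection as a
        # learned behavior, only the hash changed -> probably an upgrade, not an intrusion.
        same_shape = any(b[0] == ev.image_path and b[2] == ev.cmdline and b[3] == ev.connection
                         for b in learned)
        if same_shape and sev != "critical":
            sev, why = "medium", why + "; hash changed for a known image (possible patch)"
        if ev.process_hash in self.whitelist:   # whitelist = classify down one level, still alert
            sev = SEVERITIES[max(0, SEVERITIES.index(sev) - 1)]
            why += "; classified down by whitelist"
        return sev, why

    def observe(self, ev: ProcessEvent) -> Optional[Alert]:
        """Protect phase: no alert for learned behavior, classified alert for any deviation."""
        if ev.behavior() in self.manifests.get(ev.vm, set()):
            return None
        sev, why = self.classify(ev)
        return Alert(ev.vm, ev, sev, why, self.policy.get(sev, "alert"))


def demo() -> List[Optional[Alert]]:
    """Constructed sample: one web-tier VM learned, then six protect-phase events."""
    mon = BehaviorMonitor(whitelist={"sha256:ccc"})
    web, cmd = "C:\\inetpub\\w3wp.exe", "w3wp.exe -ap DefaultAppPool"
    mon.learn(ProcessEvent("web01", web, "sha256:aaa", cmd, ("in", "0.0.0.0", 443)))
    mon.learn(ProcessEvent("web01", web, "sha256:aaa", cmd, ("out", "10.0.0.5", 1433)))
    events = [
        ProcessEvent("web01", web, "sha256:aaa", cmd, ("out", "10.0.0.5", 1433)),      # learned: no alert
        ProcessEvent("web01", web, "sha256:aaa", cmd, ("out", "203.0.113.7", 4444)),   # new peer, trusted hash
        ProcessEvent("web01", web, "sha256:new", cmd, ("in", "0.0.0.0", 443)),         # hash changed, likely patch
        ProcessEvent("web01", "C:\\Windows\\Temp\\x.exe", "sha256:zzz", "x.exe -q"),   # unknown, no network
        ProcessEvent("web01", "C:\\Windows\\Temp\\y.exe", "sha256:bbb", "y.exe", ("out", "198.51.100.9", 443)),
        ProcessEvent("web01", "C:\\Tools\\ps.exe", "sha256:ccc", "ps.exe"),            # whitelisted: still alerted
    ]
    return [mon.observe(e) for e in events]


if __name__ == "__main__":
    for a in demo():
        print("ok" if a is None else f"{a.severity:8} {a.action:8} {a.event.image_path}: {a.reason}")
```

              Two points the run makes visible: the process that never opens a connection (x.exe) is still caught, because the manifest is keyed on the process and its command line, not only on network activity; and the whitelisted ps.exe still produces an alert, one level lower than an unknown hash would get, which is the "classify down, not allow" semantics ephuber describes. The patch heuristic is the weakest part of the model and is only a placeholder for whatever logic the product actually applies.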

              • 4. Re: AppDefense On-Prem vs SaaS on vCenter without NSX
                ephuber Novice
                VMware Employees

                Hey KevBot, just checking to see if you had any additional questions. If so, I'd also be happy to set up a call with you, as that might be a little easier than continuing via the forum, but I want to make sure you get all the questions you need answered.

                 

                Thanks!