As technologists, security is a part of our daily lives. If it isn’t, it should be. After all, just look at the recent ransomware outbreaks that have made the news headlines.
Now, let’s grossly simplify how some security software works. Many times, when we’re using a security product, it has a definition database. This database, which should be updated very, very regularly, contains information on what things should NOT be allowed to run on a system. The problem is, if a virus isn’t in our database, we are vulnerable to it. If we don’t update our database quickly enough, we are also vulnerable to it. While this is a gross simplification, this practice of NOT allowing things to run is commonly known as blacklisting.
Another way to handle this would be to look at a system and determine what is normal behavior, or what should be allowed to run. When we specifically say what is allowed to run, we are whitelisting the components of the system. If a new virus finds a way onto our system, it will not be allowed to run, since its behavior is different from the normal state of the system (again, an oversimplification).
By leveraging automation in conjunction with VMware vSphere, appropriate action can quickly be taken on virtual machines which deviate from their normal behavior patterns. For example, a workflow may shut down a virtual machine that appears to be infected, then deploy a new clean virtual machine in its place.
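The contrast between the two models, and the replace-on-deviation response, can be sketched as follows. This is an added example, not VMware or AppDefense code; the VM name `web-01`, the event fields, the port baseline and the sample "binaries" are all constructed assumptions.

```python
import hashlib
from typing import List, Optional

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for file contents (not real binaries).
NGINX, KNOWN_BAD, NEW_BAD = b"nginx-build", b"old-ransomware", b"new-ransomware"

# Blacklist: hashes of things that must NOT run (the definition database).
DENYLIST = {sha256(KNOWN_BAD)}

# Whitelist: the VM's normal state, as binary hash -> allowed outbound ports.
BASELINE = {sha256(NGINX): {8080}}

def blacklist_allows(event: dict) -> bool:
    """Default-allow: block only what the database already knows about."""
    return event["sha256"] not in DENYLIST

def whitelist_deviation(event: dict) -> Optional[str]:
    """Default-deny: return a reason if the event leaves the baseline."""
    allowed_ports = BASELINE.get(event["sha256"])
    if allowed_ports is None:
        return "unknown binary"
    if event["dst_port"] not in allowed_ports:
        return "unexpected outbound port %d" % event["dst_port"]
    return None

def plan_action(vm: str, events: List[dict]) -> dict:
    """Cattle-style response: any deviation means replace the VM."""
    reasons = [whitelist_deviation(e) for e in events]
    reasons = [r for r in reasons if r is not None]
    action = "shutdown_and_redeploy" if reasons else "none"
    return {"vm": vm, "action": action, "reasons": reasons}

# Constructed events observed on the hypothetical VM "web-01".
EVENTS = [
    {"sha256": sha256(NGINX), "dst_port": 8080},   # normal behavior
    {"sha256": sha256(NEW_BAD), "dst_port": 443},  # in no database yet
    {"sha256": sha256(NGINX), "dst_port": 445},    # known binary, odd behavior
]

if __name__ == "__main__":
    for e in EVENTS:
        print(blacklist_allows(e), whitelist_deviation(e))
    print(plan_action("web-01", EVENTS))
```

The blacklist lets all three events through because none of the hashes is in its database yet, while the whitelist flags both the unknown binary and the known binary acting outside its baseline.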
This ties into the constant discussion of pets versus cattle. While we are used to our virtual machines being pets (requiring antivirus definitions to be updated on a regular basis, among other things), virtual machines are starting to become more like cattle. As applications are re-architected in a distributed manner, sometimes we simply don’t care about the virtual machine itself, only the function it performs. In this case, the model of killing an infected virtual machine and deploying a new one in its place makes a lot of sense.
I’m looking forward to finding out more about this offering, especially integration into the vSphere ESXi hypervisor itself. At launch, VMware has announced several partners which will integrate with AppDefense, such as IBM Security, Carbon Black, RSA, SecureWorks, and Puppet.
You can find out more about VMware AppDefense on the VMware site.