You don’t have to be an IT pro to know that there’s an urgent need for some new ideas in security. And if you’re not yet convinced, a concise summary of some of the headline-grabbing breaches of the last few years will probably make the case.
For years you could broadly describe the way most security products work as “chasing the threat.” In looking for signs of trouble, they rely either on signatures, which quickly go stale, or on behavioral models, which are often flawed. Both approaches leave a lot of IT pros wishing for a better way.
Meanwhile security spending by large companies is on the rise around the world according to a recent estimate by Gartner, yet it seems not to be making much difference. The likelihood that an organization will suffer a material security breach in the next 24 months has increased according to an estimate by the Ponemon Institute. And the average cost of a breach has risen to $3.6 million or about $141 per record stolen, and often higher depending on the kind of data involved.
It’s no surprise then that the appetite in the marketplace for new approaches is strong. Last year venture capitalists poured $3.1 billion into security startups, an all-time record according to CB Insights.
I got to talking about this state of affairs last week with Tom Corn, senior VP for security products at VMware. His contention is simple: At a time when most applications are running on virtual machines in public and private clouds, we’re often not protecting the right things.
The typical security product tends to generate alerts intended to raise an alarm about activity that may indicate an attack. Usually there are too many alerts for any person to track, and many of them are false positives that turn out not to be attacks at all. This means the alerts that do indicate real attacks often go unnoticed until it’s too late. Other times, sneakier attackers will turn off the systems designed to raise an alarm altogether, meaning it may be months before a breach is detected at all.
“Against that backdrop, it’s hard — impossible almost — to ever get ahead of the threats,” Corn says.
This week VMware announced a new security product called AppDefense that takes advantage of its dominant presence in the server virtualization market. And it uses that leverage to bring two fundamental precepts to cloud environments.
The first is the “known good state.” This is the state an application is in when it is running normally and as intended.
“Once you’ve defined what that means, you can decide what to do when it’s no longer running in that known good state,” Corn says.
The second is an old idea in computer security, the principle of least privilege. Basically it states that an application or process is allowed to access only the resources it needs to run and nothing more. From the point of view of an attacker, compromising the app yields access only to the resources and data the app was already permitted to reach, and nothing beyond them. That makes it a less tempting target.
“When done correctly it’s an incredibly powerful idea,” Corn said. “If you allow an app to do something it doesn’t need to do, you’re only creating more risk. Least privilege takes a lot of that risk off the table.”
Putting those precepts in place, Corn says, reduces the attack surface, giving an attacker fewer options to exploit. It also makes an attack easier to detect, because anything outside the known good state stands out.
Also easier is the collaboration between security teams and developers, both of which have a stake in the “ownership” of an app. Corn likened it to the relationship between parents and pediatricians.
“The doctor is an expert on illnesses the same way a security team is made up of experts on threats,” he said. “Doctors basically say two things: Create a safe environment, and know what’s normal for your kid.”
Developers know their app’s normal behavior in much the same way that parents know what’s normal for their kid and can quickly tell when something’s amiss. Their temperature is up, or they’re crying more than usual. They know their kid’s known good state.
Corn’s analogy goes further: Watching for deviations from the child’s normal state makes it easier to identify an illness when it happens, rather than test for every possible condition that a kid may have all the time. The same is true of cloud applications.
And what happens when an attack does get through? Since AppDefense is baked into the virtualized infrastructure, it’s easy to craft an automated response that can move faster than any human can. Communications to and from the process can be blocked in a quarantine. The process can be frozen in place for forensic analysis later. It can even be shut down.
AppDefense will be delivered as a cloud service, regardless of where the apps it protects are running, including on public and private clouds. This will allow VMware to quickly add more features. It also makes it easy for customers to deploy.
It also integrates with vSphere, VMware’s hypervisor, and with its NSX virtual networking platform. That visibility into what’s going on in the hypervisor allows for the automated collection of the “known good state” data that can be used to design security policies finely tuned to protect an application.
That information is collected into what Corn described as an “application manifest,” essentially a detailed list of everything that’s known about the application in its good state. If it’s been patched or updated with new features, those changes are in the manifest. Everything about the application is observed.
“If someone patches it, that’s observed and it goes in the manifest. If malware has been used to manipulate how it’s running, and what’s running doesn’t match what’s in the manifest, then AppDefense can automate a response.”
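To make the manifest cycle concrete, here is an added example, not AppDefense code and not from VMware, of the three moves Corn describes: learn a known good state (which binaries run, and which hosts and ports each process talks to), fold an approved patch into the manifest so the new binary is not treated as a deviation, and map each kind of deviation to one of the responses mentioned above (quarantine, freeze for forensics, shut down). The process paths, the constructed “binary” contents being hashed, the observations, and the severity-to-response mapping are all assumptions chosen for the illustration; a real deployment would hash the actual files and observe actual connections.

```python
"""Manifest-based 'known good state' check: an added illustration, not AppDefense
code. Process paths, hashed sample 'binaries', observations and the response policy
are assumptions made for this example."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """A binary's identity is its content hash, not its path or name."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for binaries on disk (in practice, hash the real files).
NGINX_V1 = sha256_hex(b"nginx build 1 (constructed sample)")
NGINX_V2 = sha256_hex(b"nginx build 2 (constructed sample, after patch)")
WORKER_V1 = sha256_hex(b"queue worker build 1 (constructed sample)")


@dataclass(frozen=True)
class Observation:
    """One snapshot from the hypervisor's vantage point: which binary a process
    runs and which (host, port) pairs it talks to."""
    process: str
    binary_hash: str
    connections: frozenset


def build_manifest(observations):
    """Learning phase: fold every observation of the app in its known good state
    into a manifest of permitted binaries and permitted connections per process."""
    manifest = {}
    for obs in observations:
        entry = manifest.setdefault(obs.process, {"hashes": set(), "connections": set()})
        entry["hashes"].add(obs.binary_hash)
        entry["connections"].update(obs.connections)
    return manifest


def record_patch(manifest, process, new_hash):
    """An approved patch is observed and added to the manifest, so the new
    binary becomes part of the known good state instead of a deviation."""
    manifest[process]["hashes"].add(new_hash)


# Assumed response policy: which action each deviation triggers is a choice
# made for this example, not a rule taken from the product.
RESPONSE = {
    "unexpected_connection": "quarantine",  # block traffic to/from the process
    "binary_changed": "freeze",             # suspend in place for later forensics
    "unknown_process": "shutdown",          # nothing in the manifest allows it
}


def verify(manifest, obs):
    """Enforcement phase: return a (kind, detail, action) tuple for every way the
    observation deviates from the manifest. An empty list means 'known good'."""
    entry = manifest.get(obs.process)
    if entry is None:
        return [("unknown_process", obs.process, RESPONSE["unknown_process"])]
    deviations = []
    if obs.binary_hash not in entry["hashes"]:
        deviations.append(("binary_changed", obs.process, RESPONSE["binary_changed"]))
    # Least privilege on the network: any destination not seen in the good state
    # is outside what the process needs and is reported.
    for host, port in sorted(obs.connections - entry["connections"]):
        deviations.append(("unexpected_connection",
                           f"{obs.process} -> {host}:{port}",
                           RESPONSE["unexpected_connection"]))
    return deviations


def sample_manifest():
    """Manifest learned from constructed observations of a two-process app."""
    learned = [
        Observation("/usr/sbin/nginx", NGINX_V1, frozenset({("10.0.0.20", 8080)})),
        Observation("/usr/sbin/nginx", NGINX_V1,
                    frozenset({("10.0.0.20", 8080), ("10.0.0.21", 8080)})),
        Observation("/opt/app/worker", WORKER_V1, frozenset({("10.0.0.30", 5432)})),
    ]
    return build_manifest(learned)


if __name__ == "__main__":
    manifest = sample_manifest()
    # A manifested process that suddenly talks to a host it never needed.
    suspicious = Observation("/opt/app/worker", WORKER_V1,
                             frozenset({("10.0.0.30", 5432), ("203.0.113.7", 4444)}))
    for kind, detail, action in verify(manifest, suspicious):
        print(f"{kind}: {detail} -> {action}")
```

The point of hashing rather than matching on path is the manifest line in the quote above: a binary that has been manipulated in place keeps its name but not its digest, so it fails `verify` until an approved patch is recorded with `record_patch`. Connections are treated the same way: a destination the process never needed in its good state is a deviation, which is least privilege expressed as an allowlist rather than a blocklist.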
And that, Corn says, opens the door to a more automated approach to infrastructure overall. “There’s a whole variety of actions that a security team might want to take that usually require a bunch of manual actions on their part,” he said. “Automation speeds up the response.”
In the end, Corn says, attacks are going to happen. “It comes down to ensuring the known good state,” which he says AppDefense does. “When you’re sure about that, then it’s a lot easier to notice an attack when it happens.”