You don't have to be an IT pro to know that there's an urgent need for some new ideas in security. And if you're not yet convinced, a concise summary of some of the headline-grabbing breaches of the last few years will probably make the case.

For years you could broadly describe the manner in which most security products work as "chasing the threat." In looking for signs of trouble, they may rely on signatures that can easily become outdated, or on behavioral models that may be flawed. Both approaches leave a lot of IT pros wishing for a better way.

Meanwhile, security spending by large companies is on the rise around the world according to a recent estimate by Gartner, yet it seems not to be making much difference. The likelihood that an organization will suffer a material security breach in the next 24 months has increased, according to an estimate by the Ponemon Institute. And the average cost of a breach has risen to $3.6 million, or about $141 per record stolen, and often higher depending on the kind of data involved.

It's no surprise, then, that the appetite in the marketplace for new approaches is strong. Last year venture capitalists poured $3.1 billion into security startups, an all-time record according to CB Insights.

I got to talking about this state of affairs last week with Tom Corn, senior VP for security products at VMware. His contention is simple: at a time when most applications are running on virtual machines in public and private clouds, we're often not protecting the right things.

The typical security product tends to generate alerts intended to raise an alarm about activity that may indicate an attack. Usually there are too many alerts for any person to track, and often they are false positives that turn out not to be attacks at all. This means the real alerts, indicating real attacks, often go unnoticed until it's too late. Other times, sneakier attackers will turn off the systems designed to raise an alarm altogether, meaning it may be months before a breach is detected at all.

"Against that backdrop, it's hard — impossible almost — to ever get ahead of the threats," Corn says.

This week VMware announced a new security product called AppDefense that takes advantage of its dominant presence in the server virtualization market. And it uses that leverage to bring two fundamental precepts to cloud environments.

The first is the "known good state." This is when an application is running normally and as intended.

"Once you've defined what that means, you can decide what to do when it's no longer running in that known good state," Corn says.

The second is an old idea in computer security, the principle of least privilege. Basically it states that an application or process is allowed to access only the resources it needs to run and nothing more. From the point of view of an attacker, a compromised app can't reach any resources or data that it couldn't already reach. That makes it a less tempting target.

"When done correctly it's an incredibly powerful idea," Corn said. "If you allow an app to do something it doesn't need to do, you're only creating more risk. Least privilege takes a lot of that risk off the table."

Putting those precepts in place, Corn says, reduces the attack surface, essentially giving an attacker fewer options to exploit. It also makes it easier to detect an attack.

Also easier is the collaboration between security teams and developers, both of which have a stake in the "ownership" of an app. Corn likened it to the relationship between parents and pediatricians.

"The doctor is an expert on illnesses the same way a security team is made up of experts on threats," he said. "Doctors basically say two things: create a safe environment, and know what's normal for your kid."

Developers know their app's normal behavior in much the same way that parents know what's normal for their kid and can quickly tell when something's amiss. Their temperature is up, or they're crying more than usual. They know their kid's known good state.

Corn's analogy goes further: watching for deviations from the child's normal state makes it easier to identify an illness when it happens, rather than testing for every possible condition a kid may have all the time. The same is true of cloud applications.

And what happens when an attack does get through? Since AppDefense is baked into virtualized infrastructure, it's easy to craft an automated response that can move faster than any human can. Communications to and from the process can be blocked in a quarantine. The process can be frozen in place for forensic analysis later. It can even be shut down.

AppDefense will be delivered as a cloud service, regardless of where the apps it protects are running, including on public and private clouds. This will allow VMware to quickly add more features. It also makes it easy for customers to deploy.

It also integrates with VMware's hypervisor, vSphere, and with its NSX virtual networking platform. That visibility into what's going on in the hypervisor allows for the automated collection of the "known good state" data that can be used to design security policies finely tuned to protect an application.

That information can be collected into what Corn described as an "application manifest," essentially a detailed list of everything that's known about the application related to that good state. If it's been patched or updated with new features, they're in the manifest. Everything about the application is observed.

"If someone patches it, that's observed and it goes in the manifest. If malware has been used to manipulate how it's running, and what's running doesn't match what's in the manifest, then AppDefense can automate a response."

And that, Corn says, opens the door to a more automated approach to infrastructure overall. "There's a whole variety of actions that a security team might want to take that usually require a bunch of manual actions on their part," he said. "Automation speeds up the response."

In the end, Corn says, attacks are going to happen. "It comes down to ensuring the known good state," which, he says, AppDefense does. "When you're sure about that, then it's a lot easier to notice an attack when it happens."
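To make the manifest idea concrete, here is an added illustration in Python (not VMware's code; the manifest format, process names, hashes and the peer address are constructed for the example): a known-good-state manifest for one application, a checker that reports deviations from it and maps them to the graded responses the article lists, and a function that folds an observed, approved patch into the manifest so it stops counting as a deviation.

```python
from dataclasses import dataclass, field

@dataclass
class Manifest:
    """Known good state for one app (hypothetical format, not VMware's).
    processes:   process name -> set of allowed binary hashes
    connections: process name -> set of allowed (peer, port) endpoints"""
    processes: dict = field(default_factory=dict)
    connections: dict = field(default_factory=dict)

# Response escalates with severity: an unexpected peer gets the process
# quarantined (communications blocked); an unknown or altered binary gets
# it suspended in place for later forensic analysis.
RESPONSES = {"medium": "quarantine", "high": "suspend"}

def check_state(manifest, observed):
    """Return deviations from the manifest as (severity, response, detail)
    tuples; an empty list means the app is still in its known good state."""
    deviations = []
    for name, binhash in observed["processes"]:
        allowed = manifest.processes.get(name)
        if allowed is None:
            deviations.append(("high", RESPONSES["high"],
                               f"process '{name}' not in manifest"))
        elif binhash not in allowed:
            deviations.append(("high", RESPONSES["high"],
                               f"'{name}' binary hash not in manifest"))
    for name, peer, port in observed["connections"]:
        if (peer, port) not in manifest.connections.get(name, set()):
            deviations.append(("medium", RESPONSES["medium"],
                               f"'{name}' -> {peer}:{port} not in manifest"))
    return deviations

def record_patch(manifest, name, new_hash):
    """An approved patch is observed and folded into the manifest, so the
    new binary becomes part of the known good state, not a deviation."""
    manifest.processes.setdefault(name, set()).add(new_hash)
    return manifest

# Constructed sample data: a web tier that may only talk to its database.
WEB_MANIFEST = Manifest(processes={"webapp": {"sha256:aaa111"}},
                        connections={"webapp": {("db.internal", 5432)}})
OBSERVED = {"processes": [("webapp", "sha256:aaa111"), ("sh", "sha256:ccc333")],
            "connections": [("webapp", "db.internal", 5432),
                            ("webapp", "203.0.113.9", 443)]}

if __name__ == "__main__":
    for deviation in check_state(WEB_MANIFEST, OBSERVED):
        print(deviation)
```

Run as-is, the sample flags two deviations: the unlisted `sh` process (suspend) and the web tier's connection to a peer outside its manifest (quarantine), while the in-manifest database connection passes silently.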