Introduction to vSphere Platinum with AppDefense

VMware vSphere Platinum delivers advanced security capabilities fully integrated into the world’s leading hypervisor for complete data center protection. It combines vSphere and VMware AppDefense in a purpose-built, operationally simple solution with minimal overhead and performance impact.

VMware AppDefense is the only hypervisor-native workload protection platform for enterprise virtualization and security teams that delivers the most secure virtual infrastructure and simplifies micro-segmentation planning. AppDefense reduces the attack surface by modeling intended application behavior, monitoring for anomalous behavior, and providing deep application visibility, reputation scoring, and security.

vSphere Platinum contains two AppDefense components:

  • AppDefense Plug-In in vCenter
  • AppDefense Management Console

Follow the steps below to experience vSphere Platinum including interactive dashboards, contextual security alerts and more.

Overview


  • Section 1:  Accessing the vSphere Platinum Environment
  • Section 2:  Walkthrough of vSphere Platinum with AppDefense Plug-In
  • Section 3:  Walkthrough of AppDefense Manager

Before you Begin


In order to complete this product walkthrough please make sure you have the following:

  • A valid account in the VMware TestDrive environment, sign up here if you do not have one.

 

Section 1:  Accessing the vSphere Platinum Environment

To login to the vSphere Platinum environment, perform the following steps.

First, open a web browser of your choice and navigate to portal.vmtestdrive.com. Select LOG IN. If you do not already have an account please reference the instructions found here.

Enter your TestDrive Username and Password and select ENTER.

Next, locate the vSphere Platinum product under the Transform Security tab.

mceclip0.png

Click LAUNCH and LAUNCH VIA WORKSPACE ONE.

mceclip2.png

A new tab will open with Workspace ONE. Enter your TestDrive Username, then hit Next.

mceclip0.png

On the next screen, enter your TestDrive Password then hit Sign in.

mceclip1.png

Next, search for the vSphere Platinum desktop. Click to open into the desktop either via HTML access or Horizon Client access.mceclip3.png

Now you'll be on the vSphere Platinum RDSH desktop. At this point you can begin the walkthrough steps listed below.

mceclip4.png

Section 2:  Walkthrough of vSphere Platinum with AppDefense Plug-In

The AppDefense Plug-In for vSphere Platinum integrates application security capabilities directly in the vSphere Client.

2.1 Accessing AppDefense Plug-In

On the desktop, launch on the shortcut named “vSphere Platinum” (or open a Chrome browser and enter https://vca-1.vmwtd.com/ui).

mceclip6.png

If presented with a certificate warning, click on Advanced then click on Proceed to vca-1.vmwtd.com (unsafe).

 

mceclip2.png

 

mceclip3.png 

Log in with the following credentials:

  • Username:  appddemo@vsphere.local
  • Password:  vmwareDemo1!

mceclip11.png

Once logged in, click on MenuShortcuts, then click on AppDefense under Monitoring category.

mceclip15.png

mceclip14.png

(Please note: due to the read-only permission level for TestDrive users, the AppDefense widget icon might be displayed differently.)

2.2  Dashboard

You will first see a Dashboard containing a visualized snapshot of key information about your connectivity and health of the organization’s environment monitored by AppDefense.

mceclip16.png

There are six sections on the dashboard:

1.  Online Trust Analysis (Connected): Shows if the behaviors collected by AppDefense are given scores based on Application Verification Cloud. The Application Verification Cloud component combines multiple reputation and threat feeds with machine learning models to enable application control, continuous vulnerability analysis of workloads, and high-fidelity alerts to respond to security incidents more quickly and effectively.

2.  AppDefense (Connected): Displays connection status with the AppDefense Manager.

3.  Hosts: Displays host connection status with AppDefense.

4.  Virtual Machines: Displays VM connection status with AppDefense.

5.  Risk Vetted Processes: Shows breakdown of risk level of processes based on reputation scoring at organizational level. Unverified risk means either AppDefense Plug-In is not connected to the Application Verification Cloud, or AppDefense cannot identify risk of the process.

  • Click Go to AppDefense Manager to navigate directly to AppDefense Manager and view more detailed information and analysis at scope or service levels.  See Section 3 below for login details and walkthrough.

6.  Low Reputation Processes: Lists top processes ordered by risk level (from high to low). Click View all to list of all processes and their details.

  • You can click on any individual process (e.g., nmtui) to view the VM instances, where the process happened.mceclip19.png
  • You can also click on VM (e.g., APP-TIER-2-V) at the bottom to view processes ran on this VM.  (Hit refresh icon in the upper right of the vSphere Client if data does not appear.)mceclip18.png
  • Click on any process (e.g., explorer.exe) to view details, including inbound and outbound connections.mceclip20.png

 

Section 3:  Walkthrough of AppDefense Manager

AppDefense Manager is the SaaS manager console that enables you to define rules and policies around the “known good state”, providing security enforcing and alerting beyond the visibility provided inside the vSphere Platinum Plug-In.

3.1  Accessing AppDefense Manager

On the desktop, launch the shortcut named “AppDefense Manager” (or open a Chrome browser and enter http://appdmanager-1.vmwtd.com/).

Log in with the following credentials:

  • Username: cloud-admin@cords.com
  • Password: vmwareDemo1!

mceclip21.png

 

3.2  Dashboard

When you log in to the AppDefense Manager, you will first see a Dashboard containing a visualized snapshot of key information about your organization’s environment.

mceclip22.png

There are four sections on the dashboard:

1.  Protection coverage: displays the number of Virtual Machines (VMs) in the organization and their status.

  • Red color indicates VMs that haven’t been protected by AppDefense.
  • Yellow color indicates VMs in Discovery Mode, from which AppDefense is learning the behaviors.
  • Green color indicates VMs that are protected by AppDefense.

2.  Alerts: displays deviations of intended behaviors that considered critical or serious.

3.  Scopes in discovery: displays scopes in Discovery Mode and their metrics.

4.  Provisioning events: displays events when AppDefense integrates with provisioning systems (such as vRealize Automation or Puppet) to define appropriate and allowed behaviors.

3.3  Scopes

On the left navigation pane, there are two security scopes — KeepLearning (with mceclip23.png icon) is in Discovery Mode, and E-Commerce without any icon is in Protected Mode.

A scope defines what the intended state and specific allowed behaviors of an application should be – deem it as a “blueprint or birth certificate for the application”.

mceclip24.png

First, click KeepLearning under Scopes to view an individual security scope in Discovery Mode. On the screen, you will see a dashboard called Discovered Behavior.

As the number of new behaviors decreases over time, more behaviors are learned by AppDefense. Users can use this chart to make confident decision on when to move the application from Discovery Mode to Protected Mode.

mceclip25.png

Then, let’s look at another scope example in Protected Mode. Click E-commerce under Scopes. There are three tabs here:

1.  Scope Dashboard:  visualizes real-time metrics about the application to easily locate suspicious activities. There are four sections:

  • Protected Behavior: displays the allowed behaviors and alerts trend over time. During Discovery Mode (e.g., KeepLearning scope), you will see Discovered Behavior instead. Click REVIEW DISCOVERY MODE BURNDOWN to view the burndown chart before and after setting the scope to Protected Mode.mceclip27.pngmceclip28.png
  • Service Reputation by Process: color-codes the reputation scoring for different services in scope.mceclip29.png
  • Windows ML Analysis: tracks the core process behavior analyzed by the AppDefense Machine Learning (ML) engine.appdnew.png
  • Windows Integrity Checks: verifies operating system and the AppDefense guest agent integrity module. The integrity alert in 3.3 is shown here.mceclip31.png

2.  Application Topology:  enables viewing large amount of complex application behavior data easily in an interactive graphic. You can:

  • Get a high-level view of the services defined in the scope.mceclip32.png
  • Click on individual service to view service-level connections and reputation summary.mceclip33.png
  • Click on icons to view different types of processes and network connections.mceclip34.png

3.  Services allows you to drill down to behaviors, members (VMs in a service), and rules within each service.

 Each behavior is rated with Behavior and Reputation scores from the App Verification Cloud mceclip35.png

3.3.  Alerts

On the left navigation pane, click Alerts to view a list of uncleared alerts. 

After the scope is set to Protected Mode, any deviation from the “known good state” triggers an alert or event. Each deviation is rated with a severity level based on App Verification Cloud. Only uncleared critical or serious deviations are shown here to help users prioritize efforts on crown jewels.

On this page, two critical alerts have been triggered that need remediations. 

  • First one is triggered by the malware detection that identifies process (.exe) with bad reputation score, indicating a ransomware attack on a Windows VM. 
  • Second one is an integrity alert, indicating a malicious modification of the kernel code on a Windows VM. 

Click on one of the alerts on this list to review details.

mceclip38.png

mceclip37.png

mceclip39.png

On the alert details page, click Actions to address the alert by either accepting the risk or taking the appropriate remediation action (e.g., “Snapshot). For demo purpose, users are only given read-only access, so the “Confirm Snapshot” button is disabled. Remediation action could also be automatically enforced and configured at the scope level.

mceclip40.png

mceclip41.png

3.4  Events

Lastly, at the bottom of the left navigation pane, click the settings ( mceclip42.png icon). Then click Events in the pop-up menu. 

 mceclip43.png

For informational or minor deviations, they are classified as events and shown here. As an example, a recent Windows server update triggers an upgrade event with informational severity level on this screen. 

 mceclip44.png

For Additional Support

Review Our Knowledge Base

Contact AppDefense Sales

Have more questions? Submit a request

Please sign in to leave a comment.