VMware AppDefense and Carbon Black Cloud offer a converged set of security services and consolidate multiple endpoint security capabilities with an agentless experience on vSphere workloads and a single lightweight sensor on endpoints, making it easy to add new capabilities whenever you need them.
Follow the steps below to experience AppDefense and Carbon Black Cloud including interactive dashboards, contextual security alerts and more.
- Section 1: Accessing the AppDefense and Carbon Black Experience
- Section 2: Walkthrough of vSphere with Intrinsic Security Plug-In
- Section 3: Walkthrough of CB PSC (Predictive Security Cloud) & Workload Protection
Before you Begin
In order to complete this product walkthrough please make sure you have the following:
- A valid account in the VMware TestDrive environment, sign up here if you do not have one.
- TCP & UDP ports 80, 443, 8443; and if using PCoIP, both TCP & UDP 4172
- An Horizon Client installed on your machine.
Section 1: Accessing the AppDefense and Carbon Black Experience
To login to the experience, perform the following steps.
Enter your TestDrive Username and Password and select ENTER.
Next, locate the AppDefense product under the Intrinsic Security tab.
Click LAUNCH and LAUNCH VIA WORKSPACE ONE.
A new tab will open with Workspace ONE. Enter your TestDrive Username, then hit Next.
On the next screen, enter your TestDrive Password then hit Sign in.
Next, search for the Carbon Black Cloud desktop. Click to open into the desktop either via HTML access or Horizon Client access.
Now you'll be on the Carbon Black Cloud RDSH desktop. At this point you can begin the walkthrough steps listed below.
Section 2: Walkthrough of vSphere with Intrinsic Security Plug-In
The AppDefense Plug-In in vCenter Server integrates application security capabilities directly in the vSphere Client.
2.1 Accessing Intrinsic Security Plug-In
On the desktop, launch on the shortcut named “vCenter Server” (or open a Chrome browser and enter https://vca-1.vmwtd.com/ui).
If presented with a certificate warning, click on Advanced then click on Proceed to vca-1.vmwtd.com (unsafe).
Log in with the following credentials:
- Username: email@example.com
- Password: vmwareDemo1!
Once logged in, click on Menu > Shortcuts, then click on AppDefense under Monitoring category.
You will first see a Dashboard containing a visualized snapshot of key information about your connectivity and health of the organization’s environment monitored by AppDefense.
There are seven sections on the dashboard:
1. Online Analysis: Displays the mode in which the AppDefense Plug-in is deployed in vCenter Server. Expand the widget to see this instance is deployed in SaaS mode.
2. AppDefense: Displays the connection status. The icon in this instance shows that AppDefense is deployed in the SaaS mode and is connected properly with the AppDefense Manager.
3. Hosts And VMs: Displays the number of hosts and VMs that are configured, available, or unsupported by AppDefense. Expand the widget and you can click on a number to view the detailed list of the hosts or VMs.
4. Process Reputation: Displays the reputation for all the processes monitored by AppDefense. The status is displayed as:
- Suspicious: Suspicious processes are in a red color. If Suspicious, you must investigate further into the process. You can take immediate remediation action using AppDefense Service (SaaS).
- Trusted: Trusted processes are in a green color. Trusted reputation is modeled and trusted by the analysis engine.
- Unknown: Unknown process means that the reputation is not yet modeled by the analysis engine. Unknown processes are displayed with a dark gray color.
5. Critical Vulnerabilities: Displays only critical vulnerabilities for Windows, Linux, and for vCenter Server and ESXi.
6. Windows ML Analysis: Tracks the core process behavior analyzed by the AppDefense Machine Learning (ML) engine. This view is applicable only for the Windows VMs.
7. Windows Integrity Checks: Verifies operating system and the AppDefense guest agent integrity module. This view is applicable only for the Windows VMs.
- Click on the red section to see details of the alert.
- Click on the Member name APP-TIER-2-V to see details of the alert.
From within the same window as above, you can also view the processes of this particular VM. Click on Guest Monitoring then click on any process name to view details, including inbound and outbound connections (if any).
Below we have clicked on powershell.exe.
Using the dropdown in the CLI section, we have selected "..ject Net.WebClient).DownloadString('htt...".
This view shows the outbound connections associated with a PowerShell command that was run inside the VM.
Section 3: Walkthrough of CB PSC (Predictive Security Cloud) & Workload Protection
The VMware CB Predictive Security Cloud offers a converged set of security services and consolidates multiple endpoint security capabilities with an agentless experience on vSphere workloads and a single lightweight sensor on endpoints, making it easy to add new capabilities whenever you need them. The PSC’s simple, cloud-based single console is easy to access, configure, and use, with over 125 integrations with SIEM platforms, threat intelligence, and network security products that help you get more value from your existing security investments all while helping you operate faster and more effectively.
3.1 Accessing Carbon Black Cloud
On the desktop, launch the shortcut named “Carbon Black Cloud” (or open a Chrome browser and enter https://defense-prod05.conferdeploy.net).
Log in with the following credentials:
- Username: firstname.lastname@example.org
- Password: vmwareDemo1!
When you log in to the CB PSC, you will first see a Dashboard containing a visualized snapshot of key information about your organization’s environment. The dashboard provides a high-level overview of your environment and enables you to quickly navigate to items of interest. You can customize the dashboard tiles and display data for specific time periods and policies.
Alerts indicate known threats and suspicious behavior across endpoints. Turn group alerts ON to efficiently manage and dismiss alerts across multiple devices. Turn group alerts OFF to manage alerts individually.
For this walkthrough there is a set a pre-generated attacks that we will walk through. Please ensure that your time frame is set to 1 day.
Once the time frame has been set to 1 day you should see a few alerts in the alerts dashboard for either app-tier-1-v or app-tier-2-v. Optionally, you can change the time frame to a longer period to see earlier alerts.
Click on the > sign to the left of the status column to expand and view additional information, including the TTPs associated with the alert.
Priority Alerts and Other Activity
Alerts are separated into two categories, indicated by the color of the alert:
- Threat: Coded with the color red, located in the Priority filter. These alerts are highly likely to be malicious activity.
- Observed: Coded with the color yellow, located in the Other activity filter. These alerts are a set of behavioral data that have not been raised to the level that requires a response, but do have interesting behavior.
Alert severity indicates the relative importance of an alert; you can use this to identify events that might require rapid triage and response. Alert severity is loosely mapped to the Attack Stages Panel on the dashboard.
- Level 1 and 2 alerts: Detect activities such as port scans, malware drops, changes to system configuration files, persistence, etc.
- Level 3, 4, and 5 alerts: Detect activities such as malware running, generic virus-like behavior, monitoring user input, potential memory scraping, password theft, etc.
- Level 6+ alerts: Typically an active exploit, reverse command shells, process hollowing, destructive malware, hidden processes and tool sets, applications that talk on the network but should not, etc.
The Target value acts as a multiplier when calculating the threat level for detected issues and resulting alerts. Target values are defined by the policy to which a device belongs.
- Low Target Value: Results in a lower threat level.
- Medium Target Value: Represents the baseline/default (no multiplier).
- High/Mission Critical Target Values: Both values increase the threat level under the same circumstances. You may see two or more alerts with identical descriptions but with different alert severities.
Access a visualization, or process tree, of your alerts by clicking the Alert Triage icon from the Alerts page.
Each event in the attack stream (process, file, or network connection) is shown in the process tree as a node with the attack origin displayed on the left and each subsequent event shown from left to right as the attack progressed. Click a node to view additional information and take action in the Selected Node collapsible panel.
- Operating System/Root Node: The root node at the far left of the process tree represents the host device on which the original activity took place. The root node icon represents the operating system that was running on the device.
- Gears/Processes: Processes that have run or are still running.
- Documents/Files: Files that were created on disk.
- Network Connections/IP addresses: IP addresses are shown as network connection icons.
Note: If an operation is denied, an exclamation point (!) displays next to the denied process. If a process is terminated, an X displays next to the terminated process.
- Invoked: A solid line indicates that one process invoked another process, file, or network connection. Injected: A dashed line indicates that one process injected code into another process.
- Read Memory: A dotted and dashed line indicates that one process attempted to read the virtual memory of another process (but did not inject into the process).
- Accessed Target: A dotted line indicates that one process attempted to enter another process (but did not inject into the process).
The Actual Attack
In viewing each of the executed processes on the selected node you get a detailed view on how that process was executed during the that phase of the attack / execution.
On the right had side you will get additional details on the policy action, the reputation and the actual command line arguments of the process.
Enriched events are events that have been determined to be of interest. The Carbon Black Cloud analyzes unfiltered data on all endpoints to highlight events that may be of interest based on types of behavior more likely to be associated with malicious activity, including 110+ core behaviors known to be leveraged by attackers.
Certutil.exe downloading content from a suspicious website. We are able to do DNS resolution when available as well as show the command line execution along with the alert severity and TTP’s tied to this event.
With Live Query, you can ask questions of endpoints and quickly identify areas for improved security and IT hygiene. You can run recommended queries created by Carbon Black security experts or craft your own SQL queries. Live Query is powered by Osquery, an open source project that uses an SQLite interface. Access is dependent on user role authorization.
You can use our built-in queries to search the environment for specific vulnerabilities or common misconfigurations from an IT Hygiene perspective as well as many others.
VMware Virtual Machine Inventory
The integration of CB Defense for VMware provides security and IT operations teams with enhanced visibility into complex, multi-guest applications, their related network traffic, and suspicious endpoint behaviors.As well as providing an inventory view for the Soc and security related users so they can get a better understanding of whats running inside of the virtual environment.