Stop the Bad by Only Allowing the Good
The rapid proliferation of malware and other cyber threats has created a serious need for organizations to change their approach to securing systems. The ability of cybercriminals to mass-produce malware through Ransomware as a Service sites, the proliferation of non-distributing multi-scanners (which let malware authors check samples against antivirus engines without the samples being shared with vendors), the explosion in the number of available exploit kits, and other factors have all led to signature-based defenses being increasingly unable to stop cyber threats. Effective security can no longer rely solely on stopping known bad behavior; a fundamental shift is needed in how organizations approach security. Organizations need to adopt a security strategy that focuses on allowing only known good behavior rather than on blocking known bad. Security can no longer be done purely reactively, as the best reactive security can do is provide protection today against yesterday's threats.
There are several steps organizations can take toward allowing only known good behavior in VMware virtualized environments. The potential for securing virtualized workloads has increased tremendously in recent years, with technologies like microsegmentation allowing organizations to take a zero trust approach to networking their virtual environments. Microsegmentation products, like VMware's NSX, allow organizations to put a firewall in front of each virtual machine and use it to permit only the communications essential to that machine. The network can thus be built with least privilege in mind, with any non-essential communication blocked by default. This greatly restricts the ability of attackers, malware, and other threats to move laterally within an organization and helps keep a threat contained to one portion of the network. While microsegmentation is a hugely positive step toward securing virtualized workloads, an effective security posture still requires defense in depth; network segmentation, even to the point of zero trust, is not a panacea. Luckily, the security advantages of virtualized workloads do not end there.
The unique relationship between a virtual machine and its hypervisor is beginning to open doors for defending the servers that make up an organization's virtual environment. VMware's recently launched AppDefense product can learn the intended state of virtual machines, such as the processes that normally run and the network communications associated with them, and from that build an application baseline for each server (or type of server) in the virtual environment. Once a baseline of this intended state exists within AppDefense, the product can be configured to raise an alarm whenever observed behavior deviates from it. A least privilege approach can thereby be applied to virtualized workloads as well, since only applications within the pre-approved baseline will be allowed to run. AppDefense can also be configured to automatically block potentially malicious (i.e. non-baselined) processes from running and, if integrated with NSX, can even automatically isolate virtual machines from the network. Given the speed at which a compromised endpoint can be used as a staging ground to spread through an organization's systems, such automated response is a huge benefit in keeping an incident as contained as possible. Moreover, the fact that AppDefense runs in the hypervisor rather than inside the endpoint itself provides a security advantage over traditional endpoint agents: even if the endpoint is compromised, AppDefense is isolated from it and therefore likely protected from compromise.
The security benefits of AppDefense can be readily demonstrated by setting up a test environment that includes a web application server intentionally vulnerable to cyber attacks, such as OWASP Mutillidae, and protecting it with AppDefense. OS command injection and other attacks that launch malicious processes normally succeed readily against a server running Mutillidae, but as shown in figure 1, AppDefense can detect and stop such attacks because the processes being launched are not part of the intended state baseline. More information on testing AppDefense can be found in the latter half of the VMworld talk entitled Introducing VMware's Transformative Data Center Endpoint Security Solution.
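An added illustration of the intended-state check described above (this is example code written for this page, not VMware's code or the AppDefense API): a constructed baseline for a hypothetical web server VM records which processes may run, which parents may launch them, and which outbound ports they may use, and the evaluator allows only events that match all three, so a web server process spawning a shell or opening an unexpected connection is flagged as a deviation.

```python
"""Allowlist ("intended state") evaluator modelled on the baseline approach described above.

Constructed example: every name, VM and port below is hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    vm: str                          # VM the event was observed on
    process: str                     # executable name as observed on the VM
    parent: str                      # process that launched it
    remote_port: Optional[int] = None  # None for a process start with no network flow


# Constructed baseline: vm -> process -> allowed parents and allowed outbound ports
BASELINE = {
    "web01": {
        "httpd":  {"parents": {"systemd", "httpd"}, "ports": {3306}},
        "mysqld": {"parents": {"systemd"}, "ports": set()},
        "sshd":   {"parents": {"systemd", "sshd"}, "ports": set()},
    }
}


def evaluate(event, baseline=BASELINE):
    """Return (verdict, reason); 'allow' only when process, parent and flow are all baselined."""
    vm_rules = baseline.get(event.vm)
    if vm_rules is None:
        return "block", f"no baseline for VM {event.vm}"
    rule = vm_rules.get(event.process)
    if rule is None:
        return "block", f"process {event.process} not in baseline"
    if event.parent not in rule["parents"]:
        return "block", f"{event.process} launched by unexpected parent {event.parent}"
    if event.remote_port is not None and event.remote_port not in rule["ports"]:
        return "block", f"{event.process} outbound to port {event.remote_port} not in baseline"
    return "allow", "matches intended state"


# Constructed sample events: normal database traffic, then the kind of deviations
# a command injection against the web server would produce
SAMPLE_EVENTS = [
    Event("web01", "httpd", "systemd", 3306),
    Event("web01", "sh", "httpd"),
    Event("web01", "httpd", "systemd", 4444),
]


def run(events=SAMPLE_EVENTS, baseline=BASELINE):
    """Evaluate each event and return (process, verdict, reason) rows."""
    return [(e.process, *evaluate(e, baseline)) for e in events]


if __name__ == "__main__":
    for row in run():
        print(row)
```

A real deployment would populate the baseline from an observed learning period rather than by hand, and the "block" verdict would map to the automated process blocking or NSX isolation the text describes.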
Organizations need to begin transforming their approach to security by building an environment based on allowing known good rather than on blocking known bad, and within virtualized environments achieving this is more within reach than ever before.