Monday 12 March 2018

Getting started with VMware AppDefense - Part 3

Getting started with VMware AppDefense - Part 1
Getting started with VMware AppDefense - Part 2
Getting started with VMware AppDefense - Part 3

Now that we have deployed the host and guest modules and verified that both the hosts and the guest VMs show as active, we can configure an application scope and start protecting an application.

Log into the AppDefense SaaS portal and you should initially be greeted by the dashboard page.  Instantly you can see the number of VMs that are unassigned, in discovery or protected:



In order to protect a VM with AppDefense, we need to create an application scope and then add a VM to the scope.  Imagine an application scope as a group of data centre assets that make up an application or regulatory scope.  To add a scope click on the plus icon next to Scopes and give it a suitable name and click Create:


We now need to create a service.  A service is made up of one or more VMs that perform a function within an application.  An example could be a three-tier application with three services (web, app and DB).  All VMs within a service are expected to be homogeneous and to have exactly the same allowed behaviour and rules.  Click on the Add Service button within the scope:


Enter a Service name, an optional Service Type (from a predefined list) and a Service Description, then click Next:


Select the VMs that you want to add to the service.  It's simpler to sort via the State field to show all VMs that have the guest module installed and enabled.  Select the VM or VMs and click Next:


You now have the option to manually enter allowed behaviour by entering information about the process and any inbound/outbound connection required.  You can just leave this blank and click Finish as AppDefense will learn the behaviour:


Once you click Finish the service is added to the scope and AppDefense automatically starts to learn the behaviour of the application.  You can add additional services if required, depending on the application.  You need to leave AppDefense in learning mode for long enough for it to capture all expected behaviour.  This will vary depending on the application role, but a full month cycle should be enough.


Once you have left AppDefense for a suitable period of time you should see the behaviour that has been learnt:



You can change the view by selecting the column icon in the top right-hand corner and expanding it.  You may also notice that process reputation, threat and trust scores are pulled in via the Carbon Black integration:


Once you are confident that AppDefense has had enough time to learn the application sufficiently (don't worry, you can put it back into learning mode or manually add processes if something has been missed) it's time to start enforcing known good.  Click on the Verify and Protect button at the top of the application scope:


Verify the details and click Verify and Protect:


Once the scope is protected you will notice a new tab in the scope called Rules:


By default, all options are enabled and set to Alert only.  You can enable or disable specific rules depending on what you are particularly interested in protecting, and also modify the action.  To modify the action click on the three dots icon in the top right-hand corner and click Edit Service:


Select the Rules tab.  Here you can enable or disable specific rules and change the remediation action to one of the following options (Quarantine requires integration with NSX):


You also have the option to set the enforcement to either Automatic or Manual:


With the default options set, alerts for any violations will be visible within the AppDefense portal.  This allows you to continue monitoring the application before setting the remediation action to Block or Quarantine.  The following alert shows what happens when a violation occurs.  In this example I initiated an SSH session via PuTTY to 192.168.1.11:


The alert is visible within AppDefense and you can drill down and view the actual behaviour:
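To make the learn-then-enforce model above concrete, here is an added Python sketch (not VMware's code or API) that mimics what a service is doing: behaviours seen in learning mode become the allow-list, Verify and Protect switches to enforcement with the chosen remediation action (Quarantine only being accepted when NSX integration is present), and anything not already allowed is reported as a violation.  Process names, addresses and ports are constructed sample values.

```python
# Toy model of AppDefense's learn-then-enforce workflow (added example, not VMware code).
# A Service records allowed behaviour (process + inbound/outbound connection) while in
# learning mode; after "Verify and Protect" any unseen behaviour is a violation handled
# with the configured remediation action.  All addresses below are constructed samples.
from dataclasses import dataclass, field
from typing import NamedTuple, Optional


class Behaviour(NamedTuple):
    process: str      # e.g. "httpd"
    direction: str    # "inbound" or "outbound"
    remote: str       # remote address, or "any" for a listener open to everyone
    port: int


@dataclass
class Service:
    name: str
    mode: str = "learn"           # "learn" until Verify and Protect is applied
    action: str = "alert"         # "alert", "block" or "quarantine"
    allowed: set = field(default_factory=set)

    def verify_and_protect(self, action: str = "alert", nsx_integrated: bool = False) -> bool:
        """Switch to enforcement.  Quarantine requires NSX integration, as in the portal."""
        if action == "quarantine" and not nsx_integrated:
            return False              # stay in learning mode; nothing could quarantine the VM
        self.mode, self.action = "protect", action
        return True

    def observe(self, b: Behaviour) -> Optional[dict]:
        """Learn mode: add to the allow-list.  Protect mode: report anything not allowed."""
        if self.mode == "learn":
            self.allowed.add(b)
            return None
        if b in self.allowed:
            return None
        return {"service": self.name, "violation": b, "action": self.action}


def run_demo() -> list:
    web = Service("web")
    # Constructed traffic captured during the learning period for a web tier.
    for b in (Behaviour("httpd", "inbound", "any", 443),
              Behaviour("httpd", "outbound", "10.0.0.5", 3306)):
        web.observe(b)
    if web.verify_and_protect("quarantine"):      # no NSX: must be rejected, still learning
        raise RuntimeError("quarantine accepted without NSX")
    web.verify_and_protect("alert")
    return [web.observe(Behaviour("httpd", "inbound", "any", 443)),         # known good
            web.observe(Behaviour("sshd", "inbound", "192.168.1.50", 22))]  # unexpected SSH
```

The second verdict returned by `run_demo()` is the equivalent of the SSH alert shown above: the process and connection were never seen in learning mode, so they are flagged with the service's current action.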


Since we have set the remediation action to Alert, we can review the alert and then decide what to do next.  In this example I select Power Off:


Confirm Power Off:


The command is then pushed to vCenter and the VM is powered off:


Hopefully the last three Getting Started with AppDefense articles have left you wanting more; if so, I plan on blogging more in the future, so stay tuned.