Anti-malware defenses are struggling to keep up with constant floods of new, fast-evolving attacks, but one thing that could help is if the infrastructure itself had security built in.
That's the idea with VMware's new AppDefense product, which lets companies restrict the types of operations allowed to applications running on virtualized servers.
This kind of behavior-based whitelisting would be a tough sell on user desktops, since users run a wide variety of applications and are constantly installing new software and updating existing software with new features.
That's not the case with servers.
"Most data center virtual machines have a single role, a single purpose in life," said Chris Corde, senior director of product management for AppDefense at VMware.
For example, if an application is trying to modify the operating system's kernel, or communicate with a command-and-control website, or engage in other inappropriate behaviors, a company could choose to send out an alert, quarantine the process, or shut down the application or server, wipe it, and restore from a golden image.
"We are looking at how the application behaves from a process perspective and a network perspective and using the hypervisor to enforce that," he said. "We're actually enabling a least privileged posture for applications."
AppDefense, which is a new product that customers would purchase separately, hooks into VMware's hypervisor and can also connect to third-party provisioning, configuration management, and workflow automation platforms.
It is currently only available for on-premises data centers, but a cloud version is on the road map, Corde said.
It's a big step forward for data center security, said Eric Ogren, founder and principal analyst at 451 Research.
"They still have to show that it executes," he said. "But it is absolutely the right idea. Security should be intrinsic to the operating environment."
It's especially important for situations where existing security products don't catch a problem.
"Often, you don't find out that there's something wrong until people are calling the help desk and saying that their applications are slow," he said.
Signature-based defenses in particular, like traditional antivirus software, are bad at catching new and fast-evolving threats.
"The ability to look at behavior systemically, and the ability for VMware to do something when it sees something awry, is a differentiator," Ogren said.
A delayed response can be particularly damaging in the case of ransomware or other types of destructive attacks that are designed to propagate quickly through enterprise networks.
"It can quickly spread, like a worm, throughout the environment," Corde said. "But when it does, it touches the network in a different way, and it's those types of behavior that we control and stop."
However, AppDefense might not necessarily pick up other behaviors that ransomware has, such as encrypting files.
"We are not looking at that type of behavior explicitly," he said.
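To make the process-and-network allowlisting described above concrete, here is an added illustration; it is not VMware's code, nor AppDefense's real policy format. It assumes a hand-written "intended state" manifest for one single-purpose VM (constructed hostname `web-01`, constructed database address `10.0.5.20`) and a small telemetry event model; it maps each event onto the alert, quarantine and shutdown responses Corde lists, and shows why a file-encryption event passes through unflagged.

```python
"""Behaviour allowlist for a single-purpose server VM (added example, not VMware code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed manifest for one web-server VM. In a real deployment this "intended
# state" would be captured from provisioning / configuration-management systems;
# here every value is hand-written for illustration.
ALLOWED_PROCESSES: Dict[str, Set[str]] = {
    "web-01": {"nginx", "php-fpm", "sshd"},
}
# (process, direction, remote address or "*", port) flows the VM is expected to use.
ALLOWED_FLOWS: Dict[str, Set[Tuple[str, str, str, int]]] = {
    "web-01": {
        ("nginx", "inbound", "*", 443),
        ("php-fpm", "outbound", "10.0.5.20", 3306),  # constructed database-tier address
    },
}

# Responses in increasing severity, mirroring the alert / quarantine / shut-down ladder.
ALLOW, ALERT, QUARANTINE, SHUTDOWN = "allow", "alert", "quarantine", "shutdown"


@dataclass(frozen=True)
class Event:
    """One telemetry record. kind is process_start | connect | listen | kernel_write | file_write."""
    vm: str
    kind: str
    process: str
    remote: str = ""
    port: int = 0


def flow_allowed(vm: str, process: str, direction: str, remote: str, port: int) -> bool:
    """True when the manifest lists this process/direction/port, with "*" matching any address."""
    for (p, d, r, pt) in ALLOWED_FLOWS.get(vm, set()):
        if p == process and d == direction and pt == port and r in ("*", remote):
            return True
    return False


def evaluate(event: Event) -> str:
    """Return the policy response for a single event."""
    if event.kind == "kernel_write":
        # Modifying the kernel from a guest process is outside every server role.
        return SHUTDOWN
    if event.process not in ALLOWED_PROCESSES.get(event.vm, set()):
        # A process the role never runs: raise an alert for an operator to triage.
        return ALERT
    if event.kind == "process_start":
        return ALLOW
    if event.kind in ("connect", "listen"):
        # A known process touching the network in an unexpected way is the
        # worm-like propagation pattern the article describes: isolate the VM.
        direction = "outbound" if event.kind == "connect" else "inbound"
        if flow_allowed(event.vm, event.process, direction, event.remote, event.port):
            return ALLOW
        return QUARANTINE
    # File-content operations (bulk encryption included) are not part of the
    # process/network model, so they are not inspected. This is the gap Corde notes.
    return ALLOW


def evaluate_all(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch and return (process, kind, response) triples."""
    return [(e.process, e.kind, evaluate(e)) for e in events]


if __name__ == "__main__":
    # Constructed sample telemetry, not captured from any real system.
    sample = [
        Event("web-01", "process_start", "nginx"),
        Event("web-01", "connect", "php-fpm", "10.0.5.20", 3306),
        Event("web-01", "process_start", "unknown-binary"),
        Event("web-01", "connect", "nginx", "10.0.7.44", 445),
        Event("web-01", "kernel_write", "nginx"),
        Event("web-01", "file_write", "php-fpm"),
    ]
    for process, kind, response in evaluate_all(sample):
        print(f"{process:15} {kind:14} -> {response}")
```

The last sample event is the point of the caveat: a legitimate process rewriting files at high volume is invisible to a model that only reasons about which processes run and which network flows they open, so file-level ransomware detection still has to come from another control.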
VMware AppDefense was announced at the VMworld conference in Las Vegas last week and is currently available for customers using VMware vSphere 6.5.