VMware innovation for application security

The problem lies in the existing security strategies that customers are employing to protect data center endpoints. We are specifically referring to the endpoints within the data center where applications are hosted, not end-user endpoints such as laptops or phones.

The legacy approach to protecting applications is to monitor endpoints for known threat signatures. Think of antivirus (AV) software: it carries a large database of known malware signatures and compares what it observes on the endpoint against that database to identify threats.

The problem with this approach is that if the security solution has not seen the threat before, there is no signature to match, so the threat is missed. Brand-new (zero-day) threats therefore go undetected, and so does known malware that has been repacked or recompiled enough that its signature no longer matches.

ML approaches to endpoint threat detection have become more prominent in recent years in order to address this problem of identifying unknown threats. The idea is that by aggregating data from as many parts of the environment as possible, machine learning and AI algorithms can be used to distinguish normal behavior from threats. The weakness of this approach is noise. These solutions take in so much data, from so many different corners of the environment, that it is very difficult for them to separate a genuine threat from benign variation. As a result, they tend to produce a high number of false positives that analysts must triage.

Application security must evolve to keep up with the speed of modern development practices, and VMware has developed a unique approach to solving this problem. In contrast to traditional security solutions, which focus on chasing threats, VMware AppDefense leverages its position in the hypervisor to learn the intended state of an application and to respond immediately to deviations from that state. This level of application visibility results in more accurate security policies and faster remediation, simplifying the prevention of malicious behavior. The result is a common source of truth for IT and security teams, making it easy for them to collaborate on compliance, security incident investigation, and incident response.

AppDefense builds context by gathering the inventory of virtual machines, and the application details, from management and provisioning tools such as vCenter, Puppet, and Ansible, in order to understand the intent of a particular machine and application. It then monitors the behavior of the VM, operating system, processes, and application, and correlates this information with the intent defined during provisioning. Using machine learning, AppDefense creates a blueprint of known-good behavior: how the machine and application should function and communicate.

Once the blueprint has been established, it is stored in a secure partition of the hypervisor. AppDefense then monitors for changes, detecting and preventing deviations from the intended, established state, which protects the integrity of the application, the infrastructure, and the operating system. When a threat is detected, AppDefense can respond natively through a variety of capabilities, and through NSX Data Center for enforcement and containment.
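As an added example, not code from the original page and not AppDefense's own implementation, the following Python contrasts the two models described above: a signature lookup that only recognizes binaries it has seen before, and a per-VM blueprint of (process, destination port) pairs that is learned during a clean learning window and then enforced. The event schema, the hash-only signature database, and every sample event are constructed for the demonstration.

```python
"""Signature matching versus an intended-state (behavioral allowlist) model.

Added example; not VMware AppDefense code. The Event schema, the signature
database and all sample events below are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One observed process activity on a data center VM (constructed schema)."""
    vm: str
    process: str        # path of the executable that acted
    image_sha256: str   # hash of that executable on disk
    dest_port: int      # remote TCP port it connected to (0 = no network activity)


def sha(s: str) -> str:
    """Stand-in for hashing a binary on disk; hashes a label string here."""
    return hashlib.sha256(s.encode()).hexdigest()


# Legacy approach: a database of known-bad file hashes (constructed).
SIGNATURES: Set[str] = {sha("malware-build-1")}


def signature_hit(e: Event) -> bool:
    """AV-style check: matches only binaries the database has seen before."""
    return e.image_sha256 in SIGNATURES


# Intended-state approach: per-VM allowlist of (process, dest_port) pairs
# recorded while the application is known to be clean.
Blueprint = Dict[str, Set[Tuple[str, int]]]


def learn_blueprint(learning_events: List[Event]) -> Blueprint:
    """Record every (process, port) pair observed during the learning window."""
    bp: Blueprint = {}
    for e in learning_events:
        bp.setdefault(e.vm, set()).add((e.process, e.dest_port))
    return bp


def deviates(bp: Blueprint, e: Event) -> bool:
    """True if the VM did something its blueprint never allowed."""
    return (e.process, e.dest_port) not in bp.get(e.vm, set())


def evaluate(bp: Blueprint, events: List[Event]) -> List[Dict[str, object]]:
    """Run both detectors over runtime events; one verdict per event."""
    return [
        {"vm": e.vm, "process": e.process, "port": e.dest_port,
         "signature_hit": signature_hit(e), "deviation": deviates(bp, e)}
        for e in events
    ]


# Constructed learning-phase events for a web tier VM: nginx only serves
# (no outbound connections) and php-fpm talks to the database on 3306.
LEARNING = [
    Event("web01", "/usr/sbin/nginx", sha("nginx-1.24"), 0),
    Event("web01", "/usr/sbin/php-fpm", sha("php-fpm-8.2"), 3306),
]

# Constructed runtime events after the blueprint is locked.
RUNTIME = [
    # 1. normal traffic: matches the blueprint, unknown to the signature DB
    Event("web01", "/usr/sbin/php-fpm", sha("php-fpm-8.2"), 3306),
    # 2. known malware: caught by both detectors
    Event("web01", "/tmp/.x/miner", sha("malware-build-1"), 4444),
    # 3. rebuilt variant: hash differs, signature misses, blueprint catches
    Event("web01", "/tmp/.x/miner", sha("malware-build-2"), 4444),
    # 4. trusted binary misused (a web shell making php-fpm call out):
    #    nothing on disk changed, only the behavior did
    Event("web01", "/usr/sbin/php-fpm", sha("php-fpm-8.2"), 4444),
]


def run_demo() -> List[Dict[str, object]]:
    """Learn from the clean window, then judge the runtime events."""
    return evaluate(learn_blueprint(LEARNING), RUNTIME)


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Events 3 and 4 are the cases the text argues for: a rebuilt binary defeats the hash lookup, and a trusted process misused after a compromise changes nothing on disk, yet both are deviations from the blueprint. The same property is the approach's main caveat: whatever runs during the learning window becomes "intended", so the blueprint must be captured on a system known to be clean, and a legitimate change (a new dependency, a new port) has to be re-learned or it will alert.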
