When you first log in, you are presented with the list of security scopes. A security scope defines the configuration elements that protect an application and its constituent workloads. These configuration elements are like a blueprint or a birth certificate for the application: a scope contains a description, member workloads, rules, and behaviors. Security scopes are a grouping of data center assets (VMs, containers, and so on) that make up an application or a regulatory scope.
You can send security scope information to AppDefense in the following ways:
- Provisioning Events: Integrate a provisioning tool, such as vRealize Automation or Puppet, with AppDefense so that provisioning an application also defines its appropriate and allowed behaviors.
- Create Scope: Manually create a scope. You can define a scope, begin learning behavior, and enforce rules.
A service is a tier or a role within a scope. Typically, homegrown applications have three services (Application, Web, and Database), but scopes can include more than three services (file server, print server, compliance server, and so on).
A member is a virtual machine (VM) within a service. Members (VMs) in a service must have an identical operating system; that is, within a service all VMs must be homogeneous, either all Microsoft Windows or all Linux.
VMs reside in the services created within a scope, and functionality such as allowed behavior applies only within the context of a service.
AppDefense has the following modes of operation:
- Discovery Mode: A guest virtual machine on which you have installed and configured the AppDefense Guest Module must spend at least a week (7–14 days) in Discovery Mode. Discovery Mode lets AppDefense learn the specifics of each workload; use IP address and port wildcards when a process exhibits many variations in its behavior.
After you create scopes and services, AppDefense enters Discovery Mode automatically. The system dynamically populates allowed behaviors based on a runtime view of the application over a period. During this time, all relevant activity is recorded as the application is functioning. The learning period for a workload or application must be at least a week (7–14 days). The learned profile is later enforced in Protected Mode.
- Protected Mode: In Protected Mode, AppDefense enforces a least-privilege posture (default deny) on the managed virtual machines. This means that any observed behavior that is not part of the machine's profile raises an alarm.
Discovery Mode and Protected Mode are set at the scope level, whereas remediation actions are set at the service level.
Behaviors are process executions (CLIs) and network activities (inbound and outbound connections) exhibited within a service.
Once scopes and services are created, AppDefense enters Discovery Mode and builds a list of allowed behaviors (for example, ports and processes) that forms a blueprint, or whitelist, of the natural state of the application. During this time, no action is needed, because AppDefense is learning the environment automatically.
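The following is an added illustration, not AppDefense code, of the learn-then-enforce model described above: behaviors (process executions and inbound/outbound connections) are recorded per service during discovery, a highly variable behavior is collapsed into an IP/port wildcard rule, and Protected Mode then applies default deny, raising an alarm for anything outside the profile. The event format, the `ServiceProfile` class and the sample events are all constructed for this example and are assumptions about how such a profile could be represented, not a description of AppDefense internals.

```python
"""Toy model of a per-service behavior allowlist (constructed example, not AppDefense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DISCOVERY, PROTECTED = "discovery", "protected"


@dataclass(frozen=True)
class Event:
    kind: str             # "process", "inbound" or "outbound"
    process: str          # executable path of the process that ran or owns the socket
    remote_ip: str = ""   # peer address (network events only)
    port: int = 0         # local port for inbound, remote port for outbound


@dataclass(frozen=True)
class Rule:
    kind: str
    process: str
    remote: str = "*"     # exact IP, CIDR block, or "*" wildcard
    port: str = "*"       # port number as a string, or "*" wildcard

    def matches(self, ev: Event) -> bool:
        if (self.kind, self.process) != (ev.kind, ev.process):
            return False
        if self.kind == "process":
            return True
        if self.port != "*" and int(self.port) != ev.port:
            return False
        if self.remote == "*":
            return True
        return ip_address(ev.remote_ip) in ip_network(self.remote, strict=False)


class ServiceProfile:
    """Allowed-behavior blueprint for one service; all member VMs share it."""

    def __init__(self, name: str):
        self.name = name
        self.mode = DISCOVERY
        self.rules = set()

    def observe(self, ev: Event):
        """Discovery: record the exact behavior. Protected: default deny,
        returning an alarm string for anything not covered by a rule."""
        if self.mode == DISCOVERY:
            remote = ev.remote_ip or "*"
            port = str(ev.port) if ev.port else "*"
            self.rules.add(Rule(ev.kind, ev.process, remote, port))
            return None
        if any(r.matches(ev) for r in self.rules):
            return None
        target = "" if ev.kind == "process" else f" -> {ev.remote_ip}:{ev.port}"
        return f"ALARM [{self.name}] unexpected {ev.kind}: {ev.process}{target}"

    def generalize(self, kind: str, process: str, remote: str = "*", port: str = "*"):
        """Replace many near-identical learned rules with one wildcard rule,
        the IP/port wildcard used when a behavior varies a lot."""
        self.rules = {r for r in self.rules if (r.kind, r.process) != (kind, process)}
        self.rules.add(Rule(kind, process, remote, port))

    def protect(self):
        self.mode = PROTECTED


def run_demo():
    """Learn a constructed Web-tier profile, then enforce it; returns the alarms raised."""
    web = ServiceProfile("Web")
    # Discovery Mode: constructed sample of what the Web members did during the learning period
    learned = [
        Event("process", "/usr/sbin/nginx"),
        Event("inbound", "/usr/sbin/nginx", "198.51.100.7", 443),
        Event("inbound", "/usr/sbin/nginx", "198.51.100.9", 443),
        Event("inbound", "/usr/sbin/nginx", "192.0.2.33", 443),
        Event("outbound", "/usr/sbin/nginx", "10.0.2.10", 8080),   # app tier
    ]
    for ev in learned:
        web.observe(ev)
    # Client addresses vary endlessly, so collapse them into one IP wildcard on port 443
    web.generalize("inbound", "/usr/sbin/nginx", remote="*", port="443")
    web.protect()
    # Protected Mode: only deviations from the blueprint raise alarms
    observed = [
        Event("inbound", "/usr/sbin/nginx", "203.0.113.77", 443),   # new client IP, matches wildcard
        Event("outbound", "/usr/sbin/nginx", "10.0.2.10", 8080),    # learned app-tier connection
        Event("process", "/bin/bash"),                               # never seen during discovery
        Event("outbound", "/usr/sbin/nginx", "203.0.113.5", 4444),  # unexpected outbound connection
    ]
    return [alarm for alarm in (web.observe(ev) for ev in observed) if alarm]


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

Running the block prints two alarms: the unexpected shell execution and the unexpected outbound connection, while the new client IP on port 443 passes because of the wildcard rule. The rules are keyed per service rather than per VM, which mirrors the point that allowed behavior applies within the context of a service and that its members must be homogeneous.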
To learn more about the overall workflow, refer to Overall Workflow Of Securing Applications Using AppDefense.