Virtual desktop security is always a critical topic when enterprises leverage virtual desktop infrastructures, or VDI, as part of their internal IT strategy. In recent months, however, VDIs have grown in importance as more people work from home; deploying virtual desktops is one way to ensure that remote employees are securely accessing the data and applications they need to do their jobs.
Prior to the rise in remote employees, according to Spiceworks research, 32 percent of enterprises used virtual desktops in some capacity. This percentage was higher among enterprises, with 50 percent of the ones Spiceworks surveyed using VDI in some capacity, compared to 24 percent of small businesses. Perhaps in a sign of desktop virtualization’s longevity, Spiceworks predicts that VDI use will grow to 69 percent among enterprises by 2021.
This makes it clear that VDI isn’t going away anytime soon. The organizations that use them, such as our customer Citizens Medical Center, have gained substantial benefits from deploying VDI within their IT stack. With how valuable virtual desktops have turned out to be, oftentimes the security in place for these endpoints may not have been strong. This is a problem; as virtual endpoints are still endpoints and need strong protection to ensure that remote employees are protected and can access the applications they need when they need them.
Antivirus Alone Isn’t Enough for Virtual Desktop Security
When it comes to protecting virtual desktops against cyberattacks, organizations often leverage a scaled-down version of their antivirus solution. This is a best practice handed down from the likes of VMware and Citrix themselves to ensure the best user experience in both VMware Horizon View and Citirix XenApp.
VMware specifically recommends using non-persistent desktops instead of persistent ones, for example. The reason behind this is that the virtual desktop is refreshed to a known clean state on logout, which mitigates the risk of persistent cyberattacks. That said, there are still several recommendations from both vendors for how to improve the user experience for VDI.
Among the suggestions from VMware, to ensure the best virtual desktop experience, users should:
- Limit real-time scanning to local drives only
- Run a virus scan on master images before putting them into production
- Remove any unnecessary antivirus actions or processes from the desktop’s startup or login routines
- Disable heuristic scanning
- Disable auto-updates of antivirus software
As a result of these changes, antivirus software often is limited in its protection of virtual desktops. This is a good thing from the user perspective. Disabling automatic AV updates also means virtual desktop users can avoid a “boot storm” caused by the AV’s signature database having to update hundreds of virus definitions at once. By disabling heuristic scanning, which is common in next-gen AV platforms that use machine learning algorithms for virus detection, users retain a similarly streamlined experience.
Similarly, from an ROI perspective, limiting the resource-usage of each child desktop means that more instances can be spun up on each host-server. If antivirus products consume too many resources, then that limits the number of instances that each host-server can generate. More desktop images preserves density, and enables enterprises to gain the full value from their VDI implementations.
That said, both of these courses of action leave VDI instances somewhat unprotected. Virtual endpoints also require security against cyberthreats. Even with a non-persistent virtual machine, the reality is that a hacker could still attack and breach the endpoint while in use. This is important to understand, as one of the more persistent myths about VDI is that they’re more secure than physical endpoints. If anything, the limited memory resources of VDI mean there are fewer options for protection.
Virtual Desktops Don’t Gain Security from EDR
Endpoint detection and response solutions require an EDR agent to be placed on each endpoint, constantly sending telemetry back to a central console. In a physical endpoint environment, this means placing an agent on each workstation that then delivers the needed information back into the EDR’s central data store where it is interrogated for malicious behavior.
In a virtual environment, this means putting an agent on every virtual desktop alongside the hypervisor and host server. Putting a single EDR agent on the hypervisor/host server only will not offer enough visibility into the activity taking place on each of the child desktops, which the IT team would need to fully monitor all endpoints.
The data that an EDR solution ingests from all these agents is enormous, which would consume needed memory resources on each virtual desktop. In addition, EDR agents cause a major network traffic as this is multiplied by the number of virtual instances in flight at any given time.
This network traffic isn’t like the boot storm that could happen when an AV signature database updates. It would be a consistent flow of traffic and endpoint data back from every single virtual desktop all the time, which results in huge data storage requirements for all this information.
Virtual desktop instances aren’t designed to function the way an EDR platform needs them to. The sheer amount of network traffic that an EDR agent generates would overwhelm the virtual desktop and consume much of the memory needed to operate a VDI. As a result, EDR wouldn’t provide any security benefits to a VDI.
Virtual Desktop Security Benefits from Moving Target Defense
VMware and Citrix both make good recommendations for how to adapt antivirus platforms to secure virtual desktops against cyber attacks. That said, antivirus software can’t provide VDIs the security they need against fileless attacks, evasive malware, zero days, or in-memory exploits.
And truly having strong virtual desktop security means protecting endpoints against those advanced cyber threats. That’s where the lightweight agents of moving target defense technology enter the picture. Because moving target defense is designed to morph application memory and then step out of the way, there is no runtime component to consume memory resources needed to operate a virtual desktop.
The deterministic nature of moving target defense protection also means there’s no signature database to update, eliminating the possibility of a boot storm on startup. Additionally, the moving target defense agent is copied to every virtual instance, allowing persistent and non-persistent virtual desktops to be “born secure” and automatically hardened against advanced threats. For this reason, moving target defense should be a key addition to the security of any virtual desktop infrastructure.
Strong VDI security is a crucial need in our increasingly work-from-home world. To make that happen, organizations need traditional antivirus on the golden image to ensure you have protection from known file-based threats and moving target defense to protect each virtual instance against fileless attacks, evasive malware, unknown zero days, and in-memory exploits. Only then can IT teams rest easy and know they’re protected against the most dangerous cyberattacks.