Protecting your virtual endpoints in the new remote work frontier

Oct. 20, 2020
This pandemic has taught us that productivity isn't confined to the four walls of an office

As states begin to reopen, and businesses gradually welcome their employees back to the office, many companies have opted to continue participating in the worldwide work-from-home experiment. And the reasons are hardly surprising.

Working remotely has always offered employees more flexibility, but this pandemic has taught us that productivity isn't confined to the four walls of an office. As a result, corporations such as Twitter and Shopify have stated that they will allow their staff to work from home until the end of the year or even permanently. Considering WFH was sprung on employees almost overnight, it’s fair to say they’ve aced the transition.

However, for every benefit, there is also a challenge that both employees and employers must overcome. For one, merely ensuring that employees have access to the applications and tools they need to do their jobs is a challenge. With 56 percent of employees using their personal computers to work from home, this is especially true. The rise in personal computer use for working is one pressing reason why so many companies are deploying a virtual desktop infrastructure (VDI). By expanding out a virtual desktop environment to the edge, employees have streamlined consistent access to the applications and data needed to perform their jobs. VDI environments also offer a fast and cost-effective method to ensure that remote workers can remain productive. 

But the truth is that, because data is stored centrally, many enterprise organizations have formulated a false sense of security that their VDI instances are safe from an attack. This couldn’t be further from the truth.  Virtual desktops are still endpoints that are just as susceptible to an advanced attack as physical endpoints.  Threat actors specifically target unprotected VDI environments to steal credentials, establish a beachhead, and move laterally into the data center.

With Gartner reporting that 74% of CFOs are planning to shift previously office-based positions to work-from-home permanently, the pressure on security professionals to protect their colleagues from bad actors shows no signs of letting up. With the shift to VDI corresponding with enterprise endpoint attacks tripling during the recent shift to work from home, here’s a look at the challenges security teams are facing in moving to virtual environments.

Limited Memory and CPU Resources for Each Virtual Instance: When a new virtual desktop is created, the virtual machine monitor (or hypervisor) assigns the right amount of memory and CPU that’s needed for each child desktop to operate. This assignment typically considers all applications within the virtual environment and the number of child desktops required at any given time.

When it comes to non-persistent desktops that have to be reallocated with each new user session, this is a particularly important process. It’s critical to gain the most ROI from a VDI deployment, and the best way to do that and save on cost is to maximize the number of instances in-use at any given time on each host server/hypervisor combo.

However, the agents for most antivirus platforms, and especially the ones that use machine learning for detection, tend to consume significant memory. As a result, deploying one of these agents on a virtual desktop often reduces the number of virtual instances that can be run on the host server. It’s because of this that installing antivirus on these desktops often leads to an increase in costs since fewer desktops can be deployed on each host server and additional infrastructure needs to be installed to meet the same needs. Without these agents included, IT teams can deploy many more virtual instances on each host server.

Antivirus “Boot Storm” Has Performance Impacts: Antivirus products require regular updates to their signature database to function properly. Even next-generation antivirus software, which often leverages machine learning algorithms, requires regular updates. This is normal for these solutions to work properly, and on a physical endpoint, there isn’t an issue because physical endpoints have enough memory to receive updates with no performance impact. However, virtual desktops — particularly non-persistent ones — deployed with just enough resources can easily be overwhelmed if there are substantial updates required since the last time they were booted up.

Ideally, all signature or algorithm updates should occur on the golden image at the hypervisor level before spinning up new virtual instances. A golden image is a pre-configured template that allows you to deploy several remote desktops, applications, and virtual machines based on a single, core desktop image. If the golden image isn’t kept regularly updated, there’s a risk of an antivirus “boot storm” where multiple signature database updates are downloaded the instant the non-persistent child desktop comes online.

If this happens, there is a significant impact on user experience and a massive spike in network traffic. VDI vendors VMware and Citrix, in fact, recommend turning off automatic updates for antivirus products on non-persistent desktops to avoid having a boot storm occur.

Teams Must Overcome Unreliable Endpoint Telemetry: Endpoint detection and response (EDR) solutions require an agent to be installed on each endpoint, regularly sending telemetry back to a central console. In a physical endpoint environment, this means an agent on each workstation delivers the needed information back into the analytics engine. In a virtual environment, however, it does mean putting an agent on every virtual desktop as well as the host server.

The reality is that putting a single EDR agent on the host server provides minimal visibility into desktops, which is what the IT team would need to monitor all endpoints adequately. And because the data that an EDR solution ingests from all of these agents is immense, it would end up overwhelming resources on each virtual desktop and cause major network traffic at the same time.

In addition, virtual desktop instances aren’t designed to function the way an EDR platform needs to monitor them for threats accurately. As a result, the sheer amount of network traffic that an EDR agent generates would overburden the virtual desktop and consume much of the memory it needs to operate the VDI. Ultimately, this means that EDR wouldn’t provide any security benefits to a virtual desktop infrastructure.

Battling Network Limitations: Network traffic is generally expensive and, because virtual instances are created only when needed, companies using VDI often experience a highly variable network load. In both monitoring and detection, every additional agent creates extra weight on the network — making it easy to overload the virtual desktop and consume too many resources.

To limit the network load, detection solutions can restrict traffic to and from each virtual desktop. However, this can give attackers a bigger time window when a virtual desktop isn’t updated. This creates the risk of lateral movement, credential theft, or any number of other cyberattacks.

To account for this, some VDI vendors have introduced the ability to only update signatures based on what the specific virtual desktop is missing at the moment. Other IT leaders advise updating the golden image regularly to ensure that desktops have the most up-to-date information. This limits network load and can be expanded exponentially, depending on the number of virtual instances that are looking to be updated. Detection and monitoring solutions further will take necessary CPU resources, which additionally increases costs commensurate with the number of resources consumed

How to Secure Your Virtual Endpoints from Bad Actors: Despite the gaps described above, the benefits of virtual desktops have put them in high demand. But like any tool or resource your company deploys, any and all security concerns must be considered.

First of all, to overcome the challenges imposed by limited memory and CPU resources, deploying a lightweight agent is a good idea. The lighter the agent in your security solution, the less memory is consumed, which ultimately ensures you can increase the number of virtual desktops that can be deployed on each hypervisor. This limits your hardware spend and ultimately can help improve your ROI.

Taking a lightweight approach is in high demand by numerous government agencies across the globe who are looking to secure critical virtual infrastructure without spending additional money on more hardware. Our team at Morphisec has been working hand-in-hand with the U.S. Department of Homeland Security’s Silicon Valley Innovation Program to develop a solution that prevents attacks against critical financial infrastructure without reducing the overall performance of VDI environments.

Additionally, you should install a platform that doesn’t require updates. With antivirus boot storms a real problem, the golden standard for protection is a platform that doesn’t need updating on boot. You can get around the boot storm by keeping the golden image updated, but that only secures you against known threats. For unknown threats, the best option is a platform that doesn’t require updates to secure VDI against advanced evasive malware. This enables each child desktop to be “born secure” because it doesn’t need to worry about updating signatures or algorithms.

And lastly, use a hardening solution to limit the attack surface. Hardening is one of the best ways to add security to an endpoint. It’s next to impossible to harden a physical endpoint past a certain point, primarily because of the greater need for flexibility. This isn’t the case with a virtual desktop. Virtual desktops, especially non-persistent ones, can be more readily hardened compared to physical workstations. A solution that offers hardening capabilities is thus hugely beneficial.

While it’s highly unlikely that the office will become obsolete, working from home will become a more attractive option for millions of employees — whether it be a permanent shift or a part-time one. As a result, enterprises of all sizes are going to need to secure their virtualized infrastructures against advanced evasive malware. And they will need to do so with a security solution that avoids antivirus boot storm, doesn’t consume memory or CPU resources, doesn’t require frequent updates, and avoids the need for EDR-like endpoint telemetry.

About the Author:

Andrew Homer is the VP of Security Strategy at Morphisec and has numerous years of hands-on experience creating strategic technology partnerships and leading teams through growth phases. Prior to Morphisec, Andrew was Director of Business Development and Technology Alliances at RSA, where he led the company’s technology ecosystem, strategic alliances and embedded OEM partnerships. Over the past two decades, he has gained a wealth of both corporate and high-growth experience, having held business development positions at Dell, EMC and VMware. Andrew attended the University of Massachusetts, Amherst for his undergraduate degree and obtained his MBA from Babson College.

About the Author

Andrew Homer | VP of Security Strategy at Morphisec

Andrew Homer is VP of Business Development at cybersecurity startup Morphisec and has numerous years of hands-on experience creating strategic technology partnerships and leading teams through growth phases. Prior to Morphisec, Andrew was Director of Business Development and Technology Alliances at RSA, where he led the company’s technology ecosystem, strategic alliances and embedded OEM partnerships. Over the past two decades, he has gained a wealth of both corporate and high-growth experience, having held business development positions at Dell, EMC and VMware. Andrew attended the University of Massachusetts, Amherst for his undergraduate degree and obtained his MBA from Babson College.