Securing Virtual Desktop Infrastructure (VDI)

By: Deep Instinct Product Management Team

With the recent release of v2.2, we have added several protection layers in order to deliver a complete cycle of protection for enterprises. Among the new added layers, we have added VDI compatibility. In this post we will cover what VDI security means, how it is used and how we ensure our customers VDI environment remains protected.

What is VDI and what are the main use cases & benefits?

As the usage of VDI has recently increased, it’s important to pay attention to the security challenges IT faces when implementing such infrastructure in an organization. Deep Instinct’s Endpoint Protection Platform provides a complete, lightweight and optimized solution for VDI environments which allows IT teams to gain the benefits of VDI and while not compromising the organization’s security level.

Deep Instinct Endpoint Protection Platform is certified and compatible with Citrix XenApp 7.15, Citrix XenDesktop 7.15 and Amazon Workspaces and compatible with vMware Horizon 7.

In this post, we will discuss what VDI security means, popular use cases, the security challenges it brings and how to deal with such challenges.

Desktop virtualization is a software technology that separates the desktop environment and associated application software from the physical client device that is used to access it. Virtual Desktop infrastructure (VDI) is a virtualization technology that hosts a desktop operating system on a centralized server in a data center. Desktop virtualization can also be provided in a Desktop-as-a-Service (DaaS) model, in which typically the provider takes full responsibility for the hosting and maintenance.

Popular Use Cases

Healthcare – As security is one of the biggest concerns in the healthcare industry, it is extremely convenient to use VDI in order to allow permission-based access to virtual desktops and staff members can use multiple devices throughout the day while maintaining the same user experience.

Education – In an educational institution, where students remain in a building during predictable hours, VDI comes in handy as it is a necessity to apply strict restrictions on what they can and cannot have access to. With VDI, the IT team can provide each student their own virtual desktop with any necessary restrictions for the duration of their enrollment. Then, after graduating, the IT team can delete the virtual desktop in a matter of seconds with only very few clicks.

A similar use case can be found for organizations with contingent employees.

Shift Workers – For organizations s that primarily hires  employees based on shifts, they can easily maintain less physical endpoints, as multiple workers work with the same physical machine while having a dedicated virtual desktop for each.

Benefits when implementing VDI

Reduced PC costs – VDI can reduce cost by providing more lightweight devices for employees and avoid upgrade or hardware acquisition costs associated with a refresh by extending the use of current VDI hardware.

Centralized desktop management – IT administrators can more efficiently manage user desktops, settings, and IT policies from one central point.

Patching processes – By installing patches to a master image that IT maintains (so that it can be shared among many users), IT can ensure that all end-user desktops are up to date and in sync.

Why AV/AEP (Advanced Endpoint Protection) deployments are still required and their security challenges

There’s no doubt that VDI is a great solution with many benefits when managing a modern IT environment, but improving the organization’s security should not be included among those benefits.

Just to mention a few of the security challenges IT need to address in VDI environments:

• File-less Attacks – (to name a few: Angler EK, Duqu 2, Kovter) The use of fileless attacks is increasing and becoming a more and more popular method used against organizations by attackers. Fileless attacks can harm VDI in the same way they harm non-VDI devices and the damage is “agnostic” to VDI – from credential stealing to keylogging, the risk to the organization stays the same when comparing VDI and non-VDI.
• Phishing Attempts – Users are still exposed to Phishing attack (either through emails or other ways of sharing data between users within the VDI environment)
• Data Leaks – In the typical case where the VDI machines are “always online” and users access cloud services, IT have even less control of the data (either outgoing nor incoming)
• Malware Propagation – In many cases, a VDI machine has access storage which is external (e.g. a network drive, documents repository), even for “non-persistent” machines (e.g. the user profile which is persisted to improve usability and productivity). This is extremely useful when an adversary tries to propagate a malware within the network.
• Re-imaging of a compromised device is still required – Though VDI Re-imaging might have a lower cost to IT, it still has some cost and impacts productivity (e.g. the user profile is being deleted), thus it’s needed to reduce such events
• Slow Vulnerability Patching – Update cycles might be centrally managed in VDI, but tends to be slower as there’s a need to update the golden image, which is a “wide-impact” operation done usually in a gradual manner (e.g. approval/certification process)

The challenges and complications when deploying VDI Security

On top of the challenges that come with deploying and AV in an enterprise, when it comes to deploying VDI security in an environment, there are some additional challenges, including:

Traditional AV/signature based/cloud based are:

• Hard to deploy and maintain in VDI (e.g. frequent golden image update)
• Every golden image update or event reboot (in non-persistent) requires signature update downloads (update size depends on how old the signature is)
• High footprint on a light-weight machine (which is in many cases the initial motivation to move to VDI, cost optimization) resulting in deploying more powerful VDI machines (which results in suboptimal cost)

In addition to the challenges mentioned above, it is still required to protect the server so the VDI machine isn’t exposed to attacks (e.g. browser based, doc files with malicious macros, file-less attacks).

Deep Instinct’s added value in VDI security

• Not signature based, the deep learning brain requires updates in low frequency (quarterly)
• No need for a constant full scan, thus reducing the need to maintain a “global I/S cache”
• Lightweight agent (<11MB & 1%CPU)
• Full protection compared to a physical device
• Full protection in offline/air gapped
• Full incident visibility and response
• Easy deployment and simple management best-practices
• Flexible licensing model

To sum up, the VDI environment comes with many benefits, but it is important to be aware of the security challenges that come with deploying it. Deep Instinct addresses those challenges while maintaining low footprints, seamless deployment and easy management.