VDI – The Un-Celebrated Cyber Security Tool
Over the years I have read, participated in, or attended hundreds of cyber security panels, presentations, and articles Most of the traditional tools found in an analyst’s toolbox are front and center; firewalls, segmentation, port-security, endpoint protection, command & control, and more recently artificial intelligence or machine learning as ways to build your depth in defense strategy. One tool that is rarely, if ever, talked about is Virtual Desktop Infrastructure, or VDI.
For years, VDI has been looked at as a tool to improve efficiency by centralizing desktop administration. It allows you to standardized on software versions across your company, ensure patches and updates are on every machine for every user, and it reduces your administration time down from thousands of desktops to just a few, or even one in some cases. There are two types of VDI infrastructure, and Access Automation describes a good description between persistent vs non-persistent VDI, if you would like to understand the differences better. While I disagree that persistent VDI is the only way to grant users customization of their desktop, believing that the combination of Roaming Profiles and Non-Persistent VDI give much of the same amount of customization to the user, the advantage non-persistent VDI implementations provides to thwart cyber-attacks makes the decision an easy choice for me.
Outside of restricting shadow it, or unapproved software, from being installed on your desktops the main advantage non-persistent VDI provides is TIME. According to a report published by US cyber-security FireEye, 76% of all ransomware infections in the enterprise sector occur outside working hours, with 49% taking place during nighttime over the weekdays, and 27% taking place over the weekend. It is important to also note that these attacks are not the result of immediate payload download and execution, but instead are the result of prolonged network compromise and intrusion. In layman’s terms, that ransomware payload has been sitting on your desktop for days or weeks before executing when the company is at most vulnerable, with less employees providing slower responses to attacks.
Knowing this gives us an advantage. What if you can remove these payloads when they are first installed, but before they execute their payload? With just one tool, non-persistent VDI, you have the ability, if we take FireEye’s study as absolute truth, to reduce your ransomware attacks by 76%. Think about it, a VDI desktop that is destroyed upon logoff, or when it has been idle for some set amount of time. Your non-persistent VDI would only have, on average, 8 hours of life before being reset to its day one golden state. If your bring in human intuition into the factor, and by having your users logoff when they get those butterfly’s after clicking on a phish, you are reducing one of the main factors of any cyber-attack, the time to execute! Does it work? One CISSP, Tony Moua, once commented on a system I deployed: “I have never seen a more quiet system when I look at the endpoint protection logs”.
Many will argue that VDI should not be seen as technology that 100% stops cyber-attacks. Any argument against that sentiment would be foolish, because VDI is not 100% invulnerable to attacks. But it is a tool, and like all the other tools in the tool box, they are designed to provide security with their strengths, where other tools will help mitigate their weaknesses. With VDI, that strength is reducing the time payloads have to execute; along with unified patching. For me, these are valuable security feature few other tools possess.
In later blogs, I will most likely share non-persistent VDI designs I have deployed at mid-sized enterprise companies, as well as share strategy’s that will help your company embrace VDI as part of the new-normal. For now, just understand, there is another tool in your cyber security toolbox to help protect your enterprise, and that tool is VDI.
How are you trying to reduce the threat of ransomware. Let me know and leave your comments.