The incredible Bromium dev team has just delivered vSentry 1.1, which includes the first features that will allow us to extend the groundbreaking security capabilities of micro-virtualization to all enterprise desktops. vSentry 1.1 helps enterprises to secure Windows® XP, both 32- and 64-bit versions of Windows 7, and virtual desktops delivered with Microsoft Remote Desktop Services (including Citrix XenDesktop and VMware View).
Our goal is to enable enterprises to protect all desktops by design – whether native or hosted – using CPU features for virtualization to hardware-isolate each untrustworthy task, without impacting user experience.
Other than the imminent EOL of XP support, one of the key reasons to move off XP is that it is as much as 5 times more vulnerable than Windows 7. Hanging onto XP for presumed challenges of application compatibility is in my view not tenable: both Windows 7 and Windows 8 offer superb application compatibility, and leaving the enterprise massively exposed to malware is simply irresponsible. So if you haven’t started your migration, get on with it.
But increasing user mobility, and the potential use of tablets and other client form factors, including Macs, have thrown a wrench into what would traditionally have been a relatively straightforward enterprise PC upgrade – including hardware refresh. Suddenly the concept of “Bring Your Own Device” has been injected into discussions about the strategic planning for the future of the enterprise desktop. The young, cool and hip are great fans of this approach, as are senior executives; CFOs in particular are natural allies: if the user owns the device, that’s less for the enterprise to buy and maintain. As a result, many enterprises are evaluating VDI as a way to deliver Windows 7 to users on any client. But simply moving a user from XP to a VDI-delivered Windows 7 desktop will not necessarily improve security – indeed it can make it worse.
Virtual desktops are vulnerable to exactly the same attacks as native PCs. If you doubt this, you’ll find considerable discussion and evidence on BrianMadden.com, penned by Shawn Bass – one of the most respected desktop technologists in the industry. A compromised virtual desktop puts the attacker in an ideal location – the data center – from which he can further penetrate the infrastructure. Moreover, since VDI desktops typically all appear on the same LAN segment (or VLAN), it is possible for attackers to spread laterally from one virtual desktop to another. Legacy signature-based AV protection doesn’t scale well in virtual desktop environments, despite the architectural modifications made by AV vendors, so the vast majority of VDI desktops today have no endpoint protection at all – leaving IT to rely solely on perimeter protection. And unfortunately a successful attack on a VDI desktop is just as likely to persist long enough for the attacker to succeed as on a traditional PC running AV – because VDI desktops are not refreshed on a time-scale relevant to security.
A security-centric analysis obliges us to ask how long it takes for an attack to execute and further penetrate the infrastructure, and the unsurprising answer – seconds – is the final proof that there is nothing that VDI can do to help security, though for paper-trail purposes it certainly appears to help with compliance. Users of virtual desktops will still be tricked into clicking on bad links, and into opening poisoned documents and media that download malware onto the virtual desktop to attack the enterprise with the goal of stealing (elegantly centralized, but nonetheless accessible) enterprise data.
Now we can start to fix that. vSentry 1.1 will allow Bromium to begin to deliver the benefits of micro-virtualization and hardware-based security to all enterprise desktops, reducing the enterprise attack surface for all users – without new management tools or skill sets. Our hosted virtual desktop capabilities begin with web-based protection, but will rapidly evolve to support all untrustworthy content and services.
We believe that in the context of RDS and VDI it is also important to address security concerns related to the device to which the desktop is delivered – a PC, a thin client or a tablet, and even BYO PCs – including Macs. Each of these absolutely needs to be properly secured. Re-purposed legacy PCs are particularly worrisome because they typically only have AV and still need to be patched and managed. My recommendation would be to upgrade the client to modern PC hardware – a Windows 7 PC or Mac that has Intel VT support. This will allow you to take advantage of hardware-based security – such as micro-virtualization – to protect the delivered desktop or applications (the RDS/HDX/PCoIP client), and to protect the user when they browse the internet or interact with untrusted content from the client device. We hope to have more news about micro-virtualization for Macs early in 2013.
Finally, in vSentry 1.1 Bromium LAVA (Live Attack Visualization and Analysis) goes GA, having notched up several successful PoCs during Q3/4. Rahul Kashyap, our chief security architect, will explain those features in more detail. In addition, to help enterprises scale our solution across large numbers of endpoints, vSentry 1.1 includes the first version of the Bromium Management Server (BMS), which provides a centralized web service for vSentry policy management, collection of LAVA events from all desktops in the enterprise, and correlation of attack data. It also provides a centralized console for visualization and analysis of malware forensics, and it collects events from all vSentry-enabled systems for input into enterprise security analysis systems such as SIEMs, third-party consoles such as McAfee ePO or Symantec SEP, or big data platforms such as Splunk.