Protecting the virtual desktops

Despite the persistent myth of security-by-default, virtual infrastructures need protection every bit as much as physical ones. Almost all existing threats are relevant for virtual machines, too.

Desktop virtualization (Virtual Desktop Infrastructure, or VDI) has become a de facto standard in many organizations. The two greatest business reasons for this are cost reduction and the simplification of some system administration tasks. In addition, the use of VDI technology allows for quick, off-the-shelf workstation creation and management of employees’ mobile access to corporate resources using a wide variety of devices.

Despite the persistent myth of security-by-default, virtual infrastructures need protection every bit as much as physical ones. Almost all existing threats are relevant for virtual machines, too. You may read more on VDI technology, its advantages and disadvantages, and its need for protection in this article. Here, we focus on the tools Kaspersky Lab developed specifically to protect virtual environments.

Why conventional security solutions aren’t suitable for virtual environments

First, let’s look at where standard solutions fall short with regard to virtual environments. Actually, the main problem is a direct consequence of the principal benefit of virtualization — saving resources. After all, what does a hypervisor do with available memory and processing power? It distributes them among multiple virtual machines. Consequently, the more intensive processes run on each of them, the fewer machines the infrastructure can support. In addition, the entire system’s fail-safety suffers as a result of the lack of resources.

Meanwhile, the same software runs on each machine. That is, the CPU of the physical server where the virtual infrastructure is deployed actually fulfills multiple copies of the same task. And then there is another problem — so-called activity storms. They are particularly troublesome in environments where many virtual machines with the same software are deployed. For an easy example, let’s look at security solutions.

Software resource consumption is changeable. Security products are on standby most of the time, anticipating an attack, but occasionally they need to scan the entire machine. Just imagine that scanning starts on all virtual machines simultaneously. The result? Overloading and slowing across the system.

How Kaspersky Security for Virtualization | Light Agent protects VDI

To protect virtual environments, Kaspersky Lab adopts two approaches, both of which are implemented in Kaspersky Security for Virtualization. The first is Kaspersky Security for Virtualization | Agentless, which doesn’t need to be installed on the virtual machine; it operates in infrastructure only under the control of VMware vSphere. The second is Kaspersky Security for Virtualization | Light Agent which installs a light (but fully functional) version of the security solution on each machine. It can be deployed on a variety of platforms: VMware, Microsoft Hyper-V, Citrix, and KVM. We believe Light Agent is the most effective way to protect VDI because it fully supports the most popular solutions for desktop virtualization, Citrix XenDesktop and VMware Horizon.

The core of our solution is the use of a dedicated virtual machine (Security Virtual Machine, or SVM), which comprises all of the specific tools to combat cyberthreats. Essentially it assumes the function of a security solution for other virtual machines with light agents installed. This configuration enables the agents to send in the data for analysis and receive and execute instructions; as well, an SVM can orchestrate scanning tasks on different light agents according to the workload of the host.

The presence of the light agent can effectively protect virtual machines because of its direct access to a VM’s memory and core system processes. The agent also engages advanced security technologies, such as web control, applications control, and devices control.

Memory processing control is particularly important now because cybercriminals tend to avoid detection by developing malware that operates in RAM only (without the need to save files to disk). Light agents help to combat such advanced techniques in virtual machines. Moreover, the methods based on tracking the behavior of processes help to detect malware with obfuscated code (disguised or confused to impede analysis and understanding of working algorithms), which cannot be detected at the file system level.

The Automatic Exploit Prevention feature in Kaspersky Security for Virtualization | Light Agent enables it to prevent the exploitation of vulnerabilities, including attacks by zero-day (newly discovered and previously unknown) exploits.

One of the most potent proactive layers of VM security is the Applications Control with dynamic allowlists. Its use prevents any applications from running unless they are listed as trusted software by the system administrator or included in Kaspersky Lab’s regularly updated cloud database of reliable software.

It is also worth mentioning that the light agent’s presence allows Kaspersky Security for Virtualization to detect and prevent port scanning (a trick often applied by hackers at the stage of gathering data about the target machine).

The preceding is not a complete list of technologies implemented to protect virtual environments. While developing Kaspersky Security for Virtualization | Light Agent, we also paid much attention to prudent resource management. In particular, the central security virtual machine (SVM) supports a shared cache, which allows files to be scanned on one of the nodes only and never to be checked repeatedly (because their check data is already stored in the cache).

Thanks to all of these technologies, our light agent–based solution on the one hand provides a reliable level of protection for virtual environments, and on the other hand does not overload the infrastructure and therefore saves resources.