Most VDI shops don't bother with malware threat analysis because virtual desktops are generally considered secure. But malware attacks can happen during the boot process or even through the user profile and settings layer.
This could be a great value-add for certain VDI scenarios.
Those centralized virtual desktop images share physical resources, so potential threats can cause great damage to the organization if hypervisor isolation is broken, said Chris Morales, a security analyst at 451 Research, a research firm based in Washington, D.C.
IT administrators might also forgo malware threat analysis because of the performance hit those tools cause. In a virtual desktop infrastructure (VDI) deployment with hundreds of sessions running concurrently on a single server, doing a malware threat analysis via a memory dump is computationally taxing on that shared pool of resources. The memory dump file can involve a significant amount of disk I/O during data transfer, which drains desktop performance resources in the process.
A malware analysis tool that doesn't drain performance resources could end up being a great virtual desktop security play and specifically, for Desktop as a Service providers, said Guise Bule, CEO of tuCloud, a hosted nonpersistent virtual desktop vendor based in Anaheim Hills, Calif.
An update to HBGary Inc.'s Active Defense malware analysis tool could alleviate those performance bottlenecks, allowing more organizations to take a proactive approach to cyber-security for VDI. When the next version of Active Defense is released at the end of April, IT pros will be able to opt for a memory-only, runtime analysis option that reads the pseudo-physical memory abstraction on the guest operating system instead of generating an image and dumping the data to a disk, according to Jim Butterworth, chief security officer at HBGary.
This allows for a quicker return of the analysis, but more significantly, it doesn't put a strain on the shared resources required to obtain those results, he said.
Active Defense uses a color-coded threat severity score for the thousands of existing malicious codes attempting to penetrate an organization's network. Administrators can locate, identify and respond to threats accordingly.
Virtual desktop security attacks delay malware analysis
Though it draws several comparisons to Bromium Inc.'s vSentry approach to security, Active Defense is best suited to VDI deployments because of the new runtime analysis feature, whereas vSentry's use of sandboxing individual processes within a hardware microvisor is best suited to 64-bit Windows 7 fat PCs, 451 Research's Morales said.
There are plenty of VDI performance monitoring tools from SolarWinds, EG Innovations, OpenNMS and others, but they don't typically do malware analysis, Morales said. Conversely, many existing malware analysis tools aren't designed to be run within a virtual desktop production environment.
"Pairing a nonpersistent desktop with a proactive security tool like that would mitigate cyber-risks and make a heck of a lot of sense," tuCloud's Bule said. "Since that nonpersistent desktop is completely disposable, any changes made to that image are killed when the session ends."
"It's isolating physical risk profiles into containers, thus creating a honey trap separate from the rest of the network for hackers to hack," Bule said. "This could be a great value-add for certain VDI scenarios."
On the other hand, for large organizations not overtly concerned with a robust cyberdefense -- such as, for example, a university with public terminals -- they might be more than satisfied with running antivirus software on the back end of their VDI deployment, he said.
"If you're a small or medium-sized shop and only have a few IT guys, there's no way you're using a tool like this," 451 Research's Morales said. "It's a more advanced, time-consuming approach to cyber-security."
Active Defense currently works on Microsoft's Hyper-V and VMware's vSphere. It costs $49 per node, with discounts for bundled nodes.