Working anytime and anywhere, that's what end users want. But you, as an IT security professional, want to be certain your employer is protected in the Virtual Desktop Infrastructure (VDI) environment. This puts you in an awkward predicament.
Your organization chose desktop virtualization partly for its greater flexibility, simpler management and cost-efficiency. By packing as many simultaneous application sessions as possible onto as few virtual server resources as possible, a lot of money could be saved. Unfortunately, the antivirus solution all too often throws a spanner in the works.
A bad marriage
A traditional antivirus solution is a fundamentally poor fit for a virtualized desktop environment. This is because traditional antivirus solutions focus on recognizing (malicious) files by their external features, above all their file hashes. Given the enormous number of malicious files detected over the past years, such a solution relies on a gigantic database of known malicious and known trusted files.
Of course, the value of this antivirus database depends entirely on how current it is. And that is exactly where the problem lies. At the start of every new VDI session, the database is by definition outdated and must first be updated, which costs valuable time and resources. When the (non-persistent) VDI session is discarded at the end of the day, the freshly updated antivirus database is in effect thrown away again. Obviously, the whole process repeats the following day. For every session. Every day.
To avoid excessive budget overruns, and under pressure from management, CISOs regularly choose to reduce the security measures on their VDI servers. After all, that way more users can be served without purchasing extra server capacity. This is not just about "nice to have" security features: irresponsible concessions are knowingly made to the organization's security level.
The solutions you shouldn’t choose
In practice, many organizations find workarounds for this recurring problem. Some invest in more server capacity, but that is costly (and cost is exactly what virtualization was supposed to reduce). Others feel compelled to simply switch off the entire antivirus solution so that users can at least continue working. Neither is a good idea.
Time to say goodbye
Apart from the performance challenges traditional antivirus solutions bring, they no longer offer proper protection against the modern attack techniques of malicious parties. After all, a standard antivirus solution only looks for threats packaged in a file, and usually only for files it has seen before. Attackers know this and make sure their files simply change form (changing a single byte already yields a new hash), or, more often, they choose attacks that need no file as a delivery mechanism at all: the so-called "fileless attacks", which run in memory through legitimate tools already present on the system.
The defeated compromise
A real "next generation" endpoint security solution is not fixated on recognizing files. Instead, it focuses on recognizing suspicious behavior on the system, which provides protection against both file-based and fileless threats, regardless of whether they have been seen before.
Advanced endpoint security solutions that work this way do not depend on a database of descriptions of what is good and what is bad. Instead, these solutions are always up to date, even when a new VDI session starts. For every session. Every day.
If you choose a modern endpoint security solution like this, you can confidently make the most of the available server resources without making concessions at the security level.
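To make the difference between the two approaches concrete, here is an added example (not code from the original post, SentinelOne or EASI) in Python. It contrasts a hash-based signature check with a simple behavioral rule. The payload bytes, the one-entry "signature database", the process telemetry and the detection thresholds are all constructed for illustration; a real engine correlates far more signals, and an Office application spawning a script host with obfuscation flags is used here only as a typical fileless pattern, not as a complete detection policy.

```python
import hashlib
import re

# Constructed sample payloads: a "known bad" file and a copy with one byte appended.
KNOWN_BAD = b"MZ\x90\x00" + b"constructed-sample-malware-body"
MUTATED = KNOWN_BAD + b"\x00"   # one extra byte is enough to produce a new hash


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "gigantic database" of the article, reduced to a single known-bad hash.
SIGNATURE_DB = {sha256(KNOWN_BAD)}


def hash_detect(data: bytes) -> bool:
    """Signature-style check: exact hash lookup, nothing more."""
    return sha256(data) in SIGNATURE_DB


def hash_scan(files: dict) -> list:
    """Scan a mapping of path -> file bytes; return the paths whose hash is known bad.
    A fileless attack writes nothing to disk, so it hands this scanner an empty mapping."""
    return [path for path, data in files.items() if hash_detect(data)]


# Constructed process telemetry: a document opened in Word launches a hidden,
# base64-encoded PowerShell command. No malicious file ever touches the disk.
# The encoded string is the constructed base64 of UTF-16LE "IEX (New-Obj".
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "cmdline": "winword.exe invoice.docx"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    # Benign: an admin running PowerShell from the desktop, no obfuscation flags.
    {"pid": 400, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line markers commonly used to hide or obfuscate a script (assumed rule content).
SUSPICIOUS_FLAGS = re.compile(r"(?i)(-enc\b|-encodedcommand|-w\s+hidden|downloadstring|\biex\b)")


def behavior_detect(events: list) -> list:
    """Behavioral rule: a script host spawned by an Office application with
    obfuscation flags on its command line. Returns the pids of offending processes.
    No file hash is consulted, so the rule works for never-seen and fileless cases alike."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent is not None
                and parent["image"].lower() in OFFICE_APPS
                and e["image"].lower() in SCRIPT_HOSTS
                and SUSPICIOUS_FLAGS.search(e["cmdline"])):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print("known bad by hash:", hash_detect(KNOWN_BAD))      # True
    print("mutated by hash:  ", hash_detect(MUTATED))        # False: one byte changed
    print("fileless by hash: ", hash_scan({}))               # []: nothing on disk to scan
    print("fileless by behavior:", behavior_detect(EVENTS))  # [300]
```

Run it and the asymmetry is visible at once: the hash lookup catches only the exact sample it already knows, misses the one-byte variant, and has nothing at all to examine in the fileless chain, while the behavioral rule flags the Word-to-PowerShell chain without needing any prior knowledge of the payload. The same rule also shows the usual caveat of behavioral detection: it needs tuning per environment, since legitimate macro-driven workflows can produce similar parent-child chains.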
Eric van Sommeren is Director Sales Northern Europe for SentinelOne. He shares his passion for endpoint security software as a guest blogger for EASI.