As a recovering beat-up sysadmin, one of my least desired tasks was management of enterprise Anti-Virus. I’ve had experiences with multiple vendors, but there was always one consistent truth … I could never get 100% endpoint compliance or stability.
My AV clients across the globe would repeatedly suffer one or multiple fates. They’d quit downloading definitions, they’d miss a zero day (or just ignore something that had been out there forever), they’d flood the network to download a new complete set of updates, or, worst of all, would encounter a BSoD from some false positive.
One of my least favorite memories was being presented with an exec’s inoperable laptop, full of the result of surfing sites of ill repute. And the question was never, “what life choices led you to repeatedly visit this collection of content on your company issued laptop?” but more of, “how long’s it gonna take you to get this fixed, Adam?”
Missed definition updates. Crashing client AV apps. Systems not reporting in. Road warrior laptops unable to get their defs. Branch office workstations pulling from another location over spoke connections. Awkward conversations. Wash, rinse, repeat.
It’s impossible to advance your organization’s mission when you’re dealing with these minutiae, at the severest and most critical level, daily. And you’re fighting this war on hundreds if not thousands of fronts. My brothers and sisters, I feel your pain.
So, to get us all out of this Sisyphean task (and spare us embarrassment) what’s the better way than obsessing over endpoint management? What do we do instead to win this war?
Endpoint Security without endless insecurity
Reduce the scope of attack by providing the desktop and applications VIRTUALLY from a secured environment.
A big part of what keeps your servers secure is the fact that they stay in the same spot on your fixed server network. Protected behind a smart enterprise-level firewall and never touching any unsecured network, they are purpose-driven, and therefore abnormalities can be much more easily identified and addressed.
Did you know that you can secure your desktops and interactive applications the same way you secure your server hardware and network? You can, by running the desktops and apps within your datacenter, then presenting them to any devices as if they were running locally. We call this desktop and app virtualization.
It’s a lot more realistic to be able to protect all resources in your datacenter(s) or cloud than disparate endpoints spread across the globe by offering them virtually. In effect, those desktops and applications, wherever they are actually used and interacted with, never leave your internal network. When using desktops and apps virtually, all users get, wherever they are located, is an experience presented as if it is running locally.
These virtual desktops and applications aren’t going anywhere. They’re staying right there in your datacenter; the compute and networking happen right there. Your element of risk whenever the wild and free surfin’ exec goes on vacation on a North Korean beach is greatly reduced, as no production traffic traverses the network unsecured. What you mostly care about is within a short walk from your office (or within your secured cloud environment; it is 2018 (or whatever year you’re reading this) after all).
Bottom line is that these desktops and apps have fixed points of entry and access that you can feasibly control, monitor, alert, and remediate upon.
Offer quick resolution to any issue. Better yet, you can make this virtualized desktop and app experience “read only” (retaining no changes and reverting to pristine condition upon reboot).
Also, make the endpoints themselves read only. You can also make use of “zero” clients that retain no modifications from spec. With offerings allowing you to operate or convert any endpoint to a compliant zero client (at a similar cost as client based AV), we can be assured any managed endpoint’s sketchy status never impacts our organization’s security.
Here’s one vendor’s option I’m a big fan of. Note: I have no tie to this organization; I only really love the concept!
Take away privilege from unmanaged/unknown/unprotected equipment. Perhaps your company is being kind (or cheap) and giving BYOD (Bring Your Own Device) a try. Your employees can bring whatever device they’ve got and feel most comfortable working with to the table. But … if these devices don’t run up-to-date AV? Are they connecting from the neighborhood dive bar’s wifi? Then those devices don’t get on the company network at all, or they get access to only select, limited services you provide (along with a nice notice to contact the helpdesk). And in the event we need to take access and applications the organization owns away from a personal device, they go *poof* without touching an employee’s game progress and pics of the kids.
Never, ever allow unmanaged devices to connect over a client-based VPN. I would propose considering not using client-based VPNs at all. This is for both performance and security reasons. A VPN client installed locally in effect places whatever machine it runs on within your internal network. You would (hopefully) never allow a home PC to plug into your corporate network; don’t let it run a client-based VPN and connect. Performance-wise, with a client-based VPN, you are at the mercy of your internet connection speed. With app and desktop virtualization, we highly compress the experience, which again, is only graphic presentation awaiting your keystrokes and mouse clicks. This should offer superior performance every time.
Use multiple factors of authentication. This way if a user gives up their password, they’ve still got a second, ever-changing form of authentication to provide. There’s a range of options available to provide this service. Just make sure your authentication requires “something a user knows (a complex password) and something they have (a constantly changing second factor).”
Centralize your data or provide only secured access to data sources with an overlay (a single point of access to multiple storage locations). Don’t let your organization’s, or worse yet your customers’ information, sprawl across multiple storage locations outside of the control of IT. That’s begging for ransomware or data leakage.
And finally, we monitor the hell out of our systems. You need your infrastructure to tell you when something abnormal is occurring.
Doing all of the above will greatly reduce your exposure to threats. No, it will not eliminate them entirely, sorry, as there’s still a human in the equation, but we at least sleep better at night knowing it may not matter as much if a random Windows XP running machine in Timbuktu had its AV service disabled.
How do we accomplish ALL of this?
I don’t keep it a secret. I propose and position Citrix solutions for a living. I do it because I’ve experienced life as a sysadmin with and without, and I can testify to both the ease to my life and the value to my business from a user experience and security perspective. We can help you on the journey. If for whatever (erroneous) reason you don’t choose our products, I’d ask you at least choose a comparable, if lesser, one. Or rather, choose many, because no other vendor offers every solution I list here, except for Citrix.
Virtual Desktops and applications – Citrix’s flagship, and your most important service, the end user computing experience, should offer a reliable, standard experience, always accessible from any endpoint or network (should your security requirements be met). These desktops should also be able to be reverted to spec with a simple reboot to make for the easiest possible troubleshooting and security event remediation. You mistype a URL and encrypt/ransomware the OS? You download something phishy? You delete everything from system32? Reboot and have a nice day, you’re back in business. Additionally, these virtual desktops and applications can be deployed rapidly, scaled to your needs, using any hypervisor, on any storage, or within any cloud environment. https://www.citrix.com/products/citrix-virtual-apps-and-desktops/
Secured Proxy with Endpoint Analysis – To provide flexibility in the access you grant your employees and 3rd parties, implement Gateway technology, Endpoint Analysis and Secure Access on your entry point within Citrix Application Delivery Controller (ADC): https://support.citrix.com/pages/netscaler-gateway-epa
Secured, offloaded internet browsing: Citrix Secure Browser allows you to redirect web surfing to a hosted service that doesn’t reside on your network. Known, “good” web surfing? You can keep that internal. Anything else? You can offload that onto Citrix’s cloud hosted browser offering. Great for both security and removing traffic from your network! https://www.citrix.com/virtualization/secure-browser.html
Analytics: Citrix Analytics provides monitoring and alerting for both performance and security events. Are logins from the CEO’s executive assistant coming in from overseas even though you just saw her walking down the hall? Is an employee suddenly downloading a copy of every file from the shared network folder onto his home PC? These are things traditional AV won’t alert you to. Citrix Analytics can, and will also allow automated remediation of said events! https://www.citrix.com/products/citrix-analytics/
Secured file sharing and access, regardless of the location of the files: Citrix Content Collaboration takes file storage from traditional network server shares and disparate cloud services and makes it all conveniently available, securely. Data can be accessed, edited, and shared in a manner enforced by configurable policy. Files can be shared, expired, and “time bombed” even after being downloaded. Ransomware and data hostage is preventable and if necessary, recoverable. https://www.citrix.com/products/citrix-content-collaboration/
To summarize, time spent hovering over endpoint AV could be devoted to truly securing (and offering better performance within) the entirety of your environment. Make the switch today to virtualization, get some productivity back into your day … and get you some sleep!
Hit me up in the comments section or contact me directly if you have any questions regarding this article or anything else regarding desktop and app virtualization. Disclaimer: the opinions expressed within this posting are mine alone and are not representative of any other organization or entity.