It happened so gradually that we almost didn’t notice it. The initial rush to establish remote work systems was fueled by frantic desperation and necessity. Businesses that never even considered having a remote workforce were thrown into the deep end to sink or swim. To facilitate flexible ways of working, many doubled down on Virtual Desktop Infrastructure (VDI), in-house hosted digital workstations that enable access to corporate assets and applications from remote devices and locations. Others chose to connect their workers via Desktop as a Service (DaaS), virtual desktop tools that are easily deployed and fully managed by third-party providers. But while the importance of securing physical endpoints like desktops, laptops and servers was top-of-mind during this time, these cloud-based virtual machines were, in fact, also endpoints that posed similar risks and broadened the attack surface substantially. Except many companies weren’t thinking of them like that.
After the initial adrenalin wore off, employers and employees eased into a kind of semi-comfort zone. Remote work was, well, working. But just as companies began to ponder when a return to a traditional office might be possible, their now thoroughly ensconced workforce was pondering why they’d ever want to go back. The idea of hybrid working schedules began to formulate, but the path forward was still not entirely clear. And while this tug of war is currently playing out in what is being called “The Great Resignation,” malicious actors are making the most of this perfect storm of device-hopping employees, decentralized IT services and new attack vectors.
While VDI and DaaS systems have been around for a while, they’re now seeing renewed relevance as the cornerstones of distributed work models, as they give users the ability to access their work desktops, applications and data from anywhere in the world, on any device. But despite their many benefits, they also provide new, more efficient ways for attackers and ransomware actors to ply their trade. The numbers would almost seem like parodies if they weren’t so chilling — for instance, Remote Desktop Protocol (RDP) attacks rose 241% in 2020, from 969 million to 3.3 billion. Like a wounded seal flopping in the ocean, the ripples of billions of new, often unsecured endpoints frantically popping up overnight were attracting sharks. If remote work is, indeed, here to stay (and it looks as if it is — an Accenture report found that 63% of high-revenue growth companies are using hybrid workforce models and that 83% of workers prefer hybrid), then there’s much work to be done to shore up security.
Consolidating Your Strategy to Secure Endpoints Everywhere
The truth is that even supremely vigilant organizations will face exposure through DaaS and VDI systems, due to the sheer number of new attack surfaces created by a remote workforce using a combination of company-provided and personal devices. What’s more, DaaS users are often IT admin users with higher levels of privileged access than a typical business user, which makes them high-value targets for attackers.
And while these services may be new to some organizations, they are already very familiar to malicious actors. Remote code executions (RCE) are code vulnerabilities that can be easily exploited — one of the more infamous, BlueKeep, has plagued Windows operating systems since Windows 2000. The same flaws that allow for unauthorized access to a singular desktop operating system are now amplified through remote desktop environments, and attacks are proliferating as a result.
But the remedy isn’t that severe. In fact, it’s really what any company should be implementing regardless of where, when, or on what devices their employees choose to work: adopt one cohesive strategy for securing every endpoint. Because trying to juggle separate policies for remote and/or BYOD workers and in-office employees will undoubtedly lead to operational headaches and potentially dangerous security gaps.
A comprehensive endpoint strategy should center on an “assume breach” mentality. Accept that some attackers will slip through and set about limiting what they can do and where they can go once they’re inside. That way, remote desktop or not, your business’s most critical assets will be protected.
Building a Master-Level Maze, Not Walls
Unfortunately, the “firewall” concept persists. There is still that sense that locking doors and setting up walls will keep the bad guys out. Cybersecurity simply doesn’t work that way anymore. Think of it less like putting up a wall and more like building a multi-level maze that’s nearly impossible to get through. Attackers may find entrances, but once inside their paths are impeded and stairs are obfuscated to the point of rendering them mostly harmless to the truly valuable information and systems.
Consider these three-pointers when building your own security labyrinth to confound attackers:
1: Extend strong endpoint protection to all VDI and DaaS instances
Building your “maze” begins with the understanding that any identity within your organization — whether remote worker, IT admin, third-party vendor, device or application — can become privileged under certain conditions. Implementing controls that can intelligently limit access to just what a user identity needs helps protect privileged accounts from unauthorized access, but they have to be enforced consistently.
Focus on extending existing endpoint security controls to every DaaS or VDI instance, even if the end-user happens to be using a BYOD device, to minimize the risk of data theft or system disruption. As part of this, consider tools that can help DaaS administrators easily remove local admins from all DaaS instances to minimize the risk of ransomware and other endpoint attacks.
2: Keep watch for insider threats
One of the major concerns organizations have about remote and hybrid work is that they can’t physically keep an eye on their workforce and therefore their systems are less secure. While a recent study showed that 52% of employees do feel they can get away with riskier behavior when working from home, the truth is that sitting in an office isn’t necessarily any more secure, as insider threats are a constant.
Rather than looking for one security silver bullet (spoiler: none exist), layer controls and detective mechanisms to help prevent malicious insiders from accomplishing their goals. For example, privilege deception functionalities can quickly detect and block lateral movement in the network/OS instance, minimizing the impact on the logged-in user and stopping the ripple effect across users sharing the same instance. Again, the goal is to architect something closer to a security ecosystem, rather than a series of flimsily locked gates.
3: Integrate endpoint security controls with MFA
When privileged access controls are integrated with multi-factor authentication (MFA) to enable secure VDI and DaaS instance logins, password-related risks drop substantially. “Step up” MFA can also help ensure safe and secure privileged access to applications — yet another way to build twists, turns and dead ends that can corral malicious agents and severely impede their plans to march through your system.
Not only does MFA coupled with endpoint privileged access controls minimize risk, but it also gives remote and hybrid employees increased flexibility in where and when they work — which is, of course, the point. When employees feel like they have more freedom and flexibility — and companies know every identity (human or application) is secure throughout the cycle of accessing critical assets — then hybrid, distributed work ceases to be a frantic necessity and becomes a viable professional reality.
Embracing distributed work doesn’t mean resigning your company to constant cybersecurity duress; it simply calls for a unified endpoint security strategy and a solid foundation of tools, technologies and policies. Cloud-based tools like VDI and DaaS can, and should, be tools for growth and don’t have to be a constant source of consternation or concern.
Shameless plug alert: By consistently enforcing least privilege, CyberArk Endpoint Manager can help your organization tackle these important steps, while still giving end-users the control they need to work efficiently.
Have three more minutes? Check out CyberArk Endpoint Privilege Manager in action as it removes local admin rights on a virtual workspace to reduce DaaS security risks. You’ll also see some privilege elevation examples for specific administrative tasks.