Addressing the Evolution of Enterprise IT Security

How Are You Addressing Desktop IT Security at Scale?

Let’s talk about the current state of desktop security in the enterprise. With the security landscape rapidly changing in recent years, I’d like to break down how vendors and organizations have adapted, as well as what you can do to improve your security posture and reduce your exposure to risk.

The Threat Landscape is Evolving

In 2019, I had the pleasure of attending a workshop by the awesome Patrick Coble, who shared his amazing insights about general enterprise security and EUC-related security topics. He discussed how two of the biggest areas for risk are browsers and email. Five years on from that workshop, this still rings true. If anything, the rate of attacks on enterprises has increased significantly over those years.

From my perspective as an IT professional and general employee within multiple enterprises, organizations have become better at providing security training to their workers. In the past, security training was quite static and the same course would need to be completed by employees every year. Fortunately, it appears organizations are updating their training and providing information in a timelier manner. For example, many organizations were quick to put policies in place around the use of generative AI technology by their employees. InfoSec teams have also become very good at crafting fake phishing emails to test and train their workers. It’s becoming an art form in the profession. Some fake phishing emails have even been reported on by tech outlets, and not always for the best reasons. My point is that InfoSec teams are doing a great job of raising employee awareness of threats.

As a result, employees’ awareness and caution when browsing the web have improved in the past five years, and thankfully browser security is also improving. We have seen innovation in the form of secure browser solutions, such as Citrix Enterprise Browser and the recently announced Parallels Browser Isolation. Recently, Island was valued at 3 billion dollars and received 175 million in Series D funding, so eagle-eyed investors clearly believe in the value of isolation and containerization for browsers in the enterprise.

While all this innovation and increased employee awareness is certainly grounds for optimism, the fact of the matter is that cyber-attacks continue to increase. The advent of a zero-trust philosophy and zero-trust approach from tech companies such as Microsoft is an indication that raising awareness and trying to secure the most likely points of entry is NOT enough. Every organization should assume that they WILL be breached. With that in mind, we must ask the question: WHEN a hacker gains access to a corporate desktop, what will they look for and where do the weaknesses lie?

Application Vulnerabilities Are a Hacker’s Dream

The most obvious targets for hackers are user accounts, service accounts, kernel drivers, or processes that run with administrative, system, and/or elevated permissions. Once this level of access is obtained, they have the keys to the castle. Due to the nature of Windows, the need for elevated accounts, service accounts, and some kernel drivers is a reality. You can try to reduce your dependence on these as much as possible, but in some cases, applications that use these types of accounts and services are essential. Given this reality, you must secure components such as service accounts as much as possible: routinely and automatically rotate the passwords of service accounts, enforce multi-factor authentication on Administrator and elevated accounts and, of course, keep Windows and all applications installed on your desktops up to date.

That last point is easier said than done and is becoming quite the hot-button issue. Cyber gangs have been exploiting vulnerabilities on average within seven days of public disclosure, which gives enterprises very little time to deploy updates to protect themselves. If a hacker gains access to a desktop in your organization, they can check the Windows patch level and the versions of all the applications installed on the machine. If even one update has not been installed, that could be the Achilles heel that is targeted to bring your entire organization crashing down, costing millions.
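A defender can run the same check first. The following PowerShell is an added example, not part of the original article: it compares an application inventory against a minimum-version baseline and flags gaps that have been open longer than the seven-day window mentioned above. The function name, application names, versions, and dates are all constructed for illustration.

```powershell
# Added example. Get-PatchGap and all sample data below are hypothetical.
function Get-PatchGap {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,  # objects with Name, Version
        [Parameter(Mandatory)] [object[]] $Baseline,   # objects with Name, MinVersion, Disclosed
        [int] $ExploitWindowDays = 7,                  # average time-to-exploit cited in the article
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($app in $Inventory) {
        $rule = $Baseline | Where-Object { $_.Name -eq $app.Name } | Select-Object -First 1
        if (-not $rule) { continue }                   # no fixed version known for this app

        # An unparseable version string is reported, not silently treated as current.
        $installed = $null
        $parsed = [version]::TryParse([string]$app.Version, [ref]$installed)
        if ($parsed -and $installed -ge [version]$rule.MinVersion) { continue }

        $daysOpen = [int][math]::Floor(($AsOf - [datetime]$rule.Disclosed).TotalDays)
        [pscustomobject]@{
            Name       = $app.Name
            Installed  = $app.Version
            Required   = $rule.MinVersion
            DaysOpen   = $daysOpen
            PastWindow = $daysOpen -gt $ExploitWindowDays
        }
    }
}

# Constructed inventory. On a live machine, per-machine installs can be read from
# HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* (DisplayName, DisplayVersion).
$inventory = @(
    [pscustomobject]@{ Name = 'ExampleArchiver'; Version = '6.2.0' }
    [pscustomobject]@{ Name = 'ExampleViewer';   Version = '11.4.1' }
    [pscustomobject]@{ Name = 'ExampleAgent';    Version = 'unknown' }
)
# Constructed baseline: first fixed version and public disclosure date per application.
$baseline = @(
    [pscustomobject]@{ Name = 'ExampleArchiver'; MinVersion = '6.3.0';  Disclosed = '2024-05-01' }
    [pscustomobject]@{ Name = 'ExampleViewer';   MinVersion = '11.4.1'; Disclosed = '2024-05-20' }
    [pscustomobject]@{ Name = 'ExampleAgent';    MinVersion = '2.0.0';  Disclosed = '2024-05-28' }
)

Get-PatchGap -Inventory $inventory -Baseline $baseline -AsOf ([datetime]'2024-06-01') |
    Sort-Object DaysOpen -Descending |
    Format-Table -AutoSize
```

With this sample data, ExampleArchiver is reported as 31 days open and past the window, ExampleAgent is reported because its version cannot be parsed, and ExampleViewer is omitted because it already meets the baseline.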

The good news is Microsoft is making Windows Updates easier to implement by reducing the need to reboot machines to complete patching and offering a Windows Autopatch service to help streamline the deployment of Windows Updates. Windows Updates can also now be used for updating certain vendors’ drivers and firmware, if you choose to allow it. Microsoft also introduced Windows Package Manager that can be implemented to streamline updates for other third-party applications. Unfortunately, most applications being managed and updated by the service and via other Package Managers on the market are traditional Windows installer types that remain inherently susceptible to install failures, application conflicts, corruption, and exposure to bad actors.

The very nature of traditional Win32 applications delivered with traditional distribution or layering solutions poses a security risk. Applications’ files, registry entries, and other components typically get installed at the machine level, making them visible to all users and processes. Some cyber-attack campaigns involved hackers searching for common utilities on machines such as WinRAR. Upon finding it, the utility would be used to extract a malicious payload. This way, if an organization restricted downloads in their environment, the malware or ransomware could just find what it needs on the corporate network rather than on the internet. The best solution to reduce the attack surface when it comes to applications on your network is to deploy and manage them in application containers.

This certainly appears to be a goal for Microsoft with their MSIX container format. Unfortunately, at the time of recording this video, not all Windows applications will work in this format. Regardless of the compatibility rate, Microsoft is correct in believing containers will play a big part in Windows application management, application security, and general Windows desktop security.

In a previous episode of this series, I covered some of the benefits containers bring when it comes to application management, such as the ability to quickly and dynamically deliver applications and application updates, as well as package and manage applications programmatically. This is something developers and infrastructure teams have been doing for years with solutions like Docker. At a time when the number of cyber-attacks is increasing and more and more vulnerabilities are being exploited, it is imperative that you are able to quickly deploy application updates.

Some enterprises have selectively decided to enable auto updates within certain applications. Unfortunately, application updates frequently fail. These failure rates compound when vendors leverage dated package formats such as MSIs and EXEs, which makes it even more regrettable that MSIX has had a slow uptake from vendors. As a result, enterprises that enable auto updates are subjecting themselves to the possibility of failed application updates due to shortcomings of vendor package formats. When updates go awry, you’re on the hook to reactively fix them, which can be extremely time-consuming. While Package Managers do help expedite the deployment of application updates, the same blind spot exists due to dated package formats.

Application Containers Limit Risk Exposure

Application containers ARE the solution. They eliminate issues like application conflicts, failed uninstalls and updates, plus they are extensible. So much so that existing Win32 applications from vendors can be automatically packaged into containers and deployed to any modern OS. Containers are perfect for automating the packaging and management of applications, and they lower the risk of deploying patches quickly because applications deployed as containers can be rapidly rolled back to a previous version, if needed.

Application containers also provide isolation and true user targeting, which limits the exposure of application files, registries, and components to entitled users. They can prevent copying in and out of the container space to ensure the integrity of the containers and the local desktop. In addition, the payload can be uniquely encrypted per machine.

All these benefits address the most complicated area of Windows desktop security: the Applications. There are hundreds or thousands of them in enterprise IT environments and they require updates more often than ever. Because no two applications are the same, managing them may seem like an insurmountable challenge, especially for understaffed EUC teams who rely on traditional package formats and tooling. The need to modernize Windows application management has never been greater. IT teams and Microsoft alike are recognizing the need for application containers. I’d go as far as saying they are essential to the future of Windows desktops.

Subscribe to the Office of the Technologist

And on that point, I would like to encourage you to check out some of our great articles on extending DevOps capabilities to the management of your Windows applications with containers. Be sure to follow us on YouTube for more videos on the state of EUC and subscribe to our Office of the Technologist email list below for all the latest Windows technologies and trends.

About Numecent

Numecent is an award-winning cloud technology provider headquartered in Irvine, California. The company’s technology portfolio, built upon 64 patents (and counting), simplifies the mobilization and management of Windows applications across modern desktop and multi-cloud environments. Enterprises around the world – including the largest Fortune 500 companies, cloud service providers, and MSPs – leverage these technologies to package and deploy thousands of applications to millions of end-users in a friction-free manner every day.
