A lot of security breaches in desktop environments happen because desktop admins make unauthorized changes in order to “get the job done”. It is easy enough to lock down a desktop so that end-users only have minimal access rights, but the more you lock down a desktop the more you affect user productivity. A very simple example is a desktop admin adding a standard user to the local Administrators security group, giving the user additional capabilities as a shortcut to resolve a productivity issue. This is the event I have chosen to focus on in demonstrating the integration of our products to automate a secure desktop solution. The specific event is irrelevant in the context of the solution and has been chosen purely for demonstration purposes; the Automated Secure Desktop solution shown here can therefore be customized to suit any number of use-cases. The power in this solution is the integration of vRealize Orchestrator, which executes a workflow using the content of the trigger to achieve the desired outcome. The outcome I have configured, for demonstration purposes, is to isolate the desktop using NSX.
In order to integrate the VMware products that form the Automated Secure Desktop Solution, we first need to understand how the information flows through the process. At a high level this can be defined as “Monitor, Detect, Orchestrate and Remediate”.
- The monitoring is done using the Log Insight agent to monitor the Windows Event Log.
- The security breach is detected using a custom query in the Log Insight Server.
- The orchestration step is the most critical step and it leverages vRealize Orchestrator to perform a number of custom tasks.
- The remediation is accomplished by using NSX to isolate the desktop.
The power behind this framework is that it forms a highly customizable solution that can be used to achieve a number of outcomes for the customer. This specific solution relies on Log Insight and vRealize Orchestrator for the “Detect” and “Orchestrate” steps; the monitoring and remediation steps, however, can be customized. For example, you don’t need to use NSX to isolate a desktop: you could choose to just enable a higher level of debug logging, restrict access to the internet, refresh the desktop, or simply email or SMS the user to alert them of the security issue.
Monitoring for a security incident
We are using a Windows 10 virtual desktop as the end user device, and the Log Insight agent is installed within the image. The Log Insight Windows Agent collects events from Windows event channels and forwards them to the Log Insight server. By default, the Log Insight Windows Agent collects events from the Application, System, and Security channels. Within the Windows 10 operating system we configure the local security policy to log modifications of local security groups to the Security channel. These logs are then made available in the Log Insight server for further analysis.
Detect the incident has occurred
Log Insight is an excellent log management and analytics platform that makes it very simple to detect when the incident occurs. A custom query within Log Insight is created to analyze the ingested logs, and an alert is raised when the event is found. Rather than sending an email alert, the Log Insight query is configured to send a Webhook, which is essentially an API call that includes the content of the alert as a JSON block.
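To make the “Monitor” and “Detect” steps concrete, here is an added example (not code from the original post or from Log Insight) that applies the same detection logic to constructed Security-channel events: it picks out Event ID 4732 (a member added to a security-enabled local group), checks whether the target group is the local Administrators group, and shapes the match as the JSON block a webhook would carry. The event dictionary layout and the payload key names are assumptions for illustration, not Log Insight's own schema.

```python
import json
import re

# Constructed sample events, loosely shaped like Security-channel entries the
# Log Insight Windows Agent forwards (not real captures; fields simplified).
SAMPLE_EVENTS = [
    {"hostname": "WIN10-VDI-07", "EventID": 4624, "Channel": "Security",
     "Message": "An account was successfully logged on."},
    {"hostname": "WIN10-VDI-07", "EventID": 4732, "Channel": "Security",
     "Message": "A member was added to a security-enabled local group.\n"
                "Subject:\n\tAccount Name:\thelpdesk01\n"
                "Member:\n\tAccount Name:\tCORP\\jsmith\n"
                "Group:\n\tGroup Name:\tAdministrators\n\tGroup Domain:\tWIN10-VDI-07"},
    {"hostname": "WIN10-VDI-07", "EventID": 4732, "Channel": "Security",
     "Message": "A member was added to a security-enabled local group.\n"
                "Subject:\n\tAccount Name:\thelpdesk01\n"
                "Member:\n\tAccount Name:\tCORP\\svc-print\n"
                "Group:\n\tGroup Name:\tRemote Desktop Users\n\tGroup Domain:\tWIN10-VDI-07"},
]

# Local groups whose membership changes should trigger the vRO workflow.
PRIVILEGED_GROUPS = {"Administrators"}

# The 4732 message lists the actor under "Subject:", the added account under
# "Member:" and the target group under "Group:"; pull each out by section.
FIELD_RE = {
    "actor": re.compile(r"Subject:.*?Account Name:\s*(\S+)", re.S),
    "member": re.compile(r"Member:.*?Account Name:\s*(\S+)", re.S),
    "group": re.compile(r"Group Name:\s*([^\n]+)"),
}

def parse_group_change(event):
    """Extract actor, new member and target group from a 4732 event."""
    fields = {"hostname": event["hostname"]}
    for name, rx in FIELD_RE.items():
        m = rx.search(event["Message"])
        fields[name] = m.group(1).strip() if m else None
    return fields

def detect(events):
    """The 'Detect' step: one alert per addition to a privileged local group."""
    alerts = []
    for ev in events:
        if ev["Channel"] != "Security" or ev["EventID"] != 4732:
            continue
        fields = parse_group_change(ev)
        if fields["group"] in PRIVILEGED_GROUPS:
            alerts.append(fields)
    return alerts

def to_webhook_payload(alert):
    """Shape an alert as the JSON block a webhook would carry (assumed keys)."""
    return json.dumps({"alertName": "Local Administrators group modified", **alert})
```

Only the jsmith addition fires; the Remote Desktop Users change is ignored, which is the kind of scoping a real Log Insight query needs so the workflow does not run on every group change.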
It is at this point that a Webhook Shim needs to be used to translate the API call from Log Insight into a format that vRealize Orchestrator will accept. The Webhook Shim is a critical component that facilitates the integration of Log Insight and vRealize Operations Manager with vRealize Orchestrator. The simplest way to deploy the Webhook Shim is as a Docker container on a PhotonOS VM. The VMware Cloud Management Blog has outlined the details here: VMware Blog – Webhook Shim on Docker
Orchestration of the tasks
vRealize Orchestrator is the central component that brings the entire solution together, and it allows us to expand the capabilities of this solution beyond a single automated remediation task. During the orchestration stage in this demonstration we analyze the alert content from Log Insight and then use that data to retrieve additional user details from Active Directory, display a pop-up message on the user’s desktop, send an email to the relevant authorities and then execute the remediation task. The remediation task in this case was to isolate the desktop from the network; however, by using vRealize Orchestrator the remediation task can be configured to be any other action that suits the customer requirements. Examples of this might include:
- Increase the debug logging level on the desktop.
- Send SMS alert messages.
- Recompose the desktop back to default settings.
- Isolate the desktop from the internet.
- Restrict application installs.
- Or so many other tasks that can be configured in vRealize Orchestrator.
Automatic Remediation of the incident
As part of the orchestration stage, the final task is to execute the remediation. We are using a Horizon virtual desktop that is connected to the corporate network by an NSX virtual switch. NSX provides a significant capability for the security and control of desktop infrastructure by employing software-defined policies that are applied to workloads and users. Within seconds of the breach occurring, the desktop is effectively isolated from the network by applying a security tag to the virtual desktop, which moves it into the restrictive policy associated with that tag.
The Automated Secure Desktop solution has integrated Horizon virtual desktops, Log Insight, vRealize Orchestrator and NSX to provide a solution that detects that an incident has occurred and automatically remediates the issue without any administrative input. This has been a fairly straightforward demonstration of what is a highly customizable solution. I have chosen to leverage Log Insight to detect the incident and execute a workflow within vRealize Orchestrator; however, there are other options available to get to this stage. Not only does vRealize Orchestrator have a public API, but it can also be integrated with external solutions through plug-ins, or you could use vRealize Orchestrator to ingest the data directly via email, SNMP traps or API calls to third-party products.
This solution has been demonstrated publicly in order to provoke thought and discussion about the integration and possible solutions that the wider VMware product suite can offer. I would be interested to hear about similar solutions that have been used at our customer sites and how you approached the integration.