Monday, January 31, 2011

Virtual desktops and incident response

I've just noted there is an odd silence regarding the push for virtual desktop environments and incident response. We went through strong growing pains related to incident response and finding/disabling desktops during security incidents. With the massive push for virtualization, not only on the server side but also on the client side, a lot of what has been done on that front will have to be revisited. What if you have just identified a compromised desktop VM in a big pool of virtualized desktops? Should you just kill that VM? Was there any risk of a hypervisor breach? If that's the case, how do you deal with it? How do you kill a bunch of desktops without causing massive user pain? Oh, you may think those cool "VMotion"-like technologies will help, but can they also make things worse by transporting compromised VMs to "clean" pools?
A lot of new and interesting questions to work on. Is there anyone out there working on those? What are the incident response procedures for compromised virtual desktops?

