Endpoint Security for Macs: Protecting Virtualized Desktops

Endpoints – the computing devices used by employees and partners to access corporate networks – are a vulnerable target for hackers who exploit everything from their unsuspecting users to unpatched operating systems. This is true for both physical and virtual endpoints, and includes the need for security for physical and virtual Mac endpoints.  

The CrowdStrike 2022 Global Threat Report found that skilled attackers can find unprotected endpoints on a network in seconds, and move from the initial point of compromise to other systems in an average of one hour and 38 minutes. 

A 2022 report from The Ponemon Institute found that in the past year, 54 percent of respondents experienced an average of 5 attacks on their organizations’ endpoints, at an average cost of $360,000 per attack. 

As Macs become more popular in business, IT professionals must ramp their efforts to secure Mac endpoints and avoid possible data breaches. While Macs are generally considered more secure than Windows systems, their growing use makes them a more attractive target. 

MIT researchers have also identified a flaw in Apple’s latest M1 processor that can allow hackers to guess the pointer authentication code (PAC) that confirms a program has not been maliciously changed. Using this PAC could allow hackers to unleash attacks on the operating system kernel, making the need for endpoint protection software more critical. 

The security challenge is made more difficult by the fact that 62% of detected attacks used custom-built tools or stolen credentials to evade detection by traditional antivirus products, as reported by CrowdStrike in Q4 2021.

As businesses turn to more physical and virtualized Mac endpoints for use cases such as application development and DevOps, they must devote more attention to securing both physical and virtual Mac endpoints virtual machines.

Endpoint Security for Mac Best Practices

Endpoint security refers to the tools and processes that protect endpoints from security breaches, alerts IT professionals to them and helps mitigate the attacks. This ranges from educating users about misleading emails seeking their user credentials to blocking the transfer of data from and to USB devices to backups and disaster plans, and more.

A comprehensive Mac endpoint security strategy must include:

• Installing security patches as soon as they are available and tested.
• Educating users about the dangers of phishing attacks in which hackers trick users into disclosing their access credentials, and deploying anti phishing solutions on endpoints.
• Forced disk encryption to prevent hackers from compromising the operating system or data. 
• Installing and updating antivirus software.
• Using the mobile device management (MDM) capabilities provided by Apple that allow administrators to remotely update software and device settings, monitor policy compliance and wipe or lock devices. 
• Considering anti-malware solutions that go beyond the AV capabilities included in the Mac OS. Such solutions can help protect against malware that is not contained in, and thus identifiable as, as the files many antivirus tools scan. 

IT professionals may also consider: 

• Deploying advanced endpoint detection and response (EDR) solutions that include proactive capabilities such as scans for security gaps.
• Using Apple’s Endpoint Security Framework (ESF) to gather real-time data from endpoints to more quickly detect threats and automatically protect against them. 
• Implementing a zero trust policy throughout the enterprise, including for endpoints, which requires users or devices to be authenticated, authorized and continuously validated before accessing applications or data.  

The Role of VDI

Virtual desktop infrastructure (VDI), such as the MacStadium’s Orka Workspace, delivers the MacOS experience from the cloud to any device that supports a Web browser. This can greatly reduce the cost of not only endpoint hardware but of its administration and can provide extra layers of security beyond those possible with physical endpoints.

While virtual Mac endpoints face the same threats as physical endpoints, their attack surface is limited to the macOS virtual machine provided to each user. In addition, these VMs are delivered from controlled cloud-based infrastructure, which is usually far more secure than the multiple networks managed by an enterprise, or those at a user’s home or the Wi-Fi hot spots in public spaces. 

Enterprises can make these virtualized desktops even more secure by adding identity management features to that assure users are who they say they are as well as encryption of data passing through the broker that connects virtual desktops with the cloud infrastructure. Such brokers also isolate the cloud infrastructure from attacks and provide services such as user authentication and authorization. 

In a virtualized environment, administrators can more quickly isolate, analyze, destroy, and reset a compromised desktop than with physical Mac endpoints. It also allows administrators to give users the ability to access and modify data while using secure links and controls to prevent them from cloning data to a physical device.  Using MDM, for example, the VDI can be locked to prevent any code from being uploaded or added to the environment via USB drives or other local sources to prevent the uploading of malware or data not permitted by the company.

Among other security features, the MacStadium Orka Workspace provides multiple layers of firewalling with the ability to white list for only known IP addresses, and/or to use DNS to block access to suspicious servers. It also proxies each user to a virtual desktop that is created upon request, avoiding a potentially insecure direct network connection. Other Orka Workspace protection for virtual Mac endpoints includes: 

• Terminating users who have a poor security posture.
• Instantly updating users’ operating systems and applications, as well as the virtual machines that provide virtual desktops.
• Controlling access to sensitive data.
• Auditing users’ activity and history.
• Enhancing multi-layer security with fully dedicated infrastructure.

IT professionals seeking to implement endpoint security for Macs best practices in a virtualized environment should also ensure that only authorized users can access the management console for the virtual infrastructure, and regularly monitor the infrastructure for suspicious activity. 

In short, VDI provides enterprise-grade control, management, and delivery of the desktop resources from the cloud, allowing administrators to more easily isolate, log and analyze possibly compromised endpoints. Customers have found them really useful for international development teams and short-term contract workers whose workspaces are difficult and sometimes impossible to secure.

A Virtual Approach to Security

With the rise of Macs in the enterprise, and a growing number of attacks, Mac endpoint security is more essential and challenging than ever.  Endpoint security for Mac best practices require not only educating users about threats, reliable backup and disaster recovery plans and zero-trust policies but endpoint-specific tools such as forced disk encryption and the ability to lock down or remotely wipe devices.  

In addition to these protections, virtual Mac desktops can benefit from security within the virtual desktop infrastructure. This includes proxies to eliminate direct back end connections, and the use of firewalls to block connections to suspicious Web sites and allow access to only a “white list” of approved sites.

While Macs are more secure than other computing platforms, their growing popularity makes them a more attractive target for hackers. Taking the same clear precautions as with other computing endpoints is essential. Taking advantage of a well-managed virtual desktop infrastructure can supplement these protections to create secure, flexible and cost-effective endpoints for use cases such as contract workers and development teams.