Virtual machines (VMs) have become ubiquitous in the enterprise by offering flexibility, scalability, and cost savings. But widespread adoption has outpaced traditional security controls, which often rely on runtime access or agent-based monitoring.
Dan Petrillo, vice president of product marketing at ReversingLabs (RL), said in a recent webinar that VMs can be blind spots for threats, exposing organizations to malware, vulnerabilities, supply chain risks, and compliance gaps.
"VMs are really a great technology that comes with a lot of benefits. But as is the case with almost any new technology, it means a new attack surface. And it also means that a lot of the controls that we've had in place don't map directly."
—Dan Petrillo
Traditional security controls aren't built for the infrastructure supporting VMs, Petrillo said. That's because VMs are large and complex, and running them through traditional scanning engines or trying to continuously pull telemetry from them can be difficult. Post-deployment visibility can be a problem, too — made worse by VM sprawl.
Here are eight essential strategies for rethinking your VM security.
[ See Webinar: Securing Your Virtual Machines: How to Identify Risk in VMs ]
1. VM security controls need to equal those for physical machines
When VMs are deployed by users such as software developers, security may be lax. "An end user may claim that the VM will be only operational for a few hours and then they will shut it down," explained Matt Stern, CSO of Hypori. "But then they forget to shut it down completely, and now there is an attack surface available for exploitation."
2. Tooling must scale to meet the challenges posed by VMs
A single physical system can host hundreds of VMs, which can be churned out from templates very quickly, said Lyndsi Hughes, a senior systems engineer in the CERT division of Carnegie Mellon University's Software Engineering Institute.
"Security teams must have the tooling in place to handle the number of virtual machines at the top end of the virtual environment scale, as well as a rapidly changing number of hosts in the environment as VMs are spun up and torn down."
—Lyndsi Hughes
3. Ensure that your golden images are free of vulnerabilities
Golden images serve as a master template for deploying new instances of a VM. If those base images aren’t properly hardened or vetted, vulnerabilities will be propagated at scale, said Heath Renfrow, CISO and co-founder of Fenix24.
Ideally, a golden image will be built on a base that is fully patched and stripped to the minimum OS packages and services, said Peyton Smith, founder and CEO of Specular. Smith also recommended installing security controls such as secure boot, TPM/virtual TPM, and disk encryption and adopting host-based firewall rules, EDR, and logging agents so every VM clone is born compliant. And a penetration test performed against a golden image before it's deployed will identify hidden vulnerabilities, he said.
Carnegie Mellon University's Hughes advised using an up-to-date OS when provisioning a golden image, which will limit the number of known software vulnerabilities.
"Deploying a virtual machine with an immutable operating system offers the added benefit of preventing undesired changes to the system after it is deployed because, in short, the immutable operating system makes the files on the system read-only."
—Lyndsi Hughes
Security teams should also monitor golden images over time, said Andy Lewis, senior technical product manager at RL. "There's a natural decay process. You've got a brand-new golden image and everything's fresh and clean. There aren't any vulnerabilities. There's nothing going on. But over time that changes," Lewis said.
"I've got one customer, for example, that'll refresh their golden image every six months. If you scan that six-month-old image, all of a sudden it's got vulnerabilities by the bucketful. What does that tell you? What it tells you is you need to pay attention to what is going on with auto-update."
—Andy Lewis
Chad Cragle, CISO of Deepwatch, advised organizations to store golden images in a version-controlled registry and review them periodically for compliance with current security standards.
4. Scrutinize your development — and test your VMs
Development and test machines are the No. 1 target of threat actors, said Hypori's Stern. If a malicious actor is able to introduce at the development stage malicious code that is a zero day or otherwise undetected, you are in trouble, he said.
"[That] is a win for them. The goal of every malicious actor is to make something wrong look legitimate."
—Matt Stern
5. Keep user data separate from VMs
Stern recommended storing user data in a separate encrypted container. VMs should be destroyed when not in use, with fresh ones deployed when needed. And the user data should only be accessible using the user's private key. "In this way the OS of the VM can be deployed fresh and updated, while the risk of the end user suffering data loss or compromise is minimized," he said.
6. Ensure that VM infrastructure is securely designed and implemented
Hughes advised keeping hypervisors fully up to date with the latest available patches. They should also be securely configured to limit access to authorized individuals via approved and authorized means. This configuration may include disabling access to certain interfaces on the hypervisors and requiring multifactor authentication.
7. Implement network segmentation for higher security
Hughes said segmentation can prevent unwanted traffic flow between VMs and other systems within the computing environment. For example, it may be desirable to permit only system administrators to have SSH access to a VM that hosts a web service. This access could be granted only to systems in particular network segments.
8. Continuously monitor VMs
Deepwatch's Cragle said VMs need to be monitored for configuration drift, missing patches, unauthorized changes, and new vulnerabilities. Real-time visibility can be achieved through agents or API tools feeding into a centralized SIEM. Continuous vulnerability scanning and runtime protection can detect VM misalignments.
Auto-remediation workflows, such as restarting failed agents, disabling open ports, or reapplying hardened configurations, reduce exposure time. VMs should be evaluated based on usage.
"Review long-running instances and automatically retire them. Integrating VM management into the broader security operations framework ensures they aren't overlooked over time."
—Chad Cragle
A modern VM strategy is now a requirement
The most effective modern VM security approaches focus on automated processes, persistent monitoring activities, and enforcement through policy as code, said Ensar Seker, vice president of research and CISO at SOCRadar.
"The combination of cloud-native tools with zero-trust segmentation and AI-driven analytics leads to superior detection and response capabilities. The shift toward ephemeral VMs within hybrid environments makes perimeter-based defenses inadequate because security solutions need to track workloads dynamically."
—Ensar Seker
Hypori's Stern said to never allow end users to deploy their own VMs. "Deploy automated systems that are fully configured, managed, monitored, and controlled to build a heterogeneous security environment for the enterprise," he said.
"Do not treat VMs as a special system that does not need to be under the enterprise umbrella. That is a recipe for badness."
—Matt Stern
