Virtualisation is at the core of modern IT infrastructures. From data centres to public, private, and hybrid cloud environments, virtual machines are now essential to business operations. As virtualised workloads grow in importance, so does the need to secure them.
A key component that enables virtualisation is the hypervisor. More than a simple infrastructure layer, hypervisors can play a central role in securing virtualised workloads. This principle is the foundation of what’s called hypervisor-based security, a cybersecurity approach that leverages virtualisation technology to protect virtualised environments against threats.
In this article, we explore what hypervisor-based security is, its key applications, benefits, operational considerations, and growing significance.
Understanding virtualisation and the role of the hypervisor
To understand hypervisor-based security, it's helpful to start with the basics: virtualisation and hypervisors.
What is virtualisation?
Virtualisation is a technology that allows multiple virtual machines (VMs) to run on a single physical server. Each VM operates independently, as if it were a separate computer, with its own operating system and applications, while sharing the underlying physical resources. This is achieved by abstracting the resources of the physical server and allocating them to each VM. Virtualisation allows physical resources to be used more efficiently, improves scalability, and provides a more flexible IT infrastructure.
What is a hypervisor?
A hypervisor, also known as a virtual machine monitor (VMM), is the software layer that makes virtualisation possible. It sits between the physical hardware and VMs. The hypervisor manages VMs, the allocation of physical resources (such as CPU, memory, and storage), and ensures VMs operate independently without interfering with each other.
There are two types of hypervisors:
- Type 1 hypervisors, also called bare-metal hypervisors, are installed directly on the host machine’s physical hardware.
- Type 2 hypervisors, also known as hosted hypervisors, run on top of the operating system of the host machine.

Since hypervisors control virtualised environments, they offer a unique vantage point to secure them. That’s where hypervisor-based security comes in.
What is hypervisor-based security?
Traditional security approaches are either host-based or network-based.
- Host-based security solutions run on individual machines (the ‘hosts’) and protect the operating system, applications, and data on each host. They often use agents to monitor and enforce security policies at the host level.
- Network-based security solutions rely on the network infrastructure to protect the network against cyberattacks, unauthorised access, and data theft. They monitor and control traffic across the network rather than individual machines.
Hypervisor-based security solutions are integrated into the hypervisor itself, leveraging the hypervisor’s unique position as the virtualisation foundational layer. This gives hypervisor-based security solutions a strategic advantage in monitoring and securing workloads, allowing them to perform security functions and provide protections that are not possible, practical, or optimal with traditional approaches.
What are the main applications of hypervisor-based security?
Hypervisor-based security is used in several areas to enhance security in virtualised environments. Let’s look at the main applications.
Microsegmentation
A well-known application is microsegmentation, which divides a network into smaller, isolated segments (also known as ‘microsegments’) – at the level of individual workloads, applications, or even processes – to reduce the attack surface and limit the lateral movement of threats. This helps protect critical assets and ensures that even if one segment is compromised, the damage is contained. While hypervisors isolate virtual machines from one another, microsegmentation is not a built-in capability and requires specialised tools. Some of these are hypervisor-based, leveraging the hypervisor’s control over virtualised environments to enforce segmentation policies.
Malware Analysis Sandboxing
Another established application is malware analysis sandboxing. Sandboxes allow security teams to execute potentially malicious code or files in a controlled, isolated environment to study their behaviour without putting production systems at risk. A key limitation of traditional sandboxes is that sophisticated malware can detect the sandbox environment and alter its behaviour or remain dormant to evade detection and analysis. Hypervisor-based sandboxes, running outside the guest operating system, remain ‘invisible’ to malware, enabling more accurate and effective analysis.
Security Monitoring & Threat Detection
Although still emerging, hypervisor-based security is gaining traction as a promising approach for real-time monitoring and threat detection in production environments. As cyber threats grow more sophisticated and EDR bypass and tampering become more common, the need for security solutions that address these blind spots is increasing. Hypervisor-based security monitoring and threat detection solutions can be a key component of defence-in-depth strategies, providing an additional layer of protection that mitigates the gaps left by traditional approaches. By layering defences, organisations ensure that if one layer fails, others remain in place, reducing the risk of a single point of failure and strengthening resilience against threats. In addition, hypervisor-based solutions offer unique security and operational benefits, which we explore in the next section.
Digital Forensics & Incident Response
Digital Forensics & Incident Response (DFIR) involves investigating threats, gathering evidence, and responding to security incidents. The goal is to identify incidents’ root cause, contain breaches, and prevent future attacks while preserving evidence for legal and compliance purposes. Like security monitoring and threat detection, hypervisor-based security is emerging as a valuable approach for forensic analysis and incident response in virtualised and cloud environments, though it is not yet widely adopted.
What are the benefits of hypervisor-based security, and practical aspects to consider?
Hypervisor-based security offers several key advantages over traditional approaches. However, as with any cybersecurity method, there are practical aspects to consider for implementation.
Benefits
Isolation for Evasion & Tamper Resistance
Hypervisor-based security solutions leverage the virtualisation architecture by placing security controls outside the virtual machines, ensuring they remain isolated from potential threats and protected from direct attacks or manipulation. When malware gains kernel-level privileges within a VM, it can disable or tamper with security tools running inside that system. By operating outside the VM, hypervisor-based solutions remove this avenue of attack, making security mechanisms inherently resistant to evasion and tampering – even against attackers with the highest level of access within the guest OS.
Stealth
Operating from an external, isolated layer, hypervisor-based security solutions are effectively ‘invisible’ to malware. This stealthiness makes it significantly harder for threats to detect them, preventing malware from altering its behaviour or directly targeting the security defences once it becomes aware of their existence.
Comprehensive & In-Depth Visibility
Hypervisor-based solutions provide deep visibility into virtualised workloads, including system calls, kernel events, in-memory activity, and volatile system data. This enhanced visibility enables more accurate and detailed analysis and makes it harder for malware to conceal its actions.
Operational Efficiency & Scalability
By operating at the virtualisation layer, hypervisor-based solutions can monitor multiple VMs simultaneously, improving scalability in large environments. This approach removes the need for host-based agents, streamlining security operations and minimising resource overhead.
Key Considerations for Operational Implementation
Infrastructure Compatibility
Hypervisor-based security is highly effective in virtualised environments but does not extend to the non-virtualised parts of the IT infrastructure. Moreover, some applications of the approach are still emerging, and native integrations with virtualisation and security vendors are not yet fully developed.
Deployment Complexity
Implementing hypervisor-based security requires a deep understanding of virtualised environments and can introduce complexities in large-scale deployments.
Despite this, the benefits of hypervisor-based security – its isolation, stealth, tamper resistance, and deep visibility – make it a compelling alternative to traditional approaches.
Why is hypervisor-based security gaining momentum?
The growing significance of hypervisor-based security is driven by broader technological and security factors.
The Prevalence of Virtualisation
Virtualisation is no longer a trend; it’s a core element of cloud computing, data centres, and enterprise IT infrastructure. Most organisations today rely on virtualised environments, whether on-premises or in the cloud, and implementing security solutions specifically designed to protect them is essential. Since hypervisor-based security operates at the hypervisor level – the foundational layer of virtualisation – it offers a natural fit for protecting these environments.
Introspection Capabilities Becoming More Widely Available
Although hypervisor-based security has been an active research area for over a decade, only recently have the necessary tools and frameworks matured enough to support routine use in production environments. In the past, the lack of robust tools, libraries, and support limited the adoption and effectiveness of introspection – the process of examining the internal state and activities of a virtual machine from the hypervisor level – for security purposes. Recent advances have addressed these gaps, and introspection capabilities are becoming more widely available and commoditised, further strengthening the case for hypervisor-based security solutions in modern virtualised environments.
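The in-depth visibility and introspection described above are often put to use in a cross-view check: compare what the guest's own bookkeeping reports with what is actually present in guest memory, as seen from outside the VM. The following is an added example, not code from the article or from any product it describes; it assumes a constructed, toy process-record layout (magic, pid, next pointer, name) rather than a real operating system structure, and detects a record that has been unlinked from the process list but still sits in memory.

```python
import struct

# Constructed guest memory layout for this example (NOT a real OS structure):
# a singly linked list of fixed-size process records, little-endian:
#   magic b"PROC" | pid (u32) | next record offset (u32, 0 = end) | name (16 bytes, NUL padded)
REC_FMT = "<4sII16s"
REC_SIZE = struct.calcsize(REC_FMT)  # 28 bytes
MAGIC = b"PROC"

def build_image(records, hide_pid=None):
    """Lay records out back to back. If hide_pid is given, unlink that record
    from the list (the kind of in-guest tampering introspection is meant to
    catch) while leaving its bytes in memory."""
    n = len(records)
    offsets = [i * REC_SIZE for i in range(n)]
    nexts = [offsets[i + 1] if i + 1 < n else 0 for i in range(n)]
    for i, (pid, _) in enumerate(records):
        if pid == hide_pid and i > 0:
            nexts[i - 1] = nexts[i]  # predecessor now skips the hidden record
    image = bytearray()
    for (pid, name), nxt in zip(records, nexts):
        image += struct.pack(REC_FMT, MAGIC, pid, nxt, name.encode().ljust(16, b"\0"))
    return bytes(image)

def walk_list(image):
    """In-guest view: follow next pointers from the head, as a process
    listing inside the VM would."""
    seen, visited, off = {}, set(), 0
    while off not in visited and off + REC_SIZE <= len(image):
        visited.add(off)
        magic, pid, nxt, name = struct.unpack_from(REC_FMT, image, off)
        if magic != MAGIC:
            break
        seen[pid] = name.rstrip(b"\0").decode()
        if nxt == 0:
            break
        off = nxt
    return seen

def scan_records(image):
    """Out-of-guest view: carve every record by its magic value from raw
    guest memory, ignoring the list links entirely."""
    found = {}
    for off in range(0, len(image) - REC_SIZE + 1, 4):
        if image[off:off + 4] == MAGIC:
            _, pid, _, name = struct.unpack_from(REC_FMT, image, off)
            found[pid] = name.rstrip(b"\0").decode()
    return found

def hidden_processes(image):
    """Cross-view check: records present in memory but absent from the list."""
    linked, carved = walk_list(image), scan_records(image)
    return {pid: carved[pid] for pid in carved if pid not in linked}
```

Running `hidden_processes` on `build_image([(1, "init"), (42, "sshd"), (1337, "implant"), (77, "cron")], hide_pid=1337)` flags pid 1337 even though the in-guest walk never reaches it.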
Evolving Threats
Cyber threats grow more sophisticated, and attackers increasingly develop techniques to bypass and disable security defences, creating a critical window in which otherwise detectable activity goes unnoticed. Once limited to advanced threat actors, these techniques are now more accessible due to AI and underground marketplaces. Hypervisor-based security provides an additional layer of defence against such attacks, ensuring security mechanisms remain intact even against evasive threats.
All in all, the widespread use of virtualisation and the complexity of securing virtualised environments have created new security gaps. As traditional security tools often struggle to keep up with evolving tactics from sophisticated threat actors, hypervisor-based security solutions emerge to help close these gaps and mitigate risks from advanced threats in virtualised environments.
Conclusion
Hypervisor-based security is becoming a key element of any comprehensive cybersecurity strategy. By adopting hypervisor-based solutions, businesses can enhance their ability to prevent, detect, and respond to threats, ensuring the security of their virtualised environments. As IT infrastructures’ complexity and cyber threats’ sophistication continue to grow, hypervisor-based security can play a critical role in protecting organisations from cyber attacks. It may even set a new gold standard, offering a new level of security guarantees for virtualised environments.