Over the last decade many enterprises have experimented with Virtual Desktop Infrastructure (VDI) as an alternative to PCs. A VDI user accesses a remote, virtualized Windows desktop OS delivered “as a service” from the enterprise datacenter or a service provider to a PC, Mac, thin client, Chromebook or tablet. But there is another model for virtual desktops, one that is more secure, lower cost, and fully empowers the user: a Windows 10 PC or tablet coupled to the cloud. The “virtual” part of that model is the virtualization of data and cloud application access, plus the use of virtualization on the client device itself, for security.
VDI is promoted as the answer for IT teams facing desktop challenges: all VDI desktops boot from the same “gold” OS image, so there is only one image to patch; data (email, files, documents) is stored centrally; and users can reach their applications and data from many devices, including personal ones. But although VDI offers compliance benefits, it is at best a partial solution:
- VDI looks secure, and it does help a little, but it is not a security solution. Users still click on bad things inside the virtual desktop; VDI-aware malware can persist across patching, rebuilds and reboots (typically by hiding in roaming profiles or persistent user data that survive a reset of the gold image); and the session is only as secure as the access device. A compromised Bring Your Own (BYO) PC can capture the credentials typed into the session and screen-scrape or exfiltrate the data displayed in it. There are two endpoints to secure: the VDI desktop and the user device.
- VDI brings real costs: servers and virtual infrastructure to run the desktops; additional licenses; datacenter space, power and cooling; and a great deal of infrastructure complexity, which means more things that can go wrong.
- The end-user experience, while good, is not perfect. Delivering video and real-time media to a VDI user is still a challenge, and the workarounds, such as Flash redirection, which runs the Flash content on the access device instead of in the datacenter, re-open on the endpoint the very attack surface VDI was supposed to remove from it.
But the idea of end-user computing (EUC) tightly coupled with the cloud is spot on. Rethinking the model slightly delivers a desktop that is manageable, secure and compliant, and that users will love: Windows 10 on a PC, tightly coupled with a cloud service such as Office 365 with OneDrive (formerly SkyDrive), is the ideal virtual desktop. It is also the lowest cost EUC solution.
Let us peel the onion back slowly. Local execution is what users want, for personal and corporate apps and especially for media-rich experiences; remoting protocols are fine for truly legacy applications. A Windows 10 device coupled to the cloud through OneDrive, Box or Citrix ShareFile keeps data centralized and backed up while giving the user full freedom to work offline. Virtualizing data access is a more powerful concept than virtualizing and remoting execution. And SaaS applications such as Office 365 offer richer functionality when you are online, yet remain productive when you are not.
But we are not done. Windows 10 with Virtual Secure Mode (virtualization-based security) uses virtualization locally to make the endpoint much harder to attack, with a secure boot process and a credential store isolated from the main OS. Windows as a Service delivers updates continuously, so devices stay patched with far less effort from the IT team. Windows 10 also offers built-in data loss protection (DLP) that can help ensure that files cached locally cannot be accessed inappropriately, again leaning on the cloud through Azure Active Directory (Azure AD), which in turn gives IT the opportunity to stop running its own AD infrastructure.
The delivery of end-user computing and applications as a service, the original motivation for VDI, is superior only when the applications in the cloud deliver more value than local applications do. Office 365, with Office Graph tightly coupled to the core productivity suite, delivers far more value to end users than simply running local copies of the traditional fat Win32 applications, and when you are offline the local apps still work.
Finally, the integrated Enterprise Mobility Management (EMM) capabilities in Windows 10 (offered through the Microsoft Enterprise Mobility Suite, EMS) let enterprises manage Windows 10 devices with the granularity and precision they expect for their iPads and smartphones: encrypted at rest, remotely wiped if lost, and with easy provisioning of next-generation universal apps, which run in an app container with far narrower privileges than classic desktop applications.
There will always be legacy applications that need to be delivered to users, and Remote Desktop Session Host (RDSH) is a proven way to do that. Windows 10 and Office 365, with EMS, address enterprise EUC challenges with a solution users actually want. Add virtualization or micro-virtualization on the client device for security and the result is local, touchable and fast; more secure and manageable; and backed by cloud services for management, security and a more compelling set of EUC services.
Today, Bromium released “Endpoint Exploitation Trends 1H 2015,” a Bromium Labs threat report analyzing security trends from the first six months of 2015. One of the primary themes to emerge from the report should come as no surprise: cyber criminals attack the targets with the most users. In practice this means that malvertising campaigns are conducted primarily through news and entertainment websites, and that Flash has been exploited more than any other popular software this year. Nor is it a surprise that exploits targeting the Windows kernel are becoming more popular for launching targeted attacks; the discovery of Duqu 2.0 targeting high-profile groups, including a large cybersecurity company, proves the point. As the industry adopts application sandboxing for popular apps, kernel exploits can be expected to get more attention from malware authors, because the kernel sits beneath every sandbox and is therefore the natural way out of one.
Attackers continue to innovate. Malware evasion techniques keep evolving to bypass the latest detection mechanisms deployed by security teams. Ransomware has exploded in growth, more than doubling year over year: in 2013 there were just two ransomware families; today there are 16.
If you are interested in these trends you should read the full report. Note that the report does not address the recent Hacking Team disclosures, since it covers only the first six months of 2015. Bromium Labs has conducted a thorough analysis of the Hacking Team leak, which is worth reading, but today I want to talk about the bigger trends and how they relate to this threat report.
In July, Hacking Team, an Italian surveillance company, was compromised, leaking customer lists, source code and internal emails. Over the following days and weeks a Pandora’s box of exploits and vulnerabilities was unpacked: Flash, Internet Explorer and even Java were targeted.
These Flash exploits were quickly incorporated into the Angler, Neutrino and Nuclear exploit kits. This development ties back into our research, as discussed in “Endpoint Exploitation Trends 1H 2015”:
In the past six months Adobe Flash Player took the coveted top space as the most exploited application. From an exploitation point of view, the architecture of Adobe’s AVM has multiple flaws allowing attackers to craft ROP shellcode on the fly thus bypassing ASLR and DEP. This combined with evasion techniques described in this report makes a nasty combination, with practically every user vulnerable.
Angler Exploit Kit
All the Web attacks we’ve seen are still operated using exploit kits. We found Angler to be the most prevalent exploit kit for the last six months. Lately we have been seeing CVE-2014-6332 also known as ‘IE Unicorn vulnerability’ and several Flash exploits, such as CVE-2014-0497 and CVE-2015-0311 for propagating malware. Aside from that Nuclear Pack and Fiesta remain relatively popular.
These Flash exploits, coupled with the newest Flash zero-day, prompted Mozilla to temporarily block Flash in Firefox. Facebook’s CSO wants to kill Flash. YouTube has dropped Flash for HTML5 and the streaming video site Twitch.tv is making the same commitment. Will it really make any difference?
If these trends show us anything, it is that hackers have read “Who Moved My Cheese?” Internet Explorer was the most exploited software in the first half of 2014; this year it is Flash; next year it will be whatever is easiest for attackers to compromise. What these trends really demonstrate is that all software is vulnerable.
More than 110 million records have been compromised in the first six months of 2015, which really demonstrates that the security industry is ineffective. I’ve written before about the challenge of patching never-ending zero days and I’ve called out the security industry on the vicious cycle of “assuming compromise.”
Security is almost always an afterthought when developing technology. Perhaps someday, say 100 years from now, technology will be secure by design, but in the meantime we live in a “lawless” era of vulnerabilities and compromise. Detection-based technologies are trying to solve an unsolvable problem.
The only way to prevent compromise is to prevent the initial unauthorized access. Threat isolation enforces the principle of least privilege to achieve this: unknown and untrusted content is isolated from trusted systems. Bromium vSentry is an example of this threat isolation; micro-virtualization isolates each vulnerable user task, preventing it from modifying the operating system or reaching the enterprise network.
Zero-day vulnerabilities and exploits are back in the news. The recent breach of Hacking Team revealed insights into the grey market for zero-day exploits as well as new exploits against Adobe Flash and Microsoft Windows, and just a couple of weeks later four new zero-day vulnerabilities in Microsoft Internet Explorer were disclosed by HP’s Zero Day Initiative (ZDI).
Zero-day exploits are often considered the ultimate weapon in the attacker’s arsenal. After all, how do you detect and block something if no one knows it exists? Zero-day attacks are considered so dangerous that the security industry developed ethical guidelines on how to deal with the discovery of software flaws that could hand attackers a new “undetectable” weapon.
For the most part the industry has followed these guidelines: the maker of the vulnerable software is notified and given time to develop and release a fix, or “patch,” so that attackers cannot use the flaw against users or organizations. The process has been criticized when vendors do not produce patches “quickly enough,” leaving potential victims exposed if attackers independently discover and exploit the vulnerability during the “window of vulnerability.”
All of these concerns stem from the industry’s inability to reliably detect and block zero-day exploits. Bromium’s approach to the problem, isolating all potential malware entering the system in a hardware-enforced micro-VM, changes the equation. Encountering a true zero-day attack on a system protected by Bromium becomes an opportunity for the defender to quickly and reliably identify the new vulnerability rather than an opportunity for the attacker to execute an undetectable attack.
Most cyber attacks are financially motivated, and developing a zero-day attack can be expensive. With Bromium it is far cheaper for the defender to defeat and expose the attack than for the attacker to develop and deploy it. With this change in the profit equation it is only a matter of time before the announcement of a new zero day becomes a matter of passing interest to software developers rather than a headline story.
This week micro-virtualization helped to make your organization more secure.
The Hacking Team breach laid bare the resourcefulness and sophistication of today’s determined attackers, and the ease with which they operate. It also cast into stark relief the fact that only micro-virtualization can stop these attacks. Every other technology fails with certainty: network sandboxes, AV, HIPS, application control, exploit mitigation, hosted browsers and application sandboxes cannot save you. But do not expect those vendors to admit it.
As other security research teams struggled to investigate the HT 0-days on air-gapped networks, the Bromium Labs team safely observed each attack as it wreaked havoc inside a micro-VM. We published our first research within 48 hours of the breach, followed by a detailed analysis of Hacking Team’s RAT.
Within days, customers told us that our product had isolated, automatically remediated and delivered threat forensics for newly weaponized HT 0-day attacks, often delivered to the endpoint together with new sandbox escapes, underlining the futility of kernel-based protection. The speed with which malware writers incorporated HT’s government-grade exploits into new attacks on commercial targets is breathtaking.
The unsung heroes of the past week are the researchers and developers who quickly pulled together and tested patches. Yesterday Microsoft released patches for six new kernel CVEs, three of which permitted privilege elevation, and Adobe issued emergency patches for Flash. Unfortunately there are certainly other closely guarded exploits in the hands of other threat actors, so patch your endpoints immediately if they are not protected by Bromium, and patch them in any case: isolation buys the time to test a patch properly, not a reason to skip it. We are proud to have protected our customers from compromise, and to have helped with the research and response effort.
There is a single, stark difference between Bromium and every other endpoint protection / detection & response tool. Only Bromium defeats each attack by design – delivering detailed, real-time alerts, before automatically remediating the endpoint. How are you going to protect your enterprise against the next attack?
Last month I blogged about a Flash zero day. This month two more Flash zero days have emerged from the Hacking Team leaks. These critical vulnerabilities have some security experts calling for a new approach to Flash.
ZDNet reports that Mozilla has blocked all versions of Flash in Firefox by default. To clarify, Mozilla is blocking only the actively exploited versions of Flash until they are patched. Still, many information security professionals would love to block Flash completely. Discussions around the Internet paint Flash as an outdated technology made obsolete by HTML5, and there is even a social movement, Occupy Flash, whose goal is to “rid the world of the Flash Player plugin.”
In light of the Firefox block, even Facebook is calling for the end of Flash.
In June, Brian Krebs blogged about his experience disabling Flash for a month. After 30 days, he found that he barely missed it:
I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe’s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.
Well-known browser plugins such as Flash often harbor unknown vulnerabilities, but is it realistic to disable Flash across your organization? The outcry from users would be swift and severe. In some cases the impact may be limited to streaming video sites such as YouTube, but in others Flash is baked into the legacy code of enterprise applications.
Where does this leave organizations? They remain vulnerable to zero-day attacks if they leave Flash enabled and unpatched. And even when a patch arrives it brings its own challenges: do you race to deploy the newest patch, or do you test it first to make sure it does not break legacy systems?
The third option is to deploy threat isolation. This latest zero-day, and others like it, can be contained by isolating the browser in a micro-VM (for example with Bromium vSentry). With the threat isolated, security and operations teams are granted the grace period they need to test and deploy these critical patches.
A chain is only as strong as its weakest link. Today the weak link is Flash; tomorrow it will be something else. The Internet today is a constantly changing and expanding chain of potentially weak links. Disabling Flash is a good move, but in the end it is just another reactive band-aid. Unless a new approach to security is taken we will be back in the same position with a different link next week or next month.
Bromium has partnered with Microsoft to ensure that Bromium micro-virtualization and Windows 10 work well together to provide the most secure endpoint solution on the market. Windows 10 offers powerful new protections that make it the most secure Windows version yet. Bromium micro-virtualization complements the security of all versions of Windows by isolating and eliminating the vectors used by attackers. The partnership brings together the new security capabilities of Windows 10 and Bromium micro-virtualization, and will let customers secure and manage their endpoints with System Center Endpoint Protection and Active Directory.
Our partnership with Microsoft validates micro-virtualization as a foundation for future endpoint security and assures customers that Bromium security products are compatible with and complementary to Microsoft security technology. Microsoft and Bromium together make Windows endpoints secure, defeating each attack by design, and delivering real-time threat insights that help to stop breaches.
Windows 10 Security is backed by device hardware
Windows 10 offers many security enhancements beyond those in Windows 7 and 8. Several key features specifically use endpoint device hardware to harden the platform, a trend that is growing on all endpoints. The following summary, drawn from a diagram in a Microsoft presentation, groups them into four areas:
- Identity protection: Windows 10 uses device hardware to authenticate the user securely. Microsoft Passport and Windows Hello bind a key pair to the device (in the TPM where one is available) and unlock it with a PIN or biometric, which gives two-factor authentication without a third-party token and ensures that users are properly authenticated by the device before being granted access to applications and data.
- Data protection: capabilities include enhanced BitLocker encryption for data at rest, and Microsoft Azure-backed data loss prevention that ensures enterprise data in the wrong hands is unreadable.
- Threat resistance: Windows 10 can be managed remotely using enterprise mobility management software such as Microsoft Intune, which can enforce device wipe, encryption and the other security controls widely used to manage mobile devices. It also introduces Device Guard, which implements application control so that only known-good, signed applications can run; its kernel-mode code integrity checks can themselves be run inside virtual secure mode, so that a kernel compromise cannot simply switch them off.
- Device security: Finally, Microsoft has introduced device security capabilities including UEFI Secure Boot, which verifies the signatures of the boot loader and early OS components before they run, and measured boot, which records those components in the TPM so that the boot state can be attested. Windows 10 also introduces “virtual secure mode” (VSM), which uses the CPU’s virtualization extensions to protect key system data such as credentials, so that even if Windows is compromised the attacker cannot use locally cached credentials to reach deeper into the enterprise infrastructure. VSM relies on the Windows hypervisor, Hyper-V, running on the client. The feature built on it, Credential Guard, moves the secrets held by the Local Security Authority Subsystem Service (LSASS), such as NTLM hashes and Kerberos tickets, into an isolated LSA process (LsaIso.exe) that runs inside VSM under hypervisor control, out of reach of malware that has compromised the normal operating system, including kernel-mode malware. This blunts so-called “pass the hash” attacks, in which an attacker uses credential material stolen from a compromised endpoint to authenticate to other systems, because the hashes can no longer be dumped from LSASS memory. It does not eliminate them: an attacker who controls the endpoint can still use the credentials through the logged-on session, and systems and protocols outside Credential Guard’s reach remain exposed.
New PCs, laptops and Windows tablets have the hardware needed to take advantage of these features. The device must boot with UEFI Secure Boot and include a Trusted Platform Module (TPM 1.2 or 2.0) to permit a measured boot and to store keys for encryption at rest. It must also support hardware virtualization, minimally Intel VT-x or AMD-V with second-level address translation (EPT or RVI), for VSM to run; an IOMMU (VT-d or AMD-Vi) is strongly recommended so that a malicious peripheral cannot DMA into protected memory. Additional hardware features (OEM and device specific) are needed for hardware-assisted biometric authentication. Almost every PC sold in recent years supports hardware virtualization, but it is often disabled in firmware and must be switched on before VSM can be enabled.
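As a practitioner’s check for the prerequisites just listed, here is an added PowerShell script (example code, not Bromium’s or Microsoft’s, and not part of the original post). It assumes Windows 10, where the Win32_DeviceGuard WMI class ships with the OS, and an elevated prompt, since Confirm-SecureBootUEFI and Get-Tpm need administrator rights.

```powershell
# Added example (not from the original post): does this machine meet the Windows 10
# hardware-backed security prerequisites, and is VSM / Credential Guard actually running?
# Assumes: Windows 10, elevated prompt, Win32_DeviceGuard class present (ships with the OS).

$report = [ordered]@{}

# 1. UEFI Secure Boot. The cmdlet throws on legacy-BIOS / CSM machines, so treat that as "no".
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = 'not available (legacy BIOS or CSM boot)' }

# 2. TPM: needed for measured boot, BitLocker key protection and Passport key storage.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$report.TpmPresent = [bool]$tpm.TpmPresent
$report.TpmReady   = [bool]$tpm.TpmReady

# 3. CPU virtualization (VT-x / AMD-V) and SLAT (EPT / RVI) as seen by the OS.
#    Note: once any hypervisor is running these report False, because the hypervisor owns
#    the feature; in that case rely on the Win32_DeviceGuard fields below instead.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$report.VirtualizationEnabledInFirmware = $cpu.VirtualizationFirmwareEnabled
$report.SecondLevelAddressTranslation   = $cpu.SecondLevelAddressTranslationExtensions

# 4. VBS / Credential Guard / HVCI state as reported by Windows itself.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$report.VbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'off' } 1 { 'configured, not running' } 2 { 'running' } default { 'unknown' }
}
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
$report.CredentialGuardRunning = @($dg.SecurityServicesRunning) -contains 1
$report.HvciRunning            = @($dg.SecurityServicesRunning) -contains 2
# AvailableSecurityProperties: 1 = base VBS support, 2 = Secure Boot, 3 = DMA (IOMMU) protection
$report.IommuDmaProtection     = @($dg.AvailableSecurityProperties) -contains 3

# 5. Two independent confirmations of Credential Guard: the policy flag and the isolated LSA process.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
$report.LsaCfgFlags   = if ($lsa) { $lsa.LsaCfgFlags } else { 'not set' }   # 1 = on with UEFI lock, 2 = on without lock
$report.LsaIsoProcess = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

[pscustomobject]$report | Format-List
```

A machine is ready for the features described above when SecureBoot is True, a TPM is present and ready, virtualization and SLAT are available, and DMA protection is listed; it is actually protected only when VbsStatus is “running” and CredentialGuardRunning is True (the LsaIso process is the cheapest spot check). If the last two are False on eligible hardware, VSM has not been enabled by policy yet.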
Bromium micro-virtualization enhances Windows security
Windows 10 improves the resilience of the endpoint to attack, and because most breaches start with a compromised endpoint it also helps to prevent breaches. Like Windows 7 and 8 before it, however, Windows 10 will still be exposed to attacks delivered through the usual vectors: users browsing the web, consuming media, opening attachments, accessing files from USB devices and cloud storage, running legacy Java and other applications that cannot be patched, and receiving content from social sharing applications. Bromium removes these attack vectors by seamlessly and automatically hardware-isolating, with micro-virtualization, the execution of each task that touches untrusted content. Bromium supports the enterprise installed base of Windows 7 and 8 today, and will support enterprise adoption of Windows 10.
Endpoint compromise is the start of a breach
Today’s targeted attacks exploit weaknesses that stem from the realities of enterprise IT practice:
- IT teams struggle to keep up with patching endpoints when new vulnerabilities are disclosed, because they must be sure that applications will still run and that users will not be disrupted. Malware developers, by contrast, are agile. Verizon reported that in 2014 over 90% of breaches resulted from a compromised endpoint on which malware exploited a vulnerability for which a patch had been available for over a year, and most newly disclosed vulnerabilities are attacked within a month.
- Enterprises depend heavily on legacy applications, browsers and plugins, many of which are vulnerable: legacy Java applications, ActiveX components, productivity suites, and applications that require backward compatibility with old browser versions.
- Today’s detection-centric security tools, including anti-virus and network intrusion detection, are incapable of detecting targeted attacks. Verizon reports that in up to 90% of the 2,100 breaches it studied in 2014, the malware used was unique to the targeted organization; in such cases there is no signature for legacy tools to match.
- Finally, over 90% of the breaches Verizon studied in 2014 involved a mistake by a user or administrator that ultimately led to an endpoint compromise. It is unreasonable to expect training to solve this problem, because attackers are sophisticated and know their targets well.
These issues are difficult or impossible to address directly. What is needed instead is an approach that secures the endpoint by design, whether or not it has been patched, without any prior knowledge of the attacker, and without impacting the user. Bromium complements the “in the box” security of Windows by eliminating vectors of attack and of malware persistence.
Using the virtualization features of the endpoint CPU, the Bromium Microvisor hardware-isolates the execution of every user-initiated task that accesses content from an untrusted source: the web, media, untrustworthy documents, files and attachments, removable storage such as USB drives, cloud storage, and legacy executable content such as Java, Flash and other browser plugins. Hardware isolation is the only approach that has been shown to massively increase endpoint security, hence its adoption by both Microsoft and Bromium. Software sandboxes, which are built into all browsers, document viewers and media plugins and are even marketed as anti-malware solutions, share the kernel with the code they confine, so a single kernel vulnerability is all a determined attacker with a zero day needs to escape them.
Whenever the user accesses content from an untrusted source, the Microvisor automatically and invisibly hardware-isolates the Windows task using micro-virtualization: the task runs in a small, CPU-isolated micro-VM that cannot modify Windows or reach enterprise data, networks or sites. The Microvisor protects desktops that have not been patched, defeats and discards malware automatically, and eliminates costly remediation, keeping users productive.
Micro-virtualization uses the endpoint CPU’s virtualization features to hardware-isolate each untrusted user task, that is, each task that accesses external content, in a micro-VM. Valuable data, networks and devices are not mapped into the micro-VM, so an attacker cannot steal data, reach devices such as a webcam, or penetrate the enterprise network. Execution within a micro-VM is ephemeral: all changes to system state go to a throw-away cache, so malware cannot persist. When the task ends, the micro-VM and its cache are simply discarded, along with any malware. This makes Bromium-protected endpoints self-remediating, eliminating malware persistence. When an endpoint is attacked, malware may execute inside a micro-VM, but nothing of value is available to steal and the attacker cannot pivot onto the enterprise network to further the attack.
A Bromium protected endpoint thus:
- Hardware isolates each attack, without any need for signatures,
- Defeats the attack by preventing the attacker from gaining access to any valuable data or OS state,
- Prevents the attacker from gaining access to high value networks or sites,
- Automatically self-remediates, erasing the attack from the endpoint.
Windows 10 VSM uses hardware isolation to protect valuable credentials, moving critical data deeper into the castle, as it were. Bromium micro-virtualization eliminates vectors of attack on the endpoint, stopping attackers at the gate. The two technologies are complementary and together produce an endpoint security architecture that is far more secure than either alone.
Bromium LAVA delivers real-time forensics for targeted attacks
Windows 10 improves endpoint security through sound design principles. Its use of hardware isolation to protect endpoint credentials increases the difficulty faced by an attacker seeking to penetrate the enterprise. Micro-virtualization is a complementary technology that also uses hardware virtualization to eliminate attacks on the endpoint.
The CISO must secure the entire enterprise, legacy systems included. Bromium protects legacy Windows systems with micro-virtualization and, in addition, gives the security team real-time insight into attacks as they occur, without false alarms, together with the forensic intelligence needed to secure the rest of the enterprise quickly. This is made possible by micro-VM introspection and Live Attack Visualization and Analysis (LAVA).
During execution of each hardware-isolated task in a micro-VM, all state is captured from outside the VM: memory changes, process creation and termination, DLL injection, every packet sent or received, and file system and registry changes are recorded. Unlike detection-centric approaches, which must spot malware before it executes, the hardware confines of the micro-VM keep the system protected throughout, so it is possible to let malware actually carry out its attack and alert the security team on what it does rather than on what it looks like.
When malware executes in a micro-VM, the full forensic trace for the task is forwarded immediately to the Security Operations Center, where it provides complete details of the attack: the methods used, communication with remote command-and-control sites, and targets. This can be used at once to protect the rest of the enterprise, for example by blocking the attack’s indicators on other security assets such as proxies, firewalls and intrusion prevention systems, in real time and without false alarms. Bromium also exports attack intelligence to other tools in standard formats such as STIX and MAEC that can be shared between organizations, and integrates with Microsoft Active Directory and System Center Endpoint Protection to give security professionals a single, consistent platform for managing the endpoint and its security.
Windows 10 offers new features for device security that are backed by device hardware capabilities that enhance endpoint resilience. Adoption of Windows 10 should be a priority for every enterprise.
Bromium micro-virtualization is a complementary hardware-backed security technology that eliminates vectors of attack. Combined, the two approaches make Windows endpoints massively secure by design. Micro-VM introspection delivers powerful real-time insights into the nature of each attack, eliminating false alerts, and providing detailed forensic information that allows security teams to respond enterprise-wide to defeat each attack.
After the OPM breach many friends and colleagues who have served the US government feel angry and are worried that they and their families are exposed and vulnerable to attack. I felt the same when Aetna sent me a breach notice for my daughter. Who has their data? How will it be used to attack us? It’s sickening.
The resignation of the head of OPM won’t help. Accountability in this context has no meaning. A new head of IT will arrive, and the infrastructure will still remain vulnerable, and millions of citizens’ PII will still be up for grabs. The Federal Reserve Bank and the US Navy will still use Windows XP, and when I next visit, I’ll once again hear stories about how hard it is to move the infrastructure forward. Enough! Doing nothing is not an acceptable posture.
There is good and bad news in this story. The bad is obvious, but the good is that I’m seeing for the first time a realization that we have to fundamentally fix our nation’s computing infrastructure. A realization that buying more security widgets that fail to detect the bad guy isn’t going to help. I’m seeing customers realize that software sandboxes can’t stop Hacking Team 0days (that are already being used to attack us) and that legacy AV is quite simply not enough. And while it’s great to read about recommendations from analysts that you purchase breach detection tools, that’s a woefully bad response, because the bad guy has probably already won.
I’m hopeful that what will emerge on the part of practitioners is a determination to stop the breaches. Now we need some simple recipes to make it a lot harder to penetrate our vulnerable infrastructure.
Here are two simple steps that every organization can take to dramatically enhance their security.
- Move your PCs (and VDI desktops) onto a separate network segment that is logically in the DMZ, and treat every PC like an untrustworthy BYOD mobile device. Never trust it. Assume that it is the enemy, because in this context it is.
- Micro-virtualize the endpoint. Eliminate the attacks – even the HT 0days – by design. Over the last 30 days we have seen targeted zero day attacks on our customers’ endpoints at a shocking scale. One customer has experienced a unique targeted attack every single day. Why is this shocking? Remember that Bromium is the last line of defense. Every one of these attacks has flown through the proxy, next-gen firewall, IPS, IDS and any other network widget, and it has survived every form of signature and behavioral analysis. Thankfully we stop these attacks – every one – without knowing good from bad.
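The network move in the first step happens on switches and firewalls, which the post does not describe; the host side of “never trust the PC,” blocking PC-to-PC traffic and allowing outbound only to the services a PC legitimately needs, can be enforced on every Windows endpoint with the built-in Windows Firewall. The following is an added PowerShell example, not part of the original post and not Bromium’s code. The proxy, DNS and domain controller addresses, the 10.50.0.0/16 PC segment and the 8080 proxy port are placeholders for this example, and the rule list is deliberately minimal.

```powershell
# Added example (not from the original post): host-side "treat the PC as untrusted" posture.
# Assumptions (replace for your environment): one forward proxy carries all web traffic,
# internal resolvers and domain controllers are known, PCs live in 10.50.0.0/16.
# Run elevated; test on one machine before pushing the equivalent rules by Group Policy.

$Proxy = '10.0.0.10'                 # assumed forward proxy
$Dns   = '10.0.0.2', '10.0.0.3'      # assumed internal DNS resolvers
$DCs   = '10.0.0.20', '10.0.0.21'    # assumed domain controllers / identity services
$PcNet = '10.50.0.0/16'              # assumed PC segment (the "DMZ for PCs")
$g     = 'Untrusted PC segment'      # rule group, so the set can be listed or removed together

# Default-deny in both directions on the domain profile. Built-in Core Networking allow rules
# (DHCP, etc.) stay in effect; everything else below is an explicit exception.
Set-NetFirewallProfile -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# No inbound from other PCs. In Windows Firewall an explicit Block beats any Allow rule,
# so this survives a later Allow rule (e.g. file sharing) that someone adds by policy.
New-NetFirewallRule -Group $g -Profile Domain -DisplayName 'Block inbound from PC segment' `
    -Direction Inbound -RemoteAddress $PcNet -Action Block

# Outbound only to the services a PC needs: DNS, web via the proxy, and AD to the DCs.
New-NetFirewallRule -Group $g -Profile Domain -DisplayName 'Allow DNS' `
    -Direction Outbound -Protocol UDP -RemotePort '53' -RemoteAddress $Dns -Action Allow
New-NetFirewallRule -Group $g -Profile Domain -DisplayName 'Allow web via proxy' `
    -Direction Outbound -Protocol TCP -RemotePort '8080' -RemoteAddress $Proxy -Action Allow
# Kerberos, LDAP and SMB to domain controllers only (port list trimmed for the example).
New-NetFirewallRule -Group $g -Profile Domain -DisplayName 'Allow AD (TCP) to DCs' `
    -Direction Outbound -Protocol TCP -RemotePort '88','389','445' -RemoteAddress $DCs -Action Allow
New-NetFirewallRule -Group $g -Profile Domain -DisplayName 'Allow Kerberos (UDP) to DCs' `
    -Direction Outbound -Protocol UDP -RemotePort '88' -RemoteAddress $DCs -Action Allow

# Everything else, including direct PC-to-server and PC-to-PC traffic, falls to the default Block.
Get-NetFirewallRule -Group $g | Format-Table DisplayName, Direction, Action -AutoSize
```

The effect is that a compromised PC can talk to the proxy (where its traffic is logged and filtered), to DNS and to the domain controllers, and to nothing else on the inside, which is the same posture the first step asks the network to enforce. A real deployment adds rules for update, management and any line-of-business servers, and removes the group with Remove-NetFirewallRule -Group $g if it needs to be backed out.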
Bromium is here to help – we have the expertise to help you make your infrastructure more secure – whether or not you use our product. And we can enable you to shrug off the next attack. For us this is personal – as I know it is for you. Feel free to give us a call just to benefit from our advice.