August 27, 2015 / clintonkarr

TechCrunch: Psychology of Insecurity

Today, TechCrunch has published “The Psychology of Insecurity” by Bromium CTO Simon Crosby. You can read the whole article here:

The recent Ashley Madison hack isn’t the only high-profile one to make headlines this summer. The personal and private information of more than 21.5 million current and former federal employees and over a million unique fingerprint scans were leaked in an attack on the Office of Personnel Management (OPM) that is believed to be the work of the Chinese. Government officials said longtime security lapses left the OPM vulnerable to hackers. As a result of the OPM hack, Director Katherine Archuleta has been forced to resign.

Why do we keep reading about a litany of breaches? Don’t cyber pros understand they are looking after our most sensitive personal data? Yes they do, but to understand their actions demands a more detailed examination of the psychology of security from the perspective of the security professional.

August 25, 2015 / Bill Gardner

Why Malvertising Matters

Malvertising has been back in the news recently.

This is no surprise to us here at Bromium; check out the report we issued on malvertising via YouTube last year.

In our paper we concluded that the bad guys could leverage ad networks alongside attack kits, or even in place of them, to target organizations and effectively distribute malware. Unfortunately this appears to be coming true. The question is what impact this trend will have on our organizations.

The answer is that this trend has the potential to have a tremendous negative impact on our security. Why? Because malvertising often powers drive-by downloads that can compromise a system without ever requiring the user to do anything but visit a popular, legitimate web site that is unwittingly part of a malvertising network.

Let’s face it, we have all been focused on the spear phishing attacks that have factored into so many successful breaches in recent years, and that is one reason this new attack channel is so dangerous. Conventional wisdom is that if you use a web gateway to keep your users from accessing obscure, “uncategorized” or unknown web sites, or sites with poor “web reputation” scores, you will be safe from drive-by attacks.

Malvertising effectively bypasses web filters. After all, who is going to blacklist YouTube or many of the popular news sites we have been seeing delivering malvertising payloads? These sites are selected by the attackers because they have pristine web reputations and bypass current defenses.

Malvertising is a very effective delivery channel for targeted waterhole attacks as well. The image included is a snippet of a Bromium LAVA trace we received from a customer earlier this year showing delivery and isolation of a very nasty Bootkit from an IT support oriented web site via a malvertisement. Very nasty indeed: undetectable by AV engines (we tested it against AV comparatives with no hits) and targeted at the right people in the organization if your goal is to establish a privileged beachhead in an organization.

So malvertising really does matter if you are concerned with security. I am sure we will be hearing and seeing more on this topic as the future unfolds….

August 12, 2015 / clintonkarr

Bromium Black Hat Survey: Endpoint Risk Five Times Greater Than Network or Cloud

Today, Bromium published “Black Hat 2015: State of Security,” a report that analyzes the results of a survey of more than 100 information security professionals at Black Hat 2015.

Key findings from “Black Hat 2015: State of Security” include:

  • The Endpoint Is the Source of Greatest Security Risk — The majority of information security professionals cited the endpoint as the source of the greatest security risk (55 percent). The second most common response was insider threats (27 percent). Network (9 percent) and cloud (9 percent) were selected less frequently.

  • Security Professionals Pan Flash — The overwhelming majority of security professionals believe their organization would be more secure if it disabled Flash (90 percent); however, 41 percent believe disabling Flash would make their organization less productive or break critical applications.

  • Implementing Security Patches Is a Challenge — The majority of organizations implement patches for zero-day vulnerabilities in software, such as Flash and Internet browsers, in the first week (50 percent first week; 10 percent first day); however, 22 percent take more than a month to deploy.

  • Critical Infrastructure Is at Risk of Cyber Attack — The majority of Black Hat attendees cited financial services (30 percent), energy (17 percent), healthcare (17 percent) and government (12 percent) as the verticals at the most risk of cyber attacks. Interestingly, financial services was also selected as the vertical that has implemented the best security practices (60 percent).

  • Windows 10 Improves Security, But Not Enough — The majority of information security professionals believe Windows 10 improves security (56 percent), but many (33 percent) believe these improvements are not enough.

Most notably, information security professionals find the endpoint is by far the source of the greatest security risk. This is only logical when you consider how frequently end users connect to untrusted networks such as hotels and coffee shops. Even more concerning is the end user’s tendency to click on any Web site and open any email, which are the most common sources of malware.

The survey illustrates the challenge with hardening against malware attack vectors. If 90 percent of information security professionals think their organization would be more secure with Flash disabled, why don’t they disable Flash? The unfortunate reality is that security often takes second priority to operations, a fact further illustrated by 40 percent of information security professionals noting that disabling Flash would break critical applications. Likewise, 22 percent of information security professionals have to wait more than a month to implement critical patches – most likely because of operations teams.

The end result is an increased risk of cyber attack on critical infrastructure, financial services in particular. The good news is that financial services are well prepared; financial services are typically more tech savvy and early adopters of new technology.

Speaking of new technology, the majority of information security professionals seem happy with Windows 10. Windows 10 adds better sandboxing and whitelisting capabilities, but security pros still feel it is inadequate due to the latent attack surface.

Bromium vSentry addresses many of these challenges by using micro-virtualization to isolate threats. Threat isolation prevents data breaches by maintaining a strict separation between user tasks and the system host. Even unpatched zero days cannot be exploited to any permanent gain. The battle for the endpoint continues to rage and information security professionals are right to be concerned with the risk, but Bromium is here to help.

August 11, 2015 / clintonkarr

Breaking the Unbreakable Comb: The Importance of Bug Bounty Programs

When I was a kid, I remember going to the barber shop with my brother, who was given an “unbreakable” comb by the barber. My brother promptly snapped it into two pieces. It was not unbreakable to him.


I am reminded of this story because Oracle CSO Mary Ann Davidson published (and subsequently deleted) a blog post decrying security researchers that “reverse engineer” Oracle software to identify vulnerabilities, claiming it was a violation of Oracle’s licensing agreements.

Davidson made many inflammatory remarks that have incensed the security community, such as comparing bug bounty programs to boy bands with companies throwing their underwear at security researchers (gross). And yet, Davidson admits “Ah, well, we find 87% of security vulnerabilities ourselves.”

Ah, well, that still leaves a pretty significant security gap, doesn’t it?

In regard to patching vulnerabilities, Davidson contends “We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’”

It’s a strange attitude for a CSO. In contrast, tech giant Microsoft recently announced that it was doubling its bug bounty program from $50,000 to $100,000. Recently United Airlines rewarded a researcher with one million miles for identifying a bug. Even Tesla pays a nominal reward.

To give Davidson the benefit of the doubt, as CSO of Oracle, it is her job to improve its security. As Davidson notes “I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues.”

This opinion seems pretty similar to comments Microsoft security chief Mike Reavey made in 2012, “I don’t think that filing and rewarding point issues is a long-term strategy to protect customers.”

Perhaps Oracle will experience the same change of heart as Microsoft, now that Davidson’s comments have been made public. To be certain, Oracle is sure to be feeling the heat from the security community.

As CSO security reporter George Hulme aptly Tweeted:

“BREAKING NEWS: APTs and cyber criminals announce they will no longer reverse engineer Oracle because it is a violation of the terms”

In other words, when security vulnerability research is outlawed, only the outlaws will research security vulnerabilities to exploit Oracle users.

Recently, Bromium Chief Security Architect Rahul Kashyap spoke with CSO about responsible vulnerability disclosure, concluding that “Full Disclosure is a spirit, it’s an attitude — you cannot kill that easily with laws and layers of documentation.”

July 31, 2015 / Simon Crosby

The Best Virtual Desktop Ever: Windows 10 on a Surface Pro 3

Over the last decade many enterprises have tinkered with Virtual Desktop Infrastructure (VDI) as an alternative to PCs. A VDI user accesses a remote, virtualized Windows desktop OS delivered “as a service” from the enterprise datacenter or service provider to a PC/Mac, thin client, Chromebook or a tablet. But there’s another model for virtual desktops – one that is more secure, lower cost, and fully empowers the user: A Windows 10 PC or tablet, coupled to the cloud. The “virtual” bit here is the virtualization of data and cloud app access, and the use of virtualization on the client device, for security.

VDI is promoted as the best solution for IT teams facing desktop challenges: All VDI desktops boot from the same “gold” OS, so there’s only one image to patch; Data (emails, files, documents) are centrally stored; and users can access their applications and data from many devices, including personal gear. But though it offers benefits in compliance, VDI is at best a partial solution:

  • Though it seems secure – it does help a bit – VDI isn’t a security solution: Users will still click on bad things in their virtual desktop; moreover today’s VDI-aware malware persists across patching, rebuilds and reboots; and the session is only as secure as the access device – a compromised Bring Your Own (BYO) PC can steal login credentials and data. There are two endpoints to secure – the VDI desktop and the user device.
  • VDI brings real costs: Servers, virtual infrastructure to run the desktop; additional license costs; data center space, power and cooling; and tons of infrastructure complexity – there are more things that can go wrong.
  • The end-user experience, whilst good, is not perfect. It is still a challenge to deliver video and real-time media to a VDI user, and techniques like flash-redirect can be exploited as security holes.

But the idea of EUC tightly coupled with the cloud is spot on.  Re-thinking the model slightly delivers a desktop that is manageable, secure and compliant, and that users will love.  Windows 10 on a PC, tightly coupled with a cloud service such as Office 365 with SkyDrive is the perfect virtual desktop.  What’s more, it is the lowest cost EUC solution.

Let’s peel the onion back slowly. Local execution is what users want – for personal and corporate apps, and in particular media rich experiences.   Remoting protocols are fine for truly legacy applications.  A Windows 10 device that is coupled to the cloud using SkyDrive, Box or even Citrix ShareFile keeps data centralized and backed up, but gives the user maximum freedom for offline access.  Virtualizing data access is a more powerful concept than virtualizing and remoting execution. And powerful SaaS apps – such as Office 365 – offer richer functionality when you’re online, but are powerful and productive when you’re not.

But we aren’t done: Windows 10 with Virtual Secure Mode (virtualization security) uses virtualization locally to make the endpoint much more secure – with a secure boot process and protected credential store.  Windows as a Service ensures that devices are always patched, enabling IT teams to get out of patching – forever.  Windows 10 also offers built-in data loss protection (DLP) that can help ensure that files cached locally cannot be inappropriately accessed – again making use of the cloud: Azure AD.  This gives IT the opportunity to get out of running their AD system too.

The delivery of end user computing and applications as a service – the original motivation for VDI – is superior when the applications in the cloud deliver more value than local applications do.  Office 365, with Office Graph and its tight coupling to the core productivity suite, delivers far more value to end users than simply running local versions of the traditional fat Win32 applications, but when you’re offline local apps still work great.

Finally, the integrated Enterprise Mobility Management (EMM) capabilities in Windows 10 (offered in the Microsoft EMS suite) give enterprises the ability to manage Windows 10 devices with the granularity and precision that they expect for their iPads and smartphones.  Encrypted at rest, remotely wiped if lost, and easy provisioning of next-gen universal apps that are vastly more secure.

There will always be legacy applications that need to be delivered to users.  RDSH is a proven way to do this.  Windows 10, and Office 365, with EMS, address enterprise EUC challenges with a solution that users want. Add virtualization or micro-virtualization to the client device for security to achieve a solution that is local, touchable, zippy;  more secure and manageable; and that uses cloud services for management, security and to deliver a more compelling set of EUC services.


July 29, 2015 / clintonkarr

Endpoint Exploitation Trends (but what of Hacking Team!?)

Today, Bromium released “Endpoint Exploitation Trends 1H 2015,” a Bromium Labs threat report that analyzes security trends from the first six months of 2015. One of the primary themes to emerge from the report should come as no surprise: cyber criminals are attacking targets that have the most users. Pragmatically, this means that malvertising campaigns are being conducted primarily through news and entertainment Web sites and that Flash has been exploited more than any other popular software this year. It’s no surprise that exploits targeting the Windows Kernel are getting more popular for launching targeted attacks. The discovery of Duqu 2.0 targeting high-profile groups, including a large cybersecurity company, clearly proves this. As the industry adopts application sandboxing on popular apps, kernel exploits are expected to gain more attention from malware authors.

Hackers continue to innovate. Malware evasion technology continues to evolve to bypass the latest detection mechanisms deployed by security professionals. Ransomware has exploded in growth, more than doubling in size year-over-year. In 2013, there were just two ransomware families; today there are 16.


If you’re interested in these trends, you should read the full report; however, it is also interesting to note that this report does not address the recent Hacking Team disclosures since it only analyzed the first six months of 2015. Bromium Labs has conducted a thorough analysis of the Hacking Team, which is worth reading, but today I want to talk about the bigger trends and how they relate to this threat report.

In July, the Hacking Team, an Italian surveillance company, was compromised, leaking customer lists, source code and internal emails. In the coming days and weeks, a Pandora’s Box of exploits and vulnerabilities was unpacked; Flash, Internet Explorer and even Java were targeted.

These Flash exploits were incorporated into the Angler, Neutrino and Nuclear exploit kits. This development ties back into our research, as discussed in “Endpoint Exploitation Trends 1H 2015:”


In the past six months Adobe Flash Player took the coveted top space as the most exploited application. From an exploitation point of view, the architecture of Adobe’s AVM has multiple flaws allowing attackers to craft ROP shellcode on the fly thus bypassing ASLR and DEP. This combined with evasion techniques described in this report makes a nasty combination, with practically every user vulnerable.

Angler Exploit Kit

All the Web attacks we’ve seen are still operated using exploit kits. We found Angler to be the most prevalent exploit kit for the last six months. Lately we have been seeing CVE-2014-6332 also known as ‘IE Unicorn vulnerability’ and several Flash exploits, such as CVE-2014-0497 and CVE-2015-0311 for propagating malware. Aside from that Nuclear Pack and Fiesta remain relatively popular.

These Flash exploits, coupled with this newest Flash zero-day, prompted Mozilla to temporarily block Flash from Firefox. Facebook’s CSO wants to kill Flash. YouTube has dropped Flash for HTML5 and streaming video site is making the same commitment. Will it really make any difference?

If these trends show us anything, it is that hackers have read “Who Moved My Cheese?” Internet Explorer was the most exploited software in the first half of 2014, but this year it is Flash; next year it will be whatever is easiest for attackers to compromise. What these trends really demonstrate is that all software is vulnerable.

More than 110 million records have been compromised in the first six months of 2015, which really demonstrates that the security industry is ineffective. I’ve written before about the challenge of patching never-ending zero days and I’ve called out the security industry on the vicious cycle of “assuming compromise.”

Security is almost always an afterthought when developing technology. Perhaps someday in the future, suppose 100 years from now, technology will be secure by design, but in the meantime we are living in a “lawless” era of vulnerabilities and compromise. Detection-based technologies are trying to solve an unsolveable problem.

The only way to prevent compromise is to prevent the initial unauthorized access. Threat isolation enforces the principle of least privilege to achieve this goal; unknown and untrusted content is isolated from access to trusted systems. Bromium vSentry is a perfect example of this threat isolation; micro-virtualization isolates each vulnerable user task, preventing it from modifying the operating system or gaining network access.

July 24, 2015 / Bill Gardner

Zero Day vulnerabilities – much to do about nothing

Zero day vulnerabilities and exploits have been back in the news again recently. The recent breach of Hacking Team revealed insights into the grey market for zero-day exploits as well as new exploits against Adobe Flash and Microsoft Windows. Here we are just a couple of weeks later and 4 new zero day vulnerabilities in Microsoft Internet Explorer were revealed by HP’s Zero Day Initiative group.

Zero Day exploits are often considered to be the ultimate weapon in the hackers’ arsenal. After all, how do you detect and block something if no one knows it exists? Zero Day attacks are considered to be so dangerous that the security industry developed ethical guidelines on how to deal with the discovery of software flaws or vulnerabilities that could provide attackers with a new “undetectable” weapon.

For the most part the industry has followed these guidelines by notifying the makers of the vulnerable software of the problem and allowing them to develop and release a fix or “patch” for the vulnerability to ensure that bad guys can’t use it to attack users or organizations. This process has come under criticism by some when vendors don’t develop patches “quickly enough” leaving potential victims exposed if bad guys manage to discover and exploit the vulnerabilities during the “window of vulnerability”.

Of course all of these concerns are based on the inability of the industry to reliably detect and block Zero Day exploits. Bromium’s approach to the problem of malware, isolating all POTENTIAL malware entering the system in a hardware-enforced microVM, changes the equation completely. Encountering a true Zero Day attack in a system protected by Bromium is now an opportunity for the defender to quickly and reliably identify the new vulnerability rather than an opportunity for the attacker to execute an undetectable attack.

Most cyber-attacks are financially motivated, and developing Zero Day attacks can be an expensive proposition. With Bromium it is much cheaper for the defender to defeat and expose the attack than for the attacker to develop and deploy the attack. With this fundamental change in the profit equation it is just a matter of time before the latest announcement of a new Zero Day becomes just a matter of passing interest to software developers rather than a hot story demanding headlines around the world.

July 16, 2015 / Simon Crosby

Micro-virtualization: The only way to defeat Hacking Team 0-days


This week micro-virtualization helped to make your organization more secure.

The Hacking Team breach laid bare the resourcefulness and sophistication of today’s determined attackers, and the ease with which they operate. It also cast into stark relief the fact that only micro-virtualization can stop these attacks.  Every other technology fails with certainty: Network Sandboxes, AV, HIPS, application control, attack mitigation, hosted browsers and application sandboxes can’t save you.  But don’t expect those vendors to admit it.

As other security research teams struggled to investigate the HT 0-days on air-gapped networks, the Bromium Labs team safely observed each attack as it wreaked havoc in a micro-VM.  We published our first research within 48 hours of the breach, followed by a detailed analysis of the Hacking Team’s RAT.

Within days, customers told us that our product successfully isolated, automatically remediated, and delivered threat forensics for newly weaponized HT 0-day attacks – often delivered to the endpoint together with new sandbox escapes – underlining the futility of kernel-based protection.  The speed with which malware writers incorporated HT’s government grade exploits into new attacks on commercial targets is breathtaking.

The unsung heroes of the past week are the researchers and developers who quickly pulled together and tested patches:  Yesterday Microsoft released patches for 6 new kernel CVEs, 3 of which permitted privilege elevation.   Adobe also issued emergency patches for Flash.  Unfortunately there are certainly other closely guarded exploits in the hands of other threat actors, so patch your endpoints immediately if they are not protected by Bromium. We are proud to have protected our customers from compromise, and to have helped with the research & response effort.

There is a single, stark difference between Bromium and every other endpoint protection / detection & response tool.  Only Bromium defeats each attack by design – delivering detailed, real-time alerts, before automatically remediating the endpoint.  How are you going to protect your enterprise against the next attack?



July 15, 2015 / clintonkarr

Flash Vulnerabilities Show No Signs of Slowing

Last month, I blogged about a Flash zero day. This month, two more Flash zero days have emerged as the result of the Hacking Team leaks. These critical vulnerabilities have some security experts calling for a new approach to Flash.

ZDNet reports that Mozilla has blocked all versions of Flash in Firefox by default. To clarify, Mozilla is only blocking actively exploited versions of Flash, until it is patched. However, many information security professionals would love to be able to block Flash completely. Discussions from around the Internet paint Flash as an outdated technology, which is becoming obsolete because of HTML 5. There is even a social movement, Occupy Flash, which has the goal to “rid the world of the Flash Player plugin.”

In light of the Firefox block, even Facebook is calling for the end of Flash.


In June, Brian Krebs blogged about his experience disabling Flash for a month. After 30 days, he found that he barely missed it:

I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe‘s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.

Well-known browser plugins such as Flash often have unknown vulnerabilities, but is it realistic to disable Flash at your organization? The outcry from users would be swift and severe. In some cases, the impact may be limited to some streaming video sites like YouTube, but in other cases Flash is built into the legacy code of enterprise applications.

Where does this leave organizations? They remain vulnerable to zero day attacks if they leave Flash enabled and unpatched. And yet, even when a patch emerges, a new set of challenges comes with it: do you race to deploy the newest patch? Or do you test to make sure it integrates with legacy systems?

Of course, the third option is to deploy threat isolation security solutions. This latest zero-day and others like it can be secured by isolating the browser in a micro-VM (such as Bromium vSentry). By isolating the threat, security and ops teams are granted the grace period needed to test and deploy these critical patches.

A chain is only as strong as its weakest link. Today the weak link is Flash; tomorrow it will be something else. The internet today is a constantly changing and expanding chain made up of potentially weak links. Disabling Flash is a good move, but in the end it’s just another reactive band-aid. Unless a new approach to security is taken, we will be back in the same position with a different link next week or next month.

July 13, 2015 / Simon Crosby

Bromium Partners to Bring Micro-virtualization to Windows 10


Bromium has partnered with Microsoft to ensure Bromium micro-virtualization and Windows 10 will work better together to provide the most secure endpoint solution on the market. Windows 10 offers powerful new protections that make it the most secure Windows version ever. Bromium micro-virtualization complements the security of all versions of Windows by isolating and eliminating vectors used by cyber attacks. The partnership brings together new security capabilities in Windows 10 and Bromium micro-virtualization, and will enable customers to secure and manage their endpoints with System Center Endpoint Protection and Active Directory.

Our  partnership with Microsoft validates micro-virtualization as a foundation for future endpoint security and assures customers that Bromium security products are compatible with and complementary to Microsoft security technology. Microsoft and Bromium together make Windows endpoints secure, defeating each attack by design, and delivering real-time threat insights that help to stop breaches.

Windows 10 Security is backed by device hardware

Windows 10 offers many security enhancements beyond those in Windows 7 and 8.  Several key  features specifically leverage endpoint device hardware to harden the platform – a trend that is increasing on all endpoints. The following diagram, drawn from a Microsoft presentation, summarizes them.


  • Identity protection: Windows 10 uses device hardware capabilities to securely authenticate the user, removing the need for 3rd party two-factor authentication, and ensuring that users are properly authenticated by the device before being granted access to applications and data.
  • Data protection: Capabilities include enhanced BitLocker encryption for data at-rest, and Microsoft Azure-backed Data Loss Prevention that ensures that enterprise data in the wrong hands is unreadable.
  • Threat resistance: Windows 10 can be remotely managed using enterprise mobility management software such as Microsoft Intune which can enforce device-wipe, encryption and other widely used security techniques used to manage mobile devices. It also introduces a capability called Device Guard that implements application control to ensure that only known-good, signed applications can run.
  • Device security: Finally, Microsoft has introduced device security capabilities including UEFI secure boot that permits an attested secure bootstrap of the OS using cryptographic verification of the initial state of key OS files. Windows 10 also introduces a capability called “virtual secure mode” (VSM) that uses endpoint CPU virtualization to protect key system data such as credentials, so even if Windows is compromised, the attacker cannot use locally cached credentials to reach deeper into the enterprise infrastructure.  VSM relies on the use of client virtualization technology, implemented in the Windows hypervisor Hyper-V.  VSM places the Windows Local Security Authority Subsystem Service (LSASS) credential store under control of the client hypervisor, where it is out of reach of malware that compromises the operating system.  This eliminates so-called “pass the hash” attacks in which an attacker uses stolen credentials from a compromised endpoint to gain access to other systems in the infrastructure.

New PCs, laptops and Windows tablets have the hardware capabilities that are needed to take advantage of the hardware-assisted security features of Windows 10.  The device must support UEFI secure boot and include a Trusted Platform Module (TPM) to permit a secure bootstrap and to securely store keys for encryption at rest.  It must also support hardware virtualization, minimally VT-x or AMD-V to permit the use of VSM.  Additional hardware features (that are OEM and device specific) are required for hardware-assisted biometric user authentication.  Every PC in enterprises today already supports hardware virtualization.
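
The three prerequisites listed above (UEFI secure boot, a TPM, and hardware virtualization) can be checked on an existing machine before planning a rollout. The script below is an added example, not code from Bromium or Microsoft; the function name `Test-HardwareSecurityReadiness` is hypothetical, and it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added example: report whether this device meets the three hardware
# prerequisites named in the text. The function name is hypothetical.
function Test-HardwareSecurityReadiness {
    [CmdletBinding()]
    param()

    # 1. UEFI secure boot. Confirm-SecureBootUEFI returns $true/$false on
    #    UEFI systems and throws on legacy BIOS systems or when unelevated,
    #    so any failure is reported as "not enabled".
    $secureBoot = $false
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        Write-Verbose "Secure boot state unavailable: $($_.Exception.Message)"
    }

    # 2. Trusted Platform Module. A TPM can be present but not yet
    #    provisioned, so both states are reported.
    $tpmPresent = $false
    $tpmReady   = $false
    try {
        $tpm        = Get-Tpm -ErrorAction Stop
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    } catch {
        Write-Verbose "TPM state unavailable: $($_.Exception.Message)"
    }

    # 3. Hardware virtualization (VT-x / AMD-V). Once a hypervisor is
    #    already running, the firmware flag may read $false, so a running
    #    hypervisor is treated as evidence that virtualization is usable.
    $cpu    = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $system = Get-CimInstance -ClassName Win32_ComputerSystem

    $hypervisorRunning = [bool]$system.HypervisorPresent
    $vtInFirmware      = [bool]$cpu.VirtualizationFirmwareEnabled
    $virtualization    = $vtInFirmware -or $hypervisorRunning

    # List every unmet prerequisite so the gap is explicit in fleet reports.
    $missing = @()
    if (-not $secureBoot)     { $missing += 'UEFI secure boot' }
    if (-not $tpmPresent)     { $missing += 'TPM' }
    elseif (-not $tpmReady)   { $missing += 'TPM provisioning' }
    if (-not $virtualization) { $missing += 'Hardware virtualization' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBootEnabled  = $secureBoot
        TpmPresent         = $tpmPresent
        TpmReady           = $tpmReady
        VirtualizationInFw = $vtInFirmware
        HypervisorRunning  = $hypervisorRunning
        Ready              = ($missing.Count -eq 0)
        Missing            = ($missing -join ', ')
    }
}

Test-HardwareSecurityReadiness -Verbose | Format-List
```

A device that reports a TPM as present but not ready usually needs provisioning rather than new hardware, which is why the two states are kept separate in the output.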

Bromium micro-virtualization enhances Windows security

Windows 10 improves the resilience of the endpoint to an attack.  It also helps to prevent breaches because most start with a compromised endpoint.  Like Windows 7 and 8 before it, Windows 10 will of course still be exposed to attacks delivered via the usual vectors: Users accessing the web, consuming media, opening attachments, accessing files from USB devices and cloud storage, legacy Java and other applications that can’t be patched, and content delivered from social sharing applications.    Bromium eliminates these attack vectors by seamlessly and automatically hardware-isolating the execution of each task that interacts with untrusted content, using micro-virtualization.  Bromium supports the enterprise installed-base of Windows 7 and 8 today, and will support enterprise adoption of Windows 10.

Endpoint compromise is the start of a breach

Today’s targeted attacks take advantage of vulnerabilities that result from the challenges of today’s enterprise IT practices[1]:


  • IT teams struggle to keep up with the need to patch endpoints when new vulnerabilities are disclosed because they need to be sure that applications will still run and that users won’t be impacted. But malware developers are agile.  Verizon reported that in 2014 over 90% of breaches resulted from a compromised endpoint where malware took advantage of a vulnerability for which a patch had been available for over a year.  And most newly disclosed vulnerabilities are attacked within a month.
  • Enterprises have a heavy dependency on legacy applications, browsers and plugins, many of which are vulnerable to attack. For example, many companies have a heavy dependence on legacy Java applications, ActiveX components, productivity suites and applications that require backward compatibility with legacy browsers.
  • Today’s detection-centric security tools, including anti-virus and network intrusion detection tools, are incapable of detecting targeted attacks. Verizon reports that in up to 90% of the 2,100 breaches it studied in 2014, the malware used was unique to the targeted organization. In such circumstances there is no way to detect attacks using legacy tools.
  • Finally, over 90% of breaches studied by Verizon in 2014 were the result of a mistake on the part of a computer user or administrator that ultimately led to an endpoint compromise. It is unreasonable to believe that training can solve this problem, because attackers are sophisticated and know their targets well.

It is difficult or impossible to address these issues.  Instead, what is needed is an approach that secures the endpoint by design – whether or not it has been patched, without any presumed knowledge of the attacker, and without impacting the user.  Bromium complements the “in the box” security of Windows by eliminating vectors of attack and malware persistence.

Using virtualization features on the endpoint CPU, the Bromium Microvisor hardware-isolates the execution of all user-initiated tasks that access content from an untrusted source: the web, media, untrustworthy documents, files, attachments, detachable storage including USB drives, cloud storage, and legacy executable types such as Java, Flash and other browser plugins. Hardware isolation is the only approach that has been shown to massively increase endpoint security – hence its adoption by both Microsoft and Bromium. Software sandboxes – included in all browsers, document viewers and media plugins and even marketed as an anti-malware solution – are unable to defend against determined attackers that exploit zero-day vulnerabilities.

The Microvisor

Whenever the user accesses content from any untrusted source, the Microvisor automatically and invisibly hardware-isolates the Windows task using a technique called micro-virtualization that executes the task in a tiny CPU-isolated micro-VM that cannot modify Windows or gain access to enterprise data, networks or sites.  The Microvisor protects desktops that have not been patched, defeats and automatically discards malware, and eliminates costly remediation – keeping users productive.


Micro-virtualization uses endpoint CPU features for virtualization to hardware-isolate each untrusted user task – those that access external content – in a micro-VM. Valuable data, networks and devices are not available in a micro-VM – so an attacker cannot steal data, access devices such as a webcam, or penetrate the enterprise network. Execution within a micro-VM is ephemeral, with all changes to system state saved in a throw-away cache, so malware cannot persist. When the task ends, the micro-VM and the throw-away cache are simply discarded, along with any malware. This makes Bromium-protected endpoints self-remediating – eliminating any possibility of malware persistence. When an endpoint is attacked, malware may execute in the context of a micro-VM, but no content of value is available to be stolen, and the attacker cannot pivot onto the enterprise network to further his attack.


A Bromium-protected endpoint thus:

  • Hardware-isolates each attack, without any need for signatures,
  • Defeats the attack by preventing the attacker from gaining access to any valuable data or OS state,
  • Prevents the attacker from gaining access to high value networks or sites,
  • Automatically self-remediates, erasing the attack from the endpoint.

Windows 10 VSM uses hardware isolation to enhance protection for valuable credentials – moving critical data deeper into the castle, as it were. Bromium micro-virtualization eliminates vectors of attack on the endpoint – preventing attackers from entering the castle.   The two technologies are complementary and result in an endpoint security architecture that is massively secure.

Bromium LAVA delivers real-time forensics for targeted attacks

Windows 10 improves endpoint security through sound design principles.  Its use of hardware isolation to protect endpoint credentials increases the difficulty faced by an attacker seeking to penetrate the enterprise.   Micro-virtualization is a complementary technology that also uses hardware virtualization to eliminate attacks on the endpoint.

The CISO needs to secure the entire enterprise, including legacy systems. Bromium protects legacy Windows systems using micro-virtualization, and in addition offers the security team real-time insight into actual attacks as they occur, without false alarms, together with the forensic intelligence that enables the security team to quickly secure the entire enterprise. This is made possible through micro-VM introspection and Live Attack Visualization and Analysis (LAVA).

During execution of each hardware-isolated task in a micro-VM, all state is captured: memory changes, process creation and destruction, DLL injection, all packets sent and received, and file system and registry changes. Unlike traditional detection-centric approaches that rely on detecting malware before it executes, the hardware confines of a micro-VM ensure that the system is protected at all times, so it is possible to wait for malware to actually attack the system before alerting the security team.


When malware executes in a micro-VM, the entire forensic trace for the task is instantly forwarded to the Security Operations Center, where it provides complete details of the attack, the methods used, communication with remote command-and-control sites, and targets. This can be used to immediately protect the rest of the enterprise, for example by blocking the attack using other security assets such as proxies, firewalls and intrusion prevention systems – in real time and without false alarms. Finally, Bromium delivers attack intelligence to other tools using standard formats such as STIX and MAEC that can be shared between organizations. Bromium integrates with Microsoft Active Directory and System Center Endpoint Protection to give security professionals a single, consistent and powerful platform for managing the endpoint and its security.


Windows 10 offers new features for device security that are backed by device hardware capabilities that enhance endpoint resilience.  Adoption of Windows 10 should be a priority for every enterprise.

Bromium micro-virtualization is a complementary hardware-backed security technology that eliminates vectors of attack. Combined, the two approaches make Windows endpoints massively secure by design.  Micro-VM introspection delivers powerful real-time insights into the nature of each attack, eliminating false alerts, and providing detailed forensic information that allows security teams to respond enterprise-wide to defeat each attack.

[1] Source: Verizon Data Breach Report 2015

