December 16, 2014 / clintonkarr

Chasing the White Whale: How Advanced Attacks Leverage Spear Phishing

Update: Breaking News: ICANN targeted in a spear phishing attack

Information security becomes increasingly important as the frequency of cyber attacks increases. From Target to Sony, the past 12 months have played host to the largest volume of attacks in recent memory. We are witnessing the rise of the targeted attack, which is frequently accompanied by spear phishing campaigns.


Phishing is not new. I recall receiving suspicious emails and messages on my America Online account in the 1990s, warning that my account would be suspended unless I replied to provide my password. Similar scams persist for online banking, eBay and PayPal. Cyber criminals show no signs of abandoning phishing because it continues to work.

In 2010, Google announced that it had been compromised by spear phishing during “Operation Aurora.” Likewise, RSA fell victim to spear phishing in 2011. More recently, the Target breach in 2013 can be traced back to a spear phishing email. It seems that the easiest way to infect a major enterprise is to ask an employee to click on an infected file.

Spear phishing is insidious because it preys upon the weakest link of information security systems: its users. Social engineering entices users to click on malicious documents and URLs by suggesting they are related to work, such as budgets, invoices or shipping notifications. Truly advanced attacks may leverage social networking sites, such as LinkedIn, to customize spear phishing emails to the recipient.

Ultimately, the goal of these spear phishing attacks is to execute undetectable malware, which evades traditional security solutions, such as antivirus. Once the initial endpoint is compromised, the attack can proliferate across the network before exfiltrating data to command and control servers.

This Thursday, December 18, Bromium will be hosting a webinar, “The Tip of the Spear: Defeating Spear-Phishing.” Join Bromium Sr. Director of Products Bill Gardner to learn:

  • Why cybercriminals are ramping up their spear-phishing attacks
  • The most common methods used in these attacks to ‘get the click’
  • A revolutionary new approach that can actually counter these attacks and secure both your endpoint and your network

Register today:

December 11, 2014 / clintonkarr

Picture This: Sony Hack Won’t Be the Last

The FBI has warned US companies of a wave of destructive cyber attacks, in light of the recent Sony hack. I commented to eSecurityPlanet and SecurityWeek:

“These attacks are troublesome, but not surprising. Earlier this year we witnessed Code Spaces shut down after a successful attack destroyed its cloud back-ups. Likewise, the evolution of crypto-ransomware suggests attackers are targeting the enterprise with destructive attacks. These attacks are unlike the ‘cat burglary’ of Trojan attacks, but much more brute force, like a smash-and-grab or straight vandalism.”

An internal memo from Sony claims that “the malware was undetectable by industry standard antivirus.” It seems that what has become industry standard is the inability of detection-based solutions to prevent these major breaches. Recall that Target was breached, in spite of a major investment in detection-based security.


The reality of the situation is that major attacks against leading brands and organizations show no signs of stopping. In the past year we have seen Target, Home Depot, eBay and many others get breached. And these are only reported breaches. There are almost certainly more sinister attacks that have still gone undetected.

Additionally, it should be painfully apparent that detection-based solutions are ineffective at preventing cyber attacks. This should come as no surprise as more than 70% of breaches in the last 3 years can be traced to a failure of endpoint security. We are witnessing a wave of sophisticated attacks that almost always involve the endpoint and almost always go undetected.

Legacy solutions are failing because antivirus security is almost 30 years old. Savvy information security professionals are recognizing the need for a new approach. Bromium eliminates the need to detect malware in advance by isolating all content in a hardware enforced microVM and denying an attacker access to the protected organization. Bromium is positioned to protect against both known and unknown attacks, including malvertising, crypto-ransomware and spear-phishing, which can be leveraged in APTs.

Next Thursday, December 18, join Bromium Sr. Director of Products Bill Gardner to learn more about how and why advanced attacks leverage spear-phishing. Register here:

November 10, 2014 / Simon Crosby

Is it time to Fire your network protection vendor?

I hereby solemnly promise that Bromium will never have a product with “fire” in its name. By now every vendor in the next-gen IDS / IPS / Firewall / honeypot-as-ultimate-defense-against-the-dark-arts market has a next-gen “fire”-branded product that claims to protect against APTs.

“Fire” appliances are easy to sell, so Wall Street swooned for a while. But they don’t deliver value. They are expensive, cost even more to run, and don’t protect your endpoints.

Though the vendors gleefully assert that endpoint AV is useless against today’s “sophisticated attackers”, their solutions do little more than move AV into the network, with a focus on alerting rather than stopping attacks. Even the worst AV suite can quarantine suspected malware, but with a “fire” product in your network you are deploying a variant of AV that can do little more than bleat.

How did we end up here? Well, “fire” appliances are optimized for quick sales: Persuade the customer to test the appliance on a span port on the network. Show alerts for lots of bad stuff crossing the network, and the deal is done. To ensure that there are lots of alerts, the vendors run legacy, unpatched VM images on the appliance that aren’t even properly licensed and bear no resemblance to the software on your actual endpoints. But the result is terrific: Lots of events – and lots of purchase orders.

The worst thing about this racket is that these appliances don’t solve the security problem – they make it worse.

Bromium is working with a large enterprise with north of 50,000 employees. Their security team receives 6,000 alerts per week from their “fire” product. Through de-duplication in their (expensive) SIEM, they typically reduce those down to 250 alerts a week – each of which is manually investigated – typically taking 2-4 hours, but often twice that, depending on the skill of the investigator. And more often than not, the endpoint is re-imaged just because “it’s simpler” and “we don’t really know if malware executed; re-imaging is safer”. Investigation, analysis and remediation results in 500-1,000 hours of labor, per week, without accounting for end-user downtime.

The bad news: Over several months the security team has concluded that over 80% of the alerts are obviously false alarms – there was either no attack or the attack did not execute given the patch level of the endpoint.

They have conservatively calculated that they waste well over $1M/year on FALSE POSITIVES!

Typically 50 of 6,000 alerts are attacks that would execute on the endpoint – under 1%. This matches anecdotal evidence from Bromium customers that about 1% of their off-net PCs see some form of malware each month. Of course with vSentry, remediation is eliminated, and if the attack executes, it does so in the narrow confines of a micro-VM from which it can steal nothing and go nowhere.
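The triage pipeline the preceding paragraphs describe (SIEM de-duplication of repeated alerts, then discarding alerts whose exploit cannot execute given the endpoint's patch level, then costing the remainder at 2-4 analyst hours each) can be shown concretely. The following is an added example, not code from the post or from Bromium: the alert fields, signature names, product versions and host inventory are all constructed for illustration, and the rule that an unknown host is kept for investigation is a design assumption of this example.

```python
import re
from collections import Counter

# Constructed sample data (not from the post): one batch of network-appliance
# alerts as (host, signature, product, fixed_in), where fixed_in is the first
# product version the exploit behind the signature no longer affects.
RAW_ALERTS = [
    ("ws-001", "SIG-PDF-001", "reader", "11.0.10"),
    ("ws-001", "SIG-PDF-001", "reader", "11.0.10"),   # same host, same signature
    ("ws-001", "SIG-PDF-001", "reader", "11.0.10"),
    ("ws-002", "SIG-DOC-002", "office", "15.0.4659"),
    ("ws-002", "SIG-DOC-002", "office", "15.0.4659"),
    ("ws-003", "SIG-DOC-002", "office", "15.0.4659"),
    ("ws-004", "SIG-JAVA-003", "java", "1.7.0_71"),
    ("ws-004", "SIG-JAVA-003", "java", "1.7.0_71"),
    ("ws-005", "SIG-FLASH-004", "flash", "15.0.0.189"),
]

# Constructed endpoint inventory: host -> {product: installed version}
PATCH_LEVEL = {
    "ws-001": {"reader": "11.0.09"},     # older than fixed_in: exploit applies
    "ws-002": {"office": "15.0.4700"},   # patched: exploit cannot execute
    "ws-003": {"office": "15.0.4600"},   # unpatched
    "ws-004": {"java": "1.7.0_72"},      # patched
    # ws-005 deliberately absent: patch level unknown
}


def version_key(version):
    """Numeric tuple for ordering versions; '1.7.0_71' -> (1, 7, 0, 71)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def dedupe(alerts):
    """Collapse repeated (host, signature) pairs, keeping the hit count."""
    counts = Counter((host, sig) for host, sig, _, _ in alerts)
    first = {}
    for host, sig, product, fixed_in in alerts:
        first.setdefault((host, sig), (host, sig, product, fixed_in))
    return [(alert, counts[key]) for key, alert in first.items()]


def classify(alert, inventory):
    """'actionable' if the host is unpatched or unknown, else 'suppressed'."""
    host, _, product, fixed_in = alert
    installed = inventory.get(host, {}).get(product)
    if installed is None:
        return "actionable"  # no inventory data: keep it for investigation
    if version_key(installed) < version_key(fixed_in):
        return "actionable"
    return "suppressed"


def triage_hours(n_alerts, low=2, high=4):
    """Analyst-hour range using the 2-4 hours per investigation the post cites."""
    return (n_alerts * low, n_alerts * high)


def summarize(alerts, inventory):
    """Run de-duplication, patch-level suppression and costing over a batch."""
    unique = dedupe(alerts)
    verdicts = {alert[:2]: classify(alert, inventory) for alert, _ in unique}
    actionable = sum(v == "actionable" for v in verdicts.values())
    return {
        "raw": len(alerts),
        "unique": len(unique),
        "actionable": actionable,
        "suppressed": len(unique) - actionable,
        "hours": triage_hours(actionable),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_ALERTS, PATCH_LEVEL).items():
        print(key, value)
```

On the constructed batch, nine raw alerts collapse to five unique host/signature pairs, two of which are suppressed because the endpoint already runs a fixed version, leaving three to investigate at 6-12 analyst hours. The suppression step is only as good as the inventory feeding it, which is why the example treats a host with no inventory record as actionable rather than silently dropping it.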

Bromium aside – can you afford to invest in tech that is inaccurate, costs more to run than to buy, and still doesn’t protect the enterprise?


October 22, 2014 / Bill Gardner

Attack of the malicious document – what was old is new again

Recent zero day attacks targeting Windows using malicious Office documents should be a reminder to all of us that no attack vector ever truly dies; it just lurks in the background waiting for its time to come again. Malicious Office documents have not been a popular attack vector for several years, but it seems that what’s old is new again.

The recent crop of attacks seen in the wild use Word, PowerPoint and other Office documents to exploit serious vulnerabilities discovered in numerous versions of Windows. These attacks were targeted at major corporations and at least one attack compromised the Windows kernel. This is particularly concerning as kernel exploits can put the attacker in full control of the system and bypass all known forms of defense, including AV, sandboxes and behavioral blocking solutions.

The industry often seems to be distracted by “bright shiny objects” that are in the headlines and that are actively being exploited. That is no excuse, however, to neglect vectors that have been successfully used in the past but that for whatever reason have lost favor for a period of time. Attackers are supremely adaptable and will focus on any vector that is vulnerable, particularly areas where defenders have been lulled into a false sense of security.

These document-based attacks illustrate the point again that detection-based strategies are no longer effective in providing the level of protection needed in the digital world we all operate in today. ANY digital information that a user interacts with from the outside world holds the potential for attacking and compromising a system, whether it has recently been known to deliver attacks or not. The only rational approach is to treat ALL information as if it is malicious.

The Bromium approach to isolation provides protection from just these types of kernel attacks. The Bromium Microvisor separates security from the operating system or the media being protected. Bromium uses the security features built into modern hardware platforms to isolate attacks originating from the web, whether from downloaded documents or malicious web servers. Even sophisticated zero day attacks are defeated without any actions from either the user or the IT group.

According to Forrester Research, Microsoft Office still dominates the enterprise productivity suite market. Bromium customers running the MS Office platform, including Office 2013, were protected against the new zero day attacks before these attacks were ever developed or deployed. This type of new approach to the entire cyber security problem is what the industry, and vulnerable customers, have been waiting for.

October 14, 2014 / Simon Crosby

Many Eyes Make Credible Security

We are proud to announce the successful results of an independent source-code review and penetration test of vSentry version 2.4 by the leading security consultancy IOActive, acknowledged as one of the world’s leading security firms serving Global 1000 customers, and with an enviable reputation in software assurance and penetration testing. We gave IOActive the source code for vSentry and tasked them with breaking it – with complete freedom to publish their findings, good or bad.

You’d be forgiven for thinking we’re nuts. Why would we do this?

We are as tired as you are of the exaggerated claims made by security vendors – products that claim to secure your environment that … don’t really. We think it’s time to change the conversation: When vendor claims are verifiable, customers can properly understand their security posture – and they will reject products that don’t deliver. We’d like the industry to stop blaming the victims and focus instead on defeating attackers.

Bromium is single-mindedly committed to delivering a product that transforms the security of endpoints by design, using micro-virtualization – without relying on detection, fuzzy logic, better heuristics, big data, machine learning or other hail-mary passes. But we also recognize that we stand on the shoulders of giants – the security community whose diligence and dedication helps to protect us. We want to deliver a product that offers the best possible defense, so we need the world’s best pen-testers to attack it. We recognize that if we are to make credible claims of security by design, they must be validated by the best in the business.

When we asked our customers to recommend a firm with the right skill set and integrity, they were unanimous. IOActive has impeccable credentials in research and analysis, and its hard-won reputation is born of leading edge research in pen-testing, reverse engineering, code review, social engineering, and hardware security.

IOActive conducted a comprehensive analysis of Bromium vSentry v2.4 over several months, using a team with expertise in the attack surface of applications, the Windows kernel, hypervisors and hardware virtualization. They analyzed the vSentry product architecture and source code and conducted a comprehensive run-time penetration test with the aim of escaping the isolation of a micro-VM, compromising the Microvisor, and attacking the Windows desktop.

We are proud that IOActive discovered no vulnerabilities that can be used to defeat or disable vSentry or compromise the endpoint. Their work validated two key principles that guide development at Bromium:

  • First, we emphasize minimalism. Xen is small, but micro-Xen is very substantially smaller. We focus on reducing the attack surface so that we can reasonably claim to defend it. We apply strict development standards, and all code is scrutinized by multiple developers.
  • Second, Bromium has (in Bromium Labs) a separate, elite team of security analysts. Their job is both to guide our architects and also to attack the product using an extensive set of automated probes and manual pen-tests, to ensure that developers haven’t slipped up.

IOActive added yet another degree of separation and an independent team of experts with source code access. vSentry passed their review with flying colors, and their insights and feedback have already been incorporated into the product. Crucially, we have developed a powerful way to engage with leaders in the security community that credibly bolsters our own effort to deliver best-in-class products. We are proud to be better at what we do, because we exposed our work to the best.

We are committed to regular 3rd party assessment of the security of our products because our customers depend on us to protect their most valuable assets, and because security is a problem that benefits from a “many eyes” approach. We hope that by setting an example we can convince other vendors to make a similar commitment to independent validation, and that over time customers will begin to demand that their vendors adopt this approach.

If you’d like to receive the IOActive report please email me.

October 3, 2014 / Gaurav Banga

Why is Bromium InDemand?

Recently LinkedIn recognized Bromium as one of the 10 most InDemand startups in the Bay Area. Thank you LinkedIn, and thank you Bay Area Tech Community!

A number of folks, prospective and current co-workers, investors, customers, and friends have periodically asked me: Hey Mr. CEO of hotshot startup, why is your company special? Why should someone want to come to work at Bromium, instead of going elsewhere to another startup or a big company?

What makes Bromium so special?

Two things…

Bromium is special because we have a deep sense of mission. Ensuring the security of Internet users and Internet-connected devices is one of the grand challenges facing us. The current state of affairs is very problematic: our computers and networks are easily and routinely subverted by the bad guys, resulting in great economic loss, and this has deep public security implications. We are building mission-critical dependence into every aspect of human activity on cyber-infrastructure that is insecure at its core. We are building a house of cards!

People have lost their faith in the security of our computing infrastructure. Bromium’s mission is to restore trust in our computing systems.


Bromium is also a very special place because we have a unique and refreshing approach, with some fairly clever and innovative technology that we specially created to help address the cyber-security challenge.

Unlike the rest of the security industry, which relies on increasingly complex algorithms to try and detect malware in incrementally sophisticated ways (and falls further and further behind the bad guys) we rely on isolation to deliver security, using a really cool technology that we invented called micro-virtualization.

With micro-virt, we create disposable (virtual) computers for each Internet task that you need to work on, such as a visit to a website or opening a Word document from an email attachment. These virtual computers are created and destroyed automatically behind the scenes as you click; you don’t see them!

Any Internet malware that you might inadvertently pick up is kept isolated, in its own micro virtual machine, and then eventually killed off and cleaned up when you are done with the task and close the browser tab or navigate to another website. All this happens without you having to worry about it or even think about it.

The outcomes we deliver for our customers are nothing short of amazing: in a world where there appears to be so much despair and angst around cyber-insecurity, a Brominated customer has a superior endpoint security architecture that greatly reduces their risk and their operations costs, while simultaneously empowering their employees.

Micro-virtualization is the result of many years of the Bromium team working on taking hypervisor technology to the next level. It builds on research and product work that my co-founders and I, and our numerous collaborators and co-workers did over the course of the last decade across many different use-cases of virtualization. This is deep systems work – the type you get to do at very few companies. We have engineers and teams that work at the UI layer, through the guts of Web Browsers and important applications like Office, through the various layers of OSX, Windows and Android, and finally in the hypervisor itself. Our engineers collaborate with each other and have a unique and powerful understanding of computer systems and the important business of cyber-security.

So if you are a software engineer, looking to build rocket-ship type technology for a great cause, or a sales person that wants to sell and put something very important and meaningful into the hands of every man, woman and child on the planet, then Bromium is one of the special few companies where you belong!

September 11, 2014 / Simon Crosby

Goldilocks and the 3 Theres



At VMWorld, VMware SVP of Security Tom Korn described the hypervisor and virtual network environment of a virtual infrastructure platform as the “Goldilocks Zone” for application security in the software defined data center. He was right. And with an innocuous and kid-friendly soundbite – “the Goldilocks Zone” – VMware served notice on the data center security industry that it fully intends to be the vendor of choice for ensuring the security of (private) cloud hosted applications.

This move ought not to surprise us. Back in 2007 VMware opened up APIs for 3rd party security vendors, inviting security vendors to take advantage of the hypervisor to secure workloads. But an ecosystem failed to emerge – in my view because neither VMware nor the vendors really knew how to take advantage of hypervisor based introspection, and because virtual switching was still very immature.

Fast forward 7 years to an enterprise virtual infrastructure that is dominated by VMware, and an urgent need for cloud security solutions. VMware is firmly in control of the “Three Theres” that are required for precise control of workload security:

  • Execution context: The typical VM contains a single application, and a relatively straightforward understanding of the application behavior, coupled with an ability to introspect the VM during execution, offers an opportunity to better secure its execution.
  • Storage context: The hypervisor owns the storage of each VM. Historically this has been block storage, a VMDK – but increasingly (for example with their CloudVolumes acquisition) layered storage for a guest comprising multiple VMDKs (and their file systems) mounted dynamically gives the hypervisor an ability to differentiate and control storage access (for example: writes to a CloudVolumes app VMDK could be prevented or made copy-on-write). As it moves up-stack, the hypervisor has an opportunity to introspect and understand file/volume semantics – for example, think about the ability to separate the user data and settings in a VDI VM.
  • Network context: The vSwitch has an ability to control and inspect traffic into a VM in a granular fashion. VMware calls these application-centric network controls “micro-services”. Each application can have unique network security controls applied to it, enhancing the security not only of that workload, but of the private cloud in aggregate. Moreover, because of its proximity to the locus of execution, the vSwitch can inspect traffic in ways that are inaccessible to other vendors in the data center ecosystem.

There would be no “Goldilocks” story without the 3 Bears and the concept of “just right”. Similarly, there can be no cloud security story without the Goldilocks Zone – a place where execution can be inspected and controlled from each of the 3 “theres”: execution, storage and networking. Being in full control of all of them is “just right” for delivery of a new generation of cloud security services. It is interesting to note that the addition (via nesting – see part 2) of micro-virtualization on a traditional hypervisor like ESX provides even more granular isolation and control – for each VM, and therefore even more granular control of security.

The “Goldilocks Zone” of security is a unique opportunity for VMware to be the vendor of choice to secure virtualized workloads in the increasingly software defined data center. None of the other hypervisor vendors is even close in terms of articulating as bold a vision in micro-services, granular storage control and execution control – and hence security. This differentiation is a key strength of VMware’s, and at the same time it points to the end of the road for every traditional datacenter security vendor. We all know that AV is dead. We know that a hypervisor is a better place to ensure execution white-lists are enforced, rather than in-kernel. We now also need to realize that network security appliances will be on the block, together with traditional switching/routing gear.

Part 2 of this post will describe micro-virtualization, micro-services for micro-VMs and micro-VM introspection in more detail. The similarities are startling. The conclusion even more so: Virtualization alone (SDDC and PC) has a unique and profound ability to deliver a paradigm shift in enterprise security, securing the enterprise by design.
