October 22, 2014 / Bill Gardner

Attack of the malicious document – what was old is new again

Recent zero day attacks targeting Windows using malicious Office documents should be a reminder to all of us that no attack vector ever truly dies; it just lurks in the background waiting for its time to come again. Malicious Office documents have not been a popular attack vector for several years, but it seems that what’s old is new again.

The recent crop of attacks seen in the wild use Word, PowerPoint and other Office documents to exploit serious vulnerabilities discovered in numerous versions of Windows. These attacks were targeted at major corporations and at least one attack compromised the Windows kernel. This is particularly concerning as kernel exploits can put the attacker in full control of the system and bypass all known forms of defense, including AV, sandboxes and behavioral blocking solutions.

The industry often seems to be distracted by “bright shiny objects” that are in the headlines and that are actively being exploited. That is no excuse, however, to neglect vectors that have been successfully used in the past but that for whatever reason have lost favor for a period of time. Attackers are supremely adaptable and will focus on any vector that is vulnerable, particularly areas where defenders have been lulled into a false sense of security.

These document-based attacks illustrate the point again that detection-based strategies are no longer effective in providing the level of protection needed in the digital world we all operate in today. ANY digital information that a user interacts with from the outside world holds the potential for attacking and compromising a system, whether or not it has recently been known to deliver attacks. The only rational approach is to treat ALL information as if it is malicious.

The Bromium approach to isolation provides protection from just these types of kernel attacks. The Bromium Microvisor separates security from the operating system or the media being protected. Bromium uses the security features built into modern hardware platforms to isolate attacks originating from the web, whether from downloaded documents or malicious web servers. Even sophisticated zero day attacks are defeated without any actions from either the user or the IT group.

According to Forrester Research, Microsoft Office still dominates the enterprise productivity suite market. Bromium customers running the MS Office platform, including Office 2013, were protected against the new zero day attacks before these attacks were ever developed or deployed. This type of new approach to the entire cyber security problem is what the industry and vulnerable customers have been waiting for.

October 14, 2014 / Simon Crosby

Many Eyes Make Credible Security

We are proud to announce the successful results of an independent source-code review and penetration test of vSentry version 2.4 by the leading security consultancy IOActive, acknowledged as one of the world’s leading security firms serving Global 1000 customers, with an enviable reputation in software assurance and penetration testing. We gave IOActive the source code for vSentry and tasked them with breaking it – with complete freedom to publish their findings, good or bad.

You’d be forgiven for thinking we’re nuts. Why would we do this?

We are as tired as you are of the exaggerated claims made by security vendors – products that claim to secure your environment that … don’t really.  We think it’s time to change the conversation: When vendor claims are verifiable, customers can properly understand their security posture – and they will reject products that don’t deliver.  We’d like the industry to stop blaming the victims and focus instead on defeating attackers.

Bromium is single-mindedly committed to delivering a product that transforms the security of endpoints by design, using micro-virtualization – without relying on detection, fuzzy logic, better heuristics, big data, machine learning or other hail-mary passes. But we also recognize that we stand on the shoulders of giants – the security community whose diligence and dedication helps to protect us. We want to deliver a product that offers the best possible defense, so we need the world’s best pen-testers to attack it. We recognize that if we are to make credible claims of security by design, they must be validated by the best in the business.

When we asked our customers to recommend a firm with the right skill set and integrity, they were unanimous. IOActive has impeccable  credentials in research and analysis, and its hard-won reputation is born of leading edge research in pen-testing, reverse engineering, code review, social engineering, and hardware security.

IOActive conducted a comprehensive analysis of Bromium vSentry v2.4 over several months, using a team with expertise in the attack surface of applications, the Windows kernel, hypervisors and hardware virtualization.  They analyzed the vSentry product architecture and source-code and conducted a comprehensive run-time penetration test with the aim of escaping the isolation of a micro-VM, compromising the Microvisor, and attacking the Windows desktop.

We are proud that IOActive discovered no vulnerabilities that can be used to defeat or disable vSentry or compromise the endpoint.   Their work validated two key principles that guide development at Bromium:

  • First, we emphasize minimalism.  Xen is small, but micro-Xen is very substantially smaller.  We focus on reducing the attack surface so that we can reasonably claim to defend it.   We apply strict development standards, and all code is scrutinized by multiple developers.
  • Second, Bromium has (in Bromium Labs) a separate, elite team of security analysts. Their job is both to guide our architects and also to attack the product using an extensive set of automated probes and manual pen-tests, to ensure that developers haven’t slipped up.

IOActive added yet another degree of separation and an independent team of experts with source code access. vSentry passed their review with flying colors, and their insights and feedback have already been incorporated into the product.   Crucially, we have developed a powerful way to engage with leaders in the security community that credibly bolsters our own effort to deliver best-in-class products.   We are proud to be better at what we do, because we exposed our work to the best.

We are committed to regular 3rd party assessment of the security of our products because our customers depend on us to protect their most valuable assets, and because security is a problem that benefits from a  “many eyes” approach.  We hope that by setting an example we can convince other vendors to make a similar commitment to independent validation, and that over time customers will begin to demand that their vendors adopt this approach.

If you’d like to receive the IOActive report please email me.

October 3, 2014 / Gaurav Banga

Why is Bromium InDemand?

Recently LinkedIn recognized Bromium as one of the 10 most InDemand startups in the Bay Area. Thank you LinkedIn, and thank you Bay Area Tech Community!

A number of folks, prospective and current co-workers, investors, customers, and friends have periodically asked me: Hey Mr. CEO of hotshot startup, why is your company special? Why should someone want to come to work at Bromium, instead of going elsewhere to another startup or a big company?

What makes Bromium so special?

Two things…

Bromium is special because we have a deep sense of mission. Ensuring the security of Internet users and Internet-connected devices is one of the grand challenges facing us. The current state of affairs is very problematic: our computers and networks are easily and routinely subverted by the bad guys, resulting in great economic loss, and have deep public security implications. We are building mission-critical dependence into every aspect of human activities on cyber-infrastructure that is insecure at its core. We are building a house of cards!

People have lost their faith in the security of our computing infrastructure. Bromium’s mission is to restore trust in our computing systems.


Bromium is also a very special place because we have a very unique, and refreshing approach, with some fairly clever and innovative technology that we specially created to help address the cyber-security challenge.

Unlike the rest of the security industry, which relies on increasingly complex algorithms to try and detect malware in incrementally sophisticated ways (and falls further and further behind the bad guys) we rely on isolation to deliver security, using a really cool technology that we invented called micro-virtualization.

With micro-virt, we create disposable (virtual) computers for each Internet task that you need to work on, such as a visit to a website or opening a Word document from an email attachment. These virtual computers are created and destroyed automatically behind the scenes as you click; you don’t see them!

Any Internet malware that you might inadvertently pick up is kept isolated, in its own micro virtual machine, and then eventually killed off and cleaned up when you are done with the task and close the browser tab or navigate to another website. All this happens without you having to worry about it or even think about it.

The outcomes we deliver for our customers are nothing short of amazing: in a world where there appears to be so much despair and angst around cyber-insecurity, a Brominated customer has a superior endpoint security architecture that greatly reduces their risk and their operations costs, while simultaneously empowering their employees.

Micro-virtualization is the result of many years of the Bromium team working on taking hypervisor technology to the next level. It builds on research and product work that my co-founders and I, and our numerous collaborators and co-workers did over the course of the last decade across many different use-cases of virtualization. This is deep systems work – the type you get to do at very few companies. We have engineers and teams that work at the UI layer, through the guts of Web Browsers and important applications like Office, through the various layers of OSX, Windows and Android, and finally in the hypervisor itself. Our engineers collaborate with each other and have a unique and powerful understanding of computer systems and the important business of cyber-security.

So if you are a software engineer, looking to build rocket-ship type technology for a great cause, or a sales person that wants to sell and put something very important and meaningful into the hands of every man, woman and child on the planet, then Bromium is one of the special few companies where you belong!

September 11, 2014 / Simon Crosby

Goldilocks and the 3 Theres


At VMWorld VMware SVP of Security Tom Korn described the hypervisor and virtual network environment of a virtual infrastructure platform as the “Goldilocks Zone” for application security in the software defined data center.  He was right.  And with an innocuous and kid-friendly soundbite – “the Goldilocks Zone” – VMware served notice on the data center security industry that it fully intends to be the vendor of choice for ensuring the security of (private) cloud hosted applications.

This move ought not to surprise us.  Back in 2007 VMware opened up APIs for 3rd party security vendors, inviting security vendors to take advantage of the hypervisor to secure workloads.  But an ecosystem failed to emerge – in my view because neither VMware nor the vendors really knew how to take advantage of hypervisor based introspection, and because virtual switching was still very immature.

Fast forward 7 years to an enterprise virtual infrastructure that is dominated by VMware, and an urgent need for cloud security solutions.  VMware is firmly in control of the “Three Theres” that are required for precise control of workload security:

  • Execution context: The typical VM contains a single application, and relatively straightforward understanding of the application behavior, coupled with an ability to introspect the VM during execution offers an opportunity to better secure its execution.
  • Storage context: The hypervisor owns the storage of each VM. Historically this has been block storage (a VMDK) – but increasingly (for example with their CloudVolumes acquisition) layered storage for a guest comprising multiple VMDKs (and their file systems) mounted dynamically gives the hypervisor an ability to differentiate and control storage access (for example: writes to a CloudVolumes app VMDK could be prevented or made copy-on-write). As it moves up-stack, the hypervisor has an opportunity to introspect and understand file/volume semantics – for example, think about the ability to separate the user data and settings in a VDI VM.
  • Network context: The vSwitch has an ability to control and inspect traffic into a VM in a granular fashion. VMware calls these application-centric network controls “micro-services”.  Each application can have unique network security controls applied to it, enhancing the security not only of that workload, but of the private cloud in aggregate. Moreover, because of its proximity to the locus of execution the vSwitch can inspect traffic in ways that are inaccessible to other vendors in the data center ecosystem.

There would be no “Goldilocks” story without the 3 Bears and the concept of “just right”.   Similarly, there can be no cloud security story without the Goldilocks Zone – a place where execution can be inspected and controlled from each of the 3 “theres”: execution, storage and networking.  Being in full control of all of them is “just right” for delivery of a new generation of cloud security services.  It is interesting to note that the addition (via nesting – see part 2) of micro-virtualization on a traditional hypervisor like ESX provides even more granular isolation and control – for each VM, and therefore even more granular control of security.

The “Goldilocks Zone” of security is a unique opportunity for VMware to be the vendor of choice to secure virtualized workloads in the increasingly software defined data center.  None of the other hypervisor vendors is even close in terms of articulating as bold a vision in micro-services, granular storage control and execution control – and hence security. This differentiation is a key strength of VMware’s, and at the same time it points to the end of the road for every traditional datacenter security vendor.  We all know that AV is dead.   We know that a hypervisor is a better place to ensure execution white-lists are enforced, rather than in-kernel.  We now also need to realize that network security appliances will be on the block, together with traditional switching/routing gear.

Part 2 of this post will describe micro-virtualization, micro-services for micro-VMs and micro-VM introspection in more detail.  The similarities are startling.  The conclusion even more so: Virtualization alone (SDDC and PC) has a unique and profound ability to deliver a paradigm shift in enterprise security, securing the enterprise by design.

September 8, 2014 / Simon Crosby

Next-Gen IDS/IPSs: Caught between a ROC and a hard place

The market appears to have revisited its irrational exuberance about next-gen network IDS/IPSs, perhaps because every major security vendor has one (truth be told, throwing traffic at a set of cloud- or appliance-hosted sacrificial VMs isn’t rocket science).

But there’s another challenge too: these devices are caught between a ROC and a hard place: They often overwhelm IT with false alerts and (provably) will fail to detect some genuine attacks. So it is important to understand their strengths and weaknesses and to carefully plan their use.

The tech:  Potentially threatening traffic entering the network is forwarded to a VM running on the appliance.  The idea is that if it contains malware, the attacker will compromise the VM and the appliance will detect this and  alert the security team.  Typically only a subset of traffic is forwarded to a VM because attempting to execute all traffic in a small number of honeypot VMs is typically not (practically or economically) feasible.

  • In passive mode (IDS), the appliance reports information that can help security teams identify a compromised user device, whereas
  • In in-line mode (IPS) the appliance must decide in real-time whether the traffic contains malware or not. It blocks the connection if an attack is detected.   If not, it passes the traffic to the client.

If the malware is on an existing black-list (e.g. VirusTotal) detection is easy, but if not, detection depends on the vendor’s “advanced” detection capabilities. Here’s the rub:

  • If the user is off-net or mobile, the next-gen IDS/IPS will likely be blind to their activity.
  • Sophisticated malware is often crypted to ensure that it will bypass existing black-list (signature based) detection methods. So, if the bad guy is determined to get in, the standard detection tools won’t help. (The same is true for endpoint AV).   So, most vendors claim “advanced execution detection” that aims to identify tell-tale signs of unknown malware when it executes on the appliance.
  • Sophisticated malware is often “sleepy” – and next-gen IDS-aware.  It can detect that it is running in a VM and simply waits (sleeps) until it reaches an actual endpoint before executing its attack. A next-gen IDS/IPS will therefore fail to detect an attack.
  • An alert issued by the IDS/IPS for malware that executed on the device relies entirely on the malware actually executing in a honeypot VM.  Key questions to ask the vendor include how you can ensure that the software on the appliance is the same as the software on your endpoints.  If it isn’t precisely the same, then the appliance is basically useless.  You may see floods of alerts for attacks that would never execute on your endpoints given their particular patch levels.
  • Finally, several vendors ship their own versions of Windows VMs on their appliances.  As Richard Stiennon has pointed out, this likely conflicts with Microsoft’s license terms.  You should ensure that your vendor indemnifies your company for any future licensing problems.

Detection’s Limits

Ultimately, next-gen IDS/IPS platforms are detection centric, and detection has fundamental limits that are mathematically provable.  Stick with me – I’ll try to make the theory simple to understand (Here’s a primer, and some state-of-the-art research).

A detector must be evaluated for accuracy by evaluating the frequency of its {True Positive, True Negative, False Positive, False Negative} results:

  • TP: The frequency of samples where an attack was correctly identified
  • TN: The frequency where a non-attack was correctly identified
  • FP: The frequency of false alarms, and
  • FN: The frequency of a real attack bypassing the detector.

These can be plotted on a graph called the Receiver Operating Characteristic (ROC), and can be shown as the areas of intersection of two statistical distributions that plot the detection result for both non-attack traffic and real attacks.

[Figure roc1: score distributions for non-attack traffic and real attacks, with the detection threshold marked]

Every detector has a threshold at which it will trigger an alarm (the green line).  A better detector separates the two curves more cleanly, and careful choice of the threshold is critical for accurate separation of real attacks from normal traffic.  The goal is to accurately detect attacks, without increasing False Positives or False Negatives, but no detector is perfect:

  1. The detector will fail (FN) at some point and the attacker will succeed. (Yep, it’s a definite)
  2. Building a good detector is a careful balance of trading off false positives (which leave security teams swamped) against false negatives (which are very bad news).
  3. Unfortunately, in today’s rapidly moving cyber-landscape it is impossible to build a reliable detector for polymorphic/crypted malware:

“The challenge of signature–based detection is to model a space on the order of 2^(8n) signatures to catch attacks hidden by polymorphism. To cover thirty-byte decoders requires O(2^240) potential signatures; for comparison there exist an estimated 2^80 atoms in the universe.”

The Result: “Compromise-first Detection”

“Compromise-first detection” happens when a detector is unable to distinguish between attack and non-attack traffic, causing significant overlap of the two distributions, as shown below. The ratio of the True Positive Fraction (TPF) to the False Positive Fraction (FPF) is sometimes called the Signal to Noise Ratio (SNR). A low SNR loses True Positives in a sea of False Positives, training IT to ignore warnings.

[Figure roc2: heavily overlapping score distributions for non-attack traffic and real attacks]
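As an added worked example (not code from the original post), the following Python models the two curves from the ROC discussion above as constructed Gaussian score distributions: one for non-attack traffic and one for real attacks. Sweeping the alarm threshold gives the four rates (TPF, TNF, FPF, FNF), the ROC curve and its area, and the post’s SNR (TPF/FPF). The two detectors, the traffic mix of one million benign sessions to ten attacks, and the threshold of 2.0 are assumptions chosen to make the “compromise-first” effect visible; they are not measurements of any product.

```python
import math
from dataclasses import dataclass


def normal_cdf(x: float, mu: float, sigma: float) -> float:
    """Cumulative distribution function of a Gaussian N(mu, sigma^2)."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


@dataclass(frozen=True)
class Detector:
    """A detector modelled by the score it assigns to a traffic sample.

    Both distributions are constructed Gaussians (an assumption for this
    example, not a measurement): non-attack traffic scores around benign_mu,
    real attacks around attack_mu, with a common spread sigma.
    """
    benign_mu: float
    attack_mu: float
    sigma: float = 1.0


def confusion_rates(det: Detector, threshold: float):
    """Return (TPF, TNF, FPF, FNF) when the detector alarms on score >= threshold.

    FPF is the area of the non-attack curve to the right of the threshold;
    FNF is the area of the attack curve to the left of it.
    """
    fpf = 1.0 - normal_cdf(threshold, det.benign_mu, det.sigma)
    tpf = 1.0 - normal_cdf(threshold, det.attack_mu, det.sigma)
    return tpf, 1.0 - fpf, fpf, 1.0 - tpf


def roc_curve(det: Detector, steps: int = 400):
    """Sweep the threshold from high to low and collect (FPF, TPF) points."""
    lo = min(det.benign_mu, det.attack_mu) - 5.0 * det.sigma
    hi = max(det.benign_mu, det.attack_mu) + 5.0 * det.sigma
    points = []
    for i in range(steps + 1):
        t = hi - (hi - lo) * i / steps
        tpf, _, fpf, _ = confusion_rates(det, t)
        points.append((fpf, tpf))
    return points


def auc(points) -> float:
    """Area under the ROC curve (trapezoid rule): 0.5 is a coin flip, 1.0 is perfect."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


def signal_to_noise(det: Detector, threshold: float) -> float:
    """TPF / FPF at a given threshold, the post's SNR for a detector."""
    tpf, _, fpf, _ = confusion_rates(det, threshold)
    return tpf / fpf if fpf > 0.0 else math.inf


def expected_alerts(det: Detector, threshold: float, n_benign: int, n_attack: int):
    """Expected (true alerts, false alerts, missed attacks) for a traffic mix.

    This is where a low SNR bites: a small FPF applied to a large volume of
    benign traffic still buries the handful of true alerts.
    """
    tpf, _, fpf, fnf = confusion_rates(det, threshold)
    return n_attack * tpf, n_benign * fpf, n_attack * fnf


if __name__ == "__main__":
    clean = Detector(benign_mu=0.0, attack_mu=4.0)   # well-separated curves
    muddy = Detector(benign_mu=0.0, attack_mu=0.5)   # "compromise-first" overlap
    for name, det in (("clean", clean), ("compromise-first", muddy)):
        tpf, tnf, fpf, fnf = confusion_rates(det, 2.0)
        print(f"{name}: TPF={tpf:.3f} TNF={tnf:.3f} FPF={fpf:.3f} FNF={fnf:.3f} "
              f"AUC={auc(roc_curve(det)):.3f} SNR={signal_to_noise(det, 2.0):.1f}")
        true_a, false_a, missed = expected_alerts(det, 2.0, 1_000_000, 10)
        print(f"  per 1M benign / 10 attack sessions: {true_a:.1f} true alerts, "
              f"{false_a:.0f} false alerts, {missed:.1f} missed attacks")
```

Run as a script to compare the two detectors. The overlapping detector keeps the same FPF as the clean one at the shared threshold, yet its ten attacks produce less than one expected true alert against tens of thousands of false ones, which is the “sea of False Positives” the post describes; raising the threshold to cut the false alerts only pushes more attacks into the FN region.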

Compromise-first detection is a very big deal. Delays in signature distribution together with detector inaccuracy aid attackers, and the cost of remediation is high: all systems that might have been penetrated must be re-imaged – and if the alert is a false positive, the entire exercise is a waste of time.

The net-net for any network-based detection technology is that it likely:

  • Costs a lot more to run (in terms of increased operational headcount and complexity) than the sticker price on the box.
  • Doesn’t stop attacks that it detects – because operating such appliances inline impacts performance substantially.
  • Doesn’t deliver alerts that are meaningful given the patch level of your endpoints
  • Cannot stop the compromise

Wouldn’t it be so much better if endpoints could simply defeat each attack, accurately inform IT without false alarms, and self remediate?  Well, they can!

September 3, 2014 / clintonkarr

Black Hat Survey: End Users Remain Biggest Security Headache as Compromised Endpoints Increase

Earlier this year, Bromium published “Endpoint Protection: Attitudes and Opinions,” a statistical analysis of more than 300 information security professionals. The results revealed that endpoints are vulnerable, anti-virus is ineffective and end users are a weak link.

These results were significant, so earlier this August, Bromium conducted a similar survey at Black Hat. Our Black Hat survey was a poll of less than 100 respondents, so these results may be considered less statistically significant; however, they are still interesting.


Similar to our previous research, Bromium found that nearly 75 percent of respondents believe that end users are their biggest security headache. As noted previously, the Verizon Data Breach Intelligence Report found that 71 percent of breaches were a result of an attack on end user devices, so these results should come as no surprise.

User devices can be compromised in a moment by drive-by downloads, system vulnerabilities and e-mail attachments, a challenge that is only exacerbated by mobile workers connecting to untrusted networks, yet it can be time-consuming and expensive for information security teams to fix these problems. The alternative, locking down system resources, is not a popular option because it greatly reduces productivity with a negative user experience.

Are users your biggest security headache?

Yes           74%
No            14%
Don’t Know    11%

It is easy to understand why end users are such a headache when you consider the results of some of the other questions that were asked. Case in point: Bromium research determined that the total number of compromised endpoints has increased for the majority of respondents in the past 12 months.

In the past 12 months, has the total number of compromised endpoints in your organization:

Increased         51%
Stayed the same   34%
Decreased         14%

These compromised endpoints create additional work for information security professionals since they have to be cleaned and remediated, which results in lost productivity for both the users and admins. Investing in anti-virus solutions is not enough, as respondents indicated they had to remediate compromised endpoints that had anti-virus on a monthly, weekly or even daily basis.

In the past 12 months, how frequently have you had to remediate a compromised endpoint that had anti-virus installed?

Monthly     34%
Weekly      29%
Daily       20%
Never       14%
Not Sure     3%

Ultimately, the reason that end users are such a headache for information security professionals is because endpoint protection solutions, such as anti-virus, are so ineffective. The majority of respondents believe their endpoint protection detection rates are less than 50 percent, which would explain why the overwhelming majority of respondents are also not confident in the ability of their current endpoint protection solution to detect unknown threats.

What are your current endpoint protection detection rates?

Less than 25 percent       23%
Between 25 and 50 percent  34%
Between 50 and 75 percent  34%
More than 75 percent        9%

Are you confident in the ability of your current endpoint protection solution to detect unknown threats (e.g. zero-day attacks)?

Yes    34%
No     66%

Symantec has declared that antivirus “is dead.” You have to agree when you consider these poor detection rates. Endpoint protection is a multi-billion dollar industry, yet security professionals are not confident in these solutions.

End users will remain a primary target for attacks because of the value they hold. Therefore, the market must adapt to meet the demands of a post-AV era. A defense-in-depth architecture can be limited by a common vulnerability in the Windows kernel; indeed, Bromium Labs refers to this as LOL (layers on layers). Instead, organizations should invest in complementary advanced threat protection solutions.

Bromium vSentry and LAVA provide an advanced threat protection suite that delivers proactive endpoint protection for the post-AV era. Bromium vSentry isolates all tasks in micro-virtualization to contain all threats, while Bromium LAVA provides real-time visibility and analytics. Bromium micro-virtualization enforces security by design, instead of relying on signatures to detect the undetectable. Bromium is returning confidence to endpoint protection solutions.

August 14, 2014 / Dan Wolff

The Rise and Fall of Enterprise Security

Every day, enterprises are bombarded by rapidly multiplying and morphing advanced threats—and current network and endpoint security solutions aren’t capable of defeating these targeted attacks. This year a major IT analyst wrote: “Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms. All organizations should now assume that they are in a state of continuous compromise.”

The fundamental problem with security today is that the legacy operating systems and applications we use were developed with little concern about the potential for introduction of hostile or “untrustworthy” applications or data. Unfortunately these systems have not kept pace with the growth in connectivity, and our computer systems still have no way to decide whether a document or an application is trustworthy or hostile. Malware continues to exploit the interaction between and within the software installed on a system to achieve its goals, with little protection provided by the system itself.

To compensate, the entire IT security industry has responded by developing new technologies to mitigate the threat of the day, whether it’s sandboxing, whitelisting, host web filtering or the latest trend, network sandboxing to identify threats already in the network (see chart below). Security spend is up 294% since 2006, to $21B (source: Gartner), while reported data breaches have exploded: in 2013 alone there were 614 reported breaches in North America, disclosing over 91M records.

[Chart: reported data breaches – 2013: 614 reported breaches, 91,982,172 records]

IT has had no choice but to assert control over users – and the networks, applications, media, websites, and documents they use. Every day companies deploy a unique mix of endpoint and network technologies that are without fail complex, expensive and many times require adding staff just to run them. This approach is imperfect and will surely fail: productive employees must collaborate and communicate and they often create their own “shadow” infrastructure. When this happens, a single click can lead to the next major cybersecurity breach. It is provably impossible to protect the enterprise against the unknown, undetectable zero-day attack with traditional, legacy cybersecurity tools.

The fact is that users are still getting infected with APTs and other malware, in spite of all of this spending. Looking at the following Virus Bulletin report, you can see how today’s antimalware products get an “F” grade for protection:

[Figure: Virus Bulletin RAP index – https://www.virusbtn.com/vb100/rap-index.xml]

…and these are not advanced threats! I talk to many customers who say their overall protection rate is under 50%, meaning over 50% of threats get past their current defenses!

How is this happening? Malware is now designed to evade detection. By leveraging zero day exploits, polymorphism and the rapid evolution of web technology, malware evades “detection” based security solutions and infiltrates the organization by exploiting the inherent trust between operating system components. It may be weeks or months before a successful attack is discovered. Meanwhile valuable information can be stolen or critical infrastructure can be disrupted by the attackers.

Here is a brief overview of key protection technologies and their limitations in dealing with modern attacks.

Intrusion prevention system (IPS)
(IBM, McAfee Network Security Platform, Cisco, et al) Defends networks against known attacks that have signatures by detecting and blocking in the network datastream. Includes some behavioral detection for certain threats. Limitations:

• Can’t block without a signature.
• Needs to be implemented at every ingress/egress access point.
• Costly, complex, and noisy, especially for geographically distributed networks.
• Absolutely no protection for mobile users outside of the network.
• They are mostly signature based, but rely on some behavioral tools.
• Encryption of network traffic stream can essentially blind network IPS.
• Network admins HATE to have more bumps in the line and IPS adds a bump.

Network Sandboxing
(Damballa, FireEye, McAfee, et al) Detects infiltrations from targeted attacks, after the attack is in the network. Limitations:

• Does not stop or remediate threats to endpoints.
• Costly and noisy.
• Requires expert-level security personnel constantly monitoring events. (See the Target breach for a prime example)

Web content filtering
(Websense, McAfee, BlueCoat, et al) Blocks access to known malicious websites to protect against web exploits and Trojan attacks. Limitations:

• Only blocks known malicious IP addresses.
• Needs to be implemented at every ingress/egress access point.
• Protection is diminished for mobile users and partners accessing retail network.

NAC
(Forescout, Bradford Networks, Cisco, et al) Ensures only ‘clean’ systems access the network. Quarantines vulnerable systems and enforces network segmentation. Limitations:

• Complex to deploy and manage.
• False quarantines are common and cause major headaches and IT calls.
• Does not deal with remote users.

SIEM
(McAfee, HP, IBM, et al) Real-time SOC alerting, integrated endpoint intelligence. Limitations:

• Creates copious amounts of data that must be interpreted into actionable intelligence.

Endpoint Antivirus and other detection-based solutions
(Symantec, McAfee, Kaspersky, Trend Micro, Sophos, et al) Detect known threats on endpoints. Limitations:

• Cannot keep up with the rapid influx of new threats and variants.
• Can’t block without a file signature or behavioral rule.
• Detects only known threats or behaviors.
• Many false positives.
• Remediation is usually required even if the threat is detected.
• Limited attack intelligence.

Host intrusion prevention systems (HIPS)
(Symantec, McAfee HIPS, et al) Intercepts many zero day attacks in real time by detecting common behaviors. Limitations:

• Has a chance to catch a zero day attack, but can still miss many advanced threats.
• High operations overhead to configure and maintain.

Hardware enhanced detection
(McAfee Deep Defender) Loads as a boot driver and looks for rootkit behaviors before the OS loads. Limitations:

• Only detects/blocks some kernel mode rootkits. Does not block user mode rootkits.
• Consumes ~10% of CPU cycles while providing limited protection.

Application whitelisting
(Bit9, McAfee Application Control) Controls which applications are allowed to install and run on an endpoint by matching authorized programs (the whitelist) to a database of “good” applications. Can be an effective way to block execution of malicious executables. Limitations:

• Blocks users from downloading and using new tools and programs without IT involvement.
• Not integrated with other security tools, is hard to manage and requires business process changes. Also requires a large database of known good applications.
• Successful on servers, which don’t change often, but is largely unusable on end-user systems.

Software Sandboxing
(Invincea (Dell Protected Workspace), Sandboxie, Trustware) Creates a “sandbox” environment within the Windows OS to analyze execution of untrusted applications. Restricts the memory and file system resources of the untrusted application by intercepting system calls that could lead to access to sensitive areas of the system being protected. Limitations:

• Advanced malware can bypass any sandbox to take advantage of kernel mode vulnerabilities.
• User-mode malware can escape from any sandbox, permitting it to elevate its privileges and disable or bypass other forms of endpoint protection and compromise endpoints, including data theft.
• Changes the user experience, causing support calls and training requirements.

Hardware enabled isolation via micro VM
(Bromium) Isolates every user task in a hardware-based micro-virtual machine (micro-VM). Limitations:

• No known limitations in defeating zero day kernel exploits.

I should also mention: end-users have emerged as the weak link in enterprise security. With the proliferation of web, email and social communication, users are one click away from compromising their desktop. Mobile laptop users are further exposed, as they have limited protection from the corporate network based security mechanisms. Current defenses can be cumbersome to use and manage. All too frequently employees are given admin rights to enable their free use of any software. Unfortunately, this also gives attackers a leg up when going after critical information like credit card numbers and intellectual property.

There is a better way forward

Patching can never keep up. Nor can detection. Or humans, for that matter. The Bromium architecture offers the first-ever approach that turns the received wisdom of the security industry on its head: Bromium vSentry® uses proprietary micro-virtualization technology to isolate content delivered via Internet browsers, documents, email, and more. Malware that may enter the Bromium Micro-VM® through vulnerable applications or malicious websites is unable to steal data or access either the protected system or the corporate network, and is automatically discarded when the web session or document is closed by the user.

Task-level isolation means you can ignore browser vulnerabilities

Bromium vSentry automatically and instantly isolates vulnerable user-initiated tasks, such as opening an unknown web page in a new browser tab or an email attachment from an unknown sender. It can create hundreds of micro-VMs dynamically, in real time, on an endpoint. Users are not prompted to “allow” or “deny” actions and can focus on getting the most from their system without worrying about threats. The endpoint self-remediates, automatically discarding all changes made by the task. No need to rush out untested patches, impractical browser usage policies or new technologies that are known to be vulnerable. In short, you can relax knowing that any threats are isolated.

It’s time to stop the merry-go-round and head scratching and gain control of your infrastructure.

To learn more about Bromium’s game-changing security architecture, please visit http://www.bromium.com.