Skip to content
November 10, 2014 / Simon Crosby

Is it time to Fire your network protection vendor?

I hereby solemnly promise that Bromium will never have a product with “fire” in its name.  By now every vendor in the  next-gen IDS / IPS / Firewall / honeypot-as-ultimate-defense-against-the-dark-arts market has a next-gen “fire”-branded product that claims to protect against APTs.

“Fire” appliances are easy to sell, so Wall Street swooned for a while.  But they don’t deliver value.  They are expensive, cost even more to run, and don’t protect your endpoints.

Though the vendors’ gleefully assert that endpoint AV is useless against today’s “sophisticated attackers”, their solutions do little more than move AV into the network, with a focus on alerting rather than stopping attacks.  Even the worst AV suite can quarantine suspected malware, but with a “fire” product in your network you are deploying a variant of AV that can do little more than bleat.

How did we end up here?  Well, “fire” appliances are optimized for quick sales:  Persuade the customer to test the appliance on a span port on the network.   Show alerts for lots of bad stuff crossing the network, and the deal is done.   To ensure that there are lots of alerts, the vendors run legacy, unpatched VM images on the appliance that aren’t even properly licensed and bear no resemblance to the software on your actual endpoints.   But the result is terrific: Lots of events – and lots of purchase orders.

The worst thing about this racket is that these appliances don’t solve the security problem – they make it worse.

Bromium is working with a large enterprise with north of 50,000 employees.  Their security team receives 6,000 alerts per week from their “fire” product. Through de-duplication in their (expensive) SIEM, they typically reduce those down to 250 alerts a week – each of which is manually investigated – typically taking 2-4 hours, but often twice that, depending on the skill of the investigator.   And more often than not, the endpoint is re-imaged just because “it’s simpler” and “we don’t really know if malware executed; re-imaging is safer”. Investigation, analysis and remediation results in 500-1,000 hours of labor, per week, without accounting for end-user downtime.

The bad news: Over several months the security team has concluded that over 80% of the alerts are obviously false alarms – there was either no attack or the attack did not execute given the patch level of the endpoint.

They have conservatively calculated that they waste well over $1M/year on FALSE POSITIVES!

Typically 50 of 6000 alerts are attacks that would execute on the endpoint – under 1%.  This matches anecdotal evidence from Bromium customers that about 1% of their off net PCs see some form of malware each month.  Of course with vSentry, remediation is eliminated, and if the attack executes, it does so in the narrow confines of a micro-VM from which it can steal nothing and go nowhere.

Bromium aside – can you afford to invest in tech that is inaccurate, costs more to run than to buy, and still doesn’t protect the enterprise?


October 22, 2014 / Bill Gardner

Attack of the malicious document – what was old is new again

Recent zero day attacks targeting Windows using malicious Office documents should be a reminder to all of us that no attack vector ever truly dies, it just lurks in the background waiting for it’s time to come again. Malicious Office documents have not been a popular attack vector for several years, but it seems that what’s old is new again.

The recent crop of attacks seen in the wild use Word, PowerPoint and other Office documents to exploit serious vulnerabilities discovered in numerous versions of Windows. These attacks were targeted at major corporations and at least one attack compromised the Windows kernel. This is particularly concerning as kernel exploits can put the attacker in full control of the system and bypass all known forms of defense, including AV, sandboxes and behavioral blocking solutions.

The industry often seems to be distracted by “bright shiny objects” that are in the headlines and that are actively being exploited. That is no excuse however to neglect vectors that have been succesfully used in the past but that for whatever reason have lost favor for a period of time. Attackers are supremely adaptable and will focus on any vector that is vulnerable, particularly areas where defenders have been lulled into a false sense of security.

These document based attacks illustrate the point again that detection based strategies are no longer effective in providing the level of protection needed in the digital world we all operate in today. ANY digitial information that a user interacts with from the outside world holds the potential for attacking and compromising a system whether it has been recently known to deliver attacks or not. The only rational approach is to treat ALL information as if it is malicious.

The Bromium approach to isolation provides protection from just these types of kernel attacks. The Bromium Microvisor seperates security from the operating system or the media being protected. Bromium uses the security features built into modern hardware platforms to isolate attacks originating from the web, whether from downloaded documents or malicious web servers. Even sophisticated zero day attacks are defeated without any actions from either the user or the IT group.

According to Forrester Research Microsoft Office still dominates the enterprise productivity suite market. Bromium customers running the MS Office platform, inlcuding Office 2013 were protected against the new zero day attacks before the these attacks were ever developed or deployed. This type of new approach to the entire cyber security problem is what the industry, and vulnerable customers have been waiting for.

October 14, 2014 / Simon Crosby

Many Eyes Make Credible Security

We are proud to announce the successful results of an independent source-code review and penetration test of vSentry version 2.4 by the leading security consultancy  IOActiveacknowledged as one of the world’s leading security firms serving Global 1000 customers, and with an enviable reputation in software assurance and penetration testing.  We gave IOActive the source code for vSentry and tasked them with breaking it – with complete freedom to publish their findings, good or bad.

You’d be forgiven for thinking we’re nuts.   Why would we do this?

We are as tired as you are of the exaggerated claims made by security vendors – products that claim to secure your environment that … don’t really.  We think it’s time to change the conversation: When vendor claims are verifiable, customers can properly understand their security posture – and they will reject products that don’t deliver.  We’d like the industry to stop blaming the victims and focus instead on defeating attackers.

Bromium is single-mindedly committed to delivering a product that transforms the security of endpoints by design, using micro-virtualization – without relying on detection, fuzzy logic, better heuristics, big data, machine learning or other hail-mary passes. But we also recognize that we stand on the shoulders of giants – the security community whose diligence and dedication helps to protect us.  We want to deliver a product that offers the best possible defense, so we need the world’s best pen-testers to attack it.  We recognize that If we are to make credible claims of security by design, they must be validated by the best in the business.

When we asked our customers to recommend a firm with the right skill set and integrity, they were unanimous. IOActive has impeccable  credentials in research and analysis, and its hard-won reputation is born of leading edge research in pen-testing, reverse engineering, code review, social engineering, and hardware security.

IOActive conducted a comprehensive analysis of Bromium vSentry v2.4 over several months, using a team with expertise in the attack surface of applications, the Windows kernel, hypervisors and hardware virtualization.  They analyzed the vSentry product architecture and source-code and conducted a comprehensive run-time penetration test with the aim of escaping the isolation of a micro-VM, compromising the Microvisor, and attacking the Windows desktop.

We are proud that IOActive discovered no vulnerabilities that can be used to defeat or disable vSentry or compromise the endpoint.   Their work validated two key principles that guide development at Bromium:

  • First, we emphasize minimalism.  Xen is small, but micro-Xen is very substantially smaller.  We focus on reducing the attack surface so that we can reasonably claim to defend it.   We apply strict development standards, and all code is scrutinized by multiple developers.
  • Second, Bromium has (in Bromium Labs) a separate, elite team of security analysts. Their job is both to guide our architects and also to attack the product using an extensive set of automated probes and manual pen-tests, to ensure that developers haven’t slipped up.

IOActive added yet another degree of separation and an independent team of experts with source code access. vSentry passed their review with flying colors, and their insights and feedback have already been incorporated into the product.   Crucially, we have developed a powerful way to engage with leaders in the security community that credibly bolsters our own effort to deliver best-in-class products.   We are proud to be better at what we do, because we exposed our work to the best.

We are committed to regular 3rd party assessment of the security of our products because our customers depend on us to protect their most valuable assets, and because security is a problem that benefits from a  “many eyes” approach.  We hope that by setting an example we can convince other vendors to make a similar commitment to independent validation, and that over time customers will begin to demand that their vendors adopt this approach.

If you’d like to receive the IOActive report please email me.

October 3, 2014 / Gaurav Banga

Why is Bromium InDemand?

Recently LinkedIn recognized Bromium as one of the 10 most InDemand startups in the Bay Area. Thank you LinkedIn, and thank you Bay Area Tech Community!

A number of folks, prospective and current co-workers, investors, customers, and friends have periodically asked me: Hey Mr. CEO of hotshot startup, why is your company special? Why should someone want to come to work at Bromium, instead of going elsewhere to another startup or a big company?

What makes Bromium so special?

Two things…

Bromium is special because we have a deep sense of mission. Ensuring the security of Internet users and Internet-connected devices is one of the grand challenges facing us. The current state of affairs is very problematic: our computers and networks are easily and routinely subverted by the bad guys, resulting in great economic loss, and have deep public security implications. We are building mission-critical dependence into every aspect of human activities on cyber-infrastructure that is insecure at its core. We are building a house of cards!

People have lost their faith in the security of our computing infrastructure. Bromium’s mission is to restore trust in our computing systems.


Bromium is also a very special place because we have a very unique, and refreshing approach, with some fairly clever and innovative technology that we specially created to help address the cyber-security challenge.

Unlike the rest of the security industry, which relies on increasingly complex algorithms to try and detect malware in incrementally sophisticated ways (and falls further and further behind the bad guys) we rely on isolation to deliver security, using a really cool technology that we invented called micro-virtualization.

With micro-virt, we create disposable (virtual) computers for each Internet task that you need to work on, such as a visit to a website or opening a word document from an email attachment. These virtual computers are created and destroyed automatically behind the scenes as you click, you don’t see them!

Any Internet malware that you might inadvertently pick up is kept isolated, in its own micro virtual machine, and then eventually killed off and cleaned up when you are done with the task and close the browser tab or navigate to another website. All this happens without you having to worry about it or even think about it.

The outcomes we deliver for our customers are nothing short of amazing: in a world where there appears to be some much despair and angst around cyber-insecurity, a Brominated customer has a superior endpoint security architecture that greatly reduces their risk and their operations costs, while simultaneously empowering their employees.

Micro-virtualization is the result of many years of the Bromium team working on taking hypervisor technology to the next level. It builds on research and product work that my co-founders and I, and our numerous collaborators and co-workers did over the course of the last decade across many different use-cases of virtualization. This is deep systems work – the type you get to do at very few companies. We have engineers and teams that work at the UI layer, through the guts of Web Browsers and important applications like Office, through the various layers of OSX, Windows and Android, and finally in the hypervisor itself. Our engineers collaborate with each other and have a unique and powerful understanding of computer systems and the important business of cyber-security.

So if you are a software engineer, looking to build rocket-ship type technology for a great cause, or a sales person that wants to sell and put something very important and meaningful into the hands of every man, woman and child on the planet, then Bromium is one of the special few companies where you belong!

September 11, 2014 / Simon Crosby

Goldilocks and the 3 Theres



At VMWorld VMware SVP of Security Tom Korn described the hypervisor and virtual network environment of a virtual infrastructure platform as the “Goldilocks Zone” for application security in the software defined data center.  He was right.  And with an innocuous and kid-friendly soundbite – “the Goldilocks Zone” – VMware served notice on the data center security industry that it fully intends to be the vendor of choice for ensuring the security of (private) cloud hosted applications.

This move ought not to surprise us.  Back in 2007 VMware opened up APIs for 3rd party security vendors, inviting security vendors to take advantage of the hypervisor to secure workloads.  But an ecosystem failed to emerge – in my view because neither VMware nor the vendors really knew how to take advantage of hypervisor based introspection, and because virtual switching was still very immature.

Fast forward 7 years to an enterprise virtual infrastructure that is dominated by VMware, and an urgent need for cloud security solutions.  VMware is firmly in control of the “Three Theres” that are required for precise control of workload security:

  • Execution context: The typical VM contains a single application, and relatively straightforward understanding of the application behavior, coupled with an ability to introspect the VM during execution offers an opportunity to better secure its execution.
  • Storage context: The hypervisor owns the storage of each VM. Historically this has been block storage a VMDK – but increasingly (for example with their CloudVolumes acquisition) layered storage for a guest comprising multiple VMDKs (and their file systems) mounted dynamically gives the hypervisor an ability to differentiate and control storage access (for example: writes to a CloudVolumes app VMDK could be prevented or made Copy on Write). As it moves up-stack, the hypervisor has an opportunity to introspect and understand file/volume semantics – for example think about the ability to separate the user data and settings in a VDI VM.
  • Network context: The vSwitch has an ability to control and inspect traffic into a VM in a granular fashion. VMware calls these application-centric network controls “micro-services”.  Each application can have unique network security controls applied to it, enhancing the security not only of that workload, but of the private cloud in aggregate. Moreover, because of its proximity to the locus of execution the vSwitch can inspect traffic in ways that are inaccessible to other vendors in the data center ecosystem.

There would be no “Goldilocks” story without the 3 Bears and the concept of “just right”.   Similarly, there can be no cloud security story without the Goldilocks Zone – a place where execution can be inspected and controlled from each of the 3 “theres”: execution, storage and networking.  Being in full control of all of them is “just right” for delivery of a new generation of cloud security services.  It is interesting to note that the addition (via nesting – see part 2) of micro-virtualization on a traditional hypervisor like ESX provides even more granular isolation and control – for each VM, and therefore even more granular control of security.

The “Goldilocks Zone” of security is a unique opportunity for VMware to be the vendor of choice to secure virtualized workloads in the increasingly software defined data center.  None of the other hypervisor vendors is even close in terms of articulating as bold a vision in micro-services, granular storage control and execution control – and hence security. This differentiation is a key strength of VMware’s, and at the same time it points to the end of the road for every traditional datacenter security vendor.  We all know that AV is dead.   We know that a hypervisor is a better place to ensure execution white-lists are enforced, rather than in-kernel.  We now also need to realize that network security appliances will be on the block, together with traditional switching/routing gear.

Part 2 of this post will describe micro-virtualization, micro-services for micro-VMs and micro-VM introspection in more detail.  The similarities are startling.  The conclusion even more so: Virtualization alone (SDDC and PC) has a unique and profound ability to deliver a paradigm shift in enterprise security, securing the enterprise by design.

September 8, 2014 / Simon Crosby

Next-Gen IDS/IPSs: Caught between a ROC and a hard place

The market appears to have revisited its irrational exuberance about next-gen network IDS/IPSs, perhaps because every major security vendor has one (truth be told, throwing traffic at a set of cloud- or appliance-hosted sacrificial VMs isn’t rocket science).

But there’s another challenge too: these devices are caught between a ROC and a hard place: They often overwhelm IT with false alerts and (provably) will fail to detect some genuine attacks. So it is important to understand their strengths and weaknesses and to carefully plan their use.

The tech:  Potentially threatening traffic entering the network is forwarded to a VM running on the appliance.  The idea is that if it contains malware, the attacker will compromise the VM and the appliance will detect this and  alert the security team.  Typically only a subset of traffic is forwarded to a VM because attempting to execute all traffic in a small number of honeypot VMs is typically not (practically or economically) feasible.

  • In passive mode (IDS), the appliance reports information that can help security teams identify a compromised user device, whereas
  • In in-line mode (IPS) the appliance must decide in real-time whether the traffic contains malware or not. It blocks the connection if an attack is detected.   If not, it passes the traffic to the client.

If the malware is on an existing black-list (eg: VirusTotal) detection is easy, but if not, detection depends on  the vendor’s “advanced” detection capabilities. Here’s the rub:

  • If the user is off-net or mobile, the next-gen IDS/IPS will likely be blind to their activity.
  • Sophisticated malware is often crypted to ensure that it will bypass existing black-list (signature based) detection methods. So, if the bad guy is determined to get in, the standard detection tools won’t help. (The same is true for endpoint AV).   So, most vendors claim “advanced execution detection” that aims to identify tell-tale signs of unknown malware when it executes on the appliance.
  • Sophisticated malware is often “sleepy” – and next-gen IDS-aware.  It can detect that it is running in a VM and simply waits (sleeps) until it reaches an actual endpoint before executing its attack. A next-gen IDS/IPS will therefore fail to detect an attack.
  • An alert issued by the IDS/IPS for malware that executed on the device relies entirely on the malware actually executing in a honeypot VM.  Key questions to ask the vendor include how you can ensure that the software on the appliance is the same as the software on your endpoints.  If it isn’t precisely the same, then the appliance is basically useless.  You may see floods of alerts for attacks that would never execute on your endpoints given their particular patch levels.
  • Finally, several vendors ship their own versions of Windows VMs on their appliances.  As Richard Stiennon has pointed out, this likely conflicts with Microsoft’s license terms.  You should ensure that your vendor indemnifies your company for any future licensing problems.

Detection’s Limits

Ultimately, next-gen IDS/IPS platforms are detection centric, and detection has fundamental limits that are mathematically provable.  Stick with me – I’ll try to make the theory simple to understand (Here’s a primer, and some state-of-the-art research).

A detector must be evaluated for accuracy by evaluating the frequency of its {True Positive, True Negative, False Positive, False Negative} results:

  • TP: The frequency of samples where an attack was correctly identified
  • TN: The frequency where a non-attack was correctly identified
  • FP: The frequency of false alarms, and
  • FN: The frequency of a real attack bypassing the detector.

These can be plotted on a graph called the Receiver Operating Characteristic (ROC), and can be shown as the areas of intersection of two statistical distributions that plot the the detection result for both non-attack traffic and real attacks.


Every detector has a threshold at which it will trigger an alarm (the green line).  A better detector separates the two curves more cleanly, and careful choice of the threshold is critical for accurate separation of real attacks from normal traffic.  The goal is to accurately detect attacks, without increasing False Positives or False Negatives, but no detector is perfect:

  1. The detector will fail (FN) at some point and the attacker will succeed. (Yep, it’s a definite)
  2. Building a good detector is a careful balance of trading off false positives (which leave security teams swamped) against false negatives (which are very bad news).
  3. Unfortunately today’s rapidly moving cyber-landscape it is impossible to build a reliable detector for polymorphic/crypted malware:

“The challenge of signature–based detection is to model a space on the order of 2^(8n) signatures to catch attacks hidden by polymorphism. To cover thirty-byte decoders requires O(2^240) potential signatures; for comparison there exist an estimated 2^80 atoms in the universe.”

The Result: “Compromise-first Detection”

“Compromise-first detection” happens when a detector is unable to distinguish between attack and non-attack traffic, causing significant overlap of the two distributions , as shown below.  The ratio of the TPF to FPF is sometimes called the Signal to Noise Ratio (SNR).  A low SNR loses True Positives in a sea of False Positives, training IT to ignore warnings.


Compromise-first detection is a very big deal. Delays in signature distribution together with detector inaccuracy aid attackers, and the cost of remediation is high: all systems that might have been penetrated must be re-imaged – and if the alert is a false positive, the entire exercise is a waste of time.

The net-net for any network-based detection technology is that it likely:

  • Costs a lot more to run (in terms of increased operational headcount and complexity) than the sticker price on the box.
  • Doesn’t stop attacks that it detects – because operating such appliances inline impacts performance substantially.
  • Doesn’t deliver alerts that are meaningful given the patch level of your endpoints
  • Cannot stop the compromise

Wouldn’t it be so much better if endpoints could simply defeat each attack, accurately inform IT without false alarms, and self remediate?  Well, they can!

September 3, 2014 / clintonkarr

Black Hat Survey: End Users Remain Biggest Security Headache as Compromised Endpoints Increase

Earlier this year, Bromium published “Endpoint Protection: Attitudes and Opinions,” a statistical analysis of more than 300 information security professionals. The results revealed that endpoints are vulnerable, anti-virus is ineffective and end users are a weak link.

These results were significant, so earlier this August, Bromium conducted a similar survey at Black Hat. Our Black Hat survey was a poll of less than 100 respondents, so these results may be considered less statistically significant; however, they are still interesting.

Man having a headache at home

Similar to our previous research, Bromium found that nearly 75 percent of respondents believe that end users are their biggest security headache. As noted previously, the Verizon Data Breach Intelligence Report found that 71 percent of breaches were a result of an attack on end user devices, so these results should come as no surprise.

User devices can be compromised in a moment by drive-by downloads, system vulnerabilities and e-mail attachments, a challenge is only exacerbated by mobile workers connecting to untrusted networks, yet it can be time-consuming and expensive for information security teams to fix these problems. The alternative, locking down system resources, is not a popular option because it greatly reduces productivity with a negative user experience.

Are users your biggest security headache?


Yes                                         74%

No                                          14%

Don’t Know                         11%



It is easy to understand why end users are such a headache when you consider the results of some of the other questions that were asked. Case in point: Bromium research determined that the total number of compromised endpoints has increased for the majority of respondents in the past 12 months.


In the past 12 months, has the total number of compromised endpoints in your organization:


Increased                             51%

Stayed the

same                                     34%

Decreased                           14%



These compromised endpoints create additional work for information security professionals since they have to be cleaned and remediated, which results in lost productivity for both the users and admins. Investing in anti-virus solutions is not enough, as respondents indicated they had to remediate compromised endpoints that had anti-virus on a monthly, weekly or even daily basis.

In the past 12 months, how frequently have you had to remediate a compromised endpoint that had anti-virus installed?


Monthly                                34%

Weekly                                  29%

Daily                                      20%

Never                                    14%

Not Sure                               3%



Ultimately, the reason that end users are such a headache for information security professionals is because endpoint protection solutions, such as anti-virus, are so ineffective. The majority of respondents believe their endpoint protection detection rates are less than 50 percent, which would explain why the overwhelming majority of respondents are also not confident in the ability of their current endpoint protection solution to detect unknown threats.


What are your current endpoint protection detection rates?


Less than 25 percent        23%

Between 25 and 50

percent                                 34%

Between 50 and 75

percent                                 34%

More than 75 percent        9%



Are you confident in the ability of your current endpoint protection solution to detect unknown threats (e.g. zero-day attacks) 

Yes                                         34%

No                                          66%



Symantec has declared that antivirus “is dead.” You have to agree when you consider these poor detection rates. Endpoint protection is a multi-billion dollar industry, yet security professionals are not confident in these solutions.

End users will remain a primary target for attacks because of the value they hold. Therefore, the market must adapt to meet the demands of a post-AV era. A defense-in-depth architecture can be limited by a common vulnerability in the Windows kernel; indeed, Bromium Labs refers to this as LOL (layers on layers). Instead, organizations should invest in complimentary advanced threat protection solutions.

Bromium vSentry and LAVA provide an advanced threat protection suite that delivers proactive endpoint protection for the post-AV era. Bromium vSentry isolates all tasks in micro-virtualization to contain all threats, while Bromium LAVA provides real-time visibility and analytics. Bromium micro-virtualization enforces security by design, instead of relying on signatures to detect the undetectable. Bromium is returning confidence to endpoint protection solutions.


Get every new post delivered to your Inbox.

Join 20,795 other followers