Cyber-rattling is a Convenient Excuse for Security Vendor Failures
Since the New York Times was hacked there’s been an increasing drum roll in the popular press about the growing threat of cyber-attack by nation states, especially China. The Mandiant report does a great job of making the case (with ample evidence) for its claims that an elite group of Chinese Army hackers are behind numerous attacks on US companies and government organizations. Yes, it is pretty bad out there. But it is our response that is telling: Strident denials and ominous Cyber-rattling – a story that speaks to our apparent need to always have an enemy and enables our politicians to appear to be taking a hard line. The press loves it (100M Google hits for “chinese hacker”), as do the security vendors, who are relieved that a mighty nation state is the reason for their downfall, while pleading in unison for customers to buy more of their products.
Everyone’s needs are met. Except yours, that is. Your infrastructure is actually getting plundered.
Something is wrong here. After all, you paid good money to your security vendors. What you get in response is a convenient smokescreenthat obscures the real issue at hand: The undeniable fact that the “detect to protect” paradigm of the security industry has passed its sell-by date. If the products worked, we’d be secure. But they don’t. So instead of pointing out our own shortcomings, we point to the massive efforts of a foreign power and its “cyber army” that no vendor could ever be expected to protect against. This is a collective lie by the security vendors.
To make things worse, I’ve been peppered all week with emails from K-Street Lobbyists looking to extract dollars from Bromium so that we can ensure that our products are mandated by future Cyber Laws. The security industry is in crisis – technologically bankrupt, and is attempting to influence lawmakers to mandate that we spend tax dollars on outmoded, useless technology at a time when we already know how to profoundly improve the security of our enterprise infrastructures, while empowering users and embracing the “Internet of Everything”.
What if you didn’t have to worry about being attacked? What if your devices simply shrugged off APTs and continued unchanged? Micro-virtualization makes this possible today.
Thanks to the relentless progress of Moore’s Law, we already have in every Intel PC (and soon, every mobile device) the key capabilities required to achieve practical, hardware-enforced protection that makes an endpoint hundreds of thousands of times harder to compromise than today. Bromium micro-virtualization uses Intel platform features for virtualization and security to dynamically, instantly and invisibly hardware-isolate each untrustworthy user-initiated task. Every time you open a document, access a web site, click on a link or a movie, that task is invisibly and instantly isolated by the CPU from the rest of your PC, limiting its access to information (files, networks and devices) and preventing it from modifying the system in any way. For example the browser tab for Facebook.com can only access the browser cookie for Facebook, and the untrusted web, but cannot access any other files, or reach deeper into the enterprise network or access USB devices. As soon as you close the document or navigate to another site the entire hardware-isolated task is discarded – automatically discarding all malware. The device remains gold, can be patched when convenient, and discards all malware – enabling IT to empower users to freely access the web and untrusted content.
In September of 2012 Bromium announced its first product, vSentry, for Windows 7. Since then, we have extended our support to cover Windows Server, and using Microsoft RDS, virtual desktops, legacy Windows XP PCs, non-Windows PCs and tablets. We are working hard on a Mac product, and Windows 8 and Android are in the works. Bromium has chalked up impressive engagements after only four months. It is encouraging to see the most valued brands in the US acknowledge that they need an entirely new approach to security and to employee empowerment.
This week NSS Labs completed the first public 3rd party evaluation of Bromium vSentry. We defeated every attack. But we expected nothing less, and we aren’t done yet – we have many more features to add beyond those that have been tested, which will in turn require validation. The NSS results vindicate our architecture and the incredible resilence of Intel hardware-based protection, but they do not give Bromium bragging rights. Instead, they establish a new bar for security vendor performance and offer you an opportunity to demand demand 100% protection from your current endpoint security vendors. If they don’t provide it, my suggestion is that you demand a 100% discount or a money-back guarantee if they fail to stop an attack.
It’s time for us to get very serious about cyber-crime. The future involves an immersive on-line existence for all of us. Getting serious has nothing to do with Cyber-rattling, and everything to do with transforming the trustworthiness of our infrastructure, starting with endpoints -relying on hardware-enforced security and an architecture that protects by design.