- Deploying Bromium frees up end users from having to worry about ransomware, viruses, Trojan horses, worms and other forms of malware.
- Bromium is a trouble-free experience for end users, with hundreds of thousands of endpoints deployed and billions of micro-VMs launched globally.
- The key is helping end users understand how compliance protects your organization.
What’s it like to be a Bromium end user? In an ideal world, they wouldn’t even notice Bromium was there. And they wouldn’t notice a lot of other things, too.
Learn: Here’s how Bromium works
Things like viruses, Trojan horses, worms or spyware, for example. The whole point of Bromium is that it lets you go about your online business without risk of a breach. So your end users could spend a whole day browsing through the content from a hacker’s convention on the dark web – or just do their jobs – and still emerge without a trace of malware.
- Our semi-annual Bromium Labs Threat Report shows Microsoft software is getting harder to exploit.
- In response, hackers are getting cannier: focusing more on ransomware and watering-hole attacks, for example.
- These new threats mean that even though Microsoft’s systems are safer, users have to be more on their guard than ever.
- Download the report and then join our free webinar on September 28th featuring Rahul Kashyap, EVP and chief security architect at Bromium.
Microsoft’s software is now more secure. So you now need to be more on guard than ever.
You read that right: recent increases in Microsoft security may have made the company’s products more impervious to hackers, but ironically they may have put you more at risk.
Microsoft software has long been a favored target for cyber criminals, because we all use it all of the time. Microsoft is aware of this, and has been working hard to patch the vulnerabilities in its code. The effort seems to be paying off.
- Released today, Ed Amoroso’s 2017 TAG Cyber Security Annual – a practical guide for anyone serious about cybersecurity.
- Simon Crosby talks about his experience with Ed and why this compendium is worth your read.
- The Annual is a free download for anyone who’s interested.
When I was a grad student at Cambridge in the mid 90s, Ed Amoroso was already directing AT&T’s cyber security programs. He had both the vision to lead cyber security research at AT&T Labs, and the clout to deliver a real difference – to AT&T’s customers.
He is a CISO first and foremost.
He’s a practitioner who seeks technologies that can transform enterprise security without up-ending the organization. His path to success as CISO of AT&T will, I’m sure, be familiar to many – a rare combination of insight, inspiration, patience, hard work and dogged determination. When Ed retired, I assumed he’d hang up his gloves and relax after a fight well fought. I underestimated his determination to change the security landscape for the better – for all of us.
- Ransomware is this year’s most buzzworthy malware story.
- Access is easy – your end users simply click on something that appears trusted and the bad guys are in.
- While old methods attempt to stop the threat, we offer a different approach that will protect your data and your network.
- Watch how Bromium handles ransomware in this 90 sec demo.
The cybercriminal world is not much different from the commercial industry.
Just like you, bad guys are continuously trying to accelerate their business and get closer to the customer so they can maintain their competitive edge. Yep, they may not have a Board of Directors, but they do have business requirements and that pushes them to create new avenues for getting ahead.
Get it: Technical whitepaper on ransomware.
Upping their game.
“Gartner projects that half of enterprises will have started Windows 10 deployments by January 2017, with many enterprises planning to begin pilots for Windows 10 in the first half of 2016 and broadening their deployments in the latter part of the year,” according to an article in Information Week.
This aligns with trends in managing enterprise desktop computing that are striving to keep up with diverse business requirements while fighting a security landscape that sees hundreds of Indicators of Compromise (IOCs) every day.
The good news is Windows 10 comes with a lot of promises for enterprise and government customers, particularly when it comes to security (read our take from Nov 2015). One of the major advances is enhancing OS security. Microsoft also notably added Virtualization-Based Security, or VBS, for advanced security built into the OS.
Microsoft is working to improve security.
Dan Allen is well known to those in the Citrix, VMware and Microsoft EUC communities as a rock-star EUC architect and performance engineer, having implemented some of the world’s largest and most complex TS and VDI deployments. Dan runs the Bromium field engineering team and has successfully implemented Bromium in our largest deployments. He has recently focused on optimizing the performance of our micro-virtualization support for Firefox, and passed on these insights. Since he’s elbow-deep in customer deployments, I’ve posted this for him.
Who wants faster Firefox? Everyone!
We know that ad blocking can dramatically increase performance and improve user experience, while reducing the browser’s CPU and memory overhead. In a Bromium-secured environment, many customers use ad blocking as a way to further enhance security and improve privacy, and their users certainly appreciate the performance improvements that result. This is particularly important in VDI environments and on endpoints with relatively small memory configs. Ad blocking also allows customers to optimize the density of their VDI desktops per server, because VMs no longer burn CPU and memory on useless ads.
Next week at Intel Developer Forum 2016 I will be demonstrating a prototype feature of the Bromium platform that leverages Intel Software Guard Extensions (SGX) to protect a user’s online credentials from theft. In this post I aim to briefly describe SGX and highlight its complementary use with micro-virtualization.
Today Bromium uses micro-virtualization to hardware-isolate end-user tasks that access untrusted content and the web, to protect the endpoint host OS. Although we monitor the host (desktop) for signs of compromise using the same LAVA technology that gives us precise forensics for introspection of micro-VMs, we have always wanted to enhance the protection of the host from (for example) east-west attacks. We want to protect high-value information on the endpoint (e.g. credentials) from theft using a clean, hardware-based capability that does not rely on detection, and SGX is a key technology that helps us to achieve this.
Bromium implements a security model as old as society itself, with two powerful new twists: CPU enforced least-privilege and relative trust. Recently I’ve been thinking about parallels between what we implement in technology and our own human nature. It turns out there are many similarities.
The Bromium architecture feels familiar because it is: In society we protect ourselves by relying on our own instincts and the collected learning of others. Relative trust is the loom that weaves together the threads of our relationships. As children we trust our families to care for us. Later we develop friendships, play on teams and become colleagues and parents. We trust those we depend on and collaborate with, and distrust others.
But trust is not binary. It is a sophisticated, personal and continually evaluated assessment of relative confidence: “Untrusted” does not mean “bad” – it just means “unknown”, and trust is highly context specific. When we entrust someone with important information, we lose control of it. Greater trust brings the benefits of a deeper relationship but leaves us more vulnerable. So we instinctively apply the principle of least privilege: We limit what we share based on context and what is needed. Relative trust helps us to manage least privilege to reduce risk.
Our desire for privacy is also framed by trust: We seek to retain control over information that could be used against us. We also know that our trustworthiness is continually evaluated by others, based at least in part on their observation of our respect for “the duty of trust” – confidentiality – which is so important that it is formalized in our legal system. As Einstein put it: “Whoever is careless with the truth in small matters cannot be trusted with important matters.”
Trust is life’s most important navigation aid. As we make our way through the world, our relationships and their trust dynamics inevitably change. But if we faithfully respect least privilege, we maximize our privacy and security as well as the security of those who trust us. It’s not perfect, but as the famous American novelist E.L. Doctorow put it: “It’s like driving a car at night. You never see further than your headlights, but you can make the whole trip that way.”
Least privilege and relative trust are instinctive foundations of human operational security. We dynamically evaluate trustworthiness to control our risk, and thereby maximize our security.
Bromium maps these concepts into technology to help each endpoint to defend itself, monitor its own health, and quickly share threat information with other endpoints in its “society” so that they too can better protect themselves.
Before I continue, it may be helpful to compare Bromium to today’s endpoint security tools: Black-listing the “known-bad” (like today’s AV) is the equivalent of a background check for a new employee – useful for weeding out convicted criminals. But it can’t help in your inescapable daily interactions with hundreds of people you don’t know and can’t check up on – the vast majority of whom will be benign. The list will always be out of date, but perhaps more importantly, a sophisticated criminal will disguise himself as someone you trust – perhaps a policeman – exposing you to a social engineering attack. What about white-listing the “known good”? (The term itself ought to ring alarm bells). Can you imagine a starker showcase of its failure than the current US problem of police overreach? There is no such thing as “known good” – only “known privileged – and vulnerable to attack”.
Hardware-enforced least privilege: Bromium enforces least-privilege isolation on a per-task basis using endpoint CPU virtualization to ensure that there is no way for malware to access information, credentials, devices, networks or sites that it shouldn’t. This gives us the most rigorous enforcement mechanism possible. Users can safely access untrusted networks and sites and edit untrusted files. If one of them turns out to be nasty, it’s a “don’t care” – there’s nothing to steal, no user identity, credentials, or files are available, and the attacker cannot pivot to attack high-value networks or sites. More importantly, the endpoint is protected from breach by the CPU-enforced isolation of a micro-VM.
This may appear to cast trust in a binary light. What about relative trust – the tax form that I download, save, repeatedly edit and then submit? Relative trust requires that I disclose only the specific required/relevant information in a particular context, but not that I trust the document just to edit it. Bromium allows you to repeatedly edit and save an untrusted document – each time in a new micro-VM – without ever having to trust it (elevating its privileges and enabling an attacker to steal information). Forcing the user to trust, just to be productive, is bad design. Micro-virtualization solves this problem elegantly.
What about the over-trusting (or even malicious) user, who tries to place high-value information in an untrusted context – for example attaching a corporate file to a Gmail message? Data Loss Prevention policies state what information a user can paste/attach/upload/enter into an untrusted context, and they are enforced by the Microvisor.
And what of evaluating trustworthiness? Recall that a fundamental requirement in any system based on least privilege is an ability to evaluate and react to any “breach of trust”. Once again micro-virtualization offers an elegant solution: Unlike our human experience, and unlike today’s computer systems in which a successful breach gives the attacker full access to privileged information, the hardware confines of a micro-VM are perhaps 100,000 times more difficult to compromise than software based isolation. So instead of trying to detect an attack before it occurs, we can simply let the user get on with her task, and if an attack occurs, it will be obviously malicious. Because the isolated environment executes copy-on-write, we have full forensics and can provide detailed information about the attack.
We think it’s important to hold security vendors accountable: Ditch marketing BS in favor of defensible design and rigorous evaluation. Bromium uses virtualization backed security to make endpoints more secure by design. “Maybe” tools like next-gen AV can only hope to stop an unknown attack – but 99% of malware morphs into new, unknown variants in under a minute.
To highlight this we challenged attendees at InfoSec London to bring their own malware to the show. If it bypassed Bromium, they’d win £10K. In two days we safely browsed to over 4,800 sites, and opened more than 1,500 documents and attachments. Unpatched, Bromium-protected endpoints withstood 189 attacks, of which 10 were unknown to VirusTotal. Researchers from an AV vendor even downloaded a custom attack that evades detection – and also failed to breach us.
Other vendors won’t publicly expose their products to unknown malware, because they just don’t know if they work.
Bromium doesn’t demand a leap of faith. Our product increases cost to the attacker by reducing the attack surface of the endpoint. But how can you be sure we’ve done a good job? We think you shouldn’t have to trust us. Each year we commission source code reviews and pen-tests by highly respected research organizations, and encourage our customers to conduct their own. None has ever surfaced any substantive issues.
This year we went a step further and quietly started to work with a few white hats. And though we were surprised when Tavis Ormandy (@taviso) of Google claimed he had identified two bugs that let him escape micro-VM isolation, I was quietly rather pleased. Tavis is one of the most respected ethical pen testers – and we hadn’t even given him our product! He willingly shared his findings and we spent a busy week validating them and discussing solutions with him. He was both gracious and helpful – and always impartial and data driven. The experience reaffirmed our commitment to an open engagement with the white hat community.
We will disclose details of what he found, after a 30 day embargo to allow our customers to patch. But there are some interesting facts we can share:
- Tavis found a bug in an early build of vSentry 3.1 with support for an old version of Chrome that was sent to a customer to evaluate a feature, and mistakenly uploaded. A skilled attacker armed with a chain of additional bugs could exploit our bug to achieve code execution in the host Chrome browser.
- Fortunately, in a typical Bromium production deployment the Bromium Enterprise Controller automatically updates Chrome protection via “App Packs” soon after Google releases a new version. Recent Bromium Chrome App Packs, for example, fix the known bugs you’d need to be able to exploit our bug.
- The same underlying issue was also present in our protection for IE. Again, fortunately, a typical Bromium deployment configuration mitigates this bug.
- We have verified that the machines we used at InfoSec could not have been breached because of the security policies and configuration applied, which were typical of a real-world deployment.
Bromium does not yet have a bug bounty program, and our terms for the challenge were specific to the product version and policies used at InfoSec. But we are nonetheless indebted to Tavis for his important contribution to our product. Bromium will pay him £10K, which he has stated he will donate to Amnesty International. Independently, as an acknowledgement of his sheer professionalism and as testament to his awesome white-hattery, I have personally matched the Bromium award with a donation in Tavis’s honor, as shown below (close to £10K at last week’s exchange rate). We are investigating the best way to properly run a bug bounty program, and won’t pay any further bounties (for any version of our product) until we have one set up.
We think it’s time security vendors are held accountable for their promises: Ditch marketing hyperbole in favor of defensible design and rigorous evaluation. We want to draw a bright line between technologies – like Bromium – that make endpoints more secure through careful design and rigorous testing, and “maybe” technologies – like next-gen AV – that can only be evaluated with yesterday’s attacks – when 99% of today’s malware morphs into new, undetectable variants in under a minute.
In this spirit we challenged attendees of InfoSec Europe last week to bring their own worst malware to the show. If it could bypass Bromium isolation and compromise an endpoint, they’d win £10K. No other security vendor would dare to expose itself like this, because they just don’t know if their products work. They may not even detect known bad. Bromium defeated every attack offered at InfoSec, including crypto-malware, the BlackEnergy attack on the Ukrainian power grid, and malware hand-crafted by legacy endpoint security competitors. Perhaps as importantly, we delivered detailed forensics for each attack – even those that were unknown to VirusTotal – on the show floor.
Defensible design substantially increases the cost to the attacker. It does not mean “perfect”. When we launched the challenge I said: “I want to be clear that we don’t think our product is unbelievable or even unbreakable. It’s just damn good.” All this is simply an effort to better protect our enterprise customers and their IP. But you don’t need to believe me. We welcome independent scrutiny and validation. In each of the past 5 years we have given our product and source code to many of the world’s best pen-testing organizations to validate.
The InfoSec Challenge was also a first step toward engaging with the white hat security community. Last week we also benefited from the rigorous testing of one of the world’s best, Tavis Ormandy of Google, who found a legitimate bug in our product. We are grateful, and are working with Tavis to ensure that he confirms that we’ve fixed it. As a result our product is better than it was before.
Why Bromium is Different
AV tries to protect each endpoint by detecting an attack. It tries (and often fails) to detect and protect each endpoint independently of all other endpoints, based on signatures from the vendor. This model is dead. Detection will fail at some point, giving an attacker the foothold he needs. More importantly, compromising a single endpoint is just a step on the path to an enterprise breach. Bromium Advanced Endpoint Security (AES) is different. It is an enterprise protection platform. Bromium AES:
- Reduces the attack surface of each endpoint; and
- Continuously monitors and correlates execution activity across all endpoints to reduce the enterprise attack surface.
Assuming that there will always be application and OS vulnerabilities, Bromium AES always increases the cost to the attacker by massively reducing the attack surface of each endpoint. We do this by:
- Hardware-isolating user- and kernel-mode execution of each untrusted application task – in a micro-VM
- Ensuring that high-value information (IDs, credentials, networks, sites and files) is not available in a micro-VM
- Enabling persisted untrusted files to be safely accessed in isolation, in a micro-VM
- Discarding each micro-VM when the user closes the task, eliminating persistence and unwanted side-effects
- Continually monitoring each micro-VM and the host OS for signs of a breach, from the tamper-proof perspective of the Microvisor.
All with few or no changes to the user experience.
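The properties in the list above, and the tax-form discussion earlier on the page (per-task isolation, relative trust, DLP at the boundary, copy-on-write forensics, nothing persisting from a discarded micro-VM), can be modelled as a small reference monitor. This is an added illustration, not Bromium’s code: the Microvisor class, the two-level trust labels and every file name and value in it are constructed for the example.

```python
from dataclasses import dataclass, field

UNTRUSTED, TRUSTED = 0, 1  # unknown origin (web, mail, downloads) vs high-value data

@dataclass
class Resource:
    name: str
    trust: int     # label: credentials, corporate files, internal sites are TRUSTED
    data: str = ""

@dataclass
class Task:
    task_id: int
    trust: int     # a micro-VM carries the label of the content it was opened for
    doc: Resource
    cow: dict = field(default_factory=dict)  # copy-on-write layer; host never written

class Microvisor:
    """Toy reference monitor (hypothetical): mediates every access a task makes."""
    def __init__(self):
        self.store = {}    # persisted files keep their trust label
        self._next_id = 0

    def launch(self, doc):
        """Every task gets a fresh micro-VM, even when reopening the same file."""
        self._next_id += 1
        return Task(self._next_id, doc.trust, doc)

    def access(self, task, res):
        """Least privilege: a task sees only resources at or below its own trust.
        One rule covers malware reading credentials and a user attaching a
        corporate file to webmail (DLP); the monitor does not care who asks."""
        return res.data if res.trust <= task.trust else None

    def write(self, task, name, data):
        task.cow[name] = data   # writes land only in the micro-VM's cow layer

    def close(self, task, compromised=False):
        """Discard the micro-VM. Only the edited document survives, still untrusted;
        a compromised task persists nothing and its cow layer becomes forensics."""
        if not compromised and task.doc.name in task.cow:
            self.store[task.doc.name] = Resource(task.doc.name, task.doc.trust,
                                                 task.cow[task.doc.name])
        forensics, task.cow = task.cow, {}
        return forensics

def demo():
    mv = Microvisor()
    creds = Resource("domain-credentials", TRUSTED, "hunter2")     # constructed
    report = Resource("q3-report.xlsx", TRUSTED, "revenue rows")   # constructed
    tax = Resource("tax-form.pdf", UNTRUSTED, "draft 1")           # constructed
    t1 = mv.launch(tax)
    mv.write(t1, tax.name, "draft 2")    # user edits and saves the untrusted form
    mv.close(t1)
    t2 = mv.launch(mv.store[tax.name])   # reopened later in a brand-new micro-VM
    reopened = mv.access(t2, mv.store[tax.name])
    stolen = mv.access(t2, creds)        # malware in the form tries to read credentials
    leaked = mv.access(t2, report)       # user tries to attach a corporate file here
    mv.write(t2, "dropper.exe", "MZ...") # constructed hostile payload lands in cow
    mv.write(t2, tax.name, "tampered")
    forensics = mv.close(t2, compromised=True)
    return {"reopened": reopened, "stolen": stolen, "leaked": leaked,
            "forensics": forensics, "stored": mv.store[tax.name].data,
            "ids": (t1.task_id, t2.task_id)}
```

The untrusted form is edited twice without ever being trusted, the credential read and the DLP-blocked attachment both return nothing, and the compromised micro-VM leaves only its copy-on-write layer behind for forensics while the stored file keeps its last clean version.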
More importantly, it is time to move beyond a model where we bet the security of the enterprise on the security of a single endpoint. Instead we need to embrace a system in which endpoints collaborate to enhance enterprise-wide protection, detection and response. Even if a single endpoint is compromised, the system will detect the breach and automate a response, reducing the enterprise attack surface:
Protection is not based on detection. It’s always there. And when an endpoint identifies malicious or suspicious activity in a micro-VM or the desktop host, it shares this information in real time with the Bromium Enterprise Controller (BEC), which correlates execution activity across all endpoints to accelerate response.