Bromium implements a security model as old as society itself, with two powerful new twists: CPU enforced least-privilege and relative trust. Recently I’ve been thinking about parallels between what we implement in technology and our own human nature. It turns out there are many similarities.
The Bromium architecture feels familiar because it is: In society we protect ourselves by relying on our own instincts and the collected learning of others. Relative trust is the loom that weaves together the threads of our relationships. As children we trust our families to care for us. Later we develop friendships, play on teams and become colleagues and parents. We trust those we depend on and collaborate with, and distrust others.
But trust is not binary. It is a sophisticated, personal and continually evaluated assessment of relative confidence: “Untrusted” does not mean “bad” – it just means “unknown”, and trust is highly context specific. When we entrust someone with important information, we lose control of it. Greater trust brings the benefits of a deeper relationship but leaves us more vulnerable. So we instinctively apply the principle of least privilege: We limit what we share based on context and what is needed. Relative trust helps us to manage least privilege to reduce risk.
Our desire for privacy is also framed by trust: We seek to retain control over information that could be used against us. We also know that our trustworthiness is continually evaluated by others, based at least in part on their observation of our respect for “the duty of trust” – confidentiality – which is so important that it is formalized in our legal system. As Einstein put it: “Whoever is careless with the truth in small matters cannot be trusted with important matters.”
Trust is life’s most important navigation aid. As we make our way through the world, our relationships and their trust dynamics inevitably change. But if we faithfully respect least privilege, we maximize our privacy and security as well as the security of those who trust us. It’s not perfect, but as the famous American novelist E.L. Doctorow put it: “It’s like driving a car at night. You never see further than your headlights, but you can make the whole trip that way.”
Least privilege and relative trust are instinctive foundations of human operational security. We dynamically evaluate trustworthiness to control our risk, and thereby maximize our security.
Bromium maps these concepts into technology to help each endpoint to defend itself, monitor its own health, and quickly share threat information with other endpoints in its “society” so that they too can better protect themselves.
Before I continue, it may be helpful to compare Bromium to today’s endpoint security tools: Black-listing the “known-bad” (like today’s AV) is the equivalent of a background check for a new employee – useful for weeding out convicted criminals. But it can’t help in your inescapable daily interactions with hundreds of people you don’t know and can’t check up on – the vast majority of whom will be benign. The list will always be out of date, but perhaps more importantly, a sophisticated criminal will disguise himself as someone you trust – perhaps a policeman – exposing you to a social engineering attack. What about white-listing the “known good”? (The term itself ought to ring alarm bells). Can you imagine a starker showcase of its failure than the current US problem of police overreach? There is no such thing as “known good” – only “known privileged – and vulnerable to attack”.
Hardware-enforced least-privilege: Bromium enforces least privilege isolation on a per-task basis using endpoint CPU virtualization to ensure that there is no way for malware to access information, credentials, devices, networks or sites that it shouldn’t. This gives us the most rigorous enforcement mechanism possible. Users can safely access untrusted networks, sites and edit untrusted files. If one of them turns out to be nasty, it’s a “don’t care” – there’s nothing to steal, no user identity, credentials, or files are available, and the attacker cannot pivot to attack high value networks or sites. More importantly, the endpoint is protected from breach by the CPU enforced isolation of a micro-VM.
This may appear to cast trust in a binary light. What about relative trust – the tax form that I download, save, repeatedly edit and then submit? Relative trust requires that I disclose only the specific required/relevant information in a particular context, but not that I trust the document just to edit it. Bromium allows you to repeatedly edit and save an untrusted document – each time in a new micro-VM – without ever having to trust it (elevating its privileges and enabling an attacker to steal information). Forcing the user to trust, just to be productive, is bad design. Micro-virtualization solves this problem elegantly.
What about the over-trusting (or even malicious) user, who tries to place high-value information in an untrusted context – for example attaching a corporate file to a gmail? Data Loss Prevention policies state what information a user can paste/attach/upload/enter into an untrusted context and are enforced by the Microvisor.
And what of evaluating trustworthiness? Recall that a fundamental requirement in any system based on least privilege is an ability to evaluate and react to any “breach of trust”. Once again micro-virtualization offers an elegant solution: Unlike our human experience, and unlike today’s computer systems in which a successful breach gives the attacker full access to privileged information, the hardware confines of a micro-VM are perhaps 100,000 times more difficult to compromise than software based isolation. So instead of trying to detect an attack before it occurs, we can simply let the user get on with her task, and if an attack occurs, it will be obviously malicious. Because the isolated environment executes copy-on-write, we have full forensics and can provide detailed information about the attack.
We think it’s important to hold security vendors accountable: Ditch marketing BS in favor of defensible design and rigorous evaluation. Bromium uses virtualization backed security to make endpoints more secure by design. “Maybe” tools like next-gen AV can only hope to stop an unknown attack – but 99% of malware morphs into new, unknown variants in under a minute.
To highlight this we challenged attendees at InfoSec London to bring their own malware to the show. If it bypassed Bromium, they’d win £10K. In two days we safely browsed to over 4,800 sites, and opened more than 1,500 documents and attachments. Our unpatched, Bromium-protected endpoints withstood 189 attacks, of which 10 were unknown to Virus Total. Researchers from an AV vendor even downloaded a custom attack that evades detection – and also failed to breach us.
Other vendors won’t publicly expose their products to unknown malware, because they just don’t know if they work.
Bromium doesn’t demand a leap of faith. Our product increases cost to the attacker by reducing the attack surface of the endpoint. But how can you be sure we’ve done a good job? We think you shouldn’t have to trust us. Each year we commission source code reviews and pen-tests by highly respected research organizations, and encourage our customers to conduct their own. None has ever surfaced any substantive issues.
This year we went a step further and quietly started to work with a few white hats. And though we were surprised when Tavis Ormandy (@taviso) of Google claimed he had identified two bugs that let him escape micro-VM isolation, I was quietly rather pleased. Tavis is one of the most respected ethical pen testers – and we hadn’t even given him our product! He willingly shared his findings and we spent a busy week validating them and discussing solutions with him. He was both gracious and helpful – and always impartial and data driven. The experience reaffirmed our commitment to an open engagement with the white hat community.
We will disclose details of what he found, after a 30 day embargo to allow our customers to patch. But there are some interesting facts we can share:
- Tavis found a bug in an early build of vSentry 3.1 with support for an old version of Chrome that was sent to a customer to evaluate a feature, and mistakenly uploaded. A skilled attacker armed with a chain of additional bugs could exploit our bug to achieve code execution in the host Chrome browser.
- Fortunately, in a typical Bromium production deployment the Bromium Enterprise Controller automatically updates Chrome protection via “App Packs” soon after Google releases a new version. Recent Bromium Chrome App Packs, for example, fix the known bugs you’d need to be able to exploit our bug.
- The same underlying issue was also present in our protection for IE. Again, fortunately, a typical Bromium deployment configuration mitigates this bug.
- We have verified that the machines we used at InfoSec could not have been breached because of the security policies and configuration applied, which were typical of a real-world deployment.
Bromium does not yet have a bug bounty program, and our terms for the challenge were specific to the product version and policies used at InfoSec. But we are nonetheless indebted to Tavis for his important contribution to our product. Bromium will pay him £10K, which he has stated he will donate to Amnesty International. Independently, as an acknowledgement of his sheer professionalism and as testament to his awesome white-hattery, I have personally matched the Bromium award with a donation in Tavis’s honor, as shown below (close to £10K at last week’s exchange rate). We are investigating the best way to properly run a bug bounty program, and won’t pay any further bounties (for any version of our product) until we have one set up.
We think it’s time security vendors are held accountable for their promises: Ditch marketing hyperbole in favor of defensible design and rigorous evaluation. We want to draw a bright line between technologies – like Bromium – that make endpoints more secure through careful design and rigorous testing, and “maybe” technologies – like next-gen AV – that can only be evaluated with yesterday’s attacks – when 99% of today’s malware morphs into new, undetectable variants in under a minute.
In this spirit we challenged attendees of InfoSec Europe last week to bring their own worst malware to the show. If it could bypass Bromium isolation and compromise an endpoint, they’d win £10K. No other security vendor would dare to expose itself like this, because they just don’t know if their products work. They may not even detect known bad. Bromium defeated every attack offered at InfoSec, including crypto-malware, the Black Energy attack on the Ukrainian power grid, and malware hand-crafted by legacy endpoint security competitors. Perhaps as importantly, we delivered detailed forensics for each attack – even those that were unknown to Virus Total – on the show floor.
Defensible design substantially increases the cost to the attacker. It does not mean “perfect”. When we launched the challenge I said: “I want to be clear that we don’t think our product is unbelievable or even unbreakable. It’s just damn good.” All this is simply an effort to better protect our enterprise customers and their IP. But you don’t need to believe me. We welcome independent scrutiny and validation. In each of the past 5 years we have given our product and source code to many of the world’s best pen-testing organizations to validate.
The InfoSec Challenge was also a first step toward engaging with the white hat security community. Last week we also benefited from the rigorous testing of one of the world’s best, Tavis Ormandy of Google, who found a legitimate bug in our product. We are grateful, and are working with Tavis to ensure that he confirms that we’ve fixed it. As a result our product is better than it was before.
Why Bromium is Different
AV tries to protect each endpoint by detecting an attack. It tries (and often fails) to detect and protect each endpoint independently of all other endpoints, based on signatures from the vendor. This model is dead. Detection will fail at some point, giving an attacker the foothold he needs. More importantly, compromising a single endpoint is just a step on the path to an enterprise breach. Bromium Advanced Endpoint Security (AES) is different. It is an enterprise protection platform. Bromium AES:
- Reduces the attack surface of each endpoint; and
- Continuously monitors and correlates execution activity across all endpoints to reduce the enterprise attack surface.
Assuming that there will always be application and OS vulnerabilities, Bromium AES always increases the cost to the attacker by massively reducing the attack surface of each endpoint. We do this by:
- Hardware isolating user- and kernel-mode execution of each untrusted application task – in a micro-VM
- Ensuring that high-value information (IDs, credentials, networks, sites and files) is not available in a micro-VM
- Enabling persisted untrusted files to be safely accessed in isolation, in a micro-VM
- Discarding each micro-VM when the user closes the task, eliminating persistence and unwanted side-effects
- Continually monitoring each micro-VM and the host OS for signs of a breach, from the tamper-proof perspective of the Microvisor.
All with few or no changes to the user experience.
More importantly, it is time to move beyond a model where we bet the security of the enterprise on the security of a single endpoint. Instead we need to embrace a system in which endpoints collaborate to enhance enterprise-wide protection, detection and response. Even if a single endpoint is compromised, the system will detect the breach and automate a response, reducing the enterprise attack surface:
Protection is not based on detection. It’s always there. And when an endpoint identifies malicious or suspicious activity in a micro-VM or the desktop host, it shares this information in real time with the Bromium Enterprise Controller (BEC), which correlates execution activity across all endpoints to accelerate response.
Dark Reading recently published an article by Bromium’s Vadim Kotov, a senior security researcher on our Labs team. In the article, Vadim outlines whether medical devices are really at risk of being targeted by ransomware.
Key points from Vadim’s article include:
Laptops, tablets, phones, and other devices have screens, but pacemakers don’t, meaning a ransomware attack will require multiple stages. A “smart” pacemaker will probably be controlled by a computer or phone, so the attacker will need to go through these steps: first, hit a device with a display screen; second, perform additional reconnaissance and determine whether it has any IoT devices connected to it; third, lock the IoT devices found; and then finally, pop a ransom note to the user of that computer or phone.
It’s unclear if ransomware attacks on medical devices are viable. While it’s likely some criminals will eventually try to infect IoT devices with ransomware, it’s debatable whether it will reach the scale of current PC ransomware. Microsoft found ransomware is not as prevalent as other types of malware, which contradicts the ICIT report.
Ransomware hasn’t conquered the PC world, but it’s bringing enormous profits to authors. Does this mean the underground economy is in balance and we should not expect it to shift significantly to hit IoT, particularly pacemakers, anytime soon?
With ransomware hitting increasingly important targets, I can’t help but wonder if IoT devices will be next. I don’t think that’s going to come anytime soon. Though researchers have shown that a host of connected medical devices can be hacked, it’s another thing to hold data for ransom. Either way, it’s time to pay closer attention to the security of all connected devices.
You can read Vadim’s full article on the Dark Reading site here.
At Bromium we are getting a little tired of the “unbelievable” claims of Next-Gen AV vendors selling the modern day equivalent of snake-oil. So we decided to invite you to help. We invite you to bypass Bromium and other endpoint protection products at Infosecurity Europe 2016. If you can break them, you get applause and a gift card. (We do it all the time.) If you breach an endpoint protected by Bromium you’ll get £10,000 and we’ll put out a press release thanking you for your heroic efforts and congratulating you on your hack.
We’re going to sweeten the pot a bit: You can bring whatever you’d like, or email it to us, or download it at the show. No protection products or filters will stand in your way. Better still, the PCs in our stand are unpatched Windows 7 devices with vulnerable Java, Flash and Office apps so you can be sure your exploit will run. We’re even publishing the technical specs of the endpoints you need to breach, here.
I want to be clear that we don’t think our product is “unbelievable” or even unbreakable. It’s just damn good. It will take a hero like you to bypass Bromium, and we want to celebrate the heroes that work to keep enterprises secure – even though you have to use products from vendors that promise to secure you, but don’t.
We’d also like to ask you a favor: We’d like you to bring your own malware, and to challenge us and every other vendor at InfoSec to run it, on the spot. If they won’t, simply say “unbelievable” and head on back to Bromium for your gift card, and pat on the back. I’ll buy you a pint and we can exchange war stories from the front lines of infosec.
You Already Have Next-Gen AV – and it isn’t working
Today, more than 99% of malware morphs into new, undetectable variants in under a minute, making it impossible to detect before it executes. Vendors that say otherwise are simply lying. The cybersecurity industry continues to peddle false promises and failed technologies that don’t protect customers from today’s attacks. Our goal with the Bromium Bring-Your-Own-Malware Challenge is twofold. First, allow IT security professionals to see for themselves the mind-blowing protection that micro-virtualization offers. We also want to shine a bright light on the false claims of other endpoint vendors, whose ‘detect to protect’ promises are bogus.
To participate, stop by the Bromium stand at InfoSec Europe (B220) with malware of your choosing or participate remotely by uploading the malware to our servers. Bromium will also provide real-time analysis of submitted malware to help you understand its methods and vulnerabilities. For technical details and conditions of the challenge please visit www.bromium.com/challenge.
If you survived the frothy clamor of RSAC16 you certainly left confused by the breathless promises of the 600 or so would-be cybercorns on the show floor. The security industry has reached a new crisis point: We are out of words! The security lexicon is exhausted so vendors are making ever more absurd claims. My favorites: “Machine Learning allows us to analyze all changes in behavior and predict risks and breaches before they happen”, and “Complete unified threat management and protection for your network, web, email, applications, and users”.
The cyber-meme has peaked, and the cold hard light has begun to sober up investors whose heady enthusiasm led to a profusion of new companies, each of which would definitely have stopped the Target hack. Now, just a few weeks later, as evidence mounts that the bubble has burst, boards are warning their companies to prepare for a storm. Silicon Valley can create unicorns, but they need too many VC rainbows to survive.
How did we end up here, and what does this mean for the security market?
The narrative of the industry has been increasingly dominated by those who stand to profit most from a message of doom and gloom. The press feeds on stories of breaches and pwnage. Vendors are complicit, and analysts fan the flames: Markets and Markets recently predicted that the cyber-security market will grow from $106.32 Billion in 2015 to $170.21 Billion by 2020, a Compound Annual Growth Rate (CAGR) of 9.8%. Investor mania has led to what BTIG refers to as the “Game of Clones” – a flood of “me too” vendors, over 90% of which have revenues under $20MM. CISOs tell me that they receive upwards of 25 unsolicited calls per day from vendors peddling nichey products, each of which needs to be evaluated, deployed, managed and maintained through its costly life-cycle.
Even if the market grows as predicted, the funding famine will cause many unprofitable companies to fail or pivot into services – only firms that are delivering value will survive. But I’m not of the view that the market will grow as predicted. There is a common flaw in such analyses, namely an assumption that enterprises will remain as vulnerable as today, over time. This is wrong. The rapid adoption of cloud computing will eliminate much of the traditional security market opportunity. Hybrid and public clouds are more secure (through better design) than traditional data centers. Cloud services also reduce the need for traditional security products. For example, if you adopt Office 365, you don’t need a “secure email gateway” – email security is a feature of the cloud service. If you adopt Azure AD, not only is the AD forest more secure, but in addition Microsoft can help identify credential misuse. On the endpoint, Windows 10 as a Service forces enterprises to keep current on patches, reducing the opportunity for attackers, and the OS benefits from virtualization based security and many other security enhancements. In summary, adopting new infrastructure will improve security more than any vendor widget could, and ought to reduce your overall spend over time. The market will grow, but in different ways: the broad adoption of connected / IoT capabilities in mainstream enterprises is a good example of a new market, with its own vulnerabilities and threats. Don’t expect Anti-Virus for your smart door lock though.
So, as we put the unicorns out to pasture, what does the market and opportunity look like? Enormous. The bad guys haven’t stopped hacking. Customers have an urgent need to stop breaches and quickly identify targeted attacks without haystacks of false alerts. That it is possible to secure an endpoint without any legacy network tools, or “detect to protect” tomfoolery is quite revolutionary, and Bromium customers appreciate being breach free. Revolutionary tech need not be mythical, expensive, or imaginary, like the unicorn.
Another RSA Conference is in the books and with it concludes Bromium’s annual State of Security Survey. The size of RSA Conference 2016 echoed the continued growth of the security industry with more than 500 companies exhibiting. There were many conversations about many security threats and solutions; of course, Apple and the FBI have been thrust front and center.
Bromium surveyed 100 RSA attendees in an effort to understand some of the attitudes, opinions and trends among security professionals. In some cases these questions repeated similar questions asked at previous conferences; in other cases they highlighted more recent trends.
Bromium will be publishing a full report in the coming weeks, but in the interest of timeliness has shared the following results today:
First, Bromium asked “Are users your biggest security headache?” In previous surveys, nearly three-quarters of security professionals said “yes.” This trend continued at RSA Conference 2016 with 70 percent responding in the affirmative.
Next, Bromium asked RSA attendees to identify the source of their greatest security risk. In the past, Bromium determined that endpoint risk is five times greater than network or cloud. This trend continued at RSA Conference 2016: the endpoint remained the source of the greatest security risk (49 percent).
Bromium asked RSA attendees how quickly their organization implements patches for zero-day vulnerabilities. Fifty percent implemented patches in the first week, but more than a quarter took more than a month, results similar to Bromium’s Black Hat survey. It’s interesting to note the similarity between these initial results, as it lends more significance to the statistics.
In an effort to understand more recent trends, Bromium asked RSA attendees if they or anyone they know had been infected with ransomware. It was a pretty even split: 49 percent said yes and 51 percent said no.
The launch of Windows 10 is another recent trend. Bromium determined 65 percent of RSA attendees have plans to evaluate or deploy Windows 10 in the next 12 months. However, it seems the industry still requires more education about the operating system.
When asked to identify which Windows 10 security feature would be most effective at combating cyber attacks, more than a quarter (27 percent) had no response. Among RSA attendees that did respond, nearly one-third (30 percent) selected Microsoft Passport (two-factor authentication) and more than a quarter (27 percent) selected Device Guard (virtualization-based security that only runs trusted applications).
Bromium asked RSA attendees to identify the most effective aspect of a cyber security architecture; 64 percent selected prevention as the most effective aspect of a cyber security architecture.
Conversely, Bromium asked RSA attendees to identify the least effective aspect of a cyber security architecture; 47 percent selected remediation and 36 percent selected prediction.
Finally, Bromium asked RSA attendees if Apple should comply with an FBI request to bypass the security of the Apple iOS. While a handful believe Apple should comply (or mentioned in conversation the issue was complex), overwhelmingly (86 percent) RSA attendees responded that Apple should not comply with the FBI. Clearly, the security industry is not comfortable with the weakening of security and privacy for a single case – once Pandora’s box is open, it can’t be closed.
It’s been almost five years since we launched Bromium at Structure 2011 – showing the world that we could use CPU virtualization to hardware-isolate individual OS tasks to enforce least-privilege separation. Our approach allows an un-patched / vulnerable endpoint (client, server, cloud) to protect itself, even on an unprotected network, by reducing the attack surface of the system by many orders of magnitude.
Today, as I unthinkingly click on links, docs and exes I will probably create and destroy 200 micro-VMs – each of which takes only a few tens of milliseconds to launch. Collectively Bromium users create and destroy tens of millions of micro-VMs per day – without knowing it. This is a rather arbitrary stat, but cool nonetheless. It’s probably close to the number of VMs booted and stopped in AWS in a day, and almost surely greater than the number in Azure or any other cloud. Quite an achievement, but we are a long way from done…
Our journey has taken a little longer than we thought it would, and has required our dev team to solve the fiercest of technical problems. But although micro-virtualization seemed like a crazy idea when we started, it is exciting to see the concept taking hold more broadly – with other vendors developing infrastructure abstractions that are philosophically aligned with our approach to using virtualization to enforce least-privilege. As we head into RSAC week, I want to use this blog to recap our approach and to showcase the work of other vendors & communities that are adopting light-weight “micro-virtualization” to solve problems in infrastructure security. Note that here I use the term “micro-virtualization” broadly – to mean lightweight, task-centric, hardware-isolated execution – and not to narrowly refer to Bromium’s use case or technology.
A working model for micro-virtualization
Micro-virtualization is a second-generation CPU virtualization technology that extends the isolation, control and security principles of hypervisor-based virtualization into an OS and its applications using CPU features for hardware virtualization to isolate individual application tasks or OS services. It provides a powerful hardware backstop for granular enforcement of generally accepted principles of separation by least-privilege, and reduces the attack surface of the system by taking advantage of an additional ring of hardware protection and the small code-base of a light-weight hypervisor that we call a Microvisor. Micro-virtualization can be used within the OS to protect high value services/data, and it can be added to an existing legacy OS+apps to isolate untrustworthy execution, such as tabs in a browser or documents. The Microvisor enforces least-privilege access control using hardware isolation. For example it can ensure that high-value files, networks, sites, shares and devices are not available to an untrusted, isolated task. This prevents an attacker from accessing valuable data, networks or sites, or accessing devices.
Micro-virtualization is simply an extension of well established principles of OS virtualization, and a traditional hypervisor can be augmented to support micro-virtualization. At Bromium we have augmented the Xen hypervisor, which we call uXen, to run both traditional VMs and hardware isolated tasks in micro-VMs.
A micro-VM is a hardware-isolated, least-privilege enforced execution construct that executes a component of an application (eg: a browser tab or a Docker container) or a component of an operating system (eg: Credential Guard in Windows 10). Unlike a user-mode “virtual container” or “sandbox”, a micro-VM supports execution of both user- and kernel-mode code – all of which is isolated from the rest of the system.
Micro-VMs execute in SLAT-isolated memory and are subject to least-privilege control for access to all system resources – including device access, networks, sites, files, shares and access to critical OS services. Least privilege is enforced by the Microvisor when a micro-VM attempts to access a resource, resulting in a hypercall. During this enforcement, micro-VM execution is paused by the CPU. Fortunately, micro-virtualization generally does not require changes to be made to the isolated applications or tasks, though there are some use cases (eg: Credential Guard in Windows 10) where a system is modified to take advantage of micro-virtualization.
On an end-user device, the user is unaware of the presence of the Microvisor or micro-VMs. In the cloud, micro-virtualization can be used to hardware-isolate and enforce mutual separation between application components or container-based applications. Other use cases follow.
For use cases where micro-virtualization is used to ensure safe execution of untrusted code, the execution within a micro-VM is copy-on-write. Any changes to user- or kernel-mode memory or to system state (eg: file system, registry) are made to efficiently managed local copies that are isolated in the micro-VM and discarded when the task terminates. This eliminates persistence for malware or unwanted side effects of execution.
For use cases where micro-virtualization is applied to isolate tasks or services of high value, eg: Credential Guard in Windows 10, the micro-VM need only provide simple API-level access to its protected service. Such micro-VMs typically have no need for device access, network services or access to the user desktop. They must be protected from DMA attacks using an IOMMU, limiting the applicability of this approach to modern systems that offer such protection. Their implementation is simple because they have no impact on end user workflows, and can be hidden within an operating system, but they are necessarily a designed-in feature of the system that requires source code access.
Finally, because each micro-VM executes only a single task the job of identifying malicious execution in a micro-VM is also dramatically simplified. Using Microvisor-based introspection it is easy to detect the side effects of malicious execution when an attack has actually executed, as opposed to trying to detect malicious software or activity before it executes its attacks. The net consequence is that micro-virtualization enables a detection system to eliminate false-negatives (since the micro-VM is always discarded) and to reduce the rate of false-positives by waiting for clear evidence of an attack. Finally, the CoW execution “diffs” capture all changes to memory, the file system, registry and even packets sent/received, facilitating a rapid forensic analysis of the execution context to identify relevant threat information.
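The working model above (least-privilege checks on every resource access, copy-on-write state that is discarded with the task, and a forensic diff of the side effects) can be made concrete as a small simulation. This is an added example, not Bromium’s or uXen’s code; the `Policy` fields, the `PERSISTENCE_KEYS` detection rule and the document scenario are constructed assumptions for illustration.

```python
# Added model (not Bromium's code): a micro-VM as a copy-on-write overlay over
# shared host state, with Microvisor-style least-privilege checks on each
# resource access and a forensic diff taken when the task is discarded.
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class Policy:
    """Least-privilege policy for one untrusted task (fields are assumptions)."""
    denied_paths: tuple = ()   # high-value files/shares never exposed to the task
    allowed_hosts: tuple = ()  # sites the task may contact; all others are denied


class AccessDenied(PermissionError):
    """Raised when the modelled Microvisor refuses a resource access."""


@dataclass
class MicroVM:
    task: str
    policy: Policy
    base_fs: dict                                    # host files, shared read-only
    base_registry: dict                              # host registry, shared read-only
    fs_overlay: dict = field(default_factory=dict)   # private CoW copies of files
    reg_overlay: dict = field(default_factory=dict)  # private CoW copies of keys
    connections: list = field(default_factory=list)
    denials: list = field(default_factory=list)      # refused accesses are recorded

    def _enforce(self, kind, name):
        """Model of the hypercall check the Microvisor makes on every access."""
        if kind == "file":
            blocked = any(fnmatch(name, p) for p in self.policy.denied_paths)
        else:  # network access is deny-by-default
            blocked = not any(fnmatch(name, h) for h in self.policy.allowed_hosts)
        if blocked:
            self.denials.append((kind, name))
            raise AccessDenied(f"{self.task}: {kind} access to {name} denied")

    def read_file(self, path):
        self._enforce("file", path)
        return self.fs_overlay.get(path, self.base_fs.get(path))

    def write_file(self, path, data):
        self._enforce("file", path)
        self.fs_overlay[path] = data  # the host copy is never modified

    def set_registry(self, key, value):
        self.reg_overlay[key] = value

    def connect(self, host):
        self._enforce("net", host)
        self.connections.append(host)

    def discard(self):
        """Task ended: capture the CoW diff for forensics, then drop all state."""
        diff = {
            "files": {p: d for p, d in self.fs_overlay.items()
                      if self.base_fs.get(p) != d},
            "registry": {k: v for k, v in self.reg_overlay.items()
                         if self.base_registry.get(k) != v},
            "connections": list(self.connections),
            "denials": list(self.denials),
        }
        self.fs_overlay.clear()
        self.reg_overlay.clear()
        self.connections.clear()
        self.denials.clear()
        return diff


# Constructed detection rule: side effects no benign document task should produce.
PERSISTENCE_KEYS = ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",)


def flag_breach(diff):
    """Reasons a discarded micro-VM's diff looks like an attack that executed."""
    reasons = []
    for key in diff["registry"]:
        if any(fnmatch(key, k) for k in PERSISTENCE_KEYS):
            reasons.append(f"persistence via registry: {key}")
    for path in diff["files"]:
        if path.lower().endswith((".exe", ".dll")):
            reasons.append(f"executable dropped: {path}")
    if diff["denials"]:
        reasons.append(f"{len(diff['denials'])} denied high-value accesses")
    return reasons


def run_untrusted_document():
    """Constructed scenario: the tax form from the post, edited in a micro-VM,
    then misbehaving. Returns (diff, breach reasons, untouched host files)."""
    doc = "C:\\Users\\alice\\Documents\\taxes.docx"
    cred = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Credentials\\cred"
    host_fs = {doc: b"form", cred: b"secret"}
    policy = Policy(denied_paths=("*\\Credentials\\*", "\\\\corp-fileserver\\*"),
                    allowed_hosts=("*.irs.gov",))
    vm = MicroVM("winword.exe: taxes.docx", policy, host_fs, {})
    vm.read_file(doc)
    vm.write_file(doc, b"form-edited")          # ordinary editing, CoW only
    for action in (lambda: vm.read_file(cred),  # both refused by policy
                   lambda: vm.connect("untrusted-host.example")):
        try:
            action()
        except AccessDenied:
            pass
    vm.write_file("C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", b"MZ")
    vm.set_registry("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd", "upd.exe")
    diff = vm.discard()
    return diff, flag_breach(diff), host_fs
```

The edited document survives only in the diff (a real deployment would persist it as an untrusted file), the host copy and credential store are untouched, and the persistence attempt is visible after the fact rather than needing to be predicted beforehand.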
Lessons We’ve Learned
- Hardware isolation is the industry’s most robust tool for protection: Using the endpoint CPU to enforce the principle of least privilege is the best way to protect against attacks on the OS or its applications. Software abstractions – “virtual containers” and other software based endpoint protection can typically be easily bypassed. At the end of the day the real problem is the reliance on only two rings of CPU protected execution by all widely used OSes. Virtualization in effect allows us to dynamically grab an additional hardware protection ring on the CPU, use it to granularly enforce least privilege separation on legacy, vulnerable OS and app stacks, and reduce the attack surface of the system to the Microvisor, which is many orders of magnitude smaller than the OS itself.
- Micro-virtualization can be deployed and managed at scale: Adding micro-virtualization to existing endpoints in the largest organizations has been challenging, but I’m proud to say we’re well on our way. We know the benefits that accrue: The endpoint protects itself “by design” on an unprotected network, running un-patched software, in the hands of a user who clicks on malware. The endpoint self-remediates and delivers precise, real-time forensics for each attack. Bromium receives reports daily of malware that bypassed millions of dollars of sophisticated network devices to face defeat in a simple micro-VM on the endpoint.
- Using micro-virtualization as an infrastructure building block to help secure endpoints by design – both clients and clouds – is both viable and within reach. It has the potential to revolutionize infrastructure security. We are still at the beginning of that journey but the benefits are incredibly powerful. Broader industry adoption of this technology/approach is required, and fortunately it is coming. Micro-virtualization is going mainstream: It’s been inspiring to see other vendors and communities build on the idea of ephemeral, hardware-isolated tasks/apps, to address a range of needs:
- Bromium has partnered with Microsoft to help harden Windows 10 using micro-virtualization “in the box”, but Microsoft is also focusing on other use cases – including the use of micro-virtualization for light-weight, hardware-isolated Hyper-V Containers on Windows Server 2016 and Azure.
- Windows 10 Credential Guard uses micro-virtualization to help prevent pass-the-hash attacks.
- CoreOS has followed Intel’s leadership in Clear Containers, embracing hardware isolation for containerized Docker workloads.
- VMware projects Lightwave/Photon promise a light-weight virtualization abstraction to hardware-isolate containers.
- Docker’s recent acquisition of Unikernel Systems raises the tantalizing prospect for tiny, ephemeral, secured containers as building blocks for secure infrastructure.
- Micro-virtualization revolutionizes detection: In the hardware-isolated confines of a micro-VM there is no need to detect malware before it executes – it is OK to just wait for it to execute and to “do bad”. It is easy to spot malicious execution and its results, and all side-effects of execution can be recorded – every packet, memory change, file or registry change. When malware executes the Microvisor can deliver precise detailed forensic information in real time, before simply erasing the micro-VM, eliminating persistence.
Virtualization is a fundamental infrastructure building block – for secure cloud and mobile endpoints – that offers enormous benefits. Hardware enforced execution isolation improves security far more than any other technology. There is a fundamental IT lesson here: You should move forward fast. Adopt virtualization everywhere – clouds and clients, segment your networks, distrust your endpoints, assume your network is indefensible and that your users will click on bad stuff.
If you’d like more information or a demo, please reach out to me directly
Today we announced Bromium Advanced Endpoint Security, a product designed to protect enterprises throughout the threat life cycle. It includes our unparalleled ability to defeat undetectable attacks using micro-virtualization, introduces continuous endpoint monitoring for detection, and offers a powerful set of analytical tools to aid response. It enables security teams to quickly analyze their endpoint security threat posture and quickly respond to any attacks, with powerful tools for automatic remediation and an ability to quickly search for impact across all endpoints. Endpoints protected by Bromium AES collaborate in real time, sharing information about new attacks to enable rapid enterprise-wide protection.
This post provides a summary of our motivations and briefly describes the new features.
In its 2015 Data Breach Investigations Report, Verizon noted:
- Over 90% of breaches began with an end user mistake.
- Over 90% of breaches resulted from malware that took advantage of a vulnerability for which a patch had been available for over a year.
- In over 70% of the 2,100 breaches studied the malware used was unique to the targeted organization.
Humans will continue to click. It is unreasonable to expect endpoints to always be patched or to have no legacy dependencies. Therefore they will be vulnerable. And today’s attacks are unlikely to be detected by network or endpoint security tools.
The Need: Protect, Detect and Respond
Gartner recommends two key solution components to address the challenge of targeted attacks: Tools that allow the security team to continuously monitor endpoints to detect and quickly respond to a breach in progress, and isolation to block and detect unknown attacks, as a complement to existing endpoint protection platforms. Bromium Advanced Endpoint Security includes features that address both needs:
- Endpoint Protection: AES uses endpoint CPU micro-virtualization to hardware-isolate each untrusted web site, document or executable to defeat attacks from the web, email, social media and USB. Endpoints are protected on untrusted networks, even if they are unpatched, and automatically self-remediate when attacked. Isolated malware cannot compromise the endpoint, steal data, or access the enterprise network or high value sites.
- Endpoint Monitoring of both the endpoint host OS and each hardware-isolated task, to deliver task-centric detection of any malicious execution. AES records comprehensive forensic intelligence for each endpoint attack, auto-correlating low-level endpoint events to deliver the detailed forensic information that security teams need to respond quickly. Bromium Endpoint Monitoring (BEM) does not require that the endpoint CPU support hardware virtualization.
- Threat Analysis: AES leverages real-time events from Endpoint Monitoring agents, together with intelligence from a Bromium-operated threat cloud service, to deliver real-time forensic detail for each attack with low false positives. Bromium Threat Analysis (BTA) also gives each AES-protected endpoint the ability to check all activity against a list of “known-bad” attacks as well as locally (organization-specific) detected attacks. Via BTA, endpoints collaborate to share information about newly detected attacks.
A Bromium AES protected endpoint:
- Hardware isolates each attack, without any need for signatures,
- Defeats the attack, preventing the attacker from gaining access to any valuable data,
- Prevents the attacker from gaining access to high value networks or sites,
- Shares detailed attack forensics with other endpoints so they can protect themselves, and
- Automatically self-remediates, erasing the attack from the endpoint
The product supports Windows 7, 8 & 10 and introduces endpoint protection for the first time for Mac OS X endpoints.
New: Endpoint Monitoring
Bromium Endpoint Monitoring (BEM) is new to this release together with enhanced tools for threat analysis. These provide real-time detection of malicious activity using introspection to observe execution both within each micro-VM and the endpoint host operating system, and provide live visualization and analysis of attacks using Bromium Threat Analyzer (BTA). The solution includes an ability to search endpoints in real-time for IOCs.
- Real-time detection: As an attack is executing on the endpoint (within a micro-VM or on the host OS), the monitor alerts the Bromium Endpoint Controller that an attack is in progress and provides detailed real-time forensic data that allows the attack to be visualized in increasing detail using Bromium Live Attack Visualization and Analysis (LAVA).
- Low TCO: Unlike so-called “big-data” monitoring solutions that collect vast amounts of data of questionable value in a centralized data store, BEM does not require investment in substantial server resources for endpoint monitoring data. Detection and event correlation are achieved on the endpoint itself.
- Tamper-proof monitoring: Existing endpoint security solutions run as software agents within the OS kernel, and on a compromised endpoint they can be disabled by malware. BEM can use the Microvisor to make itself invisible to the host operating system and to malware running there.
- Improved detection due to context: BEM correlates low-level monitoring data collected, on the endpoint itself, to create an application flow that ties the events together into a graph. By observing the entire application flow BEM has a rich context for detection and dramatically reduced false alerts.
- Simple analysis: On seeing malicious behavior, BEM can present the entire Application Flow to the SOC admin, providing a complete view of the attack that ties together thousands of low-level monitoring events. This saves a great deal of analyst time; with competing solutions the SOC admin may have to perform that correlation manually across thousands of events.
- Customizable threat model: BEM allows the threat model to be customized, so that large enterprises or government agencies can specify their own rules to flag malicious behavior. The threat model is applied in real time to the Application Flow to identify malware.
- Easy deployment: BEM can be deployed to monitor all applications on the endpoint, or only selected applications that pose a higher risk. This lets the enterprise deploy the solution incrementally, for example by monitoring only non-internal applications and thereby avoiding any risk of false positives from internal applications.
- “Trust but verify”: If your organization allows users to trust documents, sites or executables they access/download, the content will always first be executed in a micro-VM. If no malicious activity is detected it is still not possible to state with certainty that it is benign. Instead it is dynamically added to a “verify” list that is continually monitored whenever it is executed, lest malware emerge later.
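The Application Flow graph, the rule-based threat model and the known-bad check described in the list above can be illustrated end to end. This is an added example, not BEM or BTA code: it builds a process tree from a handful of constructed endpoint events (a user opening an invoice document that launches a script host, which drops and runs a payload), then applies three assumed rules to the whole flow rather than to each event in isolation. Event field names, the rules, the hash values and the known-bad list are all assumptions made for the demonstration.

```python
"""Toy application-flow correlation over constructed endpoint events.

Added example, not Bromium's BEM: low-level events are joined into a
process-tree graph and a small, customizable rule set is evaluated over
the graph, so a single event (powershell.exe starting) is judged in the
context of its ancestry and its children.
"""
from collections import defaultdict

# Constructed sample events for one task: the user opens "invoice.doc".
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "sha256": "a1"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe",    "sha256": "b2"},
    {"type": "file_write", "pid": 200, "path": "C:\\Users\\u\\invoice.doc"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe", "sha256": "c3"},
    {"type": "network", "pid": 300, "dst": "203.0.113.7", "port": 443},
    {"type": "file_write", "pid": 300, "path": "C:\\Users\\u\\AppData\\Roaming\\x.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "x.exe",          "sha256": "deadbeef"},
]

KNOWN_BAD_HASHES = {"deadbeef"}   # constructed "known-bad" IOC list

DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


class ApplicationFlow:
    """Process tree plus per-process activity, built from raw events."""

    def __init__(self, events):
        self.procs = {}                      # pid -> process-start event
        self.children = defaultdict(list)    # pid -> [child pids]
        self.activity = defaultdict(list)    # pid -> [file/network events]
        for ev in events:
            if ev["type"] == "process":
                self.procs[ev["pid"]] = ev
                self.children[ev["ppid"]].append(ev["pid"])
            else:
                self.activity[ev["pid"]].append(ev)

    def ancestors(self, pid):
        """Image names of all known ancestors, nearest first."""
        out = []
        while pid in self.procs:
            pid = self.procs[pid]["ppid"]
            if pid in self.procs:
                out.append(self.procs[pid]["image"].lower())
        return out


# Rules: each receives the flow and a pid and returns an alert string or None.
def rule_doc_spawns_script_host(flow, pid):
    img = flow.procs[pid]["image"].lower()
    if img in SCRIPT_HOSTS and any(a in DOCUMENT_APPS for a in flow.ancestors(pid)):
        return f"{img} launched from a document application (possible macro malware)"
    return None


def rule_script_host_drops_and_runs(flow, pid):
    img = flow.procs[pid]["image"].lower()
    if img not in SCRIPT_HOSTS:
        return None
    dropped = {e["path"].rsplit("\\", 1)[-1].lower()
               for e in flow.activity[pid] if e["type"] == "file_write"}
    for child in flow.children[pid]:
        if flow.procs[child]["image"].lower() in dropped:
            return f"{img} wrote and then executed {flow.procs[child]['image']}"
    return None


def rule_known_bad_hash(flow, pid):
    if flow.procs[pid]["sha256"] in KNOWN_BAD_HASHES:
        return f"{flow.procs[pid]['image']} matches a known-bad hash"
    return None


RULES = [rule_doc_spawns_script_host, rule_script_host_drops_and_runs, rule_known_bad_hash]


def analyze(events, rules=RULES):
    """Evaluate every rule against every process in the flow; return (pid, alert) pairs."""
    flow = ApplicationFlow(events)
    alerts = []
    for pid in flow.procs:
        for rule in rules:
            msg = rule(flow, pid)
            if msg:
                alerts.append((pid, msg))
    return alerts


if __name__ == "__main__":
    for pid, msg in analyze(EVENTS):
        print(pid, msg)
```

Run against the constructed events, the analysis raises three alerts, all on the two processes descended from the document (the script host and the payload it dropped); the first three events alone, a document application writing a file, raise none. Replacing or extending `RULES` is the customization point that the threat-model bullet describes, and the hash rule is the simplest form of the known-bad check.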
Bromium Advanced Endpoint Security integrates unparalleled technology that allows enterprises to address two critical endpoint security needs:
- Continuously monitor endpoints to detect and quickly respond to a breach in progress
- Protect endpoints by design from undetectable targeted attacks using micro-virtualization to isolate, block and detect malware, as a complement to existing endpoint protection platforms.
Bromium Endpoint Protection turns the security problem on its head: It eliminates the need to “detect to protect”, because it protects the system by design. Clicking on a poisoned attachment is not a risk – a compromised task will simply be discarded when the user closes the application. Users can safely click on anything – and even when they make a mistake the system will defend itself. You can stop mandating new controls on the endpoint that hamper users, and rely solely on endpoint hardware to protect the endpoint from compromise.
Bromium Endpoint Monitoring continuously gathers low-level event data from every endpoint, introspecting the OS and each hardware-isolated task. This data is fed back to Bromium Threat Analyzer, which immediately alerts the security team when malware executes at the endpoint, providing comprehensive forensic detail for each attack. Instead of aggregating large volumes of data in a server-side big-data store, BEM performs event correlation on the endpoint, dramatically reducing the volume of monitored data. The solution permits security teams to search for IOCs and presents low-false-positive data to Bromium Threat Analyzer for any malware that executes on the endpoint, for example for a breach in progress. When monitoring isolated tasks, BEM can wait until malware strikes because the system is protected from attack, all the while gathering detailed insights into its behavior. Finally, malware that attacks an endpoint is automatically remediated when the user closes the task. The endpoint is secure, even when running un-patchable legacy software.
Drop me a note if you’d like to learn more.
It has been said that those who fail to learn from history are doomed to repeat it. With that in mind, Bromium Labs today has published “Endpoint Exploitation Trends 2015,” a research report that analyzes the ongoing security risk of popular websites and software. The report highlights that software vulnerabilities and exploits in popular applications spiked in 2015 with vulnerabilities increasing nearly 60 percent and Flash exploits increasing 200 percent. The report also highlights common attack trends, including the resurgence of macro malware, the continuous growth of ransomware and the ubiquitous presence of malvertising.
Adobe Flash vulnerabilities and exploits are nothing new, but the spike in 2015 was noticeable. The continuous growth of malvertising is also noteworthy, with malvertising attacks detected on more than a quarter of the Alexa 1,000. Currently, Flash exploits and malvertising go hand in hand, so this trend shows how two vulnerable systems can be attacked together to compromise an end user or an enterprise.
Flash is widely used – although we may be witnessing the slow death of Flash – which is one reason we see so many exploits and vulnerabilities for it. The second reason is that attackers tend to focus on the weakest link: as Internet Explorer and Windows have improved their attack mitigations, attackers have been driven to more easily exploitable technology, such as Flash.
Interestingly, as systems have become more advanced and secure, many attackers are relying on a dated technique, macro malware, which masquerades as a legitimate document, such as an invoice or tracking number. Macro malware requires the user to launch the attack, so these documents are spammed through phishing emails. The malware itself is obfuscated within large bodies of code pulled from legitimate projects, making it difficult for signature analysis to detect the attack.
Not all attackers are relying on these dated attacks; we have witnessed the explosive growth of ransomware, which has increased 600 percent since 2013. Not only is this a common attack vector, but it continues to evolve. Most recently, we have witnessed ransomware “as a service” that enables an attacker to obtain ransomware for free by agreeing to share the profits with its creator. Ransomware is distributed through every possible attack vector, from email spam and macro malware to drive-by downloads and malvertising.
In conclusion, the Bromium Threat Report “Endpoint Exploitation Trends 2015” highlights how attackers continue to use whatever attack works best, old or new. The spike in software vulnerabilities and exploits should be a first step for security teams to address; patching vulnerable machines has never been more urgent. With the rise in macro-malware, it is imperative to re-educate users about phishing emails. Hackers will attack the weakest point they can find, so security teams must adapt to remain secure. The most important thing to realize is that malware is hiding in plain sight: it is spammed through email as malicious documents and embedded in advertisements in some of the most popular web sites on the Internet.
Given this, it’s easy to see that the more software introduced into a network, the greater the attack surface becomes. Any successful security solution must fundamentally change the way security is provided by reducing the attack surface and decreasing software surface areas for attack.