“Gartner projects that half of enterprises will have started Windows 10 deployments by January 2017, with many enterprises planning to begin pilots for Windows 10 in the first half of 2016 and broadening their deployments in the latter part of the year,” according to an article in Information Week.
This aligns with trends in managing enterprise desktop computing that are striving to keep up with diverse business requirements while fighting a security landscape that sees hundreds of Indicators of Compromise (IOC) every day.
The good news is that Windows 10 comes with a lot of promises for enterprise and government customers, particularly when it comes to security (read our take from Nov 2015). One of the major advances is in OS security: Microsoft has added Virtualization-Based Security (VBS), which uses the hypervisor to isolate security-critical components, such as credential storage and code-integrity enforcement, from the rest of the running OS.
Microsoft is working to improve security.
Dan Allen is well known to those in the Citrix, VMware and Microsoft EUC communities as a rock-star EUC architect and performance engineer, having implemented some of the world’s largest and most complex TS and VDI deployments. Dan runs the Bromium field engineering team and has successfully implemented Bromium in our largest deployments. He has recently focused on optimizing the performance of our micro-virtualization support for Firefox, and passed on these insights. Since he’s elbow-deep in customer deployments, I’ve posted this for him.
Who wants faster Firefox? Everyone!
We know that ad blocking can dramatically increase performance and improve user experience, while reducing the CPU and memory overhead of the browser. In a Bromium-secured environment, many customers use ad blocking as a way to further enhance security and improve privacy, and their users certainly appreciate the performance improvements that result. This is particularly important in VDI environments and on endpoints with relatively small memory configurations. Ad blocking also allows customers to increase the density of VDI desktops per server, because VMs no longer burn CPU and memory on useless ads.
Next week at Intel Developer Forum 2016 I will be demonstrating a prototype feature of the Bromium platform that leverages Intel Software Guard Extensions (SGX) to protect a user’s on-line credentials from theft. In this post I aim to briefly describe SGX and highlight its complementary use with micro-virtualization.
Today Bromium uses micro-virtualization to hardware-isolate end-user tasks that access untrusted content and the web, to protect the endpoint host OS. Although we monitor the host (desktop) for signs of compromise using the same LAVA technology that gives us precise forensics for introspection of micro-VMs, we have always wanted to enhance the protection of the host from (for example) east-west attacks. We want to protect high-value information on the endpoint (e.g. credentials) from theft using a clean, hardware-based capability that does not rely on detection, and SGX is a key technology that helps us to achieve this.
Bromium implements a security model as old as society itself, with two powerful new twists: CPU enforced least-privilege and relative trust. Recently I’ve been thinking about parallels between what we implement in technology and our own human nature. It turns out there are many similarities.
The Bromium architecture feels familiar because it is: In society we protect ourselves by relying on our own instincts and the collected learning of others. Relative trust is the loom that weaves together the threads of our relationships. As children we trust our families to care for us. Later we develop friendships, play on teams and become colleagues and parents. We trust those we depend on and collaborate with, and distrust others.
But trust is not binary. It is a sophisticated, personal and continually evaluated assessment of relative confidence: “Untrusted” does not mean “bad” – it just means “unknown”, and trust is highly context specific. When we entrust someone with important information, we lose control of it. Greater trust brings the benefits of a deeper relationship but leaves us more vulnerable. So we instinctively apply the principle of least privilege: We limit what we share based on context and what is needed. Relative trust helps us to manage least privilege to reduce risk.
Our desire for privacy is also framed by trust: We seek to retain control over information that could be used against us. We also know that our trustworthiness is continually evaluated by others, based at least in part on their observation of our respect for “the duty of trust” – confidentiality – which is so important that it is formalized in our legal system. As Einstein put it: “Whoever is careless with the truth in small matters cannot be trusted with important matters.”
Trust is life’s most important navigation aid. As we make our way through the world, our relationships and their trust dynamics inevitably change. But if we faithfully respect least privilege, we maximize our privacy and security as well as the security of those who trust us. It’s not perfect, but as the famous American novelist E.L. Doctorow put it: “It’s like driving a car at night. You never see further than your headlights, but you can make the whole trip that way.”
Least privilege and relative trust are instinctive foundations of human operational security. We dynamically evaluate trustworthiness to control our risk, and thereby maximize our security.
Bromium maps these concepts into technology to help each endpoint to defend itself, monitor its own health, and quickly share threat information with other endpoints in its “society” so that they too can better protect themselves.
Before I continue, it may be helpful to compare Bromium to today’s endpoint security tools: Blacklisting the “known bad” (like today’s AV) is the equivalent of a background check for a new employee – useful for weeding out convicted criminals. But it can’t help in your inescapable daily interactions with hundreds of people you don’t know and can’t check up on – the vast majority of whom will be benign. The list will always be out of date, but perhaps more importantly, a sophisticated criminal will disguise himself as someone you trust – perhaps a policeman – exposing you to a social engineering attack. What about whitelisting the “known good”? (The term itself ought to ring alarm bells). Can you imagine a starker showcase of its failure than the current US problem of police overreach? There is no such thing as “known good” – only “known privileged, and vulnerable to attack”.
Hardware-enforced least-privilege: Bromium enforces least-privilege isolation on a per-task basis using endpoint CPU virtualization to ensure that there is no way for malware to access information, credentials, devices, networks or sites that it shouldn’t. This gives us the most rigorous enforcement mechanism possible. Users can safely access untrusted networks and sites, and edit untrusted files. If one of them turns out to be nasty, it’s a “don’t care” – there’s nothing to steal, no user identity, credentials or files are available, and the attacker cannot pivot to attack high-value networks or sites. More importantly, the endpoint is protected from breach by the CPU-enforced isolation of a micro-VM.
This may appear to cast trust in a binary light. What about relative trust – the tax form that I download, save, repeatedly edit and then submit? Relative trust requires that I disclose only the specific required/relevant information in a particular context, but not that I trust the document just to edit it. Bromium allows you to repeatedly edit and save an untrusted document – each time in a new micro-VM – without ever having to trust it (elevating its privileges and enabling an attacker to steal information). Forcing the user to trust, just to be productive, is bad design. Micro-virtualization solves this problem elegantly.
What about the over-trusting (or even malicious) user, who tries to place high-value information in an untrusted context – for example attaching a corporate file to a Gmail message? Data Loss Prevention policies state what information a user can paste/attach/upload/enter into an untrusted context, and are enforced by the Microvisor.
And what of evaluating trustworthiness? Recall that a fundamental requirement in any system based on least privilege is an ability to evaluate and react to any “breach of trust”. Once again micro-virtualization offers an elegant solution: unlike our human experience, and unlike today’s computer systems in which a successful breach gives the attacker full access to privileged information, the hardware confines of a micro-VM are perhaps 100,000 times more difficult to compromise than software-based isolation. So instead of trying to detect an attack before it occurs, we can simply let the user get on with her task; if an attack does occur, its side effects inside the micro-VM will be obviously malicious. Because the isolated environment executes copy-on-write against the host’s state, every change the task makes is recorded, so we have full forensics and can provide detailed information about the attack.
We think it’s important to hold security vendors accountable: Ditch marketing BS in favor of defensible design and rigorous evaluation. Bromium uses virtualization backed security to make endpoints more secure by design. “Maybe” tools like next-gen AV can only hope to stop an unknown attack – but 99% of malware morphs into new, unknown variants in under a minute.
To highlight this we challenged attendees at InfoSec London to bring their own malware to the show. If it bypassed Bromium, they’d win £10K. In two days we safely browsed to over 4,800 sites and opened more than 1,500 documents and attachments. The unpatched, Bromium-protected endpoints withstood 189 attacks, 10 of which were unknown to VirusTotal. Researchers from an AV vendor even downloaded a custom attack that evades detection, and it also failed to breach us.
Other vendors won’t publicly expose their products to unknown malware, because they just don’t know if they work.
Bromium doesn’t demand a leap of faith. Our product increases cost to the attacker by reducing the attack surface of the endpoint. But how can you be sure we’ve done a good job? We think you shouldn’t have to trust us. Each year we commission source code reviews and pen-tests by highly respected research organizations, and encourage our customers to conduct their own. None has ever surfaced any substantive issues.
This year we went a step further and quietly started to work with a few white hats. And though we were surprised when Tavis Ormandy (@taviso) of Google claimed he had identified two bugs that let him escape micro-VM isolation, I was quietly rather pleased. Tavis is one of the most respected ethical pen testers – and we hadn’t even given him our product! He willingly shared his findings and we spent a busy week validating them and discussing solutions with him. He was both gracious and helpful – and always impartial and data driven. The experience reaffirmed our commitment to an open engagement with the white hat community.
We will disclose details of what he found, after a 30 day embargo to allow our customers to patch. But there are some interesting facts we can share:
- Tavis found a bug in an early build of vSentry 3.1 with support for an old version of Chrome that was sent to a customer to evaluate a feature, and mistakenly uploaded. A skilled attacker armed with a chain of additional bugs could exploit our bug to achieve code execution in the host Chrome browser.
- Fortunately, in a typical Bromium production deployment the Bromium Enterprise Controller automatically updates Chrome protection via “App Packs” soon after Google releases a new version. Recent Bromium Chrome App Packs, for example, fix the known bugs you’d need to be able to exploit our bug.
- The same underlying issue was also present in our protection for IE. Again, fortunately, a typical Bromium deployment configuration mitigates this bug.
- We have verified that the machines we used at InfoSec could not have been breached because of the security policies and configuration applied, which were typical of a real-world deployment.
Bromium does not yet have a bug bounty program, and our terms for the challenge were specific to the product version and policies used at InfoSec. But we are nonetheless indebted to Tavis for his important contribution to our product. Bromium will pay him £10K, which he has stated he will donate to Amnesty International. Independently, as an acknowledgement of his sheer professionalism and as testament to his awesome white-hattery, I have personally matched the Bromium award with a donation in Tavis’s honor, as shown below (close to £10K at last week’s exchange rate). We are investigating the best way to properly run a bug bounty program, and won’t pay any further bounties (for any version of our product) until we have one set up.
We think it’s time security vendors are held accountable for their promises: Ditch marketing hyperbole in favor of defensible design and rigorous evaluation. We want to draw a bright line between technologies – like Bromium – that make endpoints more secure through careful design and rigorous testing, and “maybe” technologies – like next-gen AV – that can only be evaluated with yesterday’s attacks – when 99% of today’s malware morphs into new, undetectable variants in under a minute.
In this spirit we challenged attendees of InfoSec Europe last week to bring their own worst malware to the show. If it could bypass Bromium isolation and compromise an endpoint, they’d win £10K. No other security vendor would dare to expose itself like this, because they just don’t know if their products work. They may not even detect known bad. Bromium defeated every attack offered at InfoSec, including crypto-malware, the BlackEnergy attack used against the Ukrainian power grid, and malware hand-crafted by legacy endpoint security competitors. Perhaps as importantly, we delivered detailed forensics for each attack – even those that were unknown to VirusTotal – on the show floor.
Defensible design substantially increases the cost to the attacker. It does not mean “perfect”. When we launched the challenge I said: “I want to be clear that we don’t think our product is unbelievable or even unbreakable. It’s just damn good.” All this is simply an effort to better protect our enterprise customers and their IP. But you don’t need to believe me. We welcome independent scrutiny and validation. In each of the past 5 years we have given our product and source code to many of the world’s best pen-testing organizations to validate.
The InfoSec Challenge was also a first step toward engaging with the white hat security community. Last week we also benefited from the rigorous testing of one of the world’s best, Tavis Ormandy of Google, who found a legitimate bug in our product. We are grateful, and are working with Tavis to ensure that he confirms that we’ve fixed it. As a result our product is better than it was before.
Why Bromium is Different
AV tries to protect each endpoint by detecting an attack. It tries (and often fails) to detect and protect each endpoint independently of all other endpoints, based on signatures from the vendor. This model is dead. Detection will fail at some point, giving an attacker the foothold he needs. More importantly, compromising a single endpoint is just a step on the path to an enterprise breach. Bromium Advanced Endpoint Security (AES) is different. It is an enterprise protection platform. Bromium AES:
- Reduces the attack surface of each endpoint; and
- Continuously monitors and correlates execution activity across all endpoints to reduce the enterprise attack surface.
Assuming that there will always be application and OS vulnerabilities, Bromium AES always increases the cost to the attacker by massively reducing the attack surface of each endpoint. We do this by:
- Hardware isolating user- and kernel-mode execution of each untrusted application task – in a micro-VM
- Ensuring that high-value information (IDs, credentials, networks, sites and files) is not available in a micro-VM
- Enabling persisted untrusted files to be safely accessed in isolation, in a micro-VM
- Discarding each micro-VM when the user closes the task, eliminating persistence and unwanted side-effects
- Continually monitoring each micro-VM and the host OS for signs of a breach, from the tamper-proof perspective of the Microvisor.
All with few or no changes to the user experience.
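As an added illustration (this is not Bromium code, and it is a deliberately simplified in-memory model rather than a hardware micro-VM), the following Python sketch shows the mechanics behind the list above and the copy-on-write forensics described in the earlier post on relative trust: a task’s view of the host is a least-privilege subset of files (here only files labelled untrusted; the credential store is never mapped in), every write lands in an overlay rather than the host, closing the task diffs the overlay for a forensic record, hands back only the files the user chose to save (still labelled untrusted, not promoted), and discards everything else. The host file tree, trust labels and paths are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample host file tree: path -> (trust label, content).
# Only files carrying the task's own label (e.g. downloads) are mapped into
# its view; credential material never is, so there is nothing to steal.
HOST_FILES: Dict[str, Tuple[str, bytes]] = {
    "Downloads/taxform.docx": ("untrusted", b"name:\nincome:\n"),
    "AppData/Local/cred.db":  ("high-value", b"corp\\alice:hunter2"),
    "Documents/plan.docx":    ("trusted", b"Q3 roadmap"),
}


def task_view(host: Dict[str, Tuple[str, bytes]], task_trust: str) -> Dict[str, bytes]:
    """Least privilege: a task only sees files that carry its own trust label."""
    return {p: data for p, (label, data) in host.items() if label == task_trust}


@dataclass(frozen=True)
class Change:
    path: str
    kind: str               # "created" | "modified" | "deleted"
    sha256: Optional[str]   # digest of the new content; None for deletions


class IsolatedTask:
    """Toy stand-in for a micro-VM: a copy-on-write overlay over a base view."""

    def __init__(self, base: Dict[str, bytes]):
        self._base = base                                  # never written to
        self._overlay: Dict[str, Optional[bytes]] = {}     # None marks a deletion

    def read(self, path: str) -> bytes:
        if path in self._overlay:
            data = self._overlay[path]
            if data is None:
                raise FileNotFoundError(path)
            return data
        if path not in self._base:
            raise FileNotFoundError(path)   # e.g. cred.db was never mapped in
        return self._base[path]

    def write(self, path: str, data: bytes) -> None:
        self._overlay[path] = data          # copy-on-write: base stays intact

    def delete(self, path: str) -> None:
        self._overlay[path] = None

    def forensics(self) -> List[Change]:
        """Diff the overlay against the base: every side effect the task produced."""
        out: List[Change] = []
        for path in sorted(self._overlay):
            data = self._overlay[path]
            if data is None:
                if path in self._base:
                    out.append(Change(path, "deleted", None))
            elif path not in self._base:
                out.append(Change(path, "created", hashlib.sha256(data).hexdigest()))
            elif self._base[path] != data:
                out.append(Change(path, "modified", hashlib.sha256(data).hexdigest()))
        return out

    def close(self, persist: Set[str]) -> Tuple[List[Change], Dict[str, bytes]]:
        """Record forensics, hand back only the files the user chose to save
        (they keep the task's trust label), then discard the overlay."""
        record = self.forensics()
        saved = {p: self._overlay[p] for p in persist
                 if self._overlay.get(p) is not None}
        self._overlay = {}                  # task discarded: no persistence
        return record, saved


def run_untrusted_edit() -> Tuple[List[Change], Dict[str, bytes], bool]:
    """Edit a downloaded form in isolation while 'malware' riding in the same
    task tries to read the credential store and plant a persistent DLL."""
    task = IsolatedTask(task_view(HOST_FILES, "untrusted"))
    form = task.read("Downloads/taxform.docx")
    task.write("Downloads/taxform.docx", form.replace(b"name:\n", b"name: alice\n"))
    task.write("AppData/Roaming/evil.dll", b"MZ...")      # attempted persistence
    try:
        task.read("AppData/Local/cred.db")                # attempted theft
        stole_creds = True
    except FileNotFoundError:
        stole_creds = False
    record, saved = task.close(persist={"Downloads/taxform.docx"})
    return record, saved, stole_creds


if __name__ == "__main__":
    record, saved, stole = run_untrusted_edit()
    for c in record:
        print(f"{c.kind:9} {c.path}  {c.sha256 or ''}")
    print("persisted:", sorted(saved), "credentials stolen:", stole)
```

Running it lists two forensic changes (the created DLL and the modified form), shows that only the form was persisted and that the credential read failed. The point of the model is the separation of concerns a micro-VM gives you: isolation is structural (the task never has the credential file to begin with), forensics falls out of the overlay diff rather than from a detection engine, and discarding the overlay makes the planted DLL disappear without anyone having to recognise it as malicious.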
More importantly, it is time to move beyond a model where we bet the security of the enterprise on the security of a single endpoint. Instead we need to embrace a system in which endpoints collaborate to enhance enterprise-wide protection, detection and response. Even if a single endpoint is compromised, the system will detect the breach and automate a response, reducing the enterprise attack surface:
Protection is not based on detection. It’s always there. And when an endpoint identifies malicious or suspicious activity in a micro-VM or the desktop host, it shares this information in real time with the Bromium Enterprise Controller (BEC), which correlates execution activity across all endpoints to accelerate response.
Dark Reading recently published an article by Bromium’s Vadim Kotov, a senior security researcher on our Labs team. In the article, Vadim outlines whether medical devices are really at risk of being targeted by ransomware.
Key points from Vadim’s article include:
Laptops, tablets, phones, and other devices have screens, but pacemakers don’t, meaning a ransomware attack will require multiple stages. A “smart” pacemaker will probably be controlled by a computer or phone, so the attacker will need to go through these steps: first, hit a device with a display screen; second, perform additional reconnaissance and determine whether it has any IoT devices connected to it; third, lock the IoT devices found; and then finally, pop a ransom note to the user of that computer or phone.
It’s unclear if ransomware attacks on medical devices are viable. While it’s likely some criminals will eventually try to infect IoT devices with ransomware, it’s debatable whether it will reach the scale of current PC ransomware. Microsoft found ransomware is not as prevalent as other types of malware, which contradicts the ICIT report.
Ransomware hasn’t conquered the PC world, but it’s bringing enormous profits to authors. Does this mean the underground economy is in balance and we should not expect it to shift significantly to hit IoT, particularly pacemakers, anytime soon?
With ransomware hitting increasingly important targets, I can’t help but wonder if IoT devices will be next. I don’t think that’s going to come anytime soon. Though researchers have shown that a host of connected medical devices can be hacked, it’s another thing to hold data for ransom. Either way, it’s time to pay closer attention to the security of all connected devices.
You can read Vadim’s full article on the Dark Reading site here.
At Bromium we are getting a little tired of the “unbelievable” claims of Next-Gen AV vendors selling the modern day equivalent of snake-oil. So we decided to invite you to help. We invite you to bypass Bromium and other endpoint protection products at Infosecurity Europe 2016. If you can break them, you get applause and a gift card. (We do it all the time.) If you breach an endpoint protected by Bromium you’ll get £10,000 and we’ll put out a press release thanking you for your heroic efforts and congratulating you on your hack.
We’re going to sweeten the pot a bit: You can bring whatever you’d like, or email it to us, or download it at the show. No protection products or filters will stand in your way. Better still, the PCs in our stand are unpatched Windows 7 devices with vulnerable Java, Flash and Office apps so you can be sure your exploit will run. We’re even publishing the technical specs of the endpoints you need to breach, here.
I want to be clear that we don’t think our product is “unbelievable” or even unbreakable. It’s just damn good. It will take a hero like you to bypass Bromium, and we want to celebrate the heroes that work to keep enterprises secure – even though you have to use products from vendors that promise to secure you, but don’t.
We’d also like to ask you a favor: We’d like you to bring your own malware, and to challenge us and every other vendor at InfoSec to run it, on the spot. If they won’t, simply say “unbelievable” and head on back to Bromium for your gift card, and pat on the back. I’ll buy you a pint and we can exchange war stories from the front lines of infosec.
You Already Have Next-Gen AV – and it isn’t working
Today, more than 99% of malware morphs into new, undetectable variants in under a minute, making it impossible to detect before it executes. Vendors that say otherwise are simply lying. The cybersecurity industry continues to peddle false promises and failed technologies that don’t protect customers from today’s attacks. Our goal with the Bromium Bring-Your-Own-Malware Challenge is twofold. First, to let IT security professionals see for themselves the mind-blowing protection that micro-virtualization offers. Second, to shine a bright light on the false claims of other endpoint vendors, whose ‘detect to protect’ promises are bogus.
To participate, stop by the Bromium stand at InfoSec Europe (B220) with malware of your choosing or participate remotely by uploading the malware to our servers. Bromium will also provide real-time analysis of submitted malware to help you understand its methods and vulnerabilities. For technical details and conditions of the challenge please visit www.bromium.com/challenge.
If you survived the frothy clamor of RSAC16 you certainly left confused by the breathless promises of the 600 or so would-be cybercorns on the show floor. The security industry has reached a new crisis point: We are out of words! The security lexicon is exhausted so vendors are making ever more absurd claims. My favorites: “Machine Learning allows us to analyze all changes in behavior and predict risks and breaches before they happen”, and “Complete unified threat management and protection for your network, web, email, applications, and users”.
The cyber-meme has peaked, and the cold hard light has begun to sober up investors whose heady enthusiasm led to a profusion of new companies, each of which would definitely have stopped the Target hack. Now, just a few weeks later, as evidence mounts that the bubble has burst, boards are warning their companies to prepare for a storm. Silicon Valley can create unicorns, but they need too many VC rainbows to survive.
How did we end up here, and what does this mean for the security market?
The narrative of the industry has been increasingly dominated by those who stand to profit most from a message of doom and gloom. The press feeds on stories of breaches and pwnage. Vendors are complicit, and analysts fan the flames: Markets and Markets recently predicted that the cyber-security market will grow from $106.32 Billion in 2015 to $170.21 Billion by 2020, a Compound Annual Growth Rate (CAGR) of 9.8%. Investor mania has led to what BTIG refers to as the “Game of Clones” – a flood of “me too” vendors, over 90% of which have revenues under $20MM. CISOs tell me that they receive upwards of 25 unsolicited calls per day from vendors peddling nichey products, each of which needs to be evaluated, deployed, managed and maintained through its costly life-cycle.
Even if the market grows as predicted, the funding famine will cause many unprofitable companies to fail or pivot into services – only firms that are delivering value will survive. But I’m not of the view that the market will grow as predicted. There is a common flaw in such analyses, namely an assumption that enterprises will remain as vulnerable as today, over time. This is wrong. The rapid adoption of cloud computing will eliminate much of the traditional security market opportunity. Hybrid and public clouds are more secure (through better design) than traditional data centers. Cloud services also reduce the need for traditional security products. For example, if you adopt Office 365, you don’t need a “secure email gateway” – email security is a feature of the cloud service. If you adopt Azure AD, not only is the AD forest more secure, but in addition Microsoft can help identify credential misuse. On the endpoint, Windows 10 as a Service forces enterprises to keep current on patches, reducing the opportunity for attackers, and the OS benefits from virtualization based security and many other security enhancements. In summary, adopting new infrastructure will improve security more than any vendor widget could, and ought to reduce your overall spend over time. The market will grow, but in different ways: the broad adoption of connected / IoT capabilities in mainstream enterprises is a good example of a new market, with its own vulnerabilities and threats. Don’t expect Anti-Virus for your smart door lock though.
So, as we put the unicorns out to pasture, what does the market and opportunity look like? Enormous. The bad guys haven’t stopped hacking. Customers have an urgent need to stop breaches and quickly identify targeted attacks without haystacks of false alerts. That it is possible to secure an endpoint without any legacy network tools, or “detect to protect” tomfoolery is quite revolutionary, and Bromium customers appreciate being breach free. Revolutionary tech need not be mythical, expensive, or imaginary, like the unicorn.
Another RSA Conference is in the books and with it concludes Bromium’s annual State of Security Survey. The size of RSA Conference 2016 echoed the continued growth of the security industry with more than 500 companies exhibiting. There were many conversations about many security threats and solutions; of course, Apple and the FBI have been thrust front and center.
Bromium surveyed 100 RSA attendees in an effort to understand some of the attitudes, opinions and trends among security professionals. In some cases, these questions repeated similar questions asked at previous conferences, in other cases these questions highlighted more recent trends.
Bromium will be publishing a full report in the coming weeks, but in the interest of timeliness has shared the following results today:
First, Bromium asked “Are users your biggest security headache?” In previous surveys, nearly three-quarters of security professionals said “yes.” This trend continued at RSA Conference 2016 with 70 percent responding in the affirmative.
Next, Bromium asked RSA attendees to identify the source of their greatest security risk. In the past, Bromium determined that endpoint risk is five times greater than network or cloud. This trend continued at RSA Conference 2016: the endpoint remained the source of the greatest security risk (49 percent).
Bromium asked RSA attendees how quickly their organization implements patches for zero-day vulnerabilities. Fifty percent implemented patches in the first week, but more than a quarter took more than a month; results similar to its Black Hat survey. It’s interesting to note the similarity between these initial results, as it lends more significance to the statistics.
In an effort to understand more recent trends, Bromium asked RSA attendees if they or anyone they know had been infected with ransomware. It was a pretty even split: 49 percent said yes and 51 percent said no.
The launch of Windows 10 is another recent trend. Bromium determined 65 percent of RSA attendees have plans to evaluate or deploy Windows 10 in the next 12 months. However, it seems the industry still requires more education about the operating system.
When asked to identify which Windows 10 security feature would be most effective at combating cyber attacks, more than a quarter (27 percent) had no response. Among RSA attendees that did respond, nearly one-third (30 percent) selected Microsoft Passport (two-factor authentication) and more than a quarter (27 percent) selected Device Guard (virtualization-based security that only allows trusted applications to run).
Bromium asked RSA attendees to identify the most effective aspect of a cyber security architecture; 64 percent selected prevention as the most effective aspect of a cyber security architecture.
Conversely, Bromium asked RSA attendees to identify the least effective aspect of a cyber security architecture; 47 percent selected remediation and 36 percent selected prediction.
Finally, Bromium asked RSA attendees if Apple should comply with an FBI request to bypass the security of Apple’s iOS. While a handful believe Apple should comply (or mentioned in conversation that the issue was complex), overwhelmingly (86 percent) RSA attendees responded that Apple should not comply with the FBI. Clearly, the security industry is not comfortable with the weakening of security and privacy for a single case – once Pandora’s box is open, it can’t be closed.