Advice Can Be Dangerous – Why Critical Thinking Matters

Author: 1 Comment Share:


Since our first customer deployment four years ago, we believe no Bromium protected endpoint has been breached.

And that’s not for want of trying.  Annual pen-tests and source code reviews by the world’s best are fundamental to what we do. We collaborate with researchers to continually evaluate, attack and improve our product.

Bromium is the back-stop that  protects the endpoints of the most sensitive agencies of four major democracies. Our product is deployed at large scale and is subject to nation-state attacks. It delivers detailed forensic information for attacks with vanishingly low false-positive rates. There are no false negatives.

We protect the “unprotectable”: unpatched endpoints that depend on legacy software, on unprotected networks, targeted by nation state adversaries.  And we win.  

An attacked endpoint always self-remediates.  And delivers forensic detail for each attack with uncanny detail and negligible false alerts. The solution actively hunts for signs of a breach, across all endpoints – EDR without humans. (Gartner distinguishes us as operating the world’s largest such deployment). It also includes features superior to data loss protection (DLP) – delivering multi-level security if needed.  And remarkably, it’s compatible with the legacy endpoint suites that rank highly and don’t really work.

So you’d think a reputable analyst firm would redrawn-chartagree that we’re good at endpoint protection. But clearly, based on a new report, defeating each attack is not enough. Bromium is positioned as a complete outlier. (Chart redrawn for copyright reasons).

Either we have a bad product and no strategy, or these are seriously confused analysts.

So who got the wrong end of the stick? In a spirit of self-criticism, we’ll take some flak. But let’s be clear – these guys don’t get it.

It was silly of us to participate. We were naïve to think that Bromium would make sense in an evaluation against legacy Endpoint Protection Suite criteria. The Bromium solution is revolutionary and legacy criteria are irrelevant. Maybe we were penalized because our solution took longer to deliver than we would have liked – this is complex stuff and was only deployed at scale a couple of years ago. Unfortunately, most of our customers can’t talk to analysts about the critical role we play in their security. And admittedly it was foolish to agree to an evaluation that didn’t actually evaluate any products.

These reports recommend the status quo. I think these analysts genuinely failed to understand that hardware-enforced least-privilege (micro-segmentation and micro-virtualization) is the only way to fundamentally change the odds in today’s environment of machine-timescale attacks. It’s disappointing that their criteria favor the legacy EPP vendors whose products are close to useless in practice. I suspect they also believe that NG-AV vendor stories of artificial intelligence (AI) magic are a valid strategy. Sadly they fail to realize that AI is widely available to today’s attackers, whose  tools are already superior; and that ultimately machine-learning can’t solve the halting problem.

Most of these technologies are free with Windows or included in your Microsoft EA.  The analysts promise a separate report about Microsoft, but I bet it makes commercial sense to produce a  chart that fee-paying vendors  are free to reproduce that doesn’t show that Microsoft is better than most of the commercial tools.

You should be wary of analysts that don’t evaluate products.  One of the highest ranked products  implements a “man in the middle” (MITM) attack on the user that cannot be avoided.  Another has been widely criticized by the security community as “the way in”  for attackers seeking to compromise an endpoint.  That these analysts don’t know this is unforgivable

There is great free research available. Consider these three excellent recent free reports, that also cover the competitive landscape (there’s one from BTIG, TAG-Cyber, and Networking Security from Bank of America Merrill Lynch).

A Bit More Detail: What They Got Wrong

The three core criteria for assessing each product were:

  • Prevent malware and exploits from executing
  • Detect malicious activity post-execution
  • Remediate and contain malicious activity and potential vulnerabilities

There’s a rather glaring contradiction between the first two, but let’s not quibble.

  • Perhaps we scored badly because Bromium seamlessly hardware-isolates the execution of every task that might be malicious, without having to detect whether or not it is malicious beforehand.
  • Perhaps we failed because malware typically does execute – in the CPU enforced isolation of an anonymized micro-VM where there is nothing to steal, and from which it is impossible to access networks, sites, credentials or files of value.
  • Perhaps we failed even though Bromium protected endpoints always self-remediate (even if an attack is un-detectable) eliminating any persistence.

It is unthinkable that Bromium would not score perfectly on each of these criteria, yet the reviewers didn’t give us a good score.  For example, we scored 1.88/5 in prevention, 3.6/5 in detection, and 1.55/5 in remediation. Jaw-droppingly shocking for a product that has executed flawlessly in every category.

Perhaps the analysts failed to understand that Bromium is an enterprise protection platform.

We use the combined capabilities of all endpoints (including servers) as a distributed Sensor Network.


If an endpoint is unable to protect itself, Bromium monitors its execution for signs of post-breach activity, given the up-to-the-second forensic capabilities from its peers in the Sensor Network.  If Bromium detects that an endpoint has been compromised, it isolates the entire device from the enterprise network, and lets security pros remotely investigate and remediate.

The real frustration is professionals like you need solid advice.

This really frustrates me because security people need help figuring out where to map their security strategy. You purchase analyst research to guide you through the complexities of security offerings and attacker methods. But if analysts aren’t capable of understanding how the market is shifting and how new technologies are changing the game, their advice will not help you.

I’d love to get into more detail about the flawed analysis, but for legal reasons I’m not able to. Permit me, as an alternative, to offer you absolute honesty in a one-to-one discussion of Bromium and our competitors (yes, I have recommended competitive products before). If you are interested in serious analysis that might help your organization, drop me note to Crosby at Bromium and I’ll be happy to chat with you.

Editor’s note: you can also reach out to Simon on Twitter @simoncrosby.

Previous Article

Your Enterprise Security Secret Weapon – Put Your Endpoints to Work

Next Article

2016 Forrester WAVE Report Includes Bromium as Endpoint Solution for Serious Security

You may also like

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *