Bromium has partnered with Microsoft to ensure that Bromium micro-virtualization and Windows 10 work well together and provide a highly secure endpoint. Windows 10 offers powerful new protections that make it the most secure Windows version to date. Bromium micro-virtualization complements the security of all supported versions of Windows by isolating and eliminating the vectors used by cyber attacks. The partnership brings together the new security capabilities in Windows 10 and Bromium micro-virtualization, and enables customers to secure and manage their endpoints with System Center Endpoint Protection and Active Directory.
Our partnership with Microsoft validates micro-virtualization as a foundation for future endpoint security and assures customers that Bromium security products are compatible with and complementary to Microsoft security technology. Microsoft and Bromium together make Windows endpoints secure, defeating each attack by design, and delivering real-time threat insights that help to stop breaches.
Windows 10 Security is backed by device hardware
Windows 10 offers many security enhancements beyond those in Windows 7 and 8. Several key features specifically leverage endpoint device hardware to harden the platform – a trend that is increasing on all endpoints. The following diagram, drawn from a Microsoft presentation, summarizes them.
- Identity protection: Windows 10 uses device hardware capabilities (a TPM-protected, device-bound credential plus a PIN or biometric) to authenticate the user, reducing the need for third-party two-factor authentication and ensuring that users are properly authenticated by the device before being granted access to applications and data.
- Data protection: Capabilities include enhanced BitLocker encryption for data at rest, and Microsoft Azure-backed data loss prevention that ensures enterprise data is unreadable if it falls into the wrong hands.
- Threat resistance: Windows 10 can be remotely managed using enterprise mobility management software such as Microsoft Intune, which can enforce device wipe, encryption and the other security controls widely used to manage mobile devices. It also introduces a capability called Device Guard that implements application control through code integrity policies, so that only applications signed by trusted publishers (or otherwise explicitly allowed by policy) can run.
- Device security: Finally, Microsoft has introduced device security capabilities including UEFI Secure Boot, which cryptographically verifies the signatures of the boot loader, kernel and early drivers before they execute; combined with a TPM, measured boot records hashes of those components so that the boot state can later be attested. Windows 10 also introduces “virtual secure mode” (VSM), which uses the endpoint CPU’s virtualization extensions to protect key system data such as credentials, so that even if Windows is compromised, the attacker cannot harvest locally cached credentials to reach deeper into the enterprise infrastructure. VSM relies on client virtualization technology implemented in the Windows hypervisor, Hyper-V. The feature that uses it for credentials, Credential Guard, moves the Local Security Authority’s secrets (NTLM hashes and Kerberos tickets) out of the LSASS process and into an isolated LSA process running under the hypervisor, where they are out of reach of malware that has compromised the operating system, even with kernel privileges. This mitigates so-called “pass the hash” attacks, in which an attacker reuses credential material dumped from a compromised endpoint to authenticate to other systems in the infrastructure; it does not protect credentials that are captured as the user types them, which is why isolating the vectors of initial compromise still matters.
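As an added example (not from the original page or from Bromium), the following PowerShell shows how the Device Guard application control described above is put into practice: a code integrity policy is generated from a known-good reference machine, deployed in audit mode so that violations are logged rather than blocked, and only then enforced. The directory paths are assumptions of this example; the cmdlets are from the Windows 10 ConfigCI module and must be run from an elevated session.

```powershell
# Added example: build and stage a Device Guard code integrity policy.
# Paths under C:\CIPolicy are assumed for this example.
$policyXml = 'C:\CIPolicy\InitialPolicy.xml'
$policyBin = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path 'C:\CIPolicy' -Force | Out-Null

# Scan the reference image and trust binaries by their signing publisher,
# falling back to a per-file hash for anything unsigned.
# -UserPEs includes user-mode executables, not only kernel drivers.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $policyXml

# Rule option 3 = "Enabled:Audit Mode". Executions the policy would block are only logged
# (Event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational), so the policy can be
# validated against real user workloads before it is enforced.
Set-RuleOption -FilePath $policyXml -Option 3

# Compile the XML into the binary form the kernel loads, and place it where
# Code Integrity reads it at boot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item -Path $policyBin -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# Once the audit log shows no unexpected 3076 events, drop audit mode, recompile and
# redeploy the same way; from then on unlisted binaries are blocked (Event ID 3077).
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
```

Auditing first is the important step: a policy generated from a single golden image almost always misses line-of-business tools and updaters, and the 3076 events are what tell you which publishers or hashes to add before enforcing.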
New PCs, laptops and Windows tablets have the hardware capabilities needed to take advantage of the hardware-assisted security features of Windows 10. The device must support UEFI Secure Boot and include a Trusted Platform Module (TPM) to permit a secure bootstrap and to securely store keys for encryption at rest. It must also support hardware virtualization – Intel VT-x or AMD-V with second-level address translation (EPT or NPT) on a 64-bit CPU – to permit the use of VSM. Additional hardware features (which are OEM and device specific) are required for hardware-assisted biometric user authentication. Virtually every PC sold to enterprises in the last several years supports hardware virtualization, although it is frequently disabled by default in firmware and must be enabled before VSM will start.
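To make the prerequisites above concrete, here is an added PowerShell example (not from the original page or from Bromium) that audits whether an endpoint meets them, reports whether VSM and Credential Guard are actually running, and optionally writes the registry settings that turn Credential Guard on. The function names are this example’s own; the cmdlets, WMI classes and registry values are the standard Windows 10 ones. Run it from an elevated session; a reboot is required after enabling.

```powershell
# Added example: audit VSM / Credential Guard prerequisites and state on a Windows 10 endpoint.

function Test-VbsPrerequisites {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not supported".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

    $tpm = Get-Tpm -ErrorAction SilentlyContinue   # TrustedPlatformModule module

    [pscustomobject]@{
        Is64Bit               = [Environment]::Is64BitOperatingSystem
        SecureBootEnabled     = $secureBoot
        TpmPresent            = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady              = [bool]($tpm -and $tpm.TpmReady)
        # VT-x / AMD-V enabled in firmware, and second-level address translation (EPT/NPT),
        # which VSM needs on top of the basic virtualization extensions.
        VirtualizationEnabled = [bool]$cpu.VirtualizationFirmwareEnabled
        SlatSupported         = [bool]$cpu.SecondLevelAddressTranslationExtensions
    }
}

function Get-VbsStatus {
    # Win32_DeviceGuard reports what VBS is configured for versus what is actually running.
    # Service IDs: 1 = Credential Guard, 2 = hypervisor-enforced code integrity (HVCI).
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
    } catch {
        Write-Warning 'Win32_DeviceGuard not available: this is not a Windows 10 VBS-capable build.'
        return $null
    }
    $state = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' } 1 { 'Enabled but not running' } 2 { 'Running' } default { 'Unknown' }
    }
    [pscustomobject]@{
        VbsStatus                 = $state
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Enable-CredentialGuardConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$WithUefiLock)
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Enable VBS and Credential Guard (effective after reboot)')) {
        New-Item -Path $dgKey -Force | Out-Null
        # EnableVirtualizationBasedSecurity 1 = turn VBS on.
        # RequirePlatformSecurityFeatures 1 = require Secure Boot; 3 = Secure Boot plus DMA protection.
        Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
        Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
        # LsaCfgFlags 1 = Credential Guard with UEFI lock (cannot be disabled remotely), 2 = without lock.
        $flags = if ($WithUefiLock) { 1 } else { 2 }
        Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $flags -Type DWord
    }
}

# Usage: check first, then enable only where the hardware actually supports it.
$pre = Test-VbsPrerequisites
$pre | Format-List
if ($pre.Is64Bit -and $pre.SecureBootEnabled -and $pre.VirtualizationEnabled -and $pre.SlatSupported) {
    Get-VbsStatus | Format-List
    Enable-CredentialGuardConfig -WhatIf   # drop -WhatIf to apply
} else {
    Write-Warning 'Endpoint does not meet VSM prerequisites; Credential Guard cannot run here.'
}
```

The distinction between SecurityServicesConfigured and SecurityServicesRunning is the check worth keeping in any fleet report: a policy can set the registry values on every machine, but Credential Guard only runs where Secure Boot and SLAT are actually present and enabled.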
Bromium micro-virtualization enhances Windows security
Windows 10 improves the resilience of the endpoint to attack, and because most breaches start with a compromised endpoint, it also helps to prevent breaches. Like Windows 7 and 8 before it, however, Windows 10 is still exposed to attacks delivered via the usual vectors: users accessing the web, consuming media, opening attachments, accessing files from USB devices and cloud storage, running legacy Java and other applications that cannot be patched, and consuming content delivered from social sharing applications. Bromium eliminates these attack vectors by seamlessly and automatically hardware-isolating the execution of each task that interacts with untrusted content, using micro-virtualization. Bromium supports the enterprise installed base of Windows 7 and 8 today, and will support enterprise adoption of Windows 10.
Endpoint compromise is the start of a breach
Today’s targeted attacks take advantage of vulnerabilities that result from the challenges of today’s enterprise IT practices:
- IT teams struggle to keep up with the need to patch endpoints when new vulnerabilities are disclosed because they need to be sure that applications will still run and that users won’t be impacted. But malware developers are agile. Verizon reported that in 2014 over 90% of breaches resulted from a compromised endpoint where malware took advantage of a vulnerability for which a patch had been available for over a year. And most newly disclosed vulnerabilities are attacked within a month.
- Enterprises have a heavy dependency on legacy applications, browsers and plugins, many of which are vulnerable to attack. For example, many companies have a heavy dependence on legacy Java applications, ActiveX components, productivity suites and applications that require backward compatibility with legacy browsers.
- Today’s detection-centric security tools, including anti-virus and network intrusion detection tools, are poorly suited to detecting targeted attacks. Verizon reports that in up to 90% of the 2,100 breaches it studied in 2014, the malware used was unique to the targeted organization. When no one else has seen the sample, there is no signature to match, and legacy tools have little to detect it with.
- Finally, over 90% of breaches studied by Verizon in 2014 were the result of a mistake on the part of a computer user or administrator that ultimately led to an endpoint compromise. It is unreasonable to believe that training can solve this problem, because attackers are sophisticated and know their targets well.
None of these issues can be fully solved by patching faster, retiring legacy applications or training users harder. Instead, what is needed is an approach that secures the endpoint by design – whether or not it has been patched, without any presumed knowledge of the attacker, and without impacting the user. Bromium complements the “in the box” security of Windows by eliminating vectors of attack and malware persistence.
Using the virtualization features of the endpoint CPU, the Bromium Microvisor hardware-isolates the execution of all user-initiated tasks that access content from an untrusted source: the web, media, untrustworthy documents, files, attachments, removable storage including USB drives, cloud storage, and legacy executable content such as Java, Flash and other browser plugins. Hardware isolation is the approach that has been shown to increase endpoint security most substantially – hence its adoption by both Microsoft and Bromium. Software sandboxes – built into all browsers, document viewers and media plugins, and even marketed as stand-alone anti-malware solutions – share the kernel with the code they confine, and determined attackers have repeatedly escaped them with zero-day kernel and sandbox-escape vulnerabilities.
Whenever the user accesses content from any untrusted source, the Microvisor automatically and invisibly hardware-isolates the Windows task using a technique called micro-virtualization that executes the task in a tiny CPU-isolated micro-VM that cannot modify Windows or gain access to enterprise data, networks or sites. The Microvisor protects desktops that have not been patched, defeats and automatically discards malware, and eliminates costly remediation – keeping users productive.
Micro-virtualization uses endpoint CPU features for virtualization to hardware-isolate each untrusted user task – those that access external content – in a micro-VM. Valuable data, networks and devices are not available in a micro-VM – so an attacker cannot steal data, access devices such as a webcam, or penetrate the enterprise network. Execution within a micro-VM is ephemeral, with all changes to system state saved in a throw-away cache, so malware cannot persist. When the task ends the micro-VM and the throw-away cache are simply discarded – with any malware. This makes Bromium protected endpoints self-remediating – eliminating any possibility of malware persistence. When an endpoint is attacked, malware may execute in the context of a micro-VM, but no content of value is available to be stolen, and the attacker cannot pivot onto the enterprise network to further his attack.
A Bromium protected endpoint thus:
- Hardware isolates each attack, without any need for signatures,
- Defeats the attack by preventing the attacker from gaining access to any valuable data or OS state,
- Prevents the attacker from gaining access to high value networks or sites,
- Automatically self-remediates, erasing the attack from the endpoint.
Windows 10 VSM uses hardware isolation to enhance protection for valuable credentials – moving critical data deeper into the castle, as it were. Bromium micro-virtualization eliminates vectors of attack on the endpoint – preventing attackers from entering the castle. The two technologies are complementary and result in an endpoint security architecture that is massively secure.
Bromium LAVA delivers real-time forensics for targeted attacks
Windows 10 improves endpoint security through sound design principles. Its use of hardware isolation to protect endpoint credentials increases the difficulty faced by an attacker seeking to penetrate the enterprise. Micro-virtualization is a complementary technology that also uses hardware virtualization to eliminate attacks on the endpoint.
The CISO needs to secure the entire enterprise, including legacy systems. Bromium protects legacy Windows systems using micro-virtualization, and in addition offers the security team real-time insight into actual attacks as they occur, without false alarms, together with the forensic intelligence that enables the security team to quickly secure the entire enterprise. This is made possible through micro-VM introspection and Live Attack Visualization and Analysis (LAVA).
During execution of each hardware-isolated task in a micro-VM, all relevant state is captured: memory changes, process creation and termination, DLL injection, every packet sent or received, and file system and registry changes are recorded. Unlike traditional detection-centric approaches that must recognize malware before it executes, the hardware confines of a micro-VM keep the system protected at all times, so it is possible to let malware actually attack the isolated task and alert the security team on observed malicious behaviour rather than on a signature match.
When malware executes in a micro-VM, the entire forensic trace for the task is instantly forwarded to the Security Operations Center, where it provides complete details of the attack: the methods used, communication with remote command-and-control servers, and the targets. This can be used to immediately protect the rest of the enterprise, for example by blocking the attack using other security assets such as proxies, firewalls and intrusion prevention systems – in real time and without false alarms. Finally, Bromium delivers attack intelligence to other tools using standard formats such as STIX and MAEC that can be shared between organizations. Bromium integrates with Microsoft Active Directory and System Center Endpoint Protection to give security professionals a single, consistent and powerful platform for managing the endpoint and its security.
Windows 10 offers new features for device security that are backed by device hardware capabilities that enhance endpoint resilience. Adoption of Windows 10 should be a priority for every enterprise.
Bromium micro-virtualization is a complementary hardware-backed security technology that eliminates vectors of attack. Combined, the two approaches make Windows endpoints massively secure by design. Micro-VM introspection delivers powerful real-time insights into the nature of each attack, eliminating false alerts, and providing detailed forensic information that allows security teams to respond enterprise-wide to defeat each attack.