Today we announced Bromium Advanced Endpoint Security, a product designed to protect enterprises throughout the threat life cycle. It includes our unparalleled ability to defeat undetectable attacks using micro-virtualization, introduces continuous endpoint monitoring for detection, and offers a powerful set of analytical tools to aid response. It enables security teams to quickly analyze their endpoint threat posture and respond to attacks, with tools for automatic remediation and for searching all endpoints for signs of impact. Endpoints protected by Bromium AES collaborate in real time, sharing information about new attacks to enable rapid enterprise-wide protection.
This post provides a summary of our motivations and briefly describes the new features.
In its 2015 Data Breach Investigations Report, Verizon noted:
- Over 90% of breaches began with an end user mistake.
- Over 90% of breaches resulted from malware that took advantage of a vulnerability for which a patch had been available for over a year.
- In over 70% of the 2,100 breaches studied the malware used was unique to the targeted organization.
Humans will continue to click. It is unreasonable to expect endpoints to always be patched or to have no legacy dependencies. Therefore they will be vulnerable. And today’s attacks are unlikely to be detected by network or endpoint security tools.
The Need: Protect, Detect and Respond
Gartner recommends two key solution components to address the challenge of targeted attacks: tools that allow the security team to continuously monitor endpoints in order to detect and quickly respond to a breach in progress, and isolation to block and detect unknown attacks, as a complement to existing endpoint protection platforms. Bromium Advanced Endpoint Security includes features that address both needs:
- Endpoint Protection: AES uses endpoint CPU micro-virtualization to hardware-isolate each untrusted web site, document or executable to defeat attacks from the web, email, social media and USB. Endpoints are protected on untrusted networks, even if they are unpatched, and automatically self-remediate when attacked. Isolated malware cannot compromise the endpoint, steal data, or access the enterprise network or high value sites.
- Endpoint Monitoring: Bromium Endpoint Monitoring (BEM) observes both the endpoint host OS and each hardware-isolated task, to deliver comprehensive task-centric detection of any malicious execution. AES records comprehensive forensic intelligence for each endpoint attack, auto-correlating low-level endpoint events to deliver detailed forensic information that enables security teams to respond quickly. BEM does not require that the endpoint CPU support hardware virtualization.
- Threat Analysis: AES leverages real-time events from Endpoint Monitoring agents, together with intelligence from a Bromium-operated threat cloud service, to deliver real-time forensic detail for each attack, with low false positives. Bromium Threat Analysis also offers each AES-protected endpoint the ability to check all activity against a list of “known-bad” attacks as well as locally (organization-specific) detected attacks. Via BTA, endpoints collaborate to share information about newly detected attacks.
A Bromium AES protected endpoint:
- Hardware isolates each attack, without any need for signatures,
- Defeats the attack, preventing the attacker from gaining access to any valuable data,
- Prevents the attacker from gaining access to high value networks or sites,
- Shares detailed attack forensics with other endpoints so they can protect themselves, and
- Automatically self-remediates, erasing the attack from the endpoint.
The product supports Windows 7, 8 & 10 and introduces endpoint protection for the first time for Mac OS X endpoints.
New: Endpoint Monitoring
Bromium Endpoint Monitoring (BEM) is new to this release together with enhanced tools for threat analysis. These provide real-time detection of malicious activity using introspection to observe execution both within each micro-VM and the endpoint host operating system, and provide live visualization and analysis of attacks using Bromium Threat Analyzer (BTA). The solution includes an ability to search endpoints in real-time for IOCs.
- Real-time detection: As an attack is executing on the endpoint (within a micro-VM or on the host OS), the monitor alerts the Bromium Endpoint Controller that an attack is in progress and provides detailed real-time forensic data that allows the attack to be visualized in increasing detail using Bromium Live Attack Visualization and Analysis (LAVA).
- Low TCO: Unlike so-called “big-data” monitoring solutions that collect vast amounts of data of questionable value in a centralized data store, BEM does not require investment in substantial server resources for endpoint monitoring data. Detection and event correlation are achieved on the endpoint itself.
- Tamper-proof monitoring: Existing endpoint security solutions run as software agents within the OS kernel. On a compromised endpoint they can be disabled by malware. BEM can use the Microvisor to make itself invisible to the host operating system and to malware.
- Improved detection due to context: BEM correlates low-level monitoring data collected, on the endpoint itself, to create an application flow that ties the events together into a graph. By observing the entire application flow BEM has a rich context for detection and dramatically reduced false alerts.
- Simple analysis: On seeing malicious behavior, BEM can present the entire Application Flow to the SOC admin, providing a complete view of the attack that ties together thousands of low-level monitoring events. This saves the SOC admin considerable time; with competing solutions the analysis across thousands of events may have to be performed manually.
- Customizable threat model: BEM allows the threat model to be customized, so that large enterprises or government agencies can specify their own rules to flag malicious behavior. This threat model is applied in real time to the Application Flow to identify malware.
- Easy deployment: BEM can be deployed to monitor all applications on the endpoint, or only selected applications that pose higher risk. This gives the enterprise the ability to deploy the solution incrementally, for example by monitoring only non-internal applications, thereby eliminating any risk of false positives from internal applications.
- “Trust but verify”: If your organization allows users to trust documents, sites or executables they access/download, the content will always first be executed in a micro-VM. If no malicious activity is detected it is still not possible to state with certainty that it is benign. Instead it is dynamically added to a “verify” list that is continually monitored whenever it is executed, lest malware emerge later.
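The on-endpoint correlation, customizable threat model and IOC search described in the monitoring bullets above, as an added Python example that is not Bromium's code: constructed low-level events are folded into a per-endpoint process tree (an "application flow"), a list of rule functions stands in for the threat model and can be extended with site-specific rules, and the indicator search runs over the correlated result rather than over raw events. Image names, pids, paths and the TEST-NET addresses are all constructed, and the class and rule names are assumptions of this example, not product identifiers.

```python
"""Added illustration (not Bromium's code): correlate constructed low-level endpoint events
into an "application flow", apply a customizable rule set to it, and search it for IOCs."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Image-name sets used by the example rules (assumed normalized to lowercase basenames).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

@dataclass
class Event:
    ts: int
    kind: str                   # 'proc' (start), 'file' (write) or 'net' (outbound connect)
    pid: int
    image: str
    detail: str                 # written path, host:port, or "start"
    ppid: Optional[int] = None  # only set on 'proc' events

@dataclass
class ProcNode:
    pid: int
    image: str
    ppid: Optional[int]
    files: List[str] = field(default_factory=list)  # paths written
    nets: List[str] = field(default_factory=list)   # host:port connected to

class ApplicationFlow:
    """Process tree annotated with file/network activity, correlated on the endpoint itself."""
    def __init__(self, events: Iterable[Event] = ()) -> None:
        self.procs: Dict[int, ProcNode] = {}
        self.event_count = 0
        for ev in sorted(events, key=lambda e: e.ts):
            self.ingest(ev)

    def ingest(self, ev: Event) -> None:
        self.event_count += 1
        if ev.kind == "proc":
            self.procs[ev.pid] = ProcNode(ev.pid, ev.image, ev.ppid)
            return
        # A file/net event for a process whose start was missed still gets a node.
        node = self.procs.setdefault(ev.pid, ProcNode(ev.pid, ev.image, None))
        (node.files if ev.kind == "file" else node.nets).append(ev.detail)

    def ancestry(self, pid: int) -> List[ProcNode]:
        """[process, parent, grandparent, ...]; stops at unknown pids and on cycles."""
        chain, seen = [], set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)
            chain.append(self.procs[pid])
            pid = self.procs[pid].ppid
        return chain

    def search_ioc(self, indicator: str) -> List[int]:
        """Pids whose file or network activity contains the indicator substring."""
        return sorted(p.pid for p in self.procs.values()
                      if any(indicator in x for x in p.files + p.nets))

Rule = Callable[[ApplicationFlow], List[str]]

def descends_from(parents: set, children: set, label: str) -> Rule:
    """Rule factory: flag a process in `children` with an ancestor in `parents`.
    A site-specific threat model is just more rules built like this one."""
    def rule(flow: ApplicationFlow) -> List[str]:
        hits = []
        for p in flow.procs.values():
            chain = flow.ancestry(p.pid)
            if p.image in children and any(a.image in parents for a in chain[1:]):
                hits.append(f"{label}: " + " <- ".join(n.image for n in chain) + f" (pid {p.pid})")
        return hits
    return rule

def shell_drops_and_connects(flow: ApplicationFlow) -> List[str]:
    """Flag a shell that both wrote an executable and made an outbound connection."""
    return [f"shell-drop-and-connect: {p.image} (pid {p.pid}) wrote {p.files}, connected {p.nets}"
            for p in flow.procs.values()
            if p.image in SHELLS and p.nets and any(f.lower().endswith(".exe") for f in p.files)]

DEFAULT_THREAT_MODEL: List[Rule] = [descends_from(OFFICE_APPS, SHELLS, "office-to-shell"),
                                    shell_drops_and_connects]

def evaluate(flow: ApplicationFlow, rules: List[Rule] = DEFAULT_THREAT_MODEL) -> List[str]:
    """Apply the threat model to the whole flow; one alert line per hit, nothing else reported."""
    return [hit for rule in rules for hit in rule(flow)]

# Constructed telemetry: a document reader spawning a shell chain beside a benign browser.
# Addresses are from the documentation ranges (TEST-NET-2/3), not real hosts.
SAMPLE_EVENTS = [
    Event(1, "proc", 100, "explorer.exe", "start", ppid=1),
    Event(2, "proc", 200, "winword.exe", "start", ppid=100),
    Event(3, "proc", 300, "cmd.exe", "start", ppid=200),
    Event(4, "proc", 400, "powershell.exe", "start", ppid=300),
    Event(5, "net", 400, "powershell.exe", "203.0.113.5:443"),
    Event(6, "file", 400, "powershell.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    Event(7, "proc", 500, "chrome.exe", "start", ppid=100),
    Event(8, "net", 500, "chrome.exe", "198.51.100.7:443"),
    Event(9, "file", 500, "chrome.exe", r"C:\Users\alice\Downloads\report.pdf"),
]

if __name__ == "__main__":
    flow = ApplicationFlow(SAMPLE_EVENTS)
    print("\n".join(evaluate(flow)))
    print(f"{flow.event_count} raw events -> {len(evaluate(flow))} alerts")
```

Run as a script, it prints the three correlated alerts and the reduction from nine raw events to three alert lines; the benign browser activity produces nothing. The design choice worth noting is that every rule sees the whole flow (lineage plus file and network activity), which is what lets a rule such as "shell under an Office application that drops an executable and connects out" fire on the chain as a unit rather than on any single event, and it is the same structure the `search_ioc` query walks when an indicator needs to be checked across endpoints.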
Bromium Advanced Endpoint Security integrates unparalleled technology that allows enterprises to address two critical endpoint security needs:
- Continuously monitor endpoints to detect and quickly respond to a breach in progress
- Protect endpoints by design from undetectable targeted attacks using micro-virtualization to isolate, block and detect malware, as a complement to existing endpoint protection platforms.
Bromium Endpoint Protection turns the security problem on its head: It eliminates the need to “detect to protect”, because it protects the system by design. Clicking on a poisoned attachment is not a risk – a compromised task will simply be discarded when the user closes the application. Users can safely click on anything – and even when they make a mistake the system will defend itself. You can stop mandating new controls on the endpoint that hamper users, and rely solely on endpoint hardware to protect the endpoint from compromise.
Bromium Endpoint Monitoring continuously gathers low-level event data from every endpoint, introspecting the OS and each hardware-isolated task. This data is fed back to Bromium Threat Analyzer, which immediately alerts the security team when malware executes at the endpoint, providing comprehensive forensic detail for each attack. Instead of aggregating large volumes of data in a server-side big-data store, BEM performs event correlation on the endpoint, dramatically reducing the volume of monitored data. The solution permits security teams to search for IOCs and presents low-false-positive data to Bromium Threat Analyzer for any malware that executes on the endpoint, for example during a breach in progress. When monitoring isolated tasks, BEM can wait until malware strikes, because the system is protected from attack, all the while gathering detailed insights into its behavior. Finally, malware that attacks an endpoint is automatically remediated when the user closes the task. The endpoint is secure, even when running un-patchable legacy software.
Drop me a note if you’d like to learn more.