- Today Microsoft announced Virtualization-Based Security and micro-virtualization as a means to hardware isolate apps.
- That’s good news for customers, who are often let down by security vendors that over-promise and under-deliver.
- There is a better path forward – making systems fundamentally more secure by design, without relying on the notion that attackers can reliably be detected before they strike.
Bromium and Microsoft partnered in 2015 on a shared vision: use micro-virtualization to substantially improve Windows endpoint security. As a result, Windows 10 already ships hardware-enforced isolation as a core system security capability. This post is an update on that partnership, introducing an important addition that promises substantial security benefits.
Get the Tech Lowdown: Microsoft and Bromium Partnership White Paper
Today, on enterprise-licensed editions of Windows 10 running on new PCs that support Device Guard, Virtualization-Based Security (VBS) uses the hypervisor to isolate key OS services so that critical data stays protected even if the operating system kernel itself is compromised. Bromium extends VBS to protect endpoints from attacks that target vulnerable applications, and automates the complex and expensive “protect-detect-respond” cycle.
Windows 10 uses VBS to protect two key OS services:
- Hypervisor-protected Code Integrity (HVCI) protects the OS by ensuring that only code that is signed and permitted by the code integrity policy can execute in kernel mode. The integrity check itself runs in the VBS-isolated environment, so a compromised kernel cannot disable it.
- Credential Guard (CG) isolates the secrets held by the Local Security Authority Subsystem Service (LSASS), such as NTLM hashes and Kerberos tickets, in a VBS-protected process that the normal OS cannot read. This hardware isolation helps to prevent “pass the hash” attacks, in which stolen hashes are reused to move laterally through the enterprise network. Note that CG protects secrets in LSASS memory; it does not stop credentials being captured elsewhere, for example by a keylogger.
Bromium extends VBS by isolating the execution of the applications that handle untrusted content: the browser, documents, executables, downloads, attachments and media files.
We protect the endpoint from attacks that target vulnerable apps and let the endpoint remediate itself automatically. Bromium also provides tamper-resistant endpoint monitoring. Moreover, with Bromium you can take advantage of the micro-virtualization we pioneered on Windows 7 & 8, and on deployed devices upgraded to Windows 10 that do not meet the stringent hardware requirements of Microsoft’s Device Guard and VBS.
Introducing Hardware Isolation for the Edge Browser
On Monday, September 26, Microsoft announced a further enhancement on the VBS roadmap that shows its commitment to adopting virtualization as a strategic security capability in Windows 10. The announcement is also a validation of the fundamental value of micro-virtualization for security and vindication for Bromium.
“Microsoft and Bromium are partnering on a series of joint security scenarios that use Virtualization Based Security and micro-virtualization as a means to hardware isolate apps. Microsoft Edge uses Windows Defender Application Guard to protect the device, apps, data and networks from attacks launched through the browser. Bromium ships a robust full featured solution to protect the endpoint from malicious documents, executables, attachments, downloads and sites.”
In the Windows 10 release codenamed “Redstone 2” (due to ship in 2017), Microsoft will extend VBS hardware virtualization to the application layer by isolating the Microsoft Edge browser. This feature, called Windows Defender Application Guard (WDAG), aims to contain an attack that exploits a vulnerability in Edge so that it cannot reach the rest of the endpoint and, from there, the enterprise network.
If you want the benefits of VBS but are held back by the fact that Microsoft supports it only on Windows 10, and only on new PCs with UEFI Secure Boot, we are here to help. Bromium delivers the security benefits of endpoint CPU virtualization to all vulnerable applications on all Windows 7, 8 and 10 endpoints – including Windows 10 on older BIOS-booted PCs that were upgraded from Windows 7 or 8.
Bromium complements WDAG in two ways:
- Bromium hardware-isolates the execution of all (non-Edge) user-initiated applications that access untrusted content – the web, files, media and executables. This is particularly useful where users depend on unpatched, legacy applications. Bromium serves the enterprise market, where Internet Explorer dominates and which is currently experiencing an onslaught of attacks delivered through documents and executables.
- Bromium is a natural complement to Microsoft Windows Defender and System Center Endpoint Protection (SCEP). You can retire your incumbent AV solution and adopt SCEP, benefiting also from BitLocker and EMET, while taking advantage of the substantial protection that VBS provides.
How Bromium Has Revolutionized Security
For the last 20 years the security industry has tried to protect enterprises the same way: “detect-to-protect”. Per Gartner, protecting 60% of customers has somehow become the industry benchmark for success among endpoint protection vendors; when that counts as success, something is seriously wrong with the effectiveness of security today. Something needs to change.
Bromium, the pioneer of virtualization-based security with over 66 patents, provides seamless micro-virtualization to protect endpoints from malicious documents, executables, attachments, downloads, and sites. Beyond protection, Bromium uses micro-virtualization to help security teams automate the expensive and time-consuming protect-detect-respond cycle:
- Bromium seamlessly hardware-isolates the execution of each user task that accesses the web, attachments, documents and files in a tiny micro-VM – protecting the endpoint from compromise via any external vector, and automatically remediating attacks. Isolated malware cannot reach high-value data, credentials, the enterprise network or intranet sites. Bromium records detailed, real-time forensic intelligence for each attack, and the endpoint self-remediates by discarding each micro-VM, eliminating persistence.
- Intelligence built into your endpoints for accelerated hunting: each Bromium-protected endpoint is part of our Sensor Network, with tamper-resistant monitoring in a distributed breach detection system. The endpoint uses the protected vantage point of the Microvisor to monitor all execution of the OS and its applications (including isolated apps in micro-VMs) to detect malicious execution, and shares its intelligence with the security team in real time to accelerate enterprise-wide response. The monitor itself is protected by micro-virtualization, so malware running in the OS cannot simply disable it.
- Endpoints collaborate to accelerate response: An endpoint that is attacked shares detailed forensic details of the attack with other endpoints via the Bromium Threat Cloud in real-time to accelerate enterprise-wide response. Bromium searches all endpoints for attack indicators to help security personnel to quickly find, investigate and remediate a compromised device.
- Endpoints self-defending: the endpoint automatically discards the micro-VM when the user ends the task – eliminating persistence. No cleanup or re-imaging is required. Once the micro-VM is discarded, so is the threat. Watch this demo to see how Bromium deals with ransomware.
Bromium is Here to Help With Your Migration to Windows 10
Adopting Windows 10 should be the most important security initiative for every organization. It offers many security enhancements over Windows 7 & 8 and introduces a suite of hardware-assisted security technologies that help to ensure a secure boot, protect the OS kernel (Device Guard and HVCI), isolate credentials (Credential Guard), and enable biometric authentication (Windows Hello).
But Device Guard is dependent on device features. In particular, it mandates Secure Boot, which is supported on all new UEFI-booted PCs but is not available on BIOS-booted Windows endpoints upgraded to Windows 10. Fortunately most enterprise PCs support hardware virtualization (Intel VT-x/AMD-V), which is the only hardware requirement for Bromium. As a result, Bromium can deliver the benefits of hardware-enforced protection to legacy Windows endpoints and to BIOS-booted Windows 10 PCs that have been upgraded from Windows 7 & 8.
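Before deciding which machines can rely on Device Guard/VBS and which need a VT-x-only isolation product, it helps to inventory what each host actually has. The script below is an added example written for this article (it is not Bromium's or Microsoft's code): it reports whether the two VBS services described earlier, HVCI and Credential Guard, are configured and actually running, and whether the firmware and CPU prerequisites discussed above (UEFI, Secure Boot, VT-x/AMD-V with SLAT) are present. The function name Get-VbsPosture is my own; the numeric codes it decodes are those documented for the Win32_DeviceGuard WMI class, and the CPU and Secure Boot properties are standard Windows cmdlets and WMI classes. Run it from an elevated PowerShell prompt on Windows 10.

```powershell
# Added example, not part of the original post or any vendor's product code.
# Reports VBS/Device Guard state and the hardware prerequisites it depends on.
# Requires an elevated session (Confirm-SecureBootUEFI needs admin rights).

function Get-VbsPosture {
    # Win32_DeviceGuard is absent on Windows 7/8 and some early Windows 10 builds;
    # SilentlyContinue leaves $dg as $null in that case rather than throwing.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    if ($null -eq $dg) {
        $vbsState = 'ClassNotPresent'
    } else {
        $vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
            0 { 'NotEnabled' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
        }
    }

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # "Configured but not running" usually means a hardware check failed or a reboot is pending.
    $cgConfigured   = @($dg.SecurityServicesConfigured) -contains 1
    $cgRunning      = @($dg.SecurityServicesRunning)    -contains 1
    $hvciConfigured = @($dg.SecurityServicesConfigured) -contains 2
    $hvciRunning    = @($dg.SecurityServicesRunning)    -contains 2

    # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection
    $hvSupport     = @($dg.AvailableSecurityProperties) -contains 1
    $sbSupport     = @($dg.AvailableSecurityProperties) -contains 2
    $dmaProtection = @($dg.AvailableSecurityProperties) -contains 3

    # Firmware type and Secure Boot state. Confirm-SecureBootUEFI throws on a legacy
    # BIOS boot, which is exactly the upgraded-from-Windows-7 case the text describes.
    $firmware = $env:firmware_type            # 'UEFI' or 'Legacy'
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # CPU virtualization extensions. Caveat: once a hypervisor is already running
    # (Hyper-V, VBS itself, or a third-party microvisor) the guest view of the CPU
    # hides VT-x, so these Win32_Processor flags read False even on capable hardware.
    # HypervisorPresent disambiguates that case.
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $hvPresent = [bool]$cs.HypervisorPresent
    $vtSupport = [bool]$cpu.VMMonitorModeExtensions          # CPU supports VT-x/AMD-V
    $vtEnabled = [bool]$cpu.VirtualizationFirmwareEnabled    # and firmware has it switched on
    $slat      = [bool]$cpu.SecondLevelAddressTranslationExtensions

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        FirmwareType        = $firmware
        SecureBoot          = $secureBoot
        HypervisorPresent   = $hvPresent
        VtxOrAmdVEnabled    = $vtEnabled -or $hvPresent
        SLAT                = $slat -or $hvPresent
        DmaProtection       = $dmaProtection
        VbsState            = $vbsState
        HvciConfigured      = $hvciConfigured
        HvciRunning         = $hvciRunning
        CredGuardConfigured = $cgConfigured
        CredGuardRunning    = $cgRunning
        # The split the article draws: Device Guard/VBS needs UEFI + Secure Boot + SLAT,
        # whereas an isolation product that needs only VT-x/AMD-V can run on legacy BIOS.
        DeviceGuardCapable  = ($firmware -eq 'UEFI') -and $secureBoot -and ($hvSupport -or $sbSupport) -and ($slat -or $hvPresent)
        VtOnlyCapable       = $vtSupport -or $vtEnabled -or $hvPresent
    }
}

Get-VbsPosture | Format-List
```

Hosts that report DeviceGuardCapable = False but VtOnlyCapable = True are the BIOS-booted, upgraded machines the text describes. A host showing HvciConfigured or CredGuardConfigured as True with the matching Running flag False has the policy applied but not active, typically because a prerequisite in AvailableSecurityProperties is missing or a reboot has not yet happened; that gap is worth alerting on, since the protection is not actually in force.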