Security startup uses microvirtualization and hardware isolation to protect the perimeter from attacks.
According to the hordes of vendors, experts, and evangelists at last week's VMworld in San Francisco, virtualization is continuing its takeover of the enterprise, with even the network poised to go virtual. This paradigm shift creates new opportunities. One vendor looking to seize those opportunities is Cupertino, CA-based security startup Bromium. Founded in 2010, Bromium takes virtualization and applies it at the micro level for endpoint security that, if all works as the company claims, can secure enterprise networks at the macro level, from the perimeter on in.
Last week, I spoke to Bromium co-founder and CTO Simon Crosby about Bromium's microvirtualization concept. A 2007 InfoWorld Top 25 CTO, Crosby founded and served as CTO of XenSource prior to its acquisition by Citrix and then became CTO of Citrix's Virtualization and Management Division. In his opinion, traditional AV, network security appliances, and software sandboxes are all too vulnerable, while Bromium's solution is not.
The problem with most security solutions
Crosby and Bromium assert that most security solutions simply have too many vulnerabilities. Traditional antivirus (AV) relies on known virus signatures for detection and remediation, making AV useless against zero day exploits. AV also depends on patching and updating to maintain its already limited level of effectiveness. Many network security appliances, meanwhile, fail to detect advanced malware. In a recent Bromium blog post, Crosby pointed out that since these appliances often look for malicious activity, malware writers know to "wait for user interaction before they commence their attack," thereby bypassing network appliances.
And then there's the sandbox problem.
Software sandboxes—or virtual containers, depending on who's talking—have garnered some attention of late, with companies like Invincea (and, by extension, Dell DDP | Protected Workspace) and Trustware basing their solutions around the use of software to contain suspicious and malicious code. As Bromium demonstrated at Black Hat EU and Black Hat USA this year, however, sandboxes have serious vulnerabilities. One of those is a kernel mode vulnerability. "If I get you to browse to a website that feeds the kernel a poisoned font file, for example, the kernel will fail on its own, and I can just step over," Crosby told me.
That's not all, either. The other vulnerability Bromium demonstrated allows code to escape virtual containers due to a design limitation inherent in all sandboxes. "In every sandbox, there are several Windows system processes that are visible, that expose vulnerabilities. They have to be present, otherwise no application will run. So if there's a vulnerability in one of those Windows core services, you can jump from the user space to the kernel," Crosby explained. This is a "fundamental system limitation" of software sandboxes, he added.
Next page: Bromium's solution, what it costs, and who's using it
Bromium's solution: Hardware isolation of "micro-VMs"
In contrast to software sandboxes, Bromium's vSentry solution relies on hardware isolation for protection. vSentry is built on the Bromium Microvisor, a Xen hypervisor that creates "micro-VMs" for each untrustworthy task, whether that task is following a hyperlink, accessing a file, downloading an email attachment, or some other operation with the potential to endanger the endpoint and the network.
"When you click on a URL or do something else, vSentry will instantly do an in-memory, fast clone of the system, forking the entire OS" and creating a micro-VM for the task at "a minimum amount of state, pointed to memory," Crosby explained. That micro-VM only contains what's necessary for the task itself. No access to intranet, DNS, SaaS sites, or anything else that malware writers might hope to infiltrate or compromise.
"When malware shows up in the context of the task, it cannot break into the CPU," Crosby told me. He added that "we don't care about zero-days at all. They have nowhere to go. They can kill their own little slice of the system, talk to their botnet, do whatever they want—we don't care."
And vSentry's protection feels seamless. Crosby demonstrated vSentry to me by opening the console to show micro-VM creation and then clicking through links in an online list of known malware, looking for something to infect his laptop. The micro-VMs appeared nearly instantaneously—under 10 milliseconds, according to Bromium—and vanished, discarded by the system, just as quickly once each tab was closed and each task complete. I saw no compromise to end user experience.
This self-remediating, isolate-and-discard security model "empowers the user far more. The user can be on an untrusted network and the device will protect itself. Users don't always have to be on the VPN. The perimeter problem goes away when each device out in the world can protect itself," Crosby said. This may make make vSentry an attractive proposition to companies in the throes of adjusting to employees' new mobility expectations.
Threat intelligence for additional security
Those micro-VMs also serve another purpose: the collection of threat intelligence. "The moment you close that task, because we have the entire execution history of that task, we can produce an entire forensic log of exactly what happened," Crosby told me. With LAVA (Live Attack Visualization and Analysis), the company's behavioral inspection and analysis engine, security teams can look into threats, find new signatures, and fire the new intelligence "into other defensive mechanisms in the enterprise, making every endpoint device into a sensor," he said.
What vSentry costs, and who's using it
As one might expect, Bromium's solution doesn't come cheap, especially compared to traditional AV software. Crosby calls AV "a horribly commoditized business. If you look at McAfee for enterprise, they cost something like $5 per end user." In contrast, vSentry lists at $150 per end user.
"And people pay it, because we do the job," Crosby said.
Currently, Bromium's customers use vSentry and LAVA to protect high-value targets in industries like financial services (including the NYSE), government, and oil and gas. Future uses of vSentry need not be limited to the perimeter, however. Bromium focused on endpoints to avoid overlap or competition with existing hypervisor use cases, but while "this initial first use case on end user devices delivers great secure devices, you could use it anywhere," including further inside the network or cloud stack, he pointed out.
Will vSentry take the security space by storm? Named a 2013 Gartner Cool Vendor and backed by investors like Andreessen Horowitz and Intel Capital, the company doubled its customer base in the second quarter of this year. vSentry's price point might appear prohibitive for many organizations, but if Bromium can demonstrate superior protection in the face of the modern threat landscape, enterprises may find themselves ready to shell out for the benefits of microvirtualization.
Jude Chao is executive editor of Enterprise Networking Planet. Follow her on Twitter @judechao.