Risk
10/11/2012 09:06 PM
Bromium Strengthens Desktop Security Using Virtualization

Ex-Citrix CTO Simon Crosby says Bromium's vSentry technology isolates suspicious activity in a virtual machine, then identifies and flushes it when the VM is erased.

Bromium recently launched a new approach to desktop security that virtualizes end-user activities when they have the potential to bring in outside agents or malware. The move isolates and monitors potentially harmful actions and blocks suspicious activity once it is identified.

Most approaches to end-user security rely on upfront protection, such as antivirus software looking for identifiers of a virus or other malware in incoming messages. Each end-user device is loaded with protective software containing known attack signatures and then watches for them as the user connects to the Internet and performs other activity. But attack signatures can be varied more rapidly than end-user devices can be updated, and some malware creeps into the enterprise anyway, Crosby said in an interview.

A user's Windows machine, equipped with Bromium's vSentry (launched Sept. 19), relies on isolation of suspect activity, along with an ability to block its access to restricted resources and flush it out of the system, said Bromium CTO Simon Crosby, who departed from Citrix last year.

Under Bromium's approach, "You don't need to detect malware early to be protected," Crosby said in an interview.

[Want to learn more about how Bromium uses microvisors and micro virtual machines to attack security threats? See Virtualization Pioneers Crosby, Pratt Tackle Cloud Security.]

Crosby is often the public voice of a former Cambridge University research team led by Ian Pratt, which virtualized the x86 instruction set about two years after Mendel Rosenblum did at VMware. They set up a competing open source project, Xen, and then XenSource, a company to support it. XenSource was acquired by Citrix in 2007 for $500 million.

Bromium's vSentry can invoke a micro virtual machine in which to run any potentially hazardous task, such as opening an attachment to an email file or downloading programs from the Internet. If the activity shows any sign of mischief, such as trying to access a resource designated as restricted for the task involved, the process is interrupted and control over it handed off to the microvisor, a hypervisor managing a tiny virtual machine. A microvisor can launch hundreds of micro VMs simultaneously to safeguard multiple application tasks.

If a process calls on a spreadsheet to access data from a SharePoint source on the internal network, and the spreadsheet would normally be allowed to do so, the process continues. If it tries to access the Windows kernel or overwrite a DLL to enable some function that it wishes to perform, the attempt is written to a cache in the virtual machine, which makes it appear to an attacker that the attack has gone off as planned, according to information in a Bromium white paper.

But in fact, the microvisor running the process has blocked the attempt and started an event log as it assesses each further request of the process. Only those requests for files or data that meet a need-to-know standard (would this process normally need the information it is seeking?) are allowed.

Requests that don't meet the need-to-know standard are blocked, protecting restricted resources while creating a picture of what the process is seeking to do. Looking at that picture, by reconstructing the sequence of events captured in the event log, gives security administrators a clear record of what they're dealing with.

That picture results in security administrators being able "to generate the signatures of malware" on their own and add them to the list in their firewalls and intrusion detection systems, Crosby said. With vSentry, they may in some cases be doing so before their antivirus vendor or other supplier has come up with the signature.

Any attack isolated to a micro VM is flushed from the system when the micro VM is shut down. No lengthy, interdisciplinary team of security, server, and network administrators needs to be called together to try to root out the attacker or undo its damage, Crosby said.
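The per-task isolation, need-to-know policy, decoy cache, event log and flush-on-shutdown described above can be modelled in a few dozen lines. The following is an added, constructed illustration and is not Bromium's code or the vSentry design in any detail: the policy table, resource URIs and the `MicroVM` class are assumptions chosen to show the control flow (evaluate each request against what the task type normally needs, divert blocked writes into a per-VM cache the task cannot distinguish from success, record every decision, discard the cache when the VM is shut down, and hand the log to an analyst).

```python
"""Toy model of per-task isolation with a need-to-know policy.

Constructed illustration, not Bromium's code: each untrusted task runs in a
MicroVM object that checks every resource request against a policy of what
that task type legitimately needs, diverts blocked writes into a per-VM
decoy cache, records every decision in an event log, and discards the cache
when the VM is shut down.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Need-to-know policy: task type -> resource prefixes it normally needs.
# Anything not listed is restricted for that task. (Constructed sample.)
POLICY: Dict[str, Set[str]] = {
    "spreadsheet": {"sharepoint://finance/q3.xlsx", "file://~/Documents"},
    "email-attachment": {"file://~/Downloads"},
}

# Resource prefixes whose modification is diverted into the decoy cache
# rather than refused outright. (Constructed sample.)
PROTECTED_WRITES = {"kernel://", "file://C:/Windows/System32/"}


@dataclass
class Event:
    task: str
    op: str
    resource: str
    decision: str  # "allow", "block" or "divert"


@dataclass
class MicroVM:
    task: str
    events: List[Event] = field(default_factory=list)
    decoy_cache: Dict[str, bytes] = field(default_factory=dict)
    running: bool = True

    def request(self, op: str, resource: str, data: bytes = b"") -> bool:
        """Evaluate one resource request; True means the task may proceed."""
        if not self.running:
            raise RuntimeError("micro VM already flushed")
        allowed = POLICY.get(self.task, set())
        if any(resource.startswith(a) for a in allowed):
            decision = "allow"
        elif op == "write" and any(resource.startswith(p) for p in PROTECTED_WRITES):
            # The write never reaches the host; the task only sees the decoy copy.
            self.decoy_cache[resource] = data
            decision = "divert"
        else:
            decision = "block"
        self.events.append(Event(self.task, op, resource, decision))
        # A diverted write looks successful from inside the micro VM.
        return decision != "block"

    def flush(self) -> List[Event]:
        """Shut the VM down: the decoy cache vanishes; the event log survives."""
        self.running = False
        self.decoy_cache.clear()
        return list(self.events)


def reconstruct(events: List[Event]) -> List[str]:
    """Render the captured sequence as one line per event for the analyst."""
    return [f"{e.task}: {e.op} {e.resource} -> {e.decision}" for e in events]


def denied_resources(events: List[Event]) -> List[str]:
    """Resources the task tried to touch outside its need-to-know set."""
    return [e.resource for e in events if e.decision != "allow"]


def demo() -> Tuple[List[str], List[str], int]:
    """Run a spreadsheet task that behaves, then misbehaves, and flush it."""
    vm = MicroVM("spreadsheet")
    vm.request("read", "sharepoint://finance/q3.xlsx")                    # normal, allowed
    vm.request("write", "file://C:/Windows/System32/evil.dll", b"\x90")   # diverted to decoy
    vm.request("read", "kernel://token")                                  # blocked
    cached_before_flush = len(vm.decoy_cache)
    log = vm.flush()
    return reconstruct(log), denied_resources(log), cached_before_flush


if __name__ == "__main__":
    lines, denied, cached = demo()
    print("\n".join(lines))
    print("outside need-to-know:", denied, "| decoy entries before flush:", cached)
```

The `denied_resources` list is the raw material for the signature-writing step Crosby describes: it records what the process reached for that its task type should never need, independent of whether any antivirus vendor has seen the sample.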

Telling a microvisor that a resource is restricted to particular types of activity is both a human IT function and a function of intelligence built into vSentry, according to information on the Bromium website. But it is not clear how much IT effort must be invested to make vSentry work as advertised.

Bromium plans to add the Macintosh to its protected end-user systems in the future, but no date has been specified.

Comments
PJS880, User Rank: Ninja
10/16/2012 | 7:23:55 AM
re: Bromium Strengthens Desktop Security Using Virtualization
So this opens another virtual machine and runs that particular task, opening an attachment, etc. Is that machine there for good, or does a new machine get created every time a new task is performed? It sounds like a great idea to isolate and contain potentially dangerous malware. Overall, for larger corporations who have to deal with threats daily this would save a lot of time: just shut down the VM, all good.

Paul Sprague
InformationWeek Contributor