A security startup co-founded by executives from Citrix, Xen.org, and Phoenix Technologies emerged from stealth today and shed light on its new technology that employs small virtualized containers to isolate malware and prevent it from infecting the underlying operating system or other members of the enterprise network.

The goal of these so-called "micro-VMs," created by startup Bromium, is to stop attacks in their tracks at the endpoint, going on the assumption that you can't prevent users from mistakenly clicking a malicious link or opening an infected document -- and that the bad guys are bypassing perimeter defenses, so they are already inside the user endpoint, either via the browser or email inbox, for example. The idea is to make the move to BYOD, cloud, and mobility simpler for security.

Gaurav Banga, co-founder and CEO of Bromium and former CTO and senior vice president of engineering at Phoenix Technologies, says the new security firm is applying virtualization specifically for security, and in a different way.

"We are taking the latest and greatest capabilities available to us in hardware and the lessons learned in first-generation virtualization, and what we're able to do is isolate an individual task," Banga says. So visiting a Web page or opening an email attachment each would be sealed in its own micro-VM, a self-contained module that self-destructs, along with the malware, when the user goes to his or her next task, he says, and it's all invisible to the user.

[ It's more about containment now, not stopping the attacker. Relying solely on perimeter defenses is now passe -- and naively dangerous. See Damage Mitigation As The New Defense. ]

Security via virtualization isn't new. Invincea, for example, places the browser, email attachments, and PDF files in a virtual environment in order to protect the underlying system from infection: It separates the browser, attachment, and PDF from the desktop operating system in a sandbox-type setup.

Organizations increasingly are looking at virtualization as a security tool, aside from just a data center optimization strategy. Steve Durbin, global executive vice president of the U.K.-based Information Security Forum, a global nonprofit whose members include Procter & Gamble, IBM, Swisscom, and Nokia, says its members are interested in how to use virtualization technology for security purposes. "Virtualization is something our members have been looking at very keenly because it's about trying to maintain integrity in the access route. If you can virtualize, you come remove some of the user-related issues ... and access the data and protect it," Durbin says.

Bromium's Microvisor detects potentially vulnerable tasks and places them in hardware-isolated micro-VMs, which Banga describes as lightweight and invisible to the user. "The most common way to program Bromium is to say, 'Here are a bunch of applications that are safe to run because I built them and I know who the vendor is,'" Banga says. "Anything that's unknown, any piece of code, JavaScript, PDF," etc., is automatically placed into a micro-VM container while that task is under way.

"We effectively have cells that are micro-VMs based on Intel VT [technology]. You can have hundreds of micro-VMs to isolate individual vendor's tasks and the user would not see any of it" or experience any performance trade-offs, he says.

Unlike sandboxing, the technology protects the operating system as well. "A sandbox is trying to create a little Windows inside a big Windows, and the little Windows has to be compatible and more secure. That's an oxymoron ... sandboxing struggles with that," Banga says. "We do hardware isolation, and we don't care what's running in the OS."

Bromium's mantra is that its micro-virtualization approach makes PCs and mobile devices "trustworthy by design" because it automatically blocks and kills malware. Its products remain in beta for now, mostly among financial services, government agencies, and pharmaceutical companies.

Banga says Bromium focuses on allowing the user to do his or her work with a mobile device while also reducing the attack surface. "It ultimately comes down to how to build a robust system against human mistakes," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.