Three years ago, Bromium vSentry introduced the world to a new way of tackling the continual battle with malware. Don’t bother trying to detect it; don’t bother trying to patch against it. Instead, let it run, learn from it, and don’t let it do anything harmful.
As an approach to addressing the threat of malware, letting it run doesn’t sound that smart. But once you look a little closer, it becomes evident that this approach is typically superior to other alternatives. As demonstrated by the continual stream of zero-day threats, detection and patching are of only limited value. Patching, by definition, always occurs after the fact. Worse, patching is change, and all change carries with it a degree of risk. While software vendors generally do a very good job of ensuring that updates are adequately tested, there have been many high-profile examples of patches gone bad. Detection too is after the fact. Granted, it is possible to detect patterns that indicate a potential threat in advance of a specific malware signature being identified, but this approach is never 100% successful.
Of course, just letting it run is not much of a defense against malware. What vSentry does is use what Bromium calls a microvisor—a micro-hypervisor—to isolate each individual task in its own execution environment and, through that, to control access to system resources. Applying the principle of least privilege, it grants individual tasks no more rights than are necessary for them to perform their specific function; any attempt by a task to exceed its authority is trapped. The individual tasks are locked inside their own hardware-isolated micro-VMs. A set of policies governs what these are permitted to do, ensuring the tasks cannot perform unauthorized activities, which shields the rest of the environment from harm. Whenever an isolated task attempts to access system resources—files, networks, devices, or the clipboard—or to interact with the user, vSentry interrupts execution and passes control to the microvisor, which applies task-specific policies governing access. If, for example, a browser script attempts to read or write My Documents, vSentry can step in to prevent access. The script runs but is prevented from causing harm. vSentry also addresses in-memory threats. If the browser downloads and runs any malware, all disk and memory writes performed by the task are intercepted and protected through copy-on-write. Any malware that succeeds in gaining a foothold is discarded, and the defaults are restored, as soon as the task finishes executing.
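To make the mechanism concrete, here is an added toy model of the approach described above (written for this article, not Bromium's code; the `Microvisor` and `Policy` names are hypothetical). A task-specific policy mediates every resource access, writes land in a copy-on-write overlay rather than on the host, and the overlay is dropped when the task finishes, so nothing the task did persists.

```python
# Added illustration (not vSentry's implementation): per-task least-privilege
# policy, interception of resource accesses, copy-on-write, and discard on exit.
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Per-task rules: which resources the task may read and which it may write."""
    readable: set = field(default_factory=set)
    writable: set = field(default_factory=set)


class Microvisor:
    def __init__(self, host_files):
        self.host_files = dict(host_files)  # the protected system state
        self.policies = {}                  # task name -> Policy
        self.denied = []                    # audit trail of trapped accesses

    def register(self, task, policy):
        self.policies[task] = policy

    def run(self, task, actions):
        """Run a task's resource accesses inside an isolated micro-VM.

        actions: list of ("read", resource) or ("write", resource, data).
        Returns one result per action: the data read, "ok", or "DENIED".
        """
        policy = self.policies[task]
        overlay = {}  # copy-on-write layer; host_files is never modified here
        results = []
        for op, resource, *payload in actions:
            if op == "read" and resource in policy.readable:
                # Reads see the task's own writes first, then the host copy
                results.append(overlay.get(resource, self.host_files.get(resource)))
            elif op == "write" and resource in policy.writable:
                overlay[resource] = payload[0]
                results.append("ok")
            else:
                # Task exceeded its authority: trap, log, and refuse the access
                self.denied.append((task, op, resource))
                results.append("DENIED")
        # Task finished: the overlay, including anything malware wrote, is dropped
        return results
```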
Whereas vSentry addresses the challenge of letting malware run while preventing it from doing harm, Bromium’s second product, LAVA, addresses the other half of Bromium’s approach to malware. LAVA, for “Live Attack Visualization and Analysis,” does exactly what its name implies. Providing a real-time graphical representation of attacks, LAVA can uncover precise details of attacks, including who is the target, what technique is being employed, and to what end, enabling enterprise security teams to quickly analyze and take action against threats as they happen.
vSentry’s biggest weakness has been that it has lacked proper enterprise-grade management services, instead relying on group policies or XML files delivered using solutions like SCCM, Altiris, or McAfee ePO. It is not the biggest shortcoming in the world, and trivial in comparison to the problems that Bromium is here to solve, but it is nevertheless a source of friction that could slow response to fast-changing threat scenarios and potentially inhibit large-scale deployment in marginal use cases. Now, however, that is changing with the introduction of Bromium Enterprise Controller (BEC).
BEC provides all the expected policy-based management services for vSentry, with granular policy management that can be applied at group and individual levels. BEC is not just a management platform: it also publishes threat intelligence in real time to security information and event management (SIEM) systems, and it can share threat data in STIX format to enable cooperation with third parties in fighting cyber-threats.
As far as announcements go, BEC lacks the impact of either vSentry or LAVA, but it is clearly a significant milestone in Bromium’s development, enabling it to transition from science project to mainstream security platform.