Bromium release vSentry 1.1: trustworthiness for more desktops in the enterprise?

Bromium have released vSentry 1.1, which brings Bromium’s benefits of micro-virtualization and hardware-based security to a far wider range of enterprise desktops. This is the release you’ve been waiting for: and if you’ve not been waiting, this is definitely the release to consider.

We’ve spoken before about Bromium when they unveiled their micro-virtualization trustworthy security vision. Bromium’s message and focus was simple: “standard workspace security is reactive, not proactive”. Whatever you have in terms of anti-virus or malware detection is only good once a new threat is found, understood, a patch created and deployed. This poses the very important question: “what is the impact of the time delay between threat found and threat contained?”. Bromium’s goal was to dramatically reduce that chain of “and”s.

You may contest, “ah, but I can solve this workspace threat issue by making physical desktops virtual desktops”. This is not the case. We evidenced this in “Virtual desktops (VDI) are different, but not hugely better in terms of security, than physical desktops”. You do not deliver better security by simply virtualizing the desktop.

So what does vSentry v1.1 bring? How is it better than v1? What can this mean for your organisation?

What is New in Bromium vSentry 1.1?

Bromium had/have a compelling trustworthy message when v1.0 was released. To a large extent, you could take the stance that vSentry v1 didn’t need to solve an organisation’s workspace trustworthiness issue, but it did need to raise it.

This is indeed an excellent stance if you’re not overly concerned about early sales volume. Still, Bromium definitely caused a conversation and debate on what value different desktop delivery methods had in terms of trustworthiness. vSentry’s initial release had demonstrable benefit, but only on specific Intel hardware and only on a Windows x64 OS.

I’d presented the solution to a number of customers; the concept was well received, the delivery requirements less so.

In Bromium vSentry v1.1 you now have:

  • Wider OS Support: vSentry 1.1 supports Windows XP and both 32 and 64 bit versions of Windows 7, albeit the requirement that the OS runs on a device with Intel VT is still maintained, although to be fair newer devices have this capability.
  • Live Attack Visualization and Analysis (LAVA): LAVA’s focus is to provide visibility of the actual point of attack and relevant information in an actionable manner. LAVA is built on an engine that gives relational, temporal and functional evidence as the attack occurs. LAVA utilises the fact that Bromium’s vSentry provides unique advantages in analysing advanced malware targeting endpoints. Now (if they so wish) your security team can analyse the nature, timing and type of attack. Are they ad hoc attempts kicking your security tyres, or a concerted and focused attack?
  • Bromium Management Server: a centralized web service for vSentry policy management, collection of LAVA events from all desktops in the enterprise, and correlation of attack data. It also provides a centralized console for visualization and analysis of malware forensics: it collects events from all vSentry-enabled systems for input into enterprise Security Information and Event Management systems, third-party consoles such as McAfee ePO or Symantec SEP, or big data platforms such as Splunk.

“What..”, I hear you ask, “Windows XP”? Yep. “Even though Windows XP has a widely referenced EoL in 2014?” Yep.

Undoubtedly a pragmatic move from Bromium. Users don’t care about their desktop OS, they care about their data and applications. XP, or 32-bit Windows 7, is and will be a deployment consideration for many organisations. vSentry 1.0 restricted usage to x64-only deployments. With vSentry v1.1 you have wider OS deployment support, albeit still reliant on the devices having direct Intel VT support, but that is a wider deployment option than before.

What about my virtual desktops?

I read with interest that Bromium’s announcement of v1.1 also included references to Microsoft RDS, Citrix XenDesktop and VMware View. That’s interesting, I thought. A common problem for desktop/workspace delivery is that the scope starts as either mass migration to virtualised desktops or maintaining full physical desktops, when the reality, once the smoke clears, is that a mix is more relevant.

Yet Bromium’s microvisor solution relies on the device supporting Intel VT. At the time of writing, Intel VT only supports a single owner. This means that in a VDI environment each VM would be unable to have Bromium’s microvisor installed: Bromium requires ownership of VT for vSentry, but in a hypervisor-based environment that ownership already belongs to the hypervisor. In a presentation virtualisation solution, say Microsoft RDSH (to which you might have added Citrix XenApp) on physical hardware, this isn’t such a problem, although many do virtualise their RDSH environments today.
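As an added illustration of the ownership point above (my own example, not Bromium’s code): a small userland check that reads CPUID to see whether VT-x or AMD-V is reported and whether a hypervisor already sits beneath the OS, which is exactly what a VDI guest sees. The enum and function names are my own; the CPUID bit positions are the architected ones.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/clang helper; handles EBX correctly in PIC builds */
#endif

/* Outcome of the "who owns VT?" question discussed in the post. */
typedef enum {
    VT_NONE = 0,                 /* CPU reports neither VT-x nor AMD-V */
    VT_AVAILABLE = 1,            /* VT reported and no hypervisor beneath us */
    VT_OWNED_BY_HYPERVISOR = 2   /* a hypervisor is already running under this OS */
} vt_status_t;

/* CPUID.1:ECX bit 5  = VMX (Intel VT-x)
 * CPUID.1:ECX bit 31 = hypervisor present (set by VMware, Hyper-V, Xen, KVM ...)
 * CPUID.80000001h:ECX bit 2 = SVM (AMD-V) */
#define CPUID1_ECX_VMX        (1u << 5)
#define CPUID1_ECX_HYPERVISOR (1u << 31)
#define CPUID_EXT1_ECX_SVM    (1u << 2)

/* Pure decoder, so the logic can be exercised with constructed register values. */
vt_status_t vt_status_from_cpuid(uint32_t leaf1_ecx, uint32_t ext1_ecx)
{
    int vt_reported = (leaf1_ecx & CPUID1_ECX_VMX) || (ext1_ecx & CPUID_EXT1_ECX_SVM);
    if (leaf1_ecx & CPUID1_ECX_HYPERVISOR)
        return VT_OWNED_BY_HYPERVISOR;   /* VDI guest: the hypervisor holds VT */
    return vt_reported ? VT_AVAILABLE : VT_NONE;
}

/* Query the CPU we are running on. Only meaningful on x86; elsewhere report VT_NONE.
 * Caveat: firmware can disable VT-x via the IA32_FEATURE_CONTROL MSR even when the
 * VMX bit is set, and that MSR is not readable from userland. */
vt_status_t vt_status_here(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a = 0, b = 0, c = 0, d = 0;
    uint32_t leaf1_ecx = 0, ext1_ecx = 0;
    if (__get_cpuid(1, &a, &b, &c, &d))
        leaf1_ecx = c;
    a = b = c = d = 0;
    if (__get_cpuid(0x80000001u, &a, &b, &c, &d))   /* returns 0 if leaf unsupported */
        ext1_ecx = c;
    return vt_status_from_cpuid(leaf1_ecx, ext1_ecx);
#else
    return VT_NONE;
#endif
}

int main(void)
{
    static const char *names[] = { "no VT reported", "VT available", "VT owned by a hypervisor" };
    printf("%s\n", names[vt_status_here()]);
    return 0;
}
```

Run inside a XenDesktop or View guest and you get the third answer, which is the constraint the post describes; a "VT available" answer on physical kit is necessary but not sufficient, for the firmware reason noted in the comment.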

Where vSentry could be of use is on the client device (with a dedicated OS), providing protection of the end-point prior to you connecting to your hosted desktop environment or type 2 hypervisor. For example, your VPN service could require that an end-point have vSentry installed/enabled (which is now easier given wider OS support), giving you greater assurance that the device’s client software wouldn’t be compromised when that user connects to applications and data in your network. You’d then have to manage a disparate set of devices running vSentry, which is possible now with the Bromium Management Server.

For Bromium to be able to deliver a vSentry VDI option, giving greater trustworthiness in a hosted XenDesktop/View environment, Intel (or AMD) need to provide a multi-owner VT capability, or do something very clever within the hypervisors available. Christmas is coming, perhaps a time to pen a quick request to Santa: I’m confident you’ve been good. Don’t let me down.

Is Bromium vSentry the Security Solution for You?

There is far wider support for devices used in the enterprise. Still no Apple Mac solution (yet; this looks to change in 2013). Older non-VT devices aren’t supported: but really, do you have to keep running that old kit? If you’ve bought devices without VT, perhaps it is time to revisit your cost model? The concept would be very useful for hosted desktop providers, Desktone for example, who could incorporate the service into their environments, but at the moment that is some way off.

Still, a greater level of trustworthiness through wider platform support and the introduction of the Bromium Management Server and LAVA are key to managing the service and adding value to the core capability. Yes, still no direct VDI, and there are devices you may manage that still need to be considered: Macs, smartphones, tablets. That said, Bromium have a compelling message: while they have not yet solved all the trade-offs between security and management, with the broader OS support and improved management the core of your end user estate can benefit from vSentry’s trustworthy solution. Bromium’s difficulty remains convincing those who already have anti-malware/virus solutions that vSentry adds value – and here is where the analysis capabilities of LAVA will come into play, allowing a better understanding of what is going on in your organisation so that you can plan and educate rather than fire-fight and mend.