Bromium unveils micro-virtualization trustworthy security vision

One year after announcing that he and XenSource co-founder Ian Pratt were leaving Citrix to launch Bromium with former Phoenix Technologies CTO Gaurav Banga, Simon Crosby was back at the GigaOM Structure conference in San Francisco today to unveil Bromium’s micro-virtualization technology together with its plans to transform enterprise endpoint security. Bromium, despite the occasional blog post calling into question the security limitations of current desktop virtualization solutions and despite today’s announcement of the Bromium Microvisor, has very little to do with desktop virtualization. Desktop virtualization, whether it be VDI, IDV or anything in between, is a management technology, a means of getting an appropriately specified endpoint configuration in front of the user. Bromium has set itself a bigger challenge, one that is applicable to every endpoint and every operating system – the extension of the precepts of trustworthy computing to mainstream operating systems.

The Committee on Information Systems Trustworthiness’ publication, Trust in Cyberspace, defines such a trustworthy system as one which

does what people expect it to do – and not something else – despite environmental disruption, human user, and operator errors, and attacks by hostile parties. Design and implementation errors must be avoided, eliminated, or somehow tolerated. It is not sufficient to address only some of these dimensions, nor is it sufficient simply to assemble components that are themselves trustworthy. Trustworthiness is holistic and multidimensional.

This is a challenging goal, not least because Bromium does not own the operating system(s) on which it intends to operate, but if successful it has the potential to transform both IT security and IT operations, and not just on the endpoint.

Bromium’s products are built on the Bromium Microvisor™ – which Bromium describes as a second-generation virtualization technology that applies the isolation and security principles of virtualization to tasks running within the operating system of a PC or mobile device – completely hidden from the user, who enjoys an unchanged native desktop user experience. The Microvisor automatically identifies vulnerable tasks and isolates them using Intel hardware-assisted virtualization (Intel VT), controlling access to all OS services and resources and automatically blocking and discarding threats as they occur. The removal of the dependency on anti-malware signatures and patches creates a significant opportunity for change to IT operations. The continual escalation of the malware cycle – threat, attack, detect, block, new threat … – will no longer apply. A Bromium-protected desktop does not need to know the threat signature or heuristic identifier to provide a high degree of assurance that any threat can be contained. Patching will no longer be the priority it is today, leading to lower operational overhead and improved system availability. Even with the best will in the world, anti-malware signature updates and patches are not immune to the unwanted consequences of change; there have been numerous recorded instances where widespread failures have been directly traced back to inadequately tested malware countermeasures.

Bromium’s beta customers are currently deploying the Bromium Microvisor in conjunction with conventional anti-malware solutions; however, in the future it may be possible to dispense with conventional anti-malware tools altogether. Having said that, this change will not come overnight; adjusting to a trustworthy computing approach is not without challenges. Not only does the core technology come with a considerable learning curve, but IT organizations that measure the success of their anti-malware efforts by the number of times threats are detected, and the success of their remediation efforts by patching volume or service restoration time following threat detection, will need to rethink their success factors as they adjust to trustworthy computing.

One advantage that Bromium can provide is significantly greater flexibility of response in dealing with malware infections. One of the challenges of addressing zero-day threats is the difficulty of identifying them and developing appropriate countermeasures. Dedicated systems, called honeypots, need to be put in place that can be exposed to threats, infected, and investigated; something that few organizations can afford. Bromium’s technology allows any organization to choose between harmless containment and eradication, knowing that under either circumstance the threat can do no harm. The very nature of this change effectively democratizes malware detection, giving any organization that chooses to do so the opportunity to participate without the need to dedicate sophisticated systems to the process.

Bromium’s initial focus will be on enterprise Windows desktops, but it doesn’t have to stop there. Not only are Bromium’s core trustworthy computing technologies equally applicable to any mainstream operating system, but they can be applied equally well to any platform with hardware-assisted virtualization: mobile, data center, and cloud services platforms, and they could well extend to the high-value industrial control and SCADA systems that have been the source of significant high-profile incidents.

Bromium’s decision to focus its initial efforts on desktop computing makes sound sense. Cloud computing may be seeing the lion’s share of publicity, but with over 800 million enterprise desktops worldwide, each with over 50 million lines of code to exploit, the enterprise desktop is by far the largest target for the malware industry and in the greatest need of additional protection. At the same time, the anti-malware business is ripe for disruption. Trend lines suggest that the leading edge of security innovation lies with malware developers and not with countermeasure developers. In some respects, the changes presaged by the Bromium view of trustworthy computing are already underway. The rapid growth of the zero-day exploit sales business, where a single iOS exploit might change hands for $250,000, will inevitably see well-documented zero-day attacks being used for purposes beyond their original intent, at which point no amount of conventional anti-malware protection in the world will make a difference.

Yesterday, Google revealed new analysis of five years’ worth of data gathered by its Safe Browsing service. The overall number of infected sites peaked in 2009; however, this good news was offset by more disturbing news of a resurgence in dedicated attack sites. At the same time, the number of phishing sites has also risen dramatically, with over 300,000 new sites being found each month in Q1 2012, compared to only a few thousand sites being identified each month five years ago.