Q&A with Tal Klein of Bromium
VSM: Could you give an overview of Bromium and what you’ve been doing since launching last June?
TK: We’ve been busy building the Bromium Microvisor! Bromium’s micro-virtualization technology will secure enterprise desktops and user access to enterprise and cloud hosted applications by protecting corporate data at all times and deflecting advanced persistent threats. It will empower users without increasing risk, and enable IT to securely navigate the challenges posed by tech-savvy employees who are mobile and mix consumer and work activities on the same device.
Bromium micro-virtualization will enable users to safely access untrusted data, applications, networks and media. Our revolutionary architecture is built with the assumption that users will make mistakes, and that advanced malware will be undetectable. Bromium micro-virtualization will guarantee that an attacker could not gain access to sensitive data or applications, or persist an attack, even on PCs that have not been patched.
VSM: What is the Bromium Microvisor™ and how does it differ from a hypervisor?
TK: Bromium’s products are built on the Bromium Microvisor – a second-generation virtualization technology that applies the isolation and security principles of virtualization to tasks running within the operating system - completely hidden from the user. The Microvisor automatically identifies each vulnerable task and instantly isolates it within a micro-VM, which is a lightweight, hardware-backed isolation container that polices access to all OS services and resources. Micro-VMs run natively, with full performance, but continuously protect the system – even from unknown threats: A micro-VM can only access OS services or devices via simple enlightenments which cause the virtualization hardware to pause execution of the micro-VM and hand control to the Microvisor, which enforces access control.
A hypervisor virtualizes whole OSes, and the Bromium Microvisor isolates tasks in a single Windows instance, without VMs.
VSM: What can we expect to see from Bromium? When will your product be available?
TK: We’re in beta now, but micro-virtualization is more than a product. We’re announcing a new trustworthy computing architecture upon which we will be building products across platforms and devices.
VSM: What sets Bromium apart from other security solutions available for the desktop?
TK: Legacy security solutions attempt to detect and block malware using signatures or behavioral analysis. This black-listing approach can only detect known threats and fails to stop sophisticated malware that is used for today’s targeted attacks. White-listing - allowing only trusted applications, such as a corporate browser or PDF reader - is ineffective because attackers take advantage of the fact that enterprises are slow to update their software, and use malicious content and documents to exploit supposedly trustworthy applications.
The “whack a mole” approach to creating a new signature or patch to detect and block the latest attack, or developing a new security product for a new kind of vulnerability is unsustainable. The security industry needs to address the fundamental shortcomings of the current approach, and adopt a new architecture that transforms computer systems into trustworthy endpoints that are secure by design.
Bromium micro-virtualization offers a completely new approach to endpoint security that relies on isolation rather than detection and blocking of threats. Malware isolated by micro-virtualization is unable to steal data or access either the Windows system or corporate network and is automatically discarded when the web session or document is closed by the user.
Bromium micro-virtualization is designed to defeat the foundations of malware. Each micro-VM is optimized and provisioned for the specific task at hand and is hardened against the installation of malicious code. Today’s software presents millions of lines of code and a seemingly infinite number of possible interactions and vulnerabilities that hackers exploit to gain control of a system. Bromium delivers significant attack-surface reduction as a direct result of micro-virtualization, which delivers an inherently more secure platform for running risky tasks.
If unknown malware does manage to exploit the application performing the protected task, only that single short-lived task will be compromised. Malware cannot gain access to other applications or tasks, the OS itself, the protected file system, the corporate network, or enterprise SaaS applications. Since each task is run in a hardware-isolated, hardened and independent container within the OS environment, threats can’t propagate and compromised sessions can’t be used for surveillance or to launch attacks on other systems in the network. Malware is not allowed to persist and is automatically removed on closing the web browser tab, document or attachment.