Bromium mobilises endpoints to fight cyber attacks

Bromium evolves its micro-virtualisation security technology to gather threat intelligence from endpoints and automate checks and responses across an enterprise

Virtualisation-based security firm Bromium is enabling organisations to turn their traditionally weak endpoints into sources of security intelligence.

According to the company, its Bromium Secure Platform offers a complete departure from the traditional detect-to-protect approach to security.

The platform is an evolution of Bromium’s micro-virtualisation technology that was developed to enable users to open any executable file, document or web page without fear.

According to Vanson Bourne research commissioned by Bromium, 85% of 400 CIOs polled in the UK, US and Germany said users are the weakest link in security, ignoring or forgetting the education, policies and procedures enterprises have put in place to prevent risky behaviour.

The core Bromium technology works by assuming all internet tasks are untrusted and automatically putting each task into its own virtual machine or micro-VM, which is destroyed when the task is completed.

If an attack occurs during any of these tasks, the malware remains contained and isolated inside the micro-VM, unable to escape and access any system or network resource.

Bromium claims this approach has no effect on user experience or performance and provides 100% protection from malware as it does not rely on any “detection” capability.

This approach is now open to most organisations as almost all are using endpoint devices with processors (CPUs) that support micro-virtualisation with third-generation virtualisation extensions, according to Ian Pratt, co-founder and president of Bromium.

“We have worked with CPU suppliers Intel, AMD and more latterly ARM about building in features which enable high-performance, more secure virtualisation by making the CPU understand about running VMs and have it do the hard work of providing that protection,” he told Computer Weekly.

Using micro-VMs, said Pratt, means that organisations can let ransomware and other malware run because attackers have nowhere to hide and nothing to steal.

“Because the malware is isolated in the micro-VM, it cannot steal password hashes and other credentials or access any file systems,” he said.

Defending the enterprise

The Bromium Secure Platform strengthens defences further by using threat intelligence gathered on the endpoint to defend the enterprise at large.

This means an organisation’s endpoints work like an army of connected informants, providing intelligence on real and imminent threats through the Bromium Sensor Network.

“The platform combines our patented hardware-enforced containerisation with a distributed machine learning Sensor Network to protect across all major threats and attack types,” said Pratt.

“This removes the guesswork associated with other threat intelligence systems because the micro-VM produces high-fidelity alerts with full kill-chain analysis.

“Organisations can effectively stand outside the micro-VM and see how malware works, analyse attacks targeting them and collect evidence of how effective the technology is in defending against attacks,” he said.

In the case of ransomware, for example, organisations can see how the type of ransomware targeting them attempts to evade detection, how it escalates its privileges, how it generates encryption keys, how it persists and how it connects to its command and control servers.

Indicators of compromise

The platform also helps identify and stop insider attacks, said Pratt, by monitoring all user tasks and processes on the host to identify malicious insider activity and file-less threats such as PowerShell attacks.

“In a completely automated fashion, we can see the modus operandi of the attack and the indicators of compromise [IoCs],” said Pratt.

“If you are fully deployed with micro-virtualisation across your entire estate, you have a nice report, but there is nothing to do. If, however, you are only 50% deployed, you now have actionable threat intelligence that enables you to search your other machines for specific IoCs,” he said.

The platform, said Pratt, enables organisations to automate the search across the whole organisation for IoCs identified by the endpoints that have micro-VMs deployed.

In some organisations this has produced interesting results, he said, where PCs have been found to have connected to command and control servers, but are otherwise clean.

“The only conclusion we can draw is that users have inadvertently infected their PCs with ransomware, but have paid the ransom to restore the machine without informing the company,” said Pratt.

The platform enables organisations to automate responses to IoCs, such as blocking connections to command and control servers or other malicious sites.
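The hunt-then-respond loop described above (IoCs reported by micro-VM-protected endpoints, searched for across the rest of the estate, then blocked) as an added illustration that is not Bromium's code. The IoCs, host names and log lines are constructed placeholders, and the deny rule is a generic form rather than any product's syntax.

```python
"""Constructed example: hunting micro-VM-reported IoCs across an estate's outbound logs."""
from collections import defaultdict

# IoCs as they might be reported by micro-VM-protected endpoints (constructed placeholders).
IOCS = {"c2.example.invalid", "dropper.example.invalid"}

# Hosts that already have micro-virtualisation deployed (constructed).
PROTECTED_HOSTS = {"pc-01", "pc-02"}

# Constructed outbound proxy log: "<timestamp> <host> <destination> <status>".
LOG_LINES = [
    "2017-03-01T09:00:01Z pc-01 c2.example.invalid 200",       # contained inside a micro-VM
    "2017-03-01T09:05:12Z pc-07 c2.example.invalid 200",       # unprotected host: actionable
    "2017-03-01T09:06:40Z pc-07 updates.example.invalid 200",
    "2017-03-01T09:10:33Z pc-11 dropper.example.invalid 404",
    "2017-03-01T09:11:00Z pc-02 dropper.example.invalid 200",
    "malformed line",
]

def parse_line(line):
    """Split one log line into (host, destination); return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[1], parts[2]

def hunt(lines, iocs, protected_hosts):
    """Map each unprotected host to the IoC destinations it contacted.

    Hosts with micro-VMs deployed are skipped: a hit there was isolated, so there
    is nothing to act on (the "nice report, but nothing to do" case)."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, dest = parsed
        if dest in iocs and host not in protected_hosts:
            hits[host].add(dest)
    return dict(hits)

def block_rules(hits):
    """Derive one outbound deny rule per contacted IoC (generic form, not a product's syntax)."""
    dests = sorted({d for ds in hits.values() for d in ds})
    return [f"deny outbound to {d}" for d in dests]

if __name__ == "__main__":
    found = hunt(LOG_LINES, IOCS, PROTECTED_HOSTS)
    for host, dests in sorted(found.items()):
        print(f"{host}: contacted {', '.join(sorted(dests))} - investigate and re-image if needed")
    print("\n".join(block_rules(found)))
```

Hosts flagged by `hunt` are the "otherwise clean" machines Pratt mentions: they contacted a known C2 address without micro-VM containment and need investigation, while the deny rules give the automated response.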

Helping security teams

“In addition to taking the blame away from users, we need to stop over-burdening our security teams too,” said Pratt.

“They are drowning in data, using heuristics that – at best – detect known threats. Instead, arm your people with the tools needed to protect the enterprise at large while allowing your users more freedom to be productive and get their jobs done.

“That means being realistic about users and lifting the restrictions, protecting the endpoint from intrusion using isolation, giving your SOC [security operations centre] team high fidelity alerts and gathering meaningful intelligence to defend the enterprise at large,” he said.
