At Citrix, Pratt concentrated on developing XenDesktop and XenServer for general public use. He was asked to explore how virtualization could be used to solve security challenges faced by some of the most sensitive government agencies. To keep information securely compartmentalized, different information repositories are frequently kept on physically separate systems and networks, so that compromise of one system cannot lead to compromise of another. Although secure, this is very inconvenient for the users. “We were able to give them accessibility from a single device—desktop, laptop, tablet—using a hypervisor to provide strong isolation between the different sources,” comments Pratt.
Citrix took this concept of endpoint isolation to the commercial market, running two virtual machines (VMs) on a single physical machine. The idea was to allow enterprises to provide users with a personal VM that the user can use and customize as they wish, and an enterprise VM that the enterprise security team would “lock down” with all the various security controls and products available to them – far more than the user would normally tolerate. However, it became apparent in customer deployments that, even using the best available security products in the strictest configuration, the enterprise VM was still becoming compromised with malware – detection had failed.
We created a situation, where there is nothing to steal and nowhere to go and no way to persist, which spectacularly rendered malware impotent
In 2011, Pratt, along with Simon Crosby and Gaurav Banga, founded Bromium. The vision of the firm was to develop a different approach to cybersecurity, one that delivered protection through isolation rather than relying on detection, and hence could defeat even polymorphic and truly novel malware. Bromium developed a revolutionary new approach called micro-virtualization, where a new VM is created for every task that the user performs -- every document, website, email message etc. runs in its own VM. Hence, if a given website or document turns out to be malicious, the attack cannot spread outside of the VM for that particular task. Once the task completes, any malware is discarded along with that VM, and a new VM is created for the next task. “We created a system, where there is nothing for malware to steal, nowhere for it to migrate to, and no way for it to persist; we have rendered malware impotent,” says Pratt. In addition, when malware is running in a VM, Bromium is able to record its execution, providing hugely valuable threat intelligence about the latest attack techniques.
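The per-task isolation described above comes down to three properties: each task sees a shared, read-only base image; everything the task writes lands in a private copy-on-write layer; and that layer is thrown away when the task ends, leaving only an execution record. The following is an added conceptual model of those semantics, written for this article and not Bromium's code: the `MicroVM`, `Host` and `GOLDEN` names, the file paths and the attacker behaviour in `malicious_document` are all constructed for illustration, and the model stands in for a hypervisor with an in-memory dictionary rather than a real VM.

```python
"""Added conceptual model of per-task micro-VM isolation (not Bromium's code).

A read-only golden image is shared by every task; each task runs in a fresh
copy-on-write overlay. Reads fall through to the golden image, writes and
deletes land only in the overlay, and the overlay is discarded when the task
ends. Every operation is recorded, modelling the "record its execution"
threat-intelligence point from the text. All names and paths are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Image = Dict[str, bytes]
Trace = List[Tuple[str, str]]  # (operation, path) pairs kept as threat intel


@dataclass
class MicroVM:
    """One throwaway VM for one task: a copy-on-write view over a shared base image."""
    task: str
    base: Image                                       # shared, never mutated
    overlay: Image = field(default_factory=dict)      # this task's private writes
    whiteouts: Set[str] = field(default_factory=set)  # paths the task deleted
    trace: Trace = field(default_factory=list)
    alive: bool = True

    def _guard(self) -> None:
        if not self.alive:
            raise RuntimeError(f"micro-VM for {self.task!r} was discarded")

    def read(self, path: str) -> Optional[bytes]:
        self._guard()
        self.trace.append(("read", path))
        if path in self.whiteouts:
            return None
        return self.overlay.get(path, self.base.get(path))

    def write(self, path: str, data: bytes) -> None:
        self._guard()
        self.trace.append(("write", path))
        self.whiteouts.discard(path)
        self.overlay[path] = data  # the golden image is never touched

    def delete(self, path: str) -> None:
        self._guard()
        self.trace.append(("delete", path))
        self.overlay.pop(path, None)
        self.whiteouts.add(path)

    def listdir(self) -> Set[str]:
        self._guard()
        return (set(self.base) | set(self.overlay)) - self.whiteouts

    def discard(self) -> Trace:
        """End of task: drop every change, keep only the execution record."""
        self.alive = False
        self.overlay.clear()
        self.whiteouts.clear()
        return list(self.trace)


class Host:
    """Stands in for the hypervisor: spins up one MicroVM per task and keeps the traces."""

    def __init__(self, golden_image: Image) -> None:
        self.golden = dict(golden_image)
        self.intel: List[Tuple[str, Trace]] = []

    def run_task(self, name: str, workload: Callable[[MicroVM], object]) -> object:
        vm = MicroVM(task=name, base=self.golden)
        try:
            return workload(vm)
        finally:
            self.intel.append((name, vm.discard()))  # VM is gone, record survives


# Constructed golden image: only what the task needs, no credentials to steal.
GOLDEN: Image = {
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    "C:/Users/alice/Documents/report.docx": b"quarterly numbers",
}


def malicious_document(vm: MicroVM) -> Optional[bytes]:
    """Constructed hostile task: tampers, tries to persist, tries to steal."""
    vm.write("C:/Windows/System32/drivers/etc/hosts", b"0.0.0.0 update.example\n")
    vm.write("C:/Users/alice/AppData/Roaming/persist.exe", b"MZ...")
    vm.delete("C:/Users/alice/Documents/report.docx")
    return vm.read("C:/Users/alice/.ssh/id_rsa")  # absent from the image: nothing to steal


def next_clean_task(vm: MicroVM) -> dict:
    """The following task sees the golden image exactly as it was."""
    return {
        "persistence_survived": "C:/Users/alice/AppData/Roaming/persist.exe" in vm.listdir(),
        "hosts": vm.read("C:/Windows/System32/drivers/etc/hosts"),
        "report_present": vm.read("C:/Users/alice/Documents/report.docx") is not None,
    }


def demo() -> dict:
    host = Host(GOLDEN)
    stolen = host.run_task("open malicious.docx", malicious_document)
    after = host.run_task("open report.docx", next_clean_task)
    _, trace = host.intel[0]
    return {
        "stolen": stolen,
        "persistence_survived": after["persistence_survived"],
        "hosts_restored": after["hosts"] == GOLDEN["C:/Windows/System32/drivers/etc/hosts"],
        "report_present": after["report_present"],
        "golden_untouched": host.golden == GOLDEN,
        "recorded_ops": [op for op, _ in trace],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the three properties at once: the hostile task's edits to `hosts`, its dropped `persist.exe` and its deletion of the report are all gone by the time the next task starts, the golden image is byte-for-byte unchanged, and the host still holds the full `write/write/delete/read` trace of what the task attempted. A real hypervisor enforces the same separation with hardware memory and disk isolation rather than a dictionary, but the discard-on-completion and record-everything semantics are the same.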
Bromium’s approach can also be used to run an organization’s most valuable applications and data within VMs, providing robust protection even if the physical machine is already compromised or the user or administrator has malicious intent. In conclusion, Pratt says, “Not having to rely on the security of applications or even the operating system because you know it is going to be in one of these VMs has certainly changed the game, and it has radically improved the security posture of our customers.”
Bromium Announces Protected App®, New Product Offering to Isolate and Secure Critical IP
Bromium®, Inc., the pioneer and leader in virtualization-based endpoint security that stops advanced malware attacks via application isolation, has announced the release of Protected App®, which allows organizations to establish robust, end-to-end protection around their critical IP and high-value assets (HVA). Protected App will address the challenges of a shrinking security perimeter, and the loss of trust many organizations have experienced after constant breaches compromising their networks.
Bromium Protected App safeguards organizations’ intellectual property (IP) and HVAs from threats such as keylogging, screen capture, memory tampering, and man-in-the-middle attacks, with sensitive applications walled off from the endpoint.
“Organizations have been fighting an ongoing cyber battle, but they have been let down by layered defenses failing to stop or slow down attacks. This failure has resulted in organizations feeling like they can’t trust their own networks or endpoints, which has forced them to move high-value services and IP off the network and restrict access,” commented Robert Bigman, Former CISO of the CIA. “Protected App can be used by organizations to enable trusted client access for employees and third-party partners to your intellectual property from their ‘dirty’ networks and endpoints, without ever having to worry about their security posture.”
“Zero Trust as a concept is solid, but in practice it’s become a real barrier to user productivity,” comments Gavin Hill, VP Product & Strategy, Bromium. “Some organizations deploy second PCs that employees must use if they want to access critical IP, which doubles hardware costs and restricts workflow. It’s clear that we need a new approach to Zero Trust that secures networks and applications but doesn’t affect workflow.”
Protected App is the first to use hardware-enforced virtualization on the endpoint, below the operating system (OS), ensuring total isolation for applications from the operating system while securing the network connection to server applications hosting critical IP. “Protected App builds a wall around remote and virtual desktop applications on the endpoint, allowing employees to access sensitive applications without the need to use a second PC or risk infection from a compromised endpoint or network,” explains Hill.
This allows users to work seamlessly between their endpoint and sensitive applications, even if the host PC has been compromised. To the end user, all activity is performed on their endpoint. This means they can work as they always do, but the connection to the sensitive data and IP is running completely isolated in a micro virtual machine (VM), which the host OS cannot see.
Bromium Protected App will defend organizations from:
• Keylogging – keystrokes in Protected App are invisible to the host and the host cannot inject keystrokes into Protected App
• Man-in-the-middle – as the connection from client to server is across a secured VPN connection
• Kernel exploits – as the VM is independent of the OS, kernel exploits of the Windows host will not impact Protected App
• Memory tampering – the protected VM running Protected App is walled off from the host PC making it impossible to access the memory
• Disk tampering – the protected VM running Protected App is walled off from the host PC making it impossible to access the disk and the disk is encrypted
• Screen capture – prevent remote access tools from capturing or recording users’ screens
• Registry updates – as the root of trust is below the OS, kernel exploits of the Windows host will not impact Protected App
• Prevent copy & paste, downloading, printing and screen capture exploits
Hill concludes, “The security perimeter is shrinking, and the old castle and moat concept of security is dead. Even if you do trust your own network and devices, remote working, cloud computing and the connected economy all mean that your apps and data are going to be accessed from environments you have no control over and can’t trust. Our vision for Protected App is all about making this access frictionless and secure.”