Simon Crosby, Co-founder and Chief Technology Officer of Bromium, spoke with me recently about his company and the technology it has developed. I was eager to hear what Simon had to say because I knew it would be interesting, clever and a different, and very useful, view of technology. I've spoken with him many times in the past when he was with XenSource and later with Citrix. As with Bromium, the Xen hypervisor is at the core of what Simon was presenting.
What Bromium has to say about its technology
Bromium is delivering truly revolutionary enterprise security solutions with both vSentry® and LAVA. vSentry uses Intel® CPU features for virtualization and security to automatically hardware-isolate each Windows task that accesses the Internet or untrusted documents. Its architecture guarantees that all advanced targeted attacks will be defeated and automatically discarded when the task is completed. In addition, LAVA automates live attack visualization and analysis — giving security analysts unparalleled insight into attacks when they occur.
Our innovative solutions — which include vSentry deployed at the endpoint and LAVA (Live Visualization and Attack Analysis) deployed in the security operations center (SOC) — are built around the Bromium Microvisor, which leverages virtualization hardware built into modern Intel-powered devices to instantly create hardware-isolated micro-VMs for each end user task.
Bromium products are designed to deal with the inescapable realities of vulnerable software and targeted, persistent attacks that trick users into executing malware that is impossible to detect or prevent using traditional tools. If an attack occurs within a hardware-isolated micro-VM, it automatically remains isolated from CPU, memory, storage, device access and network access. When the user task is terminated, any malware is automatically destroyed.
Bromium has developed a very lightweight implementation of the Xen hypervisor, light enough that it can be used to create what the company calls "microenvironments." These micro virtual machines execute using Intel's latest hardware-based protection to protect Windows functions and processes.
Here's how Bromium visualizes this concept:
Functions are isolated into separate microenvironments that are strictly and meticulously controlled. Any attempts to insert malicious code, reach beyond allocated memory or execute unauthorized functions appear to work, but will not have an effect outside of its microenvironment. All attempts to violate guidelines are reported and analyzed.
As Simon was describing what Bromium's technology does, I was reminded of how ships are designed. Everything is in separate compartments. If one compartment is compromised, there is little to no impact on the rest of the ship.
Documents, presentations, spreadsheets, other external forms of content or executable images are marked as untrusted. Any use of these items is executed in an untrusted microenvironment. Untrusted applications may be executed and content can be viewed, edited and stored without fear that their use could compromise system security.
As with other conversations I've had with Simon, I was left thinking how simple this idea is and how wickedly difficult it would be to implement. I think that it is revolutionary and could change how organizations think about securing Windows desktops and servers. If security is a concern, I would recommend learning more about the company and what it is doing.