Startup Wraps User Tasks In Virtual Containers

Bromium announces micro-VM technology that protects the OS, network, from users security missteps

A security startup co-founded by executives from Citrix, Xen.org, and Phoenix Technologies emerged from stealth today and shed light on its new technology that employs small virtualized containers to isolate malware and prevent it from infecting the underlying operating system or other members of the enterprise network.
The goal of these so-called micro-VMs, created by startup Bromium, is to stop attacks in their tracks at the endpoint, going on the assumption that you cant prevent users from mistakenly clicking a malicious link or opening an infected document -- and that the bad guys are bypassing perimeter defenses, so they are already inside the user endpoint, either via the browser or email inbox, for example. The idea is to make the move to BYOD, cloud, and mobility simpler for security.
Gaurav Banga, co-founder and CEO of Bromium and former CTO and senior vice president of engineering at Phoenix Technologies, says the new security firm is applying virtualization specifically for security, and in a different way.
We are taking the latest and greatest capabilities available to us in hardware and the lessons learned in first-generation virtualization, and what were able to do is isolate an individual task, Banga says. So visiting a Web page or opening an email attachment each would be sealed in its own micro-VM, a self-contained module that self-destructs, along with the malware, when the user goes to his or her next task, he says, and its all invisible to the user.
[ Its more about containment now, not stopping the attacker. Relying solely on perimeter defenses is now passe -- and naively dangerous. See
Damage Mitigation As The New Defense
. ]
Security via virtualization isnt new. Invincea, for example, places the browser, email attachments, and PDF files in a virtual environment in order to protect the underlying system from infection: It separates the browser, attachment, and PDF from the desktop operating system in a sandbox-type setup.
Organizations increasingly are looking at virtualization as a security tool, aside from just a data center optimization strategy. Steve Durbin, global executive vice president of the U.K.-based Information Security Forum, a global nonprofit whose members include Procter & Gamble, IBM, Swisscom, and Nokia, says its members are interested in how to use virtualization technology for security purposes. Virtualization is something our members have been looking at very keenly because its about trying to maintain integrity in the access route. If you can virtualize, you come remove some of the user-related issues ... and access the data and protect it, Durbin says.
Bromiums Microvisor detects potentially vulnerable tasks and places them in hardware-isolated micro-VMs, which Banga describes as lightweight and invisible to the user. The most common way to program Bromium is to say, Here are a bunch of applications that are safe to run because I built them and I know who the vendor is, Banga says. Anything thats unknown, any piece of code, JavaScript, PDF, etc., is automatically placed into a micro-VM container while that task is under way.
We effectively have cells that are micro-VMs based on Intel VT [technology]. You can have hundreds of micro-VMs to isolate individual vendors tasks and the user would not see any of it or experience any performance trade-offs, he says.
Unlike sandboxing, the technology protects the operating system as well. A sandbox is trying to create a little Windows inside a big Windows, and the little Windows has to be compatible and more secure. Thats an oxymoron ... sandboxing struggles with that, Banga says. We do hardware isolation, and we dont care whats running in the OS.
Bromiums mantra is that its micro-virtualization approach makes PCs and mobile devices trustworthy by design because it automatically blocks and kills malware. Its products remain in beta for now, mostly among financial services, government agencies, and pharmaceutical companies.
Banga says Bromium focuses on allowing the user to do his or her work with a mobile device while also reducing the attack surface. It ultimately comes down to how to build a robust system against human mistakes, he says.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Startup Wraps User Tasks In Virtual Containers