Q&A: Interview with Bromium Talking Malware and Security Trends

I recently had the opportunity to speak with Gaurav Banga, CEO of Bromium.  While at VMworld, VMblog had a chance to catch up with Simon Crosby during a video interview to find out what Bromium was announcing at the time and what the company had been up to.  And then two days ago, Tal Klein of Bromium submitted a great set of predictions for 2013.

Given the chance to talk malware and security trends with the CEO of this very interesting company, I jumped at the opportunity.  Here is our conversation:  

VMblog:  Let's jump right in.  Why do you believe malware detection systems are becoming increasingly incapable of protecting us against IT security breaches?

Gaurav Banga:  Businesses have relied on information security technologies and malware detection mechanisms in order to prevent attackers from penetrating IT infrastructure and stealing information. All existing technologies rely on knowing the definition of "bad" a priori in order to protect. This methodology is implemented in existing security products as signatures, firewall or blacklist rules, behavioral models for malware, etc. Existing technologies are thus incapable of defending against modern attacks that exploit operating system and application vulnerabilities before signatures or updated models can be created and distributed.

Detection-based systems detect new malware much too late, leading to stolen corporate documents, or worse, a compromised corporate infrastructure.

VMblog:  And what IT security threats exist today versus years past?

Banga:  Today's users rely heavily on the Internet (Cloud) to accomplish their daily activities. Users are also very mobile, and increasingly "social". Our user today is very easy to target, because they interact with the world outside the enterprise so much and in so many ways.

The security model that IT has to implement has to go around so many different types of programs and content that the user uses, often without wanting IT to know - in a personal context, and often in a context where IT can exercise no control without locking down the user.

Attackers take advantage of users who exchange information with other users through email and the web, and try to use applications on the Internet. In straightforward ways, an attacker can design his malware to bypass even state-of-the-art detection systems and trick the user into letting him in. The more personal information available on the Internet, the easier it is to target users.

VMblog:  If malware detection tools are becoming a thing of the past, what are your thoughts on the security trends of the future?

Banga:  Since every existing security technology relies on the detection of threats, they are incapable of blocking attacks that have never been seen before.  It is important to remember that next-generation malware is persistent, utilizing organizational data available on social networking sites and elsewhere on the Internet to create these highly targeted attacks aimed at users who are easily reachable through web and email. With that in mind, we must be forward thinking and design our security strategy with the assumption that the bad guy will get in.

That single assumption will start most organizations along a completely different path than they are today. We need to think in terms of hard isolation of the different compute contexts for the enterprise and for users, and implement effective isolation between those contexts in a way that makes sense and is highly usable.

VMblog:  How do advanced persistent threats measure up against spear phishing attacks and other threats against the enterprise?

Banga:  Advanced persistent threats are much more devious than any other type of threat because they target the user in order to compromise the enterprise. APTs prey on unsuspecting users by appearing as legitimate websites, emails and documents that trick those users into letting the attack in and escalating privilege, thus compromising the corporate desktop. This is then used as a launch pad to attack and compromise the enterprise infrastructure and information.  As more and more of our personal information becomes available on the Internet, it becomes easier to target users individually, with a higher likelihood that they will click the bad link or open the poisoned attachment. Who among us wouldn't open an attachment or follow a web link that appears to be from our manager or a trusted collaborator?

Once in, an APT can stealthily propagate through the enterprise, can access enterprise information, and can stay hidden for a long time by continuously transforming itself.  APTs are also increasingly aware of the various nuances of enterprise user behavior - such as the fact that there is very likely no hard outbound firewall active when a user is at home - and use such methods to exfiltrate enterprise information without being discovered.  A typical APT infection can go undetected for hundreds of days, and the cost of the breach to the enterprise is nearly impossible to estimate.

VMblog:  Is there one way to protect against the increasing number of security attacks penetrating enterprises today?

Banga:  We will always have to continue evolving security solutions - our adversary will continue to evolve their attacks and exploit vulnerabilities we didn't know we had. That is why Bromium has taken a vastly different approach to advanced persistent threats than other security solutions.

We use hardware-enforced isolation to contain and discard threats, even undetectable attacks, without disrupting the user, therefore automatically defeating malware. Our product, vSentry, is built on our security-focused Microvisor, which automatically, instantly and invisibly hardware-isolates each vulnerable Windows task in a micro-VM. This stops all attacks from gaining access to the endpoint, enterprise data or network infrastructure.

VMblog:  What else can we expect to see coming from Bromium?

Banga:  Currently vSentry runs on Windows 7 and comes with core management support for deployment within the typical enterprise. Expect to see greater platform support in the very near future. We are also adding enhanced intelligence and capabilities into our LAVA micro-VM introspection feature-set, which will allow security teams to dissect the "long tail" and intent of an attack by allowing it to run to its logical conclusion without risk to the corporate information or infrastructure.


Once again, I'd like to thank Gaurav Banga, CEO of Bromium, for taking time out to speak with VMblog. 

Published Thursday, November 15, 2012 6:21 AM by David Marshall