Virtualization Technology News and Information
Q&A: Interview with Simon Crosby - Bromium Micro-Virtualization

People have been waiting to find out more about what Xen virtualization veterans Simon Crosby and Ian Pratt have been up to with their latest startup, Bromium.  And this was the week to find out!  When Bromium news finally broke, the Web exploded.

To find out more, I went straight to the source and spoke with Simon Crosby, co-founder and CTO of the company.  Who better to speak with and get the color commentary that is required to understand a new technology?

VMblog:  For the three or four people reading VMblog who may not have heard of Bromium yet, can you provide a little bit of background on the company and the story behind its founding?

Simon Crosby:   Ian and I have worked with Gaurav since 2008, when Phoenix first started to develop its BIOS-integrated Xen client hypervisor. We've had ongoing conversations as a result of our XenClient work, and Gaurav's HyperSpace work, about the limitations of both approaches, and about 18 months ago those coalesced around two imperatives: First, a commitment to delivering the benefits of virtualization on the client, without a change in the end user experience. Second, a commitment to doing so without any new management skills or tools. We hit upon the idea of using virtualization not for VMs, but for tasks in the OS, and thus Bromium was born.

VMblog:  You've been in stealth mode for a year or so now, what are you announcing at this time?

Crosby:   Bromium is announcing that the company is emerging from stealth mode by describing its proprietary micro-virtualization technology, and that it has raised $26.5M Series B funding from lead investor Highland Capital Partners, new investor Intel Capital, and existing investors Andreessen Horowitz and Ignition Ventures.

VMblog:  One of the million-dollar questions: when will you be shipping product?

Crosby:  We're in beta now, but micro-virtualization is more than a product. We're announcing a new trustworthy computing architecture upon which we will be building products across platforms and devices.

VMblog:  Tell us what separates Bromium from other desktop security companies.

Crosby:  Legacy security solutions attempt to detect and block malware using signatures or behavioral analysis. This black-listing approach can only detect known threats and fails to stop sophisticated malware that is used for today's targeted attacks. White-listing - allowing only trusted applications, such as a corporate browser or PDF reader - is ineffective because attackers take advantage of the fact that enterprises are slow to update their software, and use malicious content and documents to exploit supposedly trustworthy applications.

The "whack a mole" approach to creating a new signature or patch to detect and block the latest attack, or developing a new security product for a new kind of vulnerability is unsustainable. The security industry needs to address the fundamental shortcomings of the current approach, and adopt a new architecture that transforms computer systems into trustworthy endpoints that are secure by design.

Bromium micro-virtualization offers a completely new approach to endpoint security that relies on isolation rather than detection and blocking of threats. Malware isolated by micro-virtualization is unable to steal data or access either the Windows system or corporate network and is automatically discarded when the web session or document is closed by the user.

Bromium micro-virtualization is designed to defeat the foundations of malware. Each micro-VM is optimized and provisioned for the specific task at hand and is hardened against the installation of malicious code. Today's software presents millions of lines of code and a seemingly infinite number of possible interactions and vulnerabilities that hackers exploit to gain control of a system. Bromium delivers significant attack-surface reduction as a direct result of micro-virtualization which delivers an inherently more secure platform for running risky tasks.

If unknown malware does manage to exploit the application performing the protected task, only that single short-lived task will be compromised. Malware cannot gain access to other applications or tasks, the OS itself, the protected file system, the corporate network, or enterprise SaaS applications. Since each task is run in a hardware-isolated, hardened and independent container within the OS environment, threats can't propagate and compromised sessions can't be used for surveillance or to launch attacks on other systems in the network. Malware is not allowed to persist and is automatically removed on closing the web browser tab, document or attachment.

VMblog:  Explain if you would why micro-virtualization is important for mobility and consumerization.

Crosby:  Today's technology trends of mobility, cloud computing, and the consumerization of IT mean that end users want more freedom to choose where and how they access the data and applications needed to do their jobs. As a result, it is much more difficult for IT to do their job: protect enterprise data and networks while empowering end users to be productive.

There is a mismatch between the computing systems we rely on, and the way humans use them. Users access applications and domains beyond IT's control, from systems that are vulnerable - making it easy to compromise enterprise security. To address this, IT needs a system architecture that is trustworthy by design.

Bromium micro-virtualization utilizes hardware virtualization to automatically isolate untrustworthy tasks, thereby protecting sensitive assets and data while seamlessly allowing end users to access the information and resources they require. It is an unprecedented implementation of trust-based computing that is practical for the administrator and delightful for the end user.

VMblog:  How does Bromium secure endpoints? And who is the target audience for Bromium?

Crosby:  Bromium's products are built on the Bromium Microvisor - a second-generation virtualization technology that applies the isolation and security principles of virtualization to tasks running within the operating system - completely hidden from the user. The Microvisor automatically identifies each vulnerable task and instantly isolates it within a micro-VM, which is a lightweight, hardware-backed isolation container that polices access to all OS services and resources. Micro-VMs run natively, with full performance, but continuously protect the system - even from unknown threats: A micro-VM can only access OS services or devices via simple enlightenments which cause the virtualization hardware to pause execution of the micro-VM and hand control to the Microvisor.

The Microvisor uses hardware virtualization to guarantee that task-specific mandatory access control policies will be executed, in a safe, trusted execution context. It imposes tight control on access to sensitive data, networks and other resources. Bromium micro-virtualization is the only technology that can safely enable trusted and untrusted applications and data to coexist on a single system with guaranteed mutual isolation.

VMblog:  In your opinion, what is the largest challenge that companies run into with securing the desktop?

Crosby:  Simply said: Today's desktop security solutions can't protect the enterprise from end-user mistakes, nor can they defend the infrastructure from zero day threats and polymorphic malware.

Anti-virus systems detect malware by using signatures that are developed from samples of attacks that have successfully compromised other users. The addition of heuristics and cloud-based lookups has decreased the time needed for AV systems to detect known attacks, but with over 3 billion unique pieces of malware discovered in 2011 alone, today's attackers have little problem avoiding these systems. Anti-virus does provide detection of most known forms of malware and provides protection against those attacks that are targeted at the areas vSentry does not currently address, such as exploits of shared internal network servers.

Application White-listing Solutions restrict end users from using "non-approved" programs on their systems. This approach typically has a large impact on user productivity which often results in users finding "workarounds" such as performing critical tasks on mobile or home products. Application whitelists provide no protection from attacks targeted at the "approved" programs which remain vulnerable to zero day or targeted attacks routinely delivered within the content the applications are tasked with processing.

Once again, a special thanks to Simon Crosby for taking the time to speak with VMblog and helping to educate its readers.

Published Friday, June 22, 2012 7:05 AM by David Marshall