I recently had the opportunity to speak with Gaurav Banga, CEO of Bromium. While at VMworld, VMblog had a chance to catch up with Simon Crosby during a video interview to find out what Bromium was announcing at the time and to find out what the company had been up to. And then two days ago, Tal Klein of Bromium submitted a great set of predictions for 2013.
Given the chance to talk malware and security trends with the CEO of this very interesting company, I jumped at the opportunity. Here is our conversation:
VMblog: Let's jump right in. Why
do you believe malware detection systems are becoming increasingly incapable of
protecting us against IT security breaches?
Gaurav Banga: Businesses have relied on information security technologies
and malware detection mechanisms in order to prevent attackers from penetrating
IT infrastructure and stealing information. All
existing technologies rely on knowing the definition of "bad" a priori in order
to protect. This methodology is implemented in existing security products as
signatures, firewall or blacklist rules, behavioral models for malware, etc. Existing technologies are thus incapable of defending
against modern attacks that exploit operating system and application
vulnerabilities before signatures or updated models can be created and
distributed.
Detection-based systems detect new malware much too late,
leading to stolen corporate documents, or worse, a compromised corporate infrastructure.
VMblog: And what IT
security threats exist today verses years past?
Banga: Today's
users rely heavily on the Internet (Cloud) to accomplish their daily
activities. Users are also very mobile, and increasingly "social". Our user
today is very easy to target, because they interact with the world outside the
enterprise so much and in so many ways.
The
security model that IT has to implement has to go around so many different
types of programs & content that the user uses, often without wanting IT to
know- in a personal context, and often in a context where IT can exercise no
control without locking down the user.
Attackers
take advantage of users who exchange information with other users through email
and the web, and try to uses applications on the Internet. In straightforward
ways, an attacker can design his malware to bypass even state of the art
detection systems and trick the user into letting him in. The more personal
information available on the Internet, the easier it is to target users.
VMblog: If
malware detection tools are becoming a thing of the past, what are your
thoughts on the security trends of the future?
Banga: Since every existing security technology
relies on the detection of threats, they are incapable of blocking attacks that
have never been seen before. It is
important to remember that next-generation malware is persistent, utilizing
organizational data available on social networking sites and elsewhere on the
Internet to create these highly targeted attacks aimed at users who are easily
reachable through web and email. With that in mind, we must be forward thinking
design our security strategy with the assumption that the bad guy will get in.
That single assumption will start most
organizations along a completely different path than they are today. We need to
think in terms of hard isolation of the different compute contexts for the
enterprise and for users, and implement effective isolation between those
contexts in a way that makes sense and is highly usable.
VMblog: How
do advanced persistent threats measure up against spear phishing attacks and
other threats against the enterprise?
Banga: Advanced persistent threats are much more devious
than any other type of threat because they target the user in order to
compromise the enterprise. APTs prey on unsuspecting users by appearing as
legitimate websites, emails and documents that trick those users into letting the
attack in and escalating privilege, thus compromising the corporate desktop. This
is then used as a launch pad to attack and compromise the enterprise infrastructure
and information. As more and more of our
personal information becomes available on the Internet, the easier it is to
target users individually with a higher likelihood that they will click the bad
link or open the poisoned attachment. Who among us wouldn't open an attachment or
follow a web link that appears to be from our manager, or trusted collaborator?
Once in, an APT can stealthily propagate
through the enterprise, can access enterprise information, and stay hidden for
a long time by continuously transforming itself. APTs are also increasingly aware of the
various nuances of enterprise user behavior - such as the fact that there is very
likely no hard outbound firewall active when a user is at home, and use such methods
to exfiltrate enterprise information without being discovered. A typical APT infection can go undetected for
100s of days, and the cost of the breach to the enterprise nearly impossible to
estimate.
VMblog: Is
there one way to protect against the increasing number of security attacks
penetrating enterprises today?
Banga: We will always have to continue evolving
security solutions - our adversary will continue to evolve their attacks and
exploit vulnerabilities we didn't know we had. That is why Bromium has taken a vastly
different approach to advanced persistent threats than other security
solutions.
We use hardware-enforced isolation to
contain and discard threats, even undetectable attacks without disrupting the
user, therefore defeating and automatically defeating malware. Our product,
vSentry, is built on our security-focused Microvisor that automatically,
instantly and invisibly hardware-isolates each vulnerable Windows task in a
micro-VM. This stops all attacks from gaining access to the endpoint, enterprise
data or network infrastructure.
VMblog: What
else can we expect to see coming from Bromium?
Banga: Currently vSentry runs on Windows 7
and comes with core management support for deployment within the typical
enterprise. Expect to see greater platform support in the very near future. We
are also adding enhanced intelligence and capabilities into our LAVA micro-VM
introspection feature-set which will allow security teams to dissect the "long
tail" and intent of an attack by allowing it to run into its logical conclusion
without risk to the corporate information or infrastructure.
###
Once again, I'd like to thank Gaurav Banga, CEO of Bromium, for taking time out to speak with VMblog.