Bromium: Better Security Through 'Microvisors'

Bromium isolates tasks in tiny Xen hypervisors, then kills the hypervisor when the task is done.

It's the ultimate "don't try this at home" experiment: Put a computer running famously insecure software and an unpatched version of Windows on a network, leave it unpatched and see what happens. Would you?

Well, says Simon Crosby, if that computer is protected with Bromium, it'll be fine. How does he know? Because his computer is in exactly that state. "My PC runs Windows 7, and it's never been patched. It runs legacy Java and legacy everything else, it sits on an unprotected network, and I pick up no malware."

It's a brash statement from someone known for such statements. But Crosby, co-founder and CTO of Bromium, and founder of XenSource prior to that, believes it's accurate. Bromium isolates each task -- a tab in the browser, a document or an attachment -- in a tiny micro-VM that is isolated on the endpoint CPU using the hardware's virtualization features. Each micro-VM is ephemeral and runs copy-on-write, so malware cannot persist. When the task is completed (for example, the Web page is closed), the micro-VM is deleted -- along with any malware it contains.

'When Bad Stuff Happens, We Just Don't Care'
"If bad stuff happens, there's nothing in there [the microvisor] to steal," Crosby said. "It's a least-privilege environment with a virtual file system and a microservices virtual network, which we control. The [virtual] network can only talk to untrusted stuff like the outside Internet. It can never talk to anything in the enterprise; none of the high-value [assets]. So when bad stuff happens, we just don't care."
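The two passages above describe three properties of a micro-VM: each task runs copy-on-write over the host's files, its virtual network may only reach untrusted destinations (never the enterprise), and the whole thing is discarded when the task ends. As an added illustration, not Bromium's code and not based on any implementation detail the article gives, the Python below models those three properties on a constructed host file system and constructed enterprise address ranges, then runs a simulated misbehaving task through it and reports what the host and the enterprise network would have seen.

```python
"""Toy model of per-task micro-VM isolation (added example, not Bromium's code).

Assumptions, all constructed for this example:
  * HOST_FS stands in for the endpoint's file system.
  * ENTERPRISE_NETS stands in for the address ranges the enterprise owns.
  * MicroVM is a hypothetical class; it models the policy, not real hypervisor code.
"""
from ipaddress import ip_address, ip_network

# Constructed host file system: the shared, read-only base every task sees.
HOST_FS = {
    "/home/user/report.docx": b"quarterly numbers",
    "/etc/hosts": b"127.0.0.1 localhost",
}

# Constructed enterprise ranges: the micro-VM's virtual network must never reach these.
ENTERPRISE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


class MicroVM:
    """One ephemeral, least-privilege execution context for a single task."""

    def __init__(self, task, base_fs, enterprise_nets):
        self.task = task
        self._base = base_fs          # shared base; never written through
        self._overlay = {}            # copy-on-write layer, private to this task
        self._deleted = set()         # paths the task removed (whiteouts)
        self._enterprise = enterprise_nets
        self.egress_log = []          # (destination, decision) pairs for the dashboard
        self.alive = True

    def read(self, path):
        """Reads see the task's own writes first, then the untouched base."""
        if path in self._deleted:
            raise FileNotFoundError(path)
        if path in self._overlay:
            return self._overlay[path]
        return self._base[path]

    def write(self, path, data):
        """Every write lands in the overlay; the base file system is never modified."""
        self._overlay[path] = data
        self._deleted.discard(path)

    def delete(self, path):
        """Deleting inside the VM only hides the file from this task."""
        self._overlay.pop(path, None)
        self._deleted.add(path)

    def connect(self, dest_ip):
        """Egress policy: untrusted/outside destinations only, never the enterprise or loopback."""
        addr = ip_address(dest_ip)
        inside = addr.is_loopback or any(addr in net for net in self._enterprise)
        decision = "denied" if inside else "allowed"
        self.egress_log.append((dest_ip, decision))
        return not inside

    def close(self):
        """Task finished: the overlay, and anything that persisted into it, is thrown away."""
        self._overlay.clear()
        self._deleted.clear()
        self.alive = False


def run_misbehaving_task():
    """Run a constructed 'bad web page' task and return what each side observed."""
    vm = MicroVM("browser tab: https://untrusted.example", HOST_FS, ENTERPRISE_NETS)

    vm.write("/home/user/report.docx", b"TAMPERED")   # tries to alter a user document
    vm.write("/home/user/.persist", b"constructed")   # tries to leave something behind
    vm.delete("/etc/hosts")                            # tries to remove a system file
    intranet_reachable = vm.connect("10.1.2.3")        # constructed internal file server
    internet_reachable = vm.connect("203.0.113.7")     # documentation range: outside, untrusted

    seen_inside = vm.read("/home/user/report.docx")    # the task believes it succeeded
    vm.close()

    return {
        "task_saw_tampered_file": seen_inside == b"TAMPERED",
        "host_file_unchanged": HOST_FS["/home/user/report.docx"] == b"quarterly numbers",
        "host_system_file_intact": "/etc/hosts" in HOST_FS,
        "anything_persisted_on_host": "/home/user/.persist" in HOST_FS,
        "intranet_reachable": intranet_reachable,
        "internet_reachable": internet_reachable,
        "vm_alive_after_close": vm.alive,
        "egress_log": vm.egress_log,
    }


if __name__ == "__main__":
    for key, value in run_misbehaving_task().items():
        print(f"{key}: {value}")
```

The point a defender should take from the model is the asymmetry it makes visible: the task inside the micro-VM sees its own changes succeed, while the base file system and the enterprise network never observe them, and the egress log is the only artifact that outlives the task. Real products implement the overlay and the network filter in the hypervisor rather than in Python, but the policy shape is the same.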

Bromium's core product is vSentry, which is built on the microvisor. The microvisor is based on the Xen hypervisor, and leverages a PC's hardware (it's currently not available for Macs) for isolation. Despite potentially having multiple hypervisors open on a PC, Crosby said that system performance isn't a concern. "Hardware capabilities on run-of-the-mill CPU are sufficient now to [separate] individual tasks from each other, and deliver [the microvisor] very fast and with an absolutely unchanged experience to the end user."

Bromium, Crosby said, "works extremely granularly to isolate independent tasks from each other, and in so doing, provides an unheard-of level of protection for legacy code."

Bromium Enterprise Controller
One thing lacking in its lineup was a strong management tool, and Bromium says it's addressed that with the June 3 release of Bromium Enterprise Controller (BEC), which offers "one-click deployment, policy orchestration, monitoring and threat management for enterprise endpoint infrastructure," according to a company press release.

Some of the features offered by the BEC include scalable deployment; granular policy management; monitoring and analysis of security events via a centralized dashboard; and integration with other security systems.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.
