The Cranky Admin

The Bromium Security Hypervisor
Endpoint security with game-changing potential.

Despite all the talk about containers as the future of the datacenter, it's rare to find a vendor actually using them for something other than densely packing in DevOps-y "cloud native" workloads. Most container "management" solutions aren't remotely easy to use, and the overall solutions are of limited utility. And then there's Bromium.
Bromium's goal isn't to enable you to launch 5,000 nginx instances on your dual-processor server. It isn't to replace VMware with some eldritch horror made out of YAML, JSON and command-line git pulls. Bromium uses containers to isolate applications from one another for security reasons, with the endpoint being its current area of expertise.
Bromium uses hardware-assisted virtualization technologies such as VT-x, AMD-V and so forth to create containers for applications. By tapping into the hardware virtualization technologies, Bromium can more completely isolate applications from one another and from the operating system.
Impressive demos usually entail things like opening an infected e-mail in Outlook, or going to an infected Web site in Chromium, watching the malware launch, attempt to take over or encrypt the computer, and fail because the malware can't affect anything outside of its container. Bromium works to closely understand the individual applications it is containerizing. This allows it to understand what level of access applications need to the local disk, network resources and so forth.
This careful understanding of how applications work allows Bromium to be virtually invisible. An end user doesn't realize that every time they open a Word document, for example, Bromium is opening a separate instance in a separate container. They also don't see the underlying management software carefully monitoring everything that application is doing and looking for abnormal behavior.
Bromium can tell if known -- and many unknown -- forms of malware attempt to execute. Even if the exploit used is completely unknown, every chunk of code that tries to do anything inside a Bromium container is logged and its behavior checked. Some of this is handled through signatures pushed down from Bromium, some through heuristics.
If Bromium encounters something odd in a container, it will be recorded. This can then be sent back to the mothership, depending on your settings and security/privacy requirements. The more customers Bromium has encountering the wild and wacky, the better protected everyone is.

This is endpoint security done right.
Beyond the Endpoint
As you can imagine, however, Bromium's approach to containerization has utility beyond the endpoint. I envision it being used for automated intrusion detection, A/B testing, QA and more. What Bromium could do for patch management alone boggles the mind.
Imagine if you could profile how an application you are hosting "should" work by running it through its paces in the lab. You then push a patch to a limited number of instances and then detect any abnormalities in behavior as they process production workloads. All the while each instance is completely isolated from the next, and from the operating system, so if one is compromised -- or a patch is bad -- it can't cause anything else to crater.
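One way to realise the lab-profile-then-canary idea above, as an added example that is not part of this column or of Bromium's product: behaviors observed in the lab form an allowlist, and any canary instance that exhibits a behavior outside it is flagged for isolation on its own. The event names, paths and hosts are constructed for the illustration.

```python
# Constructed lab baseline: (action, target) behaviors seen while the app
# was put through its paces in the lab. The profile is the set of distinct
# behaviors across all runs.
LAB_RUNS = [
    [("file_read", "/etc/app/config.yml"), ("net_connect", "db.internal:5432"),
     ("file_write", "/var/log/app.log")],
    [("file_read", "/etc/app/config.yml"), ("net_connect", "db.internal:5432"),
     ("file_write", "/var/log/app.log"), ("net_connect", "cache.internal:6379")],
]

# Constructed production telemetry from two canary instances after a patch
# was pushed to them. canary-02 does two things the lab never saw.
CANARY_EVENTS = {
    "canary-01": [("file_read", "/etc/app/config.yml"),
                  ("net_connect", "db.internal:5432"),
                  ("file_write", "/var/log/app.log")],
    "canary-02": [("file_read", "/etc/app/config.yml"),
                  ("net_connect", "db.internal:5432"),
                  ("file_write", "/var/log/app.log"),
                  ("net_connect", "203.0.113.7:8443"),    # unseen destination (TEST-NET-3)
                  ("file_write", "/opt/app/bin/helper")],  # unseen write location
}


def build_profile(runs):
    """Union of every (action, target) behavior seen across all lab runs."""
    return {event for run in runs for event in run}


def find_deviations(profile, events):
    """Behaviors an instance exhibited that never appeared in the lab profile."""
    return sorted(set(events) - profile)


def triage_canaries(profile, telemetry):
    """Map each canary instance to an isolate/keep verdict plus its novel behaviors.

    Only the deviating instance is isolated; the rest of the fleet keeps running,
    which is the property the isolation-per-instance model buys you."""
    verdicts = {}
    for instance, events in telemetry.items():
        novel = find_deviations(profile, events)
        verdicts[instance] = {"isolate": bool(novel), "novel": novel}
    return verdicts


if __name__ == "__main__":
    baseline = build_profile(LAB_RUNS)
    for name, verdict in triage_canaries(baseline, CANARY_EVENTS).items():
        status = "ISOLATE" if verdict["isolate"] else "ok"
        print(f"{name}: {status} {verdict['novel']}")
```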
This could lead to DevOps and continuous integration actually being done right. We could move from "using your customers as alpha testers" toward something a little bit more structured and less likely to regularly implode. We could even have some hope that a single compromised server somewhere doesn't lead to an OPM-class data loss event.
There are even shades of a potential app marketplace in how they handle containers. Imagine Software-Defined Networking (SDN) with this technology.
Tortoise and Hare
Bromium is an unholy combination of a next-gen security company, SELinux, a container solution and hardware-assisted virtualization. I am excited by Bromium. I want to start bodging it into everything. I see uses for it everywhere, and I believe I could build an unassailable empire on top of what Bromium has built.
For all my nerdy interest, however, Bromium seems to be interested in a slow, more paced approach to their technology. They don't have unlimited resources and as such prefer to stick with what has thus far brought them success: securing the endpoint.
That doesn't mean Bromium will stay that way forever. Give me a few hundred million to add engineering talent, and the result will be a redefinition of information technology security across the board: enterprise endpoints, servers, consumer desktops, networking and even the Internet of Things.
Bromium is in a dangerous place right now. They're a clear acquisition target, and generally a threat to everyone pushing security software, a hypervisor or container management software. I suspect it won't be long before the big names figure out just exactly how useful Bromium's technology is, and then the battle is on.
Bromium could be bought and used to rebuild glories lost by one of today's tech titans. They could try for their own empire and end up corporately murdered by a fearful competitor. They could fail due to inadequate ambition.
As Essential as BIOS?
Or... they could win. They could become a "security hypervisor" as critical to every computer as a BIOS. I haven't seen a company this close to redefining the entire industry in quite some time. Bromium has shown us what can be done with containers when security nerds really go to town on them.
If nothing else, I want to see this technology used to solve the IoT security crisis. For the first time, I see hope there. How much of the rest of our security problems -- on-premises and off -- could be solved if the right people got together and put Bromium's tech to the test?
About the Author

Trevor Pott is a full-time nerd from Edmonton, Alberta, Canada. He splits his time between systems administration, technology writing, and consulting. As a consultant he helps Silicon Valley startups better understand systems administrators and how to sell to them.