Security startup isolates untrusted content in virtual machines

Security-software startup Bromium is shipping its first product, a virtualization client that runs any untrusted content inside its very own virtual machine -- a microVM -- protecting the underlying operating system and whatever content is stored on the physical machine from theft and malware infection.

The software, VSentry, is aimed at stopping threats that have never been seen before and so can't be detected by signature-based defenses. It also lets end users access whatever content they want to without risk of infecting their own machines or other machines on corporate networks, the company says.

BACKGROUND: Startup Bromium takes aim at cloud security

FOUNDERS: Former Citrix CTO says virtualization will solve security problems

The software filters applications, Web pages, attachments -- anything that customers define with a rule set -- and automatically runs them in separate microVMs, which are destroyed when users are done with each task.

For example, if all Internet content is considered untrusted, anything downloaded from the Internet runs in a microVM that is set up on the fly within 30 milliseconds so the user experiences no perceptible delay.

This process ensures that malicious content or code can't access anything else on the machine, says Gaurav Banga, Bromium's CEO. Hundreds of microVMs can run at one time.

Whatever task is running inside a microVM has access to what appears to be an unused Windows 7 computer, with no access to files and file systems other than what is necessary to run the process within the microVM. If a Web browser accesses an untrusted website it has visited before and for which it has cookies, VSentry will supply the cookies to the microVM, Banga says.

If the site updates its cookies during that visit they are retained for use the next time the browser visits that site, he says. If a browser opens up multiple windows, each window gets its own microVM which remains open until that window is shut down.

Untrusted content that moves from computer to computer within an enterprise -- such as shared documents -- moves with a provenance stamp on it that indicates whether or not it should be opened in a microVM, preventing a document with malicious code embedded in it from permeating the network, he says.
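As an added illustration (not Bromium's code; nothing of VSentry's implementation is shown in the article), the following Python models the lifecycle described above: a rule set classifies content by origin, each untrusted task gets its own microVM holding a private copy of that site's cookies, cookies changed during the visit are retained after the microVM is destroyed while other sites never see them, and documents carry a provenance stamp saying whether they should be opened in a microVM. The origin names and the single trusted-origin rule are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import count

# Trust rule set (assumption): one intranet origin is trusted, everything else
# is Internet content and therefore untrusted.
TRUSTED_ORIGINS = {"intranet.corp.example"}  # constructed sample value


def is_untrusted(origin: str) -> bool:
    return origin not in TRUSTED_ORIGINS


@dataclass
class MicroVM:
    vm_id: int
    origin: str
    cookies: dict = field(default_factory=dict)  # private copy, never shared
    alive: bool = True


class Microvisor:
    """Hypothetical model of per-task isolation; not the product's design."""

    def __init__(self):
        self._ids = count(1)
        self.running = {}      # vm_id -> MicroVM currently executing
        self.cookie_jar = {}   # host-side store keyed by site origin

    def open_task(self, origin: str):
        if not is_untrusted(origin):
            return None        # trusted content runs directly on the host
        vm = MicroVM(next(self._ids), origin, dict(self.cookie_jar.get(origin, {})))
        self.running[vm.vm_id] = vm
        return vm

    def close_task(self, vm: MicroVM) -> None:
        # Keep only that site's updated cookies, then destroy the microVM.
        self.cookie_jar[vm.origin] = dict(vm.cookies)
        vm.alive = False
        del self.running[vm.vm_id]


def stamp_document(doc: dict, origin: str) -> dict:
    """Attach a provenance stamp so other hosts know to open it in a microVM."""
    return {**doc, "provenance": {"origin": origin, "untrusted": is_untrusted(origin)}}


def demo() -> dict:
    mv = Microvisor()
    vm1 = mv.open_task("shop.example")
    vm1.cookies["session"] = "abc"           # site sets a cookie during the visit
    mv.close_task(vm1)                       # microVM destroyed, cookie retained
    vm2 = mv.open_task("shop.example")       # fresh microVM gets that site's cookies
    other = mv.open_task("news.example")     # a different site sees none of them
    doc = stamp_document({"name": "report.docx"}, "news.example")
    return {"reused": vm2.cookies, "other": other.cookies, "vm1_alive": vm1.alive,
            "running": len(mv.running), "untrusted": doc["provenance"]["untrusted"],
            "trusted_direct": mv.open_task("intranet.corp.example") is None}
```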

Underlying these microVMs is the Microvisor, similar to a hypervisor but one that generates virtual environments for individual objects rather than entire virtual computers. The goal of VSentry is to protect the operating system from corruption, Banga says.

VSentry is deployed like an application and takes control of some parts of the machine hardware such as CPU and memory, but not the entire machine as would a bare-metal hypervisor. "It's as bare metal as it needs to be, but doesn't need to be in control of the entire machine," Banga says. MicroVM access to memory and cache must go through the Microvisor, for example. But trusted applications have direct access to system resources without going through VSentry.

This access to the hardware relies on the hardware virtualization support found in certain x86 processors. Devices built on ARM processors can't be served by VSentry until ARM Version 7 comes out sometime next year, Banga says. It will include the necessary support for virtualization.

Because VSentry is tied directly to the hardware, its Microvisor is very secure, says Edward Haletky, president and CEO of The Virtualization Practice. "You'd have to break the hardware," he says, and that is very difficult due to the chips' sensitivity. "If you attacked it, you'd literally fry it."

Businesses should look at VSentry as part of a defense-in-depth strategy, but home users might consider it as their only defense if they start off with a clean machine, Haletky says.

The software is suited to mobile workers who use hotel networks and other publicly accessible networks with unknown security. Users could access a public access point via one microVM and VPN into a corporate network with another, preventing attacks from affecting the laptop being used, he says.

The software incorporates a capability called Live Attack Visualization and Analysis (LAVA), which can view and record any attacks that unfold within a microVM, Banga says. This information can be used to answer requirements of regulators and auditors about what threats a business faced and how it dealt with them.

The initial version of VSentry has some limitations. It only works on Windows 7 machines, but versions for Windows 8 and Mac OS X are in the works, Banga says, as are Android versions suitable for smartphones and tablets.

The software assumes it is running on a clean machine and has no provision for dealing with one that is already infected, but that will be addressed in future versions, he says. If the machine is not clean or if the user gains rights to alter it, "All bets are off," he says.

So far VSentry can't run on virtual desktops, but later versions will. It also can't run on traditional virtual machines, but Banga regards that as a niche case that doesn't come up much in corporate settings.

Management of VSentry software can be carried out via Microsoft System Center and Active Directory and any other management platform that can work on top of Active Directory. Policies about what is trusted and what is not can be pushed via Active Directory. Bromium is working on interoperability with HP's ArcSight management and McAfee ePolicy Orchestrator.

Banga says businesses will be able to lift restrictions on what Web content workers access, potentially improving productivity by reaching sites such as social networks that might have been banned because they were too high a security risk. It gets rid of the tradeoff businesses have to make between security and functionality, he says.

The company has 43 customers, none of whom were available to talk about the product, Banga says.

Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.
