HP Threat Research Blog

March 28, 2017 | By Gavin Hill | Category: Uncategorized

Achieving Cyber Resilience with Next-Gen AV and Bromium Application Isolation

  • Detection-based techniques will always be one step behind the attacker.
  • Extend NGAV using next-gen virtualization with application isolation and control.
  • Applications with the sensitive data are completely hardware-isolated from the host.

In 2016, organizations spent over $80 billion on cybersecurity, while cybercriminals made $3 trillion in profit. Cybersecurity is a constant arms race: when a new technique is identified to subvert a security solution, cybersecurity vendors react, and vice versa.

Let’s face it, your organization is probably already breached and you don’t even know it.

Accepting that premise has driven the need for an entirely new breed of security solutions that fall into the EDR category. Even with advances in security technologies, like NGAV solutions that employ artificial intelligence, there has been little to no improvement in malware detection. In fact, many traditional AV vendors have already been using AI for a number of years.

So what’s gone wrong? Why are cybersecurity vendors still losing the race?

The answer is fairly simple, but solving the problem is extremely complex!

Detection-based techniques will always be one step behind the attacker. Not much has changed in the last 25+ years in cybersecurity: most defenses rely on detection-based techniques to identify and stop a threat before any damage is done. But it’s simply not enough. In fact, even with modern machine-learning techniques, proactive detection has dropped in the last year by 15% compared to previous years.

Should you remove your NGAV?

The answer is no, and here’s why. Detection-based techniques employed in NGAV solutions – like Cylance, Invincea and Windows Defender – are an essential part of the security stack. Their solutions help find and stop the known bad out there. The question is: how do you stop what’s unknown? How can you respond to threats that are constantly morphing and bypassing layered defenses? How can your organization achieve cyber resilience?

By extending NGAV with next-gen virtualization for application isolation and control, organizations gain effective protection against zero-days and new threats that would normally slip through. Bromium is a transformative leader in virtualization-based security used for application isolation and control. This level of protection is so foundational to a solid security strategy that it has been validated by the NSA (note: ironically, their site has a certificate issue; click through to see the content). Presented at the NSA Information Assurance Symposium in 2016, the presentation says, “Application isolation and containment is attractive because of its potential to…avoid complicated clean-up, thwart zero-day attacks and capture novel attacks.”

Every organization employs security strategies and solutions to protect its intellectual property. But that intellectual property is created and used by employees in the same vulnerable applications that attackers exploit to gain access to the enterprise. With application isolation and control, there are a number of significant security benefits that an organization can achieve without impacting user workflows.

Isolation of Applications to Protect the Host

When an application vulnerability is exploited in a malicious file opened by the end user, the host is not infected. That’s because Bromium applies the principle of least privilege using CPU hardware enforcement: the malicious file is completely isolated from the host in a micro-VM. The same process is applied for every browser tab or task, where the microvisor enforces access control to resources on the system.
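To make the isolation model in the paragraph above concrete, here is an added toy model; it is not Bromium's code, and the real product enforces isolation with CPU virtualization extensions rather than with Python objects. The hypothetical `Microvisor` class mediates every resource request a task makes, gives each task a copy-on-write view of the host file system, records every allowed and denied request, and throws the whole view away when the task ends. The file paths, file contents and hostname are constructed sample data, and the "payload" is a scripted sequence of requests that stands in for an exploited document renderer.

```python
"""Toy model of per-task micro-VM isolation behind a least-privilege broker.

Added illustration, not Bromium's code. The real microvisor uses CPU
virtualization; this one is a plain Python object. All paths, file contents
and hostnames are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Policy:
    """What a task may read from the host and which hosts it may reach; everything else is denied."""
    readable_paths: Set[str]
    allowed_hosts: Set[str]


@dataclass
class MicroVM:
    task: str
    policy: Policy
    overlay: Dict[str, str] = field(default_factory=dict)  # writes land here, never on the host
    audit: List[str] = field(default_factory=list)         # every mediated request, allowed or denied


class Microvisor:
    """Hypothetical broker that mediates host resources for micro-VMs."""

    def __init__(self, host_files: Dict[str, str]) -> None:
        self.host_files = dict(host_files)
        self.vms: Dict[str, MicroVM] = {}

    def spawn(self, task: str, policy: Policy) -> MicroVM:
        vm = MicroVM(task, policy)
        self.vms[task] = vm
        return vm

    def read(self, vm: MicroVM, path: str) -> str:
        if path in vm.overlay:                  # the task sees its own modifications first
            return vm.overlay[path]
        if path not in vm.policy.readable_paths:
            vm.audit.append(f"DENY read {path}")
            raise PermissionError(path)
        vm.audit.append(f"ALLOW read {path}")
        return self.host_files[path]

    def write(self, vm: MicroVM, path: str, data: str) -> None:
        vm.overlay[path] = data                 # copy-on-write: the host copy is untouched
        vm.audit.append(f"OVERLAY write {path}")

    def connect(self, vm: MicroVM, host: str) -> bool:
        allowed = host in vm.policy.allowed_hosts
        vm.audit.append(f"{'ALLOW' if allowed else 'DENY'} connect {host}")
        return allowed

    def close(self, vm: MicroVM) -> List[str]:
        """Discard the VM. Its overlay goes with it, so there is nothing to clean up on the host."""
        del self.vms[vm.task]
        return list(vm.audit)


def open_untrusted_document(microvisor: Microvisor) -> List[str]:
    """Simulate opening a document whose renderer gets exploited inside its micro-VM.

    The scripted payload (constructed) tries to read a credential file, persist
    itself and phone home. Every step is mediated and recorded; none reaches the host.
    Returns the audit trail, which is what a defender would forward to the SOC.
    """
    policy = Policy(readable_paths={"/docs/invoice.pdf"}, allowed_hosts=set())
    vm = microvisor.spawn("invoice.pdf", policy)
    microvisor.read(vm, "/docs/invoice.pdf")                  # legitimate: rendering the document
    try:
        microvisor.read(vm, "/home/user/.ssh/id_ed25519")     # payload step 1: denied by policy
    except PermissionError:
        pass
    microvisor.write(vm, "/etc/rc.local", "start malware")    # payload step 2: lands in the overlay only
    microvisor.connect(vm, "c2.example.invalid")              # payload step 3: denied by policy
    return microvisor.close(vm)                               # VM and overlay discarded


def host_unchanged(before: Dict[str, str], microvisor: Microvisor) -> bool:
    """True when the host's files are byte-for-byte what they were before the task ran."""
    return microvisor.host_files == before


if __name__ == "__main__":
    sample_host = {
        "/docs/invoice.pdf": "%PDF-1.7 (constructed)",
        "/home/user/.ssh/id_ed25519": "SECRET (constructed)",
        "/etc/rc.local": "exit 0",
    }
    broker = Microvisor(sample_host)
    for line in open_untrusted_document(broker):
        print(line)
    print("host unchanged:", host_unchanged(sample_host, broker))
```

Two properties of the model map directly onto the NSA quote earlier on the page: closing the micro-VM discards the overlay, so there is no clean-up on the host, and the audit trail captures what the payload attempted even though no signature ever fired.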

Isolation of Applications Protected from the Host

Even with dramatic security improvements in operating systems like Windows 10, breaches are at an all-time high. If we consider that the primary driver behind security is to protect intellectual property (IP), it would seem logical to protect the application accessing the IP, regardless of where the application runs (contractor or third-party systems, or BYO devices).

In the event the host is compromised, the application with the sensitive data is completely hardware-isolated from the host. The host operating system is not even aware of the application running on the system, because the application is protected by CPU hardware-enforced isolation.

Watch How Hardware-Enforced Security Transforms Business

At the RSAC Cryptographers’ Panel, Whitfield Diffie called for a change in security toward using hardware-enforced security to isolate threats. Virtualization-based security is just that: it’s transformative and helps customers gain a competitive edge.

Welcome to the new Bromium.

About the Author

Gavin Hill
Vice President, Product and Strategy at Bromium
