Coolest news of the week: Bromium releases vSentry, adds LAVA - a realtime threat analysis feature.

Gabe Knuth's Blog, BrianMadden.com

Written on Sep 20 2012, 7,406 views, 7 comments

by Gabe Knuth
We've covered Bromium and the microvisor approach to desktop security before, even having Simon Crosby on our Brian & Gabe LIVE podcast to explain what Bromium is all about. Today, their vSentry product was announced. Without rehashing old articles (click the links above to read/listen about the technology), Bromium uses what's called a "microvisor" to isolate applications from the host OS by putting each thread inside a tiny "micro-VM." This micro-VM (maybe we can call that a uVM?) is created from the host OS and is not a full installation of Windows. Each micro-VM is 100% isolated from the others. vSentry does this by using copy-on-write (the same technology behind Linked Clones) to spawn a micro-VM using only what is needed for the application to run.

The catalyst behind vSentry is that in today's world, applications and users have to interface with the outside world. It can't be avoided, and because of that, IT departments are forced to play catch-up for every single piece of malware, virus, and hack in the world. Sure, anti-malware and antivirus solutions catch things, but only after someone else has recognized them.

vSentry's approach is to isolate the applications (and each of their individual threads) that need to communicate with the outside world from each other and the host OS by running them in a micro-VM, also called Microkernel Virtualization. Doing so means that any threat is not only contained within a micro-VM, but is also destroyed the moment that thread or application is closed. This is all done with no interaction from the user, and in most cases they are completely unaware that any sort of trickery is going on behind the scenes. This currently requires Intel VT, and only works on physical desktops, not in VMs.

Since the micro-VMs are spawned from the host, it is imperative that the host is 100% clean of any malware. If, for instance, a malicious browser add-on has been installed, each micro-VM will be spawned with the same malware, negating any security that it would have otherwise provided. While I want to use this on my mother-in-law's computer, I'd first have to wipe it and start from scratch. That said, if you are certain your host is clean, installation is just a simple MSI file and is not a destructive process.

Centralized configuration is done via SCCM, Group Policy or XML files that can be used by solutions like Altiris or McAfee ePO. With it, you can specify certain web sites that are secure by default (intranet sites, for instance) and are exempt from executing in a micro-VM, as well as security settings to ensure that, for instance, you're using a known DNS server. If, for example, you're on a public WiFi network, vSentry will virtualize certain threads that it normally would not, because the DNS server is not trusted.
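As an added example (my own code, not Bromium's product or its policy schema), here is a small Python policy evaluator for the decision just described: a thread is exempt from micro-VM isolation only when the site is on the trusted list and the resolver in use is trusted, so on a public WiFi network even intranet sites get isolated. The XML layout, element names, sample addresses and function names are all assumptions made for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policy in a hypothetical layout chosen for this
# example; it is not Bromium's actual XML schema.
POLICY_XML = """<policy>
  <trusted-sites>
    <site>intranet.corp.example</site>
    <site>*.corp.example</site>
  </trusted-sites>
  <trusted-dns>
    <server>10.0.0.53</server>
    <server>10.0.1.0/24</server>
  </trusted-dns>
</policy>"""

def load_policy(xml_text):
    """Parse the policy into lowercase site patterns and DNS networks."""
    root = ET.fromstring(xml_text)
    sites = [s.text.strip().lower() for s in root.iter("site")]
    # A bare address becomes a /32, so single resolvers and subnets mix.
    dns = [ipaddress.ip_network(s.text.strip(), strict=False)
           for s in root.iter("server")]
    return {"sites": sites, "dns": dns}

def host_matches(host, pattern):
    """Exact match, or '*.corp.example' for any subdomain. The wildcard is
    anchored at a label boundary, so 'evilcorp.example' never matches."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def dns_trusted(policy, resolver):
    """True when the resolver in use lies inside a trusted network."""
    addr = ipaddress.ip_address(resolver)
    return any(addr in net for net in policy["dns"])

def should_isolate(policy, url, resolver):
    """True when the thread fetching url must run inside a micro-VM.
    Only a trusted site reached via a trusted resolver is exempt; on an
    untrusted resolver (public WiFi) even intranet sites are isolated."""
    host = urlsplit(url).hostname or ""
    if not host or not dns_trusted(policy, resolver):
        return True
    return not any(host_matches(host, p) for p in policy["sites"])

POLICY = load_policy(POLICY_XML)
```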

While most of that has been known for a while, Bromium also announced a new feature of vSentry called LAVA, or Live Attack Visualization and Analysis. LAVA takes advantage of the fact that each micro-VM is isolated and, rather confidently, can watch and log how malware acts, even going so far as to let a malware process finish so that it can record exactly what is happening. vSentry knows how IE is supposed to act, for instance, and anything out of the norm is detected and traced. This allows Bromium to discover zero-day attacks, identify and catalog malware signatures, and detect rootkits.

In the right hands, this information would be exceptionally valuable. Imagine if there were 1 million vSentry users worldwide: there would be 1 million completely secure honeypots, each with any number of micro-VMs, available to detect and analyze attacks in real time.

LAVA logs can be uploaded and consumed by forensics tools, but I imagine a time when technology such as this is automatically logged and uploaded to, say, a large internet security firm like Symantec, Trend, or McAfee. Or, perhaps one of those companies would be interested in buying Bromium. The value of that kind of automatically generated information from so many locations has got to be huge.

Bromium vSentry is licensed to enterprises, and cost information at this point is relatively up in the air. When pressed for a ballpark list price, all I could get was "north of $100," but I'm not sure whether that's per device or per user. Obviously there are volume discounts. Given the unique approach to Windows security and the increasing reliance on services coming from insecure sources, I'd say vSentry is worth a look.

 

 
 




Comments

Icelus wrote on Thu, Sep 20 2012 9:31 AM:

This is great news, it's really cool stuff. I would definitely want to purchase this for my home use.

With regards to pricing, I am sure they will initially have it as per device because it runs as a device specific application and is used for all users connecting to it.

Once the hardware limitations of vSentry get solved by Intel, which allows VT to be shared and enables vSentry to be used in a virtualization environment (Client/Server Hosted VMs), then they might introduce per user licensing.

Bromium vSentry supports the BYO mantra. Security is a consumer demand as much as it is an enterprise demand.

I am disappointed that Bromium bashes Desktop Virtualization because of its current place in the market. In reality it is another execution environment that enterprises are using and is in demand, especially for remote access, which also coincides with the BYO mantra.

These hardware limitations are identified, so it should be looked at solving, instead of dismissing the importance of Desktop Virtualization. They aren't dismissing the importance of Macs, are they?

Bromium has supposedly mastered the security of a Windows Traditional Desktop and soon on the horizon will be Macs, hopefully Windows Virtualized Desktops will be next.

FYI - I am from an SMB Federal Government department with very limited IT staff servicing the science community. Users have Macs, Traditional Windows desktops, and soon-to-be VDI. We can only provide the OS and core apps; they manage their own apps. Sometimes we don't even provide the OS.

Andy Wood wrote on Thu, Sep 20 2012 11:52 AM:

Where does Bromium bash Desktop Virtualisation? Was it this? blogs.bromium.com/.../vdiaas-is-a-pain-in-the-aas

That's not bashing, that's just stating facts. Desktop virtualisation has been used for security - but it can be improved on; it's not always a great user experience. VDI environments can be reset for sure - but they are still open to attack.

What Bromium offer is a different take on that: one that (in v1) runs on a local device.

A problem with it (as is) is it relies on you having a modern laptop running Win7 x64. I work in a similar space to you: that spec is beyond a lot of devices we have. Where we do have devices that can support it, we're still running instances of XP. There is going to be a hefty cost to implement this solution. Ideally (for Bromium) there are a lot of customers not in that position.

I'd like to see a VDI/TS offering if only to provide a level of trustworthiness to those (many) devices we have that are just not upgradeable. Hopefully that comes soon.

From what I've seen of the product so far I think a "consumer" version is some way off too. Mind, solve the policy based management, and allow it to operate as a paid-for service, and you've a powerful sales pitch. If MS's Windows Intune incorporated a Bromium microvisor option - that'd be very very interesting.

Simon Bramfitt wrote on Thu, Sep 20 2012 4:45 PM:

I agree with Andy that a consumer version is some way off. The biggest challenge that Bromium faces here is that for vSentry to work it needs to be able to "trust" the platform that it is running on. As things stand today the only way to ensure that trust is to have vSentry installed by the hardware vendor along with the operating system. The time and effort needed would be no more than a distraction at present. At the same time it's not clear if the average consumer would appreciate the benefits of a $100 plus software package that on the surface competes with a free antivirus product.

Desktop virtualization is not totally beyond reach; organizations that have adopted blade PCs as part of a VDI solution will be able to take advantage of vSentry immediately, and similarly solutions like Wanova (now VMware) Mirage that do not rely on a client hypervisor will also be able to use vSentry. But for the moment neither mainstream VDI nor client hypervisor platforms can take advantage of vSentry. Dodging the technical nuance, this is largely a question of ownership of VT. Type I hypervisors (client and server) are based on the understanding that they own VT, but so is vSentry. They can't both own VT, so they cannot coexist on the same hardware. It may well be possible for Bromium to work with type I hypervisor vendors to incorporate the vSentry technology, but that's pure speculation for the moment. Having said that, Simon Crosby did offer some hints about the possibility of RDSH support in the future, when I interviewed him > www.virtualizationpractice.com/bromium-vsentry-a-next-generation-hypervisor-to-end-malware-woes-18290

regards

Simon

Tal Klein wrote on Thu, Sep 20 2012 6:40 PM:

Awesome perspective, Gabe. Thanks for giving us a shout! I can't wait to put vSentry in your hands for a hands-on review.

Icelus - As Andy articulated, the only problem I have with VDI is that the vendors go around masquerading it as a security solution. It's not.

Andy & Simon - Spot on.

Look folks, we totally realize this is not for everyone. We're coming out of the gate stating the following:

1. vSentry 1.0 is for enterprise deployed Windows 7 64 bit laptops and desktops with VT (i3 or higher) and 4 gigs of RAM (or more)

2. vSentry 1.0 is for companies who are actively targeted by advanced persistent threats or nation state attacks

3. vSentry 1.0 is for security teams who have done everything they can to defeat malware but are still confronting attacks their existing defenses can't defeat

4. vSentry is a 1.0 product. We'll be adding a lot of features and functionality in the coming weeks. We're on an eight week release cycle. We're working on an OSX version (as well as other platforms). We're working on BYO. We are working on lots and lots of stuff. It took us over a year and a half to get to 1.0, so if 1.0 is not for you, please stick with us and we promise to take less time to give you what you want.

A special thanks to everyone who didn't chime in with "isn't this just sandboxing?" and "hasn't this been done before?" - the answer to both, as you can imagine, is: no.

-Tal

Icelus wrote on Thu, Sep 20 2012 6:58 PM:

@simon

I read your blog and thanks for the info. Per user pricing makes sense too.

I wonder where RDSH virtual servers would fit? Will they tie you to traditional servers like they do with desktops?

Also, Citrix Remote PC would seem to work well with vSentry too.

Client and server hosted desktops are primarily used for management of OS and core apps for internal and external use. Simon Crosby and Tal have bashed the technologies in 3 blog posts so far.

My work environment is roughly half Macs and half PCs. This is not the norm, and I wager that there are more virtual desktops than Macs in the enterprise. Due to this I believe that Bromium is dismissing the CHVD, SHVD, RDSH use cases because of hardware incompatibility with their product instead of what they are actually saying, which is "it's not the norm" and "bad UX".

Bromium vSentry looks very promising.

Simon Bramfitt wrote on Fri, Sep 21 2012 3:14 PM:

@Icelus

> I wonder where RDSH virtual servers would fit?

Physical servers only, but then the 'cost' of not running on a hypervisor is much lower here, so it should not be a problem.

Citrix Remote PC should not be a problem either - unless it is installed over XenClient etc.

> I believe that Bromium is dismissing the CHVD, SHVD, RDSH use cases because of hardware incompatibility with their product instead of what they are actually saying which is "it's not the norm" and "bad UX".

I would expect nothing less of Tal :)

Simon

Icelus wrote on Fri, Sep 28 2012 2:42 PM:

Do you want better Security OR Management? Pick one.

The ultimate solution will be using hardware virtualization for management AND security advantages. Enable the microvisor to be managed by a hypervisor and you will future proof the product, otherwise be limited to non-virtualized deployments only.

It's an amazing product. The security benefits (albeit small and not game changing like this) are still good enough to switch, considering the major management benefits of VDI. Single instance management is not a joke, and the operational reward is incredibly significant.

I am seeing VDI proposals of 10k and up in the Federal Government. The Security VS. Management debate must stop. Bromium should not lock you in on your management infrastructure.

FUD around VDI from Bromium has made me very concerned with their vision.
