We've covered Bromium and the microvisor approach to desktop security before, even having Simon Crosby on our Brian & Gabe LIVE podcast to explain what Bromium is all about. Today, their vSentry product was announced. Without rehashing old articles (click the links above to read/listen about the technology), Bromium uses what's called a "microvisor" to isolate applications from the host OS by putting each thread inside a tiny "micro-VM." This micro-VM (maybe we can call that a uVM?) is created based on the host OS, and is not a full-on installation of Windows. Each micro-VM is 100% isolated from the others. vSentry does this by using copy-on-write (the same technology behind Linked Clones) to spawn a micro-VM using only what is needed for the application to run.
The catalyst behind vSentry is that in today's world, applications and users have to interface with the outside world. It can't be avoided, and because of that, IT departments are forced to play catch-up for every single piece of malware, virus, and hack in the world. Sure, anti-malware and antivirus solutions catch things, but only after someone else recognizes them.
vSentry's approach is to isolate the applications (and each of their individual threads) that need to communicate with the outside world from each other and the host OS by running them in a micro-VM, also called Microkernel Virtualization. Doing so means that any threat is not only contained within a micro-VM, but is also destroyed the moment that thread or application is closed. This is all done with no interaction from the user, and in most cases they are completely unaware that any sort of trickery is going on behind the scenes. This currently requires Intel VT, and only works on physical desktops, not in VMs.
Since the micro-VMs are spawned from the host, it is imperative that the host is 100% clean of any malware. If, for instance, a malicious browser add-on has been installed, each micro-VM will be spawned with the same malware, negating any security that it would have otherwise provided. While I want to use this on my mother-in-law's computer, I'd first have to wipe it and start from scratch. That said, if you are certain your host is clean, installation is just a simple MSI file and is not a destructive process.
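To make the copy-on-write point (and the clean-host caveat that follows from it) concrete, here is a toy model I've added for illustration. It is not Bromium code and says nothing about how vSentry is actually implemented: a "micro-VM" reads through to a shared base image, writes only to a private overlay, and throws that overlay away when it is closed. The file paths and contents are made up.

```python
"""Toy model of copy-on-write isolation between tasks spawned from one base image.

Added illustration, not Bromium's implementation. Each MicroVM shares a read-only
base and keeps its own overlay for writes; closing the task discards the overlay.
It also shows the caveat from the article: whatever is already in the base image
is inherited by every micro-VM spawned from it.
"""
from typing import Dict, Optional

# Constructed "host image": a flat path -> content map standing in for the OS.
HOST_IMAGE: Dict[str, str] = {
    "C:/Windows/System32/kernel32.dll": "<clean system library>",
    "C:/Program Files/Browser/browser.exe": "<browser binary>",
    "C:/Users/me/Documents/report.docx": "<user document>",
}


class MicroVM:
    """One isolated task: shared read-only base plus a private copy-on-write overlay."""

    def __init__(self, base: Dict[str, str], name: str) -> None:
        self._base = base                              # shared, never written here
        self._overlay: Dict[str, Optional[str]] = {}   # None marks a deleted path
        self.name = name
        self.closed = False

    def _check_open(self) -> None:
        if self.closed:
            raise RuntimeError(f"{self.name} has already been destroyed")

    def read(self, path: str) -> Optional[str]:
        self._check_open()
        if path in self._overlay:
            return self._overlay[path]   # private copy (or tombstone for a deletion)
        return self._base.get(path)      # fall through to the shared base image

    def write(self, path: str, data: str) -> None:
        self._check_open()
        self._overlay[path] = data       # copy-on-write: the base is never touched

    def delete(self, path: str) -> None:
        self._check_open()
        self._overlay[path] = None       # hides the base entry for this task only

    def close(self) -> int:
        """Destroy the task; returns how many private changes were discarded."""
        self._check_open()
        discarded = len(self._overlay)
        self._overlay.clear()
        self.closed = True
        return discarded


def demo_isolation(base: Dict[str, str] = HOST_IMAGE) -> Dict[str, object]:
    """Two tasks from the same base; one is treated as compromised (constructed)."""
    browser = MicroVM(base, "browser-tab")
    mail = MicroVM(base, "mail-attachment")

    # Simulated hostile activity inside the browser task: drop a file, tamper
    # with a system library, delete the user's document.
    browser.write("C:/Users/me/AppData/dropped.exe", "<payload>")
    browser.write("C:/Windows/System32/kernel32.dll", "<tampered>")
    browser.delete("C:/Users/me/Documents/report.docx")

    return {
        "browser_sees_dropped_file": browser.read("C:/Users/me/AppData/dropped.exe") is not None,
        "mail_sees_dropped_file": mail.read("C:/Users/me/AppData/dropped.exe") is not None,
        "base_kernel32_intact": base["C:/Windows/System32/kernel32.dll"] == "<clean system library>",
        "mail_still_sees_document": mail.read("C:/Users/me/Documents/report.docx") is not None,
        "changes_discarded_on_close": browser.close(),
    }


def demo_dirty_base() -> bool:
    """The caveat: an add-on already in the base image shows up in every task."""
    dirty = dict(HOST_IMAGE)
    dirty["C:/Program Files/Browser/addons/unwanted.dll"] = "<malicious add-on>"
    tab = MicroVM(dirty, "tab")
    return tab.read("C:/Program Files/Browser/addons/unwanted.dll") is not None


if __name__ == "__main__":
    for key, value in demo_isolation().items():
        print(f"{key}: {value}")
    print("dirty base inherited:", demo_dirty_base())
```

The model is deliberately simple, but the two results it produces are the ones that matter: nothing the compromised task did leaks into the sibling task or the base, and the only way a task can start out dirty is if the base image was already dirty.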
Centralized configuration is done via SCCM, group policy or XML files that can be used by solutions like Altiris or McAfee ePO. With it, you can specify certain web sites that are secure by default (intranet sites, for instance) and are exempt from executing in a micro-VM, as well as security settings to ensure that, for instance, you're using a known DNS server. If, for example, you're on a public WiFi network, vSentry will virtualize certain threads that it normally wouldn't, because the DNS server is not trusted.
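Here is how that decision logic fits together, as an added example rather than anything from Bromium. The XML format, element names and addresses below are invented for the illustration; vSentry's real policy schema is not described in this article. The one rule worth noticing is that the trusted-site exemption is only honoured while the DNS server is one the policy trusts, since a name-based allowlist is only as good as the resolver answering for those names.

```python
"""Policy evaluation: should this URL run inside a micro-VM?

Added illustration, not Bromium's policy format. Two inputs drive the decision:
a list of trusted (exempt) sites and a list of trusted DNS servers. If the
current resolver is not trusted, the site exemption is ignored and everything
is isolated. Hostnames are taken from the parsed URL, never from a substring
match, so "http://intranet.example.com@evil.example.net/" is judged by its real
host. All names and addresses here are constructed.
"""
import xml.etree.ElementTree as ET
from typing import FrozenSet, NamedTuple, Tuple
from urllib.parse import urlparse

# Constructed policy in a made-up schema (hypothetical, not vSentry's).
POLICY_XML = """
<policy>
  <trustedDns>10.0.0.53</trustedDns>
  <trustedDns>10.0.1.53</trustedDns>
  <trustedSite>intranet.example.com</trustedSite>
  <trustedSite>*.corp.example.com</trustedSite>
</policy>
"""


class Policy(NamedTuple):
    trusted_dns: FrozenSet[str]
    trusted_sites: Tuple[str, ...]


def load_policy(xml_text: str) -> Policy:
    """Parse the hypothetical XML into normalised lookup structures."""
    root = ET.fromstring(xml_text)
    dns = frozenset(e.text.strip() for e in root.findall("trustedDns") if e.text)
    sites = tuple(
        e.text.strip().lower().rstrip(".") for e in root.findall("trustedSite") if e.text
    )
    return Policy(dns, sites)


def host_matches(host: str, pattern: str) -> bool:
    """Exact match, or '*.suffix' matching any label under suffix (not suffix itself)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".corp.example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def should_isolate(url: str, dns_server: str, policy: Policy) -> bool:
    """True if the URL must run in a micro-VM under this policy."""
    # Untrusted resolver (e.g. public WiFi): the allowlist cannot be relied on,
    # so nothing is exempt.
    if dns_server not in policy.trusted_dns:
        return True
    host = urlparse(url).hostname
    if not host:
        return True                               # unparseable: fail closed
    return not any(host_matches(host, p) for p in policy.trusted_sites)


if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    for url, dns in [
        ("http://intranet.example.com/", "10.0.0.53"),
        ("http://wiki.corp.example.com/", "10.0.0.53"),
        ("https://news.example.org/", "10.0.0.53"),
        ("http://intranet.example.com/", "192.168.1.1"),
        ("http://intranet.example.com@evil.example.net/", "10.0.0.53"),
    ]:
        print(f"{url:48} dns={dns:13} isolate={should_isolate(url, dns, policy)}")
```

Note that the bare domain `corp.example.com` does not match `*.corp.example.com`; if you want both, list both. Failing closed on an unparseable URL is the conservative choice for a control whose whole purpose is to isolate the unknown.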
While most of that has been known for a while, Bromium also announced a new feature of vSentry called LAVA, or Live Attack Visualization and Analysis. LAVA takes advantage of the fact that each micro-VM is isolated and, rather confidently, can watch and log how malware acts, even going so far as to let a malware process finish so that it can record exactly what is happening. vSentry knows how IE is supposed to act, for instance, and anything out of the norm is detected and traced. This allows them to discover zero-day attacks, identify and catalog malware signatures, and detect rootkits.
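The "knows how IE is supposed to act" idea is a baseline comparison, and it's worth seeing what that looks like on actual event data. The example below is mine, not LAVA: a per-task baseline of what a browser tab is expected to do (its own binary, its own cache and download folders, its own registry keys, web ports), run over a constructed event log, reporting every deviation together with the full trace of the task that produced it. The log format, baseline and all the events are made up.

```python
"""Baseline-deviation check over a constructed micro-VM event log.

Added illustration, not Bromium's LAVA. Each task's events are compared with a
baseline of expected browser behaviour; any task that deviates is reported with
its findings and its complete event trace, the way the article describes
"detected and traced". Log format, paths and addresses are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log. Task uvm-7 writes and launches a new binary, adds an autorun
# entry and connects on an unusual port; uvm-8 behaves like an ordinary tab.
SAMPLE_LOG = r"""
ts=10:00:01 task=uvm-7 event=proc_start image=C:\Program Files\Browser\browser.exe
ts=10:00:05 task=uvm-7 event=net_connect dst=203.0.113.10 port=443
ts=10:00:09 task=uvm-7 event=file_write path=C:\Users\me\AppData\Local\Browser\Cache\0001
ts=10:00:12 task=uvm-7 event=file_write path=C:\Users\me\AppData\Roaming\dropped.exe
ts=10:00:13 task=uvm-7 event=proc_start image=C:\Users\me\AppData\Roaming\dropped.exe
ts=10:00:14 task=uvm-7 event=reg_write key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dropped
ts=10:00:15 task=uvm-7 event=net_connect dst=198.51.100.7 port=6667
ts=10:00:20 task=uvm-8 event=proc_start image=C:\Program Files\Browser\browser.exe
ts=10:00:21 task=uvm-8 event=net_connect dst=203.0.113.9 port=80
ts=10:00:22 task=uvm-8 event=file_write path=C:\Users\me\Downloads\brochure.pdf
"""

# Hypothetical "how a browser tab is supposed to act" baseline (lower-cased).
BROWSER_BASELINE = {
    "images": {"c:\\program files\\browser\\browser.exe"},
    "write_prefixes": ("c:\\users\\me\\appdata\\local\\browser\\", "c:\\users\\me\\downloads\\"),
    "reg_prefixes": ("hkcu\\software\\browser\\",),
    "ports": {80, 443},
}

# key=value tokens; values may contain spaces, so stop only before the next key.
_TOKEN = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    return dict(_TOKEN.findall(line.strip()))


def deviation(ev: Dict[str, str], baseline: Dict) -> str:
    """Return a reason string if the event falls outside the baseline, else ''."""
    kind = ev.get("event")
    if kind == "proc_start":
        if ev.get("image", "").lower() not in baseline["images"]:
            return "unexpected process image: " + ev.get("image", "")
    elif kind == "file_write":
        if not ev.get("path", "").lower().startswith(baseline["write_prefixes"]):
            return "write outside expected locations: " + ev.get("path", "")
    elif kind == "reg_write":
        if not ev.get("key", "").lower().startswith(baseline["reg_prefixes"]):
            return "registry write outside expected keys: " + ev.get("key", "")
    elif kind == "net_connect":
        try:
            port = int(ev.get("port", ""))
        except ValueError:
            return "malformed port: " + ev.get("port", "")
        if port not in baseline["ports"]:
            return f"unexpected destination port {port} to {ev.get('dst', '?')}"
    else:
        return "unknown event type: " + str(kind)
    return ""


def analyze(log_text: str, baseline: Dict) -> Dict[str, Dict[str, List]]:
    """Group events by task; return findings plus full trace for deviating tasks."""
    traces: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    findings: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        task = ev.get("task", "?")
        traces[task].append(ev)
        reason = deviation(ev, baseline)
        if reason:
            findings[task].append({"ts": ev.get("ts", "?"), "reason": reason})
    return {t: {"findings": findings[t], "trace": traces[t]} for t in findings}


if __name__ == "__main__":
    for task, report in analyze(SAMPLE_LOG, BROWSER_BASELINE).items():
        print(f"{task}: {len(report['findings'])} deviations in {len(report['trace'])} events")
        for f in report["findings"]:
            print(f"  {f['ts']}  {f['reason']}")
```

Because every task is isolated, the analyst gets to keep the whole trace of the offending task, including the benign-looking events before the first deviation, which is what turns a single alert into a usable record of the attack.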
In the right hands, this information would be exceptionally valuable. Imagine if there were 1 million vSentry users worldwide: there would be 1 million completely secure honeypots, each with any number of micro-VMs, available to detect and analyse attacks in real time.
LAVA logs can be uploaded and consumed by forensics tools, but I imagine a time when technology such as this is automatically logged and uploaded to, say, a large internet security firm like Symantec, Trend, or McAfee. Or, perhaps one of those companies would be interested in buying Bromium. The value of that kind of automatically generated information from so many locations has got to be huge.
Bromium vSentry is licensed to enterprises, and cost information at this point is relatively up in the air. When pressed for a ballpark list price, all I could get was "north of $100," but I'm unaware if that's per device or per user. Obviously there are volume discounts. Given the unique approach to Windows security and the increasing reliance on services coming from insecure sources, I'd say vSentry is worth a look.