It’s been a while since we covered Bromium, and it’s been even longer since we wrote about a specific laptop from a specific vendor (actually, maybe that’s never happened), but today brings news from RSA Conference that HP and Bromium have partnered to deliver the first laptop with Bromium’s virtualization-based security built-in. The product, dubbed HP SureClick, will initially be available on HP’s EliteBook x360 1030 G2, with more devices to follow in the coming months.
The most important element of this is that Bromium’s microvisor-based security model is continuing its move towards mainstream adoption. If you’re not familiar with Bromium, you can read up on our past coverage to get more detail, but the ten-cent tour goes something like this:
Each time you open, say, a tab in a browser, Bromium spawns a micro virtual machine to execute whatever code happens to come from that tab. This micro VM doesn’t carry with it a lot of overhead, relying on the existing filesystem and memory instead of having to create new, individual virtual machines. Instead, it creates an isolation bubble around the code that is executing, presenting to it a full instance of Windows without actually giving it access to anything that can cause harm. In this way, users can safely browse the web or view potentially harmful documents without fear of compromising their machine. In the case of the browser, when the tab is closed, that micro VM is thrown away forever.
The best example of how this approach can help involves ransomware. With Bromium (and now HP SureClick, but more on that in a minute), the ransomware passed along by accidentally clicking a nefarious link in an email is allowed to execute, but it can’t leave the confines of the micro VM. From a user’s perspective, if they see the warning that says they’ve been infected and need to pay to get their files unencrypted, all they have to do is close the browser tab and the ransomware is gone forever. It ran, but because it was isolated, it only affected what it thought was the real data, not the actual data itself.
HP’s security focus
This example and many more are why HP and Bromium worked out a partnership. HP has been pumping a lot of resources into security lately, focusing on built-in security as opposed to bolt-on components that need to be constantly updated and tested against. For example, they’ve created HP SureStart, a self-healing BIOS that contains runtime protection where if the BIOS is compromised, a golden copy that lives in electrically isolated memory is automatically re-loaded.
This latest step includes the Bromium technology in the form of HP SureClick, which is built into the OS to protect users from themselves. Unlike the full Bromium product, SureClick is limited to browser-based threats. It supports Internet Explorer and Chromium (Chrome is not yet supported, though they are working on it), which are by far the most popular enterprise browsers. Users of Microsoft’s Edge browser on Windows 10 are already protected to some degree via a partnership between Microsoft and Bromium.
SureClick is effectively hands-off for the end user. There will be some user-facing capabilities that allow a user to trust a site for a certain period of time in the event that a site isn’t behaving as it should (say, in some weird situation where different SaaS apps need to share cookies between them and their respective tabs), but Bromium is confident that the work they’ve put into the platform will properly handle nearly every situation.
HP has included some centralized management capabilities in its SCCM-based Manageability Integration Kit (MIK) to allow admins to set policies for how to handle certain sites. In the beginning, the MIK will have a limited set of policies that are related to SureClick, but more will be added in the future. One example given to me was regarding how you’d deal with Google sites sharing information between tabs. If each tab is its own micro VM, does that mean that one tab can’t share information with the other? SureClick could be aware of this and place all Google-related tabs in the same micro VM, but you could also set the policy to keep everything isolated.
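To make the two ideas above concrete (a per-tab isolation bubble whose writes are thrown away when the tab closes, and an admin policy that decides which tabs share a micro VM), here is a small Python model. It is an added illustration written for this article, not Bromium or HP SureClick code, and it says nothing about how their microvisor is actually implemented: the class names (HostState, MicroVM, Microvisor, SitePolicy), the copy-on-write overlay, the "reverse the bytes" stand-in for encryption, and the sample files, hostnames and cookie are all constructed for the example.

```python
"""Toy model of per-tab micro-VM isolation with copy-on-write state.

Added example, not Bromium/HP SureClick code. All names and the
overlay mechanism are assumptions made to illustrate the article.
"""
from dataclasses import dataclass, field


@dataclass
class HostState:
    """The real filesystem and cookie jar. Only the host may change these."""
    files: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class MicroVM:
    """One isolation bubble. Code inside sees the full host state, but every
    write lands in a private overlay; discarding the VM discards the overlay."""

    def __init__(self, name, host):
        self.name = name
        self._host = host
        self._files = {}    # copy-on-write overlay for files
        self._cookies = {}  # copy-on-write overlay for cookies

    def read_file(self, path):
        return self._files.get(path, self._host.files.get(path))

    def write_file(self, path, data):
        self._files[path] = data  # never touches self._host.files

    def list_files(self):
        return sorted(set(self._host.files) | set(self._files))

    def get_cookie(self, key):
        return self._cookies.get(key, self._host.cookies.get(key))

    def set_cookie(self, key, value):
        self._cookies[key] = value


class SitePolicy:
    """Admin policy: tabs whose hostname belongs to a shared group land in one
    micro VM (so they can share cookies); every other tab gets its own."""

    def __init__(self, shared_groups):
        self.shared_groups = shared_groups  # e.g. {"google": {"mail.google.com"}}

    def isolation_key(self, tab_id, url):
        hostname = url.split("://", 1)[-1].split("/", 1)[0]
        for group, hosts in self.shared_groups.items():
            if hostname in hosts:
                return "group:" + group
        return "tab:" + tab_id


class Microvisor:
    """Spawns a MicroVM per isolation key and destroys it when its last tab closes."""

    def __init__(self, host, policy):
        self.host, self.policy = host, policy
        self._vms = {}   # isolation key -> MicroVM
        self._tabs = {}  # tab id -> isolation key

    def open_tab(self, tab_id, url):
        key = self.policy.isolation_key(tab_id, url)
        vm = self._vms.setdefault(key, MicroVM(key, self.host))
        self._tabs[tab_id] = key
        return vm

    def close_tab(self, tab_id):
        key = self._tabs.pop(tab_id)
        if key not in self._tabs.values():
            del self._vms[key]  # thrown away forever, overlay included


def simulated_ransomware(vm):
    """Constructed stand-in payload: 'encrypts' (reverses) every file the VM
    can see and drops a ransom note. It only ever writes to the overlay."""
    for path in vm.list_files():
        vm.write_file(path, vm.read_file(path)[::-1])
    vm.write_file("README_DECRYPT.txt", "pay up")


def demo_ransomware_contained():
    """Returns what the payload saw after running, and the untouched host files."""
    host = HostState(files={"budget.xlsx": "q1 numbers", "notes.txt": "hello"})
    mv = Microvisor(host, SitePolicy({}))
    vm = mv.open_tab("t1", "http://malicious.invalid/invoice")
    simulated_ransomware(vm)
    seen_by_payload = vm.read_file("budget.xlsx")
    mv.close_tab("t1")  # user closes the tab; the overlay dies with the VM
    return seen_by_payload, dict(host.files)


def demo_site_policy():
    """Returns the cookie a second tab sees under a shared-group policy,
    under a fully isolated policy, and what reached the real host jar."""
    host = HostState()
    grouped = Microvisor(host, SitePolicy({"google": {"mail.google.com", "docs.google.com"}}))
    a = grouped.open_tab("t1", "https://mail.google.com/")
    b = grouped.open_tab("t2", "https://docs.google.com/")
    a.set_cookie("SID", "abc")
    isolated = Microvisor(host, SitePolicy({}))
    c = isolated.open_tab("t1", "https://mail.google.com/")
    d = isolated.open_tab("t2", "https://docs.google.com/")
    c.set_cookie("SID", "abc")
    return b.get_cookie("SID"), d.get_cookie("SID"), dict(host.cookies)


if __name__ == "__main__":
    print(demo_ransomware_contained())
    print(demo_site_policy())
```

The point of the two demos is the asymmetry the article describes: the payload genuinely runs and genuinely sees its "encrypted" files, yet the host copy never changes, and closing the tab deletes the only place the damage existed. The policy class shows why an admin knob matters: the same two Google tabs either share one bubble (and the cookie) or are kept apart, and in neither case does the cookie reach the real jar.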
While I’m excited about this, the biggest drawback is obviously that HP SureClick is limited to HP devices (not because HP is bad, but because I want it on all devices!). For the time being, it’s actually limited to one specific device: the HP EliteBook x360 1030 G2, which was announced at CES this past January. If you want SureClick-like features in virtual machines, you’ll need to get in touch with Bromium, even if you’re an all-HP shop. Still, you have to start somewhere, and in the future, you can expect to find SureClick on more HP devices.
Overall, I think this is a smart move for HP. I’m excited to see big vendors buying into what Bromium is doing, especially because I’ve been a big fan of Bromium since they opened up shop in 2010. HP SureClick, combined with the existing partnership with Microsoft, shows that virtualization-based security is legitimate, and it could very well be the thing that breaks us free from the never-ending death spiral of traditional antivirus. In a way, you could say that this kind of technology creates an “idiot proof” endpoint by moving the security down a level, saving us from ourselves.
In the near future, I want to see HP SureClick in action and take a deeper dive into today’s Bromium. A lot has changed since we last wrote about them, including support for virtual machines and the arrival of a new CEO, so they are way overdue for a look. Stay tuned.