I came away from my last conversation with Bromium so excited about their platform that I had to give it a shot. It’s been years since I saw it in action, and in the beginning it was a little rough around the edges. I love the idea of a hardware-level security platform that lets users be users and protects them from themselves, but in addition to the growing pains of a new platform built on the complicated premise of microvirtualization (see how I used “premise” properly?), it was also limited by the fact that only a small percentage of the hardware used in enterprises could support it. To top it all off, since Bromium vSentry required key infrastructure components that only the largest of organizations had, there wasn’t a great way to evaluate the product. Somewhere, buried in a storage closet in TechTarget’s San Francisco office, is a laptop with a super-secret hack on it that allows for testing a very early version of vSentry.
It was that complicated!
Today, things are different, and when I told VP of Services (and former Citrite and BriForum speaker) Dan Allen I would like to take a test drive, he shot the bits right over. Within a few minutes it was running inside a Parallels VM. No management console (they have one, I just didn’t need it to get started), no KMS server, no nothing. There I was, running vSentry on a Parallels virtual machine on my own laptop, in the time it took to make lunch. I never dreamed that was possible five years ago!
All this was the inspiration for today’s article. Years ago, when were first introduced to Bromium, I remember thinking something along the lines of, “Holy crap, this is awesome. Too bad we won’t all be able to use this.” Now it looks like this is available for just about everyone. Here’s why.
We first covered Bromium in July 2012 when co-founder and CTO Simon Crosby posted an article on our site explaining, in his own words, what micro-virtualization was all about. The key takeaway from the concept is that vSentry leverages hardware virtualization, and in 2012 only a small portion of the available endpoint hardware had the capabilities that vSentry required.
Today, it’s safe to say that most typical enterprise PCs have the require capabilities: VT-x and EPT for Intel, and AMD-V with RVI for AMD. In fact, all i3, i5, and i7 processors since 2010 have the necessary feature set to support vSentry. That probably means that even your mom’s computer will work.
In addition to broad endpoint support, hardware virtualization has matured to the point where hypervisors can pass hardware virtualization instructions from the guest OS to the physical hardware, which enables vSentry to work inside virtual machines. The same thing that lets me use vSentry in Parallels means that it can be used in VDI.
Until recently, Bromium recommended 8GB of RAM in order to maintain performance. This is mainly due to the fact that when memory is at a premium (say, less than 8GB), vSentry will suspend the micro-VMs. When you switch to a browser tab that has been suspended, it can take a few seconds to wake up, which is perceived as lag. This 8GB minimum was especially painful in VDI scenarios.
With the help of some advanced scheduling, vSentry implementations on VDI can now work with as little as 4GB of RAM. The suspend/resume happens less often, and when it does, it’s faster. Bromium still recommends 5GB of RAM for VDI for the best possible experience, though. (For physical desktops, the minimum recommended is now 6GB instead of 8GB.)
For a demonstration of vSentry running on older hardware, check out Dan Allen’s blog where he used a 2010- era Lenovo ThinkPad Edge that featured a 1st generation Intel i3, 4GB RAM, and a 250GB SATA hard drive.
Hardware wasn’t the only limiting factor in the earlier days of vSentry. The actual implementation process was difficult, too. Requirements have varied over the years, but what’s clear is that today it’s about as straightforward as any other security platform.
The installer itself comes packaged as an MSI, so you can deploy it any way you want. The only snag I ran into was that on both of the machines I used, I was told that my version of Firefox needed to be replaced with the Extended Support Release (ESR) version as opposed to the normal, personal version, that most people use. I replaced my version with the ESR, and everything proceeded nicely.
When I experienced the Firefox warning, I asked Dan if there were other prerequisites and what a typical cleanup process would be like. This is his response:
“We do have some prerequisites, but we also have PreCheck tool we can run to collect information to get ahead of any issues before we roll out. Our management server also does a good job of collecting information and reporting on potential issues. Our deployment package is just a simple MSI file, so it is easy to deploy us with any tool such as SCCM, BigFix, Altiris, or even via GPO. From an application compatibility perspective the only two things to be aware of is that we protect Office 2010 or later and we only protect the ESR edition of Firefox, which is what most enterprises that officially support Firefox use. We can still run on a system that has Office 2007 or the personal version of Firefox, we simply will not protect those applications if the user runs them.”
Day to day usage
Though I haven’t spent much time talking about the ins and outs of micro-virtualization (you can read Simon’s article for that), it’s important to understand what’s going on behind the scenes at a high level to understand the day-to-day usage of vSentry. When vSentry is first installed, it takes a snapshot of the machine that it then uses as the template for all future micro-VMs. This snapshot process is called “initialization,” and on the physical machine I tried it on it took about 10 minutes to complete.
The catch with the initialization process is that if you install something that vSentry can protect, say, Office, after you install vSentry, it won’t be in the micro-VM template and won’t be protected. Thankfully, vSentry notices this and re-initializes the micro-VM as-needed, and you can kick the process off yourself if you want to.
Other than that, you forget that it’s there. Sometimes if you get a little tab happy, vSentry will shut down a micro-VM or two that will take a second to get started again, but that falls inside the margin of slop already associated with your browser of choice.
Back to the original question…
It looks like all the major problems have been solved. vSentry is way easier to deploy, and it runs faster than ever. So why isn’t everyone running this?
I’ve written before that micro-virtualization and AI-based threat detection and analysis are new enough that they are off the radar of a lot of companies, especially when you factor in that it’s super easy to just keep writing that check to McAfee each year and carry on doing business-as-usual. But as the war against viruses and malware, a.k.a. the “Bad Guys,” wages on it seems like it’s time for something new.
Microsoft has endorsed virtualization-based security in Windows 10 with Credential Guard and Device Guard, followed by Windows Defender Application Guard for Edge. HP has incorporated a slightly watered-down version of vSentry into their latest line of laptops. That is some significant validation from industry heavyweights!
Plus, when you factor in the cost of vSentry and how competitive that is with traditional endpoint security products, you’d have to think that Bromium vSentry is on the verge of mainstream adoption. vSentry yearly subscriptions run $75/device/year with increasing discounts at volumes over 250 devices or with multi-year subscriptions. Perpetual licenses are also available.
So I’ll ask you directly—have you looked into vSentry? If yes, what’s holding you back? If not, well, you should.