HP Threat Research Blog


August 26, 2018 | By Gregory Webb

Revolutionize Endpoint Security with Application Isolation & Containment

  • US Defense Information Systems Agency (DISA) security experts are evaluating how organizations can better protect their endpoints from existing and Zero-Day threats with two endpoint security capabilities: Endpoint Detection and Response (EDR) and Application Isolation and Containment.
  • Multiple US federal government agencies have validated Application Isolation and Containment as a foundational security strategy.
  • Bromium has a revolutionary approach to securing endpoints that avoids reliance on detection (with its patient-zero dependencies) in favor of protection through safe, contained and self-remediating virtual environments.

Earlier this year the US Defense Information Systems Agency (DISA) acknowledged what many companies have been grappling with for some time: endpoint security solutions need to be “modernized” to protect against increasingly sophisticated and evolving threats. (See “The evolution of endpoint security” at https://www.disa.mil/NewsandEvents/2018/evolution-endpoint-security.)

Like most organizations, DISA has historically recommended and leveraged a multi-layered security posture, based on a detect-to-protect methodology. As the agency’s security experts assessed the evolving threats and the escalating number of state-sponsored attacks on US agencies, they came to an inescapable conclusion: trying to predict the actions of bad actors and respond to a host of new, polymorphic and targeted attacks with current capabilities alone was not a winning strategy.

Although you might not work for a government agency, your company is very likely facing the same losing battle. With each new attack, security teams add more detection-based tools to the endpoint, temporarily shoring up the organization’s defenses, but only until the next attack. The predictable result? Traditional endpoint security solutions provide less and less actual protection and diminishing value, while bad actors continue to find and exploit vulnerabilities, outmaneuvering existing security measures.

To provide dramatically improved security and significant risk reduction in an increasingly dangerous cyberattack landscape, DISA is leading the way to better safeguard endpoints and protect data. Newer, hardware-based containment solutions are a key part of that go-forward strategy. As Fredrick Cook, chief of DISA’s Endpoint Security Branch, explains, “Containment solutions are kind of like sandboxes for untrusted applications, where whatever that application does can’t harm the endpoint device. EDR assumes you’ve already been breached and helps to find anomalies and correlate them with similar behavior of other endpoint devices in the network so that everything can be inoculated at once.”

The notion of leveraging containment via virtualization might be breaking news for some, but not Bromium. For more than five years, Bromium has been developing and enhancing containment solutions while working with large, global customers in multiple industries and government agencies. We’ve gone through the experimental and gearing-up phases, taking solutions from startup to enterprise-grade with robust, proven security capabilities.

This level of protection is so foundational to a solid security strategy that the concept has been validated by and approved for use within multiple federal government agencies. The US National Security Agency (NSA) validated this security approach and named the then-emerging category at the NSA Information Assurance Symposium in 2016: “Application isolation and containment is attractive because of its potential to … avoid complicated clean-up, thwart zero-day attacks and capture novel attacks.” Bromium and its more secure, hardened architecture were specifically highlighted there. In early 2018, Bromium also released a Secure Configuration Checklist to help its customers comply with the National Checklist Program (NCP) set forth by the National Institute of Standards and Technology (NIST), in an effort to further protect end-users and to bolster the security of federal operating systems used by the US Department of Defense (DoD), as well as systems used by civilian and state governments.

Most recently, the U.S. Department of Defense’s (DoD) Defense Information Systems Agency (DISA) published its first and influential Security Technical Implementation Guide (STIG) for Bromium’s isolation and containment security solution in June. The DoD issues STIGs for software solutions from vendors that meet or exceed their rigorous security requirements for use by military agencies. The new STIG guidelines allow the DoD and all its agencies and other federal agencies to deploy Bromium’s platform with the necessary technical policies, configuration settings, and implementation information to bring advanced security and threat intelligence to the endpoint. It’s also further validation for the isolation approach to enterprise security.

Hundreds of Millions of Risky Clicks Every Year

How do we reduce business risk while protecting you with improved security? Here’s one specific way to quantify the value. Ask yourself how many times a day one of your users clicks on a link to an unknown, and therefore risky, website. Or opens an email attachment from an external sender? Or downloads and opens files from Internet websites? Is it one, two, five or more risky clicks that your users average per day? If we assume the typical employee executes a conservative average of five risky clicks per day, and your organization has 1,000 users, that means 5,000+ risky clicks occur every day.

That’s 25,000 or more every week, 100,000 or more every month, and more than 1 million risky clicks every year. That’s significant exposure to security incidents. Now imagine if you have 10,000 or even 100,000 users in your organization. The risk is staggering. That’s potentially hundreds of millions of risky clicks that happen every year inside your enterprise. And all it takes is a single user clicking the wrong link one time for it to become a devastating breach. Given that most organizations are processing millions of risky clicks every year, there’s simply no amount of user education or training that will prevent a risky click from eventually breaching your organization.

Bromium Approaches Security from a Different Point of View

Traditional detection-based methods require that organizations first get owned, with a patient zero and a compromised system. Bromium helps organizations avoid the damage in the first place. Opening email attachments and downloaded files, and performing all Internet activity, in a secure virtual machine is as close to bullet-proof as one can get (given that disconnecting completely from the Internet isn’t an option).

The improved security from safe, contained and self-remediating virtual machines and real-time threat intelligence doesn’t rely on detection; we simply protect via hardware-enforced isolation and containment. Bromium creates a protected environment for each application. If a malware attack—such as ransomware—occurs within that environment, the threat remains isolated and unable to harm other applications or the underlying OS and hardware. To remove the threat, you simply close the application. No further action is required on the endpoint. Think of how much time and effort the city of Atlanta could have spared itself—not to mention the damage to its reputation—if users could have simply “closed” a ransomware attack as our customers do hundreds of times each week.

We seek to address the root of customers’ issues. Customers regularly tell us they are overwhelmed. Their Security Operations Center (SOC) teams are drowning in low-value security alerts—with an increasingly high rate of false positives—and are spending millions to review and address them. Meanwhile, advanced malware is still getting through because cyber criminals are focusing on the weak spots—email attachments, phishing links and downloads. Why hire vast threat hunting teams to manually comb through the data, looking for needles in haystacks, when you can simply isolate the threat and get the intelligence from self-contained detonation chambers as the breach occurs?

Bromium addresses the security needs of a modern enterprise. Our application isolation solution revolutionizes the endpoint security stack, eliminating the need for multiple endpoint security applications that are bloating nearly all endpoints. Only virtualization-based security can defend against the most sophisticated attack techniques, protecting users, data and machines with no impact on the user experience. Users can click with confidence and get their jobs done with full productivity and complete protection.

For more information about how Bromium can help you better protect your organization with application containment, request a demo or contact us.

About the Author

Gregory Webb
Bromium CEO
