Threat Forwarding Augments Threat Intelligence with Automated Triage and Categorization
Bromium customers have long had the option to securely transmit their proprietary threat data to Bromium analysts either manually or using our one-way Cloud Connector. Now, with Bromium Secure Platform 4.1.5, we’ve improved upon Threat Forwarding, introducing a two-way connection from the customer’s Bromium Controller directly to Bromium Cloud Services. This allows for automatic threat triage and classification—including true positive threat verification and identification of malware family names—both in real time and as new threat information develops.
How does it work?
Beginning with Bromium 4.1.5 (available now), customers can opt-in from their Bromium Controller to enable automatic Threat Forwarding through Bromium Cloud Services, building upon the real-time, cloud-based threat intelligence capabilities we introduced in Bromium 4.1.4. Two simple check boxes open new levels of intelligence.
Why should I opt-in to sharing my threat data with Bromium?
Quite simply, things change. Many malware samples take time to play themselves out completely, either by attempting to “sleep” through the initial analysis, or by rotating their command-and-control servers, download sites or payloads. The entire security industry has grappled with this problem for decades. With just a “single bite at the apple” on first entry, many initial verdicts based on preliminary threat intelligence information will later turn out to be incorrect. Automatic Threat Forwarding to the Bromium Cloud allows for multiple opportunities to identify and categorize threats, whenever new information becomes available, not just when the potential threat first appears.
Threat Forwarding with ongoing threat intelligence by Bromium Cloud Services and Bromium Threat Labs security analysts improves situational awareness and boosts security readiness with the most up-to-date threat information:
- Preliminary clean verdicts may be later identified as true threats, based on automated or manual analysis
- Initial positives may be recast as benign as more data is gleaned and anti-malware industry consensus evolves
- Unknown malware may subsequently become identified by specific family name
- Customer incident responders may converse with Bromium Threat Labs security analysts regarding specific alerts received
- Bromium may provide additional detailed reports beyond what is generated from the Bromium Controller
My data is sensitive. What safeguards are in place to protect it?
True positive malicious threats coming in from the outside world will, by definition, contain no proprietary or personally-identifiable information (PI or PII). If it’s really malware, then there should be no reservations about sharing it with Bromium. It’s only in the case of false positives (your documents) that there may be some cause for concern.
- Based on customer security requirements, the Malware Manifest file containing the actual malware contents (original document or executable file) can be optionally excluded, preventing Bromium from viewing the original source document with any PI or PII
Your data remains yours—neither source files nor specific threat indicators are ever shared with other Bromium customers or with third parties.
Why would there be false positives in my threat data?
False positives (FPs) happen in this industry as a function of being cautious—no honest security vendor is without them—but Bromium FPs are different from those of other vendors in three fundamental ways: First, since Bromium micro-VMs isolate a single application and/or document, they generate very high signal-to-noise ratios for curious things. Any anomalous, unexpected behaviors trigger Bromium alerts, some of which turn out to be benign upon later analysis. Second, Bromium alerts typically do not interrupt the user. Most customers configure Bromium micro-VMs to run continuously even after malware has been discovered running within them. Third and finally, since Bromium isolates threats and non-threats alike, eliminating the possibility of endpoint breaches or lateral movement, any Bromium-generated FPs don’t require your security teams to do anything immediately to remediate the situation! They can simply take the reports as informational, whether the alert ultimately proves to be a true threat or a false positive.
The value of sharing threat data
It is important to remember that when a Bromium isolation alert is generated, the endpoint is still protected through Bromium’s hardware-enforced application isolation. Bromium alert analysis is beneficial to help better understand the value that Bromium adds to any defense-in-depth strategy, and it also leverages Bromium threat data to protect other critical assets that are not secured by Bromium, through standard threat information feeds to other security systems.
Sharing threat data with Bromium helps organizations to better understand threats that Bromium has stopped and lets you be part of a broader initiative that shares threat information globally so that your organization is ready to protect against an attack before it happens. Threat Forwarding enables additional intelligence sharing and analysis benefits:
- Insights for global attack trends related to your organization or industry
- High-fidelity security alert confirmation and triage for action
- Participation in global threat sharing for improved security posture
Please see our Knowledge Base article for more information on Threat Forwarding.