Data Talks: Bromium Analyzes Live Running Malware from a Unique Threat Vantage Point
- Bromium Threat Labs debuts a new multi-part blog series called Data Talks
- The series features highlights of “live capture” threat research using aggregated data voluntarily reported by Bromium customers
- Look for deep-dives, trends, and predictions to guide you when you know that detection isn’t enough to keep you safe
Today we’re kicking off a new multi-part blog series called Data Talks, highlighting the unique threats we see in our Bromium Threat Labs from real malware that actually ran on live customer endpoints. In this series, we’ll talk about high-level trends and predictions, as well as take a deep-dive into specific threats that our customers have voluntarily reported to Bromium and allowed us to share.
Bromium’s Unique Vantage Point
Bromium’s position in the security value chain is unique. Think of your security stack as a set of nets and traps designed to catch as much malware as possible. But c’mon, you know in your heart that you’re never gonna catch all of it. If you could, the security industry would have solved the malware problem a long time ago and we’d have nothing more to talk about.
Better to think of a security stack as a set of nested strainers that catch almost all the drips but still let a few fall through. Bromium provides application isolation and control on the host PC, using virtualization-based security as the last line of defense against threats that inevitably make it past all other defenses.
Other defenses try to block malware before it runs or stop execution in mid-flight using various detection techniques. Bromium’s unrivaled role is that it provides an ironclad backstop for when detection inevitably fails. Thirty years of anti-malware experience has proven that detection will never be 100% effective. And if your defensive stack cumulatively detects 97% of incoming malware—or even 99.5%—far too many threats will still escape detection at enterprise scale and activate live on your user’s endpoints.
So how is Bromium different? We see sophisticated, targeted threats that actually ran on real customer endpoints—safely within single-use, host-based, disposable micro-virtual machines while users were working—a far cry from out-of-band, autonomous artificial sandbox simulations where malicious intent can only be imputed. These are threats that other systems completely missed, and they would have been permitted to run directly on host PCs if not for Bromium isolation. When a single missed detection can lead to a devastating breach, Bromium’s value is clear.
Why Read Another Threat Blog?
We get it: you’re busy defending your networks against a constantly changing threatscape, and are continuously bombarded by blogs claiming that they have new information you can’t get anyplace else. With only so much available time to read and so few sources shedding actionable new light on problems that directly affect you, why take the time to digest this one? Here’s why:
- Bromium threat data comes exclusively from highly evasive malware that ran on real customer endpoints, exercised by flesh-and-blood human users during genuine business workflows. This increases the chances that malware code paths will execute fully.
- Bromium is truly the last line of defense. Our alerts are overwhelmingly “true positives” that catch threats other security controls have already missed. The malware we see would never have reached a Bromium micro-virtual machine if other security solutions had detected it.
- Bromium users overwhelmingly elect to let discovered malware continue to run—safely ensconced in micro-VMs—after it has been identified running on the endpoint, further enhancing the value of the Bromium threat intelligence collected.
Data Collection Methodology
Bromium uses opt-in, anonymized threat data from customers who voluntarily participate in our threat-sharing initiative to improve their own situational awareness and help guide future Bromium product development. Participating customers represent a cross-section of industries and organization sizes. The data set does not cover every PC that Bromium isolates: many targeted threats are too sensitive to share, and numerous Bromium customers—specifically in government—are prohibited from sharing their threats with any outside parties. We’ve found some of this data so interesting and so unique that we decided to share it with the security industry. That’s what this blog series is all about.
After Black Hat, we’ll explore the trend toward file-based attacks and away from browser-based threats, plus what this means for the cybersecurity industry and for security practitioners like you. We look forward to sharing our Bromium Threat Labs research with you.