Data Talks: Why Customers Trust Bromium to Let Malware Run on their Endpoints
- Bromium customers enthusiastically choose to let malware keep running in isolated micro-VMs 86% of the time
- This seemingly counterintuitive approach maximizes threat intelligence, made possible only by virtualization-based security
- Traditional solutions try to terminate malware upon discovery to minimize breaches, but often act too late and sacrifice learning
Let malware run. All of it. Ransomware, spyware, adware, trackware … the nastier the better!
I want malware running on my endpoint. Yes, on my real work PC, not a testbed or lab system. I also want it infesting all my coworkers’ live systems too. As much as possible. All day long, every day of the week. While this unusual desire may sound strange, controversial, or even self-destructive, you should probably ask for the same thing as well. Here’s why:
Unlike detection-based systems that aim to keep malware off endpoints, the Bromium Secure Platform is specifically designed to isolate malware inside individual micro-virtual machines, safely away from the host PC operating system, file system, registry, and the internal network. It does this while providing malware ample opportunity to strut its stuff safely confined in the micro-VM—to communicate with remote command and control servers over the internet, to download additional malicious payloads, to run commands on the victim’s system, and to do whatever else the attacker desires.
Browser exploits, zero-days, fileless malware … yeah, I’m looking at you!
If initial blocking has failed and a threat manages to execute on an endpoint—an all-too-common occurrence—typical security solutions try to detect the running malware and remove it as quickly as possible to minimize any damage that could be caused by the intrusion. And while Bromium customers can choose to terminate micro-VMs immediately upon initial malware identification, they overwhelmingly elect not to do so 86% of the time, instead allowing the malware to run unfettered within the safe isolation container throughout the entire user workflow.
The micro-VM continues to collect threat intelligence information about the malware for as long as the user has the infected file or web browser tab running. The micro-VM terminates only when the user is done with their workflow and closes the document or tab—which may be minutes, hours, or the end of the workday! All the while, continued data flows—perhaps from slow data exfiltration traffic, botnet heartbeats, or remote commanding.
Trojans, keyloggers, downloaders, credential stealers … bring ‘em on!
Why would anyone in their right mind want malware to run on their production systems, and even hope that it does? Well simply, the more malware that runs—and the longer it runs—the more we can learn about it.
Can’t we just quarantine malicious files immediately and delete them across the entire network estate? Yes, Bromium customers can certainly do this, but again, they mostly choose not to for very compelling reasons. Let’s say that a targeted attack sends the same email message to a hundred of an organization’s employees. The messages are all the same, including a phishing link with a shortened URL and a malicious Word document attachment. These components have been cleverly constructed to avoid front-line security defenses—including email malware scanners and sandboxes—and have now landed in your users’ inboxes, soon to be clicked by unsuspecting workers just trying to do their jobs.
Novel malware, signatureless attacks, obfuscated PowerShell, memory-only attacks … yes, please!
After the first malicious identification, we could simply blacklist the phishing site URL and quarantine the malicious Word file across the enterprise, but most of the time we don’t actually want to do this. Because that one Word document might in fact download different payloads from multiple command-and-control servers each time it’s opened—either by the same user or by each separate victim. Blacklisting on first occurrence denies subsequent learning.
Similarly, that single opaque phishing link may redirect to a different malicious domain URL every time it’s clicked—these tactics are trivial to implement and depressingly common across the threatscape. That’s why we don’t recommend our customers to block or quarantine on first instance of malicious sites or documents. The more times they run and the more people who run them, the more we learn!
Let it snow, let it snow, let it snow!
This festive holiday season, as clever attackers outsmart traditional defenses, Bromium Threat Labs wish you and yours a malware avalanche of epic proportions and a deluge of actionable threat intelligence—all safely in isolation of course!
- Confidently open email attachments from unknown senders while avoiding unpleasant holiday surprises
- Use your favorite browser for safe sites, automatically isolating risky phishing links or uncategorized websites
- Download files freely across the web without relying on risky detection or out-of-date blacklists