Blog We Have Answers: Questions from 2018 Cybersecurity Core Capabilities Webinar

14 Core Capabilities

February 1, 2018 Category: Government, Innovation By: Gavin Hill Comments: 0

We Have Answers: Questions from 2018 Cybersecurity Core Capabilities Webinar

  • Nicolas Chaillan, cybersecurity architect who worked for Homeland Security in the United States provided guidelines for your 2018 cybersercurity strategy.
  • It is based on what he built for – a strategy that takes the best of the best and delivers results based on the level of security you need.
  • His recommendations work for both the public and private sector and our free 2018 Cybersecurity Guide summarizes his information.

Yesterday we hosted an informative presentation by Nicolas Chaillan, former Special Advisor for Cybersecurity and Chief Architect for at the Department of Homeland Security. Nicolas recommends 14 core capabilities that an organization should address if your goal is defense-grade security.

Many thanks to everyone who joined us, and special thanks to the participants who posted questions during the webinar. Your questions are answered below, and if you would like to follow up on this conversation, please use the comments section below to continue the dialog.

Watch the on-demand presentation:

Download the free guide: 2018 Cybersecurity Guide

Mark your calendar for our next webinar, featuring IDC analyst Frank Dickson. Register for the February 22 webinar. Dickson will discuss his research, Validating the Known: A Different Approach to Cybersecurity. Register and if you can’t make it, we’ll send you the recording and IDC report.


Webinar Questions and Answers

There are 14 Capabilities. That’s a lot. How do I get started?

Security is complex and trying to tackle all 14 core capabilities at once would be overwhelming. The first step is to take advantage of the free technical gap analysis offered by Prevent Breach. It’s not a compliance checklist, but a thorough assessment, based on a comprehensive questionnaire that focuses on the technical aspects of your cybersecurity capabilities. After answering the questions, you receive a confidential grade that summarizes the results of the assessment, points out redundant tools and measures, and reveals existing security gaps.

When I conduct a risk assessment or gap analysis, my gaps are tremendous. How can I prioritize?

One of the main benefits of the technical cybersecurity gap analysis is to help you prioritize your security gaps, so you know what to focus on first. What’s more, you can repeat the assessment as often as you like to track progress, adjust priorities, and even perform predictive analysis to see how a purchase of a new solution or a strategy-shift might impact your security capabilities.

For instance, you can apply analytics to show you how adding Bromium’s application isolation to your security stack would help close the gaps in your defenses.

How do you protect legacy systems with software-defined perimeter?

Many government organizations still rely on legacy systems, which they access through a VPN. To increase security, agencies are beginning to switch to a Software Defined Perimeter (SDP)—technology that supports all of VPN capabilities such as device authentication and health checking, plus offers new features that are much better suited for today’s security needs. SDP works as an additional layer, offering user authentication and policy enforcement capabilities, so that access is only granted for the respective systems one may access, everything else is invisible.

Segmentation—as part of the new security stack—is paramount. Even when you have a legacy system that you are no longer able to get patches for, you can put that legacy application in a micro-VM. In the event when malware tries to exploit legacy application vulnerabilities, you can still contain a breach within that environment. You are not only segmenting from the SDP perspective, you are segmenting the application itself by using application isolation.

How does Bromium protect the operating system without being intrusive?

Application isolation means untrusted tasks are contained (via a micro-VM) so nothing can leave the container and infect the host or the network. Bromium micro-virtualization technology uses the Bromium Microvisor—a purpose-built hypervisor—in conjunction with the virtualization features built into Intel®, AMD® and other CPUs to create hardware-isolated micro-VMs for each task. These hardware-isolated micro-VMs provide a secure environment where user tasks are isolated from one another, the protected system, and the network. Bromium is sitting below the operating system, and if there is anything going on, such as a kernel exploit, it is completely contained inside a micro-VM respective to that application.

Watch: 90 Demo of Ransomware Detonating in a Micro-VM

How do you define what can be “trusted” inside Bromium?

It’s configurable—you can designate exactly what content can be trusted—both inside and outside the organization. You can configure it to trust absolutely nothing that’s coming from the outside (which we affectionately call “defense-grade security”), or you can choose to have the system automatically trust all internal shared files, for example.

Bromium isolation and protection also extends to files that have been downloaded and saved on a local machine. For example, if you receive an email that contains a malicious payload, save the attached file, then open it several days later, the file will still be treated as “untrusted” and opened inside a designated disposable micro-VM.

Do you recommend using Bromium in place of anti-virus (AV)?

At Bromium, we believe layered defenses are critical. Many organizations are still required to use AV to meet specific compliance requirements, for example, policies governing payment card protection (PCI DSS). AV can also be helpful in “reducing the noise,” that is, identifying and stopping known threats.

Traditional and next-gen AV solutions rely on detection-based techniques—somebody (patient zero) needs to be infected before signatures or models can be updated in order to stop it. Bromium protects before detection—isolating and containing applications and tasks just in case there is a threat. Bromium is the last line of defense.

We have customers who dropped their AV after deploying Bromium. However, if you choose to keep AV, it doesn’t have to be a cost center. Numerous free AV solutions are available today, enabling you to meet compliance regulations and reduce that noise level without spending considerable resources on licensing fees.

How does Bromium provide support for Meltdown and Spectre?

Attacking a machine using Meltdown requires the ability to run code on it. On a shared machine like a Terminal Server the attacker may already have a log in. But for a typical endpoint desktop or laptop the most likely vector will be the same way that such machines are regularly compromised: via a malicious web page, email attachment, downloaded file, etc.  The attacker will use a malicious web page or file to get execution on the machine, then leverage Meltdown to access information that might enable it to read sensitive data and escalate its privilege.

With Bromium, web pages, email attachments, documents, etc. are all opened in a dedicated micro-VM, isolated from the underlying physical system, and without access to any sensitive information. Even on a vulnerable CPU without Microsoft’s KVAS mitigation, if attackers used Meltdown to read kernel data in the micro-VM, they would not find anything sensitive to read—the micro-VM does not contain any of the hosts secrets, password hashes, etc. Even if they managed to take full control of the micro-VM, they would not be able to use Meltdown to access memory belonging to the host since the guest and host do not share an address space. Bromium endpoint users are protected against the likely routes for delivering Meltdown and Spectre attacks.

We have extensive blog series posted on our website reviewing the details of both Meltdown and Spectre, and explaining the inherent immunity that Bromium users have against these vulnerabilities.

Watch: Founder Ian Pratt Summarizes Meltdown and Spectre for Bromium Customers

Will Bromium work if it’s not connected to the Internet?

Absolutely. We have customers who are offline and not able to contact the Bromium Controller, the central management console, for six months or more (i.e. imagine if you’re working on a ship). Even without updates, these companies are continuously protected.

That’s because we don’t use signatures to detect malicious activity in the micro-VMs. We detect malicious behavior through behavioral analysis. It’s a lot easier to defend a moat than an ocean!

For example, when you open a Word document, it is isolated inside its own micro-VM. The only thing that exists inside that micro-VM is that specific Word document. Through behavioral analysis, we know exactly how a Word document should behave. Any deviation is instantly caught, and further analysis helps reveal if that document is malicious or not.

Want to see Bromium in action? Request a demo.

To learn more about the 14 Core Capabilities, download the 2018 Cybersecurity Guide.

We hope to see you on February 22 for our next webinar featuring IDC analyst Frank Dickson, who will discuss his research, Validating the Known: A Different Approach to CybersecurityRegister now.


About the Author


Gavin Hill
Vice President, Product and Strategy at Bromium

Recent Posts

2018-02-01T10:00:39-07:00February 1st, 2018|Government, Innovation|

Leave A Comment

See Bromium in Action

Request a demo and see how Bromium isolation will put an end to malware and attacks once and for all.