Micro virtual machine security is a tried-and-true endpoint protection tactic
When VMware Inc. announced its Project Monterey strategy to redefine the data center last week, executives effused about the potential of the distributed processing model to reshape cybersecurity as well.
Using a combination of software-defined networks and microprocessor-equipped network interface cards running the full vSphere server virtualization stack, security specialists will be able to deploy large numbers of individualized firewalls to protect applications, containers and even individual services. “Imagine you could create a little tiny firewall and a little tiny [intrusion prevention system] and attach it to each service,” Tom Gillis, VMware’s general manager of networking and security, said in an interview with SiliconANGLE.
But the idea of protecting applications and processes at a granular level isn’t new. HP Inc. has been shipping security software based on a similar concept for more than three years. Sure Click, which is included in every HP business computer, uses a micro hypervisor, or virtual machine monitor, to spin up a throwaway virtual machine for each risky task on a personal computer and isolate that task from the rest of the system. A process running in such a VM gets enough resources to do its job but cannot reach the host’s hardware or file system, so a compromise stays contained inside the VM.
The product is based on technology developed by Bromium Inc., which the PC and printer maker acquired last year. Bromium co-founder Ian Pratt, who is now the global head of security at HP, was formerly a senior faculty member at the U.K.’s University of Cambridge Computer Laboratory, where he was the principal architect of Xen, the open-source hypervisor that some of the world’s biggest cloud providers use for virtualization.
Micro VMs provide nearly total endpoint protection by changing the rules of engagement, Pratt told SiliconANGLE. Instead of engaging in a cat-and-mouse game of trying to anticipate an attacker’s actions, the software takes the attacker’s target away: whatever the malicious content does, it can affect only a VM that is about to be discarded.
For example, upon clicking a Word document attachment in an email, an action that he described as “the most dangerous thing you can do on a PC,” Sure Click transparently launches a virtual machine and opens the document inside it. “The document has just the resources required for that task and that VM exists just for the life of the attack and is then disposed of,” he said.
Pratt demonstrated by opening a Word file infected with ransomware. The action triggered an attack, but the malware was isolated within the temporary VM and disappeared when the instance was closed. The technology is equally effective in protecting browser instances and any other processes that don’t need to access the hardware directly, he said.
VMs are a better isolation chamber than software containers because “a hypervisor has a code base that’s orders of magnitude smaller and we’re able to take advantage of built-in analytics,” Pratt said. Administrators can also track micro VMs across a network for analysis. “You can watch attacks playing out and build heat maps of the tactics they’re using” as well as identify risky sites and zero-day exploits, which are attacks on vulnerabilities that have not yet been disclosed or patched. The performance penalty of a micro VM is minimal, about 100 milliseconds of added latency each time one is launched.
Sure Click is far less ambitious than Project Monterey, which VMware sees as an architecture for sharing resources across entire data centers. It’s also limited to endpoints, whereas VMware sees Project Monterey spanning entire clouds.
But as an endpoint security tool, micro VMs are a tried-and-true tactic that has been in use for some time. HP has been shipping the technology for over four years and “we’ve had no reported breaches,” Pratt said.