Enforcing Strong Task Isolation on Endpoints

Most experts would agree that the endpoint PC continues to represent the softest spot in an enterprise security architecture. One reason for such weakness is the proximity of the PC to that human user – the one every CISO team member knows is probably making bad decisions about cyber security. Another more powerful reason is the fragility of endpoint operating system software to even the most rudimentary exploits. Windows computers, in particular, have been notorious over the years in allowing cyber attacks, and this is not likely to change soon. In response to this weakness, new cyber security techniques are emerging that protect endpoints using clever CPU virtualization that can isolate untrusted tasks, thus making the system more resilient to malware. As part of the research for my 2017 TAG Cyber Security Annual (you can download the PDF volumes at https://www.tag-cyber.com/), I had the pleasure to sit down with my longtime friend and colleague, Simon Crosby, CTO of Bromium, so that he could help enlighten me on the technical details of isolation, virtualized execution, and containment.

EA: Simon, as CTO of Bromium, what sort of endpoint vulnerabilities and attacks are you seeing these days? Do viruses, for example, still find their way onto PCs?

SC: Sadly more than 90% of enterprise breaches start with a click. This includes malicious attachments, malware downloads, malvertising, Java usage, Websites, infected media, improper USB use, and infected executables – all punching holes in the perimeter. Conventional “detect to protect” tools fail, both at the network perimeter and the endpoint, because virtually all malware morphs into new, undetectable variants in under a minute, making signatures useless. And the thousand-fold increase in crypto malware signals a shift from manual breaches with stealthy infiltration and data theft, to machine-timescale breaches that can bring an organization to its knees before the first alert. So the answer to your question is that yes, malware still finds its way onto PCs.

EA: What can the enterprise security team do to protect their endpoints? Is the protection of PCs a lost cause?

SC: First of all, security teams need to recognize that the traditional “detect to protect” approach using signatures will continue to fail. Moreover, there will always be exploitable application and operating system software vulnerabilities, not to mention foolish users. So these common themes will not go away. Since the typical breach results from the failure to protect a single endpoint, the overall endpoint protection architecture must be rethought, perhaps using the collected capabilities of all endpoints collaborating together. This collaborative approach can reduce the attack surface of each endpoint by using micro-virtualization, continuous monitoring, and execution correlation across all endpoints.

EA: You mention micro-virtualization. What do you mean by this specifically, and how does it work?

SC: Micro-virtualization is a security technique that uses CPU-enforced isolation using CPU features for virtualization to invisibly isolate each task that processes untrusted files or sites. This includes each tab in the browser, each mail attachment, downloaded files or files from a USB key, media, and executables. An isolated task is called a micro-VM, and contains no valuable information or credentials, cannot access the enterprise network or SaaS sites, and is discarded when the user closes the task, eliminating malware persistence. The user is unaware of micro-VMs. Security in a micro-VM is further enhanced by monitoring for signs of attack. Using this method, the endpoint protects itself and provides real-time intelligence for each attack with a minimum of false alarms.

EA: You said the endpoints collaborate together? What do you mean by this?

SC: We regard each endpoint as a sensor in a distributed breach detection system. The way it works is that the endpoint first monitors its own execution to detect malicious execution and share its intelligence with the security team in real-time to accelerate enterprise-wide response. The monitor is protected using micro-virtualization to prevent it from being disabled by malware. The endpoint also self-remediates to remove malware that has executed in a micro-VM. Endpoints then share their attack insights in real time with the Bromium Enterprise Controller (BEC) which correlates them. The BEC immediately and automatically searches all endpoints for evidence related to the detected attack to help security personnel respond to any East-West movement of an attacker through the network.

EA: How hard is it to design endpoint protection that prevents malware, but also allows users to access the content they need for their jobs?

SC: It requires great care in product design to ensure that the user experience for any application that accesses untrusted content remains unchanged. A key design principle is to minimize complexity. The use of CPU enforced isolation, for example, is attractive because it doesn’t require adding a whole bunch of new protection code, as you find with many operating system and application software vendors trying to protect their products. In addition, every effort has to be taken to ensure that existing endpoint agents will function as they always have, and not every endpoint security vendor has been successful in this regard.

EA: How does virtualization play into enterprise protection? Is this how you create separation between, for example, a browsing session and the real operating system?

SC: Ultimately the value of virtualization is granular isolation, which leads to better security. This has certainly been the case in the enterprise data center, where companies like VMware have articulated the security benefits of micro-segmentation for many years. The use of virtual security for endpoints is also becoming more evident, but there are some technical differences. For example, micro-virtualization on the endpoint is task-specific, with each browser tab or document operating in its own micro-VM and associated environment. In addition, CPU-enforced protection on the endpoint, afforded by virtualization, is key to granular isolation and reducing the attack surface. So it should come as no surprise that operating system vendors like Microsoft are beginning to recognize that virtualization is a building block of a more secure operating system in the future.

EA: Is it reasonable to say that Microsoft PCs are less secure than Macs? And a follow-up question is whether strong task isolation evens the score.

SC: Apple users think they are more secure, but the truth is that Macs represent such a small fraction of enterprise endpoints that they really aren’t particularly interesting to most attackers looking for valuable business assets. Admittedly, Macs are growing more popular in the C-Suite, and since executives are high-value targets, we will see more targeted Mac attacks. But remember that it isn’t only the operating system that’s the problem. Any vulnerable application is enough for a good hacker, and every operating system has its share of issues. Fortunately micro-virtualization can be used to protect both PCs and Macs – and my belief is that this may be the strongest hope any security team will have to gain full security control of their endpoint PCs. One parenthetical comment is that protection of endpoints running old, unusual, or proprietary operating systems remains a challenge. Since this includes important endpoints such as POS devices and SCADA controllers, the endpoint security industry will have to continue improving and innovating in the coming years.