
Micro-virtualization for desktop security: One step ahead of bad guys

Bromium's vSentry uses micro-virtualization technology to protect your desktops from Internet-borne malware. Desktop security may never be the same.

Bromium released its vSentry product last week, finally delivering the technology that Simon Crosby and Ian Pratt have been talking about ever since they left Citrix in June 2011.

That may seem like a short turnaround, but the desktop virtualization world has been buzzing about what the former Citrix CTO and Pratt could possibly be doing to enhance desktop security. The answer, in one word, is micro-virtualization.

How micro-virtualization works

Micro-virtualization, at least in vSentry, is the act of virtualizing individual processes and threads. A process is a running instance of an application on the system, and threads are the units of execution inside that process. A "multi-threaded" process runs several threads at once, which the operating system schedules across the available processors, handing work to each one and switching between them as needed.

Bromium's vSentry, by way of micro-virtualization, intercepts new processes and threads and launches each one in a tiny virtual machine (VM) Bromium calls a micro-VM. The micro-VMs are managed by a small, purpose-built hypervisor called the Microvisor. Each process and thread lives in its own micro-VM, so dozens or hundreds can be running at the same time. Doing that with a standard virtualization hypervisor would mean running dozens or hundreds of individual Windows VMs, each a full copy of the OS.

The Microvisor avoids that cost by spawning each micro-VM out of the running host OS, taking only the pieces it needs to virtualize and isolate that process or thread rather than booting a separate copy of Windows. When the process or thread exits, the micro-VM, and everything it changed, is thrown away.

Microvisor vs. the bad guys

The benefits of vSentry micro-virtualization are numerous, but to understand them, we need to back up a bit. Bromium looks at desktop security differently than the rest of the desktop management world.

Traditionally, we lock desktops down and add anti-malware and antivirus tools to protect them from insecure sources. Employing some sort of desktop virtualization moves the desktop into the data center to protect it from exposure to external, insecure locations. But, no matter what we do to secure our devices, we're always behind the bad guys.

Bromium vSentry's primary mission is to protect the host from Internet-facing applications. Because each process and thread launches in its own micro-VM, whatever happens inside an Internet Explorer session, for instance, is completely isolated from the host OS even though the session still uses the host OS's components. You can configure the Microvisor to trust certain sites, such as your corporate intranet or SharePoint site, and run them unvirtualized. Anything on that trust list runs with no isolation at all, so keep the list short and match it on the exact host name rather than on a loose pattern. Configuration is done through Group Policy, System Center Configuration Manager, Altiris, McAfee ePO and similar tools.
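The trust decision described above, as an added example that is not Bromium's code: a policy that answers "run natively or isolate?" for a URL. The trust list, host names and URLs are constructed for illustration. The naive version shows why matching on the raw URL string is dangerous; the hardened version parses the URL and compares only the host component, defaulting to isolation.

```python
from urllib.parse import urlsplit

NATIVE = "native"     # run unvirtualized on the host
ISOLATE = "isolate"   # run inside a throw-away micro-VM

# Hypothetical trust list, constructed for this example. TRUSTED_HOSTS are
# matched exactly; a name in TRUSTED_DOMAINS also covers its subdomains.
TRUSTED_HOSTS = {"intranet.example.corp", "sharepoint.example.corp"}
TRUSTED_DOMAINS = {"apps.example.corp"}


def naive_decide(url: str) -> str:
    """The tempting but unsafe version: a substring match on the raw URL.

    Any URL that mentions a trusted name anywhere (path, query, userinfo,
    or a longer attacker-controlled host name) is let out of the micro-VM.
    """
    for name in TRUSTED_HOSTS | TRUSTED_DOMAINS:
        if name in url:
            return NATIVE
    return ISOLATE


def decide(url: str) -> str:
    """Hardened version: parse the URL and match only the host component.

    The default answer is ISOLATE; a task runs natively only if every
    check passes.
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return ISOLATE
    if parts.scheme not in ("http", "https"):
        return ISOLATE
    host = parts.hostname       # userinfo and port stripped, lowercased
    if not host:
        return ISOLATE
    host = host.rstrip(".")     # "intranet.example.corp." is the same host
    if host in TRUSTED_HOSTS:
        return NATIVE
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return NATIVE
    return ISOLATE


if __name__ == "__main__":
    samples = [
        "https://intranet.example.corp/",
        "https://INTRANET.example.corp./Lists/",
        "https://team.apps.example.corp/",
        "https://intranet.example.corp.evil.example/",      # lookalike host
        "http://intranet.example.corp@evil.example/",       # trusted name in userinfo
        "http://evil.example/?next=intranet.example.corp",  # trusted name in query
        "file:///C:/share/intranet.example.corp.html",
    ]
    for s in samples:
        print(f"{decide(s):8} (naive: {naive_decide(s):8}) {s}")
```

The three attacker-shaped URLs in the sample list all come back `native` from the naive matcher and `isolate` from the hardened one; a real deployment would apply the same host-only rule to whatever the management tool pushes down.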

The Bromium vSentry user experience is transparent, as you would expect from a company founded by people with both virtualization and desktop backgrounds. The installation is not destructive either: install an MSI file and carry on with your business. That said, the most important thing you can do when deploying vSentry is to make sure the host is 100% clean.

If the host already has malware on it, that malware is part of the host image every micro-VM is spawned from, so it ends up inside each micro-VM and every protection is lost. Bromium's vSentry is not a tool that will help you fix a poorly managed or secured desktop environment. It will only keep a pristine environment pristine.

What's LAVA?

As part of the vSentry release, Bromium also introduced a feature called Live Attack Visualization and Analysis (LAVA). LAVA builds on the fact that each micro-VM is completely isolated and that the Microvisor knows what behavior to expect from the process or thread inside it. Anything that departs from that expected behavior can be flagged as malware, and because the micro-VM is disposable, LAVA can let the malware run to completion before shutting it down.

That lets it log everything the malware did, so you can derive signatures and indicators for your other security tools. It's like a malware aquarium: You can watch it all you want, and when you're done, you can flush it away like it never happened.
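The detonate-and-compare idea behind LAVA, as an added example that is not Bromium's code: a per-task behavior profile is replayed against the events a micro-VM recorded, deviations give the verdict, and the deviating targets become the indicators you would hand to other tools. The profile, the event format and both event traces are constructed for this example; a real monitor would record far more, and the profile would come from the vendor, not a hand-written list.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    op: str       # file_write | reg_write | net_connect | proc_create
    target: str   # path, registry key, host:port, or image name


# Expected-behaviour profile for a browser-tab task. Constructed for this
# example; patterns are fnmatch-style and compared case-insensitively.
BROWSER_PROFILE: Dict[str, List[str]] = {
    "file_write": [
        r"c:\users\*\appdata\local\temp\*",
        r"c:\users\*\appdata\local\microsoft\windows\*",
        r"c:\users\*\downloads\*",
    ],
    "reg_write": [r"hkcu\software\microsoft\internet explorer\*"],
    "net_connect": ["*:80", "*:443"],
    "proc_create": [],   # a renderer should never spawn a process
}

IOC_BUCKET = {"file_write": "paths", "reg_write": "registry_keys",
              "net_connect": "hosts", "proc_create": "processes"}


def _expected(op: str, target: str, profile: Dict[str, List[str]]) -> bool:
    t = target.lower()
    return any(fnmatch.fnmatchcase(t, p.lower()) for p in profile.get(op, []))


def analyze(events: List[Event], profile: Dict[str, List[str]] = BROWSER_PROFILE):
    """Replay a micro-VM's recorded events against the task's profile.

    Returns (verdict, deviations, iocs). Nothing is blocked here: the task
    was allowed to run to completion inside its disposable micro-VM, so the
    full sequence of what it did is available for analysis afterwards.
    """
    deviations = [e for e in events if not _expected(e.op, e.target, profile)]
    iocs: Dict[str, List[str]] = {bucket: [] for bucket in IOC_BUCKET.values()}
    for e in deviations:
        bucket = iocs.setdefault(IOC_BUCKET.get(e.op, "other"), [])
        if e.target not in bucket:
            bucket.append(e.target)
    verdict = "malicious" if deviations else "clean"
    return verdict, deviations, iocs


# Constructed event traces, as a micro-VM monitor might record them.
BENIGN_SESSION = [
    Event("net_connect", "news.example:443"),
    Event("file_write", r"C:\Users\alice\AppData\Local\Temp\cache123.tmp"),
    Event("reg_write", r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"),
]

DRIVE_BY_SESSION = BENIGN_SESSION + [
    Event("file_write", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                        r"\Start Menu\Programs\Startup\update.exe"),
    Event("reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("proc_create", "powershell.exe"),
    Event("net_connect", "198.51.100.7:4444"),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_SESSION), ("drive-by", DRIVE_BY_SESSION)):
        verdict, devs, iocs = analyze(trace)
        print(f"{name}: {verdict}, {len(devs)} deviation(s)")
        for bucket, items in iocs.items():
            for item in items:
                print(f"  IOC {bucket}: {item}")
```

The drive-by trace yields four deviations (a Startup-folder drop, a Run-key write, a spawned shell and an outbound connection on an unexpected port) and the benign trace none; the point is that the verdict comes from the task's expected behavior rather than from a signature of the payload, which is what lets an unknown sample be caught and then described.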

Where Bromium goes from here

Bromium has made quite an entrance in the desktop virtualization market, but there is room for growth. The vSentry product only supports physical desktops with Intel VT enabled. The Microvisor requires VT to spawn, manage and secure the micro-VMs, so before deploying, confirm that the CPU supports it and that it is switched on in the firmware, since many desktop BIOSes ship with it turned off.

The folks at Bromium are decidedly anti-VDI, so I suspect it will be a while before we see a tool that works with Citrix XenDesktop or VMware View, but it's not impossible. I intend to find out if this works with physical Remote Desktop Session Host (RDSH) servers, because that would be a single OS running on VT-enabled hardware. This capability could be quite helpful for RDSH security.

Make no mistake. Bromium vSentry is a very elegant desktop virtualization tool. List pricing for it is said to be "north of $100," but it's hard to get a firm price out of the company. The target client for Bromium is enterprises, and I'm certain there will be aggressive discounts for high-volume purchases. 

I can't think of a reason not to give Bromium vSentry a shot in your environment. For the first time ever, you might be ahead of the curve when it comes to Internet-borne malware and viruses.

This was last published in September 2012



What do you think of the "micro-virtualization" approach to desktop security?
"The folks at Bromium are decidedly anti-VDI" is an understatement. They have made a very cynical move to align perfectly with Microsoft's vision of continued lock-in to the Fat PC running a native Windows OS.

There is no reason why Bromium's tech could not work in software format, but these guys get that their solution helps lock in M$'s ambitions; it's why they rubbish VDI, they know that it's a threat to their value.

This is doubly cynical given that the men behind this made their first fortune through VDI. For them to start badmouthing it because they have a new product undermines their credibility, but for them to go after the security of VDI the way they do when launching a new security product is in very poor taste.

If you are in the security business, the only time you rubbish another technology is if it does not work, not because it's competitive to your solution.

Before Bromium came along, the desktop virtualization space had long been deploying security solutions which leverage non-persistency intelligently to mitigate against cyber threats.

The idea that we stick to the Fat PC paradigm in order to be safe is a fallacy, and Bromium should know better than to pander to Microsoft's ambitions by refusing to leverage their platform in VDI environments.

My own company builds cyber-defence platforms for the US federal government leveraging non-persistency in desktop virt; our solutions are highly effective and have been in production for a number of years. I for one will not have Bromium rubbish the VDI space's security credentials just because they have their own agenda.

I would say that we should view all new security solutions with intense distrust until they have been proven in production and doubly so when the vendors are rubbishing any other solution that leverages virtualization for security purposes.

Do my customers really have to rip out all their existing PCs and buy new high-end ones with VT chips to properly secure their desktop estates and networks?

No, VDI already did that and we use much less hardware.

Please do not feed the trolls, Bromium have been trolling the VDI space with FUD for a while now and they should be thought of badly for such behaviour.
Because I am trying to move away from using Fat PCs and refreshing them every 4 years in an expensive way.
Great write-up, Gabe! This is so much clearer than the confusing piece James Furbush posted on SearchEnterpriseDesktop where he stated this was "just another sandboxing solution". I look forward to a third party (you??) technical deep dive on the tech, hopefully one is coming soon.
Very cool start. With a way to guarantee trusted context it is potentially the ultimate backstop for layered security.
Great opportunity for systems with the Intel vPro Platform
This is very interesting
Need a demo to trial version to test.
Low security.
This is a natural by-product of the virtualized environments and it is a good containment architecture that can meet the growing needs of the VMs. I think this is a good first step. The next step is the integration of an AI that oversees the many micro-VMs and integrates into an intuitive management system/containment environment.
I have seen this approach in existing security solutions. It's terrific !