Bromium released its vSentry product last week, finally delivering the technology that Simon Crosby and Ian Pratt have been talking about ever since they left Citrix in June 2011.
That may seem like a short turnaround, but the desktop virtualization world has been buzzing about what the former Citrix CTO and Pratt could possibly be doing to enhance desktop security. The answer, in one word, is micro-virtualization.
How micro-virtualization works
Micro-virtualization, at least in vSentry, is the act of virtualizing individual processes and threads. Processes represent the actual application running on a system, and threads are subsets of those processes. When something is "multi-threaded," it's because the process has the intelligence to run multiple threads on different processors, doling out tasks to each one and switching between them as needed.
The most important thing you can do when deploying vSentry is to make sure the host is 100% clean.
Bromium's vSentry, by way of micro-virtualization, identifies new processes and threads and launches them in a tiny virtual machine (VM) they call a micro-VM. This micro-VM is managed by a sort of hypervisor called Microvisor. Each process and thread lives in its own micro-VM, so there could be dozens or hundreds running at the same time. If you took this approach with a standard virtualization hypervisor, that would mean there were dozens or hundreds of individual Windows VMs running.
The Microvisor optimizes this process by spawning micro-VMs out from the host OS, taking only the bits needed to virtualize and isolate the processes and threads. When the process or thread has stopped, the micro-VM is thrown away.
Microvisor vs. the bad guys
The benefits of vSentry micro-virtualization are numerous, but to understand them, we need to back up a bit. Bromium looks at desktop security differently than the rest of the desktop management world.
Traditionally, we lock desktops down and add anti-malware and antivirus tools to protect them from insecure sources. Employing some sort of desktop virtualization moves the desktop into the data center to protect it from exposure to external, insecure locations. But, no matter what we do to secure our devices, we're always behind the bad guys.
Bromium vSentry's primary mission is to protect the host from Internet-connected applications. By launching each process and thread in a micro-VM, it can completely isolate the activities happening within Internet Explorer from the host OS, for instance, while still using all the aspects of the host OS. You can configure the Microvisor to trust certain sites and not execute them in a virtualized way, such as your corporate intranet or SharePoint site. Configuration is done by Group Policy, System Center Configuration Manager, Altiris, McAfee ePO and similar tools.
The Bromium vSentry user experience is transparent, as you would expect from a company founded by people with both virtualization and desktop backgrounds. In fact, the installation process itself isn't destructive. Simply install an MSI file and carry on with your business. Despite this, know that the most important thing you can do when deploying vSentry is to make sure the host is 100% clean.
If, for instance, the host has malware on it already, that malware will be spawned inside each micro-VM, and that eliminates all protections. Bromium's vSentry is not a tool that will help you fix a poorly managed or secured desktop environment. It will only keep a pristine environment pristine.
As part of the vSentry release, Bromium also named a new feature called Live Attack Visualization and Analysis (LAVA). LAVA uses the fact that each micro-VM is completely isolated and knows what behavior to expect from each process or thread. Because of this information, it can actively identify malware that it encounters and even let it completely execute before shutting it down.
That allows it to log data about the malware so you can identify malware signatures for use with security solutions. It's like a malware aquarium: You can watch it all you want, and when you're done, you can flush it away like it never happened.
Where Bromium goes from here
Bromium has made quite an entrance in the desktop virtualization market, but there is room for growth. The vSentry product only supports Intel VT-enabled physical desktops. VT is required by the Microvisor to spawn, manage and secure the micro-VMs.
The folks at Bromium are decidedly anti-VDI, so I suspect it will be a while before we see a tool that works with Citrix XenDesktop or VMware View, but it's not impossible. I intend to find out if this works with physical Remote Desktop Session Host (RDSH) servers, because that would be a single OS running on VT-enabled hardware. This capability could be quite helpful for RDSH security.
Make no mistake. Bromium vSentry is a very elegant desktop virtualization tool. List pricing for it is said to be "north of $100," but it's hard to get a firm price out of the company. The target client for Bromium is enterprises, and I'm certain there will be aggressive discounts for high-volume purchases.
I can’t think of a reason not to give Bromium vSentry a shot in your environment. For the first time ever, you might be ahead of the curve when it comes to Internet-born malware and viruses.