President and co-founder Ian Pratt tells CBR’s Ellie Burns why the security industry needs to abandon its current ‘futile’ detect-to-protect approach, instead putting trust in virtual machines to secure every single click.
Imagine a world where you can click on anything and nothing bad happens. Music to security pros’ ears, no doubt, but a scenario which could become a much-welcomed reality thanks to security startup Bromium.
The VC-backed security firm is looking to turn the endpoint security game on its head, declaring that detection is futile and proposing micro-virtualisation as the solution for all.
In a world where attackers only need succeed once, Bromium co-founder Ian Pratt argues that detection is useless in the malware fight, a fact which has been known since 1937.
“We have known since the work of Alan Turing in 1937, when he was at Cambridge, where he proved something called the Halting Problem. The detection of malware maps onto that problem and basically what it says is no matter how fast a computer you have, no matter how much artificial intelligence you have, you cannot solve the problem.”
The current problem in the security industry, Pratt explains, is that detection always relies on a patient zero.
“If you look at the security industry as it is today, every product on the market fundamentally relies on detection through the means by which it operates. It has to have some notion of what is bad, whether that’s hashes, signatures, or some sort of behavioural model.
“If you think about that for a moment, that means that there is always going to be a patient zero, some unlucky soul that gets something new.”
However, Bromium does propose a solution to the malware problem, one that has its origins in a US Intelligence project Pratt worked on when at Citrix. US Intelligence analysts, at the time, had various sources of information, none of which could cross over or mix. The analysts would rely on large trestle tables in their offices, on which would sit a series of PCs with an air gap separating the machines, ensuring no cross-contamination of sources.
Pratt was part of a team which deployed virtual air gap separation and consolidated all the machines down to a single laptop. The seed of inspiration was sown from that project, with the company Bromium launched off the back of a ‘crazy idea which we didn’t really know was technically possible.’
Explaining the ‘crazy idea’, Pratt told CBR’s Ellie Burns:
“We had this crazy idea that suppose it was possible for every task you wanted to perform on a machine – so every website you go to, every document you open – imagine if you could create a virtual machine just for that task.
“So almost every click would create a new virtual machine.
“That virtual machine only exists for the life of that task and only has access to the resources needed for that task. When that task finishes – when I close that document or click a link taking me to a different website – then we are going to destroy that virtual machine and create a new one for the new task.”
In the real world, this would be like unwrapping and plugging in a new computer for every task, every click of the mouse. Then when you click on a new link or open a document, you throw the computer away and unwrap a brand new desktop. Bromium’s way, thank goodness, is much more environmentally friendly.
Not only is it much greener than throwing away 100 desktops a day, it also encourages a ‘so what’ way of thinking. So what if the attachment is malicious, so what if the malware compromises the browser – everything is contained in that disposable virtual machine.
After three years of looking into performance issues and user experience, filing 67 patents and working with CPU vendors, Bromium brought that crazy idea to fruition. Now, the startup boasts that it creates and destroys more virtual machines than AWS, having created over one billion virtual machines.
“It is a different way of trying to solve the problem, it’s not relying on detection,” Pratt told CBR.
“Trying to secure the applications, trying to secure the operating system even, is an impossible task. You’ve got a hundred million lines of code running on a PC, much of it written during the 1980s before there was even the concept of a web browser and when security was not front and centre of what people were thinking about.
“They weren’t designed for the internet, and it’s futile trying to defend them. You are much better off saying we are going to create a new instance every time.”
Bromium’s use of virtual machines not only protects against infection, but it also solves the user problem currently plaguing business. It’s a much-repeated tagline that employees are the weakest link, with Bromium’s own research testifying to that way of thinking. 85% of CIOs polled by the company said that end users were the weak link in their company, ignoring or forgetting the education, policies and procedures put in place to prevent risky behaviour. However, ‘no amount of training is going to solve the problem’, says Pratt, with the beauty of virtual machines being that they take the onus off employees and end-users and push the responsibility back to IT.
“We need to accept that it’s unfair and futile to put the onus on users to defend the enterprise; prohibition is not the way,” said Bromium CEO Gregory Webb.
“HR needs to be able to open attachments, a marketer needs to look at social media without having to worry; it is simply impractical to lock people down or expect them to be the last line of defense.”
Bromium advocates that changing human behaviour is not the way companies should approach security, with end-users shackled by the ‘detect-to-protect’ approach. Instead, with virtual machines, workers can go about their day freely without fear of reprisals if anything malicious is clicked.
It seems that the huge change Bromium is selling – to isolate rather than detect, work freely rather than prohibit – is starting to gain traction, with Pratt saying that the company is now “at the point where we have a real business.”
The company has so far relied on venture capital, raising tens of millions from well-known investors such as Andreessen Horowitz and Intel Capital. Winning a ‘cool vendor’ moniker from Gartner and partnering with tech giants like Microsoft has raised the company’s profile, pushing it further along the road on its way to becoming less reliant on VC.
“It’s always much better if you can grow the business on the back of sales as opposed to taking more money from VCs.
“We are very close to that point now; we came out with our first product almost three years ago now and the folks that bought it initially were the folks where security is paramount. Now it’s becoming much more mainstream, with even sectors like retail now investing.”
Of course it is not just the financials which make a company, but also its leadership team. Pratt was there from the beginning, bringing a wealth of experience to the startup. Some may know the co-founder in his earlier guise of XenSource executive, having led the Xen Project from its humble beginnings at Cambridge University, to when it was acquired by Citrix for $500 million.
After three years at Citrix, Pratt moved on to Bromium, his fourth startup. With Cambridge the company’s engineering HQ, Pratt has put his academic life on hold to lead the company as President.
As President, he is certainly leading an exciting proposition which seeks to end prohibition and reinvent endpoint protection.
“Einstein is famously quoted as saying the definition of insanity is doing the same thing and expecting different results; yet this is exactly what the security community is doing,” said Pratt.
“We call this a ‘Cyber Drug War’, because the industry’s unwavering focus on punishing the user is much like failed global attempts at prohibition. This is why we need to forget next gen. We need to start again.”