Review: Breakthroughs in endpoint security

Despite advances in malware protection, endpoints get infected every day, even those running some form of anti-virus or other defense that the threat is able to circumvent.

In our recent roundup of anti-virus programs, we discovered several new techniques being employed by anti-virus companies to make PCs safer against advanced threats. Even so, many anti-virus companies we talked with acknowledged that their software can’t catch everything, especially within those commonly exploited areas that are tricky to defend.

But what if something could? There are companies employing hypervisors, virtualization containers and sandboxing at endpoints to keep malware away from files and off the network. These programs specifically protect those very areas that most antivirus has trouble with, sealing a hole that malware had used for years to infect even secure endpoints.

+ ALSO ON NETWORK WORLD Network access control vendors pass endpoint security testing  +

For this review, we installed and tested software from Invincea and Bromium. While they both attempt to accomplish the same thing, the techniques and technology employed by the two programs are vastly different. (VArmour was invited to participate, but declined.)

Bromium is a memory-intensive program that taps into processor hardware to drive a bare metal hypervisor that runs a full copy of Windows. When an end user opens a potentially vulnerable app or program, a new micro-VM is created. When the end user closes the app or program, those tiny virtual machines disappear, killing any malware.

Invincea is more lightweight and doesn’t require a hypervisor. Instead, Invincea creates containers to support specific vulnerable programs, and then uses an intense amount of scanning within those containers to detect and halt malware, ultimately closing an infected container and destroying any malware inside.

There are advantages to using either solution, and a couple of unique drawbacks, but either program might be perfect for buttressing security, depending on network configurations and administrator preferences.

Here are the individual reviews:

Bromium

Bromium consists of two main components, vSentry which is deployed at endpoints and Live Attack Visualization and Analysis (LAVA), which is installed at an organization’s security operations center, or at least on an administrator’s server or workstation. Most of our testing involved the vSentry portion of the software, though LAVA was also examined to provide analysis of targeted attacks.

The vSentry software works in conjunction with a processor’s hardware to help create local virtual machines. Intel first introduced virtualization technology (VT) in 2005 as part of the Pentium 4 architecture build, with AMD introducing its own version, AMD-V, about the same time. So most modern processors will support VT and thus be able to run vSentry, though some holes in the coverage of various product lines do exist, so it’s best to double check.

Once the software was installed on a test laptop, it was able to work with the VT to create a bare metal hypervisor for running programs, though this is mostly invisible to the user. We could see it working because we also had access to LAVA, which was monitoring the process.

On endpoints protected by vSentry, the software works with the processor to create a micro-visor for the current user, separate from the rest of the system. The entire copy of Windows is then loaded into that micro-visor for use by programs and applications. Those programs refer to the sandbox copy of Windows running in memory and never actually touch the actual software or system components. All exit points from the virtual machine, including access to the hard drive and the network card, are protected by being outside of the micro-visor.

In theory, almost any program could be run inside the vSentry micro-visor, so you could run an Oracle database if you really wanted. But that would be kind of silly since that’s not really going to be an attack vector. Instead, Bromium concentrates on the areas that cause standard protection programs the most trouble. This includes all browsers, Acrobat Reader, Java and every Microsoft Office document type.

Whenever one of those programs is run, vSentry creates a micro-virtual machine. Each micro VM exists only as long as the user needs to run the process. Once the document or browser window is closed, that VM fades out of existence, taking any potential malware to oblivion.

Though it’s similar to a sandbox, the fact that every process exists within its own micro-VM, which in turn only refers to the virtual micro-visor, creates layered security that would be nearly impossible for malware to circumvent.

A process called Copy On Write protects everything, even the virtualized copy of Windows running in the main micro-visor. For example, any malicious program trying to write to a .dll would be successful, but only within the micro-VM where the process is running. Everything needed to make that .dll change would be copied from the micro-visor, which is itself a protected area of the system, into the micro-VM before being written there. Malware can do whatever it wants within the micro environment, and can even be allowed to call out to command and control servers, but is immediately purged as soon as the process is ended.

In fact, Bromium can be set up to do nothing else beyond its core functions, and still be excellent protection for most systems and networks. It takes a little getting used to the idea of simply letting malware run. But the virtual environments that vSentry spawns makes the threat of malware more or less moot for a protected client, since malicious programs will only be able to take effect within a virtual environment and then disappear once the process is ended.

It’s possible that very smart malware might one day figure out how to escape from Bromium’s many virtual boxes, or that something could be targeted specifically with Bromium in mind, but as of right now, it seems fairly impregnable, especially when compared to security programs that make use of other technologies like signature-based protection or heuristics. The fact that the software is drawing upon the hardwired processor’s functions also helps to anchor security.

We visited known malware-infected Websites using a test machine protected by vSentry. Doing this triggered the installation of some really nasty programs on our test laptop, even ransomware in one instance. But it never escaped the micro-VM. We just closed the window and it was like nothing ever happened. Scanning the system after the micro-VM was closed yielded no trace of the malware.

Even malware that seemed to be established on the system was obliterated by simply closing the application, like an elaborate sand castle erased by the tide. And there was no protection on the test system other than vSentry, meaning there was no need for something like traditional anti-virus.

You can even save files to your hard drive as normal, as we did with an infected PDF document. When you save a file to your system’s hard drive, it shows up with a little orange Br symbol in one corner. This alerts a user that opening the file is possible, but that doing so will trigger a new micro-VM. The one Achilles’ heel we found is that Bromium only protects its own. If you take an infected PDF saved to a vSentry-protected laptop and open it up somewhere else, the malware will trigger again and likely infect the new machine if it doesn’t have similar protection. So if you are going to install Bromium, you need to make sure it’s on every endpoint, including employees working remotely, since missing one client could be the opening an attacker needs into your otherwise impregnable fortress.

The other slight negative against vSentry is that all those micro-VMs working with the main micro-visor requires a lot of system memory. Bromium recommends having at least 4G of RAM on every endpoint protected by vSentry. Our test system was an older laptop with 8G of RAM and it ran just fine, though it idled with about 40 percent of its available system memory in use, and that went up with each new protected process we started.

Where vSentry protects endpoints, the LAVA software can be used to identify threats and attackers though their actions. We first opened up malware using a client protected by vSentry, and then examined the specifics of the attack which were sent to the server running LAVA. From there, we could see everything that the malware was trying to accomplish, including calling home to its command and control server, which for our tests happened to be in Eastern Europe and China. When malware attempted to change system .dlls so that it could reinstall itself each time the infected endpoint rebooted, LAVA witnessed this and recorded that process. The malware wasn’t able to actually do any of what it wanted outside of the micro-VM, but it thought it was and allowed us to see its behavior. An MP5 hash for the infected program could also be created so that it could later be blocked throughout a protected network.

Administrators can also make use of LAVA to modify the behavior of vSentry. For example, you can enable vSentry users to load the Bromium Status Monitor on their clients, which can tell them how many micro-VMs they are running and how many resources those VMs are using. The Status Monitor is disabled for users by default to keep vSentry more or less invisible, but can be activated as part of say, an effort to increase security awareness. Doing so would not compromise or endanger those endpoints.

While Bromium vSentry and its LAVA component are designed to protect those areas where traditional antivirus and security programs often fail, by doing so it more or less protects the entire possible attack vector that most attackers try and use. Nothing we did could break out of its microvisor and micro-VMs, though allowing malware to simply run unabated, knowing that it can’t really do any harm, is something that most security personnel will find quite strange. You also have to have enough memory on every system you want to protect, and need to make sure that every possible client is covered.

Invincea

The flagship product from Invincea is Invincea Endpoint. It works by hijacking all Windows calls at the kernel level, which allows programs to run in containers without touching any core resources. At the same time, Endpoint constantly scans within those containers using Cynomix, an anti-malware scanning tool created using DARPA-funded research.

+ ALSO ON NETWORK WORLD Endpoint Security Technology Nirvana +

Endpoint loads up when a protected system boots and thereafter will place all the usual suspects that cause the most trouble for security programs into containers to run. This includes browsers like Internet Explorer, Chrome and Firefox as well as browser plug-ins like Java, Flash, Silverlight, QuickTime and Acrobat Reader, plus stand-alone programs such as Adobe Acrobat and any Microsoft Office applications or documents.

Specifically, Endpoint creates the containerized environment by inserting a virtual isolation layer between the operating system and those typically vulnerable applications. All communications between those programs and the host go through Endpoint, which presents each program with a virtual file system, giving each application only what it needs to run.

Only a small subset of the actual file system is made virtually available to each program. Should malware attempt to write to a protected endpoint’s file system, it will instead only be able to change the virtual system. In our testing, any type of activity like that was immediately detected by Endpoint, which quickly suspended and then closed the container, killing the malware in the process.

From a user’s point of view, Endpoint can be invisible, or it can denote its presence with little visual clues at an administrator’s preference. For example, a light green bar can be drawn around the edge of a browser window to give assurance that it’s running within the protected container. Alerts can likewise be silent, or pop-ups can inform users, for example, that malware was detected, which is going to force the potentially infected program to close, killing the container and the infection.

Everything running within the containers is going to be scanned by Cynomix for malware, but because Endpoint knows the programs that it’s protecting, it can enforce common-sense rules that are able to stop most malware attacks before they can even get started. For example, if a user loads up a PDF document and the program tries to open up a shell or launch a command line, then Endpoint is going to halt that process and quarantine whatever change the potentially infected file was trying to make.

Depending on how the administrator has Endpoint set, users can be notified of the potential attack or the container can automatically be closed, killing the malware. By default, Endpoint remains mostly invisible to a user, though for our testing we activated all notifications so that we could see Endpoint’s reactions to various malware attacks. In any case, administrators are always alerted about attack attempts against endpoints and can gather forensic data to put together profiles of attackers.

One of the most impressive aspects of Invincea Endpoint is that it requires very little processor power or memory. When running Endpoint on a modest desktop system, the memory usage allotted to the program never went above 90 megabytes even with half a dozen containers operating at the same time. Its CPU utilization hovered at an astonishing 1 percent. Just to see how far we could push its minimal resource usage, we installed Endpoint on a very old Pentium II laptop with 256M of RAM. It worked fine and the containers were able to protect the system against modern malware threats without bogging down its very limited processor and memory.

This might suggest that Endpoint would be a good choice for networks that contain a mix of both older and newer equipment, and that is true. However, one negative point against that happening is that Endpoint does not work properly with older versions of Microsoft Office programs. They have to be the 2010 version or newer, so our Pentium II in the testbed was out of luck for at least some of the protection.

The management server for Endpoint is extremely easy to use, with configuration changes for endpoints applied to groups, individuals or entire organizations in seconds. And because of the addition of Cynomix, it can be used to scan endpoints for pre-existing malware.

You can look at every process running on an endpoint and get information about it, such as how similar it is to other known malware variants and how many of the 30 anti-virus engines surveyed have identified the suspect as malware. Cynomix attempts to look at the heart of malware, owing to the fact that while there are thousands of new malware variants discovered or created every day, most of them are slightly altered copies of known programs.

On our test system, scanning with Cynomix prior to installing Endpoint ended up showing quite a few false positives, though an administrator would presumably only have to go through the list one time to ensure that every endpoint was clean and ready to be protected by Invincea Endpoint. That way you can be sure that you don’t lock the doors with an intruder already inside.

The management console can also be used to investigate attacks, including looking at everything that malware tried to accomplish from within its container. That way defenses can be created to stop future attacks, even if they never broke out of the containerized environment, so that they can be pushed even farther down the kill chain and away from corporate data.

Invincea Endpoint offers incredibly powerful protection in a surprisingly tiny resource footprint. Protected programs are effectively locked down and then scanned by Cynomix, so that they have little chance to try and get a foothold before they are detected and their virtual containers are collapsed. Endpoint offers a level of protection far beyond any of the standard protection schemes available today, yet the cost in system resources for that level of safety is comparatively tiny, allowing it to fit in almost anywhere.

John Breeden is an award winning reviewer and public speaker with over 20 years of experience. He is currently the CEO of the Tech Writers Bureau, a group of influential journalists and writers who work in government and other circles. He can be reached at jbreeden@techwritersbureau.com.