Dr Ian Pratt, Global Head of Security for Personal Systems at HP, explains why virtualisation is the key to the future of cyber security.
Teiss recently caught up with Dr Ian Pratt, who last year (September 2019) sold his fourth start up, Bromium, to HP. Bromium’s main product was based on micro-virtualisation and has been integrated into HP’s security solutions. According to Dr Pratt, it allows cyber security to be built in to computer systems, from the hardware up, allowing businesses to stay well ahead of attackers.
It’s been a long journey. Ian first became interested in this area when working on “virtual air gaps” for the military. Intelligence analysts typically have access to multiple sources of information that must be kept compartmentalised. This has traditionally been achieved by giving analysts multiple computers, each with their own screen and keyboard, connected to separate networks – creating an “air gap” between the different information sources. Ian developed a system that created strongly isolated virtual environments on the same physical laptop, that could be connected to a single untrusted network. The isolation ensures that even if one data source is compromised that cannot be used to compromise other data sources.
This stimulated the idea of storing business and personal data on the same device. The personal data could be managed as the user desired; but the business account would be locked down with security and constraints. Early results were disappointing. Despite the deployment of a variety of security tools, the businesses virtual machines were still getting compromised – not by the user directly, but by the user doing risky things in the course of their jobs such as opening email attachments, and existing security tools were very unreliable in protecting them.
Ian realised that the problem was that, in cyber security, everything is detection-based: there are models of what is “bad” such as viral signatures or behaviours and when these are spotted they can be blocked.
Unfortunately, the bad guys were getting better and better at evading detection, for instance by making small changes to their malware, often using automated techniques. Worse, they began specialising: some hackers were people who look for vulnerabilities, others were people who write the lures; and others were people who fulfil the attack. An ecosystem of highly skilled inter-dependent criminals was developing.
So Ian looked for a different way of securing devices. He went back to the idea of dividing machines into several watertight parts. Solving this problem would help with security because you could simply create a new part, a virtual machine, to perform a risky action such as opening an unknown file.
This idea was the birth of micro-virtualisation.
Virtualisation is a great way of getting a strong boundary around data. A virtual machine monitor (VMM) uses a lot less code that a computer’s operating system, and it is code that had been written more recently, using all the various tools that now exist for securing code. As a result, VMMs have a much smaller and more hardened “attack surface” than an operating system. Fine grained virtualisation – micro-virtualisation – leverages the ability to create VMs that is built into moderns CPUs. A computer can have dozens of VMs running at any one time, one for each document, say – and every individual document is harmless even if it is malicious, as it can’t access other documents or infect them.
You can also use VMs for running high-value applications and data, which you want to be protected even if the host operating system has become compromised. You might use them when performing sensitive tasks such as talking to your bank or reading classified material.
Micro-virtualisation works very differently from other end point security systems, most of which simply look out for bad things like virus signatures. Instead HP, using Bromium’s technology, can put security features right into the hardware. Security chips inserted into machines can power up even before the CPU comes to life: “hardware-powered security” as Ian calls it.
Relying on detection to protect computer networks is failing. Many dangerous files are not recognised by anti-malware. And criminals don’t even have to insert malware to compromise a system: they can simply trick people into sharing their login details.
Micro-virtualisation can protect against this by preventing a criminal who has penetrated one part of a network from moving deeper or laterally across. Principles like access control are built into the VM approach. And you are using a small, trusted code base that you can be confident maintains those principles.
Of course, micro-virtualisation can’t solve every information security problem. But it can solve many fundamental cyber security issues. And while the idea has been around since about 2010, now that HP has taken it up, it’s likely that we will see its use in security increase substantially across busines and consumer devices. Micro-virtualisation for the masses is here.
Dr Ian Pratt is Global Head of Security for Personal Systems at HP.
Main image courtesy of iStckPhoto.com