
Virtualization Based Security Using Endpoint CPU Virtualization to Transform Enterprise Security

Mike Burwick, Principal SE [email protected]

Detection: Shark or Dolphin?

© Bromium 2017

The key principles of attacks remain true

There will always be software vulnerabilities

Malicious code and threats will always exist

You will get owned

You cannot anticipate the next move

The Failure of Detection

97% of malware is unique to a specific endpoint (March 2016)

“99% of malware hashes are seen for 58 seconds or less. In fact, most malware was seen only once.”
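An added example, not code from the Bromium deck, showing how a defender would compute the hash-lifetime statistics quoted above from their own endpoint telemetry. The sightings are constructed sample data; the 58-second window is the one the slide cites.

```python
"""Measure how long a malware hash stays useful as a detection indicator.

Telemetry records are (sha256, first_seen_epoch_seconds, endpoint).
The SIGHTINGS list below is constructed sample data, not real telemetry.
"""

SIGHTINGS = [
    ("aa11" * 16, 1000, "host-a"),
    ("aa11" * 16, 1030, "host-b"),   # same hash again 30 s later
    ("bb22" * 16, 1100, "host-a"),   # seen exactly once
    ("cc33" * 16, 1200, "host-c"),
    ("cc33" * 16, 1500, "host-d"),   # 300 s apart: outlives the 58 s window
    ("dd44" * 16, 1600, "host-b"),
    ("ee55" * 16, 1700, "host-e"),
]


def hash_lifetimes(sightings):
    """Return {hash: (first_seen, last_seen, sighting_count)}."""
    stats = {}
    for h, ts, _host in sightings:
        first, last, n = stats.get(h, (ts, ts, 0))
        stats[h] = (min(first, ts), max(last, ts), n + 1)
    return stats


def share_short_lived(sightings, window_seconds=58):
    """Fraction of distinct hashes whose whole observed life fits in the window."""
    stats = hash_lifetimes(sightings)
    short = sum(1 for first, last, _ in stats.values()
                if last - first <= window_seconds)
    return short / len(stats)


def share_seen_once(sightings):
    """Fraction of distinct hashes observed a single time."""
    stats = hash_lifetimes(sightings)
    return sum(1 for *_, n in stats.values() if n == 1) / len(stats)


def blocklist_hit_rate(sightings, cutoff):
    """Build a hash blocklist from everything seen before `cutoff` and measure
    how many later sightings it would have blocked; a low value is the
    detection lag the slide describes."""
    known = {h for h, ts, _ in sightings if ts < cutoff}
    later = [h for h, ts, _ in sightings if ts >= cutoff]
    if not later:
        return 0.0
    return sum(1 for h in later if h in known) / len(later)
```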

It is mathematically impossible* to detect all polymorphic or zero day malware in advance

* Andreas Moser, Christopher Kruegel, and Engin Kirda, “Limits of Static Analysis for Malware Detection,” Secure Systems Lab, Technical University Vienna.
* Yingbo Song, Michael E. Locasto, and Angelos Stavrou, “On the Infeasibility of Modeling Polymorphic Shellcode,” Dept. of Computer Science, Columbia University.

Detection vs Isolation

Existing security solutions today rely on detection
• A threat must be detected before it can be blocked
• Polymorphic & “0 day” malware evades AV, white lists, IPS etc.

Micro-virtualization protects through “CPU enforced Isolation”
• Isolates untrusted content from the OS, files, network, etc.
• Leverages hardware virtualization for maximum protection

Software Isolation Techniques

Software vs Hardware Isolation

[Figure: layered Windows stack diagrams (Application.exe and Application DLLs over NTDLL.DLL, ntoskrnl.exe, win32k.sys and HAL, alongside CSRSS, SVCHOST, MSSECES and LSASS) comparing an application sandbox with a VM running above a hypervisor. The sandboxed task still reaches ~800 Win32 calls and ~400 NT calls and millions of LOC beneath it; the attack chain shown is download > execute > pwn3d! Vulnerabilities labelled on the diagram: CVE-2015-5119 (Hacking Team), CVE-2015-2426, CVE-2011-3402.]

Windows 10 Device Guard

Device integrity: UEFI Secure Boot prevents device tampering and ensures the OS starts with integrity.

Cryptographic processor: the TPM processor provides tamper-proof integrity validation and prevents unauthorized access to sensitive information.

Virtualization: processor-based virtualization isolates critical system components and data and protects them even in the event of full system compromise.

Biometric sensors: using a biometric for authentication increases the level of difficulty for an attacker to the highest level.

50% of the time is spent in the browser

Windows 10 Result (Windows 10 Enterprise License; Windows 10 VBS hardware isolation via client Hyper-V)

• A compromised PC is less valuable to attackers
• The device still has access to enterprise network and infrastructure (AD, Exchange, Intranet sites, shares)
• Files/data can be stolen
• A keylogger / screen scraper can steal non-Windows credentials

[Figure: Windows 10 process stack (Application.exe, Application DLLs, CSRSS, SVCHOST, WINLOGON, MSSECES, LSASS, NTDLL.DLL, ntoskrnl.exe, win32k.sys, HAL) beside the VBS hardware-isolated partition.]

Microvisor

• Micro-virtualization: copy-on-write execution in hardware-isolated memory
• Intel VT-x CPU virtualization
• Hardware isolated memory
• Multi-core execution
• No device access
• “Need to know” access to system resources, files & networks
• Additional CPU, virtual & network security features

Protect → Detect → Respond

Real-time Detection & Analysis

Malware manifest

Top 4 Ransomware Attack Vectors

• Weaponized e-mail attachments
• Embedded hyperlinks within emails
• Browser (drive-by) attacks
• Web application vulnerabilities

Microvisor on the Windows Host

New Micro-VM per ‘user task’

[Figure: the Microvisor sits beneath the Windows 10 kernel and applications; each micro-VM boots its own kernel (Windows 7, 8, 10) for the task.]

[Figure: Windows 10 Enterprise License with VBS (Hyper-V) protection and Windows Defender Application Guard for Edge, combined with self-remediation and monitoring of execution state (diffs, pcaps, files); a complete record of execution is fed to the SOC for real-time analytics & hunting.]

Bromium Complements Security

Windows 10
• CG (Credential Guard) for pass-the-hash attacks
• HVCI kernel code integrity
• WDAG isolates Edge
• ATP for cloud based EDR

Windows 7, 8 → Protection & self-remediation for
• Network-based attacks
• File or data loss
• Key-loggers & screen scrapers
• Ransomware
• Persistent APTs
• Pass-the-hash attacks
• All malicious execution

Tamper-proof real-time monitoring (EDR) of isolated tasks and the Windows desktop

Micro-virtualization for the masses…

Next Steps

• Learn how hardware-enforced isolation is transforming Microsoft security: http://bit.ly/VBSPartnership
• Watch this demo of how Bromium stops ransomware on Windows 7, 8, or 10: http://bit.ly/GoodbyeRansomware

Evaluate your top threat vectors then talk to us.
