Virtualization Based Security: Using Endpoint CPU Virtualization to Transform Enterprise Security
Mike Burwick, Principal SE, [email protected]

Detection: Shark or Dolphin?
© Bromium 2017

The key principles of attacks remain true
• There will always be software vulnerabilities
• Malicious code and threats will always exist
• You will get owned
• You cannot anticipate the next move
The Failure of Detection
• 97% of malware is unique to a specific endpoint
• “99% of malware hashes are seen for 58 seconds or less. In fact, most malware was seen only once.” (March 2016)
It is mathematically impossible* to detect all polymorphic or zero day malware in advance
* Limits of Static Analysis for Malware Detection. Andreas Moser, Christopher Kruegel, and Engin Kirda, Secure Systems Lab, Technical University Vienna.
* On the Infeasibility of Modeling Polymorphic Shellcode. Yingbo Song, Michael E. Locasto, Angelos Stavrou, Dept. of Computer Science, Columbia University.

Detection vs Isolation
Existing security solutions today rely on detection:
• A threat must be detected before it can be blocked
• Polymorphic & “0 day” malware evades AV, white lists, IPS etc.
Micro-virtualization protects through “CPU enforced Isolation”:
• Isolates untrusted content from the OS, files, network, etc.
• Leverages hardware virtualization for maximum protection
Software Isolation Techniques

Software vs Hardware Isolation
[Figure: Software vs Hardware Isolation, a sequence of stack diagrams]
• Application sandbox: Application.exe and Application DLLs run as a sandboxed Task; the sandbox boundary still exposes ~800 Win32 calls and ~400 NT calls, which pass through NTDLL.DLL to ntoskrnl.exe, win32k.sys and the HAL.
• Unsandboxed Windows desktop: Application.exe, Application DLLs, CSRSS, SVCHOST, WINLOGON, MSSECES, LSASS, millions of LOC; the attack flow is shown as “download > execute… > pwn3d!”.
• The diagram marks CVE-2015-5119 (Hacking Team), CVE-2015-2426 and CVE-2011-3402 against the software sandbox stack (Application Sandbox, NTDLL.DLL, ntoskrnl.exe, win32k.sys, HAL).
• Application sandbox VM: the same stack (NTDLL.DLL, ntoskrnl.exe, win32k.sys, HAL) runs inside a VM, with the Hypervisor as the isolation boundary beneath the guest kernel.
Windows 10 Device Guard
• Device integrity: UEFI Secure Boot prevents device tampering and ensures the OS starts with integrity
• Cryptographic processor: the TPM processor provides tamper-proof integrity validation and prevents unauthorized access to sensitive information
• Virtualization: processor-based virtualization isolates critical system components and data, and protects even in the event of full system compromise
• Biometric sensors: using a biometric for authentication increases the level of difficulty for an attacker to the highest level
50% of the time on Windows 10 is spent in the browser
Windows 10 Enterprise License: Credential Guard
[Figure: the Windows 10 desktop stack (Application.exe, Application DLLs, CSRSS, SVCHOST, WINLOGON, MSSECES, LSASS, NTDLL.DLL, ntoskrnl.exe, win32k.sys, HAL) with Credential Guard placed under Windows 10 VBS Hardware Isolation (client Hyper-V)]
Result:
• A compromised PC is less valuable to attackers
• The device still has access to enterprise network and infrastructure (AD, Exchange, Intranet sites, shares)
• Files/data can be stolen
• A keylogger / screen scraper can steal non-Windows credentials
Microvisor: Micro-virtualization
• Copy-on-write execution in hardware-isolated memory
• Intel VT-x CPU virtualization
• Hardware isolated memory
• Multi-core execution
• No device access
• “Need to know” access to system resources, files & networks
• Additional CPU security features
• Virtual file system & network

Protect, Detect, Respond
Real-time Detection & Analysis
• Malware manifest
Top 4 Attack Vectors
• Weaponized e-mail attachments
• Embedded hyperlinks within emails
• Browser (drive-by) attacks
• Web application vulnerabilities
[Figure label: Ransomware]
Microvisor
• Windows Host
• New Micro-VM per ‘user task’
• Boot (Windows 7, 8, 10)

[Figure: Windows 10 Kernel with Windows Applications above it]

Bromium Complements Microsoft Security
[Figure: Windows 10 Enterprise License with Windows Defender Application Guard for Edge and VBS (Hyper-V); Bromium adds, numbered 1 to 3: Self-Protection; Monitoring of execution state, a complete record (diffs, pcaps, files) fed to the SOC for real-time analytics & hunting; remediation]
Microsoft:
• CG for pass-the-hash attacks
• HVCI kernel code integrity
• WDAG isolates Edge
• ATP for cloud based EDR
Bromium, Windows 7, 8: Protection & self-remediation for
• Network-based attacks
• File or data loss
• Key-loggers & screen scrapers
• Ransomware
• Persistent APTs
• Pass-the-hash attacks
• All malicious execution
Tamper-proof real-time monitoring (EDR) of isolated tasks and the Windows desktop

Micro-virtualization for the masses…
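The Device Guard slide and the "Bromium Complements Microsoft Security" slide both name the Windows 10 controls that rest on VBS (Credential Guard, HVCI, UEFI Secure Boot, client Hyper-V, Windows Defender Application Guard). Whether those controls are merely configured by policy or actually running is the check a practitioner wants before relying on them. The script below is an added example, not from the deck or from Bromium or Microsoft; it reads the documented Win32_DeviceGuard WMI class (the source of the "Virtualization-based security" rows in msinfo32) and the optional-feature state. The function names are my own, the optional-feature names are assumed to be the standard ones, and the Secure Boot and feature checks need an elevated session and otherwise report 'Unknown'.

```powershell
# Added example, not part of the Bromium deck: report which of the Windows 10
# VBS controls named on these slides (VBS itself, Credential Guard, HVCI,
# UEFI Secure Boot, client Hyper-V, Windows Defender Application Guard) are
# configured and which are actually running. Assumes Windows 10/11 with
# PowerShell 5.1+; the Secure Boot and optional-feature checks need an
# elevated session and report 'Unknown' otherwise. Function names are my own.

function Get-VbsStatus {
    [CmdletBinding()]
    param()

    # Documented code tables for the Win32_DeviceGuard WMI class (the class
    # behind the "Virtualization-based security" rows in msinfo32).
    $vbsStates = @{
        0 = 'Not enabled'
        1 = 'Enabled but not running'
        2 = 'Enabled and running'
    }
    $serviceNames = @{
        0 = 'None'
        1 = 'Credential Guard'
        2 = 'HVCI (hypervisor-enforced code integrity)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }
    $propertyNames = @{
        0 = 'None'
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'
        5 = 'NX protections'
        6 = 'SMM mitigations'
        7 = 'Mode Based Execution Control'
    }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Map an array of integer codes to names; unknown codes stay visible.
    $toNames = {
        param($codes, $table)
        @($codes | ForEach-Object {
            if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown($_)" }
        })
    }

    $configured = & $toNames $dg.SecurityServicesConfigured $serviceNames
    $running    = & $toNames $dg.SecurityServicesRunning    $serviceNames

    # Secure Boot state is read from the UEFI variables; needs elevation.
    try {
        if (Confirm-SecureBootUEFI) { $secureBoot = 'Enabled' } else { $secureBoot = 'Disabled' }
    } catch {
        $secureBoot = 'Unknown (legacy BIOS, or not elevated)'
    }

    # Optional-feature state for client Hyper-V and Application Guard (WDAG).
    # Feature names are assumed to be the standard ones on Windows 10 1709+.
    $features = @{}
    foreach ($name in 'Microsoft-Hyper-V', 'Windows-Defender-ApplicationGuard') {
        try {
            $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction Stop
            $features[$name] = [string]$f.State
        } catch {
            $features[$name] = 'Unknown (feature absent, or not elevated)'
        }
    }

    [pscustomobject]@{
        VbsStatus                   = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured          = $configured
        ServicesRunning             = $running
        # The gap that matters: policy says "on" but the hypervisor never started.
        ConfiguredButNotRunning     = @($configured | Where-Object { $_ -notin $running })
        PlatformPropertiesRequired  = & $toNames $dg.RequiredSecurityProperties  $propertyNames
        PlatformPropertiesAvailable = & $toNames $dg.AvailableSecurityProperties $propertyNames
        SecureBootUEFI              = $secureBoot
        ClientHyperV                = $features['Microsoft-Hyper-V']
        ApplicationGuard            = $features['Windows-Defender-ApplicationGuard']
    }
}

# Baseline gate: true only when VBS is running with both Credential Guard and
# HVCI active and Secure Boot confirmed on.
function Test-VbsBaseline {
    $s = Get-VbsStatus
    return ($s.VbsStatus -eq 'Enabled and running') -and
           ($s.ServicesRunning -contains 'Credential Guard') -and
           ($s.ServicesRunning -contains 'HVCI (hypervisor-enforced code integrity)') -and
           ($s.SecureBootUEFI -eq 'Enabled')
}

Get-VbsStatus | Format-List
"VBS baseline met: $(Test-VbsBaseline)"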
Next Steps
• Learn how hardware-enforced isolation is transforming Microsoft security: http://bit.ly/VBSPartnership
• Watch this demo of how Bromium stops ransomware on Windows 7, 8, or 10: http://bit.ly/GoodbyeRansomware
• Evaluate your top threat vectors, then talk to us.