On paper, Bromium has all the ingredients to be a global cybersecurity giant. A president with an impeccable pedigree. The respect of the aerospace and intelligence sectors. An innovative product that stands traditional notions of endpoint protection on their head. And 41 listed US patents to its name.
Yet it retains the aura of something of a novelty act (the company would no doubt prefer “best kept secret”) and is some way from being a household name, despite the best efforts of an active PR team, the sponsorship of a major recent report into cybercrime, and customers that include Europol.
Why? One answer may be that Bromium – which spins up a tiny virtual machine (VM) for every application, meaning users can click merrily on spearphishing links, knowing malware has merely been let into the equivalent of a VM isolation cell – was ahead of its time and the world’s hardware is only just catching up.
Early versions were slow, often required new hardware and were a work in progress. Yet with hardware now capable of supporting the idea and recognition from the NSA among others that virtualisation is a key component of cybersecurity as old “moat and castle” approaches systematically fail, it may well be Bromium’s hour.
Now Counts 170 Customers
The company, co-founded by virtualisation pioneer Ian Pratt, has been working on its product suite for seven years and now counts 170 customers across the US, Europe and Japan, including the Met Police.
Bromium uses application isolation and control to ensure malware cannot reach the host operating system, can’t read/write to the registry or the file system, can’t access the intranet or spread laterally, and can’t exploit the kernel or escape the container.
Bromium President Ian Pratt, the chief architect of Xen, a fellow of the Royal Academy of Engineering and a Cambridge computer science lecturer, freely admits initial versions were clunky.
“Three or four years ago you certainly knew you were running it, because it slowed the machine down a bit. Some companies had to go and buy new hardware. The CPUs they had in their existing machines didn’t necessarily have what’s called the third generation virtualisation extensions built into them,” he told Computer Business Review.
“We’ve benefited from the fact that CPUs are getting faster; they all have these extensions built into them now.”
What of privately held Bromium’s growth plans? Any plans for a funding round to push expansion? Ian Pratt told Computer Business Review: “I don’t remember when we did our last funding round but we’re not in a hurry to do another; we’re growing organically on our business proceeds.”
New Product Launch: “Protected App”
We spoke to him as Bromium today launched “Protected App”, an offering that builds a wall around critical applications on the endpoint, securing access to and from the host even if the host is compromised. It does so using hardware-enforced virtualisation on the endpoint, below the operating system (OS).
(As the VM is independent of the OS, kernel exploits of the Windows host will not impact Protected App.)
The company says the new offering is targeted at safeguarding intellectual property (IP) and high-value assets (HVAs) from threats such as keylogging, kernel exploits, memory and disk tampering, and man-in-the-middle attacks, with sensitive applications walled off from the endpoint.
It has the former CISO of the CIA agreeing, in a release it shared.
“Organizations have been fighting an ongoing cyber battle, but they have been let down by layered defenses failing to stop or slow down attacks. This failure has resulted in organizations feeling like they can’t trust their own networks or endpoints, which has forced them to move high-value services and IP off the network and restrict access,” said Robert Bigman, the former CISO of the US intelligence agency.
“Protected App can be used by organisations to enable trusted client access for employees and third-party partners to your intellectual property from their ‘dirty’ networks and endpoints, without ever having to worry about their security posture.”
So Why Isn’t Bromium a World-Beater?
We put the question to Ian Pratt: “I think security is a difficult market. You go to the RSA and there are thousands of vendors all saying they’ve solved the problem; often with no credible background to support that. If you’re a busy CISO it can be hard to cut through the noise. CISOs come from a range of backgrounds. We find we’re doing well in countries like Germany where they typically have strong technical knowledge.”
“Word of mouth is also tricky as many companies don’t like to talk about the tools they’re using. Or you might have a CISO say ‘since we deployed your product we’ve had no breaches on any of our influence systems; but how do I show to my boss that that’s due to my being clever in buying your products as opposed to just, well, we haven’t been attacked?’”
Partly for that reason the company launched Bromium Secure Monitoring, on the principle that if you’ve got a bit of malware squirming in a container in front of you, it’s a good chance to run analysis on the code.
The platform allows users to export analysis in formats including pre-configured STIX or MAEC reports for exchange with third-party stakeholders, along with MD5 signatures (a hash algorithm usually used to check file integrity) of file-based malware droppers.
The company says it is continually testing its product and runs a private bug bounty programme with BugCrowd. After an initial embarrassment in 2016, when a Google security expert managed to breach a Bromium virtual machine, it launched the programme and said nobody has escaped one of its micro-VMs since.