Tech Throwdown: Invincea FreeSpace vs. Micro-Virtualization

Transcription

1 Tech Throwdown: Invincea FreeSpace vs. Micro-Virtualization May 2014

2 Table of Contents Summary... 3 A Hot Market Advanced Threat Protection for the Endpoint... 3 Hype Meets Real World Let s do a Throwdown... 4 Architectural Comparison... 5 Invincea FreeSpace Virtual Container Architecture... 5 Micro-Virtualization Virtual Container Architecture... 6 Hardware Dependencies... 7 Virtual Desktop Infrastructure (VDI) Limitations... 7 Microsoft Volume Licensing Required can double desktop license costs... 8 No Malware Detection Capability... 8 Host OS Kernel and System Drivers not fully isolated... 8 Vendor Claims Marketing Hype and the Realities of Deployable Defenses... 9 Throwdown Comparison... 9 Throwdown Comparison Checklist Conclusion and more information Invincea, Inc University Drive, Suite 460 Fairfax, VA USA Tel: info@invincea.com , Invincea, Inc. All rights reserved. Invincea, the Invincea Logo, Invincea FreeSpace, Invincea Management Service are trademarks of Invincea, Inc. All other product or company names may be trademarks of their respective owners. All specifications are subject to change without notice. Invincea assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. INV_WP_microvirtualization_ Page 2 of 12

3 Summary It seems every week there is a new flash-bang technology or vendor that purports to be the latest silver bullet solution to advanced threats. The result from all these market claims is buyer confusion and a healthy dose of skepticism for vendors silver bullet claims. This paper is the first in a series of Tech Throwdowns where we compare another vendor s micro-virtualization approach against Invincea FreeSpace. In it, we describe the technical differences between the two different types of virtual container architectures, then present the side-by-side Throwdown against best for business criteria. We conclude with a Throwdown form for you to take the Throwdown challenge for yourself. A Hot Market Advanced Threat Protection for the Endpoint Each day, users are successfully targeted by a variety of adversaries with the goal of getting a beachhead on corporate networks to subsequently compromise the network for data breach, including customer data, intellectual property, mergers and acquisition deals, and future plans. Traditional security solutions have used signatures of threats to try and find these adversaries on the network. However, the nature of a targeted attack means techniques that rely on signatures will not detect these attacks. As a result, enterprises are looking for non-signature-based techniques to counter advanced threats and targeted attacks. Page 3 of 12

4 As attacks have become more targeted and persistent, and malware more sophisticated and specialized, a market for solutions to defend against these threats has emerged. John Grady IDC Research, Security Products, August 2013 It seems every week there is a new flash-bang technology or vendor that purports to be the latest silver bullet solution to advanced threats. The result from all these market claims is buyer confusion and a healthy dose of skepticism for vendors silver bullet claims like The World s Most Secure Endpoint Solution (see exhibit below from tradeshow). Is it really? Let s explore the claim. Hype Meets Real World Let s do a Throwdown To help cut through all the marketing hype of various vendors, we are putting on a Tech Throwdown (Bobby Flay style) series with key criteria to compare alternative solutions when looking at advanced threat protection solutions. For a more comprehensive comparison of alternative architectures and technologies, please see Buyer s Guide for Advanced Threat Protection Solutions 1. The Throwdown is intended for the reader to perform his or her own comparison of alternative technologies, architectures, and products to determine what is best for his or her business. To aid in evaluation, we provide background on the different approach architectures, then provide a Throwdown comparison for the reader to take and decide what approach is best for business given the various deciding criteria when it comes to protecting your enterprise from advanced threats: deployability, scalability, performance, usability, security, and cost. Instead of focusing on just one of these criterion, we address them all because we know that s how evaluators and buyers conclude what s best for their business and ultimately what it takes to protect your business from the threats you face while going online. 1 Page 4 of 12

5 In this Throwdown, we compare Invincea FreeSpace to a micro-virtualization product. We use micro-virtualization in quotes only because it is a term invented by a vendor, not an actual recognized architecture. Architectural Comparison Both Invincea FreeSpace and the micro-virtualization approach use a virtual container architecture (as defined by Gartner Research) to address threats, both conventional and targeted. In the following we describe the virtual container architectures. Invincea FreeSpace Virtual Container Architecture The virtual container based architecture breaks from the traditional detection-based approaches that have long dominated endpoint security. Figure 1 shows the virtual container architecture employed by Invincea FreeSpace. The fundamental difference between a virtual container architecture and a traditional detection-only architecture is the virtual container implements a protect first design. Figure 1: Invincea FreeSpace Virtual Container Architecture The container-based architecture is flexible enough to determine which applications get containerized, though some configuration of the container is often necessary to ensure correct interoperability with the system. The applications shown in Figure 1 reflect the attack surface from threats your users face: and Web. In particular, Invincea supports browsers, document editors, Adobe reader, Java, and other plug-ins these applications support. When evaluating a virtualization container architecture, be sure to understand which browsers and applications are supported out of the box. Coverage of Internet Explorer (older and current versions you run), Firefox, and Chrome are important to ensure that users are protected with the browser they use. The virtual container architecture is just that virtual. Users do not interact with containers they interact with applications as expected, but are protected from Page 5 of 12

6 compromising their system and network in case the content inside the container is malicious. A virtual container is like a transparent detonation chamber with one exception: rather than testing content for maliciousness and making a decision, the application with its content always runs inside the container so your users are always protected. If any malware detonates inside the container (a malicious document, executable, or web page), it is isolated from infecting the host and network. Detection and capture of forensics is a key differentiating feature of different virtual container solutions. Some containers only contain malicious threats. Invincea FreeSpace will also detect when a detonation event has occurred inside the container, indicating malware is running. Once observed, Invincea FreeSpace collects artifacts from the malware while killing the malicious processes that spawn, preventing further exploitation of the network. The key attributes of Invincea s virtual container architecture are: Scalable with number of applications, windows, and tabs that run inside the container Low performance overhead in memory, on disk, and CPU that is constant No additional latency Hardware (CPU vendor and generation) independent and agnostic Interoperable with other endpoint software Seamless UX Detection of 0day exploits, unknown malware, targeted attacks Reporting of forensics to cloud-managed server Proven to scale to hundreds of thousands of machines Easy deployability and maintenance Out of the box support for standard browsers and document editors/viewers No special licensing required for Microsoft OS and products Extensible to other software applications as desired by users Cost efficient Micro-Virtualization Virtual Container Architecture Recently, the term micro-virtualization has been introduced to describe a form of Type II virtualization that virtualizes single processes running within an operating system. While few technical details 2 about micro-virtualization have been published, what little has been released indicates that, the Xen hypervisor has been forked to create a microvisor to virtualize tasks rather than virtualizing the full operating system, where a task is defined to be an untrusted process and the OS libraries it calls. 2 Microvirtualization for the Security Architect_0.pdf Page 6 of 12

7 Figure 2 shows a micro-virtualization architecture on a Windows7 system. As shown, the u-visor is hosted on the Windows7-64 bit operating system. Xen is classically a Type I hypervisor that runs bare metal and virtualizes the entire operating system, rather than single processes or tasks. Thus, this fork of Xen represents a form of Type 2 virtualization. Figure 2: A micro-virtualization architecture The microvisor has some important design distinctions from other virtual container approaches that drive some system trade-offs we describe here. One key difference is that the microvisor is hardware limited to the Intel VT-x processor instruction set extensions in order to virtualize the supervised process. Hardware Dependencies Using the VT-x ensures that the micro-vm can VM Exit (the equivalent of a hardware interrupt on conditions such as a page fault) on a pre-defined set of VM fault conditions. The ability to VM Exit on a pre-defined set of VM fault conditions has been marketed by the vendor as hardware-enforced isolation caveat emptor. The hardware dependency to the Intel chipset means it will only run on certain CPUs Intel i3, i5, i7 CPUs and requires additional BIOS level configuration of each machine to enable VT extensions at boot time. Virtual Desktop Infrastructure (VDI) Limitations One trade-off with employing VT-x instructions with a virtual container is you cannot run other hypervisors at the same time at least not for current generation deployed desktop CPU architectures that do not support nested virtualization. For instance, you cannot run this microvisor on a virtualized desktop (VDI) because the virtual desktop runs on a Type I hypervisor, nor can you run another Type II VM such as a virtual machine (VMware, VirtualBox, or Parallels) on a machine running the microvisor. Another trade-off is if other security solutions using VT-x, such as McAfee DeepSafe/DeepDefender, cannot run concurrently with the microvisor because of the VT-x conflict. Page 7 of 12

8 Microsoft Volume Licensing Required can double desktop license costs The microvisor provides each virtualized process a reference gold image copy of the host operating system. The micro-visor then employs copy-on-write semantics to any changes to the gold image to gain performance efficiencies for each u-vm. This means each virtualized process references a gold copy of the host OS in memory for the set of system libraries (imported DLLs) and operating system services it needs. The requirement to run a gold copy of the host OS image creates a huge memory, system management, and configuration requirement for this architecture. It will typically take over 1 GB of memory to run the gold copy image, which in turn is a major contributing factor for machine specs to be 8GB of memory. In addition, the approach creates major licensing challenges in working with Microsoft software, including requiring special enterprise licensing of MS Office. Patch management, traditionally difficult for many organizations, must now be coordinated with the gold image to stay in synch with the host OS image. No Malware Detection Capability While malicious changes to the gold image of the system will not persist after the target process is terminated, the exploit code can run for the lifetime of the micro-vm. Without detection capability, this approach means the user and her data is put at risk for the lifetime of the uvm if and when the user encounters malware. Host OS Kernel and System Drivers not fully isolated While certain OS libraries and services are virtualized from the gold image, many devices such as the printer, file system, and network that the virtualized process (e.g., browser, MS Office) needs access to, are not virtualized themselves. Instead, these devices are managed by the host OS itself, as long as the microvisor provides access to the device. These exceptions are coded as policies to allow virtualized programs to connect directly to the host OS devices including to printer services, host and network file systems, and other core kernel drivers. Since network, printer, file system, and other I/O devices are managed by the host OS, the device drivers in the host OS kernel can be exploited to compromise the host OS exactly what microvisor was purported to prevent, but now must allow by exception. In summary, the core attributes of the micro-virtualization architecture are: Hardware limited to certain CPUs with BIOS modification required Memory intensive requiring machines with 8GB of physical memory Overhead created with each new task browser tab, window, or application for each additional micro-vm making it unscalable as number of tabs and windows opened grows Special licensing required for Microsoft OS and Microsoft Office to support type 2 virtualization Interoperability with other software and devices requires creation of policies per application that creates policy infrastructure overhead while simultaneously creating holes in micro-vm Page 8 of 12

9 Lack of detection makes malware infections invisible to enterprise when infections occur on users machines. Unproven after 2 years in market. Largest deployment measured in 10s, not 10 thousands. Best suited for traditional sandbox style analysis of malware in Security Operations Centers by malware analysts rather than enterprise deployment to users. Vendor Claims Marketing Hype and the Realities of Deployable Defenses On the vendor claim from the beginning of this paper that a micro-virtualization product is the world s most secure endpoint solution, we point to an old axiom in security: the world s most secure computer is one you never turn on, nor can be turned on. In the case of this vendor claim, if the endpoint protected by micro-virtualization can t be put into production because of all of its limitations, then perhaps it is the world s most secure endpoint solution. On the other hand, if you would like to be able to use your machines and deploy a solution to protect your network from targeted attacks, then Invincea is the clear winner in this Tech Throwdown. Throwdown Comparison The following table presents a side-by-side comparison of two products implementing alternative virtual container architectures based on best for business criteria. We invite you to do your own side-by-side comparison with the form at the end. Invincea Product(s) FreeSpace Enterprise v3.3 Invincea Management Service 2.0 Micro-Virtualization Bromium vsentry 2.0 Approach and Use Cases Implementation Approach Secure Virtual Container (hardware agnostic) Hardware-dependent micro-vm fork of Xen hypervisor Use Cases Requirements and Supported Applications Anti-malware Anti-Phishing Document + PDF Protection Java Isolation Auto-remediation Application Isolation Windows XP EOL Protection Adversarial Threat Attribution Incident Response Analysis Windows OS support Windows XP 32 Windows 7 32-bit Windows 7 64-bit Windows 8 32-bit (v4) Windows 8 64-bit (v4) Anti-malware Anti-Phishing PDF Protection Java Isolation Auto-remediation Incident Response Analysis Windows 7 32-bit Windows 7 64-bit Page 9 of 12

10 Hardware Support Minimum Host Physical RAM Required No dependencies (Any x86/64 chipset) Intel VT-x, VT-d, + EPT only 512 MB+ 4 GB documented 8 GB real-world Required RAM allocation MB constant 1 GB+ CPU usage Number of processes (initial launch) Number of processes (subsequent) Browser Support Application Support Restore time after browser patch applied < 5% at launch < 1% sustained Not disclosed s+ (plus a copy of Windows OS) s+ (plus a copy of Windows OS) Internet Explorer Chrome Firefox Adobe Acrobat Adobe Reader (PDF) Adobe Flash Apple QuickTime Microsoft Excel 2010/2013 Microsoft PowerPoint 2010/2013 Microsoft Word 2010/2013 Microsoft Outlook helper apps Microsoft Silverlight Java s Internet Explorer Firefox Adobe Reader (PDF) Java MS Office limited support 15 minutes Microsoft LMS Server + Enterprise Licensing for MS Office Compatibility with other hypervisor software Remote Desktop Services Deployment and Management Not required Supported VMWare View Citrix XenDesktop Microsoft Remote Desktop Required Not supported VMWare View Citrix XenDesktop Microsoft Remote Desktop Number of organizations protected Largest number of hosts protected (single org) Hardware OEM partnerships On-premise Management Service Nearly 15,000 10s 70, s Dell Latitude laptops, OptiPlex desktops, Precision workstations, Dell Venue Windows8 tablets (v4) Yes None Yes Page 10 of 12

11 Cloud-hosted Management Service (option) Security Event Information Management and Threat Intelligence Partnerships Yes Not Supported Pre-built Integrations Open API for 3 rd party integration Threat Intelligence / Adversarial Attribution integration Cost Intel (McAfee) epo HP ArcSight RSA Security Analytics (NetWitness) IBM Security (Q1 Labs) QRadar Splunk ForeScout CounterACT Yes ThreatGRID ThreatStream ReversingLabs isight Partners VirusTotal Palo Alto Networks Wildfire None Yes Palo Alto Networks Endpoint license pricing $39.99/device annual subscription $150/endpoint lifetime Page 11 of 12

12 Throwdown Comparison Checklist Conclusion and more information This paper presents the business and security realities of user-targeted threats across an organization. Legacy technologies are not adequate in addressing the modern issues with user threats, and organizations should seriously evaluate if repurposing pointsolutions can meet their current and future needs specific to advanced malware threats. For more information on the Invincea platform and protecting against user-targeted exploits and other forms of security threats, please contact: Website: Phone: or Page 12 of 12