Computer security relies on a simple principle: Keep the bad stuff out. This might mean using clever gear to monitor your network. Or it might take the form of antivirus software that keeps nasty worms from burrowing into a PC. But if heinous code does get through, there’s little to do other than find a place to cry.
A startup called Bromium flips traditional logic on its head—and lets attackers right inside the castle walls. When users run Bromium’s software, which will be available later this year, every time they open an e-mail attachment or a browser tab or another application, it creates a temporary, virtual compartment to house the task. Like a nurse observing a quarantined patient, the software watches the cordoned-off code. If it senses misbehavior—such as malware trying to exploit a security hole in Adobe Reader—it dissolves the compartment before damage can be done to the rest of the computer. “The bad guys will always get in,” says Simon Crosby, the co-founder and chief technology officer at Bromium. “It’s about limiting what they can do.”
Like Crosby, a number of the top executives at Bromium came from XenSource, a big-brained startup that did pioneering work in the software virtualization field now dominated by VMware. The software maker Citrix Systems bought XenSource for $500 million in 2007. Crosby and his co-founders formed Bromium—a name they say simply sounded cool and wasn’t taken—in 2010 in Sunnyvale, Calif. The startup has raised about $36 million from top-tier investors.
One of them is Intel. In recent years the chipmaker has started including special security technology in its products. Intel’s hardware-based bodyguards create much stronger barriers against attacks than software and can prevent, say, a malicious application from reading and remembering users’ keystrokes as they enter passwords. Bromium’s software, in essence, manages the functions in these new Intel chips.
David Johnson, an analyst with Forrester Research, says traditional security measures are “beginning to break down” as attackers grow ever more sophisticated. “New exploits regularly elude traditional antivirus and anti-malware and can be notoriously difficult to eradicate,” he says. “Bromium’s approach is unique because it addresses security by essentially assuming that any [application] is compromised at any time and then limiting the effects of it or the damage a given attack can do.”
It also helps that Bromium is lean. Most PCs contain about 100 million lines of code. Every day, hackers look for vulnerabilities to exploit in that mind-bogglingly large set. Bromium kept its application small to avoid the same problem. “Bromium has about 100,000 lines of code, so it’s much easier to harden and secure that,” says Paul Burns, the president of industry analyst Neovise. Burns calls Bromium’s approach “very innovative” but adds that “we’re going to need a bit more time to see the impact.”
Crosby says Bromium’s solution is practical because it doesn’t require users to be hypervigilant, always worrying about what they click on and downloading security updates. “We’re gullible,” he says. “This is about building computing systems that let humans do what they want to do.”