Can a hypervisor be used as a security layer?

Can a hypervisor be used as a security layer?

According to Trustwave’s most recent Global Security Report, the average time from intrusion to detection of a breach is around 49 days. With more advanced malware – also known as Advanced Persistent Threats (APT’s) – detection times can be much higher.

These advanced attacks use various methods to escape detection. But there’s something that every attack – whether the latest and greatest state-sponsored malware or a yet-to-be-disclosed zero-day vulnerability - has in common; they all require at least a little memory to exist and execute.

“All malware leaves a memory footprint,” says Liviu Arsene, Senior E-Threat Analyst at Romanian security provider Bitdefender. “I pull my hair out every time I hear about fileless attacks. There is no such thing. It's still code. All of these advanced tools, they all require some sort of memory footprint.”

However, it can be hard to find traces of malware. Today’s malware is adept at hiding itself within systems; just because Windows says there’s isn’t an executable file using up lots of memory doesn’t mean that’s actually true.

“The disadvantage of having an agent inside in the machine is that it's dependent on information coming from the Operating System.”

Bitdefender’s newest technology claims to solve the problems of threats lying to agents and hiding in the raw memory of virtualised systems. Called Hyper-Visor Introspection, it provides live memory introspection at the hypervisor level. Instead of using OS-reliant agents in each Virtual Machine, the technology ‘detects and secures infrastructures directly at hypervisor level, through a security virtual appliance.’

“If you can tap into that physical layer, below the operating system, that means you have complete visibility into the operating system without actually relying on information from the Operating System.”

The company claims the solution could have stopped outbreaks of the WannaCry ransomware before they occurred.

“We went below the Operating System to tap into the raw memory of each machine,” says Arsene. “That's something cool because no one actually ever decided to pursue that challenge - to actually use a hypervisor as a security layer - it's only ever been used for virtualisation.”

“Regardless if it's a zero-day vulnerability or a rootkit, as long as you see memory and you're able to analyse it in real time, look at and understand it and what's going on in there, you can detect [threats].”

For now, HVI is only available for Citrix’s virtualisation products.

“Citrix actually agreed to open up their Hyper Visor through a bunch of APIs that allows our introspection engine to look at raw memory.”

Although those APIs are available to anyone who wants to develop similar tools, Arsene is confident the market isn’t about to be flooded with competition.

“The ability to interpret what's going on within memory, to extract that semantic meaning, is far beyond anyone's capabilities, at least in the next 2 or 3 years.”

“There are only a handful of people in the world that can code the introspection engine. You're talking about Machine Code, Assembly Code, working with instructions at the CPU level. It's as hardcore as it possibly gets.”

There are hopes, but no definitive timelines, for bringing the product to the likes of VMWare  - which is due to release its own security product this year - and Microsoft’s Hyper-V. But the onus is on those companies to open up their APIs to allow Bitdefender in.

“We already have the experience in telling them the requirements for those APIs, they just have to do the coding.”


Transylvanian tech

Started and still based in Bucharest, Bitdefender is probably Romania’s biggest technology export. But the country has slowly been gathering a reputation in recent years as an emerging technology hub. We at Connect have been writing about the technology scene not only in the capital Bucharest, but also cities such as Cluj for a few years now.

And we’re not the only ones. The country is well-known for its plethora of STEM talent, excellent connectivity, low prices, and government incentives (IT workers haven’t paid the standard 16% salary tax in the country for over a decade). And while it’s predominantly known for outsourcing, there is a growing interest in entrepreneurship. The site lists nearly 400 local companies, while TechHub Bucharest hosts regular meetups.

“As a country, we have a strong background in science, IT, and Maths. That's why there's no shortage of IT skills,” says Arsene. “Our company is 100% Romanian-based. 600 people out of 1200 are engineers and development. There's no outsourcing, everything is written internally by Romanian engineers.”

However, talent hasn’t yet turned into money. Just €11.3 million ($13.2 million) was raised by 20 startups in 2016, a mild increase on the €10.7 million ($12.5 million) raised by 15 startups in 2015. While Arsene agrees there is no shortage of innovation coming out of the country, he also admits the local technology struggles to sell itself as well as it should.

“Ask any developer what's the purpose of the thing he built, and he'll say 'oh it just makes my life easier. I don't know about everybody else, it just works for me.”

“We have the technical skills but we lack sometimes the marketing and sales skills. Developers have a hard time selling and pitching products.”


Also read:
InfoShot: The rise of the European Unicorn
Euro-Unicorns a different breed to US species
Romania’s tech sector breeds jobs


«Millennials talk careers: Guen X Dang


Typical 24: Matt Hebden, dyzio»
Dan Swinhoe

Dan is Senior Staff Writer at IDG Connect. Writes about all manner of tech from driverless cars, AI, and Green IT to Cloudy stuff, security, and IoT. Dislikes autoplay ads/videos and garbage written about 'milliennials'.  

  • twt
  • twt
  • Mail

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.


Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.



Should the government regulate Artificial Intelligence?