Malware and exploits have a distinct advantage: they always get the first move. Traditional antimalware and security tools are reactive and based on detecting and blocking known threats. A threat can’t be known, however, until it exists and affects something or someone first. It’s a poor model for defense. Microsoft proposes to change that with Device Guard.
There are already controls in place within Windows that make determinations about whether or not an application can be trusted and should be allowed to execute. The Achilles heel of that approach is that some rootkits and exploits are capable of compromising Windows at the kernel level–below where those decisions are made. That means the malware itself can alter, override, or circumvent those decisions and execute anyway.
Device Guard takes the protection to a new level. It uses technology embedded at the hardware level, combined with virtualization, to separate the decision-making process from the Windows operating system. Microsoft’s Chris Hallum explained in a blog post that this isolation prevents malware and exploits from executing, even in the event that the attacker has full access to the system. “This gives it a significant advantage over traditional anti-virus and app control technologies like AppLocker, Bit9, and others that are subject to tampering by an administrator or malware.”
Microsoft already has support from most of its biggest OEMs to produce hardware capable of supporting Device Guard. HP, Acer, Lenovo, Toshiba, Fujitsu and others will manufacture systems designed for the new Microsoft security controls.
Microsoft doesn’t expect customers to simply stop using traditional antimalware. Hallum stated, “Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script based malware while AV will continue to cover areas that Device Guard doesn’t, such as JIT-based apps (e.g.: Java) and macros within documents.”
In essence, Device Guard seems to offer a sort of whitelisting capability. IT organizations will have significant control and the ability to customize the apps that are allowed to execute. Device Guard can be configured to simply allow all applications signed by a specific trusted vendor, or IT organizations can authorize each individual signed app. No matter how Device Guard is set up, the premise is that only the applications pre-approved to execute will be allowed to run on a system protected with Device Guard.
I sat down with Chris Hallum yesterday at the RSA Security Conference, and he was passionate about Device Guard. He apologized in advance for using the trite and melodramatic term “game changer,” but he truly believes that Device Guard represents a sea change in how Microsoft customers defend against malware and exploits.
Organizations that are tired of being one step behind the attackers and constantly reacting to yesterday’s new exploits will appreciate the proactive nature of Device Guard and the ability to prevent any unauthorized or malicious code from executing. Only time will tell if Device Guard is the savior that Hallum thinks it is.
Do you think Device Guard will provide the security that is currently missing in Microsoft software? Let us know your thoughts in the discussion thread below.