HP says its new SureStart self-securing BIOS technology will prove not only a technology differentiator for its notebook products, but also a management and services differentiator for channel partners.
Introduced this week, SureStart is a new technology that will appear on HP’s high-end PCs, promising to ensure that a computer’s BIOS is known to be good before it will boot the machine up. Vali Ali, chief technologist for security and software for business PCs at HP, said the technology will provide solid protection against advanced persistent threats that attempt to hide themselves in BIOS – the technology is virtually impossible to avoid short of changing the motherboard on the system.
“The trust of the whole system builds on top of BIOS, and modern operating systems rely on the security of BIOS to make sure the system as a whole is secure,” Ali said. “SureStart is a game changer and a mindset changer. It allows us to ensure the trust of the core root of trust for the system.”
Developed out of HP Labs, SureStart inspects BIOS before it runs, and if it detects anything out of the ordinary, replaces it with a known-good BIOS configuration.
While others have offered self-healing BIOS capabilities in the past, Ali suggests SureStart is different because the mechanism is “electrically isolated” from the rest of the system, and runs its self-check and BIOS diagnostic and repair before the first line of BIOS code is executed. That should mean it’s able to evade attacks that attempt to hide from antivirus software by hiding in BIOS, like 2011’s Mebromi Trojan. The technology is able to run its validation – and if necessary replace the BIOS with a known-good BIOS – without introducing noticeable delay in the bootup process, Ali said. The technology is invoked, and checks the system, every time the computer’s power state is altered – whether it’s turned on, off, or put in sleep or hibernate mode.
The technology is able to get online during its validation and, if necessary, update a system’s BIOS via the cloud without beginning to invoke the operating system. Because that introduces out-of-band connectivity, it also introduces the ability for channel partners to pull BIOS logs and identify attacks on a customer as part of a security audit or ongoing managed security service. That’s part of a broader management opportunity the technology enables. Its logs are WMI-compliant, so they can be pulled and analyzed by a variety of console management tools, and SureStart is manageable at a policy level, allowing channel partners to set customer-wide policies for allowing or disallowing BIOS updates, and ensuring a common, known-to-work BIOS image across a customer’s environment.
HP is betting that SureStart will be a nugget of innovation that will help it differentiate itself in a struggling, crowded, and commoditized PC marketplace. But for solution providers, it affords another avenue of PC-centric managed services and managed security services, and joins the likes of Intel’s vPro as a technology that makes it easier to manage machines from before first power-on through to operating system run up.
Matt Smith, director of channel marketing for HP’s Printing and Personal Systems Group, said SureStart presents solution providers with a device that is much more self-healing and therefore should star in reliability, and also gives channel partners another route to diagnose further security issues in a client’s environment.
Positioned right, SureStart may also help draw security-conscious customers towards the company’s top-of-the-line commercial products. SureStart is due to debut in the company’s recently launched mobile workstation products, and in its soon-to-be-released EliteBook commercial notebook family. Ali suggested the technology will waterfall down across the HP lineup over time, but for now, will remain the domain of the company’s top-of-the-line products.
“We’re first to market on this. That’s giving our resellers peace of mind that they can invest in our highest-end products,” Smith said. “It’s quick to pay them back for that investment, for that innovation.”