Kowsik Guruswamy, Menlo Security
Kowsik Guruswamy, Chief Technology Officer, Menlo Security
What is this isolation method you’re talking about?
Well, what makes the web experience risky today are these codes, these scripts that are coming in. If you take away all of the scripts, all the interactive elements, the web is almost benign. It’s this interactivity that we’ve added over time, the thing that makes the web so lively, is the very thing that ultimately delivers breaches and infections.
Most of the security products today don’t do justice to keep users safe. So, the concept of isolation is very simple. Instead of playing a game of trying to figure out what is good and what is bad, we assume that everything is bad; we take all these scripts and run them in the cloud.
So, what actually happens?
Say I want to visit Hardwarezone. We put the Menlo cloud in the middle, and when the Menlo cloud receives my request to go to Hardwarezone.com, it basically gives me a brand new browser in the cloud. And it is this browser that ends up going to hardwarezone.com and executes all the scripts with the assumption that everything is bad. When I’m done, and I close this browser in the cloud, everything gets deleted. That browser in the cloud? Also gets deleted. The whole session is completely erased. If there was actually an infection, it doesn’t have a place to linger any more and there is nothing to infect.
Our first breakthrough was being able to do this with millions of users all doing browsing across the internet. Think of the massive scale, having a million browsers in the cloud and managing it all. The second part, which is also super interesting, is that for the user, you wouldn’t be able to tell the difference. All of the interactivity that you’re used to, the menus, scrolling, videos, everything still works, and feels exactly as before.
Is this similar to server-side compression, that you send an optimized stream to the end user?
It’s more similar with a virtual desktop. But, a VDI environment is choppy and slow, you can’t really copy and paste, and there’s just a lot of issues with video streaming technologies. What we’ve figured out is a way to take just the visual components of the isolated browser, and bring that into my (local) browser. End users don’t have to install anything or do anything different really. The combination of being able to do this at scale while preserving the user experience is the magic Menlo brings to the table.
This sounds like a catch-all solution to cybersecurity. Why isn’t isolation a thing?
We’re just getting started. It will be a thing at some point. The company was formed in 2013, and our first product was only launched in January 2015. Our first customer was JP Morgan Chase.
Well what I meant was this approach to cybersecurity. Why hasn’t anyone thought this before?
Well there are a few companies that started doing this, and they have some variance of what we do - in terms of executing a browser in the cloud. But, the part that’s super unique to us is our rendering technology. Some of the others do this like what I told you before, they run a browser in the cloud and send it to you via a video stream. Some others do this by making you install a new browser, which then connects to their browser. If you look at the history of cybersecurity, any technology that forces the user to change their behaviour or do something unnatural, has never succeeded. The user will simply go around because it’s too cumbersome. Security by shackles doesn’t work.
For this to succeed, we’ve taken a lot of effort to make sure the end user doesn’t know Menlo is in the middle. We’ve done a number of pilots where a small set of trial users have been put behind the Menlo platform over the weekend. They go home on a Friday, then IT comes in and sets it up. Monday morning they come in to work, they don’t know they’re isolated.
You mentioned that traditional methods like anti-virus and firewalls don’t do justice...
If you look at the history of cybersecurity, the anti-virus was introduced around 1987, I think, and the initial firewalls came around the same time. I built the first commercial in-line intrusion prevention system around 2002. Over the course of 20 years, many products were built around the threats at the time, so what happened was that their shelf lives would be limited. Two to three years would go by after a new technology is introduced and a whole new class of problems would emerge and they would become obsolete.
The thing about isolation, because we’re not playing the detection game, this is effectively future proof. So, if there was a new type of threat that comes in six months from now, we don’t need to change anything to combat that threat. Just by the virtue of moving the execution of all the active code to the cloud, solves that problem.
Isn’t this just like sandboxing?
Well, a sandbox is still a way to do good vs. bad. Let’s say you have a Word document with macros. What a sandbox does is try to load the Word document in a simulated environment, and let the document run its course to see if the macros executed tried to encrypt your file system (like in a ransomware attack). If it picks up these signals, it flags the file as bad. If it doesn’t, then ok, the Word document is fine and given back to the user. So, the sandbox is still a type of anti-virus. Instead of applying signatures, it performs a kind of behavioural analysis.
Again, we’re not trying to make a decision if a website is good or bad. We’re just saying, execute (everything) remotely. We basically have this disposable browser in the cloud.
If everything goes through your cloud, how do you stop that from getting infected?
Well, one of the things that we’re not doing, is that we’re not trying to build a better browser. What we’re using in the cloud is Chrome. The entire Menlo isolation platform architecture is built under the assumption that the isolated browser is not somehow better than you (the user). We assume that this browser can be compromised.
So if it does, the question becomes whether the infection can move laterally within our cloud, and if it can somehow still deliver the infection to the user. Without going into too much technical detail, what we’ve done is to make sure that this cannot happen. So, even if the browser on the cloud gets infected, that infection has no place to go.
Would isolation still work hand in hand with traditional anti-virus?
If you talk to cybersecurity vendors, they will try to convince you there is this notion of a risky web. I think that’s completely silly, because nobody knows which slice of the web is risky. Anything good can go bad and so forth. Our whole vision and philosophy in the way we’re building the product and the type of things we’re doing is under the assumption that we need to get to the point where we isolate the entire internet for all the people. Because that’s the only way to keep it risk free.