We've seen user isolation in the cloud before and some of it is very effective. Typically, users are directed to a cloud service that spots malware and then refuses to deliver content that is infected. Menlo Security's Isolation Platform has an interesting twist. It duplicates the user experience, defangs anything it sees, and delivers clean content to the user - all without the user realizing anything ever was wrong. It is not device dependent and only requires the use of a compatible browser - and that pretty much is all of them.
The Isolation Platform is available either as a cloud service or an on-premises virtual appliance for VMware vSphere 5 and above. It also is a two-way system that not only removes malware from web browsing and email and prevents damage for compromised websites, it also prevents users from exfiltrating sensitive data or responding to fraudulent messages.
There is a myth that a simple sandbox is all that is needed to execute malicious software safely. The truth is that many sandboxes operate at a layer that permits sophisticated malware to sense their presence and work around them. The Isolation Platform creates a virtual container for every browsing session and it creates new containers every time the user switches domains. So, within a single browsing session, the platform may create and destroy dozens of containers as the user moves from domain to domain.
When the user browses to a domain, they do it through the Isolation Platform. That is a simple redirection - a proxy - pushed out to users through Active Directory by the AD administrator. As soon as the platform sees a user browsing to a domain - any domain - it creates a virtual container. The virtual container is a self-contained environment and the activity of the website or email is monitored by the container and the platform. If the content starts to do something, malicious damage is confined to the container.
Passive content usually passes through after being checked for hidden active components. Active content is monitored and, if necessary, cleaned before it is passed to the user. By the time the content gets to the user, there no longer is any active content. Only safe static elements are sent. What that means is that the active elements have executed in the container and the container has captured the static result and sent it alone to the user. No active content executes on the user's computer. If the organization has trusted internal applications that need to run on the user's computer, they can be whitelisted to pass straight through without being isolated in a container.
One of the things we liked was the way the Isolation Platform deals with document-borne malware. While Flash and Java are executed in the container - the obvious approach - often there is malicious content in a document that does not execute until the document is opened on the user's computer. Menlo has a slick way of protecting against this eventuality: it converts documents to HTML 5 format before delivering. At this point they will behave as any other web content and if there is something malicious that survives the conversion it will execute in the container, not on the user's computer. If the user wants to download the document, the platform reconverts it back into a safe version of the original document and allows the download.
Administering the Isolation Platform is simplicity itself. Mostly, the administrator console consists of a collection of dashboards which give a threat picture of the platforms actions. There are three basic dashboards: overview, threat analysis and traffic analysis. Part of what the threat analysis dashboard does is take notice of vulnerable websites. According to Menlo, about a third of the top one million websites are running vulnerable software. Knowing that helps the platform identify malicious content from sites that are likely to be infected. Those vulnerable sites are isolated automatically by the platform. All of this information is reported on the dashboards.
While there is little administration required to run the Isolation Platform successfully, there is an opportunity to set up specific threat rules. These rules let the administrator control, to some extent, how the platform deals with specific types of threats. Some actions, for example, may be considered threats by some organizations and not by others. So, some organizations may wish to allow, for example, Python code to execute. Some may not. That preference can be selected by the administrator when they set up the various rules allowed by the platform. Policy setup is simple. During the policy configuration, whitelisting - or what the platform calls "Isolation Bypass" - is set up. This allows certain domains to be ignored. So, for example, internal applications can run undisturbed.
Overall, we really liked this offering. While other products do similar things in a similar manner, we found that the Menlo Isolation Platform has a level of sophistication and reliability that we have not yet observed in other products.
Product Isolation Platform
Company Menlo Security
Price $150 per user.
What it does Prevents impact of malware by isolating all user activity and cleaning any malicious files before presenting to the user.
What we liked Simplicity - nothing to install on the client - and effectiveness.