Menlo Security takes a clever swipe at the vexing problem of endpoint protection. The startup aims to neutralize malware that rides in on Web and email traffic by inserting a cloud-based proxy, in the form of an LXC container, between the Web site and the user’s device.
The container includes a full copy of the user’s OS and browser. The browser session runs inside the container, where all Web and email content, including active content such as Java, is executed.
The system then passes on only the presentation layer of the session to the browser. The result is that the user can see content and interact with the site, but no malicious code runs on the user’s machine.
“You browse with your native browser, we only copy the browser rendering tree, so you get a mirror image without taking risk,” said CEO Amir Ben-Efraim in an interview. “We kept execution contained and away from the end point, but preserve the presentation.”
When the browsing session is finished, the container is eliminated.
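To make the "rendering tree only" idea concrete, here is a toy model added for this write-up (not Menlo's code, and no claim about how Menlo actually does it): the page is parsed where the container would be, scripts, plugins, frames and inline handlers are withheld and counted, and only a passive element tree is serialised for the endpoint. The sample page, tag lists and the `mirror` function are all constructed for the example.

```python
from html.parser import HTMLParser
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "param", "source"}
SAFE_ATTRS = {"href", "src", "alt", "title", "class", "id", "style", "type"}
SAMPLE = (  # constructed sample: passive content mixed with a script, handler, frame and plugin
    '<html><body><h1 onclick="alert(1)">Quarterly report</h1><script>fetch("/x")</script>'
    '<p class="note">Read <a href="javascript:void(0)">this</a> first.</p><iframe src="https://ad.example">'
    '<p>fallback</p></iframe><img src="logo.png" alt="logo"><object data="plugin.swf"><param name="a"></object></body></html>')

class RenderTreeMirror(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = [{"tag": "#root", "attrs": {}, "children": []}]  # open elements
        self.skip_depth = 0   # >0 while inside an active element's subtree
        self.dropped = 0      # active items that never leave the container
    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag in ACTIVE_TAGS:
            self.dropped += 1
            self.skip_depth += tag not in VOID_TAGS   # void tags have no end tag
            return
        kept = {}
        for name, value in attrs:
            # Inline handlers and javascript: URLs are code, not presentation.
            if name.startswith("on") or (value or "").lstrip().lower().startswith("javascript:"):
                self.dropped += 1
            elif name in SAFE_ATTRS:
                kept[name] = value or ""
        node = {"tag": tag, "attrs": kept, "children": []}
        self.stack[-1]["children"].append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)
    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= 1
        elif len(self.stack) > 1 and self.stack[-1]["tag"] == tag:
            self.stack.pop()
    def handle_data(self, data):
        if not self.skip_depth and data.strip():
            self.stack[-1]["children"].append(data)
def render(node):  # serialise one mirrored node (text or element) to inert HTML
    if isinstance(node, str):
        return node
    attrs = "".join(f' {k}="{v}"' for k, v in node["attrs"].items())
    inner = "".join(render(c) for c in node["children"])
    close = "" if node["tag"] in VOID_TAGS else f"</{node['tag']}>"
    return f"<{node['tag']}{attrs}>{inner}{close}"

def mirror(html):  # -> (inert HTML for the endpoint, count of active items withheld)
    p = RenderTreeMirror()
    p.feed(html)
    return "".join(render(c) for c in p.stack[0]["children"]), p.dropped
```

Running `mirror(SAMPLE)` yields the headline, paragraph and image only, with seven active items withheld; the real product mirrors a live rendering tree continuously rather than a one-shot parse, which is where the latency and compatibility concerns discussed later come from.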
Administrators can force users through the Menlo service via a browser proxy setting, so employees at home or on the road using a corporate device are still protected. Menlo notes administrators can push the proxy setting to users via Active Directory. No agent or other endpoint software is required.
Menlo can terminate SSL sessions, allowing it to handle encrypted Web traffic.
A variety of security vendors such as FireEye offer similar technology by running executables in a sandbox environment to look for malicious behavior.
Menlo’s key innovation is that rather than trying to guess which executables have malicious intent, the container doesn’t care. It simply doesn’t let any active content touch the endpoint. This avoids the problems with false positives and false negatives that can bedevil detection-based security products.
Dealing With Documents
While the concept of isolation makes sense, the Web isn’t just a passive medium. Users need to interact with forms and documents, and download materials.
If a user needs to edit a document online, the platform captures the user’s keystrokes and passes them on to the site.
However, if a user actually needs to download a document and edit a local copy, the administrator has to make a policy exception that allows the raw file to be downloaded. This creates a potential management headache, as the organization has to determine who’s allowed to download raw files, and it also potentially exposes the endpoint to malware.
The isolation environment is available as a public cloud service (hosted on AWS), or as a virtual appliance that customers can run in their own data centers.
The isolation platform supports Windows, MacOS and Android on the OS side. For browsers it supports Chrome, Firefox, Safari, and Internet Explorer version 9 and later.
Pricing starts at $150 per user per year, with volume discounts available.
The security industry has tried proxies before, with varied success. Menlo’s isolation concept is intriguing, and while the container and cloud elements feel a little buzzwordy, it’s also a sensible adoption of these technologies.
And the world is already full of products that play the ‘Is this malware?’ guessing game. By sidestepping the detection issue, Menlo avoids a lot of the problems you get with AV, IDS/IPS, and so on.
On the other hand, Menlo inherits the problems that come when you insert yourself in the application path, including latency risks and the requirement to successfully render Web content via an ever-growing combination of OS and browser versions.
But those are small challenges compared to the potential to disrupt user workflow. The browser is user productivity tool number one, and you mess with it at your peril. Users will howl if a security system forces them to open a help desk ticket once, and will find a workaround if it happens twice.
The onus is on Menlo to be good enough that users don’t know it’s there, while still providing meaningful protection. If the startup has cracked this nut, it will likely have its choice of lucrative exits.
I think Menlo is worth a look, but test it thoroughly with a mix of Web apps, browsers, and user groups before you sign a check.
About Menlo Security
Co-founder and CEO Ben-Efraim was VP of cloud security at Juniper Networks. Several other principals have Juniper backgrounds as well, including co-founder and Chief Product Officer Poornima DeBolle and CTO Kowsik Guruswamy.
The company has a total of $35.5 million in VC investment from two rounds. Investors are General Catalyst Partners, Osage University Partners, and Sutter Hill Ventures.