Eliminating Email & Web Malware with Isolation

Upload: lycong

Post on 23-Sep-2018

Page 1: Eliminating Email & Web Malware with Isolation · HTA, RTF, etc. Word fetches remote object at URL ... DLP CASB CONTENT ANALYSIS SANDBOXING KNOWN MALICIOUS SITES ANTI …

Eliminating Email & Web Malware with Isolation

Carlos A. Muñoz, CISSP, Regional Director

Jon Peppler, Sr Director Channels

“It’s Safe to Click”

Page 2

| © 2017 / Menlo Security, Inc. All rights reserved. 2

Detection for protection

Main security layers over time:

- 1993: firewalls, anti-virus
- 1998: IDS, threat intelligence
- 2003: IPS, behavioral analysis

Page 3

Reactive, layered defenses stop 99% of threats:

- Anti-Spam
- Sandboxing
- Access Security
- Next Generation Firewall
- Site Categorization
- Anti-Phishing
- Content Analysis
- Anti-Fraud
- DNS Security
- Web Application Firewall
- Next Generation Antivirus
- DDoS Prevention

Page 4

But, with all of those layers in place, 1% still gets through.

Page 5

Content filtering is being circumvented

Inbound content reaches the user past content filtering via:

- Browser zero-days
- Malvertising
- Plug-in exploits
- JavaScript downloaders
- Zero-pixel iframes
- Documents from the web
- Drive-by downloads

Sandboxing is being circumvented

Sandbox evasion techniques:

- Delayed execution
- Version mismatch
- Benign payloads

Page 6

Today’s Advanced Protection Can't Block Malware in Active Content

Diagram: the layered defenses (anti-spam through DDoS prevention, as listed on page 3) sit in front of a page whose active content is pulled from third-party affiliates: trackers, ads, beacons, analytics and CDNs.

Page 7

Attackers Use Trusted Sites for Phishing

Phishing sites leverage popular hosting services (chart: sites in the “Business and Economy” category, 11679).

Page 8

Site Categories Can and Do Change

Malicious sites can be registered in a trusted category.

Chart: category of one site over a 90-day period (9/26, 10/01, 10/06, 10/11, 10/16, 10/21), moving between “News and Media” and “Malware Sites”.

Page 9

Modern Day Threats: common attacker tactics over the past few years

- DRIDEX: Microsoft Word zero-day exploits
- AdGholas: malvertising
- DNC: credential theft

Page 10

DNC credential theft

John Podesta email credential loss: a Gmail “reset your password” phishing email.

Flow: user clicks → Secure Email Gateway → Secure Web Gateway.

Why detection missed it:

- URL is a categorized website; no email context
- URL hosted on popular user sites, not known malicious
- Sandbox finds no risk indicators

Other similar attacks: Google Phishing Attack, Netflix Phish, DocuSign Phish, and more…

Page 11

AdGholas campaign: malvertising

Flow: user clicks → Secure Web Gateway → exploit → download.

Why detection missed it:

- Sandbox did not see any risk indicators
- Browser zero-day CVE-2017-0222 was exploited to drop the Astrum Exploit Kit
- Malvertising URL kept changing, so it couldn’t be blocked as known bad

Page 12

DRIDEX: Microsoft Word (Office) zero-day exploit

Flow: user opens doc → Secure Email Gateway → Secure Web Gateway → endpoint is infected.

Why detection missed it:

- Word fetches a remote object (HTA, RTF, etc.) at a URL
- URL not known malicious
- Sandbox did not find any risk indicators: no exploit shellcode, no macros, no active code
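The DRIDEX slide above makes the point that a document can compromise the endpoint with no macros, no shellcode and no active code, simply because Word follows a link to a remote object. The following Python script is an added example written for this edit, not Menlo code and not taken from the deck: it inspects the relationship (`.rels`) parts of an OOXML `.docx` package for external targets and flags those whose relationship type Word dereferences automatically, and it builds two constructed sample documents in memory to run against. The function names, the `AUTO_FETCHED_TYPES` list and the 203.0.113.10 address are assumptions of the example, not indicators from the page.

```python
"""Flag Office documents that will fetch a remote object when opened.

Added example (not from the Menlo deck). An OOXML .docx is a zip package and
every part's outgoing links live in a *.rels file. A relationship marked
TargetMode="External" whose Target is a URL is one Word may dereference
even though the file carries no macros, no shellcode and no active code.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word follows on its own when the document opens.
# Assumption for this example: a non-exhaustive list; hyperlinks are left out
# because they are only followed when the user clicks them.
AUTO_FETCHED_TYPES = {"oleObject", "attachedTemplate", "image", "frame", "subDocument"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")


def external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "")
                short = rtype[len(REL_TYPE_PREFIX):] if rtype.startswith(REL_TYPE_PREFIX) else rtype
                found.append((part, short, rel.get("Target", "")))
    return found


def remote_fetches(docx_bytes):
    """Keep only the external relationships Word would fetch without a click."""
    return [
        (part, rtype, target)
        for part, rtype, target in external_relationships(docx_bytes)
        if rtype in AUTO_FETCHED_TYPES
        and re.sub(r"\s", "", target).lower().startswith(REMOTE_SCHEMES)
    ]


def build_docx(document_rels_xml):
    """Assemble a minimal, constructed (non-functional) .docx around one .rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("_rels/.rels", f'<Relationships xmlns="{RELS_NS}"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels", document_rels_xml)
    return buf.getvalue()


# Constructed sample: one internal part, one ordinary hyperlink, and one linked OLE
# object pointing at an RTF on a documentation-range address (not a real indicator).
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_PREFIX}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{REL_TYPE_PREFIX}hyperlink" Target="https://www.example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{REL_TYPE_PREFIX}oleObject" Target="http://203.0.113.10/update.rtf" TargetMode="External"/>
</Relationships>"""

# Constructed benign sample: the same document without the linked object.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_PREFIX}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{REL_TYPE_PREFIX}hyperlink" Target="https://www.example.com/" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("suspicious", SUSPICIOUS_RELS), ("benign", BENIGN_RELS)):
        hits = remote_fetches(build_docx(rels))
        print(label, "->", "REMOTE FETCH" if hits else "ok", hits)
```

The check is static and cheap, so it can run at a mail gateway before any sandbox detonation; it says nothing about what the remote object contains, only that the document will reach out for one, which is exactly the behaviour the slide says the sandbox failed to surface.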

Page 13

The Patient Zero Problem

There is always a “Patient Zero” because detection-based security, within Secure Email Gateways and Secure Web Gateways, relies on lagging information sources, threat research and analysis of traffic patterns to identify new threats. It is not a perfect approach.

Page 14

Isolation to Eliminate Email and Web Threats

- 2008: Endpoint isolation
- 2010: Dedicated browser isolation (VDI)
- 2015 - Present: Cloud isolation platform
  – 10x advantage over VDI/visual streaming
  – Superior bandwidth utilization: send rendering instructions vs. graphic content
  – Layout and painting on the endpoint saves ~10x CPU/memory

Page 15

User experience preserved. User transparent technology.

Page 16

The Current Approach

Execution happens locally, leaving browser vulnerable to attack

Page 17

The Menlo Approach: cloud

Page 18

The Menlo Approach: cloud

Threats handled in isolation: browser vulnerabilities, Flash/Java exploits, weaponized documents, executable downloads, drive-by download links, weaponized attachments, phishing links.

File types: WinEXE, MP3, GZIP, Visio, MS Office, JPG, MS Project, ZIP, Autocad, PDF, executables (agnostic).

Page 19

The Menlo Approach: cloud

Adaptive Clientless Rendering

Page 20

A Seamless Experience

Page 21

Browser Functionality Preserved

Printing

Page 22

Browser Functionality Preserved

Copy & Paste

Page 23

Browser Functionality Preserved

Cookies & Syncing

Browser Functionality Preserved

Streaming Video

Page 24

Isolation

Don’t Just Detect – Isolate!

Use cases for: Secure Web Gateway & Secure Email Gateway

The Menlo Difference

Page 25

Menlo Isolation Platform: Protection Use Cases

1. “Isolate-all” web browsing, email links and documents
2. Isolate risky and uncategorized web sites
3. Isolate email links & attachments only
4. Isolate personal web mail & attachments only
5. Credential phishing protection

100% eliminate malware from web browsing & email links. Increase SOC productivity.

Page 26

Patented Isolation Engine and Adaptive Clientless Rendering

Menlo Security Isolation Platform: web content is fetched and executed in the cloud, and the session is disposed of after every use.

Threats absorbed there: phishing, malicious email, weaponized docs, infected websites.

Protected: corporate and personal devices.

Page 27

Web Isolation

Diagram: the web site (news.com) answers HTTP requests with unsafe HTML, JavaScript and Flash; its DOM tree holds <body>, <script>, <script> (Flash) and an MP4 video. The Menlo Security Isolation Platform runs an isolated browser that executes that content and produces the rendered output and DOM tree. Only rendering updates in a proprietary encoding (Adaptive Clientless Rendering, HTML5) reach the endpoint browser, whose DOM tree holds <body> and <video> MP4.

Page 28

Web Isolation in the Enterprise

Secure Web Gateway: HTTP & HTTPS, inbound and outbound.

Threat protection (SWG integrations): DLP, CASB, content analysis, sandboxing, known malicious sites, anti-virus/hash reputation.

Isolation protection capabilities: browser zero day, JavaScript downloaders, plug-in exploits, zero pixel iframes, malvertising, documents from web, drive-by downloads, Flash exploits, Java exploits, data URI.

Existing Threat Protection PLUS 100% Defense

Page 29

Phishing & Email Link Isolation

Diagram (steps 1–3): mail from MS Exchange / Office 365 reaches the user; each email link opens in the Menlo Security Isolation Platform, which fetches and executes the web content (infected websites, weaponized documents, phishing, malicious email) in the cloud.

Eliminates drive-by exploits by isolating all email links.

By opening all email links in safe isolation sessions, MSIP protects every user against targeted spear-phishing and drive-by exploits, thus eliminating “patient-zero” infections.

Enables teachable moments.

Page 30

Document Isolation

Web docs & email attachments are rendered in the Menlo Security Isolation Platform:

- Documents rendered in disposable virtual containers
- Documents converted into HTML5 with no active content
- Optional download of safe PDF (view-only) or original document

Native user experience on any device, any OS, any browser: Adaptive Clientless Rendering (ACR) sends rendering info only, 100% malware free.

Page 31

Eliminate Credential Phishing Threats With Isolation

Isolate email links in the Menlo Security Isolation Platform: the login page behind a malicious email is shown with its user name and password fields restricted.

Restrict inputs; train at time-of-click.
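The document-isolation and credential-phishing slides above describe the endpoint receiving rendering information only, with no active content, and the login fields of a suspect page being restricted. The following Python script is an added example written for this edit, not Menlo code and not a description of how Adaptive Clientless Rendering works internally: it takes a constructed “reset your password” style page and strips the elements the deck's capability lists name as active (script, plug-in objects, iframes, event handlers, javascript: and data: URIs), disables the form fields so a credential cannot be typed into them, and keeps an audit trail of what it removed. All names in it (`RenderOnlyFilter`, `render_only`, `SAMPLE_PAGE`, the `example.invalid` hosts) are assumptions of the example.

```python
"""Reduce untrusted HTML to rendering information only.

Added example (not Menlo's code). A real isolation platform executes the page
remotely and ships rendering updates instead; this filter only shows which
parts of a page count as "active content" and which survive as rendering info,
plus the "restrict inputs" treatment of form fields on a suspected phishing page.
"""
import html
import re
from html.parser import HTMLParser

DROP_WITH_CONTENT = {"script", "object", "applet", "iframe", "frame"}  # element and body
DROP_TAG_ONLY = {"embed", "meta", "link", "base"}                       # void/header fetchers
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")
FORM_FIELDS = {"input", "textarea", "select", "button"}


def _active_url(value):
    """True when a URL attribute would run code or carry an inline data: payload."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.startswith(ACTIVE_SCHEMES)


class RenderOnlyFilter(HTMLParser):
    def __init__(self, restrict_inputs=True):
        super().__init__()            # convert_charrefs=True: text arrives unescaped
        self.restrict_inputs = restrict_inputs
        self.out = []
        self.removed = []             # audit trail of what was stripped
        self.skip_depth = 0           # >0 while inside a dropped container element
        self.in_style = False         # <style> text is CSS, re-emitted verbatim

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, self_closing=True)

    def _start(self, tag, attrs, self_closing):
        if tag in DROP_WITH_CONTENT:
            self.removed.append(f"<{tag}>")
            if not self_closing:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        if tag in DROP_TAG_ONLY:
            self.removed.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:          # HTMLParser lower-cases tag and attribute names
            if name.startswith("on"):      # inline event handlers
                self.removed.append(f"@{name}")
                continue
            if name in URL_ATTRS and value and _active_url(value):
                self.removed.append(f"@{name}={value[:24]}")
                continue
            kept.append((name, value))
        if self.restrict_inputs and tag in FORM_FIELDS:
            # The field is still drawn, so the user sees the page as sent, but the
            # browser will neither accept typing into it nor submit it.
            kept = [(n, v) for n, v in kept if n != "disabled"] + [("disabled", None)]
        if tag == "style":
            self.in_style = True
        parts = [tag] + [n if v is None else f'{n}="{html.escape(v, quote=True)}"' for n, v in kept]
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in DROP_TAG_ONLY:
            return
        if tag == "style":
            self.in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth:
            return
        self.out.append(data if self.in_style else html.escape(data, quote=False))

    def handle_comment(self, data):
        self.removed.append("<!--")   # comments can hide conditional markup; drop them

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def render_only(document, restrict_inputs=True):
    """Return (filtered_html, removed_items) for an untrusted HTML document."""
    f = RenderOnlyFilter(restrict_inputs)
    f.feed(document)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample resembling a password-reset lure: tracking script, meta refresh,
# zero-size iframe, inline handler, javascript: link, data: image and a Flash object.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Sign in</title>
<script src="https://ads.example.invalid/track.js"></script>
<style>body { font-family: sans-serif } a > b { color: red }</style>
<meta http-equiv="refresh" content="0;url=https://bad.example.invalid/">
</head><body onload="go()">
<iframe src="https://bad.example.invalid/kit" width="0" height="0"></iframe>
<form action="https://bad.example.invalid/collect" method="post">
<input type="text" name="user"><input type="password" name="pass">
<button type="submit">Reset password</button></form>
<a href="JavaScript:alert(1)">Help</a>
<img src="data:image/svg+xml;base64,PHN2Zz4=" alt="logo">
<object data="movie.swf"></object>
</body></html>"""

if __name__ == "__main__":
    safe, removed = render_only(SAMPLE_PAGE)
    print(safe)
    print("removed:", removed)
```

Passing `restrict_inputs=False` yields the plain render-only page for ordinary browsing; the `removed` list is what a SOC would log per session to see which pages were carrying active content or credential forms, which is the “teachable moment” the deck refers to.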

Page 32

Menlo’s Approach: Scale

Page 33

Multi-tenant from Ground Up

Auto-scale to Handle Any Load

Ops Management for SP & Large Enterprise

Global Enterprise Cloud

99.99% uptime on par with world-class service providers

Page 34

Case Study: JP Morgan Chase

- 80% of malware emanating from uncategorized sites
- Blocking access led to complaints & lost productivity
- Implemented Menlo to isolate uncategorized & risky web
- Eliminate all risk from web and email for high-value targets

Step 1: Isolate risky websites
Step 2: Isolate all web for high-value users
Step 3: Isolate all employees (250,000 users)

2016 Innovation Award for partnership and strategic impact to JPMC business

Page 35

Menlo Security “It’s Safe to Click”