Defeating Malware: Isolate and Sanitize

Rather than Detect

July 10, 2015

Stratecast Analysis by

Michael P. Suby

Stratecast Perspectives & Insight for Executives

Volume 15, Number 26

SPIE #26, July 2015 © Stratecast | Frost & Sullivan, 2015 Page 2

Defeating Malware: Isolate and Sanitize Rather than Detect

Introduction [1]

Detection has historically been the foundation of the fight against malware infections. In theory, if malware can be detected, then action can be taken to mitigate it. Yet, as history has also shown, this "detect and then act" sequence has weaknesses that limit its effectiveness.

To be effective, malware detection and mitigation need to be comprehensive, accurate, intuitive (i.e., detection alerts must be straightforward to interpret), and as rapid and scalable in operation as the malware developers they face. User transparency and a low tax on physical IT assets (bandwidth, storage, and computation) and on staff (lifecycle administration and user helpdesk) are equally important, so that the cost of waging the war does not offset the gains.

Indicators of inadequacy in anti-malware defenses are, however, present. First, legacy anti-malware approaches that rely on signatures for detection are in a constant catch-up race against malware developers along multiple tracks: volume, development speed, and sophistication. Moreover, there will always be a time lag between when evidence of a malware infection is detected and when a signature is developed and deployed. Malware will almost always claim a first victim. Second, recognizing that the signature-based approach has limitations, new approaches have entered the market. The most prominent of these is sandboxing: suspicious programs are placed into an isolated environment where their behaviors are analyzed and, if they are determined to be malicious, mitigation decisions follow.

As with signature-based anti-malware, malware developers continually adapt to sandboxing to maintain their effectiveness, for example by embedding detection-evasion code into their programs. As articulated in the recent Frost & Sullivan report, Network Security Sandbox Market Analysis – APTs Create a "Must Have" Security Technology, sandboxing, like signature-based anti-malware defenses, is valuable, but is not a "silver bullet" defense. [2] Third, and most telling, new malware continues to be developed. Economically rational cybercriminals will continue to spend time and talent on developing and distributing malware until anti-malware approaches become so pervasive and so effective that cybercriminals' returns are marginalized, a point that has not yet arrived and does not promise to arrive any time soon.

Rather than attempt to leapfrog malware developers with improved or supplemental detection, approaches that do not rely on detection at all offer an intriguing alternative. Menlo Security offers such an alternative. [3] In summary, the company's approach has two principal technologies. The first is the Menlo Security Isolation Platform (MSIP), where a user's Web sessions are fully executed in temporary virtual containers that are external to the user's device. Second, the user's local browser receives only rendering information from the MSIP-executed Web sessions. Effectively, no active content, including potential malware, reaches the user's device: the user's Web sessions are sanitized of all active and potentially malicious content. Also, with MSIP operating as a Web session proxy, additional security functions can be conducted, such as blocking user input into unsanctioned Web sites. In addition to delving deeper into Menlo Security's malware-defeating approach in this SPIE, we state our opinions on its market ramifications.

[1] In preparing this report, Stratecast conducted interviews with:

Menlo Security – Rick Kagan, VP of Marketing

Please note that the insights and opinions expressed in this assessment are those of Stratecast and have been developed through the Stratecast research and analysis process. These expressed insights and opinions do not necessarily reflect the views of the company executives interviewed.

[2] This report was published in June 2015. For information on how to obtain this report or any other Stratecast or Frost & Sullivan report, please contact your account executive or email [email protected].

[3] https://www.menlosecurity.com/

Malware’s Pervasiveness

Lest there is uncertainty regarding the malware threat, the anti-malware industry is replete with data on the volume and evolving nature of malware. Following is a sample of malware measurements from recently published cybersecurity threat reports:

Symantec reported that more than 317 million new pieces of malware were created in 2014, the majority being of the non-targeted (i.e., indiscriminate) variety. [4]

Intel Security, through its McAfee Labs, reported that its inventory of total malware samples increased 13% from the fourth quarter of 2014 to the first quarter of 2015, and now contains 400 million samples. As part of this total, new mobile malware increased by 49% over the same period. Also, new suspect URLs (including malware and phishing hosts) totaled nearly 30 million in the first quarter of 2015. [5]

The channels for malware distribution are diversifying. Trend Micro reports material increases in instances of malvertising (i.e., malware delivered through the online advertising ecosystem). [6] Also, malware masquerading as a mobile app eclipsed one million at the end of 2014, according to Symantec. [7]

A key point not to be overlooked in these malware measurements is that they represent detected malware; absent is the unquantifiable unknown. [8]

[4] Symantec, Internet Security Threat Report, https://know.elq.symantec.com/LP=1542 (April 2015, Volume 20)

[5] Intel Security, McAfee Labs Threats Report, http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf (May 2015)

[6] Trend Micro, TrendLabs 1Q 2015 Security Roundup, https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/rpt-trendlabs-2015-1q-security-roundup-bad-ads-and-zero-days-reemerging-threats-challenge-tr.pdf (June 2015)

[7] ibid

[8] Similar to other analyses of Web sites for instances of running vulnerable software, and therefore being open to hosting of malware by hackers, Menlo Security determined that 20% of the Alexa (http://www.alexa.com/) top one million Web sites run vulnerable software, which includes popular Web sites that are listed as "safe" by URL categorization and rating services. See State of the Web 2015: Vulnerability Report, available at https://www.menlosecurity.com/.

Under the Hood of Menlo Security’s Malware-Defeating Approach

Concept simplicity is typically an essential attribute in effectively conveying the virtues of an alternative approach. Simplicity is apparent in Menlo Security’s malware-defeating approach. The side-by-side process flow comparison illustrated in Exhibit 1, below, between legacy anti-malware approaches and the isolation and rendering approach employed by Menlo Security, highlights the two principal differences:

Isolate – Rather than conduct all Web content fetching and execution in the user’s device, as with legacy approaches, Menlo Security relocates these functions to its Isolation Platform. The Isolation Platform, hosted in Amazon Web Services or as a virtual appliance for deployment in a private cloud or data center, has a ready inventory of disposable virtual containers (DVCs). Each DVC is a proxy Web session corresponding to a tab in the user’s browser. As the user opens a new browser tab, a fresh DVC is activated. When the user closes the browser tab, the associated DVC is wiped away; no session remnants or user data remain. Through this relocation of the fetching and execution of a user’s Web sessions to an external isolation environment, malicious and threatening activity occurs external to the user’s device.

Sanitize – Creating an external proxy of the user's Web sessions with DVCs does not, on its own, completely stop malware and other malicious content from seeping onto the user's device. This is the role of Adaptive Clientless Rendering™ (ACR). ACR sanitizes the Web session by removing all active content, malicious and benign; only rendered information from the Web session is presented on the user's device. In contrast to legacy anti-malware approaches, all active content is treated the same, so the need to detect malware evaporates. No malware signatures are used, and no behavioral analysis of suspicious programs is conducted; these activities are, in essence, obsolete with Menlo Security. Furthermore, zero-day attacks that leverage malware or malicious links require no special or rushed treatment. All new malware and malicious links are sanitized away upon their first appearance. There is no first victim.

Exhibit 1: Legacy Anti-Malware versus Menlo Security

Source: Menlo Security

This Menlo Security architectural approach sustains attributes that are well aligned with the requirements of an effective malware-defeating solution. Those attributes include:

Native User Experience – The relocation of fetch and execution functions to the Web session proxies in MSIP, and the pushing of rendering information to the user’s device does not, according to the company, change the “look and feel” of the user’s browser interactions. For users, session relocation and rendering are transparent.

High-Speed Performance – Seconds, even milliseconds, matter to users in their Web interactions. Depending on user circumstances, Stratecast believes that users’ Web interactions could be even faster with Menlo Security’s approach than without it. The reason for this is twofold: (1) relocation of the Web session fetching and execution to an industrial-grade environment, and (2) the potential lessening of bandwidth contention within the user’s access line (users’ wired and wireless connections to the Internet and then onto AWS data centers).

Recognizing that the AWS cloud platform was designed for virtually unlimited, rapid-scaling processing capacity, engineered for uncompromising bandwidth throughput within the AWS data centers, and equipped with multiple, ultra-high bandwidth connections with the core network operators serving the Internet, the relocation is an upgrade from consumer-grade fetch and execution (user’s environment) to industrial-grade (AWS environment). Second, to the extent that: (1) the rendering information is a smaller payload than user Web sessions executed locally, (2) the number of content-fetching roundtrips are fewer, or (3) both, this too could add to faster assembly of Web pages on the user’s screen.

Agnostic and Clientless – Web session relocation also eliminates dependencies at the user end, an attractive attribute in a connected world that is growing in the diversity and number of devices. Any device type, any operating system, and any browser are supported by Menlo Security, without the burden of client software or plug-ins. Aside from an initial configuration that redirects the user's browser to the MSIP (e.g., by pushing a proxy auto-configuration (PAC) setting through a device management mechanism such as Microsoft Active Directory Group Policy), there are no other steps or conditions for getting users up and running.
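As an added illustration, and not Menlo Security's own configuration, the following proxy auto-configuration (PAC) script shows what the browser redirect described above amounts to: every external Web request is handed to an isolation proxy, while intranet names and private address ranges stay direct. The proxy address, the internal DNS suffix and the private ranges are assumptions for the example; the three helper functions are normally supplied by the browser's PAC runtime and are re-implemented here only so that the script also runs stand-alone under Node.

```javascript
// Added example (not Menlo Security's code): a PAC script that a Group Policy or
// MDM profile would push to browsers so every external Web session is fetched and
// executed by the isolation proxy rather than on the endpoint. Host names and the
// proxy address are assumptions for illustration.

const ISOLATION_PROXY = "PROXY isolation-proxy.example.internal:3128"; // assumed address
const INTERNAL_SUFFIXES = [".corp.example.internal"];                    // assumed intranet zone
const PRIVATE_RANGES = [                                                  // RFC 1918 blocks
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
];

// The next three helpers mirror the PAC runtime built-ins of the same name
// (assumption: defined here only so the script runs outside a browser).
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// A real isInNet() resolves names; this one matches dotted-quad literals only.
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Keep intranet traffic local: single-label names, the corporate DNS suffix, private literals.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  for (const suffix of INTERNAL_SUFFIXES) if (dnsDomainIs(host, suffix)) return "DIRECT";
  for (const [net, mask] of PRIVATE_RANGES) if (isInNet(host, net, mask)) return "DIRECT";
  // Everything else, http and https alike, goes through the isolation proxy. No DIRECT
  // fallback is listed, so a proxy outage fails closed rather than exposing the endpoint.
  return ISOLATION_PROXY;
}
```

Note that no DIRECT fallback follows the PROXY entry, so if the isolation proxy is unreachable the browser fails closed instead of quietly fetching active content on the endpoint; whether that trade-off is acceptable is a policy decision for the deploying organization.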

Expanding Field of Coverage

The ways in which users and organizations are victimized by malware and malicious content have followed the expansion in how users engage with Internet resources. With this expansion, the operating footprint of anti-malware solutions must also broaden to remain relevant. Furthermore, given the option, organizations and consumers generally choose all-in-one solutions over a collection of specialized solutions, provided that cost and effectiveness are comparable.

Menlo Security’s core technologies—Isolation Platform and Adaptive Clientless Rendering—have been adapted to address three primary sources of malware infections: Web browsing, documents, and email. The company offers three services corresponding to these sources of infection: Web Isolation Service, Document Isolation Service, and Email Isolation Service. Brief descriptions of each follow, with attention paid to extra security measures that are present in these services.

Web Isolation Service

Menlo Security's initial service, Web Isolation Service, defends against malware infections sustained through users' Web site visits by purging malware from the content delivered to the user's browser. Being malware-free by default is the service's most distinctive property, but other security capabilities are also noteworthy.

Through the execution of users' Web sessions in MSIP, real-time observations of malicious intent are captured and used in two ways: (1) conducting forensics, and (2) fingerprinting and categorizing Web sites. First, within the Isolation Platform, any attempt by software to execute unrecognized code causes the DVC to be frozen; a snapshot of the DVC is taken for use in forensics, and the DVC is then discarded. Even if malware executes in the DVC, the ACR technology eliminates the pathway to the user's device. Second, every Web response is analyzed in real time, and a fingerprint of the software in use and its version is created (e.g., Apache, Drupal, IIS, WordPress, PHP). These fingerprints are compared against Common Vulnerabilities and Exposures (CVE) entries. They are also used by security administrators in establishing granular Web content filtering policies for their organizations.
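The fingerprinting step above, as an added example that is not Menlo Security's code: it pulls product and version tokens from the response headers and from an HTML generator tag, then applies an administrator policy keyed on product and minimum version, which is the "granular Web content filtering" use. The response and the policy table are constructed for the example (the version thresholds are an assumed organizational rule, not advisories), and all names and parameters are assumptions.

```javascript
// Added example (not Menlo Security's code): fingerprint the software behind an
// HTTP response from its headers and HTML, then apply an administrator policy that
// keys on product and minimum version. The response below is constructed for the
// example; header names are assumed to have been lower-cased by the caller.

const SAMPLE_RESPONSE = {
  headers: {
    "server": "Apache/2.4.7 (Ubuntu)",
    "x-powered-by": "PHP/5.5.9-1ubuntu4",
  },
  body: '<html><head><meta name="generator" content="WordPress 4.1" /></head><body>hi</body></html>',
};

// Hypothetical organizational policy (assumption, not a vulnerability list):
// sites running anything below minVersion are served read-only.
const SAMPLE_POLICY = [
  { product: "php", minVersion: "7.0", action: "isolate-readonly" },
  { product: "wordpress", minVersion: "4.2", action: "isolate-readonly" },
];

// "Apache/2.4.7 (Ubuntu)" -> [{ product: "apache", version: "2.4.7" }]
function parseProductTokens(value) {
  const out = [];
  const re = /([A-Za-z][A-Za-z0-9_.-]*)\/(\d+(?:\.\d+)*)/g;
  let m;
  while ((m = re.exec(value)) !== null) out.push({ product: m[1].toLowerCase(), version: m[2] });
  return out;
}

// Collect product/version pairs from the usual self-reporting spots.
function fingerprintResponse(resp) {
  const fps = [];
  for (const h of ["server", "x-powered-by", "x-generator"]) {
    if (resp.headers[h]) fps.push(...parseProductTokens(resp.headers[h]));
  }
  const gen = /<meta\s+name=["']generator["']\s+content=["']([^"']+)["']/i.exec(resp.body || "");
  if (gen) {
    const m = /^([A-Za-z][A-Za-z0-9_.-]*)\s+v?(\d+(?:\.\d+)*)/.exec(gen[1].trim());
    if (m) fps.push({ product: m[1].toLowerCase(), version: m[2] });
  }
  return fps;
}

// Numeric, segment-wise comparison, so "4.10" > "4.2" and "2.4" == "2.4.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return one finding per (fingerprint, rule) pair that falls below the threshold.
function evaluatePolicy(fingerprints, policy) {
  const findings = [];
  for (const fp of fingerprints) {
    for (const rule of policy) {
      if (rule.product === fp.product && compareVersions(fp.version, rule.minVersion) < 0) {
        findings.push({ product: fp.product, version: fp.version, action: rule.action });
      }
    }
  }
  return findings;
}
```

Two caveats a practitioner should keep in mind: these fingerprints come from self-reported values that a site operator can strip or falsify, and distribution vendors routinely backport security fixes without changing the advertised version string, so a match against a CVE entry or a policy threshold marks a site for stricter handling rather than proving it vulnerable.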

Since the MSIP operates Web session proxies on behalf of users, the users’ actual IP addresses (i.e., where they are located) are hidden from the Web sites they visit. Rather, what these Web sites see and collect are IP addresses associated with AWS or the organization’s data center (when the MSIP is deployed as a virtual, on-premises appliance). This cloaking of the user’s actual IP address can be useful in efforts to protect user anonymity and privacy in their Web site visitations.

Document Isolation Service

Similar to Web Isolation Service, the Document Isolation Service leverages the MSIP and ACR technologies to strip Web-accessed documents of active content, malicious and benign. What the user views locally is a fully functional HTML5-converted version of the original document. Currently, document types that are supported by the Document Isolation Service include PDF, Word, Excel, and PowerPoint.

Recognizing that online document viewing does not accommodate all user circumstances, policy administrators can allow safe versions of accessed documents to be downloaded to users' devices in PDF format. In these safe versions, users are protected from potentially malicious content, such as links to Web sites that host malware, because any such link is executed in the Isolation Platform. In another administrator option, policies can be established that allow select document downloads in their original format with any active content still in place. Policies of this nature can be highly granular, based on any number of variables (e.g., user and Web site visited). Because "original format" download policies bypass the malware-defeating mechanism of this service, organizations should take care in defining them (e.g., downloads only from trusted Web sites), or take further anti-malware action on the document, such as redirecting it for malware assessment and mitigation before delivering it to the user.

Email Isolation Service

This service neuters malicious links included in email (e.g., to a Web site hosting drive-by downloads, or to a phishing site). In practice, a user's email is forwarded from the user's mail service (e.g., Gmail, Microsoft Exchange, or Office 365) to the MSIP. Any link to a Web site that is not whitelisted is rewritten so that it opens in the Isolation Platform in Protected Mode, in which user keyboard input is blocked. Whitelists include well-known Web sites and sites specific to the Menlo Security customer.

In keeping with user transparency, users can still read content and navigate the Web site as they normally would. However, the user cannot input any information, a mechanism that eliminates the risk of a user divulging personal information (e.g., login credentials) into a phishing site. As with the Document Isolation Service, options are available that allow user input. One method is administrator controlled: administrators allow user input after assessing a user request (e.g., delivered via email or through an internal helpdesk system). Although effective, this method may not provide the immediacy that the organization deems necessary. To that end, Email Isolation Service has an option that allows users to switch with a single click from Protected Mode (no input allowed) to Input-Enabled Mode. As users click to make this transition, this service feature can be configured to present the user with real-time risk information regarding data input.
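The link rewriting that Protected Mode relies on, as an added example rather than Menlo Security's implementation: each http(s) link in a message body is parsed, its host is checked against the whitelist, and non-whitelisted links are redirected to the isolation platform with a mode parameter. The isolation URL, the parameter names, the whitelist and the sample message are all constructed for the example.

```javascript
// Added example (not Menlo Security's code): rewrite every link in an email body so
// that any host not on the whitelist opens through the isolation platform in a
// protected (no-input) mode. The isolation URL, parameter names, whitelist and
// sample message are assumptions constructed for this example.

const ISOLATION_BASE = "https://isolate.example.internal/open"; // assumed
const WHITELIST = ["example.com", "intranet.example.internal"];  // assumed: well-known + customer-specific

// True when host is a whitelisted domain itself or a subdomain of it. A plain
// substring or suffix test would also accept "notexample.com" or "example.com.evil.net".
function hostIsWhitelisted(host, whitelist) {
  host = host.toLowerCase().replace(/\.$/, "");
  return whitelist.some((d) => host === d || host.endsWith("." + d));
}

// Build the redirect. searchParams encodes the inner URL, so its own query string
// cannot smuggle extra parameters into the isolation request.
function isolationUrl(original, mode) {
  const u = new URL(ISOLATION_BASE);
  u.searchParams.set("url", original);
  u.searchParams.set("mode", mode); // "protected": rendered read-only, keyboard input blocked
  return u.toString();
}

// Rewrites http(s) links in href attributes and in bare text. Non-http schemes
// (mailto:, javascript:) are left alone; isolation is only meaningful for Web content.
function rewriteLinks(body, whitelist = WHITELIST, mode = "protected") {
  const urlPattern = /https?:\/\/[^\s"'<>]+/gi;
  return body.replace(urlPattern, (raw) => {
    let parsed;
    try { parsed = new URL(raw); } catch (e) { return raw; } // unparsable: leave untouched
    // URL parsing, not string matching, decides the host:
    // "https://example.com@evil.net/" has hostname evil.net, not example.com.
    if (hostIsWhitelisted(parsed.hostname, whitelist)) return raw;
    return isolationUrl(raw, mode);
  });
}

// Constructed message: one legitimate link, one look-alike domain, one userinfo trick.
const SAMPLE_EMAIL = [
  'Your invoice is ready: <a href="https://example.com/invoice/42">view</a>.',
  "Please confirm your account at https://example.com.login-verify.net/reset?u=bob",
  "Or here: https://example.com@login-verify.net/",
].join("\n");
```

The host check matches a whitelisted domain and its subdomains only; a suffix or substring test would also pass look-alikes such as example.com.login-verify.net, and parsing with URL rather than inspecting the string is what keeps a userinfo trick like https://example.com@login-verify.net/ from being mistaken for a whitelisted site. In this scheme, the single-click transition to Input-Enabled Mode would simply be the platform serving the same target with a different mode value after the user's confirmation.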

Market Ramifications

With malware infections and the damages that these infections cause affecting commercial entities and consumers, both of these market segments are potential beneficiaries of Menlo Security’s malware-defeating approach.

Commercial

For organizations, both private and public, malware is a prevalent security concern, and one that consumes material resource time. Based on a recent global survey of information security (infosec) professionals, malware was second only to application vulnerabilities in these professionals' list of top 10 security concerns. [9] Seventy-one percent of the survey respondents indicated that malware was either a top or high concern. Also, malware threats are diverse in intent, as shown in Exhibit 2.

Several types of malware-delivered threats, plus phishing, are among the most common security threats organizations encounter. Also noteworthy is that among infosec professionals in an incident response role, 85% of the survey respondents stated they spend a significant amount of time on remediating attacks and malware.

Exhibit 2: Security Threat Commonality

Q: Please indicate how common each of the security threats listed below is for your organization [23 threats were listed with 12 being malware-related].

Top 12 security threats by commonality (rated 4 or 5 on a 5-point scale, with 5 being "very common"), percent of survey respondents (n = 7,985). Threats charted: Spyware/keylogger (malware); Cyber-espionage; Brute force (hacking); Backdoor (malware); Command and control (malware); Downloader (malware); SQL injection (hacking); DoS and DDoS attacks; Privilege abuse (insider misuse); Web app. attacks (excl. SQL injection); Scan network (malware); Phishing (social engineering).

Source: Frost & Sullivan

The continual rise in malware, as previously documented in this SPIE, the high prevalence of malware as a security concern, and, by association, the insufficiency of current anti-malware approaches create a "perfect storm" in drawing attention to Menlo Security's malware-defeating approach. Even so, security organizations are cautious. Few jump head-first into a new approach without first giving thoughtful consideration to its business and operational aspects. Three that Stratecast believes bear consideration are:

[9] This survey result and many others are contained in The 2015 (ISC)2 Global Information Security Workforce Study, available at: https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)%C2%B2-Global-Information-Security-Workforce-Study-2015.pdf.

Snap-in – Will Menlo Security services easily snap into an organization’s existing IT and security technologies, which need to closely coexist (e.g., user directories, endpoint management systems, and email platforms), with minimal integration effort?

Reduction and Retirement – Will reduction in the use, or even complete retirement, of existing security technologies that have similar risk-reduction objectives as Menlo Security services be possible? What are the short- and long-term reductions in product purchases and licensing agreements? What are the impacts on infosec professionals’ time (e.g., quarantine and remediate malware-infected user devices)?

Exception Processing – With Menlo Security’s services operating out-of-the-box to purge active content and block user input into Web pages, but also accommodate policy exceptions, several potential unknowns come to the forefront for the would-be subscribing organization. How extensive will exception policies be, and how will users and their work routines be affected? How will secondary security processes be incorporated when a policy exception is granted?

Menlo Security's Isolation Platform, its active-content-free ACR technology, and the "slight touch" on user devices all point to positive potential, especially with respect to the first two considerations. The exact extent of that potential will be particular to each subscribing organization. Separately, the burden of exception processing is highly dependent on the organization (e.g., lighter for the more risk averse).

Positively, there is a means for organizations to assess these considerations with facts rather than speculation. Menlo Security services are available as cloud-delivered services. Combined with the aforementioned slight touch on user devices, the means for commercial organizations to try these services is straightforward. Through a small test group of user devices, organizations gain valuable experience in assessing how Menlo Security services can serve their malware-defeating and phishing-abatement objectives.

Consumer

Communication services providers (CSPs), fixed line and mobile, and born-in-the-Internet-age companies such as Amazon, Facebook and Google directly engage with nearly every Internet-connected consumer, either as a conduit to the Internet or as a primary landing site. Also common is that each of these companies is accustomed to delivering consumer services through network-based or cloud-based platforms (both of which are external to user devices). In this regard, these companies represent like-minded partners for Menlo Security's malware-defeating and phishing-abatement services. Moreover, the device-, OS-, and browser-agnostic design of Menlo Security services represents a means for these providers to offer security uniformity to potentially all of a consumer's or household's connected devices (laptops, tablets, and smartphones), with limited up-front device preparation.

Although the enterprise, not the consumer market segment, is Menlo Security's initial target segment, the company's fresh approach could be a catalyst for growing consumer offerings by CSPs and providers of consumer online services. Naturally, porting enterprise-targeted services to consumers requires feature enhancements. These are Stratecast's top two recommended enhancements:

Broaden the Coverage of Malware Infection Points – Consumers' time spent on the Internet through the browsers on their mobile devices pales in comparison to their time on mobile apps (14% versus 86%). [10] With malicious apps evading vetting processes at app stores, these apps represent a material point of potential malware infection and phishing vulnerability for consumers. The same is true for the mobile advertising ecosystem. These are, however, two infection points that are not directly addressed by Menlo Security. Either Menlo Security or its provider partners need to broaden coverage in order to offer "wherever you go, whatever you do online, through any device—we have you protected" services to consumers.

Intuitive Self-Service – While default security settings will work for a large swath of consumers, some consumers will want to personalize their security policies for their risk tolerance level. Beneficially, intuitive self-service portals are how CSPs and online companies frequently deliver customizable services to their large consumer bases. Thus, this heavy lifting is not primarily on Menlo Security's shoulders to accomplish; their provider partners could make this happen.

[10] Khalaf, Simon, Apps Solidify Leadership Six Years into the Mobile Revolution, Flurry Insights, http://flurrymobile.tumblr.com/post/115191864580/apps-solidify-leadership-six-years-into-the-mobile (1 April 2014)

Stratecast: The Last Word

Traditional and even new approaches to detecting malware can only go so far in reducing this prevalent security risk in a connected world. Incomplete detection and the time lag in detection and then mitigation are the two primary deficiencies of a “detect and then act” approach. While not the death blow to detection-based approaches, they leave gaps for cybercriminals to exploit and force concerned organizations to address these gaps through supplemental security technologies and processes.

Menlo Security offers a fresh approach that eliminates the guesswork from malware detection. By sanitizing active content—malicious and benign—from users’ online activities, a safer online experience is assured. However, if a slower online experience or a change in users’ natural online rhythm is required to deliver higher safety, an undesirable trade-off is created. By using the scale, reach, and reliability of cloud computing, and the company’s proprietary rendering technology, Menlo Security eliminates this trade-off. Users and their organizations gain a safer online experience without compromising performance or rhythm.

Michael P. Suby

VP of Research

Stratecast | Frost & Sullivan

[email protected]

About Stratecast

Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only attainable through years of real-world experience in an industry where customers are collaborators; today’s partners are tomorrow’s competitors; and agility and innovation are essential elements for success. Contact your Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.

About Frost & Sullivan

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies? For more information about Frost & Sullivan’s Growth Partnership Services, visit http://www.frost.com.

CONTACT US

For more information, visit www.stratecast.com, dial 877-463-7678, or email [email protected].