How web isolation can help boost defences against evasive and adaptive cyber threats

HEAT is a pressing threat to our daily lives, and it’s not just about the climate-related phenomenon. Rather, HEAT stands for highly evasive, adaptive threats. This is a type of cyber threat that uses evasive techniques to avoid detection by commonly known defensive mechanisms like firewalls, URL filtering, sandboxing, phishing detection, and antivirus software.
 

For example, in Legacy URL Reputation Evasion, threat actors would create pseudo websites in an attempt to circumvent an organisation’s security protocols. Typically, organisations would have security policies which blocks access to certain websites based on a set of rules. These rules can include requiring the website to have been active for more than six months or to be part of predefined categories that have been marked as safe.
 

But threat actors today understand how these policies work and are using that knowledge to their advantage, says Poornima DeBolle, the Co-founder and Chief Product Officer of cybersecurity solutions provider Menlo Security.
 

They can, for instance, set up a website and have it categorised as something they know the organisation has indicated is safe. They will then let the website sit for a few months. Once the site has fulfilled the criteria of an organisation’s security policy, it will then be used for an attack. This was recently the case in the SolarMarker campaign, which saw threat actors delivering malware through websites typically categorised as ‘good’.
 

People are figuring out what companies have in their security solutions, and figuring out very smart ways to go around it, DeBolle says. In fact, HEAT attacks rose by over 200 per cent in the second half of 2021 alone.
 

“Anytime a user connects directly to the internet or to links coming from an email, they are taking a lot of risks,” DeBolle says. “We wanted to do something that was secure by architecture.”
 

It is with these ever-evolving threats in mind that DeBolle and her team devised their solution: web isolation.

What is web isolation?

Web isolation works by having a platform that functions as an air gap between users’ devices and untrusted content found on the web. Think of it as looking at the website through a bulletproof glass. “Rather than connecting directly to the internet, you connect to the Menlo [isolation] platform,” DeBolle explains.
 

The platform then accesses the backend of the site and generates a text file known as a rendering tree, which allows the users to view and interact with the site’s content safely.
 

By accessing the backend of the website, Menlo can also preemptively identify potential threats before it enters an organisation’s network. For example, DeBolle told GovInsider that Menlo has protected organisations from a threat called the Emotet malware.
 

The malware generally spreads through malicious documents. When users mistakenly access these documents, the malware then downloads and installs a remote access tool which threat actors can use to gain further access into a device or network.
 

Recently, the malware has been spreading through password-protected files, DeBolle says. Since these files are protected, security software like firewalls have no way to inspect the contents of the documents.
 

But with Menlo’s isolation platform, the file is stored safely on the platform and away from the user’s device. Once the user has entered the password to access the file, the Menlo platform is then able to inspect the document without it ever reaching the user’s devices.
 

“[Menlo] provides an avenue for internet access in a safe and controlled manner. The product reduces the risk of inbound threats infecting our network, thus reducing overall costs for the organisation, particularly as our devices no longer get infected by drive-by downloads,” wrote a review by a government CIO on Gartner.

Reverse isolation

During the pandemic, organisations discovered a newfound concern. With employees working from home and using their own devices, organisations needed to find a way to provide their employees access to applications and company data in a secure manner.
 

“You’re not protecting the user, but you’re worried about an untrusted user connecting to a trusted application,” DeBolle explains.
 

To address this, Menlo flipped their isolation platform, introducing a new solution called the Menlo Private Access. “What it does is that only Menlo-trusted browsers connect to the platform. That way, there is no possibility of the application being exposed to unknown user strings and other types of attacks,” DeBolle explains.
 

Much like web isolation, Menlo Private Access functions as an air gap between untrusted user devices and the organisation’s applications and networks. This way, unauthorised users will have no way of accessing an organisation’s network, unless explicit authorisation is given.

Where security and user experience meets

“Anytime you do a security initiative where the end user is affected, or doesn’t have a good user experience, then it does not succeed,” DeBolle says. This is why Menlo’s platform is designed to not just provide a secure user experience, but also a seamless one.
 

Most web isolation platforms work by capturing static snapshots of websites and displaying that information for users. But while users are able to view the content, their ability to interact with the site through these snapshots is limited. Additionally, capturing and transmitting these snapshots often uses a large amount of bandwidth which creates additional lag time.
 

In contrast, Menlo’s approach of using the rendering tree and presenting text files ensures that users are able to interact with the site with minimal lag time, since text files require much less bandwidth to process.
 

Additionally, Menlo’s platform runs on the AWS cloud, DeBolle reveals. This means that they benefit from the rapid computing speed of the cloud as well as its connection with other websites. As a result, Menlo’s platform is able to fetch and deliver content much more quickly than user devices, since they sit in closer proximity to these other sites on the cloud.
 

Menlo’s isolation platform is therefore able to help users surf the net securely without any compromise in latency or user experience, DeBolle says.

Cybersecurity as a community effort

“I sincerely believe that you have to work with your vendor community to deliver the best outcome for the customer,” DeBolle says. Since Menlo’s focus is on web isolation, they work with over 300 partners to ensure organisations can have the best possible security.
 

For instance, organisations who would like to have the protection afforded by a firewall can adopt solutions from other cybersecurity providers like Palo Alto, whose solutions are compatible with Menlo’s web isolation software.
 

Besides partnering with fellow cybersecurity vendors, DeBolle believes that cybersecurity providers also need to play the role of security advisors to help organisations strengthen their defensive posture.
 

“Things are evolving so much all the time that constant conversation and exchange of information is very important,” she says. By interacting regularly with their customers, Menlo is able to update them on threats detected in their networks and keep them updated on key cybersecurity happenings.