Menlo Security Captures Malware in Containerized Microservices, Part Two

Last time we introduced Menlo Security, a web firm with a twist, making containers with the infected web services and malware trapped inside them disappear, preventing attacks from reach web browsers.

Using Menlo Security, employees and end-users could click through website after website, infected or otherwise and attacks would never reach their hardware or systems. Containers housing web services in Menlo Security vanish many times per click or web session, disposing of malicious traffic and code as fresh, clean, new containers appear for the next task.

The primary use is any web traffic port such as port 80 traffic. The real use case is for large concerns with employees who must surf any number of different types of websites as part of their jobs knowing that there is a lot of code coming at them including Java script from ad networks, flash, and various document types such as PDFs; we execute all that inside the container in our isolation platform giving those users a native experience while ensuring that nothing ever reaches those endpoints, explains Kowsik Guruswamy, CTO, Menlo Security.

The Basis for the Technology

Over the past 20-some years, approximates Guruswamy, security products whether anti-virus, next gen firewalls, or what have you have tried to first figure out whether something coming to an endpoint is good or bad and then make a policy decision based on risk. “Our thesis is that model is broken. We don’t really care whether something is good or bad. We just execute and run everything in containers. That way we never have to worry about false negatives or false positives,” says Guruswamy.

The only things that make it down the pipe to the endpoint once Menlo Security is deployed are rendering instructions and visual elements that the browser sees; existing security tools such as anti-virus and sandboxing tools won’t see anything good or bad because the only traffic is placement instructions in the browser for the font, text, and anything else, says Guruswamy. “No recognized code will be coming down from our cloud environment back to the enterprise perimeter,” says Guruswamy.

If on the other hand web services were to remain active week after week with no protection like Menlo Security’s offering, they would become increasingly infected and be able to pass threats on to the browser. With containers shielding the browser at a proxy in the cloud, attacks go no further than the briefly infected web services, which disappear with the containers after each use.

Results: Potentially No More Browser-Related Breaches

“Some of the popular breaches that have become public knowledge such as at The Huffington Post, Forbes, and Yahoo Tech were related to ad serving. The related ad network ran some really old piece of software. In some cases, software was PHP versions from 2006 with unpatched vulnerable code,” says Guruswamy. Menlo Security’s approach accounts for the lack of control over whether other networks maintain updated software by executing potentially bad code in a protective containerized layer.

“We dispose of those containers at very high rates, effectively at every click, every time you change domains, every time you close a tab. We don’t have to care anymore what these things are running and whether they are infected,” exclaims Guruswamy.

In Your Face Demonstrations

When demonstrating its capabilities, Menlo Security sees initial skepticism in the faces of customers considering its service. “Then we show them the demo and they express complete disbelief,” says Guruswamy. Menlo Security has the operational cloud infrastructure to deploy its solution even to very large concerns. “We have large customers in banking, we have international institutions with over 250K employees that are running this,” says Guruswamy.

Speaking of skepticism, my first counter to this technology was to ask whether a smart hacker could locate and exploit a vulnerability in the connection to Menlo Security, to the enterprise it serves, or in the traffic in between. Menlo Security answered that broadly.

Menlo Security locks its containers down and isolates them using mandatory access controls, knowing what the container solution is supposed to run inside it and ensuring that it can’t run anything else, says Guruswamy. “We even address things like false system access and system call restrictions,” Guruswamy says.

More interesting to me is the number of different triggers and alerts that Menlo Security has set up so that, if there is any question, the system will dispose of that container. The channel in between the cloud and enterprise is also encrypted.

Menlo Security’s adaptive clientless rendering net protocol is asymmetric in that it only allows the visual elements from the isolation platform to come back to the user’s browser; that channel has no provision for sending any code, so even if something is infected and tries to write to the channel at the protocol level, it can’t, explains Guruswamy.

David Geer

David Geer

David Geer’s work has appeared in ScientificAmerican, The Economist Technology Quarterly, CSO & CSOonline, FierceMarkets, TechTarget, InformationWeek, Computerworld,,, IEEE Computer Society’s Computer magazine, IEEE Distributed Systems Online, Government Security News, Laptop, Smart Computing, Technical Support, The Hosting Standard (Canada), (UK), SIGnature, Processor, and the Engineering News-Record. David served as a technician at CoreComm in Cleveland, OH prior venturing into writing.

David Geer has 24 posts and counting. See all posts by David Geer