Menlo Security Co-Founder on zero-days, computer vision, and AI-developed ransomware


Cybercriminals are always finding new ways to wreak havoc. With both threat hunters and hackers using modern tools like machine learning and artificial intelligence, the race to stay ahead intensifies.

Realising that phishing and malware persist as top security concerns for enterprises, cybersecurity firm Menlo Security decided to focus its resources on protecting the web browser.

Poornima DeBolle, Co-Founder and Chief Product Officer of Menlo Security, sat down with Frontier Enterprise to discuss the company’s genesis, zero-day threats, and the role of AI against cybercriminals.

What prompted you to start Menlo Security?

My CEO (Amir Ben-Efraim) and I met at Check Point Software back in ’97-’98 when we were working there. Then we were at Altor Networks, which later got acquired by Juniper Networks. Upon leaving Juniper, one of the things we observed was that everything in security relied on, “I know something, and so I can stop it.” Take the antivirus, for example. “I’ve seen this before. I have a signature for it. So if I see it again, I can stop it.”

Poornima DeBolle, Co-Founder and Chief Product Officer, Menlo Security. Image courtesy of Menlo Security.

Take a malicious website as another example. The first time you visit a website, you may be clueless about its nature. But once I know it’s bad, I can now stop you from accessing it by categorising it as bad. This prompted us to take a moment after Juniper and step back to gain a fresh perspective. Then, within that landscape, FireEye emerged as the new kid on the block, right? Suddenly, there was a sandbox, something the bad guys hadn’t anticipated. This led to quite a lot of success in discovering malicious activities since now you’re opening potential threats in a sandbox. Yet, it was still detection-based. I’m going to open it in real time, identify the malicious activity, and then block it.

So, we thought about it and we said, “Is there a method or architecture where you don’t need prior knowledge?” What if you assume everything is bad? This resonates with the concept of zero trust. If you presume everything is bad, you trust nothing. If you’re architecturally safe, then you’re always safe. This line of thought led to our idea of isolating the user or placing them in an isolation container. We began exploring what elements could be isolated to ensure user security. Eventually, we landed on the browser as it’s essentially your window to the world. By 2013, measures like locking down USB ports were already commonplace, restricting the use of USB sticks.

Our idea was along the lines of, “Can we create an architecture where you’re secure by design, not because you have a better security team, or something better?” That was essentially the genesis of Menlo. It took us about two years to kind of parse through all of that noise, talk to other CISOs and the like, and figure out, “Okay, here’s where we can create a product and offer value.” I believe we rolled out our product in 2015.

The security industry right now is much more fragmented than it was 10 years ago. Do you see this fragmentation persisting, or do you see more consolidation?

At a high level, I do think there will be consolidation. The reason isn’t so much because there’s a major new wave of consolidation. It’s more of when you deploy everything in your data centre—let’s say a firewall, an IPS, and then something else, and they’re all stacked right there in front of you. If something didn’t work between two of them, it was all within your purview to debug and solve. Now, with cloud security, the scenario changes. If a user goes to, let’s say, a file proxy, and then you decide to use a different provider for another function, you’re moving from one cloud proxy to another. Debugging issues in such a setup becomes a nightmare, right? You’re not only debugging the product but also the connection, the latency, and all these other factors. So, there’s definitely a user desire to simplify and consolidate. But at the same time, when you’re consolidating, the question is, what’s your primary goal? For some, it might be, “I need to get a ZTNA solution.” Their choice of vendor will be very much determined by, “How do I get this first thing?” No vendor has all the features today.

So, they might start with, “Hey, this is my current pain, I’m going to pick the vendor that best addresses this pain today and rely on the vendor to develop in the right way.” The choice of where you start your consolidation journey is very personal, or very enterprise-specific. I think there’s definitely a customer desire to simplify and consolidate, and there are solid technical reasons to do so.

Zero-day attacks continue to be a massive issue for enterprises, given that they do not possess any signatures. How do you respond to those?

That’s exactly what we address. Especially when it comes to browser zero days, a browser isolation architecture is ideal. Zero days occur because there’s a bug in the software, but the risk with zero days is that they’re going to get exploited. The exploitation happens when attackers leverage the zero day to deliver malicious code to the target. And for that code to execute, it needs an environment as the first foothold. This is where isolation comes in. We prevent any execution on-prem. All of our execution happens in the cloud.

One of the main reasons, actually, that our largest customer, the US Department of Defense, values our solution is its cloud-based internet isolation feature, which they call CBII. For them, just imagine there was a Google Chrome zero day; they’re not going to patch 3.2 million users in a short period of time, or even in a medium period of time. The browser isolation architecture is a relief, essentially saying, they don’t have to worry about it. They often refer to the traditional approach as “patching and praying.” Browser isolation — and I admit I’m obviously biased — is probably one of the best architectures when it comes to browser zero days.
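The contrast DeBolle draws above, between a control that needs prior knowledge (a signature or blocklist) and an isolation control that assumes every page is hostile, can be shown in a few dozen lines. The example below is an added illustration, not Menlo Security's code: the "isolation gate" is a stand-in that parses untrusted HTML away from the endpoint and hands back only a passive rendering with every script, frame and event handler removed, while the "signature gate" can only act on a domain it has already seen. The domains, pages and the blocklist are constructed sample data.

```python
"""Signature gate vs. isolation gate: a constructed illustration (not Menlo's code)."""
from html.parser import HTMLParser

# Constructed blocklist: the only prior knowledge the signature gate has.
KNOWN_BAD_DOMAINS = {"known-bad.example"}

# Constructed sample pages. The second one is the "zero-day" case:
# active content the blocklist has never seen.
SAMPLE_PAGES = {
    "known-bad.example": "<html><body><script>alert(1)</script><p>hi</p></body></html>",
    "never-seen.example": (
        "<html><body><h1>Invoice</h1>"
        "<img src=x onerror='fetch(\"/steal\")'>"
        "<iframe src='//ad.example'></iframe>"
        "<p onclick='x()'>Click <a href='https://ok.example'>here</a></p>"
        "<script>/* drops payload */</script></body></html>"
    ),
}

# Elements that execute or embed code; dropped wholesale, including their content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}


def signature_gate(domain):
    """Prior-knowledge control: blocks only what is already on the list."""
    return "block" if domain in KNOWN_BAD_DOMAINS else "allow"


class SafeRenderer(HTMLParser):
    """Re-emits markup with active elements and on* event handlers removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # passive markup handed to the endpoint
        self.stripped = []   # audit trail of what was removed
        self._skip = 0       # nesting depth inside an active element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._skip += 1
            self.stripped.append(f"<{tag}>")
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):   # onerror, onclick, ...
                self.stripped.append(f"{tag}@{name}")
                continue
            kept.append(f'{name}="{value}"' if value is not None else name)
        self.out.append("<" + tag + (" " + " ".join(kept) if kept else "") + ">")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)


def isolation_gate(html):
    """Zero-prior-knowledge control: returns (passive_html, stripped_items).

    The untrusted document is parsed here, never on the endpoint; only the
    passive rendering crosses over, regardless of whether the page is known.
    """
    renderer = SafeRenderer()
    renderer.feed(html)
    renderer.close()
    return "".join(renderer.out), renderer.stripped


if __name__ == "__main__":
    for domain, page in SAMPLE_PAGES.items():
        passive, removed = isolation_gate(page)
        print(f"{domain}: signature={signature_gate(domain)} "
              f"isolation removed {len(removed)} active items -> {passive}")
```

The signature gate allows `never-seen.example` because it has no entry for it; the isolation gate neither knows nor cares about the domain and still strips the `onerror` handler, the frame, the `onclick` handler and the script before anything reaches the user. A real remote-browser-isolation product renders far more (layout, images, a pixel or DOM stream) than this text-only stand-in, but the architectural point, that safety comes from where execution happens rather than from recognising the threat, is the same.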

From a security standpoint, how do you leverage AI?

Let’s address the protection aspect first, because it’s interesting from a product standpoint. We process billions of web sessions every day with north of 8 million, 9 million users on the platform. It’s impossible for any human to process any intelligent data out of that level of transactions, so we definitely use AI to reduce the noise-to-signal ratio.

The other place where we get very high-fidelity data is in terms of, “Here’s what you should pay attention to.” Our research team, Menlo Labs, has a lot of tools like that which they use. Based on their usage of data, we float that into the product. One of the features we have, called HEAT Shield, functions like this: when a user is looking at a website in isolation, we see exactly what the user is seeing. From that perspective, we take that information, and run it through computer vision.

When you look at what the bad guys can do with AI, I am maybe a little bit more skeptical that they can write some fancy malware based on just AI, because then I wouldn’t need 300 engineers writing our product; I could be doing it myself. I would be doing the good part of it and reducing our costs.

But jokes aside, while you can ask AI to write a piece of code, you still need to refine that code to make it work and have the knowledge of how you’re circumventing security measures. The starting point will indeed accelerate, giving a quicker start to anyone unfamiliar with the process. Those who already have a starting knowledge can reach their goal faster. The acceleration is real, but I don’t think AI is going to magically write ransomware.

What are the most exciting developments from your R&D labs at the moment?

One of the products that I just described is the HEAT Shield, which I think is super exciting. We began its development about 18 months ago and we’ve been testing it continuously along the way. What’s been interesting is, upon its availability, it almost perfectly intersected with the rise of MFA bypass attacks and adversary-in-the-middle attacks, among others. I believe we are probably the only solution that can recognise and block these attacks immediately. It’s been a very fulfilling innovation for us. Now, the next step is getting customers to use it and validating its effectiveness in the market. Several of our customers are in the PoC stage, and we’ve seen really good efficacy in real-world environments. We are very proud of that one.