Menlo Security, known for its Secure Web Gateway technology, today announced a new approach to data loss prevention that it says will redefine how data is monitored.
The product, called Menlo Security Cloud DLP, repurposes the company's isolation technology to monitor data leaving the enterprise, making it visible even if the data is masked or encrypted. It is part of Menlo's Global Cloud Proxy platform, which monitors internet traffic coming into the enterprise to protect against malware, ransomware and zero-day attacks. The two products work hand in hand, said Menlo Security co-founder Poornima DeBolle.
This approach puts Menlo's technology at the front of the endpoint protection process, where it can see user activity and interaction with applications.
"It's basically remote execution for a browser environment and helps prevent all of the vulnerabilities in browser environments that have become easy for attackers to abuse," explained Eric Hanselman, an analyst at 451 Research.
In other words, Menlo Security's isolation core is the intermediary, so the solution actually controls the entire connection. For example, instead of a user's browser pointing directly to Microsoft's website to access Office 365, it goes through the Menlo environment. As it traverses that environment, the product checks that everything is secure. So if a user downloads a malicious piece of code, for example, it won't impact anything else because it is being executed in an isolated environment.
Unlike most data loss prevention tools, which rely on some type of end-user agent and API integrations that can have delays or be bypassed, Cloud DLP is agentless. It examines data as it is moved, passed, copied or pasted, rather than relying on agents to manage those activities.
This is the right time for a solution like this, Hanselman said.
"In the cloud today, there are just simply too many vulnerabilities, too many exploits and too many users willing to click on too many things, and it's just not possible to keep up with them," he said. "With the traditional approach to DLP, you have an endpoint agent sitting on the back end of the email server, trying to cover as many different points of interaction as possible. That's getting more difficult all the time."
There are numerous use cases for this type of technology, especially for organizations handling sensitive data. That includes not only regulated industries such as financial services, healthcare and government, but industries like retail, whose customer support teams have access to sensitive information like credit card data.