Don’t Block by Default or Allow by Default – Sanitize by Default

Adam Maruyama




So far, I’ve explored the accelerating web-based threat to government IT and highlighted the ubiquitous dilemma of Internet browser security in the government. In our ULTRA product, Garrison proposes a solution to the question of whether to block or allow unevaluated content by providing a third option: sanitizing unevaluated Internet resources like research databases, supplier/vendor sites, social media, and personal sites by transforming them into interactive video streams. ULTRA uses Garrison’s government-trusted hardware to process all webcode outside government systems and instead present a hardware-enforced, safe, and interactive video stream of content to the user. This approach comes with significant advantages to both security and productivity: it removes the risk of malicious code from websites you don’t trust compromising your endpoints and networks, and it enables employee productivity.

Let’s dive deeper into a couple of examples of the impact Garrison ULTRA can have for your network and productivity before looking deeper into the best-in-class security mechanism behind it:

Proposal Phishing: A procurement team at a government agency has just released a proposal for an emerging AI capability. Because the technology required is leading-edge and the proposal has set-asides for small businesses, the team doesn’t recognize most of the vendors submitting responses. This enables a China-linked APT to send in a proposal including a link to a website that appears to contain legitimate information but carries a zero-day Chrome exploit in its webcode. Without ULTRA, the agency’s proxy might block the site because it was new – blocking dozens of other legitimate startups’ sites in the process and slowing down the procurement cycle while security teams reviewed dozens of unblocking requests. Alternatively, it might classify the site as tech and allow the browser request through because the team’s job is intake of technology proposals, and endpoint detection and response software could miss the exploit because it has not previously been observed – providing the adversary a point of presence within the agency’s network. With ULTRA, the team would still be able to look at the site, but the code would be executed outside the network perimeter, not on the team’s endpoints, and any malware would be wiped from memory by ULTRA’s security mechanism – denying the adversary any kind of persistent presence in the network.

Snowstorm Drive-by: Washington, DC, is having one of its frequent unexpected snowstorms, and employees all over the area are scrambling to find out whether their children’s schools are closing early, and which routes are cleared to get home for an early dismissal. A Russia-linked APT group has conducted an AI-orchestrated attack against local TV stations and school websites, leaving most content unchanged while replacing the organizations’ logos with visually identical malformed .webp images containing a new iteration of last year’s libwebp vulnerability. Without ULTRA, the sites would either be blocked – leaving employees scrambling to plan for an exigent weather event – or the clever drive-by hack, leveraging emergent events, would have an opportunity to compromise numerous endpoints – either providing the APT persistent presence within networks or deluging SOC teams with behaviour-based alerts across numerous departments and agencies. With ULTRA, employees would be able to view the legitimate information on the sites, and the .webp exploit would be isolated on Garrison’s infrastructure, to be cleared out via our patented secure reboot technology once users logged off for their harrowing but hopefully safer commutes.

You might ask how we’re so confident that Garrison’s technology would prevent these theoretical zero-days from escaping isolation and compromising federal networks, particularly with near-peer APTs behind them. You can find more details about our Garrison Guarantees here, but the simple answer is that we use cloud-hosted hardware and hardware security (hardsec) techniques that are trusted by the U.S. and UK’s most secure government agencies to protect their classified networks from zero-day, nation-state grade threats when connecting to high threat networks.

Instead of using the software-based security that is a target for so many adversaries, Garrison ULTRA dedicates a “SAVI node” comprised of two separate ARM processors for each active user’s browsing session. One of those processors executes all of the webcode and feeds it to the other processor via a stream of pixels and waveforms. The other processor then compresses the content and presents it to the user via an interactive video stream – so no code, malicious or otherwise, from sites browsed through Garrison ULTRA is ever executed on a device with a data path into our customers’ networks. Between sessions, each processor is reimaged from a known-clean golden image, ensuring no residual data or risk persists between sessions.

The secure-by-design two-processor architecture we’ve built our solution upon isn’t just a security feature, either: using dedicated processing resources for each connection to ULTRA ensures a smooth and performant user experience, and creating a pixel-perfect image stream between processors ensures that websites aren’t mangled by software trying to remove risky portions of code or to save compute resources in a containerized web browser.

If you’d like to learn more about ULTRA and how it can fit into your organization’s next-generation cybersecurity model, contact us!