Menlo Security has taken a ‘Zero-Trust’ approach to web security and has built a platform that aims to eliminate 100 percent of web and email threats. Due to the sheer number of threats, the company argues that no one solution is able to identify and block all of the web-based security threats when hundreds of thousands of new attacks are being launched on a daily basis. To deal with this issue, Menlo Security has developed a platform that isolates all users’ web browsing on a remote server. In an exclusive interaction with Express Computer, Poornima DeBolle Co-Founder & Chief Product Officer, Menlo Security shared insights about the best practices enterprises need to follow, to avoid data breaches and ensure safe and secure functioning as per your understanding; and a surge in the adoption of cybersecurity products and solutions in India.
Some edited excerpts:
1. Could you give a brief about Menlo Security?
Menlo Security is a cybersecurity company that was started in 2013. We are over 500 employees worldwide. On the venture capital side, we’ve raised about US$ 260 million for Menlo Security to pursue our dream of creating the product that we are delivering to customers. We have received funding from some of the most well-funded venture capitalists like Vista Equity and General Catalyst, to name a couple of them.
Today Menlo Security offers a cloud security solution. There’s no hardware or software that we need to install on their premises, and they just need to point their computers to the Menlo Security service in the cloud. And then all of the features and the protection that we deploy in the cloud, they can benefit from. So, that is kind of the form that we deliver our product.
The best way to start our explanation is when you look at cybersecurity solutions, be it an antivirus solution or a sandbox or a firewall, or a secure Web gateway, most of the protections or all of the protections that these solutions deliver are based on what we call, “detection-based technologies”.
We have taken a ‘Zero-Trust’ approach to web security and have built a platform that aims to eliminate 100 percent of web and email threats. Due to the sheer number of threats, the company argues that no one solution is able to identify and block all of the web-based security threats when hundreds of thousands of new attacks are being launched on a daily basis. To deal with this issue, we have developed a platform that isolates all users’ web browsing on a remote server. By isolating all web content in these secure browsers, Menlo can prevent attacks from ever reaching users’ devices.
2. What is the role of the India center in Menlo’s, overall product development?
When we started to look for alternate centres that we wanted to invest in, we started with a clean slate. We looked at various different locations across the world, and Bangalore was one of them. And we specifically chose Bangalore because there’s amazing enterprise security talent in Bangalore from all of the years before when other enterprise companies were in Bangalore. The maturity of leadership and the maturity of the talent are just amazing, and can’t compare it to any other place, both in India and elsewhere. So, there’s really great talent here.
The second aspect of it, which is equally important is we didn’t want our Indian centre to be just an augmentation of our US effort. So, it’s not like we’re doing just quality testing or support or some small function of it. The team in India here, which is about 60 people or so, is a fully functioning, multi-functional product organisation.
By product organisation, it means we are ideating new products here. We’re building it entirely in India by collaborating with other teams after thorough security research in India. Menlo is doing customer support and professional services from India and all of the infrastructure that those organisations need is also supported by IT and security services here in India.
For Menlo, it’s kind of a multifunctional product organisation that is completely autonomous in its ability to create and deliver the product. So, we had that vision from day one, and we’re very happy to say that we’ve been able to accomplish that because we shipped our first product from our India team 10 months after we created the team. For me, it’s a great success story of the dream we had and what we were able to accomplish.
3. What best practices do enterprises need to follow now, so as to avoid data breaches and ensure safe and secure functioning as per your understanding?
First is defense in depth
It is important to focus on defense in depth, which means the network security is complemented by endpoint security, especially in the backdrop of this post-pandemic, hybrid environment. The end users are not behind a perimeter. Here, perimeter-less, work-from-home environment, defense in depth is super-important.
The second is cloud security
Security needs to be where the user is, legacy architectures meant that everybody VPNs, and come back to some central location, and then you apply security at that choke point. Now as people are adopting SaaS, and you want to go to your Office 365 directly from your home computer to Office 365, rather than kind of go through this choke point, it is important for the security delivered via the cloud to be there wherever your user is.
The third is the multifactor authentication
Over the last few months, and there have been compromises associated with it, multifactor or two-factor authentication is still one of the best methodologies to ensure that you are validating your users on a regular basis. That is now getting supplemented by some of the hardware tokens that help beyond this kind of MFA bypass attacks.
The last one is visibility and monitoring
Even after deploying all of the tools in that defense in depth and cloud architecture model, nothing can be foolproof, either as a product or because of some misconfigurations, so making sure you have robust visibility and audit capabilities is very important to make sure it’s kind of that belt and suspenders model, ensuring everything you assume to be safe is actually indeed safe, and if something is not, then you’re able to identify and remediate that as fast as possible.
4. Do you see a surge in the adoption of cybersecurity products in India?
Definitely. 50 percent of attacks are coming from categorised websites. 73 percent of them are coming from not-bad websites, but sites that people consider to be good. These new techniques, these attacks are really increasing in count compared to the last couple of years and the secure gateway or next-gen firewall cannot detect because it’s obfuscated.
India is having a great moment when it comes to cybersecurity products. Looking at any of the large cybersecurity companies out there, they’re having something like 200 percent growth year-over-year in the Indian market. So, I definitely feel like some of the kind of flagship security products in the world are being adopted and deployed on a large scale in India.
In terms of Internet penetration and sophistication of businesses, India is definitely among the top countries in the world, and we desire to deal with that kind of attack and penetrate those organisations is the same as anywhere else in the world, so we definitely see that there is a reason why there is that surge in cybersecurity adoption in India.
We definitely plan to grow our organisation here over the next few years to hundreds of product teams, we’re also expanding our sales and go-to-market efforts here to specifically engage with the Indian customers and the Indian market in general.
5. What are the plans for expansion and top priorities for the next 12 to 18 months for Menlo Security?
In terms of the next 12 to 18 months, we are really on a path to evangelise and educate the market about the umbrella term HEAT. We’ve really created a set of assets, for example, we have a website where a customer can go and test the security efficacy of their solution, and we evangelise and teach them about these evasion techniques, and they can click on a button and actually see if they’re protected against it, and we generate a report to show them if they’re protected against it or not. So, this concept of evangelising these new trends and educating the market is a very important dimension for us.
The second kind of capability that we’re delivering in our product is around creating visibility of this in the customer’s environment so it’s one thing to know and read about it, but the next thing is to turn it on in your environment and really see if it’s happening in your environment. And customer after customer, we’ve seen them recognising that this is happening in their environment.
And now once both of those things have been established, we want to bring our product and capabilities to bear and show them how to protect themselves against the evolving threats. So, our kind of goal for the next 12 to 18 months is really to educate the market about this, evangelise, and then deliver protections against these attacks to bring value to our customers. And on the success of that, Menlo will continue to grow as a company and grow our revenue, and then definitely look towards good outcomes from that for the entire company. Having said that, our primary mission will always be to bring customer value and grow our customer base and protect our customers from these evolving attacks.