Menlo Securitys Tom McVey explains what he believes to be the greatest security risks to organisations right now, how best to resolve them and how Xtravirt and Menlo’s partnership together can deliver best in class business outcomes.
2020 has been a challenging year for businesses and the global Covid crisis has highlighted for many the importance of a having a cloud first IT strategy. In this podcast, Menlo Security speak to Xtravirt about how the accelerated adoption of cloud solutions through the crisis, has exposed new security vulnerabilities that are putting businesses and their staff at risk. With the average cost of a data breach estimated to cost a business $4m to clean up, it’s widely expected that shoring up web and email security will take priority in 2021.
03:13 – How IT security has changed and why it is so important since the world started working from home
06:55 – The main risks facing IT teams in 2020 and how it has changed because of COVID-19
09:47 – Menlo’s Core Isolation Technology and why it is more effective and efficient than alternatives
14:47 – How the adoption of cloud and remote working are forcing businesses to re-think traditional network security architectures like VPN
17:38 – What Secure Access Service Edge (SASE) is and how to get started
20:35 – How Menlo’s alliance with VMware is delivering advanced security to users of VMware Horizon, VMware SD-WAN by VeloCloud and Workspace ONE
22:51 – How the Menlo Security–Xtravirt partnership is delivering best in class business outcomes to enterprises
00:00:04 HOST
Hello and welcome to cloud insiders. The podcast that brings cloud down to earth brought to you by Xtravirt. From wherever you may be listening, I just want to say hello, welcome and thank you for joining us today. My name is Stuart Robinson and I’ll be your host for this podcast. I’m over the moon to be joined by Tom McVey a sales engineer over at Menlo. Hi Tom and thank you so much for joining us.
00:00:22 TM
Hi Stu, Yeah, thanks really great to to be here. I’m excited.
00:00:28 HOST
Thank you so much for coming on. I say it’s absolute brilliant to have you here. Now Tom is with us today because we’re talking about security. It’s a topic that we picked up on a few times in the history of the podcast, we’ve delved into the deep dark depths of SDN and Network security on more than a couple of occasions. But now it’s time to dust off the day glow, we’re going to talk security at the next level up.
00:00:50 HOST
As none of us really want to have lived it anyway, I’m going to talk about 2020 in the past tense. It was an interesting year. Many of us got very familiar with our own 4 walls, and in the world of IT and absolute world wind occurred. Suddenly entire workforces ran to work from home. IT decision makers were creating plans and making quick fixes to get everyone onto new systems and rules were bent, some corners were cut, but ultimately it was OK because it’s just for a couple of months, decades past. Well, probably not decades. But it’s kind of felt like it to most of us. Suffice to say, we’re now eight months in working with these quick fixes and IT teams have been or are now trying to get back fill the holes that were opened up.
That’s one dystopian view of how 2020 plans panned out for the IT teams. But let’s ask Tom now. As I mentioned at the top, you’re a sales engineer for Menlo, but could you tell us a little bit about yourself? What roads brought you to where you are now and a little bit about Menlo?
00:01:49 TM
Yeah, certainly I’m Tom. I’ve been working as a sales engineer for about 6 or 7 years now. I actually got started really young. Straight away out of college didn’t go to University, got a little apprenticeship, at small reseller and they gave me like way more responsibility than I deserved at that age and used that as a good experience to move up. I went to a company called Verona’s that do a lot of data protection and then I did a 10 year logarithm, so that’s more traditional security area around SIM technology, and that touches a whole lot of bases, so you see attacks coming from every factor, so I got a really good understanding of the big picture of security there and then moved to Menlo about seven months ago now just at the start of the year. I was quite lucky, I Just got in before the lock down and everything happened which I know some people were doing the job hunt during which it couldn’t have been that fun. But yeah, I’ve been really happy to join Menlo.
The technology very much excited me when I was going through interviews and yeah, happy to be able to run through them and their technology with you guys today.
00:03:00 HOST
Well, thank you very much. So all joking aside, 2020 has been a bit of a rocky year for everyone. Could you give us a brief overview of how IT security has changed and why it’s so important since the world started working from home?
00:03:13 TM
Absolutely. I think there’s been a huge change. As you said, a lot of organisation rushed towards getting their remote workers capable outside the office. And they did a lot of those quick fixes, so you would have, you know IT Department’s quickly rushing to get their laptops and other remote devices connected up and working so users could at least do things like email or maybe actually access a few resource, but they wouldn’t really take security into the forefront of that deployment so it would be unlikely that most organisations would have started that rush to get those users working from home with security at the forefront of their mind.
00:03:54 TM
And obviously focusing on productivity, which makes sense. So, what you’ve ended up with is a lot of our organisations that have very unprotected home workers. I’ve worked with multiple companies very recently that have just simply laptops deployed and that’s it. So basically, given all their home workers laptop, some of these aren’t even domain joined if they are domain joined then that’s better than most to be honest and then those laptops have no security on them really. You might be lucky if they have just a generic endpoint agent, then that’s good, but some of them won’t even have that. They’ll just have the generic Microsoft stuff.
00:04:30 TM
And then they previously were laptops that we use mostly inside of the network. So what’s happening there is they would have had the security from the security stack with the proxy, the email gateway, the firewall, but now they’re either having to VPN back in, which is again quite rare, or in a lot of scenarios I’m seeing them just go direct out to the Internet.
We have these laptops with bare bones, if any defensive technology on those machines are able to just go directly out to the Internet, they can click on any link They like they’ve got no proxy, they’ve got no visibility on what users are doing in that as well. So since they’re not using the VPN, they’re not going to the proxy. You can’t even see what they’re clicking on, they are especially vulnerable to phishing because any kind of payload in that is immediately accessible and dangerous. So if there’s a link that convinces a user that for them to click on, They can go ahead and click on that and there’s nothing to stop them from that dangerous web page from infecting them. And you know, just generally we’ve had a huge opening of threat Actors basically from the start of lockdown and attackers are making the best use of that because they’re all still at home right now, so the lockdown didn’t really affect the attackers to be honest. It’s opened up more areas for them and if anything, they’ve got more time to do the hacking. So yes, turbulent time for a lot of organizations, we’ve seen an increase in breaches for sure.
00:05:52 HOST
Thanks for bringing up breaches, how much would you say a data breach does cost a company at the end of the day?
00:06:01 TM
I think the average is hovering around $4,000,000. From the statistics I’ve seen, which is definitely not a small sum, but I think these only really include the costs for the cleanup operation as well. I think under the costs it’s quite hard to objectify Sometimes is the brand damage. So you could count on, you know, $4,000,000 to maybe repair it and get everything back up and running, but then You’ve also got to take into account the brand damage and are your customers actually going to be seeing user trustworthy source anymore.
00:06:39 HOST
Yeah, and so you’ve kind of mentioned a couple in there about the phishing and other kind of things that people are more susceptible to. But if we do a quick recap, what are the main risks facing IT teams in 2020 and how have they changed because of 2020?
00:06:55 TM
Yeah, I think I think the main risks pretty much stay the same from 2019 to 2020 in terms of which ones are the top risks. So it’s been for a while now, It’s been web and email at the top in terms of threat vectors for quite a long time, Maybe few years. Email especially. But they’ve become more potent now in 2020. So those those are the two most common attacks factors either E-Mail or web previous, but now as mentioned, since all these users are at home remote working, perhaps not really having the same Level of security they had in the office. Now, seeing that the same attacks being much more successful. So if a user does click on that dodgy link and goes to a malicious website, or if they click on or open an attachment in an email that was sent that is malicious, then those are actually executing properly and the malware is actually infecting the users at a much greater rate, whereas previously they may have been, you know, picked up by the antivirus or the firewall or the proxy and.
00:07:58 HOST
How many times and how often do you see this happening?
00:08:01 TM
I mean, yeah, we we see companies well then we speak with them quite often of having you know phishing attacks. I don’t think we’ve really spoken to a company, at all that hasn’t had some sort of fishing. We get them as well. I’ll get it through my email. Everyone I know has received some phishing. I get them through to my mobile. I had one pretty convincing literally yesterday that was saying you know Lloyds Bank. If you’ve logged into a new device, please click on this link to confirm it and I hadn’t obviously logged into a New device and I almost pressed it and just thought wait this is coming from a mobile number. It’s kind of strange, but they’re very, very convincing now and they come at you from every angle of each device that you use, not just your work email but your mobile number, instant messaging. It’s all over.
00:08:49 HOST
You do start to feel sorry for the guys. Have kind of got the less convincing ones. Like when you get the text from your bank saying this is your bank and we really need your bank details. I’m not even with the bank you’re claiming to be with..
00:09:03 TM
Exactly, yeah at least spearfish me you know rubbish through my my papers I’ve thrown out with all my address and information.
00:09:12 HOST
I’m not happy until I’ve seen you rummaging through my bins. Is what you’re trying to say.
00:09:16 TM
And I guess that’s one way to put it.
00:09:19 HOST
OK, so there are still a lot of attack vectors out there and arguably a growing number, especially with everyone working from home and then you have to take into account everyone’s hardware at home, which I’m guessing is another place people can get in, but let’s duck out of that doop and gloom for a little bit and stop talking about what could go wrong.
And let’s talk about how you fix it. Menlo have something called cloud isolation core technology. Can you tell us a little bit about that and why a business should be embracing it?
00:09:47 TM
Yeah, sure, so I mean, we obviously try and fix a lot of the problems we’ve we’ve spoken about. We work closely with this cloud transformation model ’cause if you think about it, the whole remote worker and COVID-19 situation has pushed cloud transformation for a lot of businesses. So you do see Not only remote workers existing, but also just, you know, companies generally attracting and diverging more attention to cloud platforms. And that’s exactly what Melon Security is. Where we’re cloud platform first. We’re basically a web and email security vendor, but we do the security in a bit of a different way, so you’ll be very aware. I’m sure everyone is aware of how generic proxies work And how they would work in the cloud as well. We are, generally, a web proxy in the cloud with email protection as well.
But the whole difference, as you mentioned to how we actually provide our security and our kind of unique selling point is our core isolation technology. So what this actually does is it’s a really unique way to remove any chance of executable contact coming into Contact with your end users devices, so as mentioned, when we have all these remote workers around, or even you know workers in the office or different distributed offices across the world, you have a scenario where users are reaching out to the Internet to integrate with technologies and access websites and open emails and attachments and documents and every company in the world needs that to happen. But those documents and websites have a risk associated to them. Every time a user goes and opens this content, they’re interacting with active code with executable code. So for example, with websites you’re running JavaScript with a document, if you download a PDF you’ll run macros that are embedded in there. All of these can be used to distribute and actually run malware.
If you download a PDF that contains ransomware and where it’s most likely going to actually use the macro within the PDF to deploy that, and if you open the PDF and your antivirus hasn’t already quarantined it, or your firewall hasn’t picked it up or anything, then if you actually open that, It’s kind of game over at that stage. You will be infected on your device for sure. How far it goes After that you will see how your adaptive security does.
What we want to do is separate that ability for the users to actually come into contact with that code. So if they if they come into contact with the executable malicious code, then it is kind of game over for them. So we want to remove that ability completely and we do that through a process called isolation and what it does is before the user actually comes into contact directly with this active code. They first connect to an isolated cloud container, so containers obviously are basically like really small, very lightweight VM’s in the cloud. These can be spooled up in about half a second, so we can kind of click our fingers and a small virtual container will will boot up in our cloud. The user will then connect to that container and basically the container takes all the risk for that user. So instead of their laptop running and executing this PDF on this website, it’s the container that then makes the final connection over to the website and then runs the Java scripts or it’s the container that makes a connection to the PDF document and runs the document and runs the macros.
So the worst case scenario in a Menlo situation, is we have a user that does click on this dodgy content and they could do go to a malicious link. But the worst case scenario is it’s actually the container that’s going to be infected, not them, since they’re never actually running that code, the container is. We simply render the content down to them so it’s the website, we will render that content. If it’s the document we provide them with a document preview and the user experience is very much up there.
I don’t hink there’s a significant degradation. I think it’s very hard for users to tell that they’re even being isolated, which is one of our key features. But at the end of the day, you’re really removing 100% of risk from web and email threats. I think for every organization that’s listening all of them would write email and web as their highest risk, the thing they divert the most time to and if they can actually get that your 100% success figure which is not an exaggeration, then yeah, I think it’s a good technology for them.
00:14:02 HOST
I think 100% success figure, that’s a pretty impressive number to be able to throw out there.
00:14:06 TM
Yeah, we do actually put our money where our mouth is on that, so we actually have a up to a $1,000,000 malware warranty. So if there is ever a breach through an isolated connection, we obviously believe that’s impossible and it hasn’t happened so far. But if that does happen, will basically refund any of our Customers contract values in full or up to 1 million dollars, so it’s not like we’re just kind of saying this stuff. We actually have something to prove it.
00:14:34 HOST
That’s pretty confident. so you’ve mentioned that isolation technology plays a part in cloud transformation. So what part does it play and where is the improvement on what we were doing in the past?
00:14:47 TM
Yeah, absolutely. So it’s kind of coming back to that VPN story mentioned before where you would have and a lot of organizations are in this situation right now. Especially after moving all of their workers to work from home. They don’t have a cloud first strategy for web or email protection and they have on premise, Maybe appliance based on virtual email security or web gateways and the only way that they can get those remote workers back through this security that they probably invested a fair amount of money into is the user VPN to tunnel the traffic back into the main HQ and then run it straight up in line, through those proxies, to basically get the functionality from them.And this is kind of a work around solution. Those proxies were never really designed to be, you know, VPN to to backhaul all of that traffic. It’s not the end of the world, it works, but it’s kind of inefficient, especially if those VPNs are used for actual generally quite important Applications or internal data that is really needed and that is the only way to get there.
If you have a bunch of people just browsing YouTube or browsing web, if that’s all going through the same tunnel, it can be disturbing that the space and the bandwidth that you need for those vital applications. That’s kind of going to a bit to waste. It’s a little bit inefficient, and it’s sort of subjective to break quite easily as well if the user doesn’t have a VPN connection running all the time, they’re not even going to be able to get to the Internet at all.
00:16:21 HOST
If there’s like an authentication change or if they have to manually update that on the VPN. A lot of the time and caused a lot of overhead, so it does make a lot more sense to essentially break out to the cloud instead. So instead of having your users who are at home and wanting to go to the Internet instead of backhaul and all that traffic to the main office, running it through your security and then going back out to the Internet again, and then all the way back through the same process. If the users can just break up directly to the Internet from home but still do it in a secure way. It’s obviously much more efficient to do that, and that’s why Menlo security, but also really any cloud proxy works well for that scenario because they can break out straight to the Internet.
We’re based on Amazon Web Services, so we’re kind of at the core of of most of the Internet, so there’s no real latency challenge, so you have a reduction in latency for those web resources while using a cloud proxy. And then you also have a reduction in the usage of your VPN because you’re not having to backhaul All of that traffic anymore.
00:17:23 HOST
That’s absolutely awesome, and I think we don’t know each other that well, but I think we both knew that a comment like this was coming. It’s time to get sassy. Can you tell us a little bit about sassy or secure access, Secure edges (SASE) is otherwise known.
00:17:38 TM
Sassy, yeah I love it. Yeah sure. So secure access secure edge (SASE).
It’s a new term coined by Garner and I’m sure everyone listening is aware of Garner, they’re a large, almost like a review organize. That’s probably the wrong word for them there that basically steer the cyber security industry in ways that they think it should go. Sounds like a lot of responsibility to go to just a single company, and it probably is, but they basically have quadrants that they rank security vendors on and they decide basically what we’re going to rank them on and SASE is a new thing for the web security quadrant. So this is where they want their vendors to go in the future. It is good because it gives you an idea of the future of the security industry because SASE is almost a brand new term, and there’s no real vendor that’s offering 100% SASE capability at the minute, but I’m sure that will be the case in the future.
00:18:45 TM
So what SASE is is essentially a combination of casbee firewalls service and zero trust principles, so it is the next generation of web security, but when we say web security, it’s not just browser based browsing security.
It’s, Sass application security. It’s full authentication in open web security. It’s cloud transformation security. It’s kind of these next Gen terms that are all kind of being welded together. So right now we have all of those functions everyone can have and use casbee. You can integrate zero trust principles into your organizations right now, but you don’t have a single vendor or piece of security that can actually cover all of those. You’ll need to have several different pieces. You’ll need an SD Wan so that you’re actually able to steer the traffic into these. You know, intelligent areas. You’ll need a casbee solution to understand what kind of data is actually being used in which applications, and set policy on that. You’ll need a firewall as a service because you’ll need to set up rules and policies from more of a global cloud area than you would Again, from a single network.
And then you also need to use. You know zero trust policies and that’s the four different products just off the top of my head there. And that’s not including all of them. So yeah, it’s kind of a bit divergent in a minute, but the idea is to bring all of these different technologies together under one banner, which is SASE. And that’s what Gartner is trying to push there.
00:20:21 HOST
Yeah, you mentioned SD-Wan and couple of other bits. Presumably this works well with most virtual desktop and workspace technologies such as Horizon, VMware Workspace One. What are the main technologies that you guys are working with in that space?
00:20:35 TM
Yeah, absolutely that that all fits the picture with Horizon, especially with cloud transformation, especially with the current situation. You know, having the virtual desktops just available kind of at a whim to boot up and down to dynamically scale that capability is super useful. And also fits the SASE picture of your kind of really dynamically, providing the amount of resource and security that are needed. So if you have Like you know, especially during this time, where you know airlines are a good example where they they have a bunch of stuff and a bunch of resources and the staff they’ve been able to put on furlough for a lot of this scenario. But the resources especially the servers if they if they have those as hardware, they’re really just going to waste at that stage, but with the virtual resource is they could actually spool down a huge section of their compute because they’re not using it anymore because they’re you know they’re not actually delivering as much business, and that’s going to save them a huge amount of money. It’s that kind of dynamic flexibility to actually be able to scale up and down that I think you know Horizon provides really well. We work really well with VMware and a lot of their products we have integrations with the SD-WAN Velocloud and Workspace one. Again is that SASE story, so you want your SD-Wan to be able to natively integrate and send the data required to those web security platforms like Menlo, that can provide you know the isolation technology and if that wasn’t the case and you didn’t have to separate products entirely for all of this, and it didn’t all work nicely together. Then it wouldn’t really be fitting in the SASE story, so we did ensure to make sure that we were able to integrate very easily with Velocloud and Workspace One. Essentially allows any of those VM Ware customers to very easily send the data and process those users to Menlo without having to deal with complicated group policies that that needs to be updated every so often.
00:22:51 HOST
So I mean, this is brilliant. It sounds like Menlo is really filling a hole in the existing market, especially as it’s helping to add substance to the defense of such big hitters as well, and I guess this is where the conversation between XV and Menlo must have begun. For anyone who doesn’t know, in the last few weeks, XV and Menlo have announced that they’re coming together in a partnership, and it looks like this relationship could really benefit a lot of customers. They both have so much to offer to each other. XV can include Menlo’s isolation, corner customer strategy discussions focused on addressing security concerns and deliver as an embedded part of VMWare solutions, especially for those based around Horizon offerings as we were just talking about. I have also heard on the Grapevine that XV including Menlo, as part of their managed service portfolio of products. Now Tom, you’ve been involved in this from the very beginning.
00:23:42 HOST
Can you just tell us what the key benefits are of this partnership that has been formed between extra and mainly?
00:23:48 TM
Yeah, of course. The best part of it is going to be for the customers, especially in other managed service customers, it’s going to be a great fit. Again, it’s furthering that SASE story, where it’s just making it very easy for those customers to achieve that secure edge, so you have the VMWare Horizon experience incapability. You’ve got the VMware products with Velocloud to actually enable that connectivity. If somebody signs up with, Xtravirt they’re not just getting the individual technologies and kind of having to model them together themselves. It’s kind of a full solution in that you have Horizon to uncover the scaling needs of a dynamic workforce that is going to be changing. It’s going to be having increases and decreases over the next few years and you’ll have lots of different locations added to that, and there’ll be a lot of changing to the workforce, so it’s important to have that horizon sort of virtual workspaces being able to be scalable and fit with that dynamic. Then you have you know Velocloud SD-WAN to control and figure out exactly where you want traffic to go and steer that traffic and then of course you know MENLO security can then act as a 100% layer of protection against web and email threats for those for the remote workers, but any workers within the offices as well, you can still have course use those isolated technologies, and that’s kind of a single solution. It’s not three different ones. You guys can deploy all of that. You can make sure it works all together.
You can do the contracting and the managed service to make sure that it stays working and is updated and it kind of actually delivers the full story. So yeah, I think it’s going to be very useful for the customers.
00:25:40 TM
Probably be pretty cost efficient as well, so you’ve got the reduction in the cost from VMWare horizon. The end users are now working from home anyway, which is a big reduction and we could see a lot of organizations maybe lowering their office space investing more in this kind of flexible strategy that XV offering because the you know the happy with the security. Because you know, there’s technologies like Menlo out there, it’s no longer a taboo to think we should move everything to the cloud. And suddenly that’s scary to a lot of people. That’s no longer the case, it’s more efficient. It’s for it’s cheaper, a lot of the time.
Organisations can really move to this next generation of working where they have. We have much lower amount of office space. They have really, you know, tuned and well designed and use technology that allows them to do this effective working from home in a Safe way, and they save costs from that. They save any reduction of breaches, they get extra productivity. Workers are happier, it’s just a win win win win win. So yeah, I think that’s really the best offering that I’ve seen as.
00:26:46 HOST
Well, that’s awesome, and once again you’ve come up with a wonderful title for our entire relationship, which is just Xtravirt and Menlo creating the complete package. I think you should work marketing. This is awesome stuff.
So besides my earlier statements of 2020 and the implications of doom, there is good news that technology is always evolving and there’s great people out there they’re always trying to help like the good people at Menlo always looking for new and better ways to keep your business safe.
00:27:16
Xtravirt also there to help. If you’re looking to embrace a cloud or digital workspace solution or looking to improve, or further secure what you already have talk to Xtravirt. They cherry pick the very best technology such as Menlo to ensure so you achieve your goals and thanks to their team of experts and years of experience can help you achieve these goals faster.
If you like the sound of Menlo and one to up your security game, or if you’d like to find out more about how Xtravirt can help you along your cloud journey, let’s go to xtravirt.com/contactus and we’ll be happy to chat. So I’d like to extend a very heartfelt thank you to Tom for coming on. For me, it’s really open, my eyes to some of the areas of security I’d not really thought of before and I’m hoping that those listening my take on board how to steal some of those gaps that might have occurred in the last year or so. If you’d like to learn more about Menlo or get hands on with their technology where’s best to do that?
00:28:08 TM
I would definitely recommend checking out try.menlosecurity.com. It’s super easy to use in about two or three minutes, you basically get hands-on feel with it, so there’s no data sheets or white papers to have to run through. Just go to try.melonsecurity.com and you can use isolation today.
00:28:26 HOST
Brilliant and tell me if anyone would like to reach out to you directly. How would one go about doing that?
00:28:31 TM
So I’m available of course on LinkedIn, so please feel free to get in touch my name on there is Thomas McVey. But of course if you’re interested in in Menlo as well. I worked for the EMEA team. If you get in touch with Menlo security, so a good chance I’ll be there to actually deliver a demonstration and run through.
00:28:49 HOST
And you’ve got quite a few videos up on YouTube that people can visit as well?
00:28:53 TM
So I’ve done a few YouTube videos on some of the benefits from Menlo’s point of view. So if you visit the Menlo security YouTube channel, have a look through those, I think they’re quite good.
00:29:05 HOST
I’ll stick the links to those in the description below, and if anyone would like to learn more about Xtravirt and how they can get you started with Menlo and a plethora of other cloud technology so you can go to Xtravirt.com and you can get in contact with us there on xtravirt.com/contactus or drop us an email info@xtravirt.com and if you like Cloud Insiders and want to find out more, you can visit us at Twitter at Cloud Insiders. You can get hold of us on team at Cloud.Insiders.FM and you can find this podcast. Anywhere you find your podcasts that we’re on iTunes, Spotify, Google Podcast, SoundCloud. The list goes on and all our episodes on YouTube as well.
So Tom, I’d like to thank you so much for coming on today. It’s been an absolute and genuine pleasure and to those listening, thank you so much and we hope to catch you again soon.
00:29:53 TM
Thank you so much.
Receive updates from the Xtravirt team, including information on new technologies and the expert analysis of cloud trends and strategies you should know about. Unsubscribe anytime using the link included in every email.