A few weeks ago, Jack briefly mentioned how security vendor Menlo Security has recently attracted $75 million of Round D funding. Menlo Security does web and email security by remotely executing webpages on a server, and then displaying them on the endpoint by using what they call “adaptive clientless rendering.” So we decided to take a closer look at how they stack up against other remote browsing options we’ve looked at.
How Menlo’s remote browser works
Menlo Security has an online demo where you can try the available product, so this is where I started. It’s pretty simple; you go to the demo site and it spins up a browser in the cloud. It then lets you browse a few media-rich websites, there are a few other demos that download documents converted to safe PDF, show how phishing sites are blocked, etc.
To be honest, it’s a pretty underwhelming experience because you are basically just looking at a document and some websites. However, I rather think the underwhelming demo is the point. It feels and looks pretty much the same as a local browsing experience to an end user; it was smooth and responsive, and I couldn’t spot any lag or remoting artifacts.
This is a server-side solution with the approach that the internet is hostile and material from it should just be kept off the corporate network, the same philosophical security model we reviewed in Garrison’s hardware-based product. This is opposed to the other remote browsing model—the BYOD-oriented approach that Jack has been excited about, where you use it to secure corporate web/SaaS apps on unmanaged endpoints.
The browser supplied is a Chromium variety running in containers on AWS. Protocol-wise, they have an asymmetric Websocket JSON stack, i.e., not just server-to-client streaming but allowing certain client data to be returned (mouse movements, etc.). The browser is destroyed at the end of each session (non-persistent) on the zero-trust assumption that it has been compromised.
The Menlo team
With this tech becoming increasingly mainstream since remote browsing appeared at number two on the list of “Top Technologies for Security in 2017” at Gartner’s Security and Risk Management Summit, I had a chat with Menlo’s CTO, Kowsik Guruswamy to find out a few technical details and also to gauge if they were a credible player and likely to be a significant player. Kowsik and his team were impressive, the leadership is stacked with folks from the security ecosystem but it was the detail and experience with which they were able to talk about the challenges they and customers had experienced backed up by data and figures that convinced me they knew what they were doing.
Menlo’s investors include American Express Ventures, Engineering Capital, Ericsson Ventures, General Catalyst, HSBC, JPMorgan Chase, Osage University Partners, and Sutter Hill Ventures. Some big credible names but most interestingly several of their investors are also Menlo customers. Several of their large investors have deployed Menlo’s solution at scale with specific deployments of 250k, 110k, and 220k users. Currently, Kowsik estimates that Menlo supports around 2 million real customer users.
Handling localization and data breach issues
It was very clear from the details that Menlo has a level of maturity and got to grips with some of the finer nuances of remoting and had some good answers. I asked if they had had to adapt to account for localization issues when using AWS regions and Kowsik could immediately cite how they have additional infrastructure (NAT gateway to ensure a “local IP” is seen) to handle customers in Hong Kong. They use the AWS Singapore datacenter; without this additional infrastructure, a customer in Hong Kong would see localized website content such as ads, weather, clocks, and search as if they were in Singapore. This kind of odd browsing experience can lead to users disliking a solution. The document-isolation technology aspect (converts files/documents to a safe, scrubbed HTML5 for viewing or a safe PDF file for offline use cases) is very comprehensive.
Interestingly, Kowsik discussed having some large-scale hotel chain customers, a sector where we’ve seen some of the nastiest data breaches (Marriott/Starwood last year); this was within the context of the insights/analytics part of their offering. This type of feature is often overlooked, but I think it’s important for anyone evaluating a security product to consider. How do you justify your security product budget when you significantly reduce breaches that lowers the level of awareness?
Menlo tracks potential breaches, false positives, and percentage of documents accessed with potential threats to allow IT administrators to evaluate the time savings and potential breach costs avoided, even if that might mean dealing with false positives (e.g., blocked sites that were safe but a sysadmin would have spent time evaluating/whitelisting, etc.). In one customer, they found that 30% of links received in emails were for phishing sites. In the case of the hotel chain, it went from five malware infections per month due to users' internet browsing that were detected by AV (anti-virus) that had to be cleaned up to none over the last three years. To me, these were impressive figures that he was willing to back up with data.
Menlo’s use of AWS is invisible to the user, but their development processes seem sound with integrated builds of their AWS VM image in tandem with a virtual appliance for those wishing to deploy on-premises in their own datacenter for regulatory compliance or choice. This process means that long term, if there was demand or there were other drivers, Menlo could expand to other clouds or migrate from AWS if wanted. Kowsik also covered some details of their development focus on scalability. Always good when a C-level exec knows and cares how the product is being built!
Menlo operate a per-user pricing strategy, with the cost per user dependent upon the actual numbers; beyond this I failed to elicit specific figures from them. This is an easy model for consumers to understand, and similar to many SaaS cloud products. such as Jira and Salesforce. There are an increasing number of remote browsing comparisons being written about and many have debated the scalability and server densities possible (e.g., VDI vs. container overheads, etc.). Whilst ultimately this will affect the end price point, unless you are looking at on-premises options (owning your own SAN), for the cloud options all you really need to decide is whether the end price is acceptable and if the service good enough; how Menlo achieve that is really their problem.
Remote browsing competitors
WEBGAP is another vendor with what fundamentally is a similar technology model to Menlo and one of the few remote browsing offerings with completely transparent pricing (a simple $5 per user, per month, including support). Menlo’s the first vendor I’ve spoken to that has revealed such large existing deployment figures; for a customer with 250,000 users a $5 to $10 a head hypothetical revenue would stack up to a rather nice earner, and the venture capital flowing into this sector makes a lot of sense. Menlo however seem to have the edge on the enterprise package vs. many in this market, the support infrastructure and real large-scale blue-chip deployments feel familiar and what is the normal in corporate EUC.
Back in July 2017, Symantec purchased Fireglass, an Israeli web isolation startup for a reported $250M. Founded in 2013, Fireglass had previously attracted an estimated $22 million in investments. Symantec rapidly integrated the technology into their own solutions. The recent $75 million Menlo raised, had us wondering whether all this money piling into these technologies is in the hope of a similar big bucks acquisition; but having talked to Menlo, they seem to have a solid standalone business, particularly as many of their investors are also, and unusually, large-scale customers with a vested interest in continued access to the technology. The scale of the deployments, but also the investment and hiring going on at Menlo worldwide, is significant.
Zero-trust browsing experience
It’s another endorsement of the zero-trust security model of remote browsing as seen in the Citrix Secure Browser, a SaaS product we like and have covered. But, as Jo Harder wrote back in 2017, “I struggled with the use case for this functionality and wondered why anyone would need it. But for IT organizations that subscribe to web apps exclusively, the low cost for Citrix Secure Browser may indeed be warranted.” My own sentiment now is that with Menlo, Symantec, WEBGAP, and others offering a focused SaaS product, the Citrix Secure Browser falls into that weird category where it probably isn’t relevant to the mainstream virtualized Citrix EUC/VDI customer. For customers seeking a standalone SaaS remote browser, Citrix probably isn’t the vendor they would go to with others so focused on developing and marketing/selling these.
Menlo’s certainly playing the enterprise game seriously and gaining traction; I did a quick Google search and found credible press coverage in Korea. Additionally, they have a worldwide presence and attend security conferences. It should be noted that Menlo offers more than just their remote browsing product. They also sell a Secure Web Gateway (SWG) with the remote browsing functionality built on top; Gartner even named Menlo a visionary in their 2018 SWG vendor magic quadrant.
Often, I find myself skeptical when large amounts of VC are involved, the potential revenues often don’t stack up and the businesses seem high on buzzwords and low on substance. In this case, I actually felt this product is likely to be around and Menlo themselves are in it for the long term, too.