The Gately Report: Menlo Security Tackling Browser Attacks, AI Threats
Plus, a new trojan designed to steal facial biometric data.
![Web browser security](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt98bdf3f840310387/65aeb5f9172b6a040a3dce6a/Web_Browser_Security.jpg?width=700&auto=webp&quality=80&disable=upscale)
marketinggraphics/Shutterstock
Channel Futures: What types of partners does Menlo Security work with and what does it have to offer them?
Todd Wilson: Our primary partners today are distribution VARs across the globe. We do have a couple MSPs and some SIs that we work with, but I would say predominantly focused on the VARs and VADs. We are going to be launching an enhanced partner services and managed services program later this year to help bolster that. We just launched training in December as kind of that stage gate to get to that bigger partner services program. We've got a great number of routes to market and we’re looking to enhance those SIs and service providers a little bit better.
CF: What sort of growth is Menlo Security experiencing and what role do partners play in that growth?
TW: Partner revenue grew 41% year over year, so that was a huge number. Our contribution grew even higher, almost at 98% as far as percent to revenue. So our partners are top of the spear. We were what I would call below market as far as partner contribution. Now we're above market on that and we're continuing to make that investment because we have a great product, we solve five really great use cases, and our partners are hearing those requests, like generative AI and VDI replacement. So what we're doing is investing in those partners to help them bring that opportunity to us. And then, of course, helping them convert.
CF: What’s the latest with Menlo Security’s Boost partner program? How is it helping partners better meet their customers’ needs and grow revenue?
TW: The latest was the training that came out back in the December time frame. We had good training before. Now they can get trained on everything, including professional services. So if they want to learn how to launch Menlo in a 200,000-user enterprise and every little widget and side use case that gets out there, it's all documented in our partner portal, which is amazing. That's something I was never able to do in my past, to take, say, our customer success and deployment content, and put it in one place for partners to get to. That's the biggest thing that we were able to accomplish, really giving our partners the detailed learning at their time when they want it so that way they don't have to worry about coming to my team or wherever that might be to get help. They can click a button, watch a five-minute video and get the details.
We have a lot of great enhancements coming to our Heat suite, to our product across the board. Starting Feb. 20, we're doing global roadshows with that content, but also drip campaigns and other details … to talk about all these really new enhancements and how they're able to deliver these enhancements to their customers to help drive more revenue.
CF: Is Menlo Security attracting new partners? If so, what’s bringing them to Menlo Security?
TW: In the last year, we went through a partner rationalization, what I call the focus partner plan, where we really looked at the top partners per region and focused our revenue numbers on those. So that way we were feeding the channel, investing in those partners. We've got that nice sum of money that we're using to make that investment again this year.
So last year that was a focus and this year is definitely looking to add on. [We're] bringing in those boutique partners. There's one in the Southeast United States that we’re courting, and in the Southwest as well, that have unique value propositions, more professional services, acting more like an SI in many ways. So yes, we are bringing on more partners this year, but it's definitely a focused approach because we want our partners to see seven figures of revenue. We don't want to see them see five figures of revenue. So it’s definitely smart growth.
CF: What’s the latest in terms of feedback from partners? Are their needs changing?
TW: Their needs are ever changing, and the thing that comes top of mind to me is a lot of partners are trying to scale back their product set. They don't want 300 products on their line card, but under 100 so that way they're very focused. In that, they're also looking at the services aspect. Can they service those 100 products? Is there a motion there? There’s a great partner who lives down the road from me that I talk to and do lunch once a quarter with, and what I'm hearing from him is obviously he loves Menlo, that's why he does lunch with me, but how does he get that next service and compliance piece to go with Menlo to help keep that customer engaged and enriched? So the long tail is keeping that customer engaged with the value-added services so that way they continue to buy the main product services.
CF: What do you find most surprising and dangerous about the current threat landscape?
TW: Most surprising is hackers are finding vulnerabilities in the largest software houses across the world. Granted it shouldn't be surprising because they are the largest software houses, the most used. Some of these vulnerabilities that we see out there, Citrix Heartbleed comes top of mind. This company's been around forever. They've been doing hundreds, millions of users for years and you would think they'd invest in their own teams to find this before anyone else. So that's been the most surprising. And it’s obviously most interesting as well, because now how do you solve that challenge? And sometimes the only solution is to rip and replace, which is tough for enterprises when they've got these decades-long investments.
CF: Is the evolving threat landscape shaping Menlo Security’s overall business, product and channel strategies?
TW: One hundred percent. So from the product landscape, we came out with a product called Heat Shield back in June when it was officially launched. It had been out for a couple months before that. I'm a credit union guy; I've been using this credit union for 15 years and I get emails every day that look like they're from the email address, the right domain, everything. And if you're smart enough, you can figure out the little nuances. But to the untrained eye, it's your credit union. Our Heat Shield product uses 70-plus pieces of data, plus artificial intelligence (AI), machine learning (ML) and computer vision to then look inside that and determine this is not the exact site. There's a hacker toolkit out there that they can literally go to AmericanExpress.com, and I've got a demo video of it that I send my partners, where they literally took American Express and built it, and it looks just like American Express, but a little bit off, and unless you have Menlo's product in place, you would never know that this is a phishing site because to the normal eye, it looks the same. I had a partner over in Europe. In their name is an o, and they used a zero and made it look exactly the same as the Okta page.
These hackers are really good at what they do, so this feature product set that Menlo offers is unique. And as I go to partners and I show it to them, they’ll say, "I have five customers that came to me with this issue because either their core page was duplicated or one of their vendors' was. And all you need is one set of credentials. We're creatures of habit. We use the same password for 50 sites; let's be honest. You get one and you get the Okta page and boom, you've got full access." And for our partners, they're hearing this use case, so I'm sending them this video over and over again: "Hey, watch for 2 minutes, it's great."
In terms of partner enhancements, we are adding micro demos to our partner portal so that way if a partner has an idea that this customer might have this issue, they can go on and watch the demo, and see how it works. Does that fit the use case? Yes. So self-enablement for our partners to understand the use cases, but also our continued drip campaigns to keep them informed.
CF: What can partners expect from Menlo Security in 2024?
TW: No. 1 is investment. We were able to grow the channel so well this year that we added two headcount. Every other channel leader I'm talking to isn't adding headcount. So I think that's huge kudos to Menlo. We're adding headcount to help continue to drive our partners and help enable them. In addition to that, we're going to hit every major city. There are a number of partner advisory boards already on the calendar. Dubai and Japan are already set. Ones in America, EMEA and APAC are not officially published yet, but coming very soon. We're investing to enable and get partners with our reps or even our customers in some aspects to learn about why these customers have picked Menlo. We've got the biggest customers in the world: the U.S. Department of Defense, the biggest banks across every region and health care systems of entire countries that are protected by Menlo. And getting them to show up, talk to our customers or our partners to hear about their use cases is the best thing I can do to help them. We're doing a lot of what I would call field-level activities to get our partners up to speed, but then also delivering via the partner portal some additional content so that way it's at the touch of their hands. And, of course, there’s the learning and the badges to help them get accredited as well.
In other cybersecurity news …
Researchers at cybersecurity provider Group-IB have warned of a sophisticated new trojan designed to steal facial biometric data and use it to produce deepfakes of victims which can bypass banking logins.
The GoldPickaxe malware is available for Android and iOS, and developed by a suspected Chinese cybercrime actor dubbed GoldFactory, according to Group-IB. The infection chain begins with threat actors impersonating government officials, convincing the victim to use messaging app Line to communicate and trick them into downloading a trojan-laden app disguised as a digital pension application, or one providing other government services.
The Android app is downloaded either from a fake Google Play page or spoofed corporate website. For the iOS version, it could leverage the TestFlight developer platform, or the threat actors could trick the victim into installing a mobile device management (MDM) profile, which gives them control over the device. The threat actors cite personal information they have obtained about the victim to increase their chances of success, according to Group-IB.
The victims of this malicious activity are predominantly located in the Asia-Pacific region. While the current evidence points to a particular focus on two APAC countries, there are emerging signs that GoldFactory’s geography of operations may be extended beyond Vietnam and Thailand. Group-IB sent notifications to the brands impersonated by GoldFactory’s trojans.
Jason Soroko, Sectigo’s senior vice president of product, said biometric authentication should rarely be used as a sole form of authentication.
“It is a very handy PIN code replacement in most cases,” he said. “Why isn't it more secure? It's because your fingerprints, your face and your voice are not secrets. In the case of the GoldPickaxe malware, what is novel here is the recording of video in order to create deepfakes of the victim, in order to cause further social engineering. This is a scary development, but it is not surprising. Deepfakes are very effective in social engineering. It should be noted that the trojan mobile application that is installed by the victim has been made available via a fake Google Play store, and for iOS devices, the victim needs to utilize unusual installation methods. I suspect this means that Android users are targeted for this attack more than iOS for this reason, but everyone should be aware to not be convinced to install fake applications.”
![Zimperium's Krishna Vishnubhotla](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt0c8fa4079a7fdf71/65d0fe3c91536a040a15fc98/Vishnubhotla_Krishna_Zimperium_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
Zimperium's Krishna Vishnubhotla
Krishna Vishnubhotla, Zimperium’s vice president of product strategy, said facial recognition data on smartphones is encrypted and stored in a secure area of the processor, such as a secure enclave or trusted execution environment, which isolates it from the device's main operating system and applications to prevent unauthorized access.
“This data is anonymized, converting facial features into a mathematical model rather than storing actual images, and is kept locally on the device to minimize the risk of external breaches,” he said. “Despite these security measures, risks remain, particularly if the device is physically compromised or if vulnerabilities within the device's security hardware or software are exploited by sophisticated attackers. Furthermore, the potential for unauthorized access by malicious apps due to permissions mismanagement or software flaws poses a continuous threat, emphasizing the need for ongoing vigilance and regular security updates to mitigate these risks.”
Deepfakes are a type of digital manipulation that alters or synthesizes someone's appearance in videos or photos convincingly, Vishnubhotla said.
“These manipulations often use AI and ML technologies,” he said. “It's important to note that the risk of deepfakes doesn't only come from facial-recognition data stored on smartphones. Instead, it arises from the broader ecosystem of digital facial data.”
The LockBit ransomware gang claimed responsibility for the January Fulton County, Georgia, cyberattack and threatened to publish "confidential" documents if the ransom wasn’t paid by Feb. 16.
Initial reports by the county on Jan. 29 acknowledged a “cyber security incident,” confirming widespread system outages, including phone, court and tax systems, but gave no further details.
It wasn't until almost three weeks later and only after LockBit claimed the attack that officials acknowledged the outage was a ransomware attack, but still offered no details on the attack itself. Many of the county’s systems were still down and the investigation is ongoing.
“There is evidence that suggests this incident was the result of a ransomware incident caused by financially motivated actors,” the county said in its latest notification. “It is important to note that there is no evidence or reason to believe that this incident is related to the election process or other current events.”
Fulton is Georgia’s largest county and home to the state’s capital, Atlanta.
Steve Hahn, executive vice president of BullWall, said this attack is part of a larger trend. Cities all across the United States are under attack by Russian threat actors. Oakland, California, declared a state of emergency when nearly all services, all the way to their city hall, were shut down. In that instance the threat actor stole and released data as well. Hundreds of U.S. cities have been the victim of these attacks.
“In the past, these Russian threat actors were strictly financially motivated,” he said. “Since the war in Ukraine, the attacks have become increasingly targeted and not just getting the ransom, but also hurting us financially, hitting supply chains that could impact inflation, hitting hospitals and cities providing life saving services to maximize the human impact. The other new trend is the threat actor is typically getting command-and-control access prior to the attack. This means they have administrative-level rights, they steal data, then set up their ransomware attack in a way that no preventative tool can stop it.”
Emily Phelps, vice president of Cyware, said effective cybersecurity is challenging for even the most well-resourced organizations. Local governments have additional resourcing challenges that further complicate protecting the critical data of their citizens.
“Organizations, across sectors, must become more proactive in their cyber defense strategies,” she said. “This starts with advanced threat intelligence that can be automatically operationalized across a security team. Context-rich threat intelligence enables security teams to prioritize critical threats and take rapid action. Intelligence sharing organizations (ISACs) are also an important component that can provide relevant intelligence to industry organizations to improve effectiveness and efficiency.”
The massive spike in browser-based phishing attacks presents an opportunity for Menlo Security and its partners to help overwhelmed security operations centers (SOCs).
That’s according to Todd Wilson, Menlo Security’s vice president of global channels. Menlo Security recently reported a 198% increase in browser-based phishing attacks in the second half of 2023 compared to the first half of the year. When specifically looking at attacks classified as evasive, the researchers observed a 206% increase.
“These are overloading the SOC, and as they overload the SOC, they're trying to figure out what's real, what's fake, how do I manage it and how do I triage it,” he said. “Menlo just blocks it at the gate. So when we've been implemented, we've seen a 70% reduction in these alerts to the SOC, which then allows them to be more proactive and more active. But also for the partners, it gives them more time to help bring in more products to make them more efficient. If your SOC is running at 120%, you're not able to deploy something new to help them do other things, [so] look at other avenues.”
Data security posture management (DSPM) is a new, up-and-coming technology, but overwhelmed SOCs aren’t able to implement it, Wilson said.
“So by bringing Menlo, we're able to reduce those alerts, give them more time to look at the less top-level applications or intrusions, and be able to be more proactive,” he said. “And then, of course, that turns into partner services because then they can sell services on every other product to help make that product better.”
Menlo Security Generative AI Report
Menlo Security also released its 2023 generative artificial intelligence (AI) report that showed 55% of generative AI inputs contained sensitive and personally identifiable information (PII). Despite warnings, employees continue to include sensitive and corporate data in their generative AI prompts.
![Menlo Security's Todd Wilson](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt0953d9f9fe50d798/65d0fa597962e6040af2fb42/Wilson_Todd_Menlo_Security.jpg?width=700&auto=webp&quality=80&disable=upscale)
Menlo Security's Todd Wilson
“Menlo's been out there talking about generative AI for probably eight months now and we've gotten a lot of great traction,” Wilson said. “Partners keep telling me that they're seeing customers ask for it, but not really implementing it until the past two months. Now, customers are starting to implement controls. And our unique value proposition is the way that we translate that session and can do things like cut-and-paste controls. We have this large semiconductor manufacturer that bought Menlo through one of our distributors, and what they're looking to do is allow their teams access, but then also be able to put the right guardrails in place that their IP didn't get there. It's been a huge use case for partners, and now the company that makes the iPhone and other companies like that have bought our generative AI controls because of the need for generative AI, but also the need for security.”