Hello, CyberTech community. Welcome to our CyberTech Top Voice interview series.
In this engaging CyberTech Interview, we talk with Menlo Security’s VP of Security, Andrew Harding. As part of our “Cybersecurity Awareness Month” engagement, we sat down with Andrew to understand the enterprise browser security trends for 2025. Andrew dives into the rise of browser-based cyber threats and the risks posed by unsecured web browsers, pointing to the current dangers that organizations face in the evolving cybersecurity landscape. He discusses the key steps security teams must take to protect their enterprises with a proactive, multi-layered approach to browser security.
Join us as we discuss the future of cybersecurity with CyberTech Top Voice Andrew Harding and learn how Menlo Security can help your organization stay ahead in 2025.
Hi Andrew, welcome to the Cybersecurity Top Voice Interview Series. Please tell us a little bit about your journey. How did you start at Menlo?
Andrew Harding: I have been working in cyber defense and network security for a long time. I started in transport and data security because it seemed like an important requirement when the Web was emerging.
Before joining Menlo Security, I helped out with leading zero trust and remote access systems, and one of the biggest Wi-Fi products, at a time when wireless networking was missing sufficient security capabilities. That led to opportunities in data center security and participation in some high-profile responses in the Middle East and Crimea. I have been lucky that my interests and needs in the industry have aligned over time.
Menlo Security is a mission-driven organization that aligns with my own vision–and the need for browser security could not be more clear. Menlo’s innovations are well-timed to expand beyond the most secure environments, such as the U.S. Department of Defense. We are now defending the broader enterprise landscape while also enabling a new, “secure by design” approach to remote and hybrid work.
How does Menlo Security differentiate itself in the browser security space, and what unique solutions does it offer?
Andrew: Evasive threats are the new normal. Today’s threats are designed to slip past some of the traditional security tools. At Menlo Security, we call these “Highly Evasive and Adaptive Threats (HEAT),” and they are well-crafted, thought out, and have very high success rates. They exploit vulnerabilities in web browsers, using a variety of techniques to get around detection-based security tools.
Menlo Security defends businesses from such cyberattacks by eliminating the threat of malware completely from the web, documents, and email. This is where legacy network and endpoint-based security solutions fall short, because they can’t defend against browser-based threats. Menlo adds secure cloud browsing to a traditional private-access architecture and then augments it with AI-driven defenses that operate within the full context of browser sessions. Network inspection and endpoint detection agents simply can’t do this.
Secure Cloud Browsing is the next generation of remote browser isolation, and it’s much more than that.
The AI-driven defenses complement the world’s most scalable cloud browsing experience. The Menlo Cloud analyzes over 400 billion web sessions each year, and we’re trusted by major global businesses, including Fortune 500 companies, eight of the ten largest global financial services institutions, and large governmental institutions.
What market challenges prompted the development of this solution, and how does it overcome the limitations of existing browser security options?
Andrew: The modern workforce runs on browsers. In fact, 75% or more of the workday is spent in a browser. Menlo Secure Enterprise Browsing addresses the gap that traditional security approaches have left. The network contains this byzantine labyrinth of controls and the endpoint is more hotly contested ground than ever. None of these traditional approaches solve the problem. The Menlo Security Enterprise Browser solution is the industry’s first cloud-delivered solution that turns any leading browser into a secure enterprise browser. There’s no need to reject the browsers that users prefer and that web applications have been built for.
Menlo invites the local browser into a layered security architecture.
Given that humans are often the weakest link in cybersecurity and that cybercriminals frequently target browsers to exploit vulnerabilities and steal sensitive data, what measures can organizations take to strengthen their defenses against these threats?
Andrew: Yes, the sobering reality is that humans are often the ultimate target. Some attacks go after the browser and deliver malware, but many others rely on a user making a mistake. When cybercriminals target the browser, sometimes it’s delivering malware via JavaScript and tricking the user into executing it. And other times they exploit a vulnerability that allows remote code execution without user interaction.
Still, other attacks simply fool a user into giving up their credentials. Even with employee training and clear, consistent reminders about phishing, users make mistakes. The fraudulent websites can be very convincing.
Menlo helps by putting machine-vision “eyes” on content and removing the burden from end users. Menlo also reduces such alerts by over 70%, so we help out security analysts, too.
95% of undetectable malware is spread through web browsing. What risks do unsecured web browsers pose to organizations and individuals?
Andrew: Most organizations do not have comprehensive visibility into or control over browser behavior. Unsecured web browsers are a gaping attack surface waiting for cybercriminals to exploit. These cybercriminals know that most traditional security tools inspect the expected threat vectors in the network. Depending on URL reputation databases and block lists for protection leaves a huge gap in coverage. But with better visibility into the local browser, organizations would be able to detect fake pages and prevent unsuspecting users from entering their credentials.
Your team released research this year on browser-based threats and the dangers of generative AI. We would like to hear more about it.
Andrew: Absolutely.
At the beginning of 2024, we released research that examined the state of browser security and found that there was rapid growth of Highly Evasive Adaptive Threats (HEAT) targeting the browser. In particular, the Menlo Labs Threat Research Team detected a 198% increase in browser-based phishing attacks in the second half of 2023 compared to the first. And when specifically looking at attacks classified as evasive, the researchers observed a 206% increase.
More recently, though, we found some fresh insights that highlight the evasive nature of browser-based attacks in 2024. During 2024, there has been more than one widely exploited vulnerability a month that impacted replacement browser installations. These are really dangerous campaigns. It has happened nine times this year. Nine times. During August 2024, still more operating system and browser exploits were reported. In August, the Menlo Labs Threat Research Team exposed new “Living Off Trusted Sites” (LOTS) attacks. These findings were a follow-up to our 2024 Global Cyber Gangs Report in June. During the Black Hat conference a month later, we discovered cybercriminals exploiting trusted sites to pass through network defenses, such as SWGs and SSE/SASE services. LOTS attacks and other tactics, such as HTML smuggling and last-mile reassembly, enable these attacks to deliver ransomware and other malware. In each of these attacks, AI-driven defenses from Menlo Security stopped them.
Shortly after we released these findings, Google Chrome announced a zero-day vulnerability that can crash a browser or be exploited to run arbitrary code on an endpoint. CVE-2024-7971 could lead directly to a ransomware breach. This problem was discovered by Microsoft, and Chrome has been patched. It has been confirmed that the vulnerability has been actively exploited in the wild. Chromium-based replacement browsers that use the V8 JavaScript engine were likely vulnerable. These findings are important because they point towards the need for a secure browsing experience that specializes in finding and stopping evasive attacks. The Menlo Secure Enterprise Browser solution protects against these threats. With Menlo, untrusted code does not run in the local browser, and untrusted scripts cannot access client endpoint networks or enterprise server systems or workloads. The Menlo architecture, which runs all active content in the Menlo Cloud, stops all of these threats. Trusted sites cannot be used as a way in.
36 percent of all security breaches begin with a phishing attack. What are the top 3 things security teams need to do to secure their enterprises, and how can they secure a browser-centric organization?
Andrew: There’s a common misconception that organizations need an endless collection of flashing tools to react to cyber threats. Of course, it’s necessary to look at your entire attack surface and prioritize the areas that pose the most risk to your business. We need to look at threat origins and prevent attacks, not just detect them. If we focus on web-based email and phishing attacks, then we can stop phishing. Security teams that cover the browser reduce their workload while reducing the risk to their enterprise. By treating browsers as critical enterprise assets, organizations can prevent phishing attacks altogether.
So number one: add browsers to your security strategy.
Next, I’d look at legacy systems that can be upgraded or replaced if you adopt a “secure-by-design” and “zero trust” mindset that includes browser security. A modern approach to browser security can actually reduce expenditures on legacy tools and make room for new things, like AI security.
The third thing to do is inspect your incident response plans: Can you reduce the alerts you have to manage?
Can you speed the response with updated forensics? Browser security can help here, too.
Could you share some insights on the newly launched Menlo Security Enterprise Browser Solution?
Andrew: Earlier this year, we launched our Enterprise Browser solution, a secure browsing approach that lets businesses implement digital safeguards without ditching the browsers they know and love. In essence, it is a set of powerful capabilities and extensions on the foundation of Menlo’s Secure Cloud Browser that enhances existing web browsers with cloud-delivered browser security.
Instead of forcing users to get their entire workplaces to adopt a new browser — thus expanding the enterprise attack surface — Menlo’s new approach protects data and users with end-to-end visibility and dynamic policy enforcement directly inside browser sessions to block zero-hour phishing, malware, and ransomware attacks. The new capabilities include:
- Menlo Secure Application Access, which extends effortless zero-trust access to more users, devices, and applications
- Menlo Security Browser Posture Manager, which provides easy browser configuration assessment and instant attack surface analysis
- Menlo Security Last-Mile Data Protection that goes beyond traditional DLP technology, applying protection in the cloud that extends copy-paste control, user-input limits, watermarking, and data masking to the endpoint.
We have spent much of 2024 deploying the new capabilities and adding to the solution, including collaboration with Google. We crossed $100M ARR this year and we’re grateful that enterprises see the value in the new capabilities.
In today’s world of data breaches and cybersecurity incidents, many browser developers prioritize functions and features that improve privacy and security. Can you walk us through privacy and security-focused browsers?
Andrew: All the leading browsers on the market are privacy and security-focused. The question is: do they support the enterprise browsing features necessary to protect users, secure access to applications, and defend associated data against loss.
And, are they ultimately effective?
Further, managing the local browser installed on a device so that features that create security exposure can be disabled is important to prevent breaches and security incidents that can be traced to the use of a browser. It is the use of the browser, as important as the browser, that needs to be considered and where risk needs to be managed. Combining a leading browser such as Chrome with accessible security controls that enable visibility into sessions while defending against attack is the only approach that provides the security enterprises need in the current threat environment.
What are your predictions for the cybertech market in 2025?
Andrew: I believe in 2025 we will see a handful of new developments, many of which point to the need for secure enterprise browsing capabilities.
First, I predict that AI-powered attacks will comprise many of the evasive attacks we will witness. These attacks are ones that are being missed by traditional network or endpoint security tools. Second, I believe fraudulent websites will expand to include deepfakes, further exploiting innocent victims to give up sensitive information.
I also predict that we will see an increase in ransomware delivery against critical infrastructure through the browser, along with supply chain attacks evolving to target SaaS platforms.
Due to changes in regulatory scrutiny and the threat environment, it will also be increasingly difficult to exhibit due care without browser controls. This is a key reason why browser security will continue to emerge as a top priority for the CISOs. When taking a closer look at their security stacks, CISOs will shift away from legacy access architectures (old-school VPNs) towards browser security to defend against the latest threats.
Thank you, Andrew, for joining us today. We look forward to having you back on CyberTech Insights soon!
About Andrew
Andrew Harding sees browser security as a significant gap in completing cyber defenses and in his role as VP of Security Strategy at Menlo Security, he is committed to delivering solutions that make every browser a secure enterprise browser. Throughout his career, he has contributed to the security architecture of the Internet. His inventions in endpoint security, lawful intercept, mobility, networking, and overlay networks defend networks and infrastructure around the world. He has worked with teams to define and lead market segments in network security, mobility, networking, and endpoint security. Prior to Menlo Security, he held senior product management, strategy and product marketing positions at companies including Danaher, Juniper Networks, Aruba Networks, and Cisco. He lives in the Santa Cruz Mountains, near Monterey Bay, in California.
About Menlo Security
Menlo Security protects organizations from cyber threats that attack web browsers. Menlo Security’s patented Cloud-Browser Security Platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end-user experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies, eight of the ten largest global financial services institutions, and large governmental institutions. The company is backed by Vista Equity Partners, Neuberger Berman, General Catalyst, American Express Ventures, Ericsson Ventures, HSBC, and JPMorgan Chase. Menlo Security is headquartered in Mountain View, California.