Browser Security Without Compromising on Productivity or Experience
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Tal Zamir of Perception Point breaks down integrating browser security without compromising on productivity or experience.
A key access point for critical applications and collaboration solutions, web browsers are an essential tool for business productivity, up there with email and morning coffee. Between growing digitization and remote work, workforces have grown more and more reliant on browser-based apps and extensions, which provide employees with increasingly creative ways to work and interact.
Unfortunately, many modern breaches also start in the browser, making it a common entry point for attackers to compromise an organization’s network and data. Some recent examples include non-email phishing campaigns, malvertising campaigns, and insider threats:
- Phishing campaigns now use various channels such as social media, instant messaging, or voice calls to lure users into visiting malicious websites and to steal their credentials or payment information.
- Malvertising campaigns use online advertisements to deliver malware or redirect users to malicious websites. For example, a user searching for the Zoom app ends up installing ransomware on their endpoint.
- Insiders and third parties can intentionally or erroneously use the browser (on a corporate or a third-party device) to access unauthorized websites, download malware, exfiltrate enterprise data, or bypass security controls.
While most organizations have email, web filtering, and endpoint security in place, they still lack browser-focused security controls that can effectively stop such modern threats before the damage is done.
Glaring Gaps in SWG and EDR Solutions
Secure web gateways (SWG) have been around for decades, mainly for the purpose of filtering unwanted web categories and known-bad websites/malware (primarily through a signature-based approach). However, for cost or performance reasons, they lack the ability to deeply and fully inspect content in a dynamic manner. As a result, they miss a lot of advanced phishing attacks that leverage a variety of evasion techniques to avoid detection.
Furthermore, SWGs lack visibility into the actual browser and the user’s activity in the browser. For example, if a user copy-pastes or prints sensitive data from an enterprise web app, an SWG will not be able to identify, block, or audit this activity. If a user installs a malicious browser extension that steals all of the data directly from the user’s browser, SWGs have no way of telling that it happened, as these solutions do not live in the browser on the “client side.”
On the client side, Endpoint Detection and Response (EDR) products also don’t shed light on what’s happening in the browser itself. They are mainly focused on post-execution detection of malware (e.g. executables) after the malware has already been downloaded and launched; at that point, the detection and remediation parts of EDR can kick in, but in many cases, it’s already too late. Because they lack that browser visibility, they aren’t effective at stopping phishing and social engineering attacks that take place in the browser, and cannot block insiders/third parties from exfiltrating data through the browser in a variety of ways.
This is becoming a bigger pain for IT and security teams in the current remote/hybrid work era, in which users are working with fewer security controls at home, using their own devices, and more and more work is being outsourced to vendors, freelancers, and contractors. Users rightfully push back on attempts to install corporate apps on their personal devices, fearing for their privacy and for any harm such apps can do to their devices.
Users are also using more cloud-based SaaS web apps than ever before, and asking them to tunnel their traffic through a proxy or gateway would lead to additional friction and cost.
Modern Browser Security: Choose the Non-Intrusive Way
A new category of “browser security” is emerging, offering a refreshing approach to securing browsers and addressing web threats, one that is focused on the browser itself rather than taking a gateway approach. However, within this new category, there are two main streams that are very different in nature.
Enterprise Browsers
The enterprise browser approach replaces standard Chrome/Edge/Safari browsers with a custom-made browser which is based on Chromium. Users are expected to install this new corporate app on all of their devices to access enterprise web apps.
While giving the enterprise more control over this custom browser, the approach is intrusive and disruptive in nature:
- Users need to agree to the installation of an app/agent on their devices (including personal/BYOD/third-party devices).
- Users cannot enjoy the latest features that top browsers offer. For example, Edge now offers deep integration with OpenAI, and Chrome is soon to follow. This kind of integration will not be available for other Chromium-based browsers.
- Enterprises that have invested in browser management via Chrome Enterprise or Microsoft Endpoint Manager will have to reinvent the wheel and create new policies and paradigms for managing this custom-built browser.
- Zero-day vulnerability updates coming from Google/Microsoft may take longer to apply to these custom browsers, leaving the organization vulnerable for longer periods of time (they can’t get same-day updates).
- Many of these vendors focus on DLP controls and rely on third-party detection technologies to detect malicious content in files or URLs, leading to inferior overall browser security.
- Enterprises will need to integrate these custom browsers with other products in the enterprise ecosystem and with other web technologies, resulting in additional ongoing maintenance efforts.
Choosing to go with a non-standard browser and rolling it out across all devices is a hard choice for organizations, with significant tradeoffs.
Security-Focused Browser Extensions
This approach provides a security-focused browser extension that is deployed on existing standard browsers like Chrome, Edge, or Safari. The extension does not require any agent/app deployment and can be centrally applied to browser work profiles without any user interaction and without invading the user’s privacy on non-work profiles.
Once an extension is active, it can provide protection against a variety of advanced browser-focused attacks, including:
- Protection against advanced phishing and social engineering attacks that only detonate in the user’s browser and require the user’s interaction in the actual browser before they become visible.
- Protection against advanced malware/ransomware that can be downloaded by users via sophisticated campaigns such as the recent malvertising campaigns, including the ability to deeply inspect and decrypt malicious content hidden deep within these downloads.
- Insider and third-party threat protection by auditing and limiting what users can do when accessing sensitive enterprise web apps and data.
It is important to pick browser extension vendors that keep websites/files as they are and do not modify them, as modifications can lead to a wide range of website and file compatibility issues.
Browser Security Can Be Easy
The browser extension approach offers a way out of the market’s current impasse. Security-focused browser extensions are fully compatible with existing browsers and the wide web/enterprise ecosystems. They do not require any tunneling of traffic or remoting, all while keeping users fully productive and able to enjoy the latest browser innovations and updates. Furthermore, browser security cannot just be a standalone product that a large in-house security team needs to operate. Browser security can now be synchronized with security offerings for other channels (e.g. email security, cloud app security), which equips enterprises with a 360-degree view of threats they face across all attack vectors.
Browser security is now a crucial aspect of enterprise security as a whole. Thanks to the expanded capabilities of browser extensions, it is now practical and easy to boost the security of all user browsers without changing employees’ experience and without creating IT friction.