Is Microsoft exposing the supply chain by hardening the enterprise Edge?

Microsoft has announced it is to harden the Edge browser for enterprise users.

The hardware-based sandboxing provided by Windows Defender Application Guard for Windows 10 Enterprise will serve to isolate Edge from malicious code.

According to Microsoft, Edge has fewer vulnerabilities than either Google Chrome or Mozilla Firefox on the Windows platform. However, it acknowledges that no major browser client is vulnerability-free and, with large enterprises increasingly falling victim to targeted attacks, a new defence-in-depth security layer is required.

Windows Defender Application Guard for Windows 10 Enterprise adds that layer using Microsoft's Hyper-V virtualisation technology to isolate any threats and disrupt the attack opportunity.

"Application Guard is designed to stop attackers from establishing a foothold on the local machine," says John Hazen, principal program manager for Microsoft Edge, "or from expanding out into the rest of the corporate network."

This approach is, of course, to be applauded as it not only isolates the threats from the network but removes them completely when the container is closed.

It does, however, leave the question of whether Microsoft should be making this kind of 'defence-in-depth isolation' through virtualisation-based security available to a broader user base. Not least because, unless such protection is made more widely available downstream, the supply chain (comprised of generally much smaller organisations) will surely remain vulnerable.

"Isolation technology is great, unless the attack is coming from a trusted site like your smaller supply chain organisation," Andy Norton, risk officer EMEA with SentinelOne confirmed in conversation with "in which case you're back to relying on traditional defences."

Norton worries that enterprises are creating "disparities in the consistency of protection", which will only increase the level of uncertainty around the effectiveness of their security operation. He'd rather see containment based on behaviour which addresses the same attacker foothold issue, but can be deployed in a consistent and invisible manner across the entire user and supply chain base.

Jamie Moles, principal security consultant at Lastline, is hopeful that Microsoft will eventually "push out to lower level customers as the technology proves itself in the field", but thinks this misses the real point: it is moot, given that Microsoft Edge only holds about a five percent browser share.

Professor Steven Furnell from the IEEE warned that any hardening of security in one place (the large enterprise) increases the risk of attack focus shifting elsewhere (smaller concerns with less hardening) anyway. Smaller organisations will become "a target for indiscriminate and opportunistic attacks", according to Prof. Furnell, when other attack routes become closed off.

So how can smaller businesses, and those larger ones not using Edge, replicate the kind of protection being offered by Windows Defender Application Guard?

Ian Trump, security lead at LOGICnow, told SC that their options include looking towards "premium anti-malware services which offer sandboxing, virtualising and for lack of a better term cloud based anti-malware services."

And Paul Ducklin, senior technologist at Sophos, argues that "no single technology, or policy, or procedure, or attitude is going to be enough on its own." Perhaps predictably, he points towards the likes of Sophos' focus on 'Synchronised Security', bringing together myriad co-operating technologies to harden the modern, distributed IT environment, as the answer. "Computer security is a journey, not a destination," Ducklin concluded.