The rise of remote work has been a major source of anxiety for cybersecurity professionals – and with good reason. In combination with the explosive growth in cloud and SaaS adoption, and the proliferation of connected devices, the work-from-anywhere model has led to a perfect storm of security risk and an ever-widening channel for data leakage. And web browsing sits in the eye of the hurricane.
The modern employee now spends the lion’s share of their time at work web browsing — with their day-to-day job functions relying on web-based SaaS platforms such as Gmail, Salesforce, and Dropbox. Even in their leisure time, modern employees dedicate much of their connected lives to these browsing-based architectures — whether through traditional, purpose-built browsers like Chrome, Firefox, and Safari or through apps with browsing capabilities such as Facebook, Twitter, and LinkedIn.
Unsurprisingly, this all-encompassing trend of “browserization” has also made web browsing an increasingly attractive target of malicious actors. According to recent research from the National Technology Security Coalition, 32% of all malware now gets distributed via the web. Worse yet, as widespread as malware has become, a recent Google Transparency Report said that phishing sites are now even more rampant — outnumbering malware-infected sites 8 to 1. Finally, the number of zero-day browser exploits has been steadily climbing for years now, with 2022 already on track to have the most browser-targeted CVEs ever.
Where prevailing solutions fall short
In response to these trends, we’ve seen a veritable flood of secure browsing tools and solutions hit the market, each promising to help weary CISOs get some much-needed sleep. The two most prevalent approaches to secure browsing — secure web gateways (SWGs) and browser isolation — have some undeniable merits, but even taken together they aren’t up to the task of turning aside the full breadth of today’s attack vectors.
1st-generation web security solutions such as SWGs are easy to deploy and manage, with the newest solutions in this class now offering a low-friction, SaaS deployment model. However, that convenience often comes at the expense of robustness, as the security capabilities of SWGs are decidedly limited — especially when it comes to dealing with encrypted content. SWGs also struggle to detect threats associated with dynamic content on the client side — such as the recent spate of attacks in which hackers used CAPTCHA tests to hide malicious links in HTML files. The share of the overall threat landscape that SWGs can cover shrinks by the day, as the pace of such novel attacks and new zero-day exploits continues to outpace their capabilities.
URL classification solutions have also failed to keep pace with the changing threat landscape. While real-time categorization engines have been a welcome improvement, they still offer no solution for the fact that existing websites are updated and repurposed all the time — meaning sites once categorized as safe can quickly become unsafe without being re-classified as such.
2nd-generation products such as browser isolation tools close some of the gaps left by SWGs by physically isolating Internet users’ browsing activity from their local computers, networks, and infrastructure, to ensure cyber threats are contained and the impact minimized. However, browser isolation plugs these holes at the expense of functionality, performance, and user experience.
It’s exceedingly common for browser isolation tools to strip away foundational bits of functionality — such as copy and paste — while also subjecting users to latency and restricted access. Together, these issues work to hinder productivity and frustrate workers — leading to an undue burden placed upon IT administrators who need to monitor constantly for the use of shadow IT.
Worse yet, isolation tools also struggle to secure against some of the most widely used attacks, such as credential harvesting, and routinely fall victim to more advanced attacks that use evasion techniques, such as VM escaping. The web has become beset on all sides by advanced phishing and credential harvesting efforts. According to the most recent trends report from the Anti-Phishing Working Group, Q1 2022 saw an all-time high of over 1 million phishing attacks, accompanied by a 7% increase in credential theft phishing against enterprise users.
Compromises and trade-offs grow tiresome
We’ve only just scratched the surface as to the myriad ways in which SWGs and browser isolation solutions — even when operating in conjunction — can get hacked by malicious actors. While each has its own set of pros and cons, in the end, they ultimately fall short in the same way — by failing to strike a sustainable balance between user experience, security, and manageability.
Under the status quo, enterprises are spending untold sums for incomplete, problematic solutions that compromise productivity and user experience. More recently, the “secure enterprise browser” has emerged as a potential solution to current web security challenges. However, enterprise browsers may cause unwanted friction.
Employees do not want to sacrifice their preferred browser — which they trust, are used to working with, and which has been integrated with policy, plug-ins, connected accessories, and saved passwords — in favor of enhanced security. Nor do they want the added complexity of having to separate their browsing activity across multiple browsers. At the same time, admins do not want to go through the hassle of installing and managing yet another endpoint agent and run the risk of incompatibility.
What next-gen solutions can deliver
In the age of “browserization,” the average enterprise now faces a daily flood of web connections that they don’t trust and can’t manage. Enterprises need security, visibility, and control — with identity and data policies that they can reliably enforce without undue friction for users or administrators.
After all, a security solution only works if employees use it. That’s why it’s imperative that next-generation products ensure security without compromising the user experience or requiring users to adopt new practices, tools, or habits. A truly next-generation browsing security solution should ensure every web session gets protected against the foremost cyber threats of the day. It needs to perform continuous analysis during all browsing sessions on all browsing-enabled applications, on any device — without disrupting the user experience or relying on just a single point of scan.
All that might sound like a tall order, but I’d argue we’ve grown far too comfortable paying incredible sums of money for decidedly incomplete products in the cybersecurity field. Cybersecurity architectures today are increasingly complex and disjointed, relying on a patchwork of siloed, incomplete solutions. And with each additional layer bolted on, the costs, complexities and incompatibilities continue to mount — leading to frustration and encouraging non-compliance.
Rather than continue to cobble together a growing number of increasingly expensive, partial products, we need a comprehensive platform that effectively protects users from the latest, most advanced cyber threats in a more comprehensive and holistic way. Next-generation browsing security must move beyond half-measures, and address the entire web session — regardless of browser, app, or device.
Dor Zvi, co-founder and CEO, Red Access