The way we work has changed dramatically over the past decade. Browser security, once an afterthought lumped into the realm of web and network security, is now at the forefront of our new cloud-native and SaaS-based reality. To secure web usage, remote browser isolation (RBI) was once a one-size-fits-all solution, but with remote working now the norm, organizations have required solutions that go beyond traditional methods.
The browser – a hotbed for highly evasive attacks
The browser has become the main point of entry for cyberattacks. Even though phishing attacks may begin in email or text settings, they ultimately lead users to a malware-infested webpage. Our 2023 State of Browser Security Report found that browser-based phishing attacks increased 198% in the second half of 2023 compared to the first.
Today’s modern tactics used by cybercriminals are not so cookie-cutter anymore, either.
We have witnessed the rise of highly evasive and highly adaptive threats that are bypassing traditional web security tooling. To prove this point, evasive attacks – attacks that utilize a range of techniques meant to evade traditional security controls – makeup 30% of all browser-based phishing attacks.
So, what should organizations be doing to win the race against these fast-evolving, browser-based attacks?
It requires a new and innovative approach to browser security, one that doesn’t force companies to overhaul the browsers they are already using or add yet another attack surface.
Browser usage has exploded in recent years, exposing a giant attack surface that companies are struggling to manage and cover. And, traditional network-based security controls aren’t detecting zero-hour phishing attacks that deliver ransomware and steal credentials. Our team, over 30 days, detected more than 11,000 zero-hour phishing attacks that exhibited no signature or digital breadcrumb. This means that no existing Secure Web Gateway (SWG) or endpoint tool could detect and block those attacks.
Additionally, the team discovered that 75% of phishing links are hosted on known, categorized, or trusted websites, meaning that traditional security tools wouldn’t easily identify them as malicious or fly-by-night websites.
A timeline of browser security
The Internet has become the main avenue in which employees work, communicate, and access data. Remote browser isolation (RBI) took the world by storm and was at one point one of the top security technologies, per Gartner. It involves isolating each web session and tab through a secure cloud browser, then providing a “sanitized” stream of data to the end user’s browser, whether that be on a laptop, phone, PC, etc. This method was extremely popular, with many vendors implementing the technology rapidly.
Browser security extensions then entered the scene, providing a way for companies to implement their security policies across browsers both on managed and unmanaged devices. The browser extension approach proved highly popular, given it didn’t require companies to replace their entire browser but rather add security policies to what they already use.
Most recently, enterprise browsers were introduced, to implement entirely new browsers for employees to use. These replacement browsers work by enforcing all corporate work to go through them. For example, if an employee enters a link that leads to sensitive company information into a regular browser, the traffic would be redirected to go through the new enterprise browser instead. However, these replacement browsers skim over the real issue at hand, ignoring the complexities that inevitably arise. This band-aid approach to securing browsers opens an entirely new attack surface for IT and security teams to manage, not to mention a less-than-ideal and complex end-user experience.
For partners, third-party vendors, and contractors, the solution becomes fuzzier.
In summary, the enterprise browsers we are seeing emerge are not compatible with the Bring-Your-Own-Device (BYOD) reality we currently live in.
Organizations also need automated browser configuration assessment and instant attack surface analysis. There are thousands of settings and updates every two to four weeks within browsers. During 2023, 175 CVEs classified as high or critical were issued and over 125 new features were added to Chromium, the open-source web browser project that underpins both Google Chrome and Microsoft Edge. It takes considerable time to manually track configuration settings and feature additions. The lack of automated tooling has left a significant security gap within these enterprises.
A new method is needed, one that embraces the cloud-based, remote workforce we operate in and honors the user experience.
Read More:
AI for Enhanced Enterprise Solutions: Insights from TrailblazerDX Webinar
A new approach to browser security management in 2024
A solution that has emerged to transform browser security involves combining a secure cloud-based browsing capability and a centrally managed software module. Presented as an extension for all local browsers, organizations can easily implement and deploy from extension marketplaces.
In stark contrast to legacy VDI systems, the approach of marrying an extension with a cloud-based security element delivers modern secure remote access for unmanaged users and devices. It supports safe browsing, web filtering, isolated cloud browsing, exploit protection, and zero-trust access without frustrating end users and is significantly more cost-effective than VDI, network infrastructure-based, or replacement browser approaches.
In essence, this approach turns any browser into a secure enterprise browser, without the added security risk, complexity, and annoying end-user experience that the other approaches present.
Employees – using both unmanaged and managed devices – spend 80% of their workday on the browser, yet it is still not treated as an endpoint in need of targeted security and protection. And, we’ve explored that local browsers, pure RBI tooling, and replacement browsers are subject to attack.
Even with advanced local browser posture management reducing the attack surface and defending against local browser exploits, the installed footprint of the browser represents a risk.
Case in point – traditional approaches to cyber security are failing.
Phishing regularly evades all existing protections, and ransomware doubled in 2023 to over $1B in payments. Organizations should employ a cloud-delivered secure enterprise browsing solution to stop these attacks, once and for all. This will, in the end, allow them to realize the full benefits of a layered security architecture and a defense-in-depth strategy.
The result?
A safe, secure, and easy-to-navigate browsing experience for all.
Recommended:
