Digital transformation, the rapid embrace of hybrid/remote work models, and myriad other factors contribute to the reality that most work today is conducted in web browsers. Forrester estimates that enterprise employees spend 75% of their device time in web browsers. Cybercriminals are well aware of how much time people spend in web browsers and, as a result, are increasingly targeting the browser as an initial access point to the network. What’s more, they are leveraging sophisticated tactics that evade detection-based security tools and other defense methods that previously helped keep organizations safe.
In 2024, browser security will be a primary focus for security and business leaders due to the following trends.
Highly Evasive and Adaptive Threats (HEAT) Will Dominate Modern Attack Techniques
The cybercriminal playbook changes rapidly, oftentimes faster than security teams and their defenses can keep up. This has been a well-known weakness in the landscape, and yet, after years of technological innovation, we are still facing threats that weave past what many consider to be the most comprehensive security platforms. For example, highly evasive threats exploit vulnerabilities in web browsers, using a variety of evasive techniques to get around detection-based security tools. These threats include multi-factor authentication (MFA) bypass, HTML smuggling, leveraging malicious password protections, and Legacy URL Reputation Evasion (LURE).
Many recent headline breaches fall into the category of highly evasive threats. In LURE attacks, adversaries evade URL filtering defenses by creating trusted websites, or infiltrating existing ones, and planting malware on them, slipping past web filters that attempt to categorize domains based on trust. SEO poisoning uses similarly evasive techniques: it is a type of cyberattack that attempts to exploit SEO algorithms for malicious purposes by manipulating a website's content and code to raise its ranking on search engine results pages (SERPs). For example, researchers have seen the top result for a Honda manual lead to a Russian cybercriminal site, highlighting that the scale of SEO poisoning is at a level we haven’t seen in previous years. Another threat that evaded security tooling was the recent Ducktail malware campaign, in which threat actors sent out malware camouflaged as a PDF file hidden among images of authentic products from well-known companies. In this case, cybercriminals strategically evaded detection tools by infiltrating trusted images and links.
HEAT campaigns are well crafted and carefully thought out, and they have very high success rates. Cybercriminals don’t like reinventing the wheel if they don’t have to, and given this proven success rate we will surely see an increase in these types of attacks in 2024. Because of this, organizations must consider advanced browser security solutions that can thwart these attacks.
Browser Security Will Be on the Roadmap of Every CISO
The browser will continue to be a conduit for highly evasive threats. We are not necessarily witnessing an increase in the frequency of attacks, but rather attacks that are far more effective, despite the continued investment in security infrastructure.
According to Gartner, worldwide end-user spending on IT security is projected to total $215 billion in 2024, an increase of 14.3% from 2023. Organizations are spending billions of dollars on security tooling, yet security attacks continue to make headlines daily. CISOs recognize the danger of highly evasive threats and are addressing browser security as part of their strategic plans for 2024 and beyond. However, there are multiple routes to consider.
Enterprise browsers, separate and controlled browsers for use in corporate environments, are gaining a lot of market momentum. In a tight economy, Palo Alto Networks is buying Talon for $625 million. Island.io has raised $285 million, and even giants like Microsoft and Google are updating their browsers with enterprise browser capabilities. This rich market is a recognition of the importance of browser security. However, CISOs are already grappling with an ever-expanding attack surface.
Adding another browser only compounds this issue. Combined with how difficult it can be to ensure seamless integration between SaaS applications and the enterprise browser, this leaves CISOs facing a hefty decision on how to construct the right architecture.
Despite the hype, enterprise browsers are currently limited to unmanaged devices. By contrast, hundreds of thousands of corporate devices are not installing a new browser, resulting in a mismatch of security posture that still needs to be reconciled. As much excitement as there is in the enterprise browser market, this solution still leaves a significant gap and adds unnecessary complexity.
To secure the browser, CISOs will look to different offerings that go beyond installing a new enterprise browser.
From security teams’ ability to manage existing browsers like Chrome and Edge to browser extensions for the last mile of security, browser security is the hot item on every security leader’s agenda. CISOs and their teams will be focused on determining which approach best secures their infrastructure without adding more attack surface.
Despite Companies Pushing for It, Many Employees Are Not Going Back to the Office Full Time
The work-from-home revolution that started during the pandemic has already lasted much longer than most people originally planned. Despite what many corporate leaders may envision, no enterprise company is going to have 100% of its workforce back in the office full-time – all day, five days a week. According to a recent Pew Research study, 35% of workers who can work remotely are doing so full-time, up from only 7% before the pandemic. Although these employees are slowly trickling back in year by year – 43% of those who can work remotely did so full-time in January 2022 and 55% in October 2020 – it is impossible to go back to a pre-pandemic work reality.
Although many large companies are implementing new in-person mandates, we will not see a mass migration back into the office in 2024 for most companies, specifically for SMBs. Since a hybrid workforce is here to stay, enterprises need to ensure that workers are productive and secure, independent of their location. Browser security, zero-trust access to enterprise applications, and SaaS security will continue to be center stage in 2024.