The browser is the nerve center of the modern workspace. Ironically, however, the browser is also one of the least protected threat surfaces of the modern enterprise. Traditional security tools provide little protection against browser-based threats, leaving organizations exposed. Modern cybersecurity requires a new approach based on the protection of the browser itself, which offers both security and frictionless deployment.
In an upcoming live webinar (Register here), Or Eshed, CEO of browser security company LayerX, and Christopher Smedberg, Director of Cybersecurity at Advance Publishing, will discuss the challenges facing modern enterprise in the new hybrid-work world, the gaps found in existing security solutions, and a new approach to securing the modern enterprise workspace, which is centered on the browser.
The Browser is Where Work Takes Place
The browser is the key to the organization's critical assets. It connects all organizational devices, identities, and SaaS and web applications. Forrester's Workforce Study 2023 found that 83% of employees are able to accomplish all or the majority of their work within the browser. Similarly, Gartner predicts that by 2030, enterprise browsers will be the core platform for delivering workforce productivity and security.
Key Threats Facing Organizations Today
The browser also has access to users' online activities, stored credentials and sensitive data, making it an enticing choice for attackers. Yet, ironically, the browser is also one of the least protected threat surfaces of the modern enterprise. Organizations today face a wide range of security threats originating or occurring in the browser. These include:
- Identity security and trust: Attacks aimed at gaining unauthorized access to a user's account and credentials and leveraging them to commit malicious activities. Such attacks can be facilitated through phishing, account takeover, credential theft, and more.
- GenAI data leakage: Employees inadvertently pasting or typing sensitive corporate data into GenAI chatbots, applications, or extensions. This data might include source code, customer information, financial data, or proprietary business information.
- Shadow SaaS: Employees using SaaS applications that weren't vetted by IT due to personal convenience or frustration with operational processes. Or, employees using personal credentials to access corporate applications. In either case, such use exposes the organization to data breaches, credential theft, and misuse.
- Contractors and 3rd-parties: The human and business supply chain organizations rely on to drive productivity and get access to global talent. These entities have access to corporate data, since they require it to perform their jobs. However, they usually use unmanaged devices outside of the organization's control, which do not conform to the organization's security policies. This significantly raises the risk of data loss or system compromise.
Why Existing Security Solutions Are Not Enough
The CISO's security stack is packed with security tools. However, despite being told otherwise, these solutions cannot adequately protect against web-borne and browser-based threats. As a result, they leave CISOs with critical gaps that expose the organization to data loss and account takeovers.
For example:
- Secure Web Gateways (SWG): Protect against malicious websites, usually with lists/feeds of known malicious sites, at the URL/domain level.
The challenge: SWGs struggle with 'zero-hour' attacks/domains that are not in their database, as well as with attacks which use embedded elements (i.e., the URL is 'clean' but contains an embedded element which is not scanned by the gateway). They also cannot protect against threats that exploit web page timeouts.
- CASB: Used for securing SaaS applications and managing identities.
The Challenge: CASBs provide partial protection against shadow SaaS (e.g., if it is not a pre-approved SaaS application), and cannot track user activity within the application (e.g., if uploading a sensitive file they're not supposed to). They also struggle with some sites' encryption (e.g., in-app encryption like WhatsApp, certificate pinning, etc.).
- Endpoint agents (anti-virus, endpoint DLP, EDR/XDR, etc.): Protect files by scanning and tagging them.
- The Challenge: These solutions are very file-centric, which means they struggle to track data in motion (e.g., copy/pasting sensitive data to a GenAI application in the browser). In addition, they don't have visibility into what's happening inside the browser.
Why It Makes Sense to Move Security Into the Browser
A browser-based approach is becoming essential to minimize risks employees are encountering on a daily basis. The main advantages of a browser security solution include:
- Most of the user work happens within the browser. For example, accessing cloud applications, engaging in online collaborations, or using various web-based tools. Integrating security directly into this environment provides protection at the point of risk itself. This enhances the security posture, saves costs, and minimizes the disruption to user workflows.
- Organizations can more effectively monitor and control user activities with browser security. This includes tracking which SaaS applications users log into, the credentials they use, and overseeing actions like copy/pasting sensitive data or interacting with Generative AI chatbots. Such capabilities allow for real-time, contextual security interventions that prevent data leaks and misuse within the very platform where these risky interactions occur.
- Browser-based security operates effectively irrespective of the encryption methods used in the data transmission. Since this approach focuses on what happens at the user's endpoint—directly within their browser—it can provide visibility into user actions and data handling without needing to decrypt the traffic. This capability saves resources, respects privacy, and safeguards encryption standards, while still maintaining a strong security posture.
- Traditional security measures lack technological advancement. They often rely on URL reputations to block potentially harmful sites. However, this method can be circumvented or fail to catch newly compromised sites. Browser-based security enhances protection by inspecting each element of a web page individually. This granular approach allows for the detection of malicious scripts, iframes, or other embedded threats that might not be apparent through URL analysis alone. It ensures a deeper and more precise scrutiny of web content, required for today's web-based attacks.
Browser Security Flavors
There are three main types of browser security solutions:
- Browser extensions - These are security overlays 'on-top' of any existing browser. This approach simply adds the required security controls to the browser without requiring users to change the way they work. This allows employees to keep using their browser with minimal disruption. Combined with easy deployment, browser extensions drive productivity and content.
- Remote browser isolation (RBI) - The traditional browser security approach. RBI executes web page code in a containerized environment and 'streams' output to user. However, it is extremely resource intensive and expensive, introduces high latency, and 'breaks' modern web apps (e.g., if they have a lot of dynamic elements, etc.) due to compatibility issues.
- Enterprise browsers - These tools have garnered plenty of attention. While they are a step in the right direction, they still mandate users to use a separate standalone application, in place of existing browsers. This is a fundamental problem because it forces the user to change the way they work, impacting productivity and creating frustration. In addition, they are 'noisy' and complicated to deploy, creating user friction, and, consequently, IT and leadership friction.
Register to this webinar to get special insights and tidbits that will help you secure your modern workplace.
Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.