What businesses SHOULD know about enterprise browser security

July 25, 2024Hacker newsBrowser Security / Enterprise Security

The browser is the nerve center of the modern workspace. Ironically, the browser is also one of the least protected threats in today’s businesses. Traditional security tools provide little protection against in-browser threats, leaving organizations at risk. Modern cyber security requires a new defense-based approach the browser itself, which ensures security and seamless deployment.

In an upcoming live webinar (Register here), Or Ashed, CEO of browser security company LayerX, and Christopher Smedberg, Director of Cyber ​​Security at Advance Publishing, will discuss the challenges facing today’s businesses in the new world of hybrid work, the gaps in existing security solutions, and a new approach to securing today’s an enterprise workspace that focuses on the browser.

The browser is where the work happens

The browser is the key to an organization’s most important assets. It connects all organizational devices, identities, SaaS and web applications. The Forrester Workforce Study 2023 found that 83% of employees are able to do all or most of their work in a browser. Similarly, Gartner predicts that by 2030, enterprise browsers will be the primary platform for improving workforce productivity and security.

The main threats facing organizations today

The browser also has access to users’ online activities, stored credentials, and sensitive data, making it an attractive choice for attackers. Yet, ironically, the browser is also one of the least protected threats in today’s enterprise. Organizations today face a wide range of browser-based security threats. These include:

• Identity security and trust: Attacks aimed at gaining unauthorized access to a user’s account and credentials and using them to perform malicious actions. Such attacks can be carried out through phishing, account hijacking, credential theft, etc.
• GenAI data leak: Employees inadvertently insert or enter sensitive corporate data into GenAI chatbots, apps, or extensions. This data may include source code, customer information, financial data, or proprietary business information.
• Shadow SaaS: Employees using SaaS applications that have not been audited by IT due to personal convenience or frustration with operational processes. Or employees use personal credentials to access corporate applications. Either way, such use exposes the organization to data breaches, credential theft, and misuse.
• Contractors and third parties: People and business supply chain organizations rely on increased productivity and access to global talent. These entities have access to corporate data because they need it to do their jobs. However, they typically use unmanaged devices outside of the organization’s control that do not comply with the organization’s security policies. This greatly increases the risk of data loss or system hacking.

Why existing security solutions are not enough

A CISO’s security stack is filled with security tools. However, despite claims to the contrary, these solutions cannot adequately protect against web-based and browser-based threats. As a result, they leave CISOs with critical gaps that expose the organization to data loss and account hijacking.

For example:

• Secure Web Gateways (SWG): Protect against malicious websites, typically with URL/domain-level lists/feeds of known malicious websites.

Problem: SWGs combat zero-hour attacks/domains that are not in their database, as well as attacks that use embedded elements (eg a URL that is “clean” but contains an embedded element that is not scanned by the gateway). They also cannot protect against threats that use web page timeouts.

• CASB: Used for SaaS application security and identity management.

Problem: CASBs provide partial protection against shadow SaaS (for example, if it is not a pre-approved SaaS application) and cannot track user actions within the application (for example, when a sensitive file is downloaded, they should not). They also have difficulty encrypting some sites (like in-app encryption like WhatsApp, pinning a certificate, etc.).

• End agents (antivirus, DLP endpoint, EDR/XDR, etc.): Protect files by scanning and tagging them.
• Problem: These solutions are very file-centric, which means they have a hard time tracking data in motion (eg copying/pasting sensitive data into a GenAI program in a browser). Also, they don’t see what’s going on inside the browser.

Why it makes sense to move security to the browser

A browser-based approach becomes necessary to minimize the risks that employees face on a daily basis. Key benefits of a browser security solution include:

• Most of the user’s work takes place in the browser. For example, accessing cloud applications, engaging in online collaboration, or using various web tools. Integrating security directly into this environment provides protection at the very point of risk. This improves security, saves costs and minimizes disruption to user workflows.
• Organizations can track and control user activity more effectively with browser security. This includes tracking which SaaS applications users log into, the credentials they use, and monitoring actions such as copying/pasting sensitive data or interacting with Generative AI chatbots. Such capabilities enable real-time, contextual security intervention that prevents data leakage and misuse on the very platform where these risky interactions occur.
• Browser-based security works effectively regardless of the encryption methods used in data transmission. Sbecause this approach focuses on what happens at the user’s endpoint – directly in their browser – it can provide visibility into user actions and data processing without the need to decrypt traffic. This capability saves resources, preserves privacy, and enforces encryption standards while maintaining strong security.
• Traditional security measures lack technological progress. They often rely on URL reputation to block potentially malicious sites. However, this method can be bypassed or not catch newly compromised sites. Browser-based security increases protection by checking each element of a web page individually. This granular approach allows you to detect malicious scripts, iframes, or other embedded threats that may not be visible through URL analysis alone. This provides the deeper and more accurate analysis of web content required for modern web attacks.

Browser security flavors

There are three main types of browser security solutions:

• Browser extensions – These are security overlays “on top” of any existing browser. This approach simply adds the necessary security controls to the browser without requiring users to change the way they work. This allows employees to continue using their browser with minimal disruption. Combined with easy deployment, browser extensions enhance performance and content.
• Remote Browser Isolation (RBI) – Traditional approach to browser security. RBI executes the web page code in a containerized environment and “streams” the output to the user. However, this is very resource-intensive and expensive, introduces a lot of latency, and “breaks” modern web applications (eg if they have a lot of dynamic elements, etc.) due to compatibility issues.
• Corporate browsers – These tools have attracted a lot of attention. While they are a step in the right direction, they still force users to use a separate standalone app instead of existing browsers. This is a fundamental problem because it forces the user to change the way they work, which affects productivity and causes frustration. In addition, they are “noisy” and difficult to deploy, creating friction between users and, as a consequence, friction between IT and management.

Register for this webinar for exclusive information and tidbits to help you protect your modern workplace.