An emerging technology that is poised to grow dramatically given the explosion of Work From Home (WFH) scenarios caused by the global pandemic, Browser Isolation Technology (BIT) has been labeled by some prestigious industry analyst firms as nascent.
But given the stakes, CISOs are taking a closer look at BIT, which is a cybersecurity software designed to physically isolate an Internet user's browsing activity (and the associated cyber risks) away from their local networks and infrastructure.
There are a number of companies focused on BIT, with different architectures and approaches, but the goal is essentially the same: to isolate the web browser and a user's browsing activity as a method of securing those browsers from attacks and reduce the risks of ransomware and other malware.
When BIT is delivered to its customers as a cloud hosted service, this is known as Remote Browser Isolation (RBI) which enterprises can leverage without having to own, maintain and manage server infrastructure.
There are also client-side approaches based on client-side hypervisors, which do not depend on servers at all to isolate their users browsing activity and the associated risks. In this case, browsing activity is virtually isolated on the local machine. If you have excess resources for maintenance of isolation on operating system, you can benefit from the advantages of local isolation.
One of the new generation cyber security entrepreneurs in the world is Halis Osman Erkan, who established his latest start up, Isoolate, which has developed BIT/RBI solutions to address what Erkan calls the “ongoing browser wars.”
“One of the most remarkable moments in the early history of Internet was the United States vs. Microsoft (News - Alert) trial,” Erkan said. “In this lawsuit, US Attorney General Janet Reno charged Microsoft with engaging in anti-competitive and exclusionary practices designed to maintain its monopoly in personal computer operating systems and attempting to extend that monopoly to Internet browser software. This was just the beginning of the browser wars.”
Reno wrote in 1998:
“The Department alleges in its complaint that Microsoft has engaged in a series of anti-competitive practices, including misusing its Windows operating system monopoly by requiring computer manufacturers, as a condition of getting Windows, to adopt a uniform boot-up or first-screen sequence that promotes Microsoft's products; secondly, by attempting to persuade NetScape, an Internet browser software competitor, not to compete with Microsoft and instead divide up the browser market; by engaging in exclusionary contracts with providers of Internet and online services and Internet content providers; and by forcing computer manufacturers to purchase and install Microsoft's Internet browser as a condition of getting its Windows operating system.”
She ended saying, “In short, Microsoft used its monopoly power to develop a choke-hold on the browser software needed to access the Internet.”
“Twenty-two years later, the browser wars are now taking place in cyberspace, in between Microsoft and Google (News - Alert)” Erkan continued. “Despite lessons learned, we are running into similar situations, not only originating from tech giants but rogue organizations all over the world, conducting advanced offensives using high technology tools, attacking enterprises and individuals, and resulting in the meltdown of freedom and commerce.”
Cyberattacks have exploded in 2020, in large part due to the speed at which enterprises and organizations needed to switch hundreds of thousands of employees to remote working. These have come on the heels of the famous Equifax breach in 2017, resulting in more than 147 million US taxpayers’ social security information to be breached. This resulted in a fine larger than half a billion dollars.
“Within such a ruthless and cruel cyber war environment,” Erkan said, “CEOs, CIOs and CISOs, and board of directors responsible for the governance of the business, including risk management, are trying to mitigate a growing attack surface. In my opinion with the minimum investment, the largest impact can be gained with remote browser isolation. As the largest part of that surface for modern enterprises are Internet browsers.”
Erkan claims that more than half the breaches responsible for issues is the content downloaded from Internet or a link clicked in an email that results in automatic downloading of malware, citing reports from Gartner (News - Alert). “With COVID-19, adversaries and criminals are seeing their moment, and sending deep fake emails designed to look like even they came from the World Health Organization, which has resulted in countless attacks on enterprise systems, caused by a single employee who trusted that email – and their browser.”
Right after the millennium, Microsoft’s Internet Explorer reached massive penetration world-wide, followed by Mozilla’s (News - Alert) popular Firefox browser, and Apple’s Safari. In 2008, Google’s Chrome browser open-sourced its code base, and Chrome immediately gained huge momentum, driven by the popular Google Search Engine. Microsoft’s response (Bing) did not perform as expected and today has less than 5% of the market vs. Google with nearly 80% of the market.
“A browser is the number one tool for online advertising,” Erkan said, “therefore Google Chrome, Microsoft Edge, Baidu and others are in fierce competition to grab more market share.” (Microsoft Edge failed, and Microsoft has now joined the Google Chromium project). “Web Browsing ecosystem designed and optimized for advertising un-intentionally becomes the number one apparatus for attackers. In a targeted phishing campaign, which attacker does not want to send funny videos, including a phishing link to 30-40 years old white collars, working in the finance industry, in the tri-state area, and who owns cats? That’s what web browsing and its advertisement ecosystem are designed for; otherwise, we would have been paying for web browsers. No thought this is conflicting with any enterprise’s policies.”
“Given so many applications that now use the browser, including real time voice, video and collaboration tools, storage and sharing platforms, location-based services, and more, the reliance on the browser is pervasive and will never change. The situation is only growing worse and growing worse by the day. Because they are the friend of cyber criminals, browsers are now inherently evil, and while the competitive browser battles will continue, the real World War III is coming from cyber space which is why it is no longer an option to not take control of browsers if you are a business, government agency, educational institution or other entity where data and assets are of high value.”
So how do we solve for this? Erkan explained that it is important to enable employees to be productive, while also protecting assets.
“In an enterprise, you are generally allowed to use a very limited Internet Browser, allowing only a few sites, and ending up with a bad end-user experience. For example, a manager of a branch in a global bank was complaining that whenever she wants to use the Internet to perform a search on an individual applying for a loan (which is a part of the investigation) she had to talk to the IT department. This is a huge efficiency loss. Financial institutions are spending huge time, effort and money on educating their employees, who generally have degrees in Business Administration not in engineering, about browsers, their safe usage, phishing attacks and similar threats that may occur.”
Solutions do exist, Erkan said, noting that “the only solution that will work sustainably and cost-efficiently is isolating the browsers in a sandbox environment. “Isoolate eliminates vulnerabilities effectively through Isoolate remote browsers. The application is protected with an invisible isolation layer; users can seamlessly interact with the services without noticing that it is a live stream of a remote browsing session. On the other hand, malicious activities are not possible since there is no access to application code; the only interaction is made through pixels. Isoolate can render the whole application or just the critical parts as payment gateway interfaces such as 3D Secure.”
In 2017, Gartner identified remote browser (browser isolation) as one of the top technologies for security. The same Gartner report also forecast that more than 50% of enterprises would actively begin to isolate their internet browsing to reduce the impact of cyberattacks over the coming three years.
In October 2018, Gartner released a report on remote browser isolation. According to Menlo Security, “It ruffled feathers a bit throughout the cybersecurity industry by suggesting that enterprises can no longer assume that their traditional detect-and-respond security strategy was enough to stop all web-based malware attacks. Analyst Neil MacDonald argued that enterprises should stop trying to detect every attack and instead focus on ‘containing the ability of the attacker to cause damage and reduce the surface area for attack.’”
Fast forward to 2020, and according to Market Research Media, the remote browser isolation (RBI) market is forecast to reach $10 Billion by 2024, growing at CAGR 30% in the period 2019-2024.
Asked if COVID-19 has accelerated demand for RBI, Erkan said, “The pandemic has accelerated the demand for every quality cybersecurity solution, including RBI. Especially applying on-premises cybersecurity measures to any location that the employee is working is the key, we call this as “protection for the new normal”. The real issue, however, is that we are 100% at war with cyber criminals today, regardless of these uncertain times – we’re seeing attacks grow at a perilous rate, and by taking the challenge to the edge and by protecting individuals and organizations at the front line – through securing the browser – we can fight back and win.”
Arti Loftus is an experienced Information Technology specialist with a demonstrated history of working in the research, writing, and editing industry with many published articles under her belt.
Edited by Maurice Nagle