Remote Browser Isolation
A Zero Trust Cybersecurity Solution
The cat and mouse game of cybersecurity became the status quo over 40 years ago. A never-ending cycle started with the first computer virus, Creeper, in 1971. Hackers create new attacks, and organizations respond. Repeat. As hackers bypass existing security controls, organizations create and deploy new tools. Repeat. Hackers defeat new tools, and organizations go back to the whiteboard. Repeat. The Greeks knew this scenario. For an eternity, Sisyphus was sentenced to push a large rock up a steep hill, only to find it rolling back just before reaching the top.
Why can’t we break the cycle? With the frequency and sophistication of attacks increasing, organizations had to fight fires and did not develop a security technology architecture or strategy that could break the cycle.
The solution became part of the problem, the cybersecurity equivalent of the medieval castle and moat. Kingdoms add layer after layer of security to compensate for newly discovered weaknesses in existing layers. We rarely remove layers, so complexity, the enemy of cybersecurity, increases, along with the need for more experts to operate the tools. Like medieval kingdoms, organizations spend more and more on cybersecurity, yet attacks still get through.
Like Hans Brinker, the boy who put his finger in the dike to stop the leak and save the town, security professionals make heroic efforts. Unlike Hans Brinker, stopping the small problem does not stop the large problem of cyberattacks.
It’s time to stop and reevaluate how we’re building our security architectures. No security is perfect, so we protect what matters most, most. No one has an unlimited budget, so we focus on the best value. No one knows all threat types hackers will create or all vulnerabilities they will exploit, so we don’t rely on detection. We know the frequency of attacks will increase in the future, so our strategy must scale. The silver lining to cybersecurity spending is we can reallocate the time lost to chasing false alerts and reimaging compromised machines to tasks that help improve business functionality and productivity.
As in life, there’s no such thing as no risk for cybersecurity. We have a choice between the status quo and security strategies that decrease risk and costs. You may ask yourself, if I choose Zero Trust for my long-term security strategy, what should I do first for Zero Trust in 2020?
What is my Largest Attack Surface?
No matter what industry your organization is in, there is a good chance you are already working to assess and identify areas at risk for a cyberattack. If you are in a heavily regulated industry, your organization carries an even heavier burden requiring you to demonstrate how you are securing those vulnerabilities. What is the largest attack surface you can shrink to reduce your risk and lower your compliance costs?
Organizations cannot afford to disconnect from the internet, yet internet connectivity breaks isolation and opens the door to our largest area of vulnerability.
Attacks coming from the internet make up the largest exposed attack surface in most organizations, an estimated 98% of all endpoint compromises.¹ Almost all successful attacks on users originate from the public internet and many involve web-based attacks.²
The browser is the only application on the endpoint that regularly downloads and executes code from both trusted and untrusted networks. Because ports 80 and 443 on corporate firewalls are always open to web traffic, there is a direct connection between internal users and external websites, even if it passes through a web proxy. It’s not surprising that hackers never run short of attacks to exploit the inherent vulnerabilities associated with browser code and plug-ins.
With the largest portion of the attack surface allocated to a single threat vector, our biggest opportunity is to secure the browser: maximum impact with minimum effort.
¹ Riley, Steve; MacDonald, Neil; and Young, Greg, “It’s Time to Isolate your Services from the Internet Cesspool,” Gartner, September 2016.
² MacDonald, Neil, “Innovation Insight for Remote Browser Isolation,” Gartner, 2018.
The Zero Trust Security Strategy
So how do we secure what matters most, most? The best way to ensure that no attack can damage your network or endpoint is to deny access to all potential attacks. The Zero Trust security model asserts “never trust, always verify.” No attack can penetrate your network and access your endpoints when you don’t trust the internet and replace the direct connection between internal users and external websites with Zero Trust isolation. The Zero Trust model extends to all attack types: web, email, files, and web apps. Zero Trust enables truly preventative security that stops threats before giving them access to your system.
The first step in securing the largest area of vulnerability, and the biggest portion of the attack surface, is the browser. How do we implement a policy of Zero Trust in the browser?
What is Browser Isolation?
Browser isolation is a preventative cybersecurity architecture where the web browser runs isolated from the local network and endpoints. When a user browses the web, the web objects are fetched and executed in isolation, not on the endpoint. Only the display, streamed as harmless pixels, reaches the endpoint. Grounded in the principles of Zero Trust security, the solution intercepts threats and denies access to incoming code, preventing it from harming the endpoint and network.
Browser Isolation Types
The browser isolation solution is available in different architectures to match customer deployment models. The isolation process can take place on an endpoint or through a gateway. On the endpoint, isolation can happen as a virtual browser. Through the gateway, the browser runs as a virtual machine or in a container. From there, the browsing session is relayed back to the user through either DOM mirroring or pixel streaming processes.
Gateway Browser Isolation
Gateway isolation is isolation performed by separating the browsing process from the endpoint. Full web isolation is possible because an appliance or cloud service stops incoming threats before they reach the endpoint and secures them in a disposable virtual environment before returning the rendered web page to the user. The gateway can direct each web request from the endpoint to the isolation solution, no software installation needed. By applying isolation technology to the entire network, rather than individual endpoints, all external web content is isolated and rendered outside of the network, and never allowed to access endpoint devices. This network isolation strategy effectively eliminates the web browser as the primary vector for cyberattacks on businesses.
Endpoint Browser Isolation
Endpoint isolation takes place on the user’s endpoint. This architecture introduces complexity from software installation on every endpoint, limited device support, and resource requirements to run the isolation software. If any endpoint does not have isolation installed, it creates a gap for attacks to penetrate the organization.
Running software-based or hardware-assisted isolation on a local machine has inherent risks. No software is perfect. The isolation can be breached through targeted attacks, giving hackers full access to all files and resources on the endpoint and a pivot point inside the local network. Vendors have offered hardware-assisted endpoint isolation, which sounds good in theory, but is not viable in customer environments. Enterprises cannot deploy and maintain the solution due to the hardware and software dependencies coupled with the complexity of the deployment, configuration, and updates.
Isolation depends on virtualization to be secure, performant, and affordable. When running remotely, a virtual browser may use virtual machines or containers. Both provide the functionality and security required. The choice is about performance and deployment density. How quickly do new sessions start up? As virtual browser sessions multiply, how do the underlying compute and memory resources scale? A disposable browser provides an extra layer of protection because the solution creates a new container or VM at session startup, then disposes of the container/VM at session end. No remnants of user activity, such as web cookies, browser history, or file downloads, remain.
Partial Isolation isn’t True Isolation
Every browser session requires the fetch, execute, and render functions to complete before the end user can see the web page. With gateway isolation, the fetch and execute functions are performed remotely. Rendering is performed through one of two processes, pixel streaming or DOM mirroring; one of these renders remotely, the other locally.
The DOM mirroring approach to web isolation maintains the actual content type and the dynamic way it is represented in the web browser. Web isolation via DOM mirroring actively monitors the currently loaded webpage tab for any changes, translates those changes into DOM commands, stripping away underlying active content, and sends those commands to a user’s device. In this manner, a ‘safe’ web page is rendered on the user’s device and is automatically updated in sync with the original webpage. The risk is partial isolation because some web objects are delivered to the endpoint for rendering.
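A minimal sketch of the DOM mirroring step described above, added here as an illustration and not taken from any vendor's product. The page snapshot, the command format, and the function names mirror and endpointParsers are assumptions made for this example; it shows which active content is stripped and which content types the endpoint's own browser engine must still parse.

```javascript
// Constructed snapshot of a remotely loaded page (plain objects, not a real DOM).
const page = {
  tag: 'body', attrs: {}, children: [
    { tag: 'style', attrs: {}, text: '@font-face{src:url(/f.woff2)} h1{color:red}' },
    { tag: 'h1', attrs: { onclick: 'track()' }, text: 'Quarterly report' },
    { tag: 'a', attrs: { href: 'javascript:steal()' }, text: 'Download' },
    { tag: 'img', attrs: { src: '/chart.svg', onerror: 'x()' } },
    { tag: 'script', attrs: { src: '/app.js' }, text: '' },
    { tag: 'iframe', attrs: { src: 'https://ads.example/frame' } },
  ],
};

const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed']);
const URL_ATTRS = new Set(['href', 'src', 'action']);

// Translate the remote tree into DOM commands for the endpoint,
// stripping active content on the way (hypothetical command format).
function mirror(node, parentId = 0, out = { cmds: [], stripped: [], nextId: 1 }) {
  if (ACTIVE_TAGS.has(node.tag)) {
    out.stripped.push(`<${node.tag}>`);
    return out;
  }
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const lower = name.toLowerCase();
    // Simplified scheme check; a production filter must normalise URLs first.
    const scriptUrl = URL_ATTRS.has(lower) && /^\s*javascript:/i.test(value);
    if (lower.startsWith('on') || scriptUrl) out.stripped.push(`${node.tag}@${name}`);
    else attrs[name] = value;
  }
  const id = out.nextId++;
  out.cmds.push({ op: 'create', id, parentId, tag: node.tag, attrs, text: node.text || '' });
  for (const child of node.children || []) mirror(child, id, out);
  return out;
}

// Content types the endpoint's own browser engine still parses after mirroring.
function endpointParsers(cmds) {
  const seen = new Set(['html']);
  for (const c of cmds) {
    if (c.tag === 'style' || 'style' in c.attrs) seen.add('css');
    if (c.tag === 'img') seen.add('image');
    if (/@font-face/.test(c.text)) seen.add('font');
  }
  return [...seen].sort();
}

const result = mirror(page);
console.log(result.stripped, endpointParsers(result.cmds));
```

Scripts, inline handlers and the iframe are removed, yet markup, CSS, image and font data still reach the endpoint for local parsing, which is the partial isolation the paragraph describes.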
While DOM mirroring reduces risk, it does not provide full isolation. Pixel streaming is a full isolation solution.
With pixel streaming, the content processed by the fetch and execute functions is rendered remotely as harmless pixels and then streamed back to the user. Pixel streaming allows all fetch, execute, and render functions to be performed remotely, away from the endpoint, providing complete and comprehensive isolation in which no outside code is delivered to the endpoint.
Choosing the Right Type of Isolation
Choosing the right type of browser isolation for your organization can be tricky, but it doesn’t have to be. Knowing how isolation works will help you determine which execution methods work best for you.
Another major consideration for isolation buyers is understanding what the service will be like once you are a customer. Be sure you understand what the vendors agree to in a Service Level Agreement (SLA). Before making the purchase decision, take the product for a test drive and run a proof of concept to make sure it meets your requirements.
Implementing a Zero Trust strategy with remote browser isolation will reduce the cybersecurity risk to your organization, without changing the end-user experience, and allow your IT Security teams to simplify your security strategy, lower your costs, and deliver immediate protection. Simply put, if you could stop breaches before they happen, would you choose not to?
To learn more about the Isla Isolation Platform, visit www.cyberinc.com to request a demo.
Cyberinc helps you experience a safer Internet by proactively stopping web, email, and document-based threats. Cyberinc’s Isla platform uses cutting-edge isolation technology to neutralize threats and prevent them before they have a chance to act, simplifying the security strategy and delivering immediate protection. Cyberinc is trusted by businesses of all sizes and governments around the world.