Web Security

    Browser Isolation: An Essential New Web Security Layer

    by Bill Camarda

    Key Points

    • Browser isolation is an additional security layer that protects people, systems, and networks by completely separating them from dangerous sites and their malicious content.
    • Cloud-based, server-side, containerized browser isolation offers the scalability, performance, and value that most organizations need.
    • Integration and control matter: choose solutions that work well with other tools and help you manage tradeoffs based on your own risk tolerance.

    The threat landscape changes at extraordinary speed. According to a recent analysis by Palo Alto Networks, some 200,000 new domains come online every day, 70% of them malicious, suspicious, or “not safe for work.”[1] What’s more, many only exist for a few hours before they blink off, to be replaced by others. In this fast-changing environment, no single security solution can protect against all threats. That’s why browser isolation is so important: It provides an additional security layer for blocking malware and malicious links, helping you safeguard your people and digital assets far more effectively.

    No Single Security Technology Can Be 100% Effective

    To safeguard web users against phishing and other attacks, security providers typically profile sites to identify signs that they may be malicious or suspicious. But it’s impossible for any security product to identify all potentially malicious sites when hundreds of thousands of them appear every day and vanish just as quickly.

    Exacerbating the problem, a fast-growing phishing-as-a-service industry has emerged, as a recent report from Cyren points out. These cybercriminals have made it easy to launch phishing sites and campaigns for as little as $50-$80 per month, using sophisticated templates that impersonate platforms including SharePoint, Office 365, and LinkedIn. In the first half of 2019 alone, Cyren found over 5,000 unique new phishing kits.[2] As Mimecast Senior Product Marketing Manager Duncan Mills observes, these “democratize web-based cybercrime, making it easy for anyone to launch a phishing attack. Compounding the problem, they’re being rolled out onto these new domains at a very high rate.”

    What’s more, says Mills, higher-end phishing kits and services embed more built-in tactics to evade detection. “For example, they’ll host Office 365 phishing sites on Azure, so their sites present a valid Microsoft SSL certificate. And they use encoding techniques to obfuscate words and logos that are indicative of phishing. So they may change a few pixels in a PayPal logo so it presents a different fingerprint,” because they know security companies flag sites containing suspicious PayPal logos.

    Top security providers know these techniques, and can protect you from most malicious sites, most of the time. But criminals’ techniques keep evolving, and even a single compromise can be disastrous. For instance, phishing site-related account takeovers are now often integrated into sophisticated multi-stage spear phishing attacks. Once attackers enter your network, they move quickly: according to recent CrowdStrike research, they “break out” in an average of less than 2 hours, gaining the deeper access they need to move laterally across the network.[3]

    Mills points out another problem: the final stage of malware detection typically includes sandboxing. But sandboxing can take minutes to decide if a piece of code is safe. Web users can’t wait that long, so web security systems typically deliver a file to users, and then scan it. If it’s malware, “patient zero” has already been infected. Modern ransomware can start encrypting files in as little as three seconds, so by the time it’s recognized, you can have a serious incident on your hands. Responding is difficult even if you’re the rare organization that’s fully staffed with all the security expertise you need.

    What Browser Isolation Does and How It Works

    Security pros have long understood that no single technology will ever be infallible: that’s why they’ve depended on layering as a key strategy for hardening their environments.

    This new layer of web security aims to create an unbridgeable gap between the user’s browsing session and the rest of your IT environment, so attacks can’t cross over, compromise users, and infiltrate your systems.

    Some browser isolation solutions operate on the client side, often using some form of virtualization. With these solutions, you have to manage the client code, and you might worry that you’re not getting true physical isolation, since risky browsing still occurs on the same device.

    As Gartner’s 2018 report noted,[4] remote browser operation based on server-side solutions provides stronger isolation. In this scenario, all browsing activity occurs on a remote server, physically separate from the user’s device—and that’s where potentially malicious downloadable content stays as well. All that’s streamed to the user’s device are the pixels or other instructions needed to present the same display they would see if they were running a local browser. The user’s keyboard and mouse movements are sent back to the server for execution.

    Early server-side solutions relying on virtualization were often expensive and difficult to scale. Some newer solutions use containerization instead, making them easier to deploy widely at lower cost.

    There’s one more high-level choice to make: deploy browser isolation on servers or appliances you own, or purchase it as a service? As with other IT applications—and increasingly, security services such as email and web gateways—the SaaS model offers compelling advantages. Upfront costs are lower. Cloud-based SaaS infrastructures scale remarkably well, so it’s easier to roll out browser isolation wherever you want it. IT organizations can offload application management. So, too, the provider is responsible for guaranteeing performance. By meeting that commitment, they overcome a traditional concern about remote browsing: performance.[5]

    Considerations in Choosing a Solution

    Of course, you’ll want to test the browser isolation technology and user experiences you’re considering. As you do, here are a few questions to ask:

    Is the browser isolation solution well integrated with your existing email and web security? For example, can you use common policies, and manage them through a shared dashboard? Can you make a website read-only, so users can’t even input their credentials on potentially unsafe sites?

    Is it flexible? Do you have granular control over tradeoffs of complexity, user experience, cost, and protection? Can you use policies and risk scoring to control which types of sites and users are required to use browser isolation, based on your risk tolerance?

    Is it efficient? Some products require large amounts of bandwidth. Protocols and encoding techniques can make a big difference. For example, as Mills observes, X.264 video stream encoding is exceptionally efficient (which is why it’s used by YouTube, Facebook, and Vimeo). Mills says that X.264, combined with well-designed lightweight streaming protocols, can actually use less bandwidth to display some sites via remote browsing than if they were accessed directly on a local browser.

    Does it promote easier, more cost-effective incident investigation? Can you easily get visibility on target content run through the isolated browser? Can you explore that content remotely without having to create and manage your own isolated test environment?
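    To make the integration and flexibility questions above concrete, here is an added sketch (not code from any vendor or product) of a policy that routes each request to direct browsing, isolation, read-only isolation, or a block. The thresholds, group names, and the decide function are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    DIRECT = "direct"                # local browser, no isolation
    ISOLATE = "isolate"              # rendered remotely, user can interact
    ISOLATE_READ_ONLY = "read_only"  # rendered remotely, form input disabled
    BLOCK = "block"

@dataclass
class Policy:
    # Illustrative thresholds (assumptions); tune them to your risk tolerance.
    block_at: int = 90          # risk score (0-100) at or above which to block
    isolate_at: int = 40        # risk score at or above which to isolate
    new_domain_days: int = 30   # domains younger than this count as "new"
    high_risk_groups: frozenset = frozenset({"finance", "executives"})

def decide(policy: Policy, risk: Optional[int],
           domain_age_days: Optional[int], user_group: str) -> Action:
    """Map a site verdict and a user group to a browsing action."""
    # No verdict yet (a domain nobody has profiled): do not fail open.
    # Render remotely and disable input so credentials cannot be typed.
    if risk is None or domain_age_days is None:
        return Action.ISOLATE_READ_ONLY
    if risk >= policy.block_at:
        return Action.BLOCK
    is_new = domain_age_days < policy.new_domain_days
    # Frequently targeted groups get half the default isolation threshold.
    strict = user_group in policy.high_risk_groups
    threshold = policy.isolate_at // 2 if strict else policy.isolate_at
    if is_new and risk >= threshold:
        return Action.ISOLATE_READ_ONLY   # new and risky: no credential entry
    if is_new or risk >= threshold:
        return Action.ISOLATE
    return Action.DIRECT

# Constructed sample requests: (risk, domain_age_days, user_group)
SAMPLES = [
    (5, 4000, "engineering"),   # established site, low risk
    (55, 2, "engineering"),     # two-day-old domain, elevated risk
    (25, 900, "finance"),       # moderate risk, targeted group
    (None, None, "sales"),      # never-seen domain, no verdict
    (95, 1, "sales"),           # near-certain malicious
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decide(Policy(), *sample).value)
```

    Lowering isolate_at sends more traffic through isolation, which is the tradeoff among cost, user experience, and protection that the questions above ask about.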

    The Bottom Line

    The best way to keep web-based malicious content out of your network is to keep it far away from users. Cloud-based browser isolation services help you do that, by keeping malicious content on someone else’s server. Today’s best container-based solutions are efficient, cost-effective, flexible, and easy to manage—providing an important additional layer of security to complement secure web and email gateways.

    [1] “Newly Registered Domains: Malicious Abuse by Bad Actors,” Palo Alto Networks

    [2] “Evasive Phishing Driven by Phishing-as-a-Service,” Cyren

    [3] “What is Network Lateral Movement?,” CrowdStrike

    [4] “Innovation Insight for Remote Browser Isolation,” Gartner Inc.

    [5] “The Promise of Browser Isolation: A Panacea with a UX Problem?,” Computer Business Review
