The rise of cloud applications and infrastructure makes the Web browser the logical place for instituting security controls to protect users from online threats. A growing number of networking and cybersecurity companies are following the trend and jumping into the secure-browser and browser-isolation market.
Palo Alto Networks, for example, is reportedly in talks to acquire Talon Cyber Security, a provider of local browser isolation technology. Startups such as Surf Security offer secure enterprise browsers, while consumer cybersecurity firms such as Gen — created by the merger of NortonLifeLock and Avast — and SquareX have begun offering secure browsers to the home market.
Finding ways to protect browser-based businesses are the newest market that’s heating up, with more companies every quarter attempting to fill the needs of cloud-native businesses, says Paddy Harrington, a senior analyst in Forrester’s security and risk group.
“With users spending that much time in browsers — whether it’s business productivity apps, email, or just personal browsing — if an attacker is going to target that user or endpoint, it’ll come through the browser,” Harrington says. He adds that different companies and users may have different requirements. “There’s no one right solution for every user — it’s part of the reason why, recently, enterprise browser vendors have been adding a browser security extension to their portfolio. This gives them better coverage to the enterprise’s needs.”
Secure browser and browser isolation make up an increasingly crowded market. Networking and Internet infrastructure firms, such as Cisco, Citrix, Cloudflare, Fortinet, Menlo Security, and Zscaler, have incorporated remote browser isolation into their product portfolio, while Check Point added a local browser isolation plugin, Harmony Browse. Talon Cyber Security is not the only startup to tackle integrating isolation into the browser. The approach — dubbed the enterprise browser or local browser isolation — has been taken by a variety of other firms, such as Authentic8, Island, LayerX, and Seraphic Security.
“Browser security is the emerging requirement that’s been driven by the consolidation of enterprise applications and associated clients into Web applications that are accessed through the browser,” says Mark Guntrip, senior director of cybersecurity strategy at Menlo Security.
Remote, On-Premises, or Local Isolation
The focus on the browser comes as more employees increasingly do their work through through the browser using software-as-a-service (SaaS) or Web applications. The majority of workers use the browser for all their work, while another third does most of their work in the browser, according to business intelligence firm Forrester Research.
The shift to more browser-based business is attracting attackers as well. Consumer cybersecurity firm Gen, for example, claimed to block approximately 180 million Web-based attacks in the second quarter.
“A very large quantity of successful cyber-attacks originates from the Web and either transit through a person’s Web browser or target the browser application directly,” says Ben Wadors, director of browser and search at Gen.
Companies have traditionally taken one of three different approaches: placing their technology in the cloud as a remote browser isolation (RBI) service; in an on-premises appliance; or as a custom browser or browser plugin, known as local browser isolation (LBI) technology.
As a remote browser isolation solution, for example, Menlo Security sits between its customers’ browsers and the Web resources being accessed. When a request is made, the RBI solution connects to the site and renders it in its cloud-based browser, shielding the user’s browser from any malicious activity, Menlo Security’s Guntrip says.
“In this way, the website that’s being visited only knows about the cloud browser that we operate; they have no idea about the end user on the other end of the connection,” he says. “All content that is accessed is processed and executed within our virtual cloud browser, ensuring that nothing malicious can reach the endpoint.”
Browser Isolation Is Critical for Zero Trust
The accelerated adoption of cloud applications and services during the coronavirus pandemic has resulted in cybersecurity firms rushing to fill gaps in the corporate cybersecurity controls. Zero trust solutions will often require more authentication and continuous monitoring, but also require protecting users’ interactions with the Web and cloud applications, according to Forrester.
In the end, companies just need to start to deploy some sort of browser security solution, says Forrester’s Harrington.
“Too many businesses run browsers within their enterprise and rely on other security solutions to provide protection,” he says. “Plenty of users have Chrome on their corporate laptop synched to their personal account, which can expose passwords, bring in malicious cookies, or unsupported and potentially dangerous extensions.”
Instead, companies should create unified policies for their browsers, and then add security controls to monitor and enforce those policies.