With 80% of web attacks being browser-borne, organizations are constantly exposed to various attacks when employees use their browsers. These include drive-by downloads, malvertising, malicious code injection, cross-site scripting and many others.
As a result, organizations are constantly searching for effective ways to protect against web-borne risks, threats and attacks. Some organizations turn to browser isolation security solutions in an attempt to deal with these attack vectors. In this article I will elaborate on why this approach is outdated and inefficient and argue that there are better and more secure browser security solutions to be considered.
What is Browser Isolation?
When a user visits a website, the browser retrieves the site’s files from a web server and then graphically renders the page on the device screen. From a security perspective, this is a prominent attack surface because it involves running code from an unknown source on the device.
Browser isolation is a technology that separates the process of loading web pages from users’ physical devices. That way, files and code cannot reach the user’s device and its operating system, which prevents potentially malicious code from running on a user’s device and reduces malware downloading risks.
In other words, browser isolation protects browsing activity from code-based threats by moving Internet activity away from a company’s local networks and infrastructure.
The Downsides of Browser Isolation
The browser isolation approach has many problems, including latency issues, user frustration, high costs, a subpar security posture and inefficiency. Furthermore, we believe browser isolation is no longer relevant in today’s threat landscape.
Some of the main challenges with browser isolation include:
Poor Latency and User Experience
Browser isolation is disruptive to the user. If the browser isolation is hosted on a public cloud or a geographically distant data center, the end user will usually experience poor browser speed and performance. Furthermore, every time users want to launch the browser, they will need to first hop through the browser isolation application. This may cause frustration, especially if the application is not updated in accordance with the browser, which can lead to some websites simply not working in browser isolation.
In addition, the isolation process severely disrupts dynamic web applications, as they are JavaScript-heavy and include a lot of client-side code rendering. With most SaaS applications operating that way, browser isolation is not a relevant tool for cloud-positive organizations.
Burdensome to the IT Team
The aforementioned latency and compatibility issues consume a lot of the IT team’s time as well. IT teams are required to install and update the browser isolation software on every endpoint device and then to attend to all the bugs and problems that arise. This challenge becomes more complicated when there are many employees to attend to, when employees work remotely and when third-party contractors also use the organization’s software.
As a result, IT teams endlessly deal with compatibility issues, unresponsive websites or suboptimal browsing, which distracts them from more important tasks.
High Costs
Browser isolation is not only uncomfortable to use, it is also pricey. Browser isolation solutions require all of an organization’s web traffic to be routed through the cloud. This continuous encoding of the traffic requires significant bandwidth, which makes the process of browser isolation resource-intensive and thus costly to the company. Third-party public cloud infrastructure, on which the isolation service is hosted, often incurs additional costs that are also passed along to customers. All in all, these make isolation solutions very expensive for organizations to use.
Browser Isolation is Used Sporadically and Leaves the Organization Exposed
As explained above, browser isolation is expensive and is disruptive to users. As a result, organizations often choose to use it only in specific settings. For example, the company can require its use only in teams with access to especially sensitive data or alternatively exempt the use of browser isolation when users access well-known domains such as Google, Microsoft or AWS.
This is unfortunate, as we’ve seen numerous phishing attacks that exploit AWS or Microsoft domains in the past year. Phishing campaigns have become more sophisticated and some manage to use legitimate domains to spread malware and steal personal data. So when the organization allows for partial use of browser isolation, it remains exposed to real, prevalent phishing attacks.
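The exemption gap described above can be audited from proxy logs. The following is an added example, not code from the original article or from any isolation product: the domain names, the tenant-hosting list and the function names are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed exemption list: "well-known" domains that skip isolation.
EXEMPT_SUFFIXES = {"bigcloud.example", "officesuite.example"}

# Constructed list: hosts under those same domains where the provider
# serves content uploaded by arbitrary customers.
TENANT_CONTENT_SUFFIXES = {
    "storage.bigcloud.example",
    "sites.officesuite.example",
}

# Constructed sample of URLs as they might appear in a proxy log.
SAMPLE_URLS = [
    "https://console.bigcloud.example/dashboard",
    "https://acme-login.storage.bigcloud.example/signin.html",
    "https://mail.officesuite.example/inbox",
    "https://bigcloud.example.lookalike.test/login",
    "https://unknown-site.test/",
]

def _host(url):
    return (urlsplit(url).hostname or "").rstrip(".")

def _matches(host, suffixes):
    # Match the domain itself or a true subdomain, never a bare substring.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def route(url):
    """Partial-use policy: exempted domains bypass isolation."""
    return "direct" if _matches(_host(url), EXEMPT_SUFFIXES) else "isolate"

def audit_exemptions(urls):
    """URLs that bypass isolation although a third party controls the content."""
    return [
        u for u in urls
        if route(u) == "direct" and _matches(_host(u), TENANT_CONTENT_SUFFIXES)
    ]

def route_hardened(url):
    """Same policy, but tenant-hosted content is never exempted."""
    if _matches(_host(url), TENANT_CONTENT_SUFFIXES):
        return "isolate"
    return route(url)

if __name__ == "__main__":
    for finding in audit_exemptions(SAMPLE_URLS):
        print("exempted but tenant-controlled:", finding)
```

Removing the exemption only restores isolation coverage for those hosts; it does nothing about credentials a user types into the page.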
Overall Ineffective Against Phishing Attacks
Even if it is used without interruption, browser isolation is mostly ineffective against phishing attacks. Browser isolation logic relies on blocking cyber attacks by preventing malicious web code from running on the user’s device. However, most phishing attacks don’t run weaponized code, but rather steal credentials or other personal data inserted by unsuspecting users.
Phishing attacks rely on input actions by users on websites that seem legitimate. In fact, most browser-borne attacks today include a user interaction that the browser isolation cannot prevent. To put it plainly, phishing attacks don’t run code, so browser isolation is virtually useless against these attacks.
This is a major security gap as phishing attacks are a huge threat and growing more widespread every year. Research by the UK government found that of businesses that reported having cyber security breaches or attacks in the last year, 83% have been subject to phishing attacks. Ingenious phishing and malware attacks pose a serious threat that can cause organizations harm in many ways: financial losses, privacy leaks, data loss and more.
Redundant with Chrome’s Site Isolation
To top it all off, it turns out that browser isolation already exists as a security feature in Google Chrome. The feature, called Site Isolation, has been enabled by default in Chrome ever since its version 67 update in May 2018. It places pages from different websites into different processes, each running in a sandbox that limits what the process is allowed to do. This isolation is a specific type of client-side browser isolation that loads the webpages on a user device, but uses sandboxing to keep website code and content separate from the rest of the device.
The difference between the two mechanisms is that Site Isolation lacks the physical separation of harmful code from the device, while Remote Browser Isolation runs the website code on cloud infrastructure outside the user’s device. However, this difference is of little significance because attack vectors that are able to escape sandboxes and then attack the device are relatively rare.
Vulnerabilities that include sandbox escape are considered somewhat “high-level” attacks. They are rare, require complicated technological expertise, and are constantly sought after by security researchers. Google, for example, pays considerable sums of money to researchers who report such vulnerabilities to the company, as part of its bug bounty reward program.
All this is to say that these exploits are of such sophistication and ingenuity that they can probably surpass other conventional security features like Remote Browser Isolation as well. Put simply, standard RBIs probably won’t block them either.
Browser Isolation isn’t working: It’s time for a new era in Browser Security
Nowadays the browser is an extremely important and irreplaceable working tool. In the past, browser isolation answered a real need: protecting users from malicious code that lurks on the web. However, changes in the threat landscape, namely the rise of non-code-executing phishing and the advent of client-side site isolation, have rendered RBI ineffective and irrelevant. Isolation is like going swimming in an astronaut suit – not very helpful and very burdensome.
It is time for a holistic approach to browser security that can yield better results for users and for the organization’s cyber security needs. LayerX security provides the core positive elements that made RBI useful: real-time monitoring and governance over users’ interaction on the web and protection from malware. Most importantly though, it delivers real protection against browser-borne phishing attacks without interfering with the user’s experience.
A good solution for browser security has to allow users to use the browser seamlessly and enjoy its advantages in terms of productivity and efficiency. It should then build on the existing security features of the browser to give that crucial extra layer for blocking the most relevant attacks.