More and more security decision makers have come to realize that the browser is the ultimate frontline against multiple cyber threats. This insight has led them to add Browser Isolation solutions to their security stacks. However, we have lately witnessed an increasing trend of security professionals who are moving away from these solutions and towards Secure Browser extensions. These newer solutions are perceived as a better alternative for securing the browser attack surface.
In this article we’ll analyze this trend and try to explain the rationale behind this approach. First, we’ll review the different capabilities each approach offers. Then, we’ll show that a secure browser extension addresses a far wider range of web-borne threats. It enables the modern workforce to fully leverage their browsers’ productivity potential, while the browser isolation approach is far more limited in its risk coverage. Browser isolation also degrades the browsing user experience in a manner that makes it a mismatch for the modern browser-oriented work environment.
Let’s start with a short recap on what browser isolation is and how it works.
Browser Isolation 101: Airtight Protection Against Endpoint Threats
Browser isolation solutions provide a virtual environment for browsers to run in. This means that downloaded code isn’t permitted to run on the actual machine before the solution examines its behavior and ensures it is indeed benign. This approach is extremely effective in mitigating the impact of browser exploits and the download of malware files. Even if the exploitation was successful and the malware was downloaded, neither of them reaches the actual machine.
It’s easy to see that in terms of its direct value proposition, browser isolation is a natural progression of traditional endpoint protection. The concept of having a local sandbox, or even a purposely created virtual machine, for secure execution of exploit-prone processes has been implemented in various forms throughout the last decade. This has made the adoption of browser isolation a natural ‘defense-in-depth’ step for hardening the existing EDR/NGAV protection.
Today’s Workspace is No Longer the Endpoint But the Browser Itself
However, as time has passed, organizations have come to realize that this approach may not be good enough. This is due to two main reasons:
- Resource consumption: All sandbox solutions, including browser isolation, are notorious for greedy CPU consumption, which inevitably degrades the protected machine’s performance. In fact, this is the main reason this approach has been abandoned by leading endpoint protection vendors.
- Partial coverage: While browser isolation delivers sound protection against endpoint threats, it offers little to no protection against the wide landscape of web-borne risks.
Let’s elaborate on the topic some more.
Browser Isolation Struggles to Meet the Security and Productivity Challenges of the Modern Web-Based Enterprise
A decade ago, employees mostly worked with data files on the local host. But today, the browser has taken over as the predominant workspace in the enterprise environment. This change went hand in hand with modern browsers offering a wide range of security features, as well as an unwavering commitment to user experience. Deploying a browser isolation solution creates a load on the machine’s resources that directly leads to poorer browser performance. One of the essential rules of thumb is that any security control that gets in the way of employees doing their work will be disabled, sooner or later. This is what is happening to browser isolation solutions today.
Web-borne risks are any type of threat delivered by the browser: phishing and other types of malicious web pages, malicious access to SaaS applications via compromised credentials, and browser-based data leakage. However, browser isolation solutions have only partial and limited visibility into web pages’ content. Their visibility into SaaS apps is limited to basic discovery at the hostname level, with no insights into user identity or actual usage. In terms of monitoring the actual behavior of the web page itself, they have visibility only into the pre-rendered HTML code. And in terms of enforcement, browser isolation solutions lack configurable granularity. They are limited to crude controls, such as disabling a browsing event (paste or screen capture, for example) across every destination or app, which renders them ineffective due to the productivity disruption they entail.
The problem is that these web-borne risks are increasingly becoming a dominant part of the enterprise threat landscape. And while browser isolation solutions might excel against malware exploits, they offer little against a wide range of attacks that organizations no longer can afford to ignore.
As opposed to these solutions, the secure browser extension approach addresses these threats fully. Let’s understand why that is:
Secure Browser Extension 101: Deep Session Inspection of Every Browsing Event
Secure browser extensions are installed on top of a commercial browser, like any other extension. From their browser location, they have granular visibility and control of every event within the browsing session. This enables them to provide continuous monitoring, risk analysis, and policy enforcement throughout the web session, based on the behavior of both the user and the visited web page.
This approach is extremely effective in preventing web-borne threats in the following manner:
Secure Browser Extension vs. Phishing and Other Malicious Web Pages
Secure browser extensions have visibility into the actual rendered web page as it gradually builds within the browser. Armed with that visibility, they can detect early signs of phishing, malware downloading, and malicious data capture. Upon detection of these signs, the secure browser extension can either terminate the session altogether or disable the risk within the page itself.
Secure Browser Extension vs. Malicious Access to SaaS and Web Apps
In the same manner that a secure browser extension has visibility into the web page, it also has visibility into the user and their activity. With that visibility, it can continuously monitor the user’s behavior in SaaS apps, profile their baseline behavior, detect whenever there’s a deviation from this behavior that may imply an account takeover, and, upon such detection, block the user from accessing the app.
Secure Browser Extension vs. Browser-Based Data Leakage
The visibility of the secure browser extension into every browsing event makes it extremely effective against data leakage. Actions such as ‘share’, ‘download’, or ‘screen capture’ can be limited or banned. In a similar manner, pasting or typing sensitive information into GenAI tools, such as ChatGPT, can be easily controlled and prevented.
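The per-destination control described above, sketched as an added example (not code from this article or from any product): a decision function an extension could call when a paste or download event fires. The rule format, the label names and the `crm.example` host are assumptions made for illustration.

```javascript
"use strict";
// Added example: rule format, labels and function names are hypothetical.

// Luhn check so arbitrary digit runs are not labelled as card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Label the text carried by a paste/type event.
function classify(text) {
  const labels = new Set();
  if (/\bAKIA[0-9A-Z]{16}\b/.test(text)) labels.add("cloud_key");
  if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(text)) labels.add("private_key");
  for (const m of text.matchAll(/\b(?:\d[ -]?){13,19}\b/g)) {
    if (luhnValid(m[0].replace(/\D/g, ""))) labels.add("card_number");
  }
  return labels;
}

// "*.crm.example" matches subdomains only, so "evilcrm.example" does not match.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Constructed policy: first matching rule wins, default is allow.
const POLICY = [
  { event: "paste", host: "chatgpt.com", labels: ["cloud_key", "private_key", "card_number"], action: "block" },
  { event: "download", host: "*.crm.example", labels: [], action: "warn" },
];

function decide(policy, ev) {
  const found = classify(ev.text || "");
  for (const rule of policy) {
    if (rule.event !== ev.event || !hostMatches(rule.host, ev.host.toLowerCase())) continue;
    const hit = rule.labels.filter((l) => found.has(l));
    // An empty label list means the rule applies regardless of content.
    if (rule.labels.length === 0 || hit.length > 0) return { action: rule.action, reasons: hit };
  }
  return { action: "allow", reasons: [] };
}
```

The crude control discussed earlier corresponds to a single rule with host `"*"` and an empty label list, which blocks the event everywhere regardless of content.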
The Rationale: Protect the Exposed Browser Attack Surface Rather than Hardening the Existing Endpoint Protection
It’s easy to understand the reasoning behind the shift from browser isolation to secure browser extensions. Most organizations will not install more than one security solution on their browsers. When choosing the solution, it makes more sense to choose one that addresses a wide array of currently unattended threats, rather than adding another endpoint protection layer.
It’s true that secure browser extensions offer less protection against zero-day exploits compared to browser isolation tools. However, it should be noted that these exploits are becoming a rather uncommon phenomenon. Even when they occur, they are, after all, fairly well covered by today’s EDR/NGAV solutions. It all boils down to choosing between a solution for an existing gap and an additional precaution against a threat that is already mostly covered. It is really a no-brainer.