The idea to build a browser security platform has been on my mind for several years. In the last decade, I have seen and experienced the browser security world from both sides of the barricade. First, during my service as an information warfare specialist in the IDF Intelligence directorate, and then in my career as a security researcher. It was always clear to me that the browser is the main gateway to the world, which means it is where the biggest risks reside.
Ever since the early days of the commercial web, security vendors perceived web access as a network security challenge. They “forced” one of two alternative security solutions upon it: network security tools (SSEs, Firewalls, Secure Web Gateways, and any form of DNS level security) and browser isolations, a niche solution that sandboxes websites rendering. The first solution goes as far as labeling URLs/Hostnames as “good” or “bad”, while the latter only sandboxes web code, rather than securing from all relevant web threats and risks.
As a young practitioner this was disturbing to me. No solution was able to provide the much needed insights into user interaction over the web and into data movements in and out of the browser. Most web attacks (like malware distribution and phishing) involve human actions. Yet none of the existing solutions was effective against them.
To better understand this, let’s get inside the head of the bad guys. Waldo, a hypothetical threat actor, wants to hack an average network of an average organization with an average security program (AKA EDR + SSE + email security solutions). To get inside the system, he needs initial access (thanks for ATT&CK, MITRE!). Exploiting applications and public facing servers isn’t an easy task, physical compromise isn’t a realistic option for most attackers, and supply chain compromise is above Waldo’s paygrade. Waldo’s most obvious choice would be to aim for the human factor with a phishing site or a web-borne drive-by malware. Statistics show that at least 3% of employees will click on any link, hand over credentials or download any file. It’s simply a numbers game.
All that Waldo needs now is to set up some simple landing pages on a seemingly-trusted URL and send them to the victim by email or through any one of the plentiful collaboration and messaging platforms out there. What is a trusted URL? A web address that network security tools won’t mark as suspicious; or in other words – an address that seems like any other address. Waldo only needs to build his landing pages on known hostnames, and his task is much easier. With plenty of SaaS applications, cloud service providers and sites hostnames sold on the dark web, Waldo now has near endless high reputation hostnames to use in his attacks.
Time after time during my professional career I have seen annoyingly simple attacks using this approach and going undetected. Attackers easily find reliable and trusted hosting platforms for their attacks by using compromised sites, SaaS applications and cloud service providers. Statistics show that up to 80% of attacks are now arriving from high reputation websites! I have extensively researched these attack patterns and found out an alarming figure – the chances of a network security tool catching quality web borne threats in zero hour is almost nonexistent.
Our ‘Aha!’ Moment: Risks are More Than Threats
When David Vaisbrud (LayerX’s Co-Founder & CTO with whom I worked closely during my military service) and I started researching the browser security domain, we realized that the reason network security tools fail to address browsing risks is technical, resource-intensive and functional.
When network security tools attempt to analyze what is happening inside a web session, they have to decide whether to terminate its encryption based on the URL alone and its emulation. This process degrades the user experience, since it slows down connectivity speed. Emulating all web traffic also takes up tremendous network resources from the security vendors. These resource heavy termination, emulation and analysis costs only increase over time, as the web becomes more and more complex. The traditional vendors are hence becoming increasingly challenged in their attempts to secure web access.
But these activities don’t even ensure security. In modern web apps, the URL doesn’t provide too much information about the site’s content. As more and more businesses migrate to the cloud, the web and the complexity of modern web apps is intensified, which makes network security tools unfit to analyze modern browsing content.
At that point we reached this moment:
The limitations in detecting browser threats are also valid for anything browsable! Network security tools are just the wrong tool for analyzing data security and risks in SaaS applications, dynamic web apps, browser extensions and anything cloud related. It is as effective as trying to eat soup with a fork …
It is time for a security solution that protects the organization from browser risks
Given that the browser is the number one productivity platform of the modern workforce and presents a wide range of security risks, a modern security solution has to address the browser itself. It has to be a solution that is deployed at the edge, beyond the end-to-end encryption. This deployment method is the only way to provide deep session visibility, as the only means of in-depth data and identity analysis, without breaking the user experience.
There are two ways to provide this client-side deployment: a new and customized “enterprise” browser (either Chromium or Firefox-based) or by using an enterprise browser extension.
When considering those two alternatives, their pros and cons and the way organizations would use them, we came to the conclusion that the extension approach is by-far more effective and functional for the modern enterprise. After talking to countless CISOs, we realized that the built-in capabilities of commercial browsers, such as cross-device syncing, ease-of-use and web compatibility, are the top criteria for browser choice. In other words, CISOs were telling us “We would like a solution that adapts itself to the way we work, instead of having to change the way we work to fit the solution”.
The idea of replacing the browser is fundamentally counterproductive and not security-oriented. It’s similar to fighting car accidents by focusing on the car alone: The best way to reduce the number of car accidents isn’t to replace all the vehicles but to provide drivers with tools and monitoring that keeps them out of trouble. When the security vendor asks the customer to change in order to consume it, the security stops being a business enabler. It is just a no-go in today’s productivity oriented world.
A User-First Security Solution
“Be user-first” became our product mantra when building LayerX. We aspired to build the easiest to use security solution, while bringing as much value as possible, without friction, to both users and security practitioners.
With an enterprise browser extension and integrations to browser management tools and identity providers, we built something truly extraordinary. Our platform provides the deepest visibility into every browsing session, granular controls over web session behavior and user actions, and countless security features deployed at the browser level. With a novel parallel AI engine working both at the edge and at the backend and the highest security resolution possible, LayerX aspires to unlock the full potential of the browser for both users and the enterprise security program.
LayerX: for Both Security and Productivity
The benefits for enterprises using LayerX are countless. LayerX increases the prevention rate vs. web borne attacks to 99% of all zero hour attacks, eliminates browser blind spots, addresses data security risks when using unsanctioned SaaS applications and unmanaged devices, increases the user privacy by conducting all analysis inside the browser, and provides browser security without the need for a networking solution.
LayerX is a zero trust swiss knife that enforces who gets access to where by being a silent authentication factor, prevents rogue access to resources, monitors all user actions within applications, and customizes the browser to secure the applications it consumes. In other words, users are getting superior security from anywhere, on managed and unmanaged devices, while keeping the best privacy settings possible. This browser-centric zero trust approach is a revolution that brings simplicity and security to any application user.
Looking into the future, we see a fascinating world emerging, where security is changing rapidly for cloud centric organizations. We believe that network security tools will soon stop being a leading browsing security tool, and turn into a niche product for network segmentation instead. Endpoint security tools will adapt to the more applicative world . To address modern threats, enterprise security programs will include modern solutions such as SaaS security and browser security. In this new world, LayerX will become a leading platform for security teams.
As browser usage is growing (and in many cases becoming more important than the operating system itself), more and more browser security use cases will emerge. LayerX is here to address each and every one of them. We are truly excited and looking forward to revolutionizing security for our users: turning the browser into the greatest enterprise security asset, enabling cloud adoption, blocking the minimum required for addressing security while allowing the most flexibility for users. A solution that achieves those objectives will become the number one browser security platform.