It’s no secret that the way we work has fundamentally changed over the past five years. Most work – whether it’s communicating with customers or fulfilling procurement requests – is conducted in the browser. In fact, according to Forrester, enterprise employees spend 75% of their device time in the web browser.
Threat actors know this of course and are increasingly seeking out and exploiting blindspots in browser security. These Highly Evasive and Adaptive Threats (HEAT) are specifically designed to avoid detection by traditional security solutions, gain an initial foothold on the end device, spread to the network in search of an enticing target and deliver their payload when the time is right. From there, they can take control of business systems, hold them for ransom and/or exfiltrate valuable data.
Organizations need to close this critical blind spot and deliver better browser security that can stop these attacks before they make that initial breach.
Existing security tools are blind to HEAT attacks because they continue to rely on a detect and respond approach and are unable to monitor certain browser behaviors that take place on the Internet outside the enterprise network. Detection capabilities are only successful against attacks that carry a familiar threat signature to previously known attacks that target network communications and other enterprise-level functions. However, as threats gain initial access on the end device through the browser, a lack of visibility into browser behavior makes it extremely difficult to detect threats in time before they deliver their payload.
Even the best, most up to date threat intelligence is no match for a new attack created and spun up by today’s Ransomware as a Service (RaaS) supply chain. As a result, many organizations have deployed Zero Trust security strategies that operate on the assumption that all content is potentially bad or untrustworthy. This forces browsers to treat everything as a threat and require constant authentication for every browser engagement. While a solid strategy in theory, today’s existing security stacks weren’t designed for this level and scale of authentication – creating complexity that slows performance, makes the Internet not work as intended and inhibits productivity of the modern, hybrid worker.
Organizations looking to enable their Zero Trust strategies need a browser security solution that can protect users from advanced phishing and malware attacks on a global scale without disrupting regular business operations. This ensures that organizations’ browser security solutions fall within their Zero Trust framework while never blindly trusting content from browsers.
But not all browser security solutions are created equal. Here are five things to consider when evaluating solutions:
You need to make sure your security solution can protect users from zero-hour phishing attacks and ransomware by providing adequate controls into how users interact on the Internet. This includes in-line browser security that includes dynamic policy enforcement that can proactively stop users from entering their credentials into a false web form.
Ensure that your browser security solution actually provides visibility into browser signals and behavior. This helps identify suspicious behavior and create robust threat intelligence that can speed and enhance incident response. As modern threats continue to operate at the speed of business, this critical context into the threat chain and how attacks behave in the browser allows security teams to act quickly before threats are able to deliver their payload.
Any degradation in performance or change in regular workflows give users incentive to find ways around your security controls. Employees are measured on their productivity, and it’s IT’s job to keep them safe without impacting their ability to get their job done. It’s important to ensure your security strategies don’t interrupt productivity and allow the Internet – where most work is done today – to continue to act like the Internet. This includes copy, paste and print functions while allowing video streaming and other interactive features.
Effective browser security should have no bounds and protect users wherever business takes them. This includes hybrid workforces that move between offices, their home, customer locations and partner sites. Make sure your security solution is delivered through the ubiquitous cloud where you can apply application- and geographic- aware policies at scale across any device without limiting scope or productivity.
It’s also important to ensure your browser security solution is compatible with any browser your users rely on – including popular browsers such as Chrome, Firefox, Edge, Safari and their mobile versions. Nothing is worse than asking your users to use a specific browser that they aren't accustomed to using. This just invites workarounds and other rogue IT attempts that put them, the organization, partners and customers at more risk.
Threat actors are increasingly targeting the browser as a way to gain an initial access to an end device and eventually the corporate network. However, blind spots in browser security are preventing security teams from implementing Zero Trust strategies that adequately protect users from these HEAT attacks. Organizations need new browser security solutions that protect users from modern attacks, provide visibility into the browser, preserve the native user experience, scale globally and ensure compatibility with today’s most popular browsers. As browsers continue to grab a bigger role in enterprise productivity, organizations need to plug this hole and better protect users.