Users are trusting by nature. They assume that if they are able to access a site or application on the Internet, it must be safe. If it wasn’t, the conventional wisdom goes, IT would simply block the malicious content. Unfortunately, we know that is not the case. Today’s cyberattacks use highly evasive and adaptive techniques to get around traditional security controls. The only thing standing in their way is users’ common sense. And, we also know that relying exclusively on users’ ability to detect suspicious activity is a recipe for disaster.
It is up to the cybersecurity team to make sure users are safe wherever, whenever and however they access the Internet. And this needs to occur at the point of first access: the web browser. However, traditional security solutions weren’t designed with modern browsers in mind. As a result, the browser represents the biggest and most dangerous gap in enterprise security today.
We live and work in an entirely different threat landscape than when web browsers were designed and built decades ago. As a result of digital transformation, cloud migrations and hybrid workforces, most work is conducted through the browser by users spread across a wide geographic area. Each time a user accesses a website or web application or logs into a Software as a Service (SaaS) platform, this represents an opportunity for a threat actor to gain access to the endpoint and eventually breach the enterprise network.
Unfortunately, traditional security solutions continue to focus on yesterday’s threat landscape when users were mostly consolidated behind a robust firewall. These solutions center around network and email security – which remain important, of course – but fail to address today’s most common threat target: the browser. Threat actors have become increasingly sophisticated in their ability to evade detection and adapt on the fly to get around organizations’ threat intelligence. Browser security remains an afterthought, creating a major security gap for today’s enterprise.
Organizations need to implement a new cybersecurity strategy focused around gaining visibility into and control over the browser. This can empower organizations to stop threats before they make initial access with the endpoint – preventing, rather than detecting and responding to dangerous threats.
However, browser security isn’t something you can just turn on and immediately gain visibility and control over your users’ web activity. Here are five key characteristics to consider when implementing a browser security strategy:
Today’s highly evasive threats are specifically designed to get around commonly deployed security solutions. The aim is to gain initial access to the endpoint through the browser, lie in wait and spread throughout the network in search of more valuable targets. Detection often occurs weeks or months after the initial breach, and, by then, it is already too late. An effective browser security strategy layers cloud-based prevention on top of detection, stopping threats in the cloud, before they require detection. This can reduce the volume of security alerts that your analyst team has to investigate.
Today’s threat actors think differently than their predecessors, so you too must think differently if you want to prevent them from compromising your systems. Don’t be constrained by what was possible or impossible in the past. Look to extend your protection to places and areas previously thought impossible. Many highly evasive attacks use techniques and behaviors that are not overtly malicious, but can be used for nefarious purposes – such as requesting credentials in a web form, downloading a password-protected file or rendering an ad on a trusted website. These malware-free threats are impossible to detect, so think creatively about how visibility into and control over the browser can stop these attacks from happening in the first place.
Users are trusting, they’re creatures of habit and they’re under immense pressure to perform. They will find workarounds around security controls that interfere with them doing their job. They’ll switch to personal devices, open incognito tabs, share passwords and use unauthorized applications to render your security controls useless. You can prevent this by making it as easy as possible for them to do their jobs securely without any impact on existing workflows. No new browsers to learn. No limits in functionality like copy, paste and print. No pixelated screens or performance lag. You need to implement browser security without changing the way your users currently work.
Along those same lines, you can’t limit how users work on the Internet. People tend to use the device that is most convenient, at that moment, whether it’s secured or not. So… just make sure every device and every browser is secured. This includes mobile devices, personal devices and public devices. You need to have visibility into and control over any and every browser your users may possibly use to access corporate information.
While you shouldn’t rely exclusively on users to identify potentially malicious behavior on the Internet, they are an important part of a layered cybersecurity strategy. Threat actors target browser vulnerabilities, so it’s important for users to patch and update the browser and ensure settings are set with the right blend of performance, convenience and security. Regularly educate users on emerging threats and the techniques those threats use so that users can be extra vigilant. With users on the front lines and security teams in the background working together, organizations can ensure that HEAT attacks are stopped before they make that initial breach.
The browser is the most commonly attacked threat vector today, but most organizations continue to rely on security strategies that focus almost exclusively on email and the network. Security teams need better visibility into and control over browsers in order to stop today’s highly evasive threats. This requires layering prevention on top of detection, focusing on gaining visibility into areas that previously couldn’t be monitored, preventing the desire to create workarounds, coverage that extends to any browser and device and ongoing education of users who can act as the first line of defense.