We’re all familiar with Sir Arthur Conan Doyle’s legendary detective. Sherlock Holmes solved the most confounding of mysteries based on little more than his own observation and reasoning.
Like Holmes, cybersecurity professionals are tasked with investigating incidents based on clues they can observe and analyze — in their case, via a stack of non-interconnected security tools. But their powers of observation can do little to unravel many of today’s phishing campaigns, internal exploits and other cyberattacks. Why? Because despite the wealth of visibility that security teams have into the network, SaaS apps, endpoints, and websites in general, they have limited visibility into the place where most modern attacks originate: the browser.
You cannot analyze what you cannot see
Before the days of digital transformation and the move to SaaS apps, most potentially dangerous activities occurred inside the network or on the endpoint itself. Today, however, as applications move to the cloud and are increasingly accessible by the browser, the threats have moved with them.
According to DemandSage, in 2023 the average organization used 371 SaaS applications, and SaaS spending is expected to grow by 20% in 2024. By 2030, enterprise browsers will be the core platform for delivering workforce productivity and security software on managed and unmanaged devices.
With only limited visibility into browsing sessions, security professionals and incident responders are blind to the very place where attacks are likely to begin. As Sherlock would say, “The game’s afoot!”
Why is browser visibility such an issue?
Bad actors are targeting the browser for exactly the reason you might expect – it has become the route of least resistance. As the use of the browser to access everything from apps to email has grown, so too have the Common Vulnerabilities and Exposures (CVEs) associated with it. Chrome has seen 40 CVEs so far in 2024 alone, while Microsoft Edge has 35.
Far from being a damning statistic about these browsers, these CVEs actually reflect their enormous popularity and widespread use. It is important to realize, however, that in the same period the number of browser-based exploits has risen by 56%. The need to protect the browser and treat it like the enterprise asset that it is has become clear.
Some organizations would have you believe that the best solution is to force a replacement browser for enterprise use, but the end-user response to such an edict is thorny. This is, in part, because enterprise users have been using a browser since they were old enough to reach a keyboard, and they naturally have preferences.
According to Browserstack.com, “While technology is rapidly developing, humans are not. Significant numbers of individuals are resistant to change, or, more specifically, ‘avoid upgrading their technology.’” And, as events have shown us repeatedly, introducing a technology that users will resist is often futile (despite what Star Trek might tell you).
An innovative approach to browser visibility
The better approach is to make every browser a Secure Enterprise Browser. Our solution is based on the Menlo Secure Cloud Browser, a unique platform featuring Adaptive Clientless Rendering. Surprisingly, Menlo can perform better than local browsing due to the nature of hybrid rendering and the content delivery performance of the Menlo Cloud.
Menlo does real-time analysis via the cloud, using computer vision and artificial intelligence on web content to see and stop attacks that others let through. The result is largely transparent to users, but the security outcomes are obvious to enterprises. Another benefit is the ability to provide vital information that you can use to answer security or investigative questions conclusively, without guesswork.
What are you missing?
Because most enterprises have limited visibility into their users’ browsers, cloud-delivered content often becomes the weakest link in the cyber kill chain. Browser-based phishing attacks are a good example of this weakness.
Phishing is often used to establish a beachhead in a company, and it can be very difficult to detect. Investigations into what occurred during a phishing attack often involve tediously correlating information from other tools, or even user interviews in which people are asked about links they may have clicked on days or even weeks in the past. Results are generally inconclusive at best. Meanwhile, incident response and security teams are left with nothing to work from, since phishing sites typically have life spans measured in hours or days.
What is this costing you?
The entire experience of investigating a threat is extremely costly, and not always for the reasons that you might expect. Every investigation requires time and focus from an already over-subscribed security team. Throughout the process, the team remains unsure as to what, if anything, has been exposed, which means that they have no idea how to proceed. Every moment that it takes to find the problem and resolve it is another moment that the enterprise as a whole is exposed.
While this frustrating and expensive scenario has been around for years, there is now a new twist – the new SEC 8-K filing rule, which went into effect in the US in December 2023 and requires companies to file a report within 4 days of a material breach. This mirrors other such requirements in Europe and elsewhere and raises the stakes for organizations, their customers and their shareholders.
Nothing compares to first-hand evidence
The Menlo Secure Cloud Browser itself surfaces a wealth of information via the Insights section of the dashboard, which comes pre-loaded with over 60 of the most common queries; queries can also be custom configured as required. Alerts on the Insights Dashboard are categorized and color-coded to show information classified as risky, isolated, and informational, making it easy for security and IT teams to get the information and context they need at a glance.
Menlo Browsing Forensics takes things a step further, replacing the miserable work of deciphering packet captures and endpoint logs with forensically accurate recordings that provide the missing link for conclusive investigations and clear next steps.
Menlo Browsing Forensics captures user activities, including screenshots, user input, and page resources, in policy-specified user sessions. If the security team gets an alert, it can quickly click into an actual session capture to see exactly what happened. Browsing Forensics dramatically reduces exposure time and provides resolutions that are unambiguous.
Another important element of Browsing Forensics is that page resources are captured as well, so threat hunters can finally look at the hacker’s latest techniques. That’s a key advantage because, according to the Verizon 2024 Data Breach Investigations Report, “Financially motivated threat actors will typically stick to the attack techniques that will give them the most return on investment.” This means that if you see an attack once, you’re likely to see a version of it again.
Browsing Forensics allows security and IT teams to track how attacks happen. This helps them educate users better and improve policies to close any gaps that attackers might exploit. The content of these session captures is sensitive and private, so Menlo does not retain or even view them – captured packages are immediately sent to a customer’s choice of cloud storage.
Browsing Forensics is highly effective across a wide variety of use cases, including:
- Detecting internal threats
- Securing applications, particularly for partners, contractors, or other third parties using their own devices
- Providing actual evidence of compliance
- Giving threat hunters the information they need to be proactive
- Investigating security events, such as the phishing scenario outlined above
With Browsing Forensics, even Doctor Watson could solve some of the most mysterious cases. That’s because he would be presented with actual evidence rather than just clues and inferences. Moriarty wouldn’t stand a chance.
To learn more, check out Menlo Browsing Forensics.