
Considerations on Closing the Browser Security Gap

October 16, 2025

Here’s the bad news first: The Browser Security Gap is real, it’s growing, and it’s dangerous. Despite defense-in-depth strategies, phishing and ransomware attacks continue to skyrocket. Post-breach detect and respond methods, by definition, fail in the face of zero-day phishing attacks. That’s a big problem, because 80% of all phishing attacks are now zero-day, and are signature-defeating. 

These are known as HEAT attacks. HEAT stands for Highly Evasive, Adaptive Threats. Unfortunately, browsers and the web traffic they handle lend themselves to both evasive and adaptive attacks.

Now the good news: Browser Security is not an unsolved problem.

This article is the first in a series covering the considerations you and your stakeholders need to weigh in the process of closing the browser security gap. We’ll be talking about:

  • Architecture
  • Browser choice and its implications
  • The increasing criticality of GenAI security
  • Secure App Access and VDI reduction
  • Cloud-based Browser Security versus legacy RBI

In this first installment, we’ll tackle architecture. Let’s take a closer look at the battlefield first.

HEAT ATTACKS

Highly evasive and adaptive threats (HEAT) are a type of cybersecurity threat that often exhibits sophisticated techniques like dynamic behavior, fileless attacks and delayed execution to avoid detection and evade traditional security measures. These threats are designed to fly under the radar and can be particularly challenging for security professionals to identify and mitigate.

Consider the HTML Smuggling HEAT attack, enabled by the very HTTP mechanisms that optimize file transfer: chunked transfer encoding (streaming), range requests (partial content) and automatic downloads. Threat actors embed malware in these files. Then, active code like JavaScript can detect the download and invoke the malware. HTML Smuggling defeats network-based detection because, due to their architecture, network sensors generally cannot see the entire content of files transferred via HTML. Endpoint detection is defeated as well if the malicious JavaScript can activate the malware before an AV scan can see it. Mitre has a great, more technical discussion of this here.
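The detection side of the HTML Smuggling paragraph above, as an added example that is not part of this article or of Menlo's product: a heuristic scanner that scores a page on the client-side download indicators the technique relies on, run over a constructed sample page (the embedded base64 is harmless text), plus a simulation of why a sensor that only sees one transfer chunk at a time scores lower than one that sees the whole document.

```python
import base64
import re

# Constructed sample (assumption: not from the article). The base64 blob is
# a harmless text string standing in for the shape of an embedded payload.
_PAYLOAD_B64 = base64.b64encode(b"harmless constructed test string, not malware").decode()

SMUGGLING_HTML = f"""<html><body><p>Your invoice is being prepared...</p>
<script>
  var data = "{_PAYLOAD_B64}";
  var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.iso";
  a.click();
</script></body></html>"""

# Constructed benign page: a plain server-hosted download link, no client-side assembly.
BENIGN_HTML = "<html><body><a href='/report.pdf' download>Quarterly report</a></body></html>"

# Each indicator is named so an alert can explain why a page was flagged.
INDICATORS = [
    ("blob_constructor", re.compile(r"new\s+Blob\s*\(")),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(")),
    ("base64_decode", re.compile(r"\batob\s*\(")),
    ("forced_download", re.compile(r"\.download\s*=|\bmsSaveOrOpenBlob\b")),
    ("auto_click", re.compile(r"\.click\s*\(\s*\)")),
    ("long_b64_literal", re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]")),
]


def scan_html(html: str, threshold: int = 3) -> dict:
    """Score a complete page body; a surrogate browser in the cloud has the
    full document, which is what makes this check possible."""
    hits = [name for name, rx in INDICATORS if rx.search(html)]
    return {"indicators": hits, "score": len(hits), "suspicious": len(hits) >= threshold}


def best_chunk_score(html: str, chunk_size: int) -> int:
    """Simulate a network sensor that inspects each transfer chunk in isolation:
    indicators split across chunk boundaries are never seen together."""
    chunks = [html[i:i + chunk_size] for i in range(0, len(html), chunk_size)]
    return max(scan_html(chunk)["score"] for chunk in chunks)


if __name__ == "__main__":
    print(scan_html(SMUGGLING_HTML))
    print(scan_html(BENIGN_HTML))
    print("best single-chunk score:", best_chunk_score(SMUGGLING_HTML, 80))
```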

Now consider the AI-driven escalation in phishing attacks: It used to be easy to pick out a phishing email, based on typos, grammar mistakes or distrust of a sender the recipient doesn’t know. Those days are gone, because attackers are taking full advantage of GenAI’s capabilities to smooth grammar and writing. Even a poorly written phishing campaign used to take time to execute; with GenAI, attackers can iterate on attacks in minutes.

Finally, one of the newer exploits (that unfortunately is very much in the news right now) is voice-phishing, or vishing. There are countless, endlessly mutating vishing flows that threat actors use. 

Here’s one trivial, simple example:

  1. I am watching a streaming service on my laptop.
  2. A threat actor starts the same streaming service on their computer.
  3. The threat actor has done their homework and knows enough about me to make me think they work for my ISP. The threat actor says to me “we need to test your service for you. Please go to service/device_auth and send me the code on your screen”
  4. The threat actor is now using my login for their streaming service.

This specific attack is painful for the consumer alone, but the same attack principles can be and are used for much higher stakes and grimmer consequences. Salesforce.com is currently wrestling with an extortion demand for the return of 1 billion records, belonging to dozens of customers, stolen through a vishing attack.

Now, let’s consider how the architecture of your browser security solution can help or hinder your ability to mitigate these kinds of threats.

Architectural Choice

Putting it in the simplest terms, Browser Security occurs in one of two places:

  1. At the endpoint. Typically, this will be executed through a browser plugin, or by replacing the mainstream browsers in your organization with a replacement browser like Island, or Palo Alto’s Prisma Browser.
  2. In the cloud. Menlo Security’s solution isolates browsing sessions in the cloud, regardless of the user’s browser, endpoint or location.

Replacement Browsers Deliver A False Sense of Security

Don’t be drawn in by the potential simplicity of an enterprise browser. Architecturally, they leave your organization exposed in a number of ways, notably:

  1. Browsers themselves are uniquely vulnerable to zero-day phishing and malware attacks, and that vulnerability persists when an organization replaces their mainstream browsers like Chrome or Edge with a replacement browser. The holes are still there. Replacement browsers are built from Chromium, the engine that runs Chrome and Edge. This means that all of the Common Vulnerabilities and Exposures (CVEs) that are present in Chrome and Chromium are present in any Chromium-based browser. In fact, a strong case can be made that replacing Chrome with another Chromium-based browser (like Island) increases, rather than decreases, the risk. The Chrome team has thousands of engineers poring over code and patching CVEs as quickly as possible. Replacement browser vendors simply can’t match that resource commitment. Their patches will always lag, and that lag time means more exposure for the customer.
  2. There is also the massive gap created by unmanaged endpoints. Placing a managed browser application on an unmanaged and potentially compromised endpoint only conjures up a new threat vector, where a privileged attack can steal session tokens or dump the browser’s memory, with severe consequences.

In contrast, the centralization of a cloud-based browser security architecture allows it to mitigate the kinds of zero-day threats that replacement browsers and browser plugins are blind to:

  • Chrome and Chromium CVEs are patched in the cloud, shielding all exposed browsers on managed and unmanaged endpoints from exposure, even if the browsers on the devices haven't been updated. Why? All browser traffic is sanitized in the Menlo Secure Cloud via the surrogate browser instance, shielding the endpoint from vulnerability.
  • In the cloud, defense can be pre-emptive. How? In the cloud, a surrogate browser intercepts user traffic and prevents threats from reaching the endpoint. Without the cloud, threats are executed on the endpoint.
  • In the cloud, services like data loss prevention occur before sensitive data is physically on the endpoint. Endpoint security solutions are a weak link in the chain. They are only as strong as the user’s training and behavior, and relying on 100% policy compliance and flawless judgement from your users is simply not a viable strategy.
  • In the cloud, data is centralized. Logs of millions of browser sessions can feed machine-learning security.

Can AI Help?

In the cloud, yes. AI can be properly leveraged to identify and neutralize zero-day threats, which is still a pipe dream for replacement browser solutions.

First, take a look at this report to learn how the bad guys are using AI for nefarious purposes, such as AI-customized phishing/spear phishing/whaling attacks. 

Menlo developed a range of machine-learning-based algorithms to detect fraudulent sites, including:

  • Logo detection (Menlo customers can submit a high-resolution version of their logo to add to the Menlo logo database used for fraudulent site detection)
  • Page structure (with understanding of every page’s Document Object Model) 
  • Input fields
  • Analysis of the full URL path

Our partnership with Google continues to bear fruit in this area: Menlo Heat Shield AI now leverages Google Vertex platform with Gemini models to greatly strengthen detection of fraudulent phishing sites.

Fork In The Road

As we’ve discussed here, the fundamental architecture choice between cloud-based and endpoint-based browser security has a massive impact on the ability of your organization to defend itself from the exponential spread of HEAT attacks. But as we laid out at the beginning of this article, that’s not the only dimension of this question. In the next installments, we’ll address the importance of maintaining browser choice and what that means for your ability to deliver Gen-AI capabilities to your business and your users.

Menlo Security
