Extending Zero Trust to the Internet browser

The latest security vulnerability of the distributed enterprise

The public Internet is a significant source of cyber risk to an organization. Employees using the Internet for work or personal use risk exposure to phishing and malware attacks, which use social engineering techniques and exploitation of browser vulnerabilities to steal sensitive information or execute malicious code on an employee’s machine.

Regardless of their tactics, most of these attacks have the same goal: access to the organization’s private network. .

A variety of factors — many stemming from the Covid-19 pandemic — have caused spikes in browser-based threats and led to increased vulnerability of those threats to the organization. These factors include:

• Attackers using pandemic-induced confusion to spur malware downloads

• Remote work blurring the lines between personal and professional Internet usage

• Remote work forcing employees to use unprotected or weakly protected personal devices

• Employees accessing a higher proportion of applications and data over the public Internet, rather than via a private corporate network

• Cobbled-together remote access tools giving compromised devices carte blanche access to corporate networks.

No longer does the traditional corporate perimeter’s security protections encompass how business is done today; within the Internet browser.

Browser-based attack patterns are evolving

The Internet has always been a source of cyber risk. However, over time, attack patterns have evolved, especially in the wake of COVID-19 and the resulting surge in remote work.

Phishing attempts are spiking

One of the most recent widespread changes in the cyber threat landscape is a rise in phishing attacks. 42% of small organizations and 61% of large organizations experienced an increase in phishing attacks during shelter-in-place. According to the FBI Internet Crime Complaint Center (IC3), phishing was the most common type of crime reported as remote work spiked, and the center received twice as many complaints as the previous year.

Phishing attacks are common because they are effective at stealing credentials. They work best in an environment of uncertainty where people looking for information are more likely to fall for scams, like in the case of the 2018 Winter Olympics. The COVID-19 pandemic creates an ideal phishing environment as people search for virus-related news and information.

Ransomware is surging

Malware is malicious software that infects computers, other Internet-connected devices, and even, entire networks. Once on a target device or network, malware can achieve a variety of different goals, ranging from data theft to ransomware attacks.

Malware is a broad category and various forms of malware rise and fall in popularity over time. But the overall threat will always persist. For example, ransomware tends to trade-off with cryptojacking malware as a dominant attack vector for cybercriminals. In 2020, ransomware attacks grew by 465% as cybercriminals took advantage of the pandemic.

Malware is often delivered via phishing or compromised remote access solutions, but it can also be built into an overtly malicious website — or even into a site that has been compromised without its owner’s knowledge. For this reason, organizations must be prepared to defend against malware delivered through the Internet browser.

Traditional security controls miss novel attacks

Secure web gateway (SWG) and web proxy services are common solutions to the cyber risks of Internet browsing for remote devices. Traffic is routed through these solutions, which monitor and filter it to block attempted visits to suspicious or malicious sites. This prevents malicious content from reaching the employee’s device.

SWGs and web proxies commonly consume threat intelligence that identifies known threats or sites that violate policies defined by administrators. However, they are not a perfect solution. The Internet threat landscape is constantly evolving as attackers set up new websites to support new campaigns or rebrand their existing sites.

This means that organizations often face zero-day and unknown threats, which SWGs are not effective at detecting. Administrators need additional ways to block threats they aren’t yet aware of.

The adoption of browser isolation

The limitations of SWGs and web proxies mean that it is infeasible to blocklist every potential threat on the Internet. Without the ability to prevent all attacks, the next best solution is to minimize the potential risk that these attacks pose to the organization.

Browser isolation has gained some popularity for isolating the users’ browsing session from their device — instead of taking place in sealed containers, often in the cloud, which is automatically destroyed when the session ends. The results of which mean that even successful attacks by unknown and undetected threats are prevented from actually affecting the targeted device.

However, browser isolation has faced a unique set of challenges limiting adoption. Until very recently, all browser isolation tools used one of the following flawed methods:

• Pixel-based streaming: In this method, browsing activity takes place in a cloud server, and a feed of said activity is streamed as pixels to the user’s device. Unfortunately, it is costly from a computational perspective. It also requires a great deal of bandwidth and adds latency that interferes with interactive SaaS and Internet apps.

• Code-stripping: In this approach, the remote browser strips malware out of the website experience and passes ‘clean’ code on to the end-user. But this approach frequently breaks the website experience altogether and may miss zero-day vulnerabilities.

• Local: With local approach, browsing takes place on a local virtual machine that is isolated from the rest of the device’s operating system. Unfortunately, this approach slows down devices, doesn’t apply to mobile devices, and is hard to deploy organization-wide.

Due to the challenges with these available browser isolation tools, organizations have often limited their implementation to a subset of employees or a set of high-risk sites. While this does provide partial protection, it also leaves significant security gaps.

Every employee within the organization is a potential victim of a malware attack, and cybercriminals may explicitly target those not protected by browser isolation. In addition, limiting browser isolation to specific sites assumes that the organization can accurately identify every potentially risky site on the Internet. In reality, malware may be delivered over “trusted” media, such as shared files on Google Docs or OneDrive.

Browser isolation is a promising approach to securing and enabling Internet use, but innovations had yet to deliver a comprehensive solution. That was until Zero Trust was extended to the Internet browser.

Zero Trust browser isolation

Alternative to the browser isolation technologies listed above, a Zero Trust browser isolation approach applies Zero Trust principles to all employee Internet activity, meaning that every single browsing session and piece of website code is treated as untrustworthy by default. And, vice-versa, every single user and device browsing web application data is treated as untrustworthy by default.

We have established that traditional browser isolations make this level of rigor unfeasible in practice. Traditional browser isolation methods are either too clunky to be used all the time, not accurate enough at stopping threats, or both.

To protect every employee from every online threat, browser isolation must have:

• High reliability: Modern websites and browser-based applications can be complex and may break some browser isolation solutions. Zero Trust browser isolation should allow users to visit any site on the Internet and have the same experience as on a local browser.

• Minimal latency: Traditional remote browsing solutions are slow and send a clunky version of a webpage to the user. A modern Zero Trust browsing solution should incur minimal latency and offer high performance and responsiveness.

• Cost-effectiveness: Zero Trust browsing is most effective when it is deployed for all of an organization’s employees and sites. This requires a solution that is cost-effective and scalable.

• Granular control: A browser isolation solution should provide administrators with more granular control over data-in-use and in-browser activities like printing, copy/paste, and filling in forms, enabling them to further minimize cyber risk.

When it comes to determining which Zero Trust browser isolation vendor you partner with, there are many best practice strategies and requirements to keep in mind. These key aspects of browser isolation can lend to a more successful, efficient, and performant implementation of the technology:

• Use of a large edge network: Rather than hosting browser isolation in a limited number of public cloud data centers, do so on a global edge network that is close to end-users anywhere to minimize latency. Cloudflare runs on a 250+ city edge network, with browser isolation running on every server in every data center.

• Only stream draw commands: Rather than trying to scrub website code, browser isolation should send lightweight draw commands to end-user devices, allowing them to load and interact with sites accurately without loading any code. Cloudflare takes precisely this approach with our Network Vector Rendering technology.

• Use native browser technology: Remote browsers that use technology already built into common endpoint device browsing applications are more reliable at reconstructing all kinds of sites accurately. Cloudflare works with native browser technology — specifically the widely used Chromium browser — which transmits lightweight draw commands rather than pixel streams or deconstructed code.

• Next-generation cloud computing: Avoid remote browser isolation hosted in the public cloud — which passes along cloud costs to users and adds latency. And use efficient serverless computing techniques that improve on virtualization and containerization by eliminating the orchestration and management of underlying server resources, to use those resources more effectively. Cloudflare’s efficient orchestration and management of server resources reduces end-user latency and delivers 2x speed increases over traditional remote browsers.

Cloudflare utilizes a massive global network and a patented browser isolation approach to provide a Zero Trust browsing experience without performance tradeoffs. In this way, organizations will be able to experience the true value of browser isolation.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Key takeaways

After reading this article you will be able to understand:

• How the Internet browser increases exposure to cyberattack

• What techniques attackers are using within the browser

• The recent trends in attack vectors

• How to mitigate risk using Zero Trust browser isolation

Related resources

• White paper: Common browser isolation challenges, and how to overcome them

• What is browser isolation?

• Cloudflare Browser Isolation