Many cybersecurity attacks use browser-based vulnerabilities and threats. Current browser developers attempt to isolate web applications so that malicious code cannot access a device’s operating system and low-level functionality. Although these attempts at isolation prevent some attacks, allowing a user to openly browse the internet adds exponential risk to the organization. True browser isolation contains all web activity within a closed virtualized environment without allowing any browser-based code to access other sections of the user’s device. A virtualized browser strategy is far more secure than traditional methods of web access.
History of Browser Isolation
Traditionally, users installed software on their desktops and ran applications locally. Data was typically stored on a network drive, but the application itself ran on the local machine. With the increased popularity of cloud computing, software now runs remotely so that data can be local or in the cloud. The easiest way to build applications that run remotely is to code them to execute in a browser, which means that most software-as-a-service (SaaS) applications use browsers.
Cybersecurity experts determined that browser-based applications were safer for users and enabled unencumbered access to application functionality. Users were familiar with navigating a browser, so these applications also reduced user training time. Developers used browser controls and APIs for easier coding and worked with browser cybersecurity instead of writing their own.
As cybersecurity evolved, organizations found that a browser running in a virtualized environment could completely separate the browser application from the device’s underlying operating system. Providing users access to internet browsing introduces risks, but a virtualized environment and browser protect a user’s device from common malware because the malware cannot access the main system.
Because isolated browsers are more secure than standard installations, governments now use isolated browsers and virtualized technologies to protect internal network resources, sensitive data, and trade secrets. Security experts recommend an isolated browser approach to web browsing on machines that have access to sensitive network resources and data to reduce risk from drive-by malware, phishing, and data theft.
How Browser Isolation Works
Browser isolation works by sandboxing a web environment. That means the web browser runs in its own environment without interacting with the operating system. Imagine that you created a chemical concoction built within a glass bottle. Should the reaction create smoke and a foul smell, it cannot affect the environment outside of the bottle. This scenario is similar to the way an isolated browser environment works.
Types of Browser Isolation
Administrators can choose from three types of browser isolation, and each one provides its own benefits and drawbacks. Each isolation strategy offers different levels of protection and potential risk. In today’s business environment, web browsing is a must for users. They must be able to find answers to questions and download important information. Unfortunately, allowing open browsing of the internet also increases security risk tremendously.
The dangers of internet browsing led to “web content filters.” Web content filters block websites on the user’s browser based on a long list of reported malicious websites. This strategy has several problems: the list must be continuously updated to be effective, false negatives are common with newly created malicious websites, and attackers create dozens of malicious websites to bypass these protections. Also, web content filtering is typically based on categories. Administrators block specific categories from being accessed, which can affect business productivity if an essential safe site is added to a filtered category.
Another issue with traditional browser setups is cookies left on the local machine. Cookies often contain session IDs and other personal information. Attackers use cross-site scripting (XSS) to obtain cookies from a legitimate site and use malicious scripts to forward a cookie to their own web servers. With the stolen cookie, an attacker can then perform cookie stuffing and session fixation, which provides malicious access to activities in the context of the user session.
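The cookie theft described above depends on a script being able to read the session cookie. As an added example (not part of the original page), the following Node.js code audits Set-Cookie headers for the attributes that limit that exposure; the cookie-name pattern and the sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for attributes that limit cookie theft.
// SESSION_NAME and SAMPLE_HEADERS are constructed assumptions, not from the page.
const SESSION_NAME = /sess|sid|auth|token/i;

const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/',
  'auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict',
  'theme=dark; Max-Age=31536000',
  'sid=q1w2e3; Secure; SameSite=None; Max-Age=86400',
];

// Split one Set-Cookie header into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  // Only cookies that look like session identifiers are audited.
  if (!SESSION_NAME.test(c.name)) return { name: c.name, findings };
  // Without HttpOnly, injected script can read the cookie via document.cookie.
  if (!c.attrs.httponly) findings.push('missing HttpOnly');
  // Without Secure, the cookie is also sent over plaintext HTTP.
  if (!c.attrs.secure) findings.push('missing Secure');
  // Require an explicit Lax or Strict policy for cross-site requests.
  const sameSite = String(c.attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') findings.push('SameSite not Lax/Strict');
  // Expires or a positive Max-Age keeps the cookie on disk after the browser closes.
  if (Number(c.attrs['max-age']) > 0 || c.attrs.expires) findings.push('persists after browser close');
  return { name: c.name, findings };
}

// Return only the cookies that have at least one finding.
function auditAll(headers) {
  return headers.map(auditCookie).filter((r) => r.findings.length > 0);
}

console.log(JSON.stringify(auditAll(SAMPLE_HEADERS), null, 2));
```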
Browser isolation offers users much more relaxed access to the internet without affecting local network security. For most web browser environments, administrators use remote browser isolation. This type is the most common, but organizations can choose from three types:
- On-premises browser isolation: An on-premises strategy does the same as remote browser isolation, but the server is located on the local network. This strategy is good for privacy but provides access to local network resources through the remote server. Administrators must sandbox the on-premises server to ensure that malware cannot access local network resources and data.
- Client-side browser isolation: Client-side browser isolation uses traditional virtualization by sandboxing web-based applications in a virtual machine. Web applications still run within the browser in the traditional sense, but the browser and its operating system run in a virtualized environment.
Remote browser isolation is most common, but some environments do not have true virtualization. In a DOM mirroring environment, administrators allow specific web content to reach a user’s local machine, which leaves risk open to sophisticated threats. However, in a true isolated environment, only a stream of the browser’s interface and activity reaches the user’s local machine.
Benefits of Web Browser Isolation
Aside from added security, web browser isolation offers several more benefits. Its continued success in stopping malware and other web-based attacks has made browser isolation the chosen strategy for many organizations that need to allow users to browse the internet but require a way to reduce security risks.
Browser isolation has several benefits:
- Protection from malicious links in phishing emails: After a user clicks a malicious link, the browser automatically opens, and the malicious web page loads. Should an attacker trick a user into clicking a malicious link, the isolated browser opens and stops malicious code from loading on the local machine.
- Protection from malicious downloads: When users navigate to a malicious website and download software, the remote server stores the malware on its local sandboxed storage. In a double-strategy attack using social engineering or other methods with malware, attackers would be unable to load malicious files on the local machine.
- Protection from malicious ads: Although advertising platforms do what they can to stop malicious ads, some still get through the system. Since ads run on the virtualized browser on the remote server using isolation strategies, these ads cannot harm the user’s local machine.
- Hidden IP addresses: Should an attacker trick a user into accessing a website, the user’s IP address would be divulged. This IP address is usually the exit point from the corporate router, which can be attacked using a distributed denial-of-service (DDoS) attack. In an isolated browser environment, only the remote server’s IP address is exposed to the attacker.
- Data loss prevention: Because malware can’t load on the user’s local machine, having an isolated browser environment improves data loss prevention (DLP) strategies.
- Gather user behavior analytics: All browser instances run on a centralized cloud server, so administrators can use analytics and monitoring tools to gather information about the sites users browse and access. These analytics can help determine if users fall for phishing and malware sites to offer them additional cybersecurity training.
- Reduced administrative overhead: Instead of using web content filters that generate alerts when users attempt to access a blocked site, administrators can eliminate the need for alerts. They simply read reports and review user behavior analytics to identify users that need more cybersecurity guidance.
- Stop web-based malware and drive-by attacks: Browser vulnerabilities leave the entire local machine and network vulnerable to zero-day attacks. With browser isolation, malware and other drive-by attacks are neutralized.
What Types of Threats Does Browser Isolation Stop?
Web browser isolation reduces administrative overhead by adding a layer of cybersecurity that cannot be found with standard web content filtering. Allowing open internet browsing increases security risks and opens the local machine to numerous threats. Users browsing the internet increase the organization’s attack surface, but browser isolation dramatically reduces it.
Web browser isolation prevents:
- Drive-by downloads: Web pages initializing malware downloads aren’t capable of loading it on the local machine; it’s only downloaded on the remote server’s storage.
- Clickjacking: Virtualized browsers block out much of the malicious code served using advertising and third-party sites. Clickjacking happens when a user clicks a component on a web page, thinking it sends data to one page when the user actually clicks a malicious hidden layer of an attacker-controlled website.
- Phishing redirection: Blocking malicious ads stops many phishing redirects served to users browsing a website.
- Man-in-the-middle attacks: The remote server loads web pages, so no data transfers between a website and the user’s local machine. After the remote server loads a web page, a stream of content is sent to the user’s local device. Because no data is sent to the user’s device, stealing data using a man-in-the-middle attack is not possible.
- Cookie theft: Attackers can no longer use cross-site scripting (XSS) to steal cookies and session IDs. Cookies are destroyed when the user closes their session, so cookies are not available to another user on the device. If the device is stolen, an attacker would not have access to cookies and session IDs.
How Proofpoint Can Help
Proofpoint offers advanced threat cybersecurity using a browser isolation strategy we call Proofpoint Targeted Attack Protection (TAP). We use a remote cloud-based server solution to give your business users, including workstations at the user’s home, access to the web without the increased risk from malware and malicious client-side code.
With the Proofpoint TAP strategy, your administrators protect sensitive data, intellectual property, critical trade secrets, and other private files and data from exfiltration. Avoid hefty compliance violation fines and reduce risk by blocking sophisticated web-based attacks where users install malware and lose data to attackers. TAP reduces your attack surface and removes much of the burden and overhead from your IT staff. With TAP, you can still give your users complete access to the internet without the risk of common attacks in the wild.