The myth about SWG browser threat visibility – Blog

VedVision HeadLines July 4, 2025

Browsers are now the most used enterprise application. But that popularity makes them a giant target. According to the Verizon 2022 Data Breach Investigation Report (DBIR), web applications and email – which are primarily accessed via web browsers – constitute the primary attack vectors in security breaches, accounting for over 80% of such incidents. Threat actors are using highly evasive and adaptive techniques to gain an initial foothold through the browser before spreading through the network in search of more prominent targets.

Security teams know this, of course, and are relying on their existing Secure Web Gateways (SWGs) to provide the level of protection they need to stop these kinds of attacks. However, these Highly Evasive, Adaptive Threats (HEAT) keep getting through. Ransomware and phishing are still a problem for enterprise security teams, as they have been for a very long time.

Why are SWGs not sufficient against today’s HEAT attacks?

SWGs have been around a long time, but they were designed to solve a problem that has evolved into something completely different over time. If you remember, SWGs were originally intended to be a web filtering tool. They served as a firewall between enterprise networks and the public Internet, identifying potentially malicious content. A simple allow or block decision was made at this inflection point with static security policies dictating what content users could access. The SWG has since evolved to include URL reputation and sandboxing capabilities – allowing organizations to first identify malicious content and then quarantine it before it could gain access to enterprise networks.

As you would expect, threat actors evolved right alongside the SWG, developing evasive and adaptable techniques to get around these filters. Eventually, threat actors realized that the browser is now the gateway to enterprise networks and began developing ways to deliver payloads in the browser before traffic is filtered through the SWG. Techniques such as HTML smuggling, cross-site scripting and Legacy URL Reputation Evasion (LURE) exploit vulnerabilities in the browser. The SWG sits between the endpoint and the enterprise network and isn’t in a position to block (or even identify) HEAT attacks that target the browser. Once attackers gain that initial access, they can lie in wait, find a way to spread to the network undetected and deliver their payload.

How can SWGs be updated to better protect browsers?

SWGs are not completely obsolete. In fact, they are quite resilient. They have evolved several times in step with evolving threats, and all we need to do is extend their reach to the browser. Here are four ways that SWGs can evolve to better meet today’s HEAT attacks:

1. Enhance visibility in the browser

SWGs sit between the end device and the enterprise network and provide little visibility into what’s going on in the browser. Organizations need to extend visibility to the browser and monitor how users are interacting with the Internet. This includes the sites they are visiting, the files they are uploading and downloading, the Software as a Service (SaaS) platforms and cloud infrastructure they use to get work done – even social media and other interactions that take place outside the enterprise network. Simply moving the SWG between the end device and the public Internet could enable this critical visibility.

2. Analyze web elements in real time

Phishing attacks are getting very good at imitating legitimate and trusted brands. SWGs need to use artificial intelligence (AI) and machine learning (ML) to analyze web elements such as images, logos, fonts and metadata to determine if a site is what it purports to be. And they need to do this in real time at the point of click. Today’s attacks operate at the speed of business and any delay in detection could lead to a breach. Multi-factor authentication (MFA) bypass is a good example of this. Threat actors are able to intercept MFA tokens and use them to gain access to an application within a few seconds. A SWG armed with AI/ML could detect a suspicious logo on a web form before the user enters their credentials.

3. Isolate the user from potentially malicious content

SWGs could also be enhanced with isolation technology that creates a virtual air gap between the user and the public Internet. Executing all content – whether it’s deemed malicious or not – in a remote browser in the cloud before it gets to the end device would prevent HEAT attacks from gaining an initial foothold. Tricking attacks into executing their evasive techniques, and even into delivering their payload, before they reach the end device forces them to reveal themselves before they are ready – allowing traditional SWG capabilities such as URL filtering and sandboxing to do what they do best.

4. Enable dynamic security policies

Finally, SWGs need to be updated with a mechanism that allows them to execute dynamic security policies. In the past, security control through a SWG has been static. If this content or behavior is detected, then block. However, security policies need nuance. Users log in from unexpected geographies while on vacation or at a conference. People sometimes behave suspiciously – whether they mean to or not. Legitimate websites are often uncategorized or miscategorized. Dynamic security policies executed within the proper context can keep users safe from HEAT attacks without shutting off wide swaths of the Internet or impacting productivity.
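
To make the contrast concrete, here is an added sketch (not code from the original post or from any SWG product) that compares a static allow/block rule with a context-aware policy that can also send a session to an isolated remote browser. The category names, the three risk signals, the thresholds and the `example.*` hosts are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Category names, signals and thresholds are assumptions for illustration;
# they are not taken from any SWG product.
KNOWN_BAD = {"malware", "phishing"}
KNOWN_GOOD = {"business", "saas"}


@dataclass(frozen=True)
class WebRequest:
    url: str
    category: str               # "uncategorized" when reputation has no verdict
    country: str                # where the request comes from
    usual_countries: frozenset  # countries this user normally logs in from
    credential_form: bool       # page asks the user for credentials


def static_policy(req: WebRequest) -> str:
    """Static rule: anything that is not known-good is blocked."""
    return "allow" if req.category in KNOWN_GOOD else "block"


def dynamic_policy(req: WebRequest) -> str:
    """Weigh context and choose allow, isolate (remote browser) or block."""
    if req.category in KNOWN_BAD:
        return "block"
    signals = [
        req.category not in KNOWN_GOOD,          # uncategorized or miscategorized
        req.country not in req.usual_countries,  # travel, conference, or takeover
        req.credential_form,                     # credentials are at stake
    ]
    risk = sum(signals)
    if risk == 0:
        return "allow"
    return "isolate" if risk < 3 else "block"


# Constructed sample requests (example.* hosts are placeholders).
HOME = frozenset({"DE"})
SAMPLES = [
    WebRequest("https://crm.example.com/", "saas", "DE", HOME, False),
    WebRequest("https://supplier.example.net/", "uncategorized", "DE", HOME, False),
    WebRequest("https://crm.example.com/login", "saas", "US", HOME, True),
    WebRequest("https://login.example.org/", "uncategorized", "US", HOME, True),
]


def compare(samples):
    """Return (static verdict, dynamic verdict) for each request."""
    return [(static_policy(r), dynamic_policy(r)) for r in samples]
```

The static rule blocks the uncategorized supplier site outright and waves through a credential login from an unfamiliar country; the context-aware rule isolates both and blocks only when every signal lines up.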

It’s time for another evolution

SWGs have been a critical cybersecurity tool for decades, and they have shown an amazing ability to evolve with a constantly shifting threat landscape. It’s time for another evolution. Existing security strategies expose browsers to today’s HEAT attacks. Extending visibility to the browser, analyzing web content in real time, isolating users from the public Internet and enabling dynamic security policies are four ways SWGs can be enhanced to meet today’s threats.


