[00:00:00] Speaker A: Take a look at your evolving landscape and take a fresh look at what are the security tools you want to overlay onto those, rather than retrofitting your existing security stack into a world that has evolved significantly over the last ten years.
[00:00:23] Speaker B: This is KBCS.
[00:00:25] Speaker C: Are they completely cycled as a primary.
[00:00:26] Speaker B: Target for ransomware campaigns, security and testing.
[00:00:30] Speaker A: And performance and scalability?
[00:00:32] Speaker C: We can actually automate that, take that.
[00:00:34] Speaker A: Data and use it.
[00:00:37] Speaker C: Joining me today is Paneema Debol, co founder and chief product officer from Menlo Security. And today we are discussing web browser security. So, Paneema, thanks for joining and welcome.
[00:00:49] Speaker A: Thank you, Carissa. Thank you for having me and excited to talk about this topic.
[00:00:53] Speaker C: Okay, so web browser security. I don't think I've spoken about this topic a lot on the show in 255 episodes or whatever's out there now. So maybe tell me everything that comes to mind from your perspective around web browser security.
[00:01:11] Speaker A: Let me maybe kind of try to bring in a few industry analogies that will help us understand what our perspective is on web browser security. And to your point, obviously, we have to evangelize, educate the customer and the market about what this actually entails, because it's definitely a newer topic on people's minds. So when I think about web browser security talking to customers, I try to refer them back to a few things that have happened in the security industry over the last decade. I started my career at Checkpoint Software, who were the pioneers of the Internet firewall, right? And ten years later comes along another company called Palo Alto Networks, and they started talking about next gen firewalls, right? And the whole concept of it was, now that everybody has connected to the Internet and have had their basic firewall policies all under control, what happens to this one channel, which is HTTP and HTTPs at the time when it is being used for more than just the original intent of web browsing? So came along virus updates. They realized that this channel is open, I'm going to use it. Came along other applications, which basically, even if they were using a different protocol, piggybacked on HTTP or HTTPs and said, we're going to use this channel because we know that companies are allowing this channel to be open because they want their users to connect to the Internet. So there was a big shift and an education from a customer perspective to say, look, this particular protocol is more than just your Telnet or FTP. It can be overloaded, and now you need to look inside it and decide on a security policy that's more than just a firewall port and protocol, right? That was the whole concept of what Palo Alto pioneered, called App ID, which is now let's look inside HTTP and HTTPs. Now our perspective is building on top of that.
It's very similar, but continues to build on top of that to say great. Now that you have for the last decade started inspecting HTTP and HTTPs and you have a better handle on it, now look at where the origin of that traffic is, which is typically between the browser and the server, and look at how that has evolved over the last ten plus years. If you look at Netscape Navigator, whenever I think we're all going to date ourselves, if we say when you used it, all you were doing was exchanging information or reading what the server had posted on its website. Now you look at the browser, it's an entire operating system in itself, right? Like this podcast we're recording, we're doing it on a browser. When you go to a SaaS application, it's a very complex application, like be Google or Google Workspace or Microsoft Office 365 or M 365, you're doing a host of things using the browser. If you go to an Internet website, it's no longer, let me give you the news for the day in kind of short stories. It's now customizing advertisements for you. It knows who you are when you go shopping. You get different advertisements when I go shopping. So when you look at the complexity and capability of a browser, it means that you're no longer getting the right level of security by just inspecting it on the network. You need to start treating the browser as an application, as the star application on your desktop, because the number of things it's doing has grown by leaps and bounds. The bad guys are also taking notice. Now when you look at attacks, they look very benign when you are inspecting it with a proxy or a next gen firewall. But then they're able to use the execution environment in the browser and compile and composite the malware on the endpoint rather than try to sneak it through, means that they have used before. So that's kind of the story and the evolution of how security always needs to build on the controls that you have today. But as the technology evolves, you also need to start looking from the perspective of how do I now get control and visibility into the new methodology, the new architecture, the new applications of today, not keep using tools from the past. And we believe sincerely, and this is very true, even if you study a lot of the attacks that are happening, they're succeeding because we're still applying old techniques and old tools into an environment that's kind of evolved and gone beyond, beyond having those controls that you had in the past. Right. You need to upgrade in that sense. I think that was a long, tough track, but hopefully it makes sense that when we talk about browser security, we want customers to start looking at this very powerful application as the place that they should be focusing their security perspectives and protections.
[00:07:13] Speaker C: No, I appreciate a long talk track. We want this to be a conversation and a discussion. So, Puneema, there's a couple of things in there that I want to press on a little bit more. Now, you said the capability of the browser. Would you say with your experience that people, I don't know, meaning companies, they sort of forget about the browser a little bit because everyone's like, oh, well, you know, I just jump on Google in the morning and I search whatever. Do you think the browser or, you know, the security around, like, web browsers has felt a little bit relegated, would you say?
[00:07:44] Speaker A: Yeah, absolutely. I think we have a talk track. We talk about the forgotten layer in your security stack, which is, we're referring to the browser in that context.
And there is a reason for that. It's not that enterprises are overlooking this big hole intentionally. It is typically how enterprise security organizations have been organized around the current security stack. Network security had the domain, or it's their purview to look at the web protocol, which is usually HTTPs. Today, nobody, almost nobody uses HTTP. So let's say your proxy and your next gen firewall always have the jurisdiction over HTTPs, and that has been considered the web security. Now, if you look at team that's working on endpoint security, they usually focused on antivirus, be it EDR like technologies, maybe some level of email security, some level of DLP agents. So they had their own jurisdiction of what happens on the endpoint and the set of security tools that they use to maintain and manage that endpoint. However, this browser, which is something that the endpoint team installs onto your laptop, was never viewed from that security perspective. It's just a means to an end. So the app gets installed. And I asked this question of every enterprise customer that I talked to of how do you manage the browser? And greater than 90% of them manage one parameter for the browser, which is, when do I update it? Do I update it as soon as Google or Microsoft publishes an update, or do I wait? Right. Do I wait a couple of days to ensure that it has compatibility with my applications? But that's the only thing they control. When you look at the details of what you can actually control in a browser, there's thousands of settings.
This browser is a very, very powerful application, may be largely purpose built for the consumer, right? You know, people who are shopping, you know, kids playing games or all of these highly interactive consumer based applications. And when you bring that into the enterprise, it has thousands of settings and capabilities that you probably don't need to for what your enterprise users are doing in terms of their everyday work. And unfortunately, the endpoint team has not really looked at this as an application they need to manage. So they forgot it. And the network team continues to look at it from an HTTPs and a network perspective. And that makes it that big gap of control and understanding that's missing. And I forgotten to your point, and we're, we're working very hard to say, hey, from an enterprise perspective, here's what you need. And customize this giant application by turning off things you actually don't need for the enterprise. There is a capability in Google where the web browser can attach to your usb or attached your audio device for things like podcasts that we're doing. Not everybody in enterprise needs all of those capabilities. The enterprise now can turn off those things. And when you turn it off, what's the benefit? You are now saying, this piece of code that's not relevant to me does not need to be invoked in my environment, which means now you're reducing the tag surface of this giant application and getting better security, but also getting better control of a very powerful application and not continue to forget about it. Right. So we do recognize that it's forgotten. But I think the main reason why it gets forgotten is because it falls in that crevice between what has traditionally been endpoint security and traditionally network security kind of falls in between and gets kind of lost and forgotten.
[00:12:31] Speaker C: So you said before people need to view the browser as an application. So how do people get into that mindset? Because you've clearly articulated things that forgotten, et cetera, specialized teams, there's sort of that gap in the middle. They work on different areas. So how can people sort of approach that from your experience?
[00:12:50] Speaker A: Yeah, so I think we're still educating and figuring out some of the pieces ourselves. But where I have seen success, right, is even if the browser continues to be the jurisdiction of the endpoint team, for the cybersecurity team to be kind of an overlay across the endpoint team and the network security team and start to define policies around what should be the browser posture in an enterprise, it can mean things. And we're not the first ones to say that you should do this. There are industry standards or industry bodies that have said, here are the browser feature capabilities that you should start paying attention to and managing it. On enterprise, there's a benchmark called the CiSDA, which I believe is the center for information security, or maybe something like that. But it's an industry standard body that has defined what a browser posture should look like. If you look in the government sector, the US Department of Defense, for example, defines something called a stick, which is their security recommendation for various applications in your environment, and they have one for browser.
So there are industry standards that recommend. In fact, I think Google worked with CIS to develop those benchmark security standards. So the point is for enterprises to start looking at those standards and starting to say, here is how my starting point is when it comes to browser posture in my enterprise, and it's a great starting point to start learning. And I'm sure there will be things that you need to then tweak and customize for your enterprise use case. Like, you know, you may be a media company that needs some of the things that cis may say, oh, you should turn it off, but turns out you actually need it in your business, you need to customize it. But it's a great starting point for the broader enterprise security teams to start looking at and understanding both the risks. But also how do you get control of it to put your enterprise into a better situation? When it comes to all of these attacks that happily come on HTTPs and manifest in the browser, how do you start reducing your attack surface and getting better control and visibility of your browser posture? That's our perspective is there's benchmarks out there. There are recommendations, find tools that give you an easy way to start managing those.
[00:15:49] Speaker C: Okay, so just before I go back and ask you something else that you said, I just want to touch on the benchmarks, would you say that people say, oh, well, piny, there's just so much information for me to consume, like where do I start? Do you get that a bit as well in some of the discussions?
[00:16:02] Speaker A: We do. We do. And it's not just a complaint, right? It's a reality of what cybersecurity teams are dealing with. But we do believe that there are tools out there, including tools from Menlo. We do see financial sector, which is usually coming to the table with probably best perspective in terms of security thinking and areas that they cover is more comprehensive.
Those teams are coming to the table already looking at these benchmarks. But the challenge I see with the existing model there is very used to saying, again, something hearkens back to many years ago, where software updates used to be three times a year or maybe at the most four or five times a year. But now Google and Edge from Microsoft will update sometimes every other week, depending on what they're delivering. So the financial sector actually does have practices that I've seen where they start with the CIS level two benchmark, but then they do that every six months, or they go back and look at it every quarter or something like that, which is nearly not as frequent enough or as often as the browser updates today.
So there is a challenge, but I do believe that it is for the better of the enterprise for them to take some of those practices they may have and take a fresh look at it and say, how do we evolve this to the modern day behavior of the browser, the modern day behavior of the software updates, rather than continue to keep it to be a quarter or six months ago? There are tools in the industry that that will help you do it, and I think it's time for people to actually start incorporating that. Because when I look at any kind of breach or data loss today, you'll see the browser front and center in it, not because it has any security issues on its own, but how the bad guys are exploiting this very rich capability of the browser to deliver the malware or create the breach in the first place, be it credential, phishing or HTML smuggling. All of these techniques are leveraging the richness of the browser and getting to the end point and circumventing your network stack.
[00:18:52] Speaker C: So you mentioned before as well, Panima, that people are still using tools from the past or old techniques. What would they be?
[00:19:00] Speaker A: So the techniques from the past are some of the things that I mentioned at the top where you say, okay, a proxy or a next gen firewall way of inspecting the browser traffic at the network level is good enough, right? What we're seeing is, let's say a malware is able to do a very simple thing like I'm going to encrypt the JavaScript, or I'm going to encrypt the payload for the malware, or I'm going to password protect a file that you're accessing via the browser. All of these things are fairly simple circumventions of the current technique of people saying I will inspect things at the network layer because all of these things rely on the fact that on the network layer I just look like a benign set of bits. And I'm going to use the execution environment of the browser to actually composite or execute what I need to deliver to the endpoint.
We wrote a fairly detailed blog on a malware called Socgolish, and in that it was interesting where this combining a number of techniques, it's saying I'm going to encrypt the JavaScript so you cannot inspect anything on the network. I'm going to encrypt the payload so you cannot identify. This is a malicious payload. I'm also going to take that payload and split it across different websites. So it's not even coming through the network as one payload, but it's coming as little pieces that is buried in your HTML traffic. And then when I get all of those pieces to the browser, I'm going to use that JavaScript environment to then composite that file. And I'm already on the endpoint at this point, nobody can stop, right? So it's very creative to some extent, but that old school way of saying I'm going to look at things on the network unfortunately is extremely short sighted when it comes to the richness of the browser execution environment.
[00:21:18] Speaker C: So would you say majority of people are still in this old school way of thinking, or do you think things are moving now, as you mentioned, with the education and awareness, et cetera? But would you still say that most people just aren't there yet in terms of the modern day behavior of a browser?
[00:21:35] Speaker A: I think it's starting to change. It's starting to change with this whole focus on or the product category that's evolving called the secure enterprise browser.
That category of products capabilities that vendors are delivering is starting to really create the momentum for enterprises to look at both use cases and security capabilities that they need to actively manage and create visibility and have control of the browser, rather than just treat it as an application that happens to be on the endpoint. Hey, I can put all my controls on the network. It's definitely an evolution and a change of perspective that we see happening, both from the customer perspective of starting to look at the attack patterns the same way that I described to you, and then looking at the vendor landscape where people are starting to have choices in terms of what they can do when the customers start thinking about. So it's definitely a shift that we see, and we are on our own world tour of going to various different cities in the world and starting to evangelize around, you know, you should be doing this. And it was interesting. I was just in Mumbai and one of the participants in our event came up to me and said, this is such a good idea. Why has nobody been talking about this for the last few years? And I was like, I hate to disappoint you, but we have been. But it was kind of the AHA moment for this person. Right. In terms of saying, yes, this is something I should be doing or I should be thinking about. So I think the trend is starting to shift.
[00:23:35] Speaker C: Okay, so you say that web security is not browser security. So talk to me a little bit more about this and what this means.
[00:23:43] Speaker A: Yeah. So we referenced some of it, but I can supplement or I want to maybe take this particular perspective on why that is the case. Right? So used to be in the past number of years, let's take a decade, there were usually these two tracks of, I would say, security breaches or security stories that you write about. The first one was largely financially motivated, right? So it could be, Im going to go down the path of ransomware, or Im going to go down the path of infecting your endpoint or infecting an enterprise and extracting some of the data and do more kind of an extortion, not necessarily always ransomware, or Im going to steal data and sell it, right? All of these various methodologies of the bad guys or the threat actors behavior was very focused on financial benefit, right? So there was a category of fairly sophisticated marketplace for these financial benefits. Then there was this concept of intellectual property or maybe more nation state driven threat actors, right? Where the outcome was very different than financial. It was a myriad of things, but it was definitely not financial. It could be some of the things like you saw in various elections across the world, all of these things were motivated by something different than financial. So you have these two tracks of financial benefit and a nation state threat actor almost on parallel tracks. Now, when they started exploiting this benefit of browsers or SaaS applications and the whole ecosystem around the browser, you saw an interesting intersection of techniques across those two things.
All of a sudden you saw the financially motivated threat actor starting to use fairly sophisticated tools that were more the purview of the nation state threat actor. And as those things started merging, some of these, I don't really even think that it's that sophisticated, but some of these more commonly used techniques in the nation state tax start to permeate into the financial sector. Financially motivated attacks and the tools that enterprises were using there were no longer good enough or enough to begin with.
Let's take an example of something like HTML smuggling. HTML smuggling is this concept of I'm not going to deliver the file in its entirety, I'm going to break it up into pieces, host it in various different websites and send it as a data blob in your HTML traffic and composite it onto your once I breach the browser. We first saw it, in fact ten years ago at the financial institution and we were like, wow, this is really clever. But it never actually gained the popularity or the usage that we see today. But what happened was Microsoft, for the office products which is prevalently used in the enterprise, they decided that the macros which are in your office suite of products were going to turn that off by default. So that financially motivated threat actor who was targeting the enterprise now all of a sudden no longer had this favorite tool of theirs, which was the macros and office product that was readily available to them. So they borrowed this HTML smuggling technique, which was probably more used by the nation state threat actor and started using it in the financial malware and the ransomware and all of those type of attacks. So you start to see this convergence of investigated techniques that were coming into the financially motivated attacks and got more and more sophisticated. And when you look at kind of that landscape of how that evolved, it's very interesting and it's very cool to actually study how those cross pollination happened. But when that happened is when in my opinion, the web security is not. Browser security really came to the forefront to say, again, just web security, where I'm doing URL filtering. URL filtering is like this site is good, this site is bad. So I'm going to block you from going to the bad side, but allow you to go to the good side. No longer worked because I'm now using perfectly category relevant websites to deliver malware. So that went out of the window. I'm going to inspect files that are coming through on this browser channel. No longer applied because now I'm going to password protect these files and you won't be able to inspect it. If you're going to do some kind of JavaScript inspection, I'm going to encrypt the JavaScript. So all of this kind of bucket of techniques that worked well when the techniques were fairly rudimentary or simplistic and financially motivated, started to be completely not adequate for the techniques that you were using today. When it became the sophisticated techniques from all across the browser dimensions started bleeding into web security.
That is where we say web security is not browser security because web security is typically those three things most people will reference. I'm doing URL filtering, I'm doing HTTPs inspection. I'm doing file inspection. Great, you can do all of that and I can still get malware or ransomware to your browser. Means that web security is not browser security. You need to think about it from a different perspective.
[00:30:25] Speaker C: So I want to now switch gears and maybe talk about something else that you've mentioned around treating all web traffic as potentially risky. Now what does this sort of look, what does this sort of look like to you, Paneema, with your experience? And then also, how would you advise a company to approach this? And does that sound exhausting though, if you're going to look at all web traffic as potentially risky?
[00:30:50] Speaker A: Yeah, it's a great question. And unfortunately it's the times that we live in, right. When we say treat all web traffic as risky, it does not necessarily mean that everything is risky. You know, you need to close your doors and close your windows and hunker down, right? All it means is if you look at the past set of breaches or attacks that have made the headlines, we have statistics that show that something like 70% of attacks, be it phishing or malware, is launched or hosted on what is considered good sites. What are sites from an enterprise or general human definition, right? So you would probably categorize news websites as good sites, right? Like be it cnn.com or, or any of those news websites that you talk about, you're like, okay, those are good sites. I go get my news from there. But if you look in the past, you know, five to eight years, you'll see that many of these news websites have been compromised and used to deliver malware. Let's look at then as a second category of things. We all use these SaaS or the productivity tools, be it G drive or outlook or Dropbox, any of these websites that we're talking about, we probably use it on a regular basis to get our work done. But because these tools are also allowing users to host their own content on there. So I can use my Gmail and send you a link to a document which your web security tools will trust because this is coming from the area of tools hosted by Google. Or I can host a file on Outlook and send you a link. And again, your web security tools, well trust it because it's coming from trusted websites, from trusted sites or ip addresses from Microsoft. So when you look at kind of how these tools are being leveraged to deliver malware, then it starts to make sense that you should treat all of these sites that you don't know where the content is coming from as risky.
It does sound exhausting, but it's not that hard to do with some of the security tools that I'm sure your enterprise users are aware of.
But taking that posture, make sure that you are evolving your security thinking to keep pace with how the threat actors are exploiting your existing security stack. Because all of the enterprises today are using URL filtering and say, hey, news is good, I'm going to allow my users to connect to news. That is the area that they're compromising now. I'm going to trust the outlook in the workspace in the Dropbox. Ipsen is the place that they are exploiting, right? So treating everything as risky does not necessarily mean that it's that hard to do, but it's just kind of recognizing the fact that that is actually getting exploited and you potentially have no choice but to start treating everything as risky to make sure your posture continues to evolve. The areas that the threat actors are exploiting. There is a reason that those exploits are succeeding, because your existing security mindset and your existing security tools are not considering those to be the risky areas. And you need to start shifting that thinking and treat all of that to be risky because you actually don't know where the bad is coming from. I don't know. I'm going to maybe date myself here quite a bit. But if you look all the way like 20 years ago when there were websites that were considered bad hosted bad things, like when you look at how URL filtering came to being in the very first place, it was that particular technology's effort to say, I know, for example, these gambling websites or these websites that host adult content also are hosting something bad. So it was fairly easy for the enterprise to say, I'm going to block those because there is no reason for an enterprise user to go there. And this URL filtering databases were a fine way of bucketizing and protecting your users. But today, when you look at it, you will see major websites have been compromised and delivered malware, right? And when you look at that perspective and you look at our statistic that says 70% of the time malware and phishing attacks are launched from good categorized websites, business and economy, computer and Internet fashion shopping. All of these categories that enterprises would not consider to be risky and block them, then you need to have the realization that there is no good website out there and all of them have the possibility of being bad. And I need to treat all of that traffic as risky.
[00:36:41] Speaker C: So Paneema, in terms of trying to conclude our interview with everything that you sort of said, is there any sort of final thoughts or closing comments you'd like to leave our audience with today?
[00:36:50] Speaker A: I think the best thought I can leave is for the enterprise to really look at take a fresh look at the security stack right? There is a reason that people are spending billions of dollars and you still see these headlines that make you scratch your head and probably give you a few sleepless nights. Especially if you're in charge of security for your enterprise. The best way for you to combat that is to not keep doing more of the same. But take a fresh look at where are the vulnerabilities? Where is the security falling short for the current set of tools and user behavior, be it working from home or traveling or I usage of various different tools that are much more SaaS based today than they were ever before. Much more cloud based today than they were ever before. So take a look at your evolving landscape and take a fresh look at what are the security tools you want to overlay onto those, rather than keep retrofitting your existing security stack into a world that has evolved significantly over the last ten years.
[00:38:23] Speaker B: This is KBCast, the voice of cyber.
[00:38:27] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
[00:38:36] Speaker B: This episode is brought to you by Mercset, your smarter route security talent Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out
[email protected] today.