How remote browser isolation can mitigate cyber threats

The rise of remote work, where employees could be accessing a corporate network from wherever they are, has cast the spotlight on end-point security, including the security of web browsers that are being used to access corporate applications and cloud services.

Browsers are already being targeted by threat actors who have been exploiting browser vulnerabilities to launch malware campaigns. Hackers in North Korea, for example, reportedly spent six weeks exploiting a zero-day flaw in Google’s Chrome browser at the start of this year.

One way to mitigate such threats is through remote browser isolation, where webpages are loaded in a remote browser before being delivered to users, usually as rendered pixels, without the need to download any active content, thus keeping malicious code at bay.

“Without browser isolation, you’re basically relying on your endpoint solution, and attackers that are targeting zero-days in a browser are definitely looking at ways to evade that,” said Devin Ertel, chief information security officer (CISO) at Menlo Security.

Menlo Security, known for its browser isolation capability, is now taking the technology further by providing isolation at the application layer through its Menlo Private Access technology.

“If you wanted a sensitive application to be protected, you can isolate it using the same technology we use for browsers,” Ertel said, adding that this will enable employees to access a secure application without putting it on the internet.

Ertel said some companies could even use browser isolation to control the access and use of applications in the way virtual desktop infrastructure (VDI) could, such as blocking uploads of sensitive documents to public file-sharing services like Dropbox.

“It’s a cheaper way than VDI which can be pretty expensive and the user experience of VDI is not that great as you’re going into a separate desktop,” he told Computer Weekly.

Still, there are cases where VDI could make more sense than a remote browser, such as logging on to a thick client to access a remote application.

“But if you’re accessing an internal application or you have some SaaS [software-as-a-service] application that you wanted to give access to and control, a remote browser would work in that sense,” Ertel said.

Ertel said remote browser isolation also enables productivity without increasing security risks, as employees spend less time trying to circumvent blocklists of URLs and DNS addresses.

Like its customers, Menlo Security uses remote browser isolation to fend off browser-based threats, but Ertel said what differs is that “if we ever catch something in our product, we will push that off for our customers as well”, referring to software improvements.

“So, we try to eat our own dog food and feed our research and intelligence back into the products to protect our customers as well,” he said.

Remote browser isolation is seen as one of the key implementations of zero-trust security, where traditional perimeters are eliminated, and no user or device can be trusted when accessing a service or data until proven otherwise.

“When you think about Menlo, we don’t even trust the browser so you’re protecting instantly via just a proxy setting and rolling that out to your whole population,” Ertel said, adding that it was company’s technology that drew him to take up the job about 10 months ago.

Ertel was a former CISO of BlackHawk Network, a fintech company that specialises in prepaid gift cards and payments. He was also head of security at a startup and worked at Mandiant and the US Federal Reserve where he had hands-on experience mitigating high-profile breaches.