Non-Porous Browser Isolation
Problem: Internet Crime via Infected Endpoints
Internet crime continues to escalate: the FBI's Internet Crime Complaint Center (IC3) received 800,944 complaints for 2022 with a record $10.3B in reported losses. Ransomware is also on the rise, with 73% of businesses reporting a ransomware attack in 2022, and the global cost of ransomware was expected to exceed $30 billion in 2023. Ransomware holds data hostage by encrypting it, or denies access to critical systems, until a ransom is paid. Many organizations that pay the ransom suffer a follow-on incident shortly after.
Attackers have been particularly adept at planting malicious code such as ransomware into organizations, often using phishing and pharming techniques to gain a toehold by placing initial malware on a user's endpoint. Once an attacker has that toehold, they can frequently leverage it to move laterally into other parts of the victim's organization and eventually gain control over critical systems and data. With such control, attackers can deploy ransomware, sell breached data, or post breached data publicly. Moreover, many organizations are under regulations that obligate them to publicly report such incidents, which damages their brand and complicates incident recovery.
A single infected endpoint is a risk to the entire organization.
When any user's endpoint becomes infected, it is a risk to the entire organization. Moreover, attackers particularly value infiltrating the endpoints of users with higher levels of access, or with access to critical data or functions. Such high-risk users include system administrators, database administrators, cloud administrators, domain administrators, cybersecurity team members, executives, payment teams, and users with access to finance, customer, patient, and legal systems. An infected high-risk user's endpoint gives an attacker a much shorter path to critical systems and data.
Why Do You Need a Browser Isolation Solution?
A Browser Isolation (also called Remote Browser Isolation or RBI) solution allows users the freedom to browse the web, including potentially risky web sites, without having to worry about their endpoints becoming infected with malware from the web. Without Browser Isolation, browsing even a legitimate website poses some risk, since attackers deliberately compromise websites to host malware that is downloaded to the user's endpoint. This article calls that "pharming"; strictly speaking, pharming means redirecting users to a fraudulent site (for example via DNS poisoning), while planting malware on a compromised legitimate site is usually called a drive-by download or watering-hole attack. The distinction does not change the defensive problem: either way, whatever the browser fetches reaches the endpoint. Many people also use their browser to read their e-mail on the web, and phishing attacks using malicious links or code in the e-mail pose a similar risk.
Sometimes attackers operate on a massive scale with tools that automatically search for vulnerable websites and infect them with downloadable malware. Other times the attacks are extremely sophisticated and targeted: the attacker determines known or likely sites that the potential victim frequents and plants on those sites an exploit aimed at the targeted victim but not others (a watering-hole attack), so it goes unnoticed by the wider public. Pharming attacks may also involve setting up phony or dangerous sites that show up in search results, or exploiting DNS cache poisoning to direct victims to malicious sites.
Phishing attacks may send mass e-mails containing a malicious URL or attachment to many users or target a specific user. Doing background checks on the user can assist an attacker in crafting a message such that the malicious URL or attachment will get clicked. Some attackers even leverage artificial intelligence to help do this type of crafting automatically on a large scale often using publicly available sources of information like social media.
Attackers constantly look for variations and improvements for their pharming and phishing methods to gain access to a desired company’s network and information. Trying to train users to detect and avoid pharming and phishing attacks will not be sufficient, since attackers are skilled at creating attacks that are almost impossible for their human targets to detect.
The common browsers on today's market and endpoint protection systems attempt to detect unsafe websites or malicious code. However, since attackers have access to these same products, they test their attacks against them before use to ensure they work. Browsers and antivirus, endpoint detection and response (EDR), or even extended detection and response (XDR) systems will not stop a successful novel attack until enough users fall victim for it to be reported and analyzed and an update shipped to protect against it.
Browsers and endpoint protection will not stop all attacks.
What is Browser Isolation?
A Browser Isolation system adds a significant additional layer of defense against pharming and phishing attacks by redirecting the user’s web traffic so that it flows through a Browser Isolation server. The Browser Isolation server does the actual browsing of the web and then transforms the web content into less risky or safe content that is passed on to the browser or app on the user’s endpoint (see figure 1). A Browser Isolation solution must also have a pathway for the user’s input on their endpoint browser to be communicated back to the remote browsing session to produce a complete and familiar browsing experience with full user interaction.
Browser Isolation transforms web content into less risky or safe content
Today's organizations are extremely concerned about malware being used for data breaches, ransomware, command and control, or to take over their systems for other nefarious purposes. Given the success of such attacks, organizations are looking for defense in depth beyond just the endpoint browser and traditional anti-virus protection. Browser Isolation solutions provide this needed defense in depth and should be considered a necessary control, particularly for high-risk users.
Organizations with more demanding security needs may also be concerned about sensitive data leaking out or deliberately sent from the user’s endpoint to the web—a data exfiltration problem. Browser Isolation can also assist with that by 1) ensuring malicious code from the web will not be transmitted to the endpoint to exfiltrate data, and 2) allowing an organization to place controls and monitoring on the data transferred to the web (a form of data loss prevention or DLP). More fine-grained control could be achieved by integrating the Browser Isolation solution with a DLP solution.
Types of Browser Isolation Solutions
When browsing a web site, the site sends commands, code, and other content to the browser which then uses that to display information and interact with the user. The set of such possible commands, code and other content is large and is frequently misused by attackers to transmit malware from the web site to the user. Browser Isolation combats this potential misuse.
There are two primary types of Browser Isolation methods on the market today: 1) transcoding or rendering, or 2) pixel-pushing. Both are widely used, but they work quite differently which results in different capabilities. In addition, Browser Isolation platforms either use a single system or two systems for remote browsing which also has an impact on isolation capabilities.
Transcoding or Rendering Browser Isolation Method
Many Browser Isolation solutions transcode or render the potentially dangerous web traffic into a subset of commands, code, and other content (see figure 2). Such solutions are usually software-based and can perform well enough to provide an acceptable browsing experience.
The chosen subset is claimed to be safer than today’s large set of browser-supported web traffic, including commands and code. Figure 2 shows how the superset of all possible web traffic, including code and commands is transcoded into a smaller subset of hopefully safer code and commands. Since the user’s browser already supports this subset, it can display the subset without requiring any changes or plugins to the browser. However, a vendor using transcoding or rendering must also keep up with the ever-expanding set of supported web traffic, likely resulting in occasional web site compatibility issues and requiring constant updates to their Browser Isolation solution.
While such transcoding or rendering may be effective against many types of malware on the web, there is no guarantee that an attacker could not craft an attack that could let their malicious code or commands either survive the transcoding or infect the Browser Isolation server browser and thereby infect the browsing endpoint. Transcoding or rendering a set of supported commands or code to a subset sent to the browser means that some commands and code still flow through from the superset of possible traffic to the subset as shown in figure 2. Or in other words, a transcoding or rendering Browser Isolation solution is porous.
Transcoding or rendering Browser Isolation solutions are porous
Browsers are inherently porous which is the reason attacks can flow through them. Therefore, it makes little sense to choose a Browser Isolation solution that is also porous. Even if the transcoding or rendering Browser Isolation is less porous than using a browser without it—it is still porous. You should assume that attackers will test against a porous Browser Isolation solution and find a way through it.
Sometimes Browser Isolation vendors using the transcoding or rendering technique are reluctant to describe exactly how the rendering works, including the exact subset of commands, code, and other content that it uses for the transcoding. They may also restrict the trial so that you can’t easily test the Browser Isolation solution against arbitrary web sites, but only against a set of predefined sites. This lack of transparency is a warning sign that the vendor may be relying on security by obscurity—which is always doomed to eventually fail.
As mentioned, the superset of web code and commands is constantly expanding as browsers increase capability. Therefore, providers of Browser Isolation solutions that use the transcoding or rendering method must ensure that they keep up with this expansion and any changes that occur. The easiest way to quickly maintain compatibility is to just allow new or changed commands to pass through the transcoding which would make such a solution even more porous, without customers even realizing it.
Pixel-Pushing Browser Isolation Method
By contrast, a pixel-pushing Browser Isolation system transforms web content into an interactive video stream of pixels (see figure 3). A remote isolation platform based on two systems creates a pixel gap across which only pixels can travel. Pixel-pushing Browser Isolation with a verifiable pixel gap is not porous, since no web commands or code survive this transformation or infect the system connecting to the user's browser. As a result, organizations have high assurance that infected web sites, even those carrying zero-day or novel attacks, cannot successfully attack their endpoints or networks, because the transmitted pixels in a video stream do not carry malicious code (or any code at all). What does remain on the endpoint side is the stream decoder, so the frame format crossing the gap should be simple and fixed (raw pixel arrays and PCM samples rather than a feature-rich codec) to keep that residual parsing surface small. The pixel-pushing method is transparent, and the robustness of its security is easy to understand.
A pixel-pushing Browser Isolation solution can be non-porous
Moreover, even as new web code and commands are supported by browsers, a pixel-pushing Browser Isolation solution will still automatically transform the web session, including the new capabilities, to pixels. There are never any commands or code transmitted from the Browser Isolation server to the user’s endpoint browser, just pixels.
Two System vs. Single System Browser Isolation Platform
As shown in Figure 4, a two-system browser isolation platform has two remote systems for the browsing session. System B is assumed to be untrusted and compromised, and runs the remote browsing session of the web site on the Internet. System A is trusted and connects to the user's browser. Pixels and PCM audio samples from the remote browsing session are transferred from System B to System A. Since only pixels and audio samples can flow between the two systems, this is referred to as a pixel gap, which is analogous to an air gap. No code can flow between the two systems. Moreover, even if System B becomes compromised and infected, the compromise cannot pass across the pixel gap to System A. A pixel gap that is enforced in a way that can be readily shown to pass only pixels and audio samples is a verifiable pixel gap.
A two-system pixel-pushing browser isolation system with a verifiable pixel gap is non-porous
Unfortunately, most browser isolation platforms only contain a single system for remote browsing (see figure 5). This single system both connects to the web site and does the browsing, transforming the content into a pixel stream and then sending it to the user’s browser. Since the single system is connected to both the web site and the user’s browser, if it becomes compromised or infected, the system could send something besides pixels—such as malicious code, to the user’s browser. Therefore, a single-system isolation platform is porous—even if it is using pixel pushing.
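The porous-versus-non-porous contrast drawn in the transcoding section and in the two-system description above, as an added example that is not code from the original article or from any vendor's product. The first half is a toy allowlist "transcoder" that drops every tag outside a small subset: it shows that the surviving subset still carries executable paths (event-handler attributes, javascript: URLs), which is what "porous" means in practice. The second half is System A's receiver for a two-system pixel gap: it accepts exactly two message kinds, a raw RGB frame whose length must equal width × height × 3 and a block of 16-bit PCM samples, and rejects everything else, so bytes that spell out script on System B are just twelve pixel values on System A. The wire format (a "PXGP" magic, type byte, width, height and payload length header), the tag allowlist, the size limits and all function names are assumptions for this example.

```python
import re
import struct

# ---------- porous: transcoding / rendering to a "safer" subset ----------
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "ul", "li"}          # assumed subset
_TAG = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")

def transcode_html(page: str) -> str:
    """Keep only tags in ALLOWED_TAGS; every other tag (e.g. <script>) is dropped."""
    def keep(m):
        return m.group(0) if m.group(2).lower() in ALLOWED_TAGS else ""
    return _TAG.sub(keep, page)

_HANDLER = re.compile(r"\son[a-z]+\s*=", re.I)
_JS_URL = re.compile(r"\b(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I)

def active_content(page: str) -> list:
    """Tags in a transcoded page that can still run script in the endpoint browser."""
    hits = []
    for m in _TAG.finditer(page):
        tag = m.group(0)
        if _HANDLER.search(tag):
            hits.append(("event-handler", tag))
        if _JS_URL.search(tag):
            hits.append(("javascript-url", tag))
    return hits

# ---------- non-porous: pixel gap, System B -> System A ----------
MAGIC = b"PXGP"                      # assumed wire format
TYPE_VIDEO, TYPE_AUDIO = 0, 1
HDR = struct.Struct(">4sBHHI")       # magic, type, width, height, payload length
MAX_W, MAX_H = 3840, 2160            # assumed display limits
MAX_AUDIO = 48000 * 2 * 2            # assumed: one second of 48 kHz 16-bit stereo

def pack_frame(kind: int, payload: bytes, width: int = 0, height: int = 0) -> bytes:
    """What System B emits; used here only to construct sample input."""
    return HDR.pack(MAGIC, kind, width, height, len(payload)) + payload

def pixel_gap_receive(msg: bytes):
    """System A: parse one message. Returns ('video', w, h, rgb_bytes) or
    ('audio', samples). Raises ValueError for anything that is not exactly
    a frame or a PCM block, so a compromised System B has no third channel."""
    if len(msg) < HDR.size:
        raise ValueError("short header")
    magic, kind, w, h, n = HDR.unpack_from(msg)
    payload = msg[HDR.size:]
    if magic != MAGIC or len(payload) != n:
        raise ValueError("bad magic or length")        # trailing bytes are rejected, not ignored
    if kind == TYPE_VIDEO:
        if not (0 < w <= MAX_W and 0 < h <= MAX_H) or n != w * h * 3:
            raise ValueError("frame geometry does not match payload")
        return ("video", w, h, bytes(payload))         # raw RGB; the bytes are never interpreted
    if kind == TYPE_AUDIO:
        if n == 0 or n % 2 or n > MAX_AUDIO:
            raise ValueError("bad PCM block")
        return ("audio", struct.unpack(f">{n // 2}h", payload))
    raise ValueError(f"unknown message type {kind}")

def rejected(msg: bytes) -> bool:
    """True if System A refuses the message."""
    try:
        pixel_gap_receive(msg)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    # Constructed page: <script> is dropped, but the kept <img> and <a> still carry script paths.
    page = '<p>hi</p><script>evil()</script><img src=x onerror="evil()"><a href="javascript:evil()">x</a>'
    out = transcode_html(page)
    print(out, active_content(out))
    # A 2x2 frame whose payload bytes spell out script: on System A it is twelve pixel values.
    frame = pack_frame(TYPE_VIDEO, b"<script>evil", 2, 2)
    print(pixel_gap_receive(frame))
    # A compromised System B appends extra bytes after the declared frame: refused.
    print("extra bytes rejected:", rejected(frame + b"payload"))
    print("unknown type rejected:", rejected(pack_frame(2, b"code")))
```

The receiver deliberately has no "extension" or "control" message type: the moment a third kind of traffic is allowed across the gap, the design is back to trusting System B. In a hardware pixel gap the same rule is what the FPGA logic enforces, and verifying it means confirming that only these two fixed-format paths exist.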
The single-system browser isolation platform used by most vendors lacks a pixel gap and is therefore porous
Software or Hardware Pixel Pushing?
Some pixel-pushing solutions use only software to do the transformation which results in unacceptable performance and a poor browsing experience—or, otherwise, a very high cost. This is because the pixel-pushing transformation process is more compute intensive than the transcoding or rendering method. To solve this problem, consider using a pixel-pushing Browser Isolation solution that uses high performance, specialized hardware deployed either on premise or in the cloud. Using a solution that has a cloud service containing specialized hardware allows you to obtain high performing, non-porous Browser Isolation without having to deploy and manage any specialized hardware yourself.
There are many different types of specialized hardware that could improve the performance of pixel pushing. One interesting technique is to leverage Hardsec, which implements the function as fixed logic on FPGAs (Field Programmable Gate Arrays) rather than as software running on a general-purpose, Turing-complete processor, so there is no firmware image for an attacker to overwrite with malicious code. One caveat: an FPGA is not inherently immutable. Its configuration (the bitstream) is normally loaded at power-up and many parts support in-system reconfiguration, so the gap is only as strong as the configuration path. The claim that reprogramming requires physical access holds when the bitstream comes from read-only or one-time-programmable storage and the JTAG and other reconfiguration interfaces are disabled or fused off.
Moreover, a two-system isolation platform based on hardware, like FPGAs, that enforces the pixel gap is easily verifiable, creating a verifiable pixel gap and by extension verifiable non-porous Browser Isolation. The FPGAs can perform the display and camera functions that form a hardware-enforced pixel gap between System A and B in figure 4. Such a system provides a true Browser Isolation control, not just an additional layer of software-based detection that an attacker might evade.
A hardsec-based Browser Isolation solution provides a verifiable pixel gap and is non-porous
Since it lacks a pixel gap, a single-system software-only Browser Isolation system could become infected and transmit malicious code to the user’s endpoint or to some other internal system. The use of VMs or containers to set up and tear down remote browsing sessions making them more ephemeral is essential and helps reduce this risk, but some risk remains and therefore all single-system Browser Isolation is porous.
The lower in the stack a security function is implemented, the harder it is to bypass from above. A standard attack technique is to get around a security function by going underneath it at a lower level in the stack. FPGA-based hardware sits below both firmware and software, so bypassing a hardware-enforced control, with the configuration path locked as described above, would require physical access to the remote systems and replacing part or all of the system hardware.
What Do You Need in a Browser Isolation Solution?
Investing in a Browser Isolation solution represents an organization’s commitment to security and defense in depth. So, what do organizations need and expect from a Browser Isolation system? The list below gives the highlights with respect to requirements.
Even though you are primarily using Browser Isolation for security, you might be tempted to choose a solution that provides less security, but that is stronger in the other areas. However, you should not have to compromise security to meet the other requirements.
You should not have to compromise security to meet other requirements
Browser Isolation as Part of a Package
Some vendors include Browser Isolation as a feature or product that is included as part of a larger platform or package. While this might seem somewhat attractive if you are looking to buy a lot of functionality, the additional cost and management overhead doesn’t make sense if you are primarily looking to implement Browser Isolation. A platform, suite, or package approach might also lead to vendor lock-in, making it difficult to swap out a subpar, perhaps porous, Browser Isolation solution for a better solution in the future.
By focusing on a larger platform or package, a vendor can create confusion about the robustness of their Browser Isolation’s underlying security architecture and implementation and thereby mask weaknesses or flaws or even the porous nature of their Browser Isolation. Consider a best-in-class, non-porous Browser Isolation solution that allows you to use other security products and platforms while ensuring confidence in the demonstrable robustness of the security of your remote browsing implementation.
Conclusion
Internet crime and malware infections from phishing and browsing risky web sites continue to increase, sometimes resulting in ransomware holding data and systems hostage. Targeted attacks make it more difficult for users to determine what is a legitimate web site or e-mail message and what is not.
Browser Isolation is a critical tool that allows users, especially high-risk users, to safely browse the web and open e-mails. Browser Isolation solutions can be deployed on premise, which requires managing servers or appliances, or more easily through a cloud service.
The primary purpose of Browser Isolation is security: ensuring that web code and commands cannot be used to infect the user's endpoint or the organization's network. There are two main types of Browser Isolation: 1) transcoding or rendering, which by its very nature is porous, and 2) pixel pushing with a verifiable pixel gap, which is non-porous since pixels do not contain code and only pixels and PCM audio samples can cross the gap. A single-system pixel-pushing solution lacks a pixel gap and remains porous, since the system could be compromised and still transmit malicious code to the user's endpoint. Specialized hardware or hardsec can provide a verifiable pixel gap and good performance for pixel pushing. Using a non-porous Browser Isolation solution meets the primary purpose of security along with the other important requirements, and adds an essential control to your security posture.
Using a non-porous Browser Isolation solution adds an essential control
Note: This contains some material from an article I published on November 18, 2021.