Browser security startups insulate users from web-based threats

Companies plug holes through which attackers gain network access


Cyber attackers continue to exploit a significant security gap found in a familiar tool used pervasively in all company networks: the common web browser.

Mozilla Firefox, Google Chrome, Microsoft Explorer and Apple Safari all use an architecture that makes it relatively easy for an attacker to embed malicious code on an employee’s computer—and then use that infected machine as a foothold to probe deeper into the breached network.

Here’s the good news: There is a growing cottage industry of security vendors developing sophisticated technology specifically to plug this gaping exposure. Browser security vendors first appeared on the scene about 2010; leading innovators include Invincea, Bromium, Spikes Security and Menlo Security.

ThirdCertainty recently visited with two new entrants, Ntrepid and Authentic8. Here is what they each bring to the table.

The morphing of browser usage

Mountain View, California-based start-up Authentic8 recently introduced a service called Silo, which isolates web browser malware code from the targeted computer—and the rest of the company network—by routing all employees’ browsing sessions to dedicated servers that it controls.

Authentic8 CEO Scott Petry has a long history helping companies keep intruders out of their networks. Petry founded email-filtering company Postini, which was bought by Google and folded into the search giant in 2007.

Petry, who co-founded Authentic8 with another Postini alum, Ramesh Rajagopal, observes that the arrival of sophisticated browser security tools, like Silo, is a reflection of how web browser usage in corporate settings has morphed over the past couple of decades.

Scott Petry, Authentic8 CEO

In the 1990s IT departments “would control how you compute, when you compute and what applications you access,” Petry recalls.

Steadily, the web browser “became such a massive focal point or gravity center for how people consumed different web services,” Petry says. “It became extremely compelling for employees to access the web for personal use and for businesses to start taking advantage of the web as a way to perform business functions.”

Amazon pioneered e-commerce and Google got businesses and consumers accustomed to quickly searching for, and pinpointing, desired information. All of this leveraged the browser’s capacity to execute code on individual computers in response to users’ clicks.

“As soon as that happened, business data that IT departments used to control in their environment was suddenly scattered across third-party websites that they didn’t control,” Petry says. Then social media, including Facebook and Twitter, appeared and all bets were off.

Routing malware to silos

“It’s now a mess,” Petry says. “If you think about how the browser is used, it’s a one-size-fits-all solution. People use the same browser with a tab opened to get to Facebook, a tab opened to get to Dropbox and a tab opened to get to wherever. It’s a mix of personal use and business activity, and it’s no wonder that the browser is such a point of vulnerability.”

Venture capitalists are funding tech entrepreneurs coming forward with new systems to lock down browsers, because how we have come to use browsers is not likely to change much going forward.

“I’m sure at some point we will move away from a monolithic browser,” Petry says. “It might change over time, but people have been predicting the death of email for 10 or 15 years, and it is still the most common form of business communication. So, no, I don’t think the browser is going anywhere any time soon.”

Authentic8’s Silo product isolates all web code in a secure, remote container in the cloud, giving users a benign display of the web content. Nothing reaches the user’s device except pixels.

“The attack surface area is now ours, and that’s where we deal with it,” Petry says.

Virtual sessions

Instead of moving browser sessions into isolated servers, Herndon, Virginia-based Ntrepid addresses the problem by inserting a virtual browser into every employee’s computer.

Any malicious code arriving via a web browsing session is isolated from the hard drive or memory of the targeted computer. The machine, in essence, is inoculated against browser malware and cannot be used by the attacker as a beachhead to go deeper into the company’s network.

Web browsers by design execute code over which network administrators have zero control. This code execution enables all of the cool interactive things we can do on our browsers.

Trouble is, criminal hackers can all too easily slip malware into this mix. Like Authentic8’s isolated servers, Ntrepid’s virtual browsers protect the organization from “all web-based attacks, including web-delivered malware, watering hole attacks, spear phishing, passive information leakage and drive-by downloads,” according to Ntrepid.

Ntrepid’s technology, called Passages, enables employees to “safely browse anywhere,” providing them “the freedom to surf online without the risk of infecting their machines or compromising valuable enterprise data.”

To activate Passages, a user simply clicks on it on the desktop instead of Internet Explorer, Firefox or another conventional browser.

Lance Cottrell, Ntrepid Passages chief scientist

Any malware encountered on a website “is trapped” inside Passages’ virtual machine and can’t infect anything else on a user’s computer, says Lance Cottrell, Ntrepid’s chief scientist. The malware is destroyed when the browser session is over.

While browser security technology, for the moment, is being marketed to small and medium-size businesses and large enterprises, Ntrepid and Authentic8 are both developing marketing efforts to serve individual consumers.

“We’re starting off on enterprises—our early adopters—but they are always saying ‘what about my wife, what about my kids, can I get this at home?’” Cottrell says.

Cognizant of a massive data breach last year at the U.S. Office of Personnel Management—when hackers accessed personal information of more than 21.5 million employees, family members and others—Ntrepid is accelerating its marketing efforts to consumers, Cottrell says.

The company is offering every victim of the OPM data breach free access to Passages for a year, he says.

Authentic8 is doing something similar, providing Silo, for free, to all those who were affected by the OPM data breach, as well as the recent Department of Homeland Security hack. Government officials who have been notified that their data has been leaked may use Silo free for a year to help lock down their browser and secure their sensitive information.

ThirdCertainty’s Gary Stoller contributed to this report.
