The document discusses the vulnerabilities and risks associated with web-based attacks, particularly phishing and malicious websites, while proposing browser isolation as an effective method for breach protection. It details the distinction between client-side and server-side browser isolation and outlines the benefits and challenges of implementing such solutions. With a growing adoption rate from 1% in 2017 to 25% in 2022, browser isolation can significantly reduce the impact of web-based attacks on enterprises.
Contents
• The Problems? – Phishing, Malicious Web Sites, Threat injections
• Current available solutions
• What is Browser Isolation?
• Two types of Browser Isolation
– Client side
– Server Side
• Current players
• Issues & Challenges
Malicious Websites and Drive-by Download
• Suspicious Domain on the Internet from isc.sans.org*
– Malware Domain List.com
– Domain Blocklist From Malwaredomains
– Abuse.ch Ransomware Domain Blocklist
– Threatexpert.com Malicious URLs
– Virustotal Domains
– Zeus Command And Control Server from Abuse.ch
• Malware Domain List
– https://www.malwaredomainlist.com/
• Drive-by Download – concerning the unintended download of computer software from the Internet [wiki]
– Downloads which a person has authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet) automatically.
– Any download that happens without a person's knowledge, often a computer virus
* https://isc.sans.edu/suspicious_domains.html
Breaches
• 2014, Yahoo had at least 500 million user accounts affected
• 2015, Office of Personnel Management (OPM) experienced two separate incidents that affected 22 million personnel files
• 2017, Equifax and 2018, Marriott
• Cyber crime will cost the world $6 trillion annually by 2021, from $3 trillion in 2015*
• In 2018, the average cost of a data breach was $3.86 million, up 3.86% from 2017§
– Mean time to identify a breach in 2018 was 197 days
– Mean time to contain a breach in 2018 was 69 days
• Average cost for each lost record rose from $141 to $148 (2018 Cost of Data Breach Study)
• From 2009 to 2018, the total number of malware incidents grew from 12.4 million to 812.67 million
• Number of crypto malware incidents remained < 1 million in 2017, but skyrocketed to 5.5 million in 2018
• Worldwide spending on information security products and services was 86.4 billion in 2017, up 7% over 2016 (Gartner Report)
* 2017 Annual Cybercrime Report from Cybersecurity Ventures
§ 2018 Data Breach Study by Ponemon Institute
https://www.bloomberg.com/graphics/corporate-hacks-cyber-attacks/
from the user's physical desktop and enterprise network, any attacks on the remote browser session are constrained in their ability to cause damage. Every browser session is isolated and treated as if it might have been compromised and, ideally, every session is reset back to a known good state from immutable templates when completed.
The very act of users browsing the internet and clicking on URL links opens the enterprise to significant risk. Symantec's 2017 Internet Threat Report (https://www.symantec.com/security-center/threat-report) found that an average of 2.4 new browser vulnerabilities are discovered per day, and its labs detected an average of 229,000 web-based attacks per day. In the Kaspersky Security Bulletin: Overall Statistics for 2017 report, browser-based exploits still represented the bulk of exploits used in cyberattacks (see Figure 2).
Figure 2. Distribution of Exploits Used in Cyberattacks, by Type of Application Attacked, November 2016 to October 2017
Source: Adapted from Kaspersky Lab
Attacking through the browser is too easy, and the targets are too rich. Depending on the nature of the underlying vulnerability
Symantec 2017 Internet Threat Report:
• An average of 2.4 new browser vulnerabilities are discovered per day
• An average of 229,000 web-based attacks per day
• 76% of all websites contain a critical vulnerability
Kaspersky Lab
We Know that…
• Preventing web-based attacks is the goal, but it is difficult to achieve
• Perfect prevention of breaches is not possible. The strategy must be the isolation and containment of an attacker’s ability to do damage
• Browser-based attacks are the primary threat vector
• Vulnerable browsers and plug-ins are easy targets
• Patching and attack blocking are never good enough, no matter how well we do them
• Need to acknowledge and accept that some attacks will succeed no matter what we do
• Should focus on containing attackers’ ability to cause damage and reducing the attack surface
The Browser Isolation Provides …
• Browser isolation separates end users' internet browsing sessions from enterprise endpoints and networks
• Browser isolation can dramatically reduce web-based attacks
• An air-gap between the device and the browser
• Detach the web browser from the endpoint.
• Software to secure endpoints by providing end-users with a virtual, abstracted web browser
• Protection from intrusion or malware injection: only browsers, not devices, are infected
• Zero Trust Framework
Client-Based Browser Isolation
• Actual isolation on the user's local machine
• Create a new virtual instance in the client
• Local hypervisor
• Advantages
– No additional server needed
– Leverage local machine computing resources
• Problem
– Physical isolation?
– Potential to break out of the virtual instance
Server-based Browser Isolation
• Isolation on remote machines
• New virtual instance created for each session
• VM or container based
• Advantages
– Better Isolation
– No Agent software installed
– Can implement without any changes
• Problem
– Need appliance/server
– Bandwidth
Benefits
• Browser activities are completely isolated from the devices
• Agentless implementation – in server-based
• Breaches in the browser do not affect devices
• Protect from unpatched browsers and plug-ins
• Effective protection against web-based cyber attacks and malware
• Browser session reset to a known good state after use
• Centralize policy management
• Additional security functions with SWG, WAF, etc.
Challenges
• Latency
• Performance
• Bandwidth
• Scalability & high availability
• Cloud-based vs. on-prem
• Seamless experiences
• Some browser capabilities may be limited (cut/paste)
• Mobile devices
Summary
• Provides an alternative for isolating and containing attackers’ ability to do damage
• Reduces web-based attack impact and helps prevent breaches
• Eliminates the persistence of undetected and stealthy attacks
• Isolates user activities from Internet attacks
• Adoption rate goes from 1% in 2017 to 25% in 2022*
• Organizations can experience a 70% reduction in attacks that compromise end-user systems*
• Still have some challenges. Plan carefully.
• Start with high-risk user groups (financial, etc.)
* March 2018 Gartner Report on Remote Browser Isolation