Chrome Enterprise: How to Protect the Enterprise Browser Frontier

The browser is vital to organizations’ productivity, with critical tools like software-as-a-service (SaaS) and collaboration applications typically accessed via the browser.

However, the browser is now also a target for threat actors. Despite this, cybersecurity tools in many organizations have failed to evolve to meet this threat, with the primary focus still on endpoint security.

Infosecurity spoke to Dean Paterek, Chrome Enterprise Lead EMEA at Chrome Enterprise, to discuss this issue and to understand the security capabilities available for Google Chrome Enterprise, one of the most widely used browsers in the world.

Infosecurity Magazine: A recent Google Chrome whitepaper, "The Security Blindspot," highlighted how traditional security models overlook the browser. What is this "blindspot" and why has the browser become the new critical, but often exposed, enterprise security perimeter?

Dean Paterek: Most organizations now realize, to a degree, that users are doing a lot of their work in the browser as they access more SaaS and web-based applications.

Traditional security has looked at endpoint and network security tools to govern that perimeter. These tools do a great job at protecting assets like managed devices and traffic that routes through a traditional network, when a user has accessed publicly facing applications or even privately hosted web apps. 

However, there's a lot of activity that goes on within the browser that is not being picked up by traditional tools. Attackers realize that the easiest way to penetrate a business is to target the browser. 

Organizations are starting to recognize this threat and the need to have a level of visibility in the browser to be able to do something about it.

Security leaders need to start controlling what is happening in the browser, what users can do in the browser and then how you can enforce access control and data loss prevention control directly in the browser.

IM: Evasive tactics like QR code phishing and the use of legitimate browser features for living off the land attacks are on the rise. How is Chrome Enterprise Premium designed to counteract sophisticated, modern attacks that bypass traditional security tools?

DP: Chrome Enterprise Premium is a zero trust solution. A “never trust, always verify” approach. It looks at the user, the device, the location and never trusts any of those three until validated, so continuous authentication. 

If anything changes post-authentication, the connection will be cut. There's never a continual level of trust applied in that environment.

We also protect users from downloading malicious content or going to phishing sites. Our consistent and dynamic URL risk evaluation looks to understand the behaviors of that URL, identify malicious activity and then apply a risk score internally. This enables us to either prevent a user going to those risky URLs or flag them to notify that user that they are potentially at risk.

Should they go to that website, then we have a range of AI-powered phishing and malware protections which ensure we're analyzing what is being downloaded from that website or URL in a dynamic way to understand what it is trying to do before it can execute on the system.

We can also add things like extension risk protection. We're very aware that extensions are a key productivity tool within the browser, but they are being exploited. 

Chrome Enterprise can continually help organizations understand the changing nature of an extension after you have allowed a user to utilize an extension. 

We can build an automated removal of an extension which is causing issues or is exhibiting behavior changes. Alternatively, we can completely remove the user from the environment should that extension pose a risk.

IM: Insider threats and security risks associated with Bring Your Own Device (BYOD) policies present a major challenge. How does Chrome Enterprise address the data exfiltration and data loss prevention (DLP) challenge at the browser layer, particularly on unmanaged devices?

DP: This is one of the biggest areas where we're seeing organizations move to a browser-based approach. Chrome Enterprise Premium uses rules that can prevent both malicious and unintentional data exfiltration.

We can prevent an attacker from targeting that organization and reduce the potential blast radius. Within the browser we can apply granular policy controls to prevent actions like download, upload, print, copy and paste. You can be specific to the user and tie that with context-aware access rules. Depending on where that user is, the device posture, the user privilege level, you can apply more granular DLP controls to enforce or reduce the level of restriction to that user.

We can also be preventative and help the user understand that they are accessing sensitive data and that they need to think about what they do with it. We can apply things like watermarks, preventing screenshots and screen sharing, or even mask certain parts of that web resource.

This can prevent the user from seeing parts of the data on the page unless they double click or completely hover over it. We can also completely redact the information depending on the signal from the device. 

Applying those DLP controls is based on a range of factors, and our view is that by bringing this directly to the user in the browser, you're applying it at the most impactful point in that process.

IM: Security teams need actionable data to reduce the blind spot. What kind of telemetry, insights and reporting does Chrome Enterprise Premium generate, and how can security operations teams use this to enhance their Security Information and Event Management (SIEM) practices?

DP: Chrome Enterprise provides real-time telemetry for network events, high-risk users and domains in a neat dashboard. This enables early visibility into what's happening across the browser fleet, whether that's on a managed or an unmanaged device. This can capture real evidence in the evidence locker. That can be used to support further forensic investigation.

What's interesting now is the move from traditional device management, where you manage the device and integrate in an EDR tool, towards browser detection and response. This means that we're now using the same methodology to detect and respond to threats but are not dependent upon having an EDR deployed.

The value of that is you've now got the same consistent control panel across managed and unmanaged devices. Security operations center (SOC) teams have not traditionally had that visibility into the extended workforce or vendor landscape in a consistent way. 

By integrating that into your security practice, you can start to apply a broader set of detection response capabilities across the environment. Within any third-party SIEM you can build out those playbooks to identify user risk and potentially orchestrate a response within Google SecOps.

Within SecOps, we're really starting to drive that automated detection and response directly in the browser.

IM: Finally, what is the business case and return on investment (ROI) for adopting Chrome Enterprise? How does it contribute to both risk reduction and employee productivity?

DP: We commissioned a report back in 2023 by Forrester, which calls out some specific stats regarding the ROI of the enterprise browser. 

It showed about a 10% reduction in overall security costs, equating to roughly $2.6m in savings from improved security and a saving of around $500,000 through improving IT resources and productivity.

That is the economics behind managing the browser when we think about utilizing it to get access to critical applications, to improve security and deliver threat protection directly at the user level. From there, ultimately reducing the attack blast radius by applying DLP controls. 

However, I think there is enormous value for organizations beyond this. There is a huge opportunity to consolidate and rationalize technology in the environment, so removing the need to deploy complex endpoint technologies or even buy devices in the first place. 

If you can start to remove the need to manage a device end to end, certainly for your extended workforce, then you remove the upfront cost in acquiring and provisioning said devices. 

And then you can reduce the in-life management cost and risk associated with managing those devices, just by handing out an identity and getting a user to sign into Chrome.

You can bring IT and security teams together and meet the IT requirement, which is providing scalable, efficient access to corporate resources quickly. At the same time, meeting the security requirement by providing a compliance audit for security-driven outcomes that allow the security team to understand what the user is accessing and restrict actions based on a whole range of controls. 

We've seen a huge amount of uptake from businesses looking to change the way they deliver secure access to both managed and unmanaged devices without the need for over-provisioning networks and deploying complex endpoint, network infrastructure.

IM: Given the threats and solutions we’ve discussed, what steps can an IT security leader take to begin addressing the browser security blind spot in their organization?

DP: Phase one is to simply gain control and visibility of how the browser is being used.

Without understanding what's happening, it's difficult to do anything about it. Within Chrome today you can manage the Chrome browser across your environment, both on managed and non-managed devices through Chrome Enterprise Core.

This is a capability to apply basic policy control and govern extensions directly across your environment today, then look at how you can operationalize the power of the browser and start using it as an access control method and applying the granular DLP control.

There's a range of benefits that can be delivered directly via a control, which is deployed on over four billion devices out there today. 

It's a significant opportunity for organizations to mobilize what is a very common platform as both a productivity and security tool.
