What You Should Know About Browser and Endpoint Isolation
By BUFFERZONE Team, 24/05/2023
Web security is of paramount importance in today’s digital landscape. Browsers enable access to various types of online resources like websites, digital media, and cloud-based services. However, this also makes browsers a prime vector for cyberattacks. Browser-based and web-based attacks are prevalent, posing risks such as security breaches, data theft, and cybercrime.
To safeguard against these threats, it is imperative for users and organizations to adopt a multi-layered approach to web security. This includes using up-to-date browsers, antivirus software, and other protective measures. Staying vigilant with regular security updates and safe browsing practices is crucial. However, these traditional measures are often insufficient in the face of evolving, sophisticated threats. Mitigating the risk of web-based attacks requires proactive efforts, a proactive mindset, and proactive tools.
Web-based attacks are a growing concern for individuals and organizations due to the increasing vulnerabilities in browsers and the internet. Here are some common examples of web-based attacks:
- Cross-Site Scripting (XSS): Attackers inject malicious code into a website. The code may then be executed in unsuspecting users’ browsers.
- SQL Injection: Exploits vulnerabilities in a website’s database to gain unauthorized access to sensitive information.
- Phishing: A social engineering attack where attackers impersonate trusted entities to trick victims into revealing sensitive information like login credentials.
- Drive-by Downloads: Malicious downloads that can infiltrate a victim’s device simply because the victim visited a website that has been compromised by the attacker.
- Malware Delivery: Attackers can deliver malware to a victim’s device through a website or email attachment.
- Adware: Often bundled with free software, adware can collect user information, redirect to unknown websites, or display pop-ups.
Protecting against web-based attacks requires a multi-layered approach. Keeping web browsers and operating systems up to date, avoiding clicking on suspicious links, and using reputable antivirus software are basic, important measures. However, these may not be enough against new and evolving threats. Staying aware of the latest threats and educating employees on safe browsing practices is crucial. Additional measures like network segmentation, application whitelisting, and web filtering can help minimize the impact of successful attacks.
In recent years, innovative solutions like browser isolation have emerged as a prevention technique for minimizing the risk of web-based attacks. Browser isolation can be achieved through local isolation using virtual machines or virtual containers, or remote server-based isolation. By isolating the browser from the rest of the computer, the potential impact of web-based threats can be minimized. Advanced isolation technologies can also extend this protection to USB devices, communication applications like Teams or Zoom, and email attachments and downloads within the isolated environment. However, it’s important to note that phishing attacks may go beyond the scope of isolation, so advanced techniques should be employed for comprehensive protection.
The need for browser isolation is gaining considerable attention. In this blog, we describe different isolation-based solutions and compare them.
A. Remote Browser Isolation (RBI)
Remote browser isolation is a technique where a user’s browsing activity is conducted over a remote server that hosts multiple isolated browsers. This server can either be located within an organization in a secure and isolated environment or it can be provided as a cloud-based service. The primary advantage of this approach is that it offers greater security, as any risks are isolated outside of the organization. However, the main drawback is the high level of maintenance and hardware resources required to run the service. Moreover, remote browsers are typically limited to browsing, while other isolation solutions support external devices and other applications that may pose a risk to the organization.
One important aspect of remote browser isolation is ensuring a seamless user experience. This includes addressing concerns such as network latency and transferring user-created or downloaded content from the remote browser to the local computer. To achieve this, remote browser isolation solutions should employ server-based malware scanning and Content Disarm and Reconstruction (CDR) techniques to provide safe passage from the remote browser to the local computer. However, this may increase the cost and pose a challenge for RBI systems. It is essential to strike a balance between security and usability to provide an effective remote browser isolation solution.
B. Virtual Machine (VM) Endpoint Containment
These solutions offer a robust level of security through the separation that virtualization provides. Typically, each application or browser tab runs within its own isolated virtual machine, ensuring strong isolation.
However, there are some drawbacks to this approach. User experience can suffer due to complex installation, customization, and manual processes for secure data sharing. Additionally, the high resource requirements, including CPU and memory, needed to support multiple virtual machine instances can impact performance. Software licensing may also pose challenges, since applications used within VM-based solutions may require additional licenses. Another limitation is the lack of work persistency in VM-based solutions, which can hinder productivity.
C. Windows Sandbox
Windows Sandbox is a built-in feature in Windows 10/11 Pro that provides a secure and lightweight environment for running applications in isolation. Windows Sandbox allows users to test untrusted or unknown software without impacting the underlying operating system. By utilizing hardware virtualization, it creates a disposable virtual machine with a dedicated temporary storage space, enabling users to run potentially harmful software in a secure sandboxed environment. When the user closes the sandbox, all software, files, and states are deleted, ensuring that the host operating system remains unaffected and secure. This is an example of virtual machine-based containment, with the same limitations and drawbacks.
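A Windows Sandbox configuration file (`.wsb`) that tightens the disposable VM described above for opening an untrusted file. This is an added example, not part of the original post; the host folder `C:\Quarantine\incoming` and the file name are constructed placeholders.

```xml
<!-- untrusted-file.wsb (added example): opening this file launches a locked-down sandbox -->
<Configuration>
  <!-- Networking is on by default; disabling it removes the virtual NIC,
       so software inside the sandbox cannot reach the LAN or the internet -->
  <Networking>Disable</Networking>
  <!-- Use software rendering so the host GPU driver is not shared with the sandbox -->
  <VGpu>Disable</VGpu>
  <!-- Close the host/sandbox data channels that are not needed for the test -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <!-- Apply extra hardening to the Remote Desktop session that displays the sandbox -->
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <!-- Constructed placeholder path: the only host folder the sandbox can see -->
      <HostFolder>C:\Quarantine\incoming</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\incoming</SandboxFolder>
      <!-- Mapped folders are writable unless ReadOnly is set; read-only keeps
           anything running in the sandbox from modifying host files -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- Open the mapped folder when the sandbox session starts -->
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\incoming</Command>
  </LogonCommand>
</Configuration>
```

With the folder mapped read-only and the clipboard disabled, nothing produced inside the sandbox survives when it is closed, which is the work-persistency limitation noted above.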
D. Virtual Application Based
In this type of solution, a virtual container is created by a kernel driver, which virtually separates the operating system into two zones. The first zone is the trusted zone, which is connected to all the organization networks. The second zone is called the untrusted zone, which acts as a buffer zone where various applications including browsers run isolated from the trusted zone’s memory, files, registry, and processes. This method offers advantages such as low CPU and memory footprint, high quality of experience, and the ability to seamlessly work inside the virtual container without noticing that you are protected from browsing and USB threats.
BUFFERZONE® Safe Workspace® is the only such virtual containment solution, working based on 6 patented technologies. For business continuity as needed, Safe Workspace® incorporates SafeBridge® – local CDR disarming, right there on the endpoint. SafeBridge® can also utilize server-based CDR as needed.
The following table summarizes the differences between the three methods:
| | RBI | VM based | Windows Sandbox | BUFFERZONE® Safe Workspace™ |
|---|---|---|---|---|
| Browser isolation | V | V | V | V |
| USB isolation | X | X | X | V |
| Messaging app isolation | X | V | X | V |
| Email Attachment isolation | V | V | X | V |
| Work Persistency | X | X | X | V |
| Anti-phishing | Optional | Optional | Optional | Optional |
| CDR | Optional in SaaS integration | Optional in SaaS integration | | V Local, inside the virtual container |
| Software Licensing | Extra software licensing | Extra software licensing | Cannot be installed | No extra licensing |
| CPU/Memory Consumption | Not relevant | High | High | Low |
| Quality of Experience | Limited | Limited | Low | High |
| Latency | High | Low | Low | No latency |
| MITRE ATT&CK® | Initial Access Limited to: | Depends on the vendor. Category: | Categories: | Please check our Blog about MITRE ATTACK® Categories: |