Patricia de Hemricourt

@Patricia1507

Zero-Trust Browsing to Reduce Cybersecurity Job Fatigue?

Illustration by Geralt

A recent ESG (Enterprise Strategy Group) report underlines one of the less known endemic problem plaguing infosec professionals — Job Fatigue. The recent ESG/ISSA (Information Systems Security Association) survey underlines the human costs:

• 68% of cybersecurity professionals believe that a cybersecurity career can be taxing on the balance between one’s personal and professional life. 
• 62% of cybersecurity professionals believe that their organization is not providing an adequate level of training for them to keep up with business and IT risks.
• 41% of cybersecurity professionals say that the cybersecurity skills shortage has led to a situation where the infosec staff spends a disproportionate amount of time dealing with high-priority issues and incident response. 
• 38% of cybersecurity professionals say that the cybersecurity skills shortage has led to high burnout rates and staff attrition.

This is a direct result of the combination of the global staffing crisis, as underlined in an (ICS)2 research that warns of a 3 million shortage in qualified cybersecurity staff, and the increasingly dangerous threat landscape.

Malicious actors are about to incorporate AI and machine learning into their exploit models and leverage them to develop swarm-based botnets designed to overwhelm classic defences. As zero-day vulnerabilities and exploits will explode, reactive measures will become increasingly insufficient, and the workload on experienced cybersecurity personal will increase, leading to higher burnout and attrition rate.

Without a drastic shift from reactive to proactive defence tactic, even ideally staffed cybersecurity teams will be overpowered.
Already, they face occupational hazards such as long hours, high stress levels, and career frustration that can lead to exhaustion, burnout or even mental health issues.

The ideal cyber prevention solution should deliver instantaneous end-to-end security for every kind of network-based non-executable content for the whole range of persistently used attack vectors such as email, web, apps and cloud file sharing applications and for every device connected to the Internet. It should allow zero-trust browsing with minimal reliance on threat databases, antivirus, firewalls, and other existing classic defence infrastructure. As the vast majority of today’s threats are browser-borne, the best current proactive defence method is browser isolation.

Browser isolation can be either local or remote.

Local isolation solutions use virtualization on the device itself to separate browsing from other functions. For example, end-point isolation can be achieved with a local Virtual Machine (VM). A VM is an operating system or application environment that is installed on software, which imitates dedicated hardware and is running on the user’s device but has drawbacks: 
• high CPU and memory requests cause sluggish user experience
• the cost is prohibitive for large organizations as each endpoint has to be equipped with a VM individually which:
• might require upgrading some or all devices to accommodate increased CPU and memory request 
• increases IT personal workload
• limits BYOD options as it is located on the device itself

On the remote side, the last decade saw the emergence of Virtual desktop infrastructure (VDI), a virtualization technology that hosts a desktop operating system on a centralized server in a data center. The desktop image is delivered over a network to an endpoint device, which allows the user to interact with the OS and its applications as if they were running locally. VDI suffers from the triple handicap of 
• High Cost: Besides the cost of running VDI infrastructure, it leads to double costs due to the necessity to secure licenses for both physical and virtual desktops
• Impaired User experience: The remote desktop must be accessed via a dedicated client, resulting in increased latency
• Need for Policies: As VDI is not a security solution by itself, organizations still need to implement and manage policies such as web-app access.

But today, for organizations looking for an affordable integral defence against browser-borne threats, the closest approximation available is container-based Remote Browser Isolation (RBI). According to Gartner “Through 2022, organizations that isolate high-risk internet browsing and access to URLs in email will experience a 70% reduction in attacks that compromise end-user systems.”

Illustration by Wir Sind Klein

As RBI does not require individual endpoints installation, organization-wide deployment can be achieved with minimal burden. Added to the substantial reductions in attack penetration and the resulting drop in security alerts that need to be reviewed and addressed, it is highly effective in reducing the workload of cybersecurity teams, improving their work/life balance and reducing job fatigue and burnouts. Even better, as it is not tied to devices and is browser-agnostic, RBI can be deployed across devices including phones and tablets, eliminating BYOD restrictions or added installation cost.

Pioneered by nuclear plants and military facilities, RBI solutions rely on the physical separation between the endpoint and the actual browsing. All executable code is executed on the remote browser and rendered as a safe content stream that is sent to the user’s local browser, locking malicious code away from the endpoint.

This leaves downloaded files as the only potential source of threat penetration, which requires sandboxing them for sanitation before delivering them to the endpoint.

The expected increased capacity of AI-assisted threat development means that classic sandboxing technologies relying on threat detection to neutralize them are likely to be less and less effective. Opting for a non-detection based mechanism such as Content Disarm and Reconstruct (CDR) technology to sanitize downloaded files is as close as one can get today to zero-trust browsing. CDR deconstructs all incoming files, removes any element that does not match the file’s type structural specifications and reconstructs the file whilst preserving its full functionality.

With integrated RBI/CDR, the end user’s browsing experience is near identical to direct browsing and can be performed from any device, removing any restriction pertaining to remote working.

Civilian use of RBI is still in infancy, there are currently only a 4 RBI solution providers, with a mature and well established international presence:

Menlo, with its Security Isolation Platform (first released in Oct 2016), is close to full isolation but still incorporates some of its pre-existing DOM technology elements and is using PDF viewer as opposed to CDR, reducing near-native browsing experience 
Ericom, with Ericom Shield (first released Sep 2017), offers a full-service, modulable RBI solution with integrated CDR, and supports easy integration with existing security infrastructures 
Symantec, with Web Isolation (first released Feb 2018), almost provides full isolation but still enables direct video streaming which is a potential vulnerability
Citrix, with its Secure Web Gateway (first released March 2018), relies on ICA (Citrix Protocol), so is not yet a dedicated browsing solution and is still lacking a full CDR for executable file downloads

From reducing the workload of cybersecurity staff to freeing the end user from cumbersome browsing restrictions, the potential of RBI covers more than providing advanced cybersecurity. Any forward-looking CISO should definitely consider including RBI as an essential element of their cybersecurity strategy or, at the very least, thoroughly evaluate its potential benefit.

All those interested in the topic of Browser isolation are warmly invited to join the newly created Browser_Isolation subreddit

If you liked this article, feel free to clap generously and share with those of your friends who might be interested. Thank you

More by Patricia de Hemricourt

Topics of interest

More Related Stories