Moderator: My name is Linda Hagopian and I will be the moderator for today's webinar Zero Trust Browsing, A New Cyber Security Approach for the New Decade. Let me introduce our two presenters for today, Nick Kael and Gerry Grealish.
Nick is Chief Technology Officer of Ericom. As you can see, Nick has strong security domain knowledge with multiple security certifications and hands-on work as an architect, designing and deploying cloud and web security solutions for some of the largest enterprises on the planet. Prior to Ericom, Nick held senior positions at Zscaler and Symantec. Nick is joined by Gerry Grealish, who runs marketing and product marketing at Ericom. Some of you may have heard from Gerry before, as he is a frequent contributor in the industry on topics like zero trust security. Prior to Ericom, Gerry ran product marketing for network security at Symantec, which he joined via its acquisition of Blue Coat, where he focused on cloud security. With that intro, let me hand off to Gerry to get us started.
Gerry Grealish: Thanks, Linda. And thanks to everyone for joining us here today. Before I go into the agenda and give an overview, I wanted to just share a little bit of context and background on the business that Nick and I are in, because I think that'll help you understand the lens that we work with customers through.
Ericom is a cybersecurity software and services company. Our portfolio is broken into two areas. We have a series of products and services that help customers securely access applications, whether those applications be on-premise or legacy applications in the data center, primarily from remote locations. And then we have a series of applications that are focused on helping enterprises secure their users' access to the web.
That's where we're going to spend our time today. These secure web access technologies are based on a capability called Isolation. And as you saw in the kickoff, we're going to be talking about how Isolation can help you as you're deploying security strategies around zero trust, and how it can help you ensure that as your users interact with the web and email, they have advanced security to prevent malware from making its way onto your endpoints and onto your network.
I'm going to start out and share with you what I call the challenge of the unknown web. I wish I could take credit for naming this, but a customer communicated their challenge in this language and I think it really works. I'm going to use that as the foundation for our conversation today. Then I'm going to hand to Nick to talk about zero trust web browsing and how Isolation helps organizations deploy zero trust in the area of web security. From there I'll give you a couple of pointers to where you can go to learn a bit more about the topic, and then answer a few questions for you.
So let's talk about the challenge of the unknown web. As I mentioned, a customer I work with laid this out for me. They said that they look at the web or websites in basically two categories; known and unknown, and they treat sites that they know something about in two specific ways. There's the known good. So these would be websites that their users need to get to, that they know, based upon the threat intelligence and the forensics on the site, that these are destinations that it's okay for their users to get to. So their Acceptable Use policies allow users to be able to access these sites directly. So they put policies in their secure web gateway or the next gen firewall to allow users to get to these sites. No surprise.
Then you have a series of sites that, based upon their policies, they know something about. And these sites are quote unquote, bad. These could be gambling sites, could be sites that have pornography. They could be sites in certain geographic locations that they know based upon their corporate policies. They want to block their users from going to these sites. So no surprise, they put policies in place and their firewall or their gateway to prevent access to these sites. These are sites that they know something about and they can make a determination on, based upon their existing technology stack.
Here's the challenge area. The customers that I work with call this the battleground, these unknown sites that they don't have a lot of information about. For them, it was sites such as social media sites of their employees. There's a lot of stuff that comes through their feeds, whether it be URLs that people can click on or content. They don't know if that's good content or bad that these employees on corporate devices should be accessing.
Same with personal emails. I have Yahoo there as an example, but you know, Gmail, Yahoo, et cetera. Is it okay to let employees access that stuff? It could be sites that there's just not a lot of information about. As I'll share with you in a minute, there's a lot of sites that pop up and down each day that could be legitimate and maybe they're not. So what do you do with those? You're not quite sure what the risk is of those sites. Again, in the language of the users, the battleground, the sites that they spend most of their time on from a web security perspective, they either win or lose on how they handle these particular sites. These are the challenging ones.
They tend to be categories, no surprise that their users want to get to such as social media, email, et cetera. The statistics are amazing how many sites come up and down in just a daily, weekly period. Of course, because of that, there's not a lot of reputational history for engines to be looking at, to make a determination about the risk of a site. So what you have is a situation where traditional approaches that look at sort of history on a site to be able to give you insight onto whether or not you can access it, if you should be allowed to permit access for your users to those sites. So what we traditionally have now is a situation where an enterprise is either put in a difficult situation of having to over block access or take a risk and under block access.
Of course, there's business impact either way. Let's just take a look at sort of both sides of the coin there. If I'm under blocking access, obviously I'm putting my business at risk of attacks coming in through the web, and email vector. A couple of statistics here. I think these all ring true to the audience. Website attacks are increasing year over year. These are from a 2018 stat that came out in 2019 research. I'm sure when the new research comes out this year, it'll be higher than 59%. An important one is the second one that basically, cybercriminals are taking advantage of vulnerabilities in the browsers themselves, to attack the end point and make their way to your data and your network. So we see the browser itself being attacked. The third one is phishing attacks. I don't have to spend much time on that. I think we all see that day in, day out. And we know that vector continues to be used by cyber criminals. And then lastly, I wanted to point out, and this sort of plays back to some of the issues around that “allow access” policy construct that I shared on an earlier slide, you see cyber criminals hiding malicious URLs below good domains. Within amazon.com, you know, buried underneath that sort of high level domain, you'll see malware being put on a site, cnn.com et cetera. So the challenge there is, you know, basically, folks that are using this attack technique, you're trying to trick the existing state of the art to be able to get around the existing security stack. So that's under blocking. And of course the impact of under blocking is headlines like this. So this is just from the past couple of weeks, I grabbed these across industries.
We see the pain for an enterprise, both in terms of cost, if somebody makes the decision to pay a cyber criminal in a ransomware incident. But of course, there's business disruption, lost customers, employees that are down and not being productive. So dramatic impact from ransomware. And as you go through this approach to zero trust web browsing, you'll see how this technology can really help you prevent headlines such as this. Then, you know, the whipsaw reaction is, wow, I don't want those headlines, so I'm going to over block access, right? But that hurts the business as well. So just three examples here, we have angry users, and you know, not only our peers, but it could also be executives and, sometimes we don't want those phone calls, right? So they can be angry users, when you have situations where you've over blocked somebody's access, the wasted time and effort, not only for your organization, because you need to open up those trouble tickets and go through the process of putting new policies in and testing those, etc.
On the right hand side, we see the loss of business productivity of the person that's waiting to get access to these web and cloud resources, right? So both sides are painful. Nick is going to talk more about this, but I'll just touch on it, the reality of the current approach with these gateways, whether it be a firewall or a secure web gateway, is it can only do so much, right? They make a decision based upon what they can detect and what they know about a particular site. But we just talked about some of the realities of the situation where successful web attacks are hidden in these middle ground sites. They're using some really advanced stealthy approaches that Nick will touch on and because of that, the existing approaches just can't get it done. What we're going to be talking about today are customers that we've been working with to bring an additional layer of security, the zero trust browsing-based approach to their web security that completely isolates your endpoints from the dangers that exist on the websites that they're visiting.
With that, I'm going to hand over to Nick and then Nick's going to go through the technology through the lens of a couple of key use cases that we're helping customers with. And then he'll come back to me and I'll give you some pointers on places to do a little bit more research on your side. So Nick, over to you.
In an attempt to satisfy both, many organizations have adopted one-dimensional approaches to IT security, such as basic virus protection software, that leave gaping holes in their security perimeter and are unable to address many of the emerging attack vectors.
Nick: Over the next few slides, what I'm going to do is introduce the technology of Remote Browser Isolation or what you'll hear us call RBI. We'll discuss how it works in the context of some of the key use cases that we see with our customers and how it's being adopted and making a big difference for them in their environments.
Before we go there, let's dig into what Gerry just talked about a little bit, because it's so important to understand the power of the technology. As Gerry mentioned, classic security gateways, next gen firewalls, some of the secure web gateways and things there. They're in most environments today, and doing a fair job, but they still really work on that “detect and prevent” type of an approach. They're constantly doing this cat-and-mouse type of an update where they have to download signatures or different files to be able to see new types of malware and attacks that are out there. Zero day threats, you know, as simple as taking an existing threat and modifying some of that code, makes it a brand new threat and now becomes zero day.
Patient zero could be impacted and infected. Some of the HTML code and websites, style sheets, fonts, et cetera, that browsers use to render the page, in a “detect and prevent” approach are pretty much useless. Why? Because even the best class scanning engines can't catch that kind of stuff, right? RBI doesn't need to accurately detect anything to stop anything from infecting your endpoint because the key here is the “I” in RBI, Isolation. Any of the stealthy stuff that's been hidden in the resources on the webpage is literally stopped in its tracks because we keep it in a container, isolated. It's never allowed outside of that container. We'll highlight here the three key use cases. The first one, no surprise, is really just to prevent web-based malware. Drive by downloads, we've probably all heard the term malvertising, you know, malware that comes down through ads and things like that. You'll also see over the next few slides how we tackle phishing attacks that come after your users, social engineering types of attacks, ransomware and things that steal credentials. Then also how your users interact with file downloads. Quite commonly they're either looking to download some type of an executable, a PDF, different files. They either want to print those or save them, and so, we'll get into how the technology helps you with that.
What you'll see here is a side-by-side comparison of a regular browser on the left, and you'll see an RBI, or remote browser isolation, image of the same website on the right. And so, you know, as you can see here, really no difference to the end user in terms of any videos and things, they'd still be able to stream and interact with those sites just like they would normally.
The use case here is about email isolation and then also phishing attacks. Through some configurations, we have the ability to isolate email. The links and the attachments and things that a user would interact with from email, we can feed through RBI. As well, we take intelligence feeds, either we can or your vendors that have your next gen firewalls and secure web gateway also take intelligence feeds so we can work off either, but, typically we work off those feeds for the intelligence to understand about known or suspected phishing sites as well. Quite commonly these days, Office365 and a few other applications, they're really trying to harvest the user's credentials around those. And so those types of attacks, what we can do is render the keyboard useless so that the user doesn't accidentally input any credentials into a bad site and protect your user from being compromised there. It's extremely effective around credential theft. We can block those attacks, even from suspected sites. If we're not quite sure, we can still block that.
Gerry: I talked earlier about that customer who helped me frame that battleground construct. This was an extremely powerful use case for them, together with a number of those other sort of sites that they didn't know a lot about. They wanted to enable secure access to personal email for their employees on corporate devices. And this was a game changer. They were really wrestling with that, and the ability to ensure that the use of Gmail accounts, et cetera, was all isolated in this way, that credentials were secured with this approach, that, as Nick will talk about, downloads were secured, and that any URLs embedded in those emails that people went to were isolated—that really was something that allowed them to satisfy an important request from their user base. But do it in a way that brought no additional business risk to the enterprise, which is what they were searching to do.
Actually, across the board, it is reasonable to say that signature-based malware products are no longer effective at preventing security breaches. Put simply, a signature is a characteristic of a piece of malware. It could be a change in a registry setting, a redirected web link, a modified code string, or something as simple as a text string in a startup script. Providers of this class of solutions monitor the internet for new malware threats, and then add a signature to an ever-growing library of known threats. When the computer runs the virus scan, it’s checking to see if any of those signatures appear on your system.
Nick: The final use case that we talked about out of the three is pretty traditional. One of the big factors is interacting with files and different content. And a lot of where malware infections come in through is downloading of this type of content, either from a website or email. Addressing the file interaction for your users, we use what's called Content Disarm and Reconstruct. We inspect that attachment, we look at the payload and anything that's active content or could be deemed harmful, we can go on and strip out that content. What we do is leave behind a stub saying that the file’s been modified and so we remove some suspected content and the user would still be able to download that file and interact with it just as normal—print, preview, anything that they need to do with that. And then the administrator for your organization would have the ability, you know, if the user says, “Hey, this is a spreadsheet that I've been getting for the last six years for accounting”, it's a legitimate spreadsheet, but it has macros in it, they would still have the ability to go to the administrator of the solution or contact IT and have the original file retrieved. So that is still a possibility for them to get the original file if we've stripped any content.
We talked a little bit about deployments and I know that I saw some questions that were submitted by a few of the guests on the call. This'll show just kind of a high-level diagram of a deployment. We've got a next gen firewall or a secure web gateway sitting in the middle. And again, this could be cloud based or prem based. Typically if you're premise-based, with the next gen firewall or secure web gateway, we're going to consider, or at least work with you on whether we're going to do cloud or prem, based on a roundtrip delay between those two. But what you'll see is that we leverage the secure web gateway or the next gen firewall and the feeds and intelligence feeds that they pull in to look at.
That might be your URL filtering database and also some threat feeds. But to make decisions, we essentially become the traffic cop on how to route that traffic. You'll see based on policy here, we've got safe sites allowed, the risky sites like Gerry talked about earlier, that middle ground, the battleground as the customer called it, we can take those risky sites and isolate those to make sure that the questionable sites are in fact safe. The known unsafe sites, we could block those. I've also seen some customers take known unsafe sites and say, look, I just want to put them through Isolation. So, you can tackle these in different ways. The other common deployment here is that when we integrate with an Active Directory, either your web gateway is doing that, your firewall is doing that or we have the ability to do that, then we can carve out these policies by groups.
A lot of organizations want to get very granular on, you know, one policy for say marketing, but yet executives get a different level of blocking, right? Maybe for those types of individuals, the admin for the CEO and the CEO themselves, maybe all sites go through Isolation because they're very highly targeted with different types of attacks. We can handle that type of traffic or isolation differently by groups in your organization through tying into your directory. This is typically how it works. And I know we got the question specifically ahead of time around a FortiGate firewall. You know, what we can do is usually with most of these, there's a couple of common approaches. We do it either with a redirect or what I call kind of a block-page redirect. So typically, you would get a splash page that says “This site's been blocked via your policy.” We might add a button to that like we do in Forcepoint. We add a button at the bottom saying, “If you want to continue to this site in isolation, click here.” The user could go ahead and click and they'll be redirected to that site, but it's going through Isolation. Those are some of the common deployment types of methods that we use.
Gerry: One thing I’ll also add, the other group that we often see get their traffic completely isolated would be those doing sort of investigations and security, going out into different sites, sort of poking the bear on some of these malicious sites. This of course gives them the ability to see what's going on on those sites. But at the same time they're isolated themselves.
Nick: Yeah, I've seen research teams, marketing teams, there's all different kinds of use cases here for different customers and the reason why you might isolate you know, full traffic for a certain group.
Gerry: A couple of things I just wanted to point out just to bring the content here to a close, and I promised I'd give you some ideas about where to find more. Well, for those of you that are customers of Gartner, and have the ability to do some inquiries with them, I'd urge you to do that. They've published quite a bit on the subject. Two pieces in particular that I'd point you to. In 2018, they put out Innovation Insight for Remote Browser Isolation, where they cover the technology and spoke to the power that technology had for enterprises that adopt it. You see on the left hand side, a quote from the report saying that organizations that adopt that technology will experience a 70% reduction in attacks that successfully compromise end user systems.
Just think about the power of that, the ability, through Isolation to prevent phishing attacks or prevent these sort of drive by attacks on websites, getting on endpoints, really powerful technology, a difference-maker for security organizations. So, I urge you to read that report. Just recently, a few months ago in the Secure Web Gateway Magic Quadrant, Gartner pointed out that they're seeing increasing growing demand for this technology. No surprise, given the comment on the left hand side. And they're seeing and anticipating an extremely aggressive adoption of the technology because of the power that it has to make a difference in that prevention aspect for enterprises, with 25% of enterprises over the next few years adopting it either as an extension of their existing technology or perhaps moving completely to it, which is, the next comment, that I'd highlight. That yes, the use case that we traditionally see as we're working in the field is that we're deployed for those sort of battleground sites for the general population. What I would call targeted isolation.
Then there's those groups of users that Nick mentioned where we'll put all of their traffic through Isolation because they're privileged users, they have special access to systems, data, et cetera. We want to make sure that you're giving that group more of a “belts and suspenders” approach to security. But then we're seeing, and Gartner sees it as well, that there are some highly security-conscious organizations that are moving completely to Isolation. We see that a bit as well in our own business. And, you know, that that's an option as people are looking at what they're trying to accomplish in their security stack. I know that many of you, like customers I work with, are also looking at Forrester and their zero trust security construct. It's a really powerful construct that covers many areas and credits to Forrester as their image here talks about controls that need to be deployed across the enterprise to secure data, right? Data is at the core of the zero trust model. Just to set context, Forrester talks about this technology, RBI, Remote Browser Isolation, in the “people” construct. They view it as a control that basically pushes your perimeter out towards the internet so it's no longer on your device because as Nick described, the rendering is occurring in a cloud isolated chamber. You now have pushed that perimeter out and that brings zero trust security to your people that are interacting with the web and cloud.
So last slide and then I'll go to questions that we have time for. If we don't get to your questions, we'll follow up via email. But there's more, of course, on our website. I'd urge you to go to Ericom.com and our product, called Ericom Shield. You'll see quite a bit of white papers, integration guides, a lot of content out there. It's a great, great place to stop to learn more on the technology. You can also send us an email at info@Ericom.com. It's quick and straightforward for us to work with you to do what we call a proof of value. So if you want to take some traffic and put it through an Isolation-based approach, we're happy to do that so you can experience the power of the technology. And then I know many of you, like me will be out at RSA at the end of the month, so please visit us in the North Hall. We’re happy to chat with you and give you a demonstration and talk to you more about the technology. So with that, if we have time for any questions, let's go ahead and take care of that and then we'll follow up if we need to.
Moderator: What integrations do we have with secure web gateways or next generation firewall vendors?
Gerry: We have a large customer base, pretty much everyone out there. But, I'd point to the secure web gateway side integrations that we have with Forcepoint, McAfee, Cisco, we work with Symantec as well. On the firewall side, we have Cisco and Nick mentioned Forcepoint and Fortinet, Checkpoint. So the list is long and if I didn't get to the particular vendor that you're working with, send us a note and I can let you know more details about how we work with them.
Moderator: Okay, Nick, this one's for you. How much effort is required to get this up and running?
Nick: Typically, because most of our customers are deploying in the cloud, there's very low effort. It's really just setting up the redirect typically or proxy chain relationship between the devices. Once we have that in place, it's just making sure that we have a policy. So I'm talking, most of the time, maybe an hour and a half, possibly two hours. It just depends on if you have the information handy for us and how fast we can move together.
Moderator: Okay. Great, we'll just squeeze one more in here and then, we'll pull this to a close. Nick, does RBI work with videos? And what about users who browse from mobile devices? Does RBI protect them?
Nick: Yeah, so absolutely on both. We stream the videos through to the user. They'd still be able to watch those; we get a lot of comments back and positive feedback that users are going out and doing testing on our solution and looking at videos on YouTube and watching the streaming. We've gotta be able to protect your users who are on the go. And so a lot of organizations want either a consistent protection type of an approach or sometimes even a tighter approach when their devices leave the four walls of corporate, right? So, we have the ability to support those devices while they're out on the go and still forward their traffic through Isolation.
Gerry: Somebody chatted me a message asking about Palo Alto Networks. Yes, we work quite a bit with them as well.
Moderator: Okay, great. Well, that's all the time we have for today. We appreciate you joining us. Please feel free to pass the link along to your peers.