Extending Defense in Depth (DiD) to the browser - Blog | Menlo Security (2024)

For years, organizations have relied on a holistic cybersecurity strategy that protects disparate systems and an expanding threat surface from increasingly sophisticated threats. Coined Defense in Depth (DiD) by the National Institute of Standards and Technology (NIST), the approach “integrat(es) people, technology and operations capabilities to establish variable barriers across multiple layers and missions of the organization.” The term comes from military strategy (perhaps inspired by Sun Tzu’s Art of War) that asserts that the combined power of an army’s forces is greater than its parts. In the cybersecurity world, this means that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way.

However, while DiD integrates multiple layers of an organization’s cybersecurity strategy – including network, identity and access management, application and data security – most DiD strategies fail to include browser security, despite the browser emerging as one of the most widely used business tools today. A truly comprehensive strategy based on DiD principles needs to elevate browser security as a critical table stake integrated with other layers in the security stack – creating a truly holistic strategy that keeps organizations safe from increasingly sophisticated threats.

The browser is the primary business tool today

Digital and cloud transformation, hybrid work policies and the rise of Software as a Service (SaaS) platforms over the past several years have made the browser one of the most widely used business tools today. From customer relationship management (CRM) to email and other productivity tools, most applications and data are accessed by distributed users through the browser from any device that can connect to the Internet – whether it is managed by the organization or not. According to the latest Verizon Data Breach Investigations Report (DBIR), the top threat vectors over the past year remain web applications and email.

The problem is that most organizations do not have comprehensive visibility or control into browser behavior. Traditional security solutions continue to rely on other threat vectors such as network and email, depending on URL reputation databases and block lists for browser protection, creating a major gap in coverage. Threat actors know this, of course, and have been targeting browsers as a way to evade enterprise security controls and spread throughout the network in search of valuable targets.

Two recent attacks are indicative of the challenges of detecting and stopping sophisticated threats with limited visibility in the browser. The recent Tycoon 2FA phishing-as-a-service (PhaaS) kit uses evasive Adversary-in-the-Middle (AitM) techniques to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication. The threat has been highly successful thanks to its ability to evade detection of its fake sign-in pages. Better visibility and control into the browser would allow organizations to detect these pages and prevent users from entering their credentials.

In addition, the recent breach at Change Healthcare was caused by a strain of LockBit malware that was used to exploit the vulnerabilities in ConnectWise ScreenConnect. The malware was likely downloaded by an unsuspecting user via a phishing attack that directed them to a fake or compromised website. Again, better visibility and control into browser behavior could have detected the threat and prevented the user interaction that led to the infection.

The need for DiD in the browser

DiD was specifically designed to improve an organization’s chances of detecting and stopping these increasingly sophisticated attacks, acknowledging the reality that no single security measure is foolproof, and a comprehensive strategy that protects every threat surface is essential for maintaining good cyber resilience. Extending this protection to the browser is a winning strategy.

Here are several ways that a DiD approach that includes browser security could enhance the overall security posture of the organization:

Adaptability to Highly Evasive Threats

Cyberthreats are constantly evolving, becoming more sophisticated and diverse to adapt to security controls. DiD employs multiple layers of security, including firewalls, intrusion detection systems, encryption, access controls and more to counter a wide range of threats that use evasive techniques to get around a particular solution.

Compensating for Human Error

People are often the weakest link in cybersecurity. Even with proper training and awareness programs in place, mistakes still happen. Additional layers of security – especially in the browser where users spend most of the work day – can help mitigate the consequences of human error.

Meeting Regulatory Compliance

Many industries are subject to strict regulations regarding data protection and privacy. Implementing a DiD approach can help organizations meet these compliance requirements by demonstrating a comprehensive approach to security.

Protection at the Initial Access Point

Cyberattacks typically involve multiple stages – from initial access to exploitation and exfiltration. These various attacks are often initiated at the browser level where an attacker will try to gain access to a system using malware payloads or credential theft. Incorporating browser security in an organization’s DiD strategy would make it more difficult for threat actors to achieve their objectives through these attack vectors.

Enhancing Trust and Experience

A robust browser security posture, supported by DiD principles, can enhance customer trust and protect a user’s browsing experience. Customers and partners are more likely to trust companies that demonstrate a commitment to safeguarding their data and systems.

Building a secure cybersecurity foundation in the browser

It’s clear that extending DiD strategies to the browser isn’t just a luxury. Instead, it’s a foundational table stake of an organization's overall cybersecurity strategy that provides real-time visibility and protection into a vulnerable business tool that has become a top attack vector. Adding browser security to DiD strategies allows security teams to view and understand user behaviors as they interact with entities on the Internet and put real-time dynamic controls in place to prevent evasive threats from gaining initial access to an endpoint.

The key principles to implementing browser security in DiD strategies revolve around Management, Protection and Secure Access.

1. Manage

An efficient cybersecurity strategy looks to build benchmarks that can be applied across any browser. For browser security, this means applying local browser configurations automatically based on recommended policies and ensuring that best practices are applied appropriately and as required.

2. Protect

Browser-based threats (particularly zero-hour phishing attacks) operate at the speed of business, and organizations need to proactively stop highly evasive and adaptive threats (HEAT) across a rapidly expanding threat surface. Artificial intelligence and machine learning (AI/ML) can provide this level of protection at scale, providing full browser visibility and applying real-time dynamic threat protection inside the browser to stop evasive threats before users have a chance to interact with them.

3. Secure

Extending DiD strategies to the browser also helps implement zero trust policies to SaaS platforms and private applications in the cloud or on the Internet. This ensures secure access and application protection, while simultaneously protecting the associated intellectual property and application data.

Extending DiD principles to the browser

DiD is a tried-and-true strategy that has been around for years, helping organizations implement robust security controls across an increasingly complex threat landscape. However, a failure to include browser security in DiD has created a major gap in coverage, putting many organizations at unnecessary risk as work continues to flow through the enterprise browser. Browser-based phishing and ransomware attacks, in particular, continue to thwart traditional cybersecurity solutions. It’s clear that DiD strategies should be extended to the browser, providing a first line of defense against increasingly sophisticated HEAT attacks that attempt to gain an initial foothold on the end device. Menlo’s recent partnership with Google to provide Menlo Secure Enterprise Browser to Google Chrome users is an example of how organizations can extend DiD strategies to the browser – gaining visibility and control into how their users are interacting with the browser.

Learn more about how you can implement better browser security in your organization by downloading the CISO’s Guide to Enterprise Browsers whitepaper.

Author: Moshe Kshlerin
