Poornima DeBolle [00:00:00]:
Take a look at your evolving landscape and take a fresh look at what are the security tools you wanna overlay onto those rather than retrofitting your existing security stack into a world that has evolved significantly over the last 10 years.
Poornima DeBolle [00:00:29]:
Security and testing and performance and and comply. And we can actually automate those.
Karissa Breen [00:00:33]:
Joining me today is Poornima DeBolle, cofounder and chief product officer from Menlo Security. And today, we are discussing web browser security. So, Poornima, thanks for joining, and welcome.
Poornima DeBolle [00:00:49]:
Thank you, Karissa. Thank you for having me. I’m excited to talk about this topic.
Karissa Breen [00:00:53]:
Okay. So web browser security, I don’t think I’ve spoken about this topic a lot on the show in 255 episodes or whatever’s out there now. So maybe tell me everything that comes to mind from your perspective around web browser security.
Poornima DeBolle [00:01:11]:
Let me maybe kind of try to bring in a few industry analogies that will help us understand what our is on web browser security. And to your point, obviously, we have to evangelize, educate the customer and the market about what this actually entails because it’s definitely a newer topic on people’s minds. So when I think about kind of web browser security talking to customers, I try to refer them back to a few things that have happened in the security industry over the last decade. Right? So I started my career at Checkpoint Software who were the pioneers of the Internet firewall. Right? And 10 years later comes along another company called Palo Alto Networks, and they started talking about next gen firewalls. Right? And the whole concept of it was now that everybody has connected to the Internet and have had their basic firewall policies all under control, what happens to this 1 channel, which is HTTP and HTTPS at the time when it is being used for more than just the original intent of web browsing. Right? So came along virus updates. They realized that this this channel is open.
Poornima DeBolle [00:02:34]:
I’m going to use it. Came along other applications, which basically, even if they were using a different protocol, piggybacked on HTTP or HTTPS and said, we’re gonna use this channel because we know that companies are allowing this channel to be open because they want their users to connect to the Internet. So there was a big shift and an education from a customer perspective to say, look. This particular protocol is more than just your telnet or FTP. It can be overloaded. And now you need to look inside it and decide on a security policy that’s more than just a firewall port and protocol. Right? That was the whole concept of what Palo Alto pioneered called App ID, which is now let’s look inside HTTP and HTTPS. Now our perspective is kind of building on top of that.
Poornima DeBolle [00:03:32]:
Right? So it’s kind of very similar, but continues to build on top of that to say, great. Now that you have, for the last decade, started inspecting HTTP and HTTPS, and you have a better handle on it. Now look at where the origin of that traffic is, right, which is typically between the browser and the server, and look at how that has evolved over the last 10 plus years. So if you look at Netscape Navigator, whenever I think we’re all gonna date ourselves. If we say, when you try when you used it, all you were doing was exchanging information or reading what the server had posted on on its website. Now you look at the browser. It’s an entire operating system in itself. Right? Like this podcast we’re recording, we’re doing it on a browser.
Poornima DeBolle [00:04:28]:
When you go to a SaaS application, it’s a very complex application, like, be it Google or Google Workspace or Microsoft Office 365 or m 365, you’re doing a host of things using the browser. If you go to an Internet website, it’s no longer, let me give you the news for the day in kind of short stories. It’s now customizing advertisements for you. It knows who you are. When you go shopping, you go you get different advertisements when I go shopping. So when you look at the complexity and capability of a browser, it means that you’re no longer getting the right level of security by just inspecting it on the network. You need to start treating the browser as an application, as kind of the star application on your desktop because the number of things it’s doing has kind of grown by leaps and bounds. The bad guys are also taking notice.
Poornima DeBolle [00:05:34]:
Right? So now when you looked at attacks, they look very benign when you are inspecting it with a proxy or a next gen firewall, but then they’re able to use the execution environment in the browser and compile and composite the malware on the endpoint rather than try to sneak it through means that they have used before. So that’s kind of the the story and the evolution of how security always needs to build on the controls that you have today. But as the technology evolves, you also need to start looking from the perspective of how do I now get control and visibility into new methodology, the new architecture, the new applications of today, not keep using tools from the past. And we believe sincerely, and this is very true, even if you study a lot of the attacks that are happening, they are succeeding because we’re still applying old techniques and old tools into an environment that’s kind of evolved and gone beyond beyond having those controls that you had in the past. Right? You you need to upgrade in that sense. I think that was a long tough track, but, hopefully, it makes sense that when we talk about browser security, we want customers to start looking at this very powerful application as the place that they should be focusing their their security perspectives and protections.
Karissa Breen [00:07:14]:
No. I appreciate a long talk track. We want this to be a conversation and a discussion. So, Poornima, there’s a couple of things in there that I wanna press on a little bit more. Now you said the capability of the browser. Would you say with your experience that people, I don’t know, meaning companies, they sort of forget about the browser a little bit because everyone’s like, oh, well, you know, I just jump on Google in the morning and I search whatever. Do you think it the browser or, you know, the security around, like, web browsers just felt a little bit relegated, would you say?
Poornima DeBolle [00:07:44]:
Yeah. Absolutely. I think we have a talk track. We talk about the forgotten layer in your security stack, which is we’re referring to the browser and the context, And and there is a reason for that. Right? So it’s not that enterprises are overlooking this big hole intentionally, it is typically how enterprise security organizations have been organized around the current security stack. Right? Network security had the domain or it’s their purview to look at the web protocol, which is usually HTTPS. Today, nobody almost nobody uses HTTP. So let’s say your proxy and your next gen firewall always have the jurisdiction over HTTPS, and that has been considered the web security.
Poornima DeBolle [00:08:40]:
Now if you look at the team that’s working on endpoint security, they usually focused on antivirus, you know, be it EDR like technologies, maybe some level of email security, some level of, you know, DLP agents. So they have their own jurisdiction of what happens on the endpoint and the set of security tools that they use to maintain and manage that endpoint. However, this browser, which is something that the endpoint team installs onto your onto your laptop, was never viewed from that security perspective. Right? It’s it’s just a means to an end. So the app gets installed. And I asked this question of every enterprise customer that I talk to of how do you manage the browser, and greater than 90% of them manage 1 parameter for the browser, right, which is when do I update it? Do I update it as soon as Google or Microsoft publishes an update, or do I wait? Right? Do I wait a couple of days to ensure that it has compatibility with my applications? But that’s the only thing they control. When you look at the details of what you can actually control in a browser, there’s thousands of settings. Right? This browser is a very, very powerful application, maybe largely purpose built for the consumer.
Poornima DeBolle [00:10:12]:
Right? You know, people who are shopping, you know, kids playing games or all of these highly interactive consumer based applications. And when you bring that into the enterprise, it has thousands of settings and capabilities that you probably don’t need for what your enterprise users are doing in terms of their everyday work. And, unfortunately, the endpoint team has not really looked at this as an application they need to manage. So they forgot it, and the network team continues to look at it from an HTTPS and a network perspective. And that makes it that big gap of control and understanding that’s missing and forgotten to your point. And we’re we’re working very hard to say, hey. From an enterprise perspective, here’s what you need and customize this giant application by turning off things you actually don’t need for the enterprise. There is a capability in Google where the web browser can attach to your USB or attach to your audio device, you know, for things like podcasts that we’re doing, not everybody in enterprise needs all of those capabilities.
Poornima DeBolle [00:11:37]:
So so the enterprise now can turn off those things. And when you turn it off, what’s the benefit? You’re now saying this piece of code that’s not relevant to me does not need to be invoked in my environment, which means now you’re reducing the attack surface of this giant application and getting better security, but also getting better control of of a very powerful application and not continue to forget about it. Right? So so we do recognize that it’s forgotten, but I think the main reason why it gets forgotten is because it falls in that crevice between what has traditionally been endpoint security and traditionally network security kind of falls in between and gets gets kind of lost and forgotten.
Karissa Breen [00:12:31]:
So you said before, people need to view the browser as an application. So how do people get into that mindset? Because you’ve clearly articulated, you know, things that have forgotten, etcetera, specialized teams, you know, the sort of that gap in the middle, they work on different areas. So how can people sort of approach that from from your experience?
Poornima DeBolle [00:12:50]:
Yeah. So I think we’re still educating and figuring out some of the pieces ourselves, but where I have seen success, right, is even if the browser continues to be the jurisdiction of the endpoint team, for the cybersecurity team to be kind of an overlay across the endpoint team and the network security team and start to define policies around what should be the browser posture in an enterprise. Right? It can mean things and and and we’re not the first ones to say that you should do this. Right? There are industry standards or industry bodies that have said, here are the browser feature capabilities that you should start paying attention to and managing in an enterprise. There’s a benchmark called the CIS, which I believe is the center for information security or maybe something like that. But it’s an industry standard body that that has defined what a browser posture should look like. If you look in the government sector, US Department of Defense, for example, defined something called a stick, right, which is their security recommendation for various applications in your environment, and they have 1 for browser. So so there are industry standards that recommend in fact, I think Google worked with CIS to develop those those benchmark security standards.
Poornima DeBolle [00:14:29]:
So the point is for enterprises to start looking at those standards and starting to say, here is how my starting point is when it comes to browser posture in my enterprise, and it’s a great starting point to start learning. And I’m sure there will be things that you need to then tweak and and customize for your enterprise use case. Like, you know, you may be a media company that needs some of the things that CIS may say, oh, you should turn it off, but turns out you actually need it in your business. You need to customize it. But it’s a great starting point for the broader enterprise security teams to start looking at and understanding both the risks, but also how do you get control of it to put your enterprise into a better situation when it comes to all of these attacks that happily come on HTTPS and manifest in the browser, how do you start reducing your attack surface and getting better control and visibility of your browser posture? That’s kind of our perspective is there’s benchmarks out there. There are recommendations. Find tools that give you an easy way to start managing those.
Karissa Breen [00:15:49]:
Okay. So just before I go back and ask you something else that you said, I just wanna touch on the benchmarks. Would you say that people say, oh, well, Pinheema, there’s just so much information for me to consume. Like, where do I start? Do you get that a bit as well in some of the discussions?
Poornima DeBolle [00:16:02]:
We do. We do. And it’s it’s not just a complaint. Right? It’s a reality of of what cybersecurity teams are dealing with. But we do believe that there are tools out there, including tools from Menlo. We do see financial sector, which is usually coming to the table with probably the best perspective in terms of security thinking and areas that they cover is more comprehensive. Those teams are coming to the table already looking at these benchmarks. Harkens back hearkens back to many years ago where software updates used to be, you know, 3 times a year or maybe, at the most, 4 or 5 times a year.
Poornima DeBolle [00:16:59]:
But now Google and Edge from Microsoft will update, you know, sometimes every other week, right, depending on what they what they are delivering. So the financial sector actually does have practices that I’ve seen where they start with the CIS level 2 benchmark, but then they do that every 6 months, or they go back and look at it every quarter or something like that, which is nearly not as frequent enough for as often as the browser updates today. So so there is a challenge, but I do believe that it is for the better of the enterprise for them to take some of those practices they may have and take a fresh look at it and say, how do we evolve this to the modern day behavior of the browser, the modern day behavior of the software updates rather than continue to keep it to be a quarter or 6 months ago. There are tools in the industry that that will help you do it, and I think it’s time for people to actually start incorporating that. Because when I look at any kind of breach or data loss today, you’ll see the browser kind of front and center in it, not because it has any security issues on its own, but how the bad guys are exploiting this very rich capability of the browser to deliver the deliver the malware or or create the breach in the first place. Right? Be it credential phishing or HTML smuggling. All of these techniques are kind of leveraging the richness of the browser and getting to the endpoint and and circumventing your network stack.
Karissa Breen [00:18:52]:
So you mentioned before as well, Poornima, that people are still using tools from the past, or old techniques. What would they be?
Poornima DeBolle [00:19:00]:
So the techniques from the past are are some of the things that I mentioned at the top, right, where you say, okay. A proxy or a next gen firewall way of inspecting the browser traffic at the network level is good enough. Right? What we’re seeing is, let’s say, a malware is able to do a very simple thing, like, I’m gonna encrypt the JavaScript, or I’m going to encrypt the payload for the malware, or I’m going to password protect a file that you’re accessing via the browser. All of these things are fairly simple circumventions of the current technique of people saying, I will inspect things at the network layer because all of these things rely on the fact that on the network layer, I just look like a benign set of bits, and I’m going to use the execution environment of the browser to actually composite or execute what I need to deliver to the endpoint. Right? We wrote a fairly detailed blog on a malware called Soc Golish. And in that, it was interesting where this combining a number of techniques. Right? It’s saying, I’m gonna encrypt the JavaScript, so you cannot inspect anything on on the network. I’m going to encrypt the payload so you cannot identify this this is a malicious payload.
Poornima DeBolle [00:20:31]:
I’m also going to take that payload and split it across different websites so it’s not even coming to through the network as 1 payload, but it’s coming as little pieces that is kinda buried in your HTML traffic. And then when I get all of those pieces to the browser, I’m going to use that JavaScript environment to then composite that file, and I’m already on the endpoint at this point. Nobody can stop. Right? So it’s it’s very creative to some extent, but that old school way of saying, I’m going to look at things on the network, unfortunately, is extremely shortsighted when it comes to the richness of the browser execution environment.
Karissa Breen [00:21:18]:
So would you say majority of people are still in this, you know, old school way of thinking, or do you think things are moving now as you mentioned with the education and awareness, etcetera? But would you still say that most people just aren’t there yet in terms of the the modern day behavior of a browser?
Poornima DeBolle [00:21:35]:
I think it’s starting to change. Right? It’s starting to change with this whole focus on or the product category that’s evolving called the secure enterprise browser. Right? So that category of products and capabilities that that vendors are delivering is starting to really create the momentum for enterprises to look at both use cases and security capabilities that they need to actively manage and create visibility and have control of the browser rather than just treat it as an application that happens to be on the endpoint. Hey. I can put all my controls on the network. So it’s definitely an evolution and a change of perspective that we see happening both from the customer perspective of starting to look at the attack patterns the same way that I described to you and then looking at the vendor landscape where people are starting to have choices in terms of what they can do when they when the customers start thinking about. So it’s definitely AAA shift that we see, and we are on our own world tour of going to various different cities in the world and and starting to evangelize around, you know, you should be doing this. And it was interesting.
Poornima DeBolle [00:23:07]:
I was just in Mumbai, and 1 of the participants in our event came up to me and said, this is such a good idea. Why has nobody been talking about this for the last few years? And I was like, I hate to disappoint you, but we have been. But but it was kind of the the moment for this person, right, in terms of saying, yes. This this is something I should be doing or I should be thinking about. So I think the trend is starting to shift.
Karissa Breen [00:23:35]:
Okay. So you say that web security is not browser security. So talk to me a little bit more about this and what this means.
Poornima DeBolle [00:23:43]:
Yeah. So we we have referenced some of it, but I can supplement or I wanna maybe take this particular perspective on why that is the case. Right? So used to be in the past number of years, let’s take a decade, there were usually these 2 tracks of, I would say, security breaches or security stories that you write about. The first 1 was largely financially motivated. Right? So it could be, I’m going to go down the path of ransomware, or I’m going to go down the path of infecting your, endpoint or infecting an enterprise and extracting some of the data and do more kind of an extortion, not necessarily always ransomware, or I’m going to steal data and sell it. Right? All of these various methodologies of the bad guys or the threat actors’ behavior was very focused on financial benefit. Right? So there was a category of fairly sophisticated marketplace for these financial benefit. Then there was this concept of intellectual property or maybe more nation state driven threat actors, right, where the outcome was very different than financial.
Poornima DeBolle [00:25:11]:
It was a myriad of things, but it was definitely not financial. It could be, you know, some of the things like you saw in various elections across the world. All of these things were motivated by something different than financial. Right? So you have these 2 tracks of financial benefit and a nation state protector almost on parallel tracks. Now when they started ex exploiting this benefit of browsers or SaaS applications and the whole kinda ecosystem around the browser, you saw an interesting intersection of techniques across those 2 things. Right? So all of a sudden, you saw the financially motivated threat actor starting to use fairly sophisticated tools that were more the purview of the nation state threat actor. And as those things started merging, some of these I don’t really even think that it’s that sophisticated, but some of these more commonly used techniques in the nation state attacks start to permeate into the financial sec, financially motivated attacks, and the tools that that enterprises were using there were no longer good enough or enough to begin with. Right? So let’s take an example of something like HTML smuggling.
Poornima DeBolle [00:26:43]:
Right? HTML smuggling is this concept of, I’m not going to deliver the file in its entirety. I’m going to break it up into pieces, host it in various different websites, and send it as a data blob in your HTML traffic and composite it onto your it once have reached the browser. We first saw it, in fact, 10 years ago at the financial institution, and we were like, wow. This is really clever, but it never actually gained the popularity or the usage that that we see today. But what happened was Microsoft for the Office products, which is prevalently used in the enterprise, they decided that the macros which are in your Office suite of products, we’re going to turn that off by default. So that financially motivated threat actor who was targeting the enterprise Now all of a sudden no longer had this favorite tool of theirs, which was the macros in the Office product that was readily available to them. So they borrowed this HTML smuggling technique, which was probably more used by the nation state threat actor and started using it in the financial financial malware and the ransomware and all of those type of attacks. So you start to see this convergence of investigated techniques that were coming into the financially motivated attacks and got more and more sophisticated.
Poornima DeBolle [00:28:24]:
And when you look at kind of that landscape of how that evolved, it’s it’s very interesting, and it’s very cool to actually study how those cross pollination happened. But when that happened is when, in my opinion, the web security is not browser security really came to the forefront to say, again, just web security where I’m doing URL filtering. URL filtering is like this site is good, this site is bad, so I’m gonna block you from going to the bad side, but allow you to go to the good side no longer worked because I’m now using perfectly category relevant websites to deliver malware. So that went out of the window. I’m going to inspect files that are coming through on this browser channel no longer applied because now I’m going to password protect these files, and you won’t be able to inspect it. If you’re going to do some kind of JavaScript inspection, I’m going to encrypt the JavaScript. So all of this kind of bucket of techniques that worked well when, you know, the techniques were fairly rudimentary or simplistic and financially motivated started to be completely not adequate for the techniques that you were using today when it became, you know, the sophisticated techniques from all across the browser dimension started bleeding into web security. Right? So that is kind of where we say web security is not browser security because web security is typically those 3 things most people will reference.
Poornima DeBolle [00:30:08]:
I’m doing URL filtering. I’m doing HTTPS inspection. I’m doing file inspection. Great. You can do all of that, and I can still get malware or ransomware to your browser means that web security is not browser security. You need to think about it from a different perspective.
Karissa Breen [00:30:25]:
So I wanna now switch gears and maybe talk about something else that you’ve mentioned around treating all web traffic as potentially risky. Now what does this sort of look what what does this sort of look like to you, Poornima, with your experience? And then also, how would you advise a company to approach this? And does that does that sound exhausting, though, if you’re gonna look
Poornima DeBolle [00:30:48]:
at all web traffic as potentially risky? Yeah. It’s a great question, and and, unfortunately, it’s the times that we live in. Right? When we say treat all web traffic as risky, it does not necessarily mean that everything is risky. You know, you need to close your doors and close your windows and hunker down. Right? All it means is if you look at the past set of breaches or attacks that that, you know, have made the headlines. We have statistics that show that something like 70% of attacks, be it phishing or malware, is launched or hosted on what is considered good sites. What are sites from an enterprise or general human definition? Right? So you would probably categorize news websites as good sites. Right? Like, be it cnn.com or or any of those news websites that you talk about.
Poornima DeBolle [00:31:49]:
You’re like, okay. Those are good sites. I go get my news from there. But if you look in the past, you know, 5 to 8 years, you’ll see that many of these news websites have been compromised and used to deliver malware. Let’s look at then as a second category of things. We all use these SaaS or the productivity tools, right, be it G Drive or Outlook or Dropbox. Any of these websites that we’re talking about, we probably use it on a regular basis to get our work done. But because these tools are also allowing users to host their own content on there.
Poornima DeBolle [00:32:33]:
Right? So I can use my Gmail and send you a link to a document which your web security tools will trust because this is coming from the area of tools hosted by Google, or I can host a file on Outlook and send you a link. And, again, your web security tools will trust it because it’s coming from trusted websites from, trusted sites or IP addresses from Microsoft. So when you look at kind of how these tools are being leveraged to deliver malware, then it starts to make sense that you should treat all of these sites that you don’t know where the content is coming from as risky. Right? And it does sound exhausting, but it’s not that hard to do with some of the security tools that I’m sure your enterprise users are aware of. But but taking that posture, make sure that you are evolving your security thinking to keep pace with how the threat actors are exploiting your existing security stack. Right? Because all of the enterprises today are using URL filtering and say, hey. News is good. I’m going to allow my users to connect to news.
Poornima DeBolle [00:34:01]:
That is the area that they’re compromising. Now I’m going to trust, you know, the Outlook and the workspace and the Dropbox IPs is the place that they are exploiting. Right? So so treating everything as risky does not necessarily mean that it’s that hard to do, but it’s it’s just kind of recognizing the fact that that is actually getting exploited, and you potentially have no choice but to start treating everything as risky to make sure your posture continues to evolve the areas that the threat actors are exploiting. There’s a reason that those exploits are succeeding. Right? Because your existing security mindset and your existing security tools are not considering those to be the risky areas, and you need to start shifting that thinking and treat all of that to be risky because you actually don’t know where the bad is coming from. III don’t know. I’m gonna maybe date myself here quite a bit, but if you look all the way, like, 20 years ago when when there were websites that were considered bad, hosted bad things. Right? Like, when you look at how URL filtering came to being in the very first place, it was that particular technology’s effort to say, I know, for example, these gambling websites or these websites that host adult content also are hosting something bad.
Poornima DeBolle [00:35:36]:
So it was fairly easy for the enterprise to say, I’m going to block those because there is no reason for an enterprise user to go there, and these URL filtering databases were a fine way of bucketizing and protecting your users. But today, when you look at it, you will see major websites have been compromised and delivered malware. Right? And when you look at that perspective and you look at our statistic that says 70% of the time, malware and phishing attacks are launched from good categorized websites, business and economy, computer and Internet, fashion, shopping, all of these categories that enterprises would not consider to be risky and block them, then you need to have the realization that there is no good website out there, and all of them have the possibility of being bad, and I need to treat all of that traffic as risky.
Karissa Breen [00:36:41]:
So, Poornima, in terms of trying to conclude our interview with everything that you sort of said, is there any sort of final thoughts or closing comments you’d like to leave our audience with today?
Poornima DeBolle [00:36:50]:
I think the the best thought I can leave is for the enterprise to really look at take a fresh look at the security stack. Right? The there is a reason that people are spending 1, 000, 000, 000 of dollars, and you still see these headlines that make you scratch your head and probably give you a few sleepless nights, especially if you’re in charge of security for your enterprise. And the best way for you to combat that is to not keep doing more of the same, but take a fresh look at where are the vulnerabilities, where is kind of the security falling short for the current set of tools and user behavior, be it working from home or traveling or usage of of various different tools that are much more SaaS based today than they were ever before, much more cloud based today than they were ever before. So take a look at your evolving landscape and take a fresh look at what are the security tools you wanna overlay onto those rather than keep retrofitting your existing security stack into a world that has evolved significantly over the last 10 years.
