During the last several years we have seen a major shift in Internet threats. Today, it is not just possible but common for a user with a fully secured machine to become compromised. At times, this occurs due to increasingly sophisticated social engineering attacks or newly discovered (so-called zero-day) vulnerabilities. Increasingly, however, it results from exploitation that does not target a specific vulnerability on an individual platform, but instead abuses the functionality and structure of the Internet itself. This fundamental shift to naked browser attacks changes everything. Just as attackers have continually adjusted their tactics, enterprises must adapt their approach to security if they wish to stay a step ahead in the never-ending arms race of web security.
Defense-In-Depth
Defending against attacks that succeed regardless of your diligence in patching and hardening browsers is an unnerving thought. We’ve been trained to tighten patch management procedures as a first line of defense, yet here are increasing volumes of attacks that bypass that entire process. Moreover, naked browser attacks typically involve elements of social engineering, and it is difficult, if not impossible, to prevent an attack that involves an employee serving as an unknowing accomplice.
Look at virtually any text discussing how to defend against attacks such as XSS or CSRF and the content will discuss how to secure the web application, not how to protect the browser affected by the attack. We have, to date, focused the majority of our security capital on defending servers, not browsers. However, typical enterprises have hundreds of browsers for every server, and the majority of browsers reside on laptops that leave the confines of the enterprise on a regular basis. Moreover, those browsers are operated by individuals who have, at best, limited security knowledge. When looking at enterprise security from that perspective, it is easy to see why we need to shift our priorities.
Security-as-a-Service Changes the Playing Field
Cloud-delivered security, or Security-as-a-Service (SaaS), solutions have begun to emerge in an effort to tackle the challenge of web browser security. SaaS solutions offer an inherent and critical advantage over traditional hardware- or software-based Secure Web Gateway (SWG) products: they are able to protect mobile devices just as easily as they protect assets on the Local Area Network (LAN). This is a game-changing differentiator.
Enterprises are becoming increasingly reliant on remote employees and ‘road warriors’ working from both laptops and smartphones. Attackers have recognized this shift. They know all too well that remote workers are unlikely to be protected by LAN-based defenses, and mobile devices therefore constitute a ‘target rich’ environment. SaaS vendors can inspect web traffic regardless of location, but few vendors, such as Zscaler, offer ‘true SaaS’ by requiring that no additional software run on the client device. This not only ensures that remote assets can be protected ‘out of the box’, but also reduces the cost and complexity associated with managing the overall solution.
Zscaler vs. Traditional Approaches to Web Security
Latency is the enemy of web security. If the web browsing experience is degraded by security controls, users will not accept the solution. It cannot be avoided: security introduces latency, as packets must be inspected in real time. The deeper the level of inspection required, the more CPU cycles are consumed and, as a result, the greater the potential for slowing web traffic. Degraded throughput is a challenge for appliance vendors, and it is amplified in the multi-tenant environment introduced by SaaS-based solutions. Vendors recognize this and have therefore been forced to limit the depth of content inspection in order to avoid introducing latency when inspecting web traffic. Without a high-speed, scalable infrastructure, deep inspection simply cannot be achieved. While competitors have built their web proxy solutions on top of existing technologies in order to bring solutions to market quickly, the Zscaler infrastructure was built from the ground up with the sole purpose of creating the fastest infrastructure possible to permit deep, bi-directional inspection of web traffic.