For SquareX, browsers are the new endpoint

As the industry’s first browser detection and response tool, SquareX works as a simple browser extension that can be deployed to any browser available today, says Vivek Ramachandran, Founder and CEO of SquareX.

Be it on mobile phones, tablets or laptops, employees rely on the browser to get work done. While some organizations require their employees to use private and secured browsers, the reality is, many still use public browsers to surf the web, either on company issued devices or personal ones.

Browsers today - Chrome, Edge, Firefox, Safari, just to name a few, continue to improve their security features as cybercriminals continue to find ways to not just steal data but also launch cyberattacks on users and companies. While developers have introduced features to secure browsers, the reality is, more attacks are occurring on them.

Google recently required all users that use its Chrome web browser across Android, Linux, Max and Windows operating systems to install security updates to deal with vulnerabilities that could have serious consequences on users.

However, this may not be enough to deal with the problem.

According to Vivek Ramachandran, SquareX Founder and CEO, while existing browsers have threat feeds that blacklist websites, there is a need to have visibility on what’s really happening on browsers.

Threats on the browser

For Ramachandran, while developers continue to release patches to fix vulnerabilities on browsers and such, the reality is, most browsers are focused on improving the user experience.

“Browser vendors are primarily obsessed about solving software vulnerabilities in the browser. Whenever somebody figures out a zero-day bug or a buffer overflow exploit, the browser window solves it. Apart from that, their entire obsession is user experience and adding new features where more of the web can load faster,” he said.

Ramachandran pointed out that almost all attacks today are happening at the application layer, not at the browser layer. For example, when a user installs a browser extension like Grammarly from the Chrome Store, it will request for read write permission of pages. Once its given, Ramachandran explained that Chrome will immediately think that the user has already given this permission, its fine.

“Now an attacker could have set up an extension which is reading passwords when you're filling up login forms, from the browser's perspective, given you allowed a browser extension read write access, it's absolutely OK to do that. Unfortunately, browsers at the application layer have a very rudimentary understanding of when an attack is actually happening,” said Ramachandran.

As the industry’s first browser detection and response tool, with SquareX sitting in the browser, Ramachandran explained that it can immediately be applied via policy that any time a browser extension is trying to read credentials when a user is filling up in a form, block the extension. It will also let the user know that this isn’t a legitimate or trusted extension.

Looking at the attack vector on the browser for enterprises, Ramachandran believes that identity attacks remain one of the biggest problems today.

“Almost all users today have a single sign on. Now, if you have a company e-mail address, some users just use that as a convenience feature, forgetting that they shouldn't be signing up on third party websites. For example, using a third-party website that has an AI to summarize work notes from a meeting. The user uploads a company meeting onto the site to get the results. But what they are actually doing is updating the company's intellectual property into a third-party website. The company has no visibility for this is happening because they don't monitor the browser at this point in time,” said Ramachandran.

He explained that this can lead to shadow IT problems whereby IT teams don’t know employee activities on the browser with company files and resources. Another example he shared was the use of personal emails with corporate emails.

“Most employees would have their personal Gmail open as well with their corporate e-mail. Attackers can actually use personal Gmail and send you malicious office documents and all, which aren't being scanned by your enterprise security solutions. And everything is happening on the same company laptop, which means if you upload something from a personal Gmail, it can actually cause an attack, which your enterprise can't even look at this point,” he added.

Ramachandran also pointed out that because of the increased use of AI in organizations, there are a lot of employees that copy and paste company documents to do summarization, upload documents and such.

“All of these classes of attacks are something in the browser that you want to be able to look at and block. These are things that we are able to detect because we sit in the browser,” said Ramachandran.

Enhancing browser visibility

Ramachandran explained that SquareX works as a simple browser extension that can be deployed to any browser available today. Once the extension is installed, it goes ahead and starts monitoring every page, user activity and even detects if users are copy pasting. In the monitor mode, administrators will be notified if a user is copying pasting data onto chats or any other website on the browser.

On concerns if this monitoring impacts user privacy, Ramachandran pointed out that most enterprises would already have regulations compliance on employee activities on the browser. As such, any use of the browser for personal activities could also be flagged, especially when it comes to entering credentials.

“At this point in time, browser security is a very new pioneering field. And I think it's going to take the next two to five years before you start to see massive adoption. At this point, the places where we are very successful adoption are at banks, financial institutions and manufacturing companies,” said Ramachandran.

While financial institutions and regulated industries would have strong security features and limits for employees, Ramachandran highlighted that there is a need for an additional layer of security. For example, banks already have cloud security for all their infrastructure in the cloud, and they would still have some security features on their laptops installed like antiviruses and such.

“The browser is unmonitored and you're hoping that your employees in the browser are well behaved and are only talking to your authorized websites. Unfortunately, this entire layer in between your browser, the whole Internet and your trusted website, if this is not completely monitored, then you won’t know there can be a data leakage exfiltration,” he explained.

Unfortunately, for most organizations, the only time they know something has happened is when credentials are stolen and somebody's downloading data or has put it publicly. Hence, for Ramachandran, the browser and how it communicates is pretty much a blind spot today in most enterprises.

Making the change

“Adoption of a new technology in a company is a very direct function of how technical the security team is and are they themselves investing in doing active research to understand newer solutions and all of that. Most of the calls that I have taken, I think there has been a fair amount of educating the customer. It is generally rare for us to see someone who fully understands these nuances. I feel there is definitely a disconnect and that's where there is an option to pioneer such a space. But I think we're still far away from mass browser security adoption,” said Ramachandran.

When asked about SquareX’s go to market strategy, Ramachandran mentioned that SquareX is currently a SaaS tool which customers can sign up and deploy.

“We are direct selling to customers. Before we go into MSSPs and such, its important for us to elaborate our brand because that also makes the MSSP feel more comfortable. We are starting to build integrations and partnerships with larger companies, with CyberArk being a cybersecurity vendor with whom we have an integration right now. Similarly, we are talking to endpoint security vendors, SaaS, CSSC vendors to figure out how we can do that,” said Ramachandran.

At the same time, with more cybersecurity vendors moving towards platformization, it would be some time before SquareX is part of it. For now, the focus for Ramachandran is all about educating CIOs, CISOs and business leaders on the importance of browser security.

“The browser will be the new endpoint. If you think about it, you literally use the browser for everything today. Technology is becoming exceedingly complex, an average human being who's non-technical has no way to keep up with those advances. And now with AI coming in, we can't even believe what we see or hear, which is we used to trust our senses right now, somebody can clone your voice or do a cloned video and whatnot. I feel things are going to get worse before they get better. Having that added visibility on the browser can make a difference,” he concluded.