Silo beats Google Chrome as the most secure browser for the enterprise, researchers at Georgetown University found. For our podcast “The Silo Sessions”, Authentic8 Co-founder and CEO Scott Petry spoke with Paul Brigner, Managing Director of the Security and Software Engineering Research Center (S2ERC) at Georgetown University, about the study and its findings.
This transcript has been edited for readability.
Scott Petry: Paul, we are going to spend some time talking about your latest research study, so why don't you introduce yourself and give a little background?
Paul Brigner: Thank you very much, it's good to be talking to you about our research at Georgetown University. S2ERC is a partially funded National Science Foundation Research Center, and all of our research is done in conjunction with industry. There’s a specific program at the NSF called the Industry-University Collaborative Research Program, and we are one of those centers.
Scott Petry: And we, Authentic8, are an industry affiliate. We worked with you and your team on some research studies looking at issues around browser security, browser performance, and specifically the cloud browser. That's what we're going to talk about today.
Your researchers found a fundamental difference between local browsers and browsers that live in the cloud. Before we go into the details, why don't we talk a little bit about the goals and methodologies behind your research project?
Paul Brigner: Sure. Our research was designed to validate properties and the benefits hypothesized as a result of isolating a web browser through virtualization technology.
We did this in a way where we tried to simulate an actual use case where a user would be using the virtual browser and try to identify exactly how well that approach was able to protect the user and protect the environment that user was in from attacks. And we looked at productivity - like, how does using this affect a user's productivity?
Scott Petry: ...and that's the title of the report, the S2ERC Productive Browser Report [PDF]. Can you double-click on what the productivity angle is, and how you thought about that in the context of what might be seen as a security study?
Paul Brigner: Well, we looked at it by comparing the different use cases. Say if you weren't using a virtual browser, if you weren't using Silo - if you were using Chrome or some other method to browse the web.
What was the users’ experience? And how much did that affect them? How much were they protected? From the productivity perspective, it was mostly focused on: Are the users able to access what they want and to browse the web in a very free and open way, but still be protected?
Scott Petry: The report showed a fundamental difference between the way a local browser handles access to that content and the way a cloud browser does it. What do you consider to be the most significant findings in this regard?
Paul Brigner: I think the most significant finding was that when using the cloud browser, there was no infection. The user was not put at any risk. That user’s network environment was not put at risk. That was proved to be the case.
We were careful to create an environment that would be very similar to what people might use in a corporate setting. We had the virtual browser on one side and had a laptop running Chrome with good virus protection on another, and you could see the difference.
Chrome is going to trap some of the viruses, and it's going to prevent you from downloading some of them in some cases. There might be other protections that would be common, but at the end of the day, when you're using a cloud-based browser, those downloads are not getting into your local network environment there.
They're not going to infect your network. I think that was clearly the most significant finding. Clearly, you've designed the solution to make that the case.
Scott Petry: Yeah, we were tickled pink by the results. From a productivity and usability perspective - did you find using the cloud browser came with a penalty?
Paul Brigner: From the security perspective, I think you are way ahead. It's hard to even compare the two approaches. In our experience, you adjust very quickly, very rapidly to the different approach. It becomes second nature.
You are introducing a little bit of network latency, but even that wasn't so much that it became a nuisance for us.
It's mostly an upside that you get by going to a cloud-based browser.
Scott Petry: Coming from Georgetown, where you have academic standards and expectations in terms of impartiality and such, you need to keep an open mind. Was there anything that you'd say struck you or surprised you about the results?
Paul Brigner: When you're doing a study like this, you're actually going out there, and you're identifying malware that you know has a potential to infect your machine.
And you see in some cases it gets caught by a web browser, like in the native web browser Chrome. In some cases, the download is stopped. In some cases, it's not stopped. In some cases, it's stopped by your local antivirus, because we did try to simulate an enterprise environment that would have a very strong local antivirus…
But in the end, there is going to be some of this malware that gets through. It is an inevitability, and that, I guess, was kind of eye-opening. I think we all know this is the case. We know it's a question of not “if” but “when”. This was just a great example of “yeah, it's gonna happen.”
Scott Petry: I couldn’t have said it better. When you let that content in, you have to work harder to find the things that get through. And it's hard to find everything. As we say in the company, “the good guys have to be right all the time, the bad guys only have to be right once.”
Paul, I'd like to thank you very much, and we really look forward to hearing more from you and your team in this space. Please keep us posted, and we'll continue our conversation here on The Silo Sessions.
Paul Brigner: I appreciate it. It's been a pleasure to talk to you.
The Silo Sessions is the official podcast of Authentic8, maker of Silo, the cloud browser. Listen to industry experts on the issues the cybersecurity industry is facing today. You can listen to the live recording on YouTube or SoundCloud.