Authentic8 Blog Category: Security

Showdown: VPN vs. Cloud Browser

In many companies, VPN has become a staple of the traditional IT security stack. Annually, mid-sized organizations (<5,000 employees) spend an average of $60 per user on VPN technology and maintenance. Not much longer though, it seems.

While VPN has been around for more than 20 years, it now looks as if its promises of secure and private web access have worn off - many of them unfulfilled. In the words of Patrick Sullivan, Global Director of Security at Akamai, we are witnessing The death of VPN.

In his article for SC Magazine, Sullivan proclaimed: “It’s time to say goodbye.”

Sullivan’s farewell to VPN sounds timely, and he is not alone. Organizations large and small have found a way to cut their VPN costs or eliminated them altogether. In the same step, they attained a level of secure and private web access that VPN has never been able to deliver. What happened?

How Companies Cut VPN Costs

They

85% of Infected Websites Are NOT Blacklisted

Website attacks increased by 59% in 2018, according to the 2019 Website Security Report [PDF] recently published by Scottsdale, AZ-based SiteLock, a provider of business website security solutions. Most of the attacks were automated, the company reports, with 330 bots staging on average 62 attacks per day.

So far, so not surprising - just wait, there’s more. Let’s look next at a significant aspect of the SiteLock findings. It illustrates how much the attackers behind such malware campaigns can rely on the inherent vulnerability of traditional browsers.

When someone visits an infected site, the regular browser dutifully executes the malicious code from the web on the local machine. From there, ransomware, spyware or cryptojackers can spread through the user’s corporate or home network. Game over.

“Not so fast,” you may object. “Our IT security team has many ways to prevent such exploits. AV/EPP/ATP, CASB, VPN, SWG/URL Filters…” Which brings up that other finding in the report

Cloud Browser Economics 101

We could go on all day long about the high price enterprises are paying for using traditional “free” browsers in their day-to-day business. Being respectful of your time, we addressed the core points in a short webinar titled Your Browser Betrays You (What is the cost of running a “free” local web browser in your organization?)

We frequently hear from customers how Silo, the secure cloud browser provided as-a-service by Authentic8, helped them realize significant savings. Customer survey results show:

Customer Survey Results: Savings Realized with Silo Cloud Browser by Authentic8

IT savings realized with the Silo cloud browser. Source: Authentic8

Before Silo, those resources - almost automatically, quietly - went to procure, maintain and update one or more components of a bloated security stack (think AV, CASB, URL Filter…). Its components were mostly aimed at preventing and mitigating the exploit and data loss risks associated with a locally installed browser base.

Because remote browser isolation with Silo removes these risks, enterprises can stop this point-solutions drain on their IT team and budget.

Federal Tech Talk: Secure Web Browsing

You may have heard that browsers were not designed with security in mind. Originally created to make the internet more accessible for scientists, the "free" browser soon morphed into a tool that helped advertisers and marketers turn its users into the product.

The rest is (web) history. In the traditional browser ecosystem, consumers pay for their "free" browser with ad clicks and their online usage data. Inherently insecure browsers have become ubiquitous - even in the federal government and its organizations, where taxpayers expect security to be more than an afterthought.

The high price "free" browsers elicit from federal organizations, in terms of weakened IT security and data protection, was the topic of a recent conversation between John Gilroy, host of Federal News Network's podcast Federal Tech Talk, and Thom Kaye, Federal Program Manager at Authentic8.

One highlight of their insightful exchange on How the browser betrays your organization: Thom explains how location data disclosed by

Browser Security: The Worst Code Injections and How They Work

In a new report titled Malicious Injections: The Tip of the Spear for Browser Threats, researchers with security firm RiskIQ predict that browser-based attacks will be a significant portion of the threat landscape for years to come, and will continue to cause major problems.

What do these attacks all have in common? Malicious injects targeting locally installed browsers. “Internet browsers are proving an invaluable attack vector for criminals,” the report concludes.

The point of injecting malicious scripts is to have the local browser dutifully execute code on the user’s machine. Attackers aim either to inject a piece of script into a web page directly or to inject a remote script (resources) into the page.

The report documents the top six techniques that they use to achieve either direct and remote injects:

Tacking it On

This is the most common method of adding malicious code to a page and can be done by injecting a malicious script in a <script>