Too frequently, URL filtering fails to catch malicious websites, or it blocks resources that employees need to do their job. With its new secure web gateway (SWG) integration Authentic8’s remote secure browser Silo now helps enterprises close this security gap.
Secure web gateway (SWG) solutions provide a generally reliable way for the enterprise to handle users’ web requests, allowing some sites to be accessed and others to be blocked.
To maintain security and efficiency, “generally” reliable may not be enough. A web resource that an employee needs may not have been crawled and categorized by the SWG vendor yet. Another URL may have been cataloged, yet somehow ended up in the wrong category. Or a resource that was approved earlier has since been infected with malware.
If the SWG allows users to access a potentially dangerous web resource without protection or security backstop, the consequences to the company could be disastrous.
Because regular browsers fetch and process all code from the web locally, at the endpoint, connecting to an infected website opens the door for malicious software, such as ransomware or spyware, to enter your local IT infrastructure.
Most companies have come to terms with the trip-ups of URL miscategorization. But an even bigger challenge remains:
Beware the uncategorized URL
Should you allow access to a website that has not been classified yet by the SWG vendor? This may expose the local browser and your IT infrastructure to potential security violations.
Or should you simply block all unclassified URLs? This step would likely reduce the efficiency of your business, while increasing the number of angry messages in your inbox from employees who need a particular URL unblocked, and pronto.
While some companies may accept the risk of access, trusting that AV scanning is an appropriate backstop, that trust could be misplaced. According to a report by Canadian security researchers, leading anti-virus tools are susceptible to web-borne exploits themselves, and expand the attack surface rather than limiting or eliminating it [PDF].
How can organizations close the security gap opened up by non-categorized URLs, without loss of productivity?
URL categorization: a tedious task
If Sisyphus were around today, he’d probably be in the business of maintaining SWGs. It’s the internet’s version of rolling a giant boulder up a hill, for eternity. In the modern version, at least there’s a payoff. Market researchers forecast the global SWG market to grow from more than $2 billion (2016) to $5.6 billion by 2020.
The money is hard-earned, though. Secure web gateway vendors use URL classification and categorization to enable a go/no-go decision for access, based on groups of sites. This means they need to keep their web filtering categories current – a monumental undertaking, given the rate of growth and change on the web and the diversity of URLs associated with the content embedded in web pages.
To accomplish this task, SWG vendors rely on web crawlers to collect data on billions of websites. URLs are then organized by categories – malicious, pornography, social media, etc. IT uses these URL categories in its web access policies, when creating the rules that define which online resources are approved or blocked for users within an organization.
Uncategorized URLs force a risky decision
Researchers estimate that out of 50 billion URLs, only 30 billion have been categorized. Too many URLs still require IT to decide if they allow access and accept the security risk, or block access and potentially risk harm to the business.
Firms in highly regulated fields – such as financial or legal services providers – use SWGs to block all URLs except for those essential to the organization’s business, to ensure regulatory compliance and security when employees access the web.
A large bank, for example, may require its external business partners, such as law firms, to prevent their employees from accessing social media or webmail sites.
While categorizing and blocking URLs en masse can ease the burden on desktop and network analysis solutions, it doesn’t close the aperture for exploit.
In other words, categorizing URLs doesn’t make the web safer – only less available, which slows down business processes, due to SWGs’ main challenges:
- The web changes too fast. Domain registrars’ statistics show nearly 500,000 domains being registered on a daily basis across all top-level domains. With the emergence of vanity domains and country codes, the pressure on SWG vendors to keep categorizations current increases with the growth of the web.
Your organization can avoid paying the price for this lag, by making Silo the default browser for web resources that have not been captured yet.
- Category filters are often wrong. With billions of websites to categorize, firms rely on automated processes for web filtering based on characteristics. An error in these heuristic processes leads to erroneous blocks that prevent users from accessing necessary resources and costly exceptions management procedures in IT.
Productivity suffers when the system blocks access to web resources that employees need to complete a work-related task. Instead of quickly scanning this financial analyst’s newsletter or downloading that investor relation firm’s PDF report, the employee will have to request an exception from IT to get the resource whitelisted or moved to a different category.
By making Silo the default browser for miscategorized or ambiguous groups of sites, employees will be protected when they access relevant resources. As an example, members of the IT team conducting research would no longer be prevented from visiting “white hat” hacker websites, just because “hack” or “hacking” is part of the respective URL.
- Attacks may come from approved URLs. One of the most underestimated risks in this context. In 2015/2016, potentially millions of employees who visited New York Times and the BBC were exposed to the Angler Exploit Kit and corresponding ransomware. The code was hidden in online advertisements distributed to those sites by major ad server networks. Firms whose SWG granted access to tier one news sites opened the door for the payload.
By letting Silo handle particular web categories – such as news, business networking or social media sites, given their vulnerability to malware distribution schemes – the enterprise can protect itself without internet restrictions that employees would perceive as overly rigid.
Close the security gap, increase business efficiency
Enter Silo, the secure virtual browser developed by Authentic8. It picks up the security slack of the SWG and improves productivity at the same time, by solving the underlying problem that traditional tools fail to address: the inherent vulnerability of the local browser.
Through its integration with leading secure web gateway solutions, which was announced this week, Silo now enables enterprise IT to selectively redirect certain URLs for safe rendering in Authentic8’s patented isolated browsing environment.
Authentic8 customers can now configure their edge gateways, proxies, or firewalls to forward some or all web requests to Silo, where they are processed remotely and safely in a secure cloud container, off the local network.
Pairing the secure browser with a secure web gateway
Authentic8 provides customers who want to use SWG integration with an identifying token that they can embed in any URL forwarded to the service. Authentic8 will return an encoded pointer for the user to automatically connect to a secure, virtual browser where the site can be securely rendered. Each user’s Silo instance is built with a policy defined by the customer.
Admins can enable a global configuration, with a single policy restricting key functionality like upload/download, copy/paste, freeform browsing to other websites, and more. Alternatively, customers can create specific web use policies for different groups of users in their organization. All user activity data is logged and encrypted with a customer-supplied public key.
IT can determine which URLs are redirected to Silo, including current categories like social media or personal productivity sites, to allow employee access without the risk of undermining security or compliance policies.
Secure your SWG investment, let Silo close the gap:
Authentic8 SWG integration is available now. Contact email@example.com for more information.
*** This is a Security Bloggers Network syndicated blog from Authentic8 Blog authored by Gerd Meissner. Read the original post at: https://authentic8.blog/when-url-filtering-fails-this-secure-browser-has-your-back/