Seraphic Security: Protection for the Browser Where You Live
The problem with most browser security products, as Ilan Yeshua, co-founder and CEO at Seraphic Security, sees it, is they expect you to go work somewhere else.
“It is as if you have a beautiful house, and you want to secure your house, but somebody is coming in and telling you, ‘We will take you to a secure house in a different place.’ You won’t like it; probably you’d like to stay in your own house,” he explained.
Seraphic Security, based in Herzliya, Israel, recently emerged from stealth after two years. Its approach is to provide security where workers live — in the browser, whether that be Chrome, Firefox, Safari, Edge or whatever.
Especially since the pandemic, with so many people working from home or other remote locations, they increasingly rely on SaaS applications on their personal devices to do their work, and security teams struggle — or have even given up trying — to lock down what users can do. At the same time, the browser provides a giant window for threat actors to conduct malicious activities.
“Nobody is going to tell employees, ‘Don’t use your own device. … the mobile, nobody is going to tell you not to use it. And nobody is going to tell you which applications to use. In the past, organizations used to dictate everything — you work only here, my devices and use the application that I’m telling you to use.
“Today, employees choose applications, and organizations are following up because they realize that the walled garden is not good for productivity,” he said.
CISOs are seeking seamless and frictionless security solutions, Frost & Sullivan wrote in a report on enterprise browser security.
“Backhauling all user traffic to secure it for remote users does not allow a native experience where users can go directly to a cloud app,” the report states.
Focused on Randomness
Seraphic’s approach takes a page from Moving Target Defense, a concept introduced in the U.S. military on the 1950s to increase complexity for attackers, reduce their window of opportunity and increase the costs of their efforts.
In the ’50s, when all communication was analog with no encryption, the U.S. military used frequency hopping. Every few seconds, they were hopping to a new frequency, co-founder and CTO Avihay Cohen explained. So if an adversary were listening, it continually had to spend time trying to find the next frequency. Though it wasn’t exactly robust, it did work, he said.
He likens Seraphic’s approach to an ever-changing lock.
“We are introducing a new type of lock that is changing every time you try to pick it. So the lock is the browser in this case, and it’s becoming more and more chaotic and random, which is completely and robustly able to prevent exploitation,” he said.
It relies on a lightweight agent that operates within the JavaScript Engine (JSE), installed on the client devices that provides deep visibility into malicious activity as it unfolds, at which point the attack is blocked. The agent has a negligible impact on system performance, according to Cohen, and some customers’ workforces didn’t even notice any difference when it was installed.
The technology creates an abstraction layer that produces rich execution-related telemetry that can thwart attacks such as zero-day, unpatched n-day vulnerability exploitation and sophisticated spear phishing.
The runtime telemetry also allows Seraphic Security to provide fine-grained governance and policy enforcement, preventing issues such as sensitive data leakage and user credential theft in real-time.
At the ‘Crime Scene’
Two things make the Seraphic approach unique, according to Yeshua. First, it doesn’t rely on detection.
“By definition, when you’re doing detection, you’re relying on known patterns. You do some kind of comparison to signatures or other things. And then the problem is that hackers are always one step ahead,” he said.
“If you are not basing your approach on detection, you are not falling into the trap of this cat-and-mouse game because you don’t care about the pattern. You just change the target in a way that is randomized in a way that is unexploitable by the code, because any malicious code in order to execute needs to get some hooks inside the target. And if we change the target in a way that is unexpected to the malicious code, then it is becoming unexploitable,” he said.
The second is that most existing solutions — endpoint protection (EPP) or endpoint detection and response (EDR) — are trying to monitor and mitigate the browser from the perimeter, rather than inside the browser itself. They act post-execution and rely on detection. Plus, they want workers to only use a dedicated browser.
Some of the newer competitors in this space include Dallas-based Island, which offers a secure enterprise browser; Israeli startup Guardio, which offers an in-browser extension; and Israel-based Talon, which has developed an endpoint-agnostic solution called TalonWork that acts as a secure browser for enterprises.
Said Yeshua: “We are not an OS operating system agent. We are at the level of the browser itself. We say that we are located at the crime scene. If the crime scene is the browser, why should we try to monitor the browser and audit it and mitigate it from the perimeter? Let’s put our abilities inside the browser.”
Organizations can set governance policies like copy/paste and data loss prevention controls. There’s the option to use an optical character recognition (OCR) engine to scan images and set controls for sensitive content, and different installation choices. For instance, should the solution run even when a worker is doing personal web surfing?
Depending on the installation configuration, Yeshua and Cohen say the agent would continue to protect workers even in the off-hours, but they maintain that privacy would still be protected. Since all the processing of information takes place locally in the agent, no data is sent to a proxy, a gateway or to a server. Nothing goes to the cloud.
A Testimonial
Israel-based Clal Insurance and Finance had been using full remote browser isolation (RBI) for almost seven years, and was happy with it for the first five, according to Haim Inger, CTO and vice president of infrastructure and operations.
For the past two years, though, while increasing its public cloud footprint, the company started to encounter more sites that didn’t work well or not at all with the full RBI solution. User experience was badly damaged, he said.
With responsibility for all IT Infrastructure and cyber defense products in the company, he and his team set out to find more appropriate solutions. He explained what they found:
- Full RBI solutions are all the same, and you will find yourself with a lot of websites that are not compatible with RBI, so you will access those sites directly, thus bypassing the full RBI protection for sites that are holding your most precious data, such as public cloud-based CRM.
- Other vendors offer a partial RBI approach, accessing unknown sites with RBI and known sites with just a proxy server. This approach is very dangerous since an attacker can install malware on one of your well-known and good sites so that browsing it from the organization will cause immediate damage to the computer and from there to the entire network.
“So, our conclusion was [that] we must find a product that will secure the browser and protect it 100% of the usage time while allowing a native user experience,” he said.
They checked out a company that offered a secured, Chromium-based browser, which looked like a good idea at first, but after a proof of concept, found three issues:
- We needed to replace the Edge or Chrome browser in our organization. This is not a simple thing to do. We still have a lot of web apps that needed the Edge compatibility feature for IE11 and even IE6.
- The dedicated browser needs to be updated whenever Google finds a zero-day in its browser, something that happens every month.
- So, even if we rewrite our legacy apps to be Chromium-native and use the new secure browser as our only browser, we cannot update the browser every three to four weeks since we have about 200 apps that we need to make sure will work with the new browser version. It takes us about six weeks to accomplish these tests, and using this solution means four to six weeks of being vulnerable to a known zero-day attack.
“That’s the point we met with Seraphic,” he said. “They promised us that their solution will protect us from zero-day attacks with our current Edge and Chrome browsers while giving us a full native user experience, and even new features we never had like detecting clickjacking, anti-phishing and other well-known browser-based attacks.”
He admitted it sounded too good to be true, but was curious, so decided to do a POC. Teams compared well-known attacks on unprotected older versions of Chrome and Edge, and the Seraphic solution on the same machines using the same old browsers. They found that 100% of the previous attacks were blocked with Seraphic and equal success with the new features like anti-phishing and others.
They next checked out user experience. “Users really asked me when could I migrate them from the full RBI to the ‘new surfing thing you are testing,’” Inger said.
The Seraphic technology has replaced both the previous RBI solution and an old proxy server the company was using, he said.
