Where Are Secure Web Gateways Falling Short?

Are secure web gateways still an effective tool in the enterprise? The browser has changed a lot in the last decade. Are secure web gateways (SWGs) still keeping up?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Vivek Ramachandran, founder, SquareX.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, SquareX

SquareX helps organizations detect, mitigate and threat-hunt web attacks happening against their users in real-time, including but not limited to malicious sites, files, scripts, and networks.

Find out more at sqrx.com.

Full Transcript

Intro

0:00.000

[David Spark] Are secure web gateways still an effective tool in the enterprise? The browser has changed a lot in the last decade. Are secure web gateways or SWGs still keeping up?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series and joining me for this very episode, it’s Steve Zalewski. Steve, say hello to the very nice audience.

[Steve Zalewski] Hello, audience.

[David Spark] That is Steve Zalewski. We’re available on CISOseries.com. You can check out lots more programs on the site. Why not check it out? We got videos, we got articles, more episodes, shows. It’s a ton of fun. Our sponsor for today’s episode is SquareX. Be fearless online with SquareX, and we’ll explain exactly what we mean by just that. And we’re actually going to be talking about the issue that SquareX deals with, and that is, well, safe web traffic. So, let’s jump into this. Steve, the way browsers are used in the enterprise has fundamentally changed over the last 15 years. So, why does it feel like secure web gateways have not kept up? Steve, you wrote about this on LinkedIn. You still believe they are essential for enterprise security, but where are they proving less effective today?

[Steve Zalewski] And this was a good topic because I actually had to think about this, which was my analogy here is more like the Swiss army knife, which is over time some of the blades on the Swiss army knife may not be as popular, as useful as they once were, but you still need them. And so when I look at secure web gateways and the conversation today is that they still fill an important role for us, but it’s not necessarily as common a role as it once was.

[David Spark] Very good way of putting it. I like that idea. Still a valuable knife in the Swiss army knife, but we got a lot more tools in there as well that are doing the trick. Let’s bring in our guest who’s going to help us with this, and it is from our sponsor. It is actually the founder of SquareX, our sponsor, none other than Vivek Ramachandran. Vivek, thank you so much for joining us.

[Vivek Ramachandran] Thanks so much, David. Super excited to be on the show, an honor and privilege. And Steve, very excited to be able to speak with you as well.

Why is this a problem?

2:33.671

[David Spark] All right. When I begin here, everybody, I’m just going to tell you this is a mouthful, what I’m going to read, this quote, but hold on and just follow me through this. This comes from Carlo Dapino, who says of this issue, “The problem as I see it, in a context where modern east-west traffic,” which we all know about, it’s like once you break the shell, how they’re traveling within your network, “Is also on the WAN side and doesn’t get captured in north-south traffic,” which he describes as the example, the traffic between two cloud providers. Carlo goes on to say, “The capabilities to stop attacks are getting thinner. SD-WAN was supposed to integrate and fix the issue, but if we see the real implementation footprint and the fact people use that without application routing and L7 visibility, we got to step back and we have a lot of false security implemented in SWGs.”

Now, Neil Baal also said, “We have the traditional move forward proxy/web gateway/web filter, which gives some good details on user clicks about an incident and does stop some threats in their tracks, especially when users click a link in an email and the web gateway knows it’s malicious or looks nefarious.” So, Steve, you’re nodding your head. Neil is kind of giving the details of what you mentioned in the opening, isn’t he?

[Steve Zalewski] Yes. And I agree. It’s kind of a mouthful for both. And this is a pretty technical topic because north-south, east-west, right, proxy gateways. But what we’re really getting at here is there are still some use cases where these gateways are the most effective solution. Oftentimes, when you have what I call a hard network edge, where you’re routing everything through, right, holes through your network. We talked about layer seven here and layer four. Great solution, still a great solution. So, the problem isn’t so much that the technology has gotten harder. It’s just we don’t necessarily push as much traffic through that as we used to. So, we’re having to augment a good secure web gateway with other solutions.

[David Spark] I’m throwing this to you too, Vivek. When did you stop loving SWGs?

[Vivek Ramachandran] [Laughter] I mean, almost the moment I started using them.

[David Spark] What was the rub?

[Laughter]

[Vivek Ramachandran] When we were trying to defend the network, and attackers were pounding our end users, we started seeing a lot of limitations of SWGs. And that is really where Steve, to Carlo’s point, I agree in part, but the most important thing to realize is even with proper routing and visibility set up via the SWG, we are essentially trying to infer, detect, mitigate application layer attacks, but with network traffic consisting of plain old HTML, CSS, and JavaScript. So, my favorite analogy example is this is akin to relying entirely on basic static analysis of an executable to decide if this is ransomware or not. And we know there are hundreds of ways an attacker can obfuscate web attacks and completely evade SWGs. So, unfortunately, this is why I strongly feel SWGs in today’s context of progressive web apps, newer web protocols, and all of that can only detect the most basic of web attacks. And as a CISO, I guess you’re worried more about skilled attackers, nation state attackers, and not about script kiddies banging against your network.

Where does the solution fall short?

6:32.566

[David Spark] Jaydeep Palana of ITC Infotech said, “Traditional on-premise SWGs have long become obsolete.” And really much pointing to what you just said, Vivek. He goes on to say, “Cloud-based security service edge or SSE providers have stepped in to replace these with a suite of protections. These are just one layer of defense. Organizations must continuously calibrate their EDR, their SOC, identity threat detection and response, web application firewall, cloud security components, and most importantly, a well-documented and tested incident response and recovery plan in place for comprehensive protection.” So, I mean, I think what I like about Jaydeep’s comment here is that it’s like, SWGs were nice once, but we have a much more complicated environment, as you were just saying, Vivek.

Let me also read Andy Woodward’s comment here from HighPoint, who said, “I think many SWGs still provide a great layer of defense and visibility. However, they’re only one layer. I’ve seen too many products recently claiming to be a catch-all when the reality is the defense in depth is still required. There will always be a new attack methodology that will bypass a control, so it’s important to not rely on any one component absolutely.” I’ll let you answer this one, Vivek, first. Just the bottom line, and especially with Jaydeep, who listed off all these different technologies, the bottom line is don’t rely on one.

[Vivek Ramachandran] Yeah, absolutely. And I feel like layering your defenses definitely increases the probability of catching an attack, but the problem in this specific case is we are relying on the SWG as the sole layer to filter malicious web traffic delivered to enterprise users. Now, if you look at the other layers he’s been talking about, endpoint security has absolutely no visibility into the browser and can only detect threats when the enemy is already at the gates, right, a file ended up dropping. Also, it is unable to do any form of attack attribution.

And David, just to kind of elaborate on that, if a bad actor was targeting multiple users in your organization by sending them a malicious Word document, but over LinkedIn DMs posing as a recruiter, then endpoint security will finally only tell you that Chrome was used to download a malicious file, but have absolutely no clue how the attack was orchestrated in the first place, which means there is no security awareness which can happen internally. There is no way you can sound it out to your employees that this malicious actor is using this technique to reach out and all of that. So, unfortunately, what is happening today is employee browsers and what happens within is a blind spot for enterprises.

[David Spark] All right, Steve, I show this to you, and you make a very good point. It’s the applications that are making this really freaking complicated, isn’t it, Steve?

[Steve Zalewski] Yeah, and Vivek did a really nice job. And this is where, as we’re talking about this, is secure web gateways as a concept says that I’m going to start from a known good place, and I’m only going to let you go to known good places. So, if you think about it, it’s a fully controlled environment. But more and more, right, that’s what we said, is I can’t enforce that kind of total control in the environment. The browser edge has moved to the data edge. I have to let you do things, okay, that I don’t have total control over, which means I need more context. I need to be able to not know that you’re in a safe playground so much as when bad things enter the playground, I can now identify them. And that is the shift in why this conversation is occurring, is they have a role, like I’ve always said, but more and more, we don’t have that constrained playground because the business won’t let us do it.

Sponsor – SquareX

10:42.918

[David Spark] Who’s our sponsor this week? None other than SquareX. And let me tell you about how awesome. You remember at the very beginning, I said, be fearless online? Let me explain. So, SquareX empowers organizations to detect, mitigate, and threat-hunt web attacks against their enterprise users in real time. Now, as we all know, traditional SASE or SSE secure web gateways can’t stop modern web threats that happen on the client side. And endpoint security companies have no visibility into what happens in the browser during a client-side web attack, leaving an organization vulnerable. In fact, Vivek was just talking about this.

So, SquareX, with its innovative approach, bridges this gap. Their browser-native security product, which deploys within minutes as a browser extension, safeguards enterprise users from a spectrum of web-based threats, encompassing malicious files, websites, scripts, and compromised networks. SquareX offers full visibility into the attack chain, this is what we were just talking about, enabling enterprises to effectively threat-hunt and identify similar attacks across their networks. Now, you can learn more about protecting your enterprise users against web attacks with SquareX and let me spell it for you. It’s sqrx.com. So, it’s SquareX, but with no vowels, sqrx.com. Don’t wait for threats to reach your enterprise. Stop them where they start with SquareX.

What aspects haven’t been considered?

12:12.515

[David Spark] Justin Francesconi of Bowtie said, “There’s been an architectural shift explicitly to prevent man-in-the-middle interception, raising questions of effectiveness at a technical level. But there’s also the reality that most of these solutions are user-hostile, creating incentives for disuse, and pushing important traffic flows to unmonitored streams. The answer is to focus on speed and invisibility while still reacting quickly and helping to answer the question of what happened when the worst inevitably occurs.”

Or Eshed of LayerX Security said, “SWGs are focused on DNS-level security.” That’s a good point. “That was decent when every website was doing something. Today, in the cloud/SaaS age, anything is everything.” That’s a good way of putting it. Yes. “I use AWS for my production environment, crown jewel, my peers are using AWS for their services, supply chain, and the attacker is using AWS for phishing and malware command and control. If the SWG only sees AWS without an identity and content context, it becomes an ineffective technology. Most SaaS apps are a black box for the SWG, the certificate pinning, progressive web apps. In the bottom line, SWGs are a legacy technology that takes too much and gives too little. A browser security tool can be 10x better and 10x simpler than SWGs.” Actually, I am going to start with you, Vivek, on this one because of the very last thing that Or just said, he is speaking to your product, isn’t he?

[Vivek Ramachandran] Yes, absolutely. And David, I’ll split my answer into two parts. One to address what Justin mentioned and kind of bring in why browser-native security is so important. So, unfortunately, what Justin was mentioning, there is definitely a big penalty placed on user experience when SWGs intercept and monitor encrypted web traffic. And even with this, unfortunately, SWGs have no application context. They are unaware of user interaction and how the page is being rendered by the browser and shown to the user. And this is really where a browser-native security solution like what SquareX is building, by sitting in the browser, we are able to monitor every little change which is happening in the DOM, how the user is interacting, how the browser renders the UI, where attackers may be trying to do UI redressing attacks and all of that.

So, by having full visibility into everything going on on the browser, our detection algorithms actually are a lot more powerful when it comes to detecting attacks. And because we sit in the browser, it is possible for us just in time to do attack mitigation simply because everything is happening in line in the browser itself. And I’ll give you very simple examples of how SWGs fail. Imagine today that an SWG sees a user downloading a file. Absolutely, it can have no clue if this was something the user clicked on the active tab on a link and is downloading it, or if this is actually going on on a tab out of focus where maybe this is a drive-by download. But a browser-native security product can look at this and say, “Hey, why is that website which is kind of like hidden away in one of the inactive tabs trying to download a file?” And that itself is suspicious to begin with.

Finally, just to add to what Or mentioned, I feel like in today’s cloud service world, the URL is unfortunately too broad of a construct to apply blanket allow/disallow policies. And true zero trust is about verifying everything which actually ends up loading as part of that URL. And I’ll kind of close my comments by saying I was reading about an attack where bad actors were smuggling malware and attaching them as zip files to GitHub repo issue responses. And this was completely subverting a lot of the SWG rules because all they were looking at is that this is originating from GitHub, and that would probably mean this is the enterprise’s developer GitHub, and we should just allow everything.

[David Spark] So, what I’m realizing as I’m listening to you, Steve and Vivek, and also these quotes as well from our very wise listeners, is the bottom line is if you want to stop web attacks, you have to get as close to it as possible, and SWGs are not as close to it as possible.

[Steve Zalewski] That is 100% right for more and more of the use cases. Okay? Another way I say this, and that’s why this is kind of a complex topic we’re talking about, is that if I have a network edge, and I protect it at the network edge, that’s great. But what the cloud did, and what SaaS vendors are responsible for, is exposing a data edge. And a data edge doesn’t actually have a network, right? It isn’t a traditional network edge. You’re exposing the data directly between an application in a browser client and the cloud. SWGs can be enforced there, but they’re very difficult. They’re complex to implement that way. The better place is get into the browser, right close to where the user is interacting, right, with the SaaS cloud, cloud-native application, and solve the problem. And that’s what we’re talking about today is these are the use cases where this is the right way to solve the problem.

[David Spark] And also getting back to what Or said here about identity and content context. If you’re in the browser, you can do that. If you’re not in the browser, who knows? And this goes back to what you’re saying, Vivek, right?

[Vivek Ramachandran] Absolutely. And I feel that SWGs, unfortunately, are forced to act in the blind because all they are seeing is this massive traffic stream. Imagine your browser has 10 tabs, all of that traffic just gets mixed. So, the SWG has really no application context. And I feel like that is the biggest undoing of the solution, is without context, how do you know how to look at traffic and decide what to do?

[David Spark] You could be wrong 12 different ways.

[Steve Zalewski] And let’s expand on that for a minute, stay technical here, which was in extending the context. Okay, this is what we talked about. This is identity and access management. When I am at a network edge, right, and I’m looking at layer three, layer four, layer seven, the identity data that I can obtain at that point to determine context is pretty limited. When I look at it at the browser edge, and I look at identity and access management, and I can look at authentication, I can look at authorization, I can look at threat intelligence in near real time at that point, then the authorization of that data by that identity is now actually much more practical to accomplish, and that’s where we’re being pushed. That’s the new edge of a service edge, which is why for many of us, this becomes an obvious solution that you have to deploy because we’re realizing that’s where the new Wild West is.

Does anyone have a better solution?

20:03.082

[David Spark] Russell Spitler of Nudge Security said, “It is time to reevaluate the reliance on SWGs for any mission-critical risk reduction. The challenges are many,” which we have been talking about, “Whether it is the number of devices and networks we work from, or the dominance of TLS traffic, or the futility of the man-in-the-middle approach with the number of application protocols that you need to reverse engineer to get meaningful signal. We are at the point where reliance on network control like this is just fooling ourselves.” That’s a good point right there. “This is not to say that they cannot play an important role but is that they should not be the mitigating control for any major risk.” Steve, that’s a pretty good sum statement right there. Yes?

[Steve Zalewski] Russell’s a smart guy. He’s been in this space. And I really like what he said at the end, right, which is network control is just that. It’s network control where we need other knives, right? And so we’ve got to get outside of that bubble, this is what we’re doing, and it’s the right thing to do.

[David Spark] Vivek, what’s your take here? And let me more, I guess, ask is what makes people not look beyond an SWG? Or is it just like, “Eh, this is just the way I’m operating right now”? Or they just haven’t built their security program deep enough? I mean, what is…

[Vivek Ramachandran] I think, David, most organizations tend to act when the number of attacks in the wild and publicized online clearly show that the defenses they have are no longer working. So, I think probably what is going to happen, and this is my prediction, as more and more attackers end up exploiting and evading SWGs and dropping attacks on enterprise users, we will start to see a clear failure of SWG, and the need for more browser-native security solutions. So, my hope is that Gartner, Forrester, all of these guys, eventually may even consider roping in the browser as part of the SASE, SSE requirements, when it actually comes to these vendors. So, that way, what can happen is we could have a browser-native component, working in tandem with the SWG, supplementing things that the SWG cannot absolutely see and detect.

I feel like Russell has summed it up well. To close out, I would kind of feel like the best solution at this point to detect web attacks against enterprise users is in the browser itself. The browser is the place where you have the most amount of rich and comprehensive data available. DOM changes, user interactions, UI rendering, all of that is available to algorithms which can run there. Now, the big change which has happened is in recent years, browsers have become very capable development platforms in their own right, with technologies like WebAssembly and all of that, making near native-quality attack detection and mitigation possible.

So, I feel the browser isn’t this dumb terminal that we are used to using for the past decade. It is now a very, very capable platform, almost an operating system level complexity, if you just went and looked at Chrome’s code. So, my humble opinion is a browser-native security agent residing within the enterprise browser can detect attacks in a better way. Most importantly, it can detect this upstream before those end up landing on the endpoint, that is, before the enemy is actually at your gates.

[David Spark] Excellent point.

Closing

23:58.685

[David Spark] Well, that brings us to the point of the show where we ask you which quote was your favorite, and I have a feeling that there’s two already I’m thinking of that you guys are going to lean towards. But I will start with you Vivek, which quote was your favorite and why?

[Vivek Ramachandran] Yeah, so my favorite quote was from Russell, and I feel like he’s summed up the whole thing really, really well, which is the state of affairs, and why network-based security controls, unfortunately, are failing and what we need to do. Excellent.

[David Spark] Steve, your favorite quote and why? That was one, there’s another one that I thought you might pull.

[Steve Zalewski] And I will say I really like Russell’s quote, coming from a management perspective. I think Russell really did a nice job from management. But I have to go with Or of LayerX Security because I think as a technologist, that was a really nice summary for the security architects out there and the security managers who are trying to articulate why they need to go to a browser service edge, as that’s a really nice way of articulating why either what they have isn’t sufficient, or if I’m going to do something new, start here before you start with an SWG.

[David Spark] Excellent point. Well, that brings us to the very end of the show. I want to thank your company, Vivek, SquareX, for sponsoring this very episode. The web address is sqrx.com. So, it’s SquareX without the vowels, sqrx.com. Thank you again, Steve, so much for being here. Now, Vivek, as I understand, there is a browser extension people can download for free, it’s a free extension that people can test it out. What are they going to experience when they test out that extension? What’s going to be different for them?

[Vivek Ramachandran] So, David, what we’ve done is we’ve given out a free extension, in which they can go ahead and install and be able to detect web attacks which are happening on their end computers. Now, this could be cybersecurity, IT people, who are just trying to protect themselves, or you can deploy this organization wide, where you can detect, mitigate, and threat-hunt web attacks which are happening in real time against your users.

[David Spark] For example, an attack comes through, what’s a classic thing I would see through your browser extension?

[Vivek Ramachandran] So, what would happen is the browser extension talks to the enterprise portal. And in that enterprise portal, you would see the entire attack graph of how a bad actor probably sent an email or sent a downloadable attachment to somebody in your company, and what really happened which finally led to that document or that attack finally dropping on the enterprise. So, all of this visualization is something you’d be able to see. On the browser extension itself, of course, you would kind of see which policy triggered and why we ended up blocking access to a certain place.

[David Spark] Excellent. Well, if you’d like to talk to SquareX about this, we’re going to have the link to Vivek’s LinkedIn account. You can also go to sqrx.com, get access to information there as well. Thank you so, so much, Vivek, for coming on the show. This was a really great discussion. Steve, thank you as well. And again, to our audience, we greatly appreciate your contributions and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.