Remote Browser Isolation: Preventing Malicious Web Code from Entering Your Network

Remote browser isolation, or RBI, is a technology that uses logical or physical barriers to separate non-trusted web browsing from the corporate network.

In today’s global and distributed business environment, Internet access is an essential feature for workers, but it also gives bad cyber actors a way to inject malicious code into a company’s network. While many organizations use traditional cybersecurity policies to reduce this risk, remote browser isolation (RBI) is often a more secure solution.

How do organizations traditionally control Internet access?

When you allow your workforce — whether it’s one employee with a shared personal/corporate laptop or thousands of employees with corporate laptops — to access the Internet, you’re giving the largest and most dynamic network in the world the ability to run potentially malicious code on your enterprise devices. Cybersecurity leaders have addressed this risk by creating policies on the firewall, proxy, or secure web gateway (these are all ways to filter, monitor, and control access) to make browsing the web safer. Here are two approaches to consider: 

  1. The textbook answer to controlling Internet access is to adopt restrictive policies that use an allow list (a list that spells out all the websites that users are allowed to access) to permit only trusted sites and web apps into the network and implicitly block all other content. 

  2. Most companies instead rely on permissive policies based on block lists (a list that spells out all the websites that users are blocked from accessing) derived from third-party threat intelligence or website categorization providers to keep known bad sites off the network.

Reliance on permissive policies and detection capabilities is risky, especially as cloud services and AI-driven botnets (short for “robot network,” a botnet is a network of computers infected by malicious software) make it easier to spin up attack servers and create more believable phishing attacks. This elevates the risk that third-party intelligence will fail to detect malicious behavior or that a user will be tricked by phishing, rendering your network more vulnerable to attack. This approach can also generate too many alerts for cybersecurity teams to analyze and take action on. On the other hand, relying on restrictive policies means you’ll have to use valuable IT or cybersecurity resources to vet more sites, which will also slow down the pace of business.

An alternative is to deploy RBI. It allows users to conduct trusted browsing on their endpoints (or computers at the end of a communication network; think an employee’s laptop) while interacting with non-trusted sites in separate environments that shield the endpoint and corporate network from the risk of processing code from non-trusted sites. It also significantly reduces the risk of phishing attacks by containing technical exploits on phishing pages and alerting the users that the phishing site isn’t a trusted service. Let’s take a closer look at RBI!

What is remote browser isolation?

Remote browser isolation, or RBI, removes the risk to your corporate network by creating a safe, isolated environment where Internet code is processed. With RBI, you can take a restrictive approach to sites directly connecting to your corporate network while allowing employees to browse sites that haven’t been vetted. If an employee opens a malicious site, it will appear in a separate environment that isolates them from the risk of malware and is flagged as unsafe, making it less likely that the employee will enter their password or other sensitive information into the site. There are many ways to do this, but all RBI solutions try to make browsing non-trusted sites safer for your company and more accessible for your employees – win-win!

From a user perspective, most RBI solutions try to make the browsing experience similar to normal browsing. This usually means that the RBI platform will create a separate window or tab for isolated browsing and allow limited copy/paste capabilities so users can bring text and pictures onto your company’s network without manually re-treating the content. In essence, RBI aspires to remove the risk of non-trusted web code processing — a core building block of a zero trust architecture — while allowing the business and its employees to enjoy most of the benefits of permissive Internet access.

4 key differences in RBI delivery

Once you understand the idea of RBI, you need to learn which RBI solution could work best for your business. While vendors may offer various features, it’s most important to weigh the security characteristics of each solution, since security is itself the reason you’re purchasing an RBI solution instead of using Chrome. Here are a few key security considerations, which get a bit technical – but when it comes to security, the technical details matter!

1 - Thoroughness of enforcement

Some RBI solutions will process all content sent to the service without applying a second level of discretion – so if you ask the RBI solution to process google.com, it will. Other RBI solutions apply their filters to exempt sites and content types that they consider trustworthy from processing in their RBI solution, even if you direct that traffic to them – so they might say, “You sent google.com for processing, but I trust Google, so I’ll consider it safe and pass the code directly into your network.” While applying additional filters to exempt content from isolation may marginally improve performance in some implementations, it incurs the same risks of a third party falling behind in its evaluation as a permissive firewall policy.
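The allow-list, block-list and RBI policies described earlier, together with the vendor-exemption behavior from this section, can be compared as routing decisions. The following is an added example, not part of the original article or any vendor's product; the lists, the `.example` hostnames and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed lists for illustration only (assumptions, not from the article).
ALLOW_LIST = {"intranet.example", "payroll.example"}  # sites your team has vetted
BLOCK_LIST = {"known-bad.example"}                    # third-party threat intel
VENDOR_EXEMPT = {"bigsearch.example"}                 # sites the RBI vendor trusts

def host_of(url):
    """Hostname the browser connects to: userinfo dropped, lowercased, no trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")

def in_list(host, entries):
    """True if the host or a parent domain is listed, matching whole labels only."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))

def permissive(url):
    """Block-list policy: anything not already known bad runs on the endpoint."""
    return "BLOCK" if in_list(host_of(url), BLOCK_LIST) else "DIRECT"

def restrictive(url):
    """Allow-list policy: anything not vetted is unreachable."""
    return "DIRECT" if in_list(host_of(url), ALLOW_LIST) else "BLOCK"

def rbi(url, vendor_exemptions=False):
    """Allow list goes direct; everything else is processed in isolation."""
    host = host_of(url)
    if in_list(host, ALLOW_LIST):
        return "DIRECT"
    if vendor_exemptions and in_list(host, VENDOR_EXEMPT):
        return "DIRECT"  # vendor's judgment replaces yours: code reaches the endpoint
    return "ISOLATE"

# Constructed sample URLs.
SAMPLE_URLS = [
    "https://hr.payroll.example/timesheet",                # subdomain of a vetted site
    "https://known-bad.example/",                          # already in the intel feed
    "https://fresh-domain.example/invoice",                # not yet in any feed
    "https://payroll.example@fresh-domain.example/login",  # real host follows the '@'
    "https://notpayroll.example/",                         # shares a suffix, not a label
    "https://docs.bigsearch.example/shared",               # on the vendor's exempt list
]

def compare(urls=SAMPLE_URLS):
    """Return (url, permissive, restrictive, rbi, rbi with vendor exemptions) rows."""
    return [(u, permissive(u), restrictive(u), rbi(u), rbi(u, True)) for u in urls]

if __name__ == "__main__":
    for row in compare():
        print("{:<52} {:<7} {:<7} {:<8} {}".format(*row))
```

The last column differs from plain RBI only for the vendor-exempt host, which is the case where a third party's trust decision sends code straight to the endpoint.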

2 - Strength of the transformation mechanism

There are two primary mechanisms to render web content safe: 

  • Processing code separately and passing only the resulting audio/video stream to the endpoint (a process known as “pixel-pushing”).

  • Using an algorithm to render code safer and processing that safer code on the endpoint (a process known as “transcoding”). 

While pixel pushing is a more intensive process than transcoding, it is the only way to ensure that no residual risky code reaches the endpoint by evading the transcoding process.

3 - Means of containment and transformation

Most RBI solutions rely on software running in the cloud for containment and transformation: containerization software isolates the browsing, and software processes pixel push or transcode the content. A few providers offer hardware security (hardsec) browser isolation, in which dedicated hardware (hosted in a provider’s cloud data center or on the customer’s premises) conducts the browsing on one system and uses fixed-function hardware to pixel push the content to a separate system to which the end user is connected. While software-based systems are more convenient for the vendor and can sometimes offer more rapid feature development, hardware-based systems are not vulnerable to software exploits and do not need to be re-evaluated for patch hygiene and software bill of materials assessment.

4 - Security awareness for users

Some RBI solutions are nearly transparent, making transformed content available side by side with trusted content in a separate browser tab. Other RBI solutions present the isolated browsing session in a separate window to warn users that the content presented inside the isolated window is risky and may not be what it seems. While more transparent solutions may be appealing to users, consider that while RBI protects against malicious web code, it does not, on its own, protect against human-enabled attacks like phishing, so you may want a more visible indicator like a separate window to make sure your users think twice before providing sensitive information in an RBI session.

Conclusion

RBI is an ideal technology for moving your web browsing security from a detection-based approach, which relies on vendor technology to identify and defend against bad content once it’s on your network, to a prevention-based approach that keeps bad content from entering your network in the first place. It complements proactive inbound security approaches like attack surface management by securing all of your outbound Internet browsing from the risk of malicious sites. When evaluating which RBI technology is right for you, it’s essential to closely scrutinize how the browsing is isolated to ensure your new RBI solution can keep up with the rapidly evolving threat landscape in human attacks like phishing and technical attacks like malware.

Adam Maruyama

Adam is a cybersecurity and national security professional and the current Field CISO for Garrison Technology. He served over 15 years in the Intelligence Community supporting cyber and counterterrorism operations, including numerous warzone tours and co-leading the drafting of the 2018 National Strategy for Counterterrorism. During his time in the industry, Adam has served commercial and government customers at McKinsey & Company and Palo Alto Networks.

https://www.linkedin.com/in/adam-maruyama-099490178/