Fixing browser security with artificial intelligence
Had you told me 30 years ago the first web browser would be the ancestor of most software interfaces, I’d have been skeptical. Of course, that was before most of us had an inkling of what the web would become. Even with that hindsight, it’s staggering how web browsers have become our primary windows into the digital world. Were it not for mobile apps, that domination would be nearly absolute. And many apps use the same scripting languages that create modern websites.
The rise of the cloud and services era cemented the browser’s ubiquity. It doesn’t matter what backend software or operating systems you deploy. At the front, users can fire up any modern browser and interact with those systems. Rather than installing bespoke client software on every device, you simply point users to a URL.
Browsers are the new operating systems – and though fantastic for accessibility, this creates an enormous security headache for people and organizations.
The flaws in our browsers
Historically, browsers represented contained spaces. What happened in the browser stayed in the browser and couldn’t influence the rest of the system. That idea became outdated as browsers evolved to become more versatile and relevant. Yet the spirit lingers: it’s still easy to think of the browser as a contained space, not a highly integrated part of your digital experience.
To clarify, browser technology has not languished: today’s browsers are much more security conscious. But they face two big adversaries: highly motivated criminals and user errors. Browsers are getting better, but the deck is stacked against them.
Returning to the days of dedicated software clients would be one step backwards for security and a gigantic leap backwards for technology. Browsers are universal and agnostic: they provide access to different interfaces such as dynamic websites, 3D (GrabCAD or Online 3D Viewer), and even virtual reality (the WebVR standard). Browsers even fuel modern development – using open languages such as HTML5 and Ruby on Rails, developers can make rapid changes and continual improvements to interfaces.
Regressing to days before the browser became the operating system would also have enormous cost implications. Imagine the world’s Salesforce users not accessing its services through browsers. Ditto for Amazon and Gmail. Apps have emerged as an alternative, but the digital software world is a browser world. Around the globe, millions access versions of Microsoft Office or Adobe Photoshop directly in a browser. We’ve come a long way since needing to install software for every service. Orphaning browsers is a step backward.
Getting intelligent about browser security
There is a security cost to browser ubiquity. Browsers interact with sophisticated websites, and they use powerful extensions and plugins – headlines often pointed fingers at third-party software such as Flash and Java for their security vulnerabilities. And browsers are present on many user devices. The way we work now – blending personal and professional lives from remote locations across multiple devices – adds to the security threat landscape even more.
The browser’s security woes relate to another trend in the cyber security market: the rapid marginalization of security perimeters. The Computing Technology Industry Association (CompTIA) wrote an article titled, The Death of the Perimeter: Zero Trust is (Almost) Here to Stay, that “we’ve finally killed off the idea of the perimeter as a viable defense metaphor.”
Cyber criminals have devised ways to get around security perimeters. Using extremely targeted and sophisticated spear phishing attacks, they dupe users into giving them access. They mimic authentic communication (in ways undetectable to the human eye) but instead deliver ways to breach systems without security being alerted. If you’ve received an urgent email about your bank account being in peril, or an express delivery gone awry, or an urgent request related to a collaboration platform you use, like LinkedIn or Slack, inviting you to fix it by clicking on a link and confirming your login details, you’ve come face to face with phishing. And, to underscore, long gone are the days when poor spelling, badly pixelated company logos, and unbelievable claims from overseas asking for access to bank accounts made phishing attempts easy to spot. Today’s cybercriminals are using much more sophisticated approaches that humans need intelligence and machine help to identify.
Browsers are often integral to phishing attacks – the links in emails display through a browser. Dangerous links are hard to contain. They emerge from legitimate infrastructure and trusted places. According to research by SlashNext, 70 percent of all phishing email URLs were hosted on legitimate cloud infrastructure, including AWS, Azure, outlook.com, and sharepoint.com.
This has become the leading cybersecurity challenge for organizations. They need browsers to access software services. Browser access must be easy, or else it can affect productivity. Yet browsers also need to be secure in a way traditional perimeter security cannot provide.
The answer is to mimic human intuition with the power of artificial intelligence (AI) and machine learning (ML) – and then bolster it. These technologies excel at spotting anomalous behavior and reacting swiftly in response. Using natural language and link-based detection, they can protect users from email phishing, mobile-based smishing (SMS phishing), browser-based spear-phishing (targeted phishing), and business email compromise (when criminals intercept company correspondence and insert malicious information, such as different bank payment details).
By harnessing AI and ML, we can secure browsers and preemptively stop attacks that target users such as employees or customers. We then also solve the conundrum of keeping digital interactions secure in a world where the browser is our operating system. Rather than reinvent the software wheel, a little computer intelligence and vigilance can go a long way and resolve the browser security paradox.