Remote Browser Isolation: The Next Great Security Technology is Finally Attainable

Security professionals and technologists old enough to remember renting movies at Blockbuster on Friday nights likely also remember a time when the internet was a new phenomenon full of wonder and promise.  These same individuals probably view it through a more skeptical lens, seeing it now as a cesspool of malware and great risk.  It’s also widely understood that no web security solution can offer perfect protection against the metaphorical minefield that is the internet.  This last statement, however, is being challenged by a new technology that is grasping at the title of perfect web security.  This mythical technology is Remote Browser Isolation, or RBI, and it can be argued that it does, in fact, provide its users with invincibility against web-based threats.

Remote Browser Isolation changes the playbook on web security in one very fundamental way: it doesn’t rely on detecting threats.  When a user tries to browse to a website, the RBI solution instantiates an ephemeral browser in a remote datacenter which loads all the requested content.  The RBI solution then renders the website into a dynamic visual stream that enables the user to see and safely interact with it.

Figure 1: How Remote Browser Isolation works.

User behavior can be controlled at a granular level, preventing uploads, downloads, and even copy & paste using the local clipboard.  When properly configured, absolutely none of the content from the requested site is loaded on the local client.  For this reason, it can be argued that it’s literally impossible for malware to be delivered to the local client.  Of course, the RBI solution’s ephemeral browser instance may be compromised, but it will be fully isolated from the organization’s valuable assets and data, rendering the attack harmless.  As soon as the user closes their local browser tab, the ephemeral browser is destroyed.

The value of this cannot be overstated.  The world is increasingly conducting its affairs through web browsers, and the challenge of detecting threats continues to increase at an exponential rate.  While there is great efficacy and value in the threat intelligence and malware detection capabilities of web security solutions today, the “cat & mouse” game being played with cybercriminals means that they’re simply never going to offer perfect protection.  Attackers often use zero-day threats coupled with domains registered perhaps within the past few minutes to compromise their victims, and these methods will too often succeed in circumventing any detection-based security measures.  The game-changing efficacy of RBI and the fact that its inception was actually more than 10 years ago should bring an obvious question to mind – if it’s so great, why doesn’t every organization in the world use RBI today?  There are a few relevant answers to this, but one rises above all the rest: cost.

RBI’s method of instantiating remote web browsers for all users precludes the possibility of any implementation that is not expensive to deliver.  Consider the size of a modern enterprise, the number of users, the number of web browser tabs an average user keeps open, and then consider the amount of memory and CPU consumed by each of those tabs.  To mirror these resources in a remote datacenter will always be a costly proposition.  For this reason, many RBI solutions on the market today may literally consume the entire security budget allocated for each licensed user.  As prevalent as web-based threats are today and as effective as RBI’s protection may be, no security organization can dedicate most or all of their security budget to a single technology or even a single threat vector.

To better understand the cost problem and how it may be solved, let’s take a closer look at the two most common use cases for RBI.  The first and most common use case is handling uncategorized sites or sites with unknown risk, known as selective isolation.  As mentioned before, attackers will often use a site that was registered very recently to deliver their web-based threats to victims.  Therefore, organizations often want to block any site that has not been categorized by their web security vendor.  However, the problem is that many legitimate sites can be uncategorized, resulting in unnecessary blocking that may impact business.  Managing such a policy is very tedious, and the user experience tends to suffer greatly.  RBI is an ideal solution to this problem: it lets you grant users access to these sites while maintaining a high level of security.  This situation calls for a selective use of RBI where trusted sites are filtered through more traditional means while only the unknown or high-risk sites are isolated.

The other common need for RBI is various groups of high-risk users.  Consider C-level executives who have access to highly sensitive information relating to business strategies, intellectual property, and other information that must remain private.  Another common example is IT administrators who have elevated privileges that could be devastating if their accounts were compromised.  In these scenarios, organizations may look to isolate all of the traffic for these users, including even sites that are trusted.  Typically, this full isolation approach is reserved for only a subset of users who pose a particularly high risk if compromised.

In light of these two use cases, selective isolation and full isolation, let’s take a closer look at the cost of this invincibility-granting technology.  Let’s consider a hypothetical organization, Brycin International, which has a total of 10,000 users.  Brycin has identified 400 users who either have access to critical data or have elevated permissions and therefore require full-time isolation.  We will assume a street price of $100 per user for full-time isolation totaling $40,000 for these users.  This seems like a reasonable cost considering the elevated risk a compromise would represent for any one of these users.  Brycin would also like to leverage selective isolation for the rest of the user population, or 9,600 users.  Some solutions may require purchasing a full license, but most offer a discounted license for selective isolation.  We will assume a generous discount of 60%, resulting in a total cost of $40 per user or $384,000 for the rest of the organization.  This gives us a total price tag of $424,000 for Brycin, or an average cost of $42.40 per user.

Not only is this a steep cost for our 10,000-user enterprise, but the cost does not at all align with the value or the cost to deliver the solution.  The 9,600 selective isolation users may represent 96% of the user population, but when you consider the fact that only a small percentage of their web traffic will actually be isolated – state-of-the-art web threat security stacks can detect as much as 99% of all threats, leaving 1% of all traffic to be isolated – they generate perhaps less than 20% of the isolated web traffic.  The full isolation users, while a minority of the license count, will represent the bulk of the isolated web traffic – a little more than 80%.  However, despite the fact that selective isolation users are responsible for such a small share of all isolated traffic and given the generous 60% discounted licensing, they are still by far the largest expense at over 90% of the total solution cost!  This ratio of cost to value simply will not align with the budget and goals of most security organizations.

Figure 2: The disproportionate relationship between RBI users, traffic load, and solution cost.

McAfee Enterprise has now upended this unfortunate paradigm by incorporating remote browser isolation technology natively into our MVISION Unified Cloud Edge platform.  McAfee Enterprise offers two licensing options for RBI: RBI for Risky Web and Full Isolation.  RBI for Risky Web uses an algorithm built by McAfee Enterprise to automatically trigger browser isolation for any site McAfee Enterprise determines to be potentially malicious.  This is designed to address the most common use case, selective isolation, and it is included at no additional cost for any Unified Cloud Edge customer.  Additionally, Full Isolation licenses can be purchased as an add-on for any users that require isolation at all times.  These Full Isolation licenses allow you to create your own policy dictating which sites are isolated or not for these users.

Now, let’s revisit Brycin International’s cost to deliver enterprise-wide RBI if they chose McAfee Enterprise.  As we saw earlier, despite the fact that the selective isolation users generated less than 20% of the traffic, they represented over 90% of the total cost of the solution.  With McAfee Enterprise’s licensing model, these users would not require any additional licenses at all, reducing this cost to zero!  Now, Brycin only has to consider the Full Isolation add-on licenses for their 400 high-risk users, or $40,000 – this is now the entire cost for the enterprise-wide RBI deployment.  While $100 per user still may exceed the per-user security budget for Brycin, it is now diluted by the total user population, reducing the per-user cost of the RBI deployment from $42.40 to only $4.  This is a tremendous reduction in cost for equal or greater value, making RBI much more likely to fit into Brycin’s budget and overall security plans.
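
The Brycin figures in both licensing scenarios can be reproduced with a short model. This is an added example, not part of the original article or of any McAfee Enterprise tooling; the `Group`, `summarize` and `brycin` names are illustrative, and it assumes every user browses the same amount, so a group's isolated load is its headcount times the fraction of its browsing that is isolated.

```python
from dataclasses import dataclass

LIST_PRICE = 100.0  # USD per user for full-time isolation (the article's assumed street price)


@dataclass(frozen=True)
class Group:
    name: str
    users: int
    isolated_fraction: float  # share of the group's browsing that runs in RBI
    price_per_user: float     # USD licence price


def summarize(groups):
    """Return totals plus each group's share of isolated traffic and of cost."""
    total_users = sum(g.users for g in groups)
    # Assumption (not stated in the article): every user browses the same
    # amount, so isolated load = users * isolated_fraction.
    load = {g.name: g.users * g.isolated_fraction for g in groups}
    cost = {g.name: g.users * g.price_per_user for g in groups}
    total_load, total_cost = sum(load.values()), sum(cost.values())
    return {
        "total_cost": total_cost,
        "cost_per_user": total_cost / total_users,
        "traffic_share": {n: v / total_load for n, v in load.items()},
        "cost_share": {n: (v / total_cost if total_cost else 0.0)
                       for n, v in cost.items()},
    }


def brycin(selective_price, unknown_rate=0.01):
    """Brycin International: 400 full-isolation users, 9,600 selective users."""
    return summarize([
        Group("full", 400, 1.0, LIST_PRICE),
        Group("selective", 9_600, unknown_rate, selective_price),
    ])


if __name__ == "__main__":
    scenarios = (("selective at 60% discount", 40.0), ("selective included", 0.0))
    for label, price in scenarios:
        r = brycin(price)
        print(f"{label}: total ${r['total_cost']:,.0f}, "
              f"${r['cost_per_user']:.2f}/user, "
              f"selective = {r['traffic_share']['selective']:.1%} of isolated traffic, "
              f"{r['cost_share']['selective']:.1%} of cost")
```

Passing a different `unknown_rate` shows how the traffic split moves as the share of traffic that cannot be classified changes.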

This may raise the question, “How can McAfee Enterprise do this?”  In short, as one of the most mature security vendors in the world, McAfee Enterprise has the most powerful threat intelligence and anti-malware capabilities in the market today.  McAfee Enterprise’s Global Threat Intelligence service leverages over 1 billion threat sensors around the world, reducing the unknowns to an extremely small fraction of all web traffic.  In addition, its heuristics-based anti-malware technology is able to detect many zero-day malware variants.  More uniquely, the Gateway Anti-Malware engine offers inline, real-time, emulation-based sandboxing using behavioral analysis to identify never-before-seen threats based on their behavior.  After analyzing the combined effectiveness of these technologies, we found that only a small percentage of web traffic could not be confidently identified as either safe or malicious – roughly 0.5%.  This made the cost of delivering selective RBI for Risky Web something that could be easily absorbed without any additional cost to our customers.

Remote Browser Isolation is an absolute paradigm shift in how we can protect our most critical assets against web-based threats today.  While the benefits are tremendous, cost has been a significant barrier preventing this powerful defense from becoming a ubiquitous technology.  McAfee Enterprise has broken down this barrier by leveraging our superior threat intelligence to reduce the cost of delivering RBI and then passing these savings on to our customers.

