Like the threat landscape itself, web gateways have changed over the years. Back in the 1990s, organizations primarily used them to prevent employees from wasting time surfing the web – or worse, from visiting gambling, adult and other unauthorized websites. Today web gateways do much more than enforce regulatory compliance and HR policies. Whether they are implemented on-premises or as cloud-based services, organizations rely on web gateways to thwart Internet-borne threats delivered through users’ browsers.
But while traditional web gateways deliver basic security against cyber-attacks, they are no match for today’s advanced threats. Organizations today augment their web security defenses by deploying isolation technologies to “air gap” the corporate network from the Internet to eliminate the risk of malware.
Web gateway shortcomings
Web gateways have benefits, but over-reliance on them is putting data, users, customers, organizations and reputations at risk. Reasons for this include:
- URL filtering is behind the curve – Because of the sheer number of websites (some of which are very short-lived), and since no detection-based approach is 100% accurate, it is inevitable that some websites are misclassified or cannot be classified. This opens the door to new malicious sites, especially since many enterprises allow access to uncategorized sites.
- “Safe” websites infect visitors – The belief that infections occur only through websites that are categorized as suspicious or malicious is false. So-called safe websites often aggregate and serve content from other sources over which they have little or no control.
- Blocking uncategorized websites reduces end user productivity – Not only is this intolerable for many (or perhaps all) end users, but security teams are also forced to deal with support tickets from users who legitimately need to access information.
- Malicious files can’t be stopped – While some web gateways integrate antivirus engines and other file scanning services, these are not effective in detecting zero-day attacks. Leveraging sandboxes is also ineffective, as these require time to run and analyze files, and malware has already learned to evade them.
- Web gateways cannot neutralize malware – Web gateways only analyze network traffic and not what users are doing. As such, gateways have a hard time differentiating between legitimate and malicious traffic, and detecting and neutralizing malware on infected machines.
Isolation – The new approach to threat prevention
So how do you combat cyber villains who are constantly finding new ways to get in? To battle zero-day attacks and other vulnerabilities targeting end-users, information security architects should consider augmenting web security with isolation technologies to address the risk of malware infections.
Isolation is based on the concept of creating an “air-gap” between the web and users, to eliminate the possibility of threats reaching devices. Recent developments in the field allow enterprises to integrate this technology with web gateways without requiring any endpoint installation. All web requests are proxied to the isolation platform which executes and renders web sessions remotely in a secure environment on behalf of users, and only a safe visual stream is sent to users’ browsers.
According to recent research by Gartner, attackers mostly target end-users by serving malicious content that leverages browser vulnerabilities. However, with isolation, because all content is executed away from endpoints, users are completely protected from malicious websites.
Unlike the detection-based approaches used by web gateways, isolation avoids the decision-making process of telling good from bad, and prevents malicious content from reaching the end user. When working through a network-based, agent-less isolation platform, employees will have more freedom to access websites and documents without the risk of infection from an accidental click on a not-so-friendly link.
In addition to eliminating threats and attack surfaces, with isolation IT won’t need to deal with the overhead that comes with traditional web gateways. Isolation doesn’t create false negative alerts and security teams won’t need to waste time on unnecessary investigations. Isolation technology can allow access to uncategorized sites without risk, and eliminate support tickets requesting access to unclassified legitimate business sites – a daunting task for every security organization.
Isolation can maintain a consistently effective security defense against ransomware, phishing, and malvertising, to name a few. Notably, malware threats, reaching nearly 500 million in volume in 2015, are prevented because of the “air gap” between end-users and the web attack surface. Attackers cannot leverage zero-day exploits and Flash and Java vulnerabilities since all attacks detonate in a remote secure environment.
The future of web gateways
Gartner estimates that by 2021, 50% of enterprises will leverage isolation to reduce the impact of attacks, up from less than 5% in 2016. What’s more, organizations that isolate web browsing will experience a significant reduction in attacks that compromise end-user systems.
We are already seeing organizations adopt isolation technologies and integrate them with existing web gateways, and we can also expect isolation platforms to continue to evolve and eventually replace traditional web gateways. While gateway providers may try to develop isolation capabilities in-house, this is a large commitment that will take years to accomplish properly and won’t solve the breaches infecting users right now.
Detection-based solutions and secure web gateways are far from being 100% effective in stopping breaches. But if breaches are isolated, they can be contained in ways that don’t leave a mark on enterprises.
Fireglass allows users to click with confidence from any device by eliminating malware and phishing from web and email with no endpoint agent. Organizations protected by Fireglass maximize user productivity while solving the operational overhead and complexity of web gateways through true isolation, where all traffic is executed remotely and does not reach the corporate network. Deployed at Fortune 500 companies, Fireglass was founded by network security leaders and military intelligence veterans.