Enterprise Browser

In the not too distant past, security teams used in-house firewalls to inspect all network traffic and block calls to malicious URLs. This worked well when most devices were connected to a controlled network. Security was all about having strong defenses at the network’s edges to block unauthorized access and keep an eye on threats. Then we used always-on VPNs to tunnel traffic from roaming devices through the corporate firewall.

Fast forward to today: everything is TLS encrypted and can’t be inspected without decrypting/re-encrypting all traffic at the corporate firewall. Even if you do that, employee devices are now scattered across different networks and depend on real-time (latency-sensitive) communication tools (Zoom, Teams, etc.), which makes the always-on VPN a non-starter. As a result, roaming devices are allowed unfettered internet access.

The growth of URL attacks

URL-based attacks have become a big threat, taking advantage of the difficulties in checking encrypted traffic and the mobility of modern work devices. This includes stuff like:

  • Phishing: Tricking users with fake URLs to get sensitive info.
  • Malware Delivery: URLs leading to sites that automatically download harmful software.
  • Command and Control (C2): Attackers using URLs to communicate with infected systems, often through encrypted channels.

Threat actors are getting better at avoiding sandboxes, only serving malicious content to some site visitors (filtering out traffic from sources like Proofpoint, Mimecast, and other threat intel shops).

Where network defense is heading

  1. Companies assert close control of employee web browsers
    • By adding security features directly in browsers, URL requests can be checked and filtered before they hit the network, catching threats early
    • This can protect against phishing and harmful URLs in real-time, no matter where the user is located
    • “Shadow IT” becomes visible to company administrators
    • Can be achieved either via a mandatory browser plug-in or a mandated enterprise browser like Island
  2. Endpoint security evolution
    • EDR tools are used pretty much everywhere, but most don’t inspect network traffic - they tend to wait for a malicious payload to be executed before taking action
    • There is an opportunity for EDR vendors (especially those who live in the kernel) to fill the void and start doing URL filtering.
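
The in-browser check described in item 1 above, sketched as the decision function a managed browser extension could run on each navigation before the request leaves the device. This is an added example, not code from Island or any other vendor; the policy lists, domain names and function names are hypothetical, and the sample data is constructed.

```javascript
// Added example: per-navigation URL decision inside a managed browser.
// All names and policy entries are hypothetical.

// Constructed sample policy (not real threat intel).
const POLICY = {
  blockedDomains: ["login-portal.example", "cdn.malware.example"],
  sanctionedDomains: ["corp.example", "zoom.us", "teams.microsoft.com"],
};

// True if host equals domain or is a subdomain of it (label-boundary match,
// so "notcorp.example" does not match "corp.example").
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns { action: "block" | "allow", reason, host } for a raw URL string.
function evaluateUrl(rawUrl, policy = POLICY) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: lowercases host, punycodes IDNs
  } catch {
    return { action: "block", reason: "unparseable", host: null };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { action: "allow", reason: "non-web-scheme", host: null };
  }
  // Strip a trailing dot so "evil.example." cannot sidestep the list.
  const host = url.hostname.replace(/\.$/, "");
  if (policy.blockedDomains.some((d) => hostMatches(host, d))) {
    return { action: "block", reason: "blocklisted", host };
  }
  if (policy.sanctionedDomains.some((d) => hostMatches(host, d))) {
    return { action: "allow", reason: "sanctioned", host };
  }
  // Allowed, but reported so administrators can see unsanctioned ("shadow IT") use.
  return { action: "allow", reason: "unsanctioned", host };
}

// Summarise unsanctioned hosts from a batch of visited URLs for admin reporting.
function shadowItReport(urls, policy = POLICY) {
  const counts = {};
  for (const u of urls) {
    const r = evaluateUrl(u, policy);
    if (r.reason === "unsanctioned") counts[r.host] = (counts[r.host] || 0) + 1;
  }
  return counts;
}
```

Because the decision runs on the endpoint against the parsed URL, it does not depend on which network the device is on or on decrypting TLS in transit.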

TLDR: It’s difficult to conceive of a future in which companies don’t need a security presence in all employee web browsers. If you are responsible for securing corporate data, you should update your risk register and plan accordingly.