In the ever-evolving landscape of cybersecurity, SquareX emerges as a superhero product at the forefront of browser security, offering organizations a shield against sophisticated cyber threats.
As we journey through the ever-evolving landscape of enterprise and individual cybersecurity, it is clear for organizations that is it essential to stay one step ahead of malicious actors looking to exploit vulnerabilities. One such innovative solution, SquareX, has emerged as a superhero product in the market of browser security, providing a dynamic shield against sophisticated cyber threats.
At the recent RSA Conference, the founder and cybersecurity veteran, Vivek Ramachandran, shed light on the mission behind SquareX - to empower enterprises and individuals to be fearless online. The conversation with Sean Martin focuses onto the crucial role of browsers in modern-day cyberattacks and highlighted the challenges organizations face in securing this often overlooked aspect of their IT infrastructure.
Unveiling the Blind Spot in Browser Security
The dialogue between Sean and Vivek underscored the significance of addressing the blind spot that browsers present in the cybersecurity posture of organizations. While traditional security measures such as firewalls and web gateways play a vital role, they often fall short in detecting and mitigating threats originating from the browser.
The Power of Managed Browsers and Browser Extensions
Vivek emphasized the importance of deploying managed browsers as a foundational step towards enhancing visibility and control over browser-based threats. SquareX's browser extension acts as a vigilant guardian, monitoring every tab and window for anomalous activities and potential security risks.
Real-World Impact: Stories from the Field
Vivek shared compelling anecdotes of how SquareX has made a tangible difference in fortifying organizations against cyber threats. From preventing data leakage through unauthorized file uploads to thwarting sophisticated social engineering attacks via malicious documents, SquareX proved its effectiveness in identifying and neutralizing threats that evaded traditional security measures.
Elevating Browser Security with Cutting-Edge Technology
SquareX's innovative approach to browser security leverages AI vision and in-browser macro analysis to detect and block malicious activities in real-time. By providing detailed visibility into browser-based threats and streamlining post-incident forensics, SquareX equips organizations with the tools needed to proactively defend against evolving cyber threats.
The Path to Enhanced Cyber Resilience
In conclusion, the discussion between Sean Martin and Vivek Ramachandran encapsulates the essence of proactive cybersecurity measures in today's threat landscape. By embracing solutions like SquareX and prioritizing browser security, organizations can bolster their cyber resilience and safeguard their digital assets against sophisticated adversaries.
As we navigate the digital frontier, the importance of browser security cannot be overstated. With SquareX leading the charge as a superhero product of cybersecurity, organizations can embark on a journey towards a more secure and resilient future online.
Cheers to the new hero!
Learn more about SquareX: https://itspm.ag/sqrx-l91
Note: This story contains promotional content. Learn more.
Guest: Vivek Ramachandran, Founder, SquareX [@getsquarex]
On LinkedIn | https://www.linkedin.com/in/vivekramachandran/
Resources
Learn more and catch more stories from SquareX: https://www.itspmagazine.com/directory/squarex
View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story
Presenting The Superhero Product for Browser Security at RSA Conference | A Brand Story Conversation From RSA Conference 2024 | A SquareX Story with Vivek Ramachandran | On Location Coverage with Sean Martin and Marco Ciappelli
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
[00:00:00] Sean Martin: Okay. Alright, here we are, we are at RSA Conference, Vivek. You made it. A long journey. And a long flight. Long journey for Square X to get to this point, right? Absolutely. After a long flight to get to San Francisco, it's great to have you here. I really enjoyed our chat the other day. And I'm excited for, uh, for our deeper dive.
We, we got the origin story of SquareX the other day. And I want to get into more of some of the issues that organizations are facing. And how SquareX can actually unfold and invigorate a secure browsing experience for folks, right? That's what we're going to talk about today. So thanks everybody for joining us.
I'd like to introduce Vivek from SquareX. Maybe a few words, Vivek, for those who didn't hear the last one. Go listen, but who is Vivek? What are you up to?
[00:00:53] Vivek Ramachandran: So, thank you so much for having me on the show. Super excited, I guess, you know, me, the rest of the team, everyone. Uh, I think putting a booth at RSA is no easy feat.
Right. And especially when you're already, you know, jet lagged, 16 hour time difference with Singapore. So, hopefully I'm still wide awake and I'm going to give you a great answer. Thanks.
Yeah, super excited. Uh, I'm Vivek Ramachandran. I've been in cyber security for the past 20 years. 10 years as an entrepreneur.
Uh, built multiple companies and sold them. And, you know, now here we are, SquareX. Be fearless online. That's really our vision for enterprises and individuals.
[00:01:30] Sean Martin: I love that, uh, I love that mission. It's an important one. And I have to say, you and your team have been amazing to work with. And I hope you're having some great conversations out on the show floor.
Let's, um Let's take a step into what some challenges are. I think, clearly organizations are trying to figure out how to make the most of their investments in IT. And they're trying to build security in anywhere and everywhere they can. Which is not an easy feat, right? Absolutely. And there's one, one part of the business that gets used by everybody.
For a lot of business processes. The browser. Yes. Right? Right? And oftentimes it gets left off to the side from a security perspective. So what, what are some of the challenges you're, you're hearing from customers as, as you're engaging with them? Looking at, oh, let's start with the threats first, maybe.
Yeah. How are they viewing those?
[00:02:26] Vivek Ramachandran: Yeah. So I think, you know, you bring up a great point. The browser is the most used enterprise application today, but the least secured one. And if you think about it, you know, your average employee is spending over 90 percent of time in the enterprise. On the browser, using SaaS applications, you know, both internal and external, and also doing a lot of his personal work because, hey, we are in the world of hybrid work.
And this is really where what organizations have realized is now attackers are targeting people when they're online and a lot of attacks pretty much live and die within the browser. So I'll give you some examples. So imagine a spear phishing attack where you know someone goes ahead and sends emails to your entire sales force.
Uh, having them click goes to a Salesforce replica website, which is a phishing site, and those credentials get stolen. Now, at this point, your endpoint security absolutely has no clue. No visibility into that. Exactly. No visibility. Uh, your cloud security gateways, unfortunately, also don't help most of the time.
And this has become a very big blind spot for organizations, where finally, the way the attack is discovered is the credentials end up getting used. Data gets leaked and they're like, Oh, Rob, what did you do, right? Where did you kind of, you know, give these credentials out and the employee doesn't remember or doesn't want to remember, right?
[00:03:52] Sean Martin: So you mentioned a couple of different applications there, but let's paint that picture for, for folk. I'm sure people watching and listening probably have a sense already, but I mean, Salesforce, CRM, ERP, um, accounting software, lots of stuff. That's the browser. Right? Right. So, how do organizations, I guess my point is, all this stuff is there.
Are they not able to get a view of that in any other way? You mentioned firewalls and web gateways and things like that. You think they have some visibility but that's not true, right?
[00:04:27] Vivek Ramachandran: Yeah. So I think today what organizations are doing is, you know the SAAS SSE space has this component in there called secure web gateways.
and a lot of larger organizations are using them. But what are secure web gateways, right? SWGs, as they're called, are really SSL intercepting proxies. And what they end up doing is all your organization's web traffic ends up going there. They try to go ahead and monitor just looking at network traffic of HTML, CSS, and JavaScript.
And they're trying to infer application lier attacks. So, you're already seeing that this is bound to fail. Now, when these things were invented, you know, a decade back and beyond, at that point in time, you know, websites were simpler, browsers were simpler, applications were simpler. But in today's, you know, world where you have progressive web apps, rich apps, you know, thin clients and whatnot, I think SWGs, unfortunately, are failing in a very big way.
Uh, first of all in detecting, you know, most client side attacks like UI redressing and whatnot. And one of the things that our team has discovered and we plan to put it out at DEF CON and Black Hat is really last mile reassembly attacks where attackers could go ahead and even obfuscate, you know, regular malware, sites that these SWGs have been detecting for over the past decade, and smuggle all that in, uh, completely breaking down those defenses.
Interesting. So, through the browser.
[00:05:59] Sean Martin: Everything entirely through the browser,
[00:06:01] Vivek Ramachandran: because the browser is a computing machine today.
[00:06:03] Sean Martin: Yep. So, talk to me a bit about, I don't know what's next. Maybe, I always look at the operation. To have that view in the security team, you need to partner with other organizations, right?
So, HR and finance and whatnot. Putting the controls on some of these applications through the web browser requires an understanding of how they work. Work to some degree, I would imagine. And doing, applying the configurations and the controls in a way that enables them to do what they need to do. Right.
But monitors for the bad activity, I guess is the best way to put it. So how do, how do you work with organizations to make that connection for them?
[00:06:52] Vivek Ramachandran: Yeah, great question. So I think almost all organizations end up using, you know, chromium, safari Edge, one of these browsers. And what organizations can do is convert them into managed browser.
And what that allows them to do is centrally go ahead and, you know, push policies on the browsers, extensions, and things like that. Now, today's state of the art is pretty rudimentary, so you can block some stuff, install some stuff, and that's about it. Uh, but as an example, if they worked with somebody like SquareX, what they can do is deploy a browser extension.
And that browser extension ends up monitoring every tab, every window that you're opening in the browser. Okay. Looking at DOM events, which is You know, on a browser, every single website is represented as a hierarchical data structure called DOM or Document Object Model. But by monitoring changes to the DOM, by monitoring changes to the browser events, irrespective of whether it is Salesforce, Google Apps, you know, your Azure, uh, you know, kind of like online, you can go ahead, deeply integrate, and understand what is happening in each of these applications.
And that way When finally an attacker is pushing you a phishing site, a spear phishing campaign, uh, you know, a multi channel campaign where he's trying to have your employees download ransomware, we can go ahead and detect those minute changes, classify them as malicious, because we are running detection algorithms in the browser itself, and then block that automatically.
So the best part is, it's as easy as just deploying, and detecting and blocking the attacks. Okay.
[00:08:30] Sean Martin: Can you give me A couple of scenarios of some things you find, I'm picturing anomalous activity of some sort, so some, some change in the structure of the, of the data or some insertion of something. What, what is it you're looking for?
Good question. Maybe describe it in a way that security analysts or a security program manager can relate to it and say, Ah, now, now I know what they're talking about.
[00:08:53] Vivek Ramachandran: Yeah, absolutely. Great question, right? So I'll take an example of a standard, you know, phishing website. So let's say, you know, your organization is being targeted and someone has created a phishing replica of salesforce.
com. Now that identity looks like salesforce, and now when your user is on that website, here is what we are doing. So the first time your user ever logged into salesforce, we learn how salesforce looks like. We basically even go ahead and create a k anonymity hash of the credentials that you're entering.
[00:09:27] Sean Martin: Kind of like a fingerprint.
[00:09:28] Vivek Ramachandran: Yes, so it is basically a fingerprint of the site and fingerprint of your credentials. Now, the next time an attacker is going ahead and sending you a phishing site, and you open up something which looks like salesforce. com, what we end up doing is we actually run OCR and image detection algorithms in the browser itself.
And that scans the canvas and says, you know what, this looks like a known brand Salesforce, but the URL isn't Salesforce. So based upon that, we immediately block access.
[00:09:58] Sean Martin: Image based and then renders to
[00:10:01] Vivek Ramachandran: Exactly. So, I mean, you know the best way we can describe it is, AI vision built into the browser itself, Ok.
and the moment we see that batch is a brand that your organization uses as a SaaS website, we can immediately detect and block it. Not just that, we can send that back to your enterprise portal, and do auto remediation. So the next time any of your employees is kind of targeted by the same bad actor, even before they open the site, everything gets blocked.
Okay.
So
[00:10:33] Sean Martin: is that a, is that a fingerprint based policy then?
[00:10:37] Vivek Ramachandran: Yeah, that's a, that's a great question. So what we do is, you know, once let's say we are deployed in an organization, uh, you know, from their, you know, Octa or whatever they are using to single sign on into all the enterprise apps, we can automatically create that list of enterprise apps.
Okay. And on our server side, we go crawl them and we create a machine learning model which understands and captures the fingerprint essentially. Okay. And now that gets deployed on every browser of every employee in your organization. So this way we already know. Match it with the credential one as well.
So based upon that we already know what our known good websites look like for your, you know, internal portals. And any time there is a deviation, where a bad actor is trying to get you to a phishing site looking like something similar to that, we can automatically detect and block.
[00:11:30] Sean Martin: Very cool. So, this, the image, so I guess once you have that, the fingerprints, the fingerprint.
Right. So there's not much impact on the user experience in that sense.
[00:11:43] Vivek Ramachandran: Absolutely. That's a very good question. So, you know, what we do is if you look at an average browser. I mean, people have 2025 tabs open with one active tab. Yeah. I mean, all of us are guilty of that. And that is really where, you know, by deploying our algorithms as web assembly and wasm or web assembly is a technology which allows you to kind of run heavy duty code, but with native speed with very little, you know, to almost zero penalty on the user experience and the browser at the very same time, what modern browsers do is for your inactive tabs.
They start putting those threads to sleep. So, in reality, the sheer amount that you're monitoring is a lot less than what one would believe. You know, pure face value. Interesting.
[00:12:29] Sean Martin: So, one of the things that comes to mind for me is the fact that nothing is static. Yeah, absolutely. So that fingerprint is there for, I don't know, maybe that instance and the instances we don't really know what that is. So, how do you keep up with that?
[00:12:58] Vivek Ramachandran: So, what we do is as we detect changes, we start learning those changes and we make sure that we sync it across the organization.
[00:13:04] Sean Martin: So,
compromise of an app then. Yeah. So how do you do it? There has to be some analysis of the change made to recognize that it's not a legitimate new refresh from Salesforce or whomever. And that it has been compromised by, or I mean we can look at, maybe it's not a web app, but SolarWinds is a compromised thing we all trust, right?
So I'm just wondering from a browser perspective, how do you make that assessment?
[00:13:41] Vivek Ramachandran: Yeah, that's a very good question, right? So, as you can imagine, you know, just by looking at a website. It is impossible for us to immediately figure out what change is good or bad. But if you think about it, finally when an attacker is injecting his malicious script, his primary intent is to steal something from the user and send it back to him.
Okay. And really that is what we are looking at. So it's the activity, got it. Exactly. So the idea is that anytime we think that there is malicious activity, where now for some odd reason, Salesforce is, you know, opening up a screen or something, Which is really sending forum data back to a third party website.
We immediately know something is fishy over here. So, finally, for the attacker to get something useful out of the victim, he has to go ahead and expose, you know, something which sends back to his server, something where he's probably loading it from, you know, a third party. So all of those telltale signs allow us to figure out that, look, you know what, this isn't really Salesforce.
Salesforce. And this is probably something injected into Salesforce, which is trying to fish, trying to probably get the user to a third party website. And all of that is really what an algorithm can detect.
[00:14:55] Sean Martin: So, talk to me about the team now. Because I think log and organizations rely on the firewalls and the gateways and the filters and the whatever else that's usually at the perimeter, looking at the stuff coming in, maybe going back out.
Maybe, well certainly they're looking at endpoint logs, which can't always capture the, uh, the application based stuff. Um, I think we talked about on our, on our, uh, preview, that a lot of desktop or endpoint applications are actually web apps. Correct. Progressive web apps, yeah. So, um, so, to, to think that an endpoint can, can monitor all that stuff is not always accurate.
So, my question to you is The change in the way that the security team needs to think, perhaps, about this problem that they may or may not recognize that they have. Let's look at it from the program perspective. Setting up a program for monitoring, putting policies in place. How does that fit into the rest of the picture for them?
[00:16:00] Vivek Ramachandran: Yeah, that's a great question, right? So I think All security is, you know, people, process, technology. And there's a good reason we have technology as the third one, not the first one. Right? So I think without the right people with the right mindset implementing the right policies and processes, it is impossible to use even great technology well.
So this is really where I think what organizations need to do is understand that the browser is a blind spot and it is important to take that data and And enrich that with both endpoint, SWG data and all of that. And that's the way they can actually end up getting full visibility. Now, without that full visibility, all they have is the fact that an attack happened with zero source attribution to how that ended up happening in the browser itself.
So, what we've basically seen from Enterprise's perspective is really when we go and talk to people, the very first change they need to do is Go ahead and deploy managed browsers because all browsers are unmanaged. That's wild, wild west today. Good first step. That's the very first step. Because without that, you know, if you deployed, you know, a Square X or any other extension, it should even monitor and do things.
You know what? A rogue employee could end up just go ahead and disabling that. And for larger organizations, insider attacks is a very big problem today. So, I feel like, just like you have managed endpoints, it is important to recognize that you need to have managed browsers. That transition is actually very simple to do, because all modern browsers are literally super easy to go ahead and convert into managed browsers.
Once you do that, you can deploy us, uh, and then you start to get all of that, you know, absolutely rich Intel data as to what your employees are being targeted with online. And once you enrich that. You know, with endpoint security data, you have full visibility of how attackers are actually targeting your organization.
Okay.
[00:17:58] Sean Martin: Give me, give me a case, a use case, a story from a customer where Square X has made a positive impact on their program. Either identified a threat or an attack that maybe didn't get caught in some of the other places.
[00:18:15] Vivek Ramachandran: So, so I'll give you two internal examples. Okay. Uh, interesting examples. One is, uh, you know, we are working with a very large consumer company right now, which is very heavy on intellectual property.
And their biggest concern has been that a lot of times their employees end up uploading documents sometimes by mistake to their personal Google Drive and not to the company one. Now, we know how rudimentary, yeah, I mean, you know, we're guessing hopefully that was an honest mistake. Right. Yeah. And we know how rudimentary DLP is when it comes to just looking at basic patterns and things like that.
Now, unfortunately, a large part of the browser is completely unmonitored, and this is a very easy way to actually go ahead and evade a lot of DLP today. So they came to us and they said, Wik, how can you help us? How can Square X help us? So what we do is, because we are a browser extension, we monitor events.
One of the events that we can monitor is actually file uploads as well. So, what we do, the moment we see that the user is trying to upload a file, the enterprise can apply a policy where they basically say that, look, either all files can only be uploaded to, you know, our Google Drive or our OneDrive, block everything else.
So, the very first week, they had us just monitor and not block, so that they could actually find folks, you know, who were repeat offenders. So, you know, then these folks were sent emails to and said, you know what, this is something you're doing wrong training. Yep, exactly. And the very next week they basically had us also apply block so they could identify people who were still doing it.
Okay. And, you know, that started fixing the problem internally. So this was an, you know, internal facing issue that they had when it came to browser based, you know, data leakage from the organization.
[00:20:05] Sean Martin: Again, another gateway you'd expect. Exactly filtering or monitoring.
[00:20:09] Vivek Ramachandran: Exactly. The other was, you know, kind of like outside in where what was really happening was sales team members were actually being targeted with ransomware and we know today how painful a ransomware attack can actually get.
So the organization was having difficulty in figuring out how the ransomware bad attackers were actually targeting these folks. Now, when they went to the sales team and said, Hey, Rob, Bob, Mary, you know. How do you actually download this malicious document? None of them remember. And then that is, and at the very same time, even if they do, I guess no one wants to take responsibility.
So this was a very big, uh, you know, kind of a problem for them because the admins were just going back and back, you know, blocking that malware, going to the company employees, getting no answers. So once they deployed SquareX, they immediately figured out that what was happening was. This was something very, very crazy.
On LinkedIn, someone was going ahead and pretending to be a recruiter, where they were approaching many of these sales employees saying that, you know, one of the biggest competitors was willing to offer them twice the pay. And ideally, they should kind of immediately do an interview and the document has details about like what the interview process looks like.
Now, now tell me how many employees would not open that document?
[00:21:39] Sean Martin: Just
[00:21:40] Vivek Ramachandran: out of curiosity even. Exactly. So, that document actually had a malicious macro, so that when you download and open it up, the macro executes, and it would download and execute the actual ransomware. Right. So, once they deployed SquareX, because we have tight integration to many websites, we were immediately able to say that on LinkedIn, Multiple employees were getting DMs from a user called Jake with this fake profile as a recruiter in the Bay Area.
And that was the malicious attachment which was getting downloaded.
[00:22:15] Sean Martin: Right.
[00:22:16] Vivek Ramachandran: So, yeah.
[00:22:18] Sean Martin: And so they were then able to set a policy that did what?
[00:22:23] Vivek Ramachandran: Exactly. So post that, what they were able to do, a policy is immediately block DMs coming in. From the malicious, you know, kind of like profiles. Okay, and because we can actually have a
[00:22:34] Sean Martin: specific profile.
[00:22:35] Vivek Ramachandran: Yes So what we can actually do is given we understand the layout of the content It is possible to apply specific policies at least for certain social media websites, okay, because we deeply understand how they work the second policy that they applied is Anytime that an office document or is getting downloaded if it has a macro And we suspect that it is malicious because we can do in browser macro analysis, then to immediately block.
And one of the things that we additionally do is what we call acquire. So a lot of times when endpoint security ends up blocking a file, you're scratching your head and saying, well, what file was it? Right? Could I not have access to it where I can look at it? So one of the things we've built in is acquire and what that does is when we block, we automatically also upload the sample back to the cloud.
Where you can now view that in an isolation pod. Where you can detonate, open up the document, and do all of that. So literally post forensics is something we end up integrating. Uh, when it comes to, you know, our product. Interesting.
[00:23:41] Sean Martin: Interesting. So a lot of information there. I think the, the key for me, obviously, is first the visibility.
Right, what's going on. Absolutely. And then the ability to put a policy in for control. Um, Final word as we, I think we're, I think we're about to wrap here Vic. That's um, I mean great, great stories from the customers. Is there anything, anything you want folks to know that we haven't talked about yet? In terms of getting started with SquareX and working with your team.
I mean, you have a great research team, great R& D team. Um, clearly building great solution for folks. Um, talk to me about the engagement and the conversations and how folks. So,
[00:24:25] Vivek Ramachandran: so I think, you know, what we love to do is kind of go in and tell people, go deploy SquareX for an entire month. No obligation and see the visibility that you're getting.
You don't need to deploy any blocking policies, any mitigation policies. Interestingly, what ends up happening is literally in a week's time we get called back and they're like, Hey, you know what? We never knew that these kind of attacks were happening. And this scares us today because you know what? One of them could actually go successful and we could get hacked.
So people immediately come back within a week's time and tell us, Hey Vivek, we can see all of these attack graphs. We can see that multiple people are getting attacked. How do we resolve it? And that unseen stuff. Exactly. Unseen stuff. Exactly. Because look in security, if you don't have visibility, you as an organization, as a CISO, as a head of security can't take decisions.
So I think giving visibility is the first thing we do. And I think customers love that. Then they come back to us and say, you know what? Now tell us how we can block it. And that's the way we've kind of like done all our engagements.
[00:25:31] Sean Martin: I love it. I love it. Well, Vivek, it's been, been a pleasure chatting with you and I appreciate you telling the original origin story for SquareX and allowing me to dig a little deeper and understand how it works, how companies are using it and the benefit they're getting from it.
Um, obviously I would encourage everybody to connect with you Vivek on LinkedIn. No funny business there. And if you have Squarex, it won't matter. Get the visibility. Get the visibility to start and, uh, from there you can actually take action, so. Thank you everybody for listening to this story from Squarex and Vivek and I hope you all have a great RSA conference and, uh, get some clarity.
Get some visibility. Thank you everybody.
[00:26:12] Vivek Ramachandran: Thank you so much for having me on the show. I mean, it's been an amazing discussion. Both the first time when we talked about the origin story And now when we've kind of unveiled, you know, kind of the superhero product. I know. For browser security at RSA.
[00:26:24] Sean Martin: Gotta protect the browser.
thank you so much. Thank you. Cheers everybody.