Re-Imagining Browser Security with Trust-Qualified Browsing

Adam Maruyama

Governments, critical infrastructure providers, and commercial organizations around the world are coming to grips with a cyber threat made more acute by rising geopolitical tensions, an increasingly organized malware/ransomware industry, and the offensive applications of AI/ML. Yet these organizations often trust their web browsers – technologies that had nearly 10 zero-days in the first half of 2024 alone! – with system-level privileges while those browsers process code from websites the organization hasn’t had the opportunity to evaluate. Most organizations make this decision not because they’re blind to the risks that web browsers and malicious webcode pose, but because they’ve been forced to choose between two bad alternatives:

  • More restrictive web access policies, which decrease the velocity of business and research. These policies can also decrease employee morale and introduce additional security risks as employees turn to unsanctioned workarounds to be able to perform their basic job duties.
  • More lenient web access policies, which prioritize business outcomes over the security risks posed by the unevaluated code across 1.1 billion websites. These policies can make the enterprise vulnerable to zero-days that endpoint detection products may not effectively address as well as webcode supply chain attacks such as a recent attack on the Polyfill[.]io JavaScript library.

Given these two alternatives alone, it’s not difficult to see why most organizations would choose the deferred consequences of a breach if or when it happens rather than the immediate business impact of a more restrictive web access policy. At the end of the day, however, the decision between immediate and deferred consequences is not ideal, to say the least – particularly not for those who, eventually, will find themselves in the position of owning those deferred consequences.

Garrison developed our hardware-enforced Silicon-Assured Video Isolation (SAVI) technology to offer organizations another choice: viewing unevaluated content as an inert, interactive video stream, providing the access needed to do business while removing the risk of malicious webcode.

Last year, we placed our appliances in data centers across the world to give cloud-first and cloud-native organizations the ability to inoculate themselves against the same risk.

Today, we’re excited to introduce Garrison Trust-Qualified Browsing™ (TQB), a game-changing platform that provides not only our best-in-class web isolation capability, but also a browser-enforced SaaS enforcement mechanism to ensure that only your most trusted websites are able to run code on your endpoints.

In addition to the best-in-class ULTRA hardware-enforced remote browser isolation (RBI) service, TQB introduces two new additions:

  • The Trust Boundary Engine, a SaaS application used to manage the Trust List of sites that your organization explicitly trusts. More than a standard allow list, the Trust List contains only the domains that your organization trusts to run natively on corporate endpoints, with all the system privileges that native presentation brings. The Trust Boundary Engine also gathers telemetry to allow your security team to continuously monitor and adjust your web browsing risk profile.
  • The Garrison Citadel™ extension, a Chrome and Edge extension for your organization’s endpoints that ingests and enforces the Trust List. Because Citadel is hosted on your endpoints, it understands what we call the “web bill of materials” – the dependent resources from other sites that are needed to display the site in question – and can automatically allow them in, while forwarding all other browsing activity to Garrison ULTRA.

I’ve previously likened web browsing to a private dwelling where, for fear of missing out on important guests, we just let everyone in unless they look explicitly bad. TQB provides a better way – a central events manager to create a concise guest list in the form of the Trust Boundary Engine, a trusted doorman who also lets in “plus ones” in the form of the Citadel extension, and a robust video doorbell to let you interact with all the other “would-be” guests in the form of ULTRA – without having to realize that your guest trashed your place or stole your valued possessions on their way out.

If you’d like to learn more about the details of TQB and how it helps to secure your systems, please see our in-depth white paper. Or if you’re convinced and would like to join us for a free trial during TQB’s early access period, sign up here!