Why JPMorgan, Amex, HSBC are backing ‘isolation’ web browsing
Though hackers get more sophisticated every day, most cybersecurity attacks start the same way they always have: Someone clicks on a link they shouldn’t have.
Often users are tricked by phishing emails that mimic a legitimate note from the boss or a senior corporate leader. And the links and sites can look secure. According to PhishLabs, nearly 25% of all phishing sites in the third quarter were hosted on HTTPS domains — almost double the rate of the previous quarter.
And even when the phishing email is amateurish, multitasking professionals absent-mindedly click while talking on the phone, and malware rushes in.
And there are drive-by attacks, in which a visitor to an apparently legit website gets infected by malicious code downloaded onto their computer without even clicking on anything.
Humans are incapable of detecting every phishing email or vetting every element of a website. It’s not that we’re dumb, necessarily, but the signs of malicious intent are generally invisible to the human eye.
As part of their effort to deflect these attacks, some banks are turning to isolated browsing, or remote browsing, technology. Such systems force all internet activity to happen in a protected space on the cloud, preventing malicious code from reaching a company’s network. The technology is not brand new, but it is starting to gain traction as some large banks have finished their testing of it and are going public with their use of it.
JPMorgan Chase, American Express and HSBC announced Monday that they are leading a $40 million round of funding in the isolation-tech provider Menlo Security, bringing its total funding to $85 million.
The size and scope of the investment is notable.
“A $40 million round of financing is a meaningful financing,” said Rick Smith, head of private investments at JPMorgan, which began investing in Menlo two years ago. “If you look at the new investors — American Express, Ericsson, HSBC — those are all significant, meaningful organizations.”
Smith has been investing in information security businesses since 1979 and oversees all the investments JPMorgan makes off its balance sheet.
“Why? Because we’re very big believers in this new paradigm, isolation technology,” Smith said. “Isolation technology is fairly new on the field, it’s only 4 or 5 years old, and it’s only beginning to get real traction in the marketplace. Menlo is a leader in that space.”
Large financial institutions rarely go public with their investments in, and uses of, security technology. They often say they don’t want to put a target on their backs or encourage hackers to try to break any security they talk about.
In this case, Smith sees a broader good.
“It’s in the best interest of everybody in the financial services industry” to know about and implement technology like this, Smith said.
For Amir Ben Efraim, co-founder and CEO of Menlo Security, what’s unique about this Series C funding is the heavyweight financial-sector investors and partners who have been helping the company fine-tune its software.
How isolated browsing works
Using isolated browsing software is a little like viewing a zoo animal through a glass wall. You can see everything, but nothing dangerous can break through the wall and attack you.
In a bank that has implemented this technology, as soon as an employee clicks on a link, that link is opened in a protected, virtual glass box — a cloud instance run by a vendor. The experience shouldn’t look or feel different to the user, and vendors say there’s no delay. The isolation technology works across desktops, laptops and mobile devices.
“There’s no chance of your device being infected because it’s not allowed to ever connect directly to the outside world,” Efraim said. “What we do from there is mirror the session in a transparent way, and send the mirroring back to the end user, so they think it’s a native interaction. They can’t tell any of this is going on.”
Isolated browser technology can be integrated with an existing network so that all outbound requests — directly to the web or when clicking web links in email — go through the isolation platform. When an employee is traveling, a flag is set on all of the company’s end-user devices, which ensures that they connect to the web through the isolation technology.
Gartner analysts have estimated that by 2021, 20% of enterprises will adopt a remote browser solution to isolate internet browsing from enterprise systems, up from less than 1% in 2016. Such organizations will experience a 70% reduction in attacks that compromise end-user systems, they say.
Authentic8, Aurionpro, Digital Guardian, Fireglass, Light Point Security and Ntrepid Corp. all offer this technology in addition to Menlo Security.
How JPM uses it
JPMorgan, which allocated $500 million of its $9.5 billion tech budget in 2016 to security, has been using Menlo’s isolation technology for web browsing for two years.
Every time someone on JPMorgan’s network clicks on a link, what appears to be a browser pops up on the person’s computer as usual; it’s really a one-time instance in the cloud. When a user clicks on to another web page, the previous browser is thrown away and a new instance is spun up in the cloud.
“It prevents downloading of malware onto your computer because everything is done in this isolated unit in the cloud,” Smith said.
JPMorgan is in the process of rolling out the same isolation technology for email to prevent phishing.
“You get an email from somebody and it says, ‘Urgent, reset your password!’ There’s always a sense of urgency about it, they’re trying to get you go click on the link,” Smith said. “When you click on that link, if you’re not protected, all kinds of bad things can get downloaded onto your computer, including keystroke monitoring software.”
Using the Menlo software, clicking on a link embedded in an email also triggers an instance in the cloud.
Not everyone’s bullish
Al Pascual, senior vice president of research and head of fraud and security at Javelin Strategy & Research, isn’t seeing banks rush to adopt isolation technology.
“This is not new technology; there are a number of providers in the market who have been offering this for a while,” he said. “I have not heard much among our clients as far as interest in deploying.”
Asked why this technology hasn’t gained more momentum before now, Smith explained that sizable organizations tend to be conservative about making changes.
“This is protecting the core assets of a firm,” he said. “So people are very cautious about it, and they like to test things; they like to see how other people deal with such issues.”
Also, the startups that have the technology have limited sales and marketing budgets.
“It’s hard to get your message out,” Smith said. “The marketplace is so fragmented and cluttered with thousands of young companies, how do you get through the noise to get the message out?”
Pascual suspects many banks are daunted by the expense of isolation technology.
“If you think about a bank that has hundreds of thousands of employees, deploying [the software] at scale can be cost prohibitive,” Pascual said.
Menlo’s pricing is tiered with volume discounts based on the number of seats, starting at $100 per user per year. Efraim said this is in line with competing providers.
Pascual acknowledges that the technology is useful.
“Banks are being targeted by the kinds of attacks that take advantage of the fact that anyone can undertake a ransomware attack or phishing attack that’s predicated on getting an employee to click a link, or even drive-by downloads,” he said. “There are very real threats these solutions can help mitigate.”
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.