Why Browsers Are the New Endpoints — and What Security Teams Must Do About It

Introduction:

The enterprise workforce has increasingly shifted to operating within web browsers over the last decade. Today, more than 85% of work is browser-based, with employees expecting seamless access to enterprise systems — anytime, anywhere, and from any device.

With a globally distributed workforce made up of full-time employees, contractors, and third-party vendors, the concept of an “endpoint” is no longer limited to physical devices like laptops and mobile phones. While virtual environments like VDIs (Virtual Desktop Infrastructure) emerged as a solution, they’ve struggled to scale efficiently and have not delivered the anticipated reductions in operational costs or complexity.

It’s time to recognize that browsers are no longer just applications running on endpoints — they are the new enterprise endpoints. So IT and Security teams need to treat them as endpoints to secure their digital workplace.

The Browser Risk Landscape:

As browser usage has surged, so too has the cyber risk surface associated with it. Security and IT teams now face a unique and growing set of challenges:

  • Session hijacking, phishing, and credential theft remain leading threats initiated via the browser.
  • Malicious browser extensions are now a primary delivery method for malware in the enterprise.
  • Shadow AI has worsened the shadow IT problem — with many unapproved apps accessed via browsers without oversight.
  • Data exfiltration through browser-based activity often escapes traditional DLP detection, especially actions like copy-paste, screenshots, and screen recordings.
  • Data lineage tracking within browsers is extremely difficult, leaving gaps in auditability and traceability.
  • Browser patch management is a persistent challenge as multiple browsers are used across operating systems and devices, often unmanaged.

Despite efforts to secure browser workloads, the industry has not seen consistent success using traditional security tools to protect work executed within consumer-grade browsers. 

Why Secure Browsers Are the Future:

Having worked in browser security for nearly a decade, I’ve seen the challenges first-hand. At Intel, we used Intel SGX — a confidential computing technology — to secure sensitive browser operations such as digital signature validation. It was powerful, but it didn’t scale. One-off use-case protections weren’t enough to drive widespread adoption. The focus was on implementing security controls to protect mission-critical tasks inside a consumer-grade browser.

More recently, enterprises have shifted their strategy: instead of bolting on controls to Chrome or Firefox, they are adopting enterprise-grade secure browsers such as Island, Chrome Enterprise, and Prisma Access Browser. As an early adopter of secure browsers, with two successful rollouts of secure browsers across two large corporations (Snowflake and Medallia) for thousands of users, I believe this shift is a no-brainer.

Here’s why secure browsers are game-changers:

  • Enforced Access Control: You can enforce that corporate apps are only accessed through a secure browser. If SSO is enabled, routing all authentication flows becomes seamless and manageable.
  • Extension Governance: Managing apps and extensions across endpoints is nearly impossible at scale. Secure browsers enable organizations to pre-approve only trusted extensions, drastically reducing attack surfaces.
  • Group-Based DLP Policies: Instead of applying generic DLP rules across the board, secure browsers support identity-integrated policy enforcement tailored by role, department, or geography.
  • Tool Integration & Context-Aware Controls: Secure browsers can integrate with DLP and endpoint posture tools. For example, you can block a Salesforce admin from accessing critical functions unless the device meets patching and compliance standards.
  • Secure BYOD Isolation: Many enterprises do not manage employee mobile devices. Secure browsers can provide containerized browser environments on mobile, enabling limited and secured access without a full MDM solution.
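The group-based DLP and context-aware controls described above come down to one policy decision per browser action. The following is an added illustration, not code from the post or from any of the products it names; the rule set, group names, apps and posture fields are all constructed. It evaluates identity group, requested action and device posture in order, with deny as the default, and shows the Salesforce-admin case from the list: an allow that is conditioned on posture denies outright when the device is unpatched or non-compliant, rather than falling through to a broader allow.

```python
from dataclasses import dataclass
from typing import Optional

ANY = frozenset({"*"})  # wildcard for the apps or groups fields

@dataclass(frozen=True)
class Posture:
    compliant: bool        # passes the endpoint posture tool's check
    patch_age_days: int    # days since the last OS/browser patch

@dataclass(frozen=True)
class Request:
    groups: frozenset      # SSO groups of the user
    app: str
    action: str            # view | copy | screenshot | record | admin
    posture: Posture

@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset
    actions: frozenset
    groups: frozenset
    allow: bool
    require_compliant: bool = False
    max_patch_age: Optional[int] = None

def evaluate(req: Request, rules: list) -> tuple:
    """First matching rule decides. A posture-conditioned allow whose
    conditions fail denies outright (no fall-through). Default is deny."""
    for r in rules:
        if r.apps != ANY and req.app not in r.apps:
            continue
        if req.action not in r.actions or (r.groups != ANY and not (req.groups & r.groups)):
            continue
        if not r.allow:
            return False, r.name
        if r.require_compliant and not req.posture.compliant:
            return False, f"{r.name}: device not compliant"
        if r.max_patch_age is not None and req.posture.patch_age_days > r.max_patch_age:
            return False, f"{r.name}: patches older than {r.max_patch_age} days"
        return True, r.name
    return False, "default deny"

# Constructed policy set mirroring the post's examples; all names are made up.
RULES = [
    Rule("block-screen-capture", ANY, frozenset({"screenshot", "record"}), ANY, allow=False),
    Rule("payroll-copy-hr-only", frozenset({"payroll"}), frozenset({"copy"}), frozenset({"hr"}), allow=True),
    Rule("payroll-copy-deny", frozenset({"payroll"}), frozenset({"copy"}), ANY, allow=False),
    Rule("sfdc-admin-needs-posture", frozenset({"salesforce"}), frozenset({"admin"}),
         frozenset({"sfdc-admins"}), allow=True, require_compliant=True, max_patch_age=30),
    Rule("employees-view-copy", ANY, frozenset({"view", "copy"}), frozenset({"employees"}), allow=True),
]
```

Rule order matters: the group-specific allow for HR sits before the catch-all deny on the same app and action, which is how a per-department DLP exception is expressed without weakening the baseline.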

Conclusion

Insider threats remain the top source of enterprise breaches. There’s no silver bullet — but layered security and preventative controls are the best defense.

Since browsers are now where most work happens, it’s imperative to re-evaluate what browsers your employees use and how you manage them. A secure browser strategy provides the control, visibility, and protection that traditional endpoints no longer guarantee.

The browser is the new endpoint — and it’s time to manage it like one.

Generative AI Strategy for CISOs

Every industry is creating its GenAI strategy to harness the power of AI. Business units within companies are figuring out their plans for adopting these technologies to grow their business. It is also great to see how the cybersecurity industry is catching up to the AI revolution. Over the last year, I have met many executives, founders and entrepreneurs who are building amazing products using the power of LLMs and GenAI to solve hard cybersecurity problems. However, cybersecurity teams, specifically CISO orgs across the board, have been reactive to the adoption of GenAI. Worse yet, their focus has been mostly in the security assessment space. That needs to change. CISOs need to be intentional about this technology and create an AI strategy for their organization so that they can truly harness the power of GenAI.

A comprehensive GenAI strategy for a cybersecurity team within a tech company should address the following domains.

  • Ship trustworthy GenAI products and services for customers
  • Protect enterprise data while adopting GenAI products within the corporation
  • Delight internal stakeholders and external customers by significantly raising the customer experience
  • Increase productivity and employee experience within the security org

1. Ship trustworthy GenAI products and services for customers

Organizations building GenAI apps, creating LLMs, or creating a platform that empowers developers to build GenAI apps need to ensure their products are built with the right security and trust from the get-go. Training data poisoning, model theft, prompt injection, AI software supply chain risks and bias are a few of the key safety and security risks teams need to address during the development of their GenAI applications. Their SDLC and/or DevSecOps processes need to evolve to proactively mitigate these risks before their apps are shipped.

Google’s Secure AI Framework (SAIF), OWASP’s AI Cybersecurity and LLM Governance Checklist or Microsoft’s AI Security Risk Assessment framework are a few frameworks that can help security and engineering teams to implement the right level of scrutiny needed during the SDLC process. These frameworks outline the necessary security controls teams need to implement to manage GenAI specific risks effectively.

Many DevSecOps and AppSec tools have enhanced their capabilities to empower developers to build trusted GenAI applications and LLM models. CISOs should have a risk-driven roadmap in place for their teams.

2. Protect enterprise data while adopting GenAI products within the corporation

Companies are adopting GenAI products and services at a breakneck pace to increase their productivity, delight their customers with new capabilities and increase the quality of their service. Security teams in these organizations need to be agile and open-minded about adopting these services. Banning these apps is not a great option: first, you deprive teams of the advantages of this technology, and second, it is not practical to determine which products are GenAI products and which ones aren’t. Almost every product and service that enterprises use today has an AI feature, at least according to the vendors.

Sensitive enterprise data being exfiltrated to third-party GenAI services and proprietary company data being used for LLM training by third-party vendors are two major risks corporations need to address while adopting any new GenAI-based service. One can argue the risks here are no different from using a SaaS product. However, that argument does not hold, because of examples like the ones below.

  1. The GenAI use cases may consume additional sensitive information that the teams are not aware of. Data retention for sensitive information can differ from that of the primary use case a service provides. For example, a video conferencing tool that had certain data retention controls for recordings and transcripts may change them when it adds interactive AI assistant features, because the AI assistant uses those recordings and transcripts to render the service.
  2. Additional corporate data can be used for training LLMs. For example, copilots from source code management (SCM) tools read code and can scan it to identify security vulnerabilities; they can now recommend fixes, or even apply them, for developers. There is a potential risk of vulnerability information landing with these SCM vendors and, worse yet, of their LLMs being trained on your corporate vulnerability data without your knowledge. This is a new threat vector that our vendor risk assessment process now needs to account for. We all know SCMs have been a major source of threats for security practitioners.

CISOs need to adopt a five-step approach to stay on top of the adoption of these technologies and tools within their organizations:

  1. Create an AI usage policy for your company in partnership with legal, privacy, procurement and IT teams.
  2. Update the vendor risk assessment process to cover unique GenAI risks and controls.
  3. Enhance monitoring of AI usage and of the activities employees carry out on these tools. Detect anomalies and deter attempts to circumvent policy.
  4. Create an allowed list of GenAI apps and their use cases which can be managed effectively.
  5. Train employees about the unique risks we are facing with these GenAI use cases and best practices they should follow to reduce the risks.

3. Delight internal stakeholders and external customers by significantly raising the customer experience

Cybersecurity teams need to constantly think about the experience their clients (internal and external) are getting during various engagements. GenAI can enhance these customer engagements to a large extent.

Vendor risk assessment, certification audits, responding to customer security and compliance questionnaires, and security posture management are some of the areas where GenAI can significantly change the UX for your external customers. By following an 80/20 rule, you can enable your customers to operate in self-serve mode close to 80% of the time. The SLA for a customer questionnaire can go from days to literally minutes.

Having been part of both engineering and security teams, I connect with developers’ and security engineers’ pain points equally. This perspective guides me to drive mechanisms where I try to find the right balance between security, scale, ownership and accountability. I cannot claim I have always nailed it, but I know what works and what doesn’t. What works is security teams focusing on empowering developers to do the right thing, enabling them to ship their features on time, and holding both parties accountable when things go wrong. It is easier said than done. GenAI can certainly empower developers to execute their security tasks, such as threat modeling, risk assessment, vulnerability triage, security testing and continuous monitoring, to a large extent.

Every CISO should determine key engagements, define KPIs to measure customer satisfaction during these engagements and implement a plan to constantly increase the customer satisfaction score by implementing GenAI based solutions.

4. Increase productivity and employee satisfaction within the security org

This is the most promising area for me personally, where I believe GenAI can have a profound impact on a security team. Every CISO works with budget and resource constraints. They want more budget, they want to hire faster, they want their teams more motivated, and they want things done faster to stay ahead of the curve. However, the reality is that it’s hard to hire top talent even with enough budget, burnout is real, some activities are mundane and demoralize security teams, and teams are not able to go as deep on certain critical areas as necessary.

CISOs can certainly harness the real power of GenAI by building tools and/or adopting products and services that use GenAI to address many of these concerns. In the last 18 months, I have seen some amazing innovations in cybersecurity tools that use GenAI across security data lakes, threat detection, vulnerability detection, cloud and on-prem security, SOC, audit evidence collection, and security awareness training. These products and features will empower security teams to prioritize better: leave the mundane work to the tooling and focus on the tasks that require their expertise.

There is no debate that GenAI is a transformational technology. There is no point debating whether it’s just hype or whether it will have real impact on the world. The wide range of domains where GenAI has demonstrated its profound impact should inspire everyone to get into the mode of exploring this technology rather than debating whether it is hype. We have seen this movie play out before with Mobile and Cloud. This time, it looks like it will be wilder, faster and bigger. CISOs need to think of themselves as the head of a critical business unit that drives growth for their companies. They have to be intentional about adopting GenAI and proactively define a strategy that covers every part of their business.