Remote Browser Isolation: Taking One for the Fraud/AML Team
Research shows that financial services firms encounter 300 times more cybersecurity incidents – most of them browser-related – than companies in other industries. Web-borne threats and browser exploits pose a particular challenge for due diligence researchers, fraud analysts and anti-money laundering (AML) specialists, whose online activities frequently put them at high risk.
How can financial firms protect their teams better online? Setting up a “dirty box” somewhere in a corner or relying on a slow and hard-to-maintain Virtual Desktop Infrastructure (VDI)? One increasingly popular solution: outsourcing the risk with compliance-ready remote browser isolation.
Financial services organizations face escalating and evolving risk due to cyber attacks, online fraud and money laundering schemes. This has led to increased scrutiny and pressure from regulators. This dynamic poses a particular challenge for risk management and cybersecurity teams in the financial sector. Dealing with an acute IT talent shortage and having to rely on outdated tools, financial firms are expected to ensure regulatory compliance and minimize risk when employees access the web.
The Verizon Data Breach Investigations Report (DBIR) is considered one of the most comprehensive resources on the state of IT security. Its 2017 edition reflects how adversaries have shifted their focus to the weakest link in the IT security perimeter fence of financial services firms – the local browser.
Web app exploits, for example, accounted for only 31 percent of data breaches analyzed back in 2014. Now they make up 76 percent of investigated attacks. The inherent security weakness of the web’s architecture has led attackers to zoom in on regular browsers as their primary gateway to infiltrate the IT infrastructure in banks and financial services firms.
At-risk group: fraud analysts and AML investigators
According to estimates by the Boston Consulting Group, banks have paid $321 billion in regulatory fines since 2008. At the same time, they have only been able to identify and vanquish a small number of the criminal transactions threatening the global financial system.
The financial services professionals tasked with Bank Secrecy Act (BSA) and AML compliance are among those in the industry most exposed to web-borne threats. They rely on the internet for business intelligence, fraud prevention and AML investigations. For them, the browser is a primary research tool.
This group includes analysts conducting basic KYC (“Know Your Customer”) and EDD (“Enhanced Due Diligence”) research, compliance managers pulling regulatory news and updates, and fraud and AML teams conducting investigations on the web.
Without proper protection when accessing the web, such activities put the organization at risk. At the root of the problem is the inherent vulnerability of local browsers and the web architecture they are based on.
Additional security layer for BSA/AML tasks
What makes the regular browser such a risky tool, especially for fraud and anti-money laundering investigators?
Browsers were designed in the 1990s as a tool to request page data from remote hosts and arbitrarily execute the payload. As the web has increased in sophistication and reach, the browser’s architecture has become a liability, opening the door for malicious software to breach the network and infect hosts.
Browsers are designed to fetch code from the web and execute it on the local computer. This web code includes images and text, cookies and other trackers that monitor the user’s online activity, and active scripts that process content from a variety of sources. This code remains on the system even after the web session ends.
The basic interaction model of the web has created an environment where a simple page view request from a local browser can lead to system exploits and data egress. The web code now sitting in the local cache may contain malicious code that can track keystrokes, identify and record locally connected devices, help attackers take and refine a “digital fingerprint” of a user or group of users over time (even if they’re working from a variety of local and mobile devices), and more.
One common way for banks to counter these web-borne threats is to set up a “dirty box” or “danger web” for their fraud and AML investigators. This is usually a computer not connected to the local network. It needs to be wiped clean and reconfigured from scratch after each web session, a cumbersome process that often slows down critical online investigations.
Remote browser isolation provides an alternative that maximizes security with minimal cost and disruption. While the architecture of the web won’t change anytime soon, moving the location of the browser offsite creates an additional security layer needed by Fraud/AML teams.
How remote browser isolation works
With an isolated browser, all web code is executed on a remote host configured for security and data compliance. As code is rendered in the isolated environment, authorized content is converted to an encrypted and interactive display of the page and delivered to the device over an alternate, non-HTTP protocol.
Users get full fidelity access to web content. In a truly isolated browser environment, no web code ever reaches the local network or machine – only benign, secure pixels. Gartner analysts have called the remote browser solution “one of the single most significant ways an enterprise can reduce the ability of web-based attacks on users to cause damage.”
Authentic8 has pioneered this concept since 2010 with Silo, its secure remote “browser as a service”. Silo is built on a distributed cloud infrastructure and protects commercial and government organizations around the world when they access the web.
Financial services organizations deploy remote browser isolation with different policies and points of integration, based on their web access policies and the specific role of the user or group.
By isolating employees from all web-borne threats to ensure security and compliance, remote browser isolation provides fast and secure access to the – often dangerous – parts of the web that contain essential information for fraud and AML investigators.
Remote browser-as-a-service closes security gap
A recent survey of financial institutions found that 32% of respondents consider their AML and sanctions compliance program budget inadequate or severely inadequate. Even more concerning: 8% of respondents did not have a formal AML or sanctions compliance program in place at all.
Surprising numbers, given that such inaction can and does have severe consequences, as illustrated by the recent wave of investigations and sanctions imposed by regulators. Executives have been found personally liable for noncompliance and licenses are at risk of getting pulled.
Browser isolation, provided as a security service offsite by a third-party vendor, is welcomed by a growing number of banks as an opportunity to optimize security and save money at the same time – by replacing or complementing cybersecurity protections that are perceived as incomplete and ineffective.
Those options include Virtual Desktop Infrastructure (VDI) solutions, sandboxed browsers, “dirty network” setups (computers, switches and routers isolated from the corporate network and designated for interacting with high-risk web environments) or the local browser’s “incognito mode” – perhaps the least effective approach of all.
None of these methods is capable of isolating all web-borne threats, and they don’t address the problem of attribution as completely as a secure remote browser.
Using a non-attributed platform for conducting research allows investigators to prevent their identity, intent or network resources from being exposed online. The IP address of the remote host is the only identifying data exposed to the internet. Browser isolation protects fraud and AML investigators against all web-borne threats and enables them to operate on the web in complete anonymity.
With the browser-as-a-service, patching is no longer required at the endpoint. Browser versions, Flash, Java and other plugins, even core components like SSL libraries are all centrally updated and managed by the vendor.
Content is rendered and delivered efficiently on high-speed servers over high capacity networks. The complete process takes place in the cloud, with only a stream of display information reaching the endpoint.
At the same time, a secure remote browser allows analysts, researchers and investigators to capture, annotate, and store web-based research materials off-site, to avoid downloading files that contain malicious software and could infect the local IT infrastructure.
From browser chaos to compliance-friendly security
“Banks have an increasing awareness of the financial crime threats they face and can thus design responses more effectively than ever before,” Tom Keatinge, a leading financial crime expert for the British government, told ACAMS Today, the magazine for professionals in the anti-money laundering field.
Regulators have raised the bar for financial services organizations. They expect them to muster all tools at their disposal to fight financial crime. The secure remote browser is one of the tools chosen by a growing number of organizations aiming to put up a more effective response and ensure regulatory compliance.
In addition to its non-attribution capability, the secure remote browser model provides multiple security advantages as a tool for fraud and AML investigations in the financial sector:
- Improved security: The browser runs in the cloud, off the network. No cookies, trackers, or other cached data persist across sessions. Each session is built on a fresh instance of the browser.
- Reduced costs: The burden of managing the browser shifts to the provider.
- Centralized governance: A properly designed browser in the cloud provides management hooks that require only one-time implementation.
- Anytime, anywhere access for team members, without the loss of security or control.
- Web exploits are neutralized before they can touch the local IT environment – native web code never enters the corporate network.
Saving money and resources through managed security
More banks are experimenting with SaaS models in fraud detection and prevention as well as for BSA/AML-related tasks. They leverage top-notch technology for a limited set of functions, to improve security while at the same time saving money and resources through the managed services model.
Yet many financial institutions are still hesitant to entrust a third-party vendor with handling a regulatory function on their behalf. They fear the fallout from a compliance breach. Their concern is that the bank itself would still face consequences that can range from significant penalties to getting shut down by regulators.
As far as these fears go, remote browser isolation has been both an exception and an as-a-service success story. CISOs and risk managers have found that the secure remote browser-as-a-service model easily overcomes such concerns.
Remote browser isolation not only enables financial services organizations to maintain control over regulatory functions, but it also helps them streamline their associated IT and compliance tasks when members of the risk management and AML teams access the web. Compliance failures are not an option, given the potential regulatory consequences.
A secure remote browser that is suitable for these tasks enables admins to centrally apply policies to allow or block key browser functionality like copy/paste or upload/download. It lets IT handle identity and access management for authorized cloud-based apps.
For auditing and compliance reviews, it provides a unified view of all user activity during a web session. A single browser instance in the cloud keeps policies intact, regardless of where the users are located or which device they use to access the web.
To summarize: A secure remote browser provides complete isolation from all web-borne threats while enabling cybersecurity, fraud and AML specialists to use the web in anonymity. It is rapidly replacing less secure and less effective methods and allowing IT security teams to save resources for more critical tasks.
About Richard Steinhart
Richard Steinhart is Head of Sales at Authentic8, which has pioneered remote browser isolation since 2010. Its flagship product Silo, the secure and non-attributable “browser-as-a-service”, deploys remotely in a cloud container that isolates all web content. No code from the web touches the endpoint. Learn more at https://info.authentic8.com/