Virtual Browser Security - Is WDAG The Answer?

JOE CISO on November 22, 2018

You probably already know that, to loosely quote the research gurus at Gartner, the internet is a cesspool. With all the web-based threats, like ransomware and malware, that muck up the internet, you’re potentially exposing your network and data to countless threats each time you open a web browser.  

Microsoft knows this too. To try to address the issue, the good people up in Redmond recently introduced a new feature to their Edge web browser called Windows Defender Application Guard, or WDAG. WDAG, Microsoft’s answer to virtual browser security, was originally released as a feature of Edge in Windows 10 Enterprise with the goal of keeping corporate data under wraps. It can now be enabled on Windows 10 Pro as well.

Secure Browsing via Virtual Machines?

The idea behind WDAG is simple. It aims to protect organizations from “the internet cesspool” by isolating networks from the inherent risks associated with allowing web content directly onto the endpoint via browsing sessions. Using Microsoft’s Hyper-V virtualization technology, it creates a miniature secure virtual machine that allows the browser to display websites without putting the computer itself at risk. While a user is in a WDAG session, all web content is rendered in an isolated, virtualized container intended to contain any web-based threats and prevent them from infecting the user device, and from spreading from there to the network.

So far, so good, right?

Getting WDAG set up is pretty simple to do. First, a system administrator defines which websites, cloud resources and internal networks are trusted. When an employee opens an untrusted site using Microsoft Edge or Internet Explorer, Microsoft Edge automatically opens the site in a safe virtual browser.
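To make that setup concrete, here is an added example (not part of the original post, and not Ericom or Microsoft code) of what the administrator side looks like in PowerShell: enabling the Hyper-V-based feature, declaring the trusted domains, IP ranges and cloud resources that should stay in the host browser, and setting the container policies that matter for the persistence and download points discussed later. The registry paths and value names follow Microsoft’s documented network-isolation and Application Guard policies as I understand them and should be checked against the current documentation for your Windows build; the domain names and IP range are placeholders for your own trusted resources.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on
# Windows 10 Pro/Enterprise. Registry paths and value names are as documented by
# Microsoft to the best of this example's author's knowledge (assumption: verify
# for your build). Domains and IP ranges are placeholders.

#Requires -RunAsAdministrator

# 1. Enable the Hyper-V based Application Guard feature (a reboot is required afterwards).
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart
}

# 2. Define what counts as "trusted". Anything NOT listed here opens in the WDAG container.
$netIso = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
New-Item -Path $netIso -Force | Out-Null

# Internal domains, pipe-separated; a leading '.' matches all subdomains. (placeholder values)
Set-ItemProperty -Path $netIso -Name 'EnterpriseNetworkDomainNames' -Type String `
    -Value 'corp.example|.corp.example'
# Internal IPv4 ranges. (placeholder value)
Set-ItemProperty -Path $netIso -Name 'EnterpriseIPRange' -Type String `
    -Value '10.0.0.0-10.255.255.255'
# Cloud resources the organisation trusts, e.g. its own SaaS tenants. (placeholder values)
Set-ItemProperty -Path $netIso -Name 'EnterpriseCloudResources' -Type String `
    -Value 'sharepoint.example.com|mail.example.com'

# 3. Container behaviour. The persistence complaint in the post maps to AllowPersistence:
#    0 = discard the container's data (cookies, favorites, saved passwords) when it closes.
$guard = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
New-Item -Path $guard -Force | Out-Null
Set-ItemProperty -Path $guard -Name 'AllowAppHVSI_ProviderSet' -Type DWord -Value 1  # 1 = Microsoft Edge only
Set-ItemProperty -Path $guard -Name 'AllowPersistence'        -Type DWord -Value 0  # no data carried between sessions
Set-ItemProperty -Path $guard -Name 'SaveFilesToHost'         -Type DWord -Value 0  # downloads stay inside the container

# 4. Read the effective configuration back so it can be reviewed before rollout.
Get-ItemProperty -Path $netIso |
    Select-Object EnterpriseNetworkDomainNames, EnterpriseIPRange, EnterpriseCloudResources
Get-ItemProperty -Path $guard |
    Select-Object AllowAppHVSI_ProviderSet, AllowPersistence, SaveFilesToHost
```

The read-back at the end is the part worth keeping in any deployment script: the trusted-site list is an allowlist, so a typo in a domain silently pushes a trusted internal site into the container (or, worse, a broad wildcard pulls an untrusted one out of it), and the only way to catch that before users do is to review the values the policy actually holds.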

The problem with WDAG is that although it was built with the intention of protecting enterprises, it’s simply not up to the job. Here's why:

Usability

First of all, the container is anonymous, which Microsoft touts as an advantage, since it prevents attackers from getting to an employee’s enterprise credentials. This means that the initial setup is rather cumbersome, as users need to sign in again to all the sites they normally use. Additionally, only the newest edition of Windows 10 Enterprise allows users to download documents from a WDAG container to the PC. Users of other editions are limited to awkward, annoying workarounds, such as printing files to PDFs -- which, of course, defeats the whole purpose of downloading Office application files and other interactive content.

WDAG does not support browser extensions, and “favorites” are not shared between traditional browsing sessions and WDAG sessions. This doesn't mean you can’t use favorites, but rather that users end up with two distinct sets of favorites, cookies and saved passwords, which can be confusing. All such data will be available for future Application Guard sessions but they are not shared with non-WDAG browsing sessions. And of course, WDAG does nothing to protect the majority of users who prefer to browse with Chrome, Firefox or other non-Microsoft browsers. These users are still fully exposed to browser-borne malware, as are organizations running older versions of Microsoft’s own operating systems.

All of these “little” issues cost users in terms of time and productivity. With WDAG, one price of security is an irritating user experience.

Security

But there are more basic security-impacting issues with WDAG and many other virtual browser security solutions. For starters, it resides on the endpoint/machine. Let’s be clear about what this means: Despite talk of “isolation”, any malware that executes within the secure virtual browser is physically located on your machine. A really smart malware variant, such as the new zero-day exploit discovered by exploit researchers Yushi Liang and Alexander Kochkov, can manage to get through Edge’s sandbox and from there, spread beyond the virtual browser’s container, throughout the machine, and onto your network where it can cause lots of damage.

Persistence is another significant issue. Because all untrusted sites browsed in a session share a single virtual machine, malware may persist within the virtual browser until all untrusted site browsing ends. This gives smart malware lots of time to work its way out of the virtual machine and onto your network. It also exposes the entire browsing session to the risks of Cross-Site Scripting (XSS), a favorite tool of many cybercriminals that can leave even 'safe' websites susceptible to malicious exploitation.

The Solution to the Cesspool

For real security, what your organization needs is a virtual browser that’s remote, isolated and disposable. Together, these three qualities create a browsing environment that’s secured from even the more advanced threats out there. Remote browsers are hosted either on premises (e.g., on a server in the DMZ) or in the cloud — not on an endpoint device, and not even within the network, but at the no-man's land between the organization's internal network and the internet.

Using remote browser isolation, all malware, malicious URLs, compromised websites, plugins and extensions are isolated in a remote browsing session that is disposed of at the end of each session. To minimize persistence, each tab has its own secure virtual browser, which prevents malware from finding its way out of the virtual machine. Thus, no matter how smart the exploit may be, it gets dumped in the virtual trashcan after each session is closed, where it can’t do any harm.

With the right solution, your employees won’t need to compromise on productivity or draw on their patience reserves. Ericom Shield, our remote browser isolation solution, gives users seamless browsing, with no loss of speed and productivity, and works with any browser they choose. They can access their favorites, cookies and clipboards, and thanks to the integrated file sanitization tools, users can even download files safely without resorting to frustrating workarounds that kill efficiency. It’s all the convenience your employees need to work unabated, along with the security your organization needs to prevent web-based threats from compromising the integrity of your network or data.

This doesn’t mean that WDAG and other built-in safe virtual browsers aren’t a step in the right direction. On the contrary, anything that prevents web-based threats from infiltrating is a good thing — it’s just not enough to keep organizations safe. To stop wading in the cesspool, remote browser isolation is the key.


Joe CISO

Joe CISO is the information security professional responsible for protecting the organization from all cyber threats, including ransomware, drive-by downloads and zero-day exploits. | Ericom Software