The other day we got a recall notice in the mail for our car. We’re a one car family – trying to be eco-friendly – so taking in our car for service isn’t something we want to rush to do. But this notice was about a potentially (fairly) serious issue and the notice said we shouldn’t drive the car until it was fixed. While my wife and I were debating how to deal with this, it dawned on me how this issue is strikingly similar to dealing with browser security around zero-day exploits.
Many years ago when I managed IT organizations, we would get vendor notices concerning zero-day browser exploits and I’d convene our security, desktop, helpdesk, networking and administration teams to discuss how we should handle it. Invariably, the vendor suggestion was to stop using the product until the fix was available. That’s easy enough for them to say, but what about our business? Working with our finance team, we calculated that one minute of end user desktop downtime cost us nearly $1M in lost revenue processing. Intentionally taking any kind of productivity loss was unthinkable, but continuing to run this exposed software was risky. The web browser was mission critical to our business, so turning it off for all 500 employees was not a viable option and there was no reasonable alternative mitigation.
In the end we would make a decision based on risk tolerance, and that decision was always to keep the browser running and watch for security issues. Browsium Catalyst gives you a better option – limit use of the vulnerable browser AND keep the business running with an alternative browser. It does this by giving IT central control over multi-browser PCs. Before Catalyst, there was no good way to manage user behavior with multiple browsers on the desktop. Users could choose which browser to use, often making the wrong choice – breaking compatibility or putting network security at risk.
We’ve already blogged about a variety of Catalyst features (with more to come), including last week’s post about Zone Management in Chrome and Firefox. Today the topic is managing security incidents, and Catalyst has several options that you can invoke to better deal with a zero-day browser crisis. You can use Catalyst to restrict which browser is allowed to access content for a given URL, website, keyword, or Security Zone. That means you can have Catalyst ensure a vulnerable browser isn’t exposed to external threats – for example you can restrict IE6 or IE7 (yes, we know you’re still running them…talk to us about Browsium Ion) to only the Intranet Zone and use Chrome or Firefox to access the Internet.
Another cool feature in Catalyst is the ability to ‘Close Tab’ when Rule conditions are met. Even if you want to remain a single browser shop, you can use Catalyst to mitigate the issue in the case of a zero-day. Simply set up a Rule to trigger on conditions you’re concerned about (like accessing the Internet) and users can’t browse anywhere during the crisis. Another option would be to use the ‘Redirect’ feature to stop the navigation and display a page explaining why users can’t see the content they are trying to access. Stop the users in their tracks and prevent any exposure before some rogue website has a chance to attack.
If you haven’t downloaded Catalyst yet, I invite you to test it out. Try the security approaches I covered here and give us feedback. Are there other scenarios we should add? Your input helps us deliver better products so this is your chance to get involved.
Back to my car issue, if you were wondering, my wife and I took the other approach with the car and had it towed in for service. We were limited to using only the Metro for a few days, but now every time we load the kids in the car, we’re very glad we made that call.
Matt Heller
Founder & CEO
