RBI and the Importance of Integrated Threat Protection

It sounds like a nearly perfect cybersecurity solution: Intercept incoming data before it reaches the user’s web browser; isolate it in a secure sandbox; and send only the screen images—or pixels—to the browser. The ephemeral server is fully isolated from the organization’s IT assets and data, and its browser sessions are destroyed when the user closes a tab.

This technique is called remote browser isolation (RBI) and prevents malicious code or software from infiltrating end-user devices, making it theoretically impossible for bad actors to be successful with a web-born attack. Given that the browser is central to most of what people do on their PCs these days, it would seem to be the right solution at the right time.

But if RBI is so effective, why isn’t it used more widely? The answer: $$$

“It’s crazy expensive,” says Thayga Vasudevan, vice president of Product Management for Skyhigh Security.

RBI requires a significant amount of server resources because the server must maintain all browser sessions for all users concurrently. Since users often have 20 or more browser tabs open at once, with each tab potentially consuming upwards of 500 megabytes of memory, the cost of providing the necessary CPU and memory resources quickly adds up.

This translates to RBI licenses typically costing $40 or more on a per user basis. For a company with 10,000 endpoints, that is a large chunk of the cybersecurity budget. In fact, the fully loaded RBI cost can be as much as “almost any other five security products… combined,” Vasudevan says.

There is also a user experience penalty. We’ve all used remote desktops of various descriptions, and no matter how good the engine the final experience is never quite the same as native.

For all these reasons, most companies limit RBI use to only the highest risk employees, who usually make up less than 5% of the population.

A sensible solution

A more practical and cost-effective solution is to combine RBI with intelligent traffic analysis, and robust security stack allowing you to only isolate data streams that can’t be certified safe with a high level of confidence. For most companies less than 1% of all web traffic is both potentially dangerous (e.g., contains active content or executable code) AND unrecognized against known-safe behaviors.

In Security Services Edge (SSE), the combined intelligence of an advanced Secure Web Gateway and the robust application intelligence of a Cloud Access Security Broker (CASB) combine to allow- security administrators to intelligently apply isolation to risky traffic, rather than being forced to triage a small number of users (and impacting those user’s safe browsing.)

“Users have a natural browsing experience in nearly all cases,” Vasudevan says. “Potentially compromised sites may load through isolation, but you’re protected.”

This solution reduces IT overhead, dramatically reduces the risk of web-born threats, and allows extremely granular session controls like limiting copy-and-paste or downloads. License fees are minimal. In fact, the Skyhigh Security Service Edge portfolio provides selective isolation at no additional charge.

While there is no such thing as absolute protection, the combination of a unified cloud security platform and RBI comes certainly moves the needle on web and cloud security.

Click here to learn more about how RBI combined with intelligent traffic analysis can mitigate web-browsing risks.