ITSPmagazine Podcast Network

A Deep Dive into SquareX | A Short Brand Story from Black Hat USA 2024 | A SquareX Story with Chief Architect Jeswin Mathai | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join us on an insightful journey as we sit down with Jeswin Mathai, Chief Architect at SquareX, during our special coverage of the Black Hat Conference 2024, to explore cutting-edge cybersecurity solutions and innovations.

Episode Notes

Welcome to another edition of Brand Stories, part of our On Location coverage of Black Hat Conference 2024 in Las Vegas. In this episode, Sean Martin and Marco Ciappelli chat with Jeswin Mathai, Chief Architect at SquareX, one of our esteemed sponsors for this year’s coverage. Jeswin brings his in-depth knowledge and experience in cybersecurity to discuss the innovative solutions SquareX is bringing to the table and what to expect at this year’s event.

Getting Ready for Black Hat 2024

The conversation kicks off with Marco and Sean sharing their excitement about the upcoming Black Hat USA 2024 in Las Vegas. They fondly recall their past experiences and the anticipation that comes with one of the most significant cybersecurity events of the year. Both hosts highlight the significance of the event for ITSP Magazine, marking ten years since its inception at Black Hat.

Introducing Jeswin Mathai and SquareX

Jeswin Mathai introduces himself as the Chief Architect at SquareX. He is responsible for managing the backend infrastructure and ensuring the product’s efficiency and security, particularly as a browser extension designed to be non-intrusive and highly effective. With six years of experience in the security industry, Jeswin has made significant contributions through his work published at various conferences and the development of open-source tools like AWS Goat and Azure Goat.

The Birth of SquareX

Sean and Marco delve deeper into the origins of SquareX. Jeswin shares the story of how SquareX was founded by Vivek Ramachandran, who previously founded Pentester Academy, a cybersecurity education company. Seeing the persistent issues in consumer security and the inefficacy of existing antivirus solutions, Vivek decided to shift focus to consumer security, particularly the visibility gap in browser-level security.

Addressing Security Gaps

Jeswin explains how traditional security solutions, like endpoint security and secure web gateways, often lack visibility at the browser level. Attacks originating from browsers go unnoticed, creating significant vulnerabilities. SquareX aims to fill this gap by providing comprehensive browser security, detecting and mitigating threats in real time without hampering user productivity.

Innovative Security Solutions

SquareX started as a consumer-based product and later expanded to enterprise solutions. The core principles are privacy, productivity, and scalability. Jeswin elaborates on how SquareX leverages advanced web technologies like WebAssembly to perform extensive computations directly on the browser, ensuring minimal dependency on cloud resources and optimizing user experience.

A Scalable and Privacy-Safe Solution

Marco raises the question of data privacy regulations like GDPR in Europe and the California Consumer Privacy Act (CCPA). Jeswin reassures that SquareX is designed to be highly configurable, allowing administrators to adjust data privacy settings based on regional regulations. This flexibility ensures that user data remains secure and compliant with local laws.

Real-World Use Cases

To illustrate SquareX’s capabilities, Jeswin discusses common use cases like phishing attacks and how SquareX protects users. Attackers often exploit legitimate platforms like SharePoint and GitHub to bypass traditional security measures. With SquareX, administrators can enforce policies to block unauthorized credential entry, perform live analysis, and categorize content to prevent phishing scams and other threats.

Looking Ahead to Black Hat and DEF CON

The discussion wraps up with a look at what attendees can expect from SquareX at Black Hat and DEF CON. SquareX will have a booth at both events, and Jeswin previews some of the talks on breaking secure web gateways and the dangers of malicious browser extensions. He encourages everyone to visit their booths and attend the talks to gain deeper insights into today’s cybersecurity challenges and solutions.

Conclusion

In conclusion, the conversation with Jeswin Mathai offers a comprehensive look at how SquareX is revolutionizing browser security. Their innovative solutions address critical gaps in traditional security measures, ensuring both consumer and enterprise users are protected against sophisticated threats. Join us at Black Hat Conference 2024 to learn more and engage with the experts at SquareX.

Learn more about SquareX: https://itspm.ag/sqrx-l91

Note: This story contains promotional content.

Guest: Jeswin Mathai, Chief Architect, SquareX [@getsquarex]

On LinkedIn | https://www.linkedin.com/in/jeswinmathai/

Resources

Learn more and catch more stories from SquareX: https://www.itspmagazine.com/directory/squarex

View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

A Deep Dive into SquareX | A Short Brand Story from Black Hat USA 2024 | A SquareX Story with Chief Architect Jeswin Mathai | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Marco.

[00:00:02] Marco Ciappelli: Sean.

[00:00:03] Sean Martin: Are you ready?

[00:00:05] Marco Ciappelli: I am ready.

[00:00:06] Sean Martin: Yeah,

[00:00:07] Marco Ciappelli: I was just expecting you to do the vroom vroom.

Let's do the vroom vroom. It's, uh, at this point our signature to start the chats on the road to Black Hat USA. That's right. 2024 in Las Vegas. And, uh, you're gonna go a little bit more, uh, on the technical kind of question. I'll be cheerleading because I am very excited for a couple of things. One, of course, to go to Black Hat and do the coverage.

Always a great event that I keep reminding you of. That's 10 years ago. That's where ITSP Magazine was born. So it's always a great opportunity to celebrate a birthday. The other one is that we get to meet again on location this year with SquareX. We, we had them as a sponsor at RSA Conference and, uh, and now we have it here. Now

[00:01:01] Sean Martin: in Las Vegas, a long flight from Singapore to the state of Nevada for the team. And, uh, yeah, I'm excited to see Vivek again and some of the other folks. And get an update on what's going on. But first we're gonna, we're gonna learn about what, uh, what some of the use cases are. We've had a couple of good chats with Vivek, but today we have Jeswin on, who is an architect of, uh, the solution there at SquareX.

Jeswin, how are you?

[00:01:31] Jeswin Mathai: I'm doing great, Sean and Marco. How about you?

[00:01:35] Sean Martin: Yep. Very, very good. Excited to, uh, excited to chat with you and learn more about, uh, some of the use cases. And then, uh, and then a bit about what, uh, Vivek and team will be talking about in Vegas. Before we dig in, can you share a few words about your role at SquareX and some of the things you work on?

[00:01:55] Jeswin Mathai: Yes. So I'm the chief architect at SquareX. I'm responsible for managing the backend infrastructure and making sure that the product works really well from a security standpoint, as well as our product is primarily a browser extension. So we have to make sure that, again, it's not hampering the user's productivity.

Uh, it does not cause any sort of privacy issue on the browser. So making sure the whole system works, uh, fully. And I've been in the security industry for the past six years, published my work in various conferences, conducted training in, uh, Black Hat, uh, and other conferences as well. Uh, and I also authored various open source tools, a few of them are like AWS Goat, Azure Goat, which have had like really good, uh, impact on the community.

[00:02:39] Marco Ciappelli: Well, very good. No

[00:02:40] Sean Martin: pressure for you to keep things running.

[00:02:45] Marco Ciappelli: It's not a, it's not an easy job, but, uh, I know you guys are making huge leaps in, uh, with this product and I'm excited to meet another, another team member. Uh, which is you. Would you like to take the opportunity to give a little introduction for those that haven't heard about SquareX yet?

What do you guys do? What is the focus? And, yeah, a small, short origin story before we dive into it.

[00:03:15] Jeswin Mathai: SquareX is founded by Vivek Ramachandran. So, Vivek also had one more company called Pentester Academy. We were into cyber security education before this. And we had a massive impact on the industry. We did really, really well.

And at that time, Vivek noticed a lot of changes, issues in the consumer security problem and more importantly, the antivirus solutions and all of the existing security solutions were not doing that good of a job. That's why, you know, we hear about phishing scams, just the numbers keep on increasing and the people keep on getting impacted more and more.

That's where again Vivek decided that, uh, we can go ahead and delve entirely into the consumer security space in order to provide better, uh, security. And this was primarily because all of the existing security solutions, they did not have visibility on what's happening on the browser. They did everything on, you know, your host level where you can monitor applications.

But let's say an attack happens from Chrome, the underlying application will know that an attack came from Chrome. But it wouldn't be able to tell that this attack came from, let's say, a user who sent a message on LinkedIn from where he went to another website and from where the payload was downloaded.

So all of the existing solutions lacked visibility on the browser. That's where SquareX figured out that, and more importantly, Vivek figured out that, uh, if we can protect the user on the browser level, we can mitigate a lot of threats and more importantly, save people from getting hacked, save the money, uh, and so on.

So that's how SquareX eventually came to be, but again, it was years of, I'd say, frustration as well as, you know, a lack of things that the existing solutions were not doing. Uh, that eventually gave all the ideas for Vivek to formalize SquareX. So the idea was that we'll have a browser, uh, uh, browser native component, and then eventually one component on the host machine, so we can protect the user entirely.

So to give you an example, let's say, uh, you might go into a cafeteria and now you're connecting to an open network, or it could be a rogue network. Now all of these insights are not available to you as a browser, so that's where we can change this up with the local agent and then get as many data points as possible.

And now on these data points, we can act really well. So SquareX started off as a consumer version, uh, but we also figured out that, uh, when it comes to enterprise spaces, all of the employees are at risk right now because your existing solutions, we have SWGs, we have, uh, you know, your endpoint detection.

Uh, they still have a loophole, which is basically they don't have visibility onto the browser and SquareX can fit into the right place and enrich the metrics for both of these. So that as an admin, let's say if something goes wrong, you can very easily control the blast radius. You can figure out who all are impacted.

You can apply policy to block certain attackers from sending emails and so on. So a quick overview of SquareX.

[00:06:12] Sean Martin: That's really cool. And I want to dig into one. I think it's for me, it's important, uh, having, having spent time building enterprise solutions, is the, the need to be able to scale the protection and all the, on the management stuff, which you talked about, but also in a way that doesn't impact the user.

And you see, you mentioned that, that it also is a consumer-based product, which I mean, the end user consumers do all kinds of weird things and access all kinds of fun stuff and interesting networks. And I mean, so to be able to operate in that environment, and then of course, enterprise users are also just users, but to take all that knowledge and experience in the consumer world and scale to that level, um, talk to me a little bit about that and how important that piece is as part of the puzzle of working properly in the enterprise.

[00:07:13] Jeswin Mathai: I think, uh, that's a great question. So it was great that we started with the consumer and then eventually ventured into enterprise. Reason being, we have to be very cautious of the user's privacy, what data we are sending. So in a way, we restricted everything to the browser and, uh, at the end of the day, the less we can do on the cloud, the better it can scale.

So the user's devices have become much more powerful in the past decade's time. So a decade back we used to have like a 4 gig device where the browser would, let's say, consume 1 gig of RAM. Now we are talking about 16 gigs, 32 gigs or even more powerful devices and now the browser is consuming close to 60-70 percent of the RAM because most of your workflows are just there on the browser.

So we wanted to ride this wave and with the advantage of web technology such as WebAssembly, we can do a lot of compute right there on the browser. So, uh, our original idea was that when we are rolling out to end consumers, we want to be as privacy safe as possible. At the same time, uh, everyone hates when we stop them from doing things, let's say antivirus is installed.

It blocks you from opening a file. People hate it. They'll go ahead and disable it. So our philosophy was we have to be productivity first. We have to make sure that we don't change the user workflow because change is very, uh, difficult to perform on like regular users. In enterprise, the story is a bit different because admin can enforce, but the regular customers, they'll simply not use your product.

So in a way, we, uh, stuck to a few principles, which was again, being productivity first, making sure that we don't block anything for the user, we provide them an alternate way. Then the second approach was that we have to make sure we are privacy safe as much as possible. And the more we can do on the browser, the better.

Reduce the dependency from the cloud. More importantly, because it scales really, really well. It's a browser extension, can run off on any device anywhere on the planet, even offline to some degree. So that's where we went ahead, packaged the whole file analysis module right there in the browser. So it's capable of inspecting the file, figuring out that there are some malicious parts of it, and it's even capable of removing those malicious parts on the browser.

So having those constraints in a way allowed us to build an amazing product on the browser. And I can confidently say that SquareX is probably the best, uh, browser security company out there because we are doing so many things. And now this stretches out to our enterprise product where we can take the same principles and scale it on an amazing level.

And make sure that the user does not feel that, you know, something is slowing down. Because at the end of the day, let's say you have a security solution which sends everything to the cloud. It is doing analysis there and then you are getting the response, which slows down and sometimes you might have to wait.

It could be like a few milliseconds, but still it keeps on compounding over time and you'll get frustrated. With SquareX, there is no such worry.

[00:10:07] Marco Ciappelli: Well, I make one comment thinking about Vivek being frustrated. And say, well, this product doesn't exist. I'm going to make it. And I think the best products actually do come from that kind of situation where you just like said, I have the capabilities.

I mean, I couldn't do it because I don't have the knowledge, but somebody like Vivek that say, you know, this is, this is something that I live on my own skin, on other people. And I'm going to do that. But what I really like is the scalability and my question for you is, and you mentioned you can use this browser solution all over the world.

And of course, me also being European, I think about it. Well, there is GDPR, then there is the California Act when it comes to privacy, so it can easily be regulated and tuned down or up in the privacy according to where the user is using the browser.

[00:11:09] Jeswin Mathai: Correct. We can very easily control all aspects of data that is being sent.

So the best part of SquareX is again the data, you have an option as an administrator, right? So data can never leave the browser as well. You just need like a minimal amount of data. Let's say something goes wrong, that information can be propagated back. But that could also be done in an anonymous way without tying anything to the user.

So all of those, uh, are available as part of a configuration for the administrator. Very

[00:11:36] Marco Ciappelli: cool. Very cool.

[00:11:38] Sean Martin: Well, let's talk about a couple of use cases, um, to help illustrate, uh, some of this, uh, capability. Um, I think, yeah, probably one of the more common use cases of, uh, of an attacker, yeah, threat actor, doing some fun things through the browser would be, threat actor, phishing, right? Yeah. So maybe, uh, give us, give us an example of how, uh, how that attack looks and how SquareX comes in to save the data.

[00:12:09] Jeswin Mathai: Sure. Uh, so attackers are like the smartest guys on the planet, right? So they're getting very, very creative. So there used to be a time where they'll send a phishing link over your email, but now what they're doing is they're leveraging the domain authority of existing platforms, such as, it could be GitHub, it could be SharePoint, it could be your office phone.

So imagine that I create a SharePoint as an attacker. I embed an image, which takes you to one other legitimate site, which in turn takes you to a phishing site. Now what I'll do is I'll share that SharePoint with the victim, uh, and then they'll get an official notification from SharePoint. In a way, I have evaded all of the email security solutions because now SharePoint is sending you a notification.

Now the same thing can happen with GitHub, let's say I, uh, uh, tag you in a comment. Now you get an official notification from GitHub. You click on it. Now, GitHub takes you to a link, which in turn takes you to a phishing site. This way, again, the user will be fooled, and most of the folks who are not, you know, security focused, a lot of developers as well as, uh, a lot of, uh, IT folks.

So they'll think that, oh, you know, I just got prompted for a login page, uh, when I was coming from SharePoint. So this login page looks like Microsoft, is probably Microsoft, but the reality is it is a phishing page. So all of these techniques are being used by the attackers. So in the GitHub case, what they did was they had an OAuth login from the GitHub comment.

So now the moment you go into the OAuth login of a fake phishing page, uh, they go ahead, get the permission to access all of your GitHub repositories. They deleted those and then asked for ransom in order to get them back. So imagine that a company's repositories are being impacted and now it's a big concern for the companies.

So attackers are doing all of these, uh, things and they're leveraging the domain authority of all of these big platforms because they can bypass your security solution very, very easily. So with SquareX, you can speak

[00:14:04] Sean Martin: to that quickly because I think the endpoint, right, this is a legitimate message through a browser.

You're clicking on that in the browser. The endpoint has no chance of doing anything now with that, right?

[00:14:18] Jeswin Mathai: Yeah, so the endpoint does a great job once a file touches the disk. At that point, it might be able to figure out that, you know, this file is malicious or it might be able to analyze it live. Uh, at best, it has the information of which process, uh, triggered the file download.

So it will know that the file came from Chrome. Uh, but in this case, we are talking about phishing attacks and the endpoint at this point does not have any visibility into what's happening on the browser. It can't see that the user came from this site and eventually he is entering credentials. So all of those things it can't.

So the endpoint will be completely, I'd say, bypassed at this point. And if you have a secure web gateway, that will also be bypassed because, uh, now you're getting traffic from like SharePoint. It's just too

[00:15:02] Marco Ciappelli: late. It's too late. It's like, hey, I have a thief in the house. It's better if you block it before they come in the house.

[00:15:10] Jeswin Mathai: Correct, yeah.

[00:15:11] Marco Ciappelli: So how does SquareX operate in this case?

[00:15:15] Jeswin Mathai: So SquareX, being on the browser, it has the full context of, you know, how you came to be at a site. So let's say you came from a SharePoint link, then you went to a different site, from there you went to a different site. So as admin, you can very easily enforce policies that, let's say, you get to a login page from SharePoint, but that login page is not a Microsoft official login page or known login page.

You can very easily block entering of credentials. With SquareX, you can also go one step beyond and we can do a live analysis because we see what the user is seeing. So we can do a live analysis, pick out all the text and figure out this is very similar to the existing websites like Microsoft, uh, Google Login and so on, and prompt the user that you are on a phishing website.

So being on the browser offers us a lot of flexibility in doing all of this analysis. And this is happening right there on the browser live. So we can even perform content categorization. So we have all of the URL filtering solutions which primarily rely on domain categorization. And one problem with that is it broadly classifies.

So to give you an example, let's say I have abc.xyz.com. And now the categorization for xyz.com is IT technology. So abc, the whole domain will be classified as IT technology. So attackers leverage this, they'll host a website and leverage the domain authority of the whole domain. So, and due to which again, misclassification can happen and a lot of content can seep through.

But SquareX, since we are analyzing the content, we can figure out that, oh, this is a sports site, this is a, probably a gambling site, this is a phishing site. All of those live categorizations we can do by sitting on the browser. So this way it's like offering a robust, uh, phishing protection solution.

[00:17:01] Sean Martin: And if I remember correctly, there, there's something cool you do with, because you said you, you see what the user sees.

Um. And you're doing some cool rendering there, if I'm not mistaken, is that right?

[00:17:17] Jeswin Mathai: Uh, so we do the live analysis, we take a look at the whole screen. So irrespective of whether it is DOM or whether it is canvas, whether it is an image. So the one example I can give you is, let's say, QR code, right? So what ends up happening is attackers want to take the workflow to, let's say, a less protected device.

So this is where they can perform an out-of-band attack. Imagine that you get an email with a QR code. Now your device is protected with all possible enterprise security solutions. But your phone might not be. So in a way they transition all of this workflow from your regular device, which is an enterprise device, onto your mobile phone, which could be a personal device, which is less protected.

And this way they can very easily scam as well as, you know, phish people on the phone because now you're limited to, you know, visibility on the phone. You might not see the whole URL. You might not even see the URL at times. So attackers are like very, very creative, but being SquareX, uh, we are able to figure all of this out and then deduce that, oh, this is a potential QR code.

We offer administrative flexibility that they can outright block QR codes as well as, if it is malicious, they can block and perform operations on top of it.

[00:18:26] Sean Martin: Very cool. Very cool. So I know, um, we're coming up on time here for this chat and, uh, yeah, I think plenty more use cases to discuss. And I think the best place to do that, uh, of course I want to have more of those chats, but, uh, another great place to do that is in Las Vegas with the team there.

So, uh, the team's going to be both at Black Hat and at DEF CON. We have a booth, uh, a booth at both. And I believe you're speaking at DEF CON as well, Vivek is, um, can you give us some info on, uh, what's going on there and what people can expect when they meet you?

[00:19:06] Jeswin Mathai: So, SquareX is doing a booth at Black Hat, uh, as well as we have talks at DEF CON.

So, the DEF CON talk is about breaking secure web gateways. Uh, and it is about, you know, major issues around secure web gateways, how they can be evaded. Uh, and it's like a couple of fundamental, uh, flaws in the system because it's built on a stateless model. So it processes each request and it only takes a look at data on the network level.

So there are various, various techniques. We'll showcase all of those, uh, in DEF CON, uh, as well as we have two other talks in villages. One is in Adversary Village and one is in Recon Village. The Adversary Village one is around browser extensions. So we ourselves run as a browser extension. We know what power we hold.

So similarly, again, malicious browser extensions. It is very, very easy to install. So what attackers do is they go ahead, purchase various extensions from the Chrome store that are gaining popularity. And then they'll release an update with some malicious code and at the end of the day, it ends up compromising the user's device.

So the talks are amazing talks around, uh, the extension topic, uh, secure web gateways, uh, and so on.

[00:20:16] Marco Ciappelli: Very cool. And, uh, like I was mentioning at the beginning, we, we had already some conversation with the team we met. And I have good memories of almost being back in Australia, New Zealand, all the Asian Singapore area because when we were at your booth at RSA, all of a sudden we ran into all our friends that are located in that part of the world.

So I'm kind of excited to see Vivek again and the team at Black Hat and DEF CON and I want to remind everybody that that will be August the 3rd to the 8th and DEF CON, I believe, is right after that. I don't know if we're gonna stay for that, but we may change our mind. We haven't been at DEF CON in a while.

And, uh, of course, uh, I invite everybody that is going to be at Black Hat to come by the booth and look for you guys, but also if you're not there, this is a solution that, of course, it's one of the coolest things out there in cybersecurity, in my opinion. We're honored to have you on board with the sponsorship and having more conversation with you.

And definitely go to find out, uh, more about SquareX. Sean, I know you, you've talked to Vivek already several times, I

[00:21:29] Sean Martin: know, great, great conversations. And, uh, I want to talk more with Jeswin. So hopefully we can, we can find that. I think I know all these, all these, uh, use cases. I think that's, that's great.

For me, when we can start talking about operationalizing and what the threat is and how security administrators can actually respond to them, that's what I really love. So, great to meet you Jeswin and great to have you on the show today. Wish you and the team all the best and safe travels for those that are making the journey from Singapore to Las Vegas and hope you, hope we get to chat with lots of folks there in, uh, in Black Hat and DEF CON.

[00:22:13] Jeswin Mathai: Thank you so much, Sean. Marco, it was a privilege to be on the program.

[00:22:17] Marco Ciappelli: Of course. It was a real pleasure. Absolutely. Stay tuned. There'll be more conversation before, during, and after, uh, the old hacker summer camp that happens in Las Vegas. So be with us, even if you cannot be in, uh, Las Vegas, we'll, we'll bring you there.

We'll share.

[00:22:36] Sean Martin: We have another chat with, with Vivek on location. So stay tuned for that for sure.

[00:22:40] Marco Ciappelli: Excited for that. Excited for that. All right, everybody.

[00:22:44] Sean Martin: Thank you.