ITSPmagazine Podcast Network

Behind the Scenes of SquareX's Exposing DEF CON Talk and Their Latest Browser Security Innovations | A Brand Story Conversation From Black Hat USA 2024 | A SquareX Story with Vivek Ramachandran | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin as he interviews Vivek Ramachandran, Co-Founder and CEO of SquareX, about groundbreaking browser-native security solutions and insights into vulnerabilities in secure web gateways. Discover how their innovative approach fills critical security gaps and learn about their toolkit to test your own defenses against advanced threats.

Episode Notes

In this Brand Story episode, Sean Martin gets to chat with Vivek Ramachandran, Co-Founder and CEO of SquareX, at the Black Hat USA conference in Las Vegas. The discussion centers around SquareX’s innovative approach to browser security and its relevance in today’s cybersecurity landscape.

Vivek explains that SquareX is developing a browser-native security product designed to detect, mitigate, and hunt threats in real-time, specifically focusing on the online activities of enterprise employees. This solution operates entirely within the browser, leveraging advanced technologies like WebAssembly to ensure minimal impact on the user experience.

The conversation shifts to the upcoming DEF CON talk by Vivek, titled “Breaking Secure Web Gateways for Fun and Profit,” which highlights the seven sins of secure web gateways and SASE SSE solutions. According to Vivek, these cloud proxies often fail to detect and block web attacks due to inherent architectural limitations. He mentions SquareX's research revealing over 25 different bypasses, emphasizing the need for a new approach to tackle these vulnerabilities effectively.

Sean and Vivek further discuss the practical implementation of SquareX's solution. Vivek underscores that traditional security measures often overlook browser activities, presenting a blind spot for many organizations. SquareX aims to fill this gap by providing comprehensive visibility and real-time threat detection without relying on cloud connectivity.

Vivek also answers questions about the automatic nature of the browser extension deployment, ensuring it does not disrupt day-to-day operations for users or IT teams. Additionally, he touches on the importance of organizational training and awareness, helping security teams interpret new types of alerts and attacks that occur within the browser environment.

Towards the end of the episode, Vivek introduces a new attack toolkit designed for organizations to test their own secure web gateways and SASE SSE solutions, empowering them to identify vulnerabilities firsthand. He encourages security leaders to use this tool and visit a dedicated website for practical demonstrations.

Listeners are invited to connect with Vivek and the SquareX team, especially those attending Black Hat and DEF CON, to learn more about this innovative approach to browser security.

Learn more about SquareX: https://itspm.ag/sqrx-l91

Note: This story contains promotional content.

Guest: Vivek Ramachandran, Founder, SquareX [@getsquarex]

On LinkedIn | https://www.linkedin.com/in/vivekramachandran/

Resources

Learn more and catch more stories from SquareX: https://www.itspmagazine.com/directory/squarex

View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Behind the Scenes of SquareX's Exposing DEF CON Talk and Their Latest Browser Security Innovations | A Brand Story Conversation From Black Hat USA 2024 | A SquareX Story with Vivek Ramachandran | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And here you are, you're very welcome to our first episode on location. A brand story with our good friends from SquareX. Vivek, it's good to see you. 
 

Vivek Ramachandran: Likewise, you know. It's been, it's been two and a half months. I know. But it feels like yesterday. Thanks so much for having me on the show once again. 
 

Sean Martin: Ah, it's always a pleasure. And, uh, this time in Las Vegas for Black Hat. Obviously, if you can see the backdrop here, all the way from Singapore. A nice, nice journey. Maybe a few minutes in a flight. But, uh, you have a nice booth downstairs. We're going to come down there shortly and meet some of the other team. 
 

Because I've seen all the posts where a good number of the teams have come to Las Vegas to engage with customers and partners and all that good stuff. So, um, let's just dive into it. I'm going to ask people to listen to the other episodes to get a kind of a broad background. But maybe just the elevator pitch for what SquareX is all about. 
 

Vivek Ramachandran: So, you know, SquareX is building a browser native security product, [00:01:00] which detects, mitigates, and threat hunts web attacks, which are happening against, you know, enterprise employees when they're online. And we do all of this in real time.  
 

Sean Martin: That's an important space, which we've talked about a bit before. Um, where I want to start is, obviously, Black Hat is known for its research, DEF CON even more so, and I know you're actually, you're speaking at DEF CON. 
 

And I think if somebody is in a CISO role or a practitioner role, they probably know where their strengths are, where their weaknesses are, but there might still be a sense of false security. So, without sharing too much, because I don't want to ruin the DEF CON talk that you're doing, but what's going on there? 
 

Vivek Ramachandran: Yeah, so you know, Vegas is Sin City, as they call it. And what the talk is about is the seven sins of secure web gateways or SASE SSE solutions. Is OSI sins? [00:02:00] So, you know, I've named the talk, Breaking Secure Web Gateways for Fun and Profit. And really what the talk is going to be about is secure web gateways, SASE SSE solutions have now been around for over a decade, I think. 
 

And that is really where, to your point, you know, people have this false sense of security that these cloud proxies are able to detect and block web attacks happening against their employees when they're online. Now, unfortunately, you know, these proxies are looking at network traffic to infer application layer attacks. 
 

And what SquareX has done, you know, very systematic, thorough research, is we've shown over 25 different bypasses, which are all because of architectural limitations. So what this means is, not one, not one, 25 plus, yeah. And the big reason we did that is if you just talk about one or two, a lot of times the vendors will come back and basically say, you know what, like this one or two, either we don't care or here you go, here's a little band aid fix, right? 
 

We have a mitigation. Exactly. But if you go with [00:03:00] 25 plus and then just overall point to the fact that, look, we could just keep going on and on. And this is only possible because of architectural issues. Then it becomes abundantly clear that SWGs and SASE SSE, when it comes to solving web threats, is probably useless. 
 

The most worrisome thing that we're going to point out is this ends up breaking a lot of the SLAs that these companies promise their customers, including one which basically says we will detect 100 percent with 100 percent probability any known malware. And we will actually show in the talk that known malware gets bypassed, you know, with the, with the attacks that we are developing. 
 

Sean Martin: Where do I go with that? I mean, just the fact that the claim was made might shift me to a different vendor anyway. But sadly, uh, sadly, we, we get, we're presented with options and we make our choices. Hopefully the, hopefully the vendor lives up to [00:04:00] their, their agreements. But uh, sounds like not in every case. 
 

So, I presume you'll talk a little bit about how, how what you do at SquareX tackles that problem. I mean, do you want to do that quickly now?  
 

Vivek Ramachandran: Yeah, yeah, yeah, absolutely. So, I think, how did we land upon this research is the fact that, you know, we were looking at a lot of web threats on the client side. And we quickly figured that many of these could only be solved if you had a browser native security product. 
 

And that's when we realized that these proxies were like wide open. So what SquareX really does is because of the fact that we sit in the browser, we're able to look at all the rich DOM events, you know, browser events, user interactivity. And we take all of that and entirely on the client side, put them into machine learning algorithms so that we can do all of this detection entirely locally without even having to depend, you know, on the cloud in any way. 
 

And that is what makes this so scalable. Because now imagine millions of different endpoints are all [00:05:00] individually capable, once the policies are pushed via the SquareX product, to go about figuring all of this out. 
 

Sean Martin: So the first question I'm certain people ask following that description is, alright, so there's machine learning running in my browser at my endpoint now. 
 

Correct. The user experience must get impacted, right?  
 

Vivek Ramachandran: Yeah, so that's a great question. So I think, you know, in recent times, newer technologies have come. For example, WebAssembly. And every major browser now supports it and WebAssembly actually allows us to run, you know, native code, which previously used to be C libraries and all of that, but in the context of the browser. 
 

So the browsers have ensured that these WASM modules run in an extremely lightweight way, very, very fast. So all the benchmarking, including that of the browser vendors themselves, clearly shows that this is very lightweight. Also, interestingly, you know, Sean, if you think about it, what is the workload when it comes to, you know, each of these [00:06:00] SquareX extensions? It is running for an individual user. 
 

So an individual user is like 20-25 open tabs, generally focused on one tab and maybe flipping between a few. So this isn't a very heavy workload to monitor from the perspective of a WASM module, which is already running at, you know, native speed.  
 

Sean Martin: Okay. And, uh, yeah, cause I'm picturing my browser. I'm lucky if I only have 25. 
 

But to your point, I think I'm, I'm typically working on one or two and I might over, let's also point out the fact that it's open for a long time. Yeah. Right. And I might flip between one, one and another that I opened last week or two weeks before. Yeah. So I presume you, you sit resident in that regardless, right? 
 

Exactly. It's machines sleeping and opening. Yeah.  
 

Vivek Ramachandran: So we deploy as a browser extension and what browser extensions can do is individually look at every single tab which is running. So we can monitor everything happening in the [00:07:00] tab. Uh, intercept it, block it, isolate it, and do a bunch of stuff. So even if the tab is inactive, maybe even for a week or a month, but the moment it becomes active once again, we are still running there. 
 

So there are no limitations when it comes to, you know, active, inactive, incognito mode. Uh, kind of work across all of that.  
 

Sean Martin: So the other scenario, let's be honest, the point we're really talking about here is a threat finds its way to the browser and something happens. What's the user experience when they actually are under attack or something's at risk? 
 

Vivek Ramachandran: So if you look at organizational policies, primarily one is to stop bad behavior and bad behavior is, you know, employees, let's say, copy pasting something into ChatGPT or trying to upload a file to get a summary, things like that. Right. And the second is, of course, attacks themselves, right? Which is spear phishing, session hijacking, things like that, identity attacks and whatnot. 
 

So once these policies are pushed, what ends up happening is if an attack is underway, we block [00:08:00] access to that page where probably the attack is being orchestrated. And the user ends up getting an alert which basically says, hey, you are under attack, we blocked it. The administrator can now look at the entire attack reconstructed using attack graphs. 
 

Uh, you know, another technology which we're deploying called attack vision and a bunch of other things. So this way what happens is we stop it real time. The administrator on the other side ends up getting a complete picture of what happened. And that makes it easy for them to go about creating better internal user awareness. 
 

Uh, and at the very same time also know what, you know, threat actors are trying to do against the organization.  
 

Sean Martin: So how does this, uh, let's shift and speak to security leaders at CISO and their, their leadership team. Um, building out a program, I mean, we all, everybody's pretty much, unless it's a brand new company, starts with some legacy program. 
 

Yeah. They come in [00:09:00] and refactor it to, based on their experiences and new technologies, new risks and whatnot. How does a strategy and a program need to change, perhaps, to adopt what you're doing?  
 

Vivek Ramachandran: Yeah, no, that's a great question. So the best part is given browser security itself as a field is in its nascency. 
 

At this point in time, there isn't any overlap with other technologies. So the browser is a blind spot. So if you go to most CISOs and ask them, Hey, what's happening in the browser, they basically say we don't know, because endpoint security isn't really looking into the browser at this point. And if you have cloud proxies, all you get is the point URLs that they're visiting. 
 

So if somebody had to roll this out very simply, they could just roll it out with a group policy and the browser extension, you know, just gets enabled and can automatically report back, apply policies and all of that. So what we've seen with our existing customers is generally within just a few hours. 
 

You can deploy this enterprise wide.  
 

Sean Martin: [00:10:00] And will the end user recognize that that's happened, or it's kind of, yeah, user  
 

Vivek Ramachandran: would know nothing about it. Uh, if you know, we go ahead and show the extension icon, then he knows maybe a new extension is installed, but I mean, that's just a small thing which lights up somewhere in the browser, which most people don't even care about. 
 

Would they have to participate in installing? Absolutely not. It's completely autonomous, automatic, you know, just happens by itself. Uh, the only time that they would end up noticing is, you know, if they've done a bad behavior or someone's been attacking them.  
 

Sean Martin: Yeah, OK, which are both scenarios. We want to minimize the impact or completely eliminate the impact on the end user. 
 

And we could stop the conversation there, but guess what? Yeah. IT ops, security ops, um, they could be impacted as well. So what's, what's the new world with browser security enabled look like for them, IT and security? Yeah.  
 

Vivek Ramachandran: So, so I think when it comes to the IT and security teams, [00:11:00] of course this is a new frontier, right? 
 

Which means even if you're pushing these events and all of that, they need to be able to interpret this in the context of, you know, events which are happening. And, of course, there's a little bit of training which goes in there because of the fact that, you know, most of these individuals may not yet even understand many of these browser attacks. 
 

And that's what we've seen in the early deployments, is to an average security person, if you say, Hey, SSO and SAML attacks or identity attacks happening in the browser, uh, most of them haven't really seen how that can even be caught. Because, again, it's a blind spot today. So it's not an alert they're used to. 
 

Exactly. So I think that is really where what we've tried to do is see if we can map to things like MITRE and all of that. Where even though the attack itself might be very nuanced from the perspective of, you know, running in the browser, a client side attack and all of that. For somebody to understand this is easier. 
 

So it's a simple example. Let's say there is a malicious extension, uh, which one of the users has ended up installing and we [00:12:00] detect that. And that malicious extension was stealing credentials as you're, you know, surfing the web when you go to different websites. So what we do is we just map this to a credential stealer. 
 

Sean Martin: Okay.  
 

Vivek Ramachandran: So something they're familiar with. They're familiar with, right? So hopefully have  
 

Sean Martin: a playbook  
 

Vivek Ramachandran: and a response plan. Exactly. So we're trying to do that. Of course, there are certain attacks where there isn't such a parallel. And that's really where there's going to be a net new learning. But for what it's worth, what we've seen is people enjoy that because all of a sudden they feel like they've uncovered something new. 
 

They're learning something new. Yeah.  
 

Sean Martin: And one of the things I like to kind of ask is, so new alerts. Um, the last few weeks I've been looking at measurement metrics and what's the success look like? So how does a CSO know that they're succeeding? Yeah, with SquareX that they're actually, I presume they're going to get more alerts and hopefully they respond properly. 
 

Any other, any other metrics or things they can look to?  
 

Vivek Ramachandran: So, [00:13:00] so the way we've kind of looked at is we go in and a lot of times, of course, I'll break the CISO audience up into a few. The ones who are skeptical, right? They're like, Hey, you know, we don't need this visibility. That's really where we basically say, why don't you just turn the visibility on for free? 
 

And within a week, they actually come back and tell us these are all of these new things that they're looking at. And what is this? Right. What is this really happening on chatgpt.com? And that is really when we go in and basically say, look, this is bad behavior or attacks, which have been happening, which you've been completely blind to till this point. 
 

And that's really where a light bulb goes off. And, you know, and people are like, Hey, how do we stop this now? Now the second, you know, audience is who's technical, who understands this. So in that case, what we try to do is understand their organizational priorities or attacks that are already happening. 
 

So there was one customer who came in and said, well, you know what? Our, uh, executives are getting attacked via a SharePoint attack, which is really somebody sends [00:14:00] them a valid SharePoint link. They click on it, finally go to a credential stealing page. And because you started from a site that you trust, SharePoint.com, and anybody can create SharePoints, not just your organization, people tend to believe that, you know, they were trying to open a doc via SharePoint. And now they need to log into, you know, Microsoft online or whatever. And that's really where in those cases we go in and say, okay, is this the attack? 
 

Let's model it with SquareX and show you how SquareX can block it.  
 

Sean Martin: Yeah. The thing I want to touch on is I think some of the other offerings require some connection back to, I'll call it home base, right? Right. Through, through some tunnel or through some firewall. Um, how does SquareX handle that? Yeah. 
 

I'm thinking of the remote worker where. Yeah. They're not logging in through a VPN. Exactly, exactly.  
 

Vivek Ramachandran: So the good thing is, you know, because SquareX runs entirely within the browser. [00:15:00] Uh, at any given point, even if there is a loss of internet connectivity, it is still running. 
 

If the user is on an intranet, it's still running. If they're behind a captive portal at an airport where they still haven't logged on to the network, it's still running. When he finally connects back to the internet, we sync our logs, we sync back events, attack detections and all of that. Now, unlike a web proxy, where if there is an internet connectivity loss, everything is lost. 
 

Right. Right. There's absolutely no way now that proxy has access to the web traffic, which means it can't scrub, you know, or at least try to look for any attack patterns. So we've specifically built it in a way that even large periods of time where there is internet disruption. We can still go ahead, store the events locally in the browser local storage, which is pretty much as big as the disk space itself. 
 

Sean Martin: Yeah, because I would imagine some, some sophisticated attacks might look for that disconnect event and then [00:16:00] do their, do their deeds. Yeah, yeah, yeah. Absolutely. And then hope for the connection to come back. Absolutely. Um, I also want to touch on the, the toolkit. Yeah, tell us a little bit about that launching. 
 

Vivek Ramachandran: So, so I think, you know, seeing is believing, right? I mean, I could go up on stage, talk for 45 minutes, you know, main stage DEF CON and say, These are 25 different sins of secure web gateways. This is how this is broken, blah, blah, blah, right? And people will enjoy it and forget about it. So having been in cyber security research now 20 years, what I found is the moment you give people the right tools to test it themselves. 
 

Now you've empowered them. And that is really where, you know, what we're doing is we don't want these attacks to just be a theoretical discussion with some supposedly canned demos, right? Because I mean, that's, that's the most that we can show. Yeah. And then you don't want vendors to come back and basically say these were staged demos or whatnot. 
 

So what we are going to do at the very end is we are going to give out an attack toolkit, which [00:17:00] any organization can actually use and test against their SASE SSE solutions. Additionally, we are also putting up a website called browser.security. So, if you don't even want to set up the toolkit yourself, you can just go to browser.security, click, and see those attacks just happen against your network while you are on a SASE SSE, uh, you know, vendor pipe.  
 

Sean Martin: And for those wondering that there's, the payload's not there, right? 
 

Vivek Ramachandran: No, it's just a method with which, uh, in some cases there is a payload, but we warn you not to execute it because what we want to kind of like show is known malware can be fully bypassed using the attacks that we put out, uh, through the SASE SSE secure web gateways. 
 

Sean Martin: Playing with fire. I love it. Guess who else is playing with fire? And then they have nothing to lose. That's true. There's so many interesting things happening lately. Yeah, the bad actors. Alright, well let's um, [00:18:00] let's wrap up here Vivek. I know you have a few days here in Las Vegas, here at Black Hat and DEF CON. 
 

Um, what would be the final message to security leaders who have heard what you said and maybe want to take the next step?  
 

Vivek Ramachandran: I think, you know, the attackers have realized that all employees are spending over 90-95 percent of their time on the browser. And hence that is the application to target because that is also the gateway, you know, of everything in and out of the computer at this point in time. 
 

And that is really where I think there's been a lot of vendors speak about these proxies and all that they can help and scrub traffic. It's important to do your own tests and diligence. And hopefully people will start to realize that the best place to run a security product is a place where you can have 100 percent visibility of everything happening. 
 

And when it comes to client side web attacks, the only place is the browser. And now browsers are powerful enough that we can [00:19:00] actually have a browser native security product similar to SquareX. Yeah,  
 

Sean Martin: I love it. And, uh, yeah, so visibility, I think we talked about this before. Visibility and context and knowledge, right, can help you respond and protect. 
 

And I think the other point that, uh, that I keep hearing is that there's no impact to the end user and, and the, uh, the information and the operations of SquareX. Yeah. Don't impact negatively the IT and security folks, but in fact empower them as well.  
 

Vivek Ramachandran: Absolutely. Absolutely. That's the idea.  
 

Sean Martin: Always a pleasure, Vivek. 
 

Vivek Ramachandran: Yeah. Likewise. Thanks so much for having me on the show once again.  
 

Sean Martin: Wish you, uh, wish you the best for, uh, this week. Thank you. And a great talk and, and, uh, I don't know how many thousands of downloads of the toolkit and browser dot security clicks you get. But, uh, I think we might need to do the same, Marco. 
 

Have a check. I'm not, I'm not certain that Marco is doing the right stuff in his browser. So I'm going to have to run some of those tests. But anyway, thank you all for [00:20:00] listening and watching this brand story with SquareX. Please do visit their brand directory page and connect with Vivek and the team. 
 

If you're in Vegas still, go visit the booth. Have a pretty good team here, uh, all the way from Singapore. And, uh, Marco and I are going to go down and say hi to everybody as well. So thanks, Vivek. Thanks. Uh, thank you so much for having me on the show. Thank you. We'll see. I'll see.