A
Hey everyone, this is Casey Ellis for the Risky Business podcast and today we're talking to David and Daniel from Airlock. For those who don't know, Airlock provide an easy to manage and scalable application control solution to help their customers protect endpoints with confidence. So, yeah, Daniel and David are speaking at Falcon in a few weeks about browser extension management and why it's a priority for enterprises and you know, all of the different things that Airlock might be able to do to help solve this particular problem. So let's start with the fundamentals, like why, why are we talking about this in the first. Why do we care?
B
Yeah, so browser extensions in the enterprise, it's sort of something that snuck up on us like we're so used to in the mobile ecosystem having permissions front of mind, having what apps we install sort of front of mind and the consumers in control with browsers, we care about what browsers we have in the enterprise, but it's sort of like we've never really had great visibility into what's inside the browser because browser manufacturers have always focused on the outside, right. Creating the shell around the browser. Everything that's in the browser shouldn't matter. And if you've just got the browser there, it's fine. But when you start introducing third party code into the browser from all of these app stores that are largely sort of consumer controlled, those decisions still today, you start to introduce and break through a little bit of that security barrier and you can sort of put code in there where third parties can sort of snuffle data out of that protected shell. And yeah, because it's so hardened, you don't really get ease of visibility into that space and users are doing all sorts of interesting stuff at, you know, something like Grammarly, right. You know, checking all of your text effectively in order to correct your grammar, but that is not really done inside the browser, that's done off box somewhere else. So there's security implications for that. And you know, that story you can repeat a thousand times with a thousand different sort of manifestations, I guess.
A
Daniel, anything to add to that?
C
Yeah, it's pretty much the same. But yeah, I'd say also with the AI revolution that's led to a billion other browser extensions as well, where people are also entering more sensitive content as well.
A
That's interesting. So are you sort of saying there like with the whole kind of vibe coding thing and the ease with which someone can actually create a browser extension, there's like a.
C
Well, yeah, well, people are vibe coding browser extensions, which might not be considering security that much as well. But then also just there's a thousand new extensions related to AI and people are sort of interested in that as well, which is then asking for context on your people pasting code. All the traditional stuff in that space as well. But yeah, when I was looking into the permissions model for the browser extensions, I found that there are 97 permissions roughly at the moment to go through. And they go for different ranges from things being like can they capture your screen, can they capture the desktop, so it can even come out of the browser, let alone for things such as code execution and similar as well. So there's some interesting design learnings there as well when you look into. Start looking into the details to operating.
B
Environments inside your operating environment. And we haven't sort of inceptioned down to that point quite often when it comes to enterprise security. And users, unless you're really focused on it, are largely in control of that space.
A
Yeah, it's an interesting. I mean, David, the way that you kind of characterized it is intriguing to me because it feels a lot like the same kind of breach of assumed trust model that we had when we first started dropping wireless into enterprise networks, like way back in the day.
C
Right.
A
We've built a trust and a security model that assumes that you have to be inside the building to be trusted. And if you're outside the building, you're automatically not. But if you kind of violate that, then a whole bunch of things kind of get weird and unpredictable at that point in time.
B
Yeah. And in this case, you can teleport your friends inside the part of the building that you control. Right. You know, it's this really odd thing, which is just a byproduct of, you know, an enclave is great, but what matters is we've got code delivery inside the enclave. So, you know, and I think that the permissions model that Daniel briefly touched on there is complex and it's not front of mind when it comes to controlling it. You don't really. You can just. The granularity isn't there, where users just kind of have to accept it. It's like, here's what permissions I need, accept or don't use the extension. It's not like mobile where, you know, in the last few years you can actually revoke certain permissions if you don't want certain aspects of things to happen. And the browser manufacturers are tightening the amount of permissions up in order to try and get control of it. But just like app stores, there's just a mess of stuff that's there, from squatting to malicious extensions as well. So it's something that what we're talking about at Falcon is giving people some practical advice on how to start to get control of this type of problem.
A
Yeah, that makes a lot of sense. I mean, it's one of the. I think that side of it is something that I've always really liked about the idea of application allow listing just in general. And then when you guys popped up on the scene and started working on it, I got kind of excited because it has always been a really easy thing to talk about and a very difficult thing to do. And that seems to have been the focus of Airlock over the years and now it's sort of coming into this season. I guess this is no real kind of exception to the rule of why this is actually a pretty decent approach to doing it. Like, yeah, there are things that the browsers are doing in their marketplaces to try to root out evil or malice or things that are not necessarily something that an enterprise would want. But for an enterprise to fully rely on controls like that means they're basically losing control of the process. And you're playing a game of whack a mole at that point, right?
C
Yeah. And you're giving like the user the decision like you add an extension that pops up that little window that's like, hey, you're installing this thing and here's the 10 things it wants to do. A lot of people are just going to push the allow button at that stage. Right. They're not told doing a risk assessment at that point.
A
They don't read the EULA. What are you talking about?
C
EULAs, yeah, part of that path conversation. Right. So yeah, there's that. And it is that still like Dave quickly mentioned, it's like what you see on those marketplaces is still like extension squatting where people are putting similar names in, like search for Zoom meetings and how many Zoom Info meeting or Zoom Recorder and you can just get. The user could get installed a different one than the official one. I think that's a big risk. So the allow listing approach of just saying allow only what you trust, block everything else adds a pretty strong layer there just from people doing that. And then we've also seen where people's extensions, their GitHub repositories get taken over sometimes developers, traditionally, I think you have a security mindset or if they're vibe coding and the API keys are in their git and all this sort of stuff, they sort of lose control of the extensions at some point as well. So there's just these different types and then there's just the whole junk app shadow IT version where it's like I need my Bitcoin wallet and a browser extension and stuff like that. It's probably got no business in many cases in most orgs.
A
Interesting. So in terms of, I guess where you guys are having customers come and talk to you or some of the stories that I've seen you kind of pull out into this Falcon talk. But also I guess in terms of what you're seeing in the wild at this point, because you've got a pretty incredible kind of perspective on what's actually happening in bad guy land, what the bad actors are actually up to and I guess some of the things that might be going wrong. Can you give some sort of examples of that or provide just a general feel of what's happening, where that's going?
B
The funny thing is it's actually trying to sift through the noise and make sense of it because it's a very user initiated process. It's sort of like from a, from a targeting point of view, attackers will generally cast a wide net. It's not often used in a specific targeted sense where someone's like, I need to get into that organization specifically unless they're compromising the supply chain of a browser extension. If you want to target a specific install base, then that's how you would sort of do that through the supply chain. But if you're just trying to do a wide ranging sort of info gathering, you know, credential stealing type stuff, it's generally the normal squatting, malicious extension, you know, type approach. Quite often when users come to us or customers, I should say it's really trying to get a handle on the problem in the first place. And when they install it's like, oh, we have a wide range of stuff and it's just trying to understand, you know, it's often the first time that they're actually seeing that data and it's actually trying to go through and figure out, okay, what's the prevalence, which ones do we actually need? And then very quickly trying to sort of pair that back to a known sort of good trusted set. And it's really interesting going through those questions for sort of the first time because people have less of an idea about what's there than traditional files or applications.
C
Yeah, it's sort of like about the management's a big piece of this as well because it's not only just the browser extensions, it's what browsers are there in your environment. Like, let's start there, because you got your Firefox, Edge, Chrome, and then you got Brave and all these other sort of cloned ones with their own sort of flavor. So the first question, especially since we're doing app control, is like, which browser should be in the environment and allowed in the environment in the first place? Let's start there. And the first part is like all things, it's like asset inventory or software inventory to go like, well, where is it? What's actually out there and gain that visibility in the first place. So, for example, with us, what we're doing is that when browser extensions are being installed and such, we'll get visibility of that. But that doesn't really help you to get started. You really need to get some of that initial inventory of what's already deployed. And that's where we have an integration with CrowdStrike, where CrowdStrike already know all the browser extensions that are installed. And we can sort of bring those extension IDs in, you can review them and then decide to get that initial hit the ground running to sort of see what's going on in your environment. And then. And that's all CrowdStrike model. And a lot of the vendors in that space as well will tell you a little bit about the risk possibly, or the risk scoring based on the behaviors or the permissions of those extensions. So that sort of helps you make the decisions of going, should we trust this? Should we not? Because again, even the administrators can be looking at a list of extensions going, what is that? Is that the real one? Is that not like you still have to go through that same process? I guess you've just got a bit more of an analytical eye, hopefully, at that point.
A
Yeah, that makes a lot of sense. So is this like, is this a separate feature? Is it like, how long you like, what does this actually look like in the Airlock platform at this point? How do you guys help with this? And how do people kind of get involved in getting this insight if they're not already doing that?
C
So if you're an Airlock customer sort of already, then there's a lot of pivoting from the Airlock product into the CrowdStrike UI console. So, like, if something was blocked or something like that, or sort of pivot, you back up. And what we're doing at the moment is we're sort of building out our sort of second generation of CrowdStrike Foundry application. It's called, I guess it's the way that you can build applications within CrowdStrike. So we're actually packaging that up together now to collect all that data and allow you to make sort of decisions to not just enrich more data within the CrowdStrike console, but also sort of make some decisions and push decisions from that console as well to spend less time sort of pivoting between back and forth between the sort of two logins, the single pane of dash dream.
B
Yeah, so, but what we're actually doing from a browser extension point of view is basically what we'll do is we'll see when that browser extension installation event actually happens. We'll capture that information, validate it, make sure it's on your trust set, and then basically give you an enforceable sort of like, hey, I only basically want these particular extension IDs or extensions from these, you know, particular publishers to be able to be installed and then basically stop users from actually just going to the store and bringing that in. And if something gets blocked, they can request, hey, I'd like to use this extension and we'll give you the details on that so you can make those choices. So yeah, you know, that's what we're currently doing with the platform today. But what I would definitely suggest for organizations that want to get visibility over this and are thinking about this, definitely have a look at the, you know, the Active, so the group policy ADMX extension sets that are available for like Firefox, Chrome and Edge and bring that in and then what you can actually do is you can then start to at least give your capability to block extensions that are there and you can at least identify because you'll know, you know, if you're on site, just go for a wander around the office and have a look at different people's browsers from different areas and go, what do you have? And then if there's any alarm bells that you can at least use that extension template to figure out the IDs and just, just play whack-a-mole and knock them on the head and start to get some level of control over that.
A
Okay, that's good advice.
C
And those, those GPOs, your settings or the custom extensions, they've got thousands and thousands of settings inside of them pretty much like every browser setting and lots that you can't even probably easily do within the browser for a UI. So there's a lot of other sort of hardening wins available. So it's worth sort of looking in there because, you know, you can like disable all sorts of telemetry stuff. You know, that's a very quick win that doesn't cost you anything. You control what the users can actually change configuration wise. You know, set some defaults as well, like, you know, how many orgs are sort of enforcing certain search engines or something. You know, just that user preference stuff. I feel like this was also well managed back in the Active Directory days and we've sort of slipped a bit since then. And so as people are like between SCCM and Intune and GPO, like, you know, the maturity on some of these things have gone up and down.
A
Yeah, that makes total sense when you guys are talking about the different kind of permissions that exist, the different kind of risks that are ultimately being put in the hands of the users when it comes to browser extensions. Like what's, I guess your advice to a listener on how to start to get their arms around defending against this problem? What are their options from a hardening standpoint?
B
Yeah, so I think it's quite challenging from a permissions point of view. There are options to allow you to allow or block particular browser extensions from a GPO point of view. And the best thing you can obviously do is restrict the number or the types of browser extensions that people can install. I think if you're reviewing the types of browser extensions, there's a few permissions that you want to definitely look out for in terms of requests. Like there's File system and File System Write Access, which is a permission to browser extensions. There's desktop capture, which allows sort of full screenshots downloads open, which is we can launch downloaded files or execute them on the operating system. So there are a number of these, like really high risk sort of permissions in some extensions. And I think the best approach, what you can do is use whether it's ADMX templates or another solution is one, get the visibility, two, try and restrict it to a trust set. And when you're reviewing what you want to allow or block, have a look at what really high risk permissions are when you're reviewing those types of browser extensions to sort of give you pause to say, I don't know what this is, but I know it's requesting an extreme level of access on this system which should never really be allowed.
A
So if as a user or if as an administrator, I take that advice, start trying to do that and then get promptly bamboozled by the number of options. What's a good approach to I guess, spinning up on the art of the possible here?
B
There's a reason that we're talking about this, which points to the challenge of control and granularity of control in this space. And I think again, the best thing you can probably do is say, is this work related? And you'll find that unlike desktop applications, the distinction of whether a browser extension is needed or not in the enterprise is a far easier decision to make a call on just based on the nature of it. Because not often you will have a browser extension. Like it's clear when a browser extension supports your business functions or not. I personally think, like just anecdotally. And then if you're not sure and you're on the fence, get the browser extensions permissions, have a look at what those permissions are actually requesting and that will help you inform, you know, a level of security risk there. But, you know, deny by default is always going to be the way here.
C
I think that gives a summary of the problem, really, like the permissions and everything is so complicated that yeah, it might give you some indications that yes, this could be a risky extension because it requests all these strong permissions, but that level of granular permission control and you can do some and not others, with different browsers with different extensions, like at the end of the day. And I guess we're app control people, right. So we're going to say, well, allow the ones that you allow and they will probably have the appropriate extension permissions. And if they don't, what's your choice anyway, apart from saying, no, we're not trusting this or we won't have that. But you know, Zoom's going to want these accidents and there's going to be a browser extension you want, so we're going to allow it.
B
Yeah. So I think if you were going to approach this, it is get an inventory of what you have through a mechanism review and approve the ones that you want to allow and then block everything else and then define what permissions you don't want. Because there is a, is a standard sort of permission set for, as a framework for making decisions into the future, and then try and control any other browsers that you don't really have a solid grip on outside of that. It'd be that portable applications, you know, people using other non enterprise browsers, things like that.
C
Cool.
A
Well, as we're kind of rounding into the final stretch here, Daniel, you mentioned that there's a new release, the platform that's come out over the past little bit. Do you want to speak to that real quick?
C
Yeah, sure. So, yeah, we've released Airlock 6.1. We've got a whole new sort of UI sort of refresh. That's definitely a lot tidier and it looks a bit prettier. And then another big thing that we added was the ability to like Entra cloud sync. So what that allows you to do is now make soft policy rules for such as we want to block PowerShell for members of this group or not this group, and these sort of things based on Entra groups before we had AD and on-prem support, but now switching into that sort of those new modern platforms, that definitely gives a lot more control. Very, very cool.
A
All right, so I guess the call out here would be if you're planning on attending Falcon in a couple of weeks time, when is it and where? Just, just for the audience.
C
Next week in Las Vegas.
A
Excellent, excellent. So if you, if you're at Falcon, highly encourage you to come up and grab, you know, David or Daniel or any of the other airlock crew that might be there, have a chat about this stuff, if it's interesting to you, and it definitely should be. The browser definitely feels like kind of this newly discovered but, you know, very kind of central battleground that we're all kind of fighting over at this point in time. So it's great to hear that you guys are working on this and some of the thoughts that you've got on how to approach the whole thing. Well, this has been Casey for the Risky Business podcast speaking with Daniel and David and yeah, great to chat with you guys. Cheers.
C
Cheers.
A
Thanks, Sam.
Podcast: Risky Bulletin, hosted by Casey Ellis (Risky.biz)
Guests: David & Daniel (Airlock)
Date: September 14, 2025
This episode explores the increasingly complex problem of managing browser extensions in enterprise environments. Casey Ellis speaks with David and Daniel from Airlock about why browser extension management matters, what risks enterprises face, practical management strategies, and how Airlock's latest updates and integrations can help organizations gain control over browser-based threats. The discussion includes real-world enterprise stories, insights into browser extension permission models, and tactical advice for hardening browser security.
"When you start introducing third party code into the browser from all of these app stores that are largely sort of consumer controlled... you start to introduce and break through a little bit of that security barrier." ([00:33])
"With the AI revolution that's led to a billion other browser extensions as well, where people are also entering more sensitive content as well." ([02:05])
"Can they capture your screen, can they capture the desktop... for things such as code execution and similar as well. So there's some interesting design learnings there..." ([02:28])
"For an enterprise to fully rely on controls like that means they're basically losing control of the process. And you're playing a game of whack-a-mole at that point, right?" ([05:06])
"You're giving like the user the decision... A lot of people are just going to push the allow button at that stage. Right. They're not told doing a risk assessment at that point." ([05:59])
"It's really trying to get a handle on the problem in the first place... it's often the first time that they're actually seeing that data..." ([07:50])
"We have an integration with CrowdStrike, where CrowdStrike already know all the browser extensions that are installed. And we can sort of bring those extension IDs in, you can review them and then decide..." ([09:18])
"There's File system and File System Write Access... there's desktop capture, which allows sort of full screenshots downloads open... really high risk sort of permissions in some extensions." ([14:29])
On the Challenge of Extension Management:
Casey: "It has always been a really easy thing to talk about and a very difficult thing to do." ([05:06])
On Allow-listing as a Philosophy:
Daniel: "Allow only what you trust, block everything else adds a pretty strong layer..." ([06:16])
On the Scale of the Problem:
David: "People have less of an idea about what's there than traditional files or applications." ([07:50])
The browser is a new battleground for enterprise security, with extensions providing both utility and substantial risk. Proactive management—rooted in allow-listing, strong inventory practices, and awareness of high-risk permissions—can help organizations better control this increasingly critical attack surface. Airlock and CrowdStrike’s integrations offer practical tools for regaining control.
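The approach the summary describes (inventory, deny by default, allow a trusted set, and scrutinise high-risk permissions) can be turned into a small review script. What follows is an added example written for this page; it is not Airlock's, CrowdStrike's or the podcast's code. The extension IDs and manifests below are constructed placeholders, not real Web Store entries; the permission strings and the `ExtensionInstallBlocklist` / `ExtensionInstallAllowlist` policy names are real Chrome and Edge names that the ADMX templates mentioned in the conversation expose to Group Policy.

```python
"""Deny-by-default extension review: allow-list by ID, flag high-risk permissions.

Added example for this page (not Airlock or CrowdStrike code). Sample IDs and
manifests are constructed placeholders.
"""
import json

# Permissions the guests single out (desktop capture, opening downloads) plus a
# few others of the same class. These are real Chrome/Edge permission strings.
HIGH_RISK_PERMISSIONS = {
    "desktopCapture": "capture the entire desktop, not just a browser tab",
    "downloads.open": "open downloaded files on the operating system",
    "nativeMessaging": "exchange messages with native binaries outside the browser",
    "debugger": "drive any tab through the DevTools protocol",
    "tabCapture": "record tab audio and video",
    "proxy": "redirect all browser traffic through a chosen proxy",
    "clipboardRead": "read clipboard contents",
}

# Host permissions that cover every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(perm: str) -> bool:
    """Match patterns carry a scheme ('://') or are the special '<all_urls>' token."""
    return perm == "<all_urls>" or "://" in perm


def review_extension(ext_id: str, manifest: dict, allowlist: set) -> dict:
    """Return a deny-by-default verdict plus the findings a reviewer would want to see."""
    perms = list(manifest.get("permissions", []))
    # Manifest V3 moved host patterns into "host_permissions"; V2 mixes them
    # into "permissions", so both places are checked.
    hosts = list(manifest.get("host_permissions", [])) + [p for p in perms if is_host_pattern(p)]
    api_perms = [p for p in perms if not is_host_pattern(p)]
    optional = list(manifest.get("optional_permissions", []))

    findings = []
    for p in api_perms:
        if p in HIGH_RISK_PERMISSIONS:
            findings.append(f"high-risk permission {p}: {HIGH_RISK_PERMISSIONS[p]}")
    for p in optional:
        if p in HIGH_RISK_PERMISSIONS:
            # Optional permissions are granted later by a user prompt, so they are
            # easy to miss during an initial review.
            findings.append(f"optional high-risk permission {p} (user can be prompted to grant it later)")
    for h in hosts:
        if h in BROAD_HOST_PATTERNS:
            findings.append(f"broad host permission {h}: can read and modify every page")

    verdict = "allow" if ext_id in allowlist else "block"
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "verdict": verdict,
        "needs_review": bool(findings),
        "findings": findings,
    }


def build_chrome_policy(allowlist: set) -> dict:
    """Chrome/Edge policy values for 'block everything, allow only the trusted set'."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowlist),
    }


# Constructed sample data. IDs are placeholders, not real store IDs.
ALLOWLIST = {"placeholder-grammar-checker-id"}

SAMPLE_MANIFESTS = {
    "placeholder-grammar-checker-id": {
        "manifest_version": 3,
        "name": "Grammar Checker (constructed)",
        "permissions": ["activeTab", "storage"],
        "host_permissions": ["<all_urls>"],
    },
    "placeholder-zoom-recorder-id": {  # a constructed name-squatting lookalike
        "manifest_version": 2,
        "name": "Zoom Recorder (constructed lookalike)",
        "permissions": ["desktopCapture", "downloads", "downloads.open", "http://*/*", "https://*/*"],
    },
    "placeholder-wallet-id": {
        "manifest_version": 3,
        "name": "Coin Wallet (constructed)",
        "permissions": ["storage"],
        "optional_permissions": ["clipboardRead"],
    },
}


def review_all(manifests: dict = SAMPLE_MANIFESTS, allowlist: set = ALLOWLIST) -> list:
    """Review every inventoried extension against the allow-list."""
    return [review_extension(ext_id, m, allowlist) for ext_id, m in manifests.items()]


if __name__ == "__main__":
    for result in review_all():
        print(json.dumps(result, indent=2))
    print(json.dumps(build_chrome_policy(ALLOWLIST), indent=2))
```

In practice the `SAMPLE_MANIFESTS` dictionary would be replaced by whatever the inventory step produced (extension IDs pulled from an EDR, or the manifest.json files found under users' browser profile directories), and the policy dictionary would be applied through the ADMX templates or a management tool rather than printed. Note that the allow-listed grammar checker is still marked `needs_review` because of its `<all_urls>` host permission: the verdict comes from the trust set, while the findings are there to inform that decision.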
If attending Falcon in Las Vegas, David and Daniel encourage in-person discussions for deeper dives. ([19:02])