
Jeswin Maathai
Browser security aims to protect users from cyber threats encountered online such as phishing, malicious extensions and malware. It's a complex, multifaceted challenge that's increasingly important as cloud-based tools, SaaS platforms and collaborative applications become the backbone of modern workflows. Jeswin Maathai is the chief architect at SquareX, which is a cybersecurity company focused on protecting users and companies from web-based threats. Jeswin joins the podcast to talk about SquareX and modern strategies for browser security. Gregor Vand is a security-focused technologist and is the founder and CTO of MailPass. Previously, Gregor was a CTO across cybersecurity, cyber insurance and general software engineering companies. He has been based in Asia Pacific for almost a decade and can be found via his profile at vand.hk.
Gregor Vand
Hi Jeswin, welcome to Software Engineering Daily.
Jeswin Maathai
Hi Gregor, it's great to be here.
Gregor Vand
Yeah. So Jeswin, great to have you on today. You're here from SquareX, which we're going to hear all about. Just, you know, sort of spoiler, it's all sort of in security and we're going to be talking a lot about browser security today, and for once we're actually both sitting in Singapore, which is nice. I'm usually talking to someone far, far away. But yeah, it's a very hot day in Singapore today, so nice to have you here, but let's start the normal way, so to speak. So Jeswin, I think you've got a pretty interesting sort of history before SquareX and a lot of security experience. Could you maybe just talk a bit about, from, I don't know, leaving high school to kind of SquareX? What was that sort of journey for you?
Jeswin Maathai
Yeah, thank you so much, Gregor. So it started off in high school where I got, you know, a bit scared seeing all of the activity that happened online and security. The reason I got into it was primarily, you know, just to be aware of the hacks, the attacks that happen and how I can protect, you know, myself as well as people I care about. Right. So because someone losing a lot of money in any of the scams, phishing, it can impact or, like, you know, can have a scarring impact on their life. So that was sort of, you know, a fear that I had that sort of pushed me in the direction of security. And very early on I was very into computers, so I'd be exploring various programming languages, even exploring hardware, whatnot. So that's how it started, and then during my university again. And security is one of the most difficult fields to get into because in order to break something, you need to understand how it works. So to get to the first mile is, like, very, very difficult. So that's where in my university I just focused on computer science fundamentals, ensuring I'm at least grasping how the world works, how the Internet works. And then slowly I started to explore various courses, and at that point in time there was not proper course material or a guide on how to start a career in cybersecurity. So just, you know, throwing my hands around various, various courses, topics just to have some more context. And I was a complete newbie in the field of security. Then luckily, Vivek Ramachandran, who was the CEO of Pentester Academy, was looking for interns at the time. So I applied and everything went well and I got in, and I absolutely loved the people there. So it was a very small team, but they were, like, very, I'd say high performant as well as aligned to the vision of what we are building. Everyone loved security. So I remember having, you know, 4am calls with my manager, and that is sort of unheard of at times. We both were, like, workaholics of sorts.
So during my internship time, it was just amazing. I got to explore so many technologies that I felt like the amount of learning I had had in just those six months was, like, massive. And a lot of people won't get exposed to that. And this was also the time where I was exploring options for Masters. So I had got an admit from some amazing universities in the U.S., but it was, you know, a leap of faith that I took that I have to join this startup. And one good thing that happened at the time was my work got published in two of the top conferences in security, DEF CON and Black Hat. So out of curiosity, you know, as an intern, my work got there. What is it that we can do full time and how the ride is going to be? And I knew that once I go for Masters, the opportunity can't come back, but when it comes to, you know, later on, at any point in time I can go for Masters. So that was, like, a sort of leap of faith I took. And some of the folks in my university were, like, a bit skeptical about this because this was the time, you know, in startups you join and they'll get a lot of work out of you, but the pay might not be good, or it could turn out to be a complete scam. So a lot of people are like, oh, why are you ditching the offers from such good universities and going for a startup? But luckily everything worked out, the team was amazing, and in just, like, a couple of months' time I got to learn quite a lot, and I'm a workaholic, right? So I put in a crazy amount of effort, and this was the time when we were building a lab platform with Pentester Academy. So to provide context about Pentester Academy, it was a cybersecurity education firm run by Vivek. Vivek Ramachandran is a cybersecurity veteran with over 20 years of experience. He has found multiple zero-day attacks; again, he's the first to find some of the attacks in, like, the Wi-Fi stack and so on.
So at the time again we had a course platform, but now we wanted to make sure that everyone can go ahead and do some hands-on exercise, and that's the best way to learn anything, right? You need to do hands-on. And when it comes to cybersecurity, that was lacking in the industry. So Vivek's idea was that we need to make a lab platform that can be fully accessible from the web. And if you think about it, getting hands-on experience in cybersecurity is a bit difficult. Reason being, you have to attack something that is vulnerable. So now you can't host something vulnerable on the public Internet. So all of the other players, the competitors, what they used to do was they used to create a VPN, and now you have to connect your device to the VPN network and there you'll get to attack those machines. But now the big problem with using a VPN is that it's a two-way street. So you can attack the other machine, but you can get attacked. So in every corporate organization VPN is, like, a complete no-go. So that's where Vivek thought that whatever solution we are building has to be served from the web. So we constrained ourselves to just a web browser and we ended up building an elegant solution. And at the start we were bashed upon that, you know, this is not going to work, VPN is the route to take and so on. But six months down the road everyone started copying the technology that we had built out, which is through the web interface. And we were the first to go ahead and provide, like, a full-blown desktop environment in a container. People used to do it in VMs, that's why again it was so expensive. But we were the first to sort of package everything in the form of a container, and that sort of changed the whole industry for the months to come. And while running Pentester Academy, I can.
Vivek ran it brilliantly with, like, just four or five folks, we were able to deliver so much, and we were so ahead of the competitors that even if they started copying us, they couldn't get to the point where we were. And while running Pentester Academy, what ended up happening was Vivek is a very curious person, right? He's hands down the most technical person I have met. And he noticed a lot of issues in the whole browser security space. And more importantly, if you think about it, the technology keeps evolving, but the phishing scams, the number keeps on compounding. So even though there's better technology, it is not going down because attackers are, like, finding a way to go ahead, you know, evade security solutions and whatnot. And none of the vendors are doing much about it. Google, Microsoft, you know, they aren't acting on it, even though they know something is happening. So a bit of frustration as well as various ideas Vivek had at that point in time, and now we knew that we can't run two businesses in parallel, and beyond a point again, in cybersecurity education, we had a massive impact, right? So we are talking about customers from Fortune 500 companies, U.S. Department of Defense, U.S. Army and quite a lot of defense agencies that we have trained people from. But we knew that at some point in time we'll hit the market cap, because among the whole IT population we have a small percentage of cybersecurity enthusiasts, out of which again, only a small fraction is going to go for the courses. So at that point in time, Vivek decided that it would be best to sell the business to a U.S. firm. So we parked a big win, and then one year down, we started SquareX with the sole vision of, you know, providing better security solutions on the browser, and started off as, you know, going ahead and protecting the user from scams, phishing attacks that would be happening. So I know this was, like, a long stint, but that's how the journey has been till the time SquareX started.
Gregor Vand
That's a great little history there, and I think it definitely leads really clearly into why SquareX is what it is today. So I think that's been really helpful, I imagine, for the listeners, sort of in terms of SquareX is very much all to do with the browser, but I'd obviously love to hear it from you. So if you were to describe what is SquareX today, I'd love to hear that. And then obviously we'll dive into a bit of detail in various aspects. So what is SquareX?
Jeswin Maathai
So at this point in time we are having a consumer version as well as an enterprise version, but I'll talk about the vision first, how it all started. Right. So if you think about it from a user's perspective, we have antivirus solutions to, you know, block any malware, malicious files that would be coming in. But now let's say you get an email that Google marks as dangerous, but it is an important mail that is coming in. So at that point in time, you'll go ahead, ignore the warning Google prompted you with, you'll download the file. Now, let's say your Windows Defender goes ahead, blocks you from opening the file. Now, it is important, so you'll go ahead, disable your Windows Defender, and then you'll end up opening the file, because again, false positives can happen. So the way the industry worked was again, blocking the user from doing things. And no one likes to be, you know, blocked or in a way deterred from what they wanted to do. That's where our philosophy was, let's not block the user, but rather provide them an alternate way to, you know, access the web, access the files in a secure environment. So one of the examples I can give is anytime I get a resume, right? And we are a security company, so I have to be careful about opening those resumes. And let's say someone sends an assignment with videos and files in it, I have to literally spin up a VM to make sure again, if I open the file, even if it has some malware, it doesn't end up compromising my device. So all of these are, like, a lot of concerns about the files that you are getting from the Internet. And that's how a lot of hacks happen. People accidentally go ahead, disable the security solution one time, they forget about it. And now you're open to the sea of malware that is out there. And it takes just one opportunity for the attacker to get in. Once that is there, then at that point in time, you might end up losing your credentials. You might incur, like, financial loss.
And to be honest, the world is quite ruthless, right? People don't care about what would be happening to you. So let's say you're in a very financially bad situation. Could be, like, a medical situation, whatnot. They don't care. They'll just take out the money. So that's where our logic was, that don't block the user from doing things, but rather provide them an alternate way. And a lot of people don't care about security that much. So in a way also to educate the users that at times you have to take a secure measure. So all of this led to, like, a couple of features called disposable browser, disposable file gear. Disposable browser is, like, a remote container on which again, a lightweight desktop environment is running. And on top of it a browser will open up. So it's a very seamless interface. Imagine that you surf something, right, and now you'll notice a lot of Google sponsored links coming in the search results. To be honest, I never click those, because what attackers do is they'll pay Google to make sure their website comes up on top. So instead of going to the legit website, you'll be going to, like, a malicious website. So what I do usually is all of those websites, I'll simply right-click and then open them in, like, the disposable browser. And that launches a remote container in SquareX's data center. And now the browser is running there, so you can access the website as you would on your regular browser. So in a way, the container is running, the browser is running and the view is getting streamed to you. And the container is ephemeral in nature. So you can destroy it at any point in time, no data retained or so.
Gregor Vand
Nice. So, yeah, I mean, there's a lot to sort of unpack here. You know, you've sort of described the experience, and I think probably quite a few listeners are asking quite a few questions in their head right now. Sort of, hang on, how does this really work? You know, SquareX describes itself as browser detection and response, which I really like. I really like that sort of idea. It's clearly a play on endpoint detection and response. Let's come back to that in a second. Just in terms of, endpoint is probably referring to just your OS in general. And then there's a reason now it's browser detection and response. But everything you just described there. Okay, so I'm using my browser, but I believe there's quite a sort of important Chrome extension piece here, because I think from what you described, okay, I might be opening something malicious and the disposable browser aspect sort of kicks into play. The missing link I think at the moment is perhaps the Chrome extension. I could be wrong, but maybe you want to talk about how does the browser know to sort of start spinning up a disposable browser, for example.
Jeswin Maathai
That's a great question. So again, I'll explain the decision of why we went with the Chrome extension approach. So originally, again, SquareX is a new company, right? People won't trust it that much. And to have our own, let's say, browser or installer, it's a very high bar for the users to install it. But if you think about a Chrome extension, people don't, you know, take a look that often; they are very open to installing extensions. Ever since the AI boom with, you know, ChatGPT and everything, people want to enhance their productivity. And again, the usage of extensions had skyrocketed. So we took a look at the stats and then we decided that an extension is the easiest way to get onboarded on the user's device. And now we had, like, a couple of features. For example, let's say you're surfing, and based on the links that you're seeing, we ourselves will identify that it looks a bit dangerous for you to directly open it in the browser. So we'll open it automatically in the disposable browser. That was, like, something that the extension is automatically doing. Additionally, what you can do is you can simply right-click any of the links, and in the right-click menu there will be an option, open with SquareX, disposable browser. So you click on it and then that link automatically opens. So it was a seamless integration from the regular browser to the disposable browser provided directly. And our idea was that slowly we have to go ahead, package a lot of security features onto the end device. Because most of the security solutions, the way they work is they don't do any analysis on the end device. They'll be sending it to the cloud, where again your content will get analyzed and then it will flag. Now this is a big privacy concern, because the data is moving out from the user's browser to the cloud. So with extensions, and the browser itself have become much more powerful, right?
We are seeing the end device, at one point in time, we were seeing, like, 4 gig devices, but now you're talking about 8, 16 or even 32. So the device itself has become powerful and the browser capability has increased quite a lot. So for example, WebAssembly has, like, skyrocketed, you know, in terms of the usage that is happening. So big players, Adobe, Figma, Canva, all of these guys are using Wasm. So what we did was we took the similar approach that we can use WebAssembly to go ahead, perform some of the operations that the endpoint detection or the antivirus would be performing. So before the file touches the disk, and to provide some more context, right? So all of the antivirus, they go ahead, act when the file touches the disk, because that's where again they can access the full file and take a look at what's happening. So even before that happens, SquareX can perform the checks in the browser in memory. That was in a way our superpower, to tell that you already have an antivirus. It will catch something if SquareX misses something. So these sorts of enhancements we were keeping on doing with the platform, and also to test out, you know, what's the performance impact on the end device, because it's a free extension, SquareX, in case anyone wants to try it out, and the users don't have an incentive to, you know, use the product unless they really like it. And it was a good test for us to figure out how well can it scale, how well can it run, and also to ensure whether it is causing any difficulty with the user. So if they feel that something is slowing down, they'll immediately uninstall. Similarly, again, if it is getting too annoying, they'll immediately uninstall. But that was a big exercise that we ran so that we gather all of the user experience with people who are not associated with us in any way. And it's, like, the raw, you know, just the likeliness of the product. Is it going to scale? So a couple of these questions were answered with that exercise.
And even today, again, SquareX, the extension is completely free for anyone to use, at least the consumer version.
Gregor Vand
So yeah, I mean, I think in terms of. Okay, so I think now is a good time, you know, browser detection and response, and then versus probably a term that at least a good number of our listeners have heard before, which is endpoint detection and response. And I think it's no sort of secret that the browser is becoming almost the sort of OS for most people day to day. So many things are moving into the browser that might have been able to or would have run as a native application. And it's interesting that you mentioned WebAssembly, because that's clearly this direction where we're able to package things. Again, applications that would have needed a lot of resources to run in the browser or on the OS, and now we're finding ways to run them pretty interestingly and efficiently in the browser because of WebAssembly. So if I'm using my browser, you mentioned sort of. Well, I guess I'm still just trying to understand it. SquareX, if I've installed the extension, does it sort of, I hate to use this phrase, but does it sort of pop up and sort of say, oh, we think you're trying to download something malicious, so and so and so, or is it something different? Because, I mean, again, to your point about productivity and not getting in the way of users. I think many users, including myself, would probably say, look, if I'm just trying to do something and then this thing pops up and says are you sure? That's already a friction point. So I'm curious how you guys have thought about that.
Jeswin Maathai
So the idea is again, we have to make everything configurable as a setting for the user. So by default a lot of things will be turned off, and then they can selectively enable some of the features so that again, it's not intrusive. We want to run as silently as possible without even the user realizing that SquareX is running. And that's where again, everything was, like, an opt-in that they can enable from the settings, and that way again they don't get blocked or, you know, annoyed in any way.
Gregor Vand
Yeah, gotcha.
Jeswin Maathai
The global developer talent shortage is expected to grow to 4 million in 2025, further contributing to developer burnout. With the security and talent shortage growing rapidly, businesses need effective tools to help developers efficiently and securely. That's where Bitwarden comes in. Bitwarden delivers trusted open source security solutions that empower your developers and security teams to securely manage and share sensitive information online. Protect your infrastructure secrets, API keys, user passwords, mailing addresses, credit cards, passkeys and more with easy-to-use and enterprise-ready Bitwarden solutions. Start your free trial today at bitwarden.com. So yeah.
Gregor Vand
I mean, you talked a bit about performance there, and that's obviously a very interesting piece. So as much as you can kind of reveal, how does this work behind the scenes? How, again, user experience and performance these days are almost intrinsically linked. So if something's going to take too long to tell me something, and obviously we'll probably get to AI in a bit. But AI is a great example of this, where unless I'm getting a response within three to five seconds, then I'm already kind of, you've lost me. So yeah, how do you look at performance, and sort of, how has that been sort of looked at behind the scenes?
Jeswin Maathai
Yeah, so in terms of performance, again the idea is we have to be, like, sub-millisecond in every action that we are performing. Some actions, for example, let's say file download, and if you're analyzing the file, depending upon the size of the file, the analysis can take some time. So that is one thing. Again, let's say you're downloading gigs of files, then definitely it can go up to, like, seconds, and worst case it can go up to a minute. But there is nothing we can do about that. But if you think about, like, users downloading files in general, most of the files will be very small in nature. Right. Not everyone will be downloading, you know, a 100 gig file or even a 10 gig file every day. And file downloads in general are very few unless again, the profession itself requires a lot of file download, upload and so on. One thing which we did was again to make sure that we benchmark everything properly, and a lot of optimization just keeps on happening over time. So in regular use it used to take, like, 1 to 2% of what the browser would be taking. And the browser is, like, you know, such a beautiful solution at this point in time. It automatically optimizes the resources it consumes as well as again the resources that the extension consumes. So let's say you have quite a lot of memory, CPU available and it is free to use. There's no other application using it, the browser can go up to, like, maybe 70, 80% at times, because again, there's some free resource available. But now something comes up, it will constrain that, and it will also make sure that the extension automatically gets constrained, as well as again, it might go ahead, kill off the service worker, which is, like, the main thread that is running, in case it is exceeding some memory limits. So in a way we are piggybacking on what the browser itself provides. And again, hats off to the Chromium team as well as the Firefox and Safari teams.
They have done a brilliant job in terms of managing the resources, making sure that everything is optimized.
Gregor Vand
Yeah, so I think I'd like to sort of go into more of the security side in a second. But yeah, I definitely have a big question, which is the decision around a Chrome extension as opposed to. We've seen some people, I wouldn't say just in security, but in some other realms say, look, Chromium is the de facto browser framework now. Okay, great. So why don't we piggyback on that, and we still come up with our own browser. It doesn't deviate too far from Chromium, but it builds in these things. I'm really interested to hear why a Chrome extension was still the decision over saying, this is the SquareX browser.
Jeswin Maathai
Yeah, so that's a great question. We looked into the other companies who had rolled out a browser, and we realized again, it didn't pick up. And these are very large companies, some of them were public companies. So the adoption of a new browser is, like, a very, very high bar, because in a way you're asking the user to transition all of their regular workflow from a browser to a new browser. And plus again, the, I'd say, credibility at that point in time, because we're a startup, right? So that credibility to build it up to a level where users are comfortable in terms of privacy, security, that's going to take a while. So we evaluated all of these options, and one biggest concern is that anytime you're using or, like, building your own browser, let's say there is a vulnerability that comes in, right? So all of those patch management is a very big thing to manage; in, like, every place software patch management is, like, it's a management sort of hell, I'd say. So that was one reason, because anytime a vulnerability comes in Chromium, right? So the Chrome team will go ahead, immediately roll out a patch. But now we are deriving something on top of Chromium. So if something comes up in Chromium as a vulnerability, now if we have deviated too far, we have to make sure that the patch is conveniently applied here, and also the design decision, right? So we can't deviate in such a way that it becomes, like, you know, completely something different from Chromium, so that all of those patches become, like, a big pain to manage. So from a security standpoint, from a management standpoint, we decided that at this point in time, again, just the enterprise browser, it has to be something revolutionary. It has to be something, like, you know, it's not possible to do on Chromium, at that point in time we can go ahead, decide. So we evaluated the whole extension story.
We figured out for most of the security related features, we have the power with the browser extension, which most people are unaware of. Browser extensions are, like, super powerful. And it sort of checked all of the boxes that we had in mind, so it was purely, you know, a management plus security related decision to go with a Chrome extension. So let's say again some vulnerability comes in in Chromium, Chrome will automatically patch it. Now we are running as a browser extension. If some vulnerability comes in our software, all we have to do is, you know, push a new update to the Chrome Store or the private link that we have, and the browser automatically will pull it in after, you know, a few hours' time, in some cases a day's time. So it is a much more secure version of the solution that we are offering. And the best part is again, the user doesn't have to go through any change management. They don't have to, you know, change their regular workflow in any way. Everything works out of the box.
Gregor Vand
Nice. When I first saw the product, so it was at GovWare in Singapore. It's a bit of a strange name, but it is basically the biggest cybersecurity conference in Singapore, other than there's a Black Hat offshoot that comes to Singapore as well. But yeah, if you sort of think of, I don't know, almost like DEF CON Singapore is sort of like that. But yeah, and I was really, really impressed by just sort of seeing what actually the ultimate capabilities of a Chrome extension are. I mean, just to dive into some small details for a second. I mean, when SquareX was started, was that. I'm trying to sort of match up times now. Was that the V2 manifest versus V3, or did you guys get lucky and start on V3, or how did that work?
Jeswin Maathai
We directly started with V3.
Gregor Vand
Okay.
Jeswin Maathai
Even though, again, we were not leveraging a lot of heavyweight features from V2. So again, we could have done it for V2 as well, but we decided that V3 is the best way to go.
Gregor Vand
Nice. Okay. So you avoided, I think, a lot of headaches there. Yeah. We've had some other security companies on the podcast, and obviously they've been around. Well, they've been around a bit longer, and yeah, unfortunately one of the reasons that their extension was sort of lacking to users was just actually that V3 had come along and they were having to take a lot of effort and time to upgrade to V3. So that's one of the powerful things of being a startup, is if you can start at the right time, then you can miss these things out. So you mentioned, I think it's interesting, Chromium in terms of, well, if things get patched there, then they deal with it, and obviously if there's anything to do with the extension, you would look at that. But just in general, from the security landscape, or rather the threat landscape, how do you assess and keep on top of what you consider a threat? I believe one example that you guys cover is malicious QR codes, as an example. Could you maybe give some other examples of the kinds of things you cover? And then also what's your sort of process for sort of looking out for and keeping on top of what can be considered a threat within the browser context? Because I guess also you've talked about phishing, and phishing is this ephemeral thing, as you've just said, it doesn't seem to matter what happens. Phishing just continues because people are smart, and plus AI. So, yeah, I'd love to hear all about that.
Jeswin Maathai
That sounds great. Yeah. So just to provide some more context of, like, what SquareX is trying to solve. So we have a couple of big players in the market. So we have, like, what's called EDR, endpoint detection and response; for the consumer folks, you'll be familiar with, like, antivirus solutions. So EDR is, like, an antivirus solution but for enterprises. So now these solutions, you know, they came up at a time where everything was running on different applications on the local machine. So we're talking about MS Office, Adobe, your video player, whatnot. So they're great at detecting malware that directly comes on the disk. But over time what happened was everything got transitioned to the browser, and ever since COVID hit, what ended up happening was a lot of work from home, a lot of SaaS applications, like, skyrocketed, and the browser became the main interface through which everything is happening. No longer we are using, you know, most of the time we won't be using local applications, and in enterprise, 95% of the time users spend on the browser. And attackers are, like, the smartest folks on the planet, right? So even if we have the best security solution, they'll find a way to beat them. And the way they're beating it right now is by remaining in the browser without triggering any file download; they'll try to be on the browser, could be, like, a phishing page or could be a QR code. Now imagine that you are on a corporate device with the best security solution. Suddenly you see a QR code. Now the user will be incentivized to, let's say it could be something related to travel deals, it could be a financial tip, whatnot. They'll be incentivized to go ahead, scan the QR code. Now the moment they scan the QR code, you are on a smaller device more susceptible to phishing attacks, and more importantly you're using a device that does not have any security solution that the enterprise would have provided. So a couple of these vectors were coming in where attackers are just living on the browser.
Another example is I'm not sure if you're familiar with the pop up based scam. So basically what ends up happening is every website in today's time is asking for notification permission, right? So users are used to clicking allow, allow, allow. Now attackers are leveraging the same. So let's say you go to a website that asks for notification permission, you click on allow, nothing will happen to you at that point in time. But few hours later, what you'll see is suddenly pop up appearing from that website. And the way the browser works is that that website doesn't even have to be active when you're seeing those pop ups. So suddenly you see quite a lot of pop up that will show that your account has been compromised or malware detected on your device. So this actually we noticed on like couple of our non tech folks, some of their again family members went ahead and clicked on one of those website and what ended up happening was the pop up was spamming so much that it just filled the screen on the right side such that again you can't even click on the settings button to disable the notification permission for that website. So there's no way out. All you have to do is you'll be forced to click on the pop up. Now when you click on the pop up it will take you to let's say either a malicious website or it will take you to a affiliate marketing link. And the affiliate marketing link could be of genuine corporation, could be like Norton or an antivirus solution. Now the users are thinking that oh, their device has been compromised. Now when you click on it it takes you to Norton. So then you end up purchasing Norton and during this you are using affiliate link of the attacker. So they make money regardless of, you know, the approach they are taking. And this was one of the hardest attack to detect because the user is going to an official Norton website or antivirus company and there is nothing wrong about it. 
So all of these attacks are happening at this point in time that again it's like so smart of them to use this. And I think in 2022 alone close to 3.4 billion were lost to Norton and some other companies due to this affiliate marketing fraud. And the pop up based attack that is happening now what attackers are also doing is they know that the website will get scanned, right? So there are like a lot of point of presence around the globe which are held by security companies. And they're constantly scanning websites from different location, figuring out whether something is malicious or not. And attackers, the way they are evading that is by applying tactics such as they figure out the traffic is coming from data center, so they'll suddenly change the website's behavior and show a very simple page that doesn't have anything malicious. But now if the traffic is coming from a regular ISP from where the user will be accessing, they'll suddenly show the malicious website. So this is one tactic based on again the origin of the request, we show different behavior and this we are terming as like polymorphism or like polymorphic website. It is popularly used in malware, polymorphic malware they change their own behavior and this is exactly what is happening for the website in today's world. Another tactic is again they'll put a recaptcha on top of their website. Now let's say a security scanner is scanning, it can't go ahead bypass that recaptcha, only a human can. So but again this way again the security scanner are unable to pick it up. And lot of these website are out there in the wild for a long time. So even we tried, you know, reporting to Chrome and it takes them close to like even 16 to 24 hours to acknowledge and then fully take down the website and the process itself. It could be possible that some websites are up to like you know, couple of weeks to even months before they are finally classified as dangerous. 
So that's where again with square X the idea is that we sit on the browser, we see what the user is seeing. So we are acting on the last mile. So let's say you go to a phishing site, we can figure out that the sentiment is of login and the website looks like Microsoft, but it is not Microsoft. So and this could be like numerous number of indicators. First is again the visual based on the text that we have similarly again checks on the domains. So for example, if it's a domain it's like very newly registered, then it's a red flag. Now attackers are very creative, they'll go ahead, use a, they'll purchase a domain that is already there in the market for a long time to evade this sort of check. But in this case again we can perform checks such as again who is the owner of the domain and it looks like Microsoft, the website looks like Microsoft, but the owner is not the same as what Microsoft would be generally using. Similarly again from where the traffic is coming in a lot of parameters across like what is the server headers, whois related information, what are the way the SSL certificates are issued, who is the in a way signer of the certificate. All of these key metrics we are able to gather by sitting as an extension. And based on that we can deduce that oh this is like a bit risky, bit dangerous for a user to go to. So a lot of like in a way intelligence is embedded right there on the browser extension. And we are also having like some AI models that are packaged with like the ONNX model. It's a good thing that we can run on the browser. So all of those are packaged to go ahead analyze the content that the user sees. And all of this is happening in a Privacy safe way. More importantly, because we wanted to reduce the amount of data we'll be sending to the cloud. So most of this thing that I mentioned is part of our enterprise offering, how we are protecting the end users for businesses. 
And there again the challenge is we can't send a lot of data to the cloud because again, it's corporate data. So the more detection we do on the browser, the more data we reduce, the more again we are performant in terms of cost as well as again, in the whole user experience is much more seamless.
Gregor Vand
Yeah, that makes a lot of sense.
Jeswin Maathai
Developers, we've all been there. It's 3am and your phone blares, jolting you awake. Another alert. You scramble to troubleshoot, but the complexity of your microservices environment makes it nearly impossible to pinpoint the problem quickly. That's why Chronosphere is on a mission to help you take back control with Differential Diagnosis, a new distributed tracing feature that takes the guesswork out of troubleshooting. With just one click, DDX automatically analyzes all spans and dimensions related to a service, pinpointing the most likely cause of the issue. Don't let troubleshooting drag you into the early hours of the morning, just DDX it and resolve issues faster. Chronosphere was named a leader in the 2024 Gartner Magic Quadrant for Observability Platforms. Find out more at chronosphere.io/sed.
Gregor Vand
So you've talked quite a bit about, I guess, sort of learning and detecting from what is happening, from actions. And also you talked just there about being able to use models, AI models, that again run in the browser. There still must be some degree of threat intelligence that you have to be aware of and bring into the platform. I'm curious about that, because if we look at other security domains like attack surface management, I would say, without naming names or companies, that the leaders now are the ones who have internal threat intelligence teams who are able to bring that right into the product, leading edge effectively. How are you guys looking at that? Because as you've just said, the attackers are the smartest people on the planet. And I would agree with that in the sense that they're very smart and there are no rules, so they can do almost whatever they want and try whatever they want. So how are you guys bringing that into SquareX?
Jeswin Maathai
So yeah, that's a great question. At this point in time, our idea is not to reinvent the wheel for some of these things. For example, we don't want to delve into, you know, threat intel for malware analysis; we don't want to do that, building our own full-blown malware analysis platform, because over the past two decades the industry has established that and a lot of big players are there. So we leverage threat intel for some of the things that are already there. For example, we integrate with CrowdStrike and ReversingLabs to get insights from them, and then our analysis runs in parallel to catch the points that they wouldn't be analyzing. So in a way a bit of our own intelligence is there, based on our experience, right. So we are a bit disappointed that the big players, some of them, are not doing that great of a job when it comes to, let's say, office documents, and we did a full research publication on the same: that Google, Outlook, all of the big players, email vendors, none of them are doing as aggressive checks as they should be. And we were able to demonstrate that a simple malicious office file can go through, and VirusTotal will only give certain hits where everyone should be flagging it at that point in time. So again, leveraging the intel where we can, plus our own intelligence is built out. Similarly, for web applications we are leveraging the intel that is around, provided by the big players, because anytime, let's say, a malicious website has been classified by someone, if it is malicious then we immediately block it. On top of this, what we are doing is we are building our own intelligence for the web, because the intelligence everyone has is a bit outdated. It is not capable of capturing the new attacks that we are seeing out there. So that's where the whole analogy of browser detection and response comes in.
So we are the first browser detection and response solution, and the idea is the same: that we will provide the threat intel for the web-based attacks that are happening. Any attacks that other vendors are not capable of detecting, that is the void we are going to fill, and that's our positioning at this point in time. And slowly we'll go after other vendors as well. But we realize that there's a big market for us to capitalize on in the whole browser security space. And once we do that, at that point in time we'll definitely delve into the limitations various vendors are having and maybe have our own analysis engine in all of those segments.
Gregor Vand
Again, just to sort of paint a picture for, I think, listeners in this space. Am I right in saying, if it's not the solution that SquareX is providing, it's actually more of a solution where you're almost kind of using a sort of VM browser, almost? I'm sort of trying to think of some other vendors. I'm not going to name the names exactly, but some other big players there who say, oh, our browser is the safe browser and there's no latency and so on and so forth. But you're kind of effectively using a VM, a virtual browser, or something to that extent. How would you categorize the competition just from a technology standpoint?
Jeswin Maathai
That's a great question. So in our case we are running as a browser extension in the user's browser. So in terms of performance everything is super good. There's no VM or container-based access being provided for their regular workflow. Now, what we have is a feature called isolation. So let's say an enterprise is not comfortable with, you know, users accessing a website on their regular device. They can either block it, so if you block it, they can't access it, or you allow it, and they can access it. But now with the isolation feature, what happens is that's where we have a container that is created in the cloud, and we have a desktop environment that runs in the container, and that view is streamed back to the end device. So this way, any website you access in the container is completely isolated, and the user wouldn't be at risk of, you know, the security threats that are there. So that is one. And our preference, to be honest, was to avoid isolation technology as much as possible, because it is running remotely, right. It is a remote browser, and users are used to using their regular browser. They are way more familiar with it, and they wouldn't be able to get that hundred percent of the feel on the remote browser. So our recommendation is to only use isolation for some websites, not make the isolation the main browser, which a lot of other vendors are doing. Because again, it gets super frustrating, super annoying, when you're seeing the latency go up and suddenly you're trying to watch a video and it starts to lag, and all of those things start to happen. So yeah, that's where with SquareX the detection, the analysis, everything happens locally to make sure the user experience is the best on any website they're visiting.
Gregor Vand
Nice. I think it's still helpful to call out to our listeners that this is still quite an evolving space, right? You know, I think it's only been fairly understood quite recently that actually the browser is basically where most of the problems happen. And whether it's email, as you've called out, phishing is where this happens a lot. And that can obviously be where the email providers are saying, look, we'll try and take care of this. But equally, at the end of the day, it's still mostly happening in the browser to some degree. So it makes a lot of sense that we evolve the solutions around what is happening in the browser from a security standpoint. And unfortunately we can't just rely on, I don't know, Google building things into Chrome. There's a big enough job there just to run Chromium itself. And unfortunately we're seeing things like Firefox kind of dying away a little bit, because it is too hard to keep up with the requirements of today. And obviously on their side, that's purely open source and I'm sure there's some funding there. But it's difficult for Firefox to really keep up with the juggernaut that is Chromium and Chrome, et cetera. As we sort of come to a close here, where does SquareX go from here? And is there anything that you can share in terms of, over the next six to 12 months, what are the sort of things that we can maybe expect to start to see from SquareX?
Jeswin Maathai
I think that's a great question. So at this point in time, what we realized was that all of the vendors, right, so we have a couple of competitors, I won't say the names, but all of them are not very security or attack focused, and they lack sufficient background to go ahead and build the detection to prevent the threats that are happening. If they had, then they would have definitely built it by now. So our approach is to go ahead and build out a full suite of detection across all the attacks. We already have a lot of them built out, but to make sure that we just keep on compounding on the library of detections that we have, to make sure that anytime a user visits a website, even before they see it, we can go ahead and block it. So that is one thing. Additionally, there are a lot of features in the pipeline, such as private app access, VDI replacement, all of those. Those things are also coming in, in a way to make it easy for any enterprise that is out there to become sort of a one-stop shop for all the requirements they would have in terms of security, as well as making sure that productivity is amazing within the organization. So that is something, and just making sure that we are the thought leaders, we are the innovators in the industry, and that is in our DNA. You know, we can run or establish a business; to rephrase it, it's relatively easy to build a decent business by doing certain things. But here again, it's just in our DNA that we have to be the best in the world and make sure that we are the pioneers, the innovators, and I'm super excited to envision the next couple of months. A lot of these features and parallel research are happening where we are trying to go ahead and block all of the attacks that would be happening on the web. So that's on the horizon. I can't reveal a lot of information, even though I'm tempted to.
But again, I'll have to check with the company on how much I can divulge.
Gregor Vand
All good. I mean, that's the great thing about having startups on Software Engineering Daily. We don't expect to be able to hear about the next 12 months; that's usually for larger companies. So it's just great to be able to have you here. Anyway, one final point, and this might be a question that a few people are still asking, in terms of SquareX versus a VPN, because I'm just thinking that might be the product that they're most familiar with in terms of something that might be helping them block malicious things. Could you maybe just summarize how SquareX goes beyond a VPN?
Jeswin Maathai
So that's a great question. With a VPN you're still vulnerable to a lot of attacks. It's just routing your traffic through a secure network or a secure location. But if you think about it, let's say you get a malicious website, right? So now it is opening on your end device. Now at that point in time that website could lead to some zero-day attack, and your device gets compromised. So that is one big concern we have around all VPN solutions. And what will end up happening is, with a VPN, sadly macOS removed the support for split tunneling. So all of your device's traffic is now going through some location, and in a way it will affect the user experience, because the websites will slow down. With the SquareX disposable browser, a couple of these features, again, it's a browser running within a tab of your regular browser. So anything you do there, it's just a tab. And that way the surfing experience is much better compared to a VPN. And more importantly, from a security standpoint, anything that happens there can't impact your regular device in any way. Let's say you go to a malicious website; it will impact the container that is running, and these containers are hardened on a day-to-day basis, making sure they're properly updated, patched, and the best security hardening mechanisms are put in place to ensure nothing happens. Again, worst case is some zero-day happens and there's no way SquareX can block it at the container level. You're still safe, because it's a remote container that gets compromised. It's a small part of SquareX's infra that might get compromised, but the user won't be impacted in any way.
Gregor Vand
I think that's a great explanation. So as you've heard, you know, any user can kind of get going with SquareX. So just to be clear, where's the best place to go and what do they do from there?
Jeswin Maathai
Best part about SquareX, so the domain is pretty short. It is sqrx.com, so again just head to squarex.com and take a look at the videos that are there. In case you want to try out the consumer version of the extension, then head over to the Chrome store and search for SquareX. We have above, I think, a 4.9 rating with 200,000 users actively using the product, which will tell the story for itself. So yeah, on the Chrome store you can find us, as well as on squarex.com, and do check out the enterprise offering that we have. It's quite innovative and it is relevant for every organization out there. Everyone is impacted by the attacks that are happening, and sadly there is no security solution apart from us who can provide protection in the browser to combat such attacks.
Gregor Vand
Nice. That was sqrx.com, so head there and check it out. Jeswin, great to have you here. Nice as always to have someone also in Singapore to speak to. Slight novelty for us at Software Engineering Daily. So thank you so much for making the time in your evening, and hope we get to catch up again in the future and hear how SquareX is doing.
Jeswin Maathai
Sure, sure. Sounds great. Thank you so much Gregor. It was awesome to be here.
Podcast Summary: Software Engineering Daily - Browser Security with Jeswin Mathai
Episode Information:
In this episode of Software Engineering Daily, Gregor Vand engages in an insightful conversation with Jeswin Maathai, the Chief Architect at SquareX, a cybersecurity company specializing in protecting users and organizations from web-based threats. The discussion delves into the complexities of browser security, the evolution of SquareX, and modern strategies to safeguard online activities.
Jeswin Maathai recounts his initial fascination with cybersecurity during high school, driven by concerns over online scams and attacks that could have profound personal and financial impacts. His passion for computers led him to explore programming languages and hardware, laying the foundation for his career in security.
During university, Jeswin focused on computer science fundamentals, recognizing the difficulty of breaking into the security field without a strong technical base. He secured an internship at Pentester Academy under CEO Vivek Ramachandran, a cybersecurity veteran known for discovering multiple zero-day attacks. This experience was transformative, providing Jeswin with hands-on learning and contributing to his work being published at prestigious conferences like DEF CON and Black Hat.
Despite receiving offers for a Master's degree in the U.S., Jeswin chose to join Pentester Academy full-time, attracted by the company's vision and high-performance team. Their collaboration led to the creation of a web-accessible lab platform for cybersecurity education, pioneering container-based desktop environments for secure hands-on exercises. This innovation set the team apart, leading Jeswin to eventually launch SquareX, focusing on browser security to address the evolving threat landscape.
Notable Quote:
"Security is one of the most difficult fields to get into because to break something, you need to understand how it works." – Jeswin Maathai [01:48]
Gregor prompts Jeswin to elaborate on SquareX's core mission. Jeswin outlines that SquareX offers both consumer and enterprise solutions aimed at enhancing browser security without hindering user productivity. The company's philosophy emphasizes providing secure alternatives rather than blocking user actions outright, thereby maintaining a seamless online experience.
SquareX introduces features like the Disposable Browser and Disposable File Guard. The Disposable Browser operates within a remote container, isolating browsing sessions to prevent malicious websites from compromising the user's device. Users can easily open suspicious links in this secure environment, ensuring that even if the site is malicious, the main device remains protected.
Example:
"Imagine you are opening a resume or an assignment with potentially malicious files. With SquareX, you can safely access these files without risking your device." – Jeswin Maathai [12:36]
SquareX leverages a Chrome extension to integrate seamlessly with users' existing browsers. This decision was strategic, allowing easier adoption without requiring users to switch browsers or install standalone applications. The extension can detect and redirect potentially harmful actions to the Disposable Browser automatically or via a simple right-click option.
Notable Quote:
"We wanted to make everything configurable as a setting for the user. By default, a lot of things will be turned off, and users can selectively enable features." – Jeswin Maathai [18:48]
Gregor inquires about the performance impact of SquareX's solutions. Jeswin explains that SquareX is designed to operate with minimal latency, aiming for sub-millisecond response times. They employ WebAssembly to perform operations within the browser efficiently, ensuring that the extension consumes only 1-2% of the browser's resources under normal usage conditions.
Key Points:
Jeswin highlights the shift of cyber threats into the browser environment, driven by the increase in SaaS applications and remote work trends post-COVID. Traditional endpoint detection and response (EDR) solutions are becoming less effective as malicious activities remain confined to browsers, exploiting sophisticated techniques like polymorphic websites and reCAPTCHAs to evade detection.
Notable Quote:
"Attackers are the smartest folk on the planet. Even if we have the best security solution, they'll find a way to beat them." – Jeswin Maathai [27:59]
SquareX employs in-browser AI models and leverages threat intelligence from established sources like CrowdStrike to identify and mitigate threats. Their browser extension analyzes various indicators such as domain ownership, SSL certificate details, and website behavior, enabling real-time detection of phishing attempts and other malicious activities.
Example:
"We can figure out that the sentiment is of login and the website looks like Microsoft, but it is not Microsoft. So a lot of indicators help us deduce it's risky." – Jeswin Maathai [35:28]
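As an added example that is not SquareX's code, the scorer below combines the indicators described above in rule form: login sentiment on a page that names a brand but is not on that brand's domain, domain age, registrant mismatch and an unexpected certificate issuer. The brand tables, weights, thresholds and page observations are all constructed for the demo; it also covers the aged-domain case from the interview, which the registrant check catches even though the "newly registered" check does not.

```python
# Added example: rule-based phishing-indicator scoring over observations an
# in-browser extension could collect. All tables, weights and samples are
# constructed for illustration; they are not SquareX's rules or data.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
import re

# Assumption: a tiny brand-to-domain table; real deployments use curated lists.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}
# Assumption: certificate issuer organisations the brand is normally seen with.
BRAND_ISSUERS = {"microsoft": {"Microsoft Corporation"}}
LOGIN_WORDS = re.compile(r"\b(sign in|log in|login|password|verify your account)\b", re.I)


@dataclass
class PageObservation:
    """What an extension can see about a rendered page plus domain metadata."""
    hostname: str
    visible_text: str
    has_password_field: bool
    registered_on: date | None     # from WHOIS/RDAP
    registrant_org: str | None     # from WHOIS/RDAP
    cert_issuer_org: str | None    # from the served TLS certificate chain


def registrable_domain(hostname: str) -> str:
    # Naive eTLD+1 (last two labels); a real implementation uses the Public Suffix List.
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mentioned_brands(obs: PageObservation) -> set[str]:
    """Brands named in the visible text or embedded in the hostname itself."""
    haystack = f"{obs.visible_text} {obs.hostname}".lower()
    return {brand for brand in BRAND_DOMAINS if brand in haystack}


def score_page(obs: PageObservation, today: date) -> tuple[int, list[str]]:
    """Return (risk score, names of the indicators that fired)."""
    findings: list[tuple[str, int]] = []
    if obs.has_password_field or LOGIN_WORDS.search(obs.visible_text):
        findings.append(("login_sentiment", 10))
    domain = registrable_domain(obs.hostname)
    for brand in mentioned_brands(obs):
        if domain in BRAND_DOMAINS[brand]:
            continue  # the brand on its own domain is expected
        findings.append((f"brand_lookalike:{brand}", 40))
        # An aged domain defeats the age check, so also ask who owns it.
        if obs.registrant_org is None or brand not in obs.registrant_org.lower():
            findings.append(("registrant_mismatch", 20))
        if obs.cert_issuer_org and obs.cert_issuer_org not in BRAND_ISSUERS[brand]:
            findings.append(("unexpected_cert_issuer", 15))
    if obs.registered_on is not None and (today - obs.registered_on).days < 30:
        findings.append(("newly_registered", 25))
    return sum(weight for _, weight in findings), [name for name, _ in findings]


def verdict(score: int) -> str:
    return "block" if score >= 60 else "warn" if score >= 30 else "allow"


# Constructed observations; none of these hostnames are real sites.
TODAY = date(2025, 1, 15)
SAMPLES = {
    "genuine": PageObservation("login.microsoftonline.com", "Sign in to your account", True,
                               date(2010, 3, 1), "Microsoft Corporation", "Microsoft Corporation"),
    "fresh_lookalike": PageObservation("microsoft-verify-login.example", "Microsoft. Sign in. Password", True,
                                       date(2025, 1, 5), "Privacy Protected", "Example CA"),
    "aged_lookalike": PageObservation("oldblogdomain.example", "Microsoft account: verify your account", True,
                                      date(2015, 6, 1), "Some Media LLC", "Example CA"),
    "new_blog": PageObservation("brand-new-blog.example", "My first post about gardening", False,
                                date(2025, 1, 10), "Jane Doe", "Example CA"),
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        total, why = score_page(obs, TODAY)
        print(f"{name:16} {verdict(total):5} score={total:3} {why}")
```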
Gregor probes into how SquareX integrates threat intelligence and AI to stay ahead of sophisticated attackers. Jeswin explains that while SquareX leverages existing threat intelligence from partners, they also develop proprietary intelligence tailored to web-based attacks. Their AI models, built with ONNX, perform on-the-fly analysis within the browser, balancing performance with robust security.
Notable Quote:
"Our idea is the same, that we will provide the threat intel for the web-based attacks that are happening. Any attacks that other vendors are not capable of detecting, that is the void we are going to fill." – Jeswin Maathai [37:20]
Unlike competitors who rely on VM or container-based remote browsers, SquareX's extension-based approach ensures superior performance and user experience. Isolation features are available for high-risk activities, allowing enterprises to protect sensitive workflows without compromising on speed or usability.
Key Points:
Jeswin outlines SquareX's roadmap, focusing on expanding their detection capabilities and introducing features like private app access and VDI replacements. The company aims to solidify its position as a thought leader in browser security by continuously innovating and addressing emerging threats.
Notable Quote:
"We have to be the thought leaders, we are the innovators in the industry and that is in our DNA." – Jeswin Maathai [43:39]
Gregor brings up the common comparison between SquareX and traditional VPNs. Jeswin clarifies that while VPNs secure traffic routing, they do not protect against browser-specific threats like zero-day attacks served by malicious websites. SquareX's Disposable Browser ensures that even if a site is malicious, the main device remains unaffected by isolating the browsing session.
Notable Quote:
"With the SquareX Disposable Browser, anything that happens there can't impact your regular device in any way." – Jeswin Maathai [46:11]
In wrapping up, Jeswin directs listeners to visit sqrx.com or search for SquareX on the Chrome Store to explore their consumer and enterprise offerings. With a high rating and a substantial user base, SquareX is positioned as a pioneering solution in the browser security landscape.
Final Quote:
"It's quite innovative and it is relevant for every organization out there. Everyone is impacted by the attacks that are happening and sadly there is no security solution apart from us who can provide protection on the browser to combat such attacks." – Jeswin Maathai [47:59]
For more information, visit sqrx.com or find the SquareX extension on the Chrome Store.