In late 2016, Microsoft announced that it would offer container-based isolation for its Edge browser, using its "Windows Defender Application Guard" technology. In May 2017 Microsoft released the first test version of this functionality as part of the Windows 10 "Redstone 3" Insider builds. While this step is likely to reduce the risk of malware infection, using endpoint-based isolation to protect the browser has security and functionality drawbacks that make the approach unsuitable for large-scale deployments.
Seeing Microsoft roll out this functionality is a testament to two important things. First, it supports Symantec's position that the browser is a major attack vector. Second, it further strengthens our position that isolating the browser is the best way to protect against malware, which is often delivered via uncategorized and risky sites. Microsoft points out that its latest browser has had fewer reported Common Vulnerabilities and Exposures (CVEs) than Internet Explorer and than the rival browsers Chrome and Firefox.
However, when enterprises consider isolating the browser, it is important to understand that Microsoft's (and any) endpoint-based isolation approach has drawbacks and limitations. These include hardware and software restrictions, endpoint vulnerabilities, usability issues, and deployment and scalability challenges.
Unlike web isolation, which executes web sessions remotely, isolating the browser locally moves the line of defense dangerously close to users' devices. A zero-day exploit in the browser or in its virtualization layer could be used to circumvent the isolation and then infect the endpoint. Indeed, Windows' Hyper-V has already suffered from vulnerabilities allowing remote code execution, and browser exploits have been used in the past to escape other browser containment solutions. The practical consequence is that the container's security boundary is only as strong as the hypervisor and the virtual-device surface exposed to the guest, both of which run on the very machine being protected.
Equally important, this endpoint-based browser isolation does not offer protection against phishing in its various forms, such as spear-phishing and credential theft, which continues to be the fastest-growing attack method. Microsoft's isolation approach for its Edge browser still lets users disclose sensitive information on phishing websites: the container limits what a malicious page can do to the device, not what the user types into the page, so it does not mitigate the risk of credential theft.
Hardware and Software Restrictions
Microsoft's browser isolation only supports devices running both Edge and Windows 10 (and, at release, only the Enterprise edition of Windows 10), a combination that is not widespread at the enterprise level. This significantly limits the applicability of the solution for the next several years.
As for hardware requirements, since Microsoft is leveraging its Hyper-V virtualization technology, the solution requires a 64-bit CPU with virtualization extensions (Intel VT-x or AMD-V), Second Level Address Translation (SLAT) and an IOMMU, with Microsoft's published guidance calling for at least 8 GB of RAM. These are stronger CPUs and larger memory than are commonly found in the corporate fleet. Meeting them may require refreshing devices, which can take years to accomplish in some organizations and dramatically increases the total cost of ownership (TCO) of the solution.
Lastly, because Hyper-V must be enabled and takes over the host as the root hypervisor, other hypervisors cannot run alongside it, so the solution is not applicable for user groups (e.g. R&D) that need to run non-Microsoft hypervisors.
The high resource requirements of running a virtualization layer on the endpoint could negatively impact users' web browsing experience (especially since most users tend to open numerous browser tabs), as well as other desktop applications, which compete for CPU and memory with the virtualization layer.
In addition, since Edge isolation does not allow browser cookies to be saved from one session to the next, each session starts completely fresh and loses the context of previous sessions, just as if the browser were opened in Incognito/Private mode every time the user navigated to a new site.
Last but far from least, Microsoft's isolation approach is limited to the Edge browser, which means that enterprises would need to enforce the use of Edge across the organization and prohibit end users from using other browsers. This requirement is not realistic, since Edge does not support common legacy web technologies (e.g. Java), so organizations would need to employ a dual-browser policy. Moreover, employees are likely to be reluctant or unwilling to cooperate with such a policy, especially since Microsoft browsers are steadily losing market share (see the browser market share diagram below).
With this endpoint isolation approach, the point of enforcement for browser policies is the endpoint itself rather than a central service. An administrator or other highly privileged local user can change the container's configuration on that machine without triggering alarm bells, since Edge itself offers no monitoring or reporting of such changes. In addition, an isolation solution intended for real-life large-scale deployments would need to offer centrally configurable policies.
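The two points above, the hardware and software prerequisites and the fact that the policy lives on the endpoint, can both be checked from the device itself. The following PowerShell script is an added example written for this article; it is not Microsoft's code or Symantec's, and it is illustrative rather than part of any product. It reports whether a Windows 10 host meets the Hyper-V prerequisites, whether the Application Guard optional feature is installed, and which Application Guard policy values are set in the registry, together with who can write them. The `AppHVSI` registry path and value names are an assumption based on the names the Application Guard Group Policy templates use; confirm them against the ADMX files shipped with your Windows build before relying on the output.

```powershell
# Added example (not from the original article): inventory a Windows 10 host
# for Windows Defender Application Guard prerequisites and policy state.
# Run in an elevated PowerShell session; Get-WindowsOptionalFeature needs admin rights.

function Get-WdagReadiness {
    $ci = Get-ComputerInfo
    $os = Get-CimInstance Win32_OperatingSystem

    # Hyper-V hardware prerequisites as reported by Get-ComputerInfo. Once a
    # hypervisor is already running, the HyperVRequirement* fields are empty, so
    # HyperVisorPresent is treated as sufficient on its own.
    $hwOk = [bool]$ci.HyperVisorPresent -or (
        [bool]$ci.HyperVRequirementVirtualizationFirmwareEnabled -and
        [bool]$ci.HyperVRequirementSecondLevelAddressTranslation -and
        [bool]$ci.HyperVRequirementVMMonitorModeExtensions -and
        [bool]$ci.HyperVRequirementDataExecutionPreventionAvailable)

    # TotalVisibleMemorySize is reported in KB; dividing by 1MB yields GB.
    $memGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)

    # The container feature itself is an optional Windows feature.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition          = $os.Caption
        Build            = $os.BuildNumber
        Is64Bit          = [Environment]::Is64BitOperatingSystem
        HypervisorReady  = $hwOk
        MemoryGB         = $memGB
        MeetsMemoryGuide = ($memGB -ge 8)     # 8 GB is Microsoft's documented minimum
        WdagFeatureState = if ($feature) { [string]$feature.State } else { 'NotAvailable' }
    }
}

function Get-WdagPolicy {
    # ASSUMPTION: key and value names follow the Application Guard policy
    # templates (AppHVSI). Verify against the ADMX for your build.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    $names = 'AllowAppHVSI_ProviderSet', 'AppHVSIClipboardSettings',
             'AppHVSIPrintingSettings', 'AllowPersistence',
             'AuditApplicationGuard', 'BlockNonEnterpriseContent'

    $props  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $result = [ordered]@{ PolicyKeyPresent = [bool]$props }
    foreach ($n in $names) {
        $result[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { 'not set' }
    }

    # Whoever holds SetValue or FullControl on this key can relax the policy
    # locally. That is the enforcement gap the article describes.
    $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
    $result['WritableBy'] = if ($acl) {
        ($acl.Access |
            Where-Object { $_.RegistryRights -match 'SetValue|FullControl' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique) -join ', '
    } else { 'key absent' }

    [pscustomobject]$result
}

Get-WdagReadiness | Format-List
Get-WdagPolicy    | Format-List
```

A fleet-wide run of these two functions (for example through a remoting session or a configuration-management tool) is the closest an endpoint-based approach gets to the central visibility discussed above: the policy still has to be read back from every device, and a local administrator who changes the `AppHVSI` values between runs will not be noticed until the next inventory.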
The Way Forward: Web Isolation
Microsoft's Edge isolation technology is not bulletproof because it isolates on the endpoint. Ideally, isolation should take place at the network level for the following reasons:
- It offers a higher level of security, isolating web sessions away from the endpoint and offering anti-phishing capabilities.
- It is much easier and simpler to deploy, as there are no hardware or software limitations.
- It supports all browsers and OSs and enables a seamless user experience.
- It is centrally managed so there is no need to monitor and enforce settings locally.
It is, therefore, no surprise that for large-scale deployments enterprises are looking for an isolation technology that minimizes business disruption and IT operational overhead, requires no endpoint installation or modification, and protects against both malware and phishing.
To learn how Symantec Web Isolation eliminates malware and phishing from uncategorized and risky websites, visit our product page.