In this episode of Threat Vector, Ofer Ben‑Noon steps in as guest host to interview cybersecurity strategist Kirsten Davies. They explore why browsers now handle 85 percent of work and how that shift makes them the prime attack surface. Learn how phishing and session hijacks exploit low‑friction paths, why Zero Trust and enterprise browsers must work hand in glove, and how AI can spot anomalies before data is lost. Tune in for practical guidance on balancing seamless user experience with powerful browser defense.
Transcript
[ Music ]
David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience, and uncover insights into the latest industry trends. I'm your host, David Moulton, senior director of thought leadership for Unit 42. [ Music ] In today's special episode of Threat Vector, guest Ofer Ben-Noon speaks with Kirsten Davies about the critical security challenges facing modern browsers. As our organizations conduct more of their business through web interfaces, they'll explore why browser security has become a primary concern for cybersecurity professionals. Their conversation covers the evolution of browser-based threats, the balance between security and productivity, the role of enterprise browser solutions in zero trust architectures, and how AI is transforming both attack and defense strategies in browser security. [ Music ]
Ofer Ben-Noon: Okay, Kirsten. First off. So, so great to have you here. I'm very excited. You know, we've been knowing each other for so long, and first time doing a podcast together, so pretty exciting.
Kirsten Davies: Absolutely it is. It's been a long time since we've known each other. I can't believe we haven't done this before, so this is great.
Ofer Ben-Noon: For sure, for sure. So today we are tackling something that affects every business and every individual, the importance of secure browsers. We are living in a world that most cyber threats start in the browser, obviously, whether it's phishing, malware, session hijacking, data exfiltration, malicious file downloads. Obviously the way that we have worked has changed completely during the last few years. Now with remote work, which is here to stay all over the world, cloud applications, web applications all over, and increasingly sophisticated threat landscape. So the browser is becoming more and more the front line of defense. How has the browser become such a key target for cyber criminals? What do you think about that?
Kirsten Davies: Because we do everything in the browser these days. We bank in a browser. We get our email in a browser. You know, we look at our calendar dates in a browser. We have connectivity to applications in a browser. And that's just in the private life of an everyday citizen. When you talk about that at the corporate level, you know, there's access by contractors, by consultants, by average everyday FTEs, you know, folks that are the front line of work. They're accessing applications through the browser. Sometimes they are, you know, using a BYOD device, and they're accessing their email. They're doing their day-to-day work in a browser. And I think there's a statistic out there for - that was recently in the "Key Insights for Security and IT Leaders" that 85% of work today takes place in a browser. That's huge. That's huge. I think it's a paradigm shift for us in the industry to be thinking outside of on-prem connectivity to in-the-cloud via the browser connectivity. And so, as a result of this, this attack vector has exploded because everybody needs connectivity to do their work. And if they're doing their work through a browser, 85% of which, if you believe the stat on that, then this does become a huge attack vector for threat actors. Everything from, you know, drive-by malware to just, you know, the threats that evolve through the space of having a browser.
Ofer Ben-Noon: 100%, and actually, if everything is in the browser, then there is no need to have the second hoop, you know, to take over the operating system, right?
Kirsten Davies: That's right.
Ofer Ben-Noon: So if everything is there anyway, so kind of focus on the browser, and the bad guys already got what they wanted.
Kirsten Davies: Well yeah, because bad guys are going for path of least resistance, aren't they? They're not here to make their lives harder. They're not going to do a super complex attack or an attack path if they can do something super easy, a spoofed website, or like, you know, malware, drive-by malware, things like that. Those are low-hanging fruit that they can grab, so why wouldn't they? They're in it for the bang for the buck, and that's a super easy way to compromise. Whether it's the identity going through and accessing an application itself, or just a click-through in and of itself from an email into a browser, into an application, just that click-through itself, with the identity harvesting. It's just easier for them, so of course they're going to take the easy route if they can.
Ofer Ben-Noon: 100% agree. What type of attacks are you seeing today that makes really securing the browser even more urgent than ever?
Kirsten Davies: Yeah, well some of them we've just been discussing right now. Super low-cost, low-friction, high-value attack vectors for these threat actors, you know, some of the ones that we've seen that are extraordinarily rudimentary but also very effective. A phishing email, an email that you then, as an employee, they go, oh, I need to click here to get my latest paystub. I need to click here to, you know, access an email from the president of XYZ business unit, whatever that looks like. They click through, it takes them to a malicious website that they don't realize is a malicious website, and then they have a whole identity harvest that happens right there, right? Just a scraping of identities. Likewise, when an employee is looking to log in to an application through a web browser interface, there can be that whole, again, old-school man-in-the-middle attack. It can be a skin on a web browser in and of itself, that does a redirect. I mean, these things are - these are old attack methodologies that are all new again because they work.
Ofer Ben-Noon: I think the easiest way to take over an identity, and then the data of an organization, phishing still works.
Kirsten Davies: Hmm.
Ofer Ben-Noon: Unfortunately, phishing still works, and it's like by far the easiest. You know, finding the zero days is much harder. And now with AI, it's so easy to craft an email that no human being will be able to kind of say, oh, you know, remember the times that you had all of the typos in the email? Gone. It's not there anymore, right?
Kirsten Davies: Right? That's so true. I - sometimes I want to see a typo in an email, because then I know a human wrote it, you know what I'm saying?
Ofer Ben-Noon: Yeah.
Kirsten Davies: As opposed to AI, which is -
Ofer Ben-Noon: Yeah, [overtalking].
Kirsten Davies: Yeah, exactly, [laughter].
Ofer Ben-Noon: How do you recognize a phishing email? It has a perfect grammar.
Kirsten Davies: Yeah, right.
Ofer Ben-Noon: That's kind of the - it's the opposite.
Kirsten Davies: [Laughter], perfect graphic, perfect grammar, perfect syntax. Yeah, I don't know. Hard to say, [laughter].
Ofer Ben-Noon: But then I'm wondering to myself, how could it be that browser security has been overlooked for so long, and still today? What do you think about it?
Kirsten Davies: Yeah. Look, I think some of this goes back to the human risk element, which is as humans interfacing with technology. Not cyber people, so I'm not talking about the cyber industry of operators and practitioners. That's a small component, right? Outside of practitioners and operators in cybersecurity, the human element assumes that when I'm interfacing with a website, I'm the only person interfacing with that website. I'm doing something relatively mundane or relatively secure, simply because I'm on the browser doing the work that I need to do. There's a presumption of security that's there. And so along with that presumption of security then is this whole thing of, well, what do you mean we need browser security? All I do is I type in a URL, and I go do my banking. Or I go access the SAP application at work, in order to do the updates that I need to do, or you know, pull the reports, the financial reports I need to pull. There's no assumption of any type of risk that's there, predominantly because, number one, you know, the older generation of our workforce presumes security. I think when there isn't security that's there, that's a - it's a cultural condition of an older generation of the workforce, which I'm approaching, so don't talk about, you know, I mean, I'm not pointing fingers anywhere, [laughter]. I'm not a spring chicken anymore, [laughter].
Ofer Ben-Noon: The [inaudible 00:09:14], that's the thing, no?
Kirsten Davies: Oh, thank you. Yes, you can say that all day long. I appreciate that. But I think there's a presumption of security because that's part of a cultural habit of an older workforce. Then in a younger workforce that's a digital native, there's no the thought around security really mattering. Again, outside of the cybersecurity and privacy industries themselves, because this whole notion of my data being private is a bit of a fallacy. I think it's a myth. You know, privacy is a myth. And so, because we post everything everywhere. Digital natives post everything about their lives everywhere. There's no presumption of a need for security. And so this whole notion of needing security in a browser, I believe, has been overlooked because of the human risk element. Humans do not presume compromise. Humans do not presume, oh, lack of privacy, I should be worried about this. Humans do not presume that there could be somebody looking over your shoulder, from a digital perspective, looking at what you're typing in, looking at the passwords that you've just typed in, which is, you know, as we know, like either a screen scraper or a keyboard emulator, imitator, that kind of thing, you know what I'm saying.
Ofer Ben-Noon: Yeah.
Kirsten Davies: So there's no presumption of a problem. And so, when there's a lack of a presumption of a problem, there's not going to be a hey, do we have security on this browser? We should maybe have security here. They don't, they don't think to ask for it.
Ofer Ben-Noon: And there are - maybe there is kind of thought, hey, it's so popular, everyone are using this consumer browser, so probably it's secure.
Kirsten Davies: Mm hmm.
Ofer Ben-Noon: Right, like kind of the rule of [inaudible 00:11:09] amongst billions of people, so probably it's good.
Kirsten Davies: Yeah, absolutely. And I'm a firm believer of - there should be frictionless security where we are able to have frictionless security, but there are actually times when friction should be introduced so that people are aware that there is security. For example, online banking. I want to be prompted for multifactor authentication. I want that as a consumer. Otherwise I'm like, why do I have my money with this bank? Can anybody log into my bank account? Do you know what I mean?
Ofer Ben-Noon: 100%. I think there are the points that you need kind of to trigger in the minds of the people, suspicion. Hey, let's think for a second about security. I agree that friction should be very limited, but there are some points that you would like to give minimal friction to your global workforce, and that leads me actually to the next point, which is typically enterprise security was focused on endpoints, networks, identity management. Where do you see secure browser fit into this modern enterprise security strategy?
Kirsten Davies: Yeah, look, I think it's a key component. So if we take a step outside of our traditional silo of security, right? So in security practitioning, security operations, we focus solely on risk management, risk reduction, right? What are the security implications of this tech stack? What are the ways of the data itself? What are the ways in which we need to secure the decisions that the CIO makes, or that the CTO makes, or the business leaders make, that kind of a thing. And that's important, don't get me wrong. That's very important. However, if we take a step back from our silo on that, we realize that these decisions are being taken by CIO, CTOs for example, by business leaders themselves. For more rapid connectivity, right? For more efficient delivery, and ingestion, and translating of data back and forth, so that decisions - quick and effective business decisions can be made. There's a need for expansion of the business itself, whether it's through M and A, or it's through just expanding product lines, or things like that. Geolocations, things like that. When we think about the decisions that the non-security executives are taking, enterprise browsing fits squarely within that. Why? The CIO is having to do more with less, drive efficiency, drive resiliency, and optimize cost structure. It no longer makes sense for CIOs to invest an enormous amount every year, or every two years, depending upon their refresh strategy for endpoints, and servers, and all those kind. It makes no sense any longer for them to invest enormous amounts of money and hardware, when you can have software access through a browser, right? You need a BYOD. You can have tablets, mobile phones, whatever that is, accessing the corporate assets, the SaaS services, things like that.
It helps the CIO drive these optimization, availability, even resilience, right, and lowering cost across the IT footprint, the technology footprint of an organization, or an agency, or a department, or whatever that is. So it's a long way around over to say that the software, sorry, the software security, yes, on the side of, like, a zero trust strategy. The access into the software, into the SaaS services must be secure from a zero trust perspective. But the access point through which employees, contractors, consultants, vendors are accessing these corporate assets is also super important, which is the browser, right? So it reduces cost, it drives efficiency, it drives optimization in the IT world for the CIO, the CTO. It puts data, data analytics, data insights, even AI tools at the fingertips of the business side of the house when they're trying to drive insights in order to make split-second decisions based upon revenue generation of expansion, or you know, reduction, things like that. So this whole notion of the browser itself becomes the gateway through which the whole business, the whole department, the whole agency can actually streamline efficiency, have dominance in data decisions, right? Have accessibility at the speed of thought, as it were, for the availability of these SaaS applications, and the tools that the frontline needs in order to make decisions. [ Music ]
Ofer Ben-Noon: And I think one key thing that we are hearing again and again in the market is, hey, in the past, in order to isolate data from leaking out of the organization, we needed, like, VDI, and Citrix, and stuff [overtalking]. If I can reduce all of that cost, have better user experience, and also better security, it's like triple win, which is like the ideal golden standard for all three, right?
Kirsten Davies: Yeah.
Ofer Ben-Noon: Because CIO is saying, I want better productivity, I want better user experience, and I want to drive efficiency across the organization. CISO is saying, wow, I can do all of that and become much more secure in terms of phishing, DLP, web security, file security.
Kirsten Davies: Yep. Yeah, 100%. It wasn't that long ago that COVID happened, and the world had to work from home with, like, three hours of notice, [laughter]. I mean, I remember that, and I laugh a little bit because it's a still a bit of a twitch in every CISO's memory, [laughter], from how painful that was for - yes, for the world from a health perspective. Yes, from a fear perspective. You know, we were all very afraid. There were things that were happening outside of our control. Life changed dramatically and irrevocably, with the advent of that. However, I remember from a technology perspective, and my colleagues in other industries, so I'm not speaking specifically about my experience, per se, because I wouldn't want to, you know, only talk about my experience. But across the industry, CISOs were having to figure out that very thing. We - do we do virtual desktops? Must we use, you know, must we send hardware to everyone who needs this compute power? At home, now. They can't go to the office. You know, what are the critical resources that are required in order for people to effectively work from anywhere? It was to work from home. Now it's working from anywhere. And while many organizations are moving back to kind of a hybrid model, some entities are moving back to a full-blown back in the office 100%, there still is the need for connectedness at any time from anywhere, and with varying security protocols, depending upon the confidentiality or the secured nature of the data or the assets that you're interacting with.
Ofer Ben-Noon: 100%. A stat that I've seen recently, actually, from Gartner, that 74% of workers will bypass security to achieve a business objective.
Kirsten Davies: I believe it.
Ofer Ben-Noon: And it's kind of clear, you know, that since the early days, security and productivity has been kind of in love-hate relationship, let's say. And what I think about it, kind of, how do we strike the ideal balance between keeping the browser secure and ensuring the employees remaining productive?
Kirsten Davies: Yep. Look, I think it's easier said than done at times. I don't think this is a technology problem, though. I think it's a culture problem. So, the technology is there, in order to have, you know, to implement secure browsing sessions. The technology is there to have more secure identities and zero trust principles involved with application integration, API calls, identity access into, again, bespoke levels of confidentiality of data, and transformation, and innovation. The technology is there, the culture is the hard part to change. And so, I think as CISOs, and as CIOs, we need to double down on this notion of frictionless wherever possible, adding friction where it should be in order to remind people, as we discussed earlier. In order to remind people that what they're interacting with is highly confidential, highly sensitive, whatever those things are. So I do believe that there's a lot more that we can do from a technology perspective. We need to be using the tools that are out there. We need to be implementing zero trust principles at pace, like not accepting that it's 5 or 10 years away before we're going to get this implemented. That's just not acceptable. It's absolutely not acceptable, when we really need to be doubling down on these areas of risk reduction. And that does take a partnership between the CISO, the CIO, the CTO, now chief AI officers, right? Business leaders themselves, heads of business units, because we have to do these things. It's not optional any longer to not have security around an organization's sensitive data. It's not optional to do that. Why? Because a well-placed attack can bring an organization to its knees. Ask any of the headline companies across the last two years. Even just two years you can go back and go, hmm, if you could have re-prioritized this, would you have done this differently? 100% they would have. And that's not the CISO's job alone. 
That is the CIO, the CTO, the heads of business unit, prioritizing these things that just simply need to be done. And I think, I would say respectfully, to my colleagues, respect to my business colleagues across many organizations, across a very long career, where I've been very blessed to serve. It's not that hard, [laughter]. Just do the right thing. Do you know what I mean? I mean, in dealing with IT colleagues, and god bless them, application owners, and data owners, do the right thing. It's harder to actually put up a cultural site than it is to implement the tools that are available to make these things seamlessly less risky for the users. It's a cultural challenge. It really is.
Ofer Ben-Noon: Agree, and I'm hearing this across the board. I think that the process of change management culture, typically they are biggest barriers to implement the right security strategy versus anything else, and getting back, actually, to that point. What do you think are the most important considerations or key security features that companies should prioritize when choosing the right secure browser solution? What would you recommend prioritizing?
Kirsten Davies: What's really important to first determine, when looking at that over, is to understand the context of the business that you're in. So what does that mean? What applications and what corresponding datasets would better serve your organization, your agency, your department if they were more accessible through any device, anywhere in the world, whether that's at a substation for an electrical power grid, it's at, you know, there's 7000 privately-owned waterways in America. That's part of our critical infrastructure.
Ofer Ben-Noon: Wow.
Kirsten Davies: They need to have access at these locations to the datasets, right? Are you going to lug around a, you know, a server? Lug around a laptop with you? Or do you want to have this accessible through a tablet, through, you know, that you know is secure, that you know is secure, you know what I'm saying? So I think this context is super important to understand first, because you're not going to make an argument for a secure browser if you don't have anybody using a browser to access corporate assets, right? Duh, that's kind of like a Captain Obvious moment. Thank you, Captain Davies Obvious. Okay, so once that context is understood, then it's looking at, okay, what should be the demands then, for me, for a secure browser? Well, first of all, it needs to very effectively integrate into my AD. My identity and access, even my privilege access management. It needs to very effectively integrate with that, because I need to have not only an identity of an individual, and an identity of the device that they're using, but I need an identity around the session that they are going to be using. These are all principles we know as operators and practitioners. You just need to translate it into a browser session itself. Now, on the back end of that, what are the parameters, the constraints, the access credentialing around the application and the datasets themselves, as well as any innovation that's there. You know, we can talk all day about AI and the use of AI also.
Ofer Ben-Noon: We will in a second.
Kirsten Davies: Okay, we'll get to that, then.
Ofer Ben-Noon: [Laughter].
Kirsten Davies: And, you know, you need to know on the back end, well, what does this particular employee, contractor, third-party vendor identity, with their device, with their browser session, need to access, and then how does that then meet on the other side the API connectors, the access into the application, the datasets, and it may only be certain datasets in an application, and not all the datasets in an application. Like, it's really determining what is the end-to-end session look like for the individual, or the service identity, [laughter], or the robotic identity, because that's coming, right? Like, how do you actually map out the flow from end to end of what needs to be accessed? And then you build that into your requirements for that secure browser design, because it does have to be from the front end to the back end as well.
Ofer Ben-Noon: 100%. [inaudible 00:27:40], AI. Obviously disrupting every aspect of cybersecurity, every aspect of our lives, for both attackers and defenders. How do you see AI being used to enhance browser security?
Kirsten Davies: Yep. Maybe, look, you're the technical guy on this one, so I'm going to ask - I'm going to turn around and ask you the same thing. But with a strategic hat on, maybe if I could look into, you know, a time capsule, potentially, and be in the future and look backwards, I would hope that AI would support the human interface, and what it would do is it would very clearly identify when the identity of either the individual, the service, or the robotic, or the identity of the device that's being used, or the identity of the session that's being undertaken, has abnormalities across it, right? I think AI is really well-positioned to learn rapidly and to flag anomalies as well, so that there is an alert that happens, that can then be triaged by a human using the AI, I think to start with. And then, you know, over time the supervised learning capability of AI and machine learning. You know, that aspect of it, which then turns into AI, perhaps even agentic AI that then sits on the browser itself and detects what normal and abnormal looks like, interrupts the abnormal to add another point of friction, right? To make sure that there isn't something that is allowed to continue, especially to these sensitive datasets, or these critical applications that are controlling aspects of your organization, you know, critical aspects, crown jewels, or controlling critical infrastructure functions. Like, you want to interrupt any kind of a command that's initiated if it's abnormal. I think that is a key use case for AI going forward. There's some work on that right now. I just, I don't know how mature it is. But I'm going to turn around and ask you the same question. What do you think AI's role is in this?
Ofer Ben-Noon: I think the best thing that AI can do for us is really the ability to learn from pretty much infinite amount of data. Because if you think about it, most cyber companies, the large ones, are seeing so much data, but it's not as if human being can correlate all of that and say, this is normal, this is an anomaly. This is safe, this is risky. And the power of AI is really to correlate terabytes, petabytes of data into steady state.
Kirsten Davies: Rapidly, yeah.
Ofer Ben-Noon: Normal pattern, irregularity.
Kirsten Davies: Yep.
Ofer Ben-Noon: And then that's really playing nicely for the bigger vendors, because they have unlimited amount of data, pretty much. So if you think about the case of Palo Alto Networks, we have data coming from 70,000 customers globally. We are seeing, every day, petabytes of data. It's like, so much data. And with that amount of new events seen every day, millions of new attacks, millions of new domains which have been registered lately. The beta, really, to correlate all of that, is only possible, obviously, with AI, and we have thousands of LLM models which are correlating all of that, learning from all of that, and that's where - that's the only way, honestly, that we'll have a chance, because the bad guys are also using AI to, now moving from days to exfiltrate an organization and to take out the data, to minutes. Right, so if we're not able to fight AI with AI, I don't think we actually stand a chance.
Kirsten Davies: Yeah. You know, there's some stats around this. I love what you're saying around this, because that's so - it's so critical. I think I read a stat recently that said about 65% of organizations have limited to no control over what data is shared in AI tools. So the majority of organizations don't even know what's being put into AI models. They don't have any control over it. So the governance of that is huge, and if the major hyperscalers, right, support vendors, for lack of a better terminology, without using the outright name of the company that you're with. But you know, if there is a focus that's placed this at scale, then I think that there actually is hope for the smaller to medium-size businesses who are just kind of tinkering with these AI tools as well, and they're consuming SaaS services because they need them to reduce their IT, like their technology costs themselves, because they're just trying to run a business, right? They're trying to make money, run a business, hire people, grow their business, you know? Well, that kind of a thing. I just feel like, you know, the Palo Altos, the HPEs, the larger, you know, the IBMs, the Microsofts of the world can really do a lot here and should do a lot when it comes to training AI models, leveraging these petabytes of data, and learning at rapid, rapid pace, and at scale, in order to help shape and form the industry, right, from a security and an availability perspective.
Ofer Ben-Noon: 100%. Closing question, Kirsten. What is the most important thing a listener should remember from this conversation, in your opinion?
Kirsten Davies: Oh. Look, I'll end it the way I end many of my talks, which is, the possibilities here are really quite endless. We're living in such an exciting time in history, with the advent of AI, really from the private sector, obviously. The public sector's been using it for quite some time. Defense industries, and defense agencies have been using it. Space has been using it for quite some time. But from a private sector perspective, we're really in the infancy stages of especially AI, agentic AI. And yet, and yet, with all of that exciting innovation and all of that wonderful access at our fingertips, we're still having to be brilliant at the basics, and partnering across the organization, the agency, wherever it is that we work, in order to enable and empower employees to do their jobs more effectively, more securely, more optimally. And we, as security practitioners, security operators, technology and risk professionals, whether you're a CIO or a CRO, we have to be balancing that conversation at all times. And I hope that that is the takeaway for your listeners today, to say okay, how can I balance out all of these conversations of yes, there has to be risk reduction. Yes, there needs to be security principles. But there also needs to be optimal cost, availability, resiliency of solutions that are here, and tools that are here for the employees, and at all times we need to be driving costs down, right? We need to be thinking about this in our mindset, and I hope that, while we're innovating, by the way.
Ofer Ben-Noon: [Laughter].
Kirsten Davies: So not just those things, but we also have to innovate at the same time. So I think - I hope that that's the takeaway that people have, is that it's a great opportunity, but it's also a tremendous responsibility in order to be on the front foot, thinking about these things, and balancing these conversations at all times.
Ofer Ben-Noon: I love this. Kirsten, you are amazing, as always. Thank you so, so much.
Kirsten Davies: It's such a pleasure to join you. Always, always so great to have a conversation with you, Ofer. Thanks for having me. [ Music ]
David Moulton: That's it for today. If you liked what you've heard, please subscribe wherever you listen, and leave us a review on Apple Podcast or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. I want to thank our executive producer, Michael Heller. Our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]