Latest news with #TheBrowserSecurityFieldManual
Techday NZ
17-07-2025
- Business
- Techday NZ
SquareX unveils field manual to tackle rising browser threats
SquareX has launched "The Browser Security Field Manual", a detailed guide to browser-based cyberattacks, with contributions from chief information security officers (CISOs) of high-profile companies including Arista Networks, Dyson and Expedia. The manual, authored by cybersecurity specialists Vivek Ramachandran and Audrey Adeline, aims to address what the company describes as a growing risk area for businesses, reflecting the shift of the browser into the central point of user interaction in modern workplaces. Industry perspectives The guide not only details the techniques, tactics and procedures (TTPs) leveraged by attackers in the browser but also presents real-world commentary from CISOs such as Rathi Murthy, who serves as Chief Technology Officer at Varo Bank and has previously held leadership positions at Expedia and Verizon, Rahul Kashyap, former CISO at Arista Networks, and John Carse, former CISO at Dyson. This collaborative approach seeks to reflect the evolving strategies adversaries use to exploit browser vulnerabilities and the industry's current understanding and response to these threats. Responding to browser attacks SquareX states that browsers have emerged as a primary attack vector, stemming from their role as essential endpoints in enterprise environments. Attacks referenced in the new manual include the Cyberhaven breach, the proliferation of polymorphic extensions, and incidents such as the Midnight Blizzard remote desktop protocol (RDP)-based attack – all of which, according to the company, highlight the need for further awareness and resources in this sphere. The field manual systematises knowledge about browser threats across five primary vectors: phishing, malicious browser extensions, browser-based data loss, identity attacks, and browser-native ransomware. The book includes sample code and real-world case studies to bring these threats to life for practitioners. Audrey Adeline, SquareX Researcher and Co-author of The Browser Security Field Manual, said, Attackers thrive on information arbitrage. As the place where 85% of work happens, it's imperative that security teams understand how their employees are being targeted. We've been extremely fortunate to work closely with some of the industry's top thought leaders, and we hope that this new edition of The Browser Security Field Manual will provide security teams with not only the practical aspect of browser security, but also an industry perspective of how these threat vectors are impacting organizations in real life today and how they may evolve in the future. The manual is designed for a range of users, from technical practitioners to those responsible for organisational oversight in cybersecurity, and includes perspectives both on day-to-day risks and the anticipated evolution of browser attacks. Industry collaboration The current edition builds upon feedback developed during an earlier, limited release at a prior security event, where copies were distributed to hundreds of CISOs for input. SquareX notes that many of these professionals directly contributed their insights, shaping the content to closely align with the operational challenges security teams are currently facing. The Browser Security Field Manual will be available at official bookstores during Black Hat and DEF CON 33 events, with the authors set to attend book signings at both venues. The publication is also available for pre-order via its dedicated website, allowing broader access to practitioners worldwide. SquareX's approach to browser security The company's browser extension is designed to equip organisations with tools to detect and respond to a spectrum of web-based threats, including malicious extensions and browser-native ransomware, aiming to work without interfering with typical user experience or productivity. SquareX's focus on integrating advanced security features directly into users' browsers is intended to give security professionals increased visibility and control over browser-related risks, a priority as browser-based workflows continue to dominate the enterprise landscape. The newly launched manual is part of SquareX's ongoing efforts to supply the information and resources organisations require to defend against the shifting browser threatscape.
Business Insider
17-07-2025
- Business
- Business Insider
SquareX Collaborates with Top Fortune 500 CISOs to Launch The Browser Security Field Manual at Black Hat
Palo Alto, California, July 17th, 2025, CyberNewsWire SquareX announced the official launch of The Browser Security Field Manual at Black Hat USA 2025. In addition to a comprehensive practical guide to the latest TTPs attackers are using to target employees in the browser, this comprehensive manual features industry perspectives from leading CISOs from multiple Fortune 500 enterprises and other iconic companies, who share their perspectives on the evolving browser security landscape, the importance of each threat vector, and how they expect these attacks to evolve in the near future. Major contributors include: Rathi Murthy, CTO of Varo Bank, Fmr. CTO of Expedia and Verizon Rahul Kashyap, Fmr. CISO at Arista Networks John Carse, Fmr. CISO at Dyson As the browser becomes the new endpoint, it has also become the single most common initial access point attackers use to target employees. This is evident in the recent uptick in browser-based attacks such as the Cyberhaven breach, polymorphic extensions and Midnight Blizzard RDP-based attack. Yet, despite the increasing awareness of the browser security gap, given the nascency of the space, most security professionals lack the resources and tools to learn about this emerging threat landscape. To address this gap, The Browser Security Field Manual systematically guides practitioners through the techniques attackers are using to target employees in the browser across five major threat vectors - Phishing, Malicious Browser Extensions, Browser-based Data Loss, Identity Attacks and Browser-Native Ransomware. Co-authored by Audrey Adeline and Vivek Ramachandran, the book covers everything from common to bleeding edge techniques, including sample code snippets and case studies of such attacks unfolding in real life. "Attackers thrive on information arbitrage. As the place where 85% of work happens, it's imperative that security teams understand how their employees are being targeted," said Audrey Adeline, SquareX Researcher and Co-author of The Browser Security Field Manual. "We've been extremely fortunate to work closely with some of the industry's top thought leaders, and we hope that this new edition of The Browser Security Field Manual will provide security teams with not only the practical aspect of browser security, but also an industry perspective of how these threat vectors are impacting organizations in real life today and how they may evolve in the future." This release builds on a successful soft launch of the book at RSAC this year, where SquareX shared early copies with hundreds of CISOs for early feedback and worked closely with many of these security leaders to incorporate their deep industry insights into the second edition of the book. The Browser Security Field Manual will be available at Black Hat and DEF CON 33 bookstores, with the authors participating in both stores' book signing event. The Black Hat book signing event is taking place at the Black Hat bookstore on Thursday August 7 at 3:00pm - 3.30pm. The book is also available for pre-order via The Browser Security Field Manual website. Alternatively, you can find out more about the manual at SquareX Booth #6825 during Black Hat on August 6 from 10am to 6pm or on August 7 from 10am to 4pm. About SquareX SquareX's browser extension transforms any browser on any device into an enterprise-grade secure browser. SquareX's industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively detect, mitigate, and threat-hunt client-side web attacks including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI data loss prevention, and more. Unlike legacy security approaches and cumbersome enterprise browsers, SquareX seamlessly integrates with users' existing consumer browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables security leaders to reduce their attack surface, gain actionable intelligence, and strengthen their enterprise cybersecurity posture against the newest threat vector – the browser. Users can find out more at Contact Junice Liew
Techday NZ
10-06-2025
- Techday NZ
Exclusive: SquareX's Audrey Adeline on why the browser is 'the new endpoint'
The browser is the new battleground. That's the message from Audrey Adeline of cybersecurity company SquareX, who has launched a practical Browser Detection and Response Manual to help organisations understand and defend against attacks in what she calls "the most used app on your device." "Eighty per cent of the time spent on a device is now in the browser," she explained to TechDay during a recent interview. "Yet it's one of the least protected surfaces in cybersecurity." Unveiled at the RSA Conference (RSAC'25) earlier this year, the manual has struck a chord with security leaders worldwide, selling out quickly and prompting strong feedback. The manual, written by Audrey Adeline and Vivek Ramachandran is titled: 'The Browser Security Field Manual'. "We were one of the top-selling books at the RSA bookstore," Adeline said. "A lot of CISOs reached out to us afterwards to say it helped their teams rethink browser security." Originally from Indonesia, Adeline's own path into tech was unconventional. "I grew up in a very traditional economy. Most of my family ran consumer businesses - nobody was in STEM," she said. After studying biochemistry at Cambridge and working in cancer research, she pivoted into consulting, and eventually joined Sequoia to evaluate tech companies, including cybersecurity firms. Her passion for deep tech and research led her to SquareX, where she now leads the Year of Browser Bugs (YOBB) project, uncovering browser-based architectural vulnerabilities each month. These include high-profile exploits like polymorphic extensions, which can impersonate legitimate browser tools like password managers and crypto wallets. "The danger is users don't realise they're entering credentials into a fake extension," Adeline explained. "These are architectural issues that legitimate browser features enable, and they're much harder to detect or patch." That urgency drove the creation of the manual. "We kept seeing the same problem - people using the browser constantly, but having very little visibility or protection," she said. "Existing tools just don't give you a clear picture of how the breach occurred." The manual's first edition is now being followed by a second, set for release at DEF CON and Black Hat in August. It will feature commentary from CISOs at Fortune 500 companies to ground the guidance in real-world enterprise experience. "We didn't want to just make it theoretical," Adeline said. "Each chapter now includes perspectives on actual problems faced by security teams." Access to the manual is currently via request form, though Adeline said digital availability is expected closer to August. Developing the manual was not without challenges. "The biggest hurdle was the lack of consolidated resources," she said. "There's research out there, but it's scattered. We had to pull together a lot of primary sources and make it digestible - from beginner concepts to advanced attacks." Browser-based threats have spiked recently, with attackers targeting the browser as the new endpoint for enterprise data. "Think about it," she said. "We don't download files anymore. Our files, apps, identities - everything is now in the browser. It's where 60 to 70 per cent of enterprise data lives." Adeline warned that the shift in attacker behaviour is permanent. "It's not just a trend. There's a fundamental change in how we work, and attackers are following the data." To help teams assess their own posture, SquareX has also launched a free browser attack testing tool. "Seeing is believing," she said. "You can test against 49 different browser-based attacks and see which ones bypass your current solutions." She sees two main approaches to browser defence: dedicated secure browsers, or solutions like SquareX's browser extension, which converts any existing browser into a secure one. "Most organisations can't migrate everyone to a new browser," she said. "Extensions are more practical, and updates are seamless." SquareX positions itself as the EDR for the browser, focusing on detection and response at a granular level. "We're obsessed with user experience. You can't compromise productivity just to get security," she said. The company's design avoids the risks of dedicated browsers, which often lag behind on security patches. "Every time Chrome issues a patch, those browsers need to be updated manually. That creates a gap where zero-days can thrive," she explained. Future plans include a red team edition of the manual and continuous updates as attacks evolve. "I wouldn't be surprised if there are multiple versions by next year," Adeline said. Her advice to security leaders just waking up to the browser as a threat vector is clear: "You need browser-native security to tackle browser-native threats." Adeline believes the industry must go beyond reacting to breaches and start anticipating them. "The best defence is understanding what attackers are doing," she said. "You can't just play catch-up." For her, the inclusion of peer input in the manual is crucial. "Security leaders want to hear from their peers. They need validation that this is a permanent shift, not a passing concern," she said. Asked what's changed to make browsers such a prime target now, Adeline points to a confluence of technology and behaviour. "Chrome has added countless new features like WebAssembly and WebRTC. These make browsers powerful enough to replace local apps," she explained. "Since COVID, we've seen everything move online. Now attackers are simply going where the data is." "The browser is the new endpoint," she said. "It's where we work - and where we're vulnerable."
