Moty Jacob, CEO and co-founder of SURF Security, draws on his extensive background as a security practitioner in a recent interview with SafetyDetectives. He discusses the inception of SURF Security, emphasizing his career focused on minimizing the attack surface. Recognizing the evolving landscape of SaaS services and the increased use of personal devices, Jacob and his team developed the Zero Trust Surf browser. This browser, based on the Chromium open source, enforces authentication with company credentials, consolidating the entire security stack into a unified control point. Jacob highlights key features of the browser, addresses security challenges in remote work scenarios, and dispels common misconceptions about online security. The interview concludes by stressing the importance of adopting browser-centric security measures for an enhanced online security posture.
Hi Moty, Thank you for taking some time for me today. Can you talk about your background and what led you to establish Surf?
Hello, my name is Moty Jacob, and I’m the CEO and co-founder of SURF Security. I’ve worked as a security practitioner for most of my professional career, holding positions such as security expert, security consultant, and CISO for both startups and large companies.
My primary focus has been on reducing the attack surface. While dealing with security vulnerabilities and threats, I observed a trend of continuously adding more security tools. Over the last decade, there has been a significant shift towards SaaS services, with a growing demand for Identity Provider (IDP) solutions like Okta, Microsoft Azure, Google Workspace, etc
Simultaneously, there has been a shift towards employees using their own devices. Companies desire their personnel to access contractors, help desks, data centers, etc., from their own systems. Recognizing that the browser is often the only application consistently in use, we noticed it was originally designed for end-users, not organizations. When Google or Microsoft introduces new features, they typically cater to consumers rather than enterprise users.
Our thought process led us to leverage our expertise along with the technical capabilities in Chromium, the open source used in Chrome, to build an enterprise browser. We developed an identity-based, zero-trust browser that mandates authentication with company credentials to access company data. This approach consolidates the entire security stack into a single control point. Our browser encompasses Data Loss Prevention (DLP), anti-phishing, and anti-malware capabilities.
With Surf, you gain control over the complete lifecycle of data and user interactions on a website. For instance, when visiting a website, Surf can mask specific details or remove buttons if the user lacks authorization for certain actions on that site.
What are some of Surf’s standout features?
The Zero Trust Surf browser boasts a dual focus on User Experience and Enterprise benefits. From a user experience standpoint, the comprehensive browser supports various platforms, including mobile (Android and iOS), Mac, Windows, Linux, and Chromebooks. The feature set encompasses a wide range of capabilities, catering to both unmanaged and managed devices. The full browser is designed for unmanaged devices, providing extensive capabilities, while an extension solution is tailored for managed devices, offering secure browsing features such as protection from zero-day threats and Data Loss Prevention (DLP) protection.
The capabilities of the Zero Trust Surf browser are diverse and include:
- Preventing users from compromising credentials
- Restricting file uploads to unauthorized websites
- Controlling the extensions users can add, limiting potential security risks
- DLP features providing control over copy-paste, screen capture, and screen sharing
- Encryption of website parts to ensure data privacy for remote teams
- Preventing advertising and malware downloads for a comprehensive security posture
- File encryption upon download
- Setting automatic deletion timers for downloaded files
- Controlling user uploads to prevent unauthorized dissemination of company assets
- Alerts based on user actions, such as attempting to copy and paste sensitive information.
The Zero Trust Surf browser positions itself as a pivotal asset in organizational security, integrating into the security tools arsenal. Its capabilities extend to both consumer endpoints and corporate environments. While ensuring privacy and endpoint control for consumers, the corporate side emphasizes endpoint management, security integration, traffic management, and browser configuration management. The inclusion of a productivity dashboard alongside the security dashboard provides comprehensive insights, addressing issues such as patches, latency, and computer problems.
The browser’s flexibility allows organizations to implement zero trust access, eliminating the need for a VPN, with a primary use case being VDI replacement, especially for websites, SSH, or RDP. Privileged users, like IT or DevOps, can enhance capabilities, enabling additional logging and monitoring for specific URLs. The Zero Trust Surf browser proves valuable for compliance and scenarios such as mergers and acquisitions, offering a robust configuration that monitors screen activities for forensic purposes and prevention of potential attacks.
Browser extensions are a common vector for security threats. How does Surf manage and secure browser extensions to mitigate potential risks?
Administrators have the ability to create a list of approved extensions available on the Google Chrome Store, Microsoft Edge, or any other marketplace. This list can be customized for a specific user, group, team, or the entire company. I got the idea- During my time as a CISO in a company with over 10,000 users, we implemented a company-wide policy allowing the installation of only 30 essential extensions for work.
If a user attempts to install an extension not included in the approved list, it will be prevented from installation on the browser. We can also restrict user access to company resources like Office 365, Outlook, Workday, Salesforce, etc., on other browsers, allowing access exclusively through Surf. This specific conditional access is effective only when accessed through our browser, and the certificate exchange occurs seamlessly in the background.
In the era of remote work and BYOD policies, what are the primary security challenges that organizations face, and how can they effectively address them?
This represents one of our main use cases. For example, in an open-space office, individuals may bring and use their personal devices. Similarly, other companies may have a globally scattered remote workforce. In both scenarios, employees need to connect to their hub and access company information.
We offer complete control over unmanaged devices while ensuring user privacy. This is achieved by installing the Surf browser on their devices, allowing endpoint users to connect to company resources without the need for a VPN or VDI. The administrator maintains full visibility and control over what employees can access. This solution is easily scalable and features a rapid MDM installation.
We also prioritize end-user privacy. If users visit private websites or use another browser, their activities remain untracked, ensuring the company cannot monitor their actions. Interestingly, users find our browser enjoyable and appreciate security features such as ad-blockers and encryption.
What are the most common misconceptions enterprises have about online security, and how can they enhance their protection?
The biggest misconception is the assumption that browsers are secure.
In my tenure as a CISO, I observed that organizations used to rely on a seemingly endless security stack, a complete security arsenal. While browsers are among the most frequently used applications in any organization, many security tools work around them. Some companies installed 20 or more security agents for endpoint security to access company resources. This includes VPNs, privileged access, SaaS tools, DLP, performance management tools, proxy tools, and more, all aimed at monitoring traffic and ensuring security.
However, all these measures were implemented outside the browser, often requiring the installation of extensions that added latency or disrupted the user’s workflow. This misconception leads to the underestimation of the inherent vulnerabilities in browsers. In reality, not all browsers are created equal, and each may have varying security features and vulnerabilities. Addressing this misconception and recognizing the need for browser-centric security measures, such as integrating security features inside the browser, significantly enhances an organization’s overall online security posture.