Security Unfiltered

Browser Security Unveiled: John Carse on SquareX & Cyber Career Insights

Joe South Episode 191

Send us a text

In this episode, Joe sits down with John Carse, Field CISO at SquareX, to dive into the often-overlooked world of browser security and the evolving landscape of cybersecurity. Recorded despite a 12-hour time difference (Singapore to the US!), John shares:

The Browser Security Gap: Why 85% of user time in browsers is a growing risk for SaaS and cloud environments.

SquareX’s Solution: How SquareX acts as an EDR for browsers, detecting and responding to threats like polymorphic extensions.

Career Journey: From early IT days to field CISO, John reveals how foundational IT skills (help desk, field services) make better cyber professionals.

Real-World Insights: Lessons from working with the US Navy and the importance of understanding IT systems for effective cybersecurity.

Check Your Browser Security: Visit SquareX Browser Security to assess your controls.
Learn More About SquareX: Explore their solution at sqrx.com.
Connect with John: Find him on X @JohnCarse

Chapters
00:00 Introduction and Time Zone Challenges
02:54 John Carse's Journey into IT
06:05 Transitioning to Cybersecurity
08:46 The Importance of Customer Service in IT
11:36 Formative Experiences in Help Desk and Field Services
14:35 Understanding IT Systems for Cybersecurity
23:51 The Interplay Between IT Skills and Cybersecurity
24:41 The Role of Security Engineers in IT
28:43 Understanding the Complexity of Cybersecurity
29:33 Exploring the Field CISO Role
32:55 The Browser as a Security Frontier
42:07 Challenges in SaaS Security
46:20 The Importance of Browser Security Awareness



Subscribe for more cybersecurity insights and career tips! Share your thoughts in the comments—how are you securing your browser? 


Speaker 1:

How's it going, John? It's great to get you on the podcast. I know me and your company have been trying to do this thing since, probably like last summer. I might even be being generous with that, but I'm real excited to get you on and hear about your story.

Speaker 2:

Great, thanks for having me, Joe. I didn't know it was taking so long to get us online. So glad to be here. Glad to be here, yeah.

Speaker 1:

At first it was like the time difference, right, Because they're based out of Singapore, I believe it's. I mean, it's almost like a 24 hour time difference. It is. It's pretty crazy.

Speaker 2:

Yeah, it's like. It's like past 1am in the morning right now.

Speaker 1:

So yeah, it's like 12 or 13 hours different, so it does feel like it is and feels like it's on the other side of the world. Yeah, yeah, it's. Um. It's interesting whenever, whenever I'm doing a podcast with someone you know that far away, like I've done podcasts with people in Israel and uh, I mean I did a podcast with someone in Israel that was like actively getting bombed, you know, and he's like, oh, I may have to, like, you know, drop out. You know, I don't know if you hear the sirens. I'm like dude, let's just reschedule, I don't need you on a podcast like actively getting bombed or something.

Speaker 2:

So that's, that's pretty intense. I lived in the Middle East before, so I kind of uh, I kind of understand the feeling. You know there's uh, some amount of unrest that happens, like where I was all the time. So you know, if you're not, if you're not going to live your life, then it's going to those. Those things are going to get in your way. So we've got to feel. Got to feel for those folks.

Speaker 1:

Yeah, I mean it's challenging. It's like they didn't ask for it and people were born into it. It's like they're born almost into an active war zone without having any say about it, which is true for a lot of different parts of the world and whatnot, and it's an unfortunate reality. I think I heard someone say that like you won the lottery just by being born in America, right? Like I mean that's.

Speaker 2:

I was going to say something very similar, right, and there's a very, very similar kind of sentiment there's great places to live and most everywhere, there's bad places to be. But yeah, being in the US, we're somewhat lucky. I think that there are, of course, things that we would like to have better in the United States.

Speaker 1:

But in a lot of ways we don't have the same challenges as other countries do, for sure. Yeah, that's a really good point. You know, John, I want to hear about how you got into IT. You know where that journey starts for you and what made you, you know, once you got into IT, what made you want to, like, make the pivot into security?

Speaker 2:

Yeah, I started my IT work really kind of early. I got involved with computers very early on, when I was maybe 14 years old or so, and actually a little bit younger, because I didn't have my own computer but I had friends that were on the street around me that did have computers. So for a couple of years, you know, I kind of hung out with those kids and played on their computers and we did lots of little things together for a couple of years before I got my own computer in 84. And it was. It was a completely different world than today's world. I mean, everything that we had we didn't have Google and we didn't have a lot of computer books. We had some magazines, which were hard to find. We didn't have the internet so we couldn't just go look stuff up. So we did a lot of like, just like sometimes even just hunting and pecking, like what the command keys were that you could, you know, use to make an application work, because the documentation wasn't that great either for a lot of the applications that we were using. And but you know, I found myself that I was really in love with computers and loved doing things with computers as I kind of went into school you know, finished up high school, came out of high school, needed to do work and I had a couple of friends that were doing IT work and consulting kind of work in the Houston Texas area and so I did that for a few years before really getting my first real job. You know where someone where I was an employee which was at Apple in 93 in Austin doing just help desk stuff and you know I'd already been working on Apple computers for a few years already and loved it. But at some point in time I kind of got unenamored with always having to use a mouse and wanted to automate things and do things. So I got into.
Really people were telling me I thought I was going to get into like Novell networks kind of stuff and people probably don't remember Novell but someone pushed me to Windows NT and so I went towards Windows NT as well and got my certifications there and spent a lot of time doing work on Windows systems and building Windows environments and the old pre-Windows 2000 Active Directory days. Eventually I got into Linux and was doing a lot of work in system management systems like enterprise management systems to do distributed monitoring, configuration management, event correlation kind of work based on both Unix and Windows environments and that gets me around to like 95, 96. And was a consultant at IBM after that. So I was building enterprise systems for a group called Enterprise Services for Microsoft Technologies and I thought I had the perfect job. I thought it was great.

Speaker 2:

And then in 2003, I started doing some work for the US Navy as a contractor for their overseas networks OCONUS Naval Network and that was really the kind of first experience I had with cyber right. But up till that time I had done Windows, Linux, Mac work. I had done work with networking equipment. I had a lot of IT experience kind of getting into before I started working with the Navy. I mean so I'd been doing computer stuff from 89 professionally to 2003. So I had a lot of time that I'd been in the IT industry doing lots of work all over the place.

Speaker 2:

But in 2003, I started doing work with the US Navy and as we were building these systems to go into this Navy network, they required that I secure it and harden it and make sure that it would conform to some you know specification, just a STIG kind of specifications. And that was really the first time I had gotten into security at all was just as part of that work, and I remember thinking I don't know what this is right, what is this security stuff? And that's how I got into cyber. But before that IT I'd done work with firewalls and IPSs and all sorts of well, not IPSs so much, but VPNs more, because it was part of like a managed solution, right, doing VPNs across different things, but that kind of system integration work before getting into cyber insecurity to some degree, it's because you know you're not always going to be in a situation where you know you're friendly with the other person on the other end of the phone, right.

Speaker 1:

I mean you're going to be in a difficult situation where someone's yelling at you, you know about something that you don't know, that you didn't do, you know and you have to be able to work through it, like I remember. I remember when I first started after college. You know I would, I would get on these calls and you know people would be yelling at me and whatnot, and after the calls, like I'd have to go take a walk around the block, right, just to just to like kind of make it through the day, right, and I was dealing with some anxiety at the time and everything you know. So it was just like, man, I don't know if I can make it through this, you know, but I really stuck with it and I started to eventually, you know, really figure it out right and that kind of being in that sort of customer support type role.

Speaker 1:

Really I feel like it can either, you know, jade you towards, you know, dealing with customers, or jade you in some other ways, or you know it can really open your eyes to what good customer service actually looks like. You know, and what that standard is, what you should be expecting when you pick up the phone and call someone, and you know. I'll give you an example. Right, I was calling my wife's student loan company about her student loans and there's all these services out there that will advise you on your student loans and how to pay them off quickly and this and that, right. It costs anywhere from like 500 to 1500 bucks for a 30, 45 minute session with these people to tell you, you know, how to like, what to do and everything, right.

Speaker 1:

Almost common sense stuff that they're telling you, yeah, and you know, and that's the thing too, right. It's like, okay, well, what's the value that I don't know from online, you know. And so before making that call or whatever, I decided to get on the call on the phone with, you know, the actual company, and the person who picked up the phone gave me like more than enough information than what I ever would have gotten with that consulting company. Right, and not to put them under the bus or anything like that. I mean, I didn't name them, obviously, but I told her. I was like you know, you didn't just save me, you know, X amount of money on the monthly payment, you just saved me like a thousand dollars of paying these people to tell me exactly what you just told me and I never would have known it.

Speaker 1:

You know, because student loans are actually pretty complicated and it's difficult to understand for anyone, I think, and I was impressed. But had I not gone through being bad at customer service? I mean, just honestly, I was pretty bad starting out. I'm sure everyone is. Absolutely. If I didn't go through that, I wouldn't have known what good customer service is, I wouldn't have been able to identify that and, you know, provide the positive feedback or whatnot.

Speaker 2:

Yeah, and I would say that I think that I learned a lot. So two of my early positions were in help desk, right where I was on a help desk at Apple, you know. So I was getting a lot of customer calls every day. I think that was a really good formative experience and I'll explain that in a second. And then a second one was field services. Just doing field IT work was another really formative experience as well.

Speaker 2:

Again, dealing with customers. On the help desk side, you know, when I was at Apple in 93, we didn't have a lot of, we definitely didn't have for support calls, you know, at a customer, at a consumer environment, we didn't have like remote control tools to help us see what the user was doing. So we had to in some ways manage the customer experience from a, you know, they're frustrated, you're trying to walk them back off a cliff and kind of engage in the conversation and then also, you know, being really kind of understanding like how the system works, how the technology you're working with works, so that you can say, you know, go, this is like flashback stuff, it's like go to the top left-hand corner, that's where the Apple logo is, Apple icon, click there, go to this place and having to drive them and say, well, what do you see there? And then getting that information from them, and then go to the next place and, you know, as we're kind of like troubleshooting their problem and trying to understand what's happening so that we could then tell them remove this extension or do this or do that, and that, you know, really had to kind of like, for me and how it's related to my cyber career, is that really had me kind of understanding, you know, how to troubleshoot in my head, right. You know, it's like understanding, like what the pieces and parts are that were in play. Is this a network problem? Is it an operating system problem? Is it an application problem? Is it, you know, something else? What is the problem that we're experiencing? And then just trying to like talk through this just on a one-to-one basis with someone who may or may not have the same experiences that you have. I mean, often they did not have any experience with actually how their computer worked, and so I think that really played.

Speaker 2:

You know, when you get into like incident response scenarios. That is an incredible talent to have right. So, like you know, it's like getting into incident response and you're in with a bunch of folks that may have never talked to each other before you know. You got the application guy, the networking guy, the database guy, and those people have never been on a call at the same time just because of how bureaucracy works in enterprises and then you're getting them into an incident call. Being able to kind of like maneuver around those different people's experiences is a great skill to have right, and being able to do it in a way that you can focus that partner on the call into a specific place and just manage it is a great skill to have.

Speaker 2:

The other one is just field services, just dealing with you know people at their desks and being able to see what they're doing, and that's also really good because you see lots of ways of working, just kind of running around to people's desks, systems so that people would have a consistent experience dealing with inconsistencies and poor quality with systems that are being rolled out.

Speaker 2:

You also start getting the feeling, like you know, what we need to be consistent, which is also incredibly useful in cyber, is just consistent application of your controls. In my case, it wasn't about controls, it was about how do we make a consistent experience for that IT system to be deployed so that our users are having a consistent experience. And as a field services person, you go out from system to system to system and you start seeing that, wow, this root cause is, this wasn't set correctly. Why wasn't that set correctly? Right, and then you're fixing applications, but a lot of that is also very useful with respect to cyber as well. Right, because it's, you know, understanding an IT system and how it works and how applications kind of interoperate with each other in the network and your security controls. That's something that I've had experience with too.

Speaker 1:

And a lot of, I don't know, a lot of people try to shortcut that. You know, absolutely, it's like man, no, you really do need to, you know, cut your teeth over there and do this and go through it, right, and you know, like you said, right, troubleshooting back then you're basically, you know, walking people through something that you have in your head, someone that may not be technical at all. And I remember, you know, maybe a year into that help desk job, I started to take over the federal and the military clients at this company and I mean the first thing with them is that they can't send you screenshots, they're not sending you logs, they're not sending you anything and the person that they put on that phone is intentionally unaware of everything about that application, the server, everything. So if anything goes, it is solely on you, right, like there's no in between on it. Yes, it's interesting because, you know, that's like a double or triple blind troubleshooting, right, when you're getting this problem that could be a very unique problem, something you've never encountered before, something that no one at your company has ever encountered before, and you have to, you know, get the valid or the relevant information over the phone from this person. You know, like, one time I had him go into a log file, right, and I said, hey, you know, go to the bottom and read me what that says. Right, read me like the last log message. He starts reading me the entire page from top to bottom, like, hey, man, like you need to, like listen to me, right, you need to go to the bottom, tell me the topics and all that sort of stuff. I had to, like, you know, eventually go on site and give them some pretty in-depth training, because it's like, hey, when we're on the call, this is what I'm expecting for you to provide to me. If you don't do this, I can't do anything for you.

Speaker 1:

Into the mix, right is going on site, because at these federal agencies and whatnot, I mean, I was only allowed to bring in a paper and pen, you know, and sometimes they didn't even let me bring in the pen, right, like you know, it was just the craziest situation, because you don't have any resources around you, even though you're on site. So you're basically doing the same thing. You know that you would on the phone and you can't touch a keyboard because you're not cleared, can't touch a mouse right, and you're walking through that same person that doesn't know anything at all. You know of this application that was built on this Linux server. He doesn't know Linux, he doesn't know the application, he doesn't know anything about it. You know. And so if you tell him it's running right, he just takes your word for it. And then you have someone else be like is this running right? And if they say no, you know, then you're, you're, the jig is up, you got to go fix it. You know, like there's no line, there's validation with everything.

Speaker 2:

With the flashing light behind you that says that everyone knows there's an uncleared person in the space.

Speaker 1:

Oh my gosh, yeah, they'd have to announce it. You know, like they're announcing it as we're walking down these aisles, it takes like five, ten minutes to walk from one end of the aisle to the other end of the aisle, you know, because it's such a massive building, and, you know, they'd have to announce an uncleared person entering. Uncleared person entering. I'm like geez man, it's almost like insulting.

Speaker 2:

Just clear me. I know this feeling too, yeah, yeah, but yeah, I think, like you know, definitely, it, I think you know today, with the perception and I and I don my experience, as you know, hiring people is that sometimes they just don't. They just don't, they don't understand the underlying technology or how it relates to the incident that they're looking at. And I don't necessarily mean that it's a, you know, million dollar incident or multimillion dollar incident. Just that detection that they're looking at right now, that alert that they're looking at right now, how is it related to the system? It seems like there is definitely a gap in understanding about how IT systems work and, when it's all said and done, from a cybersecurity perspective, we're defending IT systems, right? So, understanding how the network works, how information flows, how applications work, what the operating system has, what its involvement is, those things, putting those pieces together, understanding like how they work, is incredibly useful, right? So, you know, because, you know, a lot of times when we have new people that join the team that are just out of college, they may have some understanding of IT from a book-smart point of view, but they often don't have the necessary networking chops and system chops that they need to understand how these very complex systems that we have today work. And I think there's some basic patterns that you should be able to tell and just take these basic patterns and kind of put them around and then you can maybe troubleshoot a problem, whether that problem is an IT problem or a cybersecurity incident. They're just different. The outcome that we're trying to achieve in that diagnosis and the analysis and the investigation. They may have different outcomes that we're trying to achieve, which might be availability, bring that system back up.
That's kind of the IT use cases, but it could also be did we lose control of data? Was there a data breach in place? We just have different outcomes that we're looking for diagnosing, but the underlying data and systems are the same.

Speaker 2:

And again, having that experience or that understanding of how those systems work I think plays a lot makes you a better cyber person, whether you're doing security engineering or incident response or you're on the SOC or you're doing vulnerability management. I think all of those things we as cyber people are affecting IT systems. How do we make sure that we understand, just like in the help desk context. How do we understand our customer, whether that customer is an end user who just got hit by a phishing attack or it's an IT person who's scared about patching their systems. We kind of need to understand what their point of view is and what their experience is and kind of lead them in the direction if we actually want to achieve the security outcomes that we want to have. Whatever those are but I do I definitely think that you know, having good IT skills will make you a better cyber person.

Speaker 1:

Yeah, yeah, absolutely. I mean you really need to have that foundational knowledge, right? I have a friend that's you know a good security engineer can step into the role of you, role of a system admin, network engineer, whatever it might be, and it may be a little bit tough at first to do the work and whatnot, to get used to everything, but typically they'll eventually pretty quickly be able to pick it up and excel with it. And that alludes to you really need to understand what's going on, what's being used. Why does this process run on this server? Do we need it? Is it expected to run? Is the OS running it? What's the kernel look like? What's the BIOS look like? All these different things.

Speaker 1:

It all matters, right, and the security professional is the one that's tying it all together. The systems guy may not understand where he's deploying this in the network matters, right, and the networking guy understands okay, there's a difference between these two networks. I don't really know what the real difference is, why it matters to security, and security says no, you have to deploy this system in this network because of all of these controls that we have around it, because of what it's doing in our network and how it's doing it, right, like we need to potentially sequester this thing off to an extent where the rest of the network doesn't need that kind of security, right, the rest of the network needs to operate maybe a little bit faster than this part and all those different things. Context matters, right. Yeah, they all come together, right, but it's that security person that really is the one that knows it and understands it.

Speaker 2:

And I 100% agree.

Speaker 2:

I think that one of the most complicated jobs that we have in IT is probably the cybersecurity practitioner, whereas you might have, like you said, you might have IT people that are really good at databases and you might have IT people that are really good at Windows or really good at Linux operating systems or networking or whatever.

Speaker 2:

They have these areas that they can focus on, and developers are typically working on an application with a feature set and they understand their application, and I think that cyber people typically have to know how that system works next to this system, next to this system, next to this system, and they're dealing with Windows and Linux and different versions of Windows and Linux, different database systems, different web servers, different application servers and all of these things are mixed up in a big melting pot of your enterprise IT systems that all work individually but they have to work together.

Speaker 2:

But the cyber folks have to know about everything. They need to know how all of it works and they need to understand the context of it, as opposed to, like when I was, you know, at some of these big enterprises, we would have folks that their only job was to install the operating system on a virtual machine, then the ticket would go to the next person that their job was to install Oracle on this virtual machine after the operating system was installed. And that's great from a database person's point of view. But when those systems come together, both the business context, the data context and the technology context need to kind of come together and as a cybersecurity practitioner it's a daunting set of requirements that you need to understand as you kind of progress in your career. So it's complicated. It's definitely a complicated set of roles.

Speaker 1:

Yeah, that's very true. Well, you know, currently you're a field CISO, right? So I feel like not a lot of people may know what a field CISO is or what that's like. Can you tell me a little bit about that?

Speaker 2:

So I'm still learning what a field CISO is too. So this is the first time I've had this role. What I feel like the role is is, you know, partially a mentor or advisor kind of role. It feels like I'm trying to help, you know, customers understand how a product fits into their defense in depth strategy. There may be things that they're worried about right now, but there are probably other adjacencies that are also useful, right, that they may not be thinking about right now but they're going to be thinking about in a few months. But also how this tool, one tool set, fits into the rest of their defensive strategy and, you know, those kinds of things. So it's like kind of understanding the technology, understanding their use cases that they're trying to protect from right now, because there's usually something that's important to them, and kind of helping advise on that front. In some ways it's a product role, where I am taking feedback from a customer about something that works or doesn't work and bringing it back to the engineer so that they can understand how this feature should rank in their product roadmap. So there's some amount of that as well, and it's also a certain amount of evangelism and just talking to people about, you know, our product sets and how it, you know, what kind of, and for me, you know, it's somewhat the feel, felt, found. You know, how do you feel about it. And then, you know, what I felt.

Speaker 2:

You know what I found, because I did something and it could be just gaps in my experience, like in my experience, you know, I thought that certain things were covered well, you know, I had that illusion that, hey, this is actually working pretty well. But then I learned that, you know, just because of use cases that we were having, how my DLP was either working or not working, or it worked in this way and not in these other areas, and one of the classic ones is just Windows versus Mac or Windows versus Linux. A lot of times the technology that we're using works really well in Windows, but its effectiveness in Linux or Mac environments is almost nil, right. It almost doesn't work. And being able to discern that, having the background in Linux and Windows and Macs, I kind of understand what it is that I need to be looking at.

Speaker 2:

But again, I was under the illusion that certain things were being covered pretty well, but when I looked into it I found that they weren't, and so I had to kind of come up with ways of circumventing those gaps and those controls as they're implemented on Windows or on Linux or Mac systems that I didn't anticipate. At SquareX, that's one of the things that I'm kind of interested in, is how the evolution of the browser and evolution of SaaS and cloud, how that's kind of impacted, you know, our ability to maintain the confidentiality of data everywhere we go, and it's surprising how many people are working in browsers today. So I think that for me that's a very interesting topic, just because of my recent experiences and somewhat of the gaps that I thought that I was living under.

Speaker 1:

Well, tell me about SquareX. What's the problem, right, and how are you guys solving it today?

Speaker 2:

The browser as a platform somewhat predominates most of our work today, meaning like you and I are in this podcast, in this studio, and we're in a browser and somehow it's recording us and videoing us, and it's just an incredible lot of power that's in this browser today that we didn't have in the mid-90s and early 2000s. And so the problem is like so who's monitoring the browser? Like who's making sure that the browser is working like it's supposed to? I mean, we thought it had a sandbox and everything else, and now we have extension subsystems that are creating threat and grief for us. And that's cool.

Speaker 2:

That's one thing that's happening on the endpoint, but the bigger problem, I think, is that we have so many SaaS apps that we're going to that are ways of spreading data around, and then how do we manage the confidentiality and prevent the loss of data into places that we did not intend to when there are so many web applications that are delivered via SaaS today, and that's not new. But I think the confluence of cloud and the availability of SaaS apps, the complexity of the browser, kind of coming together, I don't think most people are thinking about how big of a problem that actually is, what that attack surface actually looks like, and then how do they detect problems, how do they mitigate them, how do they prevent those things from happening in the first place? How does that happen in the browser? We are really good at doing it on an endpoint, you know, with our EDR solutions and some amount of steering that we have with SASE and SWG products, but now we're dealing with everything steering to one of the cloud environments, because all the SaaS applications are delivered to cloud environments. How do we know that that's where we want to put our data within that application and that our users are doing what we expect them to do in those applications, when the only interface to that is the browser? And I think that's the problem.

Speaker 2:

The solution is having the right amount of detective controls in place so that you can watch everything that's happening in the browser, whether that's WebSocket communications, gRPC communications, changes to the DOM, the injections of JavaScript into the application, the code that you're looking at, extensions, what information, what rights does that extension want to have in your application, your browser, and what OAuth controls that applications and SaaS apps are asking you for? There's so many things that happen in the browser, and the solution is we need better detection and threat response in the browser, and so that's what SquareX does: browser detection and response. So it's very much like EDR for your browser.

Speaker 1:

That's interesting. I wonder why that space hasn't seemed to take off like it probably should have. I heard grumblings, but it hasn't risen to the same level as CrowdStrike with EDR or whatever it might be, right. Maybe that is kind of like a new, I don't want to call it a new frontier for cybersecurity, but it's a new layer that people haven't thought about before, because typically they're thinking about oh okay, with the SaaS app, I need to secure it via data encryption and strong authentication and whatever else, right? Well, no one really thought about the abstraction layer back of how are people actually connecting to the SaaS app?

Speaker 1:

Well, what, what, if? What, if something lives in that browser that even the end user doesn't know about? Exactly, and you know it's being exploited that way. It's probably a really good way that, like if nation states were to, you know, attack people or attack an entity or whatever it might be, I mean that would be a really good way of doing it, because no one is looking at the browser, right? No one's even thinking about it. Like, I downloaded it from Google Chrome. It's up to date, you know, on its thousandth update of the year. What else do you want me to do? You know?

Speaker 2:

Yeah, I mean, even if you look at like just a STIG hardening for Chrome, it says keep the browser up to date, make sure your extensions are up to date, and that's, you know, architecturally, I think that's probably correct, right? Keep it up to date. You don't want to lose control of your browser with respect to a Chrome vulnerability that allows you to do remote code execution in the browser environment. But on the extensions, it's even extension updates, just like application updates on a Windows, on a normal Windows device: I can install this version of Acrobat, then the next version of Acrobat, then the next version of Acrobat, and they always have vulnerabilities. There's always something that applications have some vulnerability to. They're just known or not known, and maybe it's different levels of severity, but we're always introducing vulnerabilities into our environment, and that's just the reality of working in, you know, trying to secure systems or harden systems. However, the number of extensions, you know, I think there's right now over 140,000 extensions that are available on the Chrome Web Store marketplace, and that's just them. And then Firefox has an extension system and Safari has a plugin system as well, and those applications need to be vetted. It's complex to even vet applications that are going on your desktop, much less something that's just happening inside the process shell of your browser. So I think that the management of that, you know, is important and, like I said, hardening and controlling, you know, what extensions folks should or should not be using, that's great. But as soon as I install an extension that's having some other problem, like a supply-side attack, or they lost control of their extension and then the vendor has code that's being placed into their extension that they did not,
that an attacker put in there, that they don't expect to be in the environment, those introduced vulnerabilities into it, kind of like SolarWinds, you know, where they kind of lost control of their code base and now it's being deployed everywhere.

Speaker 2:

You know, you find out you have the same kind of problems in the extension space as well. But there's also a pretty active marketplace for extensions, also, right, meaning that extensions do get bought and sold by different people, you know, inside that space. Then losing control to someone that you don't know, a developer that you don't trust or an attacker that's going to, and these problems aren't new. I mean, I think the earliest one that, like, top of my mind, is like 2015, right? And I'm sure they go back further. Those, managing that, I think, is complicated.

Speaker 2:

But again, you also have the same problems with the SaaS apps as well, where you can give too much rights to a particular SaaS app and by doing that you lose control of your data, your systems or your integrations between different systems as well. So it's a lot of complexity, a lot of very complex environment, a lot of opportunities for threat actors to take advantage of the browser and then get control of the data sprawl that we have in SaaS environments, whether they're business-led IT, shadow SaaS or central IT-led, it doesn't really matter. Lots of use of SaaS apps today.

Speaker 1:

That's interesting. Do you see more adoption of this in one sector of the market over another? Is there anything like that? I would think that some financial institutions, like large banks or whatnot, they would want something like that For sure. Obviously the federal government and the military, you know they would want that sort of technology.

Speaker 2:

Yeah, they do. They do, but I think we've been conditioned to worry about the endpoint and applications and network steering, right, meaning we used to have proxy servers all over the place. We used to have IDSs all over the place and we're protecting office environments with our data centers, which were two closed systems that we could connect, and we knew, and keep people out of the ones that we don't want to, right. That system was way less complicated than what we have today, which is the big issue. I think one of the earlier questions was why aren't people thinking about this? Well, again, I think it's a matter of education. There was a time when people didn't think we needed EDR tools either, that we thought antivirus was enough. Now there's a lot of EDR vendors and they're all pretty effective in the Windows space, and then it looks like, how do you want to protect Linux and stuff? Again, it becomes more complicated.

Speaker 2:

But we've been conditioned to think that we have data centers and we have office environments and we need to protect that kind of world, whereas the world's really shifted out from underneath us. So I don't think there's been enough education or understanding of the threats that are inherent in cloud running SaaS products and then accessing all those SaaS products via a browser. I don't think that's really been... I think that's kind of new thinking, a new way of, a different paradigm that I don't think people are putting too much focus on, because it doesn't work with our traditional IT education.

Speaker 2:

Right, our traditional IT education has been: here's a network, this is a firewall, this is a host, this is a node, and we design a system to be self-enclosed, and that's just not how we operate today.

Speaker 2:

There's environments today that don't have... they just have open Wi-Fi, or they may have MFA-enabled connections to their Wi-Fi at work, but then there's no... it might as well just be a guest network, right? Because there is no connectivity with other systems on the environment or access to those hosts and servers, because all those are in the cloud behind, you know, an AWS console, right? We have lots of environments that are just working out of WeWork, not something that we had 20 years ago. All of our current, I think, training is around traditional IT practices versus remote workers, SaaS apps and where we're actually working, which is in the browser. I think one of the interesting statistics on that is that like 85% of user time is spent in a browser today. That's an incredible amount of time to be spending in an application that you don't really have a lot of visibility on.

Speaker 1:

Yeah, that makes a lot of sense. I guess I never really thought about it like that. You know, and even with all the education that we have, we never really talk about browser security. You just assume, you know, Google's doing their job, right? And we'll probably end on this point, right, because we're running out of time here quickly.

Speaker 1:

When I was working at a company that was creating an application, they had to deploy an application on Google Play Store and the Apple App Store, and we were talking about the timelines, and the developer said, oh, I could put it on Google Play Store ready to download for people by the end of the day. It's not a big deal. They don't even check what's in it. Right, you just check all these boxes and you're good. With Apple, it's going to be like a two, three month process. That's right. Right, because they're going to pen test the app, they're going to really check it and everything else like that.

Speaker 1:

Right, and sure enough, I mean it was probably four or five months even to get it on the Apple App Store, and that's probably something similar, you know, with browsers, right? If I wanted to get an extension, I bet, you know, there's not like a very robust team at Google. You would think that there would be, but I'm sure there's not a very robust team at Google really reviewing these extensions, which can really increase or decrease the security of your browser overall, which really puts the rest of the data and everything else that you're accessing and using it for all at risk. That would be really frustrating for me, because I'm over here using a password manager with an extension in my browser, right, and it makes me think that everything is all secure while, you know, lo and behold, there might be a malicious extension intercepting all of my very lengthy passwords that I don't even know.

Speaker 2:

Yeah, you should look at the polymorphic extension webinar that I did, where we went through exactly that, where we had an extension that was used for marketing that we changed to actually change the icon for our extension to the 1Password extension and then started popping up, hey, you've logged out, asking you for your credential information, and then re-enabled the extension and changed our icon back. We call it a polymorphic extension, where we then capture those credentials from that user and then we're able to go anywhere that user can go to, right, because now we have access to their vaults, because we have their security key and everything else that we need. But a user would totally not see that happening. It would be incredibly transparent for them to see it. I mean, it's happening. They wouldn't know. It's somewhat of a scary, scary thing, but exactly that. And so I definitely wouldn't say that Google's not doing a good job. Right, I think they're doing a lot of things, but, you know, they have a lot of automated processes to kind of get through that, because there's lots and lots of extensions that are being published or updated, et cetera, and they have good skills, you know, good people skills, to get that stuff done.

Speaker 2:

I think that the problem is that, you know, this then becomes an enterprise or user problem, because the system's working as designed. In the polymorphic extension and the browser syncjacking attacks that we did research on and we posted about, the system is doing exactly what it's supposed to do. You know, the problem is how many rights are you providing to that extension? What subsystems are you allowing them to have access to? And if you don't know everything, or even how the combinations and permutations of all those rights kind of work together, it's easy to get lost there and make a decision that you didn't intend to make, which results in you losing control of your password manager or your credentials or whatnot. So it's a threat there and there's a threat there.

Speaker 1:

Yeah, it's interesting. It's definitely something that you don't typically think about. Really. Well, John, we're at the top of our time here, and I really enjoyed our conversation, but before I let you go, how about you tell my audience, you know, where they could find you if they wanted to reach out and connect, and where they could find SquareX if they wanted to learn more about the company and the solution?

Speaker 2:

Yeah, so you can find me on X at John Carse, J-O-H-N-C-A-R-S-E. You can also find SquareX at S-Q-R-X dot com, so sqrx.com, and take a look at our browser.security site as well, because it'll allow you to check your browser and how well it works. Do you have the right kind of controls in your browser, if you're an enterprise customer? And we also have a consumer plugin that can help you out as well. So that's on the Chrome Web Store as well, if you want to check that out kind of organically.

Speaker 1:

Awesome. Well, thanks, John, and thanks everyone for watching or listening to this episode. Hope everyone enjoyed it.

Speaker 2:

Thanks, Joe, good to meet you.

Speaker 1:

Yeah, absolutely. Good to meet you too. Thanks everyone.
