EPISODE 1787

[INTRODUCTION]

[0:00:00] ANNOUNCER: Browser security aims to protect users from cyber threats encountered online, such as phishing, malicious extensions, and malware. It's a complex, multifaceted challenge that's increasingly important as cloud-based tools, SaaS platforms, and collaborative applications become the backbone of modern workflows. Jeswin Mathai is the Chief Architect at SquareX, which is a cybersecurity company focused on protecting users and companies from web-based threats. Jeswin joins the podcast to talk about SquareX and modern strategies for browser security. Gregor Vand is a security-focused technologist and is the founder and CTO of MailPass. Previously, Gregor was a CTO across cybersecurity, cyber insurance, and general software engineering companies. He has been based in Asia Pacific for almost a decade and can be found via his profile at vand.hk.

[INTERVIEW]

[0:01:04] GV: Hi, Jeswin. Welcome to Software Engineering Daily.

[0:01:08] JM: Hi, Gregor. It's great to be here.

[0:01:09] GV: Yeah. Jeswin, great to have you on today. You're here from SquareX, which we're going to hear all about, just sort of spoilers all sort of in security. And we're going to be talking a lot about browser security today. And for once, we're actually both sitting in Singapore, which is nice. I'm usually talking to someone far, far away. But yeah, it's a very hot day in Singapore today. It's nice to have you here. But let's start the normal way, so to speak. Jeswin, I think you've got a pretty interesting sort of history before SquareX, and a lot of security experience. Could you maybe just talk a bit about sort of from, I don't know, leaving high school to kind of SquareX? What was that sort of journey for you?

[0:01:48] JM: Yeah. Thank you so much, Gregor. It started off in high school where I got a bit scared seeing all of the activity that happened online.
And security, the reason I got into it was primarily just to be aware of the hacks, the attacks that happened and how I can protect myself as well as people I care about, right? Because someone losing a lot of money in any of the scams, phishing, it can impact or it can have a scarring impact on the life. That was sort of a fear that I had that sort of pushed me in the direction of security. And very early on, I was very into computers. I'd be exploring various programming languages. Even exploring hardware, whatnot. That's how it started. During my university - again, and security is one of the most difficult field to get into. Because in order to break something, you need to understand how it works. And to get to the first mile is like very, very difficult. That's where in my university I just focused on computer science fundamentals. Ensuring I'm at least grasping how the world works. How the internet works. And then slowly I started to explore various courses. And at that point in time, there was not proper course material or a guide on how to start a career in cybersecurity. Just throwing my hands around various, various courses, topics just to have some more context. And I was a complete newbie in the field of security. Then, luckily, Vivek Ramachandran, who was the CEO of Pentester Academy was looking for interns at the time. I applied. And everything went well and I got in. And I absolutely loved the people there. It was a very small team but they were very, I'd say, high-performance as well as aligned to the vision of what we are building. Everyone loved security. I remember having 4am calls with my manager and that is sort of unheard of at times. We both were like workaholics of sorts. During my internship time, it was just amazing run. Got to explore so many technologies that I felt like the amount of learning I had in just those six months was like massive. And a lot of people won't get exposed to that. 
And this was also the time where I was exploring masters, options for masters. I had got an admit from some amazing university in the US. But it was a leap of faith that I took that I have to join this startup. And one good thing happened at the time was my work got published in two of the top conferences in security, DEF CON and Black Hat. Out of curiosity, as an intern, my work got there. What is it that we can do full-time? And how the ride is going to be? And I knew that once I go for masters, the opportunity can't come back. But when it comes to later on at any point in time, I can go for masters. That was like a sort of leap of faith I took. And some of the folks in my university were like a bit skeptical about this because this was the time in startups you join and they'll get a lot of work out of you but the pay might not be good or it could turn out to be a complete scam. A lot of people were like, "Oh, why are you ditching the offers from such good university and going for a startup?" But luckily, everything worked out. The team was amazing. And in just like a couple of months time, I got to learn quite a lot. And I'm a workaholic, right? I put in crazy amount of effort. And this was the time when we were building a lab platform with Pentester Academy. To provide context about Pentester Academy, it was a cybersecurity education firm ran by Vivek. Vivek Ramachandran is a cybersecurity veteran with over 20 years of experience. He has found multiple zero-day attack. Which is, again, he's the first to find some of the attacks in WiFi stack and so on. At the time, again, we had a course platform. But now we wanted to make sure that everyone can go ahead and do some hands-on exercise. And that's the best way to learn anything, right? You need to do hands-on. And when it comes to cyber security, that was lacking in the industry. Vivek's idea was that we need to make a lab platform that can be fully accessible from the web.
And if you think about it, getting hands-on experience on cyber security is a bit difficult, the reason being you have to attack something that is vulnerable. Now you can't host something vulnerable in public internet. All of the other players, the competitors, what they used to do was they used to create a VPN. And now you have to connect your device to the VPN network. And there you'll get to attack those machines. But now the big problem with using VPN is that it's a two-way street. You can attack the other machine, but you can get attacked. In every corporate organization, VPN is like a completely no-go. That's where Vivek thought that whatever solution we are building has to be served from the web. We constrained ourselves to just a web browser and we ended up building an elegant solution. And at the start, we were bashed upon that, you know? This is going to work. VPN is the route to take and so on. But six months down the road, everyone started copying the technology that we have built out, which is through the web interface. And we were the first to go ahead and provide like a full-blown desktop environment on a container. People used to do it in VM. That's why, again, it was so expensive. But we were the first to sort of package everything in the form of container. And that sort of changed the whole industry for the months to come. And while running Pentester Academy, and Vivek ran it brilliantly with like just four or five folks, we were able to deliver so much. And we were so ahead of the competitors that even if they started copying us, they couldn't get to the point where we were. And while running Pentester, again, what ended up happening was Vivek is a very curious person, right? He's hands down the most technical person I have met. And he noticed a lot of issue in the whole browser security space. And more importantly, if you think about, the technology is keeping evolving. But the phishing scam, the number keeps on compounding. 
Even though there's better technology, it is not going down. Because attackers are finding a way to go ahead. Evade security solution and whatnot. And none of the vendors are doing much about it. Google, Microsoft, they aren't acting on it even though they know something is happening. A bit of frustration as well as various ideas Vivek had at that point in time. And now we knew that we can't run two businesses parallelly. And beyond the point again in cybersecurity education, we had a massive impact. We are talking about customers from Fortune 500 companies, US Department of Defense, US Army and quite a lot of defense agencies that we have trained people from. But we knew that at some point in time we will hit the market gap. Because among the whole IT population, we have small percentage of cyber security enthusiasts out of it. Again, only small fraction is going to go for the courses. At that point in time, Vivek we decided that it would be best to sell the business to a US firm. We parked a big win. And then one year down, we started SquareX with a sole vision of providing better security solution on the browser. And started off as going ahead and protecting the user from scams, phishing attack that would be happening. I know this was like a long stint, but that's how the journey has been until the time SquareX started.

[0:08:57] GV: That's a great little sort of history there. And sort of, I think, definitely leads really sort of clearly into why SquareX is what it is today. I think that's been really helpful. I imagine, for the listeners, sort of in terms of SquareX is very much all to do with the browser. But I'd obviously love to hear from you. If you were to describe, what is SquareX today? I'd love to hear that. And then obviously, we'll dive into a bit of detail in various aspects. What is SquareX?

[0:09:23] JM: At this point in time, we are having a consumer version as well as enterprise version. But I'll talk about the vision first. How it all started?
Right? If you think about from a user's perspective, we have antivirus solution to block any malware, malicious files that would be coming in. But now let's say you get an email that Google marks as dangerous now, but it is an important mail that is coming in. At that point in time, you'll go ahead, ignore the warning Google prompted you. You'll download the file. Now, let's say your Windows Defender goes ahead, blocks you from opening the file. Now, it is important. So you'll go ahead, disable your Windows Defender and then you'll end up opening the file. Because, again, false positive can happen. The way the industry worked was, again, blocking the user from doing things. And no one likes to be blocked or in a way deterred from what they wanted to do. That's where our philosophy was. Let's not block the user but rather provide them an alternate way to access the web, access the files in a secure environment. One of the examples I can give is anytime I get a resume - and we are a security company. So I have to be careful about opening those resume. And let's say someone sends an assignment with videos and files in it, I have to literally spin up a VM to make sure, again, if I open the file even if it has some malware, it doesn't end up compromising my device. All of these were like a lot of concerns about the files that you are getting from the internet. And that's how a lot of hacks happen. People accidentally go ahead, disable the security solution one time. They forget about it. And now we are open to the sea of malwares that are out there. And it takes just one opportunity for the attacker to get in. Once that is there, then, at that point in time, you might end up losing your credentials. You might incur financial loss. And to be honest, the world is quite ruthless, right? People don't care about what would be happening to you. Let's say you're in a very financially bad situation, it could be like a medical situation, whatnot. They don't care. 
They'll just take out the money. That's where our logic was. Don't block the user from doing things, but rather provide them an alternate way. And a lot of people don't care about security that much. In a way, also to educate the users that, at times, you have to take a secure measure. All of this led to like a couple of features called disposable browser, disposable file viewer. Disposable browser is like a remote container that runs on which, again, a lightweight desktop environment is running. And on top of it, a browser will open up. It's a very seamless interface. Imagine that users serve something right. And now you'll notice a lot of Google-sponsored link coming on the search result. To be honest, I never click those because what attackers do is they'll pay Google to make sure their website come up on top. Instead of going to the legit website, you'll be going to like a malicious website. What I do usually is all of those websites, I'll simply right-click and then open it in like a disposable browser. And that launches a remote container on SquareX's data center. And now the browser is running there, so you can access the website as you want on your regular browser. In a way, the container is running, the browser is running and the view is getting streamed to you. And the container is [inaudible 0:12:32] in nature. So you can destroy it any point in time. No data retained or so.

[0:12:36] GV: Nice. Yeah, I mean, there's a lot to unpack here. You've sort of described the experience and I think probably quite a few listeners are asking quite a few questions in their head right now. Sort of, "Hang on. How does this really work?" SquareX describes itself as browser detection and response, which I really like. I really like that sort of idea. It's clearly a play on endpoint detection and response. Let's come back to that in a second just in terms of just endpoint is probably referring to just your OS in general, and then there's a reason now.
It's browser detection response. But everything you just described there - okay, I'm using my browser. But I believe there's quite a sort of important Chrome extension piece here. Because I think for what you described, okay, I might be opening something malicious and the disposable browser aspect sort of kicks into play. The missing link, I think at the moment, is perhaps the Chrome extension. I could be wrong, but maybe you want to talk about. How does the browser know to sort of start spinning up a disposable browser, for example?

[0:13:40] JM: That's a great question. Again, I'll explain the decision of why we went with the Chrome extension approach. Originally, again, SquareX is a new company, right? People won't trust it that much. And to have our own, let's say, browser or installer, it's a very high bar for the users to install it. But if you think about a Chrome extension, people don't take a look that often. They are very open to installing extension. Ever since the AI boom, with the ChatGPT and everything, people want to enhance their productivity. And, again, the usage of extension had skyrocketed. We took a look at the stats and then we decided that extension is the easiest way to get onboarded on the user's device. And now we had a couple of features. For example, anytime we - let's say you're surfing, based on the links that you're seeing, we ourselves will identify that it looks a bit dangerous for you to directly open it in the browser. We'll open it automatically in the disposable browser. That was like something that the extension is automatically doing. Additionally, what you can do is you can simply right-click any of the link. And in the right-click menu, there will be option. Open with SquareX and disposable browser. Click on it and then that link automatically opens. It was a seamless integration from the regular browser to the disposable browser provided directly.
And our idea was that, slowly, we have to go ahead package a lot of security onto the end device. Because most of the security solution, the way they work is they don't do any analysis on the end device. They'll be sending it to the cloud where, again, your content will get analyzed and then it will fly. Now, this is a big privacy concern because the data is moving out from the user's browser to the cloud. With extension and the browser itself have become much more powerful, right? We are seeing the end device - at one point in time, we are seeing like four gigs device. But now you're talking about 8, 16 or even 32. The device itself has become powerful. And the browser capability has increased quite a lot. For example, WebAssembly has like skyrocketed in terms of the usage that is happening. So big players, Adobe, Figma, Canva, all of these guys are using Wasm. So what we did was we took the similar approach that we can use WebAssembly to go ahead, perform some of the operation that the endpoint detection or the antivirus would be performing. Before the file touches the disk - and to provide some more context, right? So all of the antivirus, they go ahead, act when the file touches the disk. Because that's where, again, they can access the full file and take a look at what's happening. Even before that happens, SquareX can perform the checks on the browser in-memory. That was in a way our super power to tell that you already have an antivirus. It will catch something if SquareX misses something. These sort of enhancement, we were keeping on doing with the platform. And also, to test out what's the performance impact on the end device. Because it's a free extension, SquareX, in case if anyone wants to try it out. And the users don't have an incentive to use the product unless they really like it. And it was a good test for us to figure out how well can it scale. How well can it run? And also, to ensure that whether it is causing any difficulty with the user. 
If they feel that something is slowing down, they'll immediately uninstall. Similarly, again, if it is getting too annoying, they'll immediately uninstall. But that was a big exercise that we run, so that we gather all of the user experience with people who are not associated with us in any way. And it's like the raw - just the likeliness of the product. Is it going to scale? A couple of these questions are answered with that exercise. And even today, again, SquareX, the extension is completely free for anyone to use. At least a consumer version.

[0:17:22] GV: Yeah. I mean, I think in terms of - okay. So I think that was a good time. Browser detection response versus probably a term that at least a good number of our listeners have heard before, which is endpoint detection and response. And I think it is no sort of secret that the browser is becoming almost the sort of almost OS for most people day-to-day. So many things are moving into the browser that might have been able to or would have run as a native application. And it's interesting that you mentioned WebAssembly, because that's clearly this direction where we're able to package things. Again, applications that would have needed a lot of resources to run in the browser or on the OS. And now we're finding ways to run them pretty interestingly and efficiently in the browser because of WebAssembly. If I'm using my browser, you mentioned sort of - well, I guess I'm still just trying to understand SquareX. If I've installed the extension, does it sort of - I hate to use this phrase. But does it sort of pop up and sort of say, "Oh, we think you're trying to download something malicious, so and so and so." Or is it something different? Because I mean, again, to your point about productivity and not getting in the way of users, I think many users, including myself, would probably say, "Look, if I'm just trying to do something, and then this thing pops up and says, "Are you sure?" that's already a friction point.
I'm curious how you guys have thought about that.

[0:18:49] JM: The idea was, again, we have to make everything configurable as a setting for the user. By default, a lot of things will be turned off and then they can selectively enable some of the feature, so that, again, it's not intrusive. We want to run as silently as possible without even user realizing that SquareX is running. And that's where, again, everything was like an opt-in that they can enable from the settings. And that way, again, they don't get logged or annoyed in any way.

[0:19:16] GV: Yeah, gotcha. Yeah, I mean, you talked a bit about performance there, and that's obviously a very interesting piece. I mean, as much as you can kind of reveal, how does this work behind the scenes? Again, user experience and performance, these days is almost intrinsically linked. If something's gonna take too long to tell me something. And, obviously, we'll probably get to AI in a bit. But AI is a great you know example of this where, unless I'm getting a response within three to five seconds, then I'm already kind of - you've lost me. Yeah, how do you look at performance and sort of how is that being sort of looked at behind the scenes?

[0:19:53] JM: Yeah. In terms of performance, again, the idea is we have to be in like sub-millisecond in every action that we are performing. Some actions, for example, let's say file download, and if you're analyzing the file, depending upon the size of the file, the analysis can take some time. That is one thing. Again, let's say you're downloading gigs of file, then definitely it can go up to like seconds. And worst case, it can go up to a minute. But there is nothing we can do about that. But if you think about like users downloading files in general, most of the files will be very small in nature, right? Not everyone will be downloading a 100-gig file or even a 10-gig file every day.
And file download in general are very less, unless, again, the profession itself requires a lot of file download, upload and so on. One thing which we did was, again, to make sure that we benchmark everything properly. And a lot of optimizations just keep on happening over time. In regular use, it used to take like 1% to 2% of what the browser would be taking. And the browser is such a beautiful solution at this point in time. It automatically optimizes the resources it consumes as well as, again, the resources that the extension consume. Let's say you have quite a lot of memory CPU available and it is free to use, there's no other application using, the browser can go up to like maybe 70%-80% of times. Because, again, there's some free resource available. But now something comes up, it will constrain that and it will also make sure that the extension automatically gets constrained. As well as, again, it might go ahead, kill off the service worker, which is like the main thread that is running in case if it is exceeding some memory limits. In a way, we are piggybacking on what the browser itself provides. And, again, hats off to the Chromium team, as well as the Firefox and Safari team. They have done a brilliant job in terms of managing the resources. Making sure that everything is optimized.

[0:21:41] GV: Yeah. I think I'd like to sort of go into more of the security side in a second. But, yeah, I definitely have a big question, which is the decision around a Chrome extension. As opposed to we've seen some people, I wouldn't say just in security, but in some other realms, say, "Look, Chromium is the de facto browser framework now." Okay, great. Why don't we piggyback on that and we still come up with our own browser? It doesn't deviate too far from Chromium, but it builds in these things. I'm really interested to hear why a Chrome extension was still the decision over saying this is the SquareX browser.

[0:22:23] JM: Yeah. That's a great question.
We looked into the other companies who had rolled out the browser and we realized, again, it didn't pick up. And these are very large companies. Some of them are like public companies. That option of a new browser is like a very, very high bar. Because in a way, you're asking the user to transition all of their regular workflow from a browser to a new browser. Plus, again, I'd say credibility at that point in time because we're a startup, right? That credibility to build it up to a level where user are comfortable in terms of privacy, security, that's going to take a while. We evaluated all of these options, and one biggest concern is that anytime you are using or building your own browser, let's say there is a vulnerability that comes in. All of those patch management is a very big thing to manage in every place. Software patch management, it's a management sort of hell, I'd say. That was one reason. Because any time a vulnerability comes on Chromium, right? So the team will go ahead, immediately roll out a patch. But now we are deriving something on top of Chromium. If something comes up in Chromium as a vulnerability, now if we have deviated too far, we have to make sure that the patch is conveniently applied here. And, also, the deciding decision, right? We can't deviate in such a way that it becomes like completely something different from Chromium. So that all of those patches become like big pain to manage. From a security standpoint, from a management standpoint we decided that, at this point in time, again, just an enterprise browser, it has to be something revolutionary. It has to be something like it's not possible to do on Chromium. At that point in time, we can go ahead and decide. We evaluated the whole extension story. We figured out, for most of the security-related feature, we have the power with the browser extension, which most people are unaware of. Browser extensions are like super powerful.
And it sort of checked all of the boxes that we had in mind. It was purely management plus security-related decision to go with Chrome extension. Let's say, again, some vulnerability comes in in Chromium, Chrome will automatically patch it. Now we are running as a browser extension. If some vulnerability comes in our software, all we have to do is push a new update to Chrome Store or the private link that we have. And the browser automatically will pull it in after a few hours' time, or in case, a day's time. It is much secure version of the solution that we are offering. And the best part is, again, the user doesn't have to go through any change management. They don't have to change their regular workflow in any way. Everything works out of the box.

[0:25:01] GV: Nice. When I first saw the product, it was at the GovWare in Singapore. It's a bit of a strange name, but it is basically the biggest cybersecurity conference in Singapore other than there's a Black Hat offshoot that comes to Singapore as well. But, yeah, if you sort of think of, I don't know, almost like DEF CON, the Singapore is sort of like that. But, yeah. And I was really, really impressed by just sort of seeing what actually the ultimate capabilities of a Chrome extension or - I mean, just to dive into some small details for a second. I mean, when SquareX was started, was that - I'm trying to sort of match up times now. Was that the V2 manifest versus V3? Or did you guys get lucky and start on V3? Or how did that work?

[0:25:43] JM: We directly started with V3.

[0:25:45] GV: Okay.

[0:25:46] JM: Even though, again, we were not leveraging a lot of heavyweight feature from V2. Again, we could have done it for V2 as well, but we decided that V3 is the best way to go.

[0:25:55] GV: Nice. Okay. You avoided, I think, a lot of headaches there. Yeah. We've had some other security companies on the podcast. And, obviously, they've been around - well, they've been around a bit longer.
And yeah, unfortunately, one of the reasons that their extension was sort of lacking to users was just actually that V3 had come along and they were having to take a lot of effort and time to upgrade to V3. That's one of the powerful things of being a startup, is if you can start at the right time, then you can miss these things out. You mentioned Chromium as a - well, if things get patched there, then they deal with it. And obviously, if there's anything to do with the extension, you would look at that. But just in general, from a security landscape or rather the threat shape, how do you assess and keep on top of what you considered a threat? I believe one example that you guys cover is a malicious QR code, an example. Could you maybe give some other examples of the kinds of things you cover? And then, also, what's your process for sort of looking out for and keeping on top of what can be considered a threat within the browser context? Because, I guess, also, you've talked about phishing. And phishing is this ephemeral thing as you've just said. It doesn't seem to matter what happens. Phishing just continues because people are smart, plus AI. Yeah, I'd love to hear all about that.

[0:27:19] JM: That sounds great. Yeah. So just to provide some more context of like what SquareX is trying to solve. We have a couple of big players in the market. We have what's called EDR, endpoint detection and response. For the consumer folks, you're familiar with antivirus solutions. EDR is like antivirus solution but for enterprises. Now, this solution they came up with at a time where everything was running on different application on the local machine. We're talking about MS Office, Adobe, your video player, whatnot. They're great at detecting malware that directly comes on the disk. But over time, what happened was everything got transitioned to the browser. And ever since the COVID hit, what ended up happening was a lot of work from home, lot of SaaS application skyrocketed.
And the browser became the main interface through which everything is happening. No longer we are using - most of the time, we won't be using local application. And enterprise, 95% of the time, users spend on the browser. And attackers are like the smartest folk on the planet, right? Even if we have the best security solution, they'll find the way to beat them. And the way they are beating it right now is by remaining in the browser without triggering any file download. They'll try to be on the browser. Could be like a phishing page or could be a QR code. Now, imagine that you are on a corporate device at a best security solution, suddenly you see a QR code. Now, the user will be incentivized to - let's say it could be something related to travel deals, it could be a financial tip, whatnot. They'll be incentivized to go ahead, scan the QR code. Now, the moment they scan the QR code, you are on a smaller device, more susceptible to phishing attacks. And more importantly, you're using a device that does not have any security solution that the enterprise would have provided. A couple of these vectors were coming in where attackers are just living on the browser. Another example is - I'm not sure if you're familiar with the pop-up-based scam. Basically, what ends up happening is every website in today's time is asking for notification permission, right? Users are used to clicking allow, allow, allow. Now, attackers are leveraging the same. Let's say you go to a website that asks for notification permission, you click on allow. Nothing will happen to you at that point in time. But few hours later, what you will see is suddenly pop-up appearing from that website. And the way the browser works is that that website doesn't even have to be active when you're seeing those pop-ups. Suddenly, you'll see quite a lot of pop-up. That will show that your account has been compromised or malware detected on your device. This actually we noticed on like couple of our non-tech folks.
Some of their, again, family members went ahead and clicked on one of those website. And what ended up happening was the pop-up was spamming so much that it just filled the screen on the right side. Such that, again, you can't even click on the settings button to disable the notification permission for that website. There's no way out. All you have to do is you'll be forced to click on the pop-up. Now, when you click on the pop-up, it will take you to let's say either a malicious website or it will take you to a affiliate marketing link. And the affiliate marketing link could be of genuine corporation. Could be like Norton or an antivirus solution. Now, the users are thinking that their device has been compromised. Now, when you click on it, it takes you to Norton. So then you end up purchasing Norton. And during this, you are using affiliate link of the attacker. They make money regardless of the approach they are taking. And this was one of the hardest attack to detect because the user is going to an official Norton website or antivirus company and there is nothing wrong about it. All of these attacks are happening at this point in time that, again, it's like so smart of them to use this. And I think in 2022 alone, close to 3.4 billion were lost to Norton and some other companies due to this affiliate marketing fraud and the pop-up-based attack that is happening. Now, what attackers are also doing is they know that the website will get scanned. There are like a lot of point of presence around the globe which are held by security companies. And they're constantly scanning website from different location, figuring out whether something is malicious or not. And attackers, the way they are evading that is by applying tactics such as they figure out the traffic is coming from data center. They'll suddenly change the website's behavior and show a very simple page that doesn't have anything malicious. 
But now, if the traffic is coming from a regular ISP from where the user will be accessing, they'll suddenly show the malicious website. This is one tactic based on, again, the origin of the request, we show different behavior. And this we are terming as like polymorphism or polymorphic website. It is popularly used in malware, polymorphic malware. They change their own behavior. And this is exactly what is happening for the website in today's world. Another tactic is, again, they'll put a reCAPTCHA on top of their website. Now, let's say a security scanner is scanning, it can't go ahead and bypass that reCAPTCHA. Only a human can. But this way, again, the security scanner are unable to pick it up. And a lot of these websites are out there in the wild for a long time. Even we tried reporting to Chrome, and it takes them close to like even 16 to 24 hours to acknowledge and then fully take down the website. And the process itself, it could be possible that some websites are up until like a couple of weeks to even months before they're finally classified as dangerous. That's where, again, with SquareX, the idea is that we sit on the browser. We see what the user is seeing. We are acting on the last mile. Let's say you go to phishing site, we can figure out that, "Oh, the sentiment is of login. And the website looks like Microsoft, but it is not Microsoft." And this could be like numerous number of indicators. First is, again, the visual based on the text that we have. Similarly, again, checks on the domains. For example, if it's a domain, it's like very newly registered, then it's a red flag. Now, attackers are very creative. They'll purchase a domain that is already there in the market for a long time to await this sort of check. But in this case, again, we can perform checks such as, again, who is the owner of the domain? And it looks like Microsoft. The website looks like Microsoft but the owner is not the same as what Microsoft would be generally using. 
Similarly, again, from where the traffic is coming in. A lot of parameters across what is the server headers? WHOIS-related information? What are the way the SSL certificates are issued? Who is the, in a way, signer of the certificate? All of these key metrics, we are able to gather by sitting as an extension. And based on that, we can reduce that. This is like a bit risky, a bit dangerous for a user to go to. A lot of like, in a way, intelligence is embedded right there on the browser extension. And we are also having like some AI models that are packaged with like the ONNX model. It's a good thing that we can run on the browser. All of those are packaged to go ahead, analyze the content that the user sees. And all of this is happening in a privacy safe way. More importantly, because we wanted to reduce the amount of data, we'll be sending it to the cloud. Most of this thing that I mentioned is part of our enterprise offering. How we are protecting the end users for businesses? And there, again, the challenge is we can't send a lot of data to the cloud because, again, it's corporate data. The more detection we do on the browser, the more data we reduce. The more, again, we are performant in terms of like cost as well as, again - and the whole user experience is much more seamless. [0:34:47] GV: Yeah, that makes a lot of sense. So you've talked quite a bit about, I guess, sort of learning and detecting from what is sort of happening from actions. And, also, you talked just there about being able to use models, AI models that, again, run on the browser. There still must be some degree of threat intelligence that you have to be aware of and bring into the platform. I'm curious about that, because if we look at other security domains like attack surface management, without naming names of companies, I would say that the leaders now are the ones who have internal threat intelligence. Teams who are able to bring that right into the product, bleeding edge effectively. 
How are you guys sort of looking at that? Because, as you just said, the attackers are the smartest people on the planet. And I would agree with that in the sense that they're very smart and there's no rules, right? They can kind of do almost whatever they want and try whatever they want. How are you guys bringing that into SquareX? [0:35:49] JM: Yeah, that's a great question. At this point in time, our idea is not to reinvent the wheel for some of the things. For example, we don't want to dwell into threat intel for malware analysis. We don't want to do that. That we are building our own full-grown malware analysis platform. Because the past two decades, industries have established, and a lot of big players are there. We leverage threat intel for some of the things that are already there. For example, we integrated with CrowdStrike, ReversingLabs to get insights from them. And then our analysis runs on, let's say, parallelly to catch the points that they wouldn't be analyzing. In a way, again, a bit of our own intelligence is there based on our experience, right? We are a bit disappointed that, again, the big players, some of them are not doing that great of a job when it comes to, let's say, office documents. And we did a full research publication on the same that Google, Outlook, all of the big players, email vendors, none of them are doing as aggressive checkers as they should be. And we are able to demonstrate that a simple malicious office file can go through and VirusTotal will only give like certain hits where everyone should be flagging up at that point in time. Again, leveraging the Intel where we can. Plus, again, our own intelligence is built out. Similarly, for web application, we are leveraging the intel's that are around provided by the big players. Because anytime, let's say, a malicious website has been classified by someone, if it is malicious, then we immediately block. 
On top of this, what we are doing is we are building our own intelligence for the web. Because, again, the intelligence everyone has is a bit outdated. It is not capable of capturing the new attack that we are seeing out there. That's where, again, the whole analogy of browser detection and response comes in. We are the first browser detection and response solution. And the idea is the same, that we'll provide the threat intel for the web-based attacks that are happening. Any attacks that other vendors are not capable of detecting, that is the void we are going to fill. And that's our positioning at this point in time. And slowly, we'll go behind other vendors as well. But we realize that there's a big market for us to capitalize on the whole browser security space. And again, once we do that, at that point in time, we'll definitely dwell into the limitations various vendors are having and maybe have our own analysis engine in all of those segments. [0:38:12] GV: Again, just to sort of paint a picture for, I think, listeners in this space. Am I right in saying if it's not what the solution that SquareX is providing, it's actually more of a solution where you're almost kind of using a sort of VM browser almost? I'm sort of trying to think of some other vendors. I'm not going to name the names exactly. But sort of other big players there where they say, "Oh, our browser is like the safe browser. And there's no latency and so on and so forth." But you're kind of effectively using like a VM, virtual browser or something to that extent? How would you categorize sort of the competition just from a sort of technology standpoint? Yeah. [0:38:52] JM: That's a great question. In our case, we are running as a browser extension on users' browser. In terms of performance, everything is super good. There's no VM or container-based access being provided for their regular workflow. Now, what we have a feature is called isolation. 
Let's say enterprise is not comfortable with users accessing a website on their regular device. They can either block it. If you block it, they can't access it. Or you allow it, they can access. But now with the isolation feature, what happens is that's where we have a container that is created on the cloud. And we have a desktop environment that runs on the container. And that view is streamed back to the end device. This way, again, any website you access in the container, it's completely isolated. And the user wouldn't be in a way in the risk of security threat set up. That is one. And our preference, to be honest, was to avoid isolation technology as much as possible. Because, again, it is running remotely, right? And it is a remote browser. And users are used to using their regular browser. They're way more familiar with it. And they wouldn't be able to get that 100% of the feel on the remote browser. Our recommendation is to only use isolation for like some website. Not make the isolation as the main browser, which a lot of other vendors are doing. Because, again, it gets super frustrating, super annoying when you're seeing the latency go up. And, suddenly, you're trying to watch a video, it starts to lag and all of those things start to happen. Yeah, that's it. Again, with SquareX, the detection, the analysis, everything happens locally to make sure, again, the user experience is the best in any website they're visiting. [0:40:37] GV: Nice. I think it's still helpful to call out to our listeners that this is still quite an evolving space, right? I think it's only been sort of fairly understood quite recently that, actually, the browser is basically where most of the problems happen. And whether it's email, as you've called out, phishing is where this happens a lot. And that can obviously be where the email providers are saying that we'll try and take care of this. But equally, at the end of the day, it's still mostly happening in the browser to some degree. 
It makes a lot of sense that we evolve the solutions around what is happening in the browser from a security standpoint. And, unfortunately, we can't just rely on - I know Google building in things into Chrome. There's a big enough job there just to run Chromium itself. And, unfortunately, we're seeing things like Firefox, unfortunately, kind of dying away a little bit because it is too hard to keep up with sort of the requirements of today. And, obviously, on their side, that's purely open source. And I'm sure there's some funding there. But it's difficult for Firefox to kind of really keep up with the juggernaut that is Chromium and Chrome, etc. As we sort of kind of come to a close here, I mean, where does SquareX go from here? What are the sort of anything that you can share in terms of over the next 6 to 12 months? What are the sort of things that we and maybe expect to start to see from SquareX? [0:42:08] JM: Yeah, I think that's a great question. At this point in time, what we realized was that all of the vendors, right? We have a couple of competitors. I wouldn't say the name. But all of them are not very security or attack-focused. And they lack sufficient background to go ahead, build a detection to prevent the trendsetter happening. If they had, then they would have definitely built it by now. Our approach is, again, to go ahead and build out a full suite of detection across all the attacks. We already have a lot of them built out. But again, to make sure that we just keep on compounding on the library of the detections that we have. To make sure, again, anytime a user visits a website, even before they see it, we can go ahead, block it. That is one thing. Additionally, again, there are a lot of features in the pipeline such as, again, private app access, VDI replacement. All of those things are also coming in. 
In a way, to make it easy for any enterprise that is out there to become sort of a one shop for, again, all the requirements they would have in terms of security as well as making sure that the productivity is amazing within the organization. That is something. And just making sure that we are the thought leaders. We are the innovators in the industry. And that is in our DNA. Knowing that we can run or establish a business. It's relatively easy to - rephrase it. That we can build a decent business by doing certain thing. But here, again, it's just in our DNA that we have to be the best in the world and make sure that we are the pioneers, innovators. And, again, super excited to envision the next couple of months. A lot of these features, parallel research are happening where we are trying to go ahead and block all of the attacks that would be happening on the web. That's on the horizon. I can't reveal a lot of information, even though I'm tempted to. But again, I'll have to check with the company on how much I can divulge. Yeah. [0:44:05] GV: All good. I mean, that's the great thing about having startups on the Software Engineering Daily. We don't expect to be able to hear about sort of the next 12 months. That's usually sort of larger companies. It's just great to be able to have you here anyway. One final point, and this might be a question that a few people are just sort of still asking in terms of SquareX versus a VPN. Because I'm just thinking that might be the product that they're most familiar with in terms of something that might be helping them block malicious things. Could you maybe just summarize actually just how SquareX goes beyond a VPN? [0:44:41] JM: That's a great question. With VPN, again, you're still vulnerable to a lot of attacks. It's just routing your traffic through a secure network or a secure location. But if you think about it - and let's say you get a malicious website, right? So now it is opening on your end device. 
Now, at that point in time, that website could lead to some zero-day attack that could happen and your device gets compromised. That is one big concern we have around all VPN solution. And what will end up happening is, with VPN, sadly, macOS removed the support for split tunneling. All of your device's traffic is now going through like some location. And in a way, it will affect the user experience. Because, again, the websites will slow down. At SquareX, disposable browser. A couple of these features. Again, it's a browser running within a tab of your regular browser. Anything you do there - again, it's just a tab. And that way, again, the surfing experience is much more better compared to VPN. And more importantly, from a security standpoint, anything that happens there can't impact your regular device in any way. Let's say you go to a malicious website, it will impact the container that is running. And these containers are like hardened from day-to-day basis. Making sure it's properly updated, patched. And best, I'd say, security hardening mechanisms are put in place to ensure nothing happens. In case, again, worst case is if some zero-day happens and there's no way SquareX can block it on the container level, you're still safe. Because, again, it's a remote container that gets compromised. It's SquareX's small part of info that might get compromised. But the user won't be impacted in any way. [0:46:18] GV: I think that's a great explanation. As you've heard, any user kind of get going with SquareX. Just to be clear, where's the best place to go? And what do they do from there? [0:46:28] JM: Best part about SquareX. The domain is pretty short. It is sqrx.com. Again, just head to sqrx.com and take a look at the videos that are there. In case if you want to try out the consumer version of the extension, then head over to the Chrome Store and search for SquareX. We have above, I think, 4.9 rating with 200,000 users actively using the product. 
That will, again, tell the story for itself. Yeah, on Chrome Store, you can find us as well as on sqrx.com. And do check out the enterprise offering that we have. It's quite innovative. And it is relevant for every organization out there. Everyone is impacted by the attacks that are happening. And, sadly, there is no security solution apart from us who can provide protection on the browser to combat such attacks. [0:47:16] GV: Nice. That was sqrx.com. Head there and check it out. Jeswin, great to have you here. Nice, as always, to have someone also in Singapore to speak to. Slight novelty for us at Software Engineering Daily. Thank you so much for making the time in your evening. And hope we get to catch up again in the future. Hear how SquareX is doing. [0:47:38] JM: Sure, sure. Sounds great. Thank you so much, Gregor. It was awesome to be here. [END]