Latest news with #SquareX
Techday NZ
10-06-2025
- Techday NZ
Exclusive: SquareX's Audrey Adeline on why the browser is 'the new endpoint'
The browser is the new battleground. That's the message from Audrey Adeline of cybersecurity company SquareX, who has launched a practical Browser Detection and Response Manual to help organisations understand and defend against attacks in what she calls "the most used app on your device." "Eighty per cent of the time spent on a device is now in the browser," she explained to TechDay during a recent interview. "Yet it's one of the least protected surfaces in cybersecurity." Unveiled at the RSA Conference (RSAC'25) earlier this year, the manual has struck a chord with security leaders worldwide, selling out quickly and prompting strong feedback. The manual, written by Audrey Adeline and Vivek Ramachandran is titled: 'The Browser Security Field Manual'. "We were one of the top-selling books at the RSA bookstore," Adeline said. "A lot of CISOs reached out to us afterwards to say it helped their teams rethink browser security." Originally from Indonesia, Adeline's own path into tech was unconventional. "I grew up in a very traditional economy. Most of my family ran consumer businesses - nobody was in STEM," she said. After studying biochemistry at Cambridge and working in cancer research, she pivoted into consulting, and eventually joined Sequoia to evaluate tech companies, including cybersecurity firms. Her passion for deep tech and research led her to SquareX, where she now leads the Year of Browser Bugs (YOBB) project, uncovering browser-based architectural vulnerabilities each month. These include high-profile exploits like polymorphic extensions, which can impersonate legitimate browser tools like password managers and crypto wallets. "The danger is users don't realise they're entering credentials into a fake extension," Adeline explained. "These are architectural issues that legitimate browser features enable, and they're much harder to detect or patch." That urgency drove the creation of the manual. "We kept seeing the same problem - people using the browser constantly, but having very little visibility or protection," she said. "Existing tools just don't give you a clear picture of how the breach occurred." The manual's first edition is now being followed by a second, set for release at DEF CON and Black Hat in August. It will feature commentary from CISOs at Fortune 500 companies to ground the guidance in real-world enterprise experience. "We didn't want to just make it theoretical," Adeline said. "Each chapter now includes perspectives on actual problems faced by security teams." Access to the manual is currently via request form, though Adeline said digital availability is expected closer to August. Developing the manual was not without challenges. "The biggest hurdle was the lack of consolidated resources," she said. "There's research out there, but it's scattered. We had to pull together a lot of primary sources and make it digestible - from beginner concepts to advanced attacks." Browser-based threats have spiked recently, with attackers targeting the browser as the new endpoint for enterprise data. "Think about it," she said. "We don't download files anymore. Our files, apps, identities - everything is now in the browser. It's where 60 to 70 per cent of enterprise data lives." Adeline warned that the shift in attacker behaviour is permanent. "It's not just a trend. There's a fundamental change in how we work, and attackers are following the data." To help teams assess their own posture, SquareX has also launched a free browser attack testing tool. "Seeing is believing," she said. "You can test against 49 different browser-based attacks and see which ones bypass your current solutions." She sees two main approaches to browser defence: dedicated secure browsers, or solutions like SquareX's browser extension, which converts any existing browser into a secure one. "Most organisations can't migrate everyone to a new browser," she said. "Extensions are more practical, and updates are seamless." SquareX positions itself as the EDR for the browser, focusing on detection and response at a granular level. "We're obsessed with user experience. You can't compromise productivity just to get security," she said. The company's design avoids the risks of dedicated browsers, which often lag behind on security patches. "Every time Chrome issues a patch, those browsers need to be updated manually. That creates a gap where zero-days can thrive," she explained. Future plans include a red team edition of the manual and continuous updates as attacks evolve. "I wouldn't be surprised if there are multiple versions by next year," Adeline said. Her advice to security leaders just waking up to the browser as a threat vector is clear: "You need browser-native security to tackle browser-native threats." Adeline believes the industry must go beyond reacting to breaches and start anticipating them. "The best defence is understanding what attackers are doing," she said. "You can't just play catch-up." For her, the inclusion of peer input in the manual is crucial. "Security leaders want to hear from their peers. They need validation that this is a permanent shift, not a passing concern," she said. Asked what's changed to make browsers such a prime target now, Adeline points to a confluence of technology and behaviour. "Chrome has added countless new features like WebAssembly and WebRTC. These make browsers powerful enough to replace local apps," she explained. "Since COVID, we've seen everything move online. Now attackers are simply going where the data is." "The browser is the new endpoint," she said. "It's where we work - and where we're vulnerable."
Associated Press
05-06-2025
- Business
- Associated Press
SquareX Appoints Mary Yang as Chief Marketing Officer to Drive Global Growth Strategy
PALO ALTO, Calif., June 5, 2025 /PRNewswire/ -- SquareX, the leading browser security company, is proud to announce the appointment of Mary Yang as its Chief Marketing Officer (CMO). A marketing veteran, Mary brings a wealth of experience in marketing leadership from her roles at global technology firms and high-growth startups, with a proven track record of driving brand awareness, demand generation, and go-to-market (GTM) success. Mary brings more than 20 years of marketing experience, including multiple successful exits, to SquareX. In her previous role, Mary oversaw global marketing and communications for Syxsense, an automated endpoint and vulnerability management company that was acquired in September 2024. As SquareX CMO, Mary will lead global marketing strategy, including brand, growth, communications, field and channel marketing, helping to expand awareness and scale demand for SquareX's industry-first Browser Detection and Response solution. 'Mary has a unique combination of GTM discipline and creativity, honed through years of leadership in the cybersecurity space,' said Vivek Ramachandran, Founder and CEO of SquareX. 'Her understanding of what it takes to grow a cybersecurity startup through building trust is exactly what we need as we shift up. We're very excited to work with her to build something category-creating.' Mary joins SquareX at a pivotal moment, as the company recently closed its Series A with lead investor SYN Ventures and moves to accelerate adoption and deployment of browser detection and response. 'I'm thrilled to join the SquareX team. When I saw the depth and breadth of the SquareX browser detection and response solution along with the challenges it was solving, it was clear how game-changing this technology is,' said Mary. 'Browsers are now the frontline of enterprise work and risk — every business-critical task happens inside a browser and nearly all major cyber-attacks leverage the browser as part of the kill chain. I look forward to showcasing how SquareX can help enterprises secure their workforce and enable their employees to work online confidently.' As browser-based threats continue to evolve, SquareX remains committed to staying ahead of attackers with its innovative security approach. Mary's appointment marks the latest in a series of leadership hires at SquareX, as the company ramps up efforts to transform browser security for enterprises. About SquareX SquareX is the pioneer of Browser Detection and Response (BDR), empowering organizations to detect, mitigate, and effectively threat-hunt client-side web attacks. SquareX provides critical protection against a range of browser security threats, including malicious browser extensions, advanced spearphishing, browser-native ransomware, genAI DLP, and more. Unlike legacy security approaches or cumbersome enterprise browsers, SquareX seamlessly integrates with existing browsers, ensuring enhanced security without compromising user experience or productivity. By delivering unparalleled visibility and control directly within the browser, SquareX enables enterprises to reduce their attack surface, gain actionable intelligence, and strengthen their cybersecurity posture against the newest threat vector: the browser. To learn more about SquareX's BDR, users can contact [email protected]. For press inquiries on this disclosure on the Year of Browser Bugs, users can contact [email protected] View original content to download multimedia: SOURCE SquareX
Techday NZ
30-05-2025
- Techday NZ
Safari users at heightened risk from new fullscreen BitM attack
SquareX has released new threat research detailing an advanced Browser-in-the-Middle (BitM) attack that specifically targets users of the Safari browser. The research, conducted as part of the Year of Browser Bugs (YOBB) project, outlines the method by which BitM attacks deceive individuals into providing sensitive credentials by presenting fake login pages in the victim's browser through a pop-up window controlled by the attacker. Traditionally, one limitation of BitM attacks has been the continued visibility of the malicious URL in the parent window, which could alert security-conscious users to the threat. SquareX's research identifies a vulnerability in Safari's implementation of the Fullscreen API that attackers can exploit to make the attack more convincing and difficult to detect. According to the team, "When combined with BitM, this vulnerability can be exploited to create an extremely convincing Fullscreen BitM attack, where the BitM window opens up in fullscreen mode such that no suspicious URLs from the parent window is seen. Safari users are especially vulnerable to this attack as there is no clear visual indicator of users entering fullscreen." The researchers added, "We have disclosed this vulnerability to Safari and were regrettably informed that there is no plan to address the issue." The Fullscreen API, as currently specified, requires only that "the user has to interact with the page or a UI element in order for this feature to work." However, it does not detail what type of interaction is necessary. Attackers can thus embed any clickable element, such as a fake login button, in the pop-up which triggers fullscreen mode, convincingly mimicking a legitimate login page with the real URL in the address bar. SquareX's researchers warned: "The Fullscreen BitM attack highlights architectural and design flaws in browser APIs, specifically the FullScreen API. Users can unknowingly click on a fake button and trigger a fullscreen BitM window, especially in Safari where there is no notification when the user enters fullscreen mode." "Users that typically rely on URLs to verify the legitimacy of a site will have zero visual cues that they are on an attacker-controlled site. With how advanced BitM is becoming, it is critical for enterprises to have browser-native security measures to stop attacks that can no longer be visually identified by even the most security aware individuals." While BitM attacks have generally been used to steal login credentials, session tokens, and SaaS application data, the fullscreen variant described in SquareX's research further increases the risks by making detection by ordinary users extremely difficult. The attack could extend to spreading misinformation via fake pages designed to resemble official government sites, as well as gathering personally identifiable information (PII) and company data. Attackers could also open new tabs within the attacker-controlled window, gaining further insight into the victim's browsing activities. Other browsers, including Firefox, Chrome, Edge, and Chromium-based ones, are also technically susceptible to the Fullscreen BitM attack. These browsers do issue a notification when fullscreen mode is activated, but the warning is described as subtle and easily overlooked. Dark mode and modified colour schemes can make the notification even less noticeable. In contrast, Safari only shows a brief swipe animation with no explicit messaging, which increases user vulnerability. The research states that endpoint detection and response solutions lack the capability to monitor activity within the browser itself, rendering them ineffective against both standard and fullscreen BitM attacks. According to SquareX, "EDRs have zero visibility into the browser and are proven to be obsolete when it comes to detecting any BitM attack, much less its more advanced fullscreen variant. Additionally, orchestrating the attack with technologies such as remote browser and pixel pushing will also allow it to bypass SASE/SSE detection by eliminating any suspicious local traffic." The researchers assert that security tools are currently unable to detect or mitigate Fullscreen BitM attacks due to the lack of access to detailed browser metrics. "As phishing attacks become more sophisticated to exploit architectural limitations of browser APIs that are either unfixable or will take significant time to fix by browser providers, it is critical for enterprises to rethink their defense strategy to include advanced attacks like Fullscreen BitM in the browser," the research team stated. SquareX's disclosure of the Fullscreen BitM attack is part of its ongoing initiative to highlight browser vulnerabilities and architectural limitations as browser-based attacks continue to evolve. Previous disclosures under the Year of Browser Bugs project have addressed threats such as Browser Syncjacking, Polymorphic Extensions, and Browser-Native Ransomware.
Business Mayor
27-04-2025
- Business
- Business Mayor
SquareX secures US$20 million to transform browser security
SquareX has announced the close of its Series A funding round, raising US$20 million. The investment was led by SYN Ventures, a venture capital firm specialising in cybersecurity, with continued support from Peak XV Partners, formerly known as Sequoia Capital SEA. The Singapore-based company has pioneered Browser Detection and Response (BDR), a solution that strengthens security directly within the browser. Its approach eliminates the need for businesses to adopt entirely new enterprise browsers, which can often disrupt user experience and productivity. Instead, SquareX offers a simple extension that turns any browser into a secure, enterprise-grade tool. Vivek Ramachandran, CEO of SquareX, said, 'The browser is the new endpoint, yet it remains a major blind spot for most organisations. Existing solutions often force a trade-off between security and usability. We built SquareX to eliminate this compromise in browser security, offering robust protection that works with the browsers users are already familiar with. This Series A funding, led by the team at SYN Ventures, validates our vision of everyone being able to be online without fear.' As browsers have increasingly become primary targets for cyberattacks, the need for better security solutions has grown urgent. Traditional security tools often lack the ability to monitor threats at the browser level, and adopting proprietary enterprise browsers can create friction in daily workflows. SquareX addresses these challenges with its BDR extension. It allows enterprises to detect and manage threats such as malicious extensions, phishing attempts, data leakage through generative AI, and insider threats. By operating within the native browser environment, SquareX significantly reduces the attack surface without compromising usability or requiring complex change management. Jay Leek, Managing Partner and Founder of SYN Ventures, commented, 'SquareX is tackling one of the most significant and underserved areas in cybersecurity today. The browser is ground zero for countless attacks, and the team at SquareX has developed an elegant and powerful solution that provides critical visibility and control where it's needed most – directly within the native browser experience.' Peak XV Partners, which first invested during SquareX's seed stage, has expressed confidence in the company's progress and direction. 'Having partnered with SquareX since their seed stage, we've been impressed by their vision and execution in tackling browser security challenges. We are excited to partner with them again as they demonstrate strong results in delivering much-needed cybersecurity capabilities to enterprise customers,' said Shailendra Singh, Managing Director at Peak XV. SquareX's innovative approach aims to reshape how enterprises think about browser security, offering a way to protect users without disrupting their preferred digital workflows.
Forbes
17-04-2025
- Business
- Forbes
19 Tech Experts Detail Emerging APT Tactics (And How To Prepare)
getty The thought of a successful cyberattack is a sobering one for any business, but even more alarming are advanced persistent threats. Through these sophisticated attacks, a bad actor infiltrates a network and is able to linger for an extended period of time, undetected, accessing sensitive data, disrupting operations or even conducting ongoing surveillance. Carefully planned and often tailored to specific industries and technologies, APTs are evolving and growing in number, with cloud migration, remote workplaces and increased reliance on third-party vendors expanding the attack surface. Below, members of Forbes Technology Council detail emerging APT tactics digital organizations must be ready for and how to prepare. Browsers have emerged as a significant threat vector. The significant majority of our work time is spent within browsers. As the use of SaaS applications continues to grow, the number of locations where sensitive data is stored expands, making it more challenging to secure data and leaving IT and security teams struggling to keep up. Our inability to mitigate browser-based threats poses critical risk for our organizations. - John Carse, SquareX Threat actors are weaponizing EDR bypass tools (or 'EDR killers') to launch their attacks, as seen in recent attempts by RansomHub. Threats that evade perimeter controls, however, must still cross the network—which can't be tampered with. Have a layered defense that includes network visibility to identify unusual patterns that could indicate malicious behaviors so attackers have nowhere to hide. - Rob Greer, ExtraHop Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify? AI supports every phase of an attack, including command-and-control (C2) beaconing. If your security mostly relies on machine learning systems based on rules and known indicators, you're exposed. Most enterprises should expect their counterparties to be repeatedly hacked—until we all embrace adaptive deep learning as a defense. - Evan Powell, Deep Tempo APT groups will weaponize deepfake-driven phishing even further. AI-generated voices and videos will impersonate executives, bypassing traditional identity verification and social engineering defenses. Organizations must implement multifactor biometric authentication, behavioral analytics and AI-driven anomaly detection that can flag even the most subtle inconsistencies. - Aditya Patel, Amazon Web Services (AWS) Cloud collaboration tools are increasingly being weaponized. Attackers 'live off the land' using trusted platforms like Microsoft 365 to evade detection. To combat this, organizations should implement strong multifactor authentication and behavioral analytics for cloud environments and train employees to recognize suspicious activity in the tools they rely on for daily collaboration. - Gergo Vari, Lensa, Inc. Advances in generative AI have become sophisticated, making social engineering attacks more convincing and challenging to detect. Identity-driven security, such as phishing-resistant authentication and verification, plays a crucial role in mitigating social engineering attacks by focusing on verifying and validating the identities of users and entities involved in digital interactions. - Venkat Viswanathan, Okta APTs are increasingly targeting backup and disaster recovery systems to sabotage recovery efforts. Organizations must implement immutable backups, enforce zero-trust access, regularly test recovery plans and use AI-driven threat detection to ensure cyber resilience. - Aliasgar Dohadwala, Visiontech Systems International LLC APT groups are increasingly leveraging infostealer malware to harvest credentials and session cookies, allowing them to bypass multifactor authentication and maintain stealthy access. To defend against this, organizations must monitor for stolen credentials, detect and invalidate compromised sessions, and enforce adaptive authentication to prevent attackers from exploiting legitimate user identities. - Damon Fleury, SpyCloud A rising APT tactic is supply chain attacks, where hackers exploit third-party vendors and software dependencies to breach networks. To counter this, organizations must conduct strict vendor assessments, enforce zero-trust security, implement continuous monitoring and strengthen incident response to safeguard critical systems and data. - Sanjoy Sarkar, First Citizens Bank While open-source AI models are a goldmine for software developers, they are equally attractive to cybercriminals for embedding malware. Organizations need to be able to discover which models are being used within their applications, and how they're being used, to screen them for security risks and enforce policies over which models can and cannot be used. - Varun Badhwar, Endor Labs Prepare for AI-driven APTs that autonomously adapt to security defenses. These attacks learn from detection attempts and modify their techniques to remain hidden. Prepare by implementing AI-based defense systems, conducting adversarial simulations, developing response playbooks, embracing zero-trust architecture and investing in threat intelligence for early warnings of new attack methods. - Priya Mohan, KPMG An emerging APT tactic is adversarial AI attacks, where threat actors manipulate machine learning models to evade detection or generate false insights. Organizations should prepare by securing AI training data, implementing robust anomaly detection and continuously stress-testing models against adversarial inputs. Strengthening AI governance and investing in explainable AI will enhance resilience. - Sai Vishnu Vardhan Machapatri, Vernus Technologies Attackers are deploying zero-click exploits—which require no user interaction—to infiltrate mobile devices, Internet of Things systems and critical infrastructure. Enterprises need continuous endpoint monitoring, hardware-level security enforcement and AI-driven anomaly detection for connected devices. - Vamsi Krishna Dhakshinadhi, GrabAgile Inc. An emerging APT tactic involves targeting unmanaged digital assets (that is, shadow IT) and poisoning AI training data to manipulate outcomes. Organizations should conduct regular audits to identify and secure shadow IT, enforce strict governance over digital tools, validate AI data pipelines and implement anomaly detection to ensure data integrity before model training. - Mark Mahle, NetActuate, Inc. A new APT tactic to watch for is adversary-in-the-middle (AiTM) attacks, where threat actors intercept and manipulate real-time communications to bypass authentication and hijack sessions. To prepare, organizations should implement phishing-resistant multifactor authentication, monitor session integrity and deploy AI-driven anomaly detection to flag unauthorized access attempts before they escalate. - Roman Vinogradov, Improvado APTs will increasingly target data governance gaps rather than technical systems. Organizations should prepare by establishing comprehensive data inventories and clear data lineage. When you know what data you have, who can access it and how it flows through systems, you eliminate the 'dark corners' where threats hide. - Nick Hart, Data Foundation Organizations must prepare for 'AI poisoning,' where attackers manipulate machine learning models by injecting corrupted data into training sets. This can lead to biased and incorrect results, eventually distorting fraud detection and security defenses. Organizations must implement robust data validation pipelines and regularly and proactively audit AI models for anomalies. - Harini Shankar Cloud-native attack chains are a rising advanced persistent threat trend. These use cloud services for stealthy, complex attacks that evade traditional defenses. Organizations must implement cloud workload protection (CWP), continuous API monitoring and SIEM that correlates cloud-native logs. Microsegmentation and least-privilege access are also vital to limit lateral movement. - Pradeep Kumar Muthukamatchi, Microsoft Attackers with long-term footholds in networks performing data exfiltration are a major concern. To combat this, businesses should implement zero-trust architectures to limit lateral movement and use next-generation firewalls that analyze traffic patterns to new or untrusted locations. - Imran Aftab, 10Pearls
