A secure web gateway (SWG) is a web security solution that protects against cyberthreats and virus infections by analyzing web/internet traffic, inspecting web requests, comparing them to defined policies, and filtering malicious packets before they can reach their intended target.
Secure web gateways can be either on-premises or cloud-delivered. They sit between users and the internet, blocking malicious applications and preventing access to websites that are known to be bad. In this manner, unsecured traffic is prevented from gaining network access, protecting users from infection by malicious traffic, websites, viruses, and other malware. In addition, a secure web gateway ensures compliance with an organization’s regulatory policies and frameworks.
Secure web gateways are expected to have the following minimum set of functionality:
Some secure web gateways also incorporate antivirus software to block attempted downloads of threats, and sandboxing for real-time blocking or to prevent attacks by emulating the production environment.
Secure web gateways (SWGs) use a proxy architecture in which the SWG acts as an intermediary between client and server. As a proxy it can terminate and emulate traffic to deliver the desired protection: it terminates the inbound connection and emulates the client by originating a new, separate outbound connection to the server. In this manner the SWG receives all the packets of a request, including headers and message body, and can determine precisely what the server response is intended to do. Once this is determined, the SWG either sends the request on to its destination or diverts it for additional analysis such as policy enforcement, data loss prevention, or a sandbox that safely detonates a potentially harmful payload. Since every message is inspected both packet by packet and as a whole, security policies can be applied consistently to every type of communication, on-premises and in the cloud.
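The decision flow described above, as an added illustration that is not code from the original page or from any SWG product: the proxy has already terminated the inbound connection, so it holds the complete request (and later the complete response) and can forward it, block it, or divert it to DLP or a sandbox. The category table, DLP pattern and content types are constructed assumptions; a real SWG draws these from threat feeds and a URL categorization database.

```python
import re
from urllib.parse import urlsplit

# Constructed policy tables (assumption: a real SWG loads these from feeds/category DB)
URL_CATEGORY = {"evil.example": "malware", "news.example": "news", "share.example": "file-sharing"}
BLOCKED_CATEGORIES = {"malware", "phishing"}
SANDBOX_TYPES = {"application/x-msdownload", "application/zip", "application/octet-stream"}
DLP_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]  # constructed SSN-like pattern

def parse_http(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]

def decide_request(raw: bytes):
    """Policy decision for a client request the SWG has fully received."""
    start, headers, body = parse_http(raw)
    method, target, _ = start.split(" ", 2)
    # Absolute-form target (explicit proxy) or Host header (transparent proxy)
    host = urlsplit(target).hostname or headers.get("host", "").split(":")[0]
    category = URL_CATEGORY.get(host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return "BLOCK", f"host {host} categorized as {category}"
    if method in ("POST", "PUT") and any(p.search(body.decode("latin-1")) for p in DLP_PATTERNS):
        return "DIVERT_DLP", "request body matches a DLP pattern"
    return "FORWARD", f"{method} {host} ({category})"

def decide_response(raw: bytes):
    """Policy decision for the server response before it is released to the client."""
    _, headers, body = parse_http(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    # Inspect the whole body, not just the declared type: an 'MZ' prefix marks a PE executable
    if ctype in SANDBOX_TYPES or body.startswith(b"MZ"):
        return "DIVERT_SANDBOX", f"executable content ({ctype or 'MZ header'})"
    return "FORWARD", f"{ctype or 'no content-type'}, {len(body)} bytes"

if __name__ == "__main__":
    print(decide_request(b"GET http://evil.example/x HTTP/1.1\r\nHost: evil.example\r\n\r\n"))
    print(decide_response(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"))
```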
As the workforce has become increasingly distributed across locations, the need for SWGs has grown proportionally. The COVID-19 pandemic accentuated this need, as employees were required to access corporate resources such as data and applications from beyond the network perimeter. Now that employees work from home, a remote office, or anywhere with free Wi-Fi, the need for SWGs is apparent. Additionally, employees may be using multiple devices – laptops, tablets, and smartphones – to access corporate resources, and it can be difficult or impossible to ensure that these remote, mobile devices have adequate security.
Organizations that have not adopted an SWG may rely on legacy network security infrastructure, which was not designed with mobility, the cloud, and device scaling in mind. Given the speed with which new attack methods are being created, the amount of time and money needed to constantly update legacy hardware-based security appliances would make the task essentially impossible.
SWGs have the ability to stop both known and unknown threats, including zero-day threats and advanced persistent threats (APTs) that would otherwise avoid detection.
The use of proxies enables SWGs to detect and mitigate sophisticated, targeted attacks that utilize the web and web protocols.
Thanks to their proxy architecture, SWGs can discover threats concealed in web traffic that would evade detection by firewalls or other stream-based solutions. Frequently, SWGs are the only means of discovering and preventing attacks before they cause damage or violate policy or governance mandates.
SWGs keep abreast of new and emerging threats through monitoring tools that incorporate newly discovered attack signatures, since current threat intelligence is critical to SWG success. Because much web traffic is encrypted, SWGs can decrypt traffic – including cloud-based traffic – to ensure that there are no blind spots due to encryption. SWGs can also send suspicious content to other security systems, such as DLP or CASB, to improve the overall security posture of the organization.
SWGs also offer visibility into new attack vectors that may be present in web traffic. New sites and links can all be used to penetrate an organization’s defenses and damage operations. This visibility comes from monitoring and logging all traffic, on-premises and in the cloud, so the organization can see how the web is being used and by whom. This is increasingly important as many legitimate websites have unpatched vulnerabilities. By understanding and categorizing web traffic, SWGs can help ensure compliance with the myriad of government and local regulations as well as corporate governance policies.
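What the logging described above makes possible, as an added example that is not part of the original page: a few constructed SWG access-log lines are parsed, usage is summarized per user and category (who is using the web for what), and users pushing unusually large uploads to file-sharing or uncategorized hosts are flagged for review. The log format, field order and threshold are assumptions.

```python
from collections import defaultdict

# Constructed access log. Assumed fields: timestamp user src_ip host category action bytes_out
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice 10.0.0.5 news.example news ALLOW 512
2024-05-01T09:00:07Z bob 10.0.0.9 share.example file-sharing ALLOW 4200000
2024-05-01T09:01:12Z alice 10.0.0.5 evil.example malware BLOCK 0
2024-05-01T09:02:40Z bob 10.0.0.9 unknown-host.example uncategorized ALLOW 9800000
2024-05-01T09:03:05Z carol 10.0.0.12 mail.example webmail ALLOW 2048
"""

def parse_log(text):
    """Turn whitespace-separated log lines into a list of record dicts."""
    records = []
    for line in text.splitlines():
        ts, user, src, host, category, action, out = line.split()
        records.append({"ts": ts, "user": user, "src": src, "host": host,
                        "category": category, "action": action, "bytes_out": int(out)})
    return records

def usage_by_user(records):
    """How the web is used and by whom: {user: {category: request count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        summary[r["user"]][r["category"]] += 1
    return {user: dict(cats) for user, cats in summary.items()}

def flag_uploads(records, threshold=5_000_000, risky=("file-sharing", "uncategorized")):
    """Users whose allowed uploads to risky categories exceed the byte threshold."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ALLOW" and r["category"] in risky:
            totals[r["user"]] += r["bytes_out"]
    return {user: total for user, total in totals.items() if total > threshold}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(usage_by_user(recs))
    print(flag_uploads(recs))
```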
SWGs offer a comprehensive solution for protection of an organization’s digital assets. The primary benefits of SWGs are:
As with most infrastructure, secure web gateways can be deployed on-premises, in the cloud, or in a hybrid fashion. All of these deployments support an in-line connection that sends all web traffic to the SWG via a proxy, client-based agents, or another routing method.
As a rule, SWGs are deployed as a workload running on a server, whether a physical or virtual machine. Some SWGs are available as appliances. The largest growth is in the cloud-based SWG market.