Browser Security

Interviews
Written By Guest User
 

Browser Security and the Future of Endpoint Protection — A Conversation with Eric Cornelius, CEO of Conceal

In this week’s Gulch Adventures video, Ron Gula sits down with Eric Cornelius, a former CTO of Cylance and now the CEO of Conceal, for a wide-ranging conversation about browser security, endpoint protection, and how adversaries are evolving faster than many organizations can adapt.

The interview begins with a walk through Eric’s extensive cybersecurity journey — from early days at the Army Research Lab to critical infrastructure assessments at Idaho National Lab, and eventually leading security product innovation at Cylance. His background in both offensive and defensive cybersecurity uniquely positions him to understand the modern browser’s vulnerabilities and how enterprises should respond.

Why the Browser Is the New Front Line

Eric makes the case that the browser has become the single largest and most overlooked attack surface in most organizations. “It’s the secret castle door,” he says — the interface through which users regularly download and execute third-party code, often unknowingly. While endpoint detection and response (EDR) tools remain essential, they fall short when it comes to protecting users inside their browsers.

He highlights three key attack surfaces:

  1. The browser itself — vulnerable to exploits due to the complexity of modern engines.

  2. The user — susceptible to phishing, social engineering, and adversary-in-the-middle attacks.

  3. The websites being visited — often loaded with risky or opaque third-party scripts.

Using a real-world demonstration, Eric shows how a simple phishing link can capture login credentials, including multi-factor authentication (MFA) tokens, and hijack a user session — a method known as adversary-in-the-middle. Once hijacked, attackers can impersonate users across multiple services, creating long-term, stealthy breaches.

Code You Can’t See — The Invisible Risk

To illustrate the scale of modern web risks, Eric brings up CNN.com in a live demo and opens the browser’s developer console. Without clicking anything, over 245 third-party domains and nearly a gigabyte of data were loaded into the browser — over 14,000 lines of JavaScript. For an attacker, all it takes is one vulnerability or one successful exploit in that sea of code.

This type of exposure — where every tab, click, and scroll can trigger code execution — is what makes the browser both powerful and dangerous.

The Case for Managed Attribution and Secure Access

Eric explains that Conceal addresses these problems by blending browser plugins with managed attribution — meaning users can safely and anonymously browse the web, even on unmanaged or personal devices.

This approach is especially relevant for organizations with contractors, field workers, or bring-your-own-device (BYOD) policies. Conceal’s secure browsing sessions allow administrators to control what apps can be accessed, block downloads, disable screenshots, and prevent copy-paste — all without needing to install heavy agents or replace the browser itself.

“Most users don’t need to know their login credentials,” Eric notes. By using a proxy-based authentication layer, organizations can protect themselves from users accidentally reusing stolen credentials across services — a common path for attackers to move laterally inside networks.

Market Trends and EDR Saturation

Ron and Eric reflect on the evolution of the endpoint protection market. While Cylance disrupted legacy antivirus with AI-driven malware detection, today’s EDR platforms like CrowdStrike and SentinelOne have matured into full-fledged ecosystems. Eric calls this shift “platformization” — where each vendor tries to cover every threat vector with add-on modules.

However, this comes with diminishing returns. “You need endpoint protection,” Eric says, “but it’s not enough anymore. Especially when EDRs can’t see inside browser sessions.”

A Zero Trust Mindset, Especially in the Browser

The conversation reinforces a theme from many past Gulch interviews — the need to assume every website is hostile until proven otherwise. Ron recalls examples of legitimate websites — including local government domains — that were compromised and distributed malware to unsuspecting users. Conceal’s technology scans every page in real time, treating even trusted domains like Google or Salesforce as potentially dangerous.

Eric adds that content filtering remains a powerful and underutilized tool. Organizations should restrict access to known high-risk domains and geographies, reducing their attack surface by simply limiting browsing behavior. “Minimize non-corporate relevant behavior on corporate devices,” he advises.

What Makes Conceal Different?

Unlike solutions that replace the browser or just inspect traffic, Conceal’s hybrid approach combines endpoint visibility with network-level control. This allows them to provide:

  • Session isolation

  • Browser-based policy enforcement

  • Anonymous access to sensitive apps

  • Managed attribution for OSINT, AML, or competitive research use cases

Conceal also supports pre-negotiated encryption keys for secure communications — a critical feature in an era where telco routers and internet infrastructure are increasingly targeted.

So, Should You Still Use Chrome?

Ron presses Eric on what average users and organizations should do with their current browser stacks. Should you trust Chrome? Safari? Edge?

Eric’s answer is pragmatic: most enterprise users will default to whatever browser ships with their device — and that’s okay, as long as it's paired with layered controls like plugin-based isolation, content filtering, and managed attribution.

He stresses that the problem isn’t Chrome or Safari themselves, but the lack of control and lack of visibility into what they’re doing.

Final Thoughts for Small Business and Enterprise Users

Eric wraps with advice for teams without big budgets: start by patching everything, filtering risky content, and educating your users. Then layer in tools that can isolate browser sessions and prevent data leaks — especially when accessing SaaS apps, CRMs, or internal resources.

Ultimately, “hacking the user” through the browser will remain a top attack vector. Defending it will require smarter architecture, policy, and tooling — not just better malware signatures.

Bonus: Don’t Miss “The Bat Browser”

As a bonus to the interview, Gula Tech Adventures also released a new animated short titled The Bat Browser — where the world’s greatest detective learns how to stay anonymous online. It’s a lighthearted take on browser security and a reminder that even superheroes need to think twice before clicking suspicious links.

For more insights, tools, and interviews like this, visit gula.tech, follow Ron Gula on LinkedIn, or reach out to Conceal at conceal.io.

If you're a cybersecurity startup working in this space, reach out to us at investor@gulchadventures.com — we’d love to hear what you’re building.

 

Watch More

 
Guest User
Previous

The Bat Browser
Next

Art Of The Phish - Cynfeld #8