While mobile threat defense products have been around for several years now, adoption is very low in many companies. Less than 40% of my customers have invested in mobile-specific threat detection and remediation tools. (Note that mobile threat defense is a category of products that is distinct from MDM, MAM, and EMM.) Today, I’ll look at why this is, why I think MTD should be deployed, and how deployments work.
The mobile threat model
This article will to concentrate on the more practical side of MTD, but in case you’re not up to speed, here’s a quick introduction.
On the one hand, mobile devices have a great security baseline. For example, mobile apps are sandboxed; today the official app stores are reasonably safe, and mobile devices commonly leverage concepts like hardware-based security, among other attributes. On the other hand, there are still threats, including mobile phishing, malware that does happen to slip through, network-based attacks, users that choose to root/jailbreak their phones, and apps that are legitimate but still do unwelcome things like siphon off contacts or fail to encrypt sensitive data in transit.
There are plenty of hooks that MDM and MAM use to protect against mobile security risks, but there’s also a role for mobile threat defense, as well. MTD products typically address mobile malware, mobile app reputation, device integrity/attestation, network security, and of late, phishing.
(For more, check out this series on mobile threat defense and mobile phishing.)
What organizations are deploying MTD, and why
Government agencies, legal firms, and banks, due to the prevalence of Banking Trojans, tend to have the highest protection rates. More regulated organizations tend to be more aware of the attack surfaces they are exposed to, while many other companies tend to be reactive, not taking any measures until they become aware of an attempt on their data.
Some of this complacency comes from a lack of education on the threats, and some from not knowing that solutions are available. Because mobile devices are commonly deployed for email access, many falsely believe that the protection on the email server is sufficient to detect threats before the mail ever reaches the endpoint.
However, the increase in phishing attacks being delivered via mobile messaging apps shows that IT departments need to consider the security of the entire device, not just the corporate apps.
Where budget has not been made available to deal with these threats, I often ask customers if they would consider saving money by not renewing the antivirus software on their laptops? Or even removing their corporate firewall? Of course, any admin who values their job would never dream of entertaining such reckless ideas, which makes it perplexing that they allow endpoints that operate beyond the boundaries of their network to face the world without equivalent protection.
Part of the problem is that many organizations don’t know when they have been attacked. Apps that steal contact lists often do so by abusing permissions granted by careless users. In this manner, the attack is largely invisible, as are network-based attacks. Mobile devices don’t let users see running processes in the way that a desktop/laptop does, and a slight dip in battery life is often indiscernible, so a phone can fall victim to a cryptojacking app without the user realizing that they are mining the currency on behalf of someone else.
Once companies engage in a trial of a threat defense platform, I see adoption rates in excess of 80%, as they invariably discover something that has been lurking on at least a subset of their mobile estate, and immediately see the risks to which they were oblivious beforehand.
Most MTD solutions can be deployed via a cloud portal, and orchestrated to some degree by MDM, so there isn’t a great degree of additional work for administrators once the initial configuration is complete.
Many of the leading solutions provide additional insights such as app intelligence (sometimes also referred to as a mobile app reputation service, or MARS), which can lead to automated whitelisting and blacklisting of apps based on behavior. Solutions such as Appthority go as far as geolocating the servers contacted by apps, so that blacklists can be made based on the countries the apps talk to. This is particularly useful for organizations that need to consider the Patriot Act, GDPR, or trying to decide whether information should be subject to seven-year retention under Sarbanes-Oxley, or Europe’s “right to be forgotten.”
Other solutions such as Wandera combine threat detection with corporate compliance and cost control, so that combined with MDM/EMM, devices are protected at device, app, and network layers.
Zimperium have embedded their app into MobileIron’s client app, so that administrators don’t even need to push another app out to devices once enrolled in EMM; it’s just a matter of licensing the additional feature and collecting security information.
It’s possible to configure and deploy these services for thousands of users very quickly (often less than a day), and so it’s not the massive project that often comes with adding software to a solution stack.
Typically, I encourage customers to start out by carefully considering the balance of security over privacy. Where COPE or BYOD devices are part of the estate, it is still possible to protect users, but messaging needs to be clear, and employees need to see the benefit they get by enrolling in the new security platform. For example, many platforms now offer user anonymity, or allow a user to be informed when an app or website leaks information, without alerting the administrator unless the leak poses a risk to corporate information. This presents a win-win scenario where privacy concerns are alleviated, company-related risks are flagged to IT, but the users are otherwise free to use the device as their own—within reason.
The biggest issues seem to be lack of awareness, which is easily fixed by allowing a software trial, and cost, which compared to the monetary and reputational costs of data breach, is minimal.
I think that once companies realize the unavoidable truth that the mobile device is every bit as much a corporate endpoint as the desk-based counterpart, the need to protect them against the growing threat landscape is obvious.
Currently, various researchers say that about 25,000 new mobile threats are being discovered every month, and while EMM protects the device from data loss if misplaced or stolen, it is only the base layer upon which security needs to be built.