
How mobile threat detection tools spot incoming attacks

EMM configurations can help safeguard the enterprise from attacks, but mobile threat detection tools take a different approach to actively pinpoint security issues.

A wide variety of third-party mobile threat detection products can address the mobile security concerns that most companies have.

The mobile security landscape is relatively safe. As a result, most corporate security measures comprise typical enterprise mobility management (EMM) configurations, such as encryption, VPNs, passcodes, remote wipe commands, data-sharing controls and checks that devices aren't rooted or jailbroken.

Mobile threat detection tools differ in that they are designed to actively discover security issues. There are three typical approaches that these products may use individually or in combination:

Ensuring device integrity. On-device agents can monitor the integrity of the device by probing as many APIs and aspects of the device as possible, looking for any changes of state, configuration or behavior that may indicate a compromise.

Network monitoring. An agent app can actively send and receive traffic, monitoring for signs of network-based attacks.

App scanning. An agent app or mobile device management server looks for potentially harmful apps. Some apps are, of course, outright malware. Some may be inadvertently insecure. And some may be perfectly legitimate apps that nevertheless put corporate data in danger. The mobile threat detection vendor does the actual analysis of the apps, via a service known as mobile app reputation.

The restricted nature of mobile devices and public app stores can make the job of a mobile threat detection agent app difficult. Some agents have functionality that is not allowed in publicly distributed apps, so they must be signed with enterprise credentials and distributed privately. For example, some agents query private or undocumented APIs. Others query devices to see what apps the user has installed -- a practice that's forbidden in the Apple App Store. So far, neither Apple nor Google has commented publicly or cracked down on this behavior, but businesses should be aware that apps that take this approach may be affected in the future if undocumented APIs are changed or if these vendors decide to act.

Today, most mobile threat detection products integrate with EMM platforms, so organizations can use EMM to enforce policies based on any threats or issues that these tools find.
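
How the three signal types above could feed a single EMM compliance decision, as an added sketch that is not from this article or any vendor's product. The state keys, verdict labels, action names and the certificate-fingerprint check are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Hypothetical EMM actions, least to most severe (not any vendor's API).
ACTIONS = ["none", "notify_user", "block_corporate_access", "selective_wipe"]
CRITICAL_KEYS = {"bootloader_locked", "su_binary_present"}  # assumed state names
APP_ACTION = {"malware": "selective_wipe",            # outright malware
              "insecure": "notify_user",              # inadvertently insecure
              "data_risk": "block_corporate_access"}  # legitimate but leaky

@dataclass
class Finding:
    source: str   # "integrity", "network" or "app"
    detail: str
    action: str

def integrity_findings(baseline, current):
    """Report every monitored value that drifted from the enrolled baseline."""
    out = []
    for key in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            action = "selective_wipe" if key in CRITICAL_KEYS else "notify_user"
            out.append(Finding("integrity", f"{key}: {old!r} -> {new!r}", action))
    return out

def network_findings(expected_fp, observed_fp):
    """Agent probes a known endpoint; an unexpected certificate hints at interception."""
    if observed_fp == expected_fp:
        return []
    return [Finding("network", "certificate fingerprint mismatch", "block_corporate_access")]

def app_findings(installed, reputation):
    """Map the vendor's reputation verdicts onto installed apps; unknown apps pass."""
    return [Finding("app", f"{app}: {reputation[app]}", APP_ACTION[reputation[app]])
            for app in installed if reputation.get(app) in APP_ACTION]

def decide(findings):
    """The EMM enforces the most severe action any finding asks for."""
    return max((f.action for f in findings), key=ACTIONS.index, default="none")

if __name__ == "__main__":
    # Constructed sample data: one drifted build string, one risky app.
    baseline = {"bootloader_locked": True, "su_binary_present": False, "os_build": "A1"}
    current = dict(baseline, os_build="A2")
    found = (integrity_findings(baseline, current)
             + network_findings("fp-constructed", "fp-constructed")
             + app_findings(["com.example.notes"], {"com.example.notes": "data_risk"}))
    for f in found:
        print(f.source, f.detail, f.action)
    print("EMM action:", decide(found))
```

Taking the most severe requested action means a low-severity finding never masks a critical one reported in the same check-in.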

The changing market

In the nearly 10 years that modern mobile devices have been around, there has been no shortage of ominous reports warning of exponentially increasing amounts of mobile malware and threats. Reports such as the 2016 Verizon Data Breach Investigations Report, however, have found no "significant real-world data" indicating corporate data breaches as a result of attacks on mobile devices. Anecdotally, the majority of smartphone and tablet users have had trouble-free experiences with their devices.

Mobile operating systems are designed to be much more restrictive than desktops originally were, and app stores vet most mobile apps. When potential security issues do come up, often they involve apps that are not from official app stores or require devices to be jailbroken or rooted. As a result, they do not affect typical users. Truly threatening exploits, such as spyware that can remotely infect devices, are still extremely rare. Apple is quick to respond to iOS vulnerabilities with operating system updates, and Google also took positive steps by introducing monthly Android security updates in 2015.

Without any large, widely reported mobile breaches to sway enterprise opinions, adoption of mobile threat detection remains low. Simply put, most organizations have many more pressing security issues to worry about.

In the past year, however, there have been signs that the market is shifting, including several high-profile partnerships and acquisitions. And almost all EMM vendors have mobile threat detection partner programs and integrations. Rare but widely reported incidents such as the Pegasus spyware, which could remotely jailbreak an Apple iPhone through a malicious link in a text message, have raised the profile of mobile threat detection.

Mobile threat detection adoption is likely to increase in 2017 and beyond, as it becomes part of organizations' more mature and wide-ranging mobile security strategies.
