Monday, December 11, 2017

A Lightweight Approach to Mobile Security


In a post last week, I summarized some of the reasons that mobile security is hard for enterprises. The Gartner-defined approach known as Mobile Threat Defense, or MTD, is widely accepted as the best practice for mobile security. This approach, while comprehensive, represents heavy lifting for most enterprises. Let's unpack that before exploring what might represent a more reasonable, lightweight approach for getting started with enterprise mobile security.

MTD, as defined, has the following four general requirements:
  1. Device behavioral anomalies — MTD tools provide behavioral anomaly detection by tracking expected and acceptable use patterns.
  2. Vulnerability assessments — MTD tools inspect devices for configuration weaknesses that will lead to malware execution.
  3. Network security — MTD tools monitor network traffic and disable suspicious connections to and from mobile devices.
  4. App scans — MTD tools identify "leaky" apps (meaning apps that can put enterprise data at risk) and malicious apps, through reputation scanning and code analysis.
Most vendors propose to address requirements 1, 2, and 3 above with on-device apps, or agents. Item 4, app scans, is generally addressed through an Enterprise Mobility Management (EMM) integration or a proprietary MDM server, either of which must be deployed and managed by the enterprise IT staff (although many enterprises may already have an EMM deployed).

Requirements 1 and 2 are focused on malware detection. As I've outlined in prior posts, while mobile malware represents a real risk to individuals due to the threat of identity theft, financial fraud, ransomware and spyware, it is only a negligible enterprise threat. Requirement 3, network security, has been highlighted by vendors as critical to preventing WiFi-based man-in-the-middle (MiTM) attacks with real-time detections for SSL stripping and rogue access points. But, again, such attacks are far more of a threat to individuals than enterprises. Think about it this way: A MiTM attack against mobile devices is essentially the same as a MiTM attack against laptops, which have been used in coffee shops, hotels, airports and other public spaces for more than a decade prior to the wide adoption of smartphones. How many enterprises were breached due to MiTM attacks against their laptops? None that have been publicly reported. And how many commercial solutions exist to protect laptops against MiTM attacks? None that I can find. The evidence suggests that the need for protection against mobile MiTM attacks is vendor-generated hype rather than a response to real risks to enterprises. And feedback from enterprises attempting to deploy network security approaches suggests that the current generation of products in this space is rife with false positives--a huge burden to IT staff, and something that leads to loss of trust from users.

Because MTD requires enterprises to deploy a mobile app on all users' mobile devices, it imposes challenges from both an operational and employee relations perspective (enterprises routinely receive push-back from employees due to concerns about corporate surveillance as well as the many questions they will have regarding the app). Furthermore, MTD solutions remediate risks by requiring employees to delete apps that violate corporate policies from their personal devices, even if those apps are not used at work. For example, an employee or contractor might be required to permanently delete a gaming, social network or messaging app that the individual might otherwise use and enjoy often. That's a tough sell, and can lead to employee resentment and dissatisfaction--and creative attempts to circumvent controls.

In summary, MTD is a heavyweight approach to mobile security because it is orthogonal to the existing security infrastructure, requires a complex integration with EMMs, introduces a new system that requires management and operational responses, and involves convincing all employees, contractors and other users to deploy a mobile app that performs on-device security functions (hopefully with minimal battery drain) and which may require employees to delete beloved apps from their personal device. This is the reason MTD can be characterized as requiring heavy lifting for enterprise mobile security.

An App-Centric, Lightweight Approach to Mobile Security
Are there other approaches to securing mobile devices in the enterprise that don't require mobile app deployment or EMM integrations? Unfortunately, there are no commercial products that I'm aware of. I therefore believe there's an opportunity for vendors or enterprising startups to fill the solution gap between doing nothing and adopting a heavyweight solution. I'll outline the main characteristics below.

First, I think the issue of mobile security is largely an issue of mobile app security and requires an app-centric approach. The device and network threats, while real, are less of a threat to enterprises than vendors and the trade press would have us believe.

Second, mobile security is unfamiliar terrain for IT security staff, who would have to master EMM capabilities and the operational aspects of integrating with MTD solutions.

Third, it would be ideal if a mobile security solution leveraged current enterprise security infrastructure rather than having to introduce a new platform. Most enterprise security today is based on identifying threats that come from specific external sites as identified by IP addresses. Threat intelligence, employed by many enterprises, includes a list of IPs that should be blocked, and the ubiquitous firewall is the primary security solution for accomplishing that.

If an enterprising vendor developed a mobile threat intelligence feed, that could be used to provide a reasonable level of protection within the enterprise.

The ideal feed would include endpoints and servers associated with malware campaigns which could be blocked by a firewall or other perimeter security solutions (while as noted above this is a negligible threat to enterprises, blocking those connections would be a relatively trivial task so the cost/benefit ratio is positive).

In addition, the mobile threat intelligence feed would identify apps' network connections that leak data contrary to corporate policy. Of course, each enterprise has different criteria for developing such policies, so the feed should include enough metadata that connections could be selectively blocked based on the nature of the data leakage risk.

The vendor providing such a feed would have to analyze the connections from all apps available from Google Play, the App Store, and any other sanctioned app stores. This is simpler than doing a full behavioral analysis of the apps. A higher-level solution would classify connections based on the type of data being leaked. I believe the apps' network connections could be categorized as follows:
  • backend: the servers that the app connects to for cloud-based computation, aggregation and persistent storage
  • auxiliary: the third-party servers that provide auxiliary services to the app, such as outside temperature or a map overlay
  • marketing frameworks: the third-party servers, such as Flurry, that provide app use analysis and some forms of surveillance to precisely identify characteristics of the user, usually for input into big data algorithms for ad networks
  • ad networks: the third-party servers and related infrastructure for serving ads (and sometimes malvertising) to the mobile device
The mobile threat intelligence feed, with metadata for each IP identifying the source app and which category the connection falls into, would give enterprises enough data to provide lightweight security to their mobile devices, both COPE and BYOD.

Here are some use cases that could be addressed with such a solution:
  1. Malware protection: block all connections to/from malicious sites. Note that blocking of such connections would only be performed while the mobile device is on the corporate network; when the employees go home no further protection would be active unless a VPN is used. However, this is exactly the paradigm in place for laptop protection, when employees take their laptops home. When accessing enterprise resources remotely, a VPN is almost always required, and malicious IPs would be blocked.
  2. Data leakage: block all connections, based on policy criteria. For example, apps that send address books could be blocked. The enterprise wouldn't necessarily know which apps are the offending ones (although a mature solution would have the option to query that). Note that the blocking of those connections prevents data leakage without having an on-device agent and without requiring any action on the part of the user. The user experience would simply be that the app would fail to work normally. If it's not a work-based productivity app, the employee really has nothing to complain about except having to wait until they get home to play games or engage their social network. Maybe productivity will improve!
  3. Advertising: while employees using apps that receive ads isn't generally considered a threat, does an enterprise really want content from any one of hundreds of ad networks sending data into their secure environment? And while ad network malware, known as malvertising, is rare, that would be prevented by blocking all advertising connections.
Note that with such a solution most of the MTD deployment and operational challenges are not present. No EMM integration is required. No mobile apps or agents need to be deployed on all users' devices, and employees are never asked to delete apps from their device. Some personal apps that violate policy may not operate correctly while employees are at work, but that's hardly something they can complain about.
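To make the feed-plus-firewall idea concrete, here is an added example (my own illustration, not code from the post or from any vendor) that models the connection categories listed above and the three use cases just described: a small JSON feed keyed by destination IP with the source app, its category and the data types seen leaking; an enterprise policy that selects which categories and leak types to block; a renderer that turns the result into firewall drop rules; and a log annotator that tags perimeter flows with the responsible app and the policy verdict. The feed format, the app names, the IP addresses (documentation ranges), the policy values and the log lines are all constructed for this example.

```python
# Added example: a constructed mobile threat intelligence feed, a policy that
# turns it into perimeter block rules, and an annotator for perimeter logs.
import ipaddress
import json
from collections import defaultdict

# Constructed sample feed: one record per destination a vendor observed an app
# connecting to. "category" uses the post's four classes plus "malware" for
# campaign infrastructure; "leaks" lists data types seen leaving the device on
# that connection. The last record is deliberately malformed (bad IP).
SAMPLE_FEED = """
[
 {"ip": "203.0.113.10", "app": "com.example.notes", "category": "backend", "leaks": []},
 {"ip": "203.0.113.20", "app": "com.example.weather", "category": "auxiliary", "leaks": ["location"]},
 {"ip": "198.51.100.5", "app": "com.example.game", "category": "marketing", "leaks": ["device_id", "address_book"]},
 {"ip": "198.51.100.6", "app": "com.example.game", "category": "ads", "leaks": []},
 {"ip": "192.0.2.77", "app": "com.example.flashlight", "category": "malware", "leaks": ["address_book", "sms"]},
 {"ip": "not-an-ip", "app": "com.example.broken", "category": "ads", "leaks": []}
]
"""

VALID_CATEGORIES = {"backend", "auxiliary", "marketing", "ads", "malware"}

# Constructed enterprise policy: categories and leaked data types that justify a block.
POLICY = {
    "block_categories": {"malware", "marketing", "ads"},
    "block_leaks": {"address_book", "sms"},
}


def parse_feed(text):
    """Parse the JSON feed, dropping records with a bad IP or an unknown category."""
    entries = []
    for rec in json.loads(text):
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except (KeyError, ValueError):
            continue  # malformed record: never let it become a firewall rule
        if rec.get("category") not in VALID_CATEGORIES:
            continue
        entries.append({"ip": str(ip), "app": rec.get("app", "unknown"),
                        "category": rec["category"],
                        "leaks": set(rec.get("leaks", []))})
    return entries


def decide(entry, policy=POLICY):
    """Return the policy reasons for blocking this destination (empty list = allow)."""
    reasons = []
    if entry["category"] in policy["block_categories"]:
        reasons.append("category:" + entry["category"])
    for leak in sorted(entry["leaks"] & policy["block_leaks"]):
        reasons.append("leak:" + leak)
    return reasons


def build_blocklist(entries, policy=POLICY):
    """Map each IP to block to its set of reasons; one IP may serve several apps."""
    blocklist = defaultdict(set)
    for entry in entries:
        for reason in decide(entry, policy):
            blocklist[entry["ip"]].add(reason)
    return dict(blocklist)


def iptables_rules(blocklist):
    """Render the blocklist as iptables drop rules with the reasons as a comment.
    Sorting by ipaddress.ip_address assumes a single address family (IPv4 here)."""
    rules = []
    for ip in sorted(blocklist, key=ipaddress.ip_address):
        comment = ",".join(sorted(blocklist[ip]))
        rules.append(f'iptables -A FORWARD -d {ip} -m comment --comment "{comment}" -j DROP')
    return rules


# Constructed perimeter log lines: a timestamp followed by key=value fields.
SAMPLE_LOG = """\
2017-12-11T09:01:02 src=10.0.0.5 dst=203.0.113.10 dport=443
2017-12-11T09:01:05 src=10.0.0.5 dst=198.51.100.5 dport=443
2017-12-11T09:02:10 src=10.0.0.9 dst=192.0.2.77 dport=8080
2017-12-11T09:02:11 src=10.0.0.9 dst=192.0.2.250 dport=53
"""


def annotate_log(log_text, entries, policy=POLICY):
    """Tag each logged flow with the feed's app names for its destination and the verdict."""
    by_ip = defaultdict(list)
    for entry in entries:
        by_ip[entry["ip"]].append(entry)
    verdicts = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        dst = fields.get("dst")
        matches = by_ip.get(dst, [])  # unknown destinations are simply not in the feed
        action = "BLOCK" if any(decide(m, policy) for m in matches) else "ALLOW"
        verdicts.append((dst, action, sorted({m["app"] for m in matches})))
    return verdicts


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for rule in iptables_rules(build_blocklist(feed)):
        print(rule)
    for dst, action, apps in annotate_log(SAMPLE_LOG, feed):
        print(f"{dst:15} {action:5} {','.join(apps) or '-'}")
```

The policy is deliberately coarse: it blocks by category (malware, marketing frameworks, ad networks) and by leaked data type (address book, SMS), while a backend or auxiliary connection that only reports location is allowed, which is the kind of selective decision the feed's metadata makes possible. The annotator shows the other half of the post's argument: because the feed carries the source app, the enterprise can answer "which app is behind this blocked connection" from its existing perimeter logs, with no agent on the device.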

A specialized mobile threat intelligence feed could represent an enterprise's first step into mobile security. Based on how the threat landscape evolves, and how MTD solutions mature over time, there's nothing to preclude adoption of MTD at some future date.

I haven't done an exhaustive search of the many threat intelligence feeds available today. It's possible that one or more are already covering mobile connections to some extent. And I don't know for sure that existing MTD vendors aren't exploring lightweight options similar to what has been described above. Hopefully the enterprises that have opted not to procure MTD due to its cost and operational burden may find a lightweight approach to mobile security in the near future.


