A device-only approach to mobile security ignores the critical real-time context of exploits, hackers and incidents that are currently acting on other devices, whether they are in the same company or around the world.
A look at home security may help to illustrate this point. When we focus on protecting our homes, we start with traditional home-only security – locks on the doors, and maybe sensors on the windows. Those sensors may even be connected to a third-party organization for incident response (as mobile security may be connected to EMM). This is a home-only approach. If a thief enters the neighborhood, pretending to be a safety inspector, his exploit will work just as effectively from house to house, as long as each house acts in isolation. Setting up a neighborhood watch and a phone tree may help to reduce the risk, especially after the first incident. Likewise, door locks and window sensors may start to fail or show a vulnerability to certain break-in methods. Unless there is a system of crowd intelligence and a central system of analysis and communication, every home with those components will continue to be just as vulnerable – and the homeowner isn’t even aware of the increased risk.
Mobile devices, like our homes, are ultimately what we are trying to protect, but our ability to do so is severely limited if we do not employ a layered approach, leveraging crowd intelligence and central analysis to get the job done. In addition to missing critical information and context that may help to protect our devices, there is another hazard with the device-only approach to mobile security. Mobile devices, unlike PCs, rely heavily on batteries and limited processing power. A device-only approach that cannot share the analysis burden with a cloud server will necessarily consume enough battery and processing time that the end-user experience is negatively impacted.
Here are a few specific reasons why it is important for IT administrators to consider a holistic, layered approach when securing mobile devices, instead of device-only:
- Zero-day attacks: The idea behind a zero-day attack is that it involves an exploit which has not been identified by anyone. That means with the flip of a switch, attackers begin to exploit something en masse that IT has not proactively patched. If this happens with device-only software, your users will all be vulnerable until after they’ve been infected! What’s needed is a crowd-sourced intelligence apparatus, a system that uses every device linked to the Mobile Threat Defense (MTD) solution to form real-time threat alerts. In this case, for example, users not tied to your organization are affected by a zero-day attack first. Your MTD solution sees this, recognizes the same exploit or conditions across the globe, and alerts or protects organizations and mobile users accordingly.
- Implementing a real-time mobile app reputation service (MARS): A single organization or solution can’t be expected to know about, let alone blacklist, every malicious app as it appears. Malicious repackaged apps, for example, appear all the time, and to an individual mobile device they are indistinguishable from a legitimate app until it is much too late, once they have been added to a malware signature list. A solution that constantly monitors millions of apps, installed across millions of mobile devices, can automatically detect even the smallest deviation in any app and blacklist it without any intervention by IT and without relying solely on malware signature lists. The work is completely outsourced to a real-time system. Note that this same approach applies equally well to malicious and suspicious networks around the world.
- Operating system updatability: It is common practice for mobile OS update alerts to be communicated out to end users over a period of time. In the case of Android, the community is so fragmented that even Google cannot identify when particular devices, with particular hardware, on particular provider networks, are actually able to update to the safer version. Device-only security can only wait for an official notice to come, while cyber criminals take advantage of this “window of vulnerability”, which may last 6 months or more, to perform exploits against the disclosed security holes on un-patched devices. Leveraging a massive crowd-based threat intelligence platform, critical OS upgradability information can identify exactly when a particular patch version is available and automatically notify the appropriate users, leading to greater security for both Android and iOS platforms.
- Device performance and battery life: A device could, theoretically, perform most of the analysis required to evaluate potential threats, but it is impractical and a bad idea. Consider dynamic app analysis, a common and important method for evaluating new apps. For this, the app must be installed into a virtual, sandboxed phone environment and executed to explore all of its functions. This means the real device is now running two full phone operating systems plus an exhaustive execution of the new app, and this is just one piece of the evaluation. Servers are far better suited to these tasks. If you rely on a mobile app to perform all the analysis and processing required, you will quickly have your users uninstalling (or finding ways to circumvent) that software. When a user finds an app slowing their phone down and draining their battery, we all know what happens: they uninstall it, undermining the original goals of the security solution.
A better strategy is to use incremental analysis, where the app on the device is the first line of defense but has the ability to hand off the next level of analysis to something bigger and more powerful in the cloud. This balanced approach ensures the impact on the device and the user experience is minimal, while leveraging virtually unlimited computational power. The cloud server also has the advantage of updating in real time based on millions of other devices, performing more relevant analysis that is completely unavailable to device-only solutions until the next product update.
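The hand-off described above, as an added illustration that is not Skycure's code: the device does only a cheap local blocklist check, unknown apps are reported to an assumed cloud reputation service that tracks crowd-wide prevalence and flags repackaged builds (same package name, different bytes, as in the MARS point above), and verdicts from heavy server-side analysis are cached locally so later checks cost no battery or network. All package names, hashes and permission names are constructed for the example.

```python
import hashlib

# Constructed sample data: permission names that warrant caution while an app is unknown.
RISKY_PERMS = {"READ_SMS", "SYSTEM_ALERT_WINDOW", "BIND_ACCESSIBILITY_SERVICE"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CloudReputation:
    """Assumed cloud-side service: crowd prevalence plus verdicts from server-side analysis."""
    def __init__(self, known_good: dict):
        self.known_good = known_good   # package name -> hash of the legitimate build
        self.verdicts = {}             # hash -> "malicious" | "benign"
        self.prevalence = {}           # hash -> set of device ids that reported it

    def report(self, package: str, digest: str, device_id: str) -> str:
        self.prevalence.setdefault(digest, set()).add(device_id)
        if digest in self.verdicts:
            return self.verdicts[digest]
        if package in self.known_good and self.known_good[package] != digest:
            return "repackaged"  # same package name, different bytes: treat as suspicious
        return "unknown"

    def set_verdict(self, digest: str, verdict: str) -> None:
        # Result of heavy server-side (sandbox) analysis; every device benefits afterwards.
        self.verdicts[digest] = verdict

def device_triage(package: str, apk: bytes, perms: set, cloud: CloudReputation,
                  device_id: str, local_blocklist: set) -> str:
    """Tier 0 is local and cheap; only hashes the device cannot decide are handed off."""
    digest = sha256(apk)
    if digest in local_blocklist:
        return "block:local_blocklist"
    verdict = cloud.report(package, digest, device_id)
    if verdict in ("malicious", "repackaged"):
        local_blocklist.add(digest)  # cache so the next check needs no network round-trip
        return "block:" + verdict
    if verdict == "unknown" and perms & RISKY_PERMS:
        return "quarantine:pending_cloud_analysis"
    return "allow"
```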
These are just four reasons why a Mobile Threat Defense (MTD) solution cannot effectively rely solely on an app installed on the device itself. No, what is needed is a solution that incorporates that mobile app into a comprehensive layered solution that includes cloud computing, machine learning, crowd-sourced intelligence, central monitoring and reporting, and more.
In fact, if you read the SANS Institute’s checklist for Mobile Security, you can see exactly how many essential features and capabilities are simply unavailable in a device-only solution, and why such a solution isn’t enough to protect your end users’ mobile devices or your company’s data. Skycure is proud that our Mobile Threat Defense (MTD) solution exceeds the SANS Institute’s checklist.
If you’d like to learn more about protecting your enterprise, we’d love for you to read more about our Mobile Threat Defense solution here, or to give us a shout at firstname.lastname@example.org.