Mobile Threat Detection & Remediation

Webinar transcript - View the full webinar

 

Stratos Komotoglou:  Thank you for joining, and welcome, everybody, to today's webinar, "Mobile Threat Detection and Remediation on Device."

Before we start, I just have a couple of housekeeping items. This webinar will be recorded. If you or one of your colleagues are not able to join the live session today, you will be getting a link to the recording very soon.

In addition to that, we have a Q&A box in the WebEx console. If you have any questions, please feel free to type them into the Q&A box at any time. At the end of the webinar, we'll be taking some time to go through the most frequent questions.

Today with me, I have Chris Dobrec, who's our VP of Marketing, who will be going through the presentation. With that, I would like to hand it over to Chris.

Chris, thanks for joining us today. I know it's very early your time.

[silence]

Stratos:  Chris, can you hear us?

Chris Dobrec:  There we go. Can you hear me now, Stratos?

Stratos:  Yeah, works well. Welcome, Chris. Thanks.

Chris:  Very good. Thank you, Stratos, I appreciate it. It is indeed very early here in California. Good afternoon to everyone. Really looking forward to spending some time with you here this afternoon.

During the webcast today, we're going to spend some time to help you understand more regarding the following. I'm going to spend some time covering the overall landscape of cyber security on mobile devices. We're going to talk about different types of attacks that we're seeing with some real‑world examples.

We're going to discuss how to stop mobile attacks before they can do any harm with the unique solution that we're bringing to market. We're also going to talk about your strategy, including the implications to your organization if you choose to do nothing here. As well, the benefits that you can realize by having a focus on threat defense.

We're also going to talk about how to get started. Let me jump right in. Mobile threats are certainly on the rise and they're very real. We're seeing a number of these things emerge around the globe.

Currently, if you look at this map of London, you'll see a number of different orange circles with numbers in them. What these represent, actually, in the dots are the number of incidents that have taken place in that location. If you look near Piccadilly Circus, there are 15 incidents that have been reported through our systems just in that perimeter alone.

We're seeing these on a global scale. If I put a map of New York City, if I put a map of Tokyo, you would see very, very similar activity across the globe right now.

Some other things that we've done in conjunction with our partners, Imperium, the Imperium team actually did a study a few short months ago where they polled over 1,900 cybersecurity professionals in a variety of organizations and asked various questions about awareness of security threats on mobile.

Interestingly, 24 percent of the security professionals said they had suffered a mobile security attack. 24 percent of them were aware, but another 43 percent said they were unsure if any incidents had even occurred.

This is astonishing at this point in time in particular, because I wish to share some data with you that's been collected by the Miter Organization that looks at common vulnerabilities and exposures.

As I mentioned previously, these risks are very real, and they're on the rise. If you look at what's occurred over the period from 2015 to 2017 alone, you're seeing a massive, massive growth in the number of incidents being reported. In fact, in 2017 alone, there were over 600 new CDEs for Android and over 300 for iOS.

The numbers are increasing rapidly, and that's quite frankly because the sheer number of mobile devices on the planet. More importantly, those mobile devices connecting to very valuable information, be it personal or professional information makes these devices ripe for attack. Hackers are going after those in droves.

The threats are indeed very, very real. It's become big business for a number of folks who, they're paying lots and lots of money to come up with exploits. They're being paid lots of money to come up with these exploits, I should say.

They're being discovered all the time. Interestingly enough, both iOS and Android have had attacks. On the slide, you can see some of the more highly visible attacks discovered over the last four years, but there have been a variety of chain‑type attacks, malware attacks, ad‑rootkit‑type attacks, and not just one exploit.

You can see these threats are extremely real. I don't know if you're aware, but the most recent iOS update to 11.2.5 contained three fixes that were actually identified by the researchers at Imperium. This particular area is increasing dramatically right now.

What we wanted to do is spend some time now discussing what types of mobile attacks are there? Quite frankly, they're not created equal. There are three different types ‑‑ device, network, and application attacks.

If you look at the device level attacks, they're critical for you to defend against, because those are the ones that give the hacker complete control of the device. Device level attacks can remove any apps, even if it is in a container or encrypted, and they can own a network connection, even if SL Cert is on both ends.

It could allow a hacker to install their own software and do whatever damage they want. Hackers are beginning to turn these devices into weapons. The networks are critical to protect as well, because quite frankly, this is the on ramp.

The primary way to get started with a targeted attack. These targeted attacks are how a hacker gets access to a device to drop in the exploit on the device. For example, a hacker with a man in the middle attack can deliver an exploit to compromise the mobile device, and that exploit can remain persistent, meaning it doesn't go away. It can sit there silently and then be enacted later on.

Once the device is compromised, of course, they can deliver a payload and give access to the hacker. The hacker gets control over the device, the user, and the owner. They can take contacts, they can steal email, they can log in as the user and send phishing emails to various constituents. It is very important to understand that the network is the on‑ramp for these types of attacks.

Then there are application level attacks as well. Most malicious apps are actually used for untargeted attacks, primarily for fraud. We see this in the Android world, primarily.

In reality, most iOS applications, we haven't seen these malicious attacks on apps. That is because Apple does a great job at vetting their particular applications. In the Android world, we see this quite significantly.

When you focus on where to protect, the device level attacks have to be the primary concern. Then preventing network attacks as well. This is what we do with our MobileIron Threat Defense solution. We use behavior‑based machine learning, which is extremely important, because other solutions spend their primary time focusing on the application.

In a properly configured EMM environment, you can do a great job of addressing user concerns. Allowing access to assets for the user to get to certain systems in the back end and whatnot.

What threat defense does on top of EMM is it actually gives the ability to address the malicious attacker from the outside. The combination of EMM and mobile threat defense that we're bringing together with MobileIron is extremely powerful.

Let's now look at how mobile attacks happen and what MobileIron can do to reduce the risk of loss. Here's three common scenarios across networks, device configuration changes and silent device attacks.

Let's first talk about the network attacks. In a typical scenario, a user can connect to WiFi in a coffee shop. Unbeknownst to them, a hacker can be sitting there with a rogue access point.

The user will unknowingly connect to that rogue access point. The hacker can then redirect them to a phishing page and began collecting data like usernames and passwords.

They can even drop an exploit on the device, as I mentioned previously. Once they have access here through the network, they can get access to a whole trove of information across the corporate network.

While using a solution like MobileIron Threat Defense, we can actually detect and block that situation right where it starts, with the man in the middle.

Let's take another scenario here. Device configuration changes. Here we have a not atypical situation, where a consultant or a contractor is working at a client. They are going in and out of the network.

The IT department at their client may have significant restrictions on network usage, or they may wish for that contractor to use EMM to gain access to systems, however they can't, for example, because the contractor already has EMM and iOS devices as an example, won't allow multiple EMM profiles.

How the contractor‑consultant gets around it is to use something like a free VPN application to get around that and get to their own corporate resources. Unbeknownst to that person, the free VPN app can do things like install an SSL search and allow that a hacker to get access to that particular device and raise privileges on the device to get access to more and more information.

Again, if you have a solution, like the MobileIron threat detection solution, you can actually detect when that free application is installed, and block it at that point to prevent any further damage to the environment.

Another scenario that we've seen are silent device attacks. This is a rather clever one that as was exemplified by stage flight most recently. Imagine a scenario where the phone is sitting idly and a hacker actually sends a SMS or MMS to the device.

Well, the user, of course, recognizes that message and goes to open it. The actual MMS message contains an exploit ,and that exploit is dropped onto the device and executed. In this particular case, the exploit can actually escalate privileges on that particular device and gain access to more and more information, the device is actually compromised.

Of course, once that exploit is there, it can remain persistent and effectively be a silent weapon for the hacker to go back and take advantage later and or spread to other devices around the network.

Again, if we have a solution like the MobileIron Threat Defense solution, you can detect when that privilege elevation happens and block at that point in time. What we're doing with these solutions is actually looking at these various scenarios and more and making intelligent decisions about where and when and how to block them from causing further damage.

Imagine now, if you will, with this threat knowledge in mind, imagine if you could indeed protect your corporate network, your corporate data and your mobile devices above and beyond what you're capable of doing today preventing them from being compromised and impacting the corporate network.

Once again, imagine if you could, indeed gain visibility into these potential threats and attacks and make more informed and timely decisions as to whether or not to remediate. You could mitigate the risk of your company, your customer's data loss by acting ahead of these mobile threats and not being left with the challenge to clean up after the attack.

Further, imagine if you could respond to compliance and regulatory concerns guidelines with reporting that you can provide to the compliance regulators and your executive mandate such as for reassuring users privacy, right?

This is obviously a big issue with GDPR coming up in May here. The ability to reassure users their privacy will not be invaded, and so they have instant access to their corporate data on the device without disrupting productivity.

Imagine if you could deliver this all from a single solution. With this as a backdrop, what I now wanted to do was talk about the unique approach that we are applying to deliver this type of functionality to market.

Let me start by talking about what the MobileIron Threat Defense solution is and with it you can actually protect your data from mobile attacks and keep your mobile workers happy and productive.

The solution includes a single integrated client. We've been integrated Threat Defense into the MobileIron Mobile@Work client, or the MobileIron Go client, EMM client. It also uses MobileIron Core or Cloud, our EMM system on the back end, and features a management console that adds abilities like advanced app analytics, to deliver this one, single integrated solution.

What the solution does is, protects data from mobile threats. You can deploy it, you can detect those threats, analyze them, remediate them, and easily manage the protection. From a deployment perspective, you only need to deploy one, single integrated app to have this capability.

You can roll it out, the security, to your users, and they won't need to take any action to deploy or activate this. By working in conjunction with our EMM solution, we can silently push the app to the device, and activate it without any requirement for the user to activate the solution, unlike some others that are in the market today.

We can also detect these threats, and we detect both known and zero‑day unknown device, OS, network, and application attacks on the mobile device, and we use machine‑learning algorithms, and behavior‑based detection methods to do this.

Further, with the advanced app analytics engine, we can analyze security risks to different applications, and receive actionable information, to respond quickly and effectively to various threat vectors.

Of course, you do need the ability to remediate. Even if the device is not connected to a network, with our solution, you can remediate these threats on‑device, and no network connectivity is required. Of course, having an ongoing ability to manage and monitor the activity through central dashboards are essential here, but the solution is comprised of these five elements.

What's unique about this particular solution and differentiate it in the marketplace? Let me, first of all, describe various detection and remediation methods from other solutions in the market.

The way a number of these solutions work is, they first scan the device, and then they take data off the device and put it into, typically a cloud console in the back end. The cloud then does detection for known threats, and typically uses deterministic approaches for how they detect these things.

When something is indeed detected, they go to the cloud console, notice a problem, they look at a threat matrix, and then they connect to another remediation application to actually do the remediation.

The problem, though, typically has to do with delay. It's the amount of time the process requires, to go through all these steps and all these changes. Meanwhile, sensitive data is certainly being exfiltrated. Data, like an individual's location, is transferred to these particular systems. This can end up being a GDPR issue in many instances.

In a threat situation, let's say though, the man‑in‑the‑middle attack that I described previously, if a hacker got access to the device through the network, they could cut off everything from steps two, three, four, and five, and thus, the solution wouldn't be able to go, and detect, and remediate anything.

Let's compare and contrast this to how MobileIron is bringing our solution to market here. What we're doing is, number one, we're detecting both known and unknown zero‑day threats across a DNA ‑‑ device, network, and application ‑‑ on the device.

The same agent that we have on the device, knows there's a policy violation, we recognize it there, and then we can remediate it immediately on‑device. We don't have the delays associated with having to go to the cloud, look‑up, go back to the device, and then remediate. We can collect this data on device and act accordingly.

What's the magic behind all this? We actually in partnership with Zimperium using machine‑learning technology in the background to help with this. In many ways, machine‑learning techniques give us awareness, not unlike the human nervous system, of whether the device is healthy or under attack.

The device already has all these nerve endings, if you will, to carry this analogy forward, things like memory stats, processor stats, etc. If you continue this human body analogy, the stats are like the nerve endings and tell us the condition of the overall device.

The mobile device doesn't have a nervous system necessarily to collect all these nerve ending data and process it into a decision such that I'm OK or I'm under attack. The machine‑learning engine becomes that nervous system that continually reads these nerve endings and determines if at any point those nerve endings are indicating an attack is on the body and triggering a detection.

The machine‑learning technology is very much like a nervous system for a mobile device. With these machine‑learning techniques, it gives us this awareness of whether a device is healthy or under attack.

The machine learning is continually training and optimizing processes resulting in models of behavior which sets us apart from other solutions. We think this is a very unique way to approach the problem.

To summarize some of the key differentiators in our approach, it includes the following. Number one is one application, so no need to deploy and manage multiple applications to facilitate the solution. Further, we don't require the user to actually be involved to activate the session.

One of the challenges that we've seen in the marketplace is that with the alternative solutions, a second app needs to be deployed. The user has to be involved in activating that solution. It creates challenges wherein many instances, the threat detection is never even brought into memory and working.

Further, we have the ability to detect these known and zero‑day threats. We can remediate on device across both device network and application threats without network connectivity required.

With that as a backdrop, we do know you have a choice and options for your Threat Defense strategy. I wanted to talk a little about the consequences of potentially doing nothing and not deploying Threat Defense in your company or on your employee‑owned devices. There is a threat that your enterprise will be impacted.

You may be faced with financial consequences as a result, loss of critical business data, even your data and your customers' data, potential damage to reputation. We've seen a number of exploits where data has been lost and company reputations have been damaged.

Loss of revenue, fines coming from regulatory environments, things like GDPR emerging are certainly going to create challenges. There are lots of resources particularly in productivity of employees that wish to use their mobile devices are significant risks here. These are the things that we wanted to spend time highlighting today.

In terms of the benefits, if your mobile threat protection strategy is to take action, you'll find some great benefits in the solution that providing today.

With Mobile and Threat Defense, your enterprise can protect your organization. Your strategy is augmented because it's very easy. One app makes it easy for IT with built‑in protections into the MobileIron client and it's easy for users who are not required to take any action to activate the app.

We've noticed that the best security is actually invisible to the users. This is a way to get that security deployed easily and invisible to the user in many respects. Great insights can be gained from the solution.

You can have immediate and ongoing visibility into malicious threats across all mobile devices, detailed threat intelligence with perennial and analytics of risky apps and you can make informed decisions from there.

Then the ability to do this on‑device. You can receive unmatched detection and remediation of known and zero‑day threats with the machine learning algorithms on the device and without connectivity required.

The MobileIron Threat Defense solution it's available for mobile line customers who deploy either on‑premise with MobileIron Core or in the cloud via MobileIron Cloud across iOS and Android devices.

It's really focused on looking at these device threats, these network threats, and these application threats to help you remediate against any challenges that happen therein.

You can get started today. If you wish to, please check out www.mobileiron.com/threatdefense for more information. Certainly, get in contact with your MobileIron sales representative or your channel partner and request a demo. With that, that is the prepared remarks that I had for today. Thank you very much.

Let's open it up to some question status. Shall we?

Florian:  Thank you, Chris. Thank you very much for this great overview and thanks again for making it a very early bird today.

One thing I would like to mention. If you go and check out mobileiron.com/threatdefense, you will also find this information in localized languages. We have it ready for you in German and French right now. We'll have some data sheets also ready in Italian and Spanish later.

Let me go back to questions. I know we have answered some questions already. We'll just check for new questions. Some of the question were "Is the product available already today?" Yes, it is. It's also available on iOS and Android devices the same way. We can use both the integrated Mobile@Work clients.

A question, I think, which hasn't been answered now is "Has the Mobile@Work app to run open in the background all the time to protect the device?" The question is "Does the app has to be opened again and again so that we can run the check?" Who wants to take this question?

Chris:  James, do you mind taking that one?

James:  Hi, Florian. Can you hear me OK?

Florian:  Yeah, we can hear you.

James:  Hi, Florian. Actually, after you install the Mobile@Work app, it actually just does run in the background. It does wake up if there are threats that are detected on the device. It's not constantly running. It's running in the background, so to speak, and then becomes active if there are threats detected on the mobile device.

Florian:  Thanks. Another question I would like to take is...I'm not sure I'm getting it right. James, probably you know from a technical perspective. Is it possible for the devices to get updates from the Core instead of from the cloud for the patch and releases?

James:  You're talking about like static signatures or heuristics, basically, for the MTD client? Our client actually relies most on the machine learning. It gets policies and updates actually directly from the zConsole management portal, not necessarily from Core.

Florian:  Thanks for answering that. Then we have another person with several questions. I'm not sure if we are able to answer those, but let's go and try. What is the additional battery usage? I'm not sure if we have data here. Please describe privacy and anonymity.

Then the last question, which came up a couple of times, I would like to take that before, James, you go ahead. What is the cost per client? Is it available with all of our bundles? Yes, it is available with all of our bundles, Silver, Gold, and Platinum. For pricing, please reach out to your channel partner or sales rep.

James, again for you, what is the additional battery usage? Any gets here?

James:  There's a bunch of factors that could go into the life of the battery. In a situation where, say, for instance, there is a normal set of managed devices along with the MobileIron Threat Defense running in the background, the idea is there should be a 20‑percent drainage of the battery in a 24‑hour period.

It's 20 percent, is what we're shooting for or what we can actually claim for battery life, but there's a lot of factors. If there's a bunch of managed apps along with MobileIron Threat Defense, then that could adversely affect the battery also.

Sorry. What was the other question? I apologize.

Florian:  No worries. The statement was "Please describe privacy and anonymity."

James:  Specifically, let's answer this in the iOS and Android platforms. Ideally, iOS, specifically after iOS version 11...

[alarm rings]

James:  Sorry, my alarm is going off here. [laughs] Apologize for that.

IOS actually relies on EMM to provide the app inventory. As far as privacy is concerned, if there is a privacy policy in place in EMM and it's only set to take inventory of managed apps, then on iOS we do respect that.

We do enforce that only apps that are in the app catalog or the ` is actually inventoried, whereas on the Android side, there isn't necessarily reliance on EMM for inventorying actually any apps that are on the device.

If Android Enterprise is actually enabled, then we only inventory the apps that live in the work profile.

Florian:  Thank you, James. I saw another one. That's a quite interesting one. Here's the question. Where will the machine learning stuff be stored on the device? Is it per device, or will it be communicated somewhere? Will it be shared with some service?

James:  There's actually two factors here. There is the z9 detection engine that actually resides with the client. Then there's the z3A advanced app analytics that actually is part of the zConsole management portal.

The two talk to one another, basically. Machine learning, if you wanted to actually put a place where it actually resides, it is on the management console, the z3A. Then that information gets pushed down to the z9 detection engine on the client because the heavy lifting is done within the management console.

Florian:  Thank you, James. Just going through the questions, we have also a couple of ones in the record form, which is great. Here's an interesting one, I think also for the broader audience. Let's assume there's a mobile threat. Does the end user also receive notifications of potential threats?

James:  Today, the current client, we can actually set up policy violation event notifications. It can be customized to potentially provide the type of threat that is actually detected on the device, like if it's a risky or a malware app, if it's a network threat or, say, a device exploit.

We can push generic messages to the client. Most of the information is actually in the zConsole, in the current iteration of the product.

Florian:  I think we have answered the question. I'm just taking a double‑check again. People on the line, if you have questions that you would like to raise, please feel free to still enter them. We'll give it another 30 seconds. I'm just checking the Q&A here. We have something to answer.

[pause]

Florian:  In the meantime, please, you will get an email follow‑up from us within the next couple of days. We'll be sending out some more information on the solution. In the meantime, you can also feel free to reach out to your local MobileIron team.

If you go to mobileiron.com, in the section "Contact Us," you will find telephone numbers and email addresses for all the different regions within EMEA. We have offices in the DACH region but also in France, Spain, Italy, the Benelux region, almost every country within Europe.

Please, feel free to also reach out directly to the regional offices.

[pause]

Florian:  I think we don't have any more questions to answer. Thanks, everybody, then for joining. Thank you, Chris, James, James, our two James from headquarters, along with our [inaudible 33:42] team, Ellie, for joining us today. I know for most of the folks it's very early in the morning.

Thanks, everybody on the line, for joining us today. Again, please watch out for a follow‑up email with some more information and a data sheet coming up to you very soon. In the meantime, if you have any questions, please feel free to reach out.

Thanks, everybody. Have a great day.