Are you seeing mobile attacks?

Webinar transcript


Susan:  Hello, and thank you for joining our webinar today on mobile threat detection. Before we get started, I want to mention a couple of housekeeping items.

Our 50‑minute session today will be recorded and will be available shortly after today's presentation. Additionally, we want this to be an interactive session. We encourage you to ask questions through our Q&A panel.

Your MobileIron presenters today are Ellie Ruano, Senior Lead Manager, James Saturnio, Senior Solutions Architect, and Scott McCormick, Senior Product Manager. With that, I'm going to hand it over to Ellie to get us started. Over to you, Ellie.

Ellie Ruano:  Thank you so much, Susan, and welcome, everybody, to MobileIron's Threat Defense session. I'm Ellie.

James Saturnio:  I'm James.

Scott McCormick:  I'm Scott.

Ellie:  Thank you, gentlemen, for joining me. We are here to share with you more information about MobileIron Threat Defense. We're going to talk more about research, and is mobile security a problem today? Why you should consider a mobile threat defense solution, and why from MobileIron?

What are the risks that are out there today that you should be aware of? What might be your strategy to help you get started? Let's begin by taking a look at, is mobile security a problem? We're in the era of modern work. Mobile and cloud are the catalysts. With modern work, it's enabling your users to be more innovative and productive.

With the increased use of cloud computing and web apps, it's allowing the users to have access to tons of information and data from these mobile devices. This can be a good thing, because it does help them be more innovative and productive.

They can work from anywhere. They can make quicker decisions because they have access to that information, and obviously more productive, which is going to help your company grow.

When we look at what organizations are doing or not doing to protect themselves, the research is showing that many organizations are not as prepared as they can be for the security challenges that are posed with this type of modern work and the increased use of devices with the increased access of information.

We look at research to find out, is mobile security a problem? We look at the Verizon study that was recently conducted, the Mobile Security Index of 2018. It was conducted on 600 individuals like yourself who buy and manage mobile devices for their companies worldwide.

The input that they gave when asked the question is mobile security really a problem, was that 85 percent said yes. They said that your peers, the respondents, said that they believe that they're going to experience a moderate to high risk of a mobile security threat in the future.

Let's dive a little bit deeper into what else they said. 89 percent of the respondents to this research study said that they rely on just a single security strategy.

James:  That's scary.

Ellie:  Yeah, it is. If we look at the four basic common of changing your default passwords, making sure you have strong dual factor authentication, also restricting which apps your employees can download. Then making sure you have a policy for the use of public WiFi...

James:  Encryption.

Ellie:  ...and encrypting that. Then let's go with that one as well. Those are the four basic, but out of those four, only one is what 89 percent say they rely on. With public WiFi, 51 percent said, they don't have a policy.

They're not encrypting the data, they don't have a policy, they're allowing workers to work from public hotspot, like a cafe, like the airport, like the hotel.

James:  71 percent say, they allow the users to use public WiFi, but only 51 percent of them don't have a policy, including enabling VPN when they connect to the public WiFi. That's...Yeah.

Ellie:  Then the research also showed that 62 percent said, they have a lack of user understanding as their major barrier. If you look at these together, so lack of user understanding, maybe don't click on that phishing email, don't plug into a USB port in a public spot.

Those kinds of things coupled together, when you have a single layer security strategy, when you're not encrypting your data, and you don't have a policy for use of public WiFi, which with mobile devices, chances are you may be doing that. Your users aren't quite sure what is a mobile threat and what might be a security problem for the organization.

You bring that together. For MobileIron, we're recommending a layered security strategy. That means that you're coupling your unified endpoint management, MEMM to help enable your internal users to safely use their mobile device in addition to protecting against that unknown external hacker from the mobile threats that might be taking place driven by that unknown hacker.

You couple this together with protection that you're getting for your operation, your intellectual property, your data, your customers' data and, ultimately, your reputation. This is where we suggest MobileIron Threat Defense because it gives you that layered security strategy.

James:  I call it multilayer, automated threat defense.

Ellie:  There we go. Why should you consider MobileIron Threat Defense? We've given you a little bit of information of, "Is mobile security a problem?" How you can help solve that is with one integrated client.

You have the unified endpoint management along with the threat detection and remediation all‑in‑one client. You have the server. You have a management console. With this, you get the advanced apps analytics engine. This is going to help you analyze your privacy and security risks all from one dashboard.

James:  Yeah, a single client. That's actually pretty powerful, right? You don't need to download a separate MTD app from the public app store and having to enable that and actually enter maybe another set of credentials. Maybe it's a little more cumbersome if you have two. Having a single app, that's easy.

Ellie:  It's easy. That's what customers are telling us. Having that single app for the administrators is saving them tons of time in trying to monitor and manage their users. Again, it's easy for the users because there's no action required on their part. They don't have to activate the application. They cannot fight and remove it.

This is making it easy for the admins to plug it in. As soon as they plug it in, they have immediate and ongoing visibility. They're not tracking down users. They're immediately protected. With that immediate and ongoing visibility, as soon as they plug it in, they also have the risky app analysis that I was mentioning. It's all on device.

You get zero‑day unknown protection. You get known and unknown mobile threats protection with machine learning algorithm of device network and mobile app threats along with the local remediation and notification all on device.

James:  For known threats, we actually still use static signature, sandboxing logistics. For unknown threats, that's with zero‑day machine learning. The one thing about on device here is...I think these people...Part of the comments are the term a policy enforcement point.

Your device becomes the policy enforcement point. It doesn't have to connect to a VPN concentrator. It doesn't need to connect to a router or a firewall. Your device becomes a policy enforcement point.

Ellie:  That's a great point, Jason. I think that brings us to our next slide, what you're going to talk about for other solutions that are out there today.

James:  Exactly. What do our competitors do? You see the two layers here. You see on device, and you see in the cloud. How do our competitors do this? On the device, they only scan the device. They actually do the heavy‑lifting, the performing of the detection up in the cloud. It's not done on the device, itself.

Then it informs EMM of a policy violation, send that remediation instruction to potentially a different EMM agent and then back down to the device where it remediates the threat.

What is the problem with this? If your device has a threat, say for instance, man in unknown threat on the device already, it could prevent or be redirected from going to the cloud and being able to do steps two, three, four, and five. Those steps become null and void. You have a vulnerable device that cannot detect or remediate the threat.

What do we do? Our MobileIron Threat Defense solution, again, you have on device, and you have in the cloud. You have those two separate layers. The scanning of the device and the performing of the detection is done on the device. It's not punted up to the cloud. It recognizes any policy violations still on the device, not having access to cloud.

The remediation is done on the same app on the device. That is pretty powerful.

Scott:  This also has an advantage. You can do it much faster than sending the data to the cloud, having the cloud analyze this, make a decision, send back command which takes time. Time is of the essence when you're trying to detect and remediate against mobile threats.

James:  That is actually pretty powerful there too, Scott. Thanks. One of the new cool features and one of the key differentiators is we call it local actions but it does local compliance and notifications.

This is a separate policy from MTD itself. Once you register your device to EMM, we can push a separate local compliance policy for all the 44 different threats that we're able to detect currently. There's network threats, malware threats, device‑level threats.

We're able to detect those and actually provide some compliance actions for both iOS and Android devices if the device is not connected to the network. If it doesn't have connectivity to core, cloud, or the MobileIron threat defense console, the device itself can protect itself from these different threats.

This is actually a key differentiator of a pretty powerful product here in that case. You have instances where the device could lose connectivity from the server but the device still knows how to protect itself from the different types of threats out there. One of the other key features is the concept of tiered compliance.

Let's take for instance you have a traveling worker that has to connect to hotel WiFi fairly frequently. You may not want to quarantine or block their device if they have to connect to the hotel WiFi as maybe their sole means of communicating to the Internet.

What you can do in the first step is you can send an alert and you could push a message to the device saying, "Hey, you just connected to an unsecured WiFi" just as a reminder, and you monitor the user's or the device's actions.

You can wait from 1 hour to 24 hours and then you can enforce a second set of compliance actions. In this case we're showing quarantine, but we could also block App Connect apps. We can block email.

Finally, you can add additional steps too. You see one, two, three. You can go four. You can wait. Again, you can quarantine the device all the way to even retiring the device if for some reason the user persists in connecting to hotel WiFi and they're not protected. Tiered compliance is another powerful key differentiator in our product that's available.

What are the risks?

Ellie:  Everyone, you can see from this chart that was updated April 30th, and this is from the It's showing the Common Vulnerabilities and Exposures, the CVEs, for both iOS and Google Android.

What we want to point out here is you can see that this trajectory for the past 10 years‑plus is increasing. You can see that the quantity here of the vulnerabilities are numerous and they're advancing. But we don't want to rely just on raw numbers. We can see that they're advancing.

What we also want to take a look at with this is the Common Vulnerabilities Scoring System, the CVSS. This is on a range from 0 to 10 with 10 being the highest. You can take a look at how the severity level is. The larger the bubble, the darker the red color that you're seeing means that it's more severe.

You have a 7.0. Anything that is above a 7.0 and above is considered severe and should have been remediated and fixed yesterday.

James:  Should have been patched yesterday.

Ellie:  Should have been patched yesterday. Absolutely. As we look at this, the average score is 7.4. When you look at both the vulnerabilities are numerous, that we just saw a minute ago, and the scoring system is showing us that they're much more severe than they used to be, these hackers are getting very skilled. They're very sophisticated.

This is a financial business. They're getting paid big money to deploy these threats and these exploits. The vulnerabilities will help them get the data and sell the data. They make money off of it.

James:  Look at this big red sun. I call this a big red giant. It's going to gobble up all these other smaller suns here. Basically, this is a 10. Unfortunately, on the iOS side, a lot of their vulnerabilities have been a 10. They should have been patched yesterday. That in itself is scary. You see that most of these or a lot of these are 10.

Ellie:  The solution that we have with MobileIron Threat Defense will help show you that severity level.

James:  What are the vulnerabilities from the past year? This is just a sampling of the different types of device exploits like [inaudible 15:18]. Everyone's heard of Spectre and Meltdown. Maybe not so much LiberiOS and Electra.

You have network attacks. You have KRACK and Blueborne, which are protocol‑level vulnerabilities. You don't have a lack of malicious apps, including BankBot and Copycat types of malicious apps.

For 2018, what are the projections for the different types of mobile security threats? The tried‑and‑true adware, spyware, phishing, any pre‑installed bloatware on your device, that's still number one.

Number two and number three are projected to overtake number one in the latter part of this year. You have cryptocurrency. You have people storing their digital currency and their wallets and their Coinbase exchanges on their mobile devices.

The unsanctioned crypto mining, which is called cryptojacking, is the phenomenon of actually stealing your power from, in this case, mobile devices. You say, "Well, why would you leverage a mobile device?"

If you get a bunch of mobile devices in a botnet, then there you go. That's how you steal a bunch of processing power.

Ransomware, it's still out there. You've heard of some high‑profile ones, like the city of Atlanta was hit with a ransomware attack. Basically, the ransom was $51,000, but the city of Atlanta was crippled for a couple weeks.

It ended up costing the city itself millions of dollars to try to fight the ransomware. You have the city of Riverside, California, whose emergency, the police, fire, were also affected by a ransomware attack.

You have exploit kits, where you can potentially download or purchase from shady sites on the dark web. Basically, an exploit kit is something that you buy that you can attach to a legitimate app, that can be used for malware.

What you have is all of the mobile threats are basically working together in unison. What you have is you have adware, spyware, phishing exploits that are redirecting users to cryptojacking or cryptocurrency‑stealing websites.

You have ransomware and exploit kits that are pushing the threats of cryptocurrency and cryptojacking. All of them are working together. What do you need to fight these security threats? You need a multilayered, automated threat response type of solution. That's what MobileIron Threat Defense is.

You've heard of Spectre? In a nutshell, Spectre is the idea of unsanctioned or potentially malware accessing protected memory spaces of other apps and potentially stealing your personal, identifiable information, your credentials, anything from your mobile device.

It could be running an Intel processor. Even ARM processors are affected by Spectre. What does MTD do for you? It detects the unpatched OS, any tampering of the device. It will detect any malware that could potentially exploit this threat.

The bad thing is Spectre is going to be one of those threats or vulnerabilities, it's going to keep giving for the next several years until these processors are taken out of service.

Meltdown is the lesser of the two evils with Spectre. Again, it's the idea that it's reading or unsanctioned apps. Other apps could be reading protected memory spaces of other apps, including your browsers. Again, MTD is able to detect unpatched OS, device tampering, and any malware that can exploit the threat.

Anyway, KRACK is whack. [laughs] Key reinstallation attack. It's basically a vulnerability or a weakness in the WiFi Protected Access protocol. If I was a bad actor, I could basically reinsert the same key over and over in the four‑way handshake to establish a secure WiFi connection to the point where I can actually decipher the entire key chain.

Once I have that key chain, then I can decrypt all of your WiFi traffic. The good thing is that KRACK has been patched on access points and routers and even on the client, the supplicant. MTD detects any man‑in‑the‑middle or redirection, device tampering, and any malware that, again, could exploit this threat.

Have any of you heard of a BankBot? Basically, a BankBot attaches itself to potentially a legitimate app. Its whole purpose in life is to scour your mobile device and look for any banking or financial services app, say your Bank of America, your Chase bank, any of the legitimate apps.

It waits for the user to actually log in to their banking facility or banking site. What it does is it puts a fake overlay over the login screen. It will keylog your credentials. You're going to enter your real credentials.

It's probably going to come back and say, "That's the wrong credentials," but you actually entered your right credentials. Then the BankBot or the malware has your credentials to the real banking site.

Again, how does MTD help in this case? It detects any escalation in privileges of the app, any man‑in‑the‑middle or redirection, and the malware that can take advantage of this type of threat.

Cryptojacking. Here's the scary part. There are 50,000 websites out there that are serving pages that have the JavaScript called Coinhive, in this case. There's 94 percent of the JavaScript out there is Coinhive, which is mining the Monero cryptocurrency.

There are 50,000 websites out there that are from legitimate websites like MSN Japan, public sector websites also. Again, there's two parts to the cryptojacking. It's stealing not only your digital currency that you have stored or any exchanges that you have stored on your mobile device.

It could also steal power from your central processing unit, your graphics processing unit, dynamic random access memory, application‑specific integrated circuits.

How do you know? Maybe your phone is overheating. In the case of some phones, it actually exploded from being pegged because of this cryptojacking exploit. MTD detects the malware and any drive‑by malware on these infected websites.

Not all mobile threats are created equally. If I were to ask you which of these threats...MobileIron Threat Defense is capable of detecting all three of these, device‑level threats, network‑level threats, and app‑level threats.

We're able to detect all three, but which of these three would you say is the most severe, something that you would never want to get on your mobile device? The answer to the question, it is device‑level threats. Those are the worst.

I can actually take over your device without you knowing it. I can steal your PII. I can send nasty emails portraying or pretending to be the CEO of the company. Again, device‑level threats are the worst.

How do you think device‑level threats or device threats get onto the device? Via network, man‑in‑the‑middle, or app‑level threats. That's how device‑level threats get onto the device.

How do I get started? One of the cool things that we're able to do or provide is the fact that this, our MobileIron Threat Defense solution, has been tested, has been proven, has been deployed.

We employ all the best practices to validate the design for MobileIron Threat Defense. It's a little easier than some of the other solutions out there. The fact that we only have three components in this case. We have the app that talks to both Core and to the MobileIron Threat Defense management console.

You have the two servers communicating with one another. Then of course you have MobileIron Threat Defense that's actually detecting and remediating the threats on the device.

Optionally, you can have Core or Cloud linked up with MobileIron Monitor. On the MobileIron Threat Defense side, you can have a [inaudible 25:12] integrated with the console.

What are the components for the MobileIron validated design? We have the Threat Defense. Then we have the managed devices. You have Core and Cloud. You have Monitor.

A lot of lines to follow in this. The key takeaway from this is the fact that this product has been tested on these platforms and proven to work and work efficiently and whatnot.

Really quickly, I want to show you how the client is actually provisioned. Keep in mind again it's a single app, single app that you download from the public App Store. You normally would log in to your MobileIron Core or Cloud, providing your credentials.

What you get back during the EMM registration is a token or a key that can be used to activate to the MobileIron Threat Defense console. What you get back is basically you're good to go if you have a valid token.

Then all your managed apps and App Connect apps can be provisioned onto your device, as well as VPN, WiFi, all the other key components for EMM.

What are the server remediation actions for device, network, and app‑level threats? In this example, we have a device that we're going to introduce malware to. What we can do is we can send an alert to the device.

Then we can block email and App Connect apps. We can remove any EMM‑provisioned configurations, including WiFi, VPN, and certificates that are pushed onto devices or the EMM registration.

We can remove managed apps and content. One of the things I neglected to put up here is that we can actually retire the device completely from the server.

This is the client‑side notification. This is just a screenshot ‑‑ in this case, it's an Android device ‑‑ that shows the client‑side notification.

What you have is the MobileIron Threat Defense is active. It will actually give you an inventory of all the other devices that you have registered to EMM and the current status.

Again, network‑level threats. Just in the case of, let's say, for instance, you inadvertently connect to a Pineapple AP. A Pineapple AP is one of those scary penetration tools that, even for the person that's doing it, it's actually really scary.

Its biggest capability is to do man‑in‑the‑middle attacks that can...Say, for instance, your device inadvertently connects to the AP. It can do WiFi phishing. It can steal your credentials. It can strip your SSL connection.

One of the other bad things it can do is portray or set up or basically duplicate a legitimate WiFi. It waits for you to either roam out of that WiFi and have you connect to the Pineapple AP.

At that point, I'm able to do all the other things like phishing and stealing your credentials and stripping your SSL connection.

In this video ‑‑ let me tee this up really quickly here ‑‑ this is an iPad that we have Mobile@Work installed. We have MobileIron Threat Defense enabled.

We have managed apps, like in this case it's Office 365, Outlook, Excel, PowerPoint, Word, and a couple App Connect apps like for Web@Work, or it could be Entrust for our Derived Credentials solution.

In this case, I'm just going to show you really quickly what happens in a case of connecting to an unsecured or unprotected WiFi. Let's go ahead and run this. Really quickly, I'm showing you here that I'm connected to my home WiFi, which is called Tsunami.

I know it to be secure because I'm pretty secure about things. I have IPS and a firewall. I'm able to bring up Web@Work. I'm able to browse protected websites or our website internally and externally.

I'm able to bring up Word and open a document that is stored on OneDrive. This is a document I created for our MobileIron live sessions or conferences the past month. I'm able again to bring up Word.

Everything is OK. I'm still connected to my secure WiFi. If I change that to, in this case, Xfinity WiFi, which I know to be an unsecured WiFi that happens to be in my neighborhood, it actually says that it's unsecured WiFi.

Within a matter of minutes, in this case what I'm doing is a quarantine action. Your managed apps start being removed or uninstalled on the device. You also get a user notification. If I, again, try to browse using Web@Work, it says, I'm out of confines, I'm blocked from browsing any sites.

Now what I'm going to do is, remediate the threat on the device. I'm going to reconnect from Xfinity WiFi to my secure WiFi, called Tsunami. Again, within a matter of minutes, the managed apps start reinstalling onto the device.

Preferably, what you have is, your content is stored externally on OneDrive or other storage services, but as you can see here, you're seeing Excel, PowerPoint, and all the managed apps being reinstalled onto the device. Very powerful stuff, just one of the many compliance actions that you can enforce on a device, based on the threat that's detected on the device.

For device‑level or device system tampering, again, one of the worst things that you could ever do is, potentially, download a malware or a man‑in‑the‑middle attack, that spawns some tampering attack onto your device.

It could record audio files, it could steal your video files, and upload it to the dark web, where it can be sold to the highest bidder, in this case, and potentially steal your personal information.

What is your strategy?

Ellie:  James, if the strategy may be such that, your organization is prioritizing speed and profitability over security, then those actions of doing nothing to protect your data, your operations, your customers' data, you're going to have, potentially, loss of critical business data.

You might have damage to your reputation, you might have loss of your customer revenue, because this will become public exposure, there could be fines, either GDPR fines or local regulators, and then, the cost of resources to fix, not just the threat and the attack, but also your reputation.

We found research from Ponemon that says, the average cost of a data breach is $3.2 million. I can tell you that, I think some of the examples that we have out there, are much higher than that. We can take a look at a few of those now.

James:  One other thing, you had damage to your reputation, how many years do you think it would take to fix your reputation, if you were hit by one of these breaches?

One of the examples, even though Equifax wasn't hit with a mobile threat, it was breached through a vulnerability on their servers, but this is an example of what happens if you do nothing. Initially, numbers reported was, 143 customers were affected, and now it's up to 148 million. That number keeps growing.

Information was divulged or stolen from Equifax. It was your name, your social security number, birthdays, addresses, basically any information that could be used to establish new credit, or masquerade as a legitimate user.

One of the more recent news that was reported was that, passport photos were also stolen from Equifax, and get this, they blamed a single IT employee for this breach. I think it's more systemic. Again, this idea that if you decide to wait for a breach to actually occur before you take any action, this could, potentially, be what happens to your enterprise or your company.

Another example is, [24] Basically, this was a third‑party customer support or customer service contractor, that provides service for customers of Sears, Kmart, Delta Airlines, and Best Buy. What happened was, their credit card information was stolen.

The bad part is, this was discovered back in September of 2017. [24] did not tell Sears, Kmart, Delta Airlines, and Best Buy of this breach until the latter part of March. Of course, that's when Sears, Delta, and Best Buy told their customers that, potentially, their credit card information was stolen. Six months later.

That's really bad. I would be very upset, if I was one of their customers that, potentially, my credit card information was out there for six months before I was notified.

If you go back to what I presented early in the presentation, that 62 percent of the admins worry about the knowledge of their mobile users, or their threat knowledge in this case. One of the things that we'd like to do, just common sense things, is to coach.

One of the jobs is to coach the mobile user on how to protect themselves, if they plan on using their mobile devices for work and play: update any device operating systems, including any security patches that are required on the device, and update their apps, because potentially, older or obsoleted apps have vulnerabilities in them.

Of course, use MobileIron UEM or EMM with MTD, because you'll get the multi‑layered security, with automated threat response by using both. Obviously, you should.

Download your apps directly from the iOS or Google Play Store, or if you have an enterprise app store, download from those locations only.

This thing's a little bit, maybe unrealistic, try not to connect to public WiFi. If you do, and you're a traveling worker, turn on VPN when you connect to a public WiFi.

Lastly, try not to connect to a USB charger directly in public charging stations. I see this a lot at the airport, that people just blindly plug into a USB port or a charging station at the airport. You don't know what's on the other side, because not only is it charging your device, but it could be stealing your data, because that connection has both power and data capabilities.

How do you get around this? Connect the power supply to the end of that USB charger, plug it directly into an electrical receptacle, or your laptop, directly.

Ellie:  What's great about everything that James has talked about today, is highlighting some of those differentiators. There's lots of solutions that are out there for you to evaluate and consider. We encourage you to do so.

The benefits, or the differentiators that you will experience with MobileIron Threat Defense, is that single app that we talked about. This is not only going to save you time, it improves your organization's operational efficiency, because you're not having to use multiple apps.

In addition, it's going to provide you with that easiness, that we discussed, for your users, because they don't have to activate the app and they can't swipe it. As soon as you plug it in, you get that immediate and ongoing visibility, and the users don't have to take any action.

You get the visibility to known and zero‑day device, networks, and apps' mobile threats, your users are so protected, their privacy is still in place, but you have that visibility into the activity that is going on, in order to make informed decisions with the intelligence that we provide in this solution, to know what type of action to take.

That action is done on the device. You have the machine‑learning algorithms that are doing the detection, and then you have the on‑device...we have the notifications, we have the local remediation, and we have our compliance actions that we talked about, so we have [inaudible 40:11] compliance. These are things that differentiate and highlight this solution.

James:  Keep in mind, earlier I had mentioned that your device becomes the policy enforcement point, before the device connects to the network, where, once it's on the network and it has a threat on that device, it could potentially infect other devices connected on to the network. Again, the device is the policy enforcement point.

Ellie:  That's right, good point. It's looking at the device, the network, and the mobile app threats across. Some vendors won't look at the malicious apps. You can get this on‑premises and in the cloud, across iOS and Android mobile devices.

We mentioned the device, network, and apps, it's not just one or the other, it's all of them. You have a combined solution opportunity here to gain that visibility, and to help protect your organization.

We'd like to say thank you to James and to Scott, for joining us in this webcast, and to let everybody online know that if you have any questions, or if you'd like to find out more information about mobile threats, in general or our particular solution, to go to This is the location where you can get any additional information.

Thank you so much for joining our webcast, and we would invite you to come back to our website. Thanks again.

James:  Thanks, guys.