Mobile Security - the device isn't the problem

Enterprise information security used to be so much simpler. CIOs would take solace from knowing that information security came in two simple parts. Secure the network and the hardware from the outset, and then protect the network from the outside world by securing the endpoints. The greatest reassurance came from knowing that most of these endpoints were identifiable. USB ports, browsers and email inboxes were the greatest threats and if suitable software was in place and their employees were educated and warned appropriately, the network would probably remain unharmed.  

But then came enterprise mobility. Suddenly, the breadth of potential information security threats grew exponentially, even immeasurably.

The CIO's response? Secure the mobile devices. Implement anti-virus solutions, malware scanners and secure data containers on the devices themselves. But this departs from the multi-level approach to information security of the pre-mobility era: it focuses solely on the hardware and not on the endpoint.

After all, the device is the hardware, not the endpoint. The device actually contains its own selection of endpoints, each with its own threats: mobile browsers, access to mobile email and downloads of unauthorised or unwise apps. All of these can open up the device, and therefore the network, to attack.

Think of mobile security like border security – passengers on planes are verified as “safe” by checking their passports. But their bags are still also scanned before boarding. In the same way, EMM-based mobile security only checks the passport, leaving the bag unchecked. Effective mobile security requires more than just well-monitored devices. The endpoints within the device must be brought into the security effort.

To use a very recent example, the XcodeGhost attack put thousands of iOS enterprise mobiles at risk. The modified version of Apple's software development suite Xcode introduced malicious functionality into apps without the developers knowing. When these infected apps containing altered code were then downloaded to users' phones, they unwittingly gave the XcodeGhost creators access to the employee's sensitive information – including that of their employers.

XcodeGhost was invisible to most CIOs' mobile security processes. The apps were corrupted versions of reputable brands, and so would be unlikely to be on any blacklists and readily passed through most vetting procedures. To revisit the earlier border security analogy, checking the apps on the devices is akin to only checking the passenger's passport, and it proved to be insufficient. The apps were deemed safe, but the data streams they created were clearly unsafe.

The only way to detect the threat from these apps, therefore, would have been to closely monitor the data traffic to and from the device. What does the data look like? How much is being transmitted? Where, when and how frequently is it being sent?

Multi-level threat detection will sit in the cloud and scan all the data that enters the network in real time. One of the key advantages of this approach is that it can correlate data between the device and the cloud to deliver proactive security with automatic policy-based remediation. It can also identify risk exposures from data leaks and anomalous user activity, and provide maximum visibility into the various types of malware and risk. This information enables IT teams to react quickly to solve issues as they arise and to stop attacks from spreading.
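The questions in the previous paragraphs (what does the traffic look like, how much, where, when, how often) translate directly into a baseline-and-compare check over per-app egress records. The following is an added illustration, not code from the article or from Wandera's product: it learns a per-app profile (known destinations, a byte-count threshold, the busiest hour seen) from a constructed "known-good" day of flow records, then flags observed flows that contact a destination the app never used, exceed the volume threshold, beat the hourly frequency ceiling, or belong to an app with no baseline at all. The log format, device ids, app names, hostnames and byte counts are all invented for the example.

```python
"""Constructed example: baseline-vs-observation anomaly detection over mobile
egress flow records. Log format, app names, hostnames and byte counts are
all invented for this illustration; nothing here is a real product's API."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: datetime
    device: str
    app: str
    dest: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<iso-ts> <device> <app> <dest-host> <bytes-out>'."""
    ts, device, app, dest, size = line.split()
    return Flow(datetime.fromisoformat(ts), device, app, dest, int(size))


# Constructed "known-good" day used to learn how each app normally behaves.
BASELINE_LINES = [
    "2015-10-01T09:00:00 d1 notes sync.notes.example 12000",
    "2015-10-01T10:00:00 d1 notes sync.notes.example 15000",
    "2015-10-01T11:00:00 d1 notes sync.notes.example 13000",
    "2015-10-01T12:00:00 d1 notes sync.notes.example 14000",
    "2015-10-01T09:05:00 d1 mail mail.corp.example 40000",
    "2015-10-01T09:35:00 d1 mail mail.corp.example 42000",
    "2015-10-01T10:05:00 d1 mail mail.corp.example 38000",
]

# Constructed observation window: the notes app starts talking to a host it
# never used, pushes a large upload, and phones home far more often than usual.
OBSERVED_LINES = [
    "2015-10-02T09:00:00 d1 notes sync.notes.example 12500",
    "2015-10-02T09:10:00 d1 notes c2.example 250000",
    "2015-10-02T09:20:00 d1 notes c2.example 800",
    "2015-10-02T09:30:00 d1 notes c2.example 900",
    "2015-10-02T09:40:00 d1 mail mail.corp.example 41000",
    "2015-10-02T09:50:00 d2 flashlight ads.example 3000",
]


@dataclass
class AppProfile:
    dests: set            # destination hosts seen for this app in the baseline
    byte_threshold: float  # mean + 3 sigma of bytes_out in the baseline
    max_per_hour: int      # busiest (device, hour) window seen in the baseline


def build_profiles(flows):
    """Learn one AppProfile per app from baseline flows."""
    by_app = defaultdict(list)
    for f in flows:
        by_app[f.app].append(f)
    profiles = {}
    for app, fl in by_app.items():
        sizes = [f.bytes_out for f in fl]
        per_hour = Counter((f.device, f.ts.strftime("%Y-%m-%dT%H")) for f in fl)
        profiles[app] = AppProfile(
            dests={f.dest for f in fl},
            byte_threshold=mean(sizes) + 3 * pstdev(sizes),
            max_per_hour=max(per_hour.values()),
        )
    return profiles


def detect(flows, profiles):
    """Return (rule, device, app, detail) tuples for every flow or window that
    deviates from the app's baseline. Per-flow rules fire as flows are seen;
    the frequency rule is evaluated once per (device, app, hour) window."""
    alerts = []
    per_hour = Counter()
    for f in flows:
        p = profiles.get(f.app)
        if p is None:
            # An app with no baseline is itself worth a look (e.g. sideloaded).
            alerts.append(("unknown_app", f.device, f.app, f.dest))
            continue
        if f.dest not in p.dests:
            alerts.append(("new_destination", f.device, f.app, f.dest))
        if f.bytes_out > p.byte_threshold:
            alerts.append(("volume", f.device, f.app,
                           f"{f.bytes_out} B > {p.byte_threshold:.0f} B"))
        per_hour[(f.device, f.app, f.ts.strftime("%Y-%m-%dT%H"))] += 1
    for (device, app, hour), n in sorted(per_hour.items()):
        ceiling = profiles[app].max_per_hour
        if n > ceiling:
            alerts.append(("frequency", device, app,
                           f"{n} flows in {hour}, baseline max {ceiling}"))
    return alerts


def run():
    """Build profiles from the baseline day and score the observed window."""
    profiles = build_profiles(parse_flow(l) for l in BASELINE_LINES)
    return detect([parse_flow(l) for l in OBSERVED_LINES], profiles)


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the constructed input the mail app stays silent, while the notes app produces three new-destination alerts, one volume alert and one frequency alert, and the unprofiled flashlight app is reported as unknown. The rules are deliberately per-app rather than per-device: an app whose corrupted build starts exfiltrating data, as in the XcodeGhost case above, still looks like a trusted app to a device-side check, but its traffic no longer matches the profile its legitimate version established.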

Without correct and, most importantly, real-time data stream information, organisations are effectively operating in the dark: they cannot see how their devices are interacting with the network, and therefore what threats the device and its data may be exposed to. Securing the device is only the first step in reducing the risk posed by mobile employees. Since we can't predict where the next big mobile attack will come from, CIOs need to return to the pre-mobility mindset of securing and monitoring both the hardware and the endpoint activity. A multi-level approach gives organisations the most comprehensive and reliable threat detection possible, and one flexible enough to cope with the next threat vector.

Contributed by Eldar Tuvey, CEO, Wandera