Mobile threat defense: a marketing move or a new trend?

Prologue


As soon as users of mobile devices began to entrust “sensitive” information to their smartphones and tablets, curious people appeared who wanted to make use of it, including for personal gain. At first it was personal information: photos, bank card PIN codes, accounts for accessing various services, and so on.



Corporate Mobile Security


Later, as mobile devices began to be used for corporate needs, people appeared who were keen to take advantage of the corporate secrets that users leave in mail, in files viewed and not deleted, in browser caches and in temporary application files. For their convenience, tools were also developed to exploit whatever is not protected on mobile devices.

Security tools for mobile devices are being developed in response. But because of the peculiarities of mobile operating systems, it turned out that simply porting protection tools from Windows and Linux is either impossible or inefficient. For example, an antivirus was forced to run in the same “sandbox” as a regular application. Accordingly, without the user's help it was almost impossible to scan applications, or to remove even those it had access to and in which malware was detected. And while a private user who started a scan himself could be asked for permission to delete the malware, for corporate users everything is more complicated. Their scans must be started centrally: either on a schedule or by the administrator's command. The likelihood that the device is in the user's hands at that moment and that he will quickly answer the prompt is small. Therefore, for the tools to work fully, the device had to be put into “superuser” access mode. And that in itself was unsafe.

As a result, mobile platform vendors began to expand their APIs, adding support for security features. It became understood that the approach of completely isolating applications from each other does not provide the necessary protection against possible attacks and does not give protection tools the access they need to the file system and application packages. In addition, the need to use hundreds and thousands of corporate mobile devices in business led to the need to develop mobile device management systems and/or the related protocols.

Alongside mobile device management systems, “mobile” antiviruses began to appear that were capable of scanning for and removing malware, although, in fairness, system applications were still out of their reach. Developing and competing, antivirus vendors began to implement heuristic detection algorithms for zero-day attacks, use databases of dangerous sites, check kernel versions, firmware, applications, and so on. Detailed analysis of application packages for vulnerabilities and for the certificates they use was also developed. Unfortunately, none of the analysis results obtained this way can be acted on without the administrator's participation. And the administrator, knowing that a self-signed certificate is in use, can do nothing about it unless the necessary financial resources are allocated. Therefore most of the information obtained from such monitoring remains unused, or is used after the fact to explain the causes of an information leak.

Mobile threat defense


To keep corporate users from getting bored, and aware of the practical value of various security measures, vendors today compete with each other in the “coolness” of their algorithms for analysing threat information about mobile devices. This functionality is called Mobile Threat Defense (MTD).

Because of the peculiarities of mobile devices, information received from MTD often remains at the “for information only” stage, if only because mobile OS developers very rarely issue updates. The reason is that the production run of a particular device model is about a year. Fixing vulnerabilities and shipping updates to devices that will soon be discontinued is not profitable. Under competitive pressure, manufacturers take a different approach: they release a new device with new firmware, in which they try to take the known problems into account. At the same time, it will contain new vulnerabilities, which will likewise go unfixed until the release of a new device with a new OS.

Mobile protection technologies are developing in such a way that, gradually, all protection and management functions for mobile devices are being implemented within mobile device management systems, now called Unified Endpoint Management (UEM). This does not seem accidental. The functionality most in demand on mobile devices is policy- and command-based security management, and application distribution. Everything else became part of UEM as MDM evolved under competition between vendors. Since all vendors build on the same MDM APIs provided by the mobile platforms, competition on that basis is quite limited: it comes down to different approaches to exposing those APIs to the system administrator, the set of reports, and interface convenience.

And now, when all of this has been exhausted, vendors have begun implementing functions that have little relation to the practical needs of end customers.

World practices


Over the past few years, the Gartner analyst firm, known for its “magic quadrants,” has also turned its attention to MTD systems. We reviewed the 2019 Market Guide for Mobile Threat Defense report. What follows are excerpts from the report and our analysis of its contents.

At the outset, the report notes that the protective value claimed for MTD functions still needs verification (what we would call marketing fantasies):

“Even though MTD vendors express confidence in being able to detect and counter advanced attacks, Gartner has yet to see evidence in the field.”

Gartner further notes that MTD functions are today offered either by UEM vendors, which historically grew from device management (MDM) into a “single window” for all mobility services, or by mobile antivirus vendors, which can only report vulnerabilities and, lacking MDM functions, cannot do anything about them without user intervention.

Not being MDM solutions, and so unable to remove malware from the device or remotely reset it to factory settings, standalone MTD solutions found an interesting way out. Some MTD vendors propose installing their own VPN client on the device which, when an attack is detected, routes the traffic addressed to the corporate network back into the device. This technique is called blackholing. In our opinion, the protection is more declarative than real. If the device keeps its Internet access, the malware will not reach the corporate network, but it will still transmit whatever it wants to the attacker's server.

The functions offered by MTD can be reduced to the following set:

  1. Android .
    , . . Android — .
  2. — , Wi-Fi .
    VPN ( Wi-Fi ) , . UEM.
  3. malware / grayware. . , .

    malware , . « » , , «» SMS. grayware. UEM . .
  4. (jailbreak, root).

    , — . UEM , -. , . . , . MTD- .
  5. . MTD .

    UEM HTTP- - MTD .
  6. , SMS, , QR- . . — . MTD, . . UEM .

The report's main conclusion is that there is no point in implementing MTD until a basic level of corporate mobility security is ensured, which the following rules provide:

1. Use of the latest versions of mobile OS.

In practice, this is a requirement to purchase new mobile devices with the latest OS versions. There are still new devices with Android 6 on the market.

2. Denying access to “patched” devices with a custom recovery, a BusyBox binary or the ability to get root access via adb ...

Alas, this sometimes happens even on commercially available smartphones.

3. Permission to install applications only from official stores and corporate storage.

4. Ban jailbreak / root and unlocked bootloader.

5. Application of password policies.

A lost or stolen device without a password is any hacker's dream.

6. Reset to factory settings when the device is lost / stolen.
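The six rules above describe a baseline that a UEM can enforce mechanically. As an added illustration (not code from the article, from Gartner, or from any UEM product), the following Python evaluates a device inventory record against each rule and reports which ones it violates. The record schema, the minimum OS versions, the passcode length threshold and the sample devices are all assumptions made for the example.

```python
# Added illustration (not from the article or any UEM vendor): a policy
# evaluator that checks a device inventory record against the six baseline
# rules. Field names, thresholds and sample devices are assumptions.
from dataclasses import dataclass
from typing import List, Tuple

# Assumed minimum OS versions for rule 1; a real policy would track current releases.
MIN_OS_VERSION = {"android": (10, 0), "ios": (13, 0)}
MIN_PASSCODE_LENGTH = 6  # assumed threshold for rule 5


@dataclass
class Device:
    """One inventory record as a UEM agent might report it (hypothetical schema)."""
    device_id: str
    platform: str              # "android" or "ios"
    os_version: str            # e.g. "9.0" or "13.4.1"
    custom_recovery: bool      # rule 2
    adb_root: bool             # rule 2: root shell reachable over adb
    unknown_sources: bool      # rule 3: installs from outside official stores allowed
    rooted: bool               # rule 4: jailbreak / root
    bootloader_unlocked: bool  # rule 4
    passcode_length: int       # rule 5: 0 means no passcode at all
    reported_lost: bool        # rule 6


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '13.4.1' or '9.0' into a comparable tuple; non-numeric suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate(device: Device) -> List[str]:
    """Return one finding per violated rule, numbered as in the list of rules."""
    findings = []
    minimum = MIN_OS_VERSION.get(device.platform.lower())
    if minimum is None:
        findings.append("R1: unknown platform %r, cannot verify OS version" % device.platform)
    elif parse_version(device.os_version) < minimum:
        findings.append("R1: OS %s is below the required %s"
                        % (device.os_version, ".".join(map(str, minimum))))
    if device.custom_recovery or device.adb_root:
        findings.append("R2: patched device (custom recovery or root over adb)")
    if device.unknown_sources:
        findings.append("R3: installation from unofficial sources is allowed")
    if device.rooted or device.bootloader_unlocked:
        findings.append("R4: jailbreak/root or unlocked bootloader detected")
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append("R5: passcode missing or shorter than %d" % MIN_PASSCODE_LENGTH)
    if device.reported_lost:
        findings.append("R6: device reported lost/stolen; factory reset required")
    return findings


def is_compliant(device: Device) -> bool:
    """A device may reach corporate resources only when no rule is violated."""
    return not evaluate(device)


# Constructed sample records (not real devices).
OLD_ANDROID = Device("tab-01", "android", "9.0", False, False, True, False, False, 4, False)
CLEAN_IPHONE = Device("ph-07", "ios", "14.2", False, False, False, False, False, 6, False)

if __name__ == "__main__":
    for dev in (OLD_ANDROID, CLEAN_IPHONE):
        print(dev.device_id, "compliant" if is_compliant(dev) else evaluate(dev))
```

The point of returning a list of numbered findings rather than a single yes/no is that a UEM acts differently on each one: an old OS is a procurement problem, an unlocked bootloader or root is grounds for quarantine, and a lost/stolen report should trigger the remote wipe of rule 6 rather than just a report line.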

It is difficult to disagree with this, especially since the Russian corporate market does not always meet these seemingly obvious requirements. On the public procurement website, lots regularly appear for the supply of devices with outdated Android together with a VPN and antivirus, which cannot provide even a basic level of protection.

We sincerely hope that over time the use of UEM on mobile devices in Russia will become as integral an attribute of security as antivirus is for Windows. And then, who knows, there may even be money left over for MTD ...
