CHECK POINT 3 STEPS TO IMPLEMENTING AN EFFECTIVE BYOD MOBILE SECURITY STRATEGY

Transcription

1 CHECK POINT 3 STEPS TO IMPLEMENTING AN EFFECTIVE BYOD MOBILE SECURITY STRATEGY How to Augment Your MDM, MAM, NAC and SIEM Deployments to Truly Mitigate Mobile Risks and Protect Enterprise Resources Table of Contents Backdrop - Mobility is Attractive for Enterprise Productivity & Mobile Cyber Security Threats 1 1. Understanding The Risks and Value of Mobility to Your Stakeholders 3 2. Identifying the Holes in Your Mobile Security 4 MDM and MAM 4 NAC 5 SIEM 6 Point Solutions Attempting to Fill the Gap 6 3. Requirements for Next-Generation Mobile Security - How to Shut Down Attackers 7 Detect Advanced Mobile Threats 7 Enable Risk-Based Mobile Management 8 Perform Vulnerability Assessments at Each Threat Vector 9 Maintain Privacy and a Good User Experience 9 Summary Checklist on Mobile Security Capabilities Needed to Protect Mobility Initiatives 9 BACKDROP - MOBILITY IS ATTRACTIVE FOR ENTERPRISE PRODUCTIVITY & MOBILE CYBER SECURITY THREATS Given the competitive pressures of the global economy, it s no surprise enterprises are looking to increase their agility to respond to changing conditions and accelerate time to market. Mobile devices enable employees to work from anywhere, at any time, which can significantly increase flexibility and productivity. It s the 1

2 reason most enterprises are looking to support a wider variety of mobile devices and platforms, (72% of respondents to a Forrester survey 1 ) and improve or modernize mobile app(s) to deliver more information or transaction support (71%). Many organizations, however, are struggling to move fast enough to keep pace with mobile device and application innovation. As a result, users are taking matters into their own hands another Forrester survey 2 found that to help them do their jobs, 16% of employees admitted they would install unsupported software, 22% said they would use a website or Internet-based service that their company doesn t support, and 35% would buy something with their own money. The rise of shadow IT, where users leverage unapproved technologies to get work done, along with the consumerization of IT, where users expect the same level of service and convenience at work they have in their personal lives, create significant gaps in visibility and control within the enterprise. All these technologies may enable a more fluid, productive work environment, but they can wreak havoc with corporate processes, oversight and security. All the different mobile devices and applications making their way into the enterprise present new pathways for attackers into valuable corporate data and resources. This is why, as users bring their own devices (BYOD), apps and services into the corporate network to get work done, enterprises have made it a priority to add controls and security the Forrester survey 3 revealed that 75% of enterprises expect the number of employees using their BYOD to increase and 77% will be adding security requirements for those devices. Trying to stay on top of all the variables entering the corporate environment, however, is often an uphill battle for the already overburdened IT staff. Consider that over 2 billion tablets and mobile phones are expected to be sold worldwide in and the number of apps available to users is in the billions (its estimated the two largest app stores - Apple App Store and Google Play have 800,000 apiece 5 ). What is needed is a way to secure your mobility in a way that maximizes its benefits to achieve this you will need to identify: 1. Understand the Risks of Mobility what can the mobile devices, applications and traffic in your environment be used by attackers to do? Do you understand the needs of all of your stakeholders? 2. Identify the Potential Holes in Your Coverage what are the different solutions in your environment designed to do and where are you still vulnerable? 3. How to Shut Down Attackers what is needed to effectively manage your risk, without hampering the productivity these mobile devices and applications can provide. 1. Forrsights Mobility Survey, Q Forrsights Workforce Employee Survey, Q Forrsights Mobility Survey, Q Gartner, March ,895.1 Mobile Phones and Tablets (millions of units) 5. mobithinking 2

3 1. UNDERSTANDING THE RISKS AND VALUE OF MOBILITY TO YOUR STAKEHOLDERS The key to securing your mobility is to first understand how it is being used in your environment and what is potentially at risk. Taking stock of the mobile devices, applications and traffic in your network is critical to identifying how your data and resources are potentially vulnerable. Since mobile devices are being used to do more and more the devices being carried around today are 3000 times more powerful than the compute power on the original space shuttle 6 - the potential risks continue to increase. Once an attacker is in tricking a user into downloading malware or a malicious app, infecting a WiFi hot spot, exploiting a device vulnerability, in the operating system, hardware, configurations, etc. - they can do almost anything on the device and apps, including: Intercept s and text messages Steal application data, including content within secure containers and wrappers (refer to the white paper How Mobile Malware Compromises Your Secure Containers and Enterprise Content to understand how attackers bypass these measures to compromise enterprise data) Capture browsing activity, including any usernames and passwords entered into sites Extract contact lists, call and text logs Activate the microphone (to listen in on private conversations and meetings) Use the camera to take pictures or videos (white boards, manufacturing plant layouts, etc.) Track location (where an executive is going could provide insights into potential customer deals or merger/ acquisition plans, etc.) Stakeholders across your organization will likely view these risks differently and have different expectations around what is needed to effectively secure your data and resources. Since security is always a balancing act, requiring decisions on when and how to allow or shut down access, it s important to understand what your stakeholders are looking for out of mobility and what they are willing to accept in terms of security. ROLE WHAT MOBILITY REPRESENTS TO THEM THEIR MOBILE SECURITY PRIORITIES CISO AUDIT & RISK MANAGERS AUDIT & RISK MANAGERS Business-level objective to improve agility and overall productivity. An initiative that introduces risks that need to be quantified and managed. An initiative with a lot of moving parts out of their control. Need to support: BYOD New mobile application roll outs Ongoing management and maintenance of mobile policies Getting ahead of the evolving mobile threat landscape to prevent intellectual property loss, tough board-level discussions and lawsuits that: Erode customer confidence Tarnish brand reputation Reduce competitive advantage Meeting compliance goals by adhering to security best practices and putting measures in place that reduce the attack surface. Improving visibility to better manage mobile devices and applications and reduce risks to ensure alignment with overall security policies and practices

4 SECURITY TEAM EMPLOYEES An initiative that opens up a lot of new threat vectors that need to be managed and mitigated to keep resources safe and prevent data leakage. The convenience of being able to work whenever and wherever they are located. Effectively assessing mobile risks, integrating mobile intelligence into security information and event management (SIEM) and network access control (NAC) systems, and consistently applying policies, regardless of how or where a user accesses resources. Protecting their privacy and preserving a simple, good user experience. 2. IDENTIFYING THE HOLES IN YOUR MOBILE SECURITY There are a host of solutions that enterprises use to gain visibility into their mobility and security infrastructure and add controls that reduce the risks of their mobility initiatives. Some of the foundational solutions that you may have deployed are: Mobile Device Management (MDM) Solutions help you enforce corporate policies around mobility; they keep track of mobile devices in the your environment and manage the access those devices have to corporate data and resources. Mobile Application Management (MAM) Solutions often delivered as a function of MDMs, MAMs help you enforce policies around which mobile applications can and cannot be used in the corporate environment. Network Access Control (NAC) Solutions enable you to enforce general access policies, typically making decisions based on the user s role, type of device (including mobile) they are using and type of resource they are trying to access. Security Information and Event Management (SIEM) Systems provide visibility into the security alerts generated by all the attack detection solutions (including mobile threat detection solutions - if in place) deployed throughout your network. While effectively managing mobility does have derivative security benefits, inherently reducing the risks of mobile devices and applications, it is not the same as securing it. It is important to understand exactly how the solutions you ve deployed support your mobile security objectives and where you have holes to determine how best to augment your mobility and security infrastructure to effectively mitigate your risk. MDM AND MAM Capabilities: MDMs/MAMs help you gain visibility into the mobile devices in your environment and enforce policies around what users can and cannot access with their mobile devices, via a variety of mechanisms/ controls: Device Registration increasing the visibility of the devices entering your environment; ensures basic compliance to enterprise mobility policies prior to allowing access to corporate resources from that device. App Management - restricting apps that pose risks to the organization; often uses white or black lists to define what is and isn t allowed. Remote Locate, Lock and Wipe Capabilities protecting the integrity of information on devices that are lost or stolen. Data Leakage Protection (DLP) implementing secure containers or wrappers that encrypt enterprise application data and keep those applications separate from personal applications; may implement screen capture, attachment, and copy and paste controls to restrict potentially risky device functionality. 4

5 Augmentation Needed: While MDM/MAM capabilities help you understand and better manage your mobility, they aren t focused on securing it. MDM/MAM solutions need to be augmented with mobile security capabilities that can: NAC Assess mobile vulnerabilities on the devices and in the applications in your environment to understand where you have weaknesses. Detect mobile threats to your mobile devices, the applications and in the mobile traffic flowing through your network to identify advanced, targeted attacks. Look at how the applications on the devices actually operate in context to understand whether behaviors or sudden changes represent real threats. Look for malicious interactions between the device, applications and network that constitute an attack or possible threat. Validate the security of DLP measures and secure containers to identify if and when they have been compromised. Add risk-based mitigation capabilities to enable dynamic access policy enforcement, based on real-time mobile risk levels. Capabilities: NAC enforces general access policies for any endpoint in your environment. NAC solutions were traditionally delivered as stand-alone hardware-based devices, however, over the past 5 years, most of the capabilities have moved to cloud-based services or into the infrastructure, itself, including switches, routers and user operating systems. Typical NAC capabilities include: Authentication verifying a user is who they say they are, typically via a two-step process that includes something you know (password) and something you have (fob, registered device, etc.). End-Point Security Posture Checking conducting basic checks to identify whether a device adheres to corporate policies (e.g. is running the right OS version, has applied the right patches, doesn t have any unapproved apps running, etc.) Access Control Enforcement providing access to network resources based on the user s role, device type, and resource. Augmentation Needed: While NAC provides a basic level of protection for the mobile devices in your environment, it doesn t go deep enough to be able to provide the capabilities you need to protect your resources from advanced, targeted mobile threats. NAC needs to be augmented by mobile security capabilities that can: Identify vulnerabilities introduced by mobile devices and applications in your environment, going beyond the basic checks to understand the security ramifications of a particular OS version, patch, application, etc. Detect advanced mobile threats via detailed analysis that correlates device, application and network activity to understand what is really going on and uncover attacks. Add risk-based mitigation capabilities to enable dynamic access policy enforcement, based on real-time mobile risk levels. 5

6 SIEM Capabilities: SIEMs focus on helping you monitor and manage activity in your network. The SIEM collects, analyzes and presents information from all the different devices/services across your organization to give you real-time visibility and intelligence into the security posture of your environment, so you can better manage your network and security infrastructures. SIEMs offer tools to support: Vulnerability Management integrating vulnerability databases to identify potential issues within your environment. Compliance validating conformance to corporate policies and supporting post-remediation forensics. Incident Investigation correlating log source data from thousands of devices/services to flag anomalies and facilitate investigations into your security events. Incident Resolution providing visibility into activities to facilitate remediation of security incients and attacks. Augmentation Needed: Since SIEMs try to provide a holistic view of your infrastructure, it s important they have access not only to accurate intelligence from the mobile devices and applications in your environment, but also the threats they pose. SIEMs need mobile threat intelligence on: Vulnerabilities in the devices and applications in your environment. Threats and anomalous behavior in your mobile devices, applications and traffic, so you can make informed decisions around policies and defense mechanisms. Attacks using mobile devices and applications to target corporate assets and resources. POINT SOLUTIONS ATTEMPTING TO FILL THE GAP Given the mobile security holes in existing network and security infrastructures, there are a host of solutions that have emerged to try to mitigate the risks mobility poses to your organization. Each solution looks at the mobile security threat in a different way: Mobile AV similar to desktop AV solutions, these technologies scan mobile files and communications to look for known attack patterns and identify mass malware. Unfortunately, they are unable to address malware that has morphed or any of the advanced targeted attacks facing an enterprise. App Reputation/Integrity Solutions these technologies look at all the different mobile applications to try to identify those that display suspicious behaviors or contain malware. Many use sandbox techniques, which execute the applications in a controlled environment, to understand what they do and how they do it. They scan popular app stores looking for new apps and provide enterprises with a risk score that can then be used to set policies that are enforced by an MDM or mobile app management (MAM) system. Note, due to controls within the Apple store, these solutions aren t testing ios apps, rather they infer what similar Android apps will do on ios. Unfortunately, many legitimate apps that are widely used may display behaviors that could be deemed dangerous by these solutions (e.g. conference apps often accesses contact lists, allow files to be easily uploaded/downloaded/shared, turn on camera, etc.). Any attempt to lock down or block apps relied on by users will probably be viewed as intrusive or disruptive as already noted, users will likely find a work-around to use the apps anyway, if they are part of their work/personal lives. The main reason these solutions are limited in their ability to identify real risks is they execute the app in isolation with no knowledge or context of how the app may interact with a particular device that downloads it. 6

7 Mobile Network Gateways these technologies represent a host of different solutions that control access and inspect traffic to and from resources within the enterprise environment. They could be placed in front of mail or web servers or used to protect WiFi networks or the corporate LAN. They are able to detect and prevent a variety of attacks leveraging mobile traffic as a pathway into sensitive corporate resources. They can protect mobile communications via virtual private networks (VPNs) that encrypt traffic to keep it secure. Unfortunately, they can only protect the devices when they are in the corporate network ( behind the firewall). The value of mobility is that it allows users to be anywhere. Routing all traffic through the gateway is an option, however, it can have significant performance implications on that traffic and negatively impact the user experience, adversely affecting productivity and satisfaction levels. Mobile Authentication Solutions these technologies are designed to validate a user is who they say they are to grant them appropriate access to resources. Almost every solution has an authentication element embedded in it. Similar to secure containers and wrappers, authentication adds a layer of protection, but is blind to exploits. So if a user, device or application has been compromised, it will not be picked up when they authenticate and access will be granted as though nothing is wrong. While each of these solutions offers some level of protection, it is not complete. There are so many different threat vectors an attacker can exploit on your mobile devices and applications and in your mobile traffic, that you really need a solution that covers them all. Trying to put together a comprehensive solution from these point products will probably still leave you vulnerable, plus, deploying and managing them all is likely cost prohibitive, adding significant complexity to your ongoing operations. Pulling in next-generation mobile security solutions that can bridge it all together will enable you to more effectively manage and mitigate all your mobile risks to protect your corporate resources. 3. REQUIREMENTS FOR NEXT-GENERATION MOBILE SECURITY - HOW TO SHUT DOWN ATTACKERS Before companies can turn to mobile devices and apps to do more, they need to know those devices, and all the corporate data stored on or accessed by them, are secure. This requires adding comprehensive protection capabilities that can effectively assess vulnerabilities and mobile risks, detect advanced attacks and mitigate them, in real-time, to reduce the attack surface, without adversely impacting the benefits of mobility. DETECT ADVANCED MOBILE THREATS Pinpointing vulnerabilities and understanding when they are being exploited enables enterprises to effectively shut attacks down to protect corporate data and resources and prevent data leakage. Mobile security solutions need to vigilantly monitor and analyze all the different threat vectors on the device, in the applications and in the network to determine when a vulnerability is being exploited to gain access to the data and resources stored on and flowing through mobile devices. 7

8 It requires advanced analysis and correlation capabilities, including: Behavioral Application Analysis - to identify suspicious patterns and application behaviors over time. On-device and Network Event Anomaly Detection to identify malicious command and control behaviors and data exfiltration by unknown malware through the identification of patterns that would otherwise evade detection. Real-time Risk Assessments looking at changes to configurations and the state of the device and comparing vulnerabilities in the OS and applications against know exploits to identify compromises to secure containers and man-in-the-middle attacks. The most common exploits of the vulnerabilities associated with ios and Android devices that solutions need to be able to detect include: ANDROID THREAT DETECTION REQUIREMENTS Suspicious Configuration Changes Vulnerable Configurations Secure Container Compromises Exploits Against a Device s OS Version File System Tampering Rooting Applications Malicious Behaviors: Spyphones SMS interception Key Loggging Screen Scraping Man-in-the-Middle Attacks - Connections to Rogue Hotspots DEVICE-LEVEL EXPLOITS IOS THREAT DETECTION REQUIREMENTS Suspicious Configuration Changes Malicious Profiles Secure Container Compromises Exploits Against a Device s OS Version Device Jailbreaks APPLICATION-LEVEL EXPLOITS Stolen or Fake Certificates Malicious Behaviors: Spyphones NETWORK-LEVEL EXPLOITS Proxy, VPN Man-in-the-Middle Attacks Once detected, the solution should be able to differentiate between the level of risk a particular attack poses to the organization, so appropriate decisions can be made around how to best mitigate the threat. ENABLE RISK-BASED MOBILE MANAGEMENT Enterprises need to enact security controls based on the real-time risks a user or device poses to corporate data. Adding security to mobile management in a way that effectively protects an enterprise s resources from the current threats they are facing helps organizations align their mobility and security objectives. An effective security solution will be able to offer a variety of mitigation capabilities, so enterprises can tailor their responses to certain risk levels in accordance with their security priorities and risk tolerance. For example, they may want to: Notify Users educating them on the risk a particular application or action poses, confirming they knowingly allowed an application or action, or asking them to remove or stop using a particular application or action. Block Access preventing a user s access to specific corporate resources until the risk is mitigated. Block Traffic preventing traffic from reaching its destination until the attack is remediated. Activate a VPN ensuring particularly sensitive information is encrypted, so it remains private until the threat is removed. 8

9 PERFORM VULNERABILITY ASSESSMENTS AT EACH THREAT VECTOR Enterprises need to be able to inspect all the activity taking place in their environment and determine the level of risk the mobile devices and applications are exposing to their organization, at any given time. This requires looking at each and every mobile threat vector that an attacker could exploit in the devices, applications and network to understand the attack surface that could be exploited by an attacker. An effective mobile security solution will be able to analyze the vulnerabilities associated with: Devices including all the hardware, operating system (OS), configurations, and sensors, as well as device characteristics (role of the user in the organization, current location, etc.), to determine how any changes could impact risk. Data and Applications including all the different behaviors of apps over time and their interactions with the devices on which they are downloaded to understand what they are doing, what data they are accessing and where they are sending that data to pinpoint risky activity. Network Traffic including all the communication patterns of devices, the type of network being used (WiFi, foreign 3G network, etc.), and connectivity status (time, duration of connection, location, etc.) to identify any activity that is anomalous and suspicious. To ensure nothing is missed, the analysis of risk indicators must be done in context; each of these threat vectors needs to be correlated to ensure the true scope of a threat can be identified. The attack surface and potential impact of a threat can only be understood by evaluating all potential vulnerabilities and their inter-dependencies. MAINTAIN PRIVACY AND A GOOD USER EXPERIENCE Providing a good user experience cannot be underestimated. It is the key to a successful deployment. As already noted, users are going to find ways to leverage the technologies they need to get work done. Any security measure that significantly hampers the convenience and ease of use that users expect from their mobile devices and applications is likely to be met with objections and result in minimal business value. Being able to quickly and simply integrate security into the user experience, in a non-invasive way, will satisfy both security and business objectives. The mobile security solution should: Be Easy to Use Mobile users will be more accepting of a solution that doesn t change they way the use their device or adversely impact the performance (battery life, speed, etc.). Tailor Responses When Threat Is Identified enabling an appropriate response, so the user experience is impacted only when absolutely necessary. Ideally, the solution could tailor responses to particular user segments e.g. executives versus call center workers, etc. - to further refine security measures. Maintain Privacy ensuring all appropriate measures are taken to maintain the privacy and integrity of each and every user e.g. no personal information is collected or analyzed, only aggregate data that is pertinent to risks. SUMMARY CHECKLIST ON MOBILE SECURITY CAPABILITIES NEEDED TO PROTECT MOBILITY INITIATIVES There are solutions emerging to address the mobile security needs of enterprises and protect the corporate data stored and accessed by mobile devices. To be effective, however, they must provide comprehensive protection capabilities that give you the coverage you need, as well as the flexibility to mitigate risks in line with the security and business objectives of all your stakeholders. 9

10 In the face of a rapidly evolving threat landscape, solutions need to be able to demonstrate how they can keep up and ensure you can consistently assess and manage your vulnerabilities to prevent advanced, mobile attacks and mitigate risks to maintain your security posture. The following is a quick summary checklist of capabilities you can use when evaluating mobile security solutions to ensure you can get the most out of your mobility initiatives. CAPABILITY DESCRIPTION KEY FEATURES KEY BENEFITS ADVANCED MOBILE THREAT DETECTION ADAPTIVE RISK MITIGATION VULNERABILITY ASSESSMENT Identify real-time threat levels, by accurately identifying: Jailbroken / rooting apps on the devices, Changes to the OS, configurations, and device characteristics. Malware (known and zero-day). Malicious apps and risky app behaviors. Suspicious network traffic patterns. The ability to enact security controls based on real-time risk levels. Assess real-time vulnerabilities on all the different mobile devices, applications and network traffic in your environment. Ability to correlate device, application and network information to identify threats. Should use a variety of detection methods to ensure maximum coverage, including: advanced app reputation analysis; mobile AV; device and network anomaly detection; etc. Ability to differentiate between High, Medium and Low Threats Deliver a variety of mitigation capabilities: On-Device: notify users and provide remediation steps Via Integration with existing Access Policies (e.g. MDMs/ MAMs/NAC/etc.) In-Network: dynamically active VPN to protect communications; block attack traffic until threat is removed Assess hardware, OS, configurations and application vulnerabilities. Comprehensively detect advanced threats, including zero-day, advanced persistent threats (APTs), malware, malicious applications, etc. Accurately classify threats to corporate assets, providing visibility into the threat landscape you are facing. Ensure protection methods align with the threat level. Ensure protection methods align with security and business objectives. Reduce attack surface Confirm compliance with corporate policies (acceptable use) VALUE TO STAKEHOLDERS Gives Security team a real-time view of the threats they are facing to ensure the most effective risk mitigation measures are in place. Enables Mobility team to understand risks to better support security objectives. Mitigates attack damage to support CISO and Security team objectives Ensures user experience is only interrupted for highlevel threats, with a quick and easy way to remediate and get back to normal. Gives Auditors and Risk Managers the information they need to evaluate and manage risks associated with mobility. Gives Security and Mobility teams visibility into the attack surface for more effective policies and mobile management. 10

11 EASY TO MANAGE Enterprise-ready capabilities that simplify deployment, maintenance and management. Integrate with MDM/ MAM/NAC systems. Integrate with SIEMs and other security solutions. User-friendly dashboard. Dynamic mobile policy enforcement that reflects real-time threat-levels. Effectively manage and mitigate risks. Reports/data easily understood and exportable. Reduce ongoing operational costs to support business objectives of CISO s. Streamline visibility and policy enforcement to strengthen overall security for the Security team. Provides relevant information for audit and compliance checks by the Risk and Audit teams. Enhances overall mobility management for the Mobility team. MINIMAL USER IMPACT The solution cannot impact the overall user experience. Simple to download and use: Run in the background No performance degradation Nothing extra to carry (e.g. fob) Maintain user privacy Increase adoption/ user acceptance. Ensure consistent security stance across the organization. Continue to use device as they normally do, without fear of someone monitoring their every move. Maintain operational cost structure only Ensures employees have the convenience and security they need to conduct business everywhere. CONTACT US Worldwide Headquarters 5 Ha Solelim Street, Tel Aviv 67897, Israel Tel: Fax: info@checkpoint.com U.S. Headquarters 959 Skyway Road, Suite 300, San Carlos, CA Tel: ; Fax: