Enterprise mobility: BYOD, EMM, and new security approaches

Today's enterprise employees increasingly expect to be productive wherever they may be, on whatever device they choose, which raises multiple management and security issues for IT departments.
Written by Charles McLellan, Senior Editor

I carry my Android smartphone at all times, and check it many -- probably too many -- times a day. In my rucksack, there's usually an iOS tablet and/or a Windows laptop in case I need to use a bigger screen and/or a keyboard when out of the office. I have desktop computers at work and at home, running OS X -- or macOS, as we must now learn to call it -- and Windows, respectively.

It may be easier for a tech journalist to accumulate kit than most people, but I doubt that my device count is wildly out of the ordinary for a knowledge worker in the modern enterprise (although the number of different operating systems in play may be). All of these endpoints allow me to access company email, applications and data, in addition to the web and various cloud services, and they all pose potential security risks.

Mobile devices are a particular headache for IT security professionals, because they present a bigger attack surface than PCs residing (relatively) safely within the corporate firewall, for several reasons: mobile devices can be lost or stolen; mobile operating systems generally have less enterprise manageability heritage than desktop OSs; and wireless communications -- be they wi-fi or cellular -- can be intercepted.

Overlaying all this is the BYOD issue: many organizations allow employees to use their own smartphones, tablets, and laptops to access company resources, whereupon the security of this heterogeneous population of endpoints becomes the IT department's responsibility.

As the enterprise has become more mobile, a whole industry -- initially focusing on Mobile Device Management (MDM) and subsequently broadened to encompass Enterprise Mobility Management (EMM) -- has grown to address these issues. But security breaches continue to make the news almost daily, and the mobile enterprise continues to evolve with wearables and other IoT devices plugging into enterprise networks, and ever more workloads and data being deployed in the cloud.

What the surveys say

The Ponemon Institute, an independent privacy, data protection and information security research organization, has published a State of the Endpoint report since 2010, and its 2016 survey report reveals some telling insights about enterprise mobile security -- many of them clearly driven by the BYOD trend of recent years.

Ponemon's survey population (18,590 IT and IT security practitioners involved in endpoint security in the US) was asked: "What are the biggest threats to endpoint security in your organization?" The most frequent answer -- as so often -- was people, in the shape of "Negligent or careless employees who do not follow security policies."


Of course, not all of these negligent employees will be mobile device users, but three of the remaining seven top threats were specifically mobile-related, with "the number of insecure mobile devices used in the workplace has increased significantly" showing the biggest increase between 2014 (33 percent) and 2016 (50 percent).

And when asked "Where are you seeing the greatest rise in potential IT security risk?", Ponemon's leading response was "Mobile devices such as smartphones."


It's also noticeable that mobile devices have seen the biggest rise in risk rating between 2016 (86 percent) and the average over the preceding five surveys (57 percent).

According to Ponemon's respondents, Android is the operating system most vulnerable to a data breach or cyberattack (28 percent), followed by Windows (23 percent), iOS (19 percent), Linux (12 percent), Firefox OS (11 percent) and Mac OS (7 percent).

This mobile OS ranking is supported by the latest report from the Nokia Threat Intelligence Lab, which found that "Android continues to be the main mobile platform targeted," while also noting that "for the first time since the report began, iOS-based malware -- including XcodeGhost and FlexiSpy -- is on the top 20 list". Other Nokia findings include an increase in smartphone infection rates in mobile networks, several varieties of ransomware attacking Android devices, and the fact that "mobile malware is becoming more sophisticated in the techniques it uses to persist on the device". It is becoming "very difficult to uninstall and can even survive a factory reset".

Another 2016 endpoint security survey, from The SANS Institute, found that desktops and laptops were the most compromised endpoint types in a wide range of organisations, from SMEs to large enterprises. Mobile devices, both employee- and employer-owned, also featured prominently, while the most common type of data breach was of login and access credentials -- which are commonly found on client devices, and are the gateway to more valuable resources on the network.

The SANS survey also found that the majority of breaches were reactively detected, either directly from endpoint AV or IPS software, or via an SIEM system. However, the third most-common detection route (reported by 27 percent of respondents) was 'third party notification' -- from law enforcement, customers, or business partners, for example. This doesn't say a lot for the maturity of the incumbent security systems, although 21 percent of respondents did report detection via "indicators of compromise learned from threat intelligence".

EMM: the state of play

The SANS Institute survey referenced above includes a good summary of the BYOD issue, which explains the growth of the Enterprise Mobility Management (EMM) market:

"The increasing prevalence of BYOD acceptance means that procurement is no longer making all the purchasing decisions based on standards, and users are connecting a wider variety of devices to the network. These devices may have different technical characteristics, such as operating system and filesystem structure, so the protection technology likely varies. Security is always more difficult in a varied environment, adding challenges for the security department. The various devices that comprise this new type of endpoint require multiple solutions, all of which must be integrated into the overall strategy for protecting the enterprise."

In its 2016 Magic Quadrant, analyst firm Gartner identifies four main functions performed by EMM suites: provisioning; auditing, tracking, and reporting; enterprise data protection; and support. These services are delivered via five types of EMM technology: mobile device management (MDM); mobile application management (MAM); mobile identity (MI); mobile content management (MCM); and containment technology. Gartner requires MDM, MAM and at least one of MI, MCM, or containment technologies for qualification as an EMM suite.

Although the EMM market has seen considerable consolidation in recent years, there are still plenty of players out there. According to Gartner, EMM functions are offered by over 100 vendors -- a population it whittled to just 14 for its 2016 Magic Quadrant, which places VMware's AirWatch in pole position.

To get an idea of the EMM functions and components that companies are actually deploying, US-based research firm J Gold Associates recently surveyed some 300 organisations -- mostly large enterprises. The results show that while most have installed the "high-value, easiest to deploy" components, other "nice to have" components have marginal deployment rates.

MDM (device asset management) is the base level of functionality, with secure email, file/data sharing, browsing, and office/productivity apps reflecting the ever-broadening usage of mobile devices in the enterprise.

The research firm also highlights an alternative, less device-centric, Workspace-as-a-Service (WaaS) approach to mobile productivity. This combination of "VDI and componentized cloud services" is spearheaded by companies like Citrix and VMware, and may well prove a more attractive option for many organisations -- especially SMEs.

Novel approaches to mobile enterprise security

Despite the best efforts of the security industry, the frequency of breaches shows no sign of declining -- quite the opposite, in fact. This has prompted some security software vendors to seek new ways of dealing with the problem. Here are a couple of the most interesting ones that could impact the mobile enterprise.


Isolation technology, which inserts a secure execution environment between users and potential attack vectors such as compromised websites or weaponised email attachments, is not new, but the approach taken by Menlo Security with its MSIP (Menlo Security Isolation Platform) is innovative.

MSIP, which is available either as an AWS-hosted public cloud service or as an on-premises virtual appliance, comprises two key elements: Disposable Virtual Containers (DVCs) and Adaptive Clientless Rendering (ACR) technology. DVCs handle the execution of active content in user sessions: when a browser tab is closed, or suspicious activity occurs, the relevant DVC is disposed of, preventing any malware from persisting or spreading. ACR, meanwhile, connects the user session running in the MSIP to the user's native on-device browser. No endpoint software or plugins are required, and Menlo Security claims that the user experience is essentially indistinguishable from direct interaction with a website.


Menlo Security Isolation Platform (MSIP) inserts a secure execution environment between users and potential attack vectors.


As well as safe website access, other MSIP use cases include safe document viewing, elimination of Java and Flash from endpoints, safe email and anti-phishing, and protection of online apps against bots.

Deploying MSIP in the mobile enterprise will require an MDM solution to be in place, says Jason Steer, Solutions Architect, EMEA at Menlo Security: "Without MDM, deploying MSIP is tricky as it's reliant on the user to configure settings, which is never going to work long term. The MSIP solution does need an MDM provider to enforce settings that users cannot bypass. Other than that, it's very easy to deploy for users -- the user experience is the same."

According to Steer, EMM/MDM usage is currently the limiting factor for MSIP: "I think our biggest challenge is that many organisations have yet to deploy an EMM suite to users, which makes it harder and slower to deploy given the current state of iOS and Android enterprise features."

Machine learning & AI

Cylance is another company seeking to address the shortcomings of legacy approaches to cybersecurity, this time using machine learning and artificial intelligence to "unlock the DNA of advanced threats".

The company's flagship product, CylancePROTECT, combines big data and data science to analyse files and determine their status -- good or bad -- based purely on the information in the file itself. This allows the software to predict cyberattacks and block them on endpoints, in real time, before they execute.

Cylance claims a 99 percent success rate with a very low frequency of false positives, and notes that, unlike traditional AV software, its mathematical model can detect malicious programs even if they have never been encountered before, or belong to an entirely new family of malware.


CylancePROTECT loads a small-footprint agent onto endpoints containing a mathematical model that can identify and prevent both known and unknown malware from executing. Cylance uses feeds of malware and machine learning techniques to refine the model, which it updates twice a year.


Lloyd Webb, Cylance's Director of Sales Engineering for EMEA, explains the process: "On a daily basis we'll take feeds of malware and learn from that malware, and twice a year we'll put out a brand-new mathematical model. Basically, that algorithm is what we install on the endpoint agent. Once that agent is fully installed and you've got a policy configured on the endpoint, you can then be offline -- if someone gives you a USB key, or you open an email that's sat in your inbox, we can prevent that malware from executing on your machine."

Crucially for mobile devices, the CylancePROTECT agent has a small footprint: "The impact on the machine is very low CPU and very low memory utilisation, which is ideal for our customer base," says Webb. "Customers are fed up with the daily impacts they get from antivirus software: download a new security update, and suddenly you've got to scan your whole machine again. 'Cylance' is a play on words: we want security to be silent."

"We provide you with your own private management tenant in the cloud, running on Amazon infrastructure," adds Webb. "The agent communicates up to the cloud, shares the threats that it's found when it comes online, and downloads any [twice-yearly] agent update. From a customer's perspective, you can literally start a proof-of-concept in 24 hours: get the tenant ready, roll out the agent and that's it, you're ready to go."

CylancePROTECT is currently available for Windows (XP SP3 and above, and Server 2003 and above) and macOS (Mavericks and above). As far as mobile platforms are concerned, Android is likely to be first in the queue, says Webb, "because that's where the biggest threat factor is -- we've all seen some pretty scary malware being distributed, and some inappropriate practices in terms of software development in the Android marketplace, so that's where we'll initially spend a bit of time investigating."


BYOD -- or, in more locked-down enterprises, COPE (Corporate-Owned, Personally Enabled) -- is here to stay because employees are generally more productive under this regime. EMM suites provide the tools for IT departments to manage and secure the resulting heterogeneous collection of devices, with alternative approaches like Workspace-as-a-Service (WaaS) available to deliver applications and data. Employees may not appreciate tight IT control over their laptops, tablets and smartphones, but without it cyberattackers will increasingly turn to mobile devices as a route into enterprise networks.

Of course, there's more to mobile security than simply protecting the endpoint. As London-based IT procurement consultants Turnstone Services put it: "Mobile security is a top concern for IT leaders, but mobile security must focus on more than just the end device. The data centre environment security needs to be a key consideration. Protecting the mobile device and providing effective resistance to hackers and malware is a minimum, but measures are required to secure the entire data path to and from the mobile device to the data centre."
