A wide range of organizations work with Unified Endpoint Management (UEM) providers to centrally manage their devices.

While UEMs have clearly helped enable and simplify administrative aspects of enterprise mobility, they do not provide the level of mobile security that businesses need in today’s rapidly growing threat landscape. Whether it’s outside-in threats like phishing, malware and cryptojacking or inside-out threats like risky user decisions, organizations need to look beyond device management to ensure they are fully protected.

This is why multiple UEM providers, including VMware Workspace One, Microsoft Intune, IBM MaaS360 and MobileIron, have partnered with Wandera to deliver complete end-to-end solutions to manage and protect your data, your applications and, most importantly, your users.

This on-demand webinar discusses:

  • Overview of the evolving threat landscape
  • Challenges organizations face in securing their mobile devices
  • UEM and Mobile Threat Defense (MTD) – and the need for both
  • Analytics and insights for mobility teams
  • Analytics and insights for security teams

 

Webinar Transcript

In today’s webinar we’ll be showing you how to get the most out of your UEM investment and how to ensure you are providing the best security for your mobile fleet.

Agenda

  • Insight into the evolving threat landscape – how traditional methods don’t pay off when securing mobile.
  • Highlight the challenges businesses face and the multiple risk vectors to be aware of and how to protect your users and your devices.
  • Why MTD should be used in conjunction with UEM and how Wandera is uniquely differentiated to provide the best security solution
  • Demo in Radar to show you how we integrate with UEM

The mobile-enabled enterprise has arrived

Security hasn’t always been a top priority and in the past our solutions have only allowed us to access email so email security solution would suffice for your mobile devices. As phones get smarter and more data is transferred over mobile – over 50% of the corporate internet used over mobile now. This includes a lot of sensitive content, so these devices and their users need to be protected. This is only going to increase.

There has been a shift where 57% of data is now on mobile, because of the move to SaaS and apps, as you move on premise data and applications and services up to the cloud, pretty much every SaaS application has a fully featured app for mobile, whether iOS or Android.

Bringing up a generation now who have entered the workforce and only ever known mobile devices so if they can use that they will do. With SaaS now, you can access the data anytime, on any device, anywhere so it’s leading to a change in data usage patterns.

Leading to a shift in employee expectations

As mentioned, we are moving from on premise to cloud or hybrid service which is breaking down these perimeter fences. You used to be able to only access data while we were in the office or on a VPN so we were using a corporate LAN or corporate Wi-Fi. Now we are seeing that shift to using cellular or public Wi-Fi and hotspots or your home Wi-Fi. Corporately owned devices used to be completely locked down by corporate IT to using any device, whether you want to use your personal device (BYOD) or a mixed mode – corporate owned, personal enabled. All adding to this use of data on mobile devices.

Two key areas of mobile risk

With that it’s bringing different risks which weren’t there before. Two areas of risk, cyber threats and employee usage threats.

Mobile cyber threats

Cyber threats – we’re seeing malicious applications such as malware or jailbreaking apps or viruses, seeing OS exploits – jailbreaking for iOS or rooting for Android. Or just vulnerabilities in the OS which aren’t patched yet, especially prevalent on Android where it’s not always as easy to be up to date on the OS if the manufacturers haven’t released the OS yet.

We’re also seeing data leaks from applications or websites when they are sending data, personal or corporate data in plain text rather than secure with SSL.

Network threats – MitM, where you can be joining public Wi-Fi like in a coffee shop or at the airport and due to poor security in the way it’s set up a malicious actor on the network can intercept that traffic. This could be just sniffing the traffic sent in plain text or impersonating a website, intercepting traffic, redirecting it and making you believe you’re on a real website. Gartner has said one third of all malware will be mobile by 2020 and we’re definitely seeing the numbers to back that up.

We’re also seeing that malicious threats and data threats currently elude standard UEM controls and we want to show you where an MTD can help you secure your devices.

Employee usage risks

We’re seeing the prevalence of shadow IT, 72% employees using unauthorised file sharing services.

So, what is shadow IT? I’m sure a lot of you will know what this is but it is where employees or a whole department are getting a SaaS system and IT know nothing about this. And, whether they mean to or not, this puts corporate data at risk.

We’re also seeing acceptable use issues where employees have a phone on them all the time and it’s viewed as personal. They may be gambling or accessing adult sites or inappropriate material. If your employee is spotted doing that out and about it’s bad for the reputation of your company. It also leads to other issues, we had one company who had a user using gambling on their mobile phone and ran up considerable debts they weren’t able to pay off. They ended up suing the company because the company were the ones who provided them with the mobile device. This ended up going to court, the company did win but it cost them a lot of money and time. While they had lots of protections on their corporate LAN around content filtering blocking gambling sites, they didn’t on their mobile devices.

Then there are insecure applications.

We’ll start with British Airways. About a year and half ago, they had a big data leak due to their app being poorly designed and ended up leaking 380,000 card payments.

Southwest, Air France and KLM among others who were sending out links to boarding passes without using an HTTPS connection which allowed anyone on the network to sniff that traffic and ultimately were able to check in for flights and in some cases you could change boarding details without the user knowing.

On Monday WhatsApp had a big announcement about a security issue on their application, which allowed malicious third parties to inject malware into the phone via WhatsApp with zero user input.

The danger is real

90% of breaches start with a phishing attack, you might think you’re fairly well protected from a phishing attack, especially if the attack comes via email because you have filtering there already, but seeing email is actually only a small vector now and the majority is coming from SMS, WhatsApp and social media.

We saw one from HMRC quite recently, always comes up around end of tax year in the UK, scammer sending out personalised text messages from HMRC saying they were due for a tax rebate, please click here, fill in the details, scammer was getting away with bank details, PPI, everything you need to impersonate a user and steal their identity.

  • 83% of successful mobile phishing attacks take place outside email
  • 70% of Wi-Fi sessions take place over an unencrypted connection
  • 48% of phishing attacks are on mobile
  • 88% rise in businesses targeted by mobile malware
  • 85% of mobile data leaks expose a password

Differences between UEM and MTD and where we can help each other.

UEM – brilliant tool, good at doing device management, pushing out applications, configurations, doing asset management, putting all that useful information onto the device.

Quite often a UEM will include an identity or access management module or if not might be using Okta or Ping. This is generally where it stops, it doesn’t necessarily protect you from network or web threats, and certainly doesn’t do anything around employee usage behaviour.

Gartner is saying malicious threats or data leakage risks are eluding UEM controls.

How we can help

Dive in section by section.

Device configuration and auditing: UEM’s bread and butter, push out a restriction payload, force a passcode on a lock screen on a device, push out everything you need to do your job so email configuration, Wi-Fi configuration, any certificates you need for authentication. Also allow you to remotely wipe that device at the end of its lifecycle or if there is an issue.

MTD can help you do more.

We can pick up the OS exploits, pushing down what applications – you may be pushing out corporate applications but users might be loading their own which we can pick up. If any risky profiles have been installed like they might be installing their own personal VPN application – advertised everywhere these days. But this is now tunnelling your corporate data through someone else’s servers. We’ll also pick up an outdated OS or third party app stores, this more prevalent on Android, quite a lot of applications include third party apps stores within the app itself which will bypass your traditional controls.

With UEM, you can click a button and deploy applications to thousands of devices, seamlessly with no user input. A couple of years ago there was an open standard called AppConfig.org which Apple and Google adopted, allowing you to push down configurations without for an application. A UEM can also monitor status and reinstall applications if you need to.

What UEM can’t tell you is what permission that application has and has it changed. For example if you have a calculator app, why does it need permission to access photos or microphone, camera or GPS – it’s a calculator, it doesn’t need that. If you’re using a business application that’s updated, have any new permissions been added or taken away? Sometimes you may not be aware, those permissions may have been approved at the beginning but now it’s asking for more which aren’t necessary.

What URLs are they accessing? If you’ve got a corporate application with sensitive data, is it sending data to a third party server which you don’t know? MTD can help you see that in real-time.

How secure is that data being sent? Is it in plaintext? Are they using up to date encryption protocols and ciphers? You can’t see that from a UEM but you will see that with an MTD.

Is anyone using third party libraries? App development is big now and can be a complicated thing, quite often you would use third party libraries as functions within your application – what are those third party libraries doing?

Network security layer

Your UEM may have a full device VPN or even a per app VPN, both come with pluses and minuses. If you are using a full device VPN it’s going to eat into your battery life, it also means that you’re sending everything via your network and back out again which is also eating up data bandwidth and slowing things down.

If you’re using a per app VPN, you’re only protecting the applications which have been wrapped by that per app VPN and generally you would only use that for corporate applications which need to access back-end resources. But what about protecting the user or the other applications which don’t need to access back-end resources or even users’ personal applications?

This is where MTD comes into play. Because we are sitting in the network we can pick up data leaks, malware network traffic and where it’s going to. If you are using a risky network such as a coffee shop or airport we can protect you from MitM attacks or always put on full device VPN. If we detect that there is an attack going on so while you’re on that network the traffic securely goes to our cloud and back out. After the network is dropped or threat is gone we can take down that VPN.

We also protect you from phishing, regardless of where that link has come from, SMS, WhatsApp, social network. Because you have to click the link to get to the site we detect that when it hits the network and we block it dead.

Employee usage

Not always about all security, it could be, the blocking of adult websites, illegal websites or malware websites but could also be saving your company money by stopping access to data hungry applications while on cellular or roaming. An example may be Netflix or YouTube – both use substantial amounts of data, ok to use them on Wi-Fi but when you switch to cellular or roaming the last thing you need is an employee downloading full length videos which can cost you a fortune.

How we work hand in hand

It starts with deploying the MTD. We load Wandera into the UEM console with a configuration and we can then push that down to the device seamlessly and silently for the end user.

We can use your UEM tool to reinstall the application if needed or update the configurations.

If we do our UEM integration where we speak to the UEM’s API, we can do things like on the fly reconfiguration. If you have groups set up in your UEM which match your active directory we can mimic those so if you move your device around in your UEM that will be reflected in Wandera, update policies and usage requirements on the fly.

This works two ways, because Wandera is on the device detecting threats in real-time, we can notify the UEM. So if we detect malware or a phishing site or bad network we feed that information back instantly to the UEM so it can take further action, quarantining the device, or feeding it into a compliance engine that then makes a decision to notify the user and remove a profile such as email. Or it could be wiping all your corporate data from that device.

Conditional access

If your device isn’t enrolled in UEM, your SaaS applications via your identity manager have been set up to block access outright.

If you are enrolled in UEM and you have got Wandera installed, then we can do a real-time compliance check. We’ll check your OS is up to date and the configurations on it, check it’s a safe network and not been infected, we can feed that back to your UEM and identity manager which will grant the access token and allow you access to those resources.

Enrolled in the UEM and you have Wandera but something’s not quite right, risky network or you have a bad profile installed, we can feed that back to the UEM and make the decision that even though you are enrolled and you do have Wandera due to these security issues we’re going to block access to that resource.

This then takes you to that Zero Trust model.

In this day and age there are no perimeters anymore, you have on premise apps, you have your SaaS apps. Security in the olden days and even to some companies now, employees only get access to these apps when on the corporate network and that’s where our security lies. But nowadays with a zero trust model, we don’t trust anything until proven otherwise. We don’t trust the user, we don’t trust the network or the device unless we know otherwise.

In this case using your UEM and your identity manager with Wandera to say one, we’ve verified the user and password with your identity manager, maybe with two-factor authentication or a certificate. We know that user is trustworthy at that time. We’ve verified the device, and yes, is it enrolled in UEM, it is on a safe network, it’s secure. So now we can give access to that resource. We continually evaluate the risk on the device and if we notice anything that has changed we feed that back in and give it a score and evaluate if we’re going to continue to allow access to that resource.

Demo

Radar is our one stop portal for all your information about security and data consumption. (Radar on screen) This is what you would see if you had access to Radar, dashboard on screen and the tabs are listed out by use case.

Overview of the dashboard

Presented with when you first log in, it’s been designed to give an at a glance overview of what’s going on in your system, see how many high severity threats, medium and low, drill into those to see more.

We can see how many threats we’ve blocked and change the time period to show some aggregated data.

We can see the overall health of the devices in your system. We can also see stuff about your users, which users have used the most data, what sites have used the most data and how much have they used over this period.

Threat view

Left hand side you can see the severity ratings – high, medium, low. We flag malicious applications, here we see Google’s services which we know is malware masquerading as a Google service. We’ve got WhatsApp which we spoke about earlier having that security vulnerability so it’s now labelled as a potentially unwanted app for any of the WhatsApp versions which are applicable. So while it’s not an inherently malicious application, if it’s an older version it is susceptible to hacking.

Device view

Shows you the overall posture of that device

Under high risk there are a few devices all classified as high risk but maybe for different reasons. This one is high risk because they’ve had a lot of leaked passwords on websites and had a MitM attack as well as a download from a third party app store.

Another one has enabled developer mode, unknown sources, sideloaded applications and downloaded some malicious applications.

You can also start to drill down by threat, here is a zero day exploit we detected, if we drill down we can see some of the further events. All threats are put into a security event log and if you are using a SIEM product such as ArcSight or Splunk for example we can export that in real time to give you that view of not only your mobile estate but feed that in with views you are getting from other products such as your desktop estate.

App insights

UEM is brilliant at pushing applications but doesn’t give you much information about the applications you are pushing out or the applications the user has downloaded from the Google Play Store or Apple App Store.

Here you can see 91% of applications requesting access to media, 71% to address book. And you can drill down into some of these applications and find out more about them. If we look at WhatsApp, it’s not labelled red as it’s not inherently malicious but it does have the potential to be used for malicious purposes. We can see the different platforms using it and the different versions, which devices have those, what permissions it’s requesting so on Android it’s asking for more permissions than what it is on iOS.

You can also see what has changed between versions so if one version asks for less and the new one asks for more we will highlight that. Because we are in the network level we can show you real-time about all the URLs WhatsApp’s been accessing. Also show you if it’s accessing any third party libraries. And even the state of the transport layer security, is it using insecure ciphers or protocols to speak to websites or backend systems.

Acceptable use

We can show you what we’re blocking, so if we have any policies it feeds all the data back into here so you can see which users have gone to where and how they’ve been blocked, what the overall categories are, so how much data per category so you can see social used 36GB this month.

Security policy

Broken out into categories: web content, application threats and network threats. You have the ability to enable or disable individual threats, alert users or alert admins, which response you want, would you like to block it for malware or in the case of a man in the middle attack do we want to secure that network by firing up a VPN. Also see a column called signal EMM. We integrate with your EMM using an API. Majority of EMMs have this and it allows us to get two way data. We can label or tag a device when we detect a threat and you can tag a threat however you like and your UEM can take further action on that.

Block policies

See lots of categories and subcategories, we’ve also got domestic, roaming and Wi-Fi so you can choose to block streaming applications while on domestic and roaming but while on Wi-Fi allow the user to do that. You can add overrides so you can have custom blacklists and whitelists which pre approve things like Office 365 if that’s your chosen SaaS solution.

You can not only do it to everyone, you can add individual users and groups which have their own customized policy. Might have VIPs which are the executive groups which have fewer restrictions than the back office staff.

Data policies

Set limits and hard caps, choose what notifications to use whether it be a push notification or email and alert the admin to any of these security threats.

End of demo

Questions:

Q. Is there a difference between the term UEM and MDM?

A. Started with MDM or Mobile Device Management. Gartner decided to call it EMM. Now have UEM which is slightly different as it includes what you’d traditionally call MDM but adds on management for modern laptops, desktops, Windows and macOS so UEM encompasses your mobile device and your desktop fleet and possibly IoT. Not every MDM supports that, some are still just EMM and others are UEM.

Q. For MTD we know they are not all created equally either. Difference between endpoint mobile security solutions and network security solutions. Can you talk more about those and how Wandera stacks up?

A. MTD has a broadness there so you’ll have some MTD providers who just do antivirus malware protection on device and that’s as far as it goes. There are some that have started to do some network detection using DNS, they are only allowing or blocking specific URLs though, not doing any detection in the network. Then have MTD vendors, Wandera included that do the full network stack, a full DNS solution or a full proxy and monitor what is going on in the network and bring up protection via VPN if need be. We can block the data dead because we are in the path of the traffic.

Q. Have a web security solution they use for their PCs. Can’t they just extend that down to their mobile devices?

A. Yes and no, this depends on your solution. Majority of solutions are legacy ones and they are designed to sit at your firewall and sit in your corporate network and aren’t exposed to the internet. So they would work for corporate devices while they are on the corporate network or had a full VPN going however they are not accessible from the outside world so without that VPN your mobile devices wouldn’t be able to use that. Also, the types of threats we are detecting on mobile devices are specific to the features of mobile device. As mentioned at the beginning 53% of phishing attacks happen outside of email in SMS messages etc. So traditional solutions don’t really pay off for mobile so you really need to look at a solution that is tailored specifically for mobile and Wandera has the largest dataset in the industry to protect our customers from not only known threats but also from the zero-day threats so from the phishing attack we know that a new phishing attack is released every 20 seconds so you need to have a solution which is keeping up with those threats.

Q. Some MDM solutions have had data management functionality in the past which has been discontinued or still have some functionality. How does Wandera compare to that?

A. Yes, some of them do but it’s the way they do it. Some rely on using the stat counters from the device itself, they are not doing anything in the network so they can tell you how much data your phone is using over a period by using an API and going to the settings on your phone but they can’t block traffic, can’t stop that data. Few cases where they can stop the data but then it’s an all or nothing. I.e., you’ve hit 2000 megabytes and everything is stopped. So you can’t allow your corporate applications to be used or choose which applications to be used, can’t block streaming while still in the allowance so it’s an all or nothing approach. This is one of the reasons we do integrate with UEM solutions because we offer more granular functionality into that sort of thing and show in real-time, regardless of whether they are connected to cellular or Wi-Fi or regardless of the country we can show you who the user is and where the data is being consumed and then you can set granular policies back on their whereabouts or based on that connection. The way MDMs collect data is generally they’ll take a sample every 4 hours and then send it back every 8 hours, generally to save on battery life. That means your data is possibly 8 hours behind. A user who is streaming video could have swallowed up 10s of GB more data in that period. We heard today of one user who racked up 100GB of data in a couple of weeks so it is possible to rack up a huge amount of data in a short space of time. With the 8 hour gap you won’t see that spike in data usage until you have something like Wandera in place.

Q. With a UEM solution you can block access to applications, how is Wandera adding value to that?

A. If you have gone down to the complete lock mode where you are disabling app stores or blacklisting application bundle ID we can detect if a user is sideloading these through third party app stores which usually aren’t blocked by those MDM controls. But we can also pick up what that application is doing. You may trust it because it’s from a brand name but as we just found out with WhatsApp, you may trust it because it’s a brand name but it’s also got a major security flaw. We can pick up on those for you. What permissions is it doing, is it doing more than it needs to do. Wandera is not specific to the application either, it’s looking at browser traffic and what we’re finding from our customers is that users are becoming more savvy or sneaky and trying to evade any policies that are set by a UEM solution. For example if you’ve blocked the Facebook application, the first thing users will do is try and access Facebook via the browser and if you haven’t limited access via the browser people will be able to access it there unless you have a solution like Wandera. People have even gone to the lengths of using a browser within an application that is allowed. For example people using the browser in Google Maps to go to sites or to use applications that have been blocked. So you need a solution that is looking into the data to complement your UEM to provide a complete security solution. This is not just Wandera saying it, in Forrester’s vendor landscape report for EMM said ‘if you’re serious about security you need to have Wandera as a complement to EMM to benefit from app scanning, network scanning and from data controls’.

 

 
