Our Take on Maribel Lopez’s “Four Ways to Defend Against a Mobile Security Breach”
Blue Cedar | Sep 15, 2016
Noted mobile and IoT industry analyst Maribel Lopez published an article yesterday regarding how unaware of mobile exposure many organizations still are, and some key tactics they can employ to better protect themselves and their employees and other users. She cites some pretty compelling findings from her own research which show, among other things, that over one-third of organizations don’t view security as a key mobile concern.
Lopez also discusses four ways to defend against a mobile security breach (which is presumably only interesting for the other two-thirds of the surveyed organizations):
Secure application code as the first line of defense – due to the ever increasing demands on mobile application development teams, organizations are struggling to keep up with application testing, putting their apps at risk.
Move security to the app level – In her own words, “Mobile device management is not enough to overcome all of today's mobile challenges.” Nuff said.
Implement multifactor authentication (MFA) – nearly half of all security breaches happen because of compromised credentials, making this a table-stakes requirement for mobile (and really, all) access.
Evaluate threat detection software – it takes 9 months to detect and contain the average security breach, meaning attackers have a long window in which to access compromised systems and spread through an organization’s network. Organizations need to evaluate breach detection services to mitigate these risks.
Lopez is succinct and on-point as always. Read on for our take on her article and how Blue Cedar Networks can help organizations along most of these dimensions with our Atlas Platform:
1) Secure App Code
Atlas helps here in multiple ways. First, we harden your apps by injecting security code that intercepts file I/O calls for Data-at-Rest encryption and network connectivity calls for Data-in-Motion protection. We also bake in policies around how and how often users must authenticate to the app, any requirements you may have around device posture, and many other mechanisms to help you better protect the app. The security code we inject into your apps is constantly being reviewed and is also regularly penetration-tested, both as part of our internal engineering process and by our clients.
While you can certainly use our GUI to select, configure, and inject these policies to harden your apps, many of our clients are using some of our other capabilities to address a second part of Lopez’s point. We expose our hardening engine via REST APIs, allowing customers to build security integration into their DevOps process. The security admin defines app policies once, and then as the developers build multiple revisions of their apps (across multiple platforms), their DevOps process invokes our hardening engine and secures their apps prior to making them available for testing, and ultimately, distribution.
2) Move to the App Level
Blue Cedar Networks was founded on the principle that “the App is the Endpoint”. It’s hard enough to protect a laptop, even when you buy it and image it with your standard posture and keep it current with the latest signatures and updates from your anti-virus, malware protection, threat detection, and IPS / IDS vendors. It’s an impossible task in the Mobile / Cloud era, where the rate of change of devices and operating systems is accelerating, as is the pace at which attackers are discovering new vulnerabilities. You’re better off minimizing your threat surface by embracing the reality that the device may be compromised and instead drawing your perimeter around your app and its encapsulated data.
3) Implement MFA
Strong authentication using digital certificates is one of Atlas’ foundational capabilities. We make certificate authentication super easy and transparent for the end user. The first time a user tries to access a secure app, they are walked through a simple set of in-app steps that transparently integrate with your PKI and securely generate a cryptographic key-pair on their device, ensuring that the private key is generated on the device and is never transmitted on the wire or over the air. Through this process, the user never has to leave the app, remember to download some other tool or utility like a VPN client or an EMM agent or container, or even interact with your IT help desk to get special URLs or cryptic one-time passwords (OTPs).
4) Threat Detection
In addition to using security vendors that focus on the traditional “ounce of prevention”, organizations need to embrace the reality that they are bound to get breached, and it’s quite possible that they’re breached already. Once hackers get in, they can easily mine sensitive organizational data for months without being detected. What’s more concerning is that there are only a limited number of organizations who are using breach-detection technologies today. Without investing in breach detection tools, organizations risk falling into the same trap as Target did, where their existing prevention systems were throwing up so many alerts that the true danger went unnoticed until after 40 million credit card numbers had been stolen. This is beyond the scope of app / mobile security and should be a key piece of your overall security strategy and fabric.
We strongly agree with the points that Lopez makes, and will leave you with her closing statement, “despite the desire for simplified security plans, businesses must continue to pursue layered strategies – and mobile must be part of them.”