Why You'll Care More About Mobile Security in 2020 - Tom Bain (@tmbainjr1)

Uploaded by: ec-council
Posted on: 28-Jan-2018

TRANSCRIPT


Presentation Agenda: WHAT WE'LL COVER TODAY

• Today's emerging 'threatscape' and the key trends impacting mobile security
• Common and emerging exploits and their impact
• Seven steps to tackling mobile security, and a glimpse forward

About CounterTack: Big Data Endpoint Detection & Response

• Next-generation security firm in the EDR market
• Venture-backed endpoint security organization with $56M total raise
• Office locations: Boston; Los Angeles; Sacramento; Washington, DC
• EDR and IR product suite (200+ customers): Sentinel, Active Defense, Responder PRO
• Recognized by Gartner, 451, ESG and Forrester
• Android sensor to GA soon

[Investor logos shown on the slide]

Who Am I?

@tmbainjr1 / @CounterTack

• 13+ years in information security
• CounterTack | MCSI, Security Innovation, Q1 Labs/IBM, Application Security, Inc./Trustwave, Sophos, WAVE Systems
• Conferences: Hacker Halted, Global CISO Forum, SecureWorld Expo, ISSA, OWASP, Boston Security Conference, Terrapin Cybersecurity Conference, Strata + Hadoop World
• Struggling musician
• Mobile device owner

TODAY'S EMERGING 'THREATSCAPE' + KEY TRENDS

Enterprise and Individual Threats are Colliding

You Can't Defend Against What You Don't Understand

In 2014, 95% of major data breaches were unknown.

[Pie chart: "Known previously" 70%, "Unknown" 30%]

Source: 2015 Verizon Business Data Breach Investigations Report

The Mobile Explosion: ENTERPRISE SPENDING

• 73% of organizations plan to increase spending on mobility
• Enterprise/Fortune 500 companies spend an average of $34M developing mobile apps for business purposes
• 5.5% of the mobile budget is targeted at app security
• Only 50% of organizations allocate budget toward securing mobile apps
• 62% of enterprise organizations say mobile computing increases the difficulty of security management

The Mobile Explosion: ENTERPRISE PRIORITIES

• 25% of organizations state that mobile computing platforms are their highest software development priority
• 66% of organizations say that mobile platforms will become the dominant software development priority over the next 24 months
• 55% of enterprises believe mobile computing increases productivity
• 300M mobile devices sold per quarter

Source: 2014 State of Mobile Security, Enterprise Strategy Group

Today's Threatscape: INCREASED RISK

• Mobile threats are more pervasive and more sophisticated
• Users continue to engage in risky behavior
• IoT has opened up a new attack surface
• Organizations find assessing their mobile security risk levels challenging
• Building a mobile security policy presents multiple challenges and needs sponsorship
• Targeting an individual can help penetrate an organization

Today's Threatscape: MOBILE MALWARE, JUST LAST YEAR

• 98% of all mobile malware targets Android users
• Kaspersky: 3.4M malware detections on 1.1M devices
• 60% of all attacks are capable of stealing users' money
• Reported attacks have increased more than 6X (from 35K in August 2013 to 242K in March 2014)

Today's Threatscape: MOBILE MALWARE, A YEAR LATER

• By the end of 2014, an estimated 16M devices were infected with malware
• 80% believe mobile malware will become significantly or somewhat more dangerous over the next two years
• An estimated 11.6M devices are infected with malicious code at any given time
• Closer to 99% of all mobile malware targets Android users
• 57% of all malicious programs detected by Kaspersky were SMS Trojans (malware that sends premium-rate text messages from the victim's device)

Today's Threatscape: WE ARE SEEING THE IMPACT

• 47% reported a security breach resulting from a compromised mobile device in 2014.
• 90% of the most popular mobile applications have been breached (multiple times).

Why Are We Here? CAUSES/PATTERNS

• Lost/stolen devices
• Jailbroken devices
• Device misuse
• Third-party apps downloaded from outside the App Store or Play Store
• No formal mobile security policy

COMMON & EMERGING EXPLOITS + IMPACT

Specific Threats & Impact

• Stagefright: a single text (MMS) message; 950M devices exposed
• FakeToken / Svpeng (spelled "Spveng" on the slide): $1M and 350K devices, as shown on the slide

Exploits @ Black Hat

• Universal Android Rooting
  ‒ Researchers: KEEN Team (Wen Xu), @K33nTeam
  ‒ Achieved permanent root on most Android devices through kernel memory control
• iOS defense: TrustKit
  ‒ Researchers: Data Theorem
  ‒ A new technique for SSL pinning on iOS 8 (a defensive pinning library rather than an exploit)
  ‒ https://datatheorem.github.io/ios/ssl/2015/08/08/introducing-trustkit/

Android Kit Resources / iOS Kit Resources

[Link slides; the resource lists were not captured in the transcript]

SEVEN STEPS TO TACKLING MOBILE SECURITY HEAD-ON

There's No One 'Right' Way to Do It

1. START WITH A CHECKLIST: Assess Your Risk

✓ Take an inventory of your high-risk apps and mobile applications.
✓ Determine business criticality.
✓ What's your attack probability?
✓ How do you define the attack surface?
✓ Consider overall business impact.
✓ Where does compliance factor in?
✓ What are the security threats?

2. VERIFY CHALLENGES: Examine & Verify BYOD Challenges

[Diagram of six challenge areas]
• Devices
• Data/Content
• Applications
• Users
• Policy Management
• Integration

3. DETERMINE WHO & WHAT THEY DO: Access Controls & Organizational Roles

• Which departments, groups or individuals have been most active in developing policies?
• Has there been any previous collaboration between policies and their authors?
• Can you identify a potential champion (or champions) to support the new policy?
• Where is there agreement on commonly implemented controls across policies?
• Supporting documents, materials and related policies should be cited in the mobile device policy.

4. FACTORS INFLUENCING HOW YOU BUILD A POLICY: Phase I, Policy Construction

✓ Consider risk scenarios in your business.
✓ Adapt from proven or trustworthy models.
✓ Measure perception.
✓ Understand roles, privileges and what's in place today.
✓ Get granular with your questions and considerations.
✓ Figure out a strategy for testing your applications.
✓ Policy enforcement.
✓ Raise awareness / required training.

5. GET GRANULAR & SET OBJECTIVES: Phase II, Further Define Policy

• Provide contextual, technical guidelines
• Map to compliance mandates
• Consider the criticality of the application and its data
  ‒ Requirements, activities and the level of detail needed will differ
• Have clear exception policies where necessary
  ‒ What if minimum standards can't be met? What is considered acceptable? Who approves?
• Include internally built and third-party applications
• Reflect the current maturity and skill set of staff
  ‒ The more skilled the staff, the less explicit you need to be with policies

6. BUILD ON BROADER POLICY: Mobile Device Management Strategy

• Establish certificate policies to require valid signatures (VPN, email, Wi-Fi)
• Policy on no rooting: wipe if violated
• Define the platforms supported (firmware specs, OS levels)
• Reporting of lost or stolen devices
• Password policy: complexity, length, time-out and limit on retries
• Right to wipe: the organization can reserve this right
• Containment: data and apps isolated by authentication and crypto (separate from the underlying platform for greater visibility)
• Static application testing

7. ENFORCEMENT STRATEGY IS CRITICAL: Enforcement of Policy

• You need management buy-in!
• Broad strategy vs. targeted strategy roll-out
• On-boarding:
  ‒ Require all device info as part of the hiring process
  ‒ Require policy training up front
• Require training for various departments:
  ‒ General population receives awareness training
  ‒ Technical employees receive in-depth training
• Monitor for effectiveness, e.g. deliver training or a reminder when an employee is out of compliance.
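Steps 6 and 7 state the MDM rules and the enforcement response as prose. As an added example, not part of the talk and not any MDM product's API, here is how those rules look once encoded as data and evaluated over device posture reports, returning the step-7 action (remind, block, or wipe) together with the specific findings the reminder should name. The policy values, the Device and Policy schemas, and the sample fleet are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Action is the enforcement outcome for one posture report; a larger value is more severe.
type Action int

const (
	Compliant Action = iota
	Remind           // user-fixable gap: deliver a reminder or training (step 7)
	Block            // deny access to corporate data and apps until fixed
	Wipe             // the organization exercises its reserved right to wipe (step 6)
)

func (a Action) String() string { return [...]string{"compliant", "remind", "block", "wipe"}[a] }

// Policy holds the step-6 MDM rules as data (hypothetical schema, not any MDM product's).
type Policy struct {
	MinOSVersion                               map[string]string // platform -> lowest allowed OS level
	MinPasscodeLen, MaxRetries, MaxLockTimeout int               // characters, unlock attempts, seconds
	RequireComplex                             bool              // passcode must mix letters and digits
}

// Device is one posture report as an MDM agent would submit it (hypothetical schema).
type Device struct {
	ID, Platform, OSVersion               string
	Rooted, ReportedLost, PasscodeComplex bool
	PasscodeLen, RetryLimit, LockTimeout  int // RetryLimit/LockTimeout of 0 means the control is disabled
}

// versionLess compares dotted version strings numerically, so "7.1" is below "10.0".
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	num := func(v []string, i int) int {
		if i >= len(v) {
			return 0
		}
		n, _ := strconv.Atoi(v[i])
		return n
	}
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := num(as, i), num(bs, i); x != y {
			return x < y
		}
	}
	return false
}

// Evaluate returns the most severe action for a device plus every finding, so the step-7 reminder is specific.
func (p Policy) Evaluate(d Device) (Action, []string) {
	worst, findings := Compliant, []string{}
	note := func(a Action, msg string) {
		findings = append(findings, msg)
		if a > worst {
			worst = a
		}
	}
	if d.ReportedLost || d.Rooted {
		note(Wipe, "device reported lost/stolen or is rooted/jailbroken")
	}
	if floor, ok := p.MinOSVersion[strings.ToLower(d.Platform)]; !ok {
		note(Block, "platform "+d.Platform+" is not supported")
	} else if versionLess(d.OSVersion, floor) {
		note(Block, fmt.Sprintf("OS %s is below the minimum %s", d.OSVersion, floor))
	}
	if d.PasscodeLen < p.MinPasscodeLen {
		note(Remind, fmt.Sprintf("passcode length %d is below %d", d.PasscodeLen, p.MinPasscodeLen))
	}
	if p.RequireComplex && !d.PasscodeComplex {
		note(Remind, "passcode does not meet the complexity requirement")
	}
	if d.RetryLimit == 0 || d.RetryLimit > p.MaxRetries || d.LockTimeout == 0 || d.LockTimeout > p.MaxLockTimeout {
		note(Remind, "unlock retry limit or auto-lock timeout is disabled or too lax")
	}
	return worst, findings
}

// ExamplePolicy and SampleFleet are constructed for this demonstration, not real data.
var ExamplePolicy = Policy{
	MinOSVersion:   map[string]string{"android": "6.0", "ios": "9.0"},
	MinPasscodeLen: 6, MaxRetries: 10, MaxLockTimeout: 300, RequireComplex: true,
}

var SampleFleet = []Device{
	{ID: "d1", Platform: "android", OSVersion: "7.1", PasscodeLen: 8, PasscodeComplex: true, RetryLimit: 10, LockTimeout: 120},
	{ID: "d2", Platform: "android", OSVersion: "5.1", PasscodeLen: 8, PasscodeComplex: true, RetryLimit: 10, LockTimeout: 120},
	{ID: "d3", Platform: "iOS", OSVersion: "9.3", Rooted: true, PasscodeLen: 6, PasscodeComplex: true, RetryLimit: 10, LockTimeout: 60},
	{ID: "d4", Platform: "iOS", OSVersion: "10.0", PasscodeLen: 4, RetryLimit: 0, LockTimeout: 900},
}

func main() {
	for _, d := range SampleFleet {
		action, findings := ExamplePolicy.Evaluate(d)
		fmt.Printf("%s (%s %s): %s %v\n", d.ID, d.Platform, d.OSVersion, action, findings)
	}
}
```

The severity ordering is the design point: a rooted device is wiped regardless of how good its passcode is, an unsupported or outdated OS is blocked rather than merely reminded, and only user-fixable items fall through to the reminder path that step 7 describes.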

LOOKING FORWARD: What Can We Expect?

Rinse and Repeat

[Cycle diagram: People, Process, Technology, Data, Implementation]

By 2020 (figures shown on the slide):

• 5.1% of global GDP (mobile industry)
• 56% of people globally own a mobile device
• 100M infected devices
• 4.3B unique subscribers

Sources

• Containing Mobile Security Risks with the 80/20 Rule, Gartner
• 2015 Mobile Security Trends, IBM Security Systems
• The State of Mobile Computing Security, 2014, Enterprise Strategy Group
• Introducing the Mobile Security Assessment and Audit Framework, Gartner
• Motive Security Labs 2H2014 Malware Report, Motive Security/Alcatel-Lucent
• Mobile Cyber Threats, Kaspersky/Interpol study
• Managed Diversity Model for BYOD and CYOD to Manage and Safeguard Users, IT and Business, Gartner

Thank you. Tom Bain

@tmbainjr1 / @CounterTack