As enterprises push ahead with mobile-first strategies – and employee smartphones and tablets increasingly becoming business tools – the importance of mobile threat defense (MTD) is growing.
Using mobile threat detection and defense, however, is no small task; the technology must cover applications, networks and device-level threats to iOS and Android phones and tablets to be effective.
"We talk about mobile threat defense, rather than detection – the reason being these solutions not only detect, but also can prevent and remediate threats," said Dionisio Zumerle, research director for mobile security at Gartner.
The MTD market is growing in terms of adoption, and has started to attract attention from endpoint protection platform (EPP) vendors and in other related markets, according to a recent report from Gartner.
By 2019, mobile malware will amount to one-third of total malware reported in standard tests, up sharply from 7.5% of malware today, according to Gartner's Market Guide for Mobile Threat Defense Solutions. By 2020, 30% of organizations will have MTD in place, up from the less than 10% who have it in place this year.
There is still a lot of confusion and uncertainty from end users regarding which risks MTD addresses and how urgent or useful it can be, Gartner said.
Mobile application "reputation solutions," which are used to perform app vetting, are converging with MTD in a single solution.
Machine learning plays a crucial role in threat detection
Additionally, machine learning has emerged as a foundational technology in mobile threat detection, even though it has only been around for a few years.
MTD and machine learning employs on-device software and crowdsourced threat intelligence and behavioral anomaly detection.
Machine learning, simply put, allows computers to develop more sophisticated behavior, such as pattern recognition, without being specifically programmed for it. The idea behind machine learning in MTD is for the software to sit in the background and monitor application and user behavior and identify anomalous behavior.
"By observing how devices behave, you can determine what is normal and what is abnormal behavior, and what might lead to a malicious action," Zumerle said. "Machine learning is one of the ways to speed this process up. Crowdsourcing is another component."
For example, if you have 1,000 iOS devices on iOS 11.1 and most of them have very similar types of firmware, but one of them diverges significantly from that norm, chances are there is a modified library; that modification is abnormal – and it might be done for malicious purposes, Zumerle said.
Malware is harder to find
The ability to monitor user and application behaviors is needed more than in the past. While malware has always been disguised as legitimate apps, it's harder to find now, according Jack Gold, principal analyst at J. Gold Associates, a mobile research firm. How you establish what is anomalous behavior is the hard part.
"Before, you could do a scan of the binary and find patterns that didn't match what they were supposed to do and detect it. Now, malware is often much more subtle and harder to find with a scan," Gold said. "You need to find the behavior of the app."
For instance, developers can build fake apps that pose as legitimate ones, say from Amazon, that will divert an end user to a site that can then steal the sensitive data they enter while attempting to make a purchase.
"How could you find that with a simple scan?" Gold said.
Another example are phishing attacks, which can't be detected through a scan either.
"So, behavior, both by the app and the person, is key to finding bad things happening, and [machine learning and artificial intelligence] are pretty good at that detection if properly trained," Gold said.
But it's a tug of war, Gold added, as the malware and anti-malware developers continue to get better.
"There's no 100% solution," he said, adding that enterprises hoping to thwart mobile threats need multiple levels of defense.
MTD vendors and guidelines
Among the industry's leading providers of MTD solutions are CheckPoint's SandBlast Mobile, Lookout's Mobile Endpoint Security, Proofpoint's Mobile Defense, Pradeo's Mobile Threat Defense, Symantec's Endpoint Protection Mobile, Wandera's Threat Defense, and Zimperium's zIPS Protection.
Many of the MTD products integrate with some or all EMM and MAM vendor solutions, including AirWatch, Blackberry, Microsoft, MobileIron, IBM and SOTI.
Gartner recommends several steps for adopting MTD solutions:
- Introduce MTD solutions gradually, depending on industry, applicable regulations, the sensitivity of data on mobile devices, specific use cases and organizational risk appetite. Policy enforcement will not be enough indefinitely as a security intervention.
- Adopt MTD sooner in high-security verticals, with large Android device fleets, or in regulated verticals, such as finance and healthcare.
- Integrate MTD with enterprise mobility management (EMM) tools. Network traffic proxying deployment options should be selected only where bring-your-own-device (BYOD) is not a factor, and where strict device management is applied.
MTD solutions should not only be able to detect anomalous behavior by tracking expected or acceptable behavioral patterns, it should also be able to inspect mobile devices for configuration weaknesses that could open doors to malware.
The software should be able to monitor network traffic, cutting off suspicious connections as well as scanning applications to identify those that could place enterprise data at risk.
One frustration some enterprises have voiced with machine learning-based mobile security software are false positives, or legitimate apps or user behavior that's flagged as threats when they're not.
"It's a problem with all malware detection, not just mobile. I've downloaded apps I knew were good, but Symantec's software will pop up and say they're bad," Gold said.
MTD, however, is not dependent on machine learning, Zumerle pointed out. There are many simpler things an MTD option can do that may prove more tangible and beneficial to an enterprise right away.
"For example, a dashboard that can simply flag unpatched devices and order them in order of risk," Zumerle said. "Or a policy where an organization can blacklist all applications that, say, send the contact list to third parties outside the user's home country.
"In a nutshell, MTD solutions should be all-around mobile security solutions for enterprises."