11:25 AM
Mike Raggo
Commentary

Anti-Malware Doesn’t Cut It in the Mobile Era

As operating system architectures shift from open file systems to application sandboxes, traditional anti-virus becomes less relevant. Enterprise mobility management provides both proactive countermeasures and reactive mitigation.

It’s no secret that retailers are under attack. Not from masked robbers, but from anonymous criminals who work online. What is less widely known is that anti-malware -- the virtual guardian of the PC era -- won’t protect organizations in an increasingly mobile world. And the pace of change in mobile is so great that certain security standards can quickly become obsolete.

To address the rapidly changing challenges in mobile security, I have had the privilege of working with the Payment Card Industry (PCI) Security Standards Council as part of its PCI Mobile Task Force. We are focused on the emerging mobile point-of-sale (POS) technologies and the evolving mobile threat landscape. As more retailers deploy mobile devices for mobile POS, mobile presents the opportunity for more automated security countermeasures that protect retailers from attack. Therefore, the PCI Mobile Task Force continues to update the PCI guidelines to take advantage of these unique security features.

Learning from recent attacks
Recent retail breaches share a common theme: the attacks involved infecting legacy POS devices. This demonstrates a lack of defense-in-depth strategies within those legacy POS environments.

The nice thing about mobile POS is that when an organization incorporates enterprise mobility management (EMM) and mobile into a retail environment, it comes with a full defense-in-depth strategy. Any holistic security strategy should include both proactive and reactive countermeasures. EMM and mobile enable that in a variety of ways:

Sandboxes make antimalware irrelevant
After analyzing more than 2.5 million apps for our mutual enterprise customers, Appthority found that less than half a percent were malware. Appthority is an app reputation service that integrates with MobileIron’s EMM dashboards.

Traditional anti-malware (especially anti-virus) is becoming less relevant in the mobile era. This is because operating system architectures are shifting from open file systems (Windows 7 and below) to application sandboxes (Android, iOS, Windows Phone/Pro/RT).

For example, on iOS, there isn’t much for anti-malware or anti-virus products to do because neither they nor any other app on the device can access another app's storage or memory. On Android, there is some shared storage and memory, and so there are anti-malware and anti-virus products. But these products only detect and alert, so even on Android, they don't mitigate or remediate the problem once detected, because they can't remove a bad app.

The EMM alternative
The basic difference between anti-malware and enterprise mobility management is that anti-malware for mobile is reactive and doesn’t mitigate the problem once detected. EMM provides both proactive countermeasures and reactive mitigation.

EMM proactive and automated mitigation measures include managing app, content, and device access and creating automated countermeasures for when devices fall out of compliance with security policies. This includes:

Mobile POS proactive and reactive automated protection. Mobile POS (mPOS) can be further protected by EMM. For example, EMM solutions can distribute the mPOS app to the device, which places the app under management and lets EMM enforce controls over it. If a nefarious attack occurs, or the device falls out of compliance (jailbreak, root, disabled PIN, etc.), the auto-quarantine kicks in and can block network connectivity or remove the mPOS app and its data, thus mitigating a breach. In recent retail breaches, the window of compromise on legacy POS devices lasted for weeks or months. With mobile and EMM, organizations can detect malicious apps, as well as when a jailbreak or rooting occurs, and can respond in a matter of hours or minutes. It’s also important to note that this mitigation is automated, without the need for a human in the loop, which minimizes the window of compromise.

Certificates. The PCI Data Security Standard (DSS) 3.0 requirements outline the use of certificates for authentication for WiFi and for remote access. EMM enables this by providing a built-in Certificate Authority and automated distribution of certificates to mobile devices. This deters man-in-the-middle attacks and eliminates passwords, which can be vulnerable to brute-force attacks. This also helps organizations achieve compliance with the Mobile Payment Acceptance Security Guidelines v1.0, Objectives 1, 2, and 3, released in Sept. 2012.

App containerization. App containerization operates through a software development kit (SDK) or app wrapping to separate corporate and personal data so that even if malware is downloaded to the device, the isolated corporate data remains intact and unaffected. It enables enforcement of data loss prevention (DLP) rules to restrict content sharing with unauthorized apps on the device.

App reputation service. Anti-virus and anti-malware are largely ineffective in mobile due to the application sandboxing in iOS, Android, and Windows Phone 8. Arguably the best that these products can accomplish is to identify malicious, rogue, or risky apps. In contrast, an app reputation service in conjunction with EMM can provide a variety of detection as well as countermeasure and quarantine options that remove the human from the loop and automate mitigation:

  • Consistent security policies applied to corporate data such as email, apps, documents, and web pages
  • Device-level lockdown policies when tight control is required

EMM reactive mitigation measures include:

  • Auto-quarantine ranging from a simple blocking of email to an automated selective wipe of the corporate data and apps to avoid a breach. This action can be triggered by a malware download or a jailbreak/rooting action, and the security action knob can be adjusted by the administrator.
  • Integration with app reputation services that monitor the inventory of apps on the device to flag those with undesirable or risky behaviors and trigger a notification, access control, quarantine, or wipe action.
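As an added illustration (not code from the article, MobileIron, or Appthority), a small Python policy evaluator that models the automated compliance checks described above: device posture (jailbreak/root, disabled PIN) and app-reputation findings are mapped to an escalating response, capped by the administrator's "knob". The device records, app identifiers, and reputation list are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Action(IntEnum):
    """Escalating EMM responses, from no action up to selective wipe."""
    NONE = 0
    NOTIFY = 1
    BLOCK_EMAIL = 2
    BLOCK_NETWORK = 3
    SELECTIVE_WIPE = 4

@dataclass
class DevicePosture:
    """Constructed inventory record, as an EMM agent might report it."""
    device_id: str
    jailbroken: bool = False        # jailbreak (iOS) or root (Android) detected
    pin_enabled: bool = True        # device passcode still enforced
    installed_apps: list = field(default_factory=list)

# Constructed stand-in for an app reputation feed: app id -> flagged behaviour.
RISKY_APPS = {
    "com.example.freeflashlight": "uploads contact list to a third party",
    "com.example.mpos-clone": "imitates the corporate mPOS app",
}

def evaluate(posture: DevicePosture, max_action: Action = Action.SELECTIVE_WIPE):
    """Return (action, findings); max_action is the admin knob capping the response."""
    findings = []
    severity = Action.NONE
    if posture.jailbroken:
        findings.append("jailbreak/root detected")
        severity = max(severity, Action.SELECTIVE_WIPE)
    if not posture.pin_enabled:
        findings.append("device PIN disabled")
        severity = max(severity, Action.BLOCK_NETWORK)
    for app_id in posture.installed_apps:
        if app_id in RISKY_APPS:
            findings.append(f"risky app {app_id}: {RISKY_APPS[app_id]}")
            severity = max(severity, Action.BLOCK_EMAIL)
    return min(severity, max_action), findings

def quarantine_fleet(fleet, max_action=Action.SELECTIVE_WIPE):
    """Apply the policy to every device; map device_id -> action for non-compliant ones."""
    results = {}
    for posture in fleet:
        action, _ = evaluate(posture, max_action)
        if action != Action.NONE:
            results[posture.device_id] = action
    return results
```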

Put another way: Where do EMM solutions overlap with mobile security services from the top anti-virus vendors? There is very little overlap, and they take completely different approaches. Traditional security products were built for the security issues of Windows. Mobile architectures are different.

Protection at the speed of mobile
EMM solutions approach mobile security in a different and more complete way than traditional anti-malware solutions do. An enterprise won’t be able to secure mobile apps, content, and devices using only an anti-malware solution. There might be times when enterprises wish to distribute an anti-malware app through EMM to provide additional security, and anti-malware can provide some complementary controls on certain devices, but EMM is quickly becoming the primary approach to protect cardholder data on mobile.

Mike T. Raggo (CISSP, NSA-IAM, CCSI, ACE, CSI) applies over 20 years of security technology experience and evangelism to the technical delivery of mobile security solutions at MobileIron. Mike's technology experience includes mobile device security, penetration testing, ...
Comments
anon8486258036
User Rank: Apprentice
6/20/2014 | 3:06:03 PM
Less relevant but not irrelevant
There are some good points in this article. But I think it is important to remember that AV engines, which do function very much like the app reputation service, will still play an important role in the future. While dynamic analysis tools like FireEye are considered nextgen, you still want an AV or ideally multiple AVs in front of those boxes to weed out the known threats so you can concentrate your resources on the sandbox. We have dynamic analysis and we have a metascan box that uses 8 AV engines to scan everything before the FireEye box. Cuts down on known malware dramatically.

Greg MacSweeney
User Rank: Author
6/25/2014 | 9:43:04 AM
Re: Less relevant but not irrelevant
True. You can't abandon AV altogether... it is still important. As you mentioned, it is important to have multiple layers to protect against threats, since a single barrier is easier to defeat.
kiers
User Rank: Apprentice
6/21/2014 | 4:10:25 AM
How do you ensure Vendors/Stores will implement the latest tech
Yes, there are great technologies out there, and there are RECALCITRANT industry standards set by quasi-government bodies like PCI-DSS.

The Target stores breach proved that Target bore no financial burden compared to customers. So where's the enforcement? PCI and related standards continue to lumber along in the STONE AGE. What will force companies like Target to get their act together????
Becca L
User Rank: Author
6/30/2014 | 12:46:37 AM
Protection to Prevention
Thanks Mike, great points about this evolution in security. It really has moved from an area that focuses on protection to one of prevention, and requires a completely new approach. Managing enterprise security requires a constant finger on the pulse of security technology, and it's interesting to see how mobile architecture is adapting. I don't see malware becoming completely irrelevant in the mobile era, but certainly it is less impactful than in "simpler times."