Agencies are now up and running with their mobile workforces – which means telework is here to stay. But with this increased number of endpoints and phishing as the top threat vector, Feds must be more vigilant about their approach to mobile security, according to Bob Stevens, vice president of Americas, Lookout.
While common, mobile device management alone does not provide a sufficient level of protection against mobile threats; organizations need mobile threat defense, Stevens says. Advances in predictive analytics, as well as threat detection for everything from apps to mobile operating systems, provide agencies with the visibility they need to take action and protect their mobile infrastructures holistically.
Check out MeriTalk’s interview with Stevens to learn how government agencies can increase momentum in mobile threat defense, quickly – and why it’s needed now more than ever.
MeriTalk: What do agencies and their employees not realize about mobile security?
Stevens: Mobile security is important because it’s neglected today. I often refer to it as the soft underbelly for cyberattackers. Most bad actors realize that employees are using their mobile devices to access corporate or government agency data. It’s a prime target for them because it’s a lot easier to hit.
A lot of agencies think they’re protected by their mobile device management (MDM) solutions. Traditionally, MDM has been sold as a security product, even though it’s really a policy enforcement tool – it protects assets on the network, not the device itself. To properly secure the device, you need a security solution on the device actively engaged in near real-time analytics.
MeriTalk: Could you elaborate more on the difference between mobile device management and mobile security? Why is this an important distinction?
Stevens: MDM is a policy enforcement tool. It’s only as good as the policy that’s fed into it by humans. It doesn’t really have the ability to perform predictive analytics, machine learning, or malware analysis on an application that’s loaded on a device. It can’t deliver man-in-the-middle protection or phishing protection on a device. All of those things are required to properly secure mobile devices.
In addition to MDMs, you need a mobile threat defense (MTD) solution like Lookout on a device feeding actionable information into the MDM solution. When somebody downloads an application, Lookout can analyze that application and, within seconds, determine it has malware in it. We then alert the MDM and the MDM can take action.
MeriTalk: CISA recently issued an alert about phishing and other threats that exploit the current pandemic. What other mobile threats is Lookout seeing in the COVID-19 era? What should remote employees and leaders be mindful of?
Stevens: We’ve analyzed over 100 million mobile applications, and phishing is still the number one threat vector. Phishing is easier on a mobile device than it is on your traditional desktop or laptop, where most people have been trained to watch for phishing attempts. On a mobile device, a phishing attempt can come from a text message, an email, or a message in an application like WhatsApp or Telegram. It can come via Facebook Messenger or a website. There are many ways to phish on a mobile device, all of which are very difficult for the user to detect. So, you need some sort of tool on the device that protects against phishing attempts.
This doesn’t mean phishing is the only thing that cyberattackers are using. They’re also using malicious applications. They’re constantly trying to get their apps with malicious content onto application stores. That malware could be installing surveillance like a keylogger to steal your account credentials. It could also root or jailbreak the device in order to operate undetected on your device to steal data.
MeriTalk: What can agencies do now to improve their mobile security posture? Where can they start and what challenges might they face?
Stevens: Agencies can use a mobile device manager. In addition, if they’re not using a container today, I highly recommend looking at container technology so they can keep the personal side of the device separate from the government side of the device. The problem is, those two things in and of themselves don’t make the device completely secure. You also need that third component, mobile threat defense, to ensure the device is protected in near real-time.
A container is good; it’s encrypted. But if somebody can get malware on your device that jailbreaks or reads the device, then that container has become ineffective. The attacker can go back and forth between the personal and the government side of the device to steal all the credentials plus any other data stored on the device. Agencies need a combination of all three things to ensure a secure mobile environment.
As for MDM – most people who have experience installing them understand it takes time to get the policy right. It’s not something that can be installed overnight. You’re constantly updating it. But MTD is different. It can be up and running within a couple of hours. We have one customer who has tens of thousands of licenses. They can push those licenses out to their users on a Monday, and by Friday roughly 95 percent of those users are active with little to no interruption. Ensuring that your devices are 100 percent protected doesn’t have to be complicated.
MeriTalk: How is Lookout uniquely positioned to help improve mobile threat defense for agencies?
Stevens: Our goal is to ensure that agencies’ mobile infrastructure is protected in every way. Part of that involves protecting the mobile device where other tools aren’t as effective. Another aspect is device integrity – making sure that the operating system hasn’t been tampered with (e.g., rooted, jailbroken, sideload apps). Then we make sure applications are free from malicious content.
Next, we provide agencies with visibility into what’s occurring in their mobile environment. Although applications are never really “free” from vulnerabilities, we ensure that no exploit has been written against those vulnerabilities. And with mobile becoming more and more prevalent, that’s the visibility government agencies need but don’t necessarily have yet. Yes, the government gets tons of data, but what they really need is actionable data.
Lastly, something that’s really exciting for us is that Lookout recently received FedRAMP JAB P-ATO authorization. What that means is that agencies across the federal government can quickly and confidently work with us to make sure that their data and privacy are secure.
MeriTalk: You spoke about the increased prevalence of mobile, and we see that 90-95 percent, or even 100 percent of workforces are teleworking. In this new environment, do you think a lot of agencies are adequately prepared?
Stevens: I don’t think they’re as prepared as they should be. Agencies have a long way to go in ensuring that mobile devices are protected and, more importantly, the data on those mobile devices are protected. That’s what matters in the end – that the data accessed by the mobile device isn’t compromised in any way or removed from the device. Or, worse yet, the concern is that a cyberattacker steals government credentials from the device and can log into the network, going undetected for years.
Most agencies have been reluctant to embrace mobile as a means to access data, but that has clearly changed in the last eight weeks. Telework is here to stay. We have people with all types of devices accessing their data now outside the government’s security controls. Agencies need to protect their data everywhere, not just focus on the legacy desktop or laptops.
MeriTalk: How can mobile threat defense support agencies’ broader goals of enabling Bring Your Own Device (BYOD) programs?
Stevens: For years, agencies have looked at BYOD and thought they couldn’t implement it due to privacy concerns. A mobile device management agent would collect data that the employee might not want collected from their personal device. In contrast, you can install a MTD technology like Lookout on the device without a mobile device manager. MTD can still protect the applications on the device, protect against phishing and malware, and promote safe browsing. It helps eliminate the privacy concern because you’re not collecting personal data from the device.
MeriTalk: Agencies are also rolling out mobile apps and other digital citizen services. What key considerations should these agencies make from a DevOps perspective?
Stevens: Developers do a good job of ensuring that applications are secure for citizen use, but the part that’s missed is device integrity. If the device is insecure (e.g., jailbroken or rooted) and there’s something like a keylogger, surveillance, or some other malicious content on the device, it doesn’t matter how secure the app is. The attacker is still going to get the information they are looking for.
Take voting for example. If we’re going to roll out voting with mobile applications, developers will have to take a closer look at embedding technology that ensures the integrity of the device, as well as the application that’s used. It has to be much broader than just ensuring that applications are secure – it’s the whole system.
Learn more about Lookout mobile threat defense solutions for government.