Fixing Enterprise Mobile Blind Spots in Attack Detection

Back in May of 2016, intrusion detection vendor Cyber adAPT announced that it had completed $15M in aggregate Series A funding with Black River Investments. I’d been hearing Cyber adAPT CEO Kirsten Bay speaking around the cyber security community, and her comments and insights were impressive. So, my guess was that she would move quickly to take strategic advantage of the new financial investment.

It didn’t take her long, because just weeks later, Cyber adAPT announced that it was acquiring Mobile Active Defense, a cyber security company focused on protecting traffic into and out of all enterprise BYOD and other mobile devices. The two companies had already been integrating their technology for customers, so the acquisition was not done out of the blue. The technical groundwork had already been done. The resulting solution is called Secure Device Management (SDM).

It’s worth taking a moment to analyze why this combination of advanced intrusion detection/prevention with secure mobile device management is essential. Ask any modern enterprise security team about their internal deployment of IDS/IPS, and you’ll often hear that collection and analysis are performed out of band from mobile device management, BYOD usage, and the other aspects of enterprise mobility. MDM tools are certainly deployed and used, but they are often not integrated with attack detection functionality, so a device enrolled in MDM can still generate traffic that no detector ever sees.

This approach is no longer acceptable, simply because the attack surface of every enterprise now stretches to include mobile devices and their support infrastructure. Traditional IDS/IPS deployments therefore contain blind spots, and those blind spots create meaningful gaps in log management, security information and event management (SIEM), and audit infrastructure: an event that is never captured cannot be correlated, alerted on, or produced for an auditor. It’s surprising that more compliance and regulatory managers have not yet noticed this problem. But when they do, my guess is that they will begin raising a gigantic fuss about getting this fixed.

That such a gap exists is understandable, since attack detection platforms were created before the enterprise was using mobility in a meaningful way. The evolution of IDS/IPS platforms thus did not typically address enterprise mobility attributes, protocols, and endpoint designators such as the International Mobile Subscriber Identity (IMSI) carried on a device’s SIM. Packet capture of IP traffic was usually in-band with the computing servers, local area networks (LANs), and Internet gateways, where a sensor keyed on IP address was enough. And to be honest, the IDS/IPS industry was having a fair amount of trouble making sense of this traditional traffic, especially in reducing the barrage of false alarms that characterized first-generation attack detection.

The consequences of blind spots in enterprise mobile intrusion detection should be obvious. The divide between mobile and traditional computing keeps blurring, with employees moving back and forth between the two all day long. The split tunneling in Cyber adAPT SDM was designed with this in mind. A split tunnel is convenient for users who need both corporate resources and Internet resources as part of their work, but that convenience only helps the defender if the traffic on both legs is captured and analyzed; an Internet leg that bypasses inspection is exactly the kind of blind spot at issue here.

But more importantly, it is the holistic coverage across all forms of enterprise communication that is so critically important to enterprise cyber defense. The likelihood that a phishing e-mail, for example, will be opened on a mobile device is far higher than it was a few years ago. And with malware such as Pegasus identified in the wild, which jailbreaks a device remotely once the target follows a link, enterprise security teams must act now to close any gaps between their traditional and mobile traffic.

I had the good fortune to spend some time recently with members of the Cyber adAPT team, to go through their technology and how it integrates IDS/IPS with secure mobile device management. I liked the seamless integration of the detection algorithms with alternative metadata from mobility. It’s interesting how the basic heuristics for detecting attacks, such as deviation from norm, distance from profiles, matches on detected signatures, and the like, are easily transferable between domains. This was never an assumed result in my mind, so I’m glad that Cyber adAPT is having success.
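To make the transferability point concrete, here is an added example (written for this page, not Cyber adAPT’s or any product’s code) in which one set of heuristics, a signature match on known-bad destinations and a deviation-from-profile check, runs unchanged over flow records from a LAN host keyed by IP address and from a mobile device keyed by IMSI. Every endpoint, destination, byte count and the indicator list are constructed for illustration: the IMSI uses the 001/01 test network range and the destinations come from the TEST-NET documentation ranges.

```python
# Added example: the same detection heuristics applied to LAN and mobile flows.
# All endpoints, destinations and byte counts are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    endpoint: str   # "ip:<addr>" for a LAN host, "imsi:<digits>" for a mobile device
    dst: str        # destination address of the flow
    bytes_out: int  # bytes sent by the endpoint in this flow


# Hypothetical indicator list (constructed; TEST-NET addresses, not real indicators).
KNOWN_BAD_DESTINATIONS = {"198.51.100.23", "203.0.113.77"}


def build_profiles(history):
    """Per-endpoint baseline (mean, population stddev) of bytes_out.

    The endpoint key is opaque to the heuristic, so an IMSI-keyed device gets a
    profile exactly the way an IP-keyed host does.
    """
    samples = defaultdict(list)
    for f in history:
        samples[f.endpoint].append(f.bytes_out)
    return {ep: (mean(v), pstdev(v)) for ep, v in samples.items()}


def zscore(value, profile):
    """Distance of a value from the endpoint's profile in standard deviations."""
    mu, sd = profile
    sd = max(sd, 0.1 * mu, 1.0)  # floor so a flat baseline cannot divide by zero
    return (value - mu) / sd


def detect(history, live, threshold=3.0):
    """Run signature and deviation-from-norm checks over live flows.

    Returns a dict with three lists:
      signature  - flows to a known-bad destination
      anomaly    - (flow, z) pairs whose bytes_out deviates from the endpoint's profile
      unprofiled - flows from endpoints with no baseline at all (the blind-spot case)
    """
    profiles = build_profiles(history)
    result = {"signature": [], "anomaly": [], "unprofiled": []}
    for f in live:
        if f.dst in KNOWN_BAD_DESTINATIONS:
            result["signature"].append(f)
        if f.endpoint not in profiles:
            result["unprofiled"].append(f)
            continue
        z = zscore(f.bytes_out, profiles[f.endpoint])
        if z > threshold:
            result["anomaly"].append((f, round(z, 1)))
    return result


# Constructed history: a laptop on the LAN and a handset identified by a test IMSI.
LAPTOP = "ip:10.0.0.5"
HANDSET = "imsi:001010123456789"
TRAINING_FLOWS = (
    [Flow(LAPTOP, "192.0.2.10", b) for b in (1200, 1500, 1300, 1400, 1100, 1350, 1250, 1450)]
    + [Flow(HANDSET, "192.0.2.10", b) for b in (300, 350, 320, 280, 310, 340, 330, 290)]
)

# Constructed live traffic: one normal flow per endpoint, one large outbound burst per
# endpoint, a handset flow to a listed destination, and a device never profiled.
LIVE_FLOWS = [
    Flow(LAPTOP, "192.0.2.10", 1380),
    Flow(LAPTOP, "192.0.2.44", 6000),
    Flow(HANDSET, "192.0.2.10", 9000),
    Flow(HANDSET, "198.51.100.23", 320),
    Flow("imsi:001010999999999", "192.0.2.10", 310),
]


if __name__ == "__main__":
    findings = detect(TRAINING_FLOWS, LIVE_FLOWS)
    for kind, items in findings.items():
        print(kind)
        for item in items:
            print("  ", item)
```

The output worth noticing is the `unprofiled` list: the handset the collector has never seen is neither matched nor scored, which is the mobile blind spot in miniature. Until mobile endpoints are fed into the same profiling pipeline as LAN hosts, that list is where their activity lands.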

In short, if you are a member of an enterprise security team, then it is no longer OK to leave your mobile device management, infrastructure support, and traffic analysis separate from your existing IDS/IPS solutions. It’s time to bring these together, and you might do yourself a favor by inviting Cyber adAPT to come and explain exactly how their offering accomplishes this task.