Talking Mobile Security with Lookout's CTO - Kevin Mahaffey

Endpoint security in the form of PC anti-virus programs was the original computer security solution. For many years it dominated the enterprise security landscape, with blacklist-based signatures warding off viruses on Microsoft operating systems. Fast-forward to today, and the endpoint has become a smartphone or tablet used to access cloud-based assets that are provider-hosted outside the previously safe enclave of the perimeter LAN. Securing these mobile devices, and the ubiquitous apps that differentiate each user’s mobile experience, is thus a challenging goal. It becomes even more challenging as malware such as Pegasus demonstrates the dangerous precedent of remote jailbreaks of your mobile – and this includes iPhones. I had the opportunity to sit down recently with one of the industry’s experts in this area, Kevin Mahaffey from Lookout Security. I asked Kevin to share his technical and market insights into this increasingly important aspect of cyber security.

EA: Kevin, is mobile security a direct extrapolation of PC security? Or are there unique aspects of mobile endpoint security that differ from PC protection?

KM: It’s funny you should ask that question, because Lookout recently announced a partnership with Microsoft to integrate our mobile endpoint security with their enterprise mobility suite. It’s a great example of two companies combining their respective core competencies – ours in dealing with the growing threat of sensitive data loss through mobile device threats, and Microsoft’s in dealing with the day-to-day enterprise IT requirements driving businesses for the past twenty-five years. Now, to answer your question more directly, I’d say that there are significant differences between PC and mobile security, most of which stem from the architectural differences in how each are used in a typical work environment. For many years, employees would store primary copies of their data on a PC, which led to protection approaches that were focused on the native operating system in a PC. In contrast, modern mobility security assumes that mobile devices will inevitably be hacked, but sensitive data and assets stored in the cloud will still be secure. Second—and this is a big one—on many mobile devices, employees combine personal and work activities, preventing organizations from employing restrictive approaches such as binary whitelisting or URL filtering that have become commonplace on enterprise PCs. There are other differences, but these are the major ones.

EA: Can CISO teams separate protection of the mobile from protection of the cloud-hosted app? Or do you need an end-to-end solution for users reaching out to the cloud with their smart device?

KM: I believe it’s only possible to reason about mobile and cloud security together. Why? From the history of PC security, we’ve learned that OS security controls and endpoint protection software cannot guarantee 100% of threats will be blocked. Instead, I advocate for a data and application-centric approach, where you enforce conditional access to your cloud data and applications based on risk information received from a mobile endpoint security agent. Of course, you want your mobile endpoint security agent to catch as much as possible on the device, but you cannot blindly assume it will stop all threats. I believe that all organizations will eventually move to an enforcement model where access to cloud data and applications depends on the security posture of the device accessing them.
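One way to implement the conditional-access model Kevin describes, as an added example that is not from the original interview or from Lookout's own products: a cloud access broker scores a posture report sent by a mobile endpoint agent and decides what the device may do with data of a given sensitivity, failing closed when the agent has gone quiet. The report fields, thresholds and policy matrix are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class DevicePosture:
    """Constructed posture report, shaped like what an endpoint agent might send
    to a cloud access broker (hypothetical fields, not any vendor's schema)."""
    device_id: str
    reported_at: datetime   # last agent check-in
    os_version: tuple       # e.g. (14, 2)
    compromised: bool       # jailbreak/root detected
    malicious_apps: int     # installed apps matched against threat intel
    sideloaded_apps: int    # apps not from an official store

MIN_OS = (14, 0)                     # oldest build still receiving fixes (assumed)
MAX_REPORT_AGE = timedelta(hours=1)  # older reports are not trusted

def risk_level(p: DevicePosture, now: datetime) -> str:
    """'high', 'medium' or 'low'. A stale report fails closed (high): an agent
    that cannot be heard from gives no posture guarantee at all."""
    if now - p.reported_at > MAX_REPORT_AGE:
        return "high"
    if p.compromised or p.malicious_apps > 0:
        return "high"
    if p.os_version < MIN_OS or p.sideloaded_apps > 0:
        return "medium"
    return "low"

# Decision matrix by data sensitivity and risk level; "allow-ro" means read-only
# (no download/sync), the middle ground conditional access makes possible.
POLICY = {
    "public":       {"low": "allow", "medium": "allow",    "high": "deny"},
    "internal":     {"low": "allow", "medium": "allow-ro", "high": "deny"},
    "confidential": {"low": "allow", "medium": "deny",     "high": "deny"},
}

def access_decision(p: DevicePosture, sensitivity: str, now: datetime) -> str:
    """The cloud app asks the broker for a verdict; the device never decides."""
    return POLICY[sensitivity][risk_level(p, now)]

def demo() -> dict:
    """Four constructed devices requesting 'internal' data at the same instant."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh, old = now - timedelta(minutes=5), now - timedelta(hours=3)
    devices = {"healthy": DevicePosture("d1", fresh, (14, 2), False, 0, 0),
               "old-os": DevicePosture("d2", fresh, (13, 7), False, 0, 1),
               "rooted": DevicePosture("d3", fresh, (14, 2), True, 0, 0),
               "stale": DevicePosture("d4", old, (14, 2), False, 0, 0)}
    return {n: (risk_level(d, now), access_decision(d, "internal", now))
            for n, d in devices.items()}
```

Calling `demo()` returns each device's risk level and verdict; note that the stale device is denied even though its last report looked clean.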

EA: To what degree will mobile security rely on accurate threat intelligence? And does this require live threat feeds to the mobile device?

KM: I believe that timely and accurate threat intelligence is the most critical aspect of any endpoint cyber security solution. In fact, you could probably say that good intelligence is the most critical aspect of any cyber security solution. However, effective use of threat intelligence isn’t simply getting feeds of tactical threat indicators such as application binary hashes, domains, and IP ranges and using them to trigger alerts. The reason for this can be seen in the challenges that emerged for the signature-based blacklists used for many years on PCs. I don’t have to summarize here all the issues with signatures, but suffice it to say – everyone soon realized that a different approach was needed. Effective threat intelligence includes two parts. First, a strategic, qualitative intelligence that helps an organization prioritize limited resources against their highest risk threats. Second, tactical threat indicators that can be used, not just alone, but also to add context to machine learning and big-data correlation systems to protect from zero-day threats quickly and reliably.

EA: Why do you think the compliance auditors haven’t been more aggressive in demanding mobile endpoint controls?

KM: I think that auditors, regulators, and compliance managers absolutely are becoming more aggressive in demanding mobile security protections. Granted, most major attacks to date have occurred with the usual assortment of PCs, physical servers, enterprise-hosted systems such as Active Directory, and Internet systems such as DNS. However, everyone on the planet knows that cyber attacks are moving in the direction of mobile, if only because that’s the direction IT is moving. Skilled hackers know full well that if you want to create problems for an enterprise, go after their mobile devices. Now, translating the mobile threat into compliance standards is not straightforward, because compliance standards are typically developed as a trailing indicator of major threats that have occurred in the past. This helps explain why compliance frameworks are often insufficient at stopping new attacks. So, this must change, but as I implied earlier, I think we are moving in the right direction today.

EA: Will we ever see a global attack where users must rush to turn off their mobiles to avoid losing their data or apps?

KM: I hope not, but an auto-propagating worm on mobile is a distinct possibility. Such a worm would likely rely on some form of application or device exploit. On PCs, enterprises can respond to exploits by pushing patches and mitigations to endpoints or blocking malicious traffic on the network. On mobile, however, enterprises do not fully control a device’s firmware update process and can only control the update cycles of enterprise-managed apps. Further, enterprises cannot rely on network mitigations because mobile traffic does not typically traverse the enterprise perimeter. On the positive side, mobile device operating systems have stronger built-in security than PCs, making it more expensive to build such a widespread attack. The best advice I can offer is that deployment of mobile security should become a greater priority so that, if such an auto-propagating worm does occur, organizations will have visibility into which devices are vulnerable and the ability to mitigate the threat.