1. Understanding the Mobile Security Gap Data Connectors – San Francisco
Brian Duckering
Sr. Mobile Security Specialist
10/19/2017

2. Mobile: The Enterprise Security Gap
48% of enterprises are unsure if they have had a mobile breach!
I don’t have protection against malware on my mobile devices
I am worried about my users connecting to suspicious Wi-Fi networks
I don’t have visibility into vulnerabilities affecting mobile OS/applications

3. Chasm Between – Mobile Usage & Security Spend
Customers
Business mobile consumption exploded (and exploding)
Has your security spend caught up with the explosion?
Hackers are shifting their focus to mobile
DURING COMMUTE
WORK HOURS
EVENINGS
WEEKENDS
"By 2018, 80% of organizations with MTD solutions in place will integrate them with their enterprise mobility management (EMM) solutions, which is an increase from the fewer-than-5% current estimate. "
Global Internet Consumption: Old Vs. New Endpoint
Security Spend: Old Vs. New Endpoint
39% of security professionals claim security concerns are the top inhibitor to mobile adoption
1 in 5 organizations suffered a mobile security breach
IPS
FIREWALL
DLP AV
IDS
A couple of years ago, Global Internet Consumption on the new endpoint crossed that of the old endpoint. Your users spend much more time on their mobile phones as compared to PCs. They are on it from around 6 am in the morning till 12 am at night whereas PCs are mostly used only during business hours.
However, your security spend on the two types of endpoints probably stack up the same way. The old endpoints have decades of security behind them such as – IDS, IPS, AV, Wireless security, USB security, Encryption, DLP, and so on. What about the new modern Endpoints? What kind of security do you have on them? Forget about mobile security being more than a decade old, the whole industry is less than 10 years old and really started in 2007 with the launch of first iPhone.
The last pillar on this slide talks about the change in focus by the adversary. Given the recent mobile explosion and lack of proper security, there recently have been multiple breaches originating from the mobile devices. Some of them are highlighted here. In the past 2 years, 8% of all publically disclosed healthcare breaches compromising more than 500 records came from mobile as per Dept. of Health and Human Services. According to Privacy Rights breach database, the same number for the financial industry is over 15% for the last two years.
110+ min/day
<30 min/day
Source: Dept of Health and Human Services,

4. New Threat Vectors
1 in 5 organizations suffered a mobile security breach
Average cost of each breach is $6.53M
9% of all breaches come from mobile devices 6 months average time to identify a breach
24% of organizations confirmed their mobile devices have connected to malicious Wi-Fi
48% are unsure if there have been incidents
So you have a situation where:
Customers who want to adopt more mobility are held up by security concerns.
Customers who are running a mobile enterprise, do not necessarily realize what the risks are.
If they realize what the risks are, they still don’t have visibility to the actual prevalence of those in their own enterprise.
Together these problems are a significant barrier to mobile adoption and usage, and that is a barrier to AT&T’s future growth.
Devices found with malware during assessments: 3% iOS, 6% Android
39% of Security professionals claim security concerns are the top inhibitor to mobile adoption where 72% of those are most concerned about data loss
39%
72%

5. Many “Security” Solutions
Impossible to transfer traditional solutions to mobile
Mobile Threat Defense is not EMM or traditional security
Mobile cybersecurity is a critical and expensive problem
Mobile Threat Defense requires ongoing, intense research to stay ahead of hackers
Mobile solutions must be improved and updated continuously
Protection must operate 24/7
Mobile Threat Defense and EMM solve very different problems EMM is management, MTD is security (complimentary)
IT needs visibility and proactive remediation of mobile risks
On a fraction of your overall data center or network security budget
Mobile security must aggregate multiple security solution
Malware defense (like AV )
Network defense (like IDS/IPS/firewall)
Vulnerability management (like patch management)
Threat intelligence (like reputation services )
Big data forensics (like breach analytics tools)
Risk management prioritization (like mobile SIEM)
Next gen malware protection (like APT solutions)

6. Network-based Attacks Vulnerability Exploits
EMM and MTD are Complimentary
MTD Mobile Threat Defense
EMM Enterprise Mobility Management
The guards on the walls
Detect threats & attacks
Actively protect the device from:
The locks on the doors
Productivity enablement solution
Policy enforcement
Malicious Apps
Network-based Attacks
MDM
Provision
Control
Manage
MAM
Sandbox
Tunnel
Encrypt
MCM
Access
Edit/Sync
Distribute
Vulnerability Exploits

7. EVERY ORG WITH 500+ DEVICES HAS A ROOTED/JAILBROKEN DEVICE
Mobile Threat Landscape
Physical
Malicious Chargers Drive-by-attacks
NFC Attacks
Bluetooth Attacks
Lost | Stolen | Left in Uber
EVERY ORG WITH 500+ DEVICES HAS A ROOTED/JAILBROKEN DEVICE
Malware
Mobile Malware Detections1
CIA “Vault 7”
Pegasus
XCodeGhost
YiSpecter
Wirelurker
Exaspy
HummingBad
100%+ Growth YoY
18.4M
9.0M
3.6M
2016
2015
2014
MILLION 5 10 15 20
Network
PERCENTAGE OF DEVICES EXPOSED TO NETWORK THREATS
Pineapple Wifigate arpspoof SSL decryption dnsspoof Evil Twin SSL stripping
Content manipulation
Vulnerabilities
MOBILE OS VULNERABILITIES1
Malicious Profiles App-in-the-Middle Trident Stagefright Accessibility Clickjacking No iOS Zone Shared Cookie Stores LinkedOut
So, what mobile threat do we protect against?
According to the SANS Institute, mobile devices encounter four major types of threat vectors (Examples in bold are Skycure findings or discoveries):
Physical
Some of the examples of this threat vector are: malicious wall chargers, drive-by attacks using Bluetooth or NFC and then everything around someone having physical access to your device. In addition to this, in general, we find at least one instance of rooted or jailbroken device in every organization with at least 500 devices.
2. Malware
The next type of threat is malware, which people generally associate just with Android, but that is missing a big section of the mobile attack surface. In fact, every organization we have encountered with more than 200 iOS devices had at least one instance of malware. Some malware examples include: Malware tools developed by the CIA, Pegasus, and Exaspy, a targeted malware we discovered on a Skycure protected device belonging to a VP at a multi-national company. According to Symantec’s threat report ISTR 22, mobile malware detections more than doubled in 2016 to a total of 18.4 Million.
3. Network
Then comes the network threat vector which is at least 5 times more frequent than the malware problem. Our mobile devices connect to 10 to 100 times more networks as compared to our laptops. While switching from 3G, 4G, LTE, Public/Hotel/Airport free Wifi networks they get exposed to many man-in-the-middle and other network attacks such as WiFiGate (Skycure discovery), Evil Twin and Content manipulation. Skycure Threat Intelligence discovered that on an average 40% of enterprise mobile devices undergo a network exposure risk within a single quarter.
4. Vulnerabilities
The last threat vector is Vulnerability exploits. It is not just about the bad apps. It is also about the good apps and operating systems with security holes in them. The chart shows vulnerabilities for both iOS and Android. According to ISTR 22, there were more than 600 OS vulnerabilities affecting both iOS and Android operating systems
“Half of Android Devices Didn’t Get Security Patches in 2016” – Google
2017 PROJECTION
2017 PROJECTION
1- Internet Security Threat Report (ISTR) 2017, Symantec

8. A Day In The Life Of Your Mobile User
8am
Stop for coffee,
connect to free Wi-Fi
or a wall-charger
MITM
SCP/SRP DEFENSE PHYSICAL DEFENSE
Wake up and check mobile
MESSAGE DEFENSE
MMS Attack
6am
7am
Check messages,
click links
Malware
MALWARE DEFENSE
12pm
Lunch around town
Spoofed Corp WiFi
CORP WIFI
DEFENSE
10am
At work, connect to official WiFi
Misconfigured Routers, Corp Espionage
ACTIVE HONEYPOT
9am
Drive to work, connect to ISP Wi-Fi
WiFigate/ Network Attack
NETWORK
DEFENSE
Let us now look at a real life scenario to see how many times in a day SEP Mobile comes into the picture on your employees’ mobile devices.
Let us assume they wake up at 6 am and check their mobile device. In certain cases (stagefright), it is possible for a hacker to send a maliciously crafted MMS message, root the device, gain admin access and delete the malicious MMS, all with no interaction from the user and while they were sleeping. SEP Mobile would detect these malicious MMS using Message Defense.
The next thing they do is check messages and click on a bunch of links, some of which might be attempting to download malicious apps. Verizon DBIR says 66% of malware is installed from malicious s. Malware Defense would proactively protect them before the infection makes it to the device.
On their way to work, they stop by to get coffee and either connect to the free Wi-Fi or plugin their device to public wall-charger both of which can easily be compromised. Physical Defense, Selective Resource Protection and Secure Connection Protection protects corporate communications and sensitive resources.
They get back in their car and start driving to work and on the way connect to a public Wi-Fi network that might come from their carrier or ISP or might be a spoofed one. Network Defense would come to the rescue.
They get to work and their device connects to a corporate router which got compromised overnight and is now decrypting traffic. Symantec’s patented Active Honeypot approach detects this and automatically informs the SIEM solution of a possible breach.
They step out to go get lunch at a nearby deli and malicious hackers have set traps using identical corporate Wi-Fi names to trick business users into connecting to them. Corporate W-Fi Defense knows the exact configurations and device types of the corporate routers and automatically disconnects users from malicious networks.
They go back home, kid is happy to see the parent but happier to see their mobile phone as it is their favorite toy. They download a popular game which actually is a repackaged app that leaks corporate data in the background. Symantec’s patented Repackaged App Defense comes into action.
A new security patch becomes available in some part of the world which fixes a severe vulnerability but your carrier or OS vendor has not informed you about its availability. Vulnerability Defense uses crowd wisdom to not only inform you that it is available but Security Console also shows you the devices that are upgradable, # of issues that can be resolved and the risk that can be avoided.
One of the apps on the device is communicating in the background with a command and control server in Russia where you have no business ties, Mobile Application Reputation Service allows on-demand analysis of public and private apps.
Finally, end of the day, you are tired, your device is tired but the hacker is not. They launch an Advanced Persistent Threat (APT) on the device and are trying to break into it by trying small things at a time, none of which have succeeded yet. Symantec’s Indicators of Compromise compares our app and OS level footprints with 100s of thousands of other devices out there to detect early signs of compromise even before the hacker succeeds.
This is how Symantec allows you to always stay a step ahead of hackers throughout the day.
Child downloads
a free game
Ransomware
6pm
REPACKAGED
APP DEFENSE
New OS not yet downloaded
8pm
VULNERABILITY
MGMNT
Known Vulnerability
Targeted Attack
10pm
MARS
Data Leakage
Unknown
Vulnerabilities
11pm
SYMANTEC
IOC
Mobile APT

9. Mobile Attack Demo 1 2 Threat: Network Attack
Vulnerability: Malicious Profiles
Threat: Malware
Vulnerability: Sideloaded Apps

10. Endpoint Protection Mobile Overview
Threat Intelligence
SEP Mobile crowd-wisdom
Integrated Global Intelligence Network
1000 Cyber Warriors. 175 M Endpoints. 8 B Daily Security Requests.
EMM
EMM
Cloud Server
Risk/compliance visibility Advanced security
Automation & integration
Consistent across Managed & Unmanaged
scenarios
SEP Mobile collects threat intelligence from multiple sources:
SEP Mobile research team and install base for mobile security specific intel
Symantec Global Intelligence Network that has more than 1000 cyber warriors from around 9 SOCs around the world, analyzing data from 175M endpoints and responding to more than 8 billion daily security requests
Third party sources
This helps us provide industry’s unparalleled threat intelligence for all endpoints – traditional and modern.
Public App
Simple deployment & maintenance
Ensured privacy
Minimal footprint
Symantec’s Layered Security

11. On-device Conditional Access

12. Mature Enterprise Console

13. Customer Testimonial
“One of the easiest deployments I’ve honestly ever had with any application.”
– John Dickson, IT Director
2nd largest distributer of beer, wine, and spirits in the US
Revenue: $5.5B
No. Employees: 9000
Business Challenges
Employees and data is highly mobile
Needed extension of existing solutions
Use cases – Shared devices, deployment with no access, secure 900M USD inventory, field employees & drivers
Why SEP Mobile?
Easy to manage, easy to deploy (running within hours)
Control and security reporting on all mobile devices
Secure any mobile device, on any network, and anywhere in the world
Integration with AirWatch
End user privacy completely maintained

14. My selection criteria User experience Privacy Battery life
Cloud was a must
Integrated like glue with Airwatch
Protection against malicious apps, networks and drive-by websites
USER IT
Zimperium had a complicated UX and required scripting
WHO ELSE DID WE LOOK AT?
ZIMPERIUM AND LOOKOUT
Lookout did not do anything for network awareness and protection

15. Management Buy-in was easy
It started with skepticism … 1 2
Leveraged SEP MOBILE’S iOS MALICIOUS PROFILE EXPLOIT
Took over CFO’s iPhone in less than a minute
Easiest sell ever
Received 250 FREE SEATS as part of the trial
30% DEVICES had known vulnerabilities
10 DEVICES had keystroke loggers

16. RNDC Security technologies
AirWatch MDM*
AntiMalware AntiHacking Patch Mgmt
(SEP Mobile)
Mobile Devices SFA/BYOD

17. Overall impact of SEP Mobile
3,900,000 Apps Analyzed
45,000,000 Network Tests Performed
58,000 Incidents mitigated
5,000+ Users
8,000 Devices
Multiple devices had malicious activity
SEP Mobile helped with immediate remediation
Getting more mobile related questions – There is more awareness
Helps to drive more applications into the AirWatch App Store rather than fighting the pushback
This gives us a touch into the salesforce automation program. This was missing earlier.
“Thank you’s” from all associate levels, especially for securing BYO devices and personal data in addition to business data