ENTERPRISE ARCHITECTURE RESEARCH GROUP INTELLIGENCE BRIEF

Enterprise Intelligence Brief

Mobile Security

Q3 2019

NSS LABS RESEARCH NSS Labs Enterprise Intelligence Brief: v1.0

Overview

Some say the hyperconnected world has arrived; others say we are only at the beginning, visualizing an ecosystem with billions of interconnected, often mobile, systems. Today’s mobile devices have many form factors and distinct use cases, which makes defining a mobile device surprisingly difficult and makes efforts to understand mobile device risk even more so. It follows, then, that building a management and security strategy for these devices—one that does not introduce needless risk nor restrict employee productivity—is challenging.

Sidebar: Anti-threat capability, privacy options, regulatory compliance, strong encryption, and end user impact are reported priorities for evaluating mobile security products.

An astounding variety of mobile devices have been introduced to the corporate infrastructure. Obvious mobile device examples include smartphones, tablets, and laptops. Newer, not-so-obvious devices are wearables (e.g., watches, with or without /LTE) and IoT (e.g., embedded OS-based systems integrated into Microsoft Office365 or Google G Suite, such as a smart Wi-Fi-based wall-mounted calendar). All of these expand the threat surface area, add uncertainty, and introduce risk.

IT consumerization (e.g., BYOD) has added an overwhelming number of unknowns for an enterprise. Enterprise IT security teams tasked with managing mobile risk must answer important questions prior to selecting a mobile security product. Should mobile security policies target device control, application control, data security, or should they take a multi-faceted approach? Should access to corporate data be restricted by ? What are the minimum needs for multi-factor authentication (MFA), and how can mobile technology enable broader requirements? Will threats found on mobile devices be prioritized, and how will alerts be communicated? Which teams will manage IoT and cross-platform operating systems? Should existing network security products (e.g., next generation firewall, intrusion detection system, traffic analysis) be leveraged, and if so, how?

Organizations pursuing mobile management and security as a path to reduced risk find themselves in the middle of a rapidly evolving industry. Product consolidation is constant, and the line between mobile device management (MDM) and newer product categories has blurred. Endpoint mobility management (EMM) was the first product category to combine centralized management, configuration, and security functionality into an “all-in-one” technology. Unified endpoint management (UEM) is the most current iteration of this product, incorporating client management and endpoint security product toolsets, productivity apps, more mature authentication and authorization features, and broader OS support for systems including Microsoft Windows 10, Apple macOS, Linux, and even, in some cases, IoT. An enterprise intolerant to risk must choose the product that aligns with mobile device assets present in its environment, efficiently integrates with existing security products, and enables a streamlined, low-impact workflow for users that discourages circumvention of mobile security policies.

Many CISOs focus their efforts on high-risk areas that they can control, such as requiring network isolation for mobile devices, establishing geofence-based access policies, and prioritizing threats found on devices with network carrier technology. They may also implement strategic but sometimes unpopular policies, such as restricting highly targeted or open operating systems, enforcing the use of secure mobile applications instead of more commonly available (and often easier to use) options, and enforcing strict authentication and access control. Enterprises inevitably balance policy with risk acceptance, often relying on a combination of tools and user training to reduce exposure.

This report is Confidential and is expressly limited to NSS Labs’ licensed users. 1 NSS Labs Enterprise Intelligence Brief: Mobile Security v1.0

Key Findings

• More than half of all respondents reported that mobile threats were a higher risk to organizational assets than other cyber threats.
• 49.4% of respondents reported poor user awareness as the greatest challenge to mobile security strategy.
• 32.1% of respondents strongly agree and 45.5% agree that their companies respect privacy on mobile devices.
• For respondents with mobile security, the average rating of their protection was 76.1 out of 100; respondents without mobile security rated their protection as 70.1 out of 100.
• IoT is the fourth most often identified device capable of accessing corporate assets.
• 12.3% of respondents reported user bypass of security policies as a very frequent occurrence and 25.1% reported it as a frequent occurrence.
• Respondents reported deployment of the following mobile device technologies at their organizations: MDM (57.0%), MAM (45.7%), MTD (44.9%), EMM (39.6%), MCM (39.3%), MIM (38.5%), and UEM (37.2%).
• Application control and regulation compliance are the top drivers for deploying a mobile security technology; “mobile security is not a pressing need” and privacy are the top drivers for not deploying.
• The technologies reported as most commonly affecting mobile security are security information and event management (SIEM), secure web gateway (SWG), distributed denial-of-service (DDoS) prevention, next generation firewall (NGFW), and threat detection and analytics (TDA) products.

Observations

• BYOD (i.e., IT consumerization) affects enterprises of all sizes.
• UEM represents a chance for enterprises exploring mobile security to revisit their endpoint security strategy.
• The definition of security varies by mobile vendor; the term can, for instance, reference encryption, or URL filtering, or full anti-threat capabilities.

Recommendations

• Enterprises should focus on user training, as it remains a key component to reducing mobile device risk.
• Identification and authentication workflows are critical for successful mobile security, and organizations should focus product selection efforts on products that minimize user impact while decreasing risk.
• An organization must define what a “mobile device” is in its environment, as this will affect which security tools it chooses; the IT team must adopt the same terminology for consistent execution of strategy.
• Mobile security technology is evolving; in the interim, risk-intolerant enterprises should maintain a strict defense-in-depth approach to their IT security architectures.
• For Wi-Fi-based mobile devices that must connect to corporate networks, organizations should rely on deep packet inspection for anti-threat using devices such as NGFWs, breach prevention systems (BPS), TDA products, and intrusion detection systems (IDS).
• At a minimum, organizations concerned with risk from mobile devices should provide network isolation and control access to corporate email and data through secure applications.
• Environments with Microsoft Windows 10 and strict application control and security requirements should deploy multiple agent types and should test compatibility carefully during proof of concept (PoC).
• PoCs for mobile device security should test anti-threat capabilities, privacy options, regulatory compliance, strong encryption, and impact to the end user.
• Mobile device risk tolerance and employee business enablement should be evaluated with the same priority level.


2019 NSS Labs Mobile Security Study Methodology Summary

In the spring of 2019, NSS Labs conducted its study on mobile security to gain an understanding of the current utilization of network security products in US enterprises. The project consisted of a two-armed qualitative and quantitative study with six primary objectives:

1) Obtain enterprise priorities for the functional aspects (security efficacy, performance, management, deployment, interoperability) of mobile security products;
2) Map mobile security program maturity by enterprise use case;
3) Determine enterprise perceptions of mobile security threat vectors and mitigating technologies;
4) Identify the applications and data accessed via the mobile devices that change enterprise risk;
5) Determine enterprise security professionals’ experience with OS-based threat migration to mobile OS; and
6) Obtain ITSEC management’s rating of their organization’s current mobile security posture.

The study was conducted with the participation of 383 qualified, full-time US enterprise IT security professionals representing 35 industries from the US, England, Germany, France, and Ireland with a mean IT security budget of US$10M – $49M.

Details can be found in the section 2019 NSS Labs Mobile Security Study Methodology.


Table of Contents

Overview ...... 1
Key Findings ...... 2
Recommendations ...... 2
2019 NSS Labs Mobile Security Study Methodology Summary ...... 3
Definitions, Approach, Deployment, and Alternatives ...... 5
Mobile Devices in the Enterprise ...... 7
Challenges of Building a Mobile Security Strategy ...... 7
Defining the Mobile Device ...... 7
BYOD ...... 8
Understanding Mobile Device Access to Corporate Data ...... 8
Addressing User Behavior ...... 9
Identifying Areas of Risk ...... 9
Perceptions of Risk, Privacy, Protection, and Maturity ...... 11
Perception of Risk ...... 11
Perceptions of Privacy ...... 12
Perceptions of Protection ...... 13
Perceptions of Program Maturity ...... 14
The Impact of Mobile Security on User Experience ...... 15
Integrating Mobile Security with IT Security Architectures ...... 16
Data Gathering ...... 16
Asset Discovery ...... 16
Mobile Threat Awareness ...... 17
Choosing a Mobile Strategy ...... 18
Additional Considerations ...... 20
Investigating Mobile Products ...... 21
Product Differentiation ...... 21
Additional Risk Considerations ...... 22
Request for Proposal and Proof of Concept: Considerations ...... 23
Request for Proposal (RFP) ...... 23
Proof of Concept (PoC) ...... 23
Testing Mobile Security Products ...... 23
2019 NSS Labs Mobile Security Study Methodology ...... 24
About the Enterprise Architecture Research Group ...... 26
Contact Information ...... 26


Definitions, Approach, Deployment, and Alternatives

Definition / Details

Mobile Product
Mobile security, as defined by NSS, is the protection of handheld or wearable devices from threats and vulnerabilities. Multiple mobile product categories exist; however, consolidation is ongoing, and enterprises should be aware that products may have overlapping capabilities.

• UEM – Unified Endpoint Management: Multi-purpose, cross-platform endpoint product; combines security and anti-threat with management across desktop OS, mobile OS, and a growing number of IoT devices.
• EMM – Enterprise Mobility Management: Management and security through mobile OS and mobile applications, “MDM + MAM”.
• MDM – Mobile Device Management: Monitor, manage, and secure mobile devices through controls provided by the mobile OS.
• MTM/MTD – Mobile Threat Management/Mobile Threat Defense: Detect threats to devices, operating systems, networks, and apps on the device.
• MAM – Mobile Application Management: Apply management and security directly to applications; sometimes called “containerization”.
• MCM – Mobile Content Management: Securely manage, view, and share content on mobile devices.
• MIM – Mobile Information Management: Encrypt sensitive data and control applications used to access it (older terminology).

Mobile Device
A mobile device is defined by more than its form factor and network carrier. Portable devices with any of the following characteristics may meet the definition of mobile device for an enterprise.

Hardware Form Factor
• Smartphone (e.g., “”): Has both carrier and wireless network technology.
• Tablet: Portable computing device utilizing a touchscreen but without built-in keyboard.
• Laptop: Portable device that may have a touchscreen but must have a non-removable physical keyboard; often has a clamshell design.
• Other: Wearables (watches), IoT, etc. May have Wi-Fi and carrier network access.

Network Access Type
• Carrier (LTE, 4G, future 5G) + wireless (802.x): Mobile device supports both wireless carrier signal (LTE, 4G, 5G, etc.) and wireless networking (802.x).
• Wireless (802.x) only: All mobile devices but without carrier functionality (i.e., 802.x only).
• Sub-gigahertz (sub-GHz): Low frequency wireless (433 MHz, 915 MHz, etc.), often IoT devices.

Operating System
• Apple: Mobile phones and tablets (iOS), wearables (watchOS), laptops (macOS).
• Android (all variants): All hardware types: mobile phones, tablets, laptops.
• Microsoft: Windows 10: Mobile phones, tablets, laptops. Other OS: Laptops and tablets.
• Other: Blackberry, Google ChromeOS, IoT (embedded firmware), etc.

Figure 1 – Mobile Product Definition and Mobile Device Definition


Category / Description

Approach
Mobile apps may have access to contacts, browsing history, and geolocation data, often covertly. Often, these mobile apps have ties to advertising programs, making this data a target for exfiltration.

Mobile security and management products use multiple methods to secure or manage devices. Software is often installed on the mobile device to intercept and scan traffic, as well as to provide control functionality. The application integrates at the kernel level to perform this task.

Identity and the user impact of authentication are an important component of a mobile device security strategy. Products that offer isolation may implement a second profile on the device to enable isolation of content based on user persona (e.g., separate work and personal profiles). Products can also create isolation by creating a sandbox on the mobile device itself in which organization apps launch, allowing for greater control of user data and of applications that request access to it.

Deployment
Mobile management and mobile security products require a central management system (CMS). Application installation on the device will require authentication by an administrator-level user account, along with user consent for BYOD. The CMS may be offered as a cloud-delivered service, a hardware appliance, or a virtual appliance.

Apple iOS-based, Android-based, and Microsoft Windows 10-based mobile phones and tablets may require an OS-specific app downloaded from the relevant app store.

Alternatives
Data and application control can be achieved through cloud-delivered technology, i.e., a cloud access security broker (CASB). Network traffic can be scanned using cloud technology or through local network scanning such as an NGFW.

Other
BYOD: “Bring your own device”. Employee-owned mobile device able to access corporate resources and personal resources.
COPE: “Corporate-owned, personally-enabled”. Corporate-owned mobile device able to access corporate resources and personal resources.
COBO: “Company-owned, business only”. Corporate-owned mobile device able to access only corporate resources.

Figure 2 – Approach, Deployment, Alternatives, Other


Mobile Devices in the Enterprise

Organizations choosing to evolve their mobile security strategy must understand challenges unique to the device category. They must quantify their perceptions of risk, privacy, and protection, and define the mobile user experience they are targeting. They must also investigate their own security practices and explore how they relate to mobile systems.

Challenges of Building a Mobile Security Strategy

The largest percentage of respondents to the 2019 NSS Labs Mobile Security study (48.4%) indicated that their industry is moderately mature in terms of mobile security, yet many respondents acknowledged that challenges exist with their mobile security strategies.

Defining the Mobile Device

A mobile device is any portable device capable of accessing corporate resources, commonly via Wi-Fi, Bluetooth, physical connection (e.g., USB, ethernet cable), or through a separate carrier network. Common examples of mobile devices include smartphones, tablets, and laptops, but wearables and even IoT-embedded OS devices are also included in the category, as they often integrate with common business productivity suites. Figure 3 presents the user-interfaced devices reported capable of accessing corporate data within respondent environments.

Figure 3 – Which of the Following User-Interfaced Devices Can Access Corporate Data at Your Organization? Select All That Apply.

Challenges associated with the expanding definition of the term “mobile device” should not be underestimated. To manage corporate mobile device risk, all mobile devices must be categorized and included in the mobile security strategy. Organizations that are intolerant to risk should explore mobile security and management products capable of supporting all mobile hardware form factors present in their environments. For these environments, access to corporate assets, not device owner (i.e., COPE or BYOD) should take priority.

Cross-platform operating systems—the most visible example being Microsoft Windows 10—should be considered separately, since organizations can manage risk on devices with these OSs using multiple security approaches. For more on mobile device definitions, see the section on Definitions, Approach, Deployment, and Alternatives. For more information on risk, see the section on Additional Risk Considerations.


BYOD

BYOD may increase organizational risk for several reasons, including: the presence of unvalidated applications; loss of visibility into data accessed, stored, and transferred; unsupported operating systems; multi-network use, including high-risk rogue hotspots; and challenges associated with identity and authentication. A lenient BYOD policy will complicate a mobile security strategy by introducing unsupported hardware, firmware, or jailbroken devices. It is taxing for IT security teams to support all varieties of mobile devices in order to control risk but maintain productivity.

The NSS Labs 2019 Mobile Security Study provided some insight into the acceptance of mobile devices in enterprises. Figure 4 illustrates that many organizations (nearly half, or 42.8% of respondents) indicate high control for BYOD (managed mobile devices are provided, and non-business applications are disabled), and 32.1% indicate moderate control (managed mobile devices are provided, and non-business applications are permitted).

Figure 4 – Study Question: What is your organization's predominant policy for BYOD (Bring Your Own Device)?

Understanding Mobile Device Access to Corporate Data

Quantifying which data can be accessed by mobile devices can add considerable burden for organizations. Respondents to the study indicated the top three types of corporate data available to mobile device users as email, documents, and file share data (Figure 5). Corporate data is also available for unmanaged mobile devices.

Figure 5 – What Corporate Data is Stored on Mobile Devices at Your Organization? Select All That Apply. What Corporate Data is Available to Users of Unmanaged Mobile Devices at Your Organization? Select All That Apply.


Addressing User Behavior

Security is defined by many as maintaining the confidentiality, integrity, and availability of corporate resources. Transparent security is the goal for most enterprise IT security practitioners; data should be readily available, and recipients should have high confidence that the data is unaltered and that channels are private.

However, security often complicates access to corporate resources, which reduces productivity and increases end user frustration. As shown in Figure 6, more than half of the survey respondents (59.6%) revealed that they have users who willfully bypass processes or policies (i.e., very frequent, frequent, and occasional).

Figure 6 – How Common Is it for Users at Your Organization to Bypass or Ignore Security Processes/Policies?

Identifying Areas of Risk

Enterprises building a mobile security strategy should focus on recognized categories of risk. In this study, people (poor user awareness and lack of skilled operators) were considered the greatest challenge to organizational security strategies (Figure 7) by respondents who indicated their environments had mobile security deployed.

Figure 7 – What Is the Greatest Challenge to Your Organization’s Mobile Security Strategy? Select All That Apply.


Respondents reported that applications and network are the largest threat vectors at their organizations (Figure 8).

Figure 8 – What is the Largest Mobile-based Threat Vector at your Organization?

Social networking, email, and games represent the greatest mobile application risks (Figure 9).

Figure 9 – What Types of Mobile Applications Pose the Greatest Risk from Mobile-Threats? Select All That Apply.

Respondents reported witnessing threat migration between desktop and mobile operating systems (Figure 10).

Figure 10 – How Frequently Has your Organization Experienced Threats Migrating from Desktop/PC OS to Mobile OS?


Perceptions of Risk, Privacy, Protection, and Maturity

Enterprise IT security teams have strong perceptions of risk, privacy, and the protection of their organization. These perceptions can impact the direction of a mobile security strategy and influence the success of the chosen implementation. Respondents to the 2019 NSS study indicated their perception of risk and of privacy aligns with observed risk from mobile devices. However, respondents’ perception of protection does not align with deployed protection mechanisms.

Perception of Risk

“I would recommend they get everyone on board at once with what risk level they can all agree to tolerate. Get all departments to put their oar in. We learned that the hard way.” – Director, IT Security, Manufacturing

The 2019 NSS study compared the perception of risk from mobile device threats to the perception of risk from network-based threats. The largest percentage of respondents with mobile security deployed (30.9%) characterized mobile device threats as a slightly higher risk than network-based threats. The largest percentage of respondents without mobile security reported mobile device threats as a moderately higher risk (Figure 11).

Figure 11 – How Would You Describe Mobile Device Threats Compared to Other Cyberthreats in Terms of Risk to Your Organization’s Assets?


Perceptions of Privacy

“Only allow managed mobile devices—no personal devices.” – Network Architect, Industrial Manufacturing

Privacy regulations and concerns can impact all IT security process and policy decisions. Regulation is put in place by government or industry, whereas enterprises can address concerns by pushing for specific policies and processes regardless of whether a “regulation” is in place.

The largest percentage of respondents to the 2019 NSS study indicated they agree (45.5%) and strongly agree (32.1%) that their organizations respect mobile device privacy (Figure 12).

Figure 12 – To What Extent Do You Agree or Disagree with the Following Statement: My Organization Respects Privacy on Mobile Devices?

Respondents indicated their organizations intentionally do not monitor some data, with the largest number of respondents choosing personal email, social media, and photos/videos (Figure 13).

Figure 13 – Which Data are Unmonitored on Mobile Devices at Your Organization for User Privacy? Select All That Apply.


Perceptions of Protection

“Have a zero-tolerance policy in play for your organization because data loss can bring an entire company down.” – CIO, Logistics/Transportation

Because of the number of variables associated with defining mobile devices, there are often gaps between the perception of what is being protected and what is actually being protected. Respondents were asked to rate their organization’s protection on a scale of 0 – 100.

• On average, respondents with mobile security rated their protection as 76.1.
• On average, respondents without mobile security rated their protection as 70.1.

Figure 14 – On a Scale of 0 – 100, with 0 Being Not Protected at All, and 100 Being Optimally Protected, How Adequately Protected Do You Believe Your Organization Is from Mobile Threat Vectors?

Respondents with mobile security products reported their environments as more protected than those environments without protection; however, both values are relatively low, even for security professionals who are inclined to rate their products favorably. In addition, a rating of 70.1 from those without mobile security may reveal a false sense of security or a lack of understanding of the risk this threat vector adds. One takeaway may be that even with mobile investments, there is opportunity for improvement and education.

Respondents were also asked to rate their organizations’ awareness of mobile-based threats versus that of their peers. The largest percentage of respondents (51%) indicated their awareness was somewhat better (Figure 15). This also reveals an opportunity for education as it may be an indicator of over-confidence in perceived protection.

Figure 15 – Compared to Most Other Organizations in Your Industry, How Would You Rate your Organization’s User Awareness of Mobile-Based Threats?

Mobile device alert prioritization appears to differ substantially between enterprises. Though most respondents (49%) indicated that their prioritization of alerts from mobile devices was the same as for alerts from other devices, 42% of respondents indicated mobile alerts took a higher priority (Figure 16).

Figure 16 – In Terms of Priority, How Do Security Alerts from Mobile Devices Compare to Alerts of Other Devices at Your Organization?


Perceptions of Program Maturity

Data suggests there is a disconnect between an organization’s perception of protection compared to its peers and its evaluation of its industry’s mobile security maturity. Most respondents (more than 79%) reported self-ratings of protection as better than others in their industry (Figure 15), yet most respondents (more than 90%) also indicated their industry was mature in terms of its mobile security (Figure 17).

Figure 17 – How Mature Do You Feel Your Overall Industry Is in Terms of Mobile Security?

Many factors can influence perceptions of maturity, including the maturity of the tools enabling discovery/asset management, visibility, control, and process/operations. User maturity is also a factor, which expands the evaluation to include perceptions of user training and enrollment. Maturity models may include categorization by groups, ranging from immature organizations (no visibility, control, or training specifically for mobile devices) to mature organizations (implementation of mobile security strategies).

The largest percentage of respondents reported their organization’s mobile security posture as very close to ideal (Figure 18).

Figure 18 – How Would You Rate Your Organization's Mobile Security Posture?

The largest number of respondents rated their organization’s mobile security maturity on the NIST Maturity Scale as Level 4: Managed (Figure 19).

Figure 19 – How Would You Rate Your Organization's Mobile Security Maturity on the NIST Maturity Scale?


The Impact of Mobile Security on User Experience

Mobile device users are sensitive to inconvenience, and IT security practitioners must take this into consideration before deploying mobile security products. The largest number of respondents to the 2019 NSS study indicated their organization is “tolerant – security is prioritized and user experience is secondary” (Figure 20).

Figure 20 – How Would You Gauge Your Organization’s Tolerance of Inconvenience in the Name of Security?

MDM products are mature and broadly deployed, and as such, provide an indicator of the challenges associated with introducing security to a mobile device. The largest number of respondents reported “user resistance,” “user privacy complaints,” and “complicates regulatory compliance” as challenges to MDM (Figure 21).

Figure 21 – What Challenges Have You Experienced with Mobile Device Management (MDM)? Select All That Apply.

Organizations that permit mobile devices to access corporate resources often have established processes in place to provide control. The processes most commonly selected as implemented were “strong password requirements,” followed by “employee onboarding includes mobile security training” (Figure 22).

Figure 22 – Which User-Specific Mobile Security Processes are Implemented at Your Organization?


Integrating Mobile Security with IT Security Architectures

Some organizations permit employee-owned mobile devices inside their business perimeters. Some acknowledge that employee-owned devices are part of shadow IT—visible and accessing corporate resources but not supported by the organization’s central IT department. Others attempt to block mobile devices outright or offer network isolation for wireless access in attempts to segment them.

Regardless of established policy, organizations considering the incorporation of mobile security into their IT security architectures have their work cut out for them, including data gathering, choosing a mobile strategy, and investigating mobile products.

Data Gathering

Asset Discovery

“Make sure you figure out your device inventory and what people are running BEFORE you start shopping for MDM solutions.” – Director IT Security, Healthcare

To understand the risk introduced by mobile devices, an enterprise must first understand the mobile devices present in its IT architecture. Data can be gathered using dedicated asset discovery tools or by leveraging data from network perimeter appliances such as NGFWs.

Once this data has been gathered, policies can be modified to restrict access from some devices and mobile security product search criteria can be expanded.

Mobile products capable of accessing corporate data vary widely. While the top three most reported devices were smartphones, laptops, and tablets, the fourth most reported device capable of accessing corporate data was IoT (Figure 3). This is an immense opportunity for risk within an organization and should be explored carefully.
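The reconciliation step described above, as an added example (not NSS Labs code): constructed NGFW-style device sightings are folded into one record per device, classified with the Figure 1 hardware form factor and network access categories, and compared against an assumed MDM/UEM enrollment export to list the unmanaged devices that reached corporate data. The log format, field names, and sample records are constructed assumptions.

```python
"""Reconcile perimeter-appliance device sightings with an MDM/UEM enrollment
export to list unmanaged mobile devices reaching corporate data.
Added example, not NSS Labs code; log format, field names and sample
records are constructed assumptions for the demonstration."""
import re
from dataclasses import dataclass, field

# Constructed NGFW-style sightings: timestamp, client MAC, OS reported by
# the appliance, the network medium seen, and the corporate app reached.
SIGHTINGS = """\
2019-08-12T09:01:02 mac=AA:BB:CC:00:00:01 os=iOS medium=wifi app=email
2019-08-12T09:01:30 mac=AA:BB:CC:00:00:01 os=iOS medium=lte app=email
2019-08-12T09:02:11 mac=AA:BB:CC:00:00:02 os=Android medium=wifi app=fileshare
2019-08-12T09:03:45 mac=AA:BB:CC:00:00:03 os=Windows10 medium=wifi app=documents
2019-08-12T09:04:01 mac=AA:BB:CC:00:00:04 os=embedded medium=subghz app=calendar
2019-08-12T09:04:09 mac=AA:BB:CC:00:00:05 os=watchOS medium=wifi app=email
2019-08-12T09:05:00 heartbeat ok
"""

# Constructed MDM/UEM enrollment export (device identifiers only).
ENROLLED = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:03"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mac=(?P<mac>\S+) os=(?P<os>\S+) "
    r"medium=(?P<medium>\S+) app=(?P<app>\S+)$"
)

# Hardware form factor by OS family, following the Figure 1 categories.
# Windows 10 is cross-platform and the brief says to assess it separately.
FORM_FACTOR = {
    "iOS": "smartphone/tablet",
    "Android": "smartphone/tablet",
    "Windows10": "cross-platform (assess separately)",
    "watchOS": "wearable",
    "embedded": "IoT",
}
CARRIER_MEDIA = {"lte", "4g", "5g"}


@dataclass
class Device:
    mac: str
    os: str
    media: set = field(default_factory=set)
    apps: set = field(default_factory=set)

    def network_access(self) -> str:
        """Network access type per Figure 1: sub-GHz, carrier + wireless,
        or wireless only (a device seen on both Wi-Fi and LTE is carrier +
        wireless)."""
        if "subghz" in self.media:
            return "sub-GHz"
        if self.media & CARRIER_MEDIA:
            return "carrier + wireless"
        return "wireless only"

    def form_factor(self) -> str:
        return FORM_FACTOR.get(self.os, "unknown")


def parse_sightings(text: str) -> dict:
    """Fold per-connection log lines into one Device record per MAC."""
    devices: dict = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a device sighting (e.g. an appliance heartbeat)
        dev = devices.setdefault(m["mac"], Device(m["mac"], m["os"]))
        dev.media.add(m["medium"])
        dev.apps.add(m["app"])
    return devices


def unmanaged_report(devices: dict, enrolled: set) -> dict:
    """Devices touching corporate data with no MDM/UEM enrollment, keyed by
    MAC, each with (form factor, network access type, sorted apps). These
    are the candidates for access restriction or enrollment."""
    return {
        mac: (d.form_factor(), d.network_access(), sorted(d.apps))
        for mac, d in devices.items()
        if mac not in enrolled
    }


if __name__ == "__main__":
    report = unmanaged_report(parse_sightings(SIGHTINGS), ENROLLED)
    for mac, info in report.items():
        print(mac, *info)
```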

Respondents reported that the mobile operating systems in their organizations’ environments are primarily Android and iOS (Figure 23).

Figure 23 – Which Mobile Operating Systems are Employed on Mobile Devices at Your Organization? Select All That Apply.


Mobile Threat Awareness

Respondents with mobile security deployed indicated the top three mobile-based security threats to their organizations’ assets are ransomware, phishing, and email (Figure 24).

Figure 24 – What Is the Greatest Mobile-Based Security Threat to Your Organization’s Assets?

Respondents to NSS’ 2019 study selected malware, SMS phishing, and malicious scripts as the three most common detected/blocked mobile-based threats (Figure 25).

Figure 25 – Which Types of Mobile-Based Threats Has Your Organization Detected/Blocked? Select All That Apply.


Choosing a Mobile Strategy

Once the challenges of defining mobile devices and identifying those that exist in an organization’s IT architecture are addressed, organizations can begin to develop the mobile strategy that best fits their environment.

A mobile security strategy does not necessarily involve deployment of a dedicated mobile management or security product. NSS analysts have observed that enterprises often follow one of three paths:

• Ignore risk – Too many variables and insufficient IT security resources to properly manage risk
• Address risk – Rely on network security technologies to fill in the gap for detection/protection
• Address risk – Build a mobile security strategy that utilizes a mobile management and/or mobile security technology and aligns with existing IT security architecture

Study respondents selected application control, regulation compliance, and data loss prevention as the top three drivers for deploying a mobile security technology (Figure 26).

Figure 26 – What Are the Primary Drivers for Deploying Mobile Security Technology? Select All That Apply.

Some organizations choose to not enforce a mobile policy. Of the study respondents who indicated their organizations do not deploy a mobile security technology, the largest number reported “mobile security is not a pressing need” as the reason why (Figure 27). This may indicate the lack of a current risk assessment within the organization.

Figure 27 – Why Doesn't Your Organization Deploy Mobile Security Technology? Select All That Apply.


Regardless of whether an organization’s mobile strategy includes a mobile management or mobile security product, security products already in the IT security architecture affect the organization’s mobile security posture; SIEM, SWG, and threat intelligence and analytics were the most often reported (Figure 28).

Figure 28 – You Indicated That Your Organization Affects Mobile Security Using Different Security Technology. Which Technologies? Select All That Apply.

Mobile strategies that involve mobile security products rely on policies to guide and enforce behavior. Respondents to this study indicated the top three policies employed by their organizations are acceptable use policy, application blacklisting, and website blacklisting (Figure 29).

Figure 29 – Which of the Following Mobile Policies are Implemented at Your Organization? Select All That Apply.


Organizations will implement a variety of control techniques in an effort to manage mobile device risk. Respondents indicated the top three control capabilities employed within their organizations are configuration management, network control, and application control/patch (Figure 30).

Figure 30 – Which Mobile Device Control Capabilities are Employed at Your Organization?

Additional Considerations

An organization will make its own decisions on how to reduce or maintain risk from the use of mobile devices in its infrastructure; for example, it may employ a multiple-device policy covering both corporate-provided devices and personal devices. Additional insight into mobile security strategies from qualitative responses obtained during NSS’ 2019 study includes:

Question: How would you describe your organization’s approach to mobile security?

• “When I think about mobile security, I think mobile phones and laptops. Containerization is difficult to get across the finish line because [our] users prefer their own email client.” – Bruce Forman, CISO, UMass Memorial Medical Center

Question: How would you rate your organizational readiness for mobile-based threats?

• “4 out of 5. Without being draconian, like forcing users to put AV on their phones, we aren't likely to do better. It's fairly locked down. We could do more, like in terms of monitoring, but we don't want to go there for legal [reasons].” – Marc Crudgington, MBA, CISO, SVP Information Security, Woodforest National Bank

Question: If you were going to test a mobile security product, what variables would be important to you?

• “Latency – anything we put on a device can't slow it down much. Secondly, user experience. What is the user impact? Will it change their experience of their phone? What is the administrative impact? How much overhead does it create? In creating overhead, does it alleviate overhead elsewhere?” – Chris Gebhardt, Director, IT Security, WeWork, Inc. (now VP Cyber Operations, StratoZen)


Investigating Mobile Products

Enterprises base mobile management and mobile security purchasing decisions on diverse factors, including risk tolerance, security effectiveness, throughput, and overarching IT security architecture. Once an organization chooses a mobile security strategy that involves a dedicated mobile product, its IT team must investigate which mobile security products can help them achieve their desired risk posture.

Study respondents reported the following mobile device technologies as in use, on the roadmap, or not on the roadmap (Figure 31).

Figure 31 – What Mobile Device Technologies are Deployed at Your Organization?

Product Differentiation

“I would say [MDM] is a vital part of the infrastructure to keep an organization’s data secure.” – IT Manager, Manufacturing

Products within the MDM category are often the first thought for organizations investigating mobile security and mobile management products. However, mobile security product categories are evolving rapidly, and features can vary significantly by vendor despite overarching product labels (e.g., MDM vs. EMM vs. UEM).

Organizations considering mobile security products should investigate the feature differences between vendors during PoCs. The following brief descriptions distinguish the main product categories:

• UEM – Current iteration of mobile management and security technology. Often contains technology supporting MDM, MAM, MCM, MTD/MTM, and user authentication and authorization (e.g., SSO). Supports the broadest range of operating systems, often Google Android, Apple iOS, Apple macOS, Microsoft Windows 10, and IoT-based systems (though this is less common). Device deployment is often facilitated through directory service integration and “over the air” enrollment.
• EMM – Considered a transitional technology, a precursor to UEM. Offers broader security and management features than MDM, layering secure access to mobile applications and data across a broader set of operating systems.
• MDM – Heritage mobile product, designed around traditional mobile operating systems (typically Google Android and Apple iOS). MDM features focus on device locate, lock, and wipe (e.g., jailbreak/root detection, PIN and passcode enforcement, remote wipe, encryption, geofencing, VPN enforcement) and on management through policy and compliance rules.
• MTD – Anti-threat feature sets, focused on anti-malware functionality and features such as vulnerability assessment, network security, application scanning, and URL filtering.

For additional information on product definitions, see the section on Definitions, Approach, Deployment, and Alternatives.


Additional Risk Considerations

This section provides information for organizations considering mobile security or mobile management products.

Educate end users

Regardless of technology approach, it is in an enterprise’s best interests to educate end users on the risks associated with mobile devices and how these risks apply to the corporate policy. Qualitative responses obtained during NSS’ 2019 study emphasize this point.

• “Tech is great, but the human firewall is the best thing we can do. All new employees go through security training, in person.” – Chris Gebhardt, Director, IT Security, WeWork, Inc. (now VP Cyber Operations, StratoZen)
• “Educating employees on the matter of cybersecurity is the most substantial initial step.” – CIO, Hospital
• “Document and define all processes, and educate, educate, educate.” – CIO, Healthcare

Expand the definition of endpoint to include IoT

Many relatively low-cost, Internet-based convenience products offer support for business productivity suites such as Microsoft Office365 and Google G Suite. These devices typically are classified as IoT, and many have embedded operating systems that are challenging to update. Enterprises looking to manage risk should focus on technologies that support visibility into these devices as they represent a large unknown in many IT security architectures.

Prioritize based on technology

For organizations with a low tolerance for risk, NSS recommends prioritizing mobile systems with the following characteristics:

• Carrier network connectivity – Dual wireless connectivity (i.e., Wi-Fi + 4G/5G/LTE) enables command-and-control (C&C) communication channels that fall outside the corporate network security infrastructure. This applies to mobile devices that have built-in carrier network connectivity or that can connect directly to a device with carrier network connectivity (e.g., tethering). Threats discovered on these systems should be prioritized.
• Android operating system – While all operating systems are vulnerable to some extent, Android devices are often targeted [1] due to their open platform, open app store, and the size of the Android ecosystem.
• Microsoft Windows 10 operating system – This cross-platform OS allows a device to fall under multiple anti-threat and management technologies at once. While this does not immediately translate to higher risk, it is an area that must be explored to ensure security policies are uniformly applied and protection gaps are not inadvertently introduced: does the organization install mobile management, mobile security, or endpoint security products on such devices?
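As an added example (not from the NSS report), the following Python code applies the three prioritization criteria above to a feed of threat alerts. The device records, alert records, control names (uem, mtd, endpoint-security) and weights are constructed assumptions; in practice the inventory would come from the UEM/MDM export and the alerts from the MTD product or SIEM. A device that appears in an alert but not in the inventory is treated as a risk factor in its own right, following the shadow IT point made earlier in this section, and coverage_gaps() answers the Windows 10 question directly: which devices carry no anti-threat product at all.

```python
"""Triage mobile threat alerts by the device characteristics the report
flags: out-of-band carrier connectivity, Android, and Windows 10 devices
that no anti-threat product covers.

Added example, not from the NSS report. Device and alert records, control
names and weights are constructed assumptions; in practice the inventory
comes from the UEM/MDM export and the alerts from the MTD product or SIEM.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    os: str                       # "Android", "iOS", "Windows 10", ...
    cellular: bool = False        # built-in carrier radio (4G/5G/LTE)
    tethered: bool = False        # routes via a cellular-capable device (hotspot)
    controls: frozenset = frozenset()   # subset of {"uem", "mtd", "endpoint-security"}


@dataclass(frozen=True)
class Alert:
    device_id: str
    threat: str
    severity: int                 # 1 (low) .. 5 (high), as reported by the detecting product


# Assumed weights, added on top of the detecting product's own severity.
WEIGHTS = {
    "out_of_band_channel": 3,   # C&C path that never crosses corporate network controls
    "android": 2,               # more frequently targeted platform
    "coverage_gap": 3,          # Windows 10 device with no anti-threat product at all
    "not_in_inventory": 3,      # shadow IT: never enrolled, nothing known about it
}

ANTI_THREAT = {"mtd", "endpoint-security"}


def risk_factors(dev):
    """Risk factors that apply to one inventoried device."""
    factors = []
    if dev.cellular or dev.tethered:
        factors.append("out_of_band_channel")
    if dev.os == "Android":
        factors.append("android")
    if dev.os == "Windows 10" and not (dev.controls & ANTI_THREAT):
        factors.append("coverage_gap")
    return factors


def coverage_gaps(devices):
    """Windows 10 devices that neither the mobile nor the endpoint stack protects."""
    return [d.device_id for d in devices if "coverage_gap" in risk_factors(d)]


def triage(alerts, devices):
    """Rank alerts: product severity plus the weighted device risk factors."""
    by_id = {d.device_id: d for d in devices}
    ranked = []
    for alert in alerts:
        dev = by_id.get(alert.device_id)
        factors = risk_factors(dev) if dev else ["not_in_inventory"]
        ranked.append({
            "device_id": alert.device_id,
            "threat": alert.threat,
            "severity": alert.severity,
            "factors": factors,
            "priority": alert.severity + sum(WEIGHTS[f] for f in factors),
        })
    # Highest priority first; on ties the product's own severity decides.
    return sorted(ranked, key=lambda r: (-r["priority"], -r["severity"]))


# Constructed inventory and alert feed.
DEVICES = [
    Device("phone-01", "Android", cellular=True, controls=frozenset({"uem", "mtd"})),
    Device("phone-02", "iOS", cellular=True, controls=frozenset({"uem"})),
    Device("tablet-01", "iOS", tethered=True, controls=frozenset({"uem"})),
    Device("laptop-01", "Windows 10", controls=frozenset({"endpoint-security"})),
    Device("laptop-02", "Windows 10", cellular=True),   # LTE laptop, no agent of any kind
]
ALERTS = [
    Alert("phone-01", "sideloaded app requesting SMS permissions", 3),
    Alert("phone-02", "user opened phishing URL", 3),
    Alert("laptop-01", "suspicious Office macro", 4),
    Alert("laptop-02", "periodic beacon to unknown host", 2),
    Alert("cal-01", "outbound connection from wall calendar", 2),   # not in inventory
]

if __name__ == "__main__":
    for row in triage(ALERTS, DEVICES):
        print(f'{row["priority"]:2d}  {row["device_id"]:10s} {row["threat"]:42s} {row["factors"]}')
    print("coverage gaps:", coverage_gaps(DEVICES))
```

Note how the low-severity beacon from the LTE laptop with no agent ends up tied with the Android alert at the top of the list, ahead of the higher-severity macro alert on the laptop that an endpoint product already covers; that is the point of weighting by device context rather than by product severity alone.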

Automation and API

Automation capabilities (i.e., interoperability, often through an API) are often discussed during network product selection inquiries from NSS clients. This aligns with results from the 2018 NSS Labs Network Security Study: when asked how important API features are during NGFW product selection, on a five-point scale from “extremely” to “not at all,” almost half of respondents (46.4%) indicated “very” and 40.4% indicated “extremely.” NSS expects API requirements for a mobile technology to align with network security product API requirements. Organizations should evaluate the API maturity of any mobile product prior to deployment.

[1] Example: https://techcrunch.com/2019/04/01/android-security-0-04-of-downloads-on-google-play-in-2018-were-potentially-harmful-apps/


Request for Proposal and Proof of Concept: Considerations

The following guidance is supplied for enterprises considering mobile security products.

Request for Proposal (RFP)

• Determine your use case(s) and gather requirements from all teams that require operational access to the management console, event data, log data, etc.
• Use operating system support and risk goals to pare your list of candidates prior to PoC.
• Evaluate your organization’s need for forensic threat details.
• Focus the RFP on product capabilities and measurable results rather than marketing claims.
• RFP requirements should be highly focused, ideally prompting only “yes” or “no” answers from vendors.

Proof of Concept (PoC)

• List the capabilities the PoC must provide guidance on, focusing on what is measurable.
• Evaluate the product’s management capabilities for all mobile devices found in your environment.
• Include test cases to understand how security features may disrupt business through non-traditional apps.
• Any evaluation of the management console workflow should include exploring what threat and system data is available through the management console, API, and logs.

Testing Mobile Security Products

Enterprises evaluating mobile security products should consider the following insight:

"Define what you want your policies to look like, define requirements that tool must fit, and what your EULA looks like, what tools that you might have that are identity access-related. Then do your research on 5–7 players, then shortlist 3–4, then PoC including a pilot within your IT dept; narrow down to 2, then roll to end users to see which they like the best." – Marc Crudgington, MBA, CISO, SVP Information Security, Woodforest National Bank

Respondents indicated their priorities for testing mobile security products are the following (Figure 32):

Figure 32 – Which of the Following Factors Would You Include in a Test of a Mobile Security Product? Select All That Apply.


2019 NSS Labs Mobile Security Study Methodology

In the spring of 2019, NSS Labs conducted its study on mobile security to gain an understanding of the current utilization of mobile security products in US enterprises. The project consisted of a two-armed qualitative and quantitative study with six primary objectives:

1) Obtain enterprise priorities for the functional aspects (security efficacy, performance, management, deployment, interoperability) of mobile security products;
2) Map mobile security program maturity by enterprise use case;
3) Determine enterprise perceptions of mobile security threat vectors and mitigating technologies;
4) Identify the applications and data accessed via mobile devices that change enterprise risk;
5) Determine enterprise security professionals’ experience with OS-based threat migration to mobile OS; and
6) Obtain ITSEC management’s rating of their organization’s current mobile security posture.

The study was conducted with the participation of 383 qualified, full-time US enterprise IT security professionals representing 35 industries from the US, England, Germany, France, and Ireland with a mean IT security budget of US$10M – $49M.

Arm 1: Qualitative Study

The qualitative arm of the study involved individual 30-minute, semi-structured interviews of 8 (eight) IT security professionals employed at enterprise-sized organizations (respondent organizations’ number of FTEs ranged from 400–300k) who had final purchase authority for IT security technology. After providing informed consent to participate in the study, each participant engaged in a 30-minute conversation using a Webex teleconference system. Participants were employed in the following industries: Banking/Finance (n=3), Hospital and Healthcare (n=1), Professional Services (n=2), Technology (n=1), and Education (n=1). The semi-structured instrument entailed 12 open-ended questions on mobile security strategies, perceptions, deployments, and challenges, but not all questions were asked of every participant, and ad hoc follow-up questions were common. In addition to supporting study objectives, results bolstered the content validity of the quantitative study. The subsequent quantitative instrument included additional items and enriched response sets as a result of these interviews.

Arm 2: Quantitative Study

A 50-item, mixed-format battery was drafted by the NSS Labs Enterprise Architecture Research Group and delivered via an online survey platform using a third-party B2B panel service for pre-screening, participant role verification, and to facilitate accrual. To minimize error resulting from primacy and recency effects, non-ranked survey response options were presented in random order. The survey had several screening items and participants failing these items were excluded from final analyses. Additionally, speeders were excluded from final analyses using one-third median time-to-complete as the minimum epoch for inclusion.

Participants/Accrual

Potential participants were prescreened for eligibility. There were multiple qualifiers for eligibility in this study, including both organizational and participant inclusion criteria. To be eligible for participation, a participant was required to be currently employed as a full-time information security professional with a minimum of three years in role as a security practitioner. Additionally, participants were required to be employed at enterprises with a minimum of 100 full-time employees (no SMB respondents). To minimize error due to non-response bias and drive accrual, participation was incentivized. At close of accrual, 481 participants passed screening and completed the survey. Post hoc quality controls included a review of responses using a QA rubric to flag responses with multiple noncontextual/nonsensical responses, patterned responses, duplicate responses, and for indicators of an automated response set (bots). Final sample after attrition for quality control consisted of 374 participants.


Margin of Error

All surveys and polls are subject to numerous sources of error such as sampling error; coverage error; errors due to nonresponse; errors associated with question wording and response options; and post-survey weighting and adjustments. Where possible, controls for common errors were implemented in this study, including multiple screening items, quality control items, controls for speeders, and data quality checks for nonsensical or patterned responses. In keeping with the American Association for Public Opinion Research’s Code of Ethics, NSS has chosen not to report a margin of sampling error for this study as random selection from this population was not feasible. Inclusion of a margin-of-error estimate could imply that our interpretations should be accorded greater confidence than the data warrants. Margin of error is an estimate of sampling error, not a measure of validity, and should always be interpreted with caution.


About the Enterprise Architecture Research Group

The mission of the NSS Labs Enterprise Architecture Research Group is to work with enterprises to solve security architecture and product challenges. We provide research and advisory services that are objective, accurate, reliable, and actionable. Our data comes from NSS test results, first-hand experience in the lab, novel primary research, and interaction with our enterprise clients.

Contact Information

NSS Labs, Inc. 3711 South MoPac Expressway Building 1, Suite 400 Austin, TX 78746-8022 USA [email protected] www.nsslabs.com

© 2019 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, copied/scanned, stored on a retrieval system, e-mailed or otherwise disseminated or transmitted without the express written consent of NSS Labs, Inc. (“us” or “we”). Please read the disclaimer in this box because it contains important information that binds you. If you do not agree to these conditions, you should not read the rest of this report but should instead return the report immediately to us. “You” or “your” means the person who accesses this report and any entity on whose behalf he/she has obtained this report.

1. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it.
2. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or expenses of any nature whatsoever arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, ARE HEREBY DISCLAIMED AND EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and/or software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet your expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.
