Mobile Threat Defense

DISA – TEM Brief: Mobile Threat Defense (MTD) for GFE/BYOD May 19th, 2021 Agenda • What problem do we solve? • Zero-Day attacks on Mobile (Network, Device, Phishing, Mobile Apps) • Anti-Virus for Mobile • Telework, BYOD/GFE, O365/Teams, Zero Trust • Who have we solved it for? • Fortune 2K and Government Enterprises • DISA MEP DMUC • How do we solve it? • ZIPS/MAPS • Why are we unique? • z9, On-Device, On-Prem, FedRamp, Hybrid, Enterprise grade

Visibility (40%) No Visibility (60%)

“Criminals and terrorists who want to infiltrate systems and disrupt sensitive networks may start their attacks by accessing just one person’s smartphone.”

• The Zimperium platform will monitor DISA DMUC users when securely accessing applications and data on iOS and Android endpoints. Powered by Zimperium’s on-device, machine learning- based engine, z9, Zimperium zIPS protects devices from more mobile threats than any other solution -- even when an attacker controls the network. • DISA considers on-device (always on) protection important to ensure the greatest degree of threat detection and support in a zero-trust environment. Additionally, Zimperium was selected because it: • Provides on-device protection against device, network, phishing and malicious app attacks; • Achieved FedRAMP Authority to Operate (ATO) certification; • Protects Android and iOS; • Integrates with multiple unified endpoint management (UEM) tools in a single tenant; • Can be managed on any cloud or on-prem; and • Protects privacy.

Status: Deployment in Process

Current Use Cases: • COCOMS

• U.S. Marine Corp Please contact Mike Shea for use case details • U.S. Army • U.S. Air Force • IC Areas requiring Mobile Endpoint Protection: • U.S. Army: • Defensive Cyber Operations (DCO), Army National Guard, Net Warrior/ATAK, NETCOM (GFE/BYO), etc. • U.S. Navy: • PACOM (iPhone/BB UEM), PMW-240 Mobile Apps, FY21 Initiatives: Navy Reserve, etc. • Microsoft Office 365 / Teams • Air Force: • Android for Enterprise • AF EITaaS (GFE/BYOD), Electronic Flight Bag ** source: DISA Forecast to Industry 2019 (EFB)/iPads, BRICE/iPads, Air National Guard, etc. Zimperium Proprietary All Rights Reserved © 2020 Why enterprises need Mobile Threat Defense (MTD)

App • Containers (e.g., UEMs)

• Phishing Email Gateways (corporate email only)

Network • Encryption (VPN) Mobile Threat Mobile Threats Mobile • Encryption (DLP) Defense Device • Jailbreak Detection

Governance/Compliance Protection / Detection

NIST 800.124 Rev 2 – Mobile Security Guidelines

“MTD systems are designed to detect the presence of malicious apps, network-based attacks, improper configurations and known vulnerabilities in mobile apps or the mobile OS itself." Zimperium Proprietary All Rights Reserved MITRE ATT&CK and MDM/MTD Alignment

MDM

MTD & MDM MTD NIST 1800-22 Mobile Security: BYOD

Why BYOD: ● Interchangeably for work and personal purposes throughout the day ● Flexible and convenient

Why NOT: ● Introduce challenges to an enterprise ● May lack mobile device security protections ● Greater risk of unauthorized access to sensitive information ● Email phishing attacks ● Eavesdropping attacks ● Misuse of device sensors ● Compromise of organizational data due to lost devices ● to name but a few risks NIST SP 1800-22 BYOD Reference Architecture

• Ensuring data is protected when accessed from personal devices poses unique challenges and threats • Can enhance the security and privacy posture of adopting organizations • The high-level security and privacy goals are illustrated below

On-Device! Zero Trust & Mobile

Mobile devices are the Achilles' heal of Zero Trust… : Patented detection engine designed for mobile

The detection engine uses machine learning to provide real-time, on-device protection against both known and unknown threats

Device Network Phishing Malicious Attacks Attacks Sites Apps

Device Risks Device Compromises MDM Actions Detailed Forensics • Vulnerabilities • Rooted Device • Wipe Data • No Device Encryption • Elevated Privileges • Terminate Access • Jailbreaks • System Tampering SOC Integrations • SIEMs • Unmanaged Profiles Block Phishing Site • EDRs Phishing Sites App Risks Network Threat Hunting • Insecure Apps Malicious Apps • Disable WiFi • Sideloaded Apps • Disable Bluetooth • Network Sinkhole Network Risks Network Attacks • Reconnaissance Scans • MITM Attacks • Unsecured WiFi • Rogue Access Points Samsung KNOX • Prevent App Install • Uninstall App

Zimperium’s Fundamental Design Principles • Deliver Enterprise Capabilities & Scale • Provide Management Console on Any Cloud or • Detect Known and Unknown Threats On-device On-Prem • Enable Privacy-focused Use Cases • Operate with Multiple UEMs Simultaneously

Development Runtime

ü NIAP Compliance ü Code Tampering Trigger ü Device Detections ü OWASP Compliance ü Name and Flow Obfuscation ü Network Detections ü Security Policies ü App/Phishing Detections ü String Encryption ü Privacy Policies ü Code Optimization ü Over 140 parameters check ü And more

MDM / EMM Integrations 3A™ CONSOLE™

SIEM / Threat Hunting/Dev Integrations

Microsoft Defender / Sentinel AlienVault

Workspace One Intelligence

• Zimperium's MTD is integrated with Microsoft's Endpoint Manager (Intune) • Microsoft and Zimperium jointly developed the integration of Mobile Threat Defense with unmanaged to support Microsoft MAM BYOD solution. • Advanced Integration with Microsoft Defender ATP and Sentinel for forensic level threat visibility and advanced hunting. • Zimperium is the only MTD solution that deploys its console within Microsoft Azure infrastructure.

• Conditional access to Microsoft 365 applications based on Microsoft Endpoint Manager MAM app protection policies. • On-device detection that does not require cloud analysis or connection. • Threat remediation and user notification on the device. • Individual user and group based mobile security and access policies. • Support for multiple UEM solutions simultaneously. • Strict privacy functionality with no user information sent to the cloud.

Zimperium Proprietary All Rights Reserved © 2020 Executive Threat Insights Key Insights Global Target COVERAGE Your Score ~79% Good Coverage. (8/20-10/20) Avg. Zone CRITICAL DEVICES 633 Devices with Malware 93 Tampered Devices (Jailbroken/System Tampering/SE Linux) Mobile 6 Devices with App Tampering Security Score 7.1 6.5 >8 4 Devices connected to KARMA attack (4 Access Point) 24 Connected to unsecure rogue access network

0 4 8 10 RISKY DEVICES How Secure are your >74% Devices running critically vulnerable OS mobile devices? 563 Devices with access to 3rd party app store High Risk Medium Low Risk 35 iOS 3rd Party App-store Profiles 1.3k Devices with access to risky settings (No Device Pin, Developer options) Total Devices Activated 5k High Privacy OR Security Risk Apps 4.2k Devices with side-loaded apps 781 Found Rogue Access Point nearby 27.5 k 21.6 k RECOMMENDATIONS

20 k 16.5 k • Enforce compliance to activate zIPS on all devices • Review Profiles & Disallow High Risk Profiles • Monitor Side-loaded apps & whitelist internal Apps 7 k • Leverage Corporate VPN or Alert users to prevent from 5.1 k connecting to Risky Networks (Rogue Access Point) • Automate Reminders to Users to update the OS periodically

*Data Analyzed 08/2020 -10/20

Devices with Malicious Apps 316 Apps with possible Data leakage ● Tutu App *com.tutuapp.tutuapphwenterprise

● UnCover jailbreak Unique Android Apps removed from or no 242 721 longer in PlayStore Malicious ● Science.xnu.undecimus High Risk Apps Apps Unique iOS Apps removed from or no ● Metasploit: com.metasploit.stage 127 longer in AppStore

20.7k Devices running Vulnerable OS 86 ● Jailbroken/Rooted (Magisk, uncover) Devices vulnerable to CheckRa1n but 4.2 k don’t have MTD activated 6 ● App Tampering (Cydia) Risky Device Configurations Tampered ● File System Changed. (Chinese device High Risk Devices 1 Devices 1.3k (Developer options, USB debugging on, manufacturer) Unknown Sources Enabled)

Devices connected to Rogue Access Points 143 Devices running Vulnerable OS 4 experienced a Karma attack. iOS 3rd Party Profiles 93 ● Tutulite, u04Store,AppValley, Network Profiles Emus4u Attacks 781 Devices found unique Rogue Access Points Nearby (55 Rogue Access Points exhibiting KARMA Attacks) 42 Jailbreak Profiles ● Unc0ver, Jailbreak Installer, Cydia

SideloadedUn-managedApps profile Malicious App File System Changed 5 Devices

12:31:30 PM 12:34:10 PM 12:39:40 PM 8/23/2020

Unsecured Network Rogue Access Point SSL Strip 24 Devices

2:11:30 PM 2:11:40 PM 2:14:30 PM 9/12/2020

System Tampering Device Jail-Broken App Tampering 10 Devices

9:10:30 AM 9:11:21 AM 9:13:21 AM 9/24/2020

• Questions ? • Action Items ……

Contact Information: Michael Shea, Senior Director DoD Phone: 703-626-8971 Email: [email protected]