• United States



by Will Kelly

How to use threat intel to boost mobile security

Jul 06, 20157 mins
Mobile Security

Security pros are recommending that companies integrate threat intelligence — the real-time sharing of intelligence information about cyber security threats and malicious applications – with mobile device management platforms in order to improve mobile security.

The first step, according to Larry Whiteside, Jr., chief security officer of the Lower Colorado River Authority, is to make sure you’re getting the same level of log information from your enterprise mobility management (EMM)/mobile device management (MDM) provider as you would from your desktop security provider.

“I can’t see anybody who would have a Symantec or McAfee or even any of the new tools that are protecting desktops, and just say, ‘Yeah, just put your protections on there. We don’t need to know what’s hitting it. We don’t need to know anything about what’s going on. Just protect it and we’ll trust you.’”

But that’s what we do in mobile right now” says Whiteside. He says that when companies look at MDM solutions they tend to focus on integration and capabilities, “but they don’t put a lot of requirements around ensuring that they’re getting some of the basic functionality, such as logs, and such as threat type.”

Integration of feeds is key

Bring threat intelligence feeds into your MDM system so you can use the intelligence about dangerous and malicious apps to upgrade your mobile threat defenses. That’s the recommendation of David Jevans, CEO, Chairman, and CTO of Marble Security, a provider of app security services. Often, you can bring in threat intelligence feeds to your MDM/EMM platform using an API from your MDM or threat intelligence platform provider, he says.

+ ALSO ON NETWORK WORLD Threat intel sharing: Security breakthrough or flavor of the month? +

“Threat intelligence can give an enterprise very quick intel into which apps should not be allowed on your network, and this can be done in a matter of hours inside an enterprise,” Jevans says. The idea is to get the data feed, correlate it with MDM and delete those apps immediately or notify those users.

Of course, things are a bit more complicated in Bring Your Own Device (BYOD) environments, but Jevans still recommends bringing your threat feeds into your MDM. However, he cautioned that companies need to have management capabilities in place for BYOD in order to know what’s running on users’ devices. That typically means deploying an agent to run on user devices that let you know what the device is running, so you can correlate the device to threat intelligence.

Good Technology concurs with Jevans about the unique problems that BYOD brings to threat intelligence. He also offers another benefit of feeding threat intel directly into an MDM. “You may want to stop that device from being able to connect to your corporate network, but I can’t go and wipe the whole device, or stop it from talking to AT&T, or the WiFi at home because it’s not my device.”

+ ALSO ON NETWORK WORLD How to deploy tablets to your mobile workforce +

Van Someren adds, “There’s a couple of different ways both on the sensing and on the actioning side that mobile is different, but at many levels it’s the same activity because threat intelligence needs to be a holistic approach rather than a point solution.

“That classic MDM solution is much more vulnerable than a containerized solution where the only keys in the container are keys that get you to just the resources that are specific to that containerized application and nothing else,” van Someren says. “That sort of containerization solution is much better protected against the sorts of end point threats that we’re talking about here.”

“From a mobility point of view we don’t have quite as much opportunity to collect information in the mobile space as we do in a managed physically shackled, physically controlled device that’s on the corporate network,” van Someren adds.

There are also privacy implications. “You have to think carefully, ‘Is it my place to be collecting information off these end points?’ Then similarly in terms of actioning, if I have a device that I’ve ascertained is not clean, if there’s something wrong with that device and it’s got some bad behavior, I can’t go around wiping people’s devices willy nilly if it’s their personal device,” van Someren says.

Take a holistic approach

It’s important to note that there’s no such thing as mobile specific threat intelligence in the eyes of cyber security experts. Threat intelligence only makes sense when it’s applied across the entire infrastructure, according to van Someren.

Look at threat intelligence as more than just applying individual IP addresses and domains to individual transactions, recommends Monzy Merza, chief security specialist at Splunk, a provider of operational intelligence and log management solutions.

He recommends that enterprises look across the entire IT spectrum, including servers, databases and applications to see how mobile interactions are happening and apply threat intelligence to as broad a base as possible.

That entails deploying tools that allow you to apply threat intel to your mobile application logs, to your firewall logs, even your email content.

“Don’t be confined to ‘event data’ and apply threat intel across all data sources,” Merza recommends.

“When it comes to getting intelligence about what your employees are doing, I think it’s super important to go with the solution that gives you some reporting on who’s accessing what applications, when, and getting visibility into that application access,” says Andrew Conway, senior director of enterprise mobility at Microsoft.

When you think about threat intelligence, what’s going to happen at some point is it’s going to be about accessing applications and understanding, ‘OK, who’s accessing, when, how are they doing that.’”

Another tip from Marble Security’s Jevans is to integrate mobile threat intelligence into your network intelligence. Network intelligence data might include:

  • Network coordinates about where malicious traffic is going from mobile devices
  • Devices connected to your enterprise network whether inside your firewall or connected through your VPN

Integrating mobile focused threat intelligence and network intelligence enables you to better profile and add that malicious information into your existing threat prevention system, whether it’s firewalls or device management and then you can track it that way as well.

“You may not be able to detect it when they’re at the airport, but you can detect it when they’re back at work,” Jevans advises.

Ed Fox, vice president of network services, and Max Silber, vice president of mobility for MetTel, a provider of network, data, and mobility services, recommend forming an internal SWAT team around threat intelligence feeds to help target information to users who are under threat of attack.

Diana Kelley, executive security adviser, for IBM Security recommends putting a mobile protection environment in place internally. While not threat intel from the outside, it’s still very valuable in using your MDM solution to detect jail broken or rooted devices inside your enterprise.

“That’s really important threat intelligence, because although it’s not the big world intelligence, it’s intelligence inside your environment,” Kelley asserts. “Did they jailbreak their device? Then you can, again, take action to shut down that device, limit its access to the corporate container, not allow it to access the corporate system.”

Threats against mobile devices are part of the larger threat landscape that enterprises face each day. Bringing together MDM/EMM with threat intelligence adds a cyber security overwatch to mobile security ensuring a more expedient response to rising mobile-centric cyber security threats.

Kelly is a freelance writer. He can be reached at