February 5, 2018
Cloud-First, Device Assisted: A Layered Defense Model
In part 1 of this series, I highlighted some of the drawbacks of "on-device" Mobile Threat Defense (MTD) solutions. In this issue, I'll talk about an alternative "cloud-first, device assisted" approach that addresses the limitations of on-device detection by incorporating the power of cloud computing and big data in a layered defense model.
Malicious actors continue to discover new ways to avoid detection. In fact, cybersecurity will always be a cat-and-mouse game - a back-and-forth routine in which one side constantly attempts to gain tactical advantage over the other.
To understand the severity of the problem, one need only look at the WikiLeaks release of the U.S. CIA's hacking arsenal code-named "Vault 7". This trove of dangerous software included malware, viruses, trojans, weaponized "zero day" exploits, remote control systems and associated documentation. The techniques used in these exploits are well known to malicious actors who iterate on them while developing new tactics that are even more dangerous.
Stopping these malicious actors requires the kind of long view, holistic effort that Lookout has employed with its unique "cloud-first, device assisted" approach. This layered defense model addresses the limitations of on-device detection by incorporating the power of cloud computing and big data. The cloud component acts as a force multiplier, dramatically increasing the effectiveness of enterprise defenses against an increasingly sophisticated enemy.
"The cloud component acts as a force multiplier, dramatically increasing the effectiveness of enterprise defenses against an increasingly sophisticated enemy. "
There is no substitute for relevant data sourced from large populations
A useful analogy to help underscore the benefit of this approach can be found in the field of clinical research, where cohort studies are used to investigate the causes of disease by establishing links between risk factors and health outcomes. For example, researchers might record the foods consumed by a group of individuals over the course of a study and use correlations to explore the link between sugar consumption and heart disease. The sample size of the cohort is an important part of the study design, with a larger sample size providing more accurate predictions. Studying a cohort that is too small can result in insufficient "statistical power". In other words, the analysis becomes unable to identify real differences as significant merely because there aren't enough subjects to analyze.
The same methods have found their way into the domain of cybersecurity. The ability to stay ahead of threat actors and accurately predict their next attack requires collecting anonymous signals from millions of devices and applying machine learning to draw reliable inferences. The cloud makes gaining access to large cohorts practical while adding a level of insight that's unmatched by more constrained solutions that employ only on-device techniques.
"The cloud makes gaining access to large cohorts practical while adding a level of insight that’s unmatched by more constrained solutions that employ only on-device techniques."
The question of statistical power is even more relevant in the Android ecosystem due to growing device diversity (a.k.a., fragmentation), which has given rise to tens of thousands of different Android variations in the market. Device diversity is caused by several factors, beginning with the eight major platform versions currently in circulation (from Gingerbread to Oreo) and the inclination of each manufacturer to tweak the source code with their own features (i.e., drivers, OEM applications, etc). To make matters worse, mobile carriers insist on adding their own software customizations while exercising control over software updates. With more than 24,000 different Android variants on the market today, each cohort must be sampled from a subset of devices with a similar codebase to obtain the best possible insights. This selection can only be performed with a cloud solution that provides visibility to all Android variants in the market at a given time.
Patterns of attack are exponentially more revealing
While on-device indicators are increasingly limited due to OS constraints, they will continue to have some relevance. In other words, on-device indicators can be useful but are not sufficient. The most effective philosophy is to collect as many indicators as possible from the device and send them to the cloud for analysis. There we can look at indicators of compromise in a global context. If indicators change, whether because a threat actor changed his tactics or specific indicators became inaccessible in a newer OS version, we can adapt our decision rules in real time.
"In fact, patterns of attack are exponentially more revealing than individual indicators of compromise and can be used to profile an attack even before it can cause damage."
For the most effective threat detection, however, on-device indicators must be coupled with other real-time data streams that are compiled off device. At Lookout, we monitor and collect billions of data points every day. A large, global data set lets you uncover hidden patterns and unknown correlations that can't be found on a single device. In fact, patterns of attack are exponentially more revealing than individual indicators of compromise and can be used to profile an attack even before it can cause damage. Once discovered, we instantly share these patterns across our collective user base, creating a protective shield from a specific attack vector or variation of it. This network effect multiplies the value of our solution for customers while making it exponentially more difficult for attackers to succeed.
As noted in part 1 of this series, an attacker changing an indicator of compromise is analogous to a bank robber changing his shirt. While the police are looking for a man with a blue shirt, the same crook is robbing a bank across town wearing a red shirt. Too often we're trying to detect an outdated shirt. What if we didn't care about shirt color and instead focused on the crook's physical traits (e.g., left handed, curly hair, walks with a limp) or something else inherent to his natural behavior, while attempting an attack? These patterns are far more difficult to change. Now consider how difficult it would be for crooks to change tactics if we immediately shared their inherent behaviors with every bank in the world. That global network effect makes it exponentially more difficult for the attacker to make even the slightest change before immediately being caught.
The cloud makes all this possible
By applying supercomputer-like processing power to multiple, large, relevant datasets from disparate sources, anomalies are more easily detected, "normal" activity is quickly recognized and false-positive alerts are minimized. More importantly, a "cloud-first, device assisted" approach adapts to changing signals in real time for greater agility, observing and reacting to unfolding events more rapidly to gain advantage. Given the pace of innovation in cybercrime, this ability to constantly evolve is critical to stay ahead of adversaries.
The world's largest mobile security dataset
Over the last 10 years, Lookout has built the world's largest mobile security dataset through more than 150 million users in over 150 countries. This massive global installed base of customers generates billions of anonymous, real time signals that we combine with insights from our global threat intelligence network and our world-class Security Research teams. Through this mix of automation and human-powered intelligence, we're constantly identifying new and advanced threats while deriving valuable insights for more complete understanding of each threat and its context.
Cloud computing and big data allow us to fundamentally rethink our efforts to chase down attackers. Better tools help alter the balance of power and risk. The cyber threat landscape is evolving quickly - so must the tools used to combat it.
Interested in learning how Lookout can secure your mobile workforce? Contact us today.
Book a personalized, no-pressure demo today to learn:
- How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
- Real-world examples of phishing and app threats that have compromised organizations
- How an integrated endpoint-to-cloud security platform can detect threats and protect your organization