Sign-up for the latest Lookout news and threat research
In this episode, we chat with our mobile security experts about mobile device management. Why is MDM in and of itself not security. What’s the best way to protect an organization’s smartphones and tablets? Listen in to find out.
Hank Schless 00:08
All right, everybody. Welcome to the lookout podcast. I'm your host, Hank Schluss. And today, we have a very global presence with us. We've got Victoria Mosby joining us from Washington, DC, and your own wide open, joining us from the Netherlands. So Victoria is one of our mobile experts who focuses on working with US federal organizations, whereas your own is a security consultant who has more than 15 years of experience between network and mobile security. So I'm really excited to have you guys on here really excited for your perspective. Thank you very much for joining us.
Victoria Mosby 00:41
Thanks for having us.
Hank Schless 00:43
Absolutely. So So today, we're gonna be covering Mobile Security, and specifically, what security isn't isn't. People, obviously are using their mobile phones or tablets more, especially as they try to stay productive, while people are working from home more frequently now. And there's sort of this idea that mobile devices exist at the intersection of our work in our personal lives becoming more and more of a thing. So for a lot of organizations, there's sort of this misconception that if I have mobile device management or MDM, which we'll get into deployed, then my devices are secure. May, Victoria, you can chime in on this one, where that misconception come from? What's kind of the genesis of it? And why do people have it if it's called management and not security?
Well, it's kind of started, I believe, I would say on the federal side of things like most standards in the industry end up getting started, the federal side starts it and then private sector kind of picks it up in order to work with the federal, but it kind of started more so as a compliance thing, compliance mandates that we see that end users back in the early 2010s, and even a little bit before that, we're starting to use mobile phones, blackberries and stuff like that for email, text message, and, you know, phone calls for work specifically. So the idea was, we need to be able to account for those things, we need to be able to track who has it, what policies are being pushed to it. So management really of the other folks, management of like sages that like as an asset tracker was all they really wanted to accomplish. Fast forward to today, where our phones can do so much more than just email and text message, you can actually do work on the phone now with your word or office 365, we now get into the precipice of we need actual security for these phones. And the MDM is which served a purpose at that time is just like an asset tracker and just saying, Okay, this phone is lost or stolen, then we can just hard wipe it and then that's it. You can't really do that now, especially with people bringing in their own personal devices to
Hank Schless 02:56
do work. So yeah, it sounds like it was sort of a checklist item. At the genesis of it, people's mentality hasn't totally evolved with the capabilities of the devices. Exactly. And your own. What about you? Any anything to add?
Yeah, I think it's it's also a lack of knowledge. The perception is that if you have an agent, or there's a kind of management capabilities in there that people think that, oh, there must be something or any that is securing my device. And that is Yeah, has also been purposely built to secure that the mobile device.
Hank Schless 03:33
Yeah, totally makes sense. And so what types of vectors do you think have really evolved? Even just in the last couple of years?
I think, yeah, we all remember that from desktops, let's be honest with email, with attachments, and that you receive infected files via email. And that's pretty similar, or actually how it's done on a mobile device is that what we've seen is that although the the mobile operating system has been locked down, and that's every mobile device in an application runs in a sandbox environment, we've seen a lot of infections in the mobile applications.
Hank Schless 04:12
Just to take a quick step back here. And Victoria, I'll pose this question to you first, can you kind of for people who are less familiar with mobile than we are? Talk a little bit about what mobile a mobile device manager MDM is, and why it's why it's part of this whole conversation?
Sure. So mobile device management or manager, it's for understanding what is in my fleet of mobile devices. They then will push a mobile further an MDM profile directly to that device. And that profile allows them some level of control over the device from a management perspective. It's essentially a glorified asset tracker, with the ability to manage to the device to certain levels depend on depending on how they did Scientists use it for their good tool to have for mobility architecture, which is not a security tool. And it's very much a tracking, onboarding and management tool for these devices.
Hank Schless 05:11
Interesting. Yeah. It's interesting how you keep using the term, basically an asset tracker. But right, I mean, to your point, and you're on maybe you can chime in a little bit on this from a little bit more of the enterprise side, and the types of organizations that you talk with every day, how are they framing MDM, whether that's internally to their own, you know, a security team to others internally, or to their customers? Who asked Oh, how are you securing our you know, our data or whatever it may be. So,
you know, in my conversations with enterprises is that everyone is talking a lot about mobile device management. But actually, that technology already exists for many, many years, MDM muscle really like okay, a company hands over the phone to the employee. And we'll make sure that meeting the compliance policies, what we see now is that to enable productivity is that people can bring their own device, but they find it more intrusive. So you're not managing the device anymore. But you just manage the application itself to make sure that someone accessing the application and it will ask for a passcode, for example, and in the industry that basically has created a new acronym for it. So it moved from mobile device management to Iman product by Gartner. Because it was a tool more it was not only managing devices, but now certainly it was also managing applications. So it was an enterprise mobility management system. But now you see also that UTM is the broader acronym of managing mobile devices, applications, IoT, but also desktops and laptops.
Hank Schless 06:51
So a lot of companies are shifting towards this model, where they're allowing people especially now that we have a lot of people working remotely kind of the work from home or work from anywhere model, just using mobile application management versus a full device management, is that enough to protect?
Those are interesting tools. But I would say they're even less security focused than your MDM, because at least when you get with an MDM, you have that MDM profile on the device that can enforce or require certain criteria be applied to the device, and a man scenario, you have no control over anything on that device at all. The only thing you're controlling is the app itself, for both of them if your device compromised all of those protections, regardless of what it is, go out the door. All right, so we've talked about
Hank Schless 07:47
MDM, mam UVM. We touched on em, man. But it doesn't really sound like any of those really provide full protection. So the question I have for you your own is what what causes organizations to start looking at something like a true mobile security tool? What's kind of the catalyst for a lot of them? Do they really start to see it say, Okay, well, now we understand this, that management is not security, what what do we do, like, where does that all fall?
It's a lot of work to educate customers in explaining what the different technologies how they've been developed from the ground up. And once you understand that, you automatically see that from the ground up as we build as a management or an assets to many devices. So you see that although they can detect all kinds of commodity jailbreaks or they can rely on simply black and white listing certain applications, they don't have the intelligence and they've been not build up from the ground up to do these kinds of detections. A great example is that an MDM tool usually keeps keeps track of all the installed applications. But it does that every four hours. But yeah, the security product that wants to know what's going on. So if there is maybe the operating system is compromised, so there's a changing change in the operating system, we want to leave the detect that so we our A or let's say, and Mobile Threat events agent can really detect that and has this real time detection. That's the same food also those applications that you want to see. Not did you look at the crucial data, but that you really look at okay, what kind of binaries use there are, is there any suspicious behavior on that device?
Hank Schless 09:41
Yeah, so it sounds like it's more about getting the kind of more real time to use the overused term visibility into what's actually happening rather than just sort of continuous updates on like us, for example, every four hours. So Victoria, which they were looking at for that real security layer on Oh, it sounds like MDM. And all these other tools have their place. But what's what's the security tool?
Yeah, um, as you said, like the the other tools aren't good tools to have for an overall mobile architecture, but are the overall security arm of that mobile architecture, you need to look at something called a Mobile Threat Defense solution or MTD. You might also hear it called and Mobile Threat Protection solution. So in TP, they're kind of interchangeable, depending on who you talk to. But that solution is built purposely for detecting mobile threats for putting defenses and protections in place against those things in the real time fashion. These are usually agents, app agents that sit on the device itself, so they can monitor at the device level as the heuristics and the status of the device changes. So they offer a security visibility into the device. And it can look at the apps on the device. Typically at like the the library coding binary level of the apps, most of these MTD solutions aren't going to actually break into your apps and look at your personal data, which is typically the concern that I hear from, you know, prospects or customers are people who I talk to about this, well, if you're looking at my apps, and I don't want you looking at my you know, personal data that I have in my health app or stuff like that, I'm like, no, they don't do the MTD solutions are only concerned with is this app secured, and from the perspective of it doesn't have any risks and coding behaviors. Mint isn't asking for more permissions that it should have. Those are the things that it looks at, for my app perspective. But it also does provide network Protection provides device level protection and that device level protection gets into you know, do you have a password or passcode set? Are you running an out of date OS on your phone? Or is your phone jailbroken for instance. And then lastly, the biggest one that MTDS can really help with is Phishing Protection. Because our device platform is so small with these folds, you have no way of really looking at a link that you get on that phone rather comes in from a text message, you browse to something your friend send you a link like WhatsApp or Facebook Messenger or stuff like that, if those are usually bitly links or shorten links that you can't really read through. So you're just going to click on it because you maybe trust the source of where it's come from. And then you get fish, these MTD solutions are very good at protecting end users from those things. So I mean, there, you could essentially treat them as your like, if you're going to compare them to like a laptop or a desktop, you could see them as your host based firewall host base antivirus. And, you know, just that the security check, like at Norton sort of deal, but for the phone, and it does so much more.
Hank Schless 12:49
I sort of touched on this earlier, when you kind of people trying to push that down to mobile side, why is it taking so long for organizations to understand that these devices kind of put at the same level as the more traditional endpoints that, you know, obviously, we've all been securing for years,
there's several things and it's it's about mentality, convenience, and it's a matter of you had corporate phones that were specifically on the corporate only and those are usually like Blackberry phones that you get. And again, those were only used for text message, email and phone calls. Fast forward to today, where a given smartphone is more powerful than a laptop or a computer from 10 years ago, there's so much more you can do with this phone, especially the BYOD. This is my phone. So the adoption of BYOD into the workforce, especially at a federal level has been very slow. Because there's this perspective of it's their personal phone, we can't control what they do on it. And there's no way we can ensure the security of our, you know, our organizational information or apps or data stream or whatever, if we allow them to use their phones.
Hank Schless 14:02
Got it in your own. Would you say that from the enterprise side? Is it similar? I mean, how do you how do you kind of talk through that stalemate that Victoria just mentioned? Yeah, so
the perception is obviously that if either device, the device is completely locked down, okay, then we are safe. But also add these personal phones, we don't want to touch that more that that also exists a lot in, I would say in enterprises. The change obviously is there is that you see that there are more capabilities these days. So more adoption as well on the traditional desktop applications, Word, Excel or G Suite or any application that you want to use. They are there and also available in the App Store and you can use them only on those mobile devices. So I do see a shift in enterprise that they see also the advantage because let's be honest, productivity will happily increase If you get access to those kinds of capabilities, and also to the corporate data, but also expose risk to your organization. And yeah, how I usually also explain mobile defense is that it's it's a healty agents that you have installed on your device, but also is bridging the gap to between those two worlds. Because working it down, yeah, that will make, let's say people that they don't like that, but completely freedom. Yeah, obviously, that brings a lot of risks to the organization and having some kind of glue and a tool, mobile tech defense is helping organizations and adopting that.
Hank Schless 15:41
So I mean, like I mentioned, the start seems like there's definitely a place for these management tools. But based on what you guys are saying they're not true security, it sounds like Mobile Threat Defense is the only way to really, truly protect your do more than check the box. These days, I think with more people working from home where those more traditional security tools aren't really taking care of things. I mean, we've talked about a lot where it's evolving now from work from home to work from anywhere in that's obviously yesterday. I mean, what do you guys think the future kind of looks like your kind of final advice to an organization that's looking at how to deal with securing people as they are evolving into the into the future, which will be work from anywhere.
So what I usually try to explain to organizations organization's into enterprise IT is usually review a lot of notable Ted discoveries, because still, the perception is MDM, and we've already discussed on okay, what what kind of capabilities are in there? What can I do, but still okay, well, what is the missing piece? And going over those notable discoveries explained to them what the risks are associated with that? And then I steer the conversation more into Do you have visibility? Because once people understand that there are threats out there, and there are gaps in solutions? Because it's a personal device? It's maybe a lockdown device? Yeah, there are still gaps also, with COVID-19. Productivity is going more or remote workers, then I'm talking about visibility, because all starts with visibility. Because if you don't see it today, yeah, that also has maybe to do with that you have no visibility, and there are tools that can help you with that.
Hank Schless 17:32
Yeah, for sure, Victoria, anything to add
that MTD solution that we were talking about, Well normally work hand in hand with your MDM complement and supplement the MAM solution and the MDM solutions that exist, that having all been said, Education is a really big thing, because a lot of experts said that even I've dealt with ad agencies, and they understand and a lot of cases that security is a thing. They just don't understand what that means for the mobile device.
Hank Schless 18:01
Got it? Guys. It's been great. Having you both on here. Thank you so much for joining us. It's really getting the perspective between federal enterprise kind of more, US based Europe based it's been this has been a great conversation. And it's really been cool to hear your guys's perspective, you know, unique perspectives on how managing devices is actually pretty different from actually securing them. So I think we'll wrap it up here. Thank you both for taking the time to talk today. Thank you everyone for tuning in. And to learn more about mobile security, you can always check out our blog. It's just blog.lookout.com and we'll see you next time. Thanks, everybody.