BYOD proliferation into the Enterprise is growing exponentially and there is no way to stop it. On one hand there are MDMs, DLPs and MAMs to manage devices and apps at the device level, but a bigger threat is slowly looming under the carpet, one to which IT is turning a blind eye: mobile malware attacks. It will throw greater challenges at Enterprises that allow personal devices into their networks, and it is time IT started thinking about it and about what it can do to stop such attacks in their tracks even before they enter the system. This article talks about the issues and ways to contain them.
With the high proliferation of BYODs among Enterprises, and with Checkpoint pointing out that there are 5 times more personal devices in Enterprises than 2 years ago, that more than 71% of devices have vulnerabilities and that around 1/3rd of devices are infected, Enterprises should stand up, take notice and provide ways to stop these infections from spreading across the Enterprise to its various networks and network elements. With malware becoming sophisticated, hybrid and cross-over, it doesn’t matter how it enters: it will find a way in and eventually infect all of the elements, and by then the cost will be too huge and it will be too late to fix. Separating the BYOD traffic out onto a separate VLAN won’t help either (please read this FAQ and this blog). Adding MDM helps reduce this, but it is not the right way to contain malware and intrusion, and especially not for anomaly detection (for zero-day attacks); active signature-based malware detection on the device is not as mature as its desktop counterpart, it is not the same thing either, and you cannot detect even 25% if you try (please read Symantec’s acceptance of this here).
Malnets (malware networks), the infrastructures that successfully drove nearly two thirds of all web-based attacks in 2012, are setting their sights on mobile users. Currently almost 40% of all web-based mobile malware comes from these known malnets (source: Blue Coat WebPulse). Some of the latest mobile Trojan attacks that were recently detected were recognized by only 10 of the 41 anti-virus engines in VirusTotal.
Another critical point to note is that, according to a Juniper survey, hardly 5% of all devices have any kind of security software installed. Mobile malware has grown 600% in the last 2 years, and 79% of Enterprises had a mobile incident last year alone (Checkpoint report 2012); the cost of such an incident is $500K for a large enterprise and $100K for an SMB (fewer than 1000 employees).
Considering all this, it is only a matter of time before a major mobile-specific offensive is launched by these malnets. Mobile devices have empowered users, giving them access to a wealth of information and corporate assets from anywhere. Yet we haven’t put in place the tools and practices that would allow them to make good, safe choices. Essentially, we have set them up to fail. It is the duty of the enterprise today to ensure that the network and its assets are safeguarded against these sophisticated malware and malnets.
The best way to secure a progressive Enterprise that has enabled BYOD is to make sure that passive scanning (scanning, at the network layer, of the traffic generated by these devices) is enabled for all mobile traffic, to identify what is normal traffic and what is malicious or intrusive, including detecting anomalies in order to catch zero-day attacks. For example, scanning an Android device itself won’t tell you much, but watching the traffic from that device, seeing which apps are running and which servers are being accessed, and analyzing the relationships between these devices and the network elements gives a lot more information for determining malicious activity.
We also need to automate all of this: discovering devices, fingerprinting them, and checking and analyzing their traffic for vulnerabilities and any malicious or intrusive behavior, including catching probable zero-day attacks based on anomalies. That will be a huge thing for an Enterprise securing its network against BYOD-specific malware attacks, and all of it can be done in real time, providing great security insight to the Enterprise. Collecting the data and putting it into a searchable, query-able database where one can apply big-data analytics can also throw up a lot of valuable security intelligence.
This is exactly what we do with Peregrine7. We also correlate the log information to detect anomalies. Running this analysis across devices and across groups of devices, say those belonging to one user or to a particular group, throws up a lot more information and can help further fine-tune the security analysis.
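As an added illustration of the passive, network-layer approach described above (example code written for this article, not Peregrine7’s or any other vendor’s software), the script below takes constructed flow records in the shape a web proxy or NetFlow sensor might export, fingerprints each device from the User-Agent seen on the wire, learns which destinations each device normally contacts, and then raises two kinds of alert: a signature-style match against a placeholder malnet host list, and an anomaly-style alert when a device fans out to several never-before-seen hosts. It finishes by rolling alerts up per user, the cross-device correlation mentioned above. Every MAC address, user name, host name and threshold in it is made up.

```python
from collections import defaultdict

# Constructed sample flow records, in the shape a network sensor (web proxy or
# NetFlow exporter) might emit for BYOD traffic. Hosts under .example and
# .invalid are placeholders, not real indicators.
ANDROID_UA = "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300) AppleWebKit/534.30"
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X) AppleWebKit/536.26"

SAMPLE_FLOWS = [
    # Baseline window (ts < 1000): normal corporate traffic
    {"ts": 100, "mac": "aa:bb:cc:00:00:01", "user": "alice", "dst": "mail.corp.example", "port": 443, "ua": ANDROID_UA},
    {"ts": 200, "mac": "aa:bb:cc:00:00:01", "user": "alice", "dst": "intranet.corp.example", "port": 443, "ua": ANDROID_UA},
    {"ts": 300, "mac": "aa:bb:cc:00:00:02", "user": "bob", "dst": "mail.corp.example", "port": 443, "ua": IPAD_UA},
    # Detection window (ts >= 1000): alice's phone fans out to hosts it never contacted before
    {"ts": 1000, "mac": "aa:bb:cc:00:00:01", "user": "alice", "dst": "mail.corp.example", "port": 443, "ua": ANDROID_UA},
    {"ts": 1001, "mac": "aa:bb:cc:00:00:01", "user": "alice", "dst": "tracker-1.example.invalid", "port": 80, "ua": ANDROID_UA},
    {"ts": 1002, "mac": "aa:bb:cc:00:00:01", "user": "alice", "dst": "tracker-2.example.invalid", "port": 80, "ua": ANDROID_UA},
    {"ts": 1003, "mac": "aa:bb:cc:00:00:01", "user": "alice", "dst": "tracker-3.example.invalid", "port": 80, "ua": ANDROID_UA},
    {"ts": 1004, "mac": "aa:bb:cc:00:00:01", "user": "alice", "dst": "update-check.example.invalid", "port": 8080, "ua": ANDROID_UA},
    # Detection window: bob's tablet contacts a host present on the (placeholder) malnet feed
    {"ts": 1100, "mac": "aa:bb:cc:00:00:02", "user": "bob", "dst": "malnet-placeholder.example.invalid", "port": 8080, "ua": IPAD_UA},
]

# Placeholder standing in for a malnet / threat-intelligence feed (assumed, not a real list).
KNOWN_MALNET_HOSTS = {"malnet-placeholder.example.invalid"}

BASELINE_END = 1000        # flows before this timestamp form the learning period
NEW_HOST_THRESHOLD = 3     # a device reaching this many never-seen hosts in the window is flagged


def fingerprint(user_agent):
    """Passively classify the device OS from a User-Agent string seen on the wire."""
    if "Android" in user_agent:
        return "android"
    if "iPhone" in user_agent or "iPad" in user_agent:
        return "ios"
    return "unknown"


def discover_devices(flows):
    """Build the device inventory (MAC -> user, OS) from observed traffic alone."""
    devices = {}
    for flow in flows:
        devices.setdefault(flow["mac"], {"user": flow["user"], "os": fingerprint(flow["ua"])})
    return devices


def build_baselines(flows, baseline_end=BASELINE_END):
    """Record the set of destinations each device normally talks to."""
    baselines = defaultdict(set)
    for flow in flows:
        if flow["ts"] < baseline_end:
            baselines[flow["mac"]].add(flow["dst"])
    return baselines


def detect(flows, baselines, baseline_end=BASELINE_END, new_host_threshold=NEW_HOST_THRESHOLD):
    """Raise alerts for malnet contacts (signature-style) and destination fan-out (anomaly-style)."""
    devices = discover_devices(flows)
    alerts = []
    new_hosts = defaultdict(set)
    for flow in flows:
        if flow["ts"] < baseline_end:
            continue
        if flow["dst"] in KNOWN_MALNET_HOSTS:
            alerts.append({"mac": flow["mac"], "user": flow["user"],
                           "type": "malnet_contact", "detail": [flow["dst"]]})
        if flow["dst"] not in baselines.get(flow["mac"], set()):
            new_hosts[flow["mac"]].add(flow["dst"])
    for mac, hosts in new_hosts.items():
        if len(hosts) >= new_host_threshold:
            alerts.append({"mac": mac, "user": devices[mac]["user"],
                           "type": "anomaly_new_hosts", "detail": sorted(hosts)})
    return alerts


def correlate_by_user(alerts):
    """Roll alerts up per user so a person's several devices are judged together."""
    by_user = defaultdict(list)
    for alert in alerts:
        by_user[alert["user"]].append(alert["type"])
    return {user: sorted(types) for user, types in by_user.items()}


if __name__ == "__main__":
    base = build_baselines(SAMPLE_FLOWS)
    found = detect(SAMPLE_FLOWS, base)
    for alert in found:
        print(alert)
    print(correlate_by_user(found))
```

On the sample data the Android phone triggers the fan-out anomaly (four new hosts against a threshold of three) without matching any feed entry, while the iPad triggers only the feed match; a real deployment would feed the per-user roll-up into the searchable store described above and tune the threshold per device group rather than globally.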
With the advent and high proliferation of personal devices in the enterprise, and the exponential growth of malware and advanced persistent attack vectors coming from those devices, the burden on the security officer has increased drastically. With the help of such tools, the key is constant, automatic monitoring of the activity and of the traffic to and from these BYODs, and early action against any anomaly or malicious activity.