Management Isn't Security: Why You Need More Than MDM

Hank Schless  00:08

All right, everybody. Welcome to the Lookout podcast. I'm your host, Hank Schless. And today, we have a very global presence with us. We've got Victoria Mosby joining us from Washington, DC, and Jeroen Wijdogen, joining us from the Netherlands. So Victoria is one of our mobile experts who focuses on working with U.S. federal organizations, whereas Jeroen is a security consultant who has more than 15 years of experience between network and mobile security. So I'm really excited to have you guys on here, really excited for your perspective. Thank you very much for joining us.

‍

Victoria  00:41

Thanks for having us.

‍

Hank Schless  00:43

Absolutely. So today, we're gonna be covering mobile security, and specifically, what security isn't isn't. People, obviously, are using their mobile phones or tablets more, especially as they try to stay productive, while people are working from home more frequently now. And there's sort of this idea that mobile devices exist at the intersection of our work and our personal lives becoming more and more of a thing. So, for a lot of organizations, there's sort of this misconception that if I have mobile device management or MDM, which we'll get into, deployed, then my devices are secure. Maybe,  Victoria, you can chime in on this one, where that misconception come from? What's kind of the genesis of it? And why do people have it if it's called management and not security?

‍

Victoria  01:33

Well, it's kind of started, I believe, I would say, on the federal side of things like most standards in the industry end up getting started. The federal side starts it and then private sector kind of picks it up in order to work with the federal. But it kind of started more so as a compliance thing, compliance mandates that we see that end users back in the early 2010s and even a little bit before that… We were starting to use mobile phones, Blackberries, and stuff like that for email, text message, and, you know, phone calls for work specifically. So the idea was, we need to be able to account for those things, we need to be able to track who has it, what policies are being pushed to it. So management really of the other folks, management of, like, an asset tracker was all they really wanted to accomplish. Fast forward to today, where our phones can do so much more than just email and text message. You can actually do work on the phone now with your Word or Office 365. We now get into the precipice of, “We need actual security for these phones.” And the MDM which served a purpose at that time is just, like, an asset tracker and just saying, “Okay, this phone is lost or stolen, then we can just hard wipe it and then that's it.” You can't really do that now, especially with people bringing in their own personal devices to do work. 

‍

Hank Schless  02:56

So yeah, it sounds like it was sort of a checklist item. At the genesis of it, people's mentality hasn't totally evolved with the capabilities of the devices. And Jeroen. What about you? Any anything to add?

‍

03:11

Yeah, I think it's also a lack of knowledge. The perception is that if you have an agent, or there's a kind of management capabilities in there that people think that, oh, there must be something that is securing my device. And that has also been purposely built to secure that mobile device.

‍

Hank Schless  03:33

Yeah, totally makes sense. And so what types of vectors do you think have really evolved? Even just in the last couple of years?

‍

Jeroen Wijdogen

03:40

I think, yeah, we all remember that from desktops. Let's be honest that, with email, with attachments, you receive infected files via email. And that's pretty similar. Or, actually how it's done on a mobile device is that… what we've seen is that, although the mobile operating system has been locked down, every mobile device in an application runs in a sandbox environment. We've seen a lot of infections in the mobile applications.

‍

Hank Schless  04:12

Just to take a quick step back here, and Victoria, I'll pose this question to you first. Can you kind of, for people who are less familiar with mobile than we are, talk a little bit about what mobile device manager, MDM, is and why it's part of this whole conversation?

‍

Victoria  04:29

Sure. So mobile device management or manager, it's for understanding what is in my fleet of mobile devices. They then will push an MDM profile directly to that device. And that profile allows them some level of control over the device from a management perspective. It's essentially a glorified asset tracker, with the ability to manage the device to certain levels, depending on how they did. Scientists use it. It’s a good tool to have for mobility architecture, which is not a security tool. And it's very much a tracking, onboarding, and management tool for these devices.

‍

Hank Schless  05:11

Interesting. Yeah. It's interesting how you keep using the term, “basically an asset tracker.” But right, I mean, to your point, and Jeroen maybe you can chime in a little bit on this from a little bit more of the enterprise side and the types of organizations that you talk with every day. How are they framing MDM, whether that's internally to their own, you know, security team to others internally, or to their customers who asked, “Oh, how are you securing our you know, our data or whatever it may be? 

‍

Jeroen Wijdogen

05:41

So, you know, in my conversations with enterprises, everyone is talking a lot about mobile device management. But actually, that technology already exists for many, many years –– MDM muscle. Really, like, okay, a company hands over the phone to the employee. And we'll make sure that employee is meeting the compliance policies. What we see now is that, to enable productivity, people can bring their own device, but they find it more intrusive. So you're not managing the device anymore. But you just manage the application itself, to make sure that when someone is accessing the application, it will ask for a passcode, for example. And the industry that basically has created a new acronym for it. it moved from mobile device management to a named product by Gartner. Because it was a tool. It was not only managing devices, but now certainly it was also managing applications. So it was an enterprise mobility management system. But now you see also that UTM is the broader acronym of managing mobile devices, applications, IoT, but also desktops and laptops.

‍

Hank Schless  06:51

So a lot of companies are shifting towards this model, where they're allowing people, especially now that we have a lot of people working remotely –– kind of the work from home or work from anywhere model –– just using mobile application management versus a full device management. Is that enough to protect?

‍

Victoria  07:12

Those are interesting tools. But I would say they're even less security focused than your MDM, because at least when you get with an MDM, you have that MDM profile on the device that can enforce or require certain criteria be applied to the device. And in a MAM scenario, you have no control over anything on that device at all. The only thing you're controlling is the app itself, for both of them. if your device is compromised, all of those protections, regardless of what it is, go out the door. 

‍

Hank Schless  07:47

All right, so we've talked about MDM, MAM, UVM. We touched on M, man. But it doesn't really sound like any of those really provide full protection. So the question I have for you, Jeroen, is what causes organizations to start looking at something like a true mobile security tool? What's kind of the catalyst for a lot of them? Do they really start to see it and say, “Okay, well, now we understand this, that management is not security.” What do we do, like, where does that all fall?

‍

Jeroen Wijdogen

08:19

It's a lot of work to educate customers in explaining what the different technologies are, how they've been developed from the ground up. And once you understand that, you automatically see that from the ground up as we build it as a management tool or an asset to many devices. So you see that, although they can detect all kinds of commodity jailbreaks or they can rely on simple black and white listings in certain applications, they don't have the intelligence and they've not been built from the ground up to do these kinds of detections. A great example is that an MDM tool usually keeps track of all the installed applications. But it does that every four hours. But yeah, the security product that wants to know what's going on. So if there is… Maybe the operating system is compromised. So there's a change in the operating system. We want to be able to detect that. So we are, “Okay, a mobile threat events agent can really detect that and has this real-time detection.” That's also the same  for those applications that you want to see. It’s not, “Did you look at the crucial data?” But that you really look at. “Okay, what kind of binary uses there are; is there any suspicious behavior on that device?”

‍

Hank Schless  09:41

Yeah, so it sounds like it's more about getting the kind of more “real-time” –– to use the overused term –– visibility into what's actually happening rather than just sort of continuous updates, like us, for example, every four hours. So Victoria, what were they looking at for that real security layer? MDM and all these other tools have their place. But what's the security tool?

‍

Victoria  10:05

Yeah, um, as you said, like, the other tools aren't good tools to have for an overall mobile architecture, but are the overall security arm of that mobile architecture. You need to look at something called a mobile threat defense solution or MTD. You might also hear it called a mobile threat protection solution, so MTP. They're kind of interchangeable, depending on who you talk to. But that solution is built purposely for detecting mobile threats for putting defenses and protections in place against those things in the real-time fashion. These are usually agents, app agents that sit on the device itself, so they can monitor at the device level as the heuristics and the status of the device changes. So they offer security visibility into the device. And it can look at the apps on the device,  typically at, like, the library coding binary level of the apps. Most of these MTD solutions aren't going to actually break into your apps and look at your personal data, which is typically the concern that I hear from, you know, prospects or customers or people who I talk to about this. Well, if you're looking at my apps, and I don't want you looking at my, you know, personal data that I have in my health app or stuff like that, I'm like, no, they won't. All the MTD solutions are concerned with: Is this app secured? That’s from the perspective of it doesn't have any risks and coding behaviors. It isn't asking for more permissions than it should have. Those are the things that it looks at, for my app perspective. But it also does provide network protection. It provides device level protection. And that device-level protection gets into, you know, do you have a password or passcode set? Are you running an out-of-date OS on your phone? Or is your phone jailbroken, for instance. And then, lastly, the biggest one that MTDS can really help with is phishing protection. Because our device platform is so small with these folds, you have no way of really looking at a link that you get on that phone. When it comes in from a text message, you browse to something your friend sent you, a link like WhatsApp or Facebook Messenger or stuff like that. Those are usually bitly links or shorter links that you can't really read through. So you're just going to click on it because you maybe trust the source of where it's come from. And then you get phish. These MTD solutions are very good at protecting end users from those things. So, I mean, there, you could essentially treat them as your, like, if you're going to compare them to, like, a laptop or a desktop, you could see them as your host-based firewall, host-based antivirus. And, you know, just that security check, like a Norton sort of deal but for the phone, and it does so much more.

‍

Hank Schless  12:49

I sort of touched on this earlier, when you kind of have people trying to push that down to the mobile side, why is it taking so long for organizations to understand that these devices kind of are at the same level as the more traditional endpoints that, you know, obviously, we've all been securing for years.

‍

Victoria  13:06

There's several things and it's about mentality, convenience, and it's a matter of you had corporate phones that were specifically corporate only and those are usually, like, Blackberry phones that you get. And again, those were only used for text messages, email, and phone calls. Fast forward to today, where a given smartphone is more powerful than a laptop or a computer from 10 years ago; there's so much more you can do with this phone, especially the BYOD. This is my phone. So the adoption of BYOD into the workforce, especially at a federal level has been very slow. Because there's this perspective of it's their personal phone; we can't control what they do on it. And there's no way we can ensure the security of our, you know, our organizational information or apps or data stream or whatever, if we allow them to use their phones.

‍

Hank Schless  14:02

Got it. Jeroen, would you say that from the enterprise side? Is it similar? I mean, how do you kind of talk through that stalemate that Victoria just mentioned? 

‍

14:12

Yeah, so, the perception is obviously that if the device is completely locked down, okay, then we are safe. But also add these personal phones; we don't want to touch that more than what also exists a lot in, I would say, in enterprises. The change obviously is that you see that there are more capabilities these days. So more adoption as well on the traditional desktop applications: Word, Excel or G Suite or any application that you want to use. They are there and also available in the App Store and you can use them only on those mobile devices. So I do see a shift in enterprise that they see also the advantage because, let's be honest, productivity will happily increase If you get access to those kinds of capabilities, and also to the corporate data, but also expose risk to your organization. And yeah, how I usually also explain mobile defense is that it's a healthy agent that you have installed on your device, but also is bridging the gap between those two worlds. Because working it down, yeah, that will make, let's say, people that don't like that, but complete freedom. Yeah, obviously, that brings a lot of risks to the organization and having some kind of glue and a tool, mobile tech defense, is helping organizations and adopting that.

‍

Hank Schless  15:41

So I mean, like I mentioned, the start seems like there's definitely a place for these management tools. But based on what you guys are saying they're not true security. It sounds like mobile threat defense is the only way to really, truly protect your… do more than check the box these days, I think, with more people working from home where those more traditional security tools aren't really taking care of things. I mean, we've talked about a lot where it's evolving now from work from home to work from anywhere. I mean, what do you guys think the future kind of looks like –– your kind of final advice to an organization that's looking at how to deal with securing people as they are evolving into the future, which will be work from anywhere.

‍

Jeroen Wijdogen

16:26

So what I usually try to explain to organizations’ enterprise IT is usually review a lot of notable Ted discoveries, because still, the perception is MDM, and we've already discussed, okay, what kind of capabilities are in there? What can I do, but still, okay, well, what is the missing piece? And going over those notable discoveries explained to them what the risks are associated with that? And then I steer the conversation more into, do you have visibility? Because once people understand that there are threats out there, and there are gaps in solutions –– because it's a personal device, it's maybe a lockdown device; yeah, there are still gaps also, with COVID-19; productivity is going more… or remote workers –– then I'm talking about visibility. Because all starts with visibility. Because if you don't see it today, yeah, that also has maybe to do with that you have no visibility, and there are tools that can help you with that.

‍

Hank Schless  17:32

Yeah, for sure, Victoria, anything to add?

‍

Victoria  17:35

That MTD solution that we were talking about will normally work hand in hand with your MDM complement and supplement the MAM solution and the MDM solutions that exist. That having all been said, education is a really big thing, because a lot of experts said that. Even I've dealt with ad agencies, and they understand in a lot of cases that security is a thing. They just don't understand what that means for the mobile device.

‍

Hank Schless  18:01

Got it. Guys. It's been great having you both on here. Thank you so much for joining us. It's really getting the perspective between federal enterprise kind of more, U.S. based, Europe based. It's been… This has been a great conversation. And it's really been cool to hear your guys' perspective –– you know, unique perspectives –– on how managing devices is actually pretty different from actually securing them. So I think we'll wrap it up here. Thank you both for taking the time to talk today. Thank you everyone for tuning in. And to learn more about mobile security, you can always check out our blog. It's just blog.lookout.com and we'll see you next time. Thanks, everybody.

‍