Look Who’s MeriTalking: Bob Stevens on Mobile Security Risks

By: MeriTalk Staff

Blogs

May 23, 2017 | 4:00 am

MeriTalk recently spoke with Bob Stevens, vice president of Federal systems for Lookout, about the unique mobile security risks facing the Federal government, where agencies are making progress, where they need to improve, and what they can do to get started. Lookout takes a mobile-first approach to security, creating mobile-first, cloud-first products for IT administrators, CISOs, and individuals.

MeriTalk: Why do mobile devices present unique security risks and challenges for the Federal government?

Bob Stevens: Mobile devices are designed for consumer use, not Federal agency use. The government has to put a lot of checks and balances in place to ensure security, but many features aren’t available out of the box. Further, the Federal government needs visibility into what exists within its mobile ecosystem. To do this, agencies need encryption, device-specific ID management, and a mobile threat protection solution for continuous monitoring of mobile applications, the device, and network to provide near real-time threat detection.

It’s also important to consider that, when it comes to the Federal government, hackers and other malicious entities targeting intelligence agencies have very different motives and processes than those targeting consumer agencies. And, the wide range of mobile risks is especially concerning for agencies due to the critical data being accessed across their networks.

At the end of the day, Federal employees are individuals, too. Just like you and me, most Federal employees interact with friends and family on social media and stay connected to the world via a mobile device. While Federal data may not be housed on a personal mobile device, an infected device could give hackers the entryway they need to access our nation’s critical data across Federal networks.

MeriTalk: Where have agencies made the most progress?

BS: In a 2015 survey, Lookout found that 40 percent of Federal employees said that rules prohibiting personal smartphone use had little to no impact on their behavior. Before 2016, mobile wasn’t even a thought for DHS top priorities, and now it’s in the top three for the department.

Rapid adoption and innovation in mobile technology has forced Federal agencies to recognize that the shift toward mobility has a direct and immediate impact on their organizations, and that mobile security should be a priority.

Each of the steps being taken to address mobile security is a sign of progress for the Federal government. Just last week, President Trump issued his executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which among several provisions calls for agencies to adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Furthermore, the Department of Homeland Security (DHS) Science and Technology Directorate recently released a study on Mobile Device Security. The report outlined the risks mobile devices pose to the security of the government.

One Federal entity that is leading the charge when it comes to mobile security is the U.S. House of Representatives. CISO John Ramsey is forward looking, understands the threat of the mobile ecosystem, and is taking action. The U.S. House of Representatives, for example, is focused on deploying real-time diagnostics on devices themselves.

MeriTalk: What strategies and tactics do you advise to help agencies evolve beyond simple mobile device management?

BS: Agencies need clear visibility into the mobile ecosystem. They need to know every device that is connecting to the network and know the apps on those devices. They also need predictive analytics on the devices themselves.

For true mobile protection, mobile device management (MDM) is critical, but not all encompassing. Many agencies believe their MDM solution will protect them from malicious applications. However, because users can “sideload” apps onto their phone, we consistently see malicious applications appear on our enterprise customers’ devices.

To truly protect against the wide array of mobile threats, agencies need a large portfolio of mobile defense software. Mobile application management (MAM) solutions, for example, give Federal agencies an added layer of security for devices that are Federally managed.

MeriTalk: What best practices can you offer for continuously monitoring for threats and providing enterprisewide visibility into threat intelligence?

BS: While many of the same components of risk that affect PCs also apply to mobile endpoints, mobility has introduced a new generation of risk. Simply extending current PC security controls to your mobile fleet is not a viable option. Enterprise risk management needs to evolve to address mobile risks, and security professionals must architect mobile-specific security.

When it comes to threat intelligence, it is critical that agencies have insight into both external and internal risks. Lookout developed a unique program for mobile threat intelligence. The success of Lookout’s personal and enterprise endpoint products has given Lookout visibility into over 100M mobile devices worldwide. Every month millions of devices in over 150 countries send security telemetry to the Lookout Security Cloud, ensuring that Lookout can track evolving threat actors and continue to lead the industry in novel threat discoveries such as the Pegasus spyware.

In terms of providing enterprisewide visibility into threat intelligence, most organizations find that they have very limited visibility into most mobile risks. This is because many CISOs and security teams fail to get visibility into employee behaviors and device configurations, which is the first step to enabling mobile security. Agencies and organizations that are able to gain visibility into the entire spectrum of mobile risks facing their infrastructures will be able to foster an environment that enables the safe and efficient use of mobile technology.

Another best practice when it comes to providing enterprisewide visibility is enterprise management mobility (EMM). Specifically for internal mobile security risks, EMM addresses the vulnerabilities associated with personal devices. Simply put, EMM solutions have the ability to grant and revoke access to employee devices. When used together, threat protection and EMM solutions provide the necessary defense tools needed for managing risks inside and outside of the agency.

MeriTalk: How do machine learning and contextual analytics increasingly factor into the ability to protect devices from malicious applications? Where and how is Lookout delivering innovation on this front?

BS: Mobile security is a constant, fast-moving battle between the good guys and the bad guys. New threats appear all the time and enterprises need to be able to cover them all.

Modern threat management is all about data. It’s a big data problem. The bigger the data set, the more effective a solution is at identifying and protecting against threats.

Lookout has the biggest data set in mobile security as a result of our consumer user base, which is generated from a network of over 100 million devices. Those devices acquire 90,000 apps every day, contributing to a corpus of over 40 million apps, and enabling Lookout to auto-convict over 5,000 new pieces of malware each day. Our teams leverage machine learning to be able to quickly dive into our massive data set and pinpoint potential attacks, malicious applications, and risks at scale.

MeriTalk: What is the CISO’s role in the evolving digital ecosystem and the IoT?

BS: We understand that the CISO’s job is not an easy one. From the outside looking in, the CISO’s role appears to be a very strategic juggling act. With the recent explosion in mobile technology, another ball has been thrown into the mix.

In terms of evolving the digital ecosystem and IoT, the CISO should question the security protocols currently in use. By continuously taking a step back to understand the interconnectivity of attacks, the CISO can push for new approaches to security solutions. By providing security teams with a holistic sense of what they’re facing, they can develop improved strategies for securing the digital ecosystem and IoT.

MeriTalk: What emerging threats and dangers should CIOs and CISOs be paying attention to today to avoid larger issues down the road?

BS: How quickly network infrastructure is changing and will continue to change, for one. Mobile devices—smartphones and tablets—have completely changed the security assumptions that have been baked into most enterprise networks. Instead of all of your data being inside the firewall on tightly controlled servers and PCs, it’s now distributed between cloud services and mobile devices that don’t typically have the same security controls as their on-premise counterparts.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.

Archives