Symantec Mobile Threat Defense: Why Deployment Can Make or Break Your Mobile Security ROI

With the sheer number of enterprise security solutions available today, organizations often go through a careful evaluation process to determine which products are best for them. In mobile threat defense (MTD), like in other product categories, security and mobility teams naturally put the most weight on a solution’s hard-core security capabilities. They evaluate detection technology, anti-malware efficacy, protection actions, threat intel, and other features designed to mitigate security risk. Then they may look at features related to operational overhead – deployment, maintenance and support load. We argue that the latter are critical for maintaining an MTD solution’s long-term effectiveness and value.

Beyond security features, deployment and adoption enablers are a critical factor when gauging MTD products. What value can the best security features provide if end users don’t widely adopt or properly run an MTD solution? Along those lines, how can security teams expect high adoption rates if end-users perceive the solution to interfere with their privacy and productivity? Lastly, how can organizations ensure strong adoption across both managed and BYO devices, with the latter posing a greater challenge as mobility and security teams often have little visibility over unmanaged devices?


Over the years, we’ve introduced multiple components in Symantec Endpoint Protection Mobile (SEP Mobile), our MTD solution, to help make our customers’ deployments successful and sustainable over time. These components, as well as deployment best practices, were born out of close collaboration with our customers – actual security practitioners and mobility operations teams across companies of all sizes, industries, and geos – to balance enterprise mobile security and productivity needs. We share some of these key enablers below and look at how they help our customers achieve an optimal return on their MTD investment.

High-level overviews for better actionability

  • Dashboard summary
  • Recommended Actions

Tools for efficient troubleshooting

  • Installation Health tab
  • Device audit log

Customizable settings to fit each company’s policies

  • Deployment options
  • App configurations
  • End-user communication
  • Localization

High-level overviews for better actionability

1. Dashboard “Installation Health” summary

Every device with SEP Mobile has a “health status” that indicates whether the MTD solution is installed and running properly. The SEP Mobile dashboard features a section on Installation Health, summarizing the status of MTD installation across devices in an organization. Admins can easily see how many devices are enrolled in SEP Mobile, including how many were activated per day, the health status of SEP Mobile on enrolled devices, top health issues affecting the environment, and other metrics. This information helps mobility teams understand where users are getting stuck so they can take action to mitigate any obstacles.


Admins can also drill down per device into health status and Mobile Device Management (MDM) status, just as they are able to see risk and compliance status per device. They can see exactly which health issues are affecting a device, enabling more informed actions for remediation.


2. Recommended Actions

Admins can rely on SEP Mobile Recommended Actions to maximize the value of the MTD solution. The Recommended Actions list effectively prioritizes actions in SEP Mobile, so admins don’t necessarily need to be MTD experts to extract the best ROI from the solution.

The list includes recommendations for improving protection, reducing risk, and increasing deployment health. Under the latter, admins can see specific actions associated with the health status of SEP Mobile across their organization. Clicking on an action redirects admins to the appropriate place in the Management Console where they can remediate the issue.


Tools for efficient troubleshooting

1. Installation Health tab

Beyond the health status summary provided in the SEP Mobile dashboard, the Installation Health tab in the Management Console provides full visibility and on-demand remediation of devices with open health issues. This information allows security teams to focus on the specific devices that need to improve their status.

Admins can see SEP Mobile installation status across an organization, as well as the status of enrolled devices based on their MDM and activation status. The latter is broken down into pre-activation and post-activation groups, each of which shows the devices with related open health issues. For example, devices that do not have SEP Mobile installed or have not yet launched the SEP Mobile app appear in the pre-activation group. Devices that do not have protection set up properly or run a deprecated version of the SEP Mobile app appear in the post-activation group.


Admins have the ability to remediate most open issues directly from the details pane for each issue. They can choose to send a push notification or email to all end users who have devices impacted by a specific health warning. For example, users who began installation but abandoned it can be notified to resume installation. Each health warning has a risk rating allowing admins to prioritize remediation by high-risk issues. These actions enable organizations to improve installation health across mobile devices, ensuring the proper functioning of SEP Mobile over time.

2. Device log for troubleshooting

Within the aforementioned device details pane, admins can also see an audit log showing activities occurring on a device. This includes activation events, security events, health status changes and more, enabling troubleshooting and investigation of open issues.


Customizable settings to fit each company’s policies

1. Deployment options

SEP Mobile offers multiple options for the mass rollout of its mobile apps, on both managed and BYO devices.

If deployment is done via an integration with an MDM, an organization can sync specific user/device groups to push the app out to end users gradually, or all at once. The MDM keeps SEP Mobile updated on new devices that require the app and on retired devices that should be removed automatically.

For BYO/unmanaged devices, organizations can rely directly on SEP Mobile for deployment:

  • An email can be sent to end users with simple instructions for installing and activating the SEP Mobile app.
  • Admins can configure self-enroll domains in the Management Console. All end users installing the SEP Mobile app directly from the public app stores, and logging into the app using an email address from one of the configured domains, will automatically be added to the organization’s environment.

Additionally, a “hybrid” mode exists to support both managed and BYO devices in the same environment.


The various deployment options offered by SEP Mobile ensure that “no device gets left behind,” for optimal MTD coverage across the organization.

Whichever deployment options an organization chooses, we recommend rolling out SEP Mobile in waves. Security teams should begin with a few teams in the organization and then extend deployment exponentially. We also recommend the use of SEP Mobile enforcement actions to achieve a high level of adoption with minimum friction. Admins can inform employees ahead of time that from a specific date they will not have access to corporate resources if they do not activate SEP Mobile and comply with the mobile security policy. When using an MDM integration, SEP Mobile can report non-compliance and the MDM can automatically block employees from accessing their corporate email.

2. App configurations

The SEP Mobile app can be configured to have a varying impact on end users’ privacy and productivity, if the organization chooses.

From the Management Console, admins can control most permissions to match the organization’s privacy guidelines. Organizations can choose whether to make specific permissions mandatory or optional, although SEP Mobile recommends requiring all permissions to provide optimal protection against threats. Based on the defined permissions policy, SEP Mobile provides a health warning for devices that don’t have all mandatory permissions granted.


Customers can also decide to have the SEP Mobile app run in “non-interactive” mode on end-user devices. When this option is enabled, all security features will operate as usual and security incidents and forensics will be available in the Management Console, but end users will not have any visible alerts inside the SEP Mobile app. Instead, if end users voluntarily go into the app, they will see a fully-customizable screen with a message that their device is protected. This is valuable in cases where organizations want to mitigate any friction from end users regarding the SEP Mobile app. While most customers value security education and transparency, for some, it may be more important to remove any concerns or anxiety their employees may have when they receive security alerts on their device.


Additionally, organizations can choose to communicate certain messages to employees via a custom information page displayed in the SEP Mobile app. The page provides another opportunity for security teams to be transparent about their intended use of SEP Mobile and assure end-users that their privacy and productivity are not being infringed upon.

SEP Mobile also provides different ways to verify end users who are manually logging into the app. For example, verification can be done by email, by text message, or by using a single verification code.


3. End-user communications

One of the most important enablers for MTD adoption is communication. SEP Mobile provides customizable notifications and emails that organizations can use to facilitate trust among employees in the onboarding process and provide clear instructions for smooth deployment. Admins can customize email templates, including branding, sender and reply-to details. Once they are set up, communications can be automated for streamlined management and actionability. For example, a SEP Mobile installation email containing an “Install SEP Mobile” button can be sent to end users. Clicking the button will automatically trigger the MDM APIs to push the SEP Mobile app to devices. Communications also include clear recommendations to end users so they can self-troubleshoot as much as possible and overcome any obstacles in the deployment process.


Among our customers, we’ve seen that sending an initial awareness message about SEP Mobile deployment helps to ensure that the solution will be properly deployed, while building trust within the organization and mitigating end-user concerns. Here is an example of an awareness message that is sent before deployment begins:


Admins can also set up daily/weekly/monthly email notifications that report on all “unhealthy” devices in the organization. Once notifications are set up, admins will get pushed updates on the status of the installation without needing to manually log in and monitor the status.

4. Localization

Lastly, end users can go through deployment in a language most comfortable for them, thereby increasing adoption. SEP Mobile supports 14 languages (English, Czech, French, German, Italian, Japanese, Korean, Polish, Portuguese, Russian, Simplified Chinese, Spanish, Traditional Chinese, and Turkish) across its iOS and Android apps, end-user notifications, and Management Console.


The language can be set based on the environment or on the device locale. Different languages can be used for different admins and end-users.

Winning hearts and minds for MTD sustainability

Gaining user trust and adoption of MTD is key for sustainable, effective protection against a growing range of mobile threats that affect enterprise today. No matter how powerful an MTD solution’s security capabilities are, incomplete deployment and low adoption rates can still leave organizations vulnerable to attacks. To address MTD adoption challenges, we’ve worked over the years to add deployment enablers to SEP Mobile, and more features are continuously being added as the needs of our customers evolve. The enablers discussed in this article are just a few core examples that have helped our customers achieve sustainable value from SEP Mobile over time. To conclude, mobility teams need robust tools that ensure the successful rollout of an MTD solution across an organization, while also supporting end-user awareness of the value of mobile security.


About the Author

Michal Toiba Kokh

Senior Manager, Product Content

Michal is a product content strategist at Symantec Endpoint Protection Mobile. Leveraging her background in journalism, Michal works with the product management team to communicate the value of our mobile security solutions for enterprise.

Regulating International Trade in Commercial Spyware

Siena Anstis, Ronald J. Deibert, and John Scott-Railton of Citizen Lab published an editorial calling for regulating the international trade in commercial surveillance systems until we can figure out how to curb human rights abuses.

Any regime of rigorous human rights safeguards that would make a meaningful change to this marketplace would require many elements, for instance, compliance with the U.N. Guiding Principles on Business and Human Rights. Corporate tokenism in this space is unacceptable; companies will have to affirmatively choose human rights concerns over growing profits and hiding behind the veneer of national security. Considering the lies that have emerged from within the surveillance industry, self-reported compliance is insufficient; compliance will have to be independently audited and verified and accept robust measures of outside scrutiny.

The purchase of surveillance technology by law enforcement in any state must be transparent and subject to public debate. Further, its use must comply with frameworks setting out the lawful scope of interference with fundamental rights under international human rights law and applicable national laws, such as the “Necessary and Proportionate” principles on the application of human rights to surveillance. Spyware companies like NSO Group have relied on rubber stamp approvals by government agencies whose permission is required to export their technologies abroad. To prevent abuse, export control systems must instead prioritize a reform agenda that focuses on minimizing the negative human rights impacts of surveillance technology and that ensures — with clear and immediate consequences for those who fail — that companies operate in an accountable and transparent environment.

Finally, and critically, states must fulfill their duty to protect individuals against third-party interference with their fundamental rights. With the growth of digital authoritarianism and the alarming consequences that it may hold for the protection of civil liberties around the world, rights-respecting countries need to establish legal regimes that hold companies and states accountable for the deployment of surveillance technology within their borders. Law enforcement and other organizations that seek to protect refugees or other vulnerable persons coming from abroad will also need to take digital threats seriously.

The Risk of Weak Online Banking Passwords

05 Aug 19


If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial aggregation services like Mint, Plaid, Yodlee, YNAB and others to surveil and drain consumer accounts online.

Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.

From there, thieves can take the list of successful logins and feed them into apps that rely on application programming interfaces (APIs) from one of several personal financial data aggregators, which help users track their balances, budgets and spending across multiple banks.

A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

Costello said while some banks have implemented processes which pass through multi-factor authentication (MFA) prompts when consumers wish to link aggregation services, many have not.

“Because we have become something of a known quantity with the banks, we’ve set up turning off MFA with many of them,” Costello said. “Many of them are substituting coming from a Yodlee IP or agent as a factor because banks have historically been relying on our security posture to help them out.”

Such reconnaissance helps lay the groundwork for further attacks: If the thieves are able to access a bank account via an aggregator service or API, they can view the customer’s balance(s) and decide which customers are worthy of further targeting.

This targeting can occur in at least one of two ways. The first involves spear phishing attacks to gain access to that second authentication factor, which can be made much more convincing once the attackers have access to specific details about the customer’s account — such as recent transactions or account numbers (even partial account numbers).

The second is through an unauthorized SIM swap, a form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

But beyond targeting customers for outright account takeovers, the data available via financial aggregators enables a far more insidious type of fraud: The ability to link the target’s bank account(s) to other accounts that the attackers control.

That’s because PayPal, Zelle, and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits. For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.

Alex Holden is founder and chief technology officer of Hold Security, a Milwaukee-based security consultancy. Holden and his team closely monitor the cybercrime forums, and he said the company has seen a number of cybercriminals discussing how the financial aggregators are useful for targeting potential victims.

Holden said it’s not uncommon for thieves in these communities to resell access to bank account balance and transaction information to other crooks who specialize in cashing out such information.

“The price for these details is often very cheap, just a fraction of the monetary value in the account, because they’re not selling ‘final’ access to the account,” Holden said. “If the account is active, hackers then can go to the next stage for 2FA phishing or social engineering, or linking the accounts with another.”

Currently, the major aggregators and/or applications that use those platforms store bank logins and interactively log in to consumer accounts to periodically sync transaction data. But most of the financial aggregator platforms are slowly shifting toward using the OAuth standard for logins, which can give banks a greater ability to enforce their own fraud detection and transaction scoring systems when aggregator systems and apps are initially linked to a bank account.

That’s according to Don Cardinal, managing director of the Financial Data Exchange (FDX), which is seeking to unite the financial industry around a common, interoperable, and royalty-free standard for secure consumer and business access to their financial data.

“This is where we’re going,” Cardinal said. “The way it works today, you the aggregator or app stores the credentials encrypted and presents them to the bank. What we’re moving to is [an account linking process] that interactively loads the bank’s Web site, you login there, and the site gives the aggregator an OAuth token. In that token granting process, all the bank’s fraud controls are then direct to the consumer.”
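The two bank-side policies described above, modelled side by side as an added example (not code from any bank, aggregator, Yodlee or FDX): the legacy policy treats a login from a known aggregator IP as a stand-in for the second factor, so a replayed breached password passes; the hardened flow accepts aggregator reads only with a scoped token that the bank mints after the consumer completes an interactive MFA login. All account names, IPs, passwords and codes are constructed.

```python
"""Legacy "aggregator IP counts as a factor" policy vs. OAuth-style scoped
tokens issued only after an interactive MFA login. Illustrative only; every
identifier, IP address, password and one-time code below is constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

AGGREGATOR_IPS = {"203.0.113.10"}  # constructed aggregator egress address


@dataclass
class Account:
    password: str
    otp: str                          # constructed one-time code for this session
    tokens: Set[str] = field(default_factory=set)


ACCOUNTS = {"alice": Account(password="Summer2019!", otp="482913")}


def _password_ok(user: str, password: str) -> bool:
    acct = ACCOUNTS.get(user)
    return acct is not None and hmac.compare_digest(acct.password, password)


def legacy_login(user: str, password: str, source_ip: str, otp: Optional[str]) -> bool:
    """Weak policy from the article: a request arriving from an aggregator IP
    is treated as if the second factor had been supplied."""
    if not _password_ok(user, password):
        return False
    if source_ip in AGGREGATOR_IPS:
        return True                   # MFA effectively switched off for aggregators
    return otp == ACCOUNTS[user].otp


def interactive_login_issue_token(user: str, password: str, otp: str) -> Optional[str]:
    """Hardened flow: the consumer logs in at the bank, passes MFA (and any
    fraud controls the bank runs here), and only then is a scoped, read-only
    token minted for the aggregator. The aggregator never holds the password."""
    if not _password_ok(user, password) or otp != ACCOUNTS[user].otp:
        return None
    token = secrets.token_urlsafe(24)
    ACCOUNTS[user].tokens.add(token)
    return token


def aggregator_fetch_balance(user: str, token: str, source_ip: str) -> bool:
    """Aggregator access succeeds only with a valid token; the source IP is
    still checked as an allowlist, but is no longer an authentication factor."""
    acct = ACCOUNTS.get(user)
    return (acct is not None and source_ip in AGGREGATOR_IPS
            and any(hmac.compare_digest(t, token) for t in acct.tokens))


def replayed_password_under_legacy_policy() -> bool:
    """The scenario the article warns about: a breached password presented via
    the aggregator path is accepted without the OTP ever being shown."""
    return legacy_login("alice", "Summer2019!", "203.0.113.10", otp=None)


def replayed_password_under_hardened_policy() -> bool:
    """Same replay against the hardened flow: no token exists because no
    interactive MFA login happened, so the read is refused."""
    return aggregator_fetch_balance("alice", "Summer2019!", "203.0.113.10")
```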

Alissa Knight, a senior analyst with the Aite Group, a financial and technology analyst firm, said such attacks highlight the need to get rid of passwords altogether. But until such time, she said, more consumers should take full advantage of the strongest multi-factor authentication option offered by their bank(s), and consider using a password manager, which helps users pick and remember strong and unique passwords for each Web site.

“This is just more empirical data around the fact that passwords just need to go away,” Knight said. “For now, all the standard precautions we’ve been giving consumers for years still stand: Pick strong passwords, avoid re-using passwords, and get a password manager.”

Some of the most popular password managers include 1Password, Dashlane, LastPass and Keepass. Wired.com recently published a worthwhile writeup which breaks down each of these based on price, features and usability.
