How to build an effective incident response plan

Get this free guide on how to respond to mobile security breaches — or thwart them altogether.

Download Now
Security Threats

Enhancing mobile endpoint security with Zimperium and Samsung Knox

IT managers on the fence about antimalware for mobile devices have good reason to be skeptical. On desktops, traditional antimalware solutions designed around signature identification have failed to keep attackers at bay, which is why new technologies, such as sandboxing, are now becoming mainstream for desktop antimalware. But the same worry applies to mobile devices: If signatures aren’t such a hot way to catch malware on desktops, why would that be any different for mobile?

Well, it’s not. In the fight against malware, phishing and every other software evil, endpoint security vendors are upping their game to meet current threats with new technologies. In their approach to deflecting mobile attacks, Zimperium breaks the problem down into four different areas of protection: Device, Network, Application and Phishing.

Mitigation with sophistication

The key to Zimperium’s approach is that it’s not a “go/no-go” answer like you’d find in traditional, signature-based malware detection. Instead, they identify risks and issues, and these can then be used to trigger a variety of different mitigations. Not just “delete or block the app,” but much more sophisticated responses, such as “quarantine the device” or “restrict conditional access.” The difference here is not just the technology but that it caters to the enterprise IT manager who needs a more nuanced answer to mobile threat detection.

How to build an effective incident response plan

icon of a documentWhite Paper

Get this free guide on how to respond to mobile security breaches — or thwart them altogether. Download Now

Let’s walk through an example. In device protection, Zimperium’s software looks at the device’s operating system (OS) and configuration and then evaluates the risks that the device poses. Say a device isn’t running the latest Android OS. That represents a certain risk, and an IT manager can respond to that risk based on their own policy. But it’s not just a question of whether the device is “up-to-date.” Devices can be a little or a lot out-of-date, which represent different risk levels. The Zimperium model lets an IT manager look at how out-of-date a device is and mitigate that risk depending on how high the risk is in their environment.

Here’s another example of threat detection that doesn’t involve signatures. Zimperium’s Network protection watches traffic heading in and out of a mobile device. This is a lot more important for mobile than it is for desktops, because mobile devices aggressively connect to whatever wireless networks they can find. If the network protections detect a Secure Sockets Layer (SSL) attack, such as an attempt to decrypt and observe traffic from the device, they can easily stop it, and the further risk of a compromised network can be mitigated in other ways, such as by disconnecting from that Wi-Fi network, triggering a VPN or restricting specific traffic.

Manage risk without aggravation

Having a different strategy, both in detection and mitigation, is what makes this an interesting approach. On mobile devices, detecting malware or attacks can’t be a function of heavyweight signature databases or even online lookups for every image. These devices are fast, but they’re not that fast, and their network connections can be expensive, with high error rates and high latencies. Mitigations in the smartphone and tablet world also have to be more nuanced, especially because these devices are mobile. When the user is on the road or at a customer site doing a demo, there isn’t a help desk team ready to rush over and reimage the device. Enterprise IT managers want to manage risk, not upset and aggravate their end users.

Zimperium’s approach to mobile security depends on machine learning algorithms and behavior classifiers. These small, lightweight tools run on the device itself and gather information about its activity. Zimperium provides a proprietary model that constantly evaluates the mobile device to classify risks and deliver probability estimates on whether a piece of software is malware, whether the device is under attack, or whether a certain link is a phishing scam or legitimate.

These ideas of level of risk and probability of malware are why this technology is an enterprise-class product, not something you’ll see in consumer or small-business environments. Consumers just want to know if their smartphone is infected, and the most common mitigation is to wipe the device. Second most common? Ignore the problem and hope it will go away. Enterprise IT managers want to handle threats more subtly, with more sophistication, catching threats earlier before they turn into serious problems. They also want to have the forensics available to thoroughly investigate an attack.

Synergy with Knox Platform for Enterprise

Zimperium is also leveraging Samsung’s Knox Platform for Enterprise (KPE). When an enterprise IT manager has Zimperium and Samsung products working together, they have security capabilities not found with other mobile platforms. As a starting point, KPE strengthens Zimperium’s threat detection capabilities by providing more visibility into device activity than you’d get with a generic Android build.

Some of the capabilities that KPE brings to the table help provide parity with the latest generation of desktop threat mitigation tools. For example, when something bad happens on a desktop and the IT manager wants to perform forensic analysis, it’s a given that the device state can be captured and analyzed: What processes are running? What network connections are up, and where are they going? In mobile devices, that’s simply not available — unless you’ve got a device with KPE. In that case, Zimperium can deliver much the same forensics you’re used to getting from Windows endpoint security. This is a huge benefit to security and incident response teams.

KPE also offers a broader set of security controls and remediations that aren’t present in the standard Android APIs. For example, if Zimperium’s threat detection tools decide that an application or process presents a high risk, the IT manager gets a broader set of security policy choices than they do with standard Android. They can forcibly uninstall an application, or they can isolate an application by disconnecting its network connections to block data leakage or blocking its access to the clipboard to preserve data loss prevention (DLP).

With KPE, endpoint security providers like Zimperium have more tools to deliver the advanced capabilities that enterprise IT managers need to handle the most sophisticated security problems.

Learn more about thwarting mobile security cyberattacks and responding to them in our free guide Building a Cyber Incident Response Plan. And discover five ways Samsung is tackling mobile security with Knox.

Posts By

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

View more posts by Joel Snyder