Symantec Mobile Threat Defense: Stop Relying on Delayed and Invasive Protection Actions

When it comes to mobile security, it’s time to move beyond visibility and basic protections. SEP Mobile’s real-time and targeted protection actions provide the most effective defense against mobile threats

It’s 10 am on a Monday morning – do you know if your corporate resources are safe from sophisticated mobile threats?

This organization can answer with a firm yes:

Screenshot showing the number and category of threats that SEP Mobile protected against, from the dashboard of a SEP Mobile customer with 20,000 mobile devices.

This organization’s mobile devices, both managed and BYOD, are effectively being protected by proactive, smart protection actions, against the broadest spectrum of mobile threats.

Can you say the same for your organization?

Let’s say your sales director is traveling abroad to meet with a client. Ahead of the meeting, she tries to access Salesforce on her mobile phone. She quickly switches over to the Wi-Fi network at her hotel after realizing her mobile cellular network is slow to load. In a rush to access her information, she connects to what appears to be the official hotel guest network – but it’s actually a malicious spoofed hotspot. The sales director is unaware that the network she’s connected to is controlled by a hacker who can see all her device traffic, including her Salesforce credentials.

The situation can play out in three ways:

  1. If the sales director’s device is not protected by a Mobile Threat Defense (MTD) solution – by “protected” we mean going beyond visibility to actively prevent attacks and secure corporate resources – the corporate data she’s trying to access could end up falling into the hacker’s hands.
  2. If the device is protected by an MTD solution, and the solution’s recommended protection action when detecting a network threat is to disconnect the device from Wi-Fi, the corporate resources remain secure. However, the sales director has no Internet access; she can’t access Salesforce, she can’t access her email, she can’t even access her non-work-related apps. She’s stuck. 
  3. If the MTD solution protecting the device has advanced protection actions, such as automatic VPN tunneling when a network threat is detected, the sales director’s traffic is protected from malicious actors and she can continue accessing her corporate apps without interruption.

Which one would you choose?

Standard Protection Actions Don’t Cut it Anymore

Most enterprises today understand the value of mobile security solutions for protecting corporate data. But not all solutions are created equal, especially when it comes to protection. In MTD, protection actions have often been limited in the face of growing, sophisticated mobile threats. This is in large part due to application sandboxing and other components of mobile operating systems that have constrained what actions can be taken on mobile devices.

MTD vendors have often relied on actions from Mobile Device Managers (MDMs) to protect corporate resources on mobile. These are simply not enough. Remember, MDMs are just that – managers, whose main functionality is not to protect against mobile security threats. Whatever protection actions MDMs do have – such as remotely wiping a device if it is compromised or removing managed corporate apps from non-compliant devices – are often delayed and aggressive, failing to stop various levels of risk in real time while also interfering with employee productivity. These drawbacks make MDM protections less effective for enterprises.

Some MTD vendors offer more proactive actions, such as automatic disconnection from Wi-Fi networks or always-on VPN tunneling which constantly decrypts traffic. Like MDM actions, these can also be intrusive for end users. Disconnecting from Wi-Fi can interfere with device usage and productivity (see scenario #2 in our example above). VPN tunnels can face latency issues, can drain device battery, and need an Internet connection to work. If the tunnel can’t be established, the device remains vulnerable to threats.

Advanced Protection Actions: A Cut Above

In our scenario with the sales director, the most effective option for protecting corporate resources, while allowing the director to continue doing her job, is the third one – using an on-demand VPN tunnel when mobile threats are detected. As mentioned before, however, VPN tunnels are not flawless. In the third option we presented, if the VPN tunnel failed to connect for whatever reason, the director’s device would have remained vulnerable to threats. Wouldn’t it be great if there was another protection action that could kick in to ensure corporate resources stay safe in the absence of a VPN tunnel or Internet connection?

Advanced MTD protection actions are designed to do just that: provide layered protection against mobile threats, so that if one protection action can’t be used (for whatever reason – activation failures, company policy, etc.), another is automatically activated. For example, in Symantec’s MTD solution – Symantec Endpoint Protection Mobile (SEP Mobile) – our customers can choose to block access to predefined sensitive corporate resources when a secure VPN tunnel cannot be established. This “Selective Resource Protection” acts as a safety net, keeping sensitive data from leaving the device in the presence of a mobile threat.
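The layered fallback described above can be sketched as a per-connection decision. This is an added illustration, not SEP Mobile code or configuration; the names `DeviceState`, `decide`, `is_sensitive` and the domain list are hypothetical, and the host matching is done on DNS label boundaries so look-alike names do not slip past or trip the block list.

```python
from dataclasses import dataclass

# Constructed policy values for illustration; not taken from any product.
SENSITIVE_DOMAINS = frozenset({"salesforce.com", "mail.example-corp.test"})


def is_sensitive(host: str, domains=SENSITIVE_DOMAINS) -> bool:
    """Match a host against protected domains on DNS label boundaries."""
    host = host.strip().rstrip(".").lower()
    # Exact match or true subdomain only: "notsalesforce.com" and
    # "salesforce.com.evil.test" must not count as salesforce.com.
    return any(host == d or host.endswith("." + d) for d in domains)


@dataclass
class DeviceState:
    threat_detected: bool   # e.g. spoofed hotspot or TLS interception seen
    vpn_permitted: bool     # company policy and user permission allow a tunnel
    vpn_established: bool   # the tunnel actually came up


def decide(state: DeviceState, host: str) -> str:
    """Return the action for one outbound connection: allow, tunnel or block."""
    if not state.threat_detected:
        return "allow"      # on-demand: nothing is activated without a threat
    if state.vpn_permitted and state.vpn_established:
        return "tunnel"     # layer 1: protect the traffic, user keeps working
    if is_sensitive(host):
        return "block"      # layer 2: safety net when no tunnel is available
    return "allow"          # targeted: non-sensitive traffic is left alone


if __name__ == "__main__":
    # Hotel hotspot scenario: threat detected, tunnel permitted but failed.
    hotel = DeviceState(threat_detected=True, vpn_permitted=True,
                        vpn_established=False)
    for h in ("login.salesforce.com", "news.example.test"):
        print(h, "->", decide(hotel, h))
```
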

On-demand VPN tunneling, blocking access to corporate resources, quarantining risky apps, and several other advanced protection actions are the subject of a new Symantec white paper that highlights what protections organizations can leverage to get the most value from their MTD solution. The paper argues that the most effective form of MTD today includes advanced actions that are:

  • On-device: This allows them to be faster and provides constant protection, even when devices are disconnected from the Internet.
  • Real-time: They can proactively thwart attacks, immediately and automatically when a threat is detected.
  • Smart: They target the exact threat without impacting other resources or processes on a device; and they are activated on-demand (and turned off when not necessary).

As in a castle-and-jail security approach, many advanced protection actions can be used to either isolate (jail) threats on a device so they don’t persist and harm other resources, or to protect (castle) sensitive corporate resources from breaches or leakage. This approach helps organizations achieve a balance between security and productivity needs, something that has been challenging in a mobile security ecosystem that, as mentioned, has been largely confined by mobile OS structures.

Compared to the limited, reactive, and invasive actions utilized by most MTD solutions, advanced protection actions proactively and instantly defend against a broad range of mobile threats, from malicious apps and mobile phishing, to risky networks and MiTM attacks. They can protect corporate data without sacrificing user productivity and privacy, and without requiring an Internet connection. As shown in our example, advanced protection actions can also be layered, enabling organizations to effectively adapt their MTD to their security and privacy policies.

SEP Mobile Protection Actions

Our focus as we’ve developed SEP Mobile has been on creating MTD that is truly effective for enterprise – MTD that provides 1) the highest level of security on iOS and Android, managed and BYO devices, 2) against a broad range of sophisticated threats, 3) without compromising on device usage and user experience. The latter is something that can help organizations increase MTD adoption among employees, so everyone wins. SEP Mobile offers advanced protection actions across all the major threat vectors: risky apps, network connection, network content, and OS. We provide recommended actions for each category, but also enable organizations to configure their protection settings to meet their business needs. We take a look at some of our recommended actions below.

Protection Against Risky Apps

We define risky apps as any apps that impose a risk to the organization – not just malware, but unwanted and vulnerable apps as well.

On Android devices, SEP Mobile can provide multi-layered protection against risky apps. The actions are designed to prevent an app from proceeding at different points of its lifecycle:

  • Upon download, SEP Mobile can automatically analyze an app’s installation files and immediately quarantine them on the device (recall “jailing” threats).
  • Upon installation, if SEP Mobile is set as a device’s default installer, it can analyze apps downloaded from third-party app stores and prevent them from proceeding with installation.
  • After installation, SEP Mobile can automatically terminate the app’s processes, or block communication from that app.

On iOS devices, admins can take a layered approach to protect against risky apps:

  1. SEP Mobile can block an app’s communication with malicious command-and-control (C&C) servers so that it can’t execute malicious commands or steal sensitive information from a device.
  2. SEP Mobile can block access to predefined sensitive corporate resources on a device (Selective Resource Protection).

Following the castle-and-jail approach, we can think of the first layer as putting risky app communications in “jail” (i.e. quarantining them), and the second layer as “castling” corporate resources (i.e. protecting them from exposure to threats).

Below is an example showing how SEP Mobile protects against risky apps. Earlier this year, security researchers identified several iPhone apps linked to Golduck, a traditionally Android-focused malware campaign. Shortly after the iOS-Golduck link was discovered, SEP Mobile detected communication with Golduck’s C&C server from devices in one of our customer environments. Our on-device protection action automatically and immediately blocked the app’s communication with the malicious C&C server, protecting both managed and unmanaged devices in real-time.

Protection Against Network Threats

To protect against network threats such as malicious hotspots, SSL stripping, content manipulation, and others, SEP Mobile can be set to automatically launch a VPN tunnel when a threat is detected. Recalling our example of the sales director, tunneling traffic through a VPN allows the end user to continue using the device and accessing corporate resources, even when there is suspicious activity on the network.

As an additional layer of protection against network threats, just as in our protection against risky apps, organizations can block access to sensitive corporate resources. This is useful, for example, when corporate policies don’t allow VPN tunneling, something that may be a privacy concern, especially on BYO devices. Or, it could be useful when connecting to a network that decrypts traffic, and there is no actual Internet connection so a VPN tunnel cannot be established. This on-device action would then be the most effective and targeted form of protecting sensitive corporate resources.  

Below, SEP Mobile detected a device that was connected to a hotspot trying to decrypt secure traffic, thereby putting the end user’s communications at risk. SEP Mobile’s network protection actions were activated to protect the device and sensitive corporate resources in real time.

The above are a sample of network protection actions, with additional protections available in SEP Mobile. Actions are ever-evolving and more are continuously being added to cover a range of threats.

Protection Against Content Threats

SEP Mobile utilizes web filtering capabilities to block malicious or unwanted content on mobile devices. The protection actions in this category rely on Symantec’s real-time URL reputation engine to analyze content. The engine uses inputs from the Symantec Global Intelligence Network (GIN), the world’s largest civilian threat intelligence database, to deliver fast and highly-accurate website categorization and risk assessment. Protection actions in this category include:

  • Blocking SMS phishing messages: We use URL reputation and machine learning to analyze incoming SMS messages and block them if they are found to contain malicious links.

    An example of an SMS phishing campaign that we detected and blocked is the fake Interac tax refund scam. In 2017, reports emerged that malicious actors were using SMS phishing messages to direct Canadian victims to fake tax refund forms, in an attempt to trick them into entering their personal credentials. Victims who clicked on the link arrived at webpages that mimicked the real Interac user interface, but were in fact scam pages controlled by the fraudsters. SEP Mobile detected Interac phishing messages and effectively blocked them on end user devices.
  • Blocking access to unwanted content: SEP Mobile can block malicious or unwanted content – phishing, illegal, gambling, etc. – directly on a mobile device by using a client-side network content blocker. The blocker leverages a URL reputation engine that inspects links users are attempting to access. If the content violates company policy, SEP Mobile will block it.
  • Redirecting all traffic through a secure web gateway (SWG): This action leverages a cloud-based SWG to analyze malicious links as soon as end users click on them. Traffic passes through a VPN tunnel to the SWG which inspects it and then grants or denies access based on the corporate policy. When traffic is tunneled, SEP Mobile also uses additional security modules such as cloud access security brokers (CASBs) and data loss prevention (DLP) solutions to secure cloud apps and services from data leakage.

Managing Protection Health

To make sure SEP Mobile protection actions are working, our solution provides indicators on the setup of the VPN profile and permissions per device.  If an end user does not accept permissions allowing VPN connections, SEP Mobile protection actions relying on a VPN will not be able to function. Admins have visibility on the protection status and can send notifications to end users to remediate the issue, either on-demand or through the automatic end-user email alert rules. Protection status visibility is in place to allow customers to achieve the most effective MTD protection across thousands of devices in their organization.

Protections are Progressing

Security teams no longer need to settle for rudimentary MTD protections. Technological developments in mobile security have enabled advanced actions that can protect against a range of threats, in real-time, and without interfering with employee productivity and privacy. SEP Mobile provides a diverse set of these advanced protection actions to help organizations get the most value from their MTD. Our protection actions isolate specific threats, while protecting sensitive resources, for layered protection that effectively adapts to enterprise security and privacy policies. Among some of our additional protections are: disconnecting from fake corporate Wi-Fis, automatically disabling malicious VPNs, and blocking communication of installed apps until their analysis is complete. This list is dynamic with new protections being added all the time.

Equipped with advanced protection actions, our customers have been able to successfully protect their data across a broad spectrum of mobile threats including risky apps, suspicious networks, unwanted content and phishing, and OS-based threats and vulnerabilities.

Innovation in protection actions won’t come from any one single source. It is a continuous journey that involves mobile OS vendors, MTD vendors, customers, end users, and even hackers – as threats become more sophisticated, so too will the techniques used to protect against them.

About the Author

Michal Toiba Kokh

Senior Manager, Product Content

Michal is a product content strategist at Symantec Endpoint Protection Mobile. Leveraging her background in journalism, Michal works with the product management team to communicate the value of our mobile security solutions for enterprise.
