How Do You Support Splinternet Security On Mobile Devices?

Mobile authentication is nothing new. SiteMinder, a prominent web access management tool, has been able to handle mobile browsers and sessions for at least 7-8 years. Some users complained of WAP and its limitations, but most could access information and log in to websites with minimal issues.

WAP is gone, replaced by a multitude of devices: tablets, PDAs, smartphones, etc. With the proliferation of the Splinternet, we are witnessing not only a boom in content but also the need to limit access to sensitive applications and data, not only from the device but also on the device. Authentication, authorization, and data-protection challenges multiply as companies embrace post-PC devices such as tablets.

What do we see people asking about? From the enterprise security perspective, the biggest challenges seem to be protecting the data on the device, performing a remote wipe on a lost or stolen piece of equipment, and making sure corporate information is clearly separated from any private data. Writing mobile applications, or designing mobile-capable yet still rich, interactive web pages, is no easy task either. Companies also wonder how to deliver and (de)provision applications quickly and securely.

What do we see companies do? Sandboxing corporate data and mandating the use of remotely wipeable devices is the first step. Storing certificates on the device and using transaction-signature mobile authenticators, which defend against stolen or compromised text messages carrying one-time passwords, is a logical follow-on.
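Why a transaction-signature authenticator resists a stolen one-time-password text message, as an added illustration (this is example code written for this page, not a Forrester or vendor implementation): the code the user enters is an HMAC over the transaction details they approved, so a code captured for one transaction does not verify for an altered one, whereas a plain SMS OTP carries no binding to the transaction at all. The seed, the field layout, the counter and the HOTP-style truncation to 8 digits are constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed example seed; real authenticators hold a per-device secret
# provisioned at enrollment, never a fixed value like this.
DEMO_SEED = bytes(range(32))


def canonical_transaction(transaction: dict) -> bytes:
    """Fixed-order encoding of the fields the user is asked to approve."""
    return "|".join(
        [transaction["payee"], transaction["amount"], transaction["currency"]]
    ).encode("utf-8")


def transaction_code(seed: bytes, transaction: dict, counter: int) -> str:
    """8-digit code bound to a counter AND the transaction content.

    HMAC-SHA256 over counter || transaction with HOTP-style dynamic truncation.
    This layout is an assumption for illustration, not a specific vendor's scheme.
    """
    message = counter.to_bytes(8, "big") + canonical_transaction(transaction)
    digest = hmac.new(seed, message, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def verify_transaction_code(seed: bytes, transaction: dict, counter: int, presented: str) -> bool:
    """Server side: recompute from the transaction the server is about to execute."""
    expected = transaction_code(seed, transaction, counter)
    return hmac.compare_digest(expected, presented)


def verify_sms_otp(issued: str, presented: str, transaction: dict) -> bool:
    """Plain SMS OTP: the transaction argument is ignored because the code
    carries no information about what is being approved."""
    return hmac.compare_digest(issued, presented)


def demo() -> dict:
    original = {"payee": "ACME Supplies Ltd", "amount": "1250.00", "currency": "USD"}
    altered = dict(original, payee="Different Payee")  # constructed modification
    counter = 7

    # Transaction-signing authenticator: derived on the device from the
    # details the user saw and approved.
    code = transaction_code(DEMO_SEED, original, counter)

    # Plain SMS OTP for comparison; constructed value standing in for a
    # server-generated code delivered over SMS.
    sms_otp = "482913"

    return {
        # Correct transaction, correct counter: accepted.
        "tx_code_valid_for_original": verify_transaction_code(DEMO_SEED, original, counter, code),
        # Same code presented against a modified transaction: rejected.
        "tx_code_valid_for_altered": verify_transaction_code(DEMO_SEED, altered, counter, code),
        # Same code presented again for the next counter value: rejected.
        "tx_code_valid_for_replay": verify_transaction_code(DEMO_SEED, original, counter + 1, code),
        # An intercepted SMS OTP still verifies no matter what the transaction says.
        "sms_otp_valid_for_altered": verify_sms_otp(sms_otp, sms_otp, altered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the server recomputes the code from the transaction it will actually execute, so an intercepted code is only ever useful for the exact transaction the user already approved; with SMS OTP the server has nothing to recompute against.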

We expect the Splinternet to embrace mobile virtualization. Running VMware with multiple guest operating systems is a good candidate for solving this. We are trying to lead the way at Forrester and help companies with data protection and Splinternet access from these devices.

Let us know about your thoughts, trials, and tribulations in this area.


Unfortunately, mobile device

Unfortunately, mobile device hackers are developing attack patterns faster than the current security solutions can detect. Most existing solutions simply look for “signature-based” threats that search for known malicious patterns. This approach, while sufficient in some cases, is ultimately inadequate for two key reasons: 1.) Attackers are quickly evolving their methods to evade signature-based detection and 2.) Signature-based detection often flags as threats benign activities, generating a stream of false positives that only exacerbates the needle-in-the-haystack problem inherent in mobile device security.

Instead of relying on known patterns, security solutions must evolve to detect changes in user behavior. Behavior-based detection looks beyond “who” the user is to also include “what” that user is doing and “when” (in which context). Such a security solution can be achieved through Operational Intelligence.

What's next for Operational Intelligence on mobile devices?

I agree that behavioral pattern recognition formulating your responses to deal with dangerous patterns is the most effective approach here. Can you share some of your experiences on how you do this well?

We would recommend

We would recommend accomplishing this using a combination of capabilities and techniques. The exact approach would depend on the specific use case, of course.

Layered filters and dynamic rules: one approach we have seen work is to use an initial layer of filter rules that check against an ever-evolving, or dynamic, watch list of known criteria. This of course fits into the signature-based pattern detection, but is just the starting place. On top of this filter layer we add dynamism to the watch list and the rules in the following ways.

First, we update and modify the watch list based on learned patterns. For example, let's say we create a filter rule that catches any device IDs that are sending SMSes in a volume or frequency outside some absolute limit, or outside a moving average based on a finer segmentation arrived at through data enrichment. In other words, we are keying on device behavior outside the norm. Once these IDs are flagged as potentially compromised they are added to the watch list for a configurable amount of time. Now the filter rules are explicitly looking for all activity from these identified devices.

Simultaneously, through a policy, we expand the net by pushing a new rule into the system that specifies the capture of the IDs of any other devices that are pinged outside some “normal” limit by those IDs in the watch list, the rationale being that these devices may now be affected.

We are following a dynamic line of inquiry that can be described as filtering (to separate the signal from the noise), learning (based on the results of those filters), expanding our domain of inquiry (via the dynamic watch lists), and adjusting our inquiries (by dynamically adding or adjusting rules based on the learning). In this way, we can keep up with the evolving threat.

I hope that answers your question.

For more information, you can always refer to our online help desk at:
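The layered filter and dynamic watch-list approach described in the comment above, as an added worked example (this is example code written for this page, not the commenter's or any product's implementation). Layer 1 is the static filter: a device sending more SMS than an absolute limit within a sliding window is flagged and placed on the watch list with a configurable time-to-live. Layer 2 is the dynamic rule: every event from a watched device is captured, and any device pinged by watched devices beyond a "normal" limit is recorded as possibly affected. The thresholds, device IDs and event log are constructed for the example; the comment's moving-average variant is noted but not implemented.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed thresholds. A production deployment would derive these per
# segment (for example a moving average per device class), as the comment
# above describes; the absolute-limit form is used here for clarity.
SMS_LIMIT = 5      # more than this many SMS within WINDOW seconds is "outside the norm"
WINDOW = 60        # seconds
WATCH_TTL = 300    # seconds a flagged device stays on the dynamic watch list
PING_LIMIT = 2     # more than this many pings from watched devices marks a target as affected


@dataclass
class Event:
    ts: int        # seconds since the start of the constructed log
    device: str    # acting device ID
    action: str    # "sms" or "ping"
    target: str    # number or device ID the action was directed at


class WatchListDetector:
    """Layer 1: static volume filter. Layer 2: dynamic watch-list rules."""

    def __init__(self):
        self.sms_times = defaultdict(deque)   # device -> SMS timestamps inside WINDOW
        self.watch = {}                       # device -> watch-list expiry timestamp
        self.ping_counts = defaultdict(int)   # target -> pings received from watched devices
        self.affected = set()                 # targets pulled into the expanded inquiry
        self.alerts = []                      # (ts, rule, device)
        self.captured = []                    # every event from a watched device

    def _expire(self, now: int) -> None:
        # Watch-list entries age off after their configurable TTL.
        for dev, expiry in list(self.watch.items()):
            if expiry <= now:
                del self.watch[dev]

    def process(self, ev: Event) -> None:
        self._expire(ev.ts)

        # Layer 1: sliding-window SMS volume per device.
        if ev.action == "sms":
            recent = self.sms_times[ev.device]
            recent.append(ev.ts)
            while recent and recent[0] <= ev.ts - WINDOW:
                recent.popleft()
            if len(recent) > SMS_LIMIT and ev.device not in self.watch:
                # Learned pattern: add to the dynamic watch list for WATCH_TTL seconds.
                self.watch[ev.device] = ev.ts + WATCH_TTL
                self.alerts.append((ev.ts, "sms_volume", ev.device))

        # Layer 2: once watched, all activity is captured, and the net expands
        # to the devices the watched device pings beyond the normal limit.
        if ev.device in self.watch:
            self.captured.append(ev)
            if ev.action == "ping":
                self.ping_counts[ev.target] += 1
                if self.ping_counts[ev.target] > PING_LIMIT and ev.target not in self.affected:
                    self.affected.add(ev.target)
                    self.alerts.append((ev.ts, "possibly_affected", ev.target))


def run_detection(events) -> dict:
    det = WatchListDetector()
    for ev in sorted(events, key=lambda e: e.ts):
        det.process(ev)
    return {
        "flagged": sorted(d for _, rule, d in det.alerts if rule == "sms_volume"),
        "affected": sorted(det.affected),
        "still_watched": sorted(det.watch),
        "captured": len(det.captured),
    }


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = (
    [Event(t, "dev-A", "sms", f"+1555000{i}") for i, t in enumerate(range(0, 60, 10))]  # 6 SMS in 50 s
    + [Event(55, "dev-A", "ping", "dev-B"),
       Event(56, "dev-A", "ping", "dev-B"),
       Event(57, "dev-A", "ping", "dev-B"),       # third ping: dev-B marked possibly affected
       Event(60, "dev-C", "sms", "+15550100"),
       Event(61, "dev-C", "sms", "+15550101"),    # two SMS: within the norm, not flagged
       Event(70, "dev-A", "ping", "dev-D"),       # one ping: dev-D stays below PING_LIMIT
       Event(400, "dev-A", "sms", "+15550200")]   # after WATCH_TTL: dev-A has aged off the list
)

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))
```

On the constructed log, dev-A is flagged on its sixth SMS, its subsequent pings are captured, dev-B is recorded as possibly affected after the third ping, and the late SMS at t=400 arrives after dev-A's watch-list entry has expired, so it is evaluated against the static filter alone. Dropping that last event leaves dev-A on the watch list, which is the TTL behaviour the comment describes.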