Last month we wrote about how Extended Detection and Response (XDR) reduces detection and response time and increases security. Now we want to dive a little deeper into XDR and show how enterprise mobile devices can be better protected. Mobile devices are a growing threat to most businesses and need no less protection than any other endpoint. And XDR is an excellent solution to the types of attacks that mobile devices are increasingly vulnerable to.
Mobile devices used to be undervalued in many security ecosystems. You could set up email preferences, set passwords, and manage WiFi configuration to prevent man-in-the-middle attacks. All of these are still valid elements of mobile security.
Now, however, there is much more to consider. Mobile usage is changing – and security needs to adapt. Most notably, both the type and scope of mobile usage have expanded dramatically. Mobile devices now account for nearly 55 percent of all deployed devices. Smartphones are mini-computers, and users naturally want to use them for their work. As more and more people work remotely, this trend will only intensify.
When we talk about “mobile devices” we usually mean smartphones. But we also mean all other devices on which or iOS is running, e.g. tablets. And while Chromebooks are generally quite well protected, they too need protection against phishing and web-based threats, as well as against the installation of unwanted, potentially unsafe extensions.
Even as the mobile device gradually supplants, or at least complements, the desktop for work and web browsing, users will likely still treat it as personal property. Regardless of whether the company has a “bring your own device” policy, a device feels different when you have it in your pocket all the time.
For example, a user might have less security awareness when holding their smartphone than when sitting at a desktop. Browsing behavior is likely different, and the immediacy of notifications – coupled with a smaller screen size – may make users more likely to fall for phishing.
Sophisticated threats require a new, multifaceted approach
And here’s the problem: While many cybersecurity systems have not kept pace with the growing role of mobile communications in everyday work, hackers have certainly recognized that mobile devices are often the weak link in an organization. Hence, they use increasingly sophisticated attacks to target users through their mobile devices. This can take the form of cross-device social engineering, e.g. a text message that makes a phishing email on the desktop appear more legitimate.
We have also observed attacks exploiting the confusion surrounding the COVID-19 pandemic by tricking users into downloading a fake contact tracing app outside of the Play Store. Once installed, the app accesses sensitive information such as received messages and, in some cases, the smartphone’s location and camera.
A good Unified Endpoint Management (UEM) solution can help keep mobile devices up to date and secure. Depending on the operating system and whether the device is company-managed or employee-owned, business data can be separated, policies can be set, applications can be checked for malicious behavior, and threats can be intercepted.
There are also things that a standalone management solution cannot do. While it can monitor the health of a mobile device, it doesn’t provide context for the entire organization. It can tell what the user has been doing, but not if they have switched to working on their desktop. And it can show what the current situation is, but not what happened two weeks ago.
To achieve this, data from mobile devices must be collected and stored along with other cybersecurity controls. And this is where XDR comes in.
Improved visibility, context and history
With XDR, companies get a complete picture. Sensors on the device send telemetry data to a secured data store in the cloud, where it is collected along with information from other mobile devices and other XDR-enabled cybersecurity solutions.
In this way, suspicious activities can be uncovered and investigated across the company. The data lake allows you to understand the full context as it contains the events from mobile devices, classic endpoints, servers, firewalls, email and cloud security solutions. It provides a complete picture and the ability to go back in time to see the history of suspicious activity. These features align well with the challenges posed by mobile device security.
Better overview of the vulnerabilities and the condition of the devices
When it comes to mobile devices, cybersecurity and device management are inextricably linked – so it’s important that the data lake can be searched at will. For example, Sophos Mobile XDR can show all devices running outdated operating systems, devices on which a or a root change has occurred, or devices that lack the RAM for an update. You can also search for sideloaded apps, as in the COVID tracking example.
The exact type of information stored in the XDR data lake may vary depending on the device operating system and whether the device is corporate-owned or personal BYOD. And since privacy is a critical part of any data collection, we have a strict focus on collecting only the data that is relevant to cybersecurity.
Better protection for your mobile devices with Sophos Mobile XDR
It is clear that mobile devices can no longer be treated as outliers; they are a central part of working life and must be included in the holistic cybersecurity approach.
At Sophos, we know this way of working is here to stay. Our vision for the future is to protect devices no matter where they are or how they access corporate resources. The addition of mobile devices to the XDR family is an important step on this journey.
Visit the Sophos website for more details about Sophos Mobile and a 30-day trial. Existing Sophos Central users can activate Sophos Mobile directly in their management console for one month free of charge.
More context to understand potential threats
Since the data lake also contains signals from other parts of the security ecosystem, it is very easy to determine what else the user was doing at the time, e.g. their desktop activity or the traffic on the firewall.
Examine historical telemetry data
Suppose a new threat is discovered in which compromised devices communicate with a specific domain. Or a supposedly legitimate app turns out to be malicious, is removed from the Play Store and is deleted from the devices by its authors. With live information alone, there would be no way to look for either of these after the fact. The historical data in the data lake can be used to determine whether devices have communicated with the domain or whether the app was ever installed.
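To make the two kinds of search described above concrete (the device-health queries from the “vulnerabilities and condition of the devices” section and the historical hunt for a domain or a since-removed app from this section), here is an added example that is not part of the original post and not Sophos code. It loads a small set of constructed mobile telemetry into an in-memory SQLite database standing in for the data lake; the table schema, device names, package name and domain are all invented for illustration, and the minimum OS versions and RAM threshold are hypothetical policy values. The point it demonstrates is that retained events let you answer “who ever talked to this domain?” and “who ever installed this app?” even after the app is gone from the device, which a live-state-only view cannot do.

```python
import sqlite3

# Constructed sample telemetry for this example. The schema and every value are
# invented; this is not the Sophos XDR data lake schema.
DEVICES = [
    # device_id, os_name, os_version, rooted (0/1), free_ram_mb, ownership
    ("phone-01", "Android", "11", 0, 2048, "corporate"),
    ("phone-02", "Android", "9", 1, 512, "byod"),
    ("tablet-03", "iOS", "14.8", 0, 3072, "corporate"),
    ("phone-04", "Android", "12", 0, 1024, "byod"),
]
EVENTS = [
    # device_id, ts (ISO 8601, UTC), event_type, value, source
    ("phone-01", "2022-03-01T09:12:00", "dns", "update.example.com", None),
    ("phone-02", "2022-02-18T08:00:00", "app_install", "com.example.fakecovidtracer", "sideload"),
    ("phone-02", "2022-02-20T22:41:00", "dns", "c2.bad.example", None),
    ("phone-04", "2022-03-02T13:05:00", "app_install", "com.example.fakecovidtracer", "playstore"),
    ("phone-04", "2022-03-03T01:15:00", "dns", "c2.bad.example", None),
    # The app was later removed from phone-04; a live view would no longer show it.
    ("phone-04", "2022-03-05T10:00:00", "app_remove", "com.example.fakecovidtracer", None),
    ("tablet-03", "2022-03-04T11:00:00", "app_install", "com.vendor.mail", "appstore"),
]

# Hypothetical policy thresholds; adjust to your own baseline.
MIN_OS_VERSION = {"Android": (10,), "iOS": (15, 0)}
MIN_FREE_RAM_MB = 1024


def build_lake():
    """Load the constructed telemetry into an in-memory SQLite 'data lake'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (device_id TEXT PRIMARY KEY, os_name TEXT, os_version TEXT, "
        "rooted INTEGER, free_ram_mb INTEGER, ownership TEXT)"
    )
    conn.execute(
        "CREATE TABLE events (device_id TEXT, ts TEXT, event_type TEXT, value TEXT, source TEXT)"
    )
    conn.executemany("INSERT INTO devices VALUES (?,?,?,?,?,?)", DEVICES)
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?)", EVENTS)
    conn.commit()
    return conn


def devices_contacting(conn, domain, since, until):
    """Historical hunt: which devices resolved `domain` between `since` and `until`?
    Returns (device_id, ts) pairs ordered by time."""
    rows = conn.execute(
        "SELECT device_id, ts FROM events "
        "WHERE event_type = 'dns' AND value = ? AND ts BETWEEN ? AND ? ORDER BY ts",
        (domain, since, until),
    )
    return [tuple(r) for r in rows]


def devices_with_app(conn, package):
    """Every device that ever installed `package`, with install time and source.
    Devices where the app was since removed are still returned."""
    rows = conn.execute(
        "SELECT device_id, ts, source FROM events "
        "WHERE event_type = 'app_install' AND value = ? ORDER BY ts",
        (package,),
    )
    return [tuple(r) for r in rows]


def sideloaded_apps(conn):
    """All apps installed from outside an official store."""
    rows = conn.execute(
        "SELECT device_id, value FROM events "
        "WHERE event_type = 'app_install' AND source = 'sideload' ORDER BY device_id, value"
    )
    return [tuple(r) for r in rows]


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def vulnerable_devices(conn):
    """Device-health hunt: outdated OS, rooted device, or too little RAM for an update.
    Returns (device_id, [reasons]) for every device with at least one finding."""
    findings = []
    query = "SELECT device_id, os_name, os_version, rooted, free_ram_mb FROM devices ORDER BY device_id"
    for device_id, os_name, os_version, rooted, free_ram_mb in conn.execute(query):
        reasons = []
        if _version_tuple(os_version) < MIN_OS_VERSION.get(os_name, (0,)):
            reasons.append("outdated_os")
        if rooted:
            reasons.append("rooted")
        if free_ram_mb < MIN_FREE_RAM_MB:
            reasons.append("low_ram")
        if reasons:
            findings.append((device_id, reasons))
    return findings


if __name__ == "__main__":
    lake = build_lake()
    print("contacted c2.bad.example:", devices_contacting(lake, "c2.bad.example", "2022-02-01T00:00:00", "2022-03-31T23:59:59"))
    print("ever installed fake tracer:", devices_with_app(lake, "com.example.fakecovidtracer"))
    print("sideloaded:", sideloaded_apps(lake))
    print("health findings:", vulnerable_devices(lake))
```

Note that `devices_with_app` still reports phone-04 even though the constructed `app_remove` event shows the app is no longer present; that is exactly the case the paragraph describes, and it is only answerable because install events are retained rather than overwritten by current device state. Narrowing the time window in `devices_contacting` shows how the same retained data supports “when did this start?” questions during an investigation.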