Mobile device logging: The MRI of healthy networks

This content is sponsored by Zimperium.

While logging may not be the most interesting part of identifying and mitigating threats to federal systems, it is one of the most important.

Security event logs are used to protect system and network health. They give insight into whether an organization has all the controls it needs to mitigate attacks. Just as an annual MRI provides insight into otherwise invisible health issues, mobile threat detection gives agencies insight into otherwise opaque device health issues.

To prevent mobile security from being the Achilles heel of network health, agencies need solutions that help them log security events on their devices.

Mitigating risks from persistent threats

Persistent threats to federal networks have only increased in recent months. In mid-February, the Cybersecurity and Infrastructure Security Agency indicated that Russian state-backed actors were targeting cleared defense contractors. Since that time, CISA has issued additional reminders that while no specific threats to federal networks have been detected, vigilance remains paramount.

Logging requirements everywhere

In addition to persistent threats, federal agencies also need to comply with mandates that require event logging. Mobile device security is central to meeting the zero trust requirements set out in the Biden administration’s executive order, which means agencies need continuous attestation of the device.

To ensure organizations meet the requirements under the device pillar of zero trust architectures, logging of security events for mobile devices is essential.

OMB M-21-31

In August 2021, the Office of Management and Budget issued M-21-31, which established a maturity model for event log management in response to Executive Order 14028, “Improving the Nation’s Cybersecurity.” OMB M-21-31 defines four levels of maturity:

  • EL0 Not Effective: Logging requirements of the highest criticality are either not met or are only partially met.
  • EL1 Basic: Only logging requirements of the highest criticality are met.
  • EL2 Intermediate: Logging requirements of the highest and intermediate criticality are met.
  • EL3 Advanced: Logging requirements at all levels of criticality are met.

To meet the basic level of logging required under OMB M-21-31, agencies need to collect and retain the following security logs from their Enterprise Mobility Management or Mobile Threat Detection (MTD) solutions:

  • Alerts
  • General data
  • Device data
  • Order data
  • Device policy settings
  • Device configurations
  • Network configurations
  • Event logs, audits, and crashes
  • MTD agent information

In short, mobile device security and event logging are mandatory to meet OMB requirements as agencies move towards compliance with EO 14028.

FISMA metrics for fiscal year 2022

In December 2021, the Executive Office of the President and the Department of Homeland Security jointly released Version 1 of the FISMA CIO Metrics, which will be used to monitor agencies’ progress toward strengthening federal cybersecurity. This release updates the standards of the Federal Information Security Modernization Act to reflect the new reporting requirements described in the Executive Order.

Under the definition of “hardware assets”, the FISMA CIO metrics specifically include portable devices such as smartphones, tablets, and pagers.

As part of their environment inventory, agencies need to count these devices under two items:

  • Section 1.2, on the number of hardware assets that are operating in an unclassified environment
  • Item 5.1, on the number of government-provided hardware assets that are fully IPv6-enabled

All this makes sense. If the agency does not include a mobile device in its inventory of assets, it will not be able to manage it or collect records for it.

Mobile device attestation and logging

A closer look at the event log data that agencies need to collect from MTD agents shows that the details become more demanding. Under OMB M-21-31, agencies also need records of:

  • Agent activation status
  • Threat detections across a variety of vulnerabilities
  • Phishing protection status
  • Tampering with agents, applications, or systems
  • Privilege escalation
  • Man-in-the-middle attack activities
  • Remediation actions taken
  • The last time devices synced with enterprise systems

Mobile Device Management and Enterprise Mobility Management solutions generate the logs required to meet minimum baselines. However, with persistent threats to federal networks increasing, meeting minimum compliance baselines is not the same as effective security.

Detect mobile threats to security and compliance

Continuous attestation of the device is the MRI of zero trust architectures. Agencies need real-time analysis of mobile devices across five areas, along with logs that demonstrate visibility in each area:

  • Device weaknesses
  • Operating system weaknesses
  • Network attacks
  • Phishing attacks
  • Application weaknesses

To keep federal networks safe and secure, agencies need an MTD solution that gives them the continuous attestation and logging they need to fulfill these compliance mandates.

They also need an MTD that can prevent attacks even when the devices are not connected to a network. Oftentimes, attackers use unsecured cellular networks as part of their attacks. Devices can be compromised without a public wireless connection.

Secure all mobile endpoints with Zimperium zIPS

Zimperium zIPS is the only mobile security solution with real-time, machine learning-based, on-device detection for Android, iOS, and Chromebooks to implement zero trust architectures while meeting security logging compliance requirements.

Zimperium captures forensic and other events to provide real-time or near-real-time feedback on a mobile device’s security posture. It recognizes normal web traffic activity, such as visits to secure websites. When it detects abnormal activity on a device, zIPS sends an alert to the user and prevents malicious activity, such as stopping the loading of a phishing link. The zIPS z9 engine is the only solution to provide mobile threat defense for the entire device, having detected every mobile penetration for the past six years.

As the only machine learning-based detection engine on the device, the Zimperium z9 detection engine fully protects the device whether it’s online or not, protecting devices from threat actors that disconnect or redirect traffic when connected to a cellular tower. Since zIPS is neither signature-based nor cloud-based, it supports end-to-end endpoint security by filling in the gaps created by mobile devices.

Zimperium provides an MTD maturity model that accelerates agency compliance with the OMB Memorandum. The maturity levels of the model provide guidance through threat focus areas, policy recommendations, milestones, and degrees of security. After determining the maturity level, the MTD Maturity Model proposes the next steps, including specific measurements, metrics, and outcomes.