Organisations adopting bring your own device (BYOD) policies and cloud-computing apps should introduce passive scanning of mobile device traffic to identify malware rather than trying to actively scan the devices, a security architect has advised.
Maintaining an effective security perimeter requires assessment of the normal ‘trust relationships’ between network elements – and the ability to monitor ongoing network traffic for changes in those relationships – Tenable Network Security principal architect Dick Bussiere told CSO Australia.
In a mobile context, that means watching the traffic flowing to and from devices to look out for telltale signs of malicious activity. “If you ever try to scan an iPhone using an active scanner, you’re not going to see anything,” Bussiere explained. “However, you can determine what apps are being used on it just by watching the traffic being generated. You can learn a lot by just watching traffic.”
Increasing volumes of monitoring traffic, however, introduce the additional challenge of data proliferation. The solution, in Tenable’s case at least, has been to develop a many-to-one software architecture in which many instances of the company’s Nessus passive scanners are linked to a central monitoring database.
“If you are trying to use manual processes to maintain and completely understand your position from a vulnerability perspective, you cannot keep up any more,” Bussiere explained. “Collecting the data, and putting it into a searchable and query-able database where you can apply big-data principles to vulnerability analysis, allows you to learn certain things about your vulnerability position in a very reasonable time.”
A separate log correlation engine also brings in conventional logs from servers and network equipment, adding further information that can be used to spot anomalies. This would, for example, make it easy to spot an external hacker attempting a brute-force password attack on a large number of company servers.
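The cross-server correlation described above, as an added illustration that is not Tenable's code or anything from the article: failed-login lines from several servers are pooled in one place and a source address is flagged only when it fails against several distinct hosts within a short window, something no single server's log would reveal on its own. The log format, hostnames and addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like sshd format (not from the article).
SAMPLE_LOGS = """\
2023-03-01T10:00:01 srv-web01 sshd[1201]: Failed password for root from 203.0.113.5 port 4410 ssh2
2023-03-01T10:00:03 srv-web02 sshd[1330]: Failed password for admin from 203.0.113.5 port 4411 ssh2
2023-03-01T10:00:05 srv-db01 sshd[877]: Failed password for root from 203.0.113.5 port 4412 ssh2
2023-03-01T10:00:09 srv-app01 sshd[2201]: Failed password for oracle from 203.0.113.5 port 4413 ssh2
2023-03-01T10:00:11 srv-web01 sshd[1202]: Failed password for alice from 198.51.100.7 port 5000 ssh2
2023-03-01T10:00:12 srv-web01 sshd[1203]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
2023-03-01T10:30:00 srv-fs01 sshd[410]: Failed password for root from 203.0.113.5 port 4414 ssh2
"""

# Matches only failed logins; "invalid user" is optional because sshd adds it
# when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failures(text):
    """Yield (timestamp, host, user, src_ip) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"])

def find_distributed_bruteforce(text, min_hosts=3, window=timedelta(minutes=5)):
    """Return {src_ip: sorted hosts} for every source that failed logins against
    at least `min_hosts` distinct servers inside some `window`-long sliding window.
    A legitimate user mistyping a password on one box never reaches the threshold."""
    by_src = defaultdict(list)
    for ts, host, _user, src in parse_failures(text):
        by_src[src].append((ts, host))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so the window can start at each event
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    for src, hosts in find_distributed_bruteforce(SAMPLE_LOGS).items():
        print(f"{src} failed logins on {len(hosts)} servers: {', '.join(hosts)}")
```

The window and host threshold are the tuning knobs; the later 10:30 attempt on srv-fs01 falls outside the window and is not needed to raise the alert.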
It’s important, Bussiere added, to ensure that analysis efforts mirror the business structure – for example, by grouping devices by owner in a way “that allows you to break the problem up into multiple segments to make it easier to solve.”
This particularly applies to BYOD models, where large numbers of devices will be deployed based on trust relationships not only with the corporate network, but with other devices including virtual servers and Web-based cloud applications.
This shift in application delivery may help ameliorate the inherent risk from mobile devices themselves, but it increases the burden on security administrators to extend their surveillance efforts to online environments. The key here, Bussiere warned, is constant monitoring and early action against any anomalies.
“The move to Web applications might help a bit on the client side, since you don’t have as many apps to worry about on the client side,” he explained. “But keep in mind that the browser is a very big vulnerability all the time. [Web app models] put a lot more pressure on the server side, and require a lot more diligence on the server side. You have a lot more to lose if that single application-based thing goes down.”