Machine learning-based threat detection is coming to your smartphone
- 06 October, 2017 01:33
Part of a growing trend, MobileIron announced today that it is adding machine learning-based threat-detection software to its enterprise mobility management (EMM) client, which it said will help address an increase in mobile attacks.
The Mountain View, Calif.-based company said it has partnered with Zimperium, a maker of machine learning-based behavioral analysis and threat detection software that monitors mobile devices for nefarious activity and apps.
MobileIron said it will integrate Zimperium's z9 Engine software with its security and compliance client. The software will reside on users' iOS or Android smartphones or tablets, and it will also become a part of IT administrators' EMM control consoles. That upgrade to MobileIron's EMM client will "automate the process of detecting and responding to mobile threats," MobileIron stated.
Other EMM vendors are looking at the machine-learning space and forming partnerships, such as BlackBerry and Zimperium, as have PC players including Dell with Cylance. But it’s not entirely clear how effective mobile threat detection (MTD) via machine learning algorithms is, and there are still a relatively small number of companies that have deployed the technology, according to Jack Gold, principal analyst with research firm J.Gold Associates.
Nicholas McQuire, vice president of enterprise research at CCS Insight, said there's currently a lot of marketing hype around what machine learning and artificial intelligence can do, but the technology has tremendous promise for reducing malware.
Over the past two years, mobile attacks have doubled, which has led to a corresponding rise in IT departments' interest in mobile security — and MTD in particular, McQuire said. This year, more than 35% of IT decision makers listed device security, malware and threat protection as the biggest priorities for investment in the enterprise mobility and security space, according to CCS's 2017 Workplace Technology Survey. The survey was performed in August and the full results of it have not yet been released.
"In our view, the integration of EMM and MTD is crucial in addressing customer needs today and is also an important area of innovation for leading technology suppliers in the future," McQuire said. "It's becoming a core part of [the EMM] industry. There's absolutely no question about that."
McQuire added, however, that it's currently impossible to say how effective machine-learning is at detecting potential mobile threats, as it's still a nascent technology.
EMM threat detection a mixed bag
Mobile threat detection and defense tools use a mix of vulnerability management, anomaly detection, behavioral profiling, intrusion prevention, and transport security technologies to defend mobile devices and applications from advanced threats, according to Gartner. MTD products should provide four levels of protection, according to the research firm:
- Detecting device behavioral anomalies by tracking expected and acceptable use patterns
- Performing vulnerability assessments by inspecting devices for configuration weaknesses that will lead to malware execution
- Monitoring network traffic and disabling suspicious connections to and from mobile devices
- Identifying malicious apps and apps that can put enterprise data at risk through reputation scanning and code analysis
Along with Zimperium, LookOut, Skycure (now part of Symantec) and Wandera are the leaders in the mobile threat detection and defense market, each using its own machine learning algorithm to detect potential threats.
Wandera, for example, just publicly released its threat detection engine MI:RIAM.
This past May, using a collection of technologies that span the machine learning spectrum, MI:RIAM reportedly detected more than 400 strains of repackaged SLocker ransomware targeting businesses’ mobile fleets, according Jeanine Sterling, a research director with IT consultancy Frost & Sullivan.
"Most had thought this particular variant had disappeared, but MI:RIAM did what a machine learning solution does: It drew upon millions of historical data points and recognized SLocker’s digital DNA. Without machine learning, that kind of discovery just never would have happened," Sterling stated in an email response to Computerworld.
Google and Microsoft join the threat detection market
Microsoft has also been deploying machine learning-based threat detection technology in its Windows 10 platform, which also incorporates EMM capability via its InTune cloud service. The latest Microsoft OS employs Windows Defender Advanced Threat Protection, a cloud-based, artificial intelligence built on top of the Microsoft Intelligent Security Graph (ISG) that Microsoft said can identify new threats, including ransomware.
Google has also rolled out a machine learning algorithm, which it calls “Peer Group Analysis,” to identify potentially harmful mobile apps in its Google Play store that collect or send sensitive data without a clear need, and makes it easier for users to find apps that provide the right functionality and respect their privacy.
“For example, most coloring book apps don't need to know a user's precise location to function, and this can be established by analyzing other coloring book apps,” Google recently stated in its Developers Blog.
Zimperium’s machine-learning technology has not been limited to mobile devices, and it has been white-labeled inside several mobile banking applications, McQuire said. “At the moment enterprises are highly interested in the technology, but there have been barriers,” he said.
One of the issues stalling MTD uptake has been a reluctance by enterprises to purchase products separate from their EMM vendors, as well as pushback from users who are leery about installing the software on their smartphones and tablets. So, to date, MTD software has not been widely deployed, McQuire said.
Initial feedback on threat detection positive
Zimperium's product differentiates itself from cloud-based competitors as its z9 Engine software resides on the mobile device and looks not only at malware, but also at potential network and Wi-Fi hotspot threats and user behavior. It also looks at the basic health of a device, so if it's being jailbroken through a malware attack, it has the ability to remediate that attack in real time, according to McQuire. With cloud-based threat detection, there's a signal delay between when the software sees a threat and when it reacts to it, McQuire said.
Zimperium's z9 Engine monitors user behavior to keep malware from being downloaded onto the device, and it inspects the health of applications that get downloaded from Google Play or Apple's App Store, McQuire said. "Part of the machine learning element of this is it can then start to learn behavior and to an extent automate responses based on whether that device has become non-compliant or has been compromised through malware," McQuire said.
Machine learning — and the predictive analytics it makes possible — are receiving a significant amount of attention across the enterprise mobility landscape, according to Frost & Sullivan's Sterling.
"We’ve already seen this capability increasingly incorporated into mobile worker apps, and it makes tremendous sense to add it to mobile management solutions; especially as EMM evolves into UEM — Unified Endpoint Management — and also assumes responsibility for managing and securing select IoT devices," Sterling said.
Initial feedback from users of MTD technology has been positive, according to Sterling, but it's still early days, so the technology is just beginning to "make its way up the learning curve."
Are there consequences to additional machine learning on mobile devices?
"Clearly, increasing cyber-attacks and malware incidents have everyone on edge and looking for ways to combat this threat. Machine learning-based threat detection software promises quick, real-time identification of threats — and then quick, automated remediation," Sterling said. "The downside is the false alarm, which can become overwhelming and counterproductive."
Another concern with MTD has been that when housed on a mobile device, it could affect the smartphone or tablet’s performance as it gathers more and more data to analyze.
John Michelsen, chief product officer at Zimperium, said the z9 software is 99% effective in detecting malware, and it functions “offline.” Then the resulting threat “classifiers” or algorithms are used on-device to detect threats.
“Since the solution only reads attributes and does not write, it does not change anything on the device and cannot impact performance over time,” Michelsen said, adding that eliminating malicious apps can actually help device performance.
MTD solutions continue to be a mixed bag, according to Gold, but having many mobile devices in use at a company greatly increases the exposure and risk, so use of the technology is "certainly better" than having nothing, Gold said. "But most mobile threats are delivered via bad apps, and it’s not always clear that these products can catch all of those malware attacks," Gold said.
Zimperium's z9 Engine basically tries to use an understanding of what apps should do, how users should interact, and what functions on the device should be activated in order to detect bad actors, Gold said.
"This is much better than just signature matching like we’ve used on PCs for many years. But it’s hard to determine how successful the products are at detecting all threats. And attack vectors are different for Android than for iOS," Gold said, "so you have to have expertise in both if you want to successfully develop a threat mitigation product for mobile (unless you decide to only go after one platform). iOS is harder to develop for as Apple provides fewer hooks into the OS to monitor and attach to."
Correction: An earlier version of this story reported that Bank of America uses Zimperium technology in its mobile apps. A Zimperium spokesperson says the company has no relationship with Bank of America.