Personal mobile devices, which are often used for work purposes, are attractive targets for a variety of attacks on corporate infrastructure. Let us look at the features of Endpoint Detection and Response (EDR) systems and learn how they can help protect against targeted attacks on mobile devices.
In terms of technology, modern smartphones and tablets often surpass the capabilities of a typical employee workstation. The number of mobile devices has been rapidly increasing; it surpassed the number of workstations back in 2015. Being both a personal device (with an installed banking app, user correspondence, photos, and videos) and, at the same time, an access point to corporate resources, a mobile device is a real treasure trove for a wide range of cyber-attacks.
In fact, all possible attack vectors against workstations are only a subset of those against mobile devices, because of the many sensors (accelerometer, magnetometer, GPS, etc.), the admin rights the user holds on the device, the limited capabilities of antivirus software, imperfect backup and disaster recovery procedures, and uncontrolled connections to insecure wireless networks.
The issue is made worse because even a basic attack aimed only at a user's personal data often also threatens corporate resources: multi-factor authentication, a common protective measure, is ineffective once the mobile device itself has been compromised, since the second factor is typically delivered to or generated on that same device. It is worth noting that keyloggers and other types of spyware can cause a range of other security issues that should not be overlooked.
As smartphones emerged, the need to safeguard mobile devices led to the development of modified Endpoint Protection Platforms. These new EPPs were explicitly designed to work with mobile operating systems.
The formation and evolution of EDR, XDR, and EPP solutions for mobile device protection
The creation of security solutions for endpoints and, in particular, mobile platforms is closely related to the understanding of attack vectors targeting both a specific device and the infrastructure of an organization as a whole.
Initially, mobile security products were similar to those used on desktop computers. These solutions only included a basic antivirus scanner, relying primarily on signature detection, and a simple firewall. They could not even always report to a central server. Obviously, this is not enough in current conditions, as attackers use various methods such as introducing malware, exfiltrating or altering data, and compromising the network to carry out attacks.
According to OWASP, the top 10 security risks (including those that threaten mobile apps) include attacks that are far beyond the scope of traditional antivirus solutions. For instance, in recent years, issues related to Broken Access Control have become more common. These problems often occur in legitimate third-party apps on the device rather than in traditional forms of malware.
The mobile device protection industry has grown to include a broader range of capabilities and expanded coverage. Companies that create mobile security solutions now offer control over network connections, protection against fraudulent apps and SMS phishing, and application access control. According to Gartner, there are over ten essential components that a mobile device protection solution must have in order to be considered a market leader and be included in their “magic quadrant.”
EPP solutions provide excellent protection against new threats that are based on already-known malware. However, more sophisticated means are required to protect against less widespread, targeted, more aggressive, and more sophisticated attacks. An endpoint security system needs to adapt to the contemporary landscape of complex threats: it must be able to detect advanced attacks aimed at endpoints and quickly respond to detected incidents.
Such solutions form a separate class of products: Endpoint Detection and Response (EDR). Gartner researchers identify several mandatory properties of these solutions: prevention, detection, response, and prediction.
Modern EDRs can:
- Provide real-time monitoring of endpoints.
- Detect and prioritize information security incidents.
- Record and store information on events occurring at endpoints.
- Provide information for incident investigations.
- Respond to incidents.
- Interact with EPP solutions.
Serious threats can go unnoticed if data for analysis is collected from each device separately. Next-generation solutions (XDR) aim to provide a more comprehensive view of an organization’s security posture by collecting and analyzing data from multiple devices and infrastructure elements. This allows them to detect and respond to threats more effectively, as they can automatically correlate events and actions across the entire organization. XDR systems are designed to cover all security levels of various devices simultaneously.
XDR collects information from various sources and uses statistical models and machine learning to identify incidents that EDR or EPP solutions cannot detect on a single device, either because the relevant evidence is spread across several devices or because the event does not look suspicious when seen on one device alone. The unified management console of an XDR system enables you to view, analyze, and respond to threats very quickly. This improves both the overall security of the organization's infrastructure and the accuracy of alerts.
EDR/XDR and fraud detection solutions
The greater the number of sources of information for analysis, the more accurate systems based on machine learning techniques become. When mobile devices are used, it is possible to increase the amount of data gathered in order to identify anomalies and incidents.
An approach that draws on a large number of indicators has already proven effective in anti-fraud solutions that protect bank clients. The banking system analyzes a user's typical behavior, habits, and transactions, and alerts the bank about non-standard or risky actions. This is similar to how a comprehensive EDR/XDR security solution operates.
The basic technical characteristics analyzed are similar to those used for a laptop or workstation:
- Versions of applications and operating systems.
- Any hidden or malicious apps installed.
- System and network settings.
- Whether apps have access to important functions, such as the camera.
This information is complemented by characteristics specific to mobile devices, such as phone calls and SMS history, location, etc. Some solutions already analyze activity from popular messaging apps like WhatsApp or Telegram, which are increasingly becoming the primary way people communicate.
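As an added illustration of the posture checks listed above and of the cross-device correlation described in the XDR section (example code written for this article, not a product's own logic), the snippet below compares a constructed baseline and current snapshot of per-device telemetry. Device ids, package names, OS versions and permission names are all made-up sample data.

```python
from collections import defaultdict

# Constructed sample telemetry (device ids, package names and versions are made up).
# Each snapshot maps device -> OS version and installed apps with their granted permissions.
BASELINE = {
    "dev-A": {"os": "14.2", "apps": {"com.bank.app": {"camera"}, "com.chat.app": {"camera", "mic"}}},
    "dev-B": {"os": "14.2", "apps": {"com.bank.app": {"camera"}}},
    "dev-C": {"os": "14.1", "apps": {"com.bank.app": {"camera"}, "com.chat.app": {"mic"}}},
}
CURRENT = {
    "dev-A": {"os": "14.2", "apps": {"com.bank.app": {"camera"}, "com.chat.app": {"camera", "mic"},
                                     "com.example.cleaner": {"sms", "camera"}}},
    "dev-B": {"os": "14.2", "apps": {"com.bank.app": {"camera"},
                                     "com.example.cleaner": {"sms", "camera"}}},
    "dev-C": {"os": "13.0", "apps": {"com.bank.app": {"camera"}, "com.chat.app": {"mic", "sms"}}},
}
# Permissions that give an app access to the "important functions" the article mentions.
SENSITIVE = {"camera", "sms", "mic", "location", "accessibility"}

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def device_findings(base, cur):
    """Per-device (EDR-style) checks: new apps, permission creep on known apps, OS downgrade."""
    findings = []
    for pkg, perms in cur["apps"].items():
        if pkg not in base["apps"]:
            findings.append(("new_app", pkg, frozenset(perms & SENSITIVE)))
        else:
            gained = (perms - base["apps"][pkg]) & SENSITIVE
            if gained:
                findings.append(("perm_gain", pkg, frozenset(gained)))
    if version_tuple(cur["os"]) < version_tuple(base["os"]):
        findings.append(("os_downgrade", cur["os"], frozenset()))
    return findings

def correlate(baseline, current, min_devices=2):
    """Fleet-level (XDR-style) step: a new app with sensitive permissions on one device is only
    a low-priority finding; the same unknown package appearing on several devices in the same
    reporting window is raised to an incident."""
    per_device = {d: device_findings(baseline[d], current[d]) for d in current}
    spread = defaultdict(set)
    for dev, fs in per_device.items():
        for kind, pkg, perms in fs:
            if kind == "new_app" and perms:
                spread[pkg].add(dev)
    incidents = sorted((pkg, sorted(devs)) for pkg, devs in spread.items() if len(devs) >= min_devices)
    return per_device, incidents

if __name__ == "__main__":
    findings, incidents = correlate(BASELINE, CURRENT)
    for dev, fs in findings.items():
        print(dev, fs)
    print("incidents:", incidents)
```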
When analyzing the most advanced attacks, researchers have long noted that the weakest point is the user. Knowing user habits allows voice assistants to guess their preferences; the same knowledge enables security solutions to recognize harmful deviations from normal behavior early. It is no longer enough to rely on antivirus alone. You need a lot of data and advanced analysis tools to deal with modern attacks comprehensively.
Conclusion
As more mobile devices are gaining access to corporate networks, it is necessary to ensure that they are adequately secured. Advanced EDR/XDR solutions, in addition to traditional security measures, can also consider the various sensors and features present on modern smartphones. The experience gained in developing fraud detection solutions can be helpful in this context, as it allows identifying patterns and anomalies in user behavior based on many criteria.
About the author: Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He writes for numerous tech-related publications, sharing his security experience.