Niccolò Paganini’s Caprice No. 24 in A Minor is a famous and notoriously difficult composition that only the most advanced violinists can play. It’s made up of a theme, along with Paganini’s own variations. But as respectable as it is on its own, it’s been discovered and rediscovered by a large number of composers and artists over the years for new audiences, many of whom may not have realized they were listening to Paganini in the first place.
Each variation on a theme can provide new insights, because they challenge the audience to hear things that they may not have otherwise noticed. But without knowledge of the original theme, there’s also a chance of missing out on the big picture. In some ways, the discussion around mobile security takes on its own variations of a theme, because many people share common concepts on risk but their priorities on what must be done vary greatly.
I’ve had discussions with people who see mobile security as a data at rest issue, namely how to protect and remove data once it reaches the mobile device. That argument may address some of the issues with lost and stolen devices, but it does not address what happens if there is a malicious adversary trying to control the device.
Then there are networking teams who see mobile security as a network blocking issue, namely that they’ll do whatever they can to keep BYOD and unsanctioned devices off their corporate network. That may be a way to keep infected mobile devices out of sight, out of mind, but it doesn’t really make the sanctioned devices any safer to use.
There are also networking teams who see mobile security as being a remote access issue, but as applications move to the cloud, the use case for remote access becomes fuzzy, and the use of standalone VPN appliances even fuzzier.
It’s important to ask whether you’re addressing the problem itself, or a variation of the problem. For example, while each of the problems above are valid in their own right, the bigger issue is that organizations often lack ways to enforce security policies that could prevent improper application traffic and threats from reaching the device in the first place.
These thoughts come to mind as I read through NIST Special Publication 1800-4, which outlines the problem in mobile security. Section 4.4.1 discusses threats (including mobile malware) and Section 4.4.2 discusses exploitable vulnerabilities, both of which are at the heart of modern cyberattacks.
At Palo Alto Networks, we believe that prevention is a necessary and critical measure to prevent exploits and malware from reaching the device in the first place. The next-generation security platform provides an integrated approach toward the use of global threat intelligence to stop threats in application traffic. With GlobalProtect, all corporate application traffic is inspected by the next-generation security platform, regardless of where the user is located. This enables the organization to take a prevention-first approach by applying security policy to stop both known and unknown mobile threats.
As mobile security becomes better understood, it is important to develop strategies and frameworks that will help foster broader understanding of the issues at play – not just one or two variations. Stopping threats won’t come from solving the variations of the theme, but rather by addressing the core of the problem itself. Plan for prevention first in order to strengthen your mobile security strategy.
[Palo Alto Networks Blog]