McAfee MVISION Mobile Analysis & Intel on Mobile Threat Metrics & Protecting Public Sector from Zero-day Attacks with Machine Learning Detection Andrew Osborn | CISSP, GSLC VP | Global Solutions - Telco & Gov't

McAfee MVISION Mobile · Features & Benefits Secure corporate document sharing & secure web security Ability to revoke access from non-compliant mobile devices “Always on” protection

McAfee MVISION Mobile Analysis & Intel on Mobile Threat Metrics & Protecting Public Sector from Zero-day Attacks with Machine Learning Detection

Andrew Osborn | CISSP, GSLC

VP | Global Solutions - Telco & Gov't

MCAFEE CONFIDENTIAL

Early Gift to you?

* So what do they have in common?

Even Apple has stated...

An Endpoint is an Endpoint is an Endpoint… And just another attack surface!

Discerning <or> Intriguing Metrics?

• 10m devices without a passcode
• 4m devices with encryption disabled
• 3m developer options enabled
• 2.1m devices with unknown sources enabled
• 1.4m devices with USB debugging
• 250k internal network access
• 28% of tampered devices were NOT rooted
• 219m file system changed events
• 2m daemon anomaly
• 20.4m total scans
• 81m connections to open Wi-Fi nets
• 16m total active MitM attacks

* Malicious Profiles more prevalent than malware for iOS

MVISION Platform Analytics for Nation State:

• NSO, Gamma, LU, the Russian Military Intel Service’s (GRU), China & APT41, DPRK & Lazarus and countless other known Nation State Actor(s) and players are actively using these threats as attack surfaces in order to gain access to either multiple, targeted devices or upstream servers / services and the data
• Also used in potential coordinated DDoS attacks
• MVISION’s solution is designed to stop these types of attacks at their very earliest stage of the Cyber Kill Chain

A novel if not effective way?

Mobile Security Attack Framework Alignment

* Cyber Kill Chain
* MITRE ATT&CK for Mobile

• NIST Special Publications > FISMA > FedRAMP
• NIAP Common Criteria & NSA Mobility Capability Pkgs
• Cybersecurity Information Sharing Act (CISA) Exec Mandates
• Dept. of Homeland Security Continuous Diagnostics & Mitigation
• Groups: Advanced Technology Academic Research Center (ATARC)

Local Guidance & Framework; Is this for us too?

• Australia’s Office of the Australian Information Commissioner (OAIC):
o Notifiable Data Breaches (NDB) notification & protection against mobile device threats scheme
o “Must cover multiple access levels, including device, app, network, and content protection” and “real-time monitoring is an essential part” of the required security measures…

• Australian Signals Directorate (ASD):
o Published ‘how-to’ guides aimed at getting more organizations to adopt security protocols and strategies like phishing detection & prevention

• APEC Cross-Border Privacy Rules (ACBPR):
o Protects flow of data and privacy of data for Japan and other AsiaPac partners
o Although the system solutions are voluntary, there are enforceable rules governing international transfers of data, providing strong privacy protections

• Information & Communications Technology (ICT):
o Provides a Gov’t framework for Cybersecurity and architecture, which includes mobility and IoT, is akin to the U.S.’s NIST’s FISMA and includes Cloud Standards

• Groups/Alliances:
o Australian Competition & Consumer Commission (ACCC) & Cloud Security Alliance: Security, Trust & Assurance Registry (CSA STAR)

* What does it mean: guidance / compliance / best practices around securing, collecting threat Intel have already been made!

It might seem unfair?

* Doesn’t matter how many ‘Jedi moves’ you have, it only takes one time to lower your guard to get “owned”

What makes up mobile attacks?

• Device Attacks: THE Sole Objective for Persistent Foothold
• Network Attacks: The Primary Mechanism for Targeted Attacks
• Malicious Apps: Untargeted, Advertising & Fraud Threats
• Phishing Sites: Untargeted, Fraud & Exploit Delivery

Start of targeted attacks > 90%

Patented Detection Engine Designed for Mobile

Detection engine uses machine learning and behavioral analysis to provide real-time, on-device protection against both known and unknown threats

Device | Network | Application | Phishing Attacks

• On-device: No need for cloud lookup
• Advanced Threat Classifiers: 99.999% effective
• ML for malware: Stop exploits without updates
• ML for phishing: Only proven way to prevent phishing attacks

How can we help?

• Identification of devices risk
o On outdated/vulnerable OS
o Compliance violations
o Configuration issues

• Exploit detection
o On device

• Deepest set of device threat detection and remediation controls
o 24 specific device policies

• Adding security value and controls onto specialized platforms
o Samsung KNOX
o Android Enterprise

• Application Vetting
o iOS & Android-based

• Broadest range of network threat detection and remediation controls
o 21 specific network policies
o Layer 2 through 7 detection

• Ability to trigger remediations
o Wi-Fi disconnect
o VPN
o Block specific app traffic

MVISION is Not an EMM/MDM... It Complements Them

MVISION is the ‘only MTD solution’ capable of working with multiple EMMs in one implementation:

Intune

Features & Benefits (comparison table, columns: EMM | MVISION)

• Access controls to corporate email, VPN, app delivery & removal
• Secure corporate document sharing & secure web security
• Ability to revoke access from non-compliant mobile devices
• “Always on” protection on the device
• Detect if device has proper security enabled (e.g., pin, encryption)
• Jailbreak detection
• Root/compromise detection
• Network attack (e.g., MITM, rogue access points) detection
• OS compromise & exploitation detection
• Malicious app and profile detection
• Mobile phishing detection
• Provide detailed app risk & privacy analysis
• Reconnaissance scan detection
• Detailed mobile threat intelligence and forensics

Is that my job; we’ll get to it!?

MVISION Mobile Advanced App Analysis

Dynamic & Static Analysis of Mobile Applications - ATD & AST but for Mobile Apps

Machine Intelligence – Risk Scoring

Advanced App Analysis Engine

Analysis

• Dynamic Analysis

• Static Analysis

• Cross Application Correlation

• 3rd Party Code

• Payload Inspection

• Various Threat Engines

Forensic Correlation

• Registrant History

• Communications

• URL Reputation

• Data Leakage

• Privacy Violations

• Security Violations

• Distribution Footprint

Validation

• OWASP Mobile Top 10

• Chain of Trust

• SSL Certificate Validation

• Vulnerabilities

• Certificate Pinning

• Repacking

• Developer Reputation

MVISION Mobile ADVANCED

Powered by industry leading mobile threat protection technology

Danger Zone

Multi-EMM Integration

Phishing Attack Detection

App Privacy and Security Risk Reporting

Customized App Compliance Policies

On Device Remediation

EMM Remediation

Fully Customizable User Notifications

Questions?

McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the U.S. and/or other countries.

Other names and brands may be claimed as the property of others.

Copyright © 2019 McAfee, LLC.