Insight by Zimperium

Mobile device event logging: A panacea for the digital endemic

This content is provided by Zimperium.

Malware, like ransomware and spyware, is rampant in federal networks. If agencies have learned nothing else in the last year, they have realized that they currently face a digital endemic. With mobile security as the Achilles heel of Zero Trust, mobile event logging can be a preventive care measure protecting federal network digital health. Just like cancer screenings can give preventative insights into physical health, mobile event logging acts as a digital health screening to detect and prevent potential threats to federal networks.

Digital Device Health Screening by Maturing Event Logging

The August 27, 2021, Office of Management and Budget (OMB) memorandum M-21-31 outlines a “Maturity Model for Event Log Management.”

The memorandum gives four maturity levels defined as:

  • EL0 Ineffective: Logging requirements of highest criticality are either not met or only partially met
  • EL1 Basic: Only logging requirements of highest criticality are met
  • EL2 Intermediate: Logging requirements of the highest and intermediate criticality are met
  • EL3 Advanced: Logging requirements at all criticality levels are met

At the EL1 Basic level, agencies need to ensure that they log alerts from mobile devices (smartphones and tablets) and from Mobile Threat Defense (MTD) servers.

Further, agencies need to retain logs for mobile devices and MTD agents in both active and cold storage. Under the technical details section, the data to be collected includes:

  • General
  • Device
  • Application
  • Device policy settings
  • Device configurations
  • Network configurations
  • Event/Audit/Crash logs
  • MTD agent information

The MTD agent information gets even more specific, pointing out that the event logging needs to include:

  • Agent Activation Status
  • Threat Detection of Variety of Vulns
  • Phishing Protection Status
  • Tampering of Agent, App, or System
  • Privilege Escalation
  • MITM Activities
  • Remediation Actions Taken
  • Last Time Device Synched with Enterprise Systems

All of this makes sense as mobile threats continue to grow. After all, mobile is often the most vulnerable endpoint, which makes it an attractive target for threat actors. As an essential “highest criticality” logging requirement, every agency must include mobile device logging as part of its attestation and documentation process. No Zero Trust Architecture (ZTA) implementation is complete without mobile device security and logging as a preventive screening against the digital endemic agencies face.

Mobile Device Attestation and Documentation Challenges for ZTA

To comply with the ZTA Device pillar requirements, agencies need real-time analysis of mobile devices, ensuring protection against zero-day cyberattacks that include:

  • device weaknesses,
  • OS vulnerabilities,
  • network attacks,
  • phishing attacks and
  • application vulnerabilities.

This monitoring must be done across static and dynamic runtime environments. Without this “device attestation” capability, it is impossible to achieve a zero-trust posture since the device itself can be compromised.

While some “system of record” solutions such as Mobile Device Managers (MDM) provide data useful for device-trust assessments, many cannot provide near-real-time accounts of current risks and vulnerabilities on the device. Beyond detection, MTD solutions add remediation to terminate unauthorized access to data or services, assuring that the device’s cybersecurity posture and trustworthiness are sound.

Attestation is the process of monitoring device security. Meanwhile, MTD logging is the assurance aspect that proves trustworthiness. A complete ZTA implementation must include both the device monitoring and the documentation as proof that the agency continuously manages device security, preventing critical mobile.

Secure All Mobile Endpoints with Zimperium zIPS

Zimperium zIPS gives you a way to implement an MTD solution with the logging necessary to meet the OMB maturity requirements. zIPS is the only mobile security solution with real-time, on-device machine learning-based detection for Android, iOS, and Chromebook. With zIPS, public and private sector organizations can protect against known and unknown threats.

Zimperium provides an MTD Maturity Model that accelerates agency compliance with the OMB’s memorandum. The model’s maturity levels offer guidance through threat focus areas, policy recommendations, milestones, and security scores. After determining an agency’s current level of maturity, the MTD Maturity Model suggests the next steps, including measurements, metrics, and specific outcomes. Public and private entities can use this model to strategize, execute, and communicate mobile risks across the organization. While some “system of record” solutions such as Mobile Device Managers provide data useful for device-trust assessments, Zimperium’s zIPS goes further, giving near-real-time accounts of current risks and vulnerabilities and providing the critical logging resources that help agencies meet EL1 Basic maturity level compliance.

Zimperium zIPS runs locally on mobile devices, recognizing normal baseline configurations for operating systems and apps. It also recognizes normal web traffic activity, like safe websites. When it detects abnormal activity on a device, zIPS sends the user an alert and blocks malicious activity, like stopping a phishing link from loading.

With zIPS, organizations have continuous mobile device monitoring without requiring a persistent connection for signature validation. zIPS uses the Zimperium z9 zero-day detection engine, protecting the whole device whether connected to the internet or not. This advanced mobile security protects devices from threat actors disconnecting or redirecting traffic when connected to a cellular tower. Since zIPS is not signature-based or cloud-dependent, it supports holistic endpoint security by filling in the gaps created with mobile devices.

The Zimperium solution captures forensic and other events for real-time or near-real-time feedback on a mobile device’s security posture. As the only fully on-device machine learning-based detection engine, the zIPS z9 engine is the only solution to provide mobile threat defense for the entire device, having detected every mobile exploit over the last six years.

Preventive digital health screening starts with mobile security and threat detection. As the threat landscape evolves and compliance initiatives focus on mobile event logging, the public and private sectors need to complement their existing EDR with the Zimperium solution for a complete approach to Zero Trust that protects federal networks.