Mobile device logging: the MRI for healthy networks

This content is sponsored by Zimperium.

While logging may not be the most interesting part of identifying and mitigating threats to federal systems, it is one of the most important.

Security event logs are used to protect system and network health. They give visibility into whether an organization has all the controls it needs to mitigate attacks. Just like an annual MRI provides visibility into current state of health for issues that are not visible otherwise, mobile threat detection gives agencies visibility into otherwise obfuscated device health issues.

To prevent mobile security from being the Achilles heel of network health, agencies need solutions that help them log security events on their devices.

Mitigating risks from persistent threats

Persistent threats to federal networks have only increased over in recent months. In mid-February, the Cybersecurity & Infrastructure Security Agency noted that Russian state-backed actors were targeting cleared defense contractors. Since that time, CISA has released additional reminders that while no specific threats to federal networks have been detected, vigilance will continue to be of the utmost importance.

Logging requirements everywhere

In combination with persistent threats, federal agencies also need to comply with mandates that require event logging. Mobile device security is fundamental to meeting zero trust requirements set out in the Biden administration executive order and means agencies need continuous device attestation.

To ensure organizations meet the requirements under the device pillar for zero trust architectures, security event logging for mobile devices is imperative.

OMB M-21-31

In August 2021, the Office of Management and Budget released M-21-31, which set out a maturity model for event log management in response to EO 14028 on Improving the Nation’s Cybersecurity. OMB M-210-31 defines four maturity levels:

EL0 Ineffective: Logging requirements of highest criticality are either not met or only partially met.
EL1 Basic: Only logging requirements of highest criticality are met.
EL2 Intermediate: Logging requirements of the highest and intermediate criticality are met.
EL3 Advanced: Logging requirements at all criticality levels are met.

To meet even a basic level of logging as required by the administration under OMB M-21-31, agencies need to collect and retain the following security logs from their enterprise mobility management or mobile threat detection (MTD) solutions:

Alerts
General data
Device data
Application data
Device policy settings
Device configurations
Network configurations
Event, audit and crash Logs
MTD agent information

In short, mobile device security and event logging are mandatory to meet OMB requirements as agencies move toward complying with EO 14028.

Fiscal 2022 CIO FISMA Metrics

In December 2021, the Executive Office of the President and the Department of Homeland Security jointly issued Version 1 of the FISMA CIO Metrics, which will be used to monitor agencies’ progress toward strengthening federal cybersecurity. This release updates Federal Information Security Modernization Act metrics to reflect new reporting requirements outlined in the executive order.

Under the definition of “hardware assets,” the FISMA CIO Metrics specifically include mobile devices like smartphones, tablets and pagers.

As part of enumerating the environment, agencies need to include these devices under two sections:

Section 1.2 on the number of hardware assets operated in an unclassified environment
Section 5.1 on the number of government-furnished hardware assets that are fully IPv6-enabled

All of this makes sense. If an agency does not include a mobile device in its asset inventory, it won’t be able to manage it or collect logs for it.

Mobile device attestation and logging

Digging into the event log data that agencies need to collect from their MTD agents, the specifics become even more challenging. Under OMB M-21-31, agencies also need documentation about:

Agent activation status
Threat detection of variety of vulnerabilities
Phishing protection status
Tampering of agents, apps or systems
Privilege escalation
Man-in-the-middle attack activities
Remediation actions taken
Last time devices synched with enterprise systems

Mobile device management and enterprise mobility management solutions create the system of record needed to meet minimum baselines. However, with persistent threats to federal networks on the rise, minimum compliance baselines are not the same as effective security.

Mobile threat detection for security and compliance

Continuous device attestation is the MRI for zero trust architectures. Agencies need real-time mobile device analysis across five areas, along with the logs proving visibility into each one:

Device weaknesses
Operating system vulnerabilities
Network attacks
Phishing attacks
Application vulnerabilities

To keep federal networks healthy and secure, agencies need an MTD solution that gives them the continuous attestation and logging they need to meet these compliance mandates.

They also need MTD that can prevent attacks even when devices are not connected to networks. Often, threat actors will use insecure cellular networks as part of their attacks. Devices can be at risk without connecting to a public wireless connection.

Securing all mobile endpoints with Zimperium zIPS

Zimperium zIPS is the only mobile security solution with real-time, on-device machine learning–based detection for Android, iOS and Chromebook for implementing zero trust architectures while meeting compliance requirements for security logging.

The Zimperium solution captures forensic and other events for real-time or near-real-time feedback on a mobile device’s security posture. It recognizes normal web traffic activity, like safe websites. When it detects abnormal activity on a device, zIPS sends the user an alert and blocks malicious activity, like stopping a phishing link from loading. The zIPS z9 engine is the only solution to provide mobile threat defense for the entire device, having detected every mobile exploit over the last six years.

As the only fully on-device machine learning–based detection engine, Zimperium z9 zero-day detection engine protects the whole device whether connected to the internet or not—protecting devices from threat actors disconnecting or redirecting traffic when connected to a cellular tower. Since zIPS is not signature-based or cloud-dependent, it supports holistic endpoint security by filling in the gaps created with mobile devices.

Zimperium provides an MTD maturity model that accelerates agency compliance with the OMB memorandum. The model’s maturity levels offer guidance through threat focus areas, policy recommendations, milestones and security scores. After determining a level of maturity, the MTD maturity model suggests the next steps, including measurements, metrics and specific outcomes.

For more information on contract vehicles and how to leverage your cybersecurity funding or fiscal year-end spending, please click here: https://get.zimperium.com/leverage-fy22-cyber-funding/.

Insight by Zimperium