Foreign-made apps like TikTok mean more risks for federal employees
February 11, 2020 11:38 am
9 min read
Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
Whether it’s the use of TikTok or the need to protect multiple pathways to commercial clouds, federal cybersecurity challenges keep multiplying. For more about some of the emerging threats, Federal Drive with Tom Temin spoke with the vice president for federal at Tanium, Ralph Kahn.
Tom Temin: This whole end point in mobile security has become a bigger and bigger and bigger issue. Even in the cloud era, there’s end point access via mobile devices. But recently the Defense Department said, everybody get rid of TikTok and this is an application that I guess is virally popular. I confess I don’t know anything about it, but I see people giggling at it all the time. But what about apps like that? Or TikTok itself? Is there an emerging threat from this kind of thing?
Ralph Khan: It’s funny, my kids love that app, and I asked them to uninstall it as well. And, you know, in today’s environment, you have to be increasingly sensitive and aware of what you’re putting on your devices. You need to know about the supply chain. Actually. And you know, if you’re a 14 year old, you’re not thinking about supply chain. Yyou’re thinking about Oh, it’s cool. It works. I want to use it, right? And sometimes even soldiers who are 18, 19 and 20 have the same issue. In this case, the APP is from a Chinese manufacturer, and one of the issues we have is because of the rules that country operates under. You really don’t know what the what the app does, where the data is going, what they could do with it, and you have to be very, very careful. Nation states have interests, and if I was a nation state wanted to do something. Sure, I’d say there’s no problem with it. But if you look at the history of various nation states, many of the nation states that are very strong in cyber warfare have a history of partnership with commercial industry. As a matter of fact, many of the top commercial companies came from people with strong ties to their military and their government. And that creates a risk, right? It may be there it may not, but it’s a risk that I think wisely the U. S. Government is not taking.
Tom Temin: Yet because this whole idea of mobile devices and the idea that we don’t want cyber security measures to make it impossible for people to log on or enjoy life or use their devices. And yet, even if you had a non-government device in a government installation than your location is known regardless so as these risks keep multiplying, then you keep hearing the term risk management. How does this really work in an operational or programmatic sense? It’s a nice idea, but how do you do it?
Ralph Khan: So I think risk management is a subset of management in general. If you want to manage something, you identify the scope of the thing you want to manage, the metrics you’re going to use to rate yourself, and then you go about the process of achieving those metrics over the thing that you want to manage. The government, both civilian and DoD, has spent a lot of time successfully working on identifying what they have, what the various risks are, like things like compliance. You can look at things like the miter attack framework right that gives you a really specific view into the TTPs that an adversary may use to attack you. Those are very measurable things. Do you have controls in place that are going to block the following TTPs that might attack framework? How long does it take you when a vulnerabilities discovered to patch it and remediate it so you don’t have it right? Those are metrics you can use to manage your risk.
Tom Temin: Such as the difference between when patch Tuesday patches come in. And do you have them up Tuesday afternoon? Or is a week from the following Friday?
Ralph Khan: That’s right. As I sit here and look at things that I hope the government begins to move towards right, you look at CDM, which is still kind of at 72 hours to get something done, and you look at commercial industry. When the latest Microsoft crypto-vulnerability came out, most of commercial industry was patched same day. Many government agencies are still struggling to do that weeks later, and it’s not a technology issue. It’s a process issue. They’re used to thinking about patching in a particular way, and their approach, their thoughts and frankly, some of their tools haven’t kept pace with the speed with which they need to be able to do that to protect themselves.
Tom Temin: I guess it almost sounds like with threats growing exponentially, you need some sort of a log rhythmic approach, and I don’t not quite sure what that means, but it seems like you can’t keep chasing the risks because of the exploding number of them. So you need some overarching way that protects the agency, but you can’t stamp out everything.
Ralph Khan: You can’t. So I think what a lot of the smart agencies and many of the commercial companies they’re doing is they’re looking to automation, right? So they’re employing technologies that operate at bigger scales that operate more quickly and that encourage automation. So, for instance, if you had a series of security controls that you knew needed to be configured a particular way, you could, using automation, check if they were configured or not, and if they weren’t take that end point, quarantine it for a little bit, fix it and put it back online. Humans don’t need to be involved in that, and that’s how you begin to deal with complexity. You do it with speed and scale and automation. And so if you look at it places like the U. S. Air Force, they’re beginning to do this. They have already 365 policy, where if they see a vulnerability, it needs to be done within a day. And so they’re moving to a much more aggressive at scale, at speed automated way of reducing the complexity for them.
Tom Temin: With all of these agencies moving to not just one, but multiple commercial clouds. Plus, you have multiple access points per employee. Maybe 2-3 is not uncommon. How does that affect the calculus for risk reduction?
Ralph Khan: That’s certainly adds to the complexity, right? The more communication paths you have, the more controls you need to make sure those communication pass air encrypted. They’re secure,
they’re available. And then when you move to the cloud, that’s just another end point, happens to be a virtual in point, but t’s just another end point. It might be a container, and the proliferation of those add more things you need to manage. So having a tool that allows you to manage its scale with speed and do automation gets even more critical, the more complex your environment gets.
Tom Temin: Do you think that the mobile device manufacturers and the manufacturers of mobile device management systems in the various variants of those, are they up to where they need to be, from a protection standpoint?
Ralph Khan: Managing mobile devices and even managing IOT devices are very different because their usage patterns are characterized differently, the things you can do with them are very different, and the communication infrastructure they use are different. So if you take a mobile device, you take android devices those air fairly straightforward and easy to manage. And third parties can do a lot of things with them using mobile device management. You flip over to Apple on the other side, and that’s a closed ecosystem. So mobile device management tools can’t be as effective in that environment, because Apple just won’t give the developers access to the low level calls they need to be effective. You have this kind of hetero genius world, and it’s even worse than IOT. It’s the Wild West. You have hundreds of vendors putting stuff out there, none of which is manageable. You can kind of tell it’s there. You know that’s gonna be the Achilles heel that we’re gonna have to watch out for carefully over the next decade.
Tom Temin: I sometimes wonder about the password keeper apps. Who knows what the back door of those is?
Ralph Khan: I have the same concern you do. Who made the password key? Perhaps. What happens if the key to that gets hacked or somebody finds a flaw in it? It’s a big risk. So the whole password thing, I think I am hopeful we’ll make way for you know, kind of a multi factor authentication and things where using biometrics, that’s begun in the mobile world, and I think that’s very promising.
Tom Temin: Tanium tracks the various risks and you specialize kind of in an end point and end point device protection. What are the trends you’re seeing right now that people should just be alert to from that standpoint?
Ralph Khan: One of the interesting things that agencies and companies have discovered as they begin the process of figuring out more about what they have on what’s on their end point. It turns out that they have tons of agents on their end points, right? Most people thought they had five. The averages is 10. And when I look across the federal government, most of our customers are in the 15 to 25 range. And a lot of the CIOs air saying, “hey, that’s a lot.” And studies have borne out. Forbes published a study back in September where it demonstrated that the more agents you have and the more complexity you have on your end point, the more likely you are to get breached. And so CIOs are rightfully going, okay, now I have a picture of what I have, how do I consolidate all those little point tools into something smaller? Do I need them? Is there a platform that I could use that would do the same things? That would reduce the agent count and reduce my complexity? So it’s reduced complexity, get faster, more scale and automation. Those are the things I see happening right now.
Tom Temin: Sounds like there’s a lot of maturity yet to happen in the architecture of mobile devices.
Ralph Khan: I think so. I think it’s a lot of the Wild West. You can download whatever you want. If you look at the Google play store, very little security on that. You know, a Russian troll farm can upload an app and have that downloaded to thousands of machines in the U. S., and impact an election. We’ll know soon enough, I guess.
Tom Temin: Ralph Khan is vice president for federal at Tanium. Thanks so much for joining me.