Mobile device logging: MRI for healthy networks

This content is sponsored by Zimperium.

Logging may not be the most prominent part of identifying and mitigating threats to federal systems, but it is one of the most important.

Security event logs are used to protect system and network integrity. They provide insight into whether an organization has all the controls it needs to mitigate attacks. Just as an annual MRI provides visibility into the current health status of issues that would not otherwise be visible, mobile threat detection gives agencies visibility into otherwise obscured device health issues.

To prevent mobile security from becoming the Achilles' heel of network health, agencies need solutions that help them log security events on their devices.

Persistent Threat Risk Mitigation

Persistent threats to federal networks have only increased in recent months. In mid-February, the Cybersecurity & Infrastructure Security Agency noted that Russian state-backed actors were targeting licensed defense contractors. Since then, CISA has issued additional reminders stating that while no specific threats to federal networks have been detected, vigilance will continue to be of the utmost importance.

Logging requirements everywhere

In addition to persistent threats, federal agencies must also comply with mandates that require the logging of events. Mobile device security is fundamental to meeting the zero-trust requirements set out in the Biden administration’s executive order, which means agencies need ongoing device attestation.

To ensure that organizations meet the Device Pillar requirements for Zero Trust Architectures, security event logging for mobile devices is imperative.

OMB M-21-31

In August 2021, the Office of Management and Budget released M-21-31, which defines a maturity model for managing event logs in response to EO 14028 on improving the nation's cybersecurity. OMB M-21-31 defines four levels of maturity:

  • EL0 Ineffective: The most critical logging requirements are not met or are only partially met.
  • EL1 Basic: Only the most critical logging requirements are satisfied.
  • EL2 Intermediate: The highest and intermediate criticality logging requirements are met.
  • EL3 Advanced: Logging requirements at all criticality levels are met.

To achieve even the basic level of logging required by the administration under OMB M-21-31, agencies should collect and retain the following security logs from their enterprise mobility management or mobile threat detection (MTD) solutions:

  • Alerts
  • General data
  • Device data
  • Application Data
  • Device policy settings
  • Device configurations
  • Network settings
  • Event, audit, and crash logs
  • MTD Agent Information

In short, mobile device security and event logging are mandatory to meet OMB requirements as agencies move toward EO 14028 compliance.

FISMA CIO Metrics for FY2022

In December 2021, the Executive Office of the President and the Department of Homeland Security jointly released Version 1 of the FISMA CIO Metrics, which will be used to monitor agencies’ progress toward strengthening federal cybersecurity. This release updates the Federal Information Security Modernization Act measures to reflect the new reporting requirements outlined in the Executive Order.

Under the definition of “hardware assets”, FISMA CIO metrics specifically include mobile devices such as smartphones, tablets and pagers.

As part of the environment enumeration, agencies should include these devices in two sections:

  • Section 1.2 on the number of physical assets operated in an unclassified environment
  • Section 5.1 on the number of government-provided hardware assets that are fully IPv6-capable

It all makes sense. If an agency does not include a mobile device in their asset inventory, they will not be able to manage it or collect logs for it.

Mobile Device Attestation and Logging

When digging into the event log data that agencies need to collect from their MTD agents, the requirements become even more demanding. Under OMB M-21-31, agencies are also required to document:

  • Agent activation state
  • Threat detection of various vulnerabilities
  • Phishing protection status
  • Tampering with agents, applications or systems
  • Escalation of privileges
  • Man-in-the-middle attack activities
  • Corrective measures taken
  • The last time devices were synchronized with company systems

Mobile device management and enterprise mobility management solutions create the system of record needed to meet minimum baselines. However, with the increase in persistent threats on federal networks, minimum compliance basics are not the same as effective security.

Mobile threat detection for security and compliance

Continuous device attestation is the MRI for Zero Trust Architectures. Agencies need real-time mobile device analytics in five areas, along with logs proving visibility into each:

  • Device Weaknesses
  • Operating system vulnerabilities
  • Network attacks
  • Phishing attacks
  • Application vulnerabilities

To keep federal networks healthy and secure, agencies need an MTD solution that gives them the continuous attestation and logging required to meet those compliance mandates.

They also need an MTD that can prevent attacks even when devices are not connected to networks. Attackers often use unsecured cellular networks as part of their attacks, so devices can be at risk even if they never connect to a public wireless network.

Secure all mobile devices with Zimperium zIPS

Zimperium zIPS is the only mobile security solution with real-time, machine learning-based on-device detection for Android, iOS, and Chromebook, supporting the implementation of Zero Trust architectures while meeting compliance requirements for security logging.

The Zimperium solution captures forensic and other events for real-time or near real-time feedback on a mobile device’s security posture. It recognizes normal web traffic activity, such as secure websites. When it detects abnormal activity on a device, zIPS sends an alert to the user and blocks malicious activity, such as stopping a phishing link from loading. The zIPS Engine z9 is the only solution to provide full-device mobile threat defense, having detected all mobile exploits for the past six years.

As the only machine learning-based detection engine fully integrated into the device, the Zimperium z9 zero-day detection engine protects the entire device whether it is connected to the Internet or not, protecting devices against malicious actors who disconnect or redirect traffic when connected to a cell tower. Since zIPS is not signature-based or cloud-dependent, it supports overall endpoint security by filling the gaps created with mobile devices.

Zimperium provides an MTD maturity model that accelerates agency compliance with the OMB memorandum. The model’s maturity levels provide guidance on priority threat areas, policy recommendations, milestones, and security scores. After determining a maturity level, the MTD maturity model suggests next steps, including specific measures, metrics, and outcomes.