Predicts 2017: Endpoint and Mobile Security
Security and risk management leaders face an ever-increasing assortment of security threats to multiplatform, mobile and personal devices amid increasingly chaotic work styles. Gartner's predictions provide a guide to prioritize endpoint and mobile defenses.
Key Findings
- Mobile malware has not been an issue in the eyes of enterprises so far; however, mobile attacks are increasing in both number and pragmatism.
- Non-signature-based anti-malware solutions are increasingly effective and will soon displace local endpoint signature database maintenance.
- Microsoft's built-in tools provide comprehensive security policies for Office 365, yet provide limited integration with other common SaaS applications.
- Many organizations continue to use portable flash media to carry and share data physically between work systems, business contacts and so on, without benefit of rigorous oversight.
- Users readily share or copy business information into their mobile and cloud storage systems, and pass even more through personal email accounts, without considering the consequences.
Recommendations
Security and risk management leaders responsible for endpoint and mobile security should:
- Evaluate and implement MTD solutions to strengthen their mobile security posture as a complement to EMM.
- View current nonsignature malware prevention solutions as a tactical measure only, since only one or two of the current bumper crop of endpoint protection vendors will survive beyond 2020.
- Demand and develop data security policy uniformity across SaaS applications. Prioritize third-party data security controls over built-in siloed data security from the SaaS application provider.
- Work with end-user groups to showcase EFSS as a complete replacement for physical media exchange. Provide incentives to introduce cloud-based file sharing as a preferred replacement.
- Limit flash data sharing to specific situations where physical isolation and manual transfers are absolute necessities.
- Promote file-based protections, and re-evaluate their utility in light of the reality of data leakage.
Strategic Planning Assumptions
By 2019, 25% of mobile-ready enterprises will deploy mobile threat defense capabilities on enterprise-issued mobile devices.
80% of current emerging vendors in the nonsignature malware prevention market will be acquired or merge by 2020.
By 2020, 50% of Microsoft Office 365 customers will maintain policy consistency across multiple SaaS products using third-party cloud access security broker (CASB) and enterprise mobility management (EMM) tools.
By 2020, 60% of current portable physical flash data carriers will be replaced by cloud-based business data sharing.
By 2020, capabilities such as enterprise digital rights management (EDRM) encryption will be the only durable, granular, file-level mobile data protection.
Analysis
Every year, Gartner analysts offer predictions on what we see as the key issues facing the markets we cover. Gartner's endpoint and mobile security analysts have developed a set of predictions in this space for 2017 and beyond. Security and risk leaders should consider these forward-looking Strategic Planning Assumptions when allocating resources and selecting products and services.
What You Need to Know
In this research, Gartner's analysts look ahead of present-day markets for notable trends in network segmentation, rights-managed encryption, native mobile containment and cloud security. In addition to Strategic Planning Assumptions in this research, several Gartner analysts use near-term flags to help clients track and closely monitor trends as they occur before the year of predicted full impact. The impact of the predictions in this research is shown in Figure 1 as a series of transitions in practices for media and file protection, authentication, SaaS policy management, and malware defense.
Figure 1. Predicted Changes in Endpoint and Mobile Security
Source: Gartner (November 2016)
Strategic Planning Assumptions
Strategic Planning Assumption: By 2019, 25% of mobile-ready enterprises will deploy mobile threat defense capabilities on enterprise-issued mobile devices.
Analysis by: Dionisio Zumerle
Key Findings:
Mobile malware has not been an issue in the eyes of enterprises so far.1 However, mobile attacks (Pegasus, XcodeGhost) and vulnerabilities (Stagefright, Heartbleed) are increasing in terms of both number and pragmatism. Enterprises are now looking for solutions that can enhance their mobile security posture.
Mobile threat defense (MTD) solutions combine signature-based checks with behavioral anomaly detection on the device, network and app layer.
Market Implications:
The first anti-malware solutions offered for mobile devices mainly provided signature-based anti-malware. However, enterprises have found little value here, as mobile apps on commercial app stores already undergo a similar process before publication. Furthermore, many of the most advanced attacks do not come in the form of an app on a commercial app store.
The offerings have been maturing their behavioral threat detection functionality and becoming more enterprise-friendly. Many MTD players are partnering with EMM suites to collaborate with mobile device management (MDM) tools and act in the case of an identified threat on a device.
Visibility of any third-party solution is limited to what mobile platforms allow them to see. Certain parameters and background processes are invisible to any app on a mobile device, and advanced attacks could still bypass some of these solutions. MTD variations with an always-on VPN connection to analyze traffic could be preferred by certain enterprises looking for greater security assurance.
Recommendations:
Security and risk managers responsible for endpoint and mobile security must:
- Start now to evaluate MTD tools, and gradually implement these solutions in complement to EMM.
- Propose installation of an MTD product in situations where BYO users are unwilling to allow EMM supervision on personal devices. MTD products emphasize individual protection rather than enterprise monitoring.
Strategic Planning Assumption: 80% of current emerging vendors in the nonsignature malware prevention market will be acquired or merge by 2020.
Analysis by: Peter Firstbrook
Key Findings:
The $4 billion enterprise market for endpoint protection is dominated by incumbent endpoint protection platform (EPP) vendors that are overly reliant on aging, signature-based detection.
In contrast, emerging solutions in the non-signature-based malware prevention market do not rely upon a traditional signature database. These solutions are complementary to the current EPP solutions; that is, the agent can coexist on the same machine side-by-side with an EPP agent without causing system stability or performance issues. Non-signature-based malware prevention also represents a strategic and preferred alternative, since the usefulness of signature approaches is declining as more effective alternatives are demonstrated.
Most current non-signature-based solutions have not yet earned sufficient market confidence to outright displace the incumbent EPP providers. However, several stand out for successful real-world client deployments and lab testing (such as AV-TEST Institute/AV-TEST.org), and make credible claims to replace the legacy anti-malware detection systems.
Complete replacement of existing EPP solutions is not simple. Most organizations use other important features in the EPP suites, such as endpoint firewalls, data loss prevention (DLP), peripheral device control, intrusion prevention, antivirus for Exchange servers or network storage, and disk encryption. Moreover, startups tend to focus on only one or two detection techniques. Successful solutions will use a number of different protection techniques. Consequently, companies cannot simply rip and replace existing EPP deployments.
Market Implications:
The flurry of startups in the endpoint protection market is not unprecedented. Since the late 1990s, a series of endpoint security markets has emerged only to be subsumed by the incumbent EPP giants. Consider that the personal firewall, spyware protection, port control, hard-drive encryption and data loss prevention markets were all expensive stand-alone solutions at one point. These products are now standard features of EPP suites, and the inclusion did not result in significant cost increases to the suites themselves.
New players in the EPP market will need to adjust their roadmaps to provide competitive features to address the entire EPP suite, and in many cases will take advantage of embedded capabilities in Windows 10. Incumbents, on the other hand, will need to shed reliance on signatures.
Recommendations:
Security and risk managers responsible for endpoint and mobile security must:
- Choose solutions that offer multiple malware prevention techniques and are focused on replacing the traditional endpoint signature database.
- Prepare for only one or two of the current trove of endpoint protection vendors to survive beyond 2020.
- Keep contract terms short. All EPP purchases should be treated as tactical solutions.
- Take inventory of all EPP features in use, not just anti-malware, and prepare a holistic replacement plan for all functions.
Strategic Planning Assumption: By 2020, 50% of Microsoft Office 365 customers will maintain policy consistency across multiple SaaS products using third-party CASB and EMM tools.
Analysis by: Brian Reed
Key Findings:
The Microsoft Office 365 ecosystem includes a bevy of tools and controls to improve security. However, Office 365 is seldom, if ever, the only SaaS application that an organization will deploy. The reality is that these built-in tools from Microsoft provide comprehensive security for Office 365, yet provide limited integration with other common SaaS applications, such as Box, Dropbox, Google Apps for Work, Salesforce, ServiceNow and Workday. Relying solely on the built-in data security controls within Office 365 leaves you also having to apply adequate controls to every other SaaS application, which may or may not be uniform with the data security controls applied to Office 365.
Even Microsoft understands this; hence its acquisitions of both Adallom (a CASB) and Secure Islands (for data classification) in 2015. These acquisitions form the foundation of Microsoft's information-centric protection offerings, including the Secure Productive Enterprise suite and Azure Information Protection, which focus on securing information itself, as opposed to securing data activity on endpoints or through SaaS applications.
Market Implications:
Organizations need data security policy uniformity across SaaS applications. Vendors are repositioning their products in ways that can help orchestrate fewer policies or a single data security policy across multiple form factors of mobile devices and scenarios involving multiple SaaS applications. To remain competitive, vendors must offer products that scale easily to multiple SaaS applications, rather than built-in siloed data security specific to each SaaS application provider.
Recommendations:
Security and risk managers responsible for endpoint and mobile security must:
- Quantify the policy error risks and incomplete data controls caused by managing separate data security policies across multiple SaaS applications in multiple products, particularly for mobile users, as justification for investing in a policy unification project.
- Unify policies across SaaS applications through the implementation of both third-party CASB and EMM products. This can provide an integrated homogeneous data security policy across multiple disparate SaaS services.
- Take an information-centric approach to security and move away from trying to secure the network or device that accesses content, and secure the information itself.
Strategic Planning Assumption: By 2020, 60% of current portable physical flash data carriers will be replaced by cloud-based business data sharing.
Analysis by: Bart Willemsen and John Girard
Key Findings:
Many organizations continue to use flash drives to transfer data physically. The risks involved, such as theft, loss or abuse of either the carrier or its content, have always been obvious. However, many companies have ignored or given up on attempting strict usage controls and encryption. These drives can be shared offline, which means that the data passes beyond anyone's ability to track.
Users complain about protection measures, and still leak data by sharing files with third parties, even unintentionally moving copies to other systems through acts as simple as opening a presentation on someone else's PC at a meeting. To make matters worse, this type of protection can fail when the external drive type is a file transfer app, optical drive, hard drive, phone or other memory device not recognized as flash.
The degree to which data breaches occur through removable media is not clear, but this is a contributing factor to lawsuits alleging data leakage, as are fines and penalties. Poor handling of removable media will become a showcase for unacceptable risk.
Market Implications:
Specialized high-security removable media is an order of magnitude more expensive than generic media. A small number of vendors continue to sell these into niche industry sectors, including government. Both highly secured and software-encrypted generic media can be voluntarily misused, and shared files remain difficult to track and audit.
In contrast, cloud-based enterprise file synchronization and sharing (EFSS) solutions are highly scalable and can be made highly secure, to the point where EFSS providers are making it easy for companies to manage file encryption as well as all of the keys used for sharing files in third-party storage services. Online storage and sharing means that risk mitigation measures in data management, including user authentication, access policies, names of files and their contents, can be tracked, logged and audited on a granular level in near-real time.
As more applications move to cloud environments, confidence in the use of cloud infrastructure is increasing. SaaS operations will increasingly include the implementation of CASB and other mitigating measures to supersede the costly security implication of retaining physical data carriers for exchange purposes.
Risk-mitigating measures in data life cycle management include a granular approach for further processing and adoption of encryption, tokenization and access security measures. User authorization and authentication, data encryption, and transparent data location controls in a cloud-based environment provide organizations with controls that will increasingly supersede existing measures used for physical data carriers.
Recommendations:
Security and risk managers responsible for endpoint and mobile security must:
- Showcase encrypted EFSS as a complete replacement for physical media exchange. Provide incentives, including improvements to business process workflow, to introduce cloud-based file sharing as a preferred replacement.
- Limit flash data sharing to specific situations where physical isolation and manual transfers are absolute necessities. Apply risk-benefit analysis for the total cost and effective coverage of mitigating measures in both physical and cloud-based personal data exchange scenarios.
- Promote file-based protections such as EDRM and have them re-evaluated in light of the reality of data leakage brought about by mobile work styles, personal devices, cloud sync and sharing systems, and so on.
Strategic Planning Assumption: By 2020, capabilities such as EDRM encryption will be the only durable, granular, file-level mobile data protection.
Analysis by: John Girard
Key Findings:
Attacks intended to bring down infrastructure are serious concerns, but the greatest risks for many companies are theft, loss and misuse of critical business information, and the penalties for compliance violations and damages. IT departments assume that device boundary defenses are the most important points at which to protect access to data. But hackers and insiders are adept at exploiting vulnerabilities in networks, OSs, apps, firewalls and users in order to claim information. Further complicating the situation, users readily share or copy this same information into their mobile and cloud queues, flash drives, and personal email accounts in ways that make theft easier. Business data must move and be shared for a business to function.
Traditional endpoint boundary defenses, such as disk encryption, containers and DLP, are important and must not be abandoned. But next-generation defense-in-depth must take place at the level of individual files, must be persistent and must embody business rules for access. This strategic direction is often overlooked because the logical choice, EDRM, is not popular. Where it is not overlooked, the methods for protection are deemed to be unfriendly to users and administrators. But the fact remains that companies can no longer control data movement. These objections are obsolete, increase risks and need to be re-evaluated in light of the reality of data leakage brought about by mobile work styles, personal devices, cloud sync and sharing systems, and so on.
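The file-level, persistent, policy-embedding protection described above, as an added illustration that is not part of the Gartner report and not any vendor's EDRM implementation: a constructed Python example that binds an access policy to the encrypted content, so the policy is enforced wherever the file travels and cannot be edited without invalidating the file. The key identifier scheme, master key, user names and policy fields are assumptions; the HMAC-based stream cipher is a stdlib-only stand-in for a real authenticated cipher such as AES-GCM, which a production agent would use instead.

```python
"""Toy illustration of persistent, file-level protection with an embedded
access policy (EDRM-style). Constructed example: the HMAC-based stream
cipher stands in for a real AEAD such as AES-GCM."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Assumption: an organisational key service holds the master key; the
# protected file carries only a key identifier, never the key itself.
MASTER_KEYS = {"kid-2017-01": hashlib.sha256(b"demo master key (constructed)").digest()}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream block by block with HMAC-SHA256 over (nonce, counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(plaintext: bytes, policy: dict, kid: str) -> dict:
    """Wrap a file so its policy travels with it and is bound to the ciphertext."""
    key = MASTER_KEYS[kid]
    nonce = os.urandom(16)
    header = json.dumps({"kid": kid, "policy": policy}, sort_keys=True).encode()
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    # The tag covers header, nonce and body: editing the policy breaks the tag.
    tag = hmac.new(key, header + nonce + body, hashlib.sha256).digest()
    return {"header": header.hex(), "nonce": nonce.hex(), "body": body.hex(), "tag": tag.hex()}


def open_protected(blob: dict, user: str, action: str, now: datetime) -> bytes:
    """Verify integrity, then enforce the embedded policy before releasing plaintext."""
    header = bytes.fromhex(blob["header"])
    nonce = bytes.fromhex(blob["nonce"])
    body = bytes.fromhex(blob["body"])
    meta = json.loads(header)
    key = MASTER_KEYS.get(meta.get("kid"))
    if key is None:
        raise ValueError("unknown key identifier")
    expected = hmac.new(key, header + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("tampered file or policy")
    policy = meta["policy"]
    if user not in policy["allowed_users"]:
        raise PermissionError(f"{user} is not authorised")
    if action not in policy["permissions"]:
        raise PermissionError(f"{action} is not permitted")
    if now > datetime.fromisoformat(policy["expires"]):
        raise PermissionError("access has expired")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def demo() -> dict:
    """Exercise the allowed path, three policy denials and a forged policy."""
    policy = {"allowed_users": ["alice@example.com"], "permissions": ["view"],
              "expires": "2017-06-30T00:00:00+00:00"}
    blob = protect(b"Q2 forecast: confidential", policy, "kid-2017-01")
    march = datetime(2017, 3, 1, tzinfo=timezone.utc)
    july = datetime(2017, 7, 1, tzinfo=timezone.utc)
    results = {"alice_view": open_protected(blob, "alice@example.com", "view", march)}
    for name, user, action, when in [("bob_view", "bob@example.com", "view", march),
                                     ("alice_print", "alice@example.com", "print", march),
                                     ("alice_late", "alice@example.com", "view", july)]:
        try:
            open_protected(blob, user, action, when)
            results[name] = "allowed"
        except PermissionError as exc:
            results[name] = f"denied: {exc}"
    # A copy with the policy edited to admit bob: the tag no longer matches.
    forged = dict(blob)
    edited = json.loads(bytes.fromhex(blob["header"]))
    edited["policy"]["allowed_users"].append("bob@example.com")
    forged["header"] = json.dumps(edited, sort_keys=True).encode().hex()
    try:
        open_protected(forged, "bob@example.com", "view", march)
        results["forged"] = "allowed"
    except ValueError as exc:
        results["forged"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the example makes is structural: because the tag binds the policy to the ciphertext under a key the reader never holds, copying the file to a flash drive, a personal mailbox or a cloud share changes nothing about who can open it, and an offline edit of the policy is detected before any content is released.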
Market Implications:
Data losses are at an all-time high,2 and data breaches, both criminal actions and careless accidents, must be prevented by any and all means. The competitive opportunity for vendors is to reduce the vulnerability of access to protected information by developing more scalable file-level protections that are independent of both the platform and the user's actions. A major success factor involves the reconciliation of keys and key management applied to different layers of encryption. In 2017, protection solutions must account for the many ways that business information needs protection as it moves. Vendors in at least nine endpoint encryption markets are converging on a blended set of defenses to close as many leak points as possible.
Recommendations:
Security and risk managers responsible for endpoint and mobile security must:
- Maintain a blend of several information protection methods while endpoint protection vendor market segments slowly converge.
- Look for faulty organizational assumptions that create weaknesses in your defense of sensitive information.
- Continue to use basic protection methods such as disk encryption and removable media encryption as a first line of defense against device-level data theft problems.
- Begin trials to implement EDRM or similar capabilities for everyday file protection. EDRM promises to be the most flexible and pervasive future technique to protect files, regardless of where they travel, using persistent policies from the moment of creation.
A Look Back
In response to your requests, we are taking a look back at some key predictions from previous years. We have intentionally selected predictions from opposite ends of the scale: one where we were wholly or largely on target, as well as one we missed.
On Target: 2005 Prediction: "Fast-spreading virus or worm won't affect mobile devices before year-end 2007."
Original analysis by John Girard and John Pescatore
To combat a lot of mobile phone malware hype at the time, back in 2005, we predicted that fast-spreading mobile malware would not be a significant threat before year-end 2007. We published this in "Management Update: Fast-Spreading Virus or Worm Won't Affect Mobile Devices Before Year-End 2007" in 2005, and again in a 2009 Gartner blog post, "Whither Mobile Malware?" Our prediction named three conditions that would trigger problems. These included widespread adoption of smart wireless personal devices, ubiquitous use of wireless messaging to exchange executables and operating system convergence. Only the first trigger has been fully established.
The prediction was correct in terms of timing, but not in terms of impact. The first example of a propagating worm type of exploit happened on the iPhone in 2009.3 It was made possible due to a significant presence of a single OS-based phone (widespread smartphones and OS convergence) in a contiguous geographical network (network convergence), and affected people who had jailbroken their iPhones and installed Secure Shell (SSH) with a default system password (allowing unplanned exchange of executables and data). This was a real worm outbreak, not a simulation. Fortunately, the outbreak was contained in Australia, and only affected iPhones with these specific modifications.
Further examples of fast-spreading problems have been insignificant on the iPhone because Apple makes jailbreaking difficult, and was early to develop a curated app store. Those two factors have postponed the second trigger. Android was historically more vulnerable, due to lack of source control and easier jailbreaks, and thus fueled the establishment of the MTD market. Mobile device safeguards are improving on all platforms. Enterprise-grade security standards, OS lockdown by default, increasingly prompt platform patches and updates, and the use of EMMs to enforce safe configurations on smartphones and tablets further limit the ability to rapidly spread malware in enterprises. However, companies must be vigilant about inferior "BYO" devices that are not and cannot be made safe, as these devices could potentially fall victim to all three trigger conditions.
The qualified success of mobile device security should be regarded as a lesson and a warning for the Internet of Things (IoT) industries, because the same prediction conditions apply. The IoT world is far less standardized, and more vulnerable on a massive scale. So the three trigger conditions have been mitigated to a large extent on today's mobile devices, and are not presently controllable by any clear means in the IoT world. The October 2016 nationwide U.S. distributed denial of service (DDoS) attack4 is a poignant example. IoT industries need to consider the same trigger points as we cited for mobile devices, and put processes in place now to prevent worse incidents.
Missed: 2012 Prediction: "By 2016, face recognition will become an enterprise-class authentication option for smartphones."
Original analysis by Ken Dulaney
This prediction appeared in "Predicts 2012: Mobile and Wireless Technologies Rise." In 2012, progress on face recognition was strongly anticipated, owing to improvements in software, cameras, broad optical spectrum analysis, 3D scanning and a strong desire for a better user experience (UX). The failure of face recognition to become popular is largely a matter of user attitude and a preference for simpler methods. In particular, Apple redirected interest for biometric authentication in smartphones with the introduction of Touch ID in 2012. Since then, the majority of buyers and companies seeking biometric authentication for smartphones have treated this as a "good enough" method. The prediction is valid, but it will take several more years before adoption is mainstream.
However, the risks for defeating fingerprint systems are troubling, and Gartner cautions against regarding fingerprints as enterprise-class authentication. For example, scanner resolution suffers due to cost margins; fingerprint samples can be obtained without consent; there is no test to determine if the fingerprint source is alive; and accountability deteriorates in multiuse shared device scenarios.
Although device-embedded fingerprint authentication modes are commonly integrated in mobile banking apps, the security best practice Gartner recommends is to use face and voice (singly or in combination) as well as scleral vein scans. These modes will likely gain both consumer and enterprise traction in mobile use cases by 2020, especially as adoption of Windows 10 with Fast Identity Online (FIDO) credentials and Windows Hello's out-of-the-box support for new biometric modes (face and iris) stimulates buyers' interest in those modes for other devices.
Evidence
1 Verizon's 2016 Data Breach Investigations Report
2 The sluggish global economy has certainly not translated into a corresponding slowdown in criminal efforts to compromise personal information. The total number of reported data breaches reached an all-time high of 3,930 in 2015, exposing over 736 million records. See Risk Based Security, "Data Breach QuickView 2015 Data Breach Trends."
3 "First iPhone Worm Discovered: Ikee Changes Wallpaper to Rick Astley Photo," Naked Security by Sophos, 8 November 2009.
4 N. Perlroth, "Hackers Used New Weapons to Disrupt Major Websites Across U.S.," The New York Times, 21 October 2016.