Securing Mobile Phones on the Organization Level: Interview with Kaymera CEO Avi Rosen
Avi Rosen has been in the field of cyber security for the past 20 years, long before the term cyber security was even coined. His background in software development led him to the fast-developing infosecurity sector: he became vice president for research and development at Cyota, which was bought by industry giant RSA for $145 million in 2005. At RSA he headed up the company's Anti-fraud product group. In 2013 he co-founded Kaymera, a company dedicated to delivering sophisticated mobile security to protect organizations and governments from mobile threats. In this article, he lays out his views on why intelligence gathering from mobile devices has become such a pressing security threat, and what we as users can do to keep our devices and data safe.
What's made you focus on mobile security?
In recent years, the intelligence gathering domain has become very much focused on mobile devices. Mobile devices are considered to be the ultimate intelligence gathering tools, providing unlimited access to end users' data and serving as an "intelligence tool box" in the hands of an attacker. Due to that shift in focus, we decided to build a solution that uses our knowledge of intelligence gathering techniques and applies robust and effective protective measures to users' privacy everywhere. This is how Kaymera came about, delivering military-grade mobile security solutions for governments and the commercial sector. We provide complete protection against threats without affecting the usability of devices, which means users can fully benefit from and utilize the capabilities of their mobile device while being protected against all mobile-related threats.
There are many security apps out there. What makes Kaymera a unique one?
Our product is a lot more than just an app. It provides a complete Mobile Threat Defense solution at the organizational level.
Our unique approach is to break down the organization’s mobile estate into different layers, identifying in the process different security needs and different risk levels of the various functions. We then apply different solutions for each layer, with various protection mechanisms and security policies to match the levels of risk and security needs identified.
Kaymera's hardened secured device, as an example, might be a good fit for those of the organization's functions that are the most sensitive in terms of their security needs and that might face the highest level of risk, while other functions that are not as sensitive would have their security needs satisfied with the Kaymera mobile threat defense application on top of their BYOD managed device.
Can you tell us a bit more about your hardened device?
We take a conventional, state-of-the-art smartphone and rebuild it with our own operating system, which is very similar to the system previously installed, but with added, built-in security layers such as voice and data encryption, secure networking, protection against man-in-the-middle attacks, malware and highly targeted Trojan attacks, physical data extraction techniques etc., all without affecting the usability, productivity and user experience.
The device looks and acts the same as a standard smartphone, but unlike normal security apps, Kaymera delivers complete, built-in (instead of bolt-on) effective protection. It delivers top-level military-grade security, applicable to government sectors as well as corporate enterprises that require advanced mobile security measures.
We also provide an application that can be installed on any device (iOS as well as Android) in a BYOD environment, into which we've implemented many of the same security features following the same layered security approach. Naturally, this application cannot provide the same level of security as the hardened device provides; however, it can definitely satisfy the security needs of those organization layers that face a lower level of risk. This Mobile Threat Defense application introduces highly advanced abilities to avoid, protect against and detect threats, while providing complete transparency and visibility into the devices' risk level and security posture to help maintain overall solid mobile cyber security health throughout the entire organization. Last but not least is our solution that helps connect any landline phone to the organization's secured communication hub, enabling secured communication channels between landline phones, Kaymera hardened devices and other BYOD devices powered by the Kaymera mobile threat defense application.
How does the Kaymera solution work?
We've added four layers of security to both our secured operating system and our mobile threat defense application:
- The first layer is encryption of data at rest as well as data in motion: every call, message and data transmission is transferred via an encrypted channel. Data sits on the device in an encrypted form.
- The second layer is protection of the device from penetration of malicious code or rogue applications. This layer monitors and scans the various interfaces to and from the device (Cellular, Web, Bluetooth, WiFi, USB etc.) for any exploit or misuse.
- The third layer is prevention of any unauthorized processes or applications that try to use the device's resources, such as the microphone, camera or GPS, with malicious intent.
- The fourth layer is detection, where the WiFi network, data channels and cellular network are constantly scanned for anomalies, and anomalies of applications and processes on the device itself are detected as well.
All those layers feed our powerful, self-learning Threat Risk Engine, which, based on the advanced risk analytics applied and past experience, generates a risk score according to which restrictive security policies are enforced. The Kaymera Threat Risk Engine looks at thousands of parameters to assess the risk level a user is facing in order to apply the most adequate security policy at any given time. Since usually 99% of the time the risk level is low, users can enjoy maximum functionality, productivity, ease of use and a carefree environment most of the time. In cases where anomalies are detected and a high risk level is generated, a powerful restrictive security policy is enforced to deal with any threat and manage any risk. Whether it's a 'man-in-the-middle' attack, voice or data interception, physical access to data or malware and Trojan attacks, if a malicious behavior is identified, the system can block access to resources for the entire organization if needed, based on that risk analytics outcome.
Is this done automatically or do you need to have someone to watch over the whole operation?
Some of these mechanisms are predefined out of the box. Kaymera also allows the IT security operator at the organization level to apply specific security measures based on the organization's security policy. Everything is managed through the management console that we provide, which can then be integrated into the IT security systems that are already in place.
How do you balance between usability and security?
Our system utilizes a "Risk Based Restriction" approach. Assuming that 99% of the users are not at risk 99% of the time allows the system to work regularly without affecting productivity or usability at all. Only when a high risk has been identified are restrictive security measures applied. For example: a user can connect to an unsecured WiFi network without any problem, since the encryption layer encrypts his data regardless of whether this network is secured or not, but when a 'man-in-the-middle' attack, for example from a compromised WiFi access point, is identified, the system will automatically disconnect from that network while, of course, informing the user of the identified risk.
What about applications installed by the users?
Most apps are legitimate, but if they require resources that are not crucial for their core functionality, we will limit them.
Once a downloaded app is identified as malicious or tries to leverage vulnerabilities, we can block it from being installed altogether and remove it from the system instead of blocking all apps, which is not our goal.
Unless an app was identified as malicious or risky, you can install any app, anytime. 99% of the time you won't even know that Kaymera is there protecting the device and data, but once you face a risk, that's when we get involved, securing your communications and your data. It doesn’t require you as a user to do anything specific; the system takes care of it for you.
What is the difference in approach between securing an Android phone and an iOS phone?
Generally speaking, there's very little one can do to secure an iPhone or an iPad.
As I mentioned earlier, we create hardened devices with our own proprietary version, but we can only do that with the Android operating system. When you use an app on iOS, you can only see what iOS allows you to see, and since that's very limited, you need to rely on the operating system to provide the underlying security for you.
The iOS hack that was recently discovered (AKA the Trident Hack) was able to exploit vulnerabilities at the iPhone's operating system level, and through that take full control over the device, gathering information, using various functions, and leaving no trace. None of the security apps from the various vendors out there that were running on top of the iOS operating system could even identify, let alone protect against, such attack vectors.
Those vulnerabilities were out there for months, if not years, but there was not a single app that managed to identify them except, of course, those who took advantage of them. That puts the iOS operating system in a totally different public light. We at Kaymera, of course, were already aware that such exploits and iOS-level vulnerabilities exist and have created our robust defensive system and secured hardened devices with the main purpose of battling such threats, which are most common in military or government environments. Nowadays we see migration of advanced, military-grade intelligence gathering tools to the commercial space, where they are being used for commercial espionage and business intelligence gathering purposes.
To sum things up, iOS cannot be effectively protected against zero-day attacks, and any application that claims otherwise is misleading its users. Our Mobile Threat Defense application is highly sophisticated, but it's still just an app that relies on the underlying operating system to provide a solid ground for its operation. In a nutshell, you can reduce the risk significantly by installing our Mobile Threat Defense app on a BYOD device; however, this will not provide you with a bulletproof vest. If the potential risk and security requirements are high, we recommend using our hardened device and switching to Android.
Is it true to say that the more sophisticated phones become, the more prone they are to cyber-attacks?
Phones are sophisticated enough, but sophistication is not the issue here. We need to ask why phones are being targeted, and why they're considered the ultimate intelligence tool. A smartphone is a powerful data gathering tool: it's got GPS and we carry it on us at all times, it has a large storage capacity, robust communication channels that can be recorded and stored locally, it's constantly connected to the network for ease of access, control and over-the-air data exfiltration, it has a microphone so rooms can be tapped, it has a camera for visual recording capacity etc., etc.
Just think about how much energy, how complex an operation and how many different devices were required in the past to gather all that intelligence; you'd need to break into a room and record whatever you could, at the risk of getting caught, and you'd still only be able to gather very limited information. Today all you need is to hack into a phone once, and start gathering data 24/7.
Cyber criminals have shifted from targeting laptops and computers to targeting mobile devices - for them, it’s the holy grail, because in 2016, smartphones have become a perfect tool for intelligence gathering.
How do you see the future of mobile cyber security?
I believe mobile security is still currently hugely underestimated. Many organizations have applied different levels of security by restriction schemes, but most of them are not really aware of how easy it is to access data or intercept communications using various techniques. Intelligence gathering tools used to be restricted to the military and intelligence agencies only, but nowadays, they are being used by cyber criminals. The more attacks that are revealed, the more organizations will take mobile security seriously, and when they do, they will have to avoid a one-size-fits-all solution approach and match the solutions applied to the various organization layers, risk levels and security needs while focusing on enablement and productivity.