Many of us would rather give up one of our limbs than stop using our mobile phones or tablets. But the more addicted we become to mobiles, the more opportunities there are to be infected by malware and other exploits. And if our phones are infected, chances are attackers can use them as a gateway to our corporate networks.
Mobile threats are on the rise, due to a perfect storm of circumstances. Mobile devices have traditionally been less protected than desktops, and the amount of malware in app stores is increasing. Some apps that claim to protect users are really infection vectors, known as ‘FakeAV’. Millions of users have downloaded these apps, quickly turning BYOD into BYOT — Bring Your Own Trouble.
In addition, reading emails on your phone means you have less time and less screen real estate to scrutinize their content, making it more likely you will open a phished attachment, click on a malicious link, or bring up a document that contains malware.
Finally, poorly constructed apps that are susceptible to man-in-the-middle attacks allow hackers to intercept data as it passes from a device to a server. Last February, security researcher Will Strafach identified dozens of iOS apps vulnerable to these kinds of attacks.
As a result of these threats, traditional AV vendors such as Avast, Symantec, and others have produced mobile versions of their endpoint apps. And a new category of startups — like Lookout Security, NowSecure, and Skycure — have begun to provide defense in depth for mobiles. Another player in this space is Check Point Software, which has rebranded its Mobile Threat Protection product as SandBlast Mobile (SBM).
This is a completely different product from the SandBlast product I reviewed last year. Check Point acquired the technology behind SBM two years ago when it bought Lacoon, another Israeli security vendor. I looked at SBM in June for this review.
SBM fits in between mobile device managers (MDMs) and security event log analyzers, and actually makes it easier to manage the overall security footprint of your entire mobile device fleet. You will still need an MDM product to really implement things such as application whitelisting, segregating work apps and data from personal ones, tracking a stolen phone, controlling network access, and other tasks that aren’t necessarily security-related. One of the nice things about SBM is that it works well with several MDMs, including Airwatch, MobileIron, Maas360, Blackberry Enterprise Server, and Good Technology.
[Figure: SBM’s phone status screen is simple and doesn’t have many controls. Image credit: David Strom/Check Point]
SBM comes with two critical parts: a smartphone app, either for Android (running at least v4.03) or iOS (running at least v8), and a web-based console that connects to various cloud components, including Check Point’s ThreatCloud malware investigation service. ThreatCloud collects malware and exploits from more than 100,000 nodes sitting on networks around the globe; it currently contains more than 11 million samples.
This is probably the simplest Check Point product that I have ever used because you can get it as a complete software-as-a-service tool that requires no hardware. (If you would rather have your data remain on-premises, Check Point sells a separate hardware appliance that will satisfy this requirement.)
The hardest part will be setting up integration with your MDM and log analyzers, as well as activating your end users. You can activate SBM either manually or automatically by installing it via an MDM. The manual method sends out a link to download the app via email or SMS notification.
I tested the SaaS version on a variety of Android and iOS phones, including my own iPhone 7. I tried both manual install methods as well as using the Airwatch MDM to automatically install SBM through one of its policies. Once downloaded, it is just a few clicks to install, even on iOS devices where extra confirmation dialogs are required.
SBM scans in depth
SBM runs four different protective scans on your mobile devices. The first type of scan is the analysis of known threats and malware signatures – which is what typical phone-based AV tools do.
SandBlast also adds three additional scans: