Hello, everybody, and welcome to What's the problem, the show that explores problems in the world of cyber security.
Today, we are fortunate, not just for the first time but for the second, to have Graham Smith of IBM joining us.
Mike Krass: Graham, say hello to the listeners.
Mike Krass: Graham, wave your right hand because last time you were on the show with that left hand for the listeners.
Graham Smith: Waving the left hand for the listeners. It’s great to be back, Mike. Thanks for having me again.
Mike Krass: Absolutely. We'll go with an abbreviated first question of why you're qualified to talk about security. Because if you've been listening to the show, you should listen to the first episode with Graham anyways. Graham, just to give a little bit of a nibble, as a shorter version of why you're qualified to talk about security. Can you tell the listeners?
Graham Smith: I'll go ahead and just give my role real quick. As I went over my background, in the last episode, I am the IBM Security software seller for the Southeastern Territory, which includes DC, Maryland, Virginia, public education, and all public entities through DC, Maryland, Virginia, as well as some selected healthcare institutions. I've been in security for about three and a half years now and selling the full portfolio so SIEM, automated response, identity access, and database management.
Mike Krass: And if I remember, he used to do a little bit of endpoint security. Are you still? Am I correct?
Graham Smith: Correct. Sorry, endpoint security as well. That's one of our tools that I worked on previously and is taking a back burner on my portfolio, but still something that I work on on the side as well.
Mike Krass: Well, I'm going to be a trial lawyer here. I'm going to lead you to this second question. Normally, the second question is, “Hey, Graham, name a problem.” But guess what? We already know we want to talk about endpoint security, so let's talk specifically about endpoint security. You were thinking about the supply chain thing about telecom providers like Verizon and AT&T. Let's settle down there, Graham. What is a problem in the endpoint security space?
Graham Smith: As I said, I am working on the full portfolio, including endpoint management. I came from a background in endpoint management and enterprise mobility management, and managing the whole mobile environment. So not just smartphones, but laptops and desktops, and tablets. I would have to say that one of the biggest issues that I have seen working in the endpoint management space and mobile environment, whether it's through the distribution network with the major vendors like AT&T and Verizon, or just working with the public entities directly, who are purchasing from these major vendors, is trying to meet compliance guidelines for each industry. So whether it's health trying to meet data protection guidelines or public safety, the FBI or CJIS public safety requirements. Those were the biggest use cases and issues we saw coming to our desk when clients were looking for an enterprise mobility management solution, trying to ensure that all their devices were locked down and secured. Trying to meet all of those compliance standards is something that people struggle with. There are a lot of different ways to do it. But I think what most people were looking for was a custom, tailored, a downloadable situation where you can have your enterprise mobility management solution, but it comes with the CJIS and HIPAA requirements, policies, and compliance regulations that you need to be preloaded out of the box into the solution. And there aren't a lot of solutions that come with that, so I would have to say that one of the biggest issues we faced was trying to get people the out-of-the-box solution that they were looking for to try to meet these industries' federal regulations and certifications.
Mike Krass: Are you saying that IBM does do that? Or do you have more of a bespoke? Could I call it more out of the box, but not purely like rip the cellophane off, and it's out of the box?
Graham Smith: I’ll try not to be too biased and talk about IBM products here. But IBM does have a good endpoint management solution. As far as MaaS360, it's one of the premier enterprise-level solutions, and I wouldn't say we're the only ones that offer the out of box experience. There are a couple of our competitors that do as well. The difficulty of trying to align them with all the security policies and compliance guidelines within the solution is something that many people were looking for. And none of the solutions have built into them unless you are making sure that you hire the right services. The services side of things when implementing a new IoT solution is always going to add to your budget quite handily, especially when trying to meet federal regulations. Trying to find the right price to get people the out-of-the-box experience they're looking for, especially because many of these entities were publicly funded state entities with a minimal budget. So that was one of the struggles I saw in securing public data across the United States, especially at the endpoint level.
Mike Krass: So you broached the topic earlier? And I'd like you to answer this question, not just from the perspective of IBM but also from the competitors. You mentioned that a few other folks besides IBM do this out of the box. How many air quotes don't out-of-the-box solutions require any solutions provider? Or some sort of professional services contract behind it? Are there any that you can truly get out of the box? And then configure yourself? Or is a professional services component always involved in configuring and setting up?
Graham Smith: Yeah, that's a great question, Mike. I can't speak to our competitors. But for IBM, we always tried to include five hours of services, just baseline into these MaaS360 solutions that we were selling. We want to make sure that people have the starting ground they need. First off, the most important thing with an enterprise mobility management solution is getting visibility over your entire mobile environment. So first things first are ensuring that we're working directly with their vendor provider regarding their devices, whether Verizon, AT&T, or Sprint, and ensuring that we upload their devices into the solution. There are a couple of ways to do this. You can go through a manual enrollment route, where you enter a spreadsheet into the solutions and send out a bunch of registration requests to each device.
Mike Krass: Oh, through the device by device?
Graham Smith: Exactly. But the best way to do it at an enterprise level, because obviously, that's going to require a lot of manual work for your IT staff, is working directly with Verizon, AT&T, Sprint to work through device enrollment programs. Device enrollment programs give you a little bit better out-of-the-box experience, and these device enrollment programs are not just unique to MaaS360. These are enrollment programs that all the major vendors use for enterprise mobility management solutions. The two device enrollment programs, the main ones are Android Enterprise, Apple Business Manager, and Samsung Knox. The way that this works is we, as a vendor for the enterprise mobility management solutions, so for us at IBM, it would be the MaaS360. We would be working directly with your cellular provider and you as the client throughout the experience, making sure that there's a constant train of communication, how many devices you're looking to enroll, when are you looking to enroll them, and then making sure we work with the cellular provider to go through those device enrollment programs. It's not a one-to-one SMS text registration but a full enterprise-level initiation of these devices into the solution. The way it would work is once the client decides how many devices they want from the vendor, whether it's one of the big ones, Verizon, Sprint, and AT&T, they would then come to us and say, “Hey, this is how many devices thereby.” We need to match this device count with the amount of license counts, so we would then get them the licenses they need. We would then ask Verizon, AT&T, and Sprint to open up one of these device enrollment program portals. The Apple Business Manager, if they purchased iOS devices, the Android Enterprise that they purchased Android devices or the Samsung Knox where they purchased Samsung devices.
And then, since you know Verizon, AT&T and Sprint, are the ones distributing the hardware here, whether it's tablets, smartphones, or laptops, they would have the exact serial numbers to input into those device enrollment programs so easily enabling enrollment of 10,000 devices without having to get an individual spreadsheet, send out SMS, and one to one invitation request to joining the solution. So that's the enterprise-level scalability of the solution, which many people are looking for. We're out of the box, and that's something that most of the major providers outside of IBM do provide.
Once you get to that stage, the services talk comes into consideration. I'm pretty technically adept. I've worked within the MaaS360 solution a lot. As a new client walking into it, it is something that you wouldn't be able to operate without services, and that was your original question, a long-winded answer here. But it is something you would be able to work on directly if you have familiarity with mobile devices and how you can operate within settings and get serial numbers from settings. That's the only technical training you need, and the part of the service helps a lot with getting set up. But all of these solutions are solutions that an internal IT staff should manage, and I think that's the biggest thing.
And something that I talked about with you a little bit prior is one of the biggest things that I saw, as far as success with managing one of these enterprise level solutions is having an IT admin specifically monitoring all the visibility of all the devices going into the solution, at least once a day, making sure all the devices are online, no devices are lost or stolen, just making sure that nothing is compromised on a daily basis. And having a body in the seat of that admin seat and watching over and gaining visibility over the mobile environment. That would be one of the biggest things post initial services cost and getting set up and working with your vendors to get all the devices moved into device enrollment programs. It’s having an admin in that seat to watch the solution take care of the visibility of the environment.
Mike Krass: The last question here will be skeptical. I need you to correct me. It's called the device enrollment portal, or what's the portal called?
Graham Smith: The device enrollment program. Your Apple Business Manager and Android Enterprise are the intermediaries between the big vendor and the public organizations using the solution.
Mike Krass: Yes, I've got my feet in the shoes of the security buyer IT manager for the Fairfax County school system monitor. You might have picked that on purpose, so you're telling me, “Mr. IBM sales guy or Mr. IBM sales guy's competitor. I can securely enroll all these devices. We will use either Samsung Knox, the Apple one, or the Android one, and the telecom company, AT&T or Sprint or Verizon, will be able to access this securely. And as the IT manager sitting in Virginia will be able to access it securely and nobody else.”
I asked that question because it seems to be a vulnerable point that it used to be more of a BYOD policy for the school district. And employers will give you a cash addition to each paycheck to pay for your cell phone or something. The county says, “What? We got to button this down. We can't let every Joe and Jane run in here with iPads, Android, and tablets.” It just seems to be a point of vulnerability. I'm trusting the Android, Apple, and/or Samsung enrollment programs because if it gets enrolled incorrectly from the beginning, it will be an absolute nightmare to undo. Or there could be an opportunity for one of our clients to use the word fraudsters to say fraudsters are everywhere. It'd be an opportunity for fraudsters to open up or identify that part of the attack surface that wasn't there. Fairfax is upgraded, and they're ditching the BYOD thing. And now they're going into this enrollment program. I'm the skeptical IT manager here, and I'm just asking this final question of our episode: how secure can this be? Has anybody ever had any intrusions at the deployment level that screwed him up from day one?
Graham Smith: Yeah, that's a fantastic question. In my experience, at least through the enterprise level enrollment. I have ever seen any kind of breach or hack at that point of the dip. You brought up something very interesting, the Bring Your Own Device piece. So for the Bring Your Own Device piece, you cannot enroll those personal-owned devices through an enterprise-level program like Apple Business Manager, Android Enterprise, or Samsung Knox if you purchase them personally. Even if you got a stipend from your corporation, you would have to enroll those through the one-to-one SMS text message deployment, and email deployment. So that is something that we had to delineate to clients more than not, because a lot of times, there's already a previous deployment of 100-150 guests, bring your own devices. We're going to a public entity and saying, “Oh, well, you'll have to do one-to-one enrollment for all. Currently, bring your own device, as well as enroll the new devices that you're purchasing.” Not just that, but when you enroll a device within an enterprise-level management tool, like MaaS360, Intune, VMware, or any of the above, you have to wipe the device. So to your question about ensuring the devices are safe while enrolled. Every mobility management platform I'm familiar with requires a factory default wipe of the device before enrollment to allow the management software to take control of the device. So once that happens, you can go back and do an Apple or Android cloud backup and get all your data back once the device is enrolled into the solution. It's a completely blank device. It's freshly made, brand new, and from the BYOD or corporate-owned device side. So that eliminates the threat aspect there. But then, once the cloud backups are downloaded, for instance, on a bring your device, many people can have harmful data, and that's exactly when the tool comes in action.
So if someone downloads a cloud backup on a personally owned device, and you know, they have some kind of phishing email or malware instance, downloaded onto one of their applications on their device that was like a privately downloaded open source application or something like that. That's when the MaaS360s, the Intunes, the VMwares immediately go and say, “Hey, this device is flagged. You need to look into this device. This device has been a vulnerability scan for malware. There's a phishing email on here.” It will tell you all of those vulnerabilities within that device. If you set it up and get it set up at the enterprise level through one of these device enrollment programs, you'll be able to access email threads and text message threads. It's not just the hardware and device security but all the corporate access data on the device. So even user Active Directory, all that is taken into account into these solutions and managed from a security policy level within the solution by the admin. We get rid of any deployment level intrusion by the wipe, but once the devices are cloud backups, that's when you can spy out any previous vulnerabilities or susceptibilities, especially in a bring your own device.
Mike Krass: Yeah, and that's where you saw where I was driving that conversation train. We're spinning up 5000 device deployment. I can just slip in one year with some malware on it, and nobody's really going to know. Maybe I don't get it directly from the OEM, not being Verizon, but your actual original equipment manufacturer. Maybe I can slip in like a BYOD want my own devices and friends snap something receptor and bring something nasty onto the network or into the environment. But it seems as if that would get detected fairly quickly, as soon as that cloud backup, because we'd look at that event log and you'd see he downloaded an iCloud backup.
We didn't have all of these alarm bells going off before that, and now we do, and it's this specific device with the serial number because that's how it is brought on through the enrollment program. We know exactly whose device it is. We know exactly what's going wrong with it. We can now address that as security for an IT department. Since not a lot of public school districts have fully functional security operation centers, it's more like an IT department that would notice that
Graham Smith: And that is also where some compliance and security policy use cases come into place. Once you enroll those devices, you can see some of your susceptibilities on the Bring Your Own Device side on the corporate side. Usually, you don't have any on the corporate side because they're brand new devices. But that gives you an idea of what your end users are doing. Post cloud backup, and you can tailor your security and compliance policies based on that. Make sure that you're locking people down with VPNs and doing single sign-on for all corporate applications and corporate email. Make sure people are who they say they are on the Bring Your Own Device, especially because those devices are more susceptible to getting lost and stolen, which is probably the biggest issue regarding mobile security. Meeting the compliance standards for CJIS and HIPAA is extremely important, but at the end of the day lost and stolen devices. If someone has access to a physical device, that's the easiest way for someone to get into your corporate network. So that's one of the things that we try to deploy with public safety use cases, as well as making sure that they have geo tracking on devices, making sure that they can set off a siren on a device or loud noise, and make sure that they can wipe the device remotely. So when it comes back to the overall security posture of your endpoints and making sure you meet up with these compliance standards that the federal government is distributing, as well as bring your own devices, it's custom tailoring the security policies and compliance pieces within the solution over a period of time to once you get to that stable security posture point where you have the full visibility. And that's really where the services come in is, right at the beginning, as we talked about a couple of minutes ago.
Many people can identify some of those susceptibilities based on what they're seeing in their first 10 to 15 days with devices and rolling the solution and can monitor it and be their own consultant. But with meeting some of the CJIS and HIPAA compliance policies, we just recommend having services because we have services folks who have been there before done that, and making sure that we get them the correct security policies for each of their industries, and making sure all the compliance standards are within reason of what they're looking for. The compliance pieces from the federal government make it more likely and more applicable to have a services team when you're starting to build out the solution. But you can build one of these out yourself if you know what you're looking for, and I know where some of your susceptibility lies, as far as your mobile environment, so
Mike Krass: Well, we're coming up on time here. I wanted to share a story you just reminded me of, talking about an incident response plan concerning these endpoint devices. This was before COVID, say the fall of 2019.
I was in Seoul, Korea, and a friend who lives in Texas also happened to be there with her husband. He was there for work. She was over there because why not. It was funny. We were messaging on here. We just got here into the olive branch of the airport and were taken off. We missed each other, and she texted me about a day later and said, “Listen, I just landed back in Texas, and I forgot my work iPad in the JW Marriott.” I was staying at a hotel next to that because we exchanged information about where we were. And I was like, I can go get it for you. I live one state over from I can easily get this back to America if you need to. The incident response plan was interesting because she said, “Let me check that. I'll probably take you up on that.” And six hours later, she messaged me back and said, “It's already been remotely wiped on the device. All my logins have been destroyed.”
The security IT team doesn't want you to touch it because they don't know who you are. And they'd rather do it if they've already deleted all the data and the applications and everything off the physical device. She worked for this big global company that will have a courier box it up, secure the device, brings it back, and ship it back to Texas as an overnight freight or whatever. Their IRP indicated something around once it gets back to Texas. It'll be air gap play for I can connect it to anything read look at it to make sure that nothing was added in transit or when he left it behind. It's just so interesting to hear that incident response plan they had for their endpoint devices that they didn't want you to touch. They didn't want a good Samaritan. No good Samaritans were allowed to appreciate the offer, but staying away from our devices was essentially the comment they gave back, which is no big deal. It doesn't matter. I don't care. But as we close this episode, it comes back to what you're talking about, having a clear plan they're having. I would argue that five hours out of the gate is not an unreasonable amount of PFS time to build into a contract. In fact, it seems low, and I'm being honest. But I'm sure that came up whether I don't know if they bought IBM or somebody else. I'm sure it came up throughout the sales cycle where they just wanted to know like, “Okay, when we send somebody halfway across the world.” They accidentally print their phone, which is a real thing that happens to smart people. All the forget phones halfway across the globe, like, what the heck is gonna happen there? Because we don't know what to do.
Graham Smith: The corporate incident response plan you just laid out is what most people have. That's a pretty standard operating procedure, and I think that just the cost of a risk of a data breach is not worth the cost of a $1,000 device. And a lot of times, whether you can retrieve it, whether it's just at a hotel, like in your example, or one of the examples, I saw you earlier where a police officer left his phone at a Starbucks and got taken by an actual hacker and was used against them. It's a situation like that, where you want to know who's behind the other screen.
At that point, you don't want the device back. You want to know who the perpetrator is. So at that point, it's more of an investigation. It's more of locking down our data, protecting our environment, protecting everything we have on our networks, and locking out that device. And that’s the point of these tools when a device goes haywire or off the rails, is stolen, or lost. You want to cut all access to your network from that device as quickly as possible. And just as you said, it sounds that was your friend's plan, which is the one I would recommend to anyone, regardless of industry. It's way more valuable to protect your network than to protect an individual hardware device.
Mike Krass: Well, Graham, I appreciate you being on the show. Not once, but twice. And as you've been on once already, we're not going to embarrass you with a bad haircut question because you've already told us about your terrible haircut. As we close this episode, though, I would like to ask you to remind folks how to get in touch with you. If the listeners want to reach out, what's the best way to get in touch with you?
Graham Smith: I'm available on LinkedIn. Via Graham Smith. I think my username is grahamsmith72. If you want to get finite with it, and then if you have any security posture questions, any consulting questions around cybersecurity, or anything about the episode that we talked about today or the previous episode, you can reach me at firstname.lastname@example.org.
Mike Krass: Awesome, Graham. Thank you so much. Say goodbye to our listeners for the second time.
Graham Smith: Goodbye, listeners. Thank you so much for having me, Mike. It was a pleasure.
Graham Smith is a Cyber Security Sales Specialist at IBM focused on the public sector. In his spare time, Graham is a Board Member with Soul’s Harbor Rehabilitation.