Symantec Mobile Threat Defense: Threat Hunting? Here’s Your Flak Jacket in the Minefield

Browsing the web today can be like walking through a minefield: unsuspecting users, vulnerable to social engineering attacks, may stumble into malicious websites designed to compromise their devices, steal their information, and distribute malware. Web-borne threats are a risk to all endpoints, but especially to modern ones.

More than half of Internet users are accessing the web solely through their mobile devices, making mobile an appealing attack vector. For enterprise employees, mobile is fast becoming a preferred work platform where an exchange of corporate data occurs on a frequent (if not daily) basis. One wrong click into a malicious website via a vulnerable mobile browser, and harmful code can infect employees’ devices, spreading to other endpoints and putting sensitive corporate data at risk.

Symantec Endpoint Protection Mobile (SEP Mobile) integrates with Symantec Web Isolation to enable SOC teams to investigate, in a completely harm-free way, risky websites accessed through mobile endpoints. Web Isolation executes web sessions remotely, sending only safe rendering information to analysts’ browsers, therefore preventing malicious traffic from reaching their machines. SEP Mobile is the only security vendor to offer this technology as part of our mobile endpoint detection and response (EDR) arsenal of tools, allowing admins to navigate malicious or unwanted network content, without exposing themselves to threats.

We’ve previously discussed in detail the use of mobile EDR for combating advanced and persistent threats that exploit mobile OS vulnerabilities. SEP Mobile’s EDR provides visibility over indicators of compromise across the different stages of the attack kill chain, as well as deep forensic analysis to help security teams see links between certain incidents and understand attack flows. Connecting the dots between pieces of threat telemetry gives admins more confidence when determining the risk of an attack and deciding on the best response.

Our built-in web isolation is a critical part of these mobile EDR capabilities, enabling admins to dig even deeper into the attack context for more accurate threat hunting. Imagine being able to navigate the web “minefield” while wearing an invincible flak jacket – web isolation provides this type of protection to security analysts.

Let’s say you're monitoring security incident feeds in the SEP Mobile Management Console or in your organization’s SIEM. You see that a mobile end user communicated with a malicious site, triggering a high-risk threat alert. The malicious site in question could also pose a risk when opened on a traditional endpoint, so you can’t conduct further investigation into the site because you’re wary of opening it on your computer. From the SEP Mobile console, you can access any risky or policy-violating website in web isolation mode and see what threats mobile users are being exposed to, while remaining completely safe from malware.

Web Isolation works by creating a secure execution environment between end users and the web, so no malicious code can be downloaded or executed on analysts’ machines. Security teams can enter this secure environment and essentially “replay” the attack their users were vulnerable to.

Data gathered from the “minefield” can be leveraged for deep breach or security incident analysis. In phishing attacks, for example, analysts can see what their victims saw, and answer questions such as: What website did attackers try to impersonate? How were users tricked into getting to the website? What details did attackers try to steal? What information was at risk? Was the attack targeted or broad? Did it hurt the company’s brand?

A security incident associated with risky or unwanted content will open in the SEP Mobile Management Console when end-user access to a suspicious website is blocked. For example, if an end user clicks on a malicious link received through a social media app, SEP Mobile will automatically block the site, ensuring devices remain protected from threats. Then, analysts can use web isolation to better understand what an attacker tried to do, enabling security teams to implement additional actions in other security solutions as well as educate users.

SEP Mobile’s integration of Symantec’s Web Isolation technology is one more way we’re using assets across Symantec’s security portfolio to generate value no other vendors can offer. While other players may provide only web filtering and CASB capabilities, SEP Mobile offers strong mobile agents and web isolation for robust EDR. Granular forensics and visibility on the attack kill chain are powerful mobile EDR tools that provide more context on attacks – but there is nothing more effective for threat hunting than combining these tools with the ability to experience what the end user experienced during an attack. Security analysts can do this by putting on the Web Isolation “flak jacket” and safely navigating the attack minefield.