CISA Recommends Three-Pronged Approach for Mobile Security

To protect mobile devices from cyber threats, organizations must implement and integrate three disparate technologies: enterprise mobility management, mobile application vetting and mobile threat defense, according to a soon-to-be-released white paper from the Cybersecurity and Infrastructure Security Agency. 

Branko Bokan, an official from CISA’s cybersecurity division, offered insights into the paper’s methodology and threat-based approach to cyber practices in Washington Tuesday. 

Bokan started his deep-dive into the agency’s findings with a question he said he likes to frequently pose: “How do you make a decision on where to spend your next cyber dollar?”

The cybersecurity official explained that people from agencies and industry alike frequently answer by saying they implement whatever their vendors, inspectors general, or risk management teams tell them to—and they often talk about managing these risks without identifying what the real risks are. 

To address the issue and boost defense, CISA recently developed and employed a new methodology known as “.govCAR” or Cybersecurity Architecture Review of the .gov domain. 

Based on an approach originally established by the Defense Department to look at the capabilities it supplies to other agencies, Bokan said .govCAR allows CISA to take a threat-based approach to cybersecurity risk management, which (unlike traditional cyber approaches) helps illuminate cyber capabilities from the viewpoints of bad actors.   

The next-generation approach allows insiders to take on the views of those they are protecting their systems against to identify areas where mitigations need to be applied to improve the entities’ defense.

“With this methodology, we can put ourselves in the shoes or in the position of an adversary to look at our cyber capabilities,” he explained. “And the first thing we do is enumerate all the threats—all the actual threats that we see in the wild today.”

A self-proclaimed “.govCAR evangelist,” Bokan said that once all the threats have been identified, experts can reflect on whether their capabilities are adequate at helping them detect and respond to the threats that they face.  

“So with that in mind, that methodology is very powerful,” he said. 

For the upcoming white paper, the agency examined the mobile architectures at various federal agencies using the methodology. Through the .govCAR analysis, the agency was able to identify how the agencies protect their mobile environments and sensitive data. 

Bokan said the most critical highlight of CISA’s findings suggest agencies and organizations should deploy enterprise mobility management, mobile application vetting and mobile threat defense capabilities together, not as standalone products, but as interoperable solutions.   

“They need to be integrated with each other,” Bokan explained. “It doesn’t necessarily mean they are from the same vendor, but they need to be able to talk to each other and respond to each other depending on what they are supposed to do.” 

Once released, Bokan said the white paper will include recommendations and actionable guidance that organizations can use as they consider future investments in mobile cybersecurity capabilities.