Lacoon Mobile Threat Management Platform

The Lacoon Mobile Threat Management Platform Can Detect, Assess and Mitigate Your Mobile Risks


Lacoon’s unique multi-layer approach ensures enterprises have the visibility and coverage they need to manage their vulnerabilities and mitigate their risks. The Mobile Threat Platform delivers:

  • Advanced Threat Detection: with the ability to detect and classify Android and iOS mobile threats to employee (BYOD) and corporate devices and applications. Lacoon’s cloud-based Behavioral Risk Engine performs dynamic application risk assessments and behavior-based device and network anomaly detection, to identify zero-day attacks, APTs, malicious apps, time-bomb malware, evasive botnets, advanced rootkits, and more.
  • Risk Mitigation: with the ability to support adaptive mitigation through on-device responses, the dynamic activation of a virtual private network (VPN), or via policy enforcement changes within the enterprise’s existing mobility and security infrastructures, to ensure corporate data is protected and remains safe until the threat is eliminated.
  • Vulnerability Assessments: with the ability to assess vulnerabilities on the device, in configurations and in the applications to enable effective mobile vulnerability management and risk mitigation to reduce the attack surface and meet compliance goals.

Only with the Lacoon Mobile Threat Management Platform can you effectively manage and mitigate the risks mobile devices and applications pose to corporate resources. With Lacoon you have the comprehensive coverage you need to reduce the risks of Android and iOS devices that enter your environment and augment the capabilities of your mobile device management (MDM), network access control (NAC) and security information and event management (SIEM) systems to strengthen your security stance.



Lacoon’s Mobile Threat Management Platform shuts down attackers trying to steal your sensitive information and protects your mobile resources from cyber-espionage and cybercrime, so you can embrace mobile initiatives without fear.

Collects Risk Information and Enforces Attack Mitigation on the Device

The Mobile Threat Management Platform app runs in the background, with no change to the user’s experience. It collects and sends metadata to the Mobile Threat Management Platform Behavioral Risk Engine (BRE) for analysis to assign the device’s risk level and identify attacks. When an attack is detected, it triggers the app to notify the user and remediate, via Active Protection, as necessary.

  • Platforms — Lacoon supports iOS (iPhone and iPad) and Android devices.
  • Roll Out Options — the app can be conveniently distributed several ways:
    • Administrators can use the Mobile Threat Management Platform Dashboard to send users an email to prompt them to download the application.
    • The app can also be distributed via an enterprise’s mobile device management (MDM) solution.
  • Collection of Metadata – the app sends aggregated device configurations, applications, events and logs to the cloud-based BRE for analysis.
  • Attack Remediation and Mitigation – when an attack is detected, it triggers a variety of defense mechanisms (on the device and/or in the network), based on the policy set by the enterprise.
    • User Notification — the app can alert users to an infection or vulnerability, with detailed malware descriptions and prescriptive actions the user can follow to remove and eliminate the attack.
    • Active Protection — the app can re-route traffic to Lacoon’s Mobile Threat Management Platform Gateway for attack containment, including:
      • Blocking the traffic.
      • Dynamically implementing a virtual private network (VPN) to protect the integrity of the data.
    • MDM Enforcement — Lacoon can integrate with your MDM, Wrapper or NAC solutions to dynamically activate changes in access privileges in response to risk levels.

Analyzes Device, App and Network Data in the Cloud to Comprehensively Detect Attacks and Determine Real-Time Risk Levels

The Mobile Threat Management Platform Behavioral Risk Engine (BRE) analyzes information sent from the Mobile Threat Management Platform App using several proprietary, patent pending algorithms to identify known, unknown, targeted and emerging threats. It then generates a relevant, real-time risk score for each device that can be used to determine how traffic from each device should be handled.

Data collected

  • Device Information - OS versions, configuration files, logs, etc.
  • App info — signature and source (whether it came from an app store or was ‘side-loaded’) and, for an app that has not been seen before (“patient zero”), the app binary itself for analysis
  • Network Info — type (WiFi, 3G, 4G, etc.), event information and traffic patterns

The Cloud-based BRE determines if the device is infected using several proprietary, patent-pending detection mechanisms:

  • Behavioral Application Analysis – uses Sandboxed Emulation and Advanced Static Code Analysis to detect attacks that target enterprise assets. Unlike other solutions that analyze apps in isolation, without the context of what they will do when downloaded on a specific device (OS version), Mobile Threat Management Platform emulates the mobile devices in your environment to accurately identify malicious behaviors, such as:
    • Utilization of embedded exploits that can compromise secure containers
    • Keyloggers
    • Spyphones
    • Screen scrapers
    • File system tampering
    • Two-factor authentication exploits
  • AV Signature Feeds – includes the ability to identify known attack patterns, so you don’t need to deploy and manage another point solution for mass-market attack detection capabilities.
  • On-device Network and Event Anomaly Detection – identifies malicious command and control behavior and data exfiltration by unknown malware and rootkits.
  • Real-Time Risk Assessments – look at the configuration state of a device, including the installation of malicious profiles or apps with fake or stolen certificates, and at activity that indicates malicious behavior, such as rooting, jailbreaking, escalating privileges or connecting from an unsecured location, to prevent exploits such as secure container compromises and man-in-the-middle (MitM) attacks.
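The page describes the network anomaly check only as spotting command-and-control behavior from the timing and frequency of an app's communications (see also the privacy FAQ below). The following is an added illustration of one way such a check can be built, not Lacoon's code: it groups connections by (app, destination), computes the inter-connection intervals and flags pairs whose intervals are both numerous and highly regular, which is what a periodic C2 check-in looks like. The log lines, app identifiers, destination address and the thresholds are constructed for the example.

```python
"""Beaconing detector over a constructed per-app connection log.

Added illustration, not Lacoon's code. The heuristic is an assumption about
how a timing/frequency check for command-and-control traffic can work: for
each (app, destination) pair, compute the intervals between successive
connections and flag pairs whose intervals are numerous and regular (low
coefficient of variation). Human-driven traffic is bursty; beacons are not.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (timestamp_seconds, app_id, destination_host).
# "weatherwidget" checks in every ~300 s with little jitter (a beacon);
# "mail" is bursty, user-driven traffic.
SAMPLE_LOG = [
    (0, "com.example.weatherwidget", "203.0.113.7"),
    (301, "com.example.weatherwidget", "203.0.113.7"),
    (599, "com.example.weatherwidget", "203.0.113.7"),
    (902, "com.example.weatherwidget", "203.0.113.7"),
    (1199, "com.example.weatherwidget", "203.0.113.7"),
    (1501, "com.example.weatherwidget", "203.0.113.7"),
    (12, "com.example.mail", "mail.example.com"),
    (15, "com.example.mail", "mail.example.com"),
    (740, "com.example.mail", "mail.example.com"),
    (745, "com.example.mail", "mail.example.com"),
    (1490, "com.example.mail", "mail.example.com"),
    (1492, "com.example.mail", "mail.example.com"),
]


def intervals(timestamps):
    """Seconds between successive connections, in time order."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def coefficient_of_variation(values):
    """pstdev / mean of the intervals; lower means more periodic. None if undefined."""
    if len(values) < 2:
        return None
    m = mean(values)
    if m == 0:
        return None
    return pstdev(values) / m


def find_beacons(log, min_connections=5, max_cv=0.1):
    """Return (app, destination) pairs whose connection timing looks like a beacon.

    min_connections and max_cv are assumed tuning knobs: require enough
    samples to be meaningful, and a jitter below 10% of the period.
    """
    by_pair = defaultdict(list)
    for ts, app, dst in log:
        by_pair[(app, dst)].append(ts)

    hits = []
    for (app, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        ivals = intervals(stamps)
        cv = coefficient_of_variation(ivals)
        if cv is not None and cv <= max_cv:
            hits.append({
                "app": app,
                "dst": dst,
                "count": len(stamps),
                "period_s": round(mean(ivals)),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon: {hit['app']} -> {hit['dst']} every ~{hit['period_s']}s "
              f"(n={hit['count']}, cv={hit['cv']})")
```

Regularity alone is a weak signal on its own (legitimate sync clients are periodic too), which is why the page pairs it with destination reputation ("an unidentifiable server") and app analysis before a device is scored high; in practice the output above would be one input to the risk score, not a verdict.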

Dynamically Assigns a Granular Risk Score to Each Device to Trigger Defense Mechanisms

Based on the analysis of the Mobile Threat Management Platform Behavioral Risk Engine (BRE), each device is assigned a real-time risk score (high, medium or low), which reflects the risk that device poses to your organization; this risk score will be adjusted according to any new findings from the BRE’s ongoing assessments.

There are three Risk Score Levels:

  • High Risk Score — if the device is found to be compromised or infected with malware or a malicious app that can compromise your resources.
  • Medium Risk Score — if the device is compromised by malware that poses a risk to the user’s personal information or has risky applications downloaded on it.
  • Low Risk Score — if the device poses no significant threat.

Risk scores are then used to determine how traffic from that device should be handled, based on pre-defined risk thresholds and policies set by you (via the Mobile Threat Management Platform Dashboard). Lacoon provides you granular risk management, allowing you to configure and personalize how you want to respond to each threat.
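The threshold-driven behavior described above (a device is re-scored as findings change, responses fire only when a configured level is reached, and stand down once the threat is gone) is modeled in the following added example. It is not Lacoon's code: the indicator names are taken from the page's list of indicators, but the severity attached to each indicator, the policy table and the action names are assumptions made for the illustration.

```python
"""Model of the three-level risk score driving threshold-based responses.

Added illustration, not Lacoon's code. Each device's score is the most
severe current finding; an assumed policy table says which responses must
be active at each level; each new assessment re-scores the device and
reconciles the active responses, activating what the new level requires and
deactivating what it no longer requires.
"""
from enum import IntEnum


class Risk(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Assumed severity per indicator (the indicators themselves are the page's list).
INDICATOR_LEVEL = {
    "jailbroken": Risk.HIGH,
    "rooted": Risk.HIGH,
    "malicious_app": Risk.HIGH,
    "c2_traffic": Risk.HIGH,
    "malicious_profile": Risk.HIGH,
    "fs_tampering": Risk.HIGH,
    "risky_app": Risk.MEDIUM,
    "unpatched_vuln": Risk.MEDIUM,
    "public_wifi": Risk.MEDIUM,
}

# Assumed enterprise policy: responses that must be active while the device
# is at or above the given level. Nothing is configured for LOW.
POLICY = {
    Risk.MEDIUM: {"notify_user"},
    Risk.HIGH: {"notify_user", "active_protection", "mdm_restrict"},
}


def score(findings):
    """Device risk is the most severe current finding; no findings means LOW."""
    return max((INDICATOR_LEVEL.get(f, Risk.LOW) for f in findings), default=Risk.LOW)


def required_actions(level, policy=POLICY):
    """Union of every policy tier whose threshold the level reaches."""
    wanted = set()
    for threshold, actions in policy.items():
        if level >= threshold:
            wanted |= actions
    return wanted


class DeviceState:
    """Tracks a device's current findings and reconciles its active responses."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.findings = set()
        self.active = set()

    def update(self, add=(), clear=()):
        """Apply a new assessment; return (level, activated, deactivated).

        Responses not required by the new level are deactivated, which is how
        a protection triggered for an infection stands down once the malware
        has been removed.
        """
        self.findings |= set(add)
        self.findings -= set(clear)
        level = score(self.findings)
        wanted = required_actions(level)
        activated = wanted - self.active
        deactivated = self.active - wanted
        self.active = wanted
        return level, activated, deactivated


if __name__ == "__main__":
    dev = DeviceState("device-1")
    steps = [
        (["public_wifi"], []),                       # user joins a hotspot
        (["malicious_app", "c2_traffic"], []),       # infection confirmed
        ([], ["malicious_app", "c2_traffic"]),       # malware removed
        ([], ["public_wifi"]),                       # back on a trusted network
    ]
    for add, clear in steps:
        level, on, off = dev.update(add=add, clear=clear)
        print(dev.device_id, level.name, "on:", sorted(on), "off:", sorted(off))
```

Taking the maximum rather than summing severities keeps a pile of medium findings from escalating a device to high on their own; whether that is the right choice is a policy decision, and the page leaves the actual scoring method unspecified.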

Proactively Prevents Malicious Activity and Data Exfiltration to Contain Threats

When the Mobile Threat Management Platform BRE identifies a mobile device that poses a risk to your organization, you have complete control over how that risk is mitigated. You can configure your risk thresholds and personalize the response for each, via the Mobile Threat Management Platform Dashboard.

Lacoon delivers unique dynamic network policy enforcement that triggers defense mechanisms only when risk thresholds are reached. This approach ensures you can effectively manage your mobile risks, by choosing when to activate and deactivate protection mechanisms according to the real-time threats you are facing. You can define when to use:

  • On-Device Mitigation – the app can alert users to an infection or vulnerability, with detailed malware descriptions and prescriptive actions the user can follow to remove and eliminate the attack.
  • Patent-Pending, Active Protection — the app can automatically re-route traffic to Lacoon’s Mobile Threat Management Platform Gateway to eliminate the threat at the network level.
    • Blocking malware from calling home or stealing data, among other things, to contain the attack and minimize any impact
    • Dynamically implementing a virtual private network (VPN) to protect the integrity of the data for the duration of the risk.
  • MDM, Wrapper and NAC Integration and Enforcement — Lacoon can integrate with your MDM, Wrapper, or NAC system to dynamically activate changes in access to protect your resources.

Potential Indicators That Can Be Used to Define the Risk Level of a Device

  • Device has been jailbroken (iOS).
  • Device has been rooted (Android).
  • Evidence of file system tampering.
  • Evidence of screen scraping, eavesdropping or keylogging.
  • Device is accessing corporate information from a less secure network, such as a public WiFi hotspot.
  • Device is infected with malware or a malicious app.
  • Device has open, unpatched vulnerabilities.
  • Device is communicating with an unidentifiable server.
  • Installation of malicious profiles or apps with fake or stolen certificates.
  • Suspicious configuration changes, such as privilege escalations.

Examples of Remediation and Mitigation Capabilities

  • On-Device — notify and educate users about risky behavior.
  • On-Device — notify the user of a threat and provide remediation steps to remove the malware/app and eliminate the threat.
  • Active Protection — dynamically activating a virtual private network (VPN) channel to protect the privacy and integrity of communications.
  • Active Protection — blocking attack traffic to contain attacks.
  • Integrating with MDMs, Wrappers and NAC systems — changing access privileges to critical corporate resources (email, internal apps, corporate network) to provide real-time risk management and dynamic policy enforcement.

Active Protection can prevent:

  • Malware from communicating with command and control (C&C) servers, by blocking this traffic.
  • Drive-by-downloads of malware, by blocking this traffic.
  • Man-in-the-Middle (MitM) attacks, by triggering VPN certificate-based encryption and an authenticated connection that prevents snooping or tampering with communications.

Providing Full Visibility and Control Over Your Mobile Security

The Mobile Threat Management Platform Dashboard is a web-based console that gives you real-time visibility on the risk profiles in your organization, detailed forensics on malicious and suspicious device behaviors and applications, and the ability to manage a mobile device’s alerts and protection mechanisms.

The Dashboard provides:

  • Detailed descriptions of security alerts and filtering capabilities.
  • Detailed risk scoring for a device, including infections, exploitable vulnerabilities and suspicious behaviors.
  • Detailed information on malicious and suspicious applications, including behavioral information; device and app correlation; malware classification (with malware families); and network information.
  • Real-time information on device connectivity and the health status of the Lacoon Mobile Threat Management Platform app on all enrolled devices.
  • The ability to integrate with MDM solutions, as well as SIEMs, Wrappers and NAC systems.
  • Enrolment capabilities for new mobile devices in your organization.
  • Management for administrators to set policies, investigate notifications and generate reports.

Secure iOS Devices

iPhones and iPads are Susceptible to Attack

While perceived as more secure than other mobile platforms, iOS is increasingly being exploited by attackers to gain access to sensitive data and resources. A recent study we conducted found that more than one in 1000 mobile devices are infected with malware or surveillance toolkits; of those infected, almost half (47%) were iOS devices.

It’s Not Just Jailbroken iOS Devices at Risk

A common misconception is that an iOS device, such as an iPhone or iPad, is not vulnerable if it’s not jailbroken. While it’s true that jailbroken devices (on which the restrictions on what apps and extensions can be installed have been removed) are more susceptible to attack than non-jailbroken devices, it turns out iOS devices don’t need to be jailbroken to be compromised. We have seen non-jailbroken iOS devices ‘in the wild’ fall victim to:

  • Malicious apps, including those that use fake or stolen certificates to evade detection.
  • Malicious Profiles that can be used to make risky configuration changes or compromise Secure Containers.
  • Man-in-the-Middle attacks in public hot-spots.

Lacoon’s Unique Protection

Lacoon Mobile Threat Management Platform can identify and protect your mobile data and resources from advanced iOS attacks.

iOS Attacks and Lacoon’s Advanced Protection

  • Jailbreaking devices and downloading mobile Remote Access Trojans (mRATs): Definitively identifies jailbreaks. Unlike MDM jailbreak detection methods that require the user to open the app, Lacoon’s detection runs continuously in the background. Once a jailbreak is detected, it triggers a more detailed network analysis to detect suspicious behavior, and then blocks any malware communications to contain an attack.
  • Targeted advanced malware using fake certificates: Detects iOS apps that are using stolen or fraudulent certificates (33% of advanced persistent threats use fake or stolen certificates) and can block or remove them to stop the attack.
  • Malicious profiles that trigger risky configuration changes or secure container compromises: Detects changes to configuration profiles that can compromise a secure container and result in a Man-in-the-Middle (MitM) attack; Lacoon can then block attack traffic and notify the user to remove the profile.
  • Man-in-the-Middle: Identifies an iOS device accessing resources from a public hot-spot and minimizes the risks by limiting what it can access or dynamically triggering a virtual private network (VPN) channel.
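The page states that a malicious configuration profile can make risky configuration changes that end in a Man-in-the-Middle, but not what those changes are. Concretely, an iOS profile can install a root CA the device will trust, force a global HTTP proxy, or push a VPN that carries all device traffic; the combination of a trusted CA with a traffic path the attacker controls is the classic interception setup. The following is an added example of how a collector could audit a profile for exactly those payloads. It is not Lacoon's code: both profiles are constructed for the illustration, the PayloadType strings are Apple's documented identifiers, and the severity attached to each payload is this example's assumption.

```python
"""Audit an iOS configuration profile (.mobileconfig) for MitM-enabling payloads.

Added example, not Lacoon's code. A .mobileconfig is a property list whose
PayloadContent array holds one dictionary per setting the profile installs.
This audit flags the payload types that change what the device trusts or
where its traffic goes, and reports whether the profile as a whole is set
up for interception. A profile signed by its author is CMS-wrapped; a real
collector would strip that envelope first. This code assumes the inner plist.
"""
import plistlib

# Apple PayloadType identifiers that matter for interception, and why
# (the wording of each reason is this example's own).
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root CA the device will trust (TLS interception)",
    "com.apple.security.pkcs1": "installs a certificate the device will trust",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "installs a VPN that can carry all device traffic",
}

# Constructed profile posing as free Wi-Fi: root CA + global proxy, not removable.
MALICIOUS_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.free-wifi",
    "PayloadDisplayName": "Free Airport WiFi",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadIdentifier": "com.example.free-wifi.ssid",
         "SSID_STR": "Airport_Free"},
        {"PayloadType": "com.apple.security.root",
         "PayloadIdentifier": "com.example.free-wifi.ca",
         "PayloadContent": b"\x30\x82\x00\x00"},   # dummy bytes standing in for DER
        {"PayloadType": "com.apple.proxy.http.global",
         "PayloadIdentifier": "com.example.free-wifi.proxy",
         "ProxyServer": "proxy.example.net",
         "ProxyServerPort": 8080},
    ],
}

# Constructed benign profile: only a Wi-Fi network.
BENIGN_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.office-wifi",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadIdentifier": "com.example.office-wifi.ssid",
         "SSID_STR": "Office"},
    ],
}


def encode_profile(profile):
    """Serialize a profile dict to the XML plist form a .mobileconfig uses."""
    return plistlib.dumps(profile)


def audit_profile(plist_bytes):
    """Parse an unsigned .mobileconfig and report payloads that enable interception."""
    profile = plistlib.loads(plist_bytes)
    risky = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            risky.append({"type": ptype,
                          "id": payload.get("PayloadIdentifier", "?"),
                          "reason": RISKY_PAYLOADS[ptype]})
    types = {r["type"] for r in risky}
    # A trusted CA on its own is a warning; CA plus a way to steer traffic
    # (proxy or VPN) is the interception setup.
    mitm = "com.apple.security.root" in types and bool(
        types & {"com.apple.proxy.http.global", "com.apple.vpn.managed"})
    return {
        "profile": profile.get("PayloadIdentifier", "?"),
        "risky_payloads": risky,
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "mitm_capable": mitm,
    }


if __name__ == "__main__":
    for prof in (MALICIOUS_PROFILE, BENIGN_PROFILE):
        print(audit_profile(encode_profile(prof)))
```

On a device the same signal shows up as a change in the installed-profiles list, which is why the page lists "installation of malicious profiles" as a device-state indicator rather than a network one; the audit above is what turns that change into a finding the user can act on (remove the profile).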

Secure Android Devices

The Rise of Android in the Enterprise

More and more employees are bringing Android devices to work and asking their corporate IT to connect and support them. Business units are also selecting Android phones and tablets, which tend to be easier to develop sophisticated apps for and less expensive than other platforms.

The Risks with Android

Given Android’s market share, it is an increasingly attractive target for attackers; it’s also increasingly difficult to secure.
This can be attributed to:

  • The open Google Play and 3rd party developer markets, which are great for innovation but, with 500+ apps introduced daily, provide attackers a lot of ways to hide and distribute their malware.
  • The fragmentation of the Android operating system (OS) across all the different vendor implementations.
  • A broken security patch model that leaves many devices vulnerable to exploit.

All of these variables make it virtually impossible for enterprises to keep up with all the potential threats to the Android devices in their environment — it only takes one malicious app to infiltrate a device and compromise its secure containers to gain access to encrypted enterprise data or the device’s microphone and camera.

Pioneering Secure Android Deployments

With the unique ability to collect, correlate and analyze all the different device, app and network variables in your environment, Lacoon can accurately assess and stop all the different Android risks you are facing. Only with Lacoon, can you confidently embrace Android devices.

Android Attacks and Lacoon’s Advanced Protection

  • Vulnerability exploits: Detects risky activity through sandbox analysis of applications, coupled with the unique ability to emulate the specific target device (and its potential vulnerabilities), and then blocks the exploit.
  • Malware and malicious apps: Identifies new, zero-day malware and malicious apps through advanced detection capabilities and then removes them or blocks their traffic to contain the attack.
  • Rootkits: Detects when a device has been rooted and blocks malicious activity to contain the attack.
  • Secure container compromises: Looks at configuration state and changes to OS privileges to identify and then stop attacks attempting to infiltrate and steal sensitive app data.
  • Man-in-the-Middle: Identifies a device accessing resources from a public hot-spot and minimizes the risks by limiting what it can access or dynamically triggering a virtual private network (VPN) channel.

How Lacoon Mobile Threat Management Platform Protects Your Mobile Devices and User Privacy FAQ

User Privacy - only device metadata is collected and analyzed; the app does not monitor any content. The Mobile Threat Management Platform app is focused on device characteristics and behaviors that indicate potential vulnerabilities or infections, not the content stored on or flowing through the device. As a mobile security company, we encourage you to be vigilant about what you download onto your mobile device. It is important to understand what each and every app is going to do, including ours! This document attempts to answer your questions around the Lacoon Mobile Threat Management Platform app and our commitment to your privacy.

Q. What does the Lacoon Mobile Threat Management Platform app do?

The Mobile Threat Management Platform app is designed to run in the background of your mobile device to help you keep it safe. It collects and sends anonymous, aggregate information to our cloud-based Behavioral Risk Engine (BRE), which analyzes that data to identify risky activity and advanced mobile attacks. Once an attack is identified, it will trigger the app to notify you of the risk and help you remove it to protect yourself.

Q. What content does Lacoon collect on my device?

Lacoon only collects aggregate information about different aspects of a device, the apps downloaded on that device and its general activity; Lacoon does NOT collect any personal information stored on or flowing through a device. Specifically, Lacoon collects:
  • Information about installed applications to identify those that are malicious. This includes the application’s binary signature and possibly their binary package, which are key to analyzing how the application works and detecting activity that is suspicious.
  • Information on the operating system file structure to identify compromised settings that could give an attacker access to your device and data.
  • Heuristics about the communications of suspicious apps to identify suspicious activity. This includes the timing and frequency of the apps’ communications.
Lacoon is looking for those devices and app behaviors that indicate your phone or tablet may be under attack or compromised; we are looking at information that tells us how things work, NOT what is being accessed or communicated.

Q. Does Lacoon collect or see any of my private information, calls, web activity, messages or photos?

No, Lacoon does NOT collect any private information; we do NOT monitor or collect any message, photo/video or call content, web browsing activity or any location indicators. Lacoon does NOT collect any of the content associated with any of your applications or communications.

Q. How does Lacoon use and secure my data?

Lacoon is committed to your privacy. We do not use the information from your mobile device for anything other than detecting whether your device is infected. We do not share your data with anyone else to support our service. We have multiple layers of security in place, commensurate with the industry’s highest standards, to protect all the data in our systems.

Q. Can my IT Admins see what apps are installed on my device?

Your IT administrator(s) will not be able to see which apps you have on your device, unless it is infected. Only when an app is identified as suspicious or malicious, based on its behavior, will your IT admin see it. In this way, they can assist you; they will be able to explain what the app is doing that is risky (NOT the content of that app), so you can remediate and protect your device. Note that your admin will not have any visibility into any of the other apps on your device beyond the one(s) identified as infected.

Q. What does Lacoon do to protect my device?

When a threat is detected on your mobile device, it can trigger several responses, based on the level of risk that threat poses:
  1. Notification - you may receive a notification that alerts you to suspicious activity on your device; the notification will include information that helps you understand the risk and confirm whether you want to allow or stop the risky behavior.
  2. Remediation Information - when an attack is detected, you will receive a notification and remediation information that will help you quickly and easily stop and remove an attack.
  3. Active Protection - when an attack is detected, your Internet traffic will be redirected through our filtering gateway to block the malicious connections from your device to the attacker’s command and control server.
  Lacoon is laser-focused only on the attack communications; none of the other communications are impacted and none of the content of any of the communications is monitored or captured for the duration of Active Protection. In addition, because Active Protection is dynamically triggered to contain an attack, once you have removed the attack from your device (which we will help you do), it is automatically deactivated and your traffic goes back to its regular routes.

Q. Does Lacoon comply with the European Union’s privacy regulations?

Yes, Lacoon’s solution is fully compliant with the EU’s privacy regulations. The aggregate information from devices that are owned by users in the EU is routed to Lacoon’s analysis servers located within EU territory, and all the data is kept within the EU.