CrowdStrike Is the First to Bring Endpoint Detection and Response (EDR) to Mobile Devices

I am thrilled to announce the first endpoint detection and response (EDR) solution for mobile devices: CrowdStrike Falcon® for Mobile™. It is the only comprehensive tool that enables proactive threat identification and response, and incident investigation, on Android and iOS mobile devices. This new solution, which will be generally available in May, is based on CrowdStrike’s tried, tested, and proven EDR technology for enterprise endpoints. The launch of Falcon for Mobile means customers can now leverage the industry-leading features of the CrowdStrike® Falcon® platform — EDR, managed threat hunting, single agent architecture, and massive threat telemetry — to effectively defend enterprise mobile devices. For the first time, organizations can extend their enterprise endpoint protection capabilities to mobile devices without introducing additional integrations, unwarranted complexity and disparate products.

Why Falcon for Mobile Was Developed

Cloud and mobility have completely changed the way employees work, providing speed and flexibility in accessing information, but also exposing the enterprise to yet another threat vector. The workforce is more reliant than ever on business-critical applications, which can access confidential information from multiple devices at any time and anywhere. Yet security teams lack visibility into mobile threat activity, due to the inadequate, complex and difficult nature of today’s mobile threat defense solutions. If you download a legitimate app from the App Store and your device hasn’t been jailbroken, you are likely well covered. However, mobile platforms have become an increasingly popular attack surface for threat actors using tactics such as malicious apps, phishing and network attacks involving spoofing IPs or domains. In addition, data sharing across applications, as well as taking screenshots, increases the risk of inadvertent data exposure by a trusted user or intentional exfiltration by an insider. Although mobile device management (MDM) solutions have been available for years, they don’t address these core security concerns — and the mobile threat defense (MTD) solutions that have been introduced have been slow to catch on. In fact, according to Gartner, less than 10 percent of organizations have purchased a solution for mobile security and threat detection. This may be because the available solutions don’t provide visibility and hunting — they just try to detect malware attacks and traditional threats — which is inadequate for addressing today’s threats.

Cloud-Native Technology, Single Lightweight Agent, Unified Management Console

CrowdStrike has taken a visibility-first approach to endpoint protection. EDR security on endpoints has resulted in detection and prevention of a whole new class of attacks and breaches. Falcon for Mobile uses this same approach, delivering mobile security via a lightweight Falcon agent to provide real-time visibility into device activity, so security teams can hunt and investigate based on that data. As with all Falcon solutions, Falcon for Mobile is managed via the central Falcon console. We have always believed in extending the definition of endpoint to encompass all kinds of compute devices. Our Falcon platform works across laptops, desktops, servers, workstations, data centers and cloud, without requiring separate products for different kinds of endpoints. Falcon for Mobile takes this one step further by adding coverage for mobile devices.

We Listened to Customers

Before development of Falcon for Mobile began, we listened to a wide range of customers to ensure we were giving them the solution they want. These conversations culminated in a list of capabilities our customers feel are most critical:

Visibility: Organizations want as much visibility as possible into the Android and iOS devices connected across their enterprise. Access to enterprise apps such as Workday, Salesforce and Box is now ubiquitous on mobile devices, and customers need visibility into the usage of sensitive corporate data. Also, they want us to identify vulnerable devices, such as those that need upgrading and those that have been jailbroken or rooted.

Enterprise App Behavior Monitoring: Security teams want the ability to monitor enterprise application behavior on both Android and iOS devices, such as network telemetry data and clipboard events, and they also want to be able to identify risky Wi-Fi and Bluetooth connections.

Falcon for Mobile’s innovative dynamic app shielding technology provides enhanced monitoring of third-party enterprise apps on Android devices, further protecting sensitive corporate data and expanding app behavior monitoring to include process and data access events. Dynamic app shielding provides this deep telemetry into the behavior of Android apps, similar to what Falcon provides on other systems. This is how dynamic app shielding works:
  • Enterprise apps that will be monitored are identified by the admin, with apps and the Falcon agent combined into a container and pushed to the device. This can be accomplished in tandem with an MDM.
  • All apps monitored by Falcon for Mobile are easily identified by the user.
  • The Falcon sensor monitors network events, clipboard events, process events and, importantly, data access events for all shielded applications. This means that if an insider attempts to exfiltrate data via a user interaction — such as cutting and pasting or taking a screenshot from a protected app such as Workday or Salesforce — Falcon for Mobile sees the behavior and can prevent it.
  • If an unprotected app attempts to communicate with a protected app, the Falcon sensor monitors this behavior and provides deep visibility at the operating system level.

Privacy-by-Design and Performance First: Falcon for Mobile focuses on customer-designated corporate apps with no monitoring of personal applications on the device such as text messaging, email, photos or browsing history. Falcon for Mobile is built using “Privacy-by-Design” and “Performance First” principles enabling users to adopt Falcon with confidence, without privacy concerns or performance issues. Sensors for Android and iOS are extremely high performance and lightweight with a nominal effect on battery life or data bandwidth usage.

Threat Hunting: Customers want the ability to hunt for themselves, and they are also looking for expert threat hunters to help them. In addition, they want to be able to hunt across their entire environment, including mobile, desktop, server and data center platforms. If they have a suspicious IP, for instance, they want a single place to search. They also want integrated threat intelligence to help direct their hunting activities so they can be forewarned regarding emerging mobile threats and tradecraft.

Easy Adaptability and Interoperability: Customers told us they want a solution that is easy to deploy and manage, for both end users and the security team. By leveraging the CrowdStrike Falcon® platform, we are able to centralize endpoint management to include mobile, which makes it easy to enroll devices and leverage the skills of the Falcon team. In addition, Falcon for Mobile seamlessly integrates with customers’ existing mobile solutions such as MDM, enterprise mobility management (EMM), unified endpoint management (UEM) and MTD.

For users, Falcon for Mobile’s lightweight agent ensures low battery usage, and user privacy is respected by letting users know which apps are being managed by Falcon for Mobile and which aren’t. No user wants the organization to be able to check out what they are doing on their personal Facebook or Instagram accounts.

To Summarize

Falcon for Mobile provides comprehensive visibility that extends across your enterprise — from mobile devices to the data center. Our lightweight sensor technology is ideal for mobile devices, and CrowdStrike’s cloud-native platform provides the perfect conduit to manage, administer and hunt for data. Our enterprise app behavior monitoring capability provides the visibility and telemetry required to identify malicious behavior, while enabling customers to perform threat hunting — either by themselves or with the Falcon Overwatch™ team of experts. This telemetry can be used to provide visibility into insider threats, unauthorized or accidental data exposure, and network spoofing. These capabilities populate a series of dashboards within Falcon Insight™, our EDR solution, enabling security teams to view mobile devices, search for events, and easily manage and enroll devices.
