July 27, 2022
Don’t assume users and employees will only use desktops to go about their business – even if that’s what they are supposed to do.
Your SIEM solution works best when it has visibility into your organization’s entire technical infrastructure. If there are blind spots, managing risk and ensuring compliance becomes much more challenging.
Most enterprise offices are desktop-oriented workplaces. It’s natural for executives, managers, and IT security leaders to assume that employees and users will conduct their business using their desktops.
However, this isn’t always the case. Mobile devices tend to find their way into business processes in unexpected ways. The scenarios are endless – executives may need to access real-time databases while traveling, sales staff may find it easier to communicate with customers through social media, and the list goes on.
If these mobile-oriented use cases are not included in the organization’s security policy, they may simply go unnoticed. Without visibility into mobile interactions, creating and enforcing a mobile security policy is virtually impossible. Enterprise security leaders need to pay special attention to the way their SIEM solution ingests log data from mobile endpoints, especially on Android.
Raise Awareness of Shadow IT Risks
Implementing a strict no-mobile policy doesn’t necessarily eliminate mobile device risks. This is especially true if the policy is not enforced in a robust way. History shows that when employees feel mobile device security policies are getting in the way of productivity and usability, they are more likely to break those policies when the opportunity arises.
Your organization’s mobile management policy has an outsized impact on its susceptibility to shadow IT risks. Whether your organization implements a no-mobile policy, a bring-your-own-device policy, or a company-owned device policy, your SIEM should prioritize the collection and analysis of mobile device logs.
This is one of the best ways to ensure your organization’s information security policies are being followed in good faith. Every employee, from the boardroom to the mailroom, has a role to play in cybersecurity.
Start Classifying Endpoint Logs by Operating System
Attackers may exploit endpoint vulnerabilities in mobile devices like phones and tablets to gain access to corporate networks. Separating incoming logs by operating system is the first step towards optimizing your ability to detect and analyze insider threats on mobile devices.
When it comes to log management, the two biggest mobile operating systems in use today work in slightly different ways:
- iOS does not log events on its own, but it does log application crash reports. You can log application events using an API and gain access to data generated by Apple’s built-in security features.
- Android offers a dedicated platform for system and application logs. This lets security professionals easily filter and view application logs, event logs, and system logs. You can also use this platform to separate logs into their unique programming language classes (C, C++, Java, etc.).
Exabeam is an excellent solution for capturing and analyzing user behavior on both mobile platforms. Information security professionals can use Exabeam to establish the relative severity of different Android logs based on their type and characteristics.
How to Prioritize Android Log Data in Exabeam
Since Android lets security professionals manage log data through multiple categories, Exabeam users can implement the following classes to separate specific Android logs from the rest of the device’s incoming data:
- Application Logs use the android.util.Log class to generate messages. Each application can set specific severity levels and descriptive tags to individual logs, which enables Exabeam to filter application logs and set alerts for specific behaviors.
- Event Logs generate messages using the android.util.EventLog class. Log entries consist of a log message string alongside binary-formatted tag codes and parameters. The tag definitions are stored in /system/etc/event-log-tags.
- System Logs separate the messages they generate from application logs using the android.util.Slog class. This makes it easy for Exabeam users to quickly distinguish between application and system logs in the Android framework.
Keep in mind that Android automatically shares logs with applications that hold the READ_LOGS permission. That means an app that writes sensitive data to the log can unintentionally leak it to other apps when that log data is shared. Instead of transmitting Android logs containing sensitive data, consider providing direct access through the Exabeam client so that the data does not move from one server to another.
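As an added example (not Castra's or Exabeam's code), the following Python shows how a collector-side parser can apply the three log classes above and the READ_LOGS caveat: it labels each logcat line by the buffer it was read from (the main/system/events labeling is an assumption about the collector), ranks it by android.util.Log priority, resolves numeric EventLog tag codes through an event-log-tags snippet, and flags messages that appear to carry a secret before they are forwarded. The logcat lines and tag entries are constructed samples, and the sensitive-value pattern is a simplification.

```python
import re
# One logcat "threadtime" line: "MM-DD HH:MM:SS.mmm  PID  TID  P TAG: message"
LOGCAT_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]*?):\s?(.*)$")
PRIORITY_RANK = {"V": 0, "D": 1, "I": 2, "W": 3, "E": 4, "F": 5}  # android.util.Log priority levels
# Each logcat buffer is fed by one of the classes named in the post (collector labels the buffer; assumed)
BUFFER_CLASS = {"main": "android.util.Log", "system": "android.util.Slog", "events": "android.util.EventLog"}
# Constructed marker for a secret written into the shared log buffer (any READ_LOGS holder would see it)
SENSITIVE_RE = re.compile(r"(?i)\b(password|passwd|token|secret|authorization)\b\s*[=:]")

def load_event_tags(text):
    """Parse /system/etc/event-log-tags: '<number> <name> (<fields>)' per line, '#' starts a comment."""
    tags = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            num, name = line.split()[:2]
            tags[int(num)] = name
    return tags

def classify(buffer, line, event_tags):
    """Normalize one logcat line into a SIEM-ready record, or None if it does not parse."""
    m = LOGCAT_RE.match(line)
    if m is None:
        return None
    _ts, pid, _tid, prio, tag, msg = m.groups()
    tag = tag.strip()
    if buffer == "events" and tag.isdigit():  # EventLog entries carry a numeric tag code; resolve it
        tag = event_tags.get(int(tag), "unknown_tag_" + tag)
    return {"source": BUFFER_CLASS.get(buffer, "unknown"), "tag": tag, "priority": prio,
            "rank": PRIORITY_RANK[prio], "pid": int(pid), "message": msg,
            "sensitive": bool(SENSITIVE_RE.search(msg))}  # flag before the line leaves the device

def triage(labeled_lines, event_tags, min_rank=PRIORITY_RANK["W"]):
    """Keep WARN-and-above records plus anything that leaks a secret, most severe first."""
    recs = [r for b, l in labeled_lines if (r := classify(b, l, event_tags)) is not None]
    return sorted((r for r in recs if r["rank"] >= min_rank or r["sensitive"]),
                  key=lambda r: (-r["rank"], r["tag"]))

# Constructed sample: two entries in the event-log-tags file format
EVENT_TAGS = load_event_tags("""# comment line
30014 am_proc_start (User|1|5),(PID|1|5),(UID|1|5),(Process Name|3),(Type|3),(Component|3)
30023 am_proc_died (User|1|5),(PID|1|5),(Process Name|3)""")
# Constructed sample lines, labeled with the buffer the collector read them from
SAMPLE = [
    ("main", "07-27 10:15:42.101  4321  4321 D ExpenseApp: refreshing view"),
    ("main", "07-27 10:15:42.205  4321  4350 I ExpenseApp: login ok, token=eyJhbGciOi.constructed"),
    ("main", "07-27 10:15:43.010  4321  4350 E ExpenseApp: TLS handshake failed"),
    ("system", "07-27 10:15:43.500  1000  1207 W ActivityManager: Force finishing activity"),
    ("events", "07-27 10:15:44.000  1000  1210 I 30014: [0,4400,10123,com.example.side,activity,.Main]"),
]
```

Running `triage(SAMPLE, EVENT_TAGS)` keeps the error, the warning, and the info line that exposes a token, in that order, while the debug line and the resolved am_proc_start event are dropped.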
Have Castra Create Custom Exabeam Rulesets for Your Organization
Castra's expertise can be an invaluable asset in helping enterprise IT leaders secure mobile endpoints and gain visibility into Android-generated logs in Exabeam. We continuously fine-tune our custom rulesets to correspond to the real-world threats our customers face daily, and we gather feedback to improve those rules’ performance over time.
Speak to one of our experts and find out how Castra can help your enterprise reduce the risk associated with mobile endpoints and shadow IT usage.