In the 3rd quarter of 2014 IBM has completed a survey among mobile security professionals looking at mobile security capabilities deployed by enterprises. Combined with IBM's mobile security framework that spans device, content, application and transactions, IBM was able to create a fact-based maturity model for enterprise mobile security. View this presentation to learn: - What are the key requirements for a mature mobile security program - What are the key current and future areas of investment for enterprises in mobile security - How IBM capabilities align with these emerging requirements View the full on-demand webcast: http://securityintelligence.com/events/path-towards-securing-mobile-enterprise/#.VYxa2PlVhBf

1. © 2014 IBM Corporation
IBM Security Systems
Are We There Yet? The Path Towards
Securing the Mobile Enterprise
Yishay Yovel
Program Director, Fraud and Mobile Strategy
IBM Security
©1 2014 IBM Corporation

2. © 2014 IBM Corporation
IBM Security Systems
2
ABOUT THE SURVEY

3. Survey Respondents Demographics
Total Response: 209

4. Survey Respondents Demographics: Larger Enterprises

5. © 2014 IBM Corporation
IBM Security Systems
5
IBM MOBILE SECURITY FRAMEWORK

6. Enterprise Applications
and Cloud Services
and Data Protection
© 2014 IBM Corporation
IBM Security Systems
IBM Mobile Security Framework - Requirements
6
Security Intelligence
Identity, Fraud,
Transaction Security
Application Security
Content Security
Enterprise
Device Security
Personal and
Consumer
DATA
Device Security Content Security Application Security Transaction Security
Provision, manage
and secure
Corporate and
BYOD devices
Secure enterprise
content access
and sharing
Develop
vulnerability free,
tamper proof and
risk aware
applications
Prevent and detect
high risk mobile
transactions from
employees,
customers and
partners
Security Intelligence
A unified architecture for integrating mobile security information and event
management (SIEM), log management, anomaly detection, and configuration and
vulnerability management

7. © 2014 IBM Corporation
IBM Security Systems
7
THE CURRENT STATE OF AFFAIRS

8. Survey Respondents Demographics : Mobile Attributes

9. Mobile Security incidents

10. Enterprises see a wide range of business and technical risks spanning
all pillars of the framework, malware risk is emerging

11. Enterprises have rolled out core device/content security capabilities,
application and transaction security capabilities are emerging

12. © 2014 IBM Corporation
IBM Security Systems
12
DEVICE AND CONTENT SECURITY

13. Mobile Device, Content Management
Enterprise doc catalog
View, edit, create, & sync
files across devices
Protect and contain
sensitive content
Activate & manage users,
devices & policies
Enterprise app catalog
Operations & service
desk management
Secure Productivity Suite
Complete set of work
tools & app security
Identity & access controls
Data leak prevention &
app compliance rules
Secure network access
for business apps
Extend content in
corporate file repositories
Access intranet sites
Secure Document Sharing
Mobile Enterprise
Gateway
Advanced Mobile
Management

14. Enterprises deploy basic controls to address “device lost” scenario,
extended requirements for “risky devices” emerging

15. Enterprise deploy secure containers to control enterprise content for
BYOD, emerging capabilities for more granular content control

16. © 2014 IBM Corporation
IBM Security Systems
16
APPLICATION SECURITY

17. © 2014 IBM Corporation
IBM Security Systems
IBM Application Security capabilities
Application Security Management
Assess
business impact
Inventory
assets
Test
Applications
Static
Analysis
17 IBM and Business Partner Only
Determine
compliance
Measure status
and progress
Prioritize
vulnerabilities
Utilize resources effectively to identify and mitigate risk
Dynamic
Analysis
Mobile
Application
Analysis
Interactive
Analysis
Protect
Deployed Applications
Intrusion
Prevention
Database
Activity
Monitoring
Web
Application
SIEM Firewall
Mobile
Application
Protection

18. Appscan and Worklight: Integrated App development and vulnerability Scanning
© 2014 IBM Corporation
IBM Security Systems
18 IBM and Business Partner Only

19. Enterprises address app security for their own apps, less focused on
risk from 3rd party apps and theft of their own apps

20. © 2014 IBM Corporation
IBM Security Systems
20
TRANSACTION SECURITY

21. Transaction security: New Breed of Financial Mobile Malware is
coming

22. Transaction Security: Flagging malware infected devices, enables
mobile fraud detection

23. Transaction security focuses on securing “flow”, limited focus on
fraud risk (malware) and transaction anomalies

24. © 2014 IBM Corporation
IBM Security Systems
24
FUTURE AREAS OF INVESTMENT

25. Investments spans all pillars of the maturity model

26. Beyond the basics, organizations are increasing focus on App Security,
emerging interest in transaction security

27. Most organizations will increase mobile security budgets to reap the
benefits of mobile productivity

28. © 2014 IBM Corporation
IBM Security Systems
28
SUMMARY

29. © 2014 IBM Corporation
IBM Security Systems
Security solutions for the mobile enterprise
Personal and
Consumer
29
Security Intelligence
Transaction Security
Application Security
Device Security Content Security Application Security Transaction Security
• Enroll, provision and configure
devices, settings and mobile
policy
• Fingerprint devices with a
unique and persistent mobile
device ID
• Remotely Locate, Lock and
Wipe lost or stolen devices
• Enforce device security
compliance: passcode,
encryption, jailbreak / root
detection
• Restrict copy, paste and share
• Integration with Connections,
SharePoint, Box, Google Drive,
Windows File Share
• Secure access to corporate
mail, calendar and contacts
• Secure access to corporate
intranet sites and network
Software Development Lifecycle
• Integrated Development
Environment
• iOS / Android Static Scanning
Application Protection
• App Wrapping or SDK Container
• Hardening & Tamper
Resistance
IBM Business Partner (Arxan)
• Run-time Risk Detection
Malware, Jailbreak / Root, Device
ID, and Location
• Whitelist / Blacklist Applications
Access
• Mobile Access Management
• Identity Federation
• API Connectivity
Transactions
• Mobile Fraud Risk Detection
• Cross-channel Fraud Detection
• Browser Security / URL Filtering
• IP Velocity
Security Intelligence
Enterprise Applications
and Cloud Services
Identity, Fraud,
and Data Protection
Content Security
Device Security
DATA
Enterprise
IBM Security
AppScan
IBM Security
Access Manager
IBM Mobile Security Solutions
IBM Mobile Security Services
Security Intelligence
IBM Mobile First powered by…
IBM QRadar Security
Intelligence Platform

30. Summary
• Enterprises are making investments across all pillars of the IBM Mobile
Security Framework, but we are “half way there”
• Current investment focus on device and content security which supports the
BYOD program
• Future investments will address the development of secure mobile applications
end eventually transaction fraud risk
• Use the IBM Mobile Security Framework to build a prioritized roadmap
for your investments in mobile security for your BYOD program,
Employee productivity and Customer Engagement
• Follow this link: http://ibm.com/security/mobile

31. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection
and response to improper access from within and outside your enterprise. Improper access can result in information being altered,
destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely
effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive
security approach, which will necessarily involve additional operational procedures, and may require other systems, products or
services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR
WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
© 2014 IBM Corporation
IBM Security Systems
31
www.ibm.com/security
© Copyright IBM Corporation 2014. THE INFORMATION IN THESE MATERIALS ARE PROVIDED "AS IS" WITHOUT ANY WARRANTY,
EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of
the agreements under which they are provided. Nothing contained in these materials is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable
license agreement governing the use of IBM software. These materials are current as of the initial date of publication and may be
changed by IBM at any time. Not all offerings are available in every country in which IBM operates. Product release dates and/or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other
factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, ibm.com and
other IBM products and services are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the
Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml