Today we are excited to announce the availability of network protection, an automated on-device analysis of network connections that defends against man-in-the-middle (MitM) attacks and ensures information is being securely transmitted. With every enterprise now shifting towards a mobile-first, cloud-first workplace, employees’ day-to-day work now happens beyond the traditional enterprise perimeter.
The enterprise security risks from man-in-the-middle attacks
Many enterprises encrypt sensitive corporate data on mobile devices, but attackers can intercept and decrypt this data via man-in-the-middle attacks using equipment that costs less than $100.
Data in transit on mobile devices is an unmitigated security risk for many organizations. Employees tend to freely connect to public Wi-Fi networks on their smartphones and tablets, not thinking twice about installing proxies to gain access. Unfortunately, they are also largely unaware this can enable attackers to decrypt all encrypted traffic streams going to and from their devices.
Why Lookout network protection is better
Lookout network protection is the most actionable defense against MitM attacks because it focuses on the risks most relevant to enterprises, namely attempts to intercept encrypted data in transit. The Lookout endpoint app automatically detects when a device connects to a new network (Wi-Fi, cellular, VPN, tethered) and immediately runs a series of health checks on that network to ensure it is behaving properly. Examples of checks performed include confirming that the root Certificate Authority used to issue the SSL certificates for HTTPS sites matches expected values, and that the cipher suites and TLS versions negotiated are strong.

Why Lookout network protection delivers better protection from MitM attacks:

Automatic detection — Whenever a device connects to a new network, the on-device Lookout app automatically checks reference servers with known certificate properties and a known TLS configuration. This allows us to compare the expected network configuration properties with the properties of the connections actually established. By analyzing whether these established connections meet the expected properties, we can determine whether connections are being tampered with using any of the methods described above (host certificate hijacking, TLS downgrade, and others).

Reduced false positives — Most progressive mobility programs do not restrict an employee’s ability to connect to cafe, hotel, or airport Wi-Fi networks, as that would hinder productivity. However, some approaches to MitM detection surface admin alerts for this everyday activity. These approaches lead to an abundance of false positives that are not actionable by the average IT organization. The Lookout approach focuses on the risky types of connections that put encrypted data at risk and thus are not reasonable for employee use. By having an endpoint agent on the device, we can offer users a lightweight solution that does not require a VPN to analyze network traffic. This minimizes false positives, enabling users to stay connected and productive on the go.

Remediation — If a new network connection is deemed unsafe, Lookout alerts the employee, letting them know of the threat and that they should disconnect from the Wi-Fi network or uninstall the configuration profile. Lookout can also apply automated remediation via Mobile Device Management solutions during a MitM attack, if a secure connection is present.
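As an added illustration of the reference-server comparison described above (example code written for this page, not Lookout's own implementation), the script below records the issuing CA, leaf-certificate fingerprint, TLS version and cipher suite negotiated with a reference host and compares them with expected values to flag host certificate hijacking, TLS downgrade or weak ciphers. The REFERENCE values are constructed assumptions; in practice they would be captured from the reference server over a trusted network.

```python
import hashlib
import socket
import ssl

# Expected properties of a reference server under our own control.
# These are constructed example values, not real certificate data.
REFERENCE = {
    "issuer_cn": "Example Trusted Root CA",   # CA that should issue the leaf cert
    "leaf_sha256": "ab" * 32,                 # SHA-256 of the leaf cert in DER form
    "min_tls": "TLSv1.2",                     # oldest protocol version we accept
}
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")

def _rank(version):
    # Unknown or legacy versions (e.g. SSLv3) rank below every entry in TLS_ORDER.
    return TLS_ORDER.index(version) if version in TLS_ORDER else -1

def evaluate(observed, reference=REFERENCE):
    """Compare the connection actually established with what the reference server
    is known to present. Returns a list of findings; empty means the check passed."""
    findings = []
    if observed["issuer_cn"] != reference["issuer_cn"]:
        findings.append("unexpected issuer CA: possible host certificate hijacking")
    if observed["leaf_sha256"] != reference["leaf_sha256"]:
        findings.append("leaf certificate fingerprint mismatch")
    if _rank(observed["tls_version"]) < _rank(reference["min_tls"]):
        findings.append(f"TLS downgrade: negotiated {observed['tls_version']}")
    if any(m in observed["cipher"].upper() for m in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite: {observed['cipher']}")
    return findings

def probe(host, port=443, timeout=5):
    """Connect to the reference host over the current network and record the
    properties evaluate() checks. The platform trust store is used on purpose: a
    rogue root installed through a configuration profile still verifies, and is
    then caught by the issuer and fingerprint comparison rather than the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
            der = tls.getpeercert(binary_form=True)
            return {
                "issuer_cn": issuer.get("commonName", ""),
                "leaf_sha256": hashlib.sha256(der).hexdigest(),
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
            }
```

Run `evaluate(probe("your-reference-host"))` after joining a new network; any returned finding is a reason to alert the user, while an empty list means the observed connection matched the reference.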