How a Minnesota Law Firm Brings Mission Critical Security to Myriad Mobile Devices

Dana Gardner

13/02/2024 05:51 PM

The next BriefingsDirect mobile devices security and privacy discussion examines how a new balance needs to be struck between giving users at the remote edge all the productivity they want, while protecting the most sensitive information.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

Stay here to learn how a Minnesota law firm puts the power of diverse mobility to widespread use and keeps confidential and regulated data under strict control.

Here to share his story of how to guide small and medium-sized businesses (SMBs) to the edge and back safely is Mark Hatfield, IT Director at Jeff Anderson & Associates, and IT Infrastructure and Security Consultant at Hatfield Engineering Corp., both in St. Paul, Minnesota. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Mark, what are some of the major business and productivity trends that have pushed the demand for all kinds of mobile devices in the field?

Hatfield: For the first time, we’re living in a world where both company data and documents are accessible from anywhere. Before, it was primarily email. Also, we’re seeing more and more mobile -- advanced mobile devices, such as the iPad Pro, capable of a lot more than your smartphones. We need to make sure that these mobile devices are as secure as possible.

Hatfield

In the past, what we had to secure them were mobile device management (MDM) solutions, but those are not security solutions by themselves. They did have some basic security settings, but what was missing from these new endpoints in their advanced state -- accessing sensitive corporate data -- was that we didn’t have a full-blown security client such as Bitdefender, which we now have on our workstations, servers, and laptops, all reporting back to me in real time what’s happening.

Gardner: In order for the productivity to take place and for the security to be accommodated, have you had to do some jerry-rigging or, are these off-tlf solutions? How do you even approach a solution at the edge such as you’re describing?

Hatfield: Well, if you take a look at the world of MDM, it’s very much a roll-your-own solution. I mean that in the broadest sense. So, you try to put controls on there and you try to say, “Hey, your phone has to be up to date. You have to have a passcode to unlock it. If it’s jailbroken or hacked, we’re not going to allow it.” You can even do things and say, “Well, since we only have iPhones, we’re only going to allow iPhones to connect.”

That’s all well and good, but that does not stop, for example, malware. It doesn’t give you the capability to filter the content in the web filtering, and it certainly doesn’t give you the visibility to view inside of the web traffic that the users are browsing to on these mobile devices.

Gardner: So, you start out with the Wild West, but you have to bring it under law and order. Let’s learn why that’s so important. Tell us about Jeff Anderson & Associates and why it is so important that the privacy and management of this critical data is controlled, managed, and secured.

Hatfield: Jeff Anderson is the premier law firm in the United States for survivors of abuse. Jeff Anderson is one of the key pioneers in the field. For the survivors that we represent, that data is extremely confidential and sensitive both from a personal and a legal standpoint.

In the past, you would have individuals accessing just email, but now we have people that need to access sensitive legal documents from their mobile devices. I needed to add an extra layer of security.

As I mentioned before, in the past, you would have individuals accessing just email, but now we have people that need to access sensitive legal documents from their mobile devices. I needed to add an extra layer of security that MDM was missing.

Gardner: And, of course, these are law firms, so there’s active discovery going on. They’re out in the field, they’re interviewing people, they’re taking pictures of evidence. There’s myriad types of media modes and structured and unstructured data. This is no small task -- to give them safely the full purview of what they want to do their jobs.

Confidential in the cloud

Hatfield: Also, since we’re shifting everything to the cloud, it means that all of our legal documents are available in the cloud.

Literally, if we allow it, a mobile device can access any of our legal documents from anywhere. It would be disastrous for an unauthorized individual to gain access to those legal documents, both from a personal traumatic point of view for the survivors and also from a legal point of view. We are required to keep those documents safe. They contain sensitive information we need to keep secure.

Gardner: And as you mentioned, a lot of this is going up to the cloud, so we’re hop, skipping and jumping over various networks. And so, the in between, the edge, and the cloud all need to be considered as well.

Hatfield: That’s the other thing that’s changed, too. In the past, you had users that were going to access more sensitive corporate data such as documents and applications. They were required to connect to our private, secured corporate Wi-Fi. But now, with the mobile devices, they’re out everywhere. They’re in a coffee shop where there’s public Wi-Fi.

We don’t get to control where these mobile edge devices connect from, so we have to make sure that even if they’re connected to a public Wi-Fi spot and making it all the way back to our cloud to access sensitive documents, that they remain secure all the way there and all the way back.

Also, we need to make sure that those phones are free from infection. There could literally be something on the phone that’s snooping on what the end user is looking at on those mobile devices.

Gardner: Right. While we’re using Jeff Anderson and Associates as our use case today, and we’ll be digging more into how that solution came about, this applies to lots of other SMBs, enterprises, or even departments or divisions within enterprises.

As a consultant, are you seeing these demands across the board -- or only in a handful of industries? Other than Jeff Anderson & Associates, where are the use cases in verticals that this demand for mobile security is cropping up?

Hatfield: I also consult for Baldwin Supply in Minneapolis. They supply industrial parts. They do customized conveyor belts for large agricultural, industrial applications. They don’t have legal documents that users out in the field need to access, but they need to access their main company applications that have sensitive information such as sales figures and customer data.

Companies need to access their main company applications out in the world. They need to be able to access data anywhere -- all through their mobile devices. And that information has to be kept secure.

They need to be out in the world as a field representative. When they’re in a factory, they need to be able to access that data anywhere, and they need to be able to add data, and even get the client an “on-site,” all through their mobile device. Maybe it’s not the same level of sensitivity and security that a law firm requires, but that information still has to be kept secure.

Gardner: I imagine that the mobile edge is pervasive across almost all business now. There’s not too many that wouldn’t want to have the capability to do mobile device security and compliance in the best way possible.

Hatfield: Yes. It used to be for you to get that kind of access on a mobile device, you had to do some type of expensive third-party implementation. For example, Microsoft 365, out of the box even for a small business, they give you access to Word, Excel, SharePoint, OneDrive, not just Outlook accessing your email. So, every single business is going to get that access and regardless of what business you’re in, you still want to keep your data secure.

BYOD means keeping work data separate

Gardner: Now, it wasn’t that long ago when people had to decide: Do we allow Bring Your Own Device, (BYOD) or not? It seems to me that we don’t even concern ourselves anymore whether it’s your device or their device as long as it’s a device. So, we have to secure all the devices, not just a handful of certain standardized ones, for example.

Hatfield: Correct. That obviously makes it more complicated. In the world of MDM, you basically end up creating two basic scenarios: One for the corporate-owned devices, the other one for BYOD.

The BYOD devices, I’m not concerned about their personal information, but any apps that I deployed to them that are corporate apps that access corporate data, I need to ensure that piece of it on the BYOD device is secure. Also, if need be, we need to be able to wipe that piece of the data off of their device without touching the rest of the data on the device.

With a corporate device, we can just say erase the whole thing if we need to. We don’t want to erase people’s photos of their children and things like that. They would get really upset. It’s not really within our purview to do that. But, we do need to keep that corporate data separate and secure and make sure we have the capability to delete it if necessary.

Gardner: Best practices for security always include onboarding and offboarding people properly That’s also probably more complex on the device edge.

Hatfield: Yes, it is. If you spend a lot of time properly implementing an MDM solution, you can automate a lot of that with the two different scenarios. It’s no easy task. Once you get it all working, it’s really great.

I'm going to take that same approach with the Bitdefender Mobile. Meaning, just like at on premise, I have different policies for laptops versus workstations versus servers. I’m going to end up with customized policies. One that applies to corporate MDM devices and another policy that applies to BYOD devices at a high level.

We’ll probably need to break that down a little bit between Android and Apple, right? The differences are a little bit more subtle, but at the high level, I’m going to end up with two policies that are very dialed-in to provide the needed security while also allowing the user to properly use their device.

Gardner: Let’s dig into the Jeff Anderson & Associates use case a bit more. Tell us how you developed your security posture at the mobile edge and how you brought it to full execution in this particular organization?

Hatfield: Typically, in the past, we had just put email on people’s mobile devices, and we’ve always had a mix of corporate-owned and BYOD. So that’s where we started, where many people did, and then we added MDM Then we started giving them access to more things such as Word and Excel, so they could open up attachments.

As we shifted our documents to the cloud, Microsoft was providing a SharePoint client for your mobile devices. But I said "We need more here."

But then, as we shifted our documents to the cloud, Microsoft was providing a SharePoint client for your mobile device, and the end user could access all that data. At that point, I said, “We need more here.” In my mind, these MDMs have almost become full-fledged user endpoints like a laptop. They can access the same data, they can perform the same functionality, but what are they missing?

They don’t have a security client like Bitdefender, right? We managed our on-premises devices with a group policy and we managed our mobile devices with MDM. I don’t just rely on group policy to secure my endpoints on-premises, I also have to have that security client. I take that same philosophy and extend it out to the mobile devices because, if you take a look at the iPad Pro, it is essentially a laptop.

Gardner: It’s a client for sure, right? That’s not a thin client, that’s a client.

Hatfield: Right. It can do everything the laptop can do.

Gardner: Yes. And one of the ways to protect a laptop would be to make it a virtual client at the edge. Everything is really just going back to the cloud. Is that the solution for mobile devices, too?

Hatfield: No. I used to do a ton of remote desktop. On-premises, it works extremely well. If you’re going to say, for example, I’m going to create a whole virtual desktop that’s either hosted in the cloud or on-premises for an end user, how well that performs is based on how good their connectivity speed is, and the latency. You could control that on-premises or on your corporate controlled Wi-Fi. But when end users are wherever, the problem is no one knows what the quality of their connection is going to be.

Yes, it’s enough to surf the internet and get email, but if they’re trying to access an entire virtual desktop in the cloud or even one that’s hosted on-premises, they’re not going to have a good experience. I very much have shifted to that we’re focused on the clients or on the endpoints, but all the data is in the cloud.

Also more and more, we’re seeing where Microsoft and others are starting to shift the actual client to a web browser. So, it doesn’t make as much sense as it used to, to create a virtual desktop if the users are accessing most of their apps in a web browser, and that’s all optimized.

Gardner: You find yourself wanting more security for more types of apps and uses at the edge, you didn’t know of anything off-tlf you could easily drop in. You had to do some customization. Tell us about that mobile security pilot, or proof of concept journey, and where you are with it right now.

Secure success on all endpoints

Hatfield: The mobile device solution that we utilize is Microsoft Intune. We’re very heavy into Office 365. It seemed like a natural fit, for the integration. Then, we were looking for an additional security client that can handle malware and those types of scenarios. I was very intrigued by Bitdefender. If you have Intune, the Bitdefender technology and security client that gets installed on the mobile device endpoint adds even more functionality. It ties into Intune.

I’m kind of marrying the two worlds together. In addition to that, I’ve been extremely impressed with Bitdefender for all of our other needs -- our servers, our workstations, and laptops. They’ve been extremely helpful. They’ve kept us extremely safe. The other thing that differentiates Bitdefender from many of the vendors I’ve worked with, is that they listen to your suggestions and they actually act on them.

I view it as a partnership that has worked out fantastic for doing all of our traditional endpoints. Now I’m looking to add that to the mobile device, plus, it’s going to integrate with our MDM solution bringing us even more power.

Gardner: How does that remote agent on the mobile device process work? Are you in control of that? Do you feel like the user experience is okay? Are they oblivious to it? Is there any degradation of functionality at the edge when you deploy and use an agent like that for security and management?

Hatfield: That’s where the testing comes in. Anytime you’re going to deploy something new, you have to start with some test devices and really, really fine tune it because you cannot inconvenience the user much. You can’t slow down their performance. They’re basically not going to tolerate it. They’ll go to upper management. Upper management isn’t going to tolerate it. They’ll say, “Hey, security is nice, but if we can’t do our job, then security doesn’t mean anything.”

Anytime you deploy something new, you have to start with test devices and really fine tune it. But you cannot inconvenience the user or slow them down. They won't tolerate it.

They have a good point. So, if you do all of your fine tuning and you make it as secure as possible while at the same time making it so the user almost doesn’t even notice, then your acceptance from the users is going to be much better than if you try to force something on them that’s inconvenient and that gives them a negative performance experience.

Gardner: When you’ve crossed that hurdle and you have a good agent that’s helping you with security, you’re going to deliver that analysis and data somewhere. Have you started using any security operations centers (SOCs) in the cloud or other services so that you can automate or at least streamline the process of analyzing and getting any threat reports in as near real time as possible?

Keeping track of all the data

Hatfield: Bitdefender recently added Endpoint Detection and Response (EDR), to their product line and that is pulling lots of extra data from the client and compiling it and making it easy to look at.

It not only understands what’s going on in the endpoint, but they also have call agents that reach into Office 365 so it knows about Azure authentication, it knows about SharePoint and OneDrive documents. And it’s compiling all of that for us so that if there is something to look at, it’s very, very easy in that reporting center to dial in to what you want it to see, complete with graphs and flows.

Let’s say there is something that maybe caught your eye and didn’t look right. I cannot just click on it and say, “Well, scan it. Is it a virus or not?” I can actually go in because of EDR and I can see, “Oh, this application talked to this, and it went up to this web site. Yes, it’s okay, it’s valid, I can whitelist it right now.”

I’m not going to get that alert anymore. Without that EDR component, we would have had to dig through logs for hours and hours, if we could have found the time to do that.

I was very happy to learn that the EDR component in Bitdefender will be available to extend the mobile device endpoints. I’m thinking that that EDR component is going to also be tying into Intune and feeding it more data.

We also do quite a bit of security in Microsoft’s own realm in the Azure cloud. You’re marrying it all together so that all of your data is coming together in an interface where it’s very easy for you to clearly see what is happening.

Gardner: That ease of security management, if you will, is super important in the SMBs, because more often than not in those organizations, the IT director is also the security chief. And that’s the case with you as well.

How important is it for you to be able to get what you need quickly and easily, with as much automation and streamlining as possible?

Hatfield: It’s extremely important. Yes, I’m the IT Director, I’m the head of security. I was a security auditor as a consultant for years before that. I was also a Microsoft Certified Systems Engineer, so I do a lot of the 365 engineering. I wear a lot of hats. We don’t have a lot of time.

The technology keeps getting more and more complex and coming at us faster and faster, and the users’ expectations keep growing too, as they’re handed this new technology. So, there’s no way that we could investigate and feel as secure as we do without that type of EDR solution in place.

Gardner: Let’s go back and revisit the experiences of those folks at Jeff Anderson & Associates -- super sensitive information, all sorts of in-the-field activities probably often in a courtroom setting where time is of the essence when you’re doing discovery of reaction to witnesses or other reports. What’s been the result? How have you been able to quantify or qualify your capability to secure that edge and give them the productivity and security and compliance and privacy that they want?

Secure documents in the courtroom

Hatfield: So far, it’s worked out really well. We’ve added a whole other layer of security. I worked very hard to make sure that the settings that we were applying were not hindering their performance in a noticeable fashion. Perhaps we did have to “bother the user” for a minute just to get it set up initially and make sure it was working. But since then, we haven’t had to bother them at all.

Wi-Fi is available everywhere, even in the courtroom. If the lawyers need a document in our cloud, they are accessing it on an iPad, or a phone in a pinch. They have to have access to that document.

Wi-Fi is available everywhere, even the courtroom. If they don’t have a document that they copied to their laptop locally or they need an additional document. It’s in our cloud, whether they’re accessing that on an iPad, or even on a phone in a pinch, they have access to that document. So, I think it’s worked out very well.

Gardner: Do you have any metrics or key performance indicators (KPIs) that are important for you to measure how you’re doing your job or how your suppliers are performing their jobs? What do you look for when you say, “I’m getting my money’s worth here?”

Hatfield: The first thing is we’re not getting any infections. Secondly, it tells you what it’s blocking, too. When we go up there, I don’t have anything new whitelisted when I roll it out.

I’m seeing everything that it blocks and looks at. So, those are kind of my metrics -- is it looking at everything? Is it reading inside of the HTTPS web surfing that the end users are doing? Check, it does that.

Is it looking at when a user pulls a document down from SharePoint? Is it scanning it for anti-malware? Yes, it is. On the EDR side, is it looking at things such as a user who is pulling down thousands of documents, which would be out of place for a mobile device, and that sets off an alert? I’ll even do scenarios that maybe a common attacker would use to see that I get those alerts. Those are the metrics I use.

Gardner: It’s also important for SMBs where there’s a jack of all IT trades such as yourself that you’re getting support and the sense of partnership from the supplier. Has Bitdefender been a good fit in that regard?

Bitdefender: Partner in problem solving

Hatfield: They’ve been amazing. It’s an unfortunate trend in our industry where you see company consolidation and they’ve taken a hatchet to the support staff. They’ve outsourced a lot of it. So, support is not immediately available. You’re starting with somebody that’s too low-level for the problem you’re working on -- and a lot of times they’re almost no help at all.

That is not the experience with Bitdefender. They will either immediately or very quickly get you to the person you need that can help you solve the problem. They are real engineers that understand the product and you can go through it with them.

There’s been a few rare situations where they’ve remarked, “Wow, you’ve stumbled onto a scenario here where there might be a bug.” They’ll actually bring it to development to have them confirm it. I’ve had one or two situations where they did confirm and then they provided an immediate fix, and the turnaround time was days. That doesn’t happen with any other companies I have worked with, and I have worked with just about all of them.

Gardner: Let’s look to the future. Mark, what would you like to see happening on the mobile security front over the next few years? Do you have any ideals in terms of the service, the variety of coverage, the amount of automation or even intelligence brought to bear? What would you like to see in your wish list for the future on the mobile edge?

Hatfield: On the mobile edge, of course, I want to see all aspects of it covered. But what I think you’re going to need to have it do too is artificial intelligence (AI), where because of EDR, it is pulling an immense amount of detailed information from the mobile devices and your other endpoints about the applications and which executable talks to which web site, and it’s analyzing the entire behavior set.

But I don’t have time to look through all of that. So, you’re going to need something that can, in an intelligent fashion, look at that gigantic amount of data and come to some conclusions.

Initially, it would be alerts sent to you, but what I want to see is if scenario A, B, or C happens, it can go ahead and disable the user’s account automatically. Some of this is available in parts of Bitdefender, where you can configure it to take automated actions on your behalf. I don’t have to get a notification; I don’t have to look at it because I’m not going to have time.

If the good actors are relying on AI to help increase safety and productivity, unfortunately the malicious actors are going to be using AI for nefarious purposes, too. Without that automation piece and without it being intelligent, and without its capability to take actions on your behalf when needed, you will not have time to respond. It’s going to take that level of sophistication to keep us safe in the future.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: Bitdefender.