Monday, February 12, 2024

How a Minnesota law firm brings mission critical security to myriad mobile devices

The next BriefingsDirect mobile devices security and privacy discussion examines how a new balance needs to be struck between giving users at the remote edge all the productivity they want, while protecting the most sensitive information.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.


Stay here to learn how a Minnesota law firm puts the power of diverse mobility to widespread use and keeps confidential and regulated data under strict control.

Here to share his story of how to guide small and medium-sized businesses (SMBs) to the edge and back safely is Mark Hatfield, IT Director at Jeff Anderson Associates, and IT Infrastructure and Security Consultant at Hatfield Engineering Corp., both in St. Paul, Minnesota. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Mark, what are some of the major business and productivity trends that have pushed the demand for all kinds of mobile devices in the field?


Hatfield: For the first time, we’re living in a world where both company data and documents are accessible from anywhere. Before, it was primarily email. Also, we’re seeing more and more mobile -- advanced mobile devices, such as the iPad Pro, capable of a lot more than your smartphones. We need to make sure that these mobile devices are as secure as possible.


In the past, what we had to secure them were mobile device management (MDM) solutions, but those are not security solutions by themselves. They did have some basic security settings, but what was missing from these new endpoints in their advanced state -- accessing sensitive corporate data -- was that we didn’t have a full-blown security client such as Bitdefender, which we now have on our workstations, servers, and laptops, all reporting back to me in real time what’s happening.


Gardner: In order for the productivity to take place and for the security to be accommodated, have you had to do some jerry-rigging, or are these off-the-shelf solutions? How do you even approach a solution at the edge such as you’re describing?


Hatfield: Well, if you take a look at the world of MDM, it’s very much a roll-your-own solution. I mean that in the broadest sense. So, you try to put controls on there and you try to say, “Hey, your phone has to be up to date. You have to have a passcode to unlock it. If it’s jailbroken or hacked, we’re not going to allow it.” You can even do things and say, “Well, since we only have iPhones, we’re only going to allow iPhones to connect.”


That’s all well and good, but that does not stop, for example, malware. It doesn’t give you the capability to filter the content in the web filtering, and it certainly doesn’t give you the visibility to view inside of the web traffic that the users are browsing to on these mobile devices.


Gardner: So, you start out with the Wild West, but you have to bring it under law and order. Let’s learn why that’s so important. Tell us about Jeff Anderson Associates and why it is so important that the privacy and management of this critical data is controlled, managed, and secured.


Hatfield: Jeff Anderson is the premier law firm in the United States for survivors of sexual abuse. Jeff Anderson is one of the key pioneers in the field. For the survivors that we represent, that data is extremely confidential and sensitive both from a personal and a legal standpoint.

As I mentioned before, in the past, you would have individuals accessing just email, but now we have people that need to access sensitive legal documents from their mobile devices. I needed to add an extra layer of security that MDM was missing.


Gardner: And, of course, these are law firms, so there’s active discovery going on. They’re out in the field, they’re interviewing people, they’re taking pictures of evidence. There’s myriad types of media modes and structured and unstructured data. This is no small task -- to give them safely the full purview of what they want to do their jobs.


Confidential in the cloud


Hatfield: Also, since we’re shifting everything to the cloud, it means that all of our legal documents are available in the cloud.


Literally, if we allow it, a mobile device can access any of our legal documents from anywhere. It would be disastrous for an unauthorized individual to gain access to those legal documents, both from a personal traumatic point of view for the survivors and also from a legal point of view. We are required to keep those documents safe. They contain sensitive information we need to keep secure.


Gardner: And as you mentioned, a lot of this is going up to the cloud, so we’re hop, skipping and jumping over various networks. And so, the in between, the edge, and the cloud all need to be considered as well.

Hatfield: That’s the other thing that’s changed, too. In the past, you had users that were going to access more sensitive corporate data such as documents and applications. They were required to connect to our private, secured corporate Wi-Fi. But now, with the mobile devices, they’re out everywhere. They’re in a coffee shop where there’s public Wi-Fi.


We don’t get to control where these mobile edge devices connect from, so we have to make sure that even if they’re connected to a public Wi-Fi spot and making it all the way back to our cloud to access sensitive documents, that they remain secure all the way there and all the way back.


Also, we need to make sure that those phones are free from infection. There could literally be something on the phone that’s snooping on what the end user is looking at on those mobile devices.


Gardner: Right. While we’re using Jeff Anderson and Associates as our use case today, and we’ll be digging more into how that solution came about, this applies to lots of other SMBs, enterprises, or even departments or divisions within enterprises.


As a consultant, are you seeing these demands across the board -- or only in a handful of industries? Other than Jeff Anderson Associates, where are the use cases in verticals that this demand for mobile security is cropping up?


Hatfield: I also consult for Baldwin Supply in Minneapolis. They supply industrial parts. They do customized conveyor belts for large agricultural, industrial applications. They don’t have legal documents that users out in the field need to access, but they need to access their main company applications that have sensitive information such as sales figures and customer data.

They need to be out in the world as a field representative. When they’re in a factory, they need to be able to access that data anywhere, and they need to be able to add data, and even get the client an on-site, all through their mobile device. Maybe it’s not the same level of sensitivity and security that a law firm requires, but that information still has to be kept secure.


Gardner: I imagine that the mobile edge is pervasive across almost all business now. There’s not too many that wouldn’t want to have the capability to do mobile device security and compliance in the best way possible.


Hatfield: Yes. It used to be for you to get that kind of access on a mobile device, you had to do some type of expensive third-party implementation. For example, Microsoft 365, out of the box even for a small business, they give you access to Word, Excel, SharePoint, OneDrive, not just Outlook accessing your email. So, every single business is going to get that access and regardless of what business you’re in, you still want to keep your data secure.


BYOD means keeping work data separate


Gardner: Now, it wasn’t that long ago when people had to decide: Do we allow Bring Your Own Device (BYOD) or not? It seems to me that we don’t even concern ourselves anymore whether it’s your device or their device as long as it’s a device. So, we have to secure all the devices, not just a handful of certain standardized ones, for example.


Hatfield: Correct. That obviously makes it more complicated. In the world of MDM, you basically end up creating two basic scenarios: One for the corporate-owned devices, the other one for BYOD.


The BYOD devices, I’m not concerned about their personal information, but any apps that I deployed to them that are corporate apps that access corporate data, I need to ensure that piece of it on the BYOD device is secure. Also, if need be, we need to be able to wipe that piece of the data off of their device without touching the rest of the data on the device.

With a corporate device, we can just say erase the whole thing if we need to. We don’t want to erase people’s photos of their children and things like that. They would get really upset. It’s not really within our purview to do that. But, we do need to keep that corporate data separate and secure and make sure we have the capability to delete it if necessary.


Gardner: Best practices for security always include onboarding and offboarding people properly. That’s also probably more complex on the device edge.


Hatfield: Yes, it is. If you spend a lot of time properly implementing an MDM solution, you can automate a lot of that with the two different scenarios. It’s no easy task. Once you get it all working, it’s really great.


I’m going to take that same approach with the Bitdefender Mobile. Meaning, just like at on premise, I have different policies for laptops versus workstations versus servers. I’m going to end up with customized policies: One that applies to corporate MDM devices and another policy that applies to BYOD devices at a high level.


We’ll probably need to break that down a little bit between Android and Apple, right? The differences are a little bit more subtle, but at the high level, I’m going to end up with two policies that are very dialed-in to provide the needed security while also allowing the user to properly use their device.


Gardner: Let’s dig into the Jeff Anderson Associates use case a bit more. Tell us how you developed your security posture at the mobile edge and how you brought it to full execution in this particular organization?


Hatfield: Typically, in the past, we had just put email on people’s mobile devices, and we’ve always had a mix of corporate-owned and BYOD. So that’s where we started, where many people did, and then we added MDM. Then we started giving them access to more things such as Word and Excel, so they could open up attachments.

But then, as we shifted our documents to the cloud, Microsoft was providing a SharePoint client for your mobile device, and the end user could access all that data. At that point, I said, “We need more here.” In my mind, these MDMs have almost become full-fledged user endpoints like a laptop. They can access the same data, they can perform the same functionality, but what are they missing?


They don’t have a security client like Bitdefender, right? We managed our on-premises devices with a group policy and we managed our mobile devices with MDM. I don’t just rely on group policy to secure my endpoints on-premises, I also have to have that security client. I take that same philosophy and extend it out to the mobile devices because, if you take a look at the iPad Pro, it is essentially a laptop.


Gardner: It’s a fat client for sure, right? That’s not a thin client, that’s a fat client.


Hatfield: Right. It can do everything the laptop can do.


Gardner: Yes. And one of the ways to protect a laptop would be to make it a virtual client at the edge. Everything is really just going back to the cloud. Is that the solution for mobile devices, too?


Hatfield: No. I used to do a ton of remote desktop. On-premises, it works extremely well. If you’re going to say, for example, I’m going to create a whole virtual desktop that’s either hosted in the cloud or on-premises for an end user, how well that performs is based on how good their connectivity speed is, and the latency. You could control that on-premises or on your corporate controlled Wi-Fi. But when end users are wherever, the problem is no one knows what the quality of their connection is going to be.

Yes, it’s enough to surf the internet and get email, but if they’re trying to access an entire virtual desktop in the cloud or even one that’s hosted on-premises, they’re not going to have a good experience. I very much have shifted to that we’re focused on the clients or on the endpoints, but all the data is in the cloud.


Also more and more, we’re seeing where Microsoft and others are starting to shift the actual client to a web browser. So, it doesn’t make as much sense as it used to, to create a virtual desktop if the users are accessing most of their apps in a web browser, and that’s all optimized.


Gardner: You find yourself wanting more security for more types of apps and uses at the edge, you didn’t know of anything off-the-shelf you could easily drop in. You had to do some customization. Tell us about that mobile security pilot, or proof of concept journey, and where you are with it right now.


Secure success on all endpoints


Hatfield: The mobile device solution that we utilize is Microsoft Intune. We’re very heavy into Office 365. It seemed like a natural fit for the integration. Then, we were looking for an additional security client that can handle malware and those types of scenarios. I was very intrigued by Bitdefender. If you have Intune, the Bitdefender technology and security client that gets installed on the mobile device endpoint adds even more functionality. It ties into Intune.


I’m kind of marrying the two worlds together. In addition to that, I’ve been extremely impressed with Bitdefender for all of our other needs -- our servers, our workstations, and laptops. They’ve been extremely helpful. They’ve kept us extremely safe. The other thing that differentiates Bitdefender from many of the vendors I’ve worked with, is that they listen to your suggestions and they actually act on them.


I view it as a partnership that has worked out fantastic for doing all of our traditional endpoints. Now I’m looking to add that to the mobile device, plus, it’s going to integrate with our MDM solution bringing us even more power.


Gardner: How does that remote agent on the mobile device process work? Are you in control of that? Do you feel like the user experience is okay? Are they oblivious to it? Is there any degradation of functionality at the edge when you deploy and use an agent like that for security and management?


Hatfield: That’s where the testing comes in. Anytime you’re going to deploy something new, you have to start with some test devices and really, really fine tune it because you cannot inconvenience the user much. You can’t slow down their performance. They’re basically not going to tolerate it. They’ll go to upper management. Upper management isn’t going to tolerate it. They’ll say, “Hey, security is nice, but if we can’t do our job, then security doesn’t mean anything.”

They have a good point. So, if you do all of your fine tuning and you make it as secure as possible while at the same time making it so the user almost doesn’t even notice, then your acceptance from the users is going to be much better than if you try to force something on them that’s inconvenient and that gives them a negative performance experience.


Gardner: When you’ve crossed that hurdle and you have a good agent that’s helping you with security, you’re going to deliver that analysis and data somewhere. Have you started using any security operations centers (SOCs) in the cloud or other services so that you can automate or at least streamline the process of analyzing and getting any threat reports in as near real time as possible?


Keeping track of all the data


Hatfield: Bitdefender recently added Endpoint Detection and Response (EDR) to their product line and that is pulling lots of extra data from the client and compiling it and making it easy to look at.


It not only understands what’s going on in the endpoint, but they also have call agents that reach into Office 365 so it knows about Azure authentication, it knows about SharePoint and OneDrive documents. And it’s compiling all of that for us so that if there is something to look at, it’s very, very easy in that reporting center to dial in to what you want it to see, complete with graphs and flows.


Let’s say there is something that maybe caught your eye and didn’t look right. I cannot just click on it and say, “Well, scan it. Is it a virus or not?” I can actually go in because of EDR and I can see, “Oh, this application talked to this, and it went up to this web site. Yes, it’s okay, it’s valid, I can whitelist it right now.”


I’m not going to get that alert anymore. Without that EDR component, we would have had to dig through logs for hours and hours, if we could have found the time to do that.


I was very happy to learn that the EDR component in Bitdefender will be available to extend the mobile device endpoints. I’m thinking that that EDR component is going to also be tying into Intune and feeding it more data.


We also do quite a bit of security in Microsoft’s own realm in the Azure cloud. You’re marrying it all together so that all of your data is coming together in an interface where it’s very easy for you to clearly see what is happening.


Gardner: That ease of security management, if you will, is super important in the SMBs because more often than not in those organizations, the IT director is also the security chief. And that’s the case with you as well.

How important is it for you to be able to get what you need quickly and easily, with as much automation and streamlining as possible?


Hatfield: It’s extremely important. Yes, I’m the IT Director, I’m the head of security. I was a security auditor as a consultant for years before that. I was also a Microsoft Certified Systems Engineer, so I do a lot of the 365 engineering. I wear a lot of hats. We don’t have a lot of time.


The technology keeps getting more and more complex and coming at us faster and faster, and the users’ expectations keep growing too, as they’re handed this new technology. So, there’s no way that we could investigate and feel as secure as we do without that type of EDR solution in place.


Gardner: Let’s go back and revisit the experiences of those folks at Jeff Anderson Associates -- super sensitive information, all sorts of in-the-field activities probably often in a courtroom setting where time is of the essence when you’re doing discovery of reaction to witnesses or other reports. What’s been the result? How have you been able to quantify or qualify your capability to secure that edge and give them the productivity and security and compliance and privacy that they want?


Secure documents in the courtroom


Hatfield: So far, it’s worked out really well. We’ve added a whole other layer of security. I worked very hard to make sure that the settings that we were applying were not hindering their performance in a noticeable fashion. Perhaps we did have to “bother the user” for a minute just to get it set up initially and make sure it was working. But since then, we haven’t had to bother them at all.

Wi-Fi is available everywhere, even the courtroom. If they don’t have a document that they copied to their laptop locally or they need an additional document. It’s in our cloud, whether they’re accessing that on an iPad, or even on a phone in a pinch, they have access to that document. So, I think it’s worked out very well.


Gardner: Do you have any metrics or key performance indicators (KPIs) that are important for you to measure how you’re doing your job or how your suppliers are performing their jobs? What do you look for when you say, “I’m getting my money’s worth here?”


Hatfield: The first thing is we’re not getting any infections. Secondly, it tells you what it’s blocking, too. When we go up there, I don’t have anything new whitelisted when I roll it out.


I’m seeing everything that it blocks and looks at. So, those are kind of my metrics -- is it looking at everything? Is it reading inside of the HTTPS web surfing that the end users are doing? Check, it does that.


Is it looking at when a user pulls a document down from SharePoint? Is it scanning it for anti-malware? Yes, it is. On the EDR side, is it looking at things such as a user who is pulling down thousands of documents, which would be out of place for a mobile device, and that sets off an alert? I’ll even do scenarios that maybe a common attacker would use to see that I get those alerts. Those are the metrics I use.


Gardner: It’s also important for SMBs where there’s a jack of all IT trades such as yourself that you’re getting support and the sense of partnership from the supplier. Has Bitdefender been a good fit in that regard?


Bitdefender: Partner in problem solving


Hatfield: They’ve been amazing. It’s an unfortunate trend in our industry where you see company consolidation and they’ve taken a hatchet to the support staff. They’ve outsourced a lot of it. So, support is not immediately available. You’re starting with somebody that’s too low-level for the problem you’re working on -- and a lot of times they’re almost no help at all.


That is not the experience with Bitdefender. They will either immediately or very quickly get you to the person you need that can help you solve the problem. They are real engineers that understand the product and you can go through it with them.


There’s been a few rare situations where they’ve remarked, “Wow, you’ve stumbled onto a scenario here where there might be a bug.” They’ll actually bring it to development to have them confirm it. I’ve had one or two situations where they did confirm and then they provided an immediate fix, and the turnaround time was days. That doesn’t happen with any other companies I have worked with, and I have worked with just about all of them.


Gardner: Let’s look to the future. Mark, what would you like to see happening on the mobile security front over the next few years? Do you have any ideals in terms of the service, the variety of coverage, the amount of automation or even intelligence brought to bear? What would you like to see in your wish list for the future on the mobile edge?


Hatfield: On the mobile edge, of course, I want to see all aspects of it covered. But what I think you’re going to need to have it do too is artificial intelligence (AI), where because of EDR, it is pulling an immense amount of detailed information from the mobile devices and your other endpoints about the applications and which executable talks to which web site, and it’s analyzing the entire behavior set.


But I don’t have time to look through all of that. So, you’re going to need something that can, in an intelligent fashion, look at that gigantic amount of data and come to some conclusions.

Initially, it would be alerts sent to you, but what I want to see is if scenario A, B, or C happens, it can go ahead and disable the user’s account automatically. Some of this is available in parts of Bitdefender, where you can configure it to take automated actions on your behalf. I don’t have to get a notification; I don’t have to look at it because I’m not going to have time.


If the good actors are relying on AI to help increase safety and productivity, unfortunately the malicious actors are going to be using AI for nefarious purposes, too. Without that automation piece and without it being intelligent, and without its capability to take actions on your behalf when needed, you will not have time to respond. It’s going to take that level of sophistication to keep us safe in the future.

Sponsor: Bitdefender.
