BlackBerry's 7th Annual Security Summit was this week. CEO John Chen again opened the event with a keynote. He is proud of the pivot that he has taken BlackBerry on over the last seven years, moving the firm from a smartphone vendor to a security vendor. With the threats we now have, the need for a comprehensive approach to securing the user has never been more important because, most often, it is the user that is the source of a breach.
Like many speakers, John plays off an audience, and without that audience, we lost the energy and humor that typically defines one of his talks. So rightly, he let others carry most of the message this morning. This deferring to others is the best practice. Not everyone is good at everything, and performing in front of a camera is an entirely different skill set than performing in front of a live audience.
Of the vendors I cover, the one that does the best job of securing the user across all the hardware they use is BlackBerry. Chen concluded, as he virtually passed the microphone to Rob Smith, one of the leading security analysts at Gartner, that companies that are struggling with getting the level of consistent, affordable security over the host of devices employees are using. To address this, he said BlackBerry has developed the perfect approach to the problem. This message wasn't subtle, nor was it over the top, and he struck a nice brief balance while promoting his company's solutions and services.
Gartner's Rob Smith: UES needed to survive In a COVID-19 world
Smith was brought on stage as an independent (from BlackBerry) analyst to talk about how the world has changed since the pandemic began. He was taped in Amsterdam, showcasing one of the benefits to this new world in that speakers can be brought in from anyplace, and all they need to do is pre-tape the talk (and you gain the ability to shoot in segments, leading to a more refined end product).
Rob opened with the three waves of the Pandemic. The first wave was getting people up and running remotely. The second wave was most focused on making the connections safe by turning on AV and securing the user. And finally, the third wave or phase is focused on optimizing the result. You must realize in phase 3 that all employees aren't equal, and their data isn't equal either.
He advises firms to build a virtual persona for each employee class. He also advises that those who need a higher level of security need hardware that can be adequately secured, not consumer hardware, but hardware certified to be secure enough for what will reside on it. The third variable is what data they have access to and where it resides. Is the data, like healthcare data, regulated, on-premises, or in the cloud, and what kind of access is needed? Finally, where is the data located and what unique regulations cover the data where it resides? For example, states in the U.S. have different regulations, as do countries, with Germany used as an example of a country with extremely high requirements.
Depending on those variables, the solution might include virtualization, VPNs, and specialized hardware, but however you get there, the solution should be built from a model. Rob took us through a short history of how MDM (Mobile Device Management) evolved to become EMM (Enterprise Mobility Management, to finally UEM (Unified Endpoint Management). The focus was to get all devices that a user might need underneath a single security umbrella with a common dashboard so that the security team could more easily manage everything with a single view. UEMs weren't that popular until this year, but with the staffing difficulties coupled with the workforce's remote nature, UEMs have become incredibly popular. Experiences have shown that costs are reduced, ease of use for admins has increased, and exposures are being mitigated more effectively.
He advises that patching should be changed by moving VPN activity to the cloud and making it much more dynamic, driven by need, not by the vendor's schedule.
Rob then covered the evolution of anti-virus software starting from the early definition-based efforts to EDR (Endpoint Detection and Response) and automation, which is where we are now with offerings like BlackBerry's Cylance. Why the automation part is essential is because EDR without it is too labor-intensive to be practical. Gartner recommends this solution still be wrapped by professional staff to cover any gaps in the solution.
Now this covers PCs, but what about mobile devices? Mobile Threat Defense (which is often confused with Mobile Device Management, which is quite different), is still limited, only catching about 20% of the attacks.
What's needed is Unified Endpoint Security (UES), which includes all the components needed to manage both PCs and Mobile Devices. With this added telemetry, admins get a far more granular level of control and more effectively secure the users and the devices they use. COVID is driving the rapidly increasing demand for UES.
Always-on VPN, which is still common, causes a series of problems, including performance (particularly with Zoom calls) and tons of inefficiencies and unique security problems. Rob recommends a Zero Trust approach where you use UES as part of the authentication process. Based on the user and the device, a security solution is dynamically applied to mitigate the unique exposures that the user, their location, and the device indicate. For example, if the user is a full employee on-premises in a secure area with authorized hardware, they'd get full access; if they are an intern in a remote, insecure area with unauthorized hardware, they are severely limited in terms of access due to the relative exposures.
Wrapping up: UES is the answer
Using a third-party analyst or customer to make a case for a type of tool is a best practice because, in this regard, they'll be more credible than the vendor will be. But only a customer can advocate a specific tool because if the analyst does that, they'll bleed credibility as a paid speaker. BlackBerry did this exactly right in that Smith focused on the market trends, requirements, and product classes, concluding that the class of product BlackBerry offers to address UES's remote work problem is the least costly and most effective class.
BlackBerry pretty much stands alone here, which is why they have historically had strong customer advocates like Bank of America. In the end, the point of this opening talk was clear: in an enterprise where exposures are high and the ability to fully staff, particularly during a pandemic, is constrained, only a UES approach will both be affordable and effective.
This speech was an excellent opening for the firm that arguably sells the best UES tool in the market.