ESG recently completed testing of BlackBerry Intelligent Security, which is designed to continuously evaluate risk and dynamically apply risk-based security policies to protect endpoints. Testing focused on ease of deployment and management and the simplification of the user experience.
While recent trends like the consumerization of IT and bring-your-own-device (BYOD) policies are ultimately driven by a desire to maximize employee productivity, mobile devices and applications have expanded the security perimeter, and security still takes precedence over those aspirations. Indeed, cybersecurity is a significant factor in four of the top five most-cited challenges organizations face when managing applications, data, and endpoints (see Figure 1).1
Mobile devices and applications are proving to be valuable to businesses, but they are also placing stress on their security postures. The line between personal and corporate identities has blurred, creating both privacy and protection challenges. Compounding the complexity of security is the fact that users’ expectations have changed about how, when, and where they can work—the concept of the office has been extended to include homes, coffee shops, and just about any global location with Internet access.
When a user worked from a single device with a standard set of applications, profile changes were predictable. Now that users rely on multiple devices for business purposes, profile changes can be a nightmare to manage and maintain.
BlackBerry Intelligent Security
BlackBerry Intelligent Security (BIS) was designed to use machine learning (ML) and other predictive artificial intelligence (AI) techniques to dynamically adapt security policy based on numerous factors, including device and user behavior as well as location. BIS can re-authenticate users continuously, unobtrusively, and passively, without prompting legitimate users for credentials.
BIS builds on BlackBerry’s existing applications, endpoint management, and identity and access management (IAM) products, including BlackBerry UEM, BlackBerry Dynamics, and BlackBerry Enterprise Identity (EID) solutions. BIS integrates directly into UEM without requiring any new infrastructure. BIS will also work with existing third-party infrastructure, including external identity providers (IDPs) like Ping, Okta, and ADFS, and enterprise applications such as Salesforce and Office 365.
As shown in Figure 2, BIS analyzes a multitude of factors, including geographic location, device and application “DNA,” network trust and reputation, and time and use data. Many other contextual factors, such as PC/laptop and browser context, and individual and aggregate user behavior, are incorporated into the ML model. The result of the analysis is a real-time risk score.
BIS dynamically adapts security and policy posture based on the real-time risk score and applies remediation when needed. Users can be granted or denied access, presented with a security challenge, or required to authenticate with multi-factor authentication (MFA). Policies can include restrictions on access to applications as well as device features such as cameras. This enables the user experience and security posture to be mutually and dynamically optimized.
Real-time risk scoring factors include:
- Current location—is the current location inherently higher or lower risk? Is the current location and time consistent with past behavior? Is the current location and time possible based on last known location and time?
- Device, app, and network—has this device or app been used before, and how often? Has the device or app changed since last use? Has the network been used before? What is the network reputation?
- User Activity—what app or service is being accessed? What actions are being taken? Is the app, service, or action inherently higher or lower risk?
- User behavior—is this a normal time of use? Is the frequency of access or action normal? Is this behavior consistent with the user’s past behavior? Is this behavior consistent with other users’ past behavior? Does behavior across multiple devices and apps correlate in time and current context?
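The factor list above reads as a checklist; the following is an added, hypothetical scorer (not BlackBerry's code, whose model is not published on this page) that turns three of those questions into code: whether the move from the last known location is physically possible, whether the device and network have been seen before, and whether the hour of use is normal for this user. The point weights, the 900 km/h plausibility ceiling, and the sample sightings are all assumptions constructed for the example.

```python
"""Hypothetical real-time risk scorer in the style of the BIS factors above.
Added example: not BlackBerry code. Weights and thresholds are assumptions."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruise speed
GPS_JITTER_KM = 1.0         # assumption: tolerated drift between same-second fixes
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Sighting:
    ts: int            # epoch seconds, UTC
    lat: float
    lon: float
    device_id: str
    network: str       # assumed identifier such as an SSID


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(prev: Sighting, cur: Sighting) -> bool:
    """True when the implied speed between two sightings exceeds the ceiling.
    Out-of-order or same-second sightings from different places count as impossible."""
    dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return dist_km > GPS_JITTER_KM
    return dist_km / hours > MAX_PLAUSIBLE_KMH


def _hour_utc(ts: int) -> int:
    return datetime.fromtimestamp(ts, tz=timezone.utc).hour


def risk_factors(history: List[Sighting], cur: Sighting) -> Dict[str, int]:
    """Map each triggered factor to its (assumed) point contribution."""
    factors: Dict[str, int] = {}
    if history and impossible_travel(history[-1], cur):
        factors["impossible_travel"] = 60
    if cur.device_id not in {s.device_id for s in history}:
        factors["new_device"] = 20          # also fires on an empty history
    if cur.network not in {s.network for s in history}:
        factors["new_network"] = 15
    usual_hours = {_hour_utc(s.ts) for s in history}
    if history and _hour_utc(cur.ts) not in usual_hours:
        factors["unusual_hour"] = 10
    return factors


def risk_score(history: List[Sighting], cur: Sighting) -> int:
    """0-100 score; 80-100 is the Critical band used later in this report."""
    return min(100, sum(risk_factors(history, cur).values()))


def _ts(y: int, m: int, d: int, h: int, mi: int = 0) -> int:
    return int(datetime(y, m, d, h, mi, tzinfo=timezone.utc).timestamp())


# Constructed sample data: a user seen three times at an office in Boston.
SAMPLE_HISTORY = [
    Sighting(_ts(2024, 3, 4, 13), 42.36, -71.06, "pixel-1", "corp-wifi"),
    Sighting(_ts(2024, 3, 4, 14), 42.36, -71.06, "pixel-1", "corp-wifi"),
    Sighting(_ts(2024, 3, 4, 15), 42.36, -71.06, "pixel-1", "corp-wifi"),
]
# Same device, same office, half an hour later.
OFFICE_FOLLOWUP = Sighting(_ts(2024, 3, 4, 15, 30), 42.36, -71.06, "pixel-1", "corp-wifi")
# Same device reporting London on cafe Wi-Fi one hour after the last Boston sighting.
LONDON_JUMP = Sighting(_ts(2024, 3, 4, 16), 51.51, -0.13, "pixel-1", "cafe-wifi")

if __name__ == "__main__":
    for label, cur in (("office follow-up", OFFICE_FOLLOWUP), ("london jump", LONDON_JUMP)):
        print(label, risk_score(SAMPLE_HISTORY, cur), risk_factors(SAMPLE_HISTORY, cur))
```

The impossible-travel check is the one factor a spoofed GPS fix defeats most easily, which is why a production implementation pairs it with network evidence (the IP geolocation of the connection) rather than trusting device-reported coordinates alone.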
BlackBerry designed BIS to benefit CISOs, security practitioners, IT teams, and end-users. These benefits include:
- Increased security—BIS enables multi-factor authentication; can decrease lost device risk; can drastically reduce the success of device cloning, app cloning, and user impersonation; and can detect and remediate both intentional and unintentional data loss.
- Enhanced user experience—BIS adapts security and policy posture to actual context, eliminating static policies, and streamlines access to apps without requiring re-authentication in trusted locations. This can enable “zero sign-in” or longer timeouts in low-risk situations; alternatively, BIS can force reauthentication with password or MFA challenges in high-risk environments.
- Enhanced efficiency—BIS streamlines access to apps and services; builds on existing investments in BlackBerry UEM, BlackBerry EID, and BlackBerry Dynamics; potentially eliminates the need for separate MFA solutions; automatically and dynamically adjusts policies based on context; relaxes security policies when the user is in a trusted location; and tightens security policies when the user travels to a higher-risk location.
ESG Technical Validation
ESG’s evaluation and testing of BlackBerry Intelligent Security involved using a demo environment to configure the solution with multiple group policies for various risk categories. We then used a mobile device, simulating use at lower and higher risk locations to evaluate dynamic changes to security policies and corresponding changes to the user experience. We focused on the efficiency of managing the solution and the simplification of the user experience.
ESG started with a preconfigured demo deployment of BlackBerry Intelligent Security integrated into BlackBerry UEM, managed through a standard web browser interface. We used the left pane navigation menu to review existing UEM groups and create a new group. UEM uses groups to assign policies to apps and users. BIS dynamically moves users between groups based on the current risk score. When the risk score changes, BIS updates the group membership and UEM applies the group’s policies to the user and apps.
As shown in Figure 3, UEM provided a table listing all groups, the number of users in each group, the assigned apps, and the assigned IT policies and profiles. We clicked on the group BH_Critical to edit the group configuration. The details page for the BH_Critical group provided tabs for settings, BlackBerry 2FA, EID, users, and nested groups. The settings tab provided lists of roles, profiles, and apps. We clicked on the BH_Critical profile, which opened a window with profile details. This enabled us to configure the profile, setting options such as password parameters, biometrics, requiring passwords on a specific device type, enabling device features, and many more.
The flexibility of UEM Groups enabled us to create many fine-grained security policies that we could apply to various users and applications as necessary.
Next, ESG navigated to the BIS policies tab to review existing policies and create a new policy. BIS policies control the dynamic change of security based on risk scores. BIS moves a user into a different UEM group, applying the group’s security policies, when the user’s real-time risk score matches the BIS policy.
As shown in Figure 4, BIS provides a list of policy profiles, the rank (order to be applied), applied users, and applied groups. We clicked on the plus sign to create a new policy profile, which brought up a new window with policy settings. BIS provides mappings between risk levels and UEM groups for critical, high, medium, and low behavioral risk, and high, medium, and low “geozone” (location) risk.
As shown in Figure 5, we clicked on Critical behavioral risk level, and BIS popped up a window enabling us to configure the group to which the user would be dynamically assigned when their real-time risk level was determined to be between 80% and 100%. Similarly, when we clicked on the Low geozone risk level, we were able to configure the group for each specific geozone. We were also able to configure the radius (sensitivity) for the geozone risk factors.
As with UEM groups, the flexibility of BIS policy profiles enabled us to create fine-grained dynamic policies. We created two policies matching the location of ESG’s offices, one for high behavioral risk and one for low behavioral risk. Users at ESG’s office with high risk were assigned to the BH_High group, which would disable the mobile device camera.
Next, we navigated to the BIS analytics portal to configure geozones. As shown in Figure 6, BIS provides a list and a map of existing geozones. We could edit existing zones by clicking on the zone, and we could create new geozones either by entering an address or by drawing a polygon on the map.
As the last administrative step, we navigated to the BIS settings pane. As shown in Figure 7, BIS supports role-based access control (RBAC), and we could configure multiple users with different levels of access. BIS provides the ability to limit administrator visibility of the user’s current location for privacy and regulatory compliance.
BIS provided controls to change the mode between passive and active. Passive mode computes and logs real-time risk scores and the application of BIS policy profiles but does not dynamically update group membership. This enables administrators to test and verify their configuration without adversely affecting users.
BIS settings also enabled us to configure the real-time behavioral risk score thresholds.
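The policy-profile, geozone, and passive-mode steps above describe one evaluation pipeline: place the device in a geozone, band the behavioral score, pick the highest-ranked matching profile, and either move the user to that UEM group or only log the decision. The block below is an added, hypothetical engine that implements that pipeline (not BlackBerry's code). The 80-100 Critical band comes from the text; the High and Medium boundaries, the `BH_Low` group, the square office polygon, and the coordinates are assumptions constructed for the example.

```python
"""Hypothetical BIS-style policy engine: geozones plus behavioral risk bands
decide a UEM group, honouring a passive (log-only) mode. Added example, not
BlackBerry code; band boundaries other than 80-100 Critical are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (level, inclusive lower bound), highest first.
BEHAVIOR_BANDS: List[Tuple[str, int]] = [
    ("critical", 80), ("high", 60), ("medium", 30), ("low", 0)]


def behavior_level(score: int) -> str:
    """Band a 0-100 behavioral risk score into critical/high/medium/low."""
    if not 0 <= score <= 100:
        raise ValueError("risk score must be 0-100")
    for level, floor in BEHAVIOR_BANDS:
        if score >= floor:
            return level
    return "low"


def point_in_polygon(lat: float, lon: float, polygon: List[Tuple[float, float]]) -> bool:
    """Ray-casting containment test; polygon is a list of (lat, lon) vertices."""
    inside = False
    j = len(polygon) - 1
    for i, (yi, xi) in enumerate(polygon):
        yj, xj = polygon[j]
        if (yi > lat) != (yj > lat):
            x_cross = xj + (lat - yj) * (xi - xj) / (yi - yj)
            if lon < x_cross:
                inside = not inside
        j = i
    return inside


@dataclass(frozen=True)
class Geozone:
    name: str
    polygon: List[Tuple[float, float]]


@dataclass(frozen=True)
class PolicyProfile:
    rank: int                  # lower rank is evaluated first
    geozone: Optional[str]     # None matches any location
    behavior: Optional[str]    # None matches any behavioral level
    group: str                 # UEM group to assign on match


@dataclass
class PolicyEngine:
    geozones: List[Geozone]
    profiles: List[PolicyProfile]
    default_group: str
    passive: bool = True                                # passive: compute and log only
    membership: Dict[str, str] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def geozone_for(self, lat: float, lon: float) -> Optional[str]:
        for zone in self.geozones:
            if point_in_polygon(lat, lon, zone.polygon):
                return zone.name
        return None

    def evaluate(self, user: str, lat: float, lon: float, score: int) -> str:
        """Return the group the user should be in; apply it only in active mode."""
        zone = self.geozone_for(lat, lon)
        level = behavior_level(score)
        target = self.default_group
        for profile in sorted(self.profiles, key=lambda p: p.rank):
            if profile.geozone in (None, zone) and profile.behavior in (None, level):
                target = profile.group
                break
        self.audit.append({"user": user, "zone": zone, "level": level,
                           "score": score, "group": target, "applied": not self.passive})
        if not self.passive:
            self.membership[user] = target
        return target


# Constructed square around an arbitrary Boston point; not a real office location.
ESG_OFFICE = Geozone("esg_office", [(42.35, -71.07), (42.37, -71.07),
                                    (42.37, -71.05), (42.35, -71.05)])


def build_demo_engine(passive: bool = True) -> PolicyEngine:
    """Mirror the report's configuration: two office profiles, one per behavioral level."""
    return PolicyEngine(
        geozones=[ESG_OFFICE],
        profiles=[PolicyProfile(1, "esg_office", "high", "BH_High"),
                  PolicyProfile(2, "esg_office", "low", "BH_Low")],
        default_group="BH_Medium",
        passive=passive)


if __name__ == "__main__":
    engine = build_demo_engine(passive=True)
    print(engine.evaluate("alice", 42.36, -71.06, 70), engine.membership)  # logged, not applied
    engine.passive = False
    print(engine.evaluate("alice", 42.36, -71.06, 70), engine.membership)  # applied
```

Running the engine in passive mode first, as the report recommends, lets an administrator inspect `audit` for users who would have been moved to a restrictive group before any policy actually takes effect.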
Why This Matters
In light of the ongoing global cybersecurity skills shortage—53% of organizations report a problematic shortage of cybersecurity skills2—cybersecurity teams need tools that reduce workload and increase operational efficiency and efficacy.
ESG validated that BlackBerry Intelligent Security is tightly integrated with BlackBerry Unified Endpoint Management, enabling administrators to leverage their operating experience for enhanced efficiency. We found that managing complex security policies was simplified by a smart, easy-to-understand interface, and we were able to quickly and easily configure policies that would be dynamically applied for varying levels of user behavioral and location risk.
ESG found that BIS and UEM combined to create an efficient and effective dynamic endpoint security system.
Efficacy and User Experience
ESG validated the efficacy of BIS in the demo environment using a Google Pixel mobile device. First, we configured the device to access the corporate Wi-Fi network. Next, we used an app to spoof the location data.3 This caused the device to report its location as the BlackBerry corporate office. Because the test relied on spoofed coordinates, BlackBerry temporarily disabled the BIS location-spoofing detection for the evaluation (see note 3); in production that detection remains on.
As shown in Figure 8, BIS analyzed location and behavior, and calculated that the user’s real-time risk was medium. Following the BIS policies, BIS dynamically moved the user to the UEM BH_Medium group and applied the BH_Medium group policies. Thus, when we logged in to the mobile device, we were presented with a fingerprint challenge, as controlled by the BH_Medium policies. We then used the BlackBerry email app to create an email with attachments. We were able to access the device’s local storage, camera, and photo library.
Next, we used the location spoofing app to change the device’s location to a nearby coffee shop. As shown in Figure 9, BIS analyzed location and behavior, and calculated that the user’s real-time risk was Critical. Applying the BIS policies, BIS dynamically moved the user to the UEM BH_Critical group and applied the BH_Critical group policies. Thus, when we logged in to the mobile device, we were presented with a password challenge, as required by the BH_Critical group policy. We then used the BlackBerry email app to create an email with attachments. Based on the newly applied policies, we could no longer access the device’s camera and photo library.
ESG also noted that BIS uses its own technology to secure the BIS console itself. As shown in Figure 10, when ESG logged in to BIS, we were asked to approve BIS’ access to the web browser location data. As with mobile devices, BIS calculated our risk in real time and dynamically applied the appropriate policies. Thus, per BIS and UEM policies, when we logged in, we were presented with a password challenge.
Why This Matters
According to ESG research, common employee requests include simplified access to applications, remote access to business applications, simplified corporate data access, the ability to use personal devices for work, and reduced login time.4 Facing an always growing and evolving threat landscape, organizations must balance effective security with employee expectations and productivity.
ESG validated that BlackBerry Intelligent Security adapts to changing conditions. This enables security teams to automatically enforce strict security when user risk is high while simplifying the user experience when user risk is low. In our test configuration, BIS permitted easy-to-use biometrics for login when BIS determined risk was medium or low. When the user moved to a new location, BIS determined that risk was high, and dynamically applied new policies—biometrics were disabled, and the user was presented with the more secure password challenge. Simultaneously, the new policies disabled access to the camera and photo library.
ESG evaluated BIS analytics by logging in to the demo system analytics portal. As shown in Figure 11, the analytics dashboard provides summary data, including total active users and events, risk ranked by criticality, and a map-based overview of the location of all managed endpoints. At the bottom of the dashboard are time-based graphs of geozone and behavior risk.
Clusters of endpoints are indicated by the red circles with a number indicating the number of endpoints in the cluster. Users can zoom and scroll the map to get more information.
Next, from the analytics menu, we selected the event analytics, as shown in Figure 12. Each event represents a change in the real-time risk score. The left side of the page provided a tabular view of all events, while the right side provided a map view, showing clusters as red circles with the number of events. We zoomed and centered the map on the US. Hovering the mouse over the red circle popped up a window summarizing the number of different types of events. We were able to search and filter the event listing to quickly find critical information.
We selected users from the analytics menu, which brought up the user analytics page with a table listing all users, their real-time behavioral and geozone risk, and the time when the real-time risk score was updated. We clicked on a user, which brought up the user pane, as shown in Figure 13.
At the top of the user pane was a time-based graph of events showing changes to the user’s real-time risk score, and the bottom of the page showed a listing of all events for the user. Clicking on an event highlighted that event on the time graph and provided event details including location, behavioral and geozone risk scores, user activity, and the assigned action (dynamically assigned UEM group).
Why This Matters
With the proliferation of mobile devices and BYOD policies, organizations are managing a large volume of endpoints. According to ESG research, 49% of surveyed organizations manage 2,500 or more endpoints, 34% manage 5,000 or more, and 10% manage 20,000 or more.5 Many users with many devices, combined with automation, complicate the security analyst’s understanding of the environment.
ESG validated that BIS analytics provided a comprehensive overview of the security environment. Map-based analytics provided a visual representation of dynamic changes to geozone risk for an individual user and the whole organization. Event-based listings enabled us to understand the volume and frequency of updates to user risk. We found the user-level information to be helpful, especially for helpdesk scenarios, where a user may not understand why they were prompted for a password when a fingerprint previously was sufficient. Using the BIS analytics portal, ESG was able to develop a comprehensive understanding of the state of the environment and the automatic changes to risk and security policies.
The Bigger Truth
The volume and velocity of threats coupled with the ever-increasing network attack surface has made cybersecurity a top IT concern. However, IT’s drive to improve the business’ security posture is complicated by a number of factors. IT is growing more complex every year—66% of organizations say their IT environment is more complex compared with two years ago, driven by increases in users, devices, data, and emerging technology6 —and multiple endpoint types with their varying levels of threats and security create even more security complexity.
To secure their data, applications, and endpoints, organizations must expend more scarce resources—time, money, effort, and, most importantly, staff—and the result is an ever-more complicated environment. Tools that can simultaneously enhance user productivity, effectively prevent threats, and are simple to implement are essential.
ESG’s validation showed BlackBerry Intelligent Security to be both efficient and effective. The tight integration between BIS and UEM enables security teams to easily add adaptive security to their endpoint security controls. Consistency across user interfaces reduces the learning curve, and security analysts can quickly create complex policies to match the needs of their environments, dynamically adapting security based on real-time behavioral and location risk.
Leveraging adaptive security, ESG was able to configure strict security for high risk situations, and relaxed security for low risk situations. Relaxing security improved user productivity and enhanced the user experience with automatic reauthentication, a reduction in the number of challenges, and an acceleration of the login process made possible by the use of biometrics.
The BIS analytics portal enabled ESG to rapidly develop an understanding of the current state of the environment. Historical data ensured we could understand the adaptive security—what changes were made to each user’s real-time risk score, why the change was made, and what policies were applied based on the change.
If your organization wants to balance endpoint, application, and data security with improved user productivity and an enhanced user experience, you’ll want to take a closer look at how BlackBerry Intelligent Security can add adaptive security and machine learning to your security endpoint controls.
1. Source: ESG Master Survey Results, Modern Endpoint Management, December 2018.
2. Source: ESG Research Report, 2019 Technology Spending Intentions Survey, February 2019.
3. BIS includes technology to detect location spoofing. This technology was temporarily disabled by BlackBerry for ESG’s evaluation. Disabling location spoofing detection is not a production configuration option.
4. Source: ESG Master Survey Results, Modern Endpoint Management, December 2018.
6. Source: ESG Master Survey Results, 2019 Technology Spending Intentions Survey, March 2019.
ESG Technical Validations
The goal of ESG Technical Validations is to educate IT professionals about information technology solutions for companies of all types and sizes. ESG Technical Validations are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objectives are to explore some of the more valuable features and functions of IT solutions, show how they can be used to solve real customer problems, and identify any areas needing improvement. The ESG Validation Team’s expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments.