Transcript
are going to have a look at how we mitigate threats when a device goes walking. So if a device is lost, if a device is stolen, how we mitigate those threats, how we fix it, and not just from a technical perspective, which Ash will walk us through, but also from a process perspective. Who needs to know that a high-priority device has gone missing? Whether there's data that needs protecting, what controls, what part of the business needs to know that a device with sensitive data has gone walkabout, how we walk that through a process that contacts every part of the business that needs to know. Why is this important? Every individual has a device. A lot of individuals have multiple devices, and they will bring them to work. They could be issued by the employer, or it could be bring your own device, where we bring our own devices and roll them into an MDM solution. But what happens if they're stolen? What happens if my device gets lost? How do I mitigate those risks? We need to be able to control the sensitive data on those devices, access to applications, access to data. We need to be able to enforce some rules and make sure that that data is safe. I also need to make sure that my security posture is maintained, so different parts of the business need to know immediately that there is a threat to our security posture. If a device has gone missing, could be stolen, we don't know at this point in time, but there's lots of different areas of the business that need to know. First of all, the service desk. They may get a ticket coming in saying, hey, I've lost my device. Can you please help me? This could be provisioning a new device. It could be locking it, but the service desk is the first point of contact. We're going to talk to IT operations, and this is where Ash will go into some details about how we can interact with IT operations. We can look at how we can control applications on the device if we need to, but also wipe the device and secure that device. It could have sensitive data on it. It could be a high-priority device that someone high up in the company owns. The asset management team needs to know. Obviously, an asset has been lost. They need to update their records and take appropriate actions. Procurement and finance, we may need to purchase a new device. Legal team, again, depending on who has lost this device, in some cases could be a high-profile employee or a position of power. We need to get some insights and advice from the legal team. Security operations need to know, again, that there's an incident around a security posture. They will have an appropriate process that they need to follow and work through. And our risk and compliance team, again, we adhere to regulations. We adhere to controls. The building management team, this is an unusual one, but some organizations have smart apps on their phones that allow them to enter the building using their mobile phone as opposed to a plastic card, a physical card that they may use. So if your phone has gone missing, potentially our building access is potentially not secure. So we could have people coming into the building who shouldn't be there. And finally, maybe you want to talk to HR and training. Maybe this person has lost the device numerous times. Maybe there's a trend of not adhering to the corporate legislation, the guidelines, et cetera. So maybe we need to give them some training. Maybe we need to give them some advice. So I'm going to walk through quickly a process where we bring in an incident. And we can log an incident very quickly. And in this case, it's going to be someone has lost their phone. So Graham has logged a ticket. The service does let them know that his phone has been lost. It's simply going to put phone lost. I've lost my phone. Please help. And we're going to put that under the now security operations. And lost stolen equipment. We're going to mark as high priority. We're going to maybe send that to the security team. And I can pick that up. So we've logged that ticket. And that could be over the phone. It could be through email. It could be through the portal or some other method. But we have logged a ticket. I also want to link the customer's asset, which is their iPhone. This is the asset that's been lost. So now I've got a ticket ready to go. Now, a few things are going to happen with this ticket. One is I can see a number of tasks have appeared. So as we said before, and we looked at that wheel of business units that need to be contacted, I can see that we've logged a ticket with the building security team, our facilities team, legal team, purchasing, asset management, and operations team. So, again, we have created some tasks or the tickets with context about what they need to do. We've actually assigned one straightaway to an individual to say you need to remove access to these systems because they used their phone for multi-factor authentication. So, again, trying to reduce the impact from a security perspective. I've also logged a HR case. So, again, potentially training needed. We know there are VIP status. I can't see this ticket. It's in HR case management, but I just get a quick overview of this ticket. It's been logged and it's been sent to them, and they can pick that up and do whatever they need to do with it. The other thing is we have linked the device. So if I go and have a look at this device, we can get all the information from it. Again, we could be feeding in from the MDM solution to get all the information about that phone, but, again, it's a two-way street. I can actually interact with that device as well. Now, what the asset management team may do is mark it as stolen. If I save that, you can see it's been marked as stolen. And I can see some options here. Lock the asset, restart the asset, return asset to service, send a message, and wipe the asset. So, again, I can now, as well as receiving information from the MDM solution to populate the attributes and information about that phone, I can push requests to the MDM solution and say, hey, I want to wipe that asset or I want to lock that asset. So this could be part of my process when we have a lost or stolen phone. So I could hit that, wipe the asset. Warning, this action will wipe the mobile phone. This action is irreversible. Click OK to continue. I'm not going to do that now. And, again, I could also lock the asset. Warning, this action will lock the mobile phone. Click OK to continue. So I may want to lock it for now. Just make sure that someone can't use it. And we can go through the path of resetting or wiping that device further down the track as we need to. Now, at that point, you can see the processes have been initiated. And we'll have a look at some other processes when Ash finishes his demo. But what we've done is we've let a lot of parts of the business know there's a problem. And they can take up what they need to do. We don't have to go around and phone them, e-mail them, and hope that somebody follows the process. The process has been automated for us. And also the interaction with the phone itself via the integration with MDM. So with that, I'll hand over to Ash, and he'll have a look at how we can interact with that phone. We'll have a look at potentially looking at blocking some apps, first of all, and then how we wipe that device nice and quickly. So from here, I can run it automatically. Ash will show us how he can do it manually as well. Thanks, Kieran. So here we have an iPad, the iPad. We can see we've got some apps installed, registered and rolled in the Binding Neurons for MDM. We have the console there, the Binding Neurons for MDM console. And we can see the actual devices in here go into the device. This is the actual iPad here. You can see it's last checked in not long ago. We can see some installed apps. So the scenario is we've had a PSPF come out and said, we need to remove an app. And that app is TikTok. And we can see TikTok is there on the device. So we can remove that app quite simply and easily through the console. So we can find TikTok here. And we can see that's installed and it's managed. So we have full control over that. And we have our actions where we can distribute or exclude. So we're going to exclude straight away. So we've put TikTok into our system and taken ownership of that app if it got installed. And that enables us to get rid of this app. So we'll do some check-ins. We can go have a look at a few other things whilst this is happening. We can see all our config that we've pushed the device. So this is everything infrastructure-related. Everything that all the data that you want the user to have access to, we've pushed down those configs, those apps, those settings. They're all on there. And we can see on the right here TikTok has now been removed. And that literally took a few seconds to do and a few clicks to get that app off the device. So we have the ability as well through our mobile threat defense integration, which we've activated here quite easily through just one config. We can see in the mobile threat defense console that we have a device here. And we can see it has a normal risk posture. So we actually click on that and we can see the related threats and the history of related threats. So we can see we had one elevated threat and that was resolved. And yeah, it was a device pin. So it didn't have a pin code on the device. So very in-depth, detailed timeline history of threats that are happening on the device. We can see we removed TikTok from the device through a direction. And because in this scenario this device has been lost, we can actually click in here quite easily and wipe or retire the device. So if we were to retire the device, we would only remove the enterprise data from the device and the device would still stay there. We can actually wipe the device as well. We have the ability to also return to service. As Kieran demonstrated before, we can return that device to service so it doesn't have to be fully wiped. We can keep access to the apps and data and we keep the Wi-Fi payload so we can select a Wi-Fi profile there. But in this example, we really want to make sure that this device is not going to be compromised and not compromise that building access as well. So we're going to fully wipe the device. And because this is enrolled in Apple Business Manager using the device enrollment program, it is tied to the organisation anyway, but it'll just become effectively a brick to anyone else other than the organisation's employees. So we'll click on a wipe. And we can see within seconds that the device will start shutting down and erasing all that enterprise data. There we go. So the device has now been wiped. Go back to the device list. We can see that status is wiped. So it means that the command has been received by the device and that literally took a few seconds to do. So back over to you, Kieran, to take us through what we just saw. Yep. So before we close that, I'm just going to go through the security operations and the risk compliance piece as well. So you saw we had those tasks assigned to various parts of the business. We saw legal, asset management, facilities, HR all sort of notify the dissident and take on what they need to do out of their own individual processes. We're also going to talk to the security team. So we automatically create a security incident. If I look at the security incident, I can see all the relevant information, who is the customer, the summary that we've taken from the incident itself, again, service and category we've taken across. We've assigned this to the security team, and we have an owner. So Aileen has picked this up. There's a task come in immediately as well to look at whether it's sensitive or confidential information that is involved with this device. So, again, they can pick that up and mark it as confidential as well. I'll say we have sensitive data. So, again, you can start to update and classify this security instance as you need to. We can see where the original incident came from. So that's with the service desk itself. And, again, we can start to go through that process to sort of understand the incident and make sure we can close it off and make sure any mitigation actions are taken care of. I can see the asset as well, which will currently be marked as stolen, which you can see here. So all the information is made available. They're not guessing about any of the information. It's all presented to them as part of an integrated holistic process across the business. I've also created a risk. So why do we want to talk to the risk and compliance team? Security operations are doing their piece, but now risk and compliance need to be involved as well. So I can see here we've got a risk, and I'll just look at my list of active risks here, and I can see 7234 has been created as well. So this is kind of our risk register that our risk and compliance team would work from. And I click into this. Again, it's a slightly different screen. It changes and tailors to the persona who's looking at the relevant data or looking at it from their perspective. And now I can start to classify this risk. Now, the important thing about the risk is not just a risk on its own, and it's in isolation, but how it relates to more holistic business processes, things around controls. We'll have a lot of controls in place that need to be adhered to to support larger compliance and regulations, things like ISO or APRA, HIPAA, GDPR, et cetera. These controls are in place to help us adhere to them. So if a phone goes missing, there's a lot that could impact these controls. So we need to look at these controls and understand what's potentially impactful. So the encryption for passwords, that may be something to do with. SSO definitely. The physical security. We talked about the phone being used as a digital building card to get in and out of buildings, so definitely that might be an issue of security offices, et cetera. Electronic messaging, obviously, part of the phone. Accessible use of mobile devices. So suddenly there's a whole list of controls that are potentially impacted. And if you go to one of these controls, I'll look at the physical safeguards. I can see some information about that. If I was in the GRC role, the governance risk compliance role, I'd get more granular information, and I could take some actions there as well. We can create a mitigation plan if we need to, or we can link to existing mitigation plans. So, again, we can link these in as we need to. We can understand what would be impacted. And, again, when we look at these mitigation plans, all the information we're adding here around the risk and the security incident, all that will propagate down. We'll see all the impact of these mitigation plans. So are they worth doing? Yes, because we've got all these other incidents happening around the organization. Again, I can see where the security incident is as well, so I can see where that's up to. And as that moves along its lifecycle, I can sort of work in parallel with the security team rather than working in isolation. And as we understand and review this risk and we move on, we can understand its current status, its original status, and its target. So at the moment, we're targeting to make sure the likelihood is possible. The impact is minus, so that's kind of where we're not meeting currently the target. As we review this and get more comfortable with the risk and we perform mitigation actions, we can see the risk starts to go down, and that's shown by a green arrow. And, again, if we go to the list here, we can see the change is a good change as opposed to a bad change. So, again, that full visibility across the different parts of the business because it does impact them. They need to know about it. They don't want to sit in isolation and not know that a high-priority device has been lost or stolen. So back to the wheel. So what did we look at as part of this use case? So we saw the service has logged a ticket. We went to IT operations, and Ash walked us through how we revoke access, not just to the device, but applications as well. So, again, you could have threats via applications, and they may come in through the service desk, or you may get notifications that something's been installed. Ash showed how the MDM solution can go down to granular levels of application, but also then reset the device or put it into service mode, et cetera. We looked at the asset management team now. The procurement team bought and started to process to purchase a new phone. Legal team provided some guidance. We had that security incident logged. We saw how the risk ratio was updated and the impact controls were acknowledged as part of this whole issue. We looked at building management team now, and also HR. And, again, potentially they may not need to be involved, but it's good just to keep everyone across the issue and what needs to happen. So what did we just see? Just a small timeline. Obviously, Graham lost his mobile phone. He logged a high-priority incident with the service desk. We got the relevant departments updated straight away. We were then able to auto-wipe if we wanted to from the service desk, but then, obviously, we moved across, and Ash showed how we can wipe and control applications, et cetera, and do that threat analysis. I then had the risk and compliance team and the SecOps team investigate that security issue and make sure that they were taking all their appropriate actions. And, finally, just to kind of finish off this scenario, in fact, we found out just as we completed the demo that Graham actually found his phone. And if you remember, there's a previous video that Ash walked through about enrolling mobile phones. We were able to enroll that phone again under two minutes back to normal service, and Graham was able to get on with the rest of his day. So even though he lost his phone, he found it, and we could re-enroll it super fast. So thank you for that from myself and Ash. Hopefully, you've learned something with this video, and we look forward to sharing a few more. Thanks again. Thank you.