IBM Security MaaS360


You've got questions - we've got answers! Activating MaaS360 User Risk Management for free

By Margaret Radford posted Fri April 28, 2023 06:01 PM


The IBM Security MaaS360 team recently hosted an Ask Me Anything about activating MaaS360's User Risk Management for free.
We also discussed the Mobile Threat Management feature that is available in our Enterprise suite or as an add-on part to any of our other suites.

We have a very aggressive roadmap for threat management, so get on board and start leveraging our free User Risk Management, then consider Mobile Threat Management to take advantage of additional threat detections/response and everything there is to come.
To get started, simply log into your MaaS360 portal, go to Setup>Services and enable User Risk Management for free. Then watch those threat telemetry events roll in.

You can watch the on demand Ask Me Anything recording here

If you have any additional questions, post them as a reply to this blog. You can also reach out to your account representative or you can contact the IBM MaaS360 Customer Success team by selecting Contact Us at our success hub located here.

For reference, here are the answers to the questions you posed during the session. Additional resources are located at the bottom of the blog.

Question: Do you need Mobile Threat Management to use User Risk Management for it to work?
Answer: No, User Risk Management is a standalone service that's available to all of our customers. The Mobile Threat Management piece is an add-on that gets you the extra detections and responses that are part of Threat Management. Think of User Risk Management as a way to process threat telemetry and develop user risk and device risk profiles based just on day-to-day activities when managing devices. Threat Management complements User Risk Management.

Question: What license level is User Risk Management a part of?
Answer: User Risk Management is available in all of our license bundles (suites) - Essentials, Deluxe, Premier, and Enterprise.
Threat Management is part of Enterprise, but it can also be purchased as an add-on part. For example, if you have Essentials, you can purchase the standalone Mobile Threat Management add-on part for $1 per month per device, or you can choose to upgrade to the Enterprise bundle.
Link to Suite (bundle) descriptions

Question: Can you elaborate on the secure email client road map concerning phishing detections?
Answer: Currently the email phishing detection that we have is available within our secure mail client. So if you're an organization that uses our secure mail solution, phishing detection works within that app. We built the detection into that application: when you configure the Endpoint Security policy and push the policy to the device, we scan emails for any URLs that are present within that email. We take that URL and we use an API to test that URL against the IBM X-Force Exchange Threat Intelligence database. If it is a known malicious URL, the API call will return a positive. We and X-Force Threat Exchange don't store any customer data. It's simply a test of whether that URL is present, that is, whether you get a hit that the URL is flagged as malicious by the X-Force Threat Exchange. If it is, then the user gets a warning in the email that the email has a compromised URL in it and to delete the email.
The phishing detection within the product today supports SMS as well. SMS detection is very similar; we scan the SMS messages, look for URLs, use an API to test whether that URL is flagged as malicious or not, and generate a threat event.
The road map that is in place for later this year is adding broader phishing and malicious content detections beyond just SMS and our own email client, into other applications by implementing a broader phishing detection. If you're entitled to Mobile Threat Management today, as we add capabilities, add detections and improve detections, you will get the benefit of that in the future.

Question: Are there any prerequisites to turn on User Risk Management?
Answer: No. You should be able to simply log into the portal and enable User Risk Management in Setup>Services. If you are having trouble doing that, please contact IBM Technical Support by opening a case from the headset icon in the upper right of the portal, or contact your support-providing IBM Business Partner.
Note: We migrated existing customers who had User Risk Management enabled to an improved version which has a number of upgrades, including a near-real-time user risk engine.

Question: Is the Security Dashboard an add-on feature?
Answer: No, the Security Dashboard becomes available when you enable User Risk Management. Threat events flow into the User Risk Management engine, then they are scored based on the Risk Rule Configurator, and then they surface in the Security Dashboard. The Security Dashboard is the visualization of User Risk Management. If you are entitled to Mobile Threat Management, those events will also be surfaced in the Security Dashboard.

Question: Does this product also work for exploits such as voice over LTE or phone calls in general?
Answer: No. Currently there are no capabilities to cover that. We are unsure whether any third-party or point solutions cover that.

Question: If a user receives a phishing email, are they notified? And are they still able to access the malicious link?
Answer: They are notified. The user gets a red banner within the email which indicates the email contains a phishing link. The user can still click on it; we can't strip it from the email, we can only warn the user.

Question: What's the first thing you should do after enabling User Risk Management for the first time?
Answer: Turn it on and wait 24 hours. Then go into the Security Dashboard and you should see some of the mobile device management threat events coming into the dashboard. You will see a baseline risk score developed that you can watch over time for trends. You can then see those events and drill down. It takes a little while for enough data to flow in. Then, daily, you can review the Security Dashboard. You might see a spike in your overall risk score and drill down to determine why. For example, you might determine you are being targeted by a phishing campaign or something is going on in your environment.

Question: How would an organization determine what an acceptable average risk score would be for them?
Answer: As we develop baselines and as we collect more and more data, in the future we're planning on giving you the benefit of some comparisons. For example, how does your risk score compare with other customers of your size and industry?
Today the risk scoring is for trend purposes. You would establish a risk score that you think is acceptable based on your research and what's contributing to that score. And then you would look for changes in that score.
In the future and as we collect more data, you will be able to compare your risk score to other organizations based on size and industry.

Question: Can you explain the difference between the prior version of Mobile Threat Management and the new Mobile Threat Management version - do the malware and jailbreak/rooted detection work the same?
Answer: The malware, jailbreak/rooted, and insecure wifi detection are the same as they were in the previous version of Mobile Threat Management. In the previous version they were a little difficult to find and configure in the MDM policy. Now they have been surfaced in the new Endpoint Security policy.
They are easier to find and configure and they still use IBM Trusteer threat intelligence. IBM Trusteer services the commercial banking industry with an SDK that can prevent users from accessing their banking system when they have malware, are jailbroken/rooted, or are on an insecure wifi. Their threat intelligence is very broad and very deep, so we leverage that by instrumenting the IBM Trusteer SDK into our app. In the past the response to those detections was Compliance Rules. Now we have our Security Dashboard and can more easily view these events.
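
The phishing check described in the answers above (scan a message for URLs, test each one against a threat-intelligence lookup, warn the user without stripping the link, and raise a threat event) can be sketched as follows. This is an added example, not MaaS360 code: the function names, banner text, event fields and the `is_malicious` callback that stands in for the reputation API are assumptions, and the feed and email are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Callable, List
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
BANNER = "[WARNING] This message contains a link flagged as malicious. Delete it."

@dataclass
class ScanResult:
    flagged_urls: List[str]    # URLs the reputation lookup flagged
    displayed_body: str        # what the user sees (banner + untouched body)
    threat_events: List[dict]  # events handed on for risk scoring

def normalize(url: str) -> str:
    """Lower-case scheme and host and drop the fragment before the lookup."""
    p = urlsplit(url)  # urlsplit already lower-cases the scheme
    return urlunsplit((p.scheme, p.netloc.lower(), p.path or "/", p.query, ""))

def extract_urls(body: str) -> List[str]:
    """Return each distinct URL once, in order, without trailing punctuation."""
    seen, urls = set(), []
    for match in URL_RE.findall(body):
        url = match.rstrip(".,;:!?")
        if normalize(url) not in seen:
            seen.add(normalize(url))
            urls.append(url)
    return urls

def scan_message(body: str, is_malicious: Callable[[str], bool],
                 source: str = "email") -> ScanResult:
    """Check every URL in a message; warn on a hit but leave the link in place."""
    # Only the normalized URL is passed to the lookup, never the message text.
    flagged = [u for u in extract_urls(body) if is_malicious(normalize(u))]
    shown = f"{BANNER}\n\n{body}" if flagged else body
    events = [{"type": "phishing_url", "source": source, "url": u} for u in flagged]
    return ScanResult(flagged, shown, events)

# Constructed sample data: a stand-in reputation set and a made-up email.
CONSTRUCTED_FEED = {"http://login-update.example.net/verify"}
SAMPLE_EMAIL = ("Mailbox full. Confirm at HTTP://Login-Update.example.net/verify#top.\n"
                "Policy: https://intranet.example.com/policy")

if __name__ == "__main__":
    result = scan_message(SAMPLE_EMAIL, lambda u: u in CONSTRUCTED_FEED)
    print(result.flagged_urls, result.threat_events)
```

The same `scan_message` call with `source="sms"` covers the SMS case, since the answer describes that flow as the same scan, lookup and threat event.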

User Risk Management Product Documentation
Mobile Threat Management Product Documentation