First published on CloudBlogs on Oct 04, 2016
A couple months ago you may have seen an announcement from our partner Lookout about the work we have been doing together.  The news was really exciting, but I wanted to wait until the code was done and generally available to provide a view of what we’re doing together and why we are so excited about this partnership. That time is finally here ! During the time we spent solidifying this partnership with Lookout, our companies spoke to a lot of organizations who emphasized that this integrated offering is exactly what they needed to address their enterprise mobile requirements – e.g. a solution that gives their employees the flexibility they need to be productive on their mobile devices, yet provides the organization with security and peace of mind that their enterprise assets are secure.

This partnership is great because it is great for our customers.

The thing I think is most valuable about this partnership is how the capabilities of Enterprise Mobility + Security (EMS) and Lookout are incredibly complimentary: Lookout has a rich knowledge of the security and compliance concerns on iOS and Android, and EMS has the rich solution for managing access to and protecting corporate assets .  This partnership also integrates our cloud services so that EMS can govern access to corporate resources based on the risk analysis Lookout has identified on every device. This is really impressive functionality for end users. I have really enjoyed getting to know the Lookout team and working closely with their leaders to develop ways for both of our technologies to work together to provide additional layers of security and protection for the corporate apps/data accessed by mobile devices.

What Impressed Me Most About Lookout

The first thing that really impressed me about Lookout was the sheer number of iOS and Android devices constantly sending telemetry back to the Lookout Security Cloud – a grand total surpassing 100M mobile devices !  Lookout has by far the largest and most up-to-date dataset of what’s happening in security and compliance for iOS and Android.  They analyze more than 30 M iOS and Android apps , as well as over 90k new apps every day .  Lookout has built a product that tens of millions of consumers around the world already use and love. With this massive dataset of intelligence, Lookout conducts complex correlations, predicts future risk, and identifies threats that would otherwise evade legacy systems. This type of performance would not be possible without Lookout’s massive global consumer footprint.  If you also believe, like we do, that “data is the new currency” – then Lookout has the data that matters here (and more of it than anyone else).   Their base of users is also growing rapidly – for example, if you opted for the packaged protection services from your wireless provider when you bought your current phone, then you might already be using Lookout. Lookout’s unique approach to solving the challenges of mobile security relies directly on having data on the majority of code in the mobile app ecosystem.   Lookout’s service scans apps submitted to some of the international app stores before those apps are even approved for distribution.  This means they actually get to see the code (and some of the attacks and threats!) before anyone else in the world.  Their data set is bigger – and they have it earlier – than anyone else. The way that Lookout uses machine learning and intelligence to identify malware and predict the actions of the makers of the malware is ingenious .  The malware space (in general) is a place where machines have to be used in the battle of good vs. bad to keep up with the rate of change – after all, the bad guys use machines to constantly morph their malware.  To analyze over 70,000 apps a day, machines have to do the bulk of the work just to keep up – but the it’s the nature of the analysis that Lookout does here that sets them apart. First, Lookout uses sophisticated static and behavioral analysis to identify malware or potentially unwanted apps – but that kind of functionality is just table stakes in today’s fight against the bad guys. To catch the really determined and sophisticated attackers, Lookout has built a set of capabilities which compares the app they are analyzing to all the apps they have analyzed previously to look for the tell-tale signals of malware. This analysis compares signatures, behavior, and all the analysis artifacts Lookout has gathered – all the way down to the binary code.  This is a process they call “app genome sequencing.”  What this means is that Lookout can essentially use their analysis of known threats from known attackers to predict new, never-before-seen threats . This is the same technology that enables their anti-malware to take a novel approach:  Going beyond using just signatures (like nearly every other security vendor), and adding in behavioral analysis and predictive intelligence.  Pretty incredible. What really blew me away, however, was when the Lookout team showed me a report pulled from their telemetry identifying all the consumer devices reporting back to their service from the Microsoft networks.  Sitting there on the table in front of me was a detailed list of every iOS and Android device used on our networks – along with a report covering each of the apps, risks, and threats Lookout had identified.  Just wow! If you want to go a lot deeper on what I’ve described here, check out this white paper .

The Microsoft Intelligent Security Graph – the Value of Data

When it comes to helping you protect and secure your organization, the value of data cannot be overstated .  The sophisticated attacks we’re all seeing in the news are very hard to identify and block – but all of the leave tracks.  The challenge is that these tracks are nearly impossible to find because they’re spread across tons of different log files – and most organizations simply do not have the ability to correlate these logs and look for the patterns that identify who’s being attacked, what the attackers are doing, where they’re spreading, and what the risk is to you and your customers. We are all swimming (OK – drowning ) in data.  The only way to identify the signals that matter – and find the patterns that assist you in protecting your organization – is for machines to do that.  Over the past couple of years, we have quietly been working on something incredible here at Microsoft – something that pulls together all of the telemetry and signal that comes in from the 100’s of cloud services that we operate.  We call this the Microsoft Intelligent Security Graph . Consider for a moment all of the signal that comes into Microsoft:

• Every month we update more than 1B PCs around the globe through Windows Update.
• Each month we also service more than 450B authentications across our consumer and enterprise service. We can see different attacks being waged at identities.
• We analyze more than 200B e-mails each month for malware and malicious web sites – and all of that signal goes into the graph.

The things we learn from this data about orchestrated attacks is nothing short of incredible – and all that signal is constantly coming in and going directly into the graph.  We take all of this data and then apply our own machine learning and data analytics – by doing this we can identify the suspicious and anomalous activities that characterize the DNA of these modern sophisticated attacks.  This is how we can deliver the recommendations and automated actions to protect, detect, and respond to all of these different attack vectors. This is a topic I spoke about in depth at Ignite just recently – watch the section of my session here . The Microsoft Intelligent Security Graph is working every second, of every minute of every day protecting you.  All told, we receive trillions of pieces of data from billions of devices every month through our cloud services, our extensive research, and our partnership with industry leaders and law enforcement through our Digital Crime Units and Cybersecurity Defense Operations Center .  All of this goes into the Intelligent Security Graph. This graph is unique to Microsoft .  Going forward, Lookout will be adding value to the graph via its integration with Intune.

The Industry-first Scenarios EMS + Lookout Deliver Together

Here’s How the Integration Works:

• Allow access from devices to corporate e-mail only if the risk score is “Secured” or “Low.”
• Not synchronize corporate files to a device if its risk score is “High.”
• Not allow access to any corporate assets if Lookout’s app is not running on the device and/or properly reporting device health. It will then automatically guide users to download and activate Lookout’s app.
• Enforce a policy to deny access for a specific group of business critical apps when devices are not compliant to Lookout. General purpose LoB apps, however, would not be restricted.
• Selectively allow access to a primary collection of apps regardless of risk, while restricting access to a secondary list of apps when risk score is “Secured” or “Low.”
• Receive alerts when “High” risk devices are detected in their environments.
• Automatically trigger Lookout’s self-remediation flow when devices are non-compliant or “High” risk to then block from accessing corporate resources.
• Retire or wipe a device when it becomes “High” risk.
• The service integration here is seamless to our enterprise customers leveraging the assets of EMS to enable unified device and user (both end-user and IT Professional) identity through Azure Active Directory.

The management of Lookout’s mobile security has been built directly into the Intune console, providing our joint customers with a “single pane of glass” management for this end-to-end solution.  Also, Lookout’s Mobile Endpoint Security can be enabled and managed directly from the Intune console. Another critical advantage that Lookout brings to enterprise mobile security from their consumer heritage is a great user experience .  For example:  If access to corporate resources is blocked, the end-user will be presented with the reasons why, told which specific apps are risky (aka have malware), and explain how they can fix the problem.  If the apps were not deployed by EMS, then they are likely personal apps.  In this latter case, and in the spirit of honoring user privacy and rights (especially on BYO devices), EMS will identify the steps required to lower the risk. Honoring end-user privacy is really, really important to both Microsoft and Lookout.  In the administrative console there will be multiple configurations that can be set in terms of the visibility of what apps are deployed on devices.  This is similar to what we do in EMS/Intune today.  Customers can restrict the solution to only show admins the apps on a device that have been deployed through EMS/Intune (I think this will be the common setting for BYO devices), or all the apps that have been installed on the device (the likely setting for corporate devices). This is important because: There are cases where IT should be able to see all the apps on a device, and there are other cases where they absolutely should not be able to see the entire list.  Each organization can adopt the settings that are right for their enterprise, their workforce, and their devices. Microsoft is already a deployed customer of Lookout; we use Lookout in conjunction with EMS on the iOS and Android devices here at Microsoft.  We are so excited about Lookout that we've even made an investment in them.

Enterprise Mobility Has to be Holistic

One of the fundamental beliefs we have at Microsoft is that you have to think holistically as you plan for and build out enterprise platforms and strategies.  This isn’t just a compelling abstract concept or a thoughtful collection of IT buzzwords – this is a foundational part of how the new technology landscape has to operate in order to survive in our attack-prone modern era.  In the case of enterprise mobility, start by understanding how you want to deliver the iconic and empowering work environment your end users want.  Then use this model to examine every detail of how you manage and protect the corporate assets being accessed and used. The work that we have been doing for the past several years to deliver engineered solutions that support the needs of IT and end users (and deliver both these things in a holistic way!) is unique in the market.   The knowledge that Lookout brings into our Enterprise Mobility platform strengthens this platform and gives customers a great new arsenal of protection and control.