Charles Leaver – The Security Industry Needs To Team Up To Win

Written By Charles Leaver


No one can fix cybersecurity alone. No single solution vendor, no single provider, nobody can take on the whole thing. Tackling security requires cooperation between many players.

Sometimes, those players sit at different levels of the solution stack: some install on endpoints, some within applications, others within network routers, others at the telco or in the cloud.

Sometimes, those players each have a specific best-of-breed component: one player specializes in e-mail, others in crypto, others in disrupting the kill chain.

From the business customer’s point of view, effective security requires assembling a set of services and tools into a working whole. From the vendors’ point of view, reliable security requires strategic alliances. Sure, each vendor, whether making hardware, writing software, or offering services, has its own products and intellectual property. However, we all work much better when we collaborate, to enable integrations and make life easy for our resellers, our integrators, and the end customer.

Paradoxically, not only can vendors make more money through strategic alliances, but end customers save money at the same time. Why? Several reasons.

Customers don’t waste money (and time) on solutions with overlapping capabilities. Customers don’t waste money (and time) building custom integrations. And customers don’t waste money (and time) debugging systems that fight each other, for example by generating extra alerts or hard-to-find incompatibilities.

The Ultimate Trifecta – Products, Services, and Channels

All three interact to satisfy the requirements of the enterprise customer, and also benefit the vendors, who can focus on doing what they do best, trusting strategic alliances to build complete solutions out of the jigsaw puzzle pieces.

Generally speaking, those solutions require more than simple APIs, which is where strategic alliances come in.

Consider the integration between products (like a network threat scanner or Ziften’s endpoint visibility solutions) and analytics solutions. End customers do not want to run a dozen different dashboards, and they do not want to manually correlate anomaly findings from many different security tools. Strategic alliances between solution providers and analytics solutions, whether on-premises or in the cloud, make sense for everyone. That includes the channel, which can deliver and support complete solutions that are already dialed in, already debugged, already documented, and will work with the least friction possible.

Or consider the integration of products and managed security services providers (MSSPs). MSSPs want to offer prospective customers pre-packaged solutions, preferably ones that can run in their multi-tenant clouds. That means the products must be scalable, with compatible license terms. They must integrate well with the MSSP’s existing dashboards and administrative control systems. And of course, they must feed into predictive analytics and incident response programs. The best way to do that? Through strategic alliances, both horizontally with other solution providers and with the major MSSPs as well.

What about major value-added resellers (VARs)? VARs need solutions that are easy to understand, easy to support, and easy to add to existing security deployments. This makes new solutions more attractive, more affordable, easier to install, easier to support, and strengthens the VAR’s customer relationships.

What do they look for when adding to their product portfolio? New products that have strategic alliances with their existing solution offerings. If you do not dovetail with the VAR’s portfolio partners, well, you probably don’t dovetail.

Two Examples: Fortinet and Microsoft

No one can fix cybersecurity alone, and that includes giants like Fortinet and Microsoft.

Consider the Fortinet Fabric-Ready Partner Program, where technology alliance partners integrate with the Fortinet Security Fabric via Fabric APIs and are able to actively collect and share information to improve threat intelligence, improve overall threat awareness, and broaden threat response from end to end. As Fortinet explains in its Fortinet Fabric-Ready Partner Program Overview, “partner inclusion in the program signals to clients and the market as a whole that the partner has worked together with Fortinet and leveraged the Fortinet Fabric APIs to develop confirmed, end-to-end security services.”

Likewise, Microsoft is pursuing a comparable strategy with the Windows Defender Advanced Threat Protection program. Microsoft recently selected only a few key partners for this security program, stating, “We have actually spoken with our clients that they want protection and visibility into possible risks on all of their device platforms and we have actually turned to partners to help address this requirement. Windows Defender ATP provides security teams a single pane of glass for their endpoint security and now by teaming up with these partners, our customers can extend their ATP service to their entire install base.”

We’re the first to admit it: Ziften cannot solve security alone. Nobody can. The best way forward for the security industry is to move forward together, through strategic alliances that bring together product vendors, service providers, and the channel. That way we all win: vendors, service providers, channel partners, and enterprise customers alike.

Charles Leaver – The Key To SysSecOps Is Flexibility

Written By Charles Leaver


Endpoints are everywhere. The device you’re reading this on is an endpoint, whether it’s a desktop, laptop, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it’s connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the web servers, storage servers, and Active Directory servers in the data center. So are your IaaS/PaaS services in the cloud, where you control bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

They’re all endpoints, and all of them need to be managed.

They have to be managed from the IT side (by IT administrators, who hopefully have proper IT-level visibility into every connected thing, including those security cameras). That management means making sure they’re connected to the right network zones or VLANs, that their software and configurations are at the current version, that they’re not flooding the network with bad packets because of electrical faults, and so on.

Those endpoints also need to be managed from the security point of view by CISO teams. Every endpoint is a potential entry point into the business network, which means the devices need to be locked down: default passwords never used, all security patches applied, no unapproved software installed on the device’s embedded web server. (Krebs details how, in 2014, attackers broke into Target’s network through its HVAC system.)

Systems and Security Operations

Systems and Security Operations, or SysSecOps, brings those two worlds together. With the right SysSecOps mindset, and tools that support the proper workflows, IT and security staff see the same data and can work together. Sure, they each have different jobs, and respond differently to trouble alerts, but they’re all managing the same endpoints, whether in a pocket, on a desk, in the utility closet, in the data center, or in the cloud.

Test Report on Ziften Zenith

We were thrilled when the recently released Broadband-Testing report praised Zenith, Ziften’s flagship endpoint security and management platform, as ideal for exactly this kind of situation. To quote from the report, “With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more. Considering that its definition of ‘endpoints’ extends into the Data Centre (DC) and the world of virtualisation, it holds true blanket coverage.”

Broadband-Testing is an independent testing facility and service based in Andorra. They describe themselves this way: “Broadband-Testing interacts with vendors, media, financial investment groups and VCs, analysts and consultancies alike. Checking covers all elements of networking hardware and software, from ease of use and efficiency, through to increasingly important aspects such as device power consumption measurement.”

Back to flexibility. With endpoints everywhere (again, on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system must go everywhere and do anything, at scale. Broadband-Testing wrote:

“The configuration/deployment choices and architecture of Ziften Zenith permit a really flexible deployment, on or off-premise, or hybrid. Agent implementation is simplicity itself with absolutely no user requirements and no endpoint invasion. Agent footprint is likewise minimal, unlike lots of endpoint security solutions. Scalability likewise looks to be outstanding – the most significant consumer release to date is in excess of 110,000 endpoints.”

We can’t help but be proud of Zenith, and of what Broadband-Testing concluded:

“The emergence of SysSecOps – combining systems and security operations – is an uncommon moment in IT; a hype-free, good sense technique to refocusing on how systems and security are handled inside a company.

Key to Ziften’s endpoint technique in this classification is overall visibility – after all, how can you secure what you can’t see or don’t know exists in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Deployment is easy, specifically in a cloud-based situation as tested. Scalability likewise looks to be outstanding – the biggest customer implementation to date remains in excess of 110,000 endpoints.

Data analysis choices are comprehensive with a big quantity of details offered from the Ziften console – a single view of the whole endpoint infrastructure. Any object can be evaluated – e.g. Binaries, applications, systems – and, from a process, an action can be specified as an automatic function, such as quarantining a system in the event of a potentially malicious binary being found. Multiple reports are predefined covering all aspects of analysis. Alerts may be set for any event. Additionally, Ziften provides the idea of extensions for custom data collection, beyond the reach of a lot of vendors.

And with its External API functionality, Ziften-gathered endpoint data can be shared with a lot of 3rd party applications, thus adding more value to a customer’s existing security and analytics infrastructure investment.

Overall, Ziften has an extremely competitive offering in exactly what is an extremely worthy and emerging IT classification in the form of SysSecOps that is extremely worthwhile of examination.”

We hope you’ll consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes, with the true blanket coverage that both your IT and CISO teams have been looking for.

Charles Leaver – Tackle Both Meltdown And Spectre With Our Help

Written By Josh Harriman And Presented By Charles Leaver


Ziften is aware of the latest exploits, which affect almost everyone who works on a computer or digital device. While that is a broad statement, we at Ziften are working very hard to help our customers find vulnerable assets, fix those vulnerable systems, and monitor systems after the fix for potential performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we stay current on the latest malicious attacks as they evolve. Today, most of the discussion is around proof-of-concept (PoC) code and what can theoretically happen. This will soon change as attackers take advantage of these opportunities. The exploits I’m speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were discovered and what the industry is doing to find workarounds for these hardware issues. For more information, I think it’s appropriate to go right to the source here (

What Do You Need To Do, and How Can Ziften Assist?

A key area where Ziften helps in the event of an attack by either technique is watching for data exfiltration. Because these attacks essentially read data they should not have access to, we believe the first and easiest way to protect yourself is to get sensitive data off these systems. That data might be passwords, login credentials, or even security keys for SSH or VPN access.

Ziften monitors and alerts when processes that normally do not make network connections begin exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and/or kill the processes involved. Ziften Labs is tracking the development of the attacks related to these vulnerabilities that are likely to appear in the real world, so we can better protect our customers.

Find – How am I Vulnerable?

Let’s look at the areas where we can check for vulnerable systems. Zenith, Ziften’s flagship product, can easily and quickly find operating systems that need to be patched. Even though these exploits are in the CPU chips themselves (Intel, AMD and ARM), the fixes that will be offered will be updates to the operating system and, in other cases, to the web browser you use as well.

Figure 1 below shows an example of how we report on the available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track failed patch installs. The example below is not for Meltdown or Spectre, but the KB and/or patch number for your environment could be populated in this report to show the vulnerable systems.

The same applies to browser updates. Zenith tracks the software versions running in the environment. That data can be used to determine whether all browsers are up to date once the fixes appear.

Speaking of browsers, one area that has already picked up steam in the attack scenarios is the use of JavaScript. A working example is shown here (

Products like the Edge browser no longer use JavaScript, and mitigations are available for other browsers. Firefox has a fix available here ( A Chrome fix is coming out soon.

Repair – What Can I Do Now?

Once you have identified vulnerable systems in your environment, you will certainly want to patch and fix them as quickly as possible. One caveat to consider: there are reports of certain antivirus products causing stability problems when the patches are applied. Information about these issues is here ( and here (

Zenith can also help patch systems. We can monitor for systems that need patches, direct our product to apply those patches for you, and then report success or failure and the status of those still needing patching.

Because the Zenith backend is cloud-based, we can monitor your endpoint systems and apply the needed patches even when they are not connected to your corporate network.

Monitor – How is Everything Running?

Finally, some systems may show performance degradation after the OS fixes are applied. These issues seem to be limited to high-load (I/O and network) systems. The Zenith platform supports both the security and operations teams in your environment, which is what we like to call SysSecOps (

We can help surface problems such as application crashes or hangs, and system crashes. Plus, we monitor memory and CPU usage over time. This data can be used to monitor and alert on systems that start to show high utilization compared to the period before the patch was applied. An example of this tracking is shown in Figure 2 below (system names intentionally removed).

These ‘flaws’ are still new to the public, and much more will be discussed and discovered in the days, weeks and months to come. Here at Ziften, we continue to monitor the situation and how we can best educate and protect our customers and partners.

Charles Leaver – Learn About SysSecOps And Why It Is Essential

Written By Alan Zeichick And Presented By Charles Leaver


SysSecOps. It’s a new term, still unknown to many IT and security administrators, but it’s being talked about within the industry, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, refers to the practice of bringing security teams and IT operations teams together to ensure the health of enterprise technology, and having the tools to respond most effectively when problems occur.

SysSecOps focuses on tearing down the information walls, breaking up the silos, that stand between security teams and IT administrators.

IT operations staff are there to ensure that end users have access to applications, and that critical infrastructure is running 24x7. They want to maximize access and availability, and need the data to do that job: that a new employee must be provisioned, that a disk drive in a RAID array has failed, that a new partner must be provisioned with access to a secure document repository, or that an Oracle database is ready to be migrated to the cloud. It’s all about technology to drive the business.

Same Data, Different Use Cases

While the uses of endpoint and network monitoring data and analytics are clearly tailored to the different needs of IT and security, it turns out that the underlying raw data is actually the same. The IT and security teams are simply looking at their own domain’s issues and situations, and acting on those use cases.

Yet sometimes the IT and security teams have to work together. Like provisioning that new business partner: it needs to touch all the right systems, and be done securely. Or if there is a problem with a remote endpoint, such as a mobile device or a system on the Industrial Internet of Things, IT and security may need to collaborate to figure out exactly what’s going on. When IT and security share the same data sources, and have access to the same tools, this job becomes much easier, hence SysSecOps.

Imagine that an IT administrator notices that a server hard drive is nearing full capacity, and this was not anticipated. Perhaps the network has been breached, and the server is now being used to stream pirated movies across the Internet. It happens, and finding and fixing that problem is a job for both IT and security. The data gathered by endpoint instrumentation, and presented through a SysSecOps-ready monitoring platform, can help both sides work together more efficiently than they would with conventional, separate IT and security tools.

SysSecOps: it’s a new term, and a new concept, and it’s resonating with both IT and security teams. You can learn more in a short nine-minute video, where I talk with a number of industry experts about this subject: “What is SysSecOps?”

Charles Leaver – New Microsoft Word Feature Can Mean Phishing Attacks

Written By Josh Harriman And Presented By Charles Leaver


An interesting multifaceted attack has been reported in a recent blog post by Cisco’s Talos Intelligence team. I wanted to discuss the infection vector of this attack, as it’s quite interesting and something that Microsoft has pledged not to fix, because it is a feature and not a bug. Reports can be found of attacks in the wild which are using a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog from SecureData.

Distinct Phishing Attack with Microsoft Word

Attackers are constantly looking for new ways to breach an organization. Phishing attacks are among the most common, as attackers count on someone either opening a document sent to them or visiting a ‘fabricated’ URL. From there, an exploit against a vulnerable piece of code usually gives them the access to start their attack.

But in this case, the documents didn’t have anything malicious embedded in the Word doc itself, which is a favorite attack vector, but rather used this feature in a sly way to make Word reach out and fetch the actual malicious files. By doing this, the attackers could hope for, or count on, a much better infection success rate, since malicious Word files themselves can be scanned and deleted before reaching the recipient.

Hunting for Suspicious Behavior with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that exhibit ‘odd’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a bit further and look for PowerShell running from that spawned shell, and it gets ‘very’ interesting. Using our Search API, we can find these behaviors no matter when they occurred. We do not need the system to be online at the time of the search: if it has run a program (i.e. Word) that showed this behavior, we can find that system. Ziften is always collecting and sending relevant process details, which is why we can find the data without depending on the system’s state at the time of the search.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process commandline includes powershell

This returns the PIDs (process IDs) of the processes we saw start up under these conditions. From there we can drill down to see the nitty-gritty details.

In this first screenshot, we can see details of the process tree (Word spawning CMD, with PowerShell under that) on the left, and on the right you can see information such as the system name and user, plus the start time.

In the next image below, we look at the CMD process and get details of exactly what was passed to PowerShell.

Probably when the user had to answer this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and fetch some code hosted on the Louisiana Gov website. In the PowerShell image below, we can see more information, such as the Network Connect details from when it was connecting to the website to pull the fonts.txt file.

That IP address ( is in fact the Louisiana Gov site. Sometimes we see interesting data within our Network Connect information that may not match what you expect.

After creating our Saved Search, we can alert on these conditions as they occur across the environment. We can also create extensions that change a GPO policy to disallow DDE, and even take further action to find these documents and remove them from the system if desired. Being able to find interesting combinations of conditions within an environment is very powerful, and we are very proud to have this feature in our product.
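The same three-part hunt described above, written out as an added example against constructed process telemetry (this is not Ziften code or the Zenith Search API; the record layout, host names, PIDs and the redacted command lines are all constructed). It applies the post’s exact condition (parent filepath contains word.exe, child filepath contains cmd.exe, child command line includes powershell) and then goes one step further by walking the full parent chain so that a PowerShell process with Word anywhere in its ancestry is found even if an intermediate shell hides the keyword.

```python
"""Hunt for Word -> cmd.exe -> PowerShell process chains in endpoint telemetry.

Added example, not Ziften code. Mirrors the Zenith console search from the
post against constructed process records, then reports the process tree.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    pid: int
    ppid: int
    filepath: str
    commandline: str
    start_time: str


# PIDs are only unique per host, so everything is keyed by (host, pid).
Key = Tuple[str, int]

# Constructed sample telemetry. Only WKS-01 shows the DDE pattern; WKS-02 has
# Word spawning a benign print helper and an unrelated cmd -> PowerShell run
# whose parent (explorer, not in the sample) is not Word.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("WKS-01", "alice", 4120, 900,
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "Invoice.docx"', "2017-10-18T09:12:03Z"),
    ProcessEvent("WKS-01", "alice", 4388, 4120, r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c powershell -NoP -w hidden "<constructed placeholder>"',
                 "2017-10-18T09:12:41Z"),
    ProcessEvent("WKS-01", "alice", 4402, 4388,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -NoP -w hidden "<constructed placeholder>"',
                 "2017-10-18T09:12:41Z"),
    ProcessEvent("WKS-02", "bob", 2210, 880,
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n "Notes.docx"', "2017-10-18T10:01:15Z"),
    ProcessEvent("WKS-02", "bob", 2230, 2210, r"C:\Windows\splwow64.exe",
                 "splwow64.exe 12288", "2017-10-18T10:03:02Z"),
    ProcessEvent("WKS-02", "bob", 3001, 1500, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell Get-Date", "2017-10-18T10:20:00Z"),
]


def index_by_key(events: Iterable[ProcessEvent]) -> Dict[Key, ProcessEvent]:
    return {(e.host, e.pid): e for e in events}


def lineage(event: ProcessEvent, index: Dict[Key, ProcessEvent]) -> List[ProcessEvent]:
    """Walk parent links upward; returns the root-first chain ending at `event`.
    Stops at a missing parent or a PID-reuse cycle."""
    chain = [event]
    seen = {(event.host, event.pid)}
    cur = event
    while True:
        parent = index.get((cur.host, cur.ppid))
        if parent is None or (parent.host, parent.pid) in seen:
            break
        seen.add((parent.host, parent.pid))
        chain.append(parent)
        cur = parent
    return list(reversed(chain))


def find_dde_chains(events: Iterable[ProcessEvent]) -> List[dict]:
    """The post's search: Word -> cmd.exe whose command line invokes PowerShell."""
    index = index_by_key(events)
    findings = []
    for child in index.values():
        if "cmd.exe" not in child.filepath.lower():
            continue
        if "powershell" not in child.commandline.lower():
            continue
        parent = index.get((child.host, child.ppid))
        if parent is None or "word.exe" not in parent.filepath.lower():
            continue
        findings.append({"host": child.host, "user": child.user,
                         "word_pid": parent.pid, "cmd_pid": child.pid,
                         "start_time": child.start_time,
                         "commandline": child.commandline})
    return findings


def find_powershell_under_word(events: Iterable[ProcessEvent]) -> List[Key]:
    """Generalisation: any powershell.exe with Word anywhere in its ancestry."""
    index = index_by_key(events)
    hits = []
    for e in index.values():
        if "powershell.exe" not in e.filepath.lower():
            continue
        ancestors = lineage(e, index)[:-1]
        if any("word.exe" in a.filepath.lower() for a in ancestors):
            hits.append((e.host, e.pid))
    return sorted(hits)


if __name__ == "__main__":
    idx = index_by_key(SAMPLE_EVENTS)
    for f in find_dde_chains(SAMPLE_EVENTS):
        tree = " -> ".join(p.filepath.rsplit("\\", 1)[-1]
                           for p in lineage(idx[(f["host"], f["cmd_pid"])], idx))
        print(f"{f['host']} {f['user']} {f['start_time']} {tree}")
```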

Charles Leaver – Ransomware Can Be Avoided And Managed With These 4 Steps

Written By Alan Zeichick And Presented By Charles Leaver


Ransomware is real, and it’s hitting individuals, businesses, schools, hospitals, and local governments, and there’s no sign that it is stopping. In fact, it’s probably increasing. Why? Let’s face it: ransomware is probably the single most effective attack that cyber criminals have ever devised. Anyone can build ransomware using readily available tools; any money received is likely in untraceable Bitcoin; and if something goes wrong with decrypting someone’s hard drive, the attacker isn’t affected.

A company is hit with ransomware every 40 seconds, according to some sources, and sixty percent of malware incidents were ransomware. It hits all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service), it’s going to get worse.

The good news: we can fight back. Here’s a four-step battle plan.

Good Basic Hygiene

It starts with training employees how to handle malicious e-mails. There are spoofed messages from business partners. There’s phishing and targeted spearphishing. Some will get through e-mail spam/malware filters; employees need to be taught not to click links in those messages and, of course, not to give permission for apps or plug-ins to be installed.

Even so, some malware, like ransomware, is going to get through, often exploiting out-of-date software or unpatched systems, as in the Equifax breach. That’s where the next step comes in:

Making sure that all endpoints are thoroughly patched and fully current with the latest, most secure operating systems, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to fight off the infection.

Ransomware isn’t a technology or security problem. It’s a business problem. And it’s about much more than the ransom that is demanded. That’s nothing compared to the loss of productivity from downtime, bad public relations, angry customers if service is disrupted, and the cost of rebuilding lost data. (And that assumes that valuable intellectual property or protected financial or customer health data isn’t also stolen.)

What else can you do? Back up, back up, back up, and secure those backups. If you do not have safe, verified backups, you cannot restore data and core infrastructure in a timely fashion. That includes taking daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. This requires continuous monitoring and reporting of what’s happening in the environment, including “zero day” attacks that haven’t been seen before. Part of that is monitoring endpoints, from the mobile phone to the PC to the server to the cloud, to ensure that all endpoints are current and secure, and that no unexpected changes have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be detected quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, fast containment is essential.

The 4 Strategies

Good user training. Updating systems with patches and fixes. Backing up everything as often as possible. And using monitoring tools to help both IT and security teams find problems, and respond quickly to them. When it comes to ransomware, those are the four battle-tested strategies we have to keep our companies safe.

You can learn more about this in a short 8-minute video, where I talk with a number of industry experts about this issue:

Charles Leaver – Our Partnership With Microsoft Will Help You Defend Your Network

Written By David Shefter And Presented By Charles Leaver


This week we announced a collaboration with Microsoft that brings together Ziften’s Zenith® systems and security operations platform and Windows Defender Advanced Threat Protection (ATP), delivering a cloud-based “single pane of glass” to detect, view, investigate, and respond to advanced cyber-attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that enables enterprise customers to detect, investigate, respond to and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your enterprise, providing scalable, cutting-edge security in a cost-efficient and easy-to-use platform. Enabling enterprises around the world to protect and manage devices through this ‘single pane of glass’ offers the promise of lower operational costs with genuinely enhanced security, providing real-time global threat protection based on information collected from billions of devices worldwide.

The Architecture Of Microsoft And Ziften

The diagram below provides an overview of the solution components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities allow you to drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, receive the results, and take action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, organizations can easily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith provide:

Behavior-based, cloud-powered advanced attack detection. Find the attacks that get past all other defenses (post-breach detection).

Rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspicious behavior on any machine through a rich, 6-month machine timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to quickly identify attacks based on monitoring and data from billions of devices.

The image below shows many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

At the end of the day, if you’re looking to secure your endpoints and infrastructure, you need to take a hard look at Windows Defender ATP and Ziften Zenith.

Charles Leaver – Ways To Prevent The KRACK Vulnerability Causing You Problems

Written By Dr Al Hartmann And Presented By Charles Leaver


Enough media attention has been generated over the Wi-Fi WPA2-defeating Key Reinstallation Attack (KRACK) that we don’t need to re-cover that ground. The original discoverer’s website is an excellent place to review the issues and link to the in-depth research findings. This may be the most attention paid to a fundamental communications security failure since the Heartbleed attack. In that earlier case, a patched version of the vulnerable OpenSSL code was released on the same day as the public disclosure. For this new KRACK attack, similar responsible disclosure standards were followed, and patches were either already released or soon to follow. Both wireless endpoints and wireless network devices should be appropriately patched. Oh, and good luck getting that Chinese knockoff wireless security camera bought off eBay patched quickly.

Here we will simply make a few points:

Take inventory of your wireless devices and take action to ensure appropriate patching. (Ziften can perform passive network inventory, including wireless networks. For Ziften-monitored endpoints, the available network interfaces as well as the applied patches are reported.) For enterprise IT staff it is patch, patch, patch every day anyway, so nothing new here. But any unmanaged wireless devices should be identified and verified.

iOS and Windows endpoints are less susceptible, while unpatched Linux and Android endpoints are highly susceptible. Most Linux endpoints will be servers without wireless networking, so there is less exposure there. But Android is another story, especially given the balkanized state of Android updating across device manufacturers. Probably your enterprise’s greatest exposure will be Android and IoT devices, so do your risk analysis.

Avoid wireless access via unencrypted protocols such as HTTP. Stick to HTTPS or other encrypted protocols, or use a secure VPN, but be aware that some default HTTPS sites allow compromised devices to force a downgrade to HTTP. (Note that Ziften network monitoring reports the IP addresses and ports used, so investigate any wireless port 80 traffic on unpatched endpoints.)

Continue whatever wireless network hygiene practices you have been employing to identify and silence rogue access points, unauthorized wireless devices, etc. Tuning access point placement and transmission zones to minimize signal spillage outside your physical boundaries is also a wise practice, since KRACK attackers must be physically present within range of the wireless network. Do not give them advantaged positioning opportunities inside or near your environment.
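The triage the points above describe can be scripted: join a device inventory (wireless interface present, KRACK patch missing) against flow records, rank the exposed hosts in the order the post gives (Android and IoT first, then Linux, then Windows and iOS), and pull out the plaintext port 80 traffic from those hosts for investigation. The following Python is an added example, not Ziften’s code; the inventory fields, the flow line format, the host names and the flow records are all constructed sample data, and treating port 8080 as plaintext alongside port 80 is an assumption.

```python
"""Triage KRACK exposure from an endpoint inventory and flow records.

Added example for the points above; it is not Ziften's code. The inventory
fields, flow format and host names are assumptions with constructed data.
"""
from collections import namedtuple

# Constructed inventory: one row per endpoint, as a passive inventory tool
# might report it (field names are hypothetical).
INVENTORY = [
    {"host": "lap-01", "os": "android", "wireless": True,  "krack_patched": False},
    {"host": "lap-02", "os": "windows", "wireless": True,  "krack_patched": True},
    {"host": "srv-01", "os": "linux",   "wireless": False, "krack_patched": False},
    {"host": "cam-07", "os": "iot",     "wireless": True,  "krack_patched": False},
]

# Constructed NetFlow-style records: "<src host> <dest ip> <dest port> <proto>".
FLOWS = [
    "lap-01 203.0.113.10 80 tcp",
    "lap-01 203.0.113.10 443 tcp",
    "lap-02 203.0.113.20 80 tcp",
    "srv-01 203.0.113.30 80 tcp",
    "cam-07 203.0.113.40 80 tcp",
    "cam-07 203.0.113.40 8080 tcp",
]

# Ports treated as plaintext HTTP for this check (assumption: 80 and 8080).
PLAINTEXT_PORTS = {80, 8080}

# Exposure ranking following the post: Android and IoT highest, Linux next,
# iOS and Windows lowest. Lower number = higher priority.
EXPOSURE_RANK = {"android": 0, "iot": 0, "linux": 1, "windows": 2, "ios": 2}

Flow = namedtuple("Flow", "host dest port proto")


def exposed_hosts(inventory):
    """Hosts with a wireless interface and no KRACK patch applied."""
    return {r["host"] for r in inventory if r["wireless"] and not r["krack_patched"]}


def prioritize(inventory):
    """Exposed hosts ordered by the post's exposure ranking, then by name."""
    exposed = exposed_hosts(inventory)
    rows = [r for r in inventory if r["host"] in exposed]
    rows.sort(key=lambda r: (EXPOSURE_RANK.get(r["os"], 1), r["host"]))
    return [(r["host"], r["os"]) for r in rows]


def parse_flow(line):
    """Parse one constructed flow line into a Flow tuple."""
    host, dest, port, proto = line.split()
    return Flow(host, dest, int(port), proto)


def plaintext_on_exposed(inventory, flows):
    """Plaintext HTTP flows from exposed hosts: the traffic to investigate first."""
    exposed = exposed_hosts(inventory)
    hits = []
    for f in map(parse_flow, flows):
        if f.host in exposed and f.proto == "tcp" and f.port in PLAINTEXT_PORTS:
            hits.append((f.host, f.dest, f.port))
    return hits


if __name__ == "__main__":
    for host, os_name in prioritize(INVENTORY):
        print(f"exposed: {host} ({os_name})")
    for host, dest, port in plaintext_on_exposed(INVENTORY, FLOWS):
        print(f"plaintext: {host} -> {dest}:{port}")
```

The wired Linux server and the patched Windows laptop drop out of the result even though both send port 80 traffic; only the unpatched wireless Android device and the IoT camera are reported, which is the short list the post tells you to check.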

For a broader discussion of the KRACK vulnerability, take a look at our recent video on the subject:

Charles Leaver – Pointers On Effective Security Awareness Training

Written By Charles Leaver, Ziften CEO


Effective enterprise cybersecurity assumes that people – your employees – do the right thing. That they don’t hand over their passwords to a caller who claims to be from the IT department doing a “credentials audit.” That they don’t wire $10 million to an Indonesian bank account after getting a midnight request from “the CEO”.

That they don’t install an “urgent update” to Flash Player based on a pop-up on a porn site. That they don’t overshare on social media. That they don’t keep company data on file sharing services outside the firewall. That they don’t connect to unsecured Wi-Fi networks. And that they don’t click links in phishing emails.

Our research shows that over 75% of security incidents are caused or aided by employee mistakes.

Sure, you’ve installed endpoint security, email filters, and anti-malware solutions. Those preventative measures will probably be for nothing, though, if your employees do the wrong thing time and again when in a risky situation. Our cybersecurity efforts are like having an expensive car alarm: If you don’t teach your teen to lock the car when it’s at the mall, the alarm is worthless.

Security awareness isn’t enough, of course. Employees will make mistakes, and there are some attacks that don’t require an employee mistake. That’s why you need endpoint security, email filters, anti-malware, etc. But let’s discuss effective security awareness training.

Why Training Often Doesn’t Have an Impact

First – in my experience, a lot of employee training, well, is poor. That’s especially true of online training, which is usually dreadful. But in most cases, whether live or canned, the training lacks credibility, in part because many IT professionals are poor and unconvincing communicators. The training typically concentrates on communicating and enforcing rules – not on changing risky behavior and habits. And it resembles mandatory copy machine training: There’s nothing in it for the employees, so they don’t take it on board.

It’s not about enforcing rules. While security awareness training may be “owned” by different departments, such as IT, the CISO, or HR, there’s often a lack of understanding of what a security awareness program actually is. First of all, it’s not a checkbox; it has to be continuous. The training needs to be delivered in different ways and at different times, with a combination of live training, newsletters, small group discussions, lunch-and-learns, and yes, even online resources.

Protecting yourself is not complicated!

But a huge problem is the lack of objectives. If you don’t know what you’re trying to do, you can’t tell whether you’ve done a good job with the training – and whether risky behaviors actually change.

Here are some sample objectives that can lead to effective security awareness training:

Provide employees with the tools to recognize and deal with the ongoing, daily security threats they may encounter online and via email.

Let employees know they are part of the team, and that they cannot simply rely on the IT/CISO teams to handle security.

Stop the cycle of “accidental ignorance” about safe computing practices.

Shift mindsets toward more secure practices: “If you see something, say something”.

Review company policies and procedures, described in actionable ways that are relevant to employees.

Make It Relevant

No matter who “owns” the program, it’s essential that there is visible executive support and management buy-in. If the executives don’t care, the employees won’t either. Effective training won’t talk about tech buzzwords; rather, it will focus on changing behavior. Relate cybersecurity awareness to your employees’ personal lives. (And while you’re at it, teach them how to keep themselves, their family, and their home safe. Odds are they don’t know and are reluctant to ask.)

To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success – for example, did the number of external links clicked by employees go down? How about calls to tech support stemming from security violations? Make the training timely and real-world by including current scams from the news; sadly, there are plenty to choose from.

In short: Security awareness training isn’t fun, and it’s not a silver bullet. Nevertheless, it is essential for ensuring that risky employee behaviors don’t undermine your IT/CISO efforts to secure your network, devices, applications, and data. Make sure that you train your employees continuously, and that the training works.

Charles Leaver – Amazing Enthusiasm For Ziften At Splunk .conf

Written By Josh Applebaum And Presented By Charles Leaver


Like many of you, we’re still recovering from Splunk .conf recently. As usual, .conf had great energy, and the people in attendance were passionate about Splunk and the many use cases it enables through its large app ecosystem.

One important announcement during the week worth mentioning was a new security offering called “Content Updates,” which is essentially pre-built Splunk searches that help find security events.

Basically, the Splunk security team looks at the latest attacks, creates new searches for how they would hunt through Splunk ES data to find those types of attacks, and then ships those new searches down to customers’ Splunk ES environments for automatic alerting when they are seen.

The best part? Because these updates mostly use CIM (Common Information Model) data, and Ziften populates many of the CIM models, Ziften’s data is already being matched against the new Content Updates Splunk has created.

A quick demo showed which vendors contribute to each type of “detection,” and Ziften was listed in a lot of them.

For example, we have a recent blog post that shares how Ziften’s data in Splunk is used to identify and respond to WannaCry.
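Why CIM mapping makes vendor-neutral content work, and how a WannaCry-style rule could be expressed against it, is easier to see in code. The Python below is an added example and is not Ziften’s or Splunk’s code: two made-up vendor flow formats (an endpoint agent export and a firewall key=value line) are mapped onto the CIM Network Traffic field names src, dest, dest_port and transport (real CIM names), and a single rule written only in those field names then runs over both. The rule itself, flagging a host that reaches many distinct destinations on TCP/445, is an assumed worm-style SMB fan-out check, not the detection from the WannaCry post; all records are constructed sample data.

```python
"""Map two vendor flow formats onto CIM Network Traffic field names and run one
detection written purely in CIM terms over both.

Added example for the CIM point in this post; it is not Ziften's or Splunk's
code. Both vendor record layouts, the rule and the sample data are constructed
here; the CIM field names src, dest, dest_port and transport are real CIM names.
"""
from collections import defaultdict

# Constructed endpoint-agent flow export with vendor-specific keys.
ENDPOINT_FLOWS = [
    {"local_ip": "10.0.0.5", "remote_ip": "10.0.0.21", "remote_port": "445", "proto": "tcp"},
    {"local_ip": "10.0.0.5", "remote_ip": "10.0.0.22", "remote_port": "445", "proto": "tcp"},
    {"local_ip": "10.0.0.5", "remote_ip": "10.0.0.23", "remote_port": "445", "proto": "tcp"},
    {"local_ip": "10.0.0.5", "remote_ip": "203.0.113.9", "remote_port": "443", "proto": "tcp"},
]

# Constructed firewall key=value lines with different vendor-specific keys.
FIREWALL_LINES = [
    "srcip=10.0.0.9 dstip=10.0.0.40 dport=445 proto=tcp",
    "srcip=10.0.0.7 dstip=10.0.0.50 dport=445 proto=tcp",
    "srcip=10.0.0.7 dstip=10.0.0.51 dport=445 proto=tcp",
    "srcip=10.0.0.7 dstip=10.0.0.52 dport=445 proto=tcp",
    "srcip=10.0.0.7 dstip=10.0.0.53 dport=445 proto=tcp",
    "srcip=10.0.0.7 dstip=10.0.0.53 dport=445 proto=udp",
]


def endpoint_to_cim(rec):
    """Endpoint agent record -> CIM Network Traffic fields."""
    return {"src": rec["local_ip"], "dest": rec["remote_ip"],
            "dest_port": int(rec["remote_port"]), "transport": rec["proto"]}


def firewall_to_cim(line):
    """Firewall key=value line -> the same CIM fields."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"src": kv["srcip"], "dest": kv["dstip"],
            "dest_port": int(kv["dport"]), "transport": kv["proto"]}


def smb_fanout(events, threshold=3):
    """Hosts reaching at least `threshold` distinct destinations on TCP/445.

    An assumed worm-style SMB fan-out rule of the kind a content update could
    ship; it names only CIM fields, so it applies to every normalized source.
    """
    targets = defaultdict(set)
    for e in events:
        if e["transport"] == "tcp" and e["dest_port"] == 445:
            targets[e["src"]].add(e["dest"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def run(threshold=3):
    """Normalize both sources, then apply the one CIM-based rule to the union."""
    events = [endpoint_to_cim(r) for r in ENDPOINT_FLOWS]
    events += [firewall_to_cim(line) for line in FIREWALL_LINES]
    return smb_fanout(events, threshold)


if __name__ == "__main__":
    for src, n in run().items():
        print(f"{src}: {n} distinct SMB destinations")
```

Neither the rule nor the threshold knows which vendor produced a record; adding a third source only means writing one more small mapping function, which is the same economy a CIM-populating add-on gives a shipped content update.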

Overall, with the roughly 500 people who came by the booth over the course of .conf, I have to say it was one of the best events we’ve done in terms of quality conversations and interest. We had nothing but positive feedback from our in-depth conversations with all walks of business life – from highly technical analysts in the public sector to CISOs in the financial sector.

The most common conversation usually started with, “We are just starting to implement Splunk and are new to the platform.” I like those, since people can get our Apps for free and we can get them an agent to experiment with, which gives them something to use right out of the box to show value immediately. Other folks were very seasoned and really liked our approach and architecture.

Bottom line: People are really excited about Splunk, and real solutions are available to help people with real problems!

Curious? The Ziften ZFlow App and Technology Add-on helps users of Splunk and Splunk ES use Ziften-generated extended NetFlow from endpoints, servers, and cloud VMs to see what they are missing at the edge of their network, in their data centers, and in their cloud deployments.