Monthly Archives: June 2015

Charles Leaver – The 30 Day OMB Cyber Security Sprint Had 8 Principles And We Have Supplied 8 Keys

Written by Dr Al Hartmann and presented by Charles Leaver, Ziften CEO


After the huge data breach at the Office of Management and Budget (OMB), Tony Scott, the Federal Chief Information Officer, ordered agencies to take immediate and specific actions over the next 4 weeks to further improve the security of their data and systems. For an organization this large that was a bold step, but the lessons learned from software development show that acting fast, or sprinting, can make a great deal of headway against a problem in a short period of time. That can be especially true for big organizations, and the OMB is certainly large.

The sprint focused on 8 principles. We have broken these down and offered insight on how each one could be made more effective within the timeframe, to help the government make considerable inroads in only a month. As you would expect we are looking at things from the endpoint, and by reading the eight principles you will see why endpoint visibility would have been essential to a successful sprint.

1. Protecting data: Better protect data at rest and in transit.

This is an excellent start, and rightly priority one, but we would strongly encourage OMB to add the endpoint here. Many data security solutions forget the endpoint, but it is where data is most vulnerable, whether at rest or in transit. The team ought to check whether they are able to assess endpoint software and hardware configuration, including the presence of any data protection and system protection agents, not forgetting Microsoft BitLocker configuration checks. And that is just the start: compliance checking of mandated agents must not be forgotten, and it must be carried out continuously, enabling audit reporting of percentage coverage for each agent.

2. Improving situational awareness: Enhance indication and warning.

Situational awareness is much like visibility: can you see exactly what is actually happening, where, and why? And obviously this needs to be in real time. While the sprint is taking place it should be confirmed that identification and tracking of logged-in users, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, significant log events and a myriad of other activity indicators across many thousands of endpoints hosting vast oceans of processes is possible. THIS is situational awareness for both indication and warning.

3. Improving cyber security proficiency: Ensure a robust capability to recruit and retain cyber security personnel.

This is a challenge for any security program. Finding great talent is hard and keeping it much more so. When you want to attract this kind of skillset, motivate them by offering the latest tools for cyber combat. Make certain that they have a system that provides total visibility of what is happening at the endpoint and across the entire environment. As part of the sprint the OMB should analyse the tools that are in place and check whether each tool turns the security team from the hunted into the hunter. If not, replace that tool.

4. Boosting awareness: Improve overall risk awareness by all users.

Risk awareness begins with effective risk scoring, and fortunately this is something that can be achieved dynamically all the way to the endpoint, and it can help with the education of every user. User education is a job that is never complete, as proven by the high success rate of social engineering attacks. But when security teams have endpoint risk scoring they have concrete results to show users, demonstrating where and how they are vulnerable. This real-life situational awareness (see #2) boosts user understanding, while also providing the security team with accurate information on, say, known software vulnerabilities, instances of compromised credentials and insider adversaries, as well as continuously monitoring system, user and application activity and network points of contact, so that security analytics can highlight elevated threats for triage by security staff.

5. Standardizing and automating processes: Decrease the time needed to manage configurations and patch vulnerabilities.

More should be demanded of security solutions: that they are immediately deployable without tedious preparation, network standup or extensive staff training. Did the solutions in place take longer than a few days to implement and require another full-time employee (FTE), or perhaps half an FTE? If so you have to reconsider those solutions, because they are most likely hard to use (see #3) and aren't doing the job that you need, so you will need to improve on the current tools. Likewise, look for endpoint solutions that not only report software and hardware configurations and active services and processes, but also apply the National Vulnerability Database to report the actually running, exposed vulnerabilities and then assign a total vulnerability score to each endpoint, to help overworked support staff prioritize patching.
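Here is how the NVD correlation and per-endpoint scoring described above can work in practice. This is an added illustration, not Ziften's product code; the CVE records (placeholder ids), the software inventory and the scoring rule (sum of CVSS base scores plus the single worst finding) are constructed assumptions.

```python
"""Per-endpoint vulnerability scoring: match running software against an
NVD-style CVE feed and rank hosts for patching. Added illustration, not
Ziften's product code; feed, inventory and scoring rule are constructed."""

# Constructed NVD-style records (placeholder CVE ids): product, first
# fixed version, CVSS base score.
CVE_FEED = [
    {"cve": "CVE-EXAMPLE-0001", "product": "openssl", "fixed_in": "1.0.2", "cvss": 7.5},
    {"cve": "CVE-EXAMPLE-0002", "product": "java", "fixed_in": "8.0.45", "cvss": 9.3},
    {"cve": "CVE-EXAMPLE-0003", "product": "flash", "fixed_in": "18.0.0", "cvss": 10.0},
]

# Constructed endpoint inventory of *running* software (product, version).
INVENTORY = {
    "ws-001": [("openssl", "1.0.1"), ("java", "8.0.31"), ("flash", "17.0.0")],
    "ws-002": [("openssl", "1.0.2"), ("java", "8.0.45")],
    "ws-003": [("java", "7.0.80"), ("flash", "18.0.0")],
}

def parse_version(v):
    """Dotted numeric versions only; real feeds need CPE range matching."""
    return tuple(int(p) for p in v.split("."))

def exposed_cves(product, version):
    """CVEs whose product matches and whose fix is newer than what runs."""
    return [c for c in CVE_FEED if c["product"] == product
            and parse_version(version) < parse_version(c["fixed_in"])]

def score_endpoints(inventory):
    """Per-host exposure: sum of CVSS base scores plus the single worst
    finding, so one critical hole still outranks several minor ones."""
    scores = {}
    for host, software in inventory.items():
        found = [c for prod, ver in software for c in exposed_cves(prod, ver)]
        total = sum(c["cvss"] for c in found)
        worst = max((c["cvss"] for c in found), default=0.0)
        scores[host] = {"score": round(total + worst, 1),
                        "cves": sorted(c["cve"] for c in found)}
    return scores

def patch_priority(inventory):
    """Hosts ordered from most to least exposed, for patching triage."""
    scores = score_endpoints(inventory)
    return sorted(scores, key=lambda h: scores[h]["score"], reverse=True)

if __name__ == "__main__":
    for host in patch_priority(INVENTORY):
        print(host, score_endpoints(INVENTORY)[host])
```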

6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation, and lateral movement. Rapidly identify and resolve events and incidents.

Quick identification of and response to problems is the primary objective in the new world of cyber security. During their 30-day sprint, OMB must evaluate their solutions and make certain to find technologies that not only monitor the endpoint, but track every process that runs and all of its network contacts, including user login attempts, to make it possible to follow malicious software proliferation and lateral network movement. Data derived from endpoint command and control (C2) accesses associated with major data breaches suggests that about half of compromised endpoints do not host identifiable malware, which increases the significance of login and contact activity. The right endpoint security will retain OMB data for long-term analysis, because many indicators of compromise appear only after the event, and even long afterwards, while persistent attackers may quietly lurk or remain dormant for long periods of time. Attack code that can be detonated in a sandbox and identified within minutes is not the mark of advanced attackers. This ability to keep clues and connect the dots across both spatial and temporal dimensions is essential to full identification and to a complete resolution that does not recur.

7. Strengthening systems lifecycle security: Boost fundamental security of platforms by purchasing more secure systems and retiring legacy systems in a timely manner.

This is a respectable goal to have, and an enormous challenge at a big organization such as OMB. This is another place where the right endpoint visibility can instantly measure and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint incidents (such as application crashes or hangs, service failures, or system crashes), and other indications of endpoints outliving their useful or secure service lives. Now you have a full inventory that you can prioritize for retirement and replacement.

8. Decreasing attack surfaces: Reduce the complexity and quantity of things defenders have to safeguard.

If numbers 1 through 7 are done, and the endpoint is considered properly, this will be a huge step in reducing the attack risk. But in addition, endpoint security can also provide a picture of the real attack surface. Consider the ability to quantify attack surface, based on the variety of unique binary images exposed across the whole endpoint population. For example, our ‘Ziften Pareto analysis’ of binary image prevalence statistics produces a typical “ski slope” distribution, with a long thin distribution tail indicating huge numbers of extremely rare binary images (present on less than 0.1% of total endpoints). Ziften measures attack surface bloat factors, including application sprawl and version proliferation (which also worsens vulnerability lifecycle management). Data from many customer deployments reveals egregious bloat factors of 5-10X, compared with a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich hackers’ paradise.
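The prevalence analysis described above, as an added worked example rather than Ziften's own analysis code: it builds a constructed endpoint population with a managed core of images plus a long tail of one-off binaries, computes each image's prevalence, bands the distribution into the "ski slope", and reports the rare tail and a bloat factor against an assumed disciplined baseline.

```python
"""Pareto-style analysis of binary image prevalence across an endpoint
population, to quantify attack surface bloat. Added illustration, not
Ziften's analysis code; the population below is constructed."""
from collections import Counter

RARE_THRESHOLD = 0.001  # "rare" = present on fewer than 0.1% of endpoints

def build_population(n_hosts=2000, core=50, tail_every=10):
    """Constructed inventory: every host runs the same managed core of
    `core` images; every `tail_every`-th host also carries two one-off
    binaries (a stray utility, and a core image at a non-standard version)."""
    hosts = {}
    for i in range(n_hosts):
        images = {f"core-{k}" for k in range(core)}
        if i % tail_every == 0:
            images.add(f"stray-{i}")              # application sprawl
            images.add(f"core-{i % core}-v{i}")   # version proliferation
        hosts[f"host-{i:04d}"] = images
    return hosts

def prevalence(hosts):
    """Fraction of endpoints on which each distinct image is present."""
    counts = Counter(img for imgs in hosts.values() for img in imgs)
    return {img: c / len(hosts) for img, c in counts.items()}

def ski_slope(hosts):
    """Image counts per prevalence band; the long tail is the 'slope'."""
    bands = {"common (>=50%)": 0, "mid (0.1-50%)": 0, "rare (<0.1%)": 0}
    for p in prevalence(hosts).values():
        key = ("common (>=50%)" if p >= 0.5
               else "mid (0.1-50%)" if p >= RARE_THRESHOLD else "rare (<0.1%)")
        bands[key] += 1
    return bands

def attack_surface_report(hosts, baseline_images):
    """Distinct images, size of the rare tail, and the bloat factor versus a
    disciplined population assumed to run only `baseline_images` images."""
    prev = prevalence(hosts)
    rare = [img for img, p in prev.items() if p < RARE_THRESHOLD]
    return {
        "distinct_images": len(prev),
        "rare_images": len(rare),
        "rare_share": round(len(rare) / len(prev), 3),
        "bloat_factor": round(len(prev) / baseline_images, 1),
    }

if __name__ == "__main__":
    pop = build_population()
    print(ski_slope(pop))
    print(attack_surface_report(pop, baseline_images=50))
```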

The OMB sprint is a great reminder to all of us that good things can be accomplished rapidly, but that it takes vision, not to mention visibility. Visibility, down to the endpoint, will be a critical piece for OMB to consider as part of their 30-day sprint.


Charles Leaver – The Third Reason Why The Costs Of A Data Breach Have Risen Will Probably Surprise You

Written by Patrick Kilgore, presented by Charles Leaver, CEO of Ziften.

Recently 2 significant reports were released that marked major anniversaries. On the one hand, we saw Mary Meeker's 20th annual Internet report. Meeker led some of the original industry analysis of the Internet many years ago, and this report marked 20 years of her influencing opinion on the Internet. And ten years after Meeker's first observations on the Internet came the first study of data breach costs by the Ponemon Institute.

Only 10 years after the creation of the Internet it was clear that there is an ugly downside to the service that provides major advantages to our companies and our lives. Today there are more annual studies published about data breaches than about the Internet itself. Recently we spent hours reviewing and digesting two of the biggest data breach reports in the industry, the already cited Ponemon report and the now extremely influential Verizon DBIR (the report is important enough to simply go by an acronym).

There were intersections between the two reports, but the Verizon report deserves credit, because if you have been able to do anything in security for ten years, you must be doing something right. There are many interesting stats in the report, but the reasons for the overall costs of data breaches soaring were of most interest to us.

The Ponemon studies have revealed 3 drivers behind the increased cost of a breach. The first is that cyber attacks have increased in number, and this has correlated with greater costs to remediate these attacks. An increase in per capita cost from $159 to $170 year on year has been cited. That's a 5% jump, from 42% to 47% of the overall root causes of a breach. Likewise, lost revenues as a result of a data breach have increased. In aggregate, this rose from $1.33M to $1.57M in 2015. The reasons are abnormal customer turnover, increased customer acquisition activity, and the loss of goodwill that results from being the target of a malicious attack. However, the most interesting reason offered is that data breach costs associated with detection and escalation have increased.

These costs include investigations and forensics, crisis team management, and audits and assessments. The trend now appears to be gathering pace at just shy of a massive $1 billion. Organizations are only now starting to deploy the solutions required to continuously monitor the endpoint and provide a clear picture of the source and full impact of a breach.

Organizations not only have to monitor the proliferation of devices in a BYOD world, but also aim to improve the security resources they have already invested in, to reduce the costs of these investigations. Threats have to be stopped in real time, rather than recognized retrospectively.

“Prevention may not be possible in the world we live in. With destructive threats becoming more and more common, organizations will need to evolve their M.O. beyond standard AV services and look to the endpoint for total protection,” said Larry Ponemon in his webcast with IBM.


With Increased BYOD Usage Organizations Are Risking Data Loss Due To Employee Sharing And Passwords – Charles Leaver

Written By Ziften Technologies CEO Charles Leaver

If your company has implemented a bring your own device (BYOD) policy then you are putting yourself at increased risk of cyber criminal activity and the loss of your data, because the devices will usually have insufficient control and endpoint security in place. With mobile phones, employees often access consumer cloud services and use password practices that are not secure, and this accounts for a large portion of the risks associated with BYOD. Using endpoint software that offers visibility into precisely what is running on a device can help IT departments understand and address their vulnerabilities.

BYOD is a common way for executives and employees to access sensitive business data on their personal tablets, laptops and smartphones. A ZDNet survey revealed that nearly 9 out of 10 businesses in Australia had granted a number of their senior IT staff access to crucial company information through their own BYOD devices, and 57% said that they had given it to at least 80% of their management. For less privileged staff and new hires, the proportion granted BYOD access was still as high as 64%. These workers were not granted access to financial information though.

With the number of BYOD devices growing, a great many companies have not implemented the appropriate endpoint management strategies to secure their increasingly mobile workflows. Almost 50% of the respondents said that their companies had no BYOD policies, and just 17% confirmed that their practices were ISO 27001 certified.

Secure BYOD Is Probably At Most Risk From Passwords

Among those companies that had taken action to secure BYOD, the implementation of password and acceptable use policies was the most common. But passwords may represent a critical and distinct vulnerability in the implementation of BYOD, because users frequently reuse the same passwords and they are not strong enough. While organizations that have a BYOD policy will certainly increase the risk of a hacker attack, there may be an even higher risk which is internal, said former Federal Trade Commission executive Paul Luehr in an interview with CIO Magazine's Tom Kaneshige.

Luehr told Kaneshige: “The most typical method BYOD policies affect data security and breaches remains in the cross-pollination of passwords. A person is probably using the same or very comparable password as the one they use on their home devices.”

Luehr noted that disgruntled employees, who frequently leak essential data once they have been let go, are a prime risk for companies that permit BYOD. Because of BYOD the line between work and home is disappearing, and risky behavior such as using social networks on corporate networks is practiced by some workers, which can be a prelude to eventually sharing sensitive information, either wilfully or carelessly, through cloud services. The productivity gains made with BYOD need to be protected by implementing comprehensive endpoint security.