Monthly Archives: July 2015

Charles Leaver – People Rather Than Technology Are The Third Phase Of Cyber Security

Written By Kyle Flaherty And Presented By Charles Leaver Ziften CEO

The impact of cyber attacks on companies is often straightforward to measure, and suppliers of technology services (Ziften included) are constantly showing off statistics to persuade you that you need their newest software. But one statistic is extremely shocking:

In The Previous Year Cyber Criminal Activity Cost Organizations $445 Billion And Cost 350,000 People Their Jobs.

The monetary losses are easy to take on board, even though the amount is large. The second part, however, is worrying for everyone involved in cyber security: people are losing their jobs because of what is happening with cyber security. The circumstances surrounding the job losses of all these people are unknown, and some may have deserved it if they were negligent. But the most striking thing is that it is well known that there is a shortage of talented people who are capable of combating these cyber attacks.

While people are losing their positions, there is likewise a demand for more gifted people to counter the ever-increasing threat of cyber attacks. There is no argument that more people are needed, and that they need to be more skilled, to win this war. But that is not going to happen today, this week or even this year. And while it would be fantastic if a truce could be negotiated with the attackers until these resources are available, the reality is that the fight must go on. So how do you combat this?

Utilize Technology To Enable, Not Disable

For several years now, suppliers of security technology have been offering products to “prevent and block” cyber attacks. Then the vendors would return later to offer the “next generation” product for preventing and stopping cyber attacks. And then a couple of years later they were back once again to offer the latest technology, which focussed on “security analytics”, “threat intelligence” and “operational insight”.

In every case companies purchased the latest technology and then needed to add professional services, or even an FTE, to operate it. Naturally, each time it took a substantial amount of time to get up to speed with the new technology, for a team that was already struggling with high turnover because of the competitive nature of the cyber security job market. And while all of this was going on, the attacks were becoming more persistent, more sophisticated and more frequent.

It’s About People Using Technology, Not The Other Way Around

The issue is that all of the CISOs were focussed on the technology first. These organizations followed the classic model of seeing a problem and producing technology that might plug that hole. Think of a firewall: it literally constructs a wall within technology, using technology. Even the SIEM technology these companies had implemented was focused mainly on all the different connectors from their system into other systems, collecting all that information into one place. But one place was all they had, because the technology-centric mindset had forgotten a critical element: the people involved.

People are always good at innovating when confronted with danger. It’s a biological thing. In cyber security today we are seeing the third phase of development, and it is centered on individuals:

Phase 1: Prevent by building walls
Phase 2: Detect by building walls and moats
Phase 3: View, inspect and respond by evaluating user behavior

The reason this needs to be centered on people is not just the talent shortage, but because people really are the problem. People are the attackers, and people are also the ones putting your company at risk at the endpoint. The technologies that are going to win this battle, or at least allow survival, are the ones built not only to enhance the capabilities of the person on the other side of the keyboard, but also to focus on the behaviors of the users themselves, and not just on the technologies.


Charles Leaver – Total Visibility Of The Endpoint Is Demonstrated In This Webinar

Written By Josh Applebaum And Presented By Charles Leaver CEO Ziften Technologies

These days security risks and attack vectors are continuously evolving, and organizations have to be more alert when it comes to monitoring their network infrastructure. The network perimeter and the security of the infrastructure are frequently challenged because there is no visibility of endpoint devices.

Visibility Of Endpoint Devices Is Now More Important Than Ever.

We hosted a webinar with our partner Lancope called “Extending Network Visibility: Down to the Endpoint.” The objective of this webinar was to show security experts how additional visibility and context into network activity can be achieved, how existing security investments (NetFlow, firewall, SIEM, threat intelligence) can be enhanced, and how incident response can be improved by obtaining real-time and historical data from the endpoint. A mutual customer took part in the webinar and offered real-life insights into the best ways to use security assets so that you can stay ahead of external and insider threats.

Many of you will not have been able to attend the live event, so we have decided to make the on-demand version available here on the Ziften blog. Feedback is welcome, and we would be delighted to get in touch with you to discuss it in more detail.


Ziften Client Management Technical Approach – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


There has traditionally been a lack of visibility on Windows clients of the applications that are running and the resources that are being used. There are effective tools available to monitor the server infrastructure and the network, but the client has always been the weakest element. This is why vendors such as Ziften have pioneered a new class of solutions targeted at the management of security and performance of clients in the enterprise, called enterprise client management. From a technical perspective, in order to collect the large quantity of information available within Windows that is required to provide visibility of the client, there were two alternative approaches that needed consideration: we could have written custom driver code, or used the standard Windows APIs.

Developing driver code is considered a last resort because there are some well-understood issues:

An in depth understanding of the Windows kernel data structures and coding conventions is needed for driver development

Driver incompatibilities can exist even with the tiniest of system changes, for example with the month-to-month patch updates from Microsoft

A devastating system crash can take place if there is a driver code issue

Third-party driver code triggers most of the instabilities in Windows

Any solution that uses low-level drivers in its agent does not use the standard Windows interfaces and will “take control” from Windows. This can create mayhem with the operating system of the desktops under management. If a driver malfunctions it can crash the system, and there is also a heightened security threat because these drivers run at kernel level. “Anything a user can do that triggers a driver to malfunction in such a way that it triggers the system to crash or end up being unusable is a security flaw. When most coders are working on their driver, their focus is on getting the driver to work correctly and not whether a malicious hacker will attempt to make use of holes within the system,” Microsoft has stated about driver security.

So Ziften took the approach of developing our service around standard Windows interfaces, which has the following benefits:

Higher resilience to Windows updates and modifications that would otherwise require driver changes

Susceptibility to driver conflicts that can result in system crashes (Blue Screen of Death) is eliminated.

The possibility of coding errors that impact system performance through the kernel interface is reduced.
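As an added example (not Ziften's code), the following PowerShell collects a client visibility snapshot, running processes with owner, path and memory use plus basic OS state, purely through the standard CIM/WMI interfaces, so nothing runs in the kernel. The function name and the "heavy process" threshold are assumptions chosen for illustration.

```powershell
# Added example, not Ziften's code: client visibility through standard
# Windows interfaces (CIM/WMI) only. No driver, no kernel-mode code.
# Assumes Windows PowerShell 5.1 or later, run as a user allowed to query CIM.

function Get-ClientVisibilitySnapshot {
    [CmdletBinding()]
    param(
        # Assumed threshold: processes above this working set are flagged as heavy.
        [int]$HeavyWorkingSetMB = 500
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $procs = Get-CimInstance -ClassName Win32_Process

    $apps = foreach ($p in $procs) {
        # GetOwner is refused for protected/system processes; record that as unknown.
        $owner = $null
        try {
            $r = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($r.ReturnValue -eq 0) { $owner = "$($r.Domain)\$($r.User)" }
        } catch { }

        $wsMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        [pscustomobject]@{
            Name         = $p.Name
            ProcessId    = $p.ProcessId
            Path         = $p.ExecutablePath      # $null for kernel/system processes
            Owner        = $owner
            WorkingSetMB = $wsMB
            Heavy        = ($wsMB -gt $HeavyWorkingSetMB)
        }
    }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        OSVersion      = $os.Version
        LastBoot       = $os.LastBootUpTime
        FreeMemoryMB   = [math]::Round($os.FreePhysicalMemory / 1KB)  # CIM reports KB
        ProcessCount   = @($apps).Count
        HeavyProcesses = @($apps | Where-Object Heavy | Sort-Object WorkingSetMB -Descending)
        Applications   = $apps
    }
}

# Usage: summarise the host, then list the heaviest user-mode processes.
$snapshot = Get-ClientVisibilitySnapshot
$snapshot | Select-Object Host, OSVersion, LastBoot, FreeMemoryMB, ProcessCount | Format-List
$snapshot.HeavyProcesses | Select-Object Name, ProcessId, Owner, WorkingSetMB | Format-Table -AutoSize
```

Because every call goes through documented user-mode interfaces, a failure (a denied GetOwner, a missing path) degrades to a null field rather than a kernel fault.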

Charles Leaver – If Your Users Want BYOD Then Minimize The Security Risks

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

If you are not curious about BYOD then your users, specifically your executive users, most likely will be. Being the most efficient with the least effort is what users desire. Using the most convenient, fastest, most familiar and comfortable device to do their work is the main aim. Also the convenience of using one device for both their work and individual activities is desired.

The issue is that security and ease of use are diametrically opposed. The IT department would usually prefer complete ownership and control over all client endpoints. IT can disable admin rights, and the client endpoint can be managed to a degree, such as only authorized applications being installed. Even the hardware can be limited to a particular footprint, making it much easier for IT to protect and control.

However the control of their devices is exactly what BYOD proponents are rebelling against. They want to pick their hardware, apps and OS, and also have the flexibility to install anything they like, whenever they like.

This is challenging enough for the IT security group, but BYOD can likewise greatly increase the quantity of devices accessing the network. Instead of a single desktop, with BYOD a user might have a desktop, laptop computer, mobile phone and tablet. This is an attack surface gone crazy! Then there is the issue with smaller devices being lost or stolen and even left in a bar under a cocktail napkin.

So exactly what do IT professionals do about this? The first thing to do is to establish situational awareness of “trusted” client endpoints. With its minimalist and driverless agent, Ziften can offer visibility into the applications, versions, user activity and security/compliance software that is actually running on the endpoint. You can then restrict, by enforceable policy, which application, enterprise network and data interactions are permitted from all other (“untrusted”) devices.

Security issues will inevitably develop on client endpoints, such as application versions that are vulnerable to attack, potentially harmful processes, and endpoint security protections being disabled. The Ziften agent will inform you of these issues, and you can then take corrective action with your existing systems management tools.

Your users have to accept the reality that devices that are untrusted and too risky must not be used to access organization networks, data and apps. Client endpoints and users are the source of the majority of malicious exploits. There is no magic in current technology that will make it safe to access important business assets from a device that is out of control.


Charles Leaver – Find Out Where Your IT Endpoint Is Hurting With The Ziften Agent

Written by Dr Al Hartmann and presented by Ziften CEO Charles Leaver

Wouldn’t it be great if your IT client endpoints could tell you that they are sick, instead of you receiving unpleasant calls from dissatisfied users? The truth is that IT clients cannot tell you when something is wrong. Many IT people may dispute the need for situational awareness, but you really do need it for your endpoints. The Ziften solution provides it in the following way:

Ziften uses a minimalist, driverless agent. This differs from traditional systems management or security agents: the Ziften package is really lightweight (around 1-2MB MSI package). But don’t let the small size fool you; it leaves performance headroom so that IT endpoints can get more done, which keeps users happy and working. The Ziften agent can be compared with light beer: “Great taste, less filling.”

The Ziften agent also monitors other installed agents and reports on them if they interfere excessively with foreground tasks.

With the Ziften agent you will receive other advantages that an agentless approach cannot match. It can:

Offer real-time response to dynamic events on the endpoint. If an agent is not present then periodic polling is needed, which means that endpoint events are reported on the polling cadence after they have happened, not in real time.

The Ziften agent can adaptively throttle interfering processes. For example, if a backup program is causing excessive disruption to user productivity, the backup program can be slowed down in favor of the user.

It will alert on the failure of crucial services such as anti-virus, backup, firewall and systems management. It is true that an agentless approach could also do this, but it would not alert in real time, so it is less effective.

The Ziften Agent will alert on major security events that are discovered at the client endpoint in real time.

It will recognize activity and user presence. With the Ziften agent, user presence can be identified by observing the last keyboard and mouse use. It will also use the window proxy to identify which window is in the foreground and which are in the background. With this information, the Ziften agent can identify the application licenses actually being used across the company.

If no agent is present then it is impossible to monitor and control the endpoint when it is off the network. The Ziften agent can monitor off-network endpoints and report cached observations when the endpoint reconnects. This eliminates off-network blind spots in monitoring coverage. The Ziften agent is also able to enforce policy while disconnected.

The Ziften agent minimizes the network traffic load between client endpoints and the management server by abstracting, filtering, summarizing and encoding time series observations.

So with the Ziften agent your endpoint clients can “tell you where it hurts”.
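As an added example (not Ziften's code) of the user-presence and foreground-window observation described above, this PowerShell reads the last-input time and the foreground window through documented user32 APIs from user mode, with no driver. The function name, the idle threshold and the sampling loop are assumptions; it must run inside the interactive user's session, since the foreground window belongs to that desktop.

```powershell
# Added example, not Ziften's code: user presence + foreground application
# observed from user mode via documented user32.dll calls (no driver).
# Assumes Windows PowerShell 5.1+ running inside the interactive user's session.

Add-Type -Namespace Win32 -Name Presence -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
[DllImport("user32.dll")]
public static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder text, int count);
[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint processId);
'@

function Get-UserPresenceObservation {
    param([int]$IdleThresholdSeconds = 300)   # assumed: 5 min without input = absent

    # Last keyboard/mouse input, as a tick count (ms since boot, wraps at 2^32).
    $lii = [Win32.Presence+LASTINPUTINFO]::new()
    $lii.cbSize = [System.Runtime.InteropServices.Marshal]::SizeOf($lii)
    if (-not [Win32.Presence]::GetLastInputInfo([ref]$lii)) { throw 'GetLastInputInfo failed' }
    $nowTicks = [uint32]([Environment]::TickCount -band 0xFFFFFFFF)
    $idleMs   = ([int64]$nowTicks - $lii.dwTime) -band 0xFFFFFFFF   # survives wrap-around

    # Which window has focus, and which process owns it.
    $hwnd  = [Win32.Presence]::GetForegroundWindow()
    $title = New-Object System.Text.StringBuilder 512
    [void][Win32.Presence]::GetWindowText($hwnd, $title, $title.Capacity)
    $fgPid = [uint32]0
    [void][Win32.Presence]::GetWindowThreadProcessId($hwnd, [ref]$fgPid)
    $proc = $null
    if ($fgPid) { $proc = Get-Process -Id $fgPid -ErrorAction SilentlyContinue }

    [pscustomobject]@{
        Timestamp         = Get-Date
        IdleSeconds       = [math]::Round($idleMs / 1000)
        UserPresent       = ($idleMs -lt $IdleThresholdSeconds * 1000)
        ForegroundProcess = $proc.ProcessName
        ForegroundPath    = $proc.Path          # $null when the owner is elevated/protected
        ForegroundTitle   = $title.ToString()
    }
}

# Usage: three samples ten seconds apart, the raw input for "which applications are in use".
1..3 | ForEach-Object { Get-UserPresenceObservation; Start-Sleep -Seconds 10 } | Format-Table -AutoSize
```

Sampled over time, the ForegroundProcess column with UserPresent set is what a license-usage count would be summarized from before it is sent to a server.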