Monthly Archives: October 2015

Charles Leaver – New Security Threats Are Around The Corner With The Internet Of Things

Written By David Shefter And Presented By Ziften CEO Charles Leaver

We are now living in a new world of the Internet of Things (IoT), and the threat of cyber attacks grows with it. As new products are released, new vulnerabilities emerge.

Symantec released a report this spring that analyzed 50 smart home devices and claimed that “none of the examined devices offered shared authentication between the client and the server.” Earlier this summer, researchers demonstrated the ability to hack into a Jeep while it was cruising on the highway, first controlling the radio, windscreen wipers and air conditioning, and finally cutting the transmission.

Traditionally, makers of toys, tools, appliances, and cars have not had to defend against external threats. Manufacturers of medical devices, elevators, HVAC, electrical, and plumbing infrastructure components (all of which are likely to be connected to the Internet in the coming years) have not always been security conscious.

As we all know, it is hard enough to secure computers, cell phones, servers, and the network every day, even though they have been through significant security monitoring and evaluation for many years. How can you protect alarms, personal electronics, and home devices that seem to appear daily?

To start, one must define and think about where the security platforms will be implemented: hardware, software, network, or all of the above?

Solutions such as Ziften observe the network (from the device's point of view) and use machine learning to recognize patterns and scan for anomalies. Ziften currently provides a global threat analytics platform (the Ziften KnowledgeCloud), fed from a variety of sources, which today enables evaluation of tens of millions of data points such as endpoints, binaries, and MD5 hashes.

It will be a challenge to deploy software onto all IoT devices, many of which use FPGA and ASIC designs as their control platform(s). They are typically embedded in anything from drones to vehicles to industrial and SCADA control systems. A great many of these devices run on solid-state chips without a full operating system or an x86-type processor. With insufficient memory to support sophisticated software, many simply cannot support modern security applications. In the realm of IoT, further customization creates risk and a vacuum that strains even the most robust solutions.

Solutions for the IoT space require a multi-pronged approach at the endpoint, which includes the desktops, laptops, and servers currently joined to the network. At Ziften, we currently provide collectors for Windows, Linux, and OS X, supporting the core desktop, server, and network infrastructure that holds the intellectual property and assets the attackers seek to access. After all, the criminals don't actually want any data from the company refrigerator; they merely want to use it as a conduit to where the important data lives.

There is, however, an additional technique we provide that can help alleviate many current issues: scanning for anomalies at the network level. It is estimated that on average 30% of devices connected to a corporate network are unknown IPs. IoT trends will likely double that number in the next 10 years. This is one of the reasons why connecting a device is not always an obvious choice.

As more devices are connected to the Internet, more attack surfaces will emerge, resulting in breaches far more harmful than those of email, financial, retail, and insurance systems; things that could even pose a risk to our way of life. Securing the IoT has to apply lessons learned from traditional enterprise IT security and offer multiple layers, integrated to provide end-to-end robustness, capable of preventing and detecting threats at every level of the emerging IoT value chain. Ziften can help from a wide range of angles today and in the future.

Ziften ZFlow Will Shine A Light On Your Security Blind Spots – Charles Leaver

Written By Andy Wilson And Presented By Charles Leaver CEO Ziften


Over the past few years, many IT organizations have embraced the use of NetFlow telemetry (network connection metadata) to improve their security posture. There are many reasons for this: NetFlow is relatively inexpensive (compared to full packet capture); it is fairly simple to collect, as the majority of Layer 3 network devices support NetFlow or the IANA standard called IPFIX; and it is easy to analyze using freeware or commercial software. NetFlow can help eliminate blind spots in the architecture and can provide much-needed visibility into what is really going on in the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection techniques.

NetFlow can offer insight where little or no visibility exists. Most companies collect flows at the core, WAN, and Internet layers of their networks. Depending on routing schemes, localized traffic may not be accounted for: LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the datacenter. Most companies are not routing all the way down to the access layer and are thus blind to some degree in this part of the network.

Carrying out full packet capture in this area is still not 100% practical for a variety of reasons. The solution is to deploy endpoint-based NetFlow to restore visibility and provide extremely valuable additional context to the other flows being collected in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop, or server), so it does not depend on the network infrastructure to be generated. ZFlow provides traditional ISO Layer 3/4 data such as source and destination IP addresses and ports, but also supplies extra valuable Layer 4-7 information such as the executable responsible for the network socket, the MD5 hash, PID, and file path of the executable, the user responsible for launching the executable, and whether it was in the foreground or background. The latter are crucial details that network-based flows simply cannot offer.



This crucial extra contextual data can help greatly reduce false positives and supply rich data to analysts, SOC personnel, and incident handlers, enabling them to quickly examine the nature of the network traffic and determine whether it is malicious or benign. Used in conjunction with network-based alerts (firewalls, IDS/IPS, web proxies and gateways), ZFlow can dramatically reduce the time it takes to resolve a security event. And we know that time to identify malicious behavior is a key determinant of how successful an attack becomes. Dwell times have fallen in recent history but are still at unacceptable levels: currently over 230 days during which an attacker can roam undetected through your network collecting your most valuable data.

Below is a screenshot (not reproduced here) showing a port 80 connection to an Internet destination. Interesting facts about this connection that network-based tools might miss are that it was not initiated by a web browser, but rather by Windows PowerShell, and that it was started by the ‘System’ account and not the logged-in user. Both are very eye-catching to a security analyst, as this is not a false positive and would likely require deeper investigation (at which point the analyst could pivot into the Ziften console and look deeper into that system's behavior: what actions or binaries were initiated before and after the connection, process history, network activity, and more).
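As an added illustration (not Ziften's code and not part of the original post), the following Python script shows the kind of join that endpoint socket attribution makes possible: it matches network flow records, which carry only the 5-tuple and byte count, against endpoint records (executable, path, MD5, PID, user, foreground flag) and applies the triage reasoning from the screenshot discussion above, flagging web-port traffic from a non-browser, traffic started by the SYSTEM account, and flows with no endpoint attribution at all. All records, hostnames, addresses and the `<md5 placeholder>` values are constructed for the example, and the field names are assumptions rather than Ziften's schema.

```python
"""Join NetFlow-style records with endpoint socket attribution and triage them.

Added example: not Ziften code. All data below is constructed; field names
are assumptions rather than the ZFlow schema.
"""
from typing import Dict, List, Optional, Tuple

# Constructed network-side flows: only what a router or firewall can report.
NETWORK_FLOWS: List[Dict] = [
    {"src_ip": "10.1.2.30", "src_port": 49811, "dst_ip": "203.0.113.10",
     "dst_port": 80, "proto": "tcp", "bytes": 4120},
    {"src_ip": "10.1.2.30", "src_port": 49812, "dst_ip": "203.0.113.22",
     "dst_port": 443, "proto": "tcp", "bytes": 19800},
    {"src_ip": "10.1.2.31", "src_port": 51000, "dst_ip": "198.51.100.5",
     "dst_port": 80, "proto": "tcp", "bytes": 900},
]

# Constructed endpoint-side socket records: the extra context an agent adds.
ENDPOINT_SOCKETS: List[Dict] = [
    {"host_ip": "10.1.2.30", "local_port": 49811, "proto": "tcp",
     "exe": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "md5": "<md5 placeholder>", "pid": 4412,
     "user": r"NT AUTHORITY\SYSTEM", "foreground": False},
    {"host_ip": "10.1.2.30", "local_port": 49812, "proto": "tcp",
     "exe": "chrome.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "md5": "<md5 placeholder>", "pid": 2210,
     "user": r"CORP\alice", "foreground": True},
]

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
WEB_PORTS = {80, 443}
SYSTEM_ACCOUNTS = {r"nt authority\system", r"nt authority\local service",
                   r"nt authority\network service"}


def enrich_flows(flows: List[Dict], sockets: List[Dict]) -> List[Dict]:
    """Attach endpoint context to each flow by (source IP, source port, protocol)."""
    index = {(s["host_ip"], s["local_port"], s["proto"]): s for s in sockets}
    enriched = []
    for flow in flows:
        record = dict(flow)
        # None means no agent reported a socket for this flow (unmanaged host?)
        record["endpoint"] = index.get((flow["src_ip"], flow["src_port"], flow["proto"]))
        enriched.append(record)
    return enriched


def triage(enriched: List[Dict]) -> List[Tuple[Dict, List[str]]]:
    """Return each enriched flow with the reasons (if any) an analyst should look at it."""
    findings = []
    for record in enriched:
        reasons: List[str] = []
        ctx: Optional[Dict] = record["endpoint"]
        if ctx is None:
            reasons.append("no endpoint attribution: source host may be unmanaged or unknown")
        else:
            if record["dst_port"] in WEB_PORTS and ctx["exe"].lower() not in BROWSERS:
                reasons.append(f"port {record['dst_port']} traffic from non-browser {ctx['exe']}")
            if ctx["user"].lower() in SYSTEM_ACCOUNTS:
                reasons.append(f"initiated by {ctx['user']}, not the logged-in user")
            if not ctx["foreground"]:
                reasons.append("process was in the background (no user interaction)")
        findings.append((record, reasons))
    return findings


def suspicious_flows(flows: List[Dict], sockets: List[Dict]) -> List[Tuple[Dict, List[str]]]:
    """Convenience wrapper: only the flows that collected at least one reason."""
    return [(rec, why) for rec, why in triage(enrich_flows(flows, sockets)) if why]


if __name__ == "__main__":
    for rec, why in suspicious_flows(NETWORK_FLOWS, ENDPOINT_SOCKETS):
        exe = rec["endpoint"]["exe"] if rec["endpoint"] else "?"
        print(f"{rec['src_ip']}:{rec['src_port']} -> {rec['dst_ip']}:{rec['dst_port']} [{exe}]")
        for reason in why:
            print("   -", reason)
```

Run as a script, it prints the PowerShell-as-SYSTEM flow with three reasons and the flow from 10.1.2.31 with one (no agent record), while the browser flow from the logged-in user is silent. The third case is the "unknown device" problem from the IoT post above: a flow the network sees but no endpoint can explain is itself a finding.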


Ziften's ZFlow shines a light on security blind spots and can supply the additional endpoint context of process, application, and user attribution to help security staff better understand what is really happening in their environment. Combined with network-based events, ZFlow can help dramatically reduce the time it takes to investigate and respond to security alerts and drastically improve a company's security posture.

Charles Leaver – This Is The New Path To Endpoint Security As Blocking And Prevention Are Not Sufficient

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO

Standard endpoint security solutions, some of which have been around for over 20 years, rely heavily on the same defense methods year after year. And even though there is constant development and progress, the underlying problem still exists: threats will always find a way into your organization. And in many cases, you will need to wait until your deployed solution finally identifies the threat before you can even start to assess the damage and possibly prevent it from happening again (once you get all the relevant details to make that informed decision, of course). Another downside of these systems is that they often create a large performance burden on the very device they are protecting. This in turn causes unhappy end users and other issues with management and reliability.

But this blog post is not about abandoning your current solution, but rather augmenting and empowering your overall security posture. Organizations need to move toward and embrace solutions that provide continuous monitoring and full visibility of all activity happening on their endpoint population. Stopping or preventing known malware from running is clearly crucial, but it lacks the overall defense required in today's threat landscape. The ability to run deeper forensics on current or, sometimes more importantly, past events can really only be done by solutions that offer continuous monitoring. This information is vital in evaluating the damage and understanding the scope of an infection within your company.

This, of course, needs to be done efficiently and with a limited amount of system overhead.

Just as there are many systems in the standard endpoint security space, a new league of vendors is emerging in this crucial step of the evolution. Most of these companies have staff from the ‘old guard’ and understand that a new vision is needed as the threat landscape continues to change. Reporting and alerting only on bad things entirely misses the point. You MUST look at the whole picture, everyone and all behaviors and actions, in order to give yourself the best chance of responding quickly and completely to threats within your organization.

By using solutions that fall into this “New Path of Endpoint Security” world, Security Ops or Incident Responders within the organization will have the much-needed visibility they have been craving. We hear this constantly from our customers and prospects and are doing our best to offer the solutions that help secure everyone.


Charles Leaver – To Easily Find Superfish Use The Ziften App For Splunk

Written By Ryan Hollman And Presented By Charles Leaver CEO Ziften


Background: Lenovo admitted to pre-installing the Superfish adware on some consumer PCs, and unhappy customers are now dragging the company to court over the matter, PCWorld reported. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with “deceptive” commercial practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by pre-loading the adware.

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk, you can find infected endpoints with a simple Splunk search. Simply search your Ziften data and filter for the keyword “superfish”. The query is just:

index=ziften superfish


The following image shows the results you would see in your Ziften App for Splunk if systems were infected. In this particular case, we discovered several systems infected with Superfish.

The above results also refer to the binary “VirtualDiscovery.exe”. As it turns out, this is the core process responsible for the infections. In addition to the Superfish root certificate and the VirtualDiscovery.exe binary, this software also writes the following to the system:

A Windows registry entry in:


INI and log files in:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Manual detection of Superfish can also be done on an endpoint directly from PowerShell with the following:

dir cert:\ -Recurse | where Subject -match "superfish"

If the system is infected with Superfish, you will see results like those in the following image. If the system is clean, you will see no results.

Some analysts have mentioned that you can simply remove Superfish by deleting the root certificate shown above with a PowerShell command such as:

dir cert:\ -Recurse | where Subject -match "superfish" | Remove-Item

This removal does not persist across reboots. Merely removing the root cert does not work, as VirtualDiscovery.exe will reinstall the root cert after a system reboot.

The simplest way to get rid of Superfish from your system is to update Microsoft's built-in AV product, Windows Defender. Soon after the public became aware of Superfish, Microsoft updated Windows Defender to remediate Superfish.

Other removal techniques exist, but updating Windows Defender is by far the simplest method.


Charles Leaver – 5 Top User Endpoint Behaviors That You Need To Be Aware Of

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Standard security software is unlikely to detect attacks targeted at a specific company. The attack code will most likely be remixed to evade known malware signatures, while fresh command-and-control infrastructure will be stood up to evade known blacklisted network contacts. Resisting these fresh, targeted attacks requires defenders to identify more generic attack characteristics than can be found in endless lists of known Indicators of Compromise (IoCs) from previously analyzed attacks.

Unless you have a time machine to retrieve IoCs from the future, known IoCs will not help with fresh attacks. For that, you have to look out for suspicious behaviors of users or endpoints that could indicate ongoing attack activity. These suspicion-arousing behaviors won't be as conclusive as a malware signature match or an IP blacklist hit, so they will need analyst triage to validate. Insisting on certainty of conviction before raising alerts means that new attacks will successfully evade your automated defenses. It would be like a parent ignoring suspicious behavior by a child without question until they receive a call from the police. You do not want that call from the FBI telling you that your enterprise has been breached when due analyst attention to suspect behaviors would have provided early detection.

Security analytics of observed user and endpoint behavior looks to recognize attributes of potential attack activity. Here we highlight a few of those suspect behaviors by way of general description. These suspect behaviors function as cyber attack tripwires, alerting defenders to potential attacks in progress.

Anomalous Login Activity

Users and organizational units show learnable login activity patterns that can be examined for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user's or endpoint's earlier login pattern. Remote logins can be evaluated for remote IP address and geolocation, and login entropy can be measured and compared. Non-administrative users logging into numerous systems can be observed and reported, as this departs from expected patterns.
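The two kinds of anomaly described above, worked through in Python as an added example (this is not Ziften code and not part of the original post): the temporal check compares a new login against that user's own observed hours, hosts and source countries, and the spatial check compares the number of distinct hosts a non-administrative user touches against the median of peers in the same organizational unit. The login history, user and host names, the `hour_slack`, `ratio` and `floor` thresholds, and the admin-account list are all constructed assumptions that a real deployment would learn or tune.

```python
"""Temporal and spatial login-anomaly checks over a constructed login history.

Added example, not Ziften code. Records, users and hosts are constructed;
the thresholds are assumptions a real deployment would tune.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set


def _logins(user: str, ou: str, hosts: List[str], hours: List[int], country: str = "US") -> List[Dict]:
    """Build one historical login record per (host, hour) pair for a user."""
    return [{"user": user, "ou": ou, "host": h, "hour": hr, "country": country}
            for h in hosts for hr in hours]


# Constructed history: three engineers with a workstation and a build box,
# one engineer who also logs into eight servers, and one admin service account.
HISTORY: List[Dict] = (
    _logins("alice", "engineering", ["eng-ws-01", "build-01"], [8, 9, 10, 13, 17])
    + _logins("bob", "engineering", ["eng-ws-02", "build-01"], [9, 10, 11, 14, 16])
    + _logins("carol", "engineering", ["eng-ws-03", "build-02"], [8, 11, 12, 15, 18])
    + _logins("dave", "engineering", ["eng-ws-04"] + [f"srv-{i:02d}" for i in range(8)], [9, 12, 15])
    + _logins("svc-backup", "engineering", [f"srv-{i:02d}" for i in range(8)], [2, 3])
)
ADMIN_ACCOUNTS: Set[str] = {"svc-backup"}


def build_user_baseline(history: List[Dict]) -> Dict[str, Dict]:
    """Per-user sets of observed hosts, hours and source countries (the temporal baseline)."""
    baseline: Dict[str, Dict] = {}
    for rec in history:
        b = baseline.setdefault(rec["user"], {"ou": rec["ou"], "hosts": set(), "hours": set(), "countries": set()})
        b["hosts"].add(rec["host"])
        b["hours"].add(rec["hour"])
        b["countries"].add(rec["country"])
    return baseline


def temporal_anomalies(event: Dict, baseline: Dict[str, Dict], hour_slack: int = 1) -> List[str]:
    """Compare a new login with that user's own history; return reasons to look at it."""
    b = baseline.get(event["user"])
    if b is None:
        return ["first login ever seen for this user (no baseline)"]
    reasons: List[str] = []
    lo, hi = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
    if not lo <= event["hour"] <= hi:
        reasons.append(f"hour {event['hour']:02d} outside usual window {lo:02d}-{hi:02d}")
    if event["host"] not in b["hosts"]:
        reasons.append(f"host {event['host']} never used by this user before")
    if event["country"] not in b["countries"]:
        reasons.append(f"login from {event['country']}, previously only {sorted(b['countries'])}")
    return reasons


def spatial_anomalies(baseline: Dict[str, Dict], admins: Set[str],
                      ratio: float = 3.0, floor: int = 3) -> List[Dict]:
    """Flag non-admin users touching far more hosts than the median of their OU peers."""
    by_ou: Dict[str, Dict[str, int]] = defaultdict(dict)
    for user, b in baseline.items():
        if user not in admins:  # admin accounts are expected to roam
            by_ou[b["ou"]][user] = len(b["hosts"])
    flagged = []
    for ou, counts in by_ou.items():
        peer_median = median(counts.values())
        for user, n in counts.items():
            # median rather than mean so one outlier cannot hide itself in the baseline
            if n > max(floor, ratio * peer_median):
                flagged.append({"user": user, "ou": ou, "hosts": n, "peer_median": peer_median})
    return flagged


if __name__ == "__main__":
    base = build_user_baseline(HISTORY)
    print(temporal_anomalies({"user": "alice", "host": "srv-03", "hour": 3, "country": "RO"}, base))
    print(spatial_anomalies(base, ADMIN_ACCOUNTS))
```

The median is used for the peer comparison on purpose: with a mean and standard deviation, a single user on nine hosts inflates the baseline enough to excuse himself, which is exactly the failure mode a spatial check must avoid. Output from either function is a triage hint for an analyst, not a verdict, in line with the post's point that these tripwires need human validation.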

Anomalous Work Practices

Working outside normal work hours or outside established patterns of work activity can be suspect, or a sign of insider threat activity or compromised credentials. Again, anomalies may be either spatial or temporal in nature. The active process mix of the workload can also be examined for adherence to established workgroup activity patterns. Workloads may differ somewhat, but tend to be reasonably consistent across engineering departments, accounting departments, marketing departments, and so on. Work activity patterns can be machine learned and statistical divergence tests applied to find behavioral anomalies.

Anomalous Application Attributes

Common applications show relatively consistent attributes in their image metadata and in their active process profiles. Significant departures from these observed activity norms can be a sign of application compromise, such as code injection. Whitelisted applications may be used by malware scripts in unusual ways, such as ransomware using system tools to remove volume shadow copies to thwart recovery, or malware staging stolen data to disk prior to exfiltration, with substantial disk resource demand.

Anomalous Network Activity

Typical applications exhibit reasonably consistent network activity patterns that can be learned and characterized. Unusual levels of network activity by unusual applications are suspect for that reason alone, as is unusual port activity or port scanning. Network activity at unusual times or with unusual regularity (possibly beaconing) or with unusual resource demand is also worthy of attention. Unattended network activity (user not present) must always have a plausible explanation or be reported, particularly if observed in significant volume.
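Three of the network tripwires named above, beaconing regularity, network activity by an application few hosts run, and volume transferred while no user is present, in Python as an added example (not Ziften code and not part of the original post). Beaconing is scored as the coefficient of variation of the gaps between connections in one (host, executable, destination) series: a low value means the connections repeat on a near-fixed period. The connection events, host and executable names, addresses and the `min_events`, `max_cv`, `max_hosts` and `min_bytes` thresholds are constructed assumptions.

```python
"""Beaconing, rare-application and unattended-volume checks over constructed
connection events. Added example, not Ziften code; thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional


def _connections(host, exe, dst, port, start, intervals, nbytes, user_present=True):
    """Constructed connection events: one at `start`, then one after each interval."""
    events, t = [], start
    for gap in [0] + intervals:
        t += gap
        events.append({"host": host, "exe": exe, "dst": dst, "dst_port": port,
                       "ts": t, "bytes": nbytes, "user_present": user_present})
    return events


EVENTS: List[Dict] = (
    # wks-a: an unknown binary calling the same address every ~300 s while no user is present
    _connections("wks-a", "updater.exe", "203.0.113.50", 443, 1000,
                 [300, 302, 298, 301, 299, 300, 303, 297, 300], 512, user_present=False)
    # ordinary, bursty browser traffic from three workstations
    + _connections("wks-a", "chrome.exe", "198.51.100.7", 443, 1200,
                   [5, 120, 3, 600, 40, 15, 200, 1, 900], 2048)
    + _connections("wks-b", "chrome.exe", "198.51.100.7", 443, 1500,
                   [2, 30, 400, 7, 90, 1, 250, 10, 60], 1024)
    + _connections("wks-c", "chrome.exe", "198.51.100.9", 80, 1700,
                   [15, 4, 300, 9, 45, 1200, 3, 20, 80], 4096)
)


def interval_cv(timestamps: List[float]) -> Optional[float]:
    """Coefficient of variation of the gaps between connections; near 0 means periodic."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(events: List[Dict], min_events: int = 6, max_cv: float = 0.1) -> List[Dict]:
    """Group by (host, exe, destination, port) and report series that repeat with little jitter."""
    series: Dict[tuple, List[float]] = defaultdict(list)
    for e in events:
        series[(e["host"], e["exe"], e["dst"], e["dst_port"])].append(e["ts"])
    beacons = []
    for (host, exe, dst, port), stamps in series.items():
        cv = interval_cv(stamps)
        if len(stamps) >= min_events and cv is not None and cv <= max_cv:
            ts = sorted(stamps)
            period = (ts[-1] - ts[0]) / (len(ts) - 1)  # average spacing in seconds
            beacons.append({"host": host, "exe": exe, "dst": dst, "dst_port": port,
                            "count": len(stamps), "period_s": round(period), "cv": round(cv, 4)})
    return beacons


def rare_network_apps(events: List[Dict], max_hosts: int = 1) -> List[str]:
    """Executables generating network traffic on at most `max_hosts` of the hosts seen."""
    hosts_by_exe: Dict[str, set] = defaultdict(set)
    all_hosts = set()
    for e in events:
        hosts_by_exe[e["exe"]].add(e["host"])
        all_hosts.add(e["host"])
    if len(all_hosts) <= max_hosts:
        return []  # too few hosts observed to call anything rare
    return sorted(exe for exe, hosts in hosts_by_exe.items() if len(hosts) <= max_hosts)


def unattended_volume(events: List[Dict], min_bytes: int = 4096) -> Dict[str, int]:
    """Bytes sent per host while no user was present, where that exceeds `min_bytes`."""
    totals: Dict[str, int] = defaultdict(int)
    for e in events:
        if not e["user_present"]:
            totals[e["host"]] += e["bytes"]
    return {h: n for h, n in totals.items() if n > min_bytes}


if __name__ == "__main__":
    print(find_beacons(EVENTS))
    print(rare_network_apps(EVENTS))
    print(unattended_volume(EVENTS))
```

On the constructed data all three checks converge on the same (host, executable) pair, which is the kind of corroboration the post is arguing for: none of the signals is conclusive alone, but a periodic connection from a binary no other host runs, made while nobody is logged in, is worth an analyst's time. The jitter tolerance (`max_cv`) matters because real beacons are rarely exact; the browser series in the sample have coefficients of variation above 1 and are never reported.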

Anomalous System Fault Behavior

Anomalous fault behavior could indicate a vulnerable or exposed system, or malware repeatedly reattempting some failed operation. This could be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as not running mandated security or backup agents, or repeated faulting by those agents (causing a fault-restart-fault cycle).

When evaluating Endpoint Detection and Response software, don't get a false sense of security just because you have a huge library of known IoCs. The most effective solutions will cover these top 5 generic attack characteristics plus a whole lot more.