Monthly Archives: October 2016

Charles Leaver – Illumination Advances Means A New Start For Endpoints

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

The traditional perimeter is dissolving fast. So where does this leave the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. Those investments are being questioned, because the returns no longer justify the cost and complexity of building, maintaining and defending these old controls.

Not only that, the paradigm has changed: employees no longer work only in the office. Many people log hours from home or out in the field, and neither location sits behind the corporate firewall. Instead of keeping cyber criminals out, firewalls often have the opposite effect: they keep authorized people from being productive. The paradox? They create a safe haven in which attackers can breach, hide for months, and then move on to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the failure of perimeter defense described above and a "mobile everywhere" workforce, trust must now be enforced at the endpoint. That is easier said than done, however.

In the endpoint space, identity and access management (IAM) tools are not the complete answer. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust requires more than identification, authentication and authorization.

Encryption is a second attempt at securing whole libraries and individual assets. In the most recent (2016) Ponemon study on data breaches, encryption saved only 10% of the cost per breached record (from $158 to $142). It is not the remedy that some make it out to be.

The Whole Picture Is Changing

Organizations must be prepared to embrace new paradigms and new attack vectors. They still need to grant access to trusted groups and individuals, but they need to do so in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are quickly growing to over 50% of the total enterprise workforce.

On endpoint devices, the binary is primarily the issue. Seemingly benign events, such as an executable crash, might indicate something basic, like the Windows 10 Desktop Window Manager (DWM) restarting. Or they might point to a much deeper problem, such as a malicious file or an early indicator of an attack.

Trusted access does not solve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks involve human error, social engineering or other human factors. Addressing this needs more than simple IAM; it needs behavioral analysis.

Rather than making good better, perimeter and identity access vendors have made bad faster.

When and Where Does the Bright Side Begin?

Taking a step back, Google (Alphabet Corp) published a perimeter-less network design in late 2014 and has made considerable progress since. Other organizations, from corporations to governments, have done similar things (quietly and less radically), but BeyondCorp has done it and published its solution to the world. The design philosophy, endpoint plus (public) cloud displacing the cloistered corporate network, is the crucial idea.

This changes the entire discussion of the endpoint, be it a laptop, PC, workstation or server, as subservient to the corporate/enterprise/private/organization network. The endpoint truly is the last line of defense and must be protected, yet it must also report its activity.

Unlike the conventional perimeter security model, BeyondCorp does not gate access to tools and services based on a user's physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both external networks and internal networks to be entirely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or "tiers," of access.

By itself, this seems harmless. But the reality is that this is a radical new design, and it is imperfect. The access criteria have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, instead of a centralized design that leaves room for breaches, hacking and threats at the human level (the "soft chewy center").
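The tier-based access decision described above, as an added example that is not Google's or Ziften's code: the source network is deliberately not an input, and the tier is derived from inventory-backed device state (a device certificate that matches the inventory, a TPM-held key, patch age, disk encryption, as the later paragraph on Google's device requirements outlines) plus the user's group membership. Tier names, attribute names, thresholds and the inventory and policy tables are all constructed for illustration.

```python
"""Added example (not Google's or Ziften's code): a minimal BeyondCorp-style
access check that ignores the source network and gates on device tier + user group."""
from dataclasses import dataclass, field

TIERS = ["untrusted", "basic", "trusted", "fully_trusted"]

@dataclass
class Device:
    device_id: str
    cert_fingerprint: str       # from the X.509 device cert presented to the access proxy
    tpm_backed_key: bool        # cert key held in a TPM (or software equivalent)
    managed: bool               # enrolled in the corporate device inventory
    patch_age_days: int         # days since the last OS patch
    disk_encrypted: bool

@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)

# Constructed inventory: device id -> the certificate fingerprint the inventory expects.
INVENTORY = {"laptop-001": "AA:BB:CC"}

# Constructed policy: application -> (minimum device tier, required user group).
POLICY = {
    "wiki": ("basic", "employees"),
    "source-control": ("trusted", "engineering"),
    "prod-admin": ("fully_trusted", "sre"),
}

def device_tier(dev: Device) -> str:
    """Derive the device's trust tier purely from inventory-backed device state."""
    # Identity first: an unknown device or a fingerprint mismatch is untrusted.
    if not dev.managed or INVENTORY.get(dev.device_id) != dev.cert_fingerprint:
        return "untrusted"
    if dev.patch_age_days > 30 or not dev.disk_encrypted:
        return "basic"           # known device, but its state is out of policy
    if not dev.tpm_backed_key:
        return "trusted"         # software-held key could be copied; cap below top tier
    return "fully_trusted"

def access_allowed(app: str, dev: Device, user: User) -> bool:
    """Gate access on device tier and user group; network location is never consulted."""
    if app not in POLICY:
        return False             # default deny for unlisted applications
    min_tier, group = POLICY[app]
    return (TIERS.index(device_tier(dev)) >= TIERS.index(min_tier)
            and group in user.groups)
```

A device whose patch age drifts past the threshold drops a tier and loses access to the more sensitive applications without any change to the user's credentials.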

The good part of the story? Breaching the perimeter is very difficult for would-be attackers, and network pivoting becomes almost impossible once they are past the reverse proxy (a common mechanism used by attackers today, showing that firewalls do a better job of keeping the bad guys in than of letting the genuine users out). The inverse design applies even more to Google's cloud servers, presumably tightly managed inside the perimeter, versus client endpoints, which are all out in the wild.

Google has made some good improvements to proven security approaches, notably 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).

Why is this crucial? What are the gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google does not specifically describe a device security agent or stress any form of client-side monitoring (apart from very strict configuration control). While there may be reporting and forensics, this is something every company needs to be aware of, since it is a matter of when, not if, bad things will happen.

Since implementing the initial stages of the Device Inventory Service, we have ingested billions of deltas from over 15 data sources, at a typical rate of about 3 million per day, totaling over 80 terabytes. Maintaining historical data is important in allowing us to understand the end-to-end life cycle of a given device, track and analyze fleet-wide trends, and carry out security audits and forensic investigations.

This is a costly and data-heavy process with two shortcomings. On ultra-high-speed networks (used by the likes of Google, universities and research organizations), ample bandwidth allows this kind of telemetry to flow without flooding the pipes. The first concern is that in more pedestrian corporate and government settings, it would cause significant user disruption.

Second, computing devices need the horsepower to continuously collect and send data. While most employees would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly make this prohibitive.

A Lack of Lateral Visibility

Few systems actually generate "enhanced" NetFlow, augmenting conventional network visibility with rich, contextual data.

Ziften's patented ZFlow™ provides network flow information derived from data produced at the endpoint, something otherwise accomplished through brute force (human labor) or costly network devices.

ZFlow serves as "connective tissue" of sorts that extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints and enabling security teams to make faster, better-informed and more precise decisions. In essence, investing in Ziften's services results in a labor cost saving, plus a boost in speed-to-discovery and time-to-remediation, because technology substitutes for human resources.
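What "adding context" to a flow record looks like in practice, as an added example that is not Ziften's ZFlow code: a plain NetFlow-style 5-tuple from the network is joined to the endpoint's own record of which process owned that source port at that time, so an analyst sees the executable, user and hash behind a connection instead of just an address pair. The record layout, the socket table and all sample values are constructed.

```python
"""Added example (not Ziften's ZFlow): enriching a NetFlow-style record with the
endpoint process context an endpoint-sourced flow feed would carry. All data constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    ts: int             # epoch seconds at flow start (network view)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_out: int

@dataclass
class ProcSocket:
    host: str           # endpoint hostname that reported the socket
    pid: int
    exe: str
    user: str
    sha256: str         # hash of the executable, as reported by the endpoint agent
    local_port: int
    start: int          # socket open time (epoch seconds)
    end: Optional[int]  # socket close time, None while still open

def enrich(flow: Flow, sockets: list, host_by_ip: dict) -> dict:
    """Attach the owning host/process/user to a flow, or mark it unattributed."""
    out = {"ts": flow.ts, "dst": f"{flow.dst_ip}:{flow.dst_port}",
           "bytes_out": flow.bytes_out, "host": host_by_ip.get(flow.src_ip)}
    for s in sockets:
        # Match on host and source port while the socket's lifetime covers the flow start.
        if (s.host == out["host"] and s.local_port == flow.src_port
                and s.start <= flow.ts and (s.end is None or flow.ts <= s.end)):
            out.update(pid=s.pid, exe=s.exe, user=s.user, sha256=s.sha256)
            return out
    out["unattributed"] = True  # the network saw it, but no endpoint process claimed it
    return out

# Constructed sample data: DHCP-style IP-to-host map and two reported sockets.
HOST_BY_IP = {"10.1.2.3": "lt-042", "10.1.2.9": "lt-077"}
SOCKETS = [
    ProcSocket("lt-042", 4120, r"C:\Windows\System32\svchost.exe", "SYSTEM",
               "sha256-placeholder-1", 51322, 1475000000, None),
    ProcSocket("lt-042", 8811, r"C:\Program Files\Example\client.exe", "jdoe",
               "sha256-placeholder-2", 51400, 1475000100, 1475000200),
]
```

A flow that no endpoint claims is itself a finding: either the host has no agent reporting, or the process that opened the socket is hiding from the agent.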

For organizations moving or migrating to the public cloud (as 56% plan to do by 2021, according to IDG Enterprise's 2015 Cloud Study), Ziften offers unmatched visibility into cloud servers to better monitor and secure the complete infrastructure.

In Google's environment, only corporate-owned devices (COPE) are allowed, crowding out bring-your-own-device (BYOD). This works for a company like Google that can hand out new devices to all staff: phone, tablet, laptop and so on. Part of the reason is that identity is vested in the device itself, in addition to the usual user authentication. The device must meet Google's requirements, having either a TPM or a software equivalent of a TPM, to hold the X.509 certificate used to validate device identity and to support device-specific traffic encryption. Several agents must run on each endpoint to verify the device assertions called out in the access policy, which is where Ziften would have to partner with the systems management agent vendor, since agent cooperation is most likely essential to the process.

In summary, Google has built a world-class solution, but its applicability and practicality are limited to organizations like Alphabet.

Ziften brings the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint), and a best-in-class console. For companies with specialized requirements or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment data ingestion and trigger response actions).

This brings the advantages of the BeyondCorp design to the masses while conserving network bandwidth and endpoint (machine) computing resources. Because companies will be slow to move completely away from the corporate network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is gradually shifting to managed detection and response (MDR). Managed security service providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is inadequate. They lack the skills and the technology.

Ziften's service has been tested, integrated, approved and deployed by a number of the emerging MDRs, highlighting the standardization (capability) and versatility of the Ziften platform to play an essential role in remediation and incident response.