Monthly Archives: November 2016

Charles Leaver – Take These Actions If You Want To Prevent Cyber Attacks

Written By Charles Leaver CEO Ziften


No company, however small or large, is immune to a cyber attack. Whether the attack originates from an outside source or from an insider, no company is completely protected. I have lost count of the number of times that senior managers from organizations have said to me, “why would anybody wish to hack us?”

Cyber Attacks Can Take Many Forms

The growing number of devices that can connect to organization networks (laptops, smartphones and tablets) means increased exposure to security vulnerabilities. The goal of a cyber attack is to exploit those vulnerabilities.


One of the most common cyber attack methods is the use of malware. Malware is code with malicious intent and includes viruses, Trojans and worms. The objective of malware is often to steal sensitive data or even to disable computer networks. Malware often takes the form of an executable file that spreads across your network.

Malware is becoming much more sophisticated, and there is now rogue malware that masquerades as legitimate security software claiming to protect your network.

Phishing Attacks

Phishing attacks are also common. Most often it is an email sent from a supposedly “trusted authority” asking the user to supply personal data by clicking a link. Some of these phishing emails look very authentic and have tricked a great many users. If the link is clicked and data is entered, that information will be stolen. Today an increasing number of phishing emails also carry ransomware.

Password Attacks

A password attack is one of the simplest types of cyber attack. An unauthorized third party attempts to gain access to your systems by “cracking” the login password. Software can be used to run brute force attacks that guess passwords, and the combinations of words used in passwords can be checked against a dictionary file.

If an attacker gains access to your network through a password attack, they can quickly introduce malware and cause a breach of your sensitive data. Password attacks are among the easiest to prevent: strict password policies provide a very effective barrier, and changing passwords regularly is also recommended.

Denial of Service

A Denial of Service (DoS) attack is all about causing maximum disruption to the network. Attackers send very high volumes of traffic through the network and typically make numerous connection requests. The result is that the network is overloaded and shuts down.

Multiple computer systems can be used by attackers in DoS attacks to generate extremely high levels of traffic and overload the network. Recently the largest DoS attack in history used botnets against Krebs On Security. Often, endpoint devices connected to the network such as PCs and laptops are hijacked and then contribute to the attack. A DoS attack, when it occurs, can have serious consequences for network security.

Man in the Middle

Man in the middle attacks are carried out by impersonating the endpoints of a network during an information exchange. Information can be stolen from the end user or even from the server they are communicating with.

How Can You Completely Avoid Cyber Attacks?

Complete prevention of cyber attacks is impossible with current technology, but there is a lot you can do to protect your network and your sensitive data. It is important not to assume that you can simply purchase and deploy a security software suite and then sit back. The more advanced cyber criminals know all of the security software products on the market and have developed methods to defeat the protections they provide.

A policy of strong and frequently changed passwords is one you should adopt, and it is one of the easiest safeguards to implement. Encrypting your sensitive data is another no-brainer. Beyond installing antivirus and anti-malware suites along with a good firewall, you must ensure that regular backups are in place and that you have a data breach incident response and remediation plan in case the worst happens. Ziften helps organizations continuously monitor for threats that may get past their defenses, and take action immediately to remove the threat completely.

Charles Leaver – An Essential Primer For Security Pros Before Migration To The Cloud

Written By Logan Gilbert And Posted By Charles Leaver Ziften CEO


Fears Over Compliance And Security Prevent Companies From Cloud Migration

Migrating parts of your IT operations to the cloud can seem like a huge chore, and a risky one at that. Security holes, compliance record keeping, the risk of introducing errors into your architecture … cloud migration presents plenty of scary concerns to deal with.

If you have been hesitant about moving, you’re not alone – but help is on the way.

When Evolve IP surveyed 1,000+ IT professionals earlier this year for their Adoption of Cloud Services North America report, 55% of those polled said that security is their biggest concern about cloud adoption. For companies that do not yet have a cloud presence, the number was even higher – 70%. The next largest barrier to cloud adoption was compliance, cited by 40% of respondents. (That’s up 11% this year.)

But here’s the bigger problem: if these concerns are keeping your business out of the cloud, you cannot take advantage of the efficiency and cost benefits of cloud services, which becomes a strategic obstacle for your entire company. You need a way to migrate that also answers questions about security, compliance, and operations.

Improved Security in Any Environment With Endpoint Visibility

This is where endpoint visibility wins the day. Being able to see exactly what is going on with every endpoint gives you the visibility you need to improve security, compliance, and operational efficiency when you migrate your data center to the cloud.

And I mean any endpoint: desktop, laptop, mobile phone, server, VM, or container.

As a long time IT pro, I understand the temptation to think you have more control over your servers when they’re locked in a closet and you’re the one who holds the keys. Even when you know that parts of your environment rely on kludges, they’re your kludges, and they’re stable. Plus, when you’re running your own data center – unlike when you’re in the cloud – you can use network taps and a whole host of monitoring tools to look at traffic on the wire, learn a great deal about who’s talking to whom, and fix your problems.

But that level of detail pales in comparison to endpoint visibility, in the data center or in the cloud. The granularity and control of Ziften’s system gives you far more control than you could ever get with a network tap. You can spot malware and other issues anywhere (even off your network), isolate them immediately, then trace them back to whichever user, application, device, or process was the weak link in the chain. Ziften provides the ability to perform look-back forensics and to resolve issues in much less time.

Removing Your Cloud Migration Nightmares

Endpoint visibility makes a big difference any time you’re ready to migrate part of your environment to the cloud. By examining endpoint activity, you can establish a baseline inventory of your systems, clean out wildcard assets such as orphaned VMs, and ferret out vulnerabilities. That gets all assets secure and stable within your own data center before you move to a cloud provider like AWS or Azure.

After you’ve moved to the cloud, continuous visibility into each user, application and device means you can administer every segment of your infrastructure better. You avoid wasting resources by preventing VM sprawl, plus you have a detailed body of data to satisfy the audit requirements of NIST 800-53, HIPAA, and other compliance regulations.

When you’re ready to move to the cloud, you’re not doomed to weak security, incomplete compliance, or operational SNAFUs. Ziften’s approach to endpoint security gives you the visibility you need for cloud migration without the nightmares.

Charles Leaver – Ziften Tool For Endpoint Visibility And Immediate Incident Action

Written By Logan Gilbert And Presented By Charles Leaver


Ziften helps with incident response, remediation, and investigation, even for endpoints that are not connected to your network.

When incidents occur, security experts have to act quickly and thoroughly.

With remote workforces and enterprise “cloud” infrastructures, remediation and analysis on an endpoint can be a truly daunting task. Below, see how you can use Ziften to act on the endpoint and identify the origin and spread of a compromise in minutes – no matter where the endpoints are located.

First, Ziften alerts you to malicious activity on endpoints and directs you to the cause of the alert. Within seconds, Ziften lets you take remediation actions on the endpoint, whether it’s on the corporate network, in an employee’s home, or at the local coffee shop. Any remediation action you would normally carry out through direct access to the endpoint, Ziften offers through its web console.

Just that quickly, remediation is taken care of. Now you can apply your security expertise to go threat hunting and do some forensics work. You can immediately dive into far more detail about the process that led to the alert, and then ask the essential questions to discover how widespread the problem is and where it propagated from. Ziften delivers detailed incident remediation for security experts.

See for yourself how Ziften can help your security team zero in on threats in your environment with our 30 day free trial.

Charles Leaver – After OPM Breach Review The Message Is Clear For CISOs

Written by Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


Cyber attacks, attributed to the Chinese government, breached sensitive personnel databases and stole data on over twenty two million current, former, and prospective U.S. government employees and members of their families. Stern warnings from the Office of the Inspector General (OIG) to shut down systems that lacked a current security authorization were disregarded.

Presciently, the OIG specifically warned that failure to shut down the unauthorized systems carried national security implications. Like the captain of the Titanic who maintained flank speed through an iceberg field, the OPM responded,

“We concur that it is very important to preserve updated and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.”

In addition the OPM worried that shutting down those systems would mean a lapse in retirement and employee benefits and paychecks. Given a choice between a security lapse and an operational lapse, the OPM opted to operate insecurely and was pwned.

Then director Katherine Archuleta resigned her position in July 2015, a day after revealing that the scope of the breach greatly exceeded original assessments.

Despite the high value of the information held by OPM, the agency failed to prioritize cyber security and adequately secure its high value data.

What Are the Lessons for CISOs?

Rational CISOs will want to avoid professional immolation in a massive flaming data breach catastrophe, so let’s quickly review the key lessons from the Congressional report’s executive summary.

Prioritize Cybersecurity Commensurate with Asset Value

Have an effective organizational management structure to implement risk-appropriate IT security policies. Chronic non-compliance with security best practices and lagging timelines for implementing recommendations are indicators of organizational failure and bureaucratic atherosclerosis. Shake up the organization, or prepare for your post-breach panel grilling before the inquisitors.

Don’t Tolerate a Complacent State of Information Security

Have the essential monitoring in place to maintain critical situational awareness, and leave no observation gaps. Do not fail to understand the scope, degree or gravity of cyber attack indicators. Assume that if you identify attack indicators, there are other indicators you are missing. While OPM was forensically monitoring one attack channel, another parallel attack went unobserved. When OPM did take action, the attackers learned which attack had been detected and which attack was still effective, quite valuable intelligence to the attacker.

Enforce Basic Required Security Tools and Quickly Deploy Cutting Edge Security Tools

OPM was woefully negligent in implementing mandated multi-factor authentication for privileged accounts and failed to deploy available security technology that could have prevented or mitigated exfiltration of its most valuable security background investigation files.

For privileged data or control access authentication, the phrase “password protected” has been an oxymoron for years – passwords are not protection, they are an invitation to compromise. In addition to adequate authentication strength, complete network monitoring and visibility is needed to prevent sensitive data exfiltration. The Congressional investigation blamed careless cyber hygiene and inadequate visibility into system traffic for the attackers’ persistent presence in OPM networks.

Don’t Fail to Escalate the Alarm When Your Critically Sensitive Data Is Under Attack

In the OPM breach, observed attack activity “should have sounded a high level multi-agency national security alarm that a sophisticated, consistent actor was looking to access OPM’s highest value data.” Instead, nothing of consequence was done “till after the agency was severely compromised, and up until after the agency’s most delicate info was lost to dubious actors.” As a CISO, sound that alarm in good time (or rehearse your face for the panel appearance).

Finally, don’t let this be said of your company’s security posture:

The Committee acquired documentation and testaments proving OPM’s info security posture was weakened by a woefully unsecured IT environment, internal politics and bureaucracy, and inappropriate priorities related to the implementation of security tools that slowed crucial security decisions.

Charles Leaver – You Must Be Prepared For The Security Issues That Cloud Migration Brings

Written By Charles Leaver CEO Ziften


What Worries Business CISOs When Migrating To The Cloud

Moving to the cloud offers a variety of advantages to enterprise organizations, but there are real security issues that make switching to a cloud environment worrisome. What CISOs want when migrating to the cloud is continuous insight into that cloud environment. They need a way to monitor and measure threats, and confidence that they have the proper security controls in place.

Increased Security Risk

Migration to the cloud means using managed IT services, and many people believe this means giving up a high level of visibility and control. Although the leading cloud providers use the latest security technology and encryption, even the most up to date systems can fail and expose your sensitive data to cyber criminals.

In reality, cloud environments are subject to similar cyber threats as private enterprise data centers. However, the cloud is becoming a more attractive target because of the sheer quantity of data now stored on cloud servers.

Cyber attackers know that organizations are steadily moving to the cloud, and they are already targeting cloud environments. Alert Logic, a security as a service provider, published a report concluding that IT decision makers should not assume that data stored off site is harder for cyber criminals to reach.

The report went on to state that there had been a 45% increase in application attacks against cloud deployments. There had also been an increase in attack frequency on businesses that host their infrastructure in the cloud.

The Cloud Is a Glittering Prize

With the shift of critical data, production workloads, and software applications to cloud environments, these findings should come as no surprise. A statement from the report said, “… hackers, like everybody else, have a minimal quantity of time to complete their job. They wish to invest their time and resources into attacks that will bear the most fruit: companies utilizing cloud environments are mainly thought about as that fruit bearing prize.”

The report also suggests that there is a misunderstanding within companies about security. A number of enterprise decision makers were under the impression that once a cloud migration had taken place, the cloud service provider would be fully responsible for the security of their data.

Security in the Cloud Has to Be a Shared Responsibility

All businesses must take responsibility for the security of their information, whether it is hosted in house or in the cloud. This responsibility cannot be entirely handed off to a cloud provider. If your business suffers a data breach while using cloud management services, it is unlikely that you would be able to escape liability.

It is important that every company fully understands the environment and the risks associated with cloud management. There can be a myriad of legal, financial, commercial, and compliance risks. Before moving to the cloud, be sure to scrutinize contracts so that the provider’s liability in the event of a data breach is fully understood.

Will Semple, vice president at Alert Logic, said, “the secret to safeguarding your crucial data is being educated about how and where along the ‘cyber kill chain’ hackers penetrate systems and to utilize the ideal security tools, practices and financial investment to combat them.”

Cloud Visibility Is Critical

Whether you are using cloud management services or hosting your own infrastructure, you need complete visibility into your environment. If you are considering migrating part – or all – of your environment to the cloud, this is vital.

After a cloud migration has taken place you can rely on this visibility to monitor each user, device, application, and network activity for potential risks and threats. As a result, the administration of your infrastructure becomes far more effective.

Do not let your cloud migration result in weakened security and insufficient compliance. Ziften can help maintain cloud visibility and security for your existing cloud deployments and future cloud migrations.


Charles Leaver – You Can Prevent A Cyber Attack If You Implement The Right Endpoint Management

Written By Charles Leaver, CEO Ziften


Identify and manage any device that needs access to your business network.

As a company grows, so does its asset footprint, which makes managing the whole set of IT assets much more difficult. IT management has moved on from the days when IT asset management consisted of keeping records of devices such as printers, inventorying all installed applications and ensuring that antivirus suites were up to date.

Today, organizations are under constant threat of cyber attacks that use malicious code to infiltrate the corporate network. Numerous devices now have network access capabilities. Gone are the days when only desktop PCs connected to a business network. Now there is a culture of bring your own device (BYOD) where cell phones, tablets and laptops are all encouraged to connect to the network.
While this offers flexibility for companies, with the ability for users to connect remotely, it opens a whole new range of vulnerabilities, as these diverse endpoints make the challenge of business IT security a great deal more complex.

What Exactly Is Endpoint Management?

It is essential that you have a policy based approach to the endpoint devices connected to your network, in order to reduce the risk of cyber attacks and data breaches. The use of laptops, tablets, cell phones and other devices may be convenient, but they can expose organizations to a wide range of security risks. The primary objective of a sound endpoint management strategy should be that network activity is closely monitored and unauthorized devices cannot access the network.

Most endpoint management software checks that the device runs an approved operating system and antivirus software, and examines the device for an up to date virtual private network client.

Endpoint management services identify and control any device that needs access to the corporate network. Anyone attempting to access the business environment from a non-compliant device will be rejected. This is vital to combat attacks from cyber criminals and breaches by malicious groups.

Any device which does not comply with endpoint management policies is either quarantined or granted restricted access. Local administrative rights may be removed and Internet browsing restricted.

Organizations Have the Ability to Do More

There are a number of techniques that a business can use as part of its endpoint management policy. These include firewalls (both network and personal), encryption of sensitive data, stronger authentication methods, which will certainly include the use of hard to crack passwords that are changed frequently, and device and network level antivirus and anti-malware protection.

Endpoint management systems can work on a client/server basis, where a software application is deployed and centrally managed on a server. The client program must be installed on all endpoint devices that are authorized to access the network. It is also possible to use a software as a service (SaaS) model of endpoint management, where the service provider hosts and manages the server and the security applications remotely.

When a client device attempts to log in, the server based application scans the device to see if it complies with the company’s endpoint management policy, and then it verifies the credentials of the user before access to the network is granted.

The Issue With Endpoint Management Systems

Most companies see security software as a “complete cure”, but it is not that clear cut. Endpoint security software that is purchased as a set and forget system will never be sufficient. The skilled cyber attackers out there know about these software products and are developing malicious code that will evade the defenses a set and forget application can offer.

Human intervention is needed, and Jon Oltsik, contributor at Network World, stated “CISOs must take ownership of endpoint security and designate a group of professionals who own endpoint security controls as part of a general responsibility for incident prevention, detection, and response.”

Ziften’s endpoint security solutions provide the continuous monitoring and forensic look-back visibility that a cyber security team needs to discover and act on malicious infiltrations before they spread and take the sensitive data of the business.


Charles Leaver – 2016 Splunk.conf Demonstrates Adaptive Response Is Key

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO

All the latest from Splunk

Recently I went to the annual Splunk conference in the great sunshine state – Florida. The Orlando-based event allowed Splunkers from all over the world to familiarize themselves with the latest and greatest offerings from Splunk. Although there was an array of fun activities throughout the week, it was clear that attendees were there to learn. The announcement of Splunk’s security-centric Adaptive Response initiative was well received and happens to integrate quite nicely with Ziften’s endpoint solution.

Of particular interest, the “Transforming Security” keynote presentation, delivered by Monzy Merza, Director of Cyber Research and Chief Security Evangelist for Splunk, Haiyan Song, SVP Security Markets for Splunk, and Mike Stone, CDIO for the UK Ministry of Defence, showed the power of Splunk’s new Adaptive Response interface to thousands of attendees.

In the clip below, taken from that keynote, Monzy Merza shows how critical data supplied by a Ziften agent can also be used to drive bi-directional functionality from Splunk by sending instructional logic back to the Ziften agent to take immediate action on a compromised endpoint. Monzy was able to successfully identify a compromised Linux server and remove it from the live network for further forensic investigation. By not only providing crucial security data to the Splunk instance, but also allowing the user to stay in the same interface to take operational and security actions, the Ziften endpoint agent lets users leverage Splunk’s powerful framework bi-directionally to take immediate action across all operating systems in a precise manner. After the talks our booth was flooded with demos and very interesting conversations about operations and security.

Take a look at a three minute extract of Monzy from the keynote:

Over the weekend I was able to process the wide range of technical discussions I had with hundreds of brilliant people at our booth at .conf. One of the amusing things I found – which nobody would freely admit unless I pulled it out of them – is that most of us are beginner-to-intermediate SPL (Splunk Processing Language) users. I also observed the obvious: incident response was the main focus of this year’s event.

However, many people use Ziften for Splunk for a range of things, such as application and operations management, network monitoring, and user behavior modeling. To illustrate the broad functionality of our Splunk App, here’s a taste of what folks at .conf2016 liked most about Ziften for Splunk:

1) It’s great for Enterprise Security.

a. Generalized platform for ingesting real-time data and taking immediate action
b. Automating remediation from a wide scope of indicators of compromise

2) IT Operations likes us.

a. Systems Monitoring, Hardware Lifecycle, Resource Management
b. Application Management – Compliance, License Rationalization, Vulnerabilities

3) Network Monitoring with ZFlow is a game changer.

a. ZFlow ties netflow to binary, user and system data – in a single Splunk SPL entry. Do I need to say more? This is the Holy Grail from Indiana Jones, people!

4) Our User Behavior Modeling goes beyond just alerts.

a. This could be filed under IT Operations, but it’s becoming its own beast
b. Ziften’s tracking of software use, logins, elevated binaries, timestamps, etc. is readily viewable in Splunk
c. Ziften offers a free security-centric Splunk package, but we convert all of the data we collect from each endpoint to the Splunk Common Information Model (CIM) – not just our ‘Alerts’.

Ultimately, using a single Splunk Adaptive Response interface to manage a multitude of tools within your environment is what helps build a strong enterprise fabric for your company – one where operations, security and network teams overlap more fluidly. Make better decisions, faster. Find out for yourself with our free 30 day trial of Ziften for Splunk!

Charles Leaver – If You Continue To Use Adobe Flash You Will Get Hacked

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


Get Tough or Get Attacked

Highly experienced and talented cyber attack teams have targeted and are targeting your
organization. Your vast endpoint population is the most common point of entry for skilled
attack groups. These enterprise endpoints number in the thousands, are loosely managed, laxly
configured, and riddled with vulnerability exposures, and are operated by partially trained,
credulous users – the ideal target-rich opportunity. Mikko Hypponen, chief research officer
at F-Secure, often says at industry symposia: “How many of the Fortune 500 are hacked
today? The response: 500.”

And how long did it take to penetrate your organization? White hat hackers carrying out
penetration testing or red team exercises typically compromise target businesses within the
first few hours, even though they are ethically and legally constrained in their methods.
Black hat or state sponsored hackers may achieve penetration far more quickly and maintain
their presence indefinitely. Given typical attacker dwell periods measured in hundreds of days,
the time-to-penetration is negligible, not an impediment.

Exploit Kits

The industrialization of hacking has produced a black market for attack tools, including a
range of software for identifying and exploiting client endpoint vulnerabilities. These
exploit kits are marketed to cyber attackers on the dark web, with many exploit kit families
and vendors. An exploit kit operates by examining the software configuration on the endpoint,
identifying exposed vulnerabilities, and applying an exploit to a vulnerability exposure.

A relative handful of commonly deployed endpoint software products account for the bulk of
exploit kit targeted vulnerabilities. This results from the sad truth that complex software
applications tend to exhibit a continual flow of vulnerabilities that leave them perpetually
exposed. Each patch release cycle the exploit kit developers download the latest security
patches, reverse engineer them to find the underlying vulnerabilities, and update their
exploit kits. This is often done faster than enterprises apply patches, with some
vulnerabilities remaining unpatched and ripe for exploitation even years after a patch is
released.

Adobe Flash

Before widespread adoption of HTML5, Adobe Flash was the most commonly used software for
rich Internet content. Even with increasing adoption of HTML5, legacy Adobe Flash retains a
considerable following, maintaining its long-held position as the darling of exploit kit
authors. A recent study by Digital Shadows, In the Business of Exploitation, is instructive:

This report evaluates 22 exploitation kits to comprehend the most regularly exploited software.
We tried to find patterns within the exploitation of vulnerabilities by these 22 sets to reveal
what vulnerabilities had actually been exploited most commonly, paired with how active each
exploitation kit was, in order to inform our evaluation.

The vulnerabilities exploited by all 22 exploit packages showed that Adobe Flash Player was
likely to be the most targeted software, with 27 of the seventy six determined vulnerabilities
exploited relating to this software application.

With relative consistency, dozens of fresh vulnerabilities are disclosed in Adobe Flash every
month. To exploit kit developers, it is the gift that keeps on giving.

The industry is learning its lesson and moving beyond Flash for rich web content. For
example, a Yahoo senior developer, blogging recently in Streaming Media, noted:

“Adobe Flash, in the past the de-facto requirement for media playback online, has lost favor
in the industry due to increasing issues over security and performance. At the same time,
needing a plugin for video playback in browsers is losing favor amongst users as well. As a
result, the market is moving toward HTML5 for video playback.”

Amit Jain, Sep 21, 2016

Eradicating Adobe Flash

One step organizations can take now to harden their endpoint configurations is to remove
Adobe Flash as a matter of enterprise security policy. This will not be an easy task, and it
may hurt, but it will help reduce your enterprise attack surface. It involves blacklisting
Adobe Flash Player and enforcing browser security settings that disable Flash content. If done
properly, this is what users will see where Flash content appears on a legacy website:


This message confirms two facts:

1. Your system is correctly configured to refuse Flash content.

Congratulate yourself!

2. This site would compromise your security for its own convenience.

Ditch this site!
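As an added example that is not from the original post or from Ziften, here is a PowerShell audit-and-enforce script for the "remove and block Flash" policy described above, on a Windows endpoint. It assumes an elevated session, the documented Chrome DefaultPluginsSetting policy and Internet Explorer ActiveX kill-bit registry locations, and the usual Macromed\Flash install directories; the function names are my own.

```powershell
# Added example, not part of the original post or Ziften's product.
# Audits and enforces a "no Flash" policy on a Windows endpoint: IE ActiveX kill bit plus
# Chrome's plugin-blocking policy. Assumes an elevated PowerShell session.

# CLSID of the Shockwave Flash ActiveX control that Internet Explorer loads for Flash content
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'

# Documented policy/registry locations
$IeKillBitKey    = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$ChromePolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Directories where Adobe installs the Flash ActiveX/NPAPI binaries on Windows
$FlashDirs = @("$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash")

function Get-FlashPosture {
    # Flash binaries still on disk (informational: the browser blocks work even if they remain)
    $binaries = @(foreach ($dir in $FlashDirs) {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -File |
                Where-Object { $_.Extension -in '.ocx', '.dll' } |
                ForEach-Object { $_.FullName }
        }
    })

    # IE: the kill bit is bit 0x400 of "Compatibility Flags" under the control's CLSID
    $ieFlags = (Get-ItemProperty -Path $IeKillBitKey -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $ieKillBitSet = (($ieFlags -band 0x400) -eq 0x400)

    # Chrome: DefaultPluginsSetting = 2 blocks plugins, including the bundled Pepper Flash
    $chromeSetting = (Get-ItemProperty -Path $ChromePolicyKey -Name 'DefaultPluginsSetting' `
                      -ErrorAction SilentlyContinue).DefaultPluginsSetting
    $chromeBlocked = ($chromeSetting -eq 2)

    [pscustomobject]@{
        FlashBinaries = $binaries
        IeKillBitSet  = $ieKillBitSet
        ChromeBlocked = $chromeBlocked
        Compliant     = ($ieKillBitSet -and $chromeBlocked)
    }
}

function Set-FlashBlocked {
    # Idempotent enforcement of both settings; re-running it is harmless
    foreach ($key in $IeKillBitKey, $ChromePolicyKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $IeKillBitKey -Name 'Compatibility Flags' -PropertyType DWord `
        -Value 0x400 -Force | Out-Null
    New-ItemProperty -Path $ChromePolicyKey -Name 'DefaultPluginsSetting' -PropertyType DWord `
        -Value 2 -Force | Out-Null
}

# Audit first, enforce only when something is missing, then report the resulting posture
$before = Get-FlashPosture
if (-not $before.Compliant) {
    Write-Output "Flash not fully blocked (IE kill bit: $($before.IeKillBitSet), Chrome block: $($before.ChromeBlocked)); enforcing."
    Set-FlashBlocked
}
Get-FlashPosture | Format-List
```

DefaultPluginsSetting = 2 is broader than Flash alone (it governs every plugin Chrome controls with that setting), so test the effect on internal sites before pushing it through Group Policy. If you also manage Firefox through autoconfig, the corresponding preference is plugin.state.flash = 0 (never activate).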