Monthly Archives: May 2017

Charles Leaver – The WannaCry Ransomware Threat Is Real And Here Is How Ziften Can Help

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO


Answers To Your Questions About WannaCry Ransomware

The WannaCry ransomware attack has so far infected more than 300,000 computers in 150 countries by exploiting vulnerabilities in Microsoft’s Windows operating system.
In this short video, Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, as well as how Ziften can help organizations protect themselves from the vulnerability known as “EternalBlue.”

As mentioned in the video, the problem with this Server Message Block (SMB) file-sharing service is that it ships with most Windows operating systems and is found in the majority of environments. However, we make it simple to identify which systems in your environment have or have not been patched yet. Importantly, Ziften Zenith can also remotely disable the SMB file-sharing service entirely, giving organizations valuable time to make sure those computers are properly patched.

If you’re curious about Ziften Zenith, our 20-minute demonstration includes a consultation with our experts on how we can help your company prevent the worst digital disaster to hit the internet in years.

Charles Leaver – Easily Assess A Next Gen Endpoint Security Service Using These 10 Pointers

Written By Roark Pollock And Presented By Charles Leaver CEO Ziften


The Endpoint Security Buyer’s Guide

The endpoint is the most common entry point for an advanced persistent threat or a breach, and endpoints are certainly the entry point for most ransomware and social engineering attacks. The use of endpoint protection products has long been considered a best practice for protecting endpoints. Unfortunately, those tools aren’t keeping up with today’s threat environment. Advanced threats, and truth be told, even less advanced threats, are frequently more than sufficient to fool the typical employee into clicking something they shouldn’t. So companies are looking at and evaluating a variety of next generation endpoint security (NGES) solutions.

With this in mind, here are 10 tips to consider if you’re evaluating NGES solutions.

Tip 1: Start with the end in mind

Don’t let the tail wag the dog. A risk reduction strategy should always start by examining problems and then looking for possible fixes for those problems. But all too often we get enamored with a “shiny” new technology (e.g., the latest silver bullet) and end up trying to shoehorn that technology into our environments without fully evaluating whether it solves a known and measured problem. So exactly what problems are you trying to solve?

– Is your existing endpoint protection tool failing to stop threats?
– Do you need better visibility into activity on the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you looking to reduce the time and cost of incident response?

Define the problems to address, and then you’ll have a measuring stick for success.

Tip 2: Know your audience. Exactly who will be using the tool?

Understanding the problem that has to be solved is a crucial first step in understanding who owns the problem and who would (operationally) own the solution. Every functional team has its strengths, weaknesses, preferences and prejudices. Define who will need to use the solution, and who else could benefit from its use. Is it:

– The security team,
– IT operations,
– The governance, risk and compliance (GRC) team,
– The helpdesk or end user support team,
– Or even the server team, or a cloud operations team?

Tip 3: Know what you mean by endpoint

Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in many more varieties than before.

Sure, we want to protect desktops and laptops, but what about mobile devices (e.g. phones and tablets), virtual endpoints, cloud-based endpoints, or Internet of Things (IoT) devices? And what about your servers? All these devices, naturally, come in numerous flavors, so platform support has to be addressed as well (e.g. Windows only, Mac OS X, Linux, etc.?). Also, consider support for endpoints even when they are working remotely or offline. What are your needs and what are your “nice to haves”?

Tip 4: Start with a foundation of continuous visibility

Continuous visibility is a foundational capability for addressing a host of security and operational management concerns on the endpoint. The old saying is true: you can’t manage what you can’t see or measure. Further, you can’t secure what you can’t properly manage. So it must begin with continuous, all-the-time visibility.

Visibility is foundational to Security and Management

And think about what visibility means. Enterprises need a single source of truth that at a minimum monitors, stores, and analyzes the following:

– System data – events, logs, hardware state, and file system information
– User data – activity logs and behavior patterns
– Application data – attributes of installed apps and usage patterns
– Binary data – characteristics of installed binaries
– Process data – tracking details and statistics
– Network connection data – statistics and internal behavior of network activity on the host

Tip 5: Track your visibility data

Endpoint visibility data can be stored and analyzed on premise, in the cloud, or some combination of both. There are advantages to each. The right approach varies, but is usually dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.

Know if your company needs on-premise data retention

Know whether your company allows cloud-based data retention and analysis or whether you are constrained to on-premise solutions only. Within Ziften, 20-30% of our customers store data on premise purely for regulatory reasons. However, if legally an option, the cloud can provide cost benefits (among others).

Tip 6: Know what is on your network

Understanding the problem you are trying to solve requires understanding the assets on the network. We have found that as much as 30% of the endpoints we initially discover on clients’ networks are unmanaged or unknown devices. This obviously creates a huge blind spot. Reducing this blind spot is an important best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software attached to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and usage, and perform on-going continuous discovery.

Tip 7: Know where you are exposed

After finding out what devices you need to monitor, you have to ensure they are running up-to-date configurations. SANS Critical Security Control 3 recommends secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends continuous vulnerability assessment and remediation of these devices. So, look for NGES solutions that provide all-the-time monitoring of the state or posture of each device, and it’s even better if they can help enforce that posture.

Also look for solutions that provide continuous vulnerability assessment and remediation.

Keeping your overall endpoint environment hardened and free of critical vulnerabilities prevents a substantial number of security issues and eliminates a great deal of backend pressure on the IT and security operations teams.

Tip 8: Cultivate continuous detection and response

A crucial objective for many NGES solutions is supporting continuous device state monitoring to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.

Look for NGES solutions that offer all-the-time or continuous threat detection, which leverages a network of global threat intelligence and multiple detection techniques (e.g., signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize detected threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the proper response or next steps. Finally, understand all the response actions that each solution supports, and look for a solution that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.

Tip 9: Consider forensics data gathering

In addition to incident response, companies must be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be critical to any investigation. So look for solutions that maintain historical data that allows for:

– Forensic tasks such as tracing lateral threat movement through the network over time,
– Identifying data exfiltration attempts,
– Determining the root cause of breaches, and
– Identifying appropriate remediation actions.

Tip 10: Tear down the walls

IBM’s security team, which supports an excellent ecosystem of security partners, estimates that the typical enterprise has 135 security tools in place and is dealing with 40 security vendors. IBM customers certainly tend to be large businesses, but it’s a common refrain (complaint) from companies of all sizes that security solutions do not integrate properly.

And the problem is not simply that security solutions do not play well with other security solutions, but also that they do not always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations have to consider these (and other) integration points along with the vendor’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Prepare for customizations

Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution soon after you get it. No solution will meet all your requirements right out of the box, in default configurations. Find out how the solution supports:

– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.

You know you’ll want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.

Look for support for easy customizations in your NGES solution

Follow the majority of these tips and you’ll undoubtedly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.

Charles Leaver – Ziften Is Better At Total End To End Protection Than Anybody Else

Written By Ziften CEO Charles Leaver


Do you want to manage and secure your endpoints, your network, the cloud and your data center? In that case Ziften can provide the ideal solution for you. We gather data, and allow you to correlate and use that data to make decisions, and keep control over your business.

The information that we obtain from everybody on the network can make a real-world difference. Consider the inference that the U.S. elections in 2016 were affected by cyber criminals in another country. If that’s the case, hackers can do practically anything, and the idea that we’ll accept that as the status quo is just ridiculous.

At Ziften, we believe the best way to combat those threats is with greater visibility than you have ever had. That visibility goes across the entire enterprise, and connects all the major players together. On the back end, that’s real and virtual servers in the cloud and in the data center. That’s containers and infrastructure and applications. On the other side, it’s laptops and PCs, irrespective of where and how they are connected.

End to end: that’s the thinking behind everything we do at Ziften. From endpoint to cloud, all the way from a web browser to a DNS server. We connect all that together, with all the other components, to provide your company a total solution.

We also capture and store real-time data for up to 12 months to let you understand what’s happening on the network today, and provide historical trend analysis and alerts if something is changed.

That lets you spot IT faults and security issues immediately, as well as ferret out the root causes by looking back in time to see where a fault or breach may have originally occurred. Active forensics are an absolute must in this business: after all, where a fault or breach triggered an alarm might not be the place where the problem began, or where a hacker is operating.

Ziften provides your IT and security teams with the visibility to understand your current security posture, and identify where improvements are needed. Endpoints non-compliant? Found. Rogue devices? Found. Penetration off-network? Detected. Obsolete firmware? Unpatched applications? All found. We’ll not only help you discover the problem, we’ll help you fix it, and make sure it stays fixed.

End-to-end security and IT management. Real-time and historical active forensics. Onsite, offline, in the cloud. Incident detection, containment and response. We’ve got it all covered. That’s what makes Ziften so much better.

Charles Leaver – You Must Monitor Cloud Activities And Our Enhanced NetFlow Will Do This For You

Written by Roark Pollock and Presented by Ziften CEO Charles Leaver


According to Gartner, the public cloud services market surpassed $208 billion last year (2016). This represented about a 17% increase year over year. Pretty good when you consider the ongoing concerns most cloud customers still have regarding data security. Another particularly interesting Gartner finding is the common practice by cloud consumers to contract services from multiple public cloud providers.

According to Gartner, “most organizations are already using a mix of cloud services from different cloud providers”. While the business rationale for using multiple providers is sound (e.g., avoiding vendor lock-in), the practice does create additional complexity in monitoring activity across an organization’s increasingly dispersed IT landscape.

While some providers support better visibility than others (for example, AWS CloudTrail can monitor API calls across the AWS infrastructure), organizations have to understand and address the visibility problems associated with moving to the cloud regardless of the cloud provider or providers they work with.

Unfortunately, the ability to track application and user activity, and network communications, from each VM or endpoint in the cloud is limited.

Regardless of where computing resources live, organizations must answer the question of “Which users, machines, and applications are communicating with each other?” Organizations need visibility across the infrastructure in order to:

  • Quickly identify and prioritize issues
  • Speed root cause analysis and identification
  • Reduce the mean time to repair issues for end users
  • Rapidly identify and eliminate security threats, reducing overall dwell times.

Conversely, poor visibility or poor access to visibility data can reduce the effectiveness of existing management and security tools.

Organizations that are comfortable with the ease, maturity, and relative inexpensiveness of monitoring physical data centers are going to be disappointed with their public cloud alternatives.

What has been lacking is a simple, ubiquitous, and sophisticated solution like NetFlow for public cloud infrastructure.

NetFlow, of course, has had 20 years or so to become a de facto standard for network visibility. A typical deployment includes the monitoring of traffic and aggregation of flows at network chokepoints, the retrieval and storage of flow data from multiple collection points, and the analysis of this flow data.

Flows include a basic set of source and destination IP addresses and port and protocol information that is typically collected from a router or switch. NetFlow data is relatively inexpensive and easy to collect, provides nearly ubiquitous network visibility, and enables analysis that is actionable for both network monitoring and performance management applications.

Most IT staffs, especially networking and some security teams, are very comfortable with the technology.

But NetFlow was developed to solve what has become a rather limited problem, in the sense that it only gathers network information and does so at a limited number of potential locations.

To make better use of NetFlow, two key modifications are required.

NetFlow to the Edge: First, we need to expand the useful deployment scenarios for NetFlow. Instead of just collecting NetFlow at network choke points, let’s broaden flow collection to the edge of the network (servers, clients and cloud). This would greatly expand the big picture that any NetFlow analytics offer.

This would allow companies to augment and leverage existing NetFlow analytics tools to eliminate the growing visibility blind spot into public cloud activity.

Rich, contextual NetFlow: Second, we need to use NetFlow for more than simple visibility of the network.

Instead, let’s use an extended version of NetFlow that takes account of details on the device, application, user, and binary responsible for each monitored network connection. That would allow us to quickly link every network connection back to its source.

In fact, these two modifications to NetFlow are precisely what Ziften has achieved with ZFlow. ZFlow provides an expanded version of NetFlow that can be deployed at the network edge, including as part of a VM or container image, and the resulting data collection can be consumed and analyzed with existing NetFlow analysis tools. In addition to conventional NetFlow/Internet Protocol Flow Information eXport (IPFIX) visibility of the network, ZFlow provides greater visibility with the inclusion of information on device, application, user and binary for each network connection.

Ultimately, this allows Ziften ZFlow to deliver end-to-end visibility between any two endpoints, physical or virtual, removing traditional blind spots like east-west traffic in data centers and enterprise cloud deployments.
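As an added illustration of how the 5-tuple flow record described earlier can carry device, user, application and binary context in a form an ordinary IPFIX (RFC 7011) collector can still parse, here is a minimal exporter and collector in Python. This is example code written for this page, not ZFlow or any Ziften code; the private enterprise number, the four context element ids and the field layout are assumptions, and the sample flow is constructed.

```python
import struct
IPFIX_VERSION, TEMPLATE_SET_ID, TEMPLATE_ID, VARLEN = 10, 2, 256, 0xFFFF
PEN = 99999  # hypothetical private enterprise number (placeholder, not Ziften's)
# (name, element id, length, enterprise number): IANA ids 8/12/7/11/4 are the standard
# flow 5-tuple; the PEN-scoped ids 1-4 are hypothetical endpoint-context elements.
TEMPLATE = [("src_ip", 8, 4, None), ("dst_ip", 12, 4, None), ("src_port", 7, 2, None),
            ("dst_port", 11, 2, None), ("proto", 4, 1, None), ("device", 1, VARLEN, PEN),
            ("user", 2, VARLEN, PEN), ("app", 3, VARLEN, PEN), ("binary", 4, VARLEN, PEN)]
NAMES = {(eid, pen): name for name, eid, _, pen in TEMPLATE}
SAMPLE_FLOW = {  # constructed sample: one outbound HTTPS connection seen on a cloud VM
    "src_ip": "10.0.0.5", "dst_ip": "52.1.2.3", "src_port": 51234, "dst_port": 443,
    "proto": 6, "device": "web-vm-01", "user": "svc-deploy", "app": "curl", "binary": "/usr/bin/curl"}


def encode_flow(flow, export_time, seq=0, domain=1):  # exporter: header + template + data
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for _, eid, ln, pen in TEMPLATE:  # bit 15 of the element id flags an enterprise element
        tmpl += (struct.pack("!HH", eid, ln) if pen is None
                 else struct.pack("!HHI", eid | 0x8000, ln, pen))
    rec = b""
    for name, _, ln, _ in TEMPLATE:
        v = flow[name]
        if ln == VARLEN:  # variable length: one-byte length prefix (values under 255 bytes)
            rec += bytes([len(v.encode())]) + v.encode()
        else:
            rec += bytes(map(int, v.split("."))) if ln == 4 else v.to_bytes(ln, "big")
    body = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    body += struct.pack("!HH", TEMPLATE_ID, 4 + len(rec)) + rec  # data set id == template id
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, seq, domain) + body


def decode_flows(msg):  # collector: learn templates from the wire, then decode data records
    ver, total = struct.unpack("!HH", msg[:4])
    assert ver == IPFIX_VERSION and total == len(msg), "malformed IPFIX message"
    templates, flows, pos = {}, [], 16
    while pos + 4 <= total:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        p, end = pos + 4, pos + set_len
        if set_id == TEMPLATE_SET_ID:  # one template record per set, for brevity
            tid, n = struct.unpack("!HH", msg[p:p + 4]); p += 4; fields = []
            for _ in range(n):
                eid, ln = struct.unpack("!HH", msg[p:p + 4]); p += 4; pen = None
                if eid & 0x8000:
                    eid, pen = eid & 0x7FFF, struct.unpack("!I", msg[p:p + 4])[0]; p += 4
                fields.append((NAMES[(eid, pen)], ln, pen is None and eid in (8, 12)))
            templates[tid] = fields
        elif set_id in templates:
            flow = {}
            for name, ln, is_ip in templates[set_id]:
                if ln == VARLEN:
                    ln = msg[p]; p += 1; flow[name] = msg[p:p + ln].decode()
                else:
                    raw = msg[p:p + ln]
                    flow[name] = ".".join(map(str, raw)) if is_ip else int.from_bytes(raw, "big")
                p += ln
            flows.append(flow)
        pos = end
    return flows
```

A collector that does not know the enterprise elements still parses the record correctly, because the template carries each field's length; it simply has no name for the context fields.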