Monthly Archives: November 2017

Charles Leaver – Learn About SysSecOps And Why It Is Essential

Written By Alan Zeichick And Presented By Charles Leaver


SysSecOps is a new term, still unfamiliar to many IT and security administrators, but it is being discussed within the industry, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, refers to the practice of uniting security teams and IT operations groups to ensure the health of enterprise technology, and to have the tools to react most effectively when problems occur.

SysSecOps focuses on tearing down the information walls, and breaking up the silos, that stand between security teams and IT administrators.

IT operations staff are there to guarantee that end users have access to applications and that vital infrastructure is running 24×7. They want to maximize access and availability, and they need the data required to do that job: that a new staff member needs to be provisioned, that a disk drive in a RAID array has failed, that a new partner needs access to a secure document repository, or that an Oracle database is ready to be migrated to the cloud. It is all about technology to drive the business.

Same Data, Various Use-Cases

While the use of endpoint and network monitoring data and analytics is clearly tailored to the different needs of IT and security, it turns out that the underlying raw data is the same. The IT and security teams are simply looking at their own domain’s problems and situations, and taking action based on those use cases.

Yet sometimes the IT and security groups have to work together. Take provisioning that new business partner: it needs to touch all the right systems, and it needs to be done securely. Or if there is a problem with a remote endpoint, such as a mobile device or a system on the Industrial Internet of Things, IT and security may need to collaborate to figure out exactly what is going on. When IT and security share the same data sources and have access to the same tools, this job becomes much easier; hence SysSecOps.

Imagine that an IT administrator detects that a server hard drive is nearing full capacity, and this was not planned for. Perhaps the network has been breached, and the server is now being used to stream pirated movies across the Internet. It happens, and finding and fixing that issue is a job for both IT and security. The data gathered by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more efficiently than they would with conventional, separate IT and security tools.

SysSecOps is a new term and a new concept, and it is resonating with both IT and security groups. You can learn more in a brief nine-minute video in which I talk with several industry experts about this subject: “What is SysSecOps?”

Charles Leaver – New Microsoft Word Feature Can Mean Phishing Attacks

Written By Josh Harriman And Presented By Charles Leaver


An interesting multifaceted attack has been reported in a recent blog post by Cisco’s Talos Intelligence team. I wanted to discuss the infection vector of this attack, as it is quite interesting and something that Microsoft has pledged not to fix, since it is a feature and not a bug. Reports can be found of attacks in the wild that exploit a feature of Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog from SecureData.

Distinct Phishing Attack with Microsoft Word

Attackers constantly search for new ways to breach an organization. Phishing attacks are among the most common, as adversaries count on somebody either opening a document sent to them or visiting a ‘fabricated’ URL. From there, an exploit against a vulnerable piece of code generally gives them the access they need to start their attack.

But in this case, the documents didn’t have a malicious object embedded in the Word file, which is a favorite attack vector, but rather a sly use of this feature that allows the Word program to reach out and retrieve the real malicious files. In this way the attackers could hope for, or count on, a better infection rate, because malicious Word files themselves can be scanned and deleted before reaching the recipient.

Hunting for Suspicious Behavior with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that exhibit ‘strange’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a bit further and search for PowerShell running from that spawned shell, and it gets ‘very’ interesting. By using our Search API, we can find these behaviors no matter when they occurred. We do not need the system to be online at the time of the search; if it has run a program (i.e. Word) that exhibited these behaviors, we can find that system. Ziften is always gathering and sending relevant process details, which is why we can find the data without depending on the system state at the time of the search.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process commandline includes powershell

This returns the PIDs (Process IDs) of the processes we saw start up under these conditions. From there we can drill down to see the nitty-gritty details.

In this first screenshot, we can see details of the process tree (Word spawning CMD with PowerShell under that) on the left, and on the right you can see information such as the system name and user, plus the start time.

In the next image below, we look at the CMD process and get details of exactly what was passed to PowerShell.

Probably when the user had to answer this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and fetch some code hosted on the Louisiana Gov website. In the PowerShell image below we can see more information, such as Network Connect details, from when it was connecting to the website to pull the fonts.txt file.

That IP address ( is in fact the Louisiana Gov website. Sometimes we see intriguing data within our Network Connect information that may not match what you would expect.

After creating our Saved Search, we can alert on these conditions as they occur across the environment. We can also create extensions that change a GPO policy to disallow DDE, and even take further action to go and find these documents and remove them from the system if desired. Being able to discover interesting combinations of conditions within an environment is very powerful, and we are very proud to have this feature in our product.
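The saved search above (Word → cmd.exe → PowerShell) expressed as detection logic over stored process telemetry, as an added example that is not Ziften’s code or the Zenith Search API. The record layout (host, user, pid, ppid, image, cmdline, ts) and the sample events are constructed for this example; PAYLOAD-OMITTED stands in for whatever the document passed to PowerShell. The logic mirrors the post’s three conditions and goes one step further: it also flags a cmd.exe whose own child process is powershell.exe, which the command-line substring check alone would miss.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-start telemetry, one JSON record per line (not Ziften's
# schema). Host WS-0417 shows the post's pattern, SRV-02 is a benign Word->cmd
# chain, and WS-0419 launches PowerShell from a batch file so the string
# "powershell" never appears in cmd.exe's own command line.
SAMPLE_EVENTS = r"""
{"host": "WS-0417", "user": "jdoe", "pid": 3012, "ppid": 820, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice.docx", "ts": "2017-10-12T09:14:02Z"}
{"host": "WS-0417", "user": "jdoe", "pid": 3188, "ppid": 3012, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden -Command PAYLOAD-OMITTED", "ts": "2017-10-12T09:14:05Z"}
{"host": "WS-0417", "user": "jdoe", "pid": 3190, "ppid": 3188, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command PAYLOAD-OMITTED", "ts": "2017-10-12T09:14:05Z"}
{"host": "WS-0417", "user": "jdoe", "pid": 4001, "ppid": 820, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c powershell.exe Get-Date", "ts": "2017-10-12T10:02:11Z"}
{"host": "SRV-02", "user": "svc_reports", "pid": 500, "ppid": 1200, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /q report.docx", "ts": "2017-10-12T11:00:00Z"}
{"host": "SRV-02", "user": "svc_reports", "pid": 512, "ppid": 500, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir C:\\Reports", "ts": "2017-10-12T11:00:03Z"}
{"host": "WS-0419", "user": "asmith", "pid": 2200, "ppid": 900, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n quote.docx", "ts": "2017-10-13T08:30:40Z"}
{"host": "WS-0419", "user": "asmith", "pid": 2244, "ppid": 2200, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c C:\\Users\\asmith\\AppData\\Local\\Temp\\stage.bat", "ts": "2017-10-13T08:30:44Z"}
{"host": "WS-0419", "user": "asmith", "pid": 2250, "ppid": 2244, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -File PAYLOAD-OMITTED", "ts": "2017-10-13T08:30:45Z"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse newline-delimited JSON process records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_word_shell_powershell(events: List[dict]) -> List[dict]:
    """Return one hit per cmd.exe spawned by Word that runs PowerShell.

    Conditions mirror the post's saved search: parent image path contains
    'word.exe', child image is cmd.exe, and the child's command line contains
    'powershell'. A cmd.exe whose own child process is powershell.exe is
    flagged as well.
    """
    # Index children by (host, parent pid). Keying on pid is enough for this
    # constructed sample; real telemetry should use a process GUID because
    # pids are reused over time on the same host.
    children: Dict[Tuple[str, int], List[dict]] = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)

    hits = []
    for word in events:
        if "word.exe" not in _basename(word["image"]):
            continue
        for shell in children[(word["host"], word["pid"])]:
            if _basename(shell["image"]) != "cmd.exe":
                continue
            ps_children = [g for g in children[(shell["host"], shell["pid"])]
                           if _basename(g["image"]) == "powershell.exe"]
            if "powershell" in shell["cmdline"].lower() or ps_children:
                hits.append({
                    "host": word["host"],
                    "user": shell["user"],
                    "word_pid": word["pid"],
                    "cmd_pid": shell["pid"],
                    "powershell_pids": [g["pid"] for g in ps_children],
                    "cmdline": shell["cmdline"],
                    "ts": shell["ts"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_word_shell_powershell(parse_events(SAMPLE_EVENTS)):
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]}: Word pid {hit["word_pid"]}'
              f' -> cmd pid {hit["cmd_pid"]} -> powershell pids {hit["powershell_pids"]}')
        print("    ", hit["cmdline"])
```

Run against the sample, the search returns two hits (WS-0417 and WS-0419) and correctly ignores the benign cmd.exe launched from Explorer on WS-0417 and the Word-spawned `dir` on SRV-02. Because the logic runs over stored records rather than live system state, it finds the chain on a host that is offline at search time, which is the property the post calls out.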

Charles Leaver – Ransomware Can Be Avoided And Managed With These 4 Steps

Written By Alan Zeichick And Presented By Charles Leaver


Ransomware is real, and it is hitting people, businesses, schools, hospitals, and local governments, and there is no sign that ransomware is stopping. In fact, it is probably increasing. Why? Let’s face it: ransomware is probably the single most effective attack that cyber criminals have ever created. Anyone can build ransomware using readily available tools; any money received is most likely in untraceable Bitcoin; and if something goes wrong with decrypting someone’s hard drive, the hacker isn’t affected.

A company is hit with ransomware every 40 seconds, according to some sources, and sixty percent of malware issues were ransomware. It hits all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service), it is going to get worse.

The good news: we can fight back. Here’s a four-step battle plan.

Good Basic Hygiene

It starts with training employees how to deal with malicious e-mails. There are forged messages from business partners. There’s phishing and targeted spearphishing. Some will get through e-mail spam/malware filters; employees need to be taught not to click links in those messages and, of course, not to give permission for apps or plug-ins to be installed.

Even so, some malware, like ransomware, is going to get through, often exploiting out-of-date software or unpatched systems, as in the Equifax breach. That’s where the next step comes in:

Making sure that all endpoints are thoroughly patched and fully current with the latest, most secure operating systems, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to fight off the infection.

Ransomware isn’t a technology or security problem. It’s a business problem. And it’s about much more than the ransom that is demanded. That’s nothing compared to the loss of productivity because of downtime, bad public relations, disgruntled customers if service is interrupted, and the cost of rebuilding lost data. (And that assumes that valuable intellectual property or protected financial or customer health data isn’t stolen as well.)

What else can you do? Backup, backup, backup, and secure those backups. If you do not have safe, guaranteed backups, you cannot restore data and core infrastructure in a timely fashion. That includes making daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. This requires continuous monitoring and reporting of what is happening in the environment, including “zero day” attacks that haven’t been seen before. Part of that is monitoring endpoints, from the cellphone to the PC to the server to the cloud, to ensure that all endpoints are current and secure, and that no unexpected modifications have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be identified quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, fast containment is essential.
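One concrete form of the “no unexpected modifications to the underlying configuration” check above is a file-integrity baseline: hash the configuration files you care about once, store the digests somewhere the endpoint cannot overwrite, and compare on a schedule. This is an added example, not code from the post or from any monitoring product; the directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root, POSIX style) to its SHA-256."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_against_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files added, removed, or changed since the baseline was taken."""
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake config directory, then simulate drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        # Take the baseline and serialise it as a real deployment would. Store
        # the JSON off-box (or on read-only media): a baseline the endpoint can
        # rewrite is a baseline the malware can rewrite too.
        baseline_json = json.dumps(hash_tree(root))

        # Simulated drift: a weakened setting, a deleted file, and a new file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "unexpected.conf").write_text("added by nobody we know\n")

        return diff_against_baseline(root, json.loads(baseline_json))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Hashing tells you that something changed, not what or why, so the report is a trigger for investigation, not a verdict. Keep the baseline current with your patch cycle, otherwise every legitimate update floods the report and the real change is lost in the noise.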

The 4 Strategies

Good user training. Updating systems with patches and fixes. Backing up everything as frequently as possible. And using monitoring tools to help both IT and security groups find problems and react quickly to them. When it comes to ransomware, those are the four battle-tested strategies we need to keep our companies safe.

You can learn more about this in a brief 8-minute video, where I talk with a number of industry experts about this issue:

Charles Leaver – Our Partnership With Microsoft Will Help You Defend Your Network

Written By David Shefter And Presented By Charles Leaver


This week we announced a collaboration with Microsoft that brings together Ziften’s Zenith® systems and security operations platform and Windows Defender Advanced Threat Protection (ATP), delivering a cloud-based “single pane of glass” to discover, view, investigate, and respond to advanced cyber attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that allows enterprise customers to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your enterprise, providing scalable, cutting-edge security in a cost-efficient and easy-to-use platform. Enabling enterprises across the world to protect and manage devices through this ‘single pane of glass’ offers the promise of lower operational costs with truly enhanced security, providing real-time global threat protection with intelligence collected from billions of devices worldwide.

The Architecture Of Microsoft And Ziften

The diagram below provides a summary of the service components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities allow you to drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, receive the results, and take action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, organizations can easily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith provide:

Behavior-based, cloud-powered advanced attack detection. Discover the attacks that get past all other defenses (post-breach detection).

Rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspected behavior on any machine through a rich, 6-month machine timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to quickly identify attacks based on monitoring and data from billions of devices.

The image below shows many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

At the end of the day, if you’re looking to secure your endpoints and infrastructure, you need to take a hard look at Windows Defender ATP and Ziften Zenith.