Monthly Archives: January 2018

Charles Leaver – The Key To SysSecOps Is Flexibility

Written By Charles Leaver


Endpoints are everywhere. The device you’re reading this on is an endpoint, whether it’s a desktop, laptop, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it’s connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the web servers, storage servers, and Active Directory servers in the data center. So are your IaaS/PaaS services in the cloud, where you control bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

They’re all endpoints, and all of them need to be managed.

They have to be managed from the IT side (by IT administrators, who hopefully have appropriate IT-level visibility into every connected thing, including those security cameras). That management means making sure they’re connected to the right network zones or VLANs, that their software and configurations are at the current version, and that they’re not flooding the network with bad packets because of electrical faults, and so on.

Those endpoints also need to be managed from the security point of view by CISO teams. Every endpoint is a potential entry point into the business network, which means the devices need to be locked down: default passwords never used, all security patches applied, no unapproved software installed on the device’s embedded web server. (Krebs details how, in 2014, attackers broke into Target’s network through its HVAC system.)

Systems and Security Operations

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right SysSecOps mindset, and tools that support the proper workflows, IT and security staff see the same data and can collaborate. Sure, they each have different jobs and respond differently to trouble alerts, but they’re all managing the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Test Report on Ziften Zenith

We were thrilled when the recently released Broadband-Testing report praised Zenith, Ziften’s flagship endpoint security and management platform, as ideal for exactly this situation. To quote from the report: “With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more. Considering that its definition of ‘endpoints’ extends into the Data Centre (DC) and the world of virtualisation, it holds true blanket coverage.”

Broadband-Testing is an independent testing facility and service based in Andorra. They describe themselves as follows: “Broadband-Testing interacts with vendors, media, financial investment groups and VCs, analysts and consultancies alike. Checking covers all elements of networking hardware and software, from ease of use and efficiency, through to increasingly important aspects such as device power consumption measurement.”

Back to flexibility. With endpoints everywhere (again: on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system must go everywhere and do everything, at scale. Broadband-Testing wrote:

“The configuration/deployment choices and architecture of Ziften Zenith permit a really flexible deployment, on or off-premise, or hybrid. Agent implementation is simplicity itself with absolutely no user requirements and no endpoint invasion. Agent footprint is likewise minimal, unlike lots of endpoint security solutions. Scalability likewise looks to be outstanding – the most significant consumer release to date is in excess of 110,000 endpoints.”

We can’t help but take pride in Zenith, and in what Broadband-Testing concluded:

“The emergence of SysSecOps – combining systems and security operations – is an uncommon moment in IT; a hype-free, good sense technique to refocusing on how systems and security are handled inside a company.

Key to Ziften’s endpoint technique in this classification is overall visibility – after all, how can you secure what you can’t see or don’t know exists in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Deployment is easy, specifically in a cloud-based situation as tested. Scalability likewise looks to be outstanding – the biggest customer implementation to date remains in excess of 110,000 endpoints.

Data analysis choices are comprehensive with a big quantity of details offered from the Ziften console – a single view of the whole endpoint infrastructure. Any object can be evaluated – e.g. Binaries, applications, systems – and, from a process, an action can be specified as an automatic function, such as quarantining a system in the event of a potentially malicious binary being found. Multiple reports are predefined covering all aspects of analysis. Alerts may be set for any event. Additionally, Ziften provides the idea of extensions for custom data collection, beyond the reach of a lot of vendors.

And with its External API functionality, Ziften-gathered endpoint data can be shared with a lot of 3rd party applications, thus adding more value to a customer’s existing security and analytics infrastructure investment.

Overall, Ziften has an extremely competitive offering in exactly what is an extremely worthy and emerging IT classification in the form of SysSecOps that is extremely worthwhile of examination.”

We hope you’ll consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes with the true blanket coverage that both your IT and CISO teams have been looking for.

Charles Leaver – Tackle Both Meltdown And Spectre With Our Help

Written By Josh Harriman And Presented By Charles Leaver


Ziften is aware of the latest exploits affecting almost everyone who works on a computer or digital device. While that is a broad statement, we at Ziften are working hard to help our customers find vulnerable assets, fix those vulnerable systems, and monitor systems after the fix for potential performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we keep up to date on the latest malicious attacks as they evolve. Today, most of the discussion is around proof-of-concept (PoC) code and what can theoretically happen. This will change soon as attackers take advantage of these opportunities. The exploits I’m speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were discovered and what the industry is doing to find workarounds for these hardware issues. For more information, I feel it’s appropriate to go straight to the source (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Assist?

A key area where Ziften helps in case of an attack by either technique is watching for data exfiltration. Because these attacks essentially read data they should not have access to, we believe the first and easiest way to protect yourself is to take sensitive data off these systems. That data might be passwords, login credentials, or even security keys for SSH or VPN access.

Ziften checks and alerts when processes that normally do not make network connections begin exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and/or kill the processes associated with these situations. Ziften Labs is tracking the development of the attacks related to these vulnerabilities that are likely to appear in the wild, so we can better protect our customers.
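The kind of check described above, as an added illustration that is not Ziften’s or Zenith’s code: learn, per host, which processes were seen making network connections during a baseline window, then alert on any later connection from a process absent from that host’s baseline. The telemetry format, field names and sample events are constructed for this example.

```python
"""Added example (not Ziften's code): flag processes that open network
connections for the first time, relative to a learned per-host baseline.

Assumptions: endpoint telemetry arrives as one JSON object per line with the
fields shown in the constructed samples below; the field names are made up."""
import json
from collections import defaultdict

# Constructed sample telemetry: a baseline window, then a later window.
BASELINE_EVENTS = """\
{"host": "ws-01", "process": "chrome.exe", "event": "connect", "dst": "203.0.113.10:443"}
{"host": "ws-01", "process": "outlook.exe", "event": "connect", "dst": "203.0.113.20:443"}
{"host": "ws-01", "process": "calc.exe", "event": "start"}
{"host": "srv-db", "process": "sqlservr.exe", "event": "connect", "dst": "198.51.100.5:1433"}
"""
NEW_EVENTS = """\
{"host": "ws-01", "process": "chrome.exe", "event": "connect", "dst": "203.0.113.11:443"}
{"host": "ws-01", "process": "calc.exe", "event": "connect", "dst": "192.0.2.77:8080"}
{"host": "srv-db", "process": "notepad.exe", "event": "connect", "dst": "192.0.2.78:8443"}
{"host": "srv-db", "process": "sqlservr.exe", "event": "connect", "dst": "198.51.100.5:1433"}
{"host": "ws-99", "process": "winword.exe", "event": "connect", "dst": "203.0.113.30:443"}
"""

def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def learn_baseline(events):
    """Map host -> set of process names seen making network connections."""
    baseline = defaultdict(set)
    for ev in events:
        if ev.get("event") == "connect":
            baseline[ev["host"]].add(ev["process"].lower())
    return baseline

def find_new_talkers(baseline, events):
    """Return (host, process, dst) for connects by processes absent from that
    host's baseline. Hosts with no baseline at all are skipped: with nothing
    learned, every process would look 'new' and the alerts would be noise."""
    alerts = []
    for ev in events:
        if ev.get("event") != "connect" or ev["host"] not in baseline:
            continue
        if ev["process"].lower() not in baseline[ev["host"]]:
            alerts.append((ev["host"], ev["process"], ev["dst"]))
    return alerts

if __name__ == "__main__":
    base = learn_baseline(parse_events(BASELINE_EVENTS))
    for alert in find_new_talkers(base, parse_events(NEW_EVENTS)):
        print("ALERT: host %s, process %s connected to %s" % alert)
```

Here calc.exe and notepad.exe are flagged because they never connected during the baseline, while ws-99 is skipped because no baseline exists for it yet.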

Find – How am I Vulnerable?

Let’s look at the areas we can check for vulnerable systems. Zenith, Ziften’s flagship product, can simply and quickly find operating systems that need to be patched. Even though these exploits target the CPU chips themselves (Intel, AMD and ARM), the fixes that will be offered are updates to the operating system and, in other cases, to the web browser you use as well.

In Figure 1 below, you can see an example of how we report on the available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track failed patch installs. The example below is not for Meltdown or Spectre, but the KB and/or patch number for your environment could be populated in this report to show the vulnerable systems.

The same applies to browser updates. Zenith keeps an eye on the software versions running in the environment. That data can be used to understand whether all web browsers are up to date once the fixes appear.

Speaking of browsers, one area that has already picked up steam in attack scenarios is the use of JavaScript. A working example is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Browsers like Edge no longer use JavaScript, and mitigations are available for other browsers. Firefox has a fix available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is coming out soon.

Repair – What Can I Do Now?

Once you have identified the vulnerable systems in your environment, you definitely want to patch and fix them quickly. One caveat to consider: there are reports of certain antivirus products causing stability issues when the patches are applied. Information about these issues is here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith can also help patch systems. We can monitor for systems that need patches, direct our product to apply those patches for you, and then report success/failure and the status of those still needing patching.

Because the Zenith backend is cloud-based, we can even monitor your endpoint systems and apply the needed patches when they are not connected to your corporate network.

Monitor – How is Everything Running?

Finally, some systems may show performance degradation after the OS fixes are applied. These issues appear to be limited to high-load (IO and network) systems. The Zenith platform helps both the security and the operations teams within your environment, which is what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help reveal problems such as application crashes or hangs, and system crashes. Plus, we monitor Memory and CPU usage per system over time. This data can be used to monitor and alert on systems that start to show high utilization compared to the period before the patch was applied. An example of this tracking is shown in Figure 2 below (system names intentionally removed).
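The pre-patch versus post-patch comparison described above, as an added example that is not Zenith’s own logic: split each host’s CPU samples at its patch install time, compare the two averages, and flag hosts whose utilization rose by more than a threshold. Hosts without enough samples on either side are reported separately, so a missing baseline is not mistaken for “no regression”. The sample data, hostnames and patch times are constructed.

```python
"""Added example (not Ziften's code): compare per-host CPU utilization before
and after the patch install time and flag hosts whose post-patch average rose
by more than a threshold. Sample data, hostnames and patch times are made up."""
from statistics import mean

# Constructed samples: (host, minute_of_day, cpu_percent)
SAMPLES = [
    ("srv-io-1", 10, 30.0), ("srv-io-1", 20, 40.0), ("srv-io-1", 30, 35.0),
    ("srv-io-1", 70, 60.0), ("srv-io-1", 80, 65.0), ("srv-io-1", 90, 55.0),
    ("ws-05", 10, 12.0), ("ws-05", 20, 14.0),
    ("ws-05", 70, 13.0), ("ws-05", 80, 15.0),
    ("ws-new", 70, 90.0), ("ws-new", 80, 92.0),   # enrolled after the patch
]
# Constructed: minute at which the patch was applied on each host.
PATCH_TIME = {"srv-io-1": 50, "ws-05": 50, "ws-new": 50}

def split_by_patch(samples, patch_time):
    """host -> (pre-patch CPU values, post-patch CPU values).
    A host with no known patch time is treated as entirely post-patch."""
    out = {}
    for host, t, cpu in samples:
        pre, post = out.setdefault(host, ([], []))
        (pre if t < patch_time.get(host, 0) else post).append(cpu)
    return out

def find_regressions(samples, patch_time, min_samples=2, rise_pct=25.0):
    """Return ({host: (pre_avg, post_avg, rise_percent)}, [hosts_without_baseline]).
    A host is a regression when its post-patch mean CPU is at least rise_pct
    percent above its pre-patch mean."""
    regressions, no_baseline = {}, []
    for host, (pre, post) in split_by_patch(samples, patch_time).items():
        if len(pre) < min_samples or len(post) < min_samples:
            no_baseline.append(host)
            continue
        pre_avg, post_avg = mean(pre), mean(post)
        rise = (post_avg - pre_avg) / pre_avg * 100.0
        if rise >= rise_pct:
            regressions[host] = (round(pre_avg, 1), round(post_avg, 1), round(rise, 1))
    return regressions, sorted(no_baseline)

if __name__ == "__main__":
    regs, missing = find_regressions(SAMPLES, PATCH_TIME)
    for host, (before, after, rise) in regs.items():
        print("REGRESSION: %s CPU %.1f%% -> %.1f%% (+%.1f%%)" % (host, before, after, rise))
    for host in missing:
        print("NO BASELINE: %s (not enough pre- or post-patch samples)" % host)
```

With the constructed data, srv-io-1 (a high-load server) is flagged with a rise of roughly 71%, ws-05 stays within the threshold, and ws-new is listed as lacking a baseline.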

These ‘flaws’ are still new to the public, and much more will be discussed and discovered in the days/weeks/months to come. Here at Ziften, we continue to monitor the situation and how we can best educate and protect our customers and partners.