Category Archives: Cyber Attacks

Charles Leaver – Tackle Both Meltdown And Spectre With Our Help

Written By Josh Harriman And Presented By Charles Leaver

 

Ziften knows the most recent exploits affecting almost everybody who works on a computer or digital device. While this is a large statement, we at Ziften are working very hard helping our customers discover susceptible assets, repairing those susceptible systems, and monitoring systems after the repair for prospective performance issues.

This is a continuous examination by our team in Ziften Labs, where we keep up to date on the most recent malicious attacks as they progress. Today, the majority of the discussions are around PoC code (Proof of Concept) and what can theoretically happen. This will soon change as enemies benefit from these opportunities. The exploits I’m speaking, obviously, are Meltdown and Spectre.

Much has been discussed how these exploits were discovered and what is being done by the industry to find workarounds to these hardware concerns. For more information, I feel it’s appropriate to go right to the source here (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Assist?

An essential area that Ziften helps with in case of an attack by either technique is keeping an eye out for data exfiltration. Because these attacks are basically taking data they should not have access to, we believe the first and most convenient methods to safeguard yourself is to take this personal data off these systems. This data might be passwords, login credentials and even security keys for SSH or VPN access.

Ziften checks and notifies when processes that generally do not make network connections begin exhibiting this unusual habit. From these signals, users can quarantine systems from the network and / or eliminate procedures connected with these situations. Ziften Labs is keeping track of the advancement of the attacks that are most likely to become readily available in the real world related to these vulnerabilities, so we can better protect our customers.

Find – How am I Vulnerable?

Let’s take a look at areas we can check for susceptible systems. Zenith, Ziften’s flagship item, can simply and quickly find Operating Systems that have to be patched. Despite the fact that these exploits are in the CPU chips themselves (Intel, AMD and ARM), the repairs that will be offered will be upgraded to the Operating System, and in other cases, the internet browser you use also.

In Figure 1 shown below, you can see an example of how we report on the readily available patches by name, and what systems have actually effectively installed each patch, and which have yet to install. We can likewise track failed patch installs. The example below is not for Meltdown or Spectre, however the KB and / or patch number for the environment could be occupied on this report to show the vulnerable systems.

The exact same applies for browser updates. Zenith keeps an eye out for software variations running in the environment. That data can be utilized to comprehend if all internet browsers are up to date once the fixes appear.

Mentioning browsers, one area that has already picked up steam in the attack circumstances is using Javascript. A working copy is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Products like Edge web browsers do not use Javascript any longer and mitigations are offered for other internet browsers. Firefox has a repair readily available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome repair is coming out soon.

Repair – What Can I Do Now?

Once you have actually determined susceptible systems in your environment you definitely want to patch and fix them very quickly. Some safeguards you need to consider are reports of particular Anti Virus items triggering stability concerns when the patches are applied. Information about these concerns are here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the capability to help patch systems. We can monitor for systems that require patches, and direct our product to use those patches for you and after that report success / failure and the status of those still requiring patching.

Given that the Zenith backend is cloud-based, we can even monitor your endpoint systems and use the needed patches when and if they are not linked to your business network.

Monitor – How is Everything Running?

Finally, there could be some systems that show performance destruction after the OS repairs are applied. These concerns seem to be restricted to high load (IO and network) systems. The Zenith platform assists both security and operational groups within your environment. Exactly what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help reveal problems such as application crashes or hangs, and system crashes. Plus, we monitor system usage for Memory and CPU gradually. This data can be used to monitor and signal on systems that start to show high utilization compared to the duration prior to the patch was used. An example of this tracking is shown in Figure 2 below (system names intentionally removed).

These ‘defects’ are still new to the general public, and much more will be gone over and discovered for days / weeks / months to come. Here at Ziften, we continue to monitor the situation and how we can best educate and protect our customers and partners.

Charles Leaver – Learn About SysSecOps And Why It Is Essential

Written By Alan Zeichick And Presented By Charles Leaver

 

SysSecOps. That’s a new term, still not known by numerous IT and security administrators – however it’s being talked about within the market, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, refers to the practice of uniting security teams and IT operations groups to be able to make sure the health of enterprise technology – and having the tools to be able to react most effectively when problems happen.

SysSecOps concentrates on taking apart the information walls, disrupting the silos, that get in between security teams and IT administrators.

IT operations staff are there to guarantee that end-users have access to applications, and that vital infrastructure is operating 24 × 7. They wish to maximize access and accessibility, and require the data needed to do that task – like that a new staff member should be provisioned, or a disk drive in a RAID array has actually stopped working, that a brand-new partner has to be provisioned with access to a secure document repository, or that an Oracle database is ready to be migrated to the cloud. It’s everything about innovation to drive business.

Same Data, Various Use-Cases

While making use of endpoint and network monitoring information and analytics are clearly customized to fit the diverse needs of IT and security, it ends up that the underlying raw data is really the very same. The IT and security teams simply are taking a look at their own domain’s issues and situations – and doing something about it based on those use-cases.

Yet sometimes the IT and security groups have to work together. Like provisioning that brand-new service partner: It needs to touch all the best systems, and be done safely. Or if there is a problem with a remote endpoint, such as a mobile device or a system on the Industrial Internet of Things, IT and security may need to collaborate to figure out precisely what’s going on. When IT and security share the exact same data sources, and have access to the exact same tools, this job ends up being much easier – and hence SysSecOps.

Think of that an IT administrator detects that a server hard drive is nearing full capacity – and this was not prepared for. Perhaps the network had been breached, and the server is now being used to steam pirated movies across the Internet. It occurs, and finding and fixing that issue is a job for both IT and security. The data gathered by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides working together more efficiently than would happen with conventional, unique, IT and security tools.

SysSecOps: It’s a new term, and a new concept, and it’s resonating with both IT and security groups. You can discover more about this in a brief nine-minute video, where I speak to a number of industry specialists about this subject: “Exactly what is SysSecOps?”

Charles Leaver – New Microsoft Word Feature Can Mean Phishing Attacks

Written By Josh Harriman And Presented By Charles Leaver

 

An interesting multifaceted attack has been reported in a current blog post by Cisco’s Talos Intelligence team. I wanted to discuss the infection vector of this attack as it’s quite interesting and something that Microsoft has actually pledged not to fix, as it is a function and not a bug. Reports are can be found about attacks in the wild which are making use of a function in Microsoft Word, called Dynamic Data Exchange (DDE). Information to how this is accomplished are reported in this blog from SecureData.

Distinct Phishing Attack with Microsoft Word

Attackers constantly search for brand-new methods to breach an organization. Phishing attacks are one of the most common as opponents are relying on that somebody will either open a document sent out to them or go to a ‘fabricated’ URL. From there an exploit on a vulnerable piece of code generally gives them access to start their attack.

But in this case, the documents didn’t have a malicious thing embedded in the Word doc, which is a favorite attack vector, however rather a sly way of using this function that enables the Word program to connect out to obtain the real destructive files. By doing this they could hope or count on a much better success rate of infection as malicious Word files themselves can be scanned and erased before getting to the recipient.

Hunting for Suspicious Habits with Ziften Zenith

Here at Ziften, we wanted to be able to signal on this habit for our clients. Finding conditions that exhibit ‘strange’ habits such as Microsoft Word generating a shell is interesting and not anticipated. Taking it a bit further and searching for PowerShell running from that generated shell and it gets ‘very’ fascinating. By using our Search API, we can find these behaviors no matter when they occurred. We do not need the system to be on at the time of the search, if they have actually run a program (i.e. Word) that showed these habits, we can discover that system. Ziften is always gathering and sending relevant process details which is why we can discover the data without depending on the system state at the time of browsing.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process commandline includes powershell

This returns the PIDs (Process ID) of the procedures we saw startup with these conditions. From there we can drill down to see the nitty gritty details.

In this very first screenshot, we can see details around the process tree (Word spawning CMD with Powershell under that) to the left, and to the right side you can observe information such as the System name and User, plus start time.

Below in the next image, we look at the CMD procedure and get details as to exactly what was passed to Powershell.

Probably when the user needed to answer this Microsoft Word pop-up dialog box, that is when the CMD shell utilized Powershell to head out and get some code hosted on the Louisiana Gov website. In the Powershell image below we can see more information such as Network Connect details when it was connecting to the website to pull the fonts.txt file.

That IP address (206.218.181.46) is in fact the Louisiana Gov site. In some cases we see intriguing data within our Network Connect information that might not match exactly what you anticipate.

After producing our Saved Search, we can notify on these conditions as they take place throughout the environment. We can likewise create extensions that change a GPO policy to not permit DDE and even take additional action and go and find these documents and eliminate them from the system if so desired. Having the ability to discover fascinating combinations of conditions within an environment is really powerful and we are very proud to have this feature in our product.

Charles Leaver – Pointers On Effective Security Awareness Training

Written By Charles Leaver Ziften CEO

 

Reliable business cybersecurity assumes that people – your staff members – do the right thing. That they do not turn over their passwords to a caller who declares to be from the IT department doing a “qualifications audit.” That they don’t wire $10 million to an Indonesian bank account after getting a midnight request from “the CEO”.

That they do not install an “immediate upgrade” to Flash Player based on a pop-up on a porn site. That they don’t overshare on social media. That they do not keep company details on file sharing services outside the firewall. That they don’t connect to unsecure WiFi networks. And they don’t click links in phishing emails.

Our research reveals that over 75% of security incidents are triggered or helped by employee mistakes.

Sure, you have actually set up endpoint security, email filters, and anti-malware services. Those preventative measures will probably be for nothing, though, if your staff members do the wrong thing time and again when in a harmful situation. Our cybersecurity efforts resemble having an expensive vehicle alarm: If you don’t teach your teen to lock the car when it’s at the shopping center, the alarm is worthless.

Security awareness isn’t enough, obviously. Workers will make mistakes, and there are some attacks that do not need an employee mistake. That’s why you require endpoint security, e-mail filters, anti-malware, etc. However let’s discuss reliable security awareness training.

Why Training Typically Doesn’t Have an Impact

Initially – in my experience, a lot of worker training, well, is poor. That’s especially true of training online, which is normally dreadful. However in most cases, whether live or canned, the training lacks trustworthiness, in part since numerous IT professionals are poor and unconvincing communicators. The training typically concentrates on communicating and implementing rules – not changing risky behavior and routines. And it resembles getting mandatory copy machine training: There’s nothing in it for the employees, so they don’t take it on board it.

It’s not about implementing guidelines. While security awareness training might be “owned” by different departments, such as IT, CISO, or HR, there’s often an absence of knowledge about exactly what a safe awareness program is. First of all, it’s not a checkbox; it has to be continuous. The training needs to be delivered in different methods and times, with a combination of live training, newsletters, small group conversations, lunch-and-learns, and yes, even online resources.

Safeguarding yourself is not complicated!

However a huge problem is the lack of objectives. If you do not know exactly what you’re aiming to do, you can’t see if you’ve done a great task in the training – and if dangerous habits really change.

Here are some sample objectives that can lead to effective security awareness training:

Supply staff members with the tools to recognize and deal with continuous daily security hazards they may receive online and via email.

Let workers understand they become part of the team, and they cannot simply count on the IT/CISO teams to manage security.

Stop the cycle of “unexpected ignorance” about safe computing practices.

Modify frame of minds toward more protected practices: “If you see something, state something”.

Review of business guidelines and procedures, which are described in actionable ways that are relevant to them.

Make it Pertinent

No matter who “owns” the program, it’s necessary that there is visible executive support and management buy-in. If the officers don’t care, the staff members won’t either. Effective training will not talk about tech buzzwords; rather, it will focus on changing habits. Relate cybersecurity awareness to your staff members’ individual life. (And while you’re at it, teach them how to keep themselves, their family, and their home safe. Odds are they do not know and are reluctant to ask).

To make security awareness training really relevant, obtain staff member concepts and motivate feedback. Measure success – such as, did the variety of external links clicked by workers go down? How about calls to tech assistance stemming from security violations? Make the training timely and real-world by consisting of current rip-offs in the news; regretfully, there are a lot of to choose from.

In short: Security awareness training isn’t enjoyable, and it’s not a silver bullet. Nevertheless, it is important for ensuring that dangerous staff member behaviors do not undermine your IT/CISO efforts to secure your network, devices, applications, and data. Make certain that you continuously train your employees, and that the training works.

Use Ziften Services For Your IT Security – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver

Having the right tools to hand is a given in our industry. But having the correct tools and services is one thing. Getting the best worth out of them can be an obstacle. Even with all the right objectives and properly skilled workers, there can be gaps. Ziften Services can help fill those gaps and keep you on track for success.

Ziften Services can enhance, or perhaps outright lead your IT Operations and Security teams to much better arm your company with 3 great offerings. Each one is customized for a particular requirement and given the statistics from a current report by ESG (Enterprise Strategy Group) entitled “Patterns in Endpoint Security Research Study”, which mentioned 51% of responders in the research study stated they will be releasing and utilizing an EDR (endpoint detection and response) service now and 35% of them plan to use managed services for the execution, proves the requirement is out there for correct services around these products and services. For that reason, Ziften is providing our services knowing that lots of companies lack the scale or knowledge to execute and completely make use of required tools such as EDR.

Ziften services are as follows:

Ziften Assess Service
Ziften Hunt Service
Ziften Respond Service

While each of the three services cover a distinct purpose, the latter 2 are more complementary to each other. Let’s look at each in a little more information to better comprehend the benefits.

Assess Service

This service covers both IT functional and security teams. To determine your success in correct documentation and adherence of processes and policies, you need to begin with a great strong baseline. The Assess services begin by conducting thorough interviews with crucial decision makers to truly comprehend what is in place. From there, a Ziften Zenith deployment provides monitoring and data collection of essential metrics within client device networks, data centers and cloud deployments. The reporting covers asset management and efficiency, licensing, vulnerabilities, compliance and even anomalous habits. The result can cover a range of issues such as M&An evaluations, pre cloud migration planning and regular compliance checks.

Hunt Service

This service is a real 24 × 7 managed endpoint detection and response (MDR) offering. Organizations battle to completely cover this essential aspect to security operations. That could be because of restricted personnel or vital know-how in danger hunting methods. Again, making use of the Ziften Zenith platform, this service utilizes continuous tracking throughout client devices, servers, cloud VMs supporting Windows, Mac OSX and Linux operating systems. Among the primary results of this service is considerably minimizing threat dwell times within the environment. This has been discussed on a regular basis in the past couple of years and the numbers are incredible, normally in the order of 100s of days that hazards remain covert within organizations. You require somebody that can actively hunt for these foes as well as can historically look back to previous events to discover behaviors you were not aware of. This service does provide some hours of dedicated Incident Response also, so you have all your bases covered.

Respond Service

When you are against the ropes and have a true emergency, this service is what you require. This is a tried and real IR team prepared for war 24 × 7 with a broad range of response tool sets at hand. You will receive immediate event assessment and triage. Advised actions align with the seriousness of the hazard and what response actions need to occur. The teams are really versatile and will work from another location or if needed, can be on site where conditions require. This could be your entire IR team, or will enhance and blend right in with your current group.

At the end of the day, you need services to help maximize your possibilities of success in today’s world. Ziften has three excellent offerings and desires all our clients to feel protected and aligned with the very best operational and security posture offered. Please reach out to us so we can help you. It’s what we love to do!

Charles Leaver – Equifax Breach Underlines The Need For Vulnerability Lifecycle Management

Written By Dr Al Hartmann And Presented By Charles Leaver

 

The following heading hit the news last week on September 7, 2017:

Equifax Inc. today announced a cyber security event possibly impacting roughly 143 million U.S. customers. Lawbreakers made use of a U.S. website application vulnerability to get to particular files. Based upon the business’s investigation, the unauthorized access happened from the middle of May through July 2017.

Lessons from Past Data Breaches

If you like your job, appreciate your role, and dream to maintain it, then do not leave the door open to attackers. A major data breach frequently starts with an un-patched vulnerability that is readily exploitable. And then the inevitable occurs, the cyber criminals are inside your defenses, the crown jewels have actually left the building, the press releases fly, high-priced specialists and external legal counsel rack up billable hours, regulators come down, claims are flung, and you have “some major ‘splainin’ to do”!

We have yet to see if the head splainer in the existing Equifax debacle will endure, as he is still in ‘splainin’ mode, asserting the infiltration began with the exploitation of an application vulnerability.

In such cases the normal rhumba line of resignations is – CISO initially, followed by CIO, followed by CEO, followed by the board of directors shakeup (specifically the audit and business obligation committees). Don’t let this take place to your professional life!

Steps to Take Right Away

There are some commonsense actions to take to prevent the unavoidable breach catastrophe resulting from unpatched vulnerabilities:

Take inventory – Inventory all system and data assets and map your network topology and connected devices and open ports. Know your network, it’s segmentation, what devices are attached, exactly what those devices are running, what vulnerabilities those systems and apps expose, what data assets they gain access to, the level of sensitivity of those assets, what defenses are layered around those assets, and exactly what checks remain in place along all prospective access points.

Improve and get tougher – Carry out best practices recommendations for identity and access management, network division, firewall software and IDS configurations, os and application configurations, database access controls, and data encryption and tokenization, while simplifying and cutting the number and complexity of subsystems throughout your enterprise. Anything too intricate to manage is too complex to secure. Choose configuration solidifying heaven over breach response hell.

Continually monitor and inspect – Periodic audits are needed but inadequate. Continuously monitor, track, and assess all appropriate security events and exposed vulnerabilities – create visibility, event capture, analysis, and archiving of every system and session login, every application launch, every active binary and vulnerability exposure, every script execution, every command provided, every networking contact, every database transaction, and every delicate data access. Any gaps in your security event visibility develop an opponent free-fire zone. Establish essential performance metrics, track them ruthlessly, and drive for ruthless improvement.

Don’t accept functional excuses for insufficient security – There are always secure and effective operational policies, however they might not be pain-free. Not suffering a devastating data breach is long down the organizational discomfort scale from the alternative. Functional expedience or running traditional or misaligned top priorities are not valid excuses for extenuation of bad cyber practices in an escalating danger environment. Lay down the law.

Charles Leaver – Lessons Learned From Equifax And What To Do

Written By Michael Levin And Presented By Charles Leaver

 

Equifax, one of the 3 major U.S. based credit reporting services just announced a significant data breach where hackers have taken sensitive information from 143 million United States consumers.

Ways that the Equifax security infiltration WILL impact you:

– Personal – Your individual and family’s identity info is now known to hackers and will be targeted!

– Company – Your organizations could be impacted and targeted.

– Nationally – Terrorist, Country States and organized crime groups could be involved or use this data to commit cyber crimes to obtain funds.

Protecting yourself is not complicated!

Five recommendations to secure yourself right away:

– Subscribe to a credit tracking service and/or lock your credit. The quickest way to be informed that your credit is compromised is through a credit tracking service. Equifax has already started the procedure of setting up complimentary credit tracking for those impacted. Other credit tracking services are readily available and ought to be thought about.

– Monitor all your financial accounts including credit cards and all savings accounts. Ensure that notifications are switched on. Make sure you are receiving instant text and email notices for any changes in your account or enhanced balances or transactions.

– Secure your bank and financial accounts, guarantee that two-factor authentication is switched on for all accounts. Learn about two level authentication and turn it on for all monetary accounts.

– Phishing e-mail messages can be your most significant day-to-day danger! Slow down when managing e-mail messages. Stop immediately clicking on every e-mail link and attachment you recieve. Instead of clicking on links and attachments in e-mail messages, go separately to the sites beyond the email message. When you get an e-mail, you were not anticipating from a name you recognize think about calling the sender independently before you click links or attachments.

– Strong passwords – think about changing all your passwords. Develop strong passwords and protect them. Utilize various passwords for your accounts.

Other Security Considerations:

– Backup all computers and upgrade operating systems and software applications routinely.

– Social network security – Sharing too much information on social media increases the threat that you will be taken advantage of. For example, informing the world, you are on holiday with photos opens the danger your house will be burglarized.

– Secure your devices – Do not leave your laptop, tablet or phone unattended even for a moment. Do not leave anything in your automobile you don’t desire taken because it’s simply a matter of time.

– Internet of things and device management – Understand how all your devices link to the Internet and exactly what info you are sharing. Check security settings for all devices including smart watches and fitness bands.

The value of training on security awareness:

– This is another crime, where security awareness training can help to minimize danger. Understanding new crimes and frauds in the news is a basic part of security awareness training. Ensuring that staff members, family and friends know this fraud will significantly decrease the likelihood that you will be taken advantage of.

– Sharing new scams and criminal activities you hear about in the news with others, is important to guarantee that individuals you appreciate do not succumb to these types of criminal activities.

Charles Leaver – Why Choose Generic When You Can Have Extensible?

Written By Charles Leaver Ziften CEO

Whether you call them extensions, or call them modifications – no matter what you call it, the best technology platforms can be customized to fit a company’s specific service requirements. Generic operations tools are fine at carrying out generic operations jobs. Generic security tools are great at resolving generic security obstacles. Generic can only take you up to a point, unfortunately, and that’s where extensibility steps in.

Extensibility shows up often when I’m talking to customers and prospective clients, and I’m proud that a Global 10 company picked Ziften over everyone else in the marketplace mainly on that basis. For that customer, and numerous others, the ability to deeply customize platforms is a necessity.

This isn’t about just creating custom-made reports or custom-made alerts. Let’s be truthful – the ability to develop reports are baseline capability of numerous IT operations and security management tools. Real extensibility goes deep into the service to offer it capabilities that fix real problems for the organization.

One customer used lots of mobile IoT devices, and needed to have our Zenith real-time visibility and control system be able to gain access to (and monitor) the memory of those devices. That’s not a basic feature provided by Zenith, due to the fact that our low footprint agent doesn’t hook into the operating system kernel or operate through basic device drivers. However, we worked with the client to customize Zenith with that ability – and it ended up being much easier than anybody imagined.

Another customer looked at the basic set of end point data that the agent gathers, and wanted to include extra data fields. They likewise wished to program the administrative console with customized actions using those data fields, and press those actions back out to those end points. No other endpoint tracking and security service was able to provide the function for adding that performance other than Ziften.

What’s more, the customer developed those extensions themselves … and owns the code and intellectual property. It’s part of their own secret sauce, their own business differentiator, and special to their organization. They couldn’t be happier. And neither are we.

With lots of other IT operations and security systems, if clients want extra functions or abilities, the only choice is to send that as a future feature demand, and hope that it appears in an upcoming version of the product. Till then, regrettable.

That’s not how we developed our flagship solutions, Zenith and ZFlow. Due to the fact that our endpoint agent isn’t really based on device drivers or kernel hooks, we can permit remarkable extensibility, and open that extensibility for customers to access directly.

Likewise, with our administrative consoles and back end monitoring systems; everything is adjustable. And that was integrated in right from the start.

Another aspect of personalization is that our real-time and historic visibility database can incorporate into your other IT operations and security platforms, including SIEM tools, danger intelligence, IT ticketing system, job orchestration systems, and data analytics. With Zenith and ZFlow, there are no silos. Ever.

When it comes to endpoint monitoring and management, extensions are increasingly where it’s at. IT operations and enterprise security teams need the ability to personalize their tools platforms to fit their exact requirements for tracking and handling IoT, standard endpoints, the data center, and the cloud. In many client discussions, our integrated extensibility has caused eyes to light up, and won us trials and deployments. Inform us about your custom requirements, and let’s see what we can do.

Charles Leaver – Risk And Security Management Tips And Advice

Written By Roark Pollock And Presented By Charles Leaver Ziften CEO

 

Danger management and security management have long been dealt with as different functions frequently performed by separate practical groups within a company. The recognition of the need for continuous visibility and control throughout all assets has increased interest in looking for common ground in between these disciplines and the availability of a brand-new generation of tools is allowing this effort. This conversation is very current offered the continued problem the majority of business organizations experience in attracting and retaining competent security personnel to manage and secure IT infrastructure. A marriage of activity can help to much better leverage these important personnel, decrease costs, and assist automate response.

Historically, threat management has been viewed as an attack mandate, and is generally the field of play for IT operations groups. In some cases described as “systems management”, IT operations teams actively carry out device state posture monitoring and policy enforcement, and vulnerability management. The goal is to proactively reduce potential threats. Activities that enhance risk reduction and that are performed by IT operations consist of:

Offensive Threat Mitigation – Systems Management

Asset discovery, inventory, and refresh

Software application discovery, usage tracking, and license rationalization

Mergers and acquisition (M&A) threat evaluations

Cloud workload migration, monitoring, and enforcement

Vulnerability evaluations and patch installs

Proactive helpdesk or systems analysis and problem response/ repair

On the other side of the field, security management is considered as a protective strategy, and is generally the field of play for security operations groups. These security operations groups are normally responsible for hazard detection, event response, and remediation. The objective is to respond to a risk or a breach as rapidly as possible in order to lessen impacts to the organization. Activities that fall directly under security management and that are carried out by security operations include:

Defensive Security Management – Detection and Response

Danger detection and/or threat searching

User behavior tracking / insider risk detection and/or searching

Malware analysis and sandboxing

Incident response and hazard containment/ elimination

Lookback forensic examinations and source decision

Tracing lateral threat motions, and further hazard removal

Data exfiltration determination

Effective businesses, naturally, need to play both offense AND defense similarly well. This need is driving companies to acknowledge that IT operations and security operations have to be as lined up as possible. Thus, as much as possible, it helps if these 2 groups are playing using the same playbook, or at least working with the same data or single source of fact. This indicates both teams ought to aim to use some of the exact same analytic and data collection tools and methodologies when it pertains to handling and securing their endpoint systems. And if companies depend on the exact same personnel for both jobs, it definitely helps if those individuals can pivot in between both jobs within the exact same tools, leveraging a single data set.

Each of these offending and defensive jobs is crucial to safeguarding a company’s copyright, track record, and brand name. In fact, managing and focusing on these jobs is exactly what often keeps CIOs and CISOs up at night. Organizations should acknowledge opportunities to align and combine groups, innovations, and policies as much as possible to ensure they are concentrated on the most immediate need along the current risk and security management spectrum.

When it comes to handling endpoint systems, it is clear that companies are approaching an “all the time” visibility and control design that enables continuous danger assessments, constant threat tracking, and even continuous efficiency management.

Thus, organizations have to search for these 3 crucial abilities when assessing brand-new endpoint security systems:

Solutions that provide “all the time” visibility and control for both IT operations teams and security operations groups.

Solutions that supply a single source of reality that can be utilized both offensively for risk management, and defensively for security detection and response.

Architectures that quickly integrate into existing systems management and security tool environments to provide even greater value for both IT and security groups.

Charles Leaver – Black Hat And Defocn 2017 Our Experiences

Written by Michael Vaughn And Presented By Ziften CEO Charles Leaver

 

Here are my experiences from Black Hat 2017. There is a slight addition in approaching this year’s synopsis. It is large in part because of the theme of the opening talk provided by Facebook’s Chief Security Officer, Alex Stamos. Stamos forecasted the significance of re focusing the security community’s efforts in working better together and diversifying security solutions.

“Working better together” is seemingly an oxymoron when analyzing the mass competitiveness among hundreds of security companies striving for clients throughout Black Hat. Based off Stamos’s messaging during the opening keynote this year, I felt it essential to add some of my experiences from Defcon too. Defcon has historically been an occasion for learning and includes independent hackers and security specialists. Last week’s Black Hat style concentrated on the social aspect of how companies should get along and truly help others and one another, which has constantly been the overlying message of Defcon.

Individuals checked in from around the globe last week:

Jeff Moss, aka ‘Dark Tangent’, the founder of Black Hat and Defcon, likewise wishes that to be the style: Where you aim to help people gain knowledge and learn from others. Moss desires guests to remain ‘excellent’ and ‘practical’ throughout the conference. That is in line with what Alex Stamos from Facebook communicated in his keynote about security companies. Stamos asked that all of us share in the obligation of assisting those that can not assist themselves. He likewise raised another relevant point: Are we doing enough in the security industry to truly help individuals instead of simply doing it to make money? Can we achieve the objective of truly helping individuals? As such is the juxtaposition of the 2 events. The primary differences in between Black Hat and Defcon is the more business consistency of Black Hat (from vendor hall to the presentations) to the true hacker community at Defcon, which showcases the creative side of what is possible.

The business I work for, Ziften, offers Systems and Security Operations software – offering IT and security teams visibility and control across all end points, on or off a business network. We likewise have a pretty sweet sock game!

Many attendees flaunted their Ziften support by decorating previous year Ziften sock styles. Looking excellent, feeling great!

The concept of signing up with forces to combat against the corrupt is something most participants from all over the world embrace, and we are not any different. Here at Ziften, we aim to really help our consumers and the community with our solutions. Why provide or depend on an option which is limited to only what’s inside the box? One that offers a single or handful of particular functions? Our software is a platform for integration and supplies modular, individualistic security and operational solutions. The whole Ziften team takes the imagination from Defcon, and we motivate ourselves to try and build new, custom-made features and forensic tools in which conventional security businesses would avoid or just remain taken in by daily tasks.

Delivering all the time visibility and control for any asset, anywhere is among Ziften’s main focuses. Our merged systems and security operations (SysSecOps) platform empowers IT and security operations groups to rapidly repair endpoint problems, decrease overall danger posture, speed risk response, and increase operations efficiency. Ziften’s protected architecture provides constant, streaming endpoint tracking and historic data collection for businesses, governments, and managed security service providers. And remaining with 2017’s Black Hat style of collaborating, Ziften’s partner integrations extend the value of incumbent tools and fill the spaces in between siloed systems.

Journalists are not enabled to take photos of the Defcon crowd, however I am not the press and this was prior to entering a badge required area:P The Defcon masses and jerks (Defcon mega-bosses using red shirts) were at a standstill for a strong twenty minutes waiting for preliminary access to the four enormous Track conference rooms on opening day.

The Voting Machine Hacking Village got a great deal of attention at the event. It was interesting but nothing brand-new for veteran guests. I expect it takes something notable to garner attention around specific vulnerabilities.? All vulnerabilities for most of the talks and particularly this village have actually currently been revealed to the proper authorities before the event. Let us understand if you require assistance locking down any of these (looking at you government folks).

More and more personal data is becoming available to the general public. For example, Google & Twitter APIs are easily and publicly available to query user data metrics. This data is making it much easier for hackers to social engineer focused attacks on people and specifically persons of power and rank, like judges and executives. This discussion entitled, Dark Data, demonstrated how a simple yet brilliant de-anonymization algorithm and some data made it possible for these 2 white hats to identify people with severe accuracy and reveal extremely personal info about them. This should make you hesitate about exactly what you have installed on your systems and individuals in your office. Most of the above raw metadata was gathered through a popular browser add-on. The fine tuning accompanied the algothrim and public APIs. Do you know exactly what web browser add-ons are running in your environment? If the response is no, then Ziften can help.

This discussion was clearly about exploiting Point-of-Sale systems. Although quite humorous, it was a tad scary at the speed at which one of the most frequently utilized POS systems can be hacked. This particular POS hardware is most typically used when leaving payment in a taxi. The base operating system is Linux and although on an ARM architecture and safeguarded by strong firmware, why would a business risk leaving the security of client charge card details exclusively in the hands of the hardware vendor? If you look for additional protection on your POS systems, then look no further than Ziften. We protect the most typically used business operating systems. If you want to do the fun thing and install the computer game Doom on one, I can send you the slide deck.

This person’s slides were off the charts exceptional. What wasn’t excellent was how exploitable the MacOS is during the setup process of very common applications. Basically every time you install an application on a Mac, it needs the entry of your intensified advantages. But what if something were to a little change code a few seconds prior to you entering your Administrator qualifications? Well, most of the time, most likely something bad. Concerned about your Mac’s running malware smart adequate to detect and alter code on typical susceptible applications prior to you or your user base entering credentials? If so, we at Ziften Technologies can help.

We assist you by not changing all your toolset, although we typically find ourselves doing just that. Our aim is to use the recommendations and present tools that work from various vendors, ensure they are running and set up, ensure the perscribed hardening is undoubtedly undamaged, and guarantee your operations and security groups work more effectively together to attain a tighter security matrix throughout your environment.

Key Takeaways from Black Hat & Defcon 2017:

1) More powerful together

– Alex Stamos’s keynote
– Jeff Moss’s message
– Visitors from all over the world interacting
– Black Hat should maintain a friendly neighborhood spirit

2) Stronger together with Ziften

– Ziften plays good with other software suppliers

3) Popular current vulnerabilities Ziften can assist avoid and fix

– Point-of-Sale accessing
– Voting machine tampering
– Escalating MacOS privileges
– Targeted specific attacks