Category Archives: Endpoint Security

Charles Leaver – The Key To SysSecOps Is Flexibility

Written By Charles Leaver


Endpoints are everywhere. The device you are reading this on is an endpoint, whether it is a desktop, notebook, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it is connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the web servers, storage servers, and Active Directory domain controllers in the data center. So are your IaaS/PaaS workloads in the cloud, whether you are running bare-metal servers, VMware virtual machines, or containers on Windows and/or Linux.

They are all endpoints, and all of them need to be managed.

They have to be managed from the IT side, by IT administrators who hopefully have proper IT-level visibility of every connected thing, including those security cameras. That management means making sure they are connected to the right network zones or VLANs, that their software and configurations are at the current version, and that they are not flooding the network with bad packets because of electrical faults and the like.

Those endpoints also need to be managed from the security point of view, by the CISO's team. Every endpoint is a potential entry point into the corporate network, which means the devices need to be locked down: default passwords never used, all security patches applied, no unapproved software installed on the device's embedded web server. (Brian Krebs reported in 2014 how attackers had broken into Target's network using network credentials stolen from its HVAC contractor.)

Systems and Security Operations

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right SysSecOps mindset, and tools that support the appropriate workflows, IT and security staff get the same data and can collaborate. Sure, they each have different jobs, and respond differently to trouble alerts, but they are all managing the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Test Report on Ziften Zenith

We were thrilled when the recently released Broadband-Testing report praised Zenith, Ziften's flagship endpoint security and management platform, as ideal for exactly this situation. To quote from the report: "With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more. Given that its definition of 'endpoints' extends into the Data Centre (DC) and the world of virtualisation, it is true blanket coverage."

Broadband-Testing is an independent testing facility and service based in Andorra. They describe themselves as follows: "Broadband-Testing interacts with vendors, media, investment groups and VCs, analysts and consultancies alike. Testing covers all elements of networking hardware and software, from ease of use and performance, through to increasingly important aspects such as device power consumption measurement."

Back to flexibility. With endpoints everywhere (again: on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system must go everywhere and do everything, at scale. Broadband-Testing wrote:

"The configuration/deployment options and architecture of Ziften Zenith allow a really flexible deployment, on or off-premise, or hybrid. Agent deployment is simplicity itself with zero user requirements and no endpoint intrusion. Agent footprint is also minimal, unlike many endpoint security solutions. Scalability also looks to be excellent – the largest customer deployment to date is in excess of 110,000 endpoints."

We cannot help but take pride in Zenith, and in what Broadband-Testing concluded:

"The emergence of SysSecOps – combining systems and security operations – is a rare moment in IT; a hype-free, common sense approach to refocusing on how systems and security are managed inside an organisation.

Key to Ziften's endpoint approach in this category is total visibility – after all, how can you secure what you can't see or don't know exists in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Deployment is easy, especially in a cloud-based scenario as tested. Scalability also looks to be excellent – the largest customer deployment to date is in excess of 110,000 endpoints.

Data analysis options are comprehensive, with a large amount of detail available from the Ziften console – a single view of the whole endpoint infrastructure. Any object can be analysed – e.g. binaries, applications, systems – and, from a process, an action can be defined as an automated function, such as quarantining a system in the event of a potentially malicious binary being found. Multiple reports are predefined covering all aspects of analysis. Alerts may be set for any event. Additionally, Ziften provides the concept of extensions for custom data collection, beyond the reach of most vendors.

And with its External API functionality, Ziften-gathered endpoint data can be shared with many third-party applications, thus adding more value to a customer's existing security and analytics infrastructure investment.

Overall, Ziften has a very competitive offering in what is a very worthy and emerging IT category in the form of SysSecOps, and one that is well worth evaluating."

We hope you will consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes, with the true blanket coverage that both your IT and CISO teams have been looking for.

Charles Leaver – Ransomware Can Be Avoided And Managed With These 4 Steps

Written By Alan Zeichick And Presented By Charles Leaver


Ransomware is real, and it is hitting individuals, businesses, schools, hospitals, local governments – and there is no sign of it stopping. In fact, it is probably increasing. Why? Let's face it: ransomware is probably the single most effective attack that cyber criminals have ever devised. Anyone can build ransomware using readily available tools; any money received arrives in pseudonymous Bitcoin, which is hard to tie to a person; and if something goes wrong with decrypting the victim's hard drive, the attacker is not affected.

A business is hit with ransomware every 40 seconds, according to some sources, and sixty percent of malware payloads were ransomware. It hits all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it is going to get worse.

The good news: we can fight back. Here is a four-step battle plan.

Good Basic Hygiene

It starts with training employees how to handle malicious email. There are spoofed messages from business partners. There is phishing and targeted spearphishing. Some of it will get through email spam/malware filters; employees need to be taught not to click links in those messages and, of course, not to grant permission for apps or plug-ins to be installed.

Even so, some malware, ransomware included, is going to get through, often by exploiting out-of-date software or unpatched systems, as in the Equifax breach (an unpatched Apache Struts flaw). That is where the next step comes in:

Make sure that all endpoints are thoroughly patched and fully up to date with the latest, most secure operating systems, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to resist the infection.

Ransomware is not a technology or security problem. It is a business problem. And it is about a lot more than the ransom demanded. The ransom is nothing compared to the loss of productivity from downtime, bad public relations, unhappy customers if service is disrupted, and the cost of rebuilding lost data. (And that assumes valuable intellectual property or protected financial or patient health data is not also stolen.)

What else can you do? Backup, backup, backup, and secure those backups. If you do not have safe, verified backups, you cannot restore data and core infrastructure in a timely fashion. That includes taking daily snapshots of virtual machines, databases, applications, source code, and configuration files. "Secure" means at least one copy is kept offline or otherwise unreachable from the endpoints being protected, so the ransomware cannot encrypt the backups along with everything else, and restores are tested regularly rather than assumed to work.

Businesses need tools to detect, identify, and stop malware such as ransomware from spreading. That requires continuous monitoring and reporting of what is happening in the environment, including "zero day" attacks that have not been seen before. Part of that is monitoring endpoints, from the mobile phone to the PC to the server to the cloud, to ensure that all endpoints are current and secure, and that no unexpected modifications have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be identified quickly and the device isolated pending forensics and recovery (isolate it from the network rather than powering it off if you want to preserve volatile memory for forensics). If an endpoint is breached, fast containment is essential.

The Four Strategies

Good user training. Keeping systems updated with patches and fixes. Backing up everything as often as possible. And using monitoring tools to help both IT and security teams find problems and respond to them quickly. When it comes to ransomware, those are the four battle-tested strategies we need to keep our organizations safe.
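As an added example (not Ziften code) of the "no unexpected modifications" monitoring in step four, here is a minimal file-integrity check in Python: hash a configuration tree into a baseline, re-hash it later, and report what was added, removed or modified. The directory layout and file contents are constructed in a temporary directory, and the tampering it simulates is a placeholder, so the block runs stand-alone.

```python
"""Baseline-and-diff check for unexpected changes to endpoint configuration.

Added example, not Ziften code: a minimal version of the file-integrity
check an endpoint agent performs. The directory layout and file contents
are constructed in a temporary directory so the block runs stand-alone.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (posix-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(baseline, current):
    """Report files that appeared, vanished, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current)
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a toy config tree, take the baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated tampering (placeholder contents): a hardening setting
        # flipped, a file removed, and a persistence script dropped.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "rc.local").write_text("/tmp/.payload &\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Two things a real deployment adds: the baseline has to be stored somewhere the endpoint itself cannot rewrite it (an attacker with root can otherwise re-baseline their own changes), and a hit on a file such as sshd_config or rc.local is exactly the event that should trigger the isolate-first-then-investigate step described above.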

You can learn more about this in a short 8-minute video, where I talk with several industry experts about this issue:

Charles Leaver – Our Partnership With Microsoft Will Help You Defend Your Network

Written By David Shefter And Presented By Charles Leaver


This week we announced a collaboration with Microsoft that brings together Ziften's Zenith® systems and security operations platform and Windows Defender Advanced Threat Protection (ATP), delivering a cloud-based "single pane of glass" to detect, view, investigate, and respond to advanced cyber-attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security solution that allows enterprise customers to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your enterprise, providing scalable, cutting-edge security in a cost-efficient and easy-to-use platform. Enabling enterprises around the world to protect and manage devices through this "single pane of glass" offers the promise of lower operational costs together with enhanced security: real-time global threat protection built on intelligence collected from billions of devices worldwide.

The Architecture Of Microsoft And Ziften

The diagram below provides an overview of the solution components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, receive the results, and take action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, organizations can easily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith provide:

Behavior-based, cloud-powered advanced attack detection. Find the attacks that get past all other defenses (post-breach detection).

A rich timeline for forensic investigation and mitigation. Easily scope any breach or suspicious behavior on any machine through a rich, 6-month machine timeline.

A built-in, unique threat intelligence knowledge base. Threat intelligence to quickly identify attacks based on monitoring and data from billions of devices.

The image below shows many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

At the end of the day, if you are looking to secure your endpoints and infrastructure, you need to take a hard look at Windows Defender ATP and Ziften Zenith.

Charles Leaver – How To Prevent The KRACK Vulnerability Causing You Problems

Written By Dr Al Hartmann And Presented By Charles Leaver


Enough media attention has been generated over the Wi-Fi WPA2-defeating Key Reinstallation Attack (KRACK) that we do not need to cover that ground again. The original discoverer's website is a good place to review the issues and to link to the detailed research findings. This may be the most attention paid to a fundamental communications security failure since the Heartbleed bug. In that earlier case, a patched version of the vulnerable OpenSSL code was released on the same day as the public disclosure. With KRACK, similar responsible disclosure guidelines were followed, and patches were either already released or soon to follow. Both wireless endpoints and wireless network devices should be patched, but note where the exposure really lies: KRACK targets the client side of the WPA2 four-way handshake, so unpatched clients are the main problem, while access points mostly need the fix when they support 802.11r fast roaming or themselves operate as clients or repeaters. Oh, and good luck getting that Chinese knockoff wireless security camera bought off eBay patched quickly.

Here we will just make a few points:

Take inventory of your wireless devices and take action to ensure proper patching. (Ziften can perform passive network inventory, including of wireless networks. For Ziften-monitored endpoints, the available network interfaces as well as the applied patches are reported.) For enterprise IT staff it is patch, patch, patch every day anyway, so nothing new here. But any unmanaged wireless devices should be identified and verified.

iOS and Windows endpoints are less susceptible, while unpatched Linux and Android endpoints are highly susceptible (on Linux and Android 6.0 and later, wpa_supplicant 2.4 to 2.6 cleared the session key from memory after installing it, so a replayed handshake message reinstalled an all-zero key and the attacker could decrypt and inject traffic without recovering the real key). Most Linux endpoints will be servers without wireless networking, so there is less exposure there. But Android is another story, especially given the fragmented state of Android updating across device manufacturers. Probably your organization's greatest exposure will be Android and IoT devices, so do your risk analysis.

Avoid wireless access via unencrypted protocols such as HTTP. Stick to HTTPS or other encrypted protocols, or use a secure VPN, but be aware that a site which merely defaults to HTTPS without enforcing it (no HSTS) can be stripped down to HTTP by an attacker sitting in the middle of the wireless link. (Note that Ziften network monitoring reports the IP addresses and ports used, so look into any wireless port 80 traffic on unpatched endpoints.)

Continue whatever wireless network hygiene practices you already employ to identify and silence rogue access points, unauthorized wireless devices, and so on. Grooming access point placement and transmit power to minimize signal spillage outside your physical boundaries is also a wise practice, since KRACK attackers must be physically present within range of the wireless network. Do not give them privileged positioning opportunities inside or near your environment.
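As an added worked example (not Ziften code), here is a small Python triage script that joins an endpoint inventory with observed flow records the way the points above suggest: it lists unpatched wireless endpoints with a rough per-OS priority, flags those still sending cleartext (ports 80, 21, 23) over Wi-Fi, and surfaces wireless hosts that have no inventory record at all. The record formats, host names, interface naming convention and the krack_patched field are assumptions standing in for whatever your agent, MDM or flow collector actually reports.

```python
"""Triage KRACK exposure from an endpoint inventory and observed flows.

Added example, not Ziften code. Record formats are assumptions: one dict
per managed endpoint (OS, interface names, whether the KRACK fix is
applied) and one dict per observed flow (host, egress interface, dst port).
"""
from collections import defaultdict

# Constructed inventory. 'krack_patched' stands in for the applied-patch
# list an endpoint agent or MDM would report.
INVENTORY = [
    {"host": "lt-001", "os": "Windows", "ifaces": ["eth0", "wlan0"], "krack_patched": True},
    {"host": "lt-002", "os": "Linux",   "ifaces": ["wlp2s0"],        "krack_patched": False},
    {"host": "ph-010", "os": "Android", "ifaces": ["wlan0"],         "krack_patched": False},
    {"host": "srv-db", "os": "Linux",   "ifaces": ["eth0"],          "krack_patched": False},
]

# Constructed flows, as a passive network monitor might report them.
FLOWS = [
    {"host": "lt-001", "iface": "wlan0",  "dst_port": 443},
    {"host": "lt-002", "iface": "wlp2s0", "dst_port": 80},
    {"host": "lt-002", "iface": "wlp2s0", "dst_port": 443},
    {"host": "ph-010", "iface": "wlan0",  "dst_port": 80},
    {"host": "srv-db", "iface": "eth0",   "dst_port": 80},   # wired: outside KRACK's reach
    {"host": "cam-eb", "iface": "wlan0",  "dst_port": 80},   # no inventory record at all
]

WIRELESS_PREFIXES = ("wlan", "wlp", "wifi")   # assumed interface naming
CLEARTEXT_PORTS = {80, 21, 23}                # readable/tamperable by an on-air attacker


def is_wireless(iface):
    return iface.lower().startswith(WIRELESS_PREFIXES)


def krack_priority(os_name):
    """Per-OS urgency: iOS/Windows clients reject the replayed handshake
    message, so they matter less; everything else (Linux, Android, IoT) is high."""
    return "medium" if os_name in ("Windows", "iOS") else "high"


def krack_triage(inventory, flows):
    """Return (unpatched wireless hosts -> priority,
               unpatched host -> cleartext ports seen over Wi-Fi,
               wireless hosts absent from the inventory)."""
    by_host = {rec["host"]: rec for rec in inventory}
    unpatched = {
        rec["host"]: krack_priority(rec["os"])
        for rec in inventory
        if not rec["krack_patched"] and any(is_wireless(i) for i in rec["ifaces"])
    }
    cleartext = defaultdict(set)
    unmanaged = set()
    for f in flows:
        if not is_wireless(f["iface"]):
            continue
        if f["host"] not in by_host:
            unmanaged.add(f["host"])
        elif f["host"] in unpatched and f["dst_port"] in CLEARTEXT_PORTS:
            cleartext[f["host"]].add(f["dst_port"])
    return unpatched, dict(cleartext), sorted(unmanaged)


if __name__ == "__main__":
    for label, result in zip(("unpatched", "cleartext", "unmanaged"),
                             krack_triage(INVENTORY, FLOWS)):
        print(label, result)
```

The wired srv-db host is deliberately left out of the findings even though it is unpatched and talks HTTP: KRACK needs the victim on the air. The unmanaged camera is the finding that most often gets lost, because it never shows up in any patch report.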

For a wider discussion of the KRACK vulnerability, take a look at our recent video on the subject:

Charles Leaver – Amazing Enthusiasm For Ziften At Splunk .conf

Written By Josh Applebaum And Presented By Charles Leaver


Like many of you, we are still recovering from Splunk .conf last week. As usual, .conf had great energy, and the people in attendance were passionate about Splunk and the many use cases it offers through its large app ecosystem.

One important announcement during the week worth mentioning was a new security offering called "Content Updates", which is essentially a set of pre-built Splunk searches to help find security events.

Basically, the Splunk security team looks at the latest attacks, writes new searches for how they would hunt through Splunk ES data to find those types of attacks, and then ships those searches down to customers' Splunk ES environments for automatic alerting when they match.

The best part? Because these updates mostly use CIM (Common Information Model) data, and Ziften populates many of the CIM data models, Ziften's data is already being matched against the new Content Updates Splunk has produced.

A quick demonstration showed which vendors contribute to each type of "detection", and Ziften was listed in a great many of them.

For example, we have a recent blog post that shows how Ziften's data in Splunk is used to detect and respond to WannaCry.

Overall, with the roughly 500 people who came by the booth over the course of .conf, I have to say it was one of the best events we have done in terms of quality discussions and interest. We had nothing but positive reviews from our in-depth discussions with all walks of business life, from highly technical analysts in the public sector to CISOs in the financial sector.

The most common discussion usually started with, "We are just starting to implement Splunk and are new to the platform." I like those, because people can get our apps for free, we can get them an agent to experiment with, and it gives them something to use right out of the box to show value immediately. Other folks were very seasoned and really liked our approach and architecture.

Bottom line: people are truly excited about Splunk, and real solutions are available to help people with real problems!

Curious? The Ziften ZFlow App and Technology Add-on helps users of Splunk and Splunk ES use Ziften-generated extended NetFlow from endpoints, servers, and cloud VMs to see what they are missing at the edge of their network, in their data centers, and in their cloud deployments.

Charles Leaver – Watch This Video Showing Our Endpoint Security Architecture

Written By Mike Hamilton And Presented By Ziften CEO Charles Leaver


Endpoint security is a hot topic these days, and there are lots of different vendors out there touting their wares in this market. But it is sometimes hard to understand just what each vendor provides, and harder still to understand how each vendor's solution is architected to deliver it.

I believe that the back-end architecture of whatever you choose can have a profound impact on the future scalability of your deployment, and it can create lots of unanticipated work and cost if you are not careful.

So, in the spirit of transparency, and because we believe our architecture is different, unique and effective, we invite all endpoint security vendors to "show us your architecture".

I will kick this off in the following video, where I show you the Ziften architecture and a couple of what I consider legacy architectures for comparison. Specifically, I will discuss:

– Ziften's architecture, designed using next-gen cloud principles.
– One competitor's peer-to-peer "mish-mash" architecture.
– Legacy hub-spoke-hub architectures.

I have shown you the power of our truly cloud-based platform. Now it is my competitors' turn. Come on folks, show us your architectures!

Charles Leaver – You Can Integrate Ziften's Advanced Endpoint Products With Your Security Architecture Seamlessly

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


Security practitioners are by nature a cautious bunch. Cautiousness is a trait most folks probably bring into this industry given its mission, but it is also certainly a trait that is learned over time. Ironically, this is true even when it comes to adding extra security controls to an already established security architecture. While one might assume that more security is better security, experience teaches us that is not necessarily the case. There are in fact various concerns associated with deploying a new security product. One that often shows up near the top of the list is how well a new product integrates with existing products.

Integration concerns come in many flavors. First and foremost, a new security control should not break anything. But beyond that, new security solutions have to gracefully share threat intelligence, and act on threat intelligence gathered across an organization's entire security infrastructure. In other words, the new security tools should work together with the existing ecosystem of tools such that "1 + 1 = 3". The last thing most IT and security operations teams need is more siloed products and tools.

At Ziften, this is why we have always focused on building and delivering a completely open visibility architecture. We believe that any new systems and security operations tools have to be designed with enhanced visibility and information sharing as key design requirements. But this is not a one-way street. Creating simple integrations requires technology partnerships between industry vendors. We consider it our duty to work with other technology companies to mutually integrate our products, thereby making it easy on customers. Unfortunately, many vendors still believe that integration of security products, especially new endpoint security products, is extremely difficult. I hear the concern constantly in customer discussions. But data is now emerging that shows this is not necessarily the case.

In recent survey work on "advanced endpoint" solutions, NSS Labs reports that Global 2000 customers based in North America have been pleasantly surprised by how well these types of products integrate into their existing security architectures. According to the NSS study entitled "Advanced Endpoint Protection – Market Analysis and Survey Results CY2016", which NSS subsequently presented in the BrightTalk webinar below, respondents that had already deployed advanced endpoint products were far more positive about their ability to integrate into existing security architectures than were respondents still in the planning stages of purchasing these solutions.

Specifically, respondents that have already deployed advanced endpoint products rate integration with established security architectures as follows:

● Excellent 5.3%
● Good 50.0%
● Average 31.6%
● Poor 13.2%
● Terrible 0.0%

Compare that to the more conservative responses from those still in the planning phase:

● Excellent 0.0%
● Good 39.3%
● Average 42.9%
● Poor 14.3%
● Terrible 3.6%

These results are encouraging. Yes, as noted, security people tend to be pessimists, but in spite of low expectations, respondents are reporting positive results when it comes to integration experiences. In fact, Ziften customers generally show the same initial low expectations when we first discuss integrating Ziften solutions into their established ecosystem of products. But in the end, customers are wowed by how easy it is to share information between Ziften solutions and their existing infrastructure.

These survey results will hopefully help reduce concerns, as newer adopters may look to and rely on peer recommendations before making purchase decisions. Early mainstream adopters are clearly having success deploying these solutions, and that will hopefully help to minimize the natural cautiousness of the true mainstream.

Certainly, there is significant differentiation between products in the space, and organizations should continue to carry out proper due diligence in understanding how and where products integrate into their broader security architectures. But the good news is that there are solutions not just meeting customers' needs, but actually outperforming their initial expectations.

Charles Leaver – Using Ziften And Splunk To Easily Detect And Respond To WannaCry

Written by Joel Ebrahami and presented by Charles Leaver


WannaCry has generated a great deal of media attention. It may not have the huge infection rates that we saw with many of the earlier worms, but in the current security world the number of systems it was able to infect in one day was still rather staggering. The goal of this blog post is NOT to provide an in-depth analysis of the threat, but rather to look at how the threat behaves on a technical level with Ziften's Zenith platform and the integration we have with our technology partner Splunk.

WannaCry Visibility in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research team to see what information they could give me about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, heads up our research team and informed me that they had samples of WannaCry running in our "Red Lab" to look at the behavior of the threat and perform further analysis. Josh sent me the details of what he had found when analyzing the WannaCry samples in the Ziften Zenith console. I present those details here.

The Red Lab has systems covering all the most common operating systems with various services and configurations. There were already systems in the lab that were intentionally vulnerable to the WannaCry threat. Our global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble detecting the malware in our lab environment (see Figure 1).

Two lab systems were identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, there were other behaviors we observed that would have identified the ransomware even if there had not been a threat signature.

Zenith agents collect a huge amount of data on what is happening on each host. From this visibility data, we create non-signature-based detection methods that look for generally malicious or anomalous behaviors. Figure 2 below shows the behavioral detection of the WannaCry ransomware.

Assessing the Scope of WannaCry Infections

Once it has been identified, either through signature or behavioral methods, it is very simple to see which other systems have also been infected or are exhibiting similar behaviors.

WannaCry Detections with Ziften and Splunk

After reviewing this information, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this case my Zenith server was already configured to integrate with Splunk. This allowed me to look at the same data inside Splunk. Let me be clear about the integration we have with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its function is to consume and index ALL the raw data from the Zenith server that the Ziften agents produce. As this data arrives it is mapped into Splunk's Common Information Model (CIM) so that it is normalized and can be easily searched, as well as used by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking action on alerts raised in Splunk ES. The second app is a dashboard for displaying our data with all the graphs and charts available in Splunk, to make digesting the data much easier.

Since I already had the information on how the WannaCry threat behaved in our research lab, I had the advantage of knowing what to look for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my "incident responder hat" and investigate this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, since that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in different message types, and I knew that I would most likely find SMB data in the running process message type; however, I used Splunk's * regex with the Zenith sourcetype so I could search all Zenith data. The resulting search looked like 'sourcetype=ziften:zenith:* smb'. As I expected, I got one result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for common crypto-ransomware, and see if I could get results back. Again this was very easy to do from the Splunk search panel. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the 'delete shadows' string search to see if this behavior was ever issued at the command line. My search looked like 'sourcetype=ziften:zenith:* delete shadows'. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.

Having all this information inside Splunk made it very easy to determine which systems were vulnerable and which systems had already been compromised.

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any breach is to remove the compromise as quickly as possible to prevent further damage, and to take action to prevent other systems from being compromised. Ziften is one of the Splunk founding Adaptive Response members, and there are a number of actions (see Figure 7) that can be taken through Splunk's Adaptive Response to mitigate these threats via extensions on Zenith.

In the case of WannaCry we could have used practically any of the Adaptive Response actions currently offered by Zenith. When looking to reduce the impact and prevent WannaCry in the first place, one action is to shut down SMB on any system running the Zenith agent where the version of SMB running is known to be vulnerable (the EternalBlue exploit targets SMBv1, closed by the MS17-010 patch, so disabling just SMBv1 is usually enough and far less disruptive than stopping the whole SMB service). With a single action, Splunk can pass to Zenith the agent IDs or IP addresses of all the vulnerable systems where we want to stop the SMB service, thereby preventing the exploit from ever happening and allowing the IT operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the case that we have already been compromised, it is crucial to prevent further exploitation and stop the possible exfiltration of sensitive information or company intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process by either PID (process ID) or by its hash. This is effective, but since malware will often just respawn under a new process, or be polymorphic and have a different hash, we can use an action that is guaranteed to block any inbound or outbound traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften's integration with Splunk ES.
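The following Python block is an added example, not Ziften's or Splunk's code, that implements over constructed endpoint data the two pieces of logic described in this post: the behavioral "delete shadows" detection from the hunting section, and the choice between kill-by-PID, kill-by-hash and network quarantine from this section, plus the pre-compromise SMBv1/MS17-010 check from the previous one. The event and host record formats, the host names and the hash values are assumptions; the action names are illustrative labels, not Zenith's Adaptive Response action identifiers.

```python
"""Behavioral detection of shadow-copy deletion and a response chooser.

Added example, not Ziften or Splunk code. Record formats are assumptions:
one dict per process-start event carrying the spawning (parent) process,
roughly what an endpoint agent reports, and one dict per host for SMB state.
"""
import re

# Command lines WannaCry and much other ransomware run to destroy Volume
# Shadow Copies before encrypting. Matched case-insensitively.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)

# Constructed process-start events; hashes are placeholders, not real samples.
EVENTS = [
    # ws-01: one dropper spawned one cmd.exe that deletes shadows
    {"host": "ws-01", "pid": 4120, "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
     "ppid": 4100, "parent_image": "tasksche.exe", "parent_sha256": "aaaa0001"},
    # ws-02: the same dropper binary respawned under a new PID and tried again
    {"host": "ws-02", "pid": 812, "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
     "ppid": 800, "parent_image": "tasksche.exe", "parent_sha256": "aaaa0001"},
    {"host": "ws-02", "pid": 990, "image": "cmd.exe",
     "cmdline": "cmd.exe /c wmic shadowcopy delete",
     "ppid": 950, "parent_image": "tasksche.exe", "parent_sha256": "aaaa0001"},
    # ws-04: two different binaries (polymorphic or staged) issued the command
    {"host": "ws-04", "pid": 300, "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet",
     "ppid": 290, "parent_image": "svchost.exe", "parent_sha256": "bbbb0002"},
    {"host": "ws-04", "pid": 310, "image": "cmd.exe",
     "cmdline": "cmd.exe /c wmic shadowcopy delete",
     "ppid": 305, "parent_image": "updater.exe", "parent_sha256": "cccc0003"},
    # ws-03: benign admin tooling that only lists shadows; must not fire
    {"host": "ws-03", "pid": 77, "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin list shadows",
     "ppid": 70, "parent_image": "explorer.exe", "parent_sha256": "dddd0004"},
]

# Constructed host inventory for the pre-compromise check: is SMBv1 on, and
# is the MS17-010 patch (which closes the EternalBlue hole) applied?
HOSTS = [
    {"host": "ws-01", "smbv1_enabled": True,  "ms17_010": False},
    {"host": "ws-02", "smbv1_enabled": True,  "ms17_010": True},
    {"host": "ws-03", "smbv1_enabled": False, "ms17_010": False},
]


def detect_shadow_deletion(events):
    """Group the events whose command line deletes shadow copies by host."""
    hits = {}
    for ev in events:
        if SHADOW_DELETE.search(ev["cmdline"]):
            hits.setdefault(ev["host"], []).append(ev)
    return hits


def choose_response(host_hits):
    """Pick the narrowest action that still contains the host.

    The target is the spawning process, not the cmd.exe shim it launched.
    One offending parent PID: kill it. Several PIDs of one binary (it
    respawns): kill by hash. Several distinct binaries (polymorphic or
    staged): neither PID nor hash is reliable, so quarantine the host.
    """
    pids = {ev["ppid"] for ev in host_hits}
    hashes = {ev["parent_sha256"] for ev in host_hits}
    if len(pids) == 1:
        return ("kill_pid", pids.pop())
    if len(hashes) == 1:
        return ("kill_hash", hashes.pop())
    return ("network_quarantine", None)


def plan_responses(events):
    """Map each infected host to the action a SOAR/Adaptive Response step would issue."""
    return {h: choose_response(hits) for h, hits in detect_shadow_deletion(events).items()}


def smbv1_disable_targets(hosts):
    """Hosts still exposed to EternalBlue: SMBv1 on and MS17-010 missing."""
    return sorted(h["host"] for h in hosts if h["smbv1_enabled"] and not h["ms17_010"])


if __name__ == "__main__":
    print("disable SMBv1 on:", smbv1_disable_targets(HOSTS))
    print("responses:", plan_responses(EVENTS))
```

Note that ws-03 never appears in the plan: the regex requires the delete verb, so routine "vssadmin list shadows" from an administrator does not trip it. If you carry this into a SIEM, the same distinction is what keeps the search from paging on backup jobs.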

WannaCry is already winding down, but hopefully this technical post shows the value of the Ziften and Splunk integration in dealing with ransomware threats against the endpoint.

Charles Leaver – Easily Assess A Next Gen Endpoint Security Solution Using These 10 Tips

Written By Roark Pollock And Presented By Charles Leaver CEO Ziften


The Endpoint Security Buyer’s Guide

The most common entry point for an advanced persistent threat or a breach is the endpoint. And endpoints are certainly the entry point for most ransomware and social engineering attacks. The use of endpoint protection products has long been considered a best practice for protecting endpoints. Unfortunately, those tools are not keeping up with today's threat environment. Advanced threats, and truth be told, even less advanced threats, are frequently more than sufficient to fool the typical employee into clicking something they should not. So organizations are looking at and evaluating a variety of next-generation endpoint security (NGES) solutions.

With this in mind, here are 10 tips to consider if you’re evaluating NGES solutions.

Tip 1: Start with the end in mind

Don’t let the tail wag the dog. A risk reduction strategy should always start by identifying the problems and then looking for possible fixes for those problems. But all too often we become enamored with a “shiny” new technology (e.g., the latest silver bullet) and end up trying to shoehorn it into our environment without fully evaluating whether it solves a known and identified problem. So exactly what problems are you trying to solve?

– Is your existing endpoint protection tool failing to stop threats?
– Do you need better visibility into activity on the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?

Define the problems to address, and you’ll have a measuring stick for success.

Tip 2: Know your audience. Who will be using the tool?

Understanding the problem that has to be solved is a crucial first step in understanding who owns the problem and who would (operationally) own the solution. Every functional team has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else could benefit from it. Is it:

– The security team,
– IT operations,
– The governance, risk and compliance (GRC) team,
– The helpdesk or end user support team,
– Or even the server team, or a cloud operations team?

Tip 3: Know what you mean by endpoint

Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in far more varieties than before.

Sure, we want to protect desktops and laptops, but what about mobile devices (e.g. phones and tablets), virtual endpoints, cloud based endpoints, or Internet of Things (IoT) devices? And what about your servers? All these devices, naturally, come in numerous flavors, so platform support has to be addressed as well (e.g. Windows only, Mac OS X, Linux, etc.). Also consider support for endpoints while they are working remotely or offline. What are your needs, and what are the “nice to haves”?

Tip 4: Start with a foundation of continuous visibility

Continuous visibility is a foundational capability for addressing a host of security and operational management concerns on the endpoint. The old saying is true: you can’t manage what you can’t see or measure. Furthermore, you can’t secure what you can’t properly manage. So it must begin with continuous, all-the-time visibility.

Visibility is foundational to Security and Management

And think about what visibility means. Enterprises need a single source of truth that at a minimum monitors, stores, and analyzes the following:

– System data – events, logs, hardware state, and file system information
– User data – activity logs and behavior patterns
– Application data – attributes of installed apps and usage patterns
– Binary data – attributes of installed binaries
– Process data – tracking details and statistics
– Network connection data – statistics and internal behavior of network activity on the host

Tip 5: Track your visibility data

Endpoint visibility data can be stored and analyzed on premise, in the cloud, or in some combination of both. There are advantages to each. The appropriate approach varies, but is normally dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.

Know if your company needs on premise data retention

Know whether your company allows cloud based data retention and analysis or whether you are constrained to on-premise solutions only. Within Ziften, 20-30% of our customers store data on premise purely for regulatory reasons. However, if it is legally an option, the cloud can offer cost benefits (among others).

Tip 6: Know exactly what is on your network

Understanding the problem you are trying to solve requires understanding the assets on the network. We have found that as much as 30% of the endpoints we initially discover on customers’ networks are unmanaged or unknown devices. This clearly creates a huge blind spot. Reducing this blind spot is an important best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software attached to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and usage, and perform ongoing continuous discovery.

Tip 7: Know where you are exposed

After determining which devices you need to monitor, you have to ensure they are running up to date configurations. SANS Critical Security Control 3 recommends monitoring for secure configurations on laptops, workstations, and servers. SANS Critical Security Control 4 recommends continuous vulnerability assessment and remediation of these devices. So look for NGES solutions that provide all-the-time monitoring of the state or posture of each device, and it’s even better if they can help enforce that posture.

Also look for solutions that provide continuous vulnerability assessment and remediation.

Keeping your overall endpoint environment hardened and free of critical vulnerabilities avoids a substantial number of security issues and removes a great deal of backend pressure from the IT and security operations teams.

Tip 8: Cultivate continuous detection and response

A key objective for most NGES solutions is supporting continuous device state monitoring, to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.

Look for NGES solutions that offer all-the-time or continuous threat detection, which leverages a network of global threat intelligence and several detection techniques (e.g., signature, behavioral, artificial intelligence, etc.). And look for incident response solutions that help prioritize identified threats and/or issues and provide a workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Lastly, understand all the response actions each solution supports, and look for a solution that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.

Tip 9: Think about forensic data gathering

In addition to incident response, companies must be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take numerous forms, but a foundation of historical endpoint monitoring data will be crucial to any investigation. So look for solutions that maintain historical data that allows:

– Forensic tasks such as tracing lateral threat movement through the network over time,
– Identifying data exfiltration attempts,
– Determining the root cause of breaches, and
– Identifying appropriate remediation actions.

Tip 10: Tear down the walls

IBM’s security team, which supports an excellent ecosystem of security partners, estimates that the typical enterprise has 135 security tools in place and is dealing with 40 security vendors. IBM customers certainly tend to be large businesses, but it’s a common refrain (complaint) from companies of all sizes that security solutions do not integrate well.

And the problem is not simply that security solutions do not play well with other security solutions, but also that they do not always integrate well with systems management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations have to consider these (and other) integration points along with the vendor’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Prepare for customizations

Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution soon after you get it. No solution will satisfy all your requirements right out of the box, in default configurations. Find out how the solution supports:

– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.

You know you’ll want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization tasks easily enough.

Look for support for easy customizations in your NGES solution

Follow the majority of these tips and you’ll undoubtedly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.

Charles Leaver – You Must Monitor Cloud Activities And Our Enhanced NetFlow Will Do This For You

Written by Roark Pollock and Presented by Ziften CEO Charles Leaver


According to Gartner, the public cloud services market surpassed $208 billion last year (2016). This represented about a 17% increase year over year. Pretty good when you consider the ongoing concerns most cloud customers still have regarding data security. Another particularly interesting Gartner finding is the common practice among cloud consumers of contracting services from several public cloud providers.

According to Gartner, “most organizations are already using a mix of cloud services from different cloud companies”. While the business rationale for using multiple providers is sound (e.g., avoiding vendor lock-in), the practice does create additional complexity in monitoring activity across an organization’s increasingly dispersed IT landscape.

While some providers support better visibility than others (for example, AWS CloudTrail can monitor API calls across the AWS infrastructure), organizations have to understand and address the visibility problems associated with moving to the cloud regardless of the cloud provider or providers they work with.

Unfortunately, the ability to track application and user activity, and network communications, from each VM or endpoint in the cloud is limited.

Regardless of where computing resources live, organizations must answer the question “Which users, machines, and applications are communicating with each other?” Organizations need visibility across the infrastructure in order to:

  • Quickly identify and prioritize issues
  • Speed root cause analysis and identification
  • Lower the mean time to repair issues for end users
  • Rapidly identify and eliminate security threats, reducing overall dwell times.

Conversely, poor visibility or poor access to visibility data can lower the effectiveness of existing management and security tools.

Organizations that are comfortable with the ease, maturity, and relative inexpensiveness of monitoring physical data centers are going to be disappointed with their public cloud alternatives.

What has been lacking is a simple, ubiquitous, and sophisticated solution like NetFlow for public cloud infrastructure.

NetFlow, of course, has had 20 years or so to become a de facto standard for network visibility. A typical deployment includes the monitoring of traffic and aggregation of flows at network chokepoints, the retrieval and storage of flow data from numerous collection points, and the analysis of this flow data.

Flows consist of a basic set of source and destination IP addresses plus port and protocol information that is generally collected from a router or switch. NetFlow data is relatively inexpensive and simple to collect, provides nearly ubiquitous network visibility, and enables analysis that is actionable for both network monitoring and performance management applications.

Most IT staffs, especially networking and some security teams, are very comfortable with the technology.

But NetFlow was developed to solve what has become a rather limited problem, in the sense that it only gathers network information and does so at a limited number of potential locations.

To make better use of NetFlow, two key changes are required.

NetFlow to the Edge: First, we need to expand the practical deployment scenarios for NetFlow. Instead of only collecting NetFlow at network choke points, let’s extend flow collection to the edge of the network (servers, clients and cloud). This would greatly expand the big picture that any NetFlow analytics provide.

This would allow companies to augment and leverage existing NetFlow analytics tools to eliminate the growing visibility blind spot into public cloud activity.

Rich, contextual NetFlow: Second, we need to use NetFlow for more than simple visibility of the network.

Instead, let’s use an extended version of NetFlow that includes details on the device, application, user, and binary responsible for each monitored network connection. That would allow us to quickly link every network connection back to its source.

In fact, these two changes to NetFlow are exactly what Ziften has achieved with ZFlow. ZFlow provides an expanded version of NetFlow that can be deployed at the network edge, including as part of a VM or container image, and the resulting data can be consumed and analyzed with existing NetFlow analysis tools. As well as conventional NetFlow / Internet Protocol Flow Information eXport (IPFIX) visibility of the network, ZFlow provides greater visibility by including information on the device, application, user and binary for each network connection.
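To make the “rich, contextual NetFlow” idea concrete, here is an added example (not Ziften’s ZFlow code) of how an IPFIX exporter and collector can carry the classic 5-tuple together with the user, binary name and binary hash for each connection, using enterprise-specific Information Elements so that a template-aware collector still reads the record. The Private Enterprise Number and the PEN-scoped element ids are placeholders, and the context fields use fixed widths rather than IPFIX’s variable-length encoding.

```python
import socket, struct
PEN = 99999  # placeholder Private Enterprise Number (assumption, not a real registration)
# (IE id, PEN or None for IANA-registered, fixed length, name, kind); the PEN-scoped ids are constructed
FIELDS = [(8, None, 4, "src", "ip"), (12, None, 4, "dst", "ip"), (7, None, 2, "sport", "int"),
          (11, None, 2, "dport", "int"), (4, None, 1, "proto", "int"), (1, PEN, 16, "user", "str"),
          (2, PEN, 32, "binary", "str"), (3, PEN, 32, "sha256", "hex")]
META = {(ie, pen): (name, kind) for ie, pen, _, name, kind in FIELDS}
TEMPLATE_ID = 256  # data-set template ids start at 256; set id 2 is the template set
ENC = {"ip": lambda v, n: socket.inet_aton(v), "int": lambda v, n: v.to_bytes(n, "big"),
       "str": lambda v, n: v.encode().ljust(n, b"\0")[:n], "hex": lambda v, n: bytes.fromhex(v)}
DEC = {"ip": socket.inet_ntoa, "int": lambda b: int.from_bytes(b, "big"),
       "str": lambda b: b.rstrip(b"\0").decode(), "hex": bytes.hex}

def build_message(records, export_time=0, seq=0, domain=1):
    """Exporter side: one IPFIX message carrying the template set followed by a data set."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    for ie, pen, ln, _, _ in FIELDS:  # enterprise bit 0x8000 set means a 4-byte PEN follows
        tmpl += struct.pack("!HH", ie, ln) if pen is None else struct.pack("!HHI", ie | 0x8000, ln, pen)
    tset = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    body = b"".join(ENC[k](r[n], ln) for r in records for _, _, ln, n, k in FIELDS)
    dset = struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body
    return struct.pack("!HHIII", 10, 16 + len(tset) + len(dset), export_time, seq, domain) + tset + dset

def parse_message(buf):
    """Collector side: template-driven decode, so unknown enterprise IEs still surface as hex."""
    version, length = struct.unpack("!HH", buf[:4]); assert version == 10 and length == len(buf)
    pos, templates, out = 16, {}, []
    while pos < length:
        set_id, set_len = struct.unpack("!HH", buf[pos:pos + 4])
        p, end = pos + 4, pos + set_len
        if set_id == 2:  # template set (one template per set assumed here)
            tid, count = struct.unpack("!HH", buf[p:p + 4]); p += 4
            spec = []
            for _ in range(count):
                ie, ln = struct.unpack("!HH", buf[p:p + 4]); p += 4
                spec.append((ie & 0x7FFF, struct.unpack("!I", buf[p:p + 4])[0] if ie & 0x8000 else None, ln))
                p += 4 if ie & 0x8000 else 0  # skip the PEN we just read
            templates[tid] = spec
        elif set_id in templates:  # data set described by a template seen earlier
            while p + sum(ln for *_, ln in templates[set_id]) <= end:
                rec = {}
                for ie, pen, ln in templates[set_id]:
                    name, kind = META.get((ie, pen), (f"ie{ie}", "hex"))
                    rec[name] = DEC[kind](buf[p:p + ln]); p += ln
                out.append(rec)
        pos = end
    return out
# Constructed sample: one east-west SMB connection attributed to the user and binary that opened it.
SAMPLE = [{"src": "10.0.1.5", "dst": "10.0.2.9", "sport": 49152, "dport": 445, "proto": 6,
           "user": "svc-backup", "binary": "backup-agent.exe", "sha256": "ab" * 32}]
```

A standard collector that ignores the PEN-scoped elements still sees the 5-tuple, which is what lets context-enriched records flow into existing NetFlow analysis tools.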

Ultimately, this allows Ziften ZFlow to deliver end-to-end visibility between any two endpoints, physical or virtual, removing traditional blind spots like east-west traffic in data centers and enterprise cloud deployments.