Category Archives: Endpoint Security

Charles Leaver – Environments That Are Not Managed Correctly Will Not Be Secure And Vice Versa

Written by Charles Leaver, Ziften CEO


If your enterprise computing environment is not managed effectively, there is no way it can be fully secured. And you cannot manage those complex enterprise systems efficiently unless you are confident that they are secure.

Some may call this a chicken-and-egg situation, where you do not know where to start. Should you start with security? Or should you start with systems management? That is the wrong way to frame it. Think of it instead like Reese’s Peanut Butter Cups: it is not chocolate first, and it is not peanut butter first. Both are blended together and treated as a single delicious treat.

Many organizations, I would argue too many, are structured with an IT management department reporting to a CIO and a security management group reporting to a CISO. The CIO team and the CISO team do not know each other, talk to each other only when absolutely necessary, have separate budgets, certainly have separate priorities, read different reports, and use different management platforms. On a day-to-day basis, what constitutes a task, a problem or an alert for one team flies entirely under the other team’s radar.

That is bad, because both the IT and security teams are forced to make assumptions. The IT team assumes that all assets are secure unless somebody tells them otherwise: for example, that devices and applications have not been compromised, that users have not escalated their privileges, and so on. Likewise, the security team assumes that the servers, desktops and mobile devices are working correctly, that operating systems and applications are fully up to date, that patches have been applied, and so on.

Since the CIO and CISO teams are not talking to each other, do not understand each other’s functions and goals, and are not using the same tools, those assumptions may well be wrong.

And again, you cannot have a secure environment unless that environment is properly managed, and you cannot manage that environment unless it is secure. Or to put it another way: an insecure environment makes anything you do in the IT organization suspect and irrelevant, and means you cannot know whether the data you are seeing is accurate or under control. It may all be fake news.

How to Bridge the IT / Security Gap

How do you bridge that gap? It sounds simple but it can be hard: ensure there is an umbrella covering both the IT and security teams, so that both report to the same individual or structure somewhere. It might be the CIO, it might be the CFO, it might be the CEO. For the sake of argument here, let’s say it is the CFO.

If the company does not have a secure environment and there is a breach, the value of the brand and the business can be reduced to nothing. Similarly, if the users, devices, infrastructure, applications and data are not managed well, the company cannot work effectively, and its value drops. As we have discussed, if it is not properly managed it cannot be secured, and if it is not secured it cannot be well managed.

The fiduciary obligation of senior executives (like the CFO) is to protect the value of business assets, which means making certain that IT and security talk to each other, understand each other’s priorities, and, where possible, can see the same reports and data, filtered and presented so as to be meaningful to their respective areas of responsibility.

That is the thinking we adopted in developing our Zenith platform. It is not a security management tool with IT capabilities, and it is not an IT management tool with security capabilities. No, it is a Peanut Butter Cup, designed equally around chocolate and peanut butter. To be less confectionery about it, Zenith is an umbrella that gives IT teams exactly what they need to do their jobs, and gives security teams exactly what they need too, without coverage gaps that could undermine assumptions about the state of enterprise security and IT management.

We have to ensure that our organization’s IT infrastructure is built on a secure foundation, and also that our security is implemented on a well-managed base of hardware, infrastructure, software and users. We cannot operate at peak efficiency, and with full fiduciary responsibility, otherwise.

Charles Leaver – More Working From Home Now So Constant Visibility Of The Endpoint Is A Must

Written By Roark Pollock And Presented By Charles Leaver, Ziften CEO


A study recently completed by Gallup found that 43% of employed Americans worked remotely for at least some of their working time in 2016. Gallup, which has been surveying telecommuting patterns in the United States for almost a decade, continues to see more workers working outside traditional offices, and more of them doing so for a greater number of days per week. And, of course, the number of connected devices the typical employee uses has jumped too, which adds to the convenience and appeal of working away from the office.

This mobility certainly makes for happier employees, and one hopes more productive employees, but the problems these trends pose for both systems and security operations teams must not be overlooked. IT systems management, IT asset discovery, and threat detection and response functions all benefit from real-time and historical visibility into user, device, application and network connection activity. And to be truly effective, endpoint visibility and monitoring must work no matter where the user and device are operating, be it on the network (local), off the network but connected (remote), or disconnected (not online). Current remote working patterns are increasingly leaving security and operations teams blind to potential problems and threats.

The mainstreaming of these trends makes it even harder for IT and security teams to restrict what used to be considered higher-risk user behavior, such as working from a coffee shop. But that ship has sailed, and today security and systems management teams need to be able to thoroughly track device, network, user and application activity, detect anomalies and inappropriate actions, and enforce appropriate responses or remediation, regardless of whether an endpoint is locally connected, remotely connected, or disconnected.

In addition, the fact that many employees now routinely access cloud-based applications and assets, and keep backup USB or network-attached storage (NAS) drives at home, further magnifies the need for endpoint visibility. Endpoint controls are frequently the one and only record of remote activity that no longer necessarily terminates in the corporate network. Offline activity is the most extreme example of the need for continuous endpoint monitoring: network controls and network monitoring are plainly of little use when a device is operating offline. Installing a suitable endpoint agent is crucial to ensure that important security and systems data is captured.

As an example of the kind of offline activity that can be detected, a customer was recently able to monitor, flag and report unusual behavior on a corporate laptop. A senior executive moved large amounts of endpoint data to an unapproved USB drive while the device was offline. Because the endpoint agent was able to collect this behavioral data during the offline period, the customer could see this unusual action and follow up appropriately. Continuous monitoring of device, application and user behavior, even while the endpoint was disconnected, gave the customer visibility they never had before.
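The offline scenario above, as an added example (not Ziften’s code): a store-and-forward agent model that keeps recording file writes while disconnected, and a detection rule, run once the telemetry is forwarded, that flags bulk copies to removable drives not on an approved list. The events, approved drive serials and thresholds are constructed.

```python
"""Detecting bulk copies to unapproved removable media, including while offline.

Added example, not Ziften's code: a minimal endpoint-agent model that keeps
collecting file-write telemetry while the host is disconnected, holds it in a
local queue, and forwards it when connectivity returns, where a detection rule
flags large write volumes to removable drives that are not on the approved
list. Event records, the approved-device list and the thresholds are all
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FileWriteEvent:
    ts: int             # epoch seconds
    user: str
    process: str
    volume: str         # drive letter the write landed on
    volume_serial: str  # hardware serial reported for that volume
    removable: bool
    bytes_written: int


@dataclass
class OfflineAgent:
    """Store-and-forward collector: telemetry is recorded regardless of
    connectivity; only the forwarding step depends on being online."""
    online: bool = False
    queue: list = field(default_factory=list)      # held locally while offline
    forwarded: list = field(default_factory=list)  # what the server side has received

    def record(self, event):
        self.queue.append(event)
        if self.online:
            self.flush()

    def set_online(self, online):
        self.online = online
        if online:
            self.flush()

    def flush(self):
        self.forwarded.extend(self.queue)
        self.queue.clear()


# Constructed policy: serials of removable drives the organization has approved.
APPROVED_REMOVABLE_SERIALS = frozenset({"ACME-ENC-0001"})
BYTES_THRESHOLD = 500 * 1024 * 1024   # more than 500 MiB to one drive ...
WINDOW_SECONDS = 15 * 60              # ... within 15 minutes


def detect_unapproved_bulk_copy(events, approved=APPROVED_REMOVABLE_SERIALS,
                                threshold=BYTES_THRESHOLD, window=WINDOW_SECONDS):
    """Return one finding per (user, drive serial) whose writes to an unapproved
    removable drive exceed `threshold` bytes inside any `window`-second span."""
    per_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.removable and ev.volume_serial not in approved:
            per_pair[(ev.user, ev.volume_serial)].append(ev)

    findings = []
    for (user, serial), evs in per_pair.items():
        start = total = 0
        crossed_at = None
        for end, ev in enumerate(evs):           # sliding window over sorted events
            total += ev.bytes_written
            while ev.ts - evs[start].ts > window:
                total -= evs[start].bytes_written
                start += 1
            if total > threshold and crossed_at is None:
                crossed_at = ev.ts
        if crossed_at is not None:
            findings.append({
                "user": user,
                "volume_serial": serial,
                "total_bytes": sum(e.bytes_written for e in evs),
                "crossed_threshold_at": crossed_at,
                "processes": sorted({e.process for e in evs}),
            })
    return findings


def demo():
    """Constructed scenario: the laptop leaves the network, about 1.2 GiB is
    copied to an unknown USB drive and 900 MiB to an approved encrypted one,
    then it reconnects. Returns (events queued while offline, findings)."""
    agent = OfflineAgent(online=True)
    agent.record(FileWriteEvent(1000, "exec01", "outlook.exe", "C:", "SYS-DISK", False, 4096))
    agent.set_online(False)
    for i in range(6):
        agent.record(FileWriteEvent(2000 + i * 60, "exec01", "explorer.exe", "E:",
                                    "UNKNOWN-USB-7731", True, 200 * 1024 * 1024))
    agent.record(FileWriteEvent(2400, "exec01", "explorer.exe", "F:",
                                "ACME-ENC-0001", True, 900 * 1024 * 1024))
    queued_while_offline = len(agent.queue)
    agent.set_online(True)   # queue drains to the server side
    return queued_while_offline, detect_unapproved_bulk_copy(agent.forwarded)


if __name__ == "__main__":
    queued, findings = demo()
    print(f"{queued} events queued while offline")
    for finding in findings:
        print(finding)
```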

Does your company have continuous tracking and visibility when employee endpoints are not connected? If so, how do you achieve this?

Charles Leaver – Defining An Endpoint And Protecting It Will Increase In Difficulty As Connected Devices Rise

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


In the very recent past everyone knew exactly what you meant when you brought up the subject of an endpoint. If someone wanted to sell you an endpoint security product, you knew what devices that software was going to protect. But when I hear someone casually talk about endpoints today, The Princess Bride’s Inigo Montoya comes to mind: “You keep using that word. I do not think it means what you think it means.” Today an endpoint could be almost any type of device.

In fact, endpoints are so varied these days that people have taken to calling them “things.” According to Gartner, at the close of 2016 there were more than six billion “things” connected to the internet. The firm predicts that this number will grow to twenty-one billion by 2020. Enterprise use of these things will be both generic (e.g. connected light bulbs and HVAC systems) and industry-specific (e.g. oil well safety monitoring). For IT and security teams responsible for connecting and protecting endpoints, however, this is only half of the new challenge. The adoption of virtualization technology has redefined what an endpoint is, even in the environments in which these teams have traditionally operated.

The past ten years have seen an enormous change in the way end users access information. Physical devices continue to become more mobile, with many information workers now doing most of their computing and communication on laptops and smartphones. More importantly, everyone is becoming an information worker. Today, better instrumentation and monitoring have enabled levels of data collection and analysis that can make inserting information technology into almost any task profitable.

At the same time, more traditional IT assets, especially servers, are being virtualized to remove some of the constraints of having those assets tied to physical devices.

These two trends together will affect security teams in important ways. The totality of “endpoints” will include billions of long-lived and insecure IoT endpoints, as well as billions of virtual endpoint instances that will be scaled up and down as needed and moved to different physical locations as needed.

Enterprises will have very different worries about these two general kinds of endpoints. Over their lifetimes, IoT devices will have to be protected from a host of threats, some of which have yet to be invented. Monitoring and protecting these devices will require advanced detection capabilities. On the plus side, it will be possible to preserve distinct log data to enable forensic investigation.

Virtual endpoints, on the other hand, present their own critical issues. Their ability to change physical location makes it far harder to guarantee that the right security policies are always attached to the endpoint. The practice of reimaging virtual endpoints can make forensic investigation difficult, as important data is usually lost when a new image is applied.

So regardless of what word or phrase is used to describe your endpoints – endpoint, system, client device, user device, mobile device, server, virtual machine, container, cloud workload, IoT device, and so on – it is important to understand exactly what someone means when they use the term endpoint.

Charles Leaver – Give Us Customized Security Solutions Say RSA 2017 Delegates

Written By Michael Vaughan And Presented By Charles Leaver, Ziften CEO


More tailored solutions are needed by security, network and operations teams in 2017

Many of us have attended security conventions over the years, but none bring the same high level of excitement as RSA, where security is discussed by the world. Of all the conventions I have attended and worked, nothing comes close to the passion for new technology that people showed this past week in downtown San Francisco.

After taking a few days to digest the dozens of conversations about the needs for and limitations of existing security tech, I have been able to synthesize a particular theme among participants: people want customized solutions that fit their environment and will work across multiple internal teams.

When I use the term “people,” I mean everyone in attendance regardless of technological segment. Operations professionals, security professionals, network veterans, and user behavior analysts all visited the Ziften booth and shared their experiences.

Everyone seemed more prepared than ever to discuss their wants and needs for their environment. These attendees had their own set of objectives they wanted to achieve within their department, and they were hungry for answers. Since the Ziften Zenith solution offers such broad visibility into enterprise devices, it is not surprising that our booth stayed crowded with people eager to learn more about a new, refreshingly simple endpoint security technology.

Visitors came with grievances about a myriad of enterprise-centric security problems and sought deeper insight into what is actually happening on their network and on devices traveling in and out of the workplace.

Users of old-school security products are on the hunt for newer, more essential software.

If I could pick just one of the frequent questions I received at RSA to share, it is this one:

“What is endpoint discovery?”

1) Endpoint discovery: Ziften reveals a historical view of unmanaged devices which have been connected to other enterprise endpoints at some stage. Ziften allows users to discover known and unknown entities which are active or have been interacting with known endpoints.

a. Unmanaged Asset Discovery: Ziften uses our extension platform to expose these unknown entities operating on the network.

b. Extensions: These are custom-fit solutions tailored to the user’s particular wants and requirements. The Ziften Zenith agent can execute the assigned extension once, on a schedule, or on a continuous basis.

Usually, after the above description came the real reason they were attending:

People are searching for a wide range of solutions for numerous departments, including executives. This is where working at Ziften makes answering this question a treat.

Only a portion of the RSA attendees are security professionals. I spoke to many network, operations and endpoint management people, vice presidents, general managers and channel partners.

They clearly all use and understand the need for quality security software, but apparently find the translation to business value missing among security vendors.

NetworkWorld’s Charles Araujo phrased the problem rather well in a recent article:

Businesses must also rationalize security data in a business context and manage it holistically as part of the overall IT and business operating model. A group of vendors is also trying to tackle this challenge …

Ziften was one of only three companies mentioned.

After listening to the wants and needs of people from different business-critical backgrounds and describing to them the capabilities of Ziften’s Extension platform, I typically explained how Ziften would adapt an extension to solve their need, or I gave a quick demo of an extension that would let them overcome a particular challenge.

2) Extension Platform: Tailored, actionable solutions.

a. SKO Silos: Extensions based on fit and requirement (operations, network, endpoint, etc.).

b. Custom Requests: Need something you do not see? We can fix that for you.

3) Enhanced Forensics:

a. Security: Threat management, risk assessment, vulnerabilities, suspicious metadata.

b. Operations: Compliance, license rationalization, unmanaged assets.

c. Network: Ingress/egress IP movement, domains, volume metadata.

4) Visibility within the network – not just what comes in and goes out.

a. ZFlow: Finally see the network traffic inside your enterprise.

Needless to say, everyone I spoke to in our booth quickly understood the critical importance of having a product such as Ziften Zenith running in and across their enterprise.

Forbes contributor Jason Bloomberg said it best when he recently described the future of enterprise security software and how all signs point toward Ziften leading the way:

Perhaps the broadest disruption: vendors are improving their ability to understand how bad actors behave, and can thus take steps to prevent, detect or mitigate their malicious activities. In particular, today’s vendors understand the ‘Cyber Kill Chain’ – the steps a competent, patient hacker (known in the biz as an advanced persistent threat, or APT) will take to achieve his or her nefarious goals.

The product of U.S. defense contractor Lockheed Martin, the Cyber Kill Chain consists of seven links: reconnaissance, weaponization, delivery, exploitation, installation, establishing command and control, and actions on objectives.

Today’s more innovative vendors target one or more of these links, with the goal of preventing, detecting or mitigating the attack. Five vendors at RSA stood out in this category.

Ziften offers an agent-based approach to tracking the behavior of users, devices, applications, and network components, both in real time and across historical data.

In real time, analysts use Ziften for threat identification and prevention, while they use the historical data to uncover steps in the kill chain for mitigation and forensic purposes.

Charles Leaver – Ziften Tool For Endpoint Visibility And Immediate Incident Action

Written By Logan Gilbert And Presented By Charles Leaver


Ziften helps with incident response, remediation, and investigation, even for endpoints that are not connected to your network.

When incidents occur, security analysts have to act quickly and thoroughly.

With telecommuting workforces and enterprise “cloud” infrastructures, remediation and analysis on an endpoint pose a truly daunting task. Below, see how you can use Ziften to take action on the endpoint and identify the origin and spread of a compromise in minutes, no matter where the endpoints are located.

First, Ziften alerts you to malicious activity on endpoints and directs you to the cause of the alert. In seconds, Ziften lets you take remediation actions on the endpoint, whether it is on the corporate network, at a worker’s home, or in the local coffee shop. Any remediation action you would normally carry out through direct access to the endpoint, Ziften offers through its web console.

Just that quickly, remediation is taken care of. Now you can apply your security expertise to go threat hunting and conduct a bit of forensics work. You can immediately dive into much more detail about the process that led to the alert, and then ask the necessary questions to discover how widespread the problem is and where it propagated from. Ziften delivers detailed incident remediation for security analysts.

See for yourself how Ziften can help your security team zero in on threats in your environment with our 30-day free trial.

Charles Leaver – If You Continue To Use Adobe Flash You Will Get Hacked

Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO


Get Tough or Get Attacked.

Highly experienced and talented cyber attack teams have targeted, and are targeting, your organization. Your vast endpoint population is the most common point of entry for skilled attack groups. These enterprise endpoints number in the thousands, are loosely managed, laxly configured, and riddled with vulnerability exposures, and they are operated by partially trained, credulous users – the ideal target-rich opportunity. Mikko Hypponen, chief research officer at F-Secure, often says at industry symposia: “How many of the Fortune 500 are hacked today? The answer: 500.”

And how long did it take to penetrate your organization? White hat hackers performing penetration testing or red team exercises typically compromise target businesses within the first few hours, despite being ethically and legally constrained in their methods. Black hat or state-sponsored hackers may achieve penetration far more rapidly and protect their presence indefinitely. Given typical adversary dwell times measured in hundreds of days, the time-to-penetration is negligible, not an impediment.

Exploit Kits

The industrialization of hacking has produced a black market for attack tools, including a range of software for identifying and exploiting client endpoint vulnerabilities. These exploit kits are marketed to cyber adversaries on the dark web, with many exploit kit families and vendors. An exploit kit operates by examining the software configuration on the endpoint, identifying exposed vulnerabilities, and applying an exploit to a vulnerability exposure.

A relative handful of commonly deployed endpoint software accounts for the bulk of the vulnerabilities targeted by exploit kits. This results from the sad truth that complex software tends to exhibit a continual stream of vulnerabilities that leave it perpetually exposed. Each patch release cycle, the exploit kit developers download the latest security patches, reverse engineer them to find the underlying vulnerabilities, and update their exploit kits. This is often done faster than enterprises apply patches, with some vulnerabilities remaining unpatched and ripe for exploitation even years after a patch is released.

Adobe Flash

Prior to widespread adoption of HTML5, Adobe Flash was the most commonly used software for rich Internet content. Even with increasing adoption of HTML5, legacy Adobe Flash retains a considerable following, maintaining its long-held position as the darling of exploit kit authors. A recent study by Digital Shadows, In the Business of Exploitation, is instructive:

This report evaluates 22 exploit kits to understand the most frequently exploited software. We looked for patterns within the exploitation of vulnerabilities by these 22 kits to reveal which vulnerabilities had been exploited most commonly, paired with how active each exploit kit was, in order to inform our assessment.

The vulnerabilities exploited by all 22 exploit kits showed that Adobe Flash Player was likely to be the most targeted software, with 27 of the 76 identified vulnerabilities exploited relating to this software.

With relative consistency, dozens of fresh vulnerabilities are disclosed in Adobe Flash every month. To exploit kit developers, it is the gift that keeps on giving.

The industry is learning its lesson and moving beyond Flash for rich web content. For example, a Yahoo senior developer blogging recently in Streaming Media noted:

“Adobe Flash, once the de facto standard for media playback online, has lost favor in the industry due to increasing concerns over security and performance. At the same time, requiring a plugin for video playback in browsers is losing favor among users as well. As a result, the industry is moving toward HTML5 for video playback.”

Amit Jain, Sep 21, 2016

Eradicating Adobe Flash

One step organizations can take now to harden their endpoint configurations is to get rid of Adobe Flash as a matter of enterprise security policy. This will not be an easy task, and it may hurt, but it will help reduce your enterprise attack surface. It involves blacklisting Adobe Flash Player and enforcing browser security settings that disable Flash content. If done properly, this is what users will see where Flash content appears on a legacy website:


This message confirms two facts:

1. Your system is correctly configured to reject Flash content. Congratulate yourself!

2. This site would compromise your security for its own convenience. Ditch this site!
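One way to check that the browser half of this policy is actually enforced, as an added example rather than anything from the original post: it audits a Chrome managed-policy file and a Firefox preference file for the settings that block Flash, with a constructed weak configuration shown beside a hardened one.

```python
"""Audit browser policy for the "no Flash content" setting described above.

Added example, not Ziften's code. It covers the browser-settings half of the
policy (the application blacklist of the Flash Player binary is a separate
control). The semantics relied on are Chrome's DefaultPluginsSetting policy
(1 allow, 2 block, 3 click-to-play) with PluginsAllowedForUrls exceptions,
and Firefox's plugin.state.flash preference (0 disabled, 1 ask-to-activate,
2 always activate) set via user.js or a locked autoconfig file. The sample
configurations are constructed to show a weak setting beside a hardened one.
"""
import json
import re

# Constructed Chrome managed-policy JSON: click-to-play plus an intranet exception.
CHROME_WEAK = json.dumps({
    "DefaultPluginsSetting": 3,
    "PluginsAllowedForUrls": ["https://legacy.intranet.example"],
})
# Constructed Chrome policy: block plugins everywhere, no exceptions.
CHROME_HARDENED = json.dumps({
    "DefaultPluginsSetting": 2,
    "PluginsBlockedForUrls": ["*"],
})
# Constructed Firefox user.js: ask-to-activate, and not locked (a user can change it).
FIREFOX_WEAK = 'user_pref("plugin.state.flash", 1);\n'
# Constructed Firefox autoconfig (first line must be a comment): disabled and locked.
FIREFOX_HARDENED = '// mozilla.cfg\nlockPref("plugin.state.flash", 0);\n'

_FLASH_PREF = re.compile(
    r'^\s*(lockPref|defaultPref|pref|user_pref)\("plugin\.state\.flash",\s*(\d)\);',
    re.MULTILINE,
)


def audit_chrome(policy_json):
    """Return findings for a Chrome managed-policy file; [] means Flash is blocked."""
    policy = json.loads(policy_json)
    findings = []
    setting = policy.get("DefaultPluginsSetting")
    if setting != 2:
        findings.append(f"DefaultPluginsSetting is {setting!r}, expected 2 (block)")
    allowed = policy.get("PluginsAllowedForUrls", [])
    if allowed:
        findings.append(f"PluginsAllowedForUrls re-enables plugins for {allowed}")
    return findings


def audit_firefox(prefs_text):
    """Return findings for a Firefox user.js/autoconfig file; [] means Flash is
    disabled and the preference is locked against user changes."""
    matches = _FLASH_PREF.findall(prefs_text)
    if not matches:
        return ["plugin.state.flash is not set; the browser default applies"]
    func, value = matches[-1]   # the last assignment wins, as in the browser
    findings = []
    if value != "0":
        findings.append(f"plugin.state.flash is {value}, expected 0 (disabled)")
    if func != "lockPref":
        findings.append(f"preference set with {func}(); not locked, so a user can re-enable Flash")
    return findings


def flash_blocked(chrome_policy_json, firefox_prefs_text):
    """True only when both browsers are configured to refuse Flash content."""
    return not audit_chrome(chrome_policy_json) and not audit_firefox(firefox_prefs_text)


if __name__ == "__main__":
    for label, findings in [
        ("chrome weak", audit_chrome(CHROME_WEAK)),
        ("chrome hardened", audit_chrome(CHROME_HARDENED)),
        ("firefox weak", audit_firefox(FIREFOX_WEAK)),
        ("firefox hardened", audit_firefox(FIREFOX_HARDENED)),
    ]:
        print(label, "->", findings or "OK")
```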

Charles Leaver – Illumination Advances Means A New Start For Endpoints

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

The dissolution of the traditional perimeter is happening fast. So where does this leave the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. Investments are being questioned, with returns unable to overcome the cost and complexity of building, maintaining, and justifying these old defenses.

Not only that, the paradigm has changed – workers are no longer working solely in the office. Many people are logging hours from home or out in the field, and neither location is under the umbrella of a firewall. Instead of keeping the cybercriminals out, firewalls often have the opposite effect – they prevent authorized people from being productive. The paradox? They create a safe haven for attackers to breach and hide in for months, then traverse to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the aforementioned failure of perimeter defense and a “mobile everywhere” workforce, we must now enforce trust at the endpoint. Easier said than done, however.

In the endpoint space, identity & access management (IAM) tools are not the perfect answer. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust goes beyond simple identification, authentication, and authorization.

Encryption is a second attempt at securing whole libraries and individual assets. In the most recent (2016) Ponemon study on data breaches, encryption only saved 10% of the cost per breached record (from $158 to $142). This is not the cure-all that some make it seem.

The Whole Picture Is Changing

Organizations need to be prepared to embrace new paradigms and attack vectors. While organizations need to provide access to trusted groups and individuals, they need to solve this in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are quickly making up over 50% of the total enterprise workforce.

On endpoint devices, the binary is primarily the issue. Probably benign incidents, such as an executable crash, might indicate something simple – like the Windows 10 Desktop Window Manager (DWM) restarting. Or it might be a much deeper problem, such as a malicious file or early indicators of an attack.

Trusted access does not solve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human factors. This requires more than simple IAM – it requires behavioral analysis.

Rather than making good better, perimeter and identity access vendors made bad faster.

When and Where Does the Bright Side Begin?

Taking a step back, Google (Alphabet Corp) revealed a perimeter-less network design in late 2014, and has made considerable progress. Other organizations – from corporations to governments – have done this (quietly and less visibly), but BeyondCorp has done it and shown its solution to the world. The design philosophy, endpoint plus (public) cloud displacing the cloistered enterprise network, is the key idea.

This changes the entire discussion about an endpoint – be it a laptop, PC, workstation, or server – being subservient to the corporate/enterprise/private/organization network. The endpoint truly is the last line of defense, and needs to be protected, yet also to report its activity.

Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to tools and services based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both external networks and internal networks to be entirely untrusted, and gates access to apps by dynamically asserting and enforcing levels, or “tiers,” of access.

By itself, this seems harmless. But the reality is that this is a radical new design, and it is imperfect. The access requirements have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, instead of a centralized design with the potential for breaches, hacking, and threats at the human level (the “soft chewy center”).
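To make the shift from network addresses to device trust levels concrete, an added example (not Google’s or Ziften’s code): an access decision that derives a tier from device inventory state and the authenticated user, with constructed tier definitions, devices and application requirements, and with the source network deliberately ignored.

```python
"""Tiered access decision in the style of the BeyondCorp model described above.

Added example, not Google's or Ziften's code. The decision uses only device
inventory state and the authenticated user; the network the request arrives
from plays no part. Tier ladder, application requirements, device records and
the clock value are all constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    UNTRUSTED = 0   # unmanaged device or no verified device identity
    BASIC = 1       # managed and certificate verified, but state unknown or unhealthy
    PRIVILEGED = 2  # healthy: current inventory, encrypted, patched
    HIGH = 3        # healthy and the device key is held in a TPM (or equivalent)


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # corporate-owned and enrolled in the inventory
    cert_valid: bool        # device X.509 certificate verified by the access proxy
    hardware_backed: bool   # certificate key protected by a TPM
    disk_encrypted: bool
    patch_lag_days: int     # days since the newest available patch was released
    agent_reported_at: int  # epoch seconds of the last inventory delta


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    mfa: bool


def device_tier(dev, now, max_stale_seconds=24 * 3600, max_patch_lag=30):
    """Derive a trust tier from device state alone."""
    if not (dev.managed and dev.cert_valid):
        return Tier.UNTRUSTED
    # An inventory that has gone silent cannot vouch for the device's current state.
    if now - dev.agent_reported_at > max_stale_seconds:
        return Tier.BASIC
    if not dev.disk_encrypted or dev.patch_lag_days > max_patch_lag:
        return Tier.BASIC
    return Tier.HIGH if dev.hardware_backed else Tier.PRIVILEGED


# Constructed per-application policy: (minimum device tier, required group or None).
APP_POLICY = {
    "wiki": (Tier.BASIC, None),
    "hr-portal": (Tier.PRIVILEGED, "hr"),
    "prod-ssh": (Tier.HIGH, "sre"),
}


def decide(app, user, dev, source_network, now):
    """Return (allowed, reason). `source_network` appears in the reason only,
    to make explicit that it never influences the outcome."""
    if app not in APP_POLICY:
        return False, "unknown application"
    min_tier, group = APP_POLICY[app]
    if not user.mfa:
        return False, "user is not MFA-authenticated"
    tier = device_tier(dev, now)
    if tier < min_tier:
        return False, f"device tier {tier.name} is below required {min_tier.name}"
    if group is not None and group not in user.groups:
        return False, f"user is not in required group {group!r}"
    return True, f"granted at tier {tier.name}; source network {source_network!r} ignored"


# Constructed fixtures.
NOW = 1_700_000_000
ALICE = User("alice", frozenset({"sre", "eng"}), mfa=True)
LAPTOP_HEALTHY = Device("L-001", True, True, True, True, 5, NOW - 600)
LAPTOP_STALE = Device("L-002", True, True, True, True, 5, NOW - 3 * 86400)
BYOD_PHONE = Device("B-001", False, False, False, True, 0, NOW)


def scenarios():
    """Run the illustrative requests and return {label: allowed}."""
    return {
        # Healthy corporate laptop from a coffee shop: location does not matter.
        "healthy_from_coffee_shop": decide("prod-ssh", ALICE, LAPTOP_HEALTHY, "cafe-wifi", NOW)[0],
        # Same user on the corporate LAN, but inventory is stale: tier drops to BASIC.
        "stale_from_corp_lan": decide("prod-ssh", ALICE, LAPTOP_STALE, "corp-lan", NOW)[0],
        # BASIC is still enough for the low-sensitivity wiki.
        "stale_to_wiki": decide("wiki", ALICE, LAPTOP_STALE, "corp-lan", NOW)[0],
        # An unmanaged device is untrusted even on the corporate LAN.
        "byod_to_wiki": decide("wiki", ALICE, BYOD_PHONE, "corp-lan", NOW)[0],
        # Device is fine but the user lacks the application's required group.
        "healthy_wrong_group": decide("hr-portal", ALICE, LAPTOP_HEALTHY, "corp-lan", NOW)[0],
    }


if __name__ == "__main__":
    for label, allowed in scenarios().items():
        print(f"{label:28s} -> {'ALLOW' if allowed else 'DENY'}")
```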

The good part of the story? Breaching the perimeter is very hard for would-be attackers, and network pivoting becomes almost impossible once they are past the reverse proxy (a common technique used by attackers today – showing that firewalls do a better job of keeping the bad guys in than of letting the legitimate users out). The inverse model further applies to Google cloud servers, presumably tightly managed, inside the perimeter, versus client endpoints, which are all out in the wild.

Google has made some good improvements on proven security approaches, notably 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).

Why is this important? What are the gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google does not specifically describe a device security agent or emphasize any form of client-side monitoring (apart from very strict configuration control). While there may be reporting and forensics, this is something every organization needs to be aware of, since it is a matter of when, not if, bad things will happen.

Since implementing the initial stages of the Device Inventory Service, we’ve ingested billions of deltas from over 15 data sources, at a typical rate of about 3 million per day, totaling over 80 terabytes. Maintaining historical data is important in allowing us to understand the end-to-end lifecycle of a given device, track and analyze fleet-wide trends, and perform security audits and forensic investigations.

This is a costly and data-heavy process with two shortcomings. On ultra-high-speed networks (used by the likes of Google, universities and research organizations), ample bandwidth allows this kind of communication to happen without flooding the pipes. The first concern is that in more pedestrian corporate and government settings, this would cause major user disruption.

Second, computing devices need the horsepower to continuously collect and send data. While most workers would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly make this prohibitive.

A Lack of Lateral Visibility

Few systems actually generate ‘enriched’ NetFlow, augmenting conventional network visibility with rich, contextual data.

Ziften’s patented ZFlow™ provides network flow information generated at the endpoint, something otherwise achieved through brute force (human labor) or costly network devices.

ZFlow serves as a “connective tissue” of sorts, which extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints, and enabling security teams to make faster, better informed and more precise decisions. In essence, investing in Ziften solutions results in labor cost savings, plus a boost in speed-to-discovery and time-to-remediation, because the technology acts as a substitute for human resources.

For organizations moving or migrating to the public cloud (as 56% are planning to do by 2021, according to IDG Enterprise’s 2015 Cloud Study), Ziften offers unmatched visibility into cloud servers to better monitor and secure the complete infrastructure.

In Google’s environment, only corporate-owned devices (COPE) are enabled, while crowding out bring-your-own-device (BYOD). This works for a business like Google that can give out brand-new devices to all personnel – phone, tablet, laptop computer, etc. Part of the reason for that is the vesting of identity in the device itself, plus user authentication as usual. The device must meet Google requirements, having either a TPM or a software equivalent of a TPM, to hold the X. 509 cert utilized to validate device identity and to assist in device-specific traffic encryption. There should be several agents on each endpoint to verify the device validation asserts called out in the access policy, which is where Ziften would have to partner with the systems management agent supplier, given that it is most likely that agent cooperation is essential to the process.


In summary, Google has built a world-class solution, but its applicability and practicality are limited to organizations like Alphabet.

Ziften offers the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint), and a best-in-class console. For companies with specialized requirements or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment data ingestion and trigger response actions).

This brings the advantages of the BeyondCorp design to the masses while conserving network bandwidth and endpoint (machine) computing resources. Since companies will be slow to move completely away from the corporate network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is gradually moving to managed detection and response (MDR). Managed security service providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is inadequate. They lack the skills and the technology.

Ziften’s solution has been tested, integrated, approved and deployed by a number of the emerging MDRs, highlighting the standardization (capability) and flexibility of the Ziften platform to play an essential role in remediation and incident response.

Charles Leaver – Adobe Flash Continues To Provide A Network Security Risk

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

Are You Still Running Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memo?

With Independence Day looming, a metaphor suggests itself: Flash is a bit like lighting fireworks. There may be less dangerous ways to do it, but the only sure way is not to do it at all. And with Flash, you need not fight pyromaniac urges to avoid it; simply manage your endpoint configurations.

Why would you want to do this? Well, a Google query for “Flash vulnerability” returns thirteen million results! Flash is old, done, and ripe for retirement, as Adobe itself has stated:

Today [November 30, 2015], open standards like HTML5 have actually developed and provide much of the capabilities that Flash ushered in… Looking ahead, we encourage content developers to develop with new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash mentions? Yes, in the typical enterprise, zillions. Your adversaries know that too; they are counting on it. Thanks very much for your contribution! Just keep ignoring those pesky security bloggers, like Brian Krebs:

I would advise that if you use Flash, you ought to strongly consider removing it, or at least hobbling it until and unless you need it.

Ignoring Brian Krebs’ advice raises the odds that your enterprise’s data breach will be the headline story in one of his future blog posts.


Flash Exploits: the Preferred Exploit Kit Component

The endless list of Flash vulnerabilities continues to lengthen with each new patch cycle. Nation-state attackers and the better-resourced syndicates can call upon Flash zero-days. They aren’t hard to mine: point your fuzz tester at the creaking Flash codebase and watch them roll in. If an offensive cyber group can’t call upon zero-days, no matter; there are plenty of newly released Flash Common Vulnerabilities and Exposures (CVEs) to draw upon before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps giving.

A recent FireEye blog post illustrates this typical Flash vulnerability progression, from virgin zero-day to freshly hatched CVE to prime enterprise exploit:

On May 8, 2016, FireEye identified an attack making use of a formerly unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the problem to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 simply four days later (Posted to FireEye Threat Research Blog on May 13, 2016).

As a quick test, then, check your vulnerability report for that entry, CVE-2016-4117. It was used in targeted attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be prepared.

Start a Flash and QuickTime Elimination Project

While we haven’t discussed QuickTime yet, Apple dropped support for QuickTime on Windows in April 2016. This summarily set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you remove all support for QuickTime? Including on macOS? Or just Windows? How do you find the unsupported versions when there are so many floating around?


By doing nothing, you flirt with disaster, with Flash vulnerability exposures rife throughout your client endpoint environment. Alternatively, you can start a Flash and QuickTime elimination project to move to a Flash-free enterprise. Or, wait, maybe you just tell your users not to glibly open e-mail attachments or click on links. User education, that always works, right? I don’t think so.

One problem is that some of your users have a job function that requires opening attachments, such as PDF invoices sent to accounts payable, applicant Microsoft Word resumes sent to hiring departments, or legal notices sent to legal departments.

Let’s take a closer look at the Flash exploit described by FireEye in the blog post cited above:

Attackers had embedded the Flash exploitation inside a Microsoft Office document, which was then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the opponents might disseminate their exploit by means of URL or e-mail attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this specific attack for a target running Windows and Microsoft Office.

Even if the Flash-averse enterprise had thoroughly purged Flash from all of its various web browsers, this exploit would still have succeeded. Completely eliminating Flash requires purging it from all web browsers and disabling its execution in embedded Flash objects within Microsoft Office or PDF files. Certainly that is a step that should be taken at least for those departments whose job function requires opening attachments from unsolicited e-mails. Extending outward from there is a worthy configuration-hardening goal for the security-conscious enterprise.
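As an added illustration (my own example, not Ziften’s code and not part of the original post), the following Python script shows one way a mail gateway or endpoint tool could flag Office attachments that carry embedded Flash, which is the delivery path FireEye describes above. It treats a .docx/.xlsx/.pptx as the ZIP package it is and looks in every part for either a raw SWF stream or a reference to the Shockwave Flash ActiveX control. The CLSID and the SWF magic bytes are real, well-known values; the sample documents are constructed in memory for the demonstration.

```python
import io
import uuid
import zipfile

# CLSID of the Shockwave Flash ActiveX control (a real, well-known value).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# The same CLSID in the little-endian binary layout COM uses inside OLE streams.
FLASH_CLSID_BIN = uuid.UUID(FLASH_CLSID).bytes_le
# First three bytes of an SWF file: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def scan_part(name, data):
    """Return (part name, reason) findings for one part of an OOXML package."""
    findings = []
    if data[:3] in SWF_MAGIC:
        findings.append((name, "SWF stream"))
    # ActiveX XML parts reference the control by CLSID in text form, e.g.
    # ax:classid="{D27CDB6E-...}" (any letter case); binary OLE streams embed
    # the GUID in its packed form, so both representations are checked.
    if FLASH_CLSID.encode("ascii") in data.upper() or FLASH_CLSID_BIN in data:
        findings.append((name, "Flash CLSID"))
    return findings


def scan_ooxml(blob):
    """Scan every part of a .docx/.xlsx/.pptx (a ZIP container) for Flash."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as pkg:
        for info in pkg.infolist():
            findings.extend(scan_part(info.filename, pkg.read(info)))
    return findings


def build_sample(with_flash):
    """Constructed minimal package for the demo; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # An ActiveX part pointing at the Flash control, lower-case CLSID.
            pkg.writestr("word/activeX/activeX1.xml",
                         '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID.lower())
            # An embedded object whose payload starts with a zlib-SWF header.
            pkg.writestr("word/embeddings/oleObject1.bin",
                         b"CWS\x0f" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for flagged in (False, True):
        print("with_flash=%s -> %s" % (flagged, scan_ooxml(build_sample(flagged))))
```

Legacy binary formats (.doc, .xls, .ppt) are OLE2 compound files rather than ZIP packages, and PDF files embed Flash through their own annotation mechanism, so each needs its own container parser; the same two indicators (SWF magic and the Flash CLSID) apply once the embedded streams are reached.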

Not to mention, we’re all waiting for the first post about a QuickTime vulnerability that brings down a major enterprise.


Charles Leaver – Ransomware Threats Are Increasing So Take Action To Protect Your Organization

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Ransomware tailored to enterprise attack campaigns has emerged in the wild. This is an obvious evolution of consumer-grade ransomware, driven by the larger bounties that enterprises are able to pay, coupled with the sheer scale of the attack surface (internet-facing endpoints and unpatched software). To the attacker, your enterprise is an appealing target with a big fat wallet just begging to be emptied.

Your Company is an Enticing Target

Simple Google queries may already have identified unpatched internet-facing servers by the score across your domain, or your credulous users may already be opening “spear phishing” e-mails crafted just for them and seemingly authored by people they know.

The weaponized invoices are sent to your accounting department, the weaponized legal notices go to your legal department, the weaponized resumes go to your human resources department, and the weaponized trade publication articles go to your public relations firm. That should cover it, for a start. Add the watering-hole drive-bys planted on industry websites frequented by your employees, the social media attacks targeting your key executives and their families, the infected USB sticks strewn around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise isn’t an “if” but a “when”: the when is constant, the who is legion.

The Arrival Of Targeted Ransomware

Malware researchers are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise intrusions. Christiaan Beek and Andrew Furtak describe this in an excerpt from Intel Security Advanced Threat Research, February 2016:

“During the past few weeks, we have actually gotten information about a new campaign of targeted ransomware attacks. Instead of the typical modus operandi (phishing attacks or drive-by downloads that cause automatic execution of ransomware), the hackers gained persistent access to the victim’s network through susceptibility exploitation and spread their access to any connected systems that they could. On each system, several tools were utilized to discover, encrypt, and erase the original files as well as any backups.”

A careful reading of this passage immediately suggests actions to take. Initial penetration was by “vulnerability exploitation,” as is typically the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Because the attackers “spread their access to any connected system,” robust network segmentation and access controls are also required. Think of them as the watertight compartments of a warship that keep it from sinking when the hull is breached. Of special note, the attackers “delete the original files along with any backups,” so there must be no delete access from a compromised system to its backup files; systems must only be able to append to their backups.

Your Backups Are Not Current, Are They?

Naturally, there must be current backups of any files that need to survive an enterprise intrusion. Paying the ransom is not an effective alternative, because any files produced by malware are inherently suspect and should be considered tainted. Corporate auditors or regulators can reject files excreted from some malware orifice as legally valid, the chain of custody having been completely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, infections may have been planted for later re-entry, or the malware’s file manipulations may simply have had errors or omissions. There would be no way to place any confidence in this data, and accepting it as valid could further compromise all future downstream data that depends on or derives from it. Treat ransomware data as trash. Either have a robust backup plan, regularly tested and verified, or prepare to suffer your losses.

What is Your Preparation for a Breach?

Even with sound backups, the confidentiality of affected data must be presumed breached, because it was read by the malware. Even with comprehensive network logs, it would be imprudent to claim that no data had been exfiltrated. In a targeted attack the attackers generally take stock of the data, examining at least samples of it to assess its potential value; otherwise they could be leaving money on the table. Data ransom demands may simply be the final monetization stage of an enterprise breach, after all other value has been mined from the intrusion, since the ransom demand exposes the compromise.

Have a Thorough Remediation Strategy

One must assume that competent adversaries have arranged multiple, cunningly concealed avenues of re-entry at staggered points in time (well after your crisis team has stood down and the expensive consultants have flown off to their next gig). Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Costly re-imaging of systems must be exhaustively thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.
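To make the MBR point concrete, here is an added Python example (not from the post or from Ziften) that parses a 512-byte master boot record, hashes its boot code, and compares both the code and the partition table against a baseline recorded after a clean build. The sample MBRs are constructed; the layout it parses (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) is the standard one.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE = b"\x55\xaa"


def parse_mbr(sector):
    """Parse a 512-byte MBR into boot-code digest, partition entries, signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype != 0:  # partition type 0x00 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start,
                          "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_against_baseline(sector, baseline):
    """Compare a freshly read MBR with a baseline parsed after a clean build.
    Returns a list of deviations; an empty list means nothing changed."""
    current = parse_mbr(sector)
    issues = []
    if not current["signature_ok"]:
        issues.append("boot signature 0x55AA missing")
    if current["bootcode_sha256"] != baseline["bootcode_sha256"]:
        issues.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        issues.append("partition table differs from baseline")
    return issues


def make_sample_mbr(boot_code):
    """Constructed MBR: given boot code, one bootable type-0x07 partition at
    LBA 2048 spanning 204800 sectors, three empty slots, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48
    return code + table + SIGNATURE


if __name__ == "__main__":
    clean = make_sample_mbr(b"\x33\xc0\x8e\xd0")   # constructed "known good"
    baseline = parse_mbr(clean)
    tampered = make_sample_mbr(b"\xeb\xfe")        # constructed altered boot code
    print("clean   :", check_against_baseline(clean, baseline))
    print("tampered:", check_against_baseline(tampered, baseline))
```

On a live system the sector comes from reading the first 512 bytes of the raw disk device (for example /dev/sda on Linux or \\.\PhysicalDrive0 on Windows, both requiring administrator rights). Because an MBR bootkit can intercept those reads and return clean data to the running OS, the comparison is most trustworthy when the disk is read from separate boot media. GPT disks carry only a protective MBR, and the same baseline approach applies to it.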

Likewise, don’t assume system firmware has not been compromised. If you can update the firmware, so can attackers. It isn’t hard for hacking organizations to investigate firmware hacking options when their enterprise targets standardize on hardware configurations, allowing a little lab effort to go a long way. The industrialization of cyber crime enables the development and sale of firmware hacks on the dark net to a wider criminal market.

Help Is Available With Good EDR Tools

After all of this bad news, there is an answer. When it comes to targeted ransomware attacks, taking proactive steps instead of reactive cleanup is far less painful. A good Endpoint Detection and Response (EDR) tool can help on both ends. EDR tools are good at identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposed vulnerabilities that they are best eliminated from the environment (Adobe Flash, for instance). EDR tools are also good at tracking all significant endpoint events, so that investigators can identify a “patient zero” and follow the pivot activity of targeted, enterprise-spreading ransomware. Attackers count on endpoint opacity to hide their actions from security personnel, but EDR provides open visibility into the significant endpoint events that may signal an attack in progress. EDR isn’t limited to the old anti-virus convict-or-acquit model, which lets newly remixed attack code evade AV detection.

Good EDR tools are always alert, always reporting, always tracking, available when you need them: now or retroactively. You wouldn’t turn a blind eye to enterprise network activity, so don’t turn a blind eye to enterprise endpoint activity.


Charles Leaver – Six Damage Control Questions To Ask Prior To A Breach

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The reality of modern life is that if attackers want to breach your network, it is just a matter of time before they succeed. The endpoint is the most common vector of attack, and people are the biggest point of vulnerability in any organization. The endpoint device is where they interact with whatever information an attacker wants: intellectual property, credentials, ransom, etc. There are new Next Generation Endpoint Security (NGES) solutions, of which Ziften is a leader, that provide the visibility and insight needed to help reduce or prevent the likelihood or duration of an attack. Methods of prevention include reducing the attack surface by removing known vulnerable applications, cutting version sprawl, killing malicious processes, and ensuring compliance with security policies.

But prevention can only go so far. No solution is 100% effective, so it is important to take a proactive, real-time approach to your environment: watching endpoint behavior, identifying when breaches have occurred, and responding immediately with remediation. Ziften also provides these capabilities, generally called Endpoint Detection and Response, and companies should shift their mindset from “How can we prevent attacks?” to “We are going to be breached, so what do we do then?”

To understand the true breadth or depth of an attack, organizations must be able to look back and reconstruct the conditions surrounding a breach. Security investigators need answers to the following six questions, and they need them fast, since Incident Response staff are outnumbered and working within limited time windows to mitigate damage.

Where was the attack behavior first seen?

This is where the ability to look back to the point in time of initial infection is essential. To do this effectively, organizations must be able to go as far back in time as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that when a breach occurs, the average dwell time before the breach is detected is a shocking 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to penetrate organizations within minutes. That’s why NGES solutions that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the crucial initial penetration. The DBIR also found that 95% of malware types appeared for less than a month, and four out of five didn’t last 7 days. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack took place), and reconstruct the initial infection.

How did it behave?

What happened step by step after the initial infection? Did malware execute for a second every 5 minutes? Was it able to escalate privileges? A continuous picture of what happened at the endpoint behaviorally is essential to get an investigation started.

How and where did the cyber attack spread after initial compromise?

Generally the attacker isn’t after the information available at the point of infection, but rather wants to use it as an initial beachhead from which to pivot through the network to the valuable data. Endpoints include the servers that the endpoints are connected to, so it is essential to be able to see a complete picture of any lateral movement that occurred after the infiltration, to understand exactly which assets were compromised and possibly also infected.
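An added Python example (my own construction, not Ziften’s code) of what answering this question looks like when the flow records are generated at the endpoint and carry the originating process and user, as the ZFlow post earlier on this page describes. Given a known patient zero and the time it was first compromised, it walks the records in time order and marks each host reached over a remote-execution or file-sharing port from an already-compromised host, producing the pivot tree. Host names, users, timestamps and the port list are assumptions for the demonstration; 203.0.113.7 is a documentation address.

```python
from datetime import datetime

# Ports whose use from one endpoint to another usually means remote file access
# or remote execution: SMB, RDP, WinRM (HTTP/HTTPS) and SSH. Assumption for the
# demo; tune to the environment being investigated.
PIVOT_PORTS = {445, 3389, 5985, 5986, 22}

# Constructed endpoint-generated flow records (what an agent that ties each
# connection to its originating process and user would report). Not real data.
FLOWS = [
    # timestamp, source host, source process, user, destination host, dst port
    ("2016-05-09 08:30:00", "WS-0300", "explorer.exe", "asmith", "FS-01", 445),
    ("2016-05-09 09:00:00", "WS-0142", "winword.exe", "jdoe", "203.0.113.7", 443),
    ("2016-05-09 09:00:05", "WS-0142", "winword.exe", "jdoe", "FS-01", 445),
    ("2016-05-09 09:02:10", "WS-0142", "cmd.exe", "jdoe", "WS-0207", 445),
    ("2016-05-09 09:04:00", "WS-0207", "svchost.exe", "SYSTEM", "DC-01", 389),
    ("2016-05-09 09:05:30", "WS-0207", "powershell.exe", "jdoe", "SRV-BACKUP", 3389),
    ("2016-05-09 09:20:00", "WS-0142", "outlook.exe", "jdoe", "MAIL-01", 443),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def reconstruct_pivots(flows, patient_zero, first_seen):
    """Walk the flows in time order starting from patient zero. A destination
    is marked compromised when an already-compromised host reaches it over a
    pivot port at or after the moment that host itself was compromised.
    Returns {host: {"at", "via", "process", "user", "port"}}: the tree of
    lateral movement an investigator needs to scope the incident."""
    compromised = {patient_zero: {"at": parse_ts(first_seen), "via": None,
                                  "process": None, "user": None, "port": None}}
    for ts, src, proc, user, dst, port in sorted(flows, key=lambda f: parse_ts(f[0])):
        when = parse_ts(ts)
        # Flows from hosts not (yet) compromised carry no pivot information.
        if src not in compromised or when < compromised[src]["at"]:
            continue
        if port in PIVOT_PORTS and dst not in compromised:
            compromised[dst] = {"at": when, "via": src, "process": proc,
                                "user": user, "port": port}
    return compromised


def timeline(tree):
    """Human-readable lines in order of compromise."""
    rows = sorted(tree.items(), key=lambda kv: kv[1]["at"])
    return ["%s %s <- %s (%s:%s)" % (v["at"], host, v["via"], v["process"], v["port"])
            for host, v in rows]


if __name__ == "__main__":
    tree = reconstruct_pivots(FLOWS, "WS-0142", "2016-05-09 09:00:00")
    for line in timeline(tree):
        print(line)
```

The tree is a set of hosts to investigate, not a verdict: a legitimate administrator RDP session from a compromised workstation is flagged too. That is where the process context pays off. winword.exe opening SMB to a file server seconds after an outbound download is itself anomalous, whereas explorer.exe on an uninvolved workstation reaching the same file server earlier is routine and is correctly ignored here, because its source was never compromised; the directory-server LDAP lookup from WS-0207 is likewise left out because port 389 is not a pivot channel.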

How did the infected endpoint’s behavior change?

What was going on before and after the infection? What network connections were being made? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are vital to fast triage.

What user activity happened, and was there any possible insider participation?

What actions did the user take before and after the infection occurred? Was the user present at the device? Was a USB drive inserted? Was the time of the activity outside their typical usage pattern? These and many more artifacts must be available to paint a full picture.

What mitigation is required to deal with the attack and prevent the next?

Reimaging the infected computer(s) is a time-consuming and expensive solution, but sometimes it is the only way to know for sure that all of the malicious artifacts have been removed (although state-sponsored attacks may embed into system or drive firmware to survive even reimaging). But with a clear picture of all the activity that occurred, simpler actions such as removing malicious files from all affected systems may be adequate. Re-examining security policies will most likely be necessary, and NGES solutions can help automate future actions should similar situations occur. Automatable actions include sandboxing, cutting off network access from infected computers, killing processes, and much more.

Don’t wait until after a breach occurs and you have to hire an army of consultants and spend time and money piecing the facts together. Make sure you are prepared to answer these six crucial questions and have all the answers within your grasp in minutes.