Charles Leaver – Changes For Endpoints With The Advent Of Illumination

Published by:

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

The traditional perimeter is dissolving fast. So what happens to the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. These investments are being questioned, because the returns no longer justify the cost and complexity of building, maintaining, and validating these legacy defenses.

More than that, the paradigm has changed: workers no longer work exclusively in the office. Many people log their hours from home or while traveling, and neither location sits under the umbrella of a corporate firewall. Instead of keeping cyber criminals out, firewalls often have the opposite effect: they keep authorized people from being productive. The paradox? They create a safe haven where attackers can breach, hide for many weeks, and then traverse to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the failure of perimeter defense described above and a “mobile everywhere” workforce, we now have to enforce trust at the endpoint. That is easier said than done, however.

In the endpoint space, identity and access management (IAM) systems are not the complete answer. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust goes beyond basic identification, authentication, and authorization.

Encryption is a second attempt at protecting whole libraries and selected assets. In the most recent (2016) Ponemon study on data breaches, encryption saved only 10% of the cost per breached record (from $158 to $142). It is not the panacea that some make it out to be.

The Whole Picture Is Changing

Organizations must be prepared to accept new paradigms and attack vectors. Companies still have to provide access to trusted groups and individuals, but they have to do it in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are quickly becoming more than 50% of the total enterprise workforce.

On endpoint devices, the binary is the main issue. Probably benign events, such as an executable crash, might indicate something simple, like the Windows 10 Desktop Window Manager (DWM) restarting. Or it could be a deeper problem, such as a malicious file or the early signs of an attack.

Trusted access does not address this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human factors. This calls for more than simple IAM; it requires behavioral analysis.

Rather than making good better, perimeter and identity access vendors made bad faster.

When and Where Does the Good News Begin?

Taking a step back, Google (Alphabet Corp) announced a perimeter-less network design in late 2014, and has made substantial progress since. Other organizations, from corporations to governments, have done this as well (quietly and less radically), but BeyondCorp has done it and shown its solution to the world. The design philosophy, endpoint plus (public) cloud displacing the cloistered enterprise network, is the key principle.

This changes the entire discussion: an endpoint, be it a laptop, PC, workstation, or server, is no longer subservient to the corporate/enterprise/private/organization network. The endpoint truly is the last line of defense, and it must be secured, yet also report its activity.

In Google’s own words: “Unlike the traditional perimeter security model, BeyondCorp does not gate access to tools and services based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both internal networks and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or ‘tiers,’ of access.”

By itself, this seems harmless. But the truth is that this is a radical new design, and an imperfect one. The access requirements have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, rather than a central model with room for breaches, hacks, and threats at the human level (the “soft chewy center”).

The bright side? Breaching the perimeter is very challenging for would-be attackers, and network pivoting becomes next to impossible once past the reverse proxy (a typical mechanism used by attackers today, proving that firewalls do a better job of keeping cyber criminals in than of letting the good guys out). The inverse design applies even more to Google cloud servers, presumably tightly managed inside the perimeter, versus client endpoints, which are all out in the wild.

Google has made some significant improvements on proven security methods, especially 802.1X and RADIUS, bundled them as the BeyondCorp architecture, and included strong identity and access management (IAM).

Why Is This Important? What Are the Gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google does not specifically show a device security agent or emphasize any kind of client-side monitoring (apart from extremely rigorous configuration control). While there may be reporting and forensics, this is something every company needs to be aware of, since it is a question of when, not if, bad things will happen.

Google describes the data volume behind its Device Inventory Service: “Since implementing the initial phases of the Device Inventory Service, we’ve ingested billions of deltas from over 15 data sources, at a typical rate of about three million per day, totaling over 80 terabytes. Keeping historical data is important in enabling us to understand the end-to-end lifecycle of a given device, track and evaluate fleet-wide patterns, and carry out security audits and forensic investigations.”

This is an expensive and data-heavy process with two shortcomings. On ultra-high-speed networks (used by organizations such as Google, universities and research institutions), there is enough bandwidth for this kind of communication to take place without flooding the pipes. The first concern is that in more pedestrian corporate and government settings, it would cause great user disruption.

Second, computing devices need the horsepower to continuously collect and transmit data. While many employees would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly make this prohibitive.

A Lack of Lateral Visibility

Few products actually generate ‘enhanced’ netflow, augmenting standard network visibility with rich, contextual data.

Ziften’s patented ZFlow™ provides network flow information generated from the endpoint, something otherwise achieved with brute force (human labor) or expensive network devices.

ZFlow serves as a “connective tissue” of sorts, which extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints, and enabling security teams to make faster, better informed and more precise decisions. In essence, investing in Ziften services results in labor savings, plus an increase in speed-to-discovery and time-to-remediation, because technology substitutes for human resources.

For companies moving or migrating to the cloud (as 56% plan to do by 2021, according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unrivaled visibility into cloud servers to better monitor and protect the complete infrastructure.

In Google’s environment, only corporate-owned devices (COPE) are allowed, crowding out bring your own device (BYOD). This works for a company like Google that can hand out new devices to all staff: phone, tablet, laptop, and so on. Part of the reason is the vesting of identity in the device itself, plus user authentication as usual. The device must meet Google requirements, having either a TPM or a software equivalent of a TPM, to hold the X.509 certificate used to verify device identity and to facilitate device-specific traffic encryption. There need to be multiple agents on each endpoint to validate the device predicates called out in the access policy, which is where Ziften would have to partner with the systems management agent provider, because agent cooperation is likely necessary to the process.

In summary, Google has developed a world-class solution, but its applicability and usefulness are limited to companies like Alphabet.

Ziften offers the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow tracking (from the endpoint), and a best-in-class console. For companies with specialized requirements or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment data ingestion and trigger response actions).

This brings the advantages of the BeyondCorp design to the masses, while conserving network bandwidth and endpoint (machine) computing resources. Because companies will be slow to move entirely away from the enterprise network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is increasingly shifting to managed detection and response (MDR). Managed security service providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is insufficient. They lack the skills and the technology.

Ziften’s solution has been tested, integrated, approved and deployed by a number of the emerging MDRs, demonstrating the standardization (capability) and flexibility of the Ziften platform to play a crucial role in remediation and incident response.

Charles Leaver – The Same Message From The 2016 Verizon DBIR Report


Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO

The 2016 Data Breach Investigations Report from Verizon Enterprise has been released, reviewing 64,199 security incidents leading to 2,260 security breaches. Verizon defines an incident as a compromise of the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than suffering them, Verizon provides numerous sections of recommended controls for security-conscious businesses. If you don’t care to read the complete 80-page report, Ziften offers this Verizon DBIR analysis with a spotlight on Verizon’s EDR-enabled recommended controls:

Vulnerabilities: Recommended Controls

A solid EDR tool performs vulnerability scanning and reporting of exposed vulnerabilities, including vulnerability exposure timelines that show the effectiveness of vulnerability management. The exposure timelines are important because Verizon emphasizes a systematic approach built on consistency and coverage, versus haphazard opportunistic patching.

Phishing: Recommended Controls

Although Verizon recommends user training to reduce phishing vulnerability, its data still shows almost a third of phishing messages being opened, with users clicking on the link or attachment more than one time in ten. Not good odds if you have at least ten users! Given the inevitable click compromise, Verizon suggests putting effort into detection of abnormal network activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR solution will not only track endpoint network activity, but also filter it against network threat feeds identifying malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology, enriching network flow data with endpoint context and attribution, so that SOC personnel have the decision context they need to quickly resolve network alerts.
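
The enrichment described here and in the ZFlow discussion above (flow data attributed to the endpoint process and user, then filtered against a threat feed) can be sketched in a few lines. This is an added example, not part of the original post and not Ziften’s ZFlow code; the socket table, host mapping, flow records and feed indicators are all constructed, using documentation address ranges.

```python
"""Enrich netflow-style records with endpoint process and user attribution,
then match destinations against a threat feed.

Added example, not Ziften's ZFlow code; all socket-table, flow and indicator
data below is constructed.
"""
import ipaddress

# Constructed per-endpoint socket table, as an EDR agent might snapshot it:
# (host, protocol, local_port) -> owning process and user.
SOCKET_TABLE = {
    ("ws-0142", "tcp", 49812): {"pid": 4120, "user": "CORP\\jdoe",
                               "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    ("ws-0142", "tcp", 51044): {"pid": 2211, "user": "CORP\\jdoe",
                               "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    ("ws-0077", "tcp", 52110): {"pid": 988, "user": r"NT AUTHORITY\SYSTEM",
                               "image": r"C:\Windows\System32\svchost.exe"},
}

# Constructed mapping of endpoint IPs to host names (from agent check-ins).
HOST_BY_IP = {"10.20.5.142": "ws-0142", "10.20.5.77": "ws-0077"}

# Constructed threat feed: host or CIDR indicator -> label.
THREAT_FEED = {
    "203.0.113.57": "constructed-C2-indicator",
    "198.51.100.128/25": "constructed-exfil-range",
}

# Constructed flow records in the usual 5-tuple-plus-counters shape.
FLOWS = [
    {"src": "10.20.5.142", "sport": 49812, "dst": "203.0.113.57", "dport": 443,
     "proto": "tcp", "bytes_out": 182_340},
    {"src": "10.20.5.142", "sport": 51044, "dst": "198.51.100.10", "dport": 443,
     "proto": "tcp", "bytes_out": 5_120},
    {"src": "10.20.5.77", "sport": 52110, "dst": "10.20.1.5", "dport": 445,
     "proto": "tcp", "bytes_out": 900},
    {"src": "10.20.9.9", "sport": 40000, "dst": "198.51.100.200", "dport": 22,
     "proto": "tcp", "bytes_out": 77_000},
]

_FEED = [(ipaddress.ip_network(k, strict=False), v) for k, v in THREAT_FEED.items()]


def feed_match(ip):
    """Return the feed label of the first indicator covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label in _FEED:
        if addr in net:
            return label
    return None


def enrich(flow, host_by_ip=HOST_BY_IP, sockets=SOCKET_TABLE):
    """Attach endpoint context to one flow. Attribution degrades cleanly (None)
    when the source host has no agent data or the local port is unknown."""
    host = host_by_ip.get(flow["src"])
    owner = sockets.get((host, flow["proto"], flow["sport"])) if host else None
    out = dict(flow)
    out["host"] = host
    out["pid"] = owner["pid"] if owner else None
    out["image"] = owner["image"] if owner else None
    out["user"] = owner["user"] if owner else None
    out["feed_hit"] = feed_match(flow["dst"])
    return out


def triage(flows):
    """Enriched flows that hit the feed, largest outbound byte count first,
    so the analyst sees process and user next to the indicator."""
    hits = [e for e in map(enrich, flows) if e["feed_hit"]]
    return sorted(hits, key=lambda e: e["bytes_out"], reverse=True)


if __name__ == "__main__":
    for e in triage(FLOWS):
        who = (f'{e["user"]} via {e["image"]} (pid {e["pid"]})' if e["pid"]
               else "unattributed (no agent data)")
        print(f'{e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]} '
              f'[{e["feed_hit"]}] {who}')
```

The unattributed fourth flow is the point of the exercise: a feed hit from a host with no endpoint data is exactly the alert an analyst cannot resolve quickly.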

Web App Attacks: Recommended Controls

Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A strong EDR solution will monitor login activity and apply anomaly checking to spot unusual login patterns indicative of compromised credentials.

Point-of-Sale Intrusions: Recommended Controls

Verizon recommends (and this has also been strongly recommended by FireEye/Mandiant) strong network segmentation of POS devices. Again, a strong EDR solution should be tracking network activity (to identify anomalous network contacts). ZFlow in particular is of great value in providing decision context for suspect network activity. EDR systems also address Verizon’s recommendation for remote login tracking on POS devices. In addition, Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with additional login pattern anomaly checking (since even MFA can be defeated with MITM attacks).

Insider and Privilege Misuse: Recommended Controls

Verizon recommends that you “monitor the heck out of [staff member] authorized day-to-day activity.” Continuous endpoint monitoring by a strong EDR product naturally provides this capability. In Ziften’s case our product tracks user presence periods and user focus activities while present (such as foreground application usage). Anomaly checking can identify unusual variances in the activity pattern, whether a temporal anomaly (i.e. something has changed this user’s typical activity pattern) or a spatial anomaly (i.e. this user’s behavior pattern differs considerably from peer behavior patterns).
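
The temporal and spatial checks just described (and the login pattern anomaly checking mentioned under web app attacks) can be illustrated with a small robust-statistics example. This is an added example, not part of the original post and not Ziften’s product code; the activity series are constructed, and the method (median/MAD modified z-score with the customary 3.5 cut-off) is a generic choice, not Ziften’s algorithm.

```python
"""Temporal and spatial anomaly checks over per-user daily activity measures.

Added example, not Ziften's code. ACTIVITY is constructed: one value per user
per day (for instance minutes of foreground application use, or a login count),
oldest first, with the last entry being "today". A median/MAD based modified
z-score is used so that one extreme peer does not inflate the spread and mask
a second outlier, which a plain mean/stdev z-score would do.
"""
from statistics import median

ACTIVITY = {
    "alice": [410, 425, 398, 402, 415, 430, 405, 420, 412, 399, 418, 408, 415, 409],
    "bob":   [380, 395, 402, 388, 376, 390, 401, 399, 384, 392, 388, 397, 391, 385],
    "carol": [405, 418, 411, 396, 420, 402, 413, 407, 399, 416, 410, 404, 408, 1140],
    "dave":  [398, 407, 415, 409, 400, 412, 404, 398, 406, 410, 403, 409, 412, 401],
}
CUTOFF = 3.5  # usual threshold for the modified z-score


def modified_z(value, reference):
    """Robust z-score of value against a reference sample: 0.6745 * (x - med) / MAD."""
    med = median(reference)
    mad = median(abs(x - med) for x in reference)
    if mad == 0:  # constant reference: any deviation at all is anomalous
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def temporal_score(user, activity=ACTIVITY):
    """Today's value against this user's own history (has the user changed?)."""
    series = activity[user]
    return modified_z(series[-1], series[:-1])


def spatial_score(user, activity=ACTIVITY):
    """Today's value against all peers' values for today (is the user unlike peers?)."""
    peers = [s[-1] for u, s in activity.items() if u != user]
    return modified_z(activity[user][-1], peers)


def check_user(user, activity=ACTIVITY, cutoff=CUTOFF):
    t = temporal_score(user, activity)
    s = spatial_score(user, activity)
    return {"user": user, "temporal_z": round(t, 2), "spatial_z": round(s, 2),
            "temporal_anomaly": abs(t) > cutoff, "spatial_anomaly": abs(s) > cutoff}


def flagged(activity=ACTIVITY, cutoff=CUTOFF):
    """Users anomalous on either axis; a SOC would review these first."""
    results = [check_user(u, activity, cutoff) for u in activity]
    return [r for r in results if r["temporal_anomaly"] or r["spatial_anomaly"]]


if __name__ == "__main__":
    for r in flagged():
        print(r)
```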

Verizon also suggests tracking usage of USB storage devices, which solid EDR products offer, because they can serve as a “sneaker exfiltration” route.

Miscellaneous Errors: Recommended Controls

Verizon’s recommendations in this area concentrate on maintaining a record of past errors to serve as a warning of errors to avoid in the future. Solid EDR products do not forget; they preserve an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future event has uncovered an intrusion and response teams need to go back and “find patient zero” to unravel the incident and determine where errors may have been made.

Physical Theft and Loss: Recommended Controls

Verizon suggests (and numerous regulators demand) full disk encryption, particularly for mobile devices. A strong EDR system will verify that endpoint configurations comply with the corporate encryption policy, and will alert on violations. Verizon reports that data assets are physically lost one hundred times more often than they are physically stolen, but the effect is essentially the same for the affected enterprise.

Crimeware: Recommended Controls

Once again, Verizon emphasizes vulnerability management and consistent, comprehensive patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This yields an accurately updated vulnerability assessment at any moment.
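
To make the NVD-against-inventory matching and the exposure timelines from the vulnerabilities section concrete, here is an added example (not part of the original post and not Ziften’s product code). The feed records, CVE identifiers (placeholders, not real CVE numbers), version boundaries, host names and dates are all constructed; the only NVD detail borrowed is the `versionEndExcluding` semantics of a CPE match, meaning versions below that value are affected.

```python
"""Match a process-image inventory against an NVD-style feed and compute
exposure timelines against a tolerance measured in days.

Added example, not Ziften's code. All records below are constructed and the
CVE ids are placeholders. Version matching is simplified to dotted integers.
"""
from datetime import date

TODAY = date(2016, 6, 30)   # constructed "now"
TOLERANCE_DAYS = 30         # constructed exposure tolerance

# Constructed NVD-like feed. versionEndExcluding follows the NVD CPE-match
# meaning: versions strictly below it are affected; None means every version
# is affected and no fix exists (an unsupported product).
FEED = [
    {"cve": "CVE-0000-0001", "published": date(2016, 5, 13),
     "vendor": "adobe", "product": "flash_player", "versionEndExcluding": "21.0.0.242"},
    {"cve": "CVE-0000-0002", "published": date(2016, 6, 7),
     "vendor": "mozilla", "product": "firefox", "versionEndExcluding": "47.0"},
    {"cve": "CVE-0000-0003", "published": date(2016, 4, 20),
     "vendor": "apple", "product": "quicktime", "versionEndExcluding": None},
]

# Constructed process-image observations from endpoint monitoring. last_seen
# equal to TODAY means the image is still present; earlier means it went away
# (for example it was patched and a newer version record replaced it).
INVENTORY = [
    {"host": "ws-0142", "vendor": "adobe", "product": "flash_player", "version": "21.0.0.213",
     "first_seen": date(2016, 3, 1), "last_seen": TODAY},
    {"host": "ws-0077", "vendor": "adobe", "product": "flash_player", "version": "21.0.0.213",
     "first_seen": date(2016, 3, 1), "last_seen": date(2016, 5, 20)},
    {"host": "ws-0077", "vendor": "adobe", "product": "flash_player", "version": "21.0.0.242",
     "first_seen": date(2016, 5, 20), "last_seen": TODAY},
    {"host": "ws-0142", "vendor": "mozilla", "product": "firefox", "version": "46.0.1",
     "first_seen": date(2016, 5, 5), "last_seen": TODAY},
    {"host": "ws-0200", "vendor": "apple", "product": "quicktime", "version": "7.7.9",
     "first_seen": date(2015, 1, 10), "last_seen": TODAY},
]


def parse_version(s):
    """'21.0.0.213' -> (21, 0, 0, 213); tuples compare element-wise."""
    return tuple(int(p) for p in s.split("."))


def is_affected(record, cve):
    if (record["vendor"], record["product"]) != (cve["vendor"], cve["product"]):
        return False
    if cve["versionEndExcluding"] is None:
        return True
    return parse_version(record["version"]) < parse_version(cve["versionEndExcluding"])


def exposures(feed=FEED, inventory=INVENTORY, today=TODAY, tolerance=TOLERANCE_DAYS):
    """One exposure row per (inventory record, CVE) match. Exposure starts when
    both the vulnerable image was present and the CVE was public; it ends when
    the image disappears, or stays open until today."""
    rows = []
    for rec in inventory:
        for cve in feed:
            if not is_affected(rec, cve):
                continue
            start = max(cve["published"], rec["first_seen"])
            closed = rec["last_seen"] < today
            end = rec["last_seen"] if closed else today
            days = (end - start).days
            rows.append({"host": rec["host"], "cve": cve["cve"], "product": rec["product"],
                         "version": rec["version"], "exposed_from": start,
                         "exposed_days": days, "open": not closed,
                         "over_tolerance": days > tolerance})
    return rows


def summary(rows):
    """Per-CVE view for the exposure timeline report."""
    out = {}
    for r in rows:
        s = out.setdefault(r["cve"], {"open_hosts": 0, "max_days": 0, "over_tolerance": 0})
        s["open_hosts"] += r["open"]
        s["max_days"] = max(s["max_days"], r["exposed_days"])
        s["over_tolerance"] += r["over_tolerance"]
    return out


if __name__ == "__main__":
    for r in exposures():
        print(r)
    print(summary(exposures()))
```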

Verizon also advises capturing malware analysis data in your own enterprise environment. EDR tools track the arrival and execution of new binaries, and Ziften’s product can acquire samples of any binary present on enterprise endpoints and send them for in-depth static and dynamic analysis by our malware research partners.

Cyber-Espionage: Recommended Controls

Here Verizon specifically calls out the use of endpoint threat detection and response (ETDR) tools, referring to the security tool sector that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening actions whose compliance can be verified by EDR tools.

Verizon also advises strong network protections. We have already discussed how Ziften ZFlow can greatly enhance standard network flow monitoring with endpoint context and attribution, providing a combination of network and endpoint security that is truly end-to-end.

Finally, Verizon advises monitoring and logging, which is the first thing third-party incident responders ask for when they arrive on scene to assist in a breach crisis. This is the prime purpose of EDR tools, because the endpoint is the most frequent entry vector in a major data breach.

Denial-of-Service Attacks: Recommended Controls

Verizon suggests managing port access to prevent enterprise assets from being used to take part in a DoS attack. EDR products can track port usage by applications and use anomaly checks to identify unusual application port usage that might indicate compromise.

Business services moving to cloud providers also require protection from DoS attacks, which the cloud service provider may provide. However, when it comes to network traffic monitoring in the cloud, where the business may lack cloud network visibility, options like Ziften ZFlow provide a means of gathering enhanced network flow data directly from cloud virtual servers. Do not let the cloud become your network blind spot, or attackers will exploit it to fly under your radar.

A Doomsday Movie Cyber Attack Could Happen So Protect Your Organization With Endpoint Security – Charles Leaver


A Post By Charles Leaver

Recent evidence suggests that cyber security will be a huge concern for banks and utilities over the next few years. A company that operates in an industry sector where a cyber attack might have a destabilizing effect, which includes the oil and gas and banking industries, really needs a strategy for how it will safeguard its servers from such attacks. The average person may not yet consider it a major threat, but attempts to hack the networks of these companies could destabilize water supplies, power lines and more. The most effective way for security teams within these companies to prevent their servers from being attacked by cyber criminals is to deploy modern software along with other security techniques to build robust defenses.

A recent review by the AP news agency showed that cyber attacks on federal networks had increased from 30,000 to 50,000 since 2009, a 66% increase. A survey of experts by the Pew Research Center revealed that 60% of them believed the U.S. would suffer a major cyber attack by 2025, with fallout that would be devastating and widespread. Widespread meant a considerable loss of life and property losses totaling billions of dollars. These events were considered likely because the opportunity cost of conducting a cyber war is so low. Cyber criminals can infiltrate the network and then hide behind plausible deniability. Although this might sound like a warning for the federal government only, any cyber criminal group wishing to attack at the federal level would likely first practice on private sector servers, both to test their attacks and to obtain much needed money and other resources.

What Is The Relationship Between Public And Private Security?

There may be a variety of reasons that a hacker will target a company in the oil and gas or finance sectors, but some similarities exist. If the intent is to destabilize the daily lives of U.S. residents, then either industry would serve. This is the reason that cyber security for those institutions is a matter of national concern. Organizations in these sectors need to monitor the national understanding of cyber security so that they can protect themselves from the many prospective cyber attacks that might pose a problem for them. They need to understand that cyber security protection such as endpoint threat detection and response software, malware and anti-virus suites, firewalls and encryption is essential for these organizations. In the future the danger from these advanced cyber attacks will increase, and those companies that are not fully prepared to handle these attacks and get breached will have to deal with a public that will be very angry about their data being stolen.

Network security at the basic level involves making certain that constant updates are applied to security systems and deploying the most appropriate ones. Deploying endpoint threat detection and response software will reduce a number of these problems by placing a human in charge of keeping an eye on data as it flows through the network and supplying user-assisted tools. Network usage will be more readily visible using this software and it will be much easier to determine whether any services are being misused. Endpoint threat detection software must be implemented if a fully featured cyber security system that provides the highest level of defense is desired.

Charles Leaver – Continuing To Support Adobe Flash Can Mean A Big Security Risk


Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

Still Supporting Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memo?

With Independence Day looming, a metaphor is in order: Flash is a bit like lighting fireworks. There may be less risky ways to do it, but the only sure way is simply to avoid it. And with Flash, you needn’t fight pyromaniac urges to abstain from it; just manage your endpoint configurations.

Why would you want to do this? Well, a Google query for “Flash vulnerability” returns 13 million results! Flash is old and spent and ready for retirement, as Adobe put it themselves:

Today [November 30, 2015], open standards such as HTML5 have matured and offer a number of the abilities that Flash ushered in… Looking forward, we encourage content developers to develop with new web standards…

Run a vulnerability scanner across your endpoint population. See any Flash mentions? Yes, in the typical enterprise, zillions. Your adversaries know that too, and they are counting on it. Thanks very much for contributing! Just keep ignoring those pesky security bloggers, like Brian Krebs:

I would suggest that if you use Flash, you should strongly consider removing it, or at least hobbling it until and unless you need it.

Ignoring Brian Krebs’ advice raises the odds that your enterprise’s data breach will be the feature story in one of his future blog posts.

Flash Exploits: the Preferred Exploit Kit Ingredient

The endless list of Flash vulnerabilities grows longer with each new patch cycle. Nation state attackers and the better resourced syndicates can call upon Flash zero days. They aren’t hard to mine: point a fuzzer at the creaking Flash codebase and watch them roll out. If an offensive cyber team cannot call upon zero days, not to worry, there are plenty of freshly published Flash Common Vulnerabilities and Exposures (CVE) entries to draw upon before enterprise patch cycles catch up. For exploit kit authors, Flash is the gift that keeps on giving.

A recent FireEye blog exemplifies this typical Flash vulnerability progression, from virgin zero-day to freshly hatched CVE and prime enterprise exploit:

On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later (Published to FireEye Threat Research Blog on May 13, 2016).

As a quick test, check your vulnerability report for that entry, CVE-2016-4117. It was used in targeted cyber attacks as a zero-day even before it became a known vulnerability. Now that it is known, popular exploit kits will pick it up. Be sure you are ready.

Start a Flash and QuickTime Removal Project

While we have not discussed QuickTime yet, Apple ended support for QuickTime on Windows in April 2016. This summarily set off a panic in corporations with large numbers of Apple macOS and Windows clients. Do you eliminate all support for QuickTime? Including on macOS? Or just Windows? How do you find the unsupported versions when there are so many floating around?


By doing nothing, you flirt with catastrophe, with Flash vulnerability exposures rife across your client endpoint population. Alternatively, you can start a Flash and QuickTime eradication project to move towards a Flash-free enterprise. Or, wait, maybe you educate your users not to glibly open e-mail attachments or click on links. User education, that always works, right? I don’t think so.

One problem is that some of your users have a job function that requires opening attachments, such as PDF invoices sent to accounts payable, candidate Microsoft Word résumés sent to recruiting, or legal notices sent to the legal department.

Let’s take a closer look at the Flash exploitation described by FireEye in the blog post mentioned above:

Attackers had embedded the Flash exploit inside a Microsoft Office document, which was then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could share their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target using Windows and Microsoft Office.

Even if the Flash-averse enterprise had completely purged Flash enablement from all of its various browsers, this exploitation would still have succeeded. Completely eliminating Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Microsoft Office or PDF documents. That is certainly a step that must be taken as a minimum for those departments whose job function is to open attachments from unsolicited e-mails. Extending outward from there is a worthwhile configuration hardening objective for the security-conscious enterprise.

Not to mention, we’re all waiting for the first post about a QuickTime vulnerability that devastates a major enterprise.


Charles Leaver – Take Steps To Protect Your Organization From Ransomware


Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Ransomware customized for enterprise attack campaigns has emerged in the wild. This is an obvious evolution of consumer-grade ransomware, driven by the larger bounties that businesses are able to pay combined with the sheer scale of the attack surface (internet facing endpoints and unpatched software). To the attacker, your business is an appealing target with a big fat wallet just asking to be knocked over.

Your Organization is an Attractive Target

Simple Google queries may already have identified unpatched internet facing servers by the score across your domain, or your credulous users may already be opening “spear phishing” e-mails crafted just for them, supposedly authored by people they know.

The weaponized invoices are sent to your accounting department, the weaponized legal notices to your legal department, the weaponized résumés to your human resources department, and the weaponized trade publication articles to your public relations firm. That should cover it, to begin with. Add the watering hole drive-bys planted on industry sites frequented by your employees, the social media attacks targeted at your key executives and their families, the infected USB sticks strewn around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise isn’t an “if” but a “when”; the when is continuous, the who is legion.

Targeted Ransomware Is Here

Malware analysts are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak discuss this in an excerpt from Intel Security Advanced Threat Research, February 2016:

“Throughout the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system, several tools were used to find, encrypt, and delete the original files as well as any backups.”

Careful reading of this citation immediately exposes the steps to be taken. Initial penetration was by “vulnerability exploitation,” as is frequently the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Since the attackers spread their access to every connected system they could, robust network segmentation and access controls are also requisite. Think of them as the watertight compartments on a warship that keep it from sinking when the hull is breached. Of special note, the attackers deleted the original files along with any backups, so there must be no delete access from a compromised system to its backup files; systems should only be able to append to their backups.

Your Backups Are Not Up to Date, Are They?

Of course, there must be current backups of any files that need to survive an enterprise intrusion. Paying the ransom is not a reliable option because any files produced by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators cannot accept files excreted from some malware orifice as legally valid, the chain of custody having been entirely broken. Financial data might have been modified with fraudulent transactions, configuration data might have been tampered with, viruses might have been planted for later re-entry, or the malware’s file manipulations might simply have had errors or omissions. There would be no way to place any confidence in such data, and accepting it as legitimate could further compromise all future downstream data dependent upon or derived from it. Treat ransomware data as trash. Either have a robust backup strategy, regularly tested and verified, or prepare to suffer your losses.

What Is Your Preparation for a Breach?

Even with sound backups, the confidentiality of affected data should be assumed to be breached, since it was read by malware. Even with detailed network logs, it would be impracticable to prove that no data had been exfiltrated. In a targeted attack the attackers typically take a data inventory, evaluating at least samples of the data to assess its potential value; they could be leaving money on the table otherwise. Data ransom demands may merely be the last monetization stage in an enterprise breach, after all other value has been mined from the intrusion, because the ransom demand exposes the compromise.

Have a Thorough Remediation Strategy

One must assume that skilled attackers have set up multiple, cunningly concealed avenues of re-entry at various staggered time points (well after your crisis team has stood down and expensive consultants have flown off to their next gig). Any stray evidence left behind was carefully staged to deceive investigators and deflect blame. Expensive re-imaging of systems must be exceptionally thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.

Likewise, don't assume system firmware has not been compromised. If you can update the firmware, so can attackers. It isn't difficult for hacking groups to explore firmware hacking options when their enterprise targets standardize system hardware configurations, allowing a little laboratory effort to go a long way. The industrialization of cyber crime permits the development and sale of firmware hacks on the dark net to a wider criminal market.

Help Is On Offer With Great EDR Tools

After all of this bad news, there is an answer. When it comes to targeted ransomware attacks, taking proactive action instead of reactive clean-up is far less painful. A good Endpoint Detection and Response (EDR) tool can help on both ends. EDR tools are good at identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposing vulnerabilities that they are best eliminated from the environment (Adobe Flash, for example). EDR tools are likewise proficient at tracking all significant endpoint events, so that investigators can identify a “patient zero” and track the pivot activity of targeted enterprise-spreading ransomware. Attackers rely on endpoint opacity to hide their actions from security staff, but EDR is there to provide open visibility of the notable endpoint events that could signal an attack in progress. EDR isn't restricted to the old anti-virus convict-or-acquit model, which allows freshly remixed attack code to evade AV detection.

Good EDR tools are always vigilant, constantly reporting, always tracking, and available when you need them: now or retroactively. You would not turn a blind eye to enterprise network activity, so do not turn a blind eye to enterprise endpoint activity.


Charles Leaver – Gartner UEBA Report Highlights Behavioral Analytics New Trends

Written By Josh Linder And Presented By Ziften CEO Charles Leaver

The market for enterprise behavioral analytics is evolving – again – to support the security use case. In the recent Gartner User and Entity Behavior Analytics (UEBA) Trends Report, Ziften is delighted to be listed as a “Vendor to Watch.” We believe that our established relationships with threat intelligence feeds and visualization tools reflect our inclusion within this research note.

In the UEBA market report, analysts Eric Ahlm and Avivah Litan explain that there is a possible convergence in the advanced threat and analytics markets. The notion of UEBA – which extends user behavioral analytics to now include organizations, business processes, and autonomous devices such as the Internet of Things – requires deep understanding and the ability to respond rapidly and efficiently.

Our platform offers threat detection across different behavior vectors, rather than looking at a single-threaded signature feed. With integrations to orchestration and response systems, Ziften uniquely couples signature-based and behavioral analysis, while bridging the gap from protecting the endpoint to securing the entity. Continuous monitoring from the endpoint – including network flow – is crucial to understanding the complete threat landscape and essential for a holistic security architecture.

We commend Gartner on identifying four areas for security and analytics vendors to focus on: User Behavior, Host/App Behavior, Network Behavior, and External Communications Behavior. We are the only endpoint vendor – today – to monitor both network behavior and external communications behavior. Ziften's ZFlow™ uses network telemetry to go beyond basic IPFIX flow data, augmenting it with Layer 4 and Layer 5 operating system and user behavior. Our threat intelligence integration – with Blue Coat, iSIGHT Partners, AlienVault and the National Vulnerability Database – is second to none. In addition, our special relationship with ReversingLabs offers binary analysis directly within the Ziften administration console.

Ultimately, our continuous endpoint visibility platform is pivotal in helping to discover behavioral threats that are hard to correlate without the use of advanced analytics.

Gartner Report

Six additional technology trend takeaways that Gartner readers should consider:

– Application of Analytics to Detecting Breaches Varies
– Data Science for Analytics Technologies Still Emerging
– The Need for Extended Telemetry Drives Analytics Market Convergence
– Convergence Between Analytics-Based Detection Vendors and Orchestration/Response Vendors Likely
– SIEM Technologies Positioned to Be Central to Consolidation for Analytics Detection
– Advanced Behavioral Analytics Providers Extending Their Reach to Security Buyers


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Charles Leaver – Ask These 6 Questions For Damage Control Before A Cyber Attack

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The reality of modern life is that if cyber attackers want to breach your network, it is only a matter of time before they succeed. The endpoint is the most common vector of attack, and people are the greatest point of vulnerability in any organization. The endpoint device is where they interact with whatever a hacker seeks: intellectual property, data, cyber ransom, and so on. There are new Next Generation Endpoint Security (NGES) systems, in which Ziften is a leader, that supply the needed visibility and insight to help reduce or prevent the opportunities for, and the duration of, an attack. Methods of prevention include reducing the attack surface by removing known vulnerable applications, curtailing version proliferation, killing malicious processes, and ensuring compliance with security policies.

But prevention can only go so far. No solution is 100% effective, so it is important to take a proactive, real-time approach to your environment: watching endpoint behavior, identifying when breaches have occurred, and responding immediately with remediation. Ziften also provides these capabilities, commonly known as Endpoint Detection and Response, and organizations should change their mindset from “How can we prevent attacks?” to “We will be breached, so what do we do then?”

To understand the true breadth or depth of an attack, organizations have to be able to rewind the clock and reconstruct the conditions surrounding a breach. Security investigators need answers to the following six questions, and they need them quickly, since incident responders are outnumbered and working within limited time windows to reduce damage.

Where was the cyber attack behavior initially seen?

This is where the ability to look back to the point in time of initial infection is critical. To do this effectively, organizations must be able to go as far back in history as necessary to determine patient zero. The unfortunate state of affairs, according to Gartner, is that when a breach occurs, the typical dwell time before it is discovered is a stunning 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to penetrate organizations within minutes. That's why NGES systems that do not continuously monitor and record activity, but rather periodically poll or scan the endpoint, can miss the critical initial penetration. Likewise, the DBIR found that 95% of malware types appeared for less than four weeks, and four out of five didn't last seven days. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack occurred), and reconstruct the initial infection.

How did it act?

What happened, step by step, after the initial infection? Did malware execute for a second every five minutes? Was it able to obtain escalated privileges? A continuous picture of what happened behaviorally at the endpoint is critical to getting an investigation started.

How and where did the cyber attack disperse after preliminary compromise?

Normally the attacker isn't after the data available at the point of infection, but rather wants to use it as an initial beachhead from which to pivot through the network to reach the valuable data. Endpoints include the servers that the endpoints are connected to, so it is essential to be able to see a complete picture of any lateral movement that occurred after the infiltration, to know exactly which assets were compromised and potentially also infected.
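To make the patient-zero and lateral-movement reconstruction described in the last two questions (and in the EDR discussion above) concrete, here is an added Python example; it is not Ziften's code nor from the original post, and the hosts, users, hashes and timestamps in its event stream are invented.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values)
    host: str
    kind: str      # "proc" = process start, "conn" = outbound connection
    detail: str    # "proc": hash of the launched binary; "conn": destination host
    user: str = ""


# Constructed sample telemetry (invented hosts, users, hashes and timestamps).
BAD_HASH = "sha256:PLACEHOLDER-malicious-binary"
EVENTS: List[Event] = [
    Event(100, "ws-12", "proc", "sha256:PLACEHOLDER-mail-client", "alice"),
    Event(130, "ws-12", "proc", BAD_HASH, "alice"),          # initial infection
    Event(140, "ws-12", "conn", "fs-01"),                    # pivot to file server
    Event(150, "ws-12", "conn", "ws-30"),                    # probe that led nowhere
    Event(200, "fs-01", "proc", BAD_HASH, "svc-backup"),
    Event(260, "fs-01", "conn", "db-02"),
    Event(300, "db-02", "proc", BAD_HASH, "svc-db"),
    Event(310, "ws-30", "proc", "sha256:PLACEHOLDER-browser", "bob"),
]


def first_execution(events: List[Event], bad_hash: str) -> Dict[str, Event]:
    """Earliest execution of bad_hash on each host ('where was it first seen?')."""
    seen: Dict[str, Event] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "proc" and e.detail == bad_hash and e.host not in seen:
            seen[e.host] = e
    return seen


def patient_zero(events: List[Event], bad_hash: str) -> Optional[str]:
    """Host with the earliest execution of bad_hash, or None if it never ran."""
    first = first_execution(events, bad_hash)
    return min(first.values(), key=lambda e: e.ts).host if first else None


def pivot_chain(events: List[Event], bad_hash: str) -> Dict[str, Optional[str]]:
    """For each infected host, the already-infected host that most recently connected
    to it before its own first execution (None for patient zero). Hosts that were
    only probed and never ran the binary (ws-30 above) do not appear."""
    first = first_execution(events, bad_hash)
    conns = sorted((e for e in events if e.kind == "conn"), key=lambda e: e.ts)
    chain: Dict[str, Optional[str]] = {}
    for host, fe in sorted(first.items(), key=lambda kv: kv[1].ts):
        parent = None
        for c in conns:
            if (c.detail == host and c.ts < fe.ts
                    and c.host in first and first[c.host].ts < fe.ts):
                parent = c.host          # later connections overwrite earlier ones
        chain[host] = parent
    return chain


if __name__ == "__main__":
    print("patient zero:", patient_zero(EVENTS, BAD_HASH))
    for h, via in pivot_chain(EVENTS, BAD_HASH).items():
        print(f"{h}: infected via {via or 'initial access'}")
```

The same walk over retained history answers the user question below as well, since each execution record carries the account that launched it.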

How did the behavior of the infected endpoint(s) change?

What was going on before and after the infection? What network connections were being attempted? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are critical to fast triage.

What user activity took place, and was there any potential insider involvement?

What actions did the user take before and after the infection occurred? Was the user present at the device? Was a USB drive inserted? Was the time period outside their normal usage pattern? These and many more artifacts must be available to paint a complete picture.

What mitigation is needed to deal with the cyber attack and prevent another one?

Reimaging the infected machine(s) is a lengthy and costly solution, but many times it is the only way to know for sure that all malicious artifacts have been removed (although state-sponsored attacks may embed into system or drive firmware to remain immune even to reimaging). But with a clear picture of all activity that took place, simpler actions such as removing malicious files from all affected systems may suffice. Re-examining security policies will most likely be necessary, and NGES solutions can help automate future actions should comparable scenarios arise. Automatable actions include sandboxing, cutting off network access from infected devices, killing processes, and much more.

Don't wait until after a cyber attack occurs and you have to call in an army of consultants and spend your time and money piecing the facts together. Make sure you are prepared to answer these six crucial questions and have all the answers within your grasp in minutes.


Charles Leaver – It Is Believed That The IRS Hack Began With Compromised Endpoints

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

Internal Revenue Service Hackers Make Early Returns Due to Previous External Attacks

The Internal Revenue Service breach was the most unusual cyber attack of 2015. Classic attacks today involve phishing emails aimed at obtaining initial access to target systems, where lateral movement is then carried out until data exfiltration takes place. But the IRS hack was different – much of the data required to perform it had been obtained previously. In this case, all the hackers needed to do was walk in the front door and file the returns. How could this happen? Here's what we know:

The IRS website has a “Get Transcript” function for users to retrieve prior tax return details. As long as the requester can provide the correct details, the system will return past and current W-2s, old tax returns, etc. With anybody's SSN, date of birth and filing status, the attackers could begin the retrieval process for past filing years' information. The system also had a Knowledge Based Authentication (KBA) system, which asked questions based on the requesting user's credit history.

KBA isn't foolproof, however. The questions it asks can often be predicted from other information already learned about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following vehicles have you owned?”

After the dust settled, it's estimated that the hackers attempted to collect 660,000 transcripts of prior taxpayer information via Get Transcript, and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the hackers could not provide the correct answers. It's estimated that the attackers got away with over $50 million. So, how did the hackers do it?

Security analysts believe that the attackers used information from previous breaches, such as SSNs, DOBs, addresses and filing statuses, to attempt to obtain prior tax return details on their target victims. If they were successful and answered the KBA questions correctly, they submitted a claim for the 2015 calendar year, often inflating the withholding amount on the tax return form to obtain a bigger refund. As mentioned previously, not all attempts were successful, but over 50% of the attempts led to significant losses for the IRS.

Detection and response systems like Ziften are focused on recognizing when endpoints have been compromised (for example through phishing attacks). We do this by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used details gleaned from previous attacks outside the IRS, the compromised businesses could have benefited from the visibility Ziften provides and mitigated against mass data exfiltration. Ultimately, the IRS appears to be the vehicle – rather than the initial victim – of these cyber attacks.


Charles Leaver – Comcast Customers Are At Risk From Shared Hacks And Data Exfiltration

Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

Comcast Customers Are Victims Of Data Exfiltration and Shared Hacks Via Other Companies

The private details of roughly 200,000 Comcast customers were compromised on November 5th 2015. Comcast was forced to make this announcement when it came to light that a list of 590,000 Comcast customer emails and passwords could be bought on the dark web for a token $1,000. Comcast maintains that there was no attack on its network, but rather that the data came from past, shared hacks of other businesses. Comcast further claims that only 200,000 of these 590,000 customers actually still exist in its system.

Less than two months earlier, Comcast had already been slapped with a $22 million fine over its accidental publishing of almost 75,000 customers' personal information. Somewhat ironically, these customers had specifically paid Comcast for “unlisted voice-over-IP,” a line item on the Comcast bill that specified that each customer's information would be kept private.

Comcast instituted a mass reset of the 200,000 customer passwords, since attackers might have accessed these accounts before the list was put up for sale. While a simple password reset by Comcast will to some extent secure these accounts moving forward, it does nothing to protect those customers who may have reused the same email and password combination on banking and credit card logins. If the customer accounts were accessed before the disclosure, it is certainly possible that other personal information – such as automatic payment details and home address – was already obtained.

The bottom line is: assuming Comcast wasn't attacked directly, it was the victim of numerous other hacks that contained data connected to its customers. Detection and response solutions like Ziften can prevent mass data exfiltration and often reduce the damage done when these inevitable attacks occur.


Charles Leaver – Trump Hotels Were Breached Because Of Point Of Sale Vulnerabilities That Were Not Visible

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Trump Hotels Point-of-Sale Vulnerabilities Emphasize Need for Faster Detection of Anomalous Activity

Trump Hotels suffered a data breach between May 19, 2014 and June 2, 2015. The point of infection was malware, which infected their front desk computers, POS systems, and restaurants. However, in their own words they state that they “did not discover any evidence that any consumer information was taken from our systems.” While it's comforting to learn that no evidence was found, if malware is present on POS systems it is most likely there to steal details of the credit cards that are swiped, or increasingly tapped, inserted, or waved. A lack of evidence does not imply the absence of a crime, and to Trump Hotels' credit, they have provided free credit monitoring services.

If you examine a point-of-sale (POS) system as an administrator, however, you'll find one thing in abundance: they rarely change, and the software will be nearly uniform across the deployment environment. This presents both positives and negatives when considering how to secure such an environment. Software changes are slow to happen, need extensive testing, and are hard to roll out.

However, because such an environment is so homogeneous, it is also a lot easier to notice when something new has changed on a point-of-sale system.

At Ziften we monitor all executing binaries and network connections that occur within an environment the moment they take place. If a single point-of-sale system started to make new network connections, or started running new software, regardless of its intent, it would be flagged for further review and investigation. Ziften also retains unlimited historical data from your environment. If you want to know exactly what happened six to twelve months ago, this is not an issue. Dwell times and AV detection rates can be determined using our integrated threat feeds, along with our binary collection and submission technology. Likewise, we'll tell you which users launched which applications at what time across this historical record, so you can find your initial point of infection.
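As an added illustration of why a homogeneous POS fleet is easy to monitor, here is a Python example (not Ziften's code, and not part of the original post) that derives a fleet-wide baseline of executed binaries and network destinations by consensus, flags the terminal that deviates from it, and walks retained history back to the first deviating event and the user who caused it; hosts, hashes, addresses and users are invented.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

Obs = Tuple[str, str]                # ("bin", file hash) or ("net", "dest:port")
Ev = Tuple[int, str, str, str, str]  # (timestamp, host, user, kind, value)


def _normal(host: str, t: int) -> List[Ev]:
    """The fixed workload every terminal in the fleet is expected to show."""
    return [(t, host, "pos", "bin", "h:posapp"),
            (t + 1, host, "pos", "bin", "h:agent"),
            (t + 2, host, "pos", "net", "pay-gw.example:443")]


# Constructed telemetry (invented hosts, hashes, addresses, users): four identical
# terminals, one of which later runs an unknown binary and talks to a new address.
EVENTS: List[Ev] = [e for i, h in enumerate(["pos-01", "pos-02", "pos-03", "pos-04"])
                    for e in _normal(h, 1000 + 10 * i)]
EVENTS += [(5000, "pos-04", "svc-maint", "bin", "h:unknown-1"),
           (5003, "pos-04", "svc-maint", "net", "203.0.113.7:8080")]


def observations(events: List[Ev]) -> Dict[str, Set[Obs]]:
    """Collapse the event stream into the set of things each host was seen doing."""
    per_host: Dict[str, Set[Obs]] = defaultdict(set)
    for _, host, _, kind, value in events:
        per_host[host].add((kind, value))
    return dict(per_host)


def fleet_baseline(per_host: Dict[str, Set[Obs]], min_fraction: float = 0.75) -> Set[Obs]:
    """Observations present on at least min_fraction of hosts. Because a POS fleet
    is nearly uniform, the threshold can be set high without flooding analysts."""
    counts = Counter(o for obs in per_host.values() for o in obs)
    return {o for o, c in counts.items() if c / len(per_host) >= min_fraction}


def outliers(per_host: Dict[str, Set[Obs]], baseline: Set[Obs]) -> Dict[str, Set[Obs]]:
    """Per host, the binaries/destinations that the rest of the fleet never shows."""
    return {h: obs - baseline for h, obs in per_host.items() if obs - baseline}


def first_deviation(events: List[Ev], baseline: Set[Obs]) -> Optional[Tuple[int, str, str, Obs]]:
    """Earliest event outside the baseline: when, on which host, launched by which user.
    With retained history this is the initial point of infection."""
    for ts, host, user, kind, value in sorted(events):
        if (kind, value) not in baseline:
            return ts, host, user, (kind, value)
    return None


if __name__ == "__main__":
    base = fleet_baseline(observations(EVENTS))
    print("outliers:", outliers(observations(EVENTS), base))
    print("first deviation:", first_deviation(EVENTS, base))
```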

POS issues continue to plague the retail and hospitality industries, which is a shame given how straightforward such an environment is to monitor with detection and response.