Charles Leaver – Enterprise Antivirus Is Losing Its Touch

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


Dwindling Effectiveness of Enterprise Anti-virus?

Google Security Expert Labels Antivirus Products Ineffective ‘Magic’.

At the recent Kiwicon hacking conference in Wellington, New Zealand, Google Platform Integrity team manager Darren Bilby preached cyber-security heresy. Tasked with investigating highly advanced attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise antivirus in with a set of ineffective tools deployed to tick a compliance checkbox, at the expense of real security:

We have to stop investing in those things we have revealed are not effective… Anti-virus does some helpful things, however in reality, it is more like a canary in a coal mine. It is worse than that. It’s like we are loafing around the dead canary stating ‘Thank god it inhaled all the dangerous gas.’

Google security experts aren’t the first to weigh in against enterprise antivirus, or to draw unflattering comparisons, in this case to a dead canary.

Another highly capable security group, FireEye Mandiant, compared static defenses such as enterprise antivirus to that famously failed World War II defense, the Maginot Line:

Like the Maginot Line, today’s cyber defenses are fast becoming a relic in today’s danger landscape. Organizations invest billions of dollars each year on IT security. But hackers are quickly outflanking these defenses with creative, fast moving attacks.

An example of this was offered by a Cisco managed security services executive speaking at a conference in Poland. His team had identified anomalous activity on one of their enterprise client’s networks and reported the suspected server compromise to the client. To the Cisco team’s astonishment, the customer simply ran an antivirus scan on the server, found no detections, and put it back into service. Alarmed, the Cisco team conferenced the customer into their monitoring console and was able to show the adversary conducting a live remote session at that very moment, complete with typing mistakes and re-issued commands to the compromised server. Finally convinced, the client took the server down and completely re-imaged it. The enterprise antivirus had been a useless distraction: it had not served the customer and it had not deterred the adversary.

So Is It Time to Get Rid of Enterprise Antivirus Already?

I am not yet ready to declare an end to the age of enterprise antivirus. But I do know that organizations need to invest in detection and response capabilities to complement traditional antivirus. And increasingly I question who is complementing whom.

Skilled targeted attackers will always successfully evade antivirus defenses, so against your biggest cyber threats, enterprise antivirus is essentially useless. As Darren Bilby noted, it does some useful things, but it does not provide the endpoint defense you need. So don’t let it distract you from the highest-priority cyber-security investments, and don’t let it distract you from the security measures that do fundamentally help.

Proven cyber defense measures include:

Configuration hardening of networks and endpoints.

Identity management with strong authentication.

Application controls.

Continuous network and endpoint monitoring, constant vigilance.

Strong encryption and data protection.

Staff training and education.

Continual risk re-assessment, penetration testing, red/blue teaming.

In contrast to Bilby’s criticism of enterprise antivirus, none of the above bullets are ‘magic’. They are simply the continuous hard work of adequate enterprise cyber-security.

Charles Leaver – Learn About Cyber Attacks And Their Prevention

Written By Charles Leaver CEO Ziften


No business, however small or large, is immune from a cyberattack. Whether the attack originates from an outside source or from the inside, no organization is fully protected. I have lost count of the number of times that company executives have said to me, “why would anyone want to attack us?”

Cyberattacks Can Take Many Forms

The proliferation of devices that can connect to enterprise networks (laptops, cell phones and tablets) means an increased risk of security vulnerabilities. The objective of a cyber attack is to exploit those vulnerabilities.


One of the most common cyberattack methods is the use of malware. Malware is code with harmful intent and includes viruses, Trojans and worms. The goal of malware is frequently to steal sensitive data or even damage computer networks. Malware often takes the form of an executable file that will spread across your network.

Malware is becoming far more sophisticated, and there is now rogue malware that masquerades as genuine security software developed to protect your network.

Phishing Attacks

Phishing attacks are also common. Usually it’s an e-mail sent from an apparently “trusted authority” requesting that the user supply personal data by clicking on a link. Some of these phishing emails look very genuine and have deceived many users. If the link is clicked and data entered, the information will be stolen. Today an increasing number of phishing emails carry ransomware.

Password Attacks

A password attack is one of the most basic types of cyberattack. An unauthorized third party attempts to gain access to your systems by “cracking” the login password. Software tools can be used to conduct brute-force attacks that guess passwords, and the combinations of words used as passwords can be compared against a dictionary file.

If an attacker gains access to your network through a password attack, they can quickly deploy malware and cause a breach of your sensitive data. Password attacks are among the easiest to prevent, and strict password policies can provide a very effective barrier. Changing passwords regularly is also recommended.
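The password-guessing behaviour described above leaves a very recognizable trace in authentication logs: many failures from one source in a short window, often across several usernames, sometimes followed by a success. The detector below is an added example written for this post, not code from the original article or from Ziften; it parses a handful of constructed OpenSSH-style auth.log lines (sample data, not real logs) and flags sources whose failure rate crosses a threshold inside a sliding window, noting whether a login succeeded afterwards, which is the case an analyst most wants escalated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log style (hypothetical hosts and addresses).
SAMPLE_LOG = """\
Nov 14 09:01:02 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Nov 14 09:01:04 host1 sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Nov 14 09:01:05 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 51003 ssh2
Nov 14 09:01:07 host1 sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Nov 14 09:01:09 host1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51005 ssh2
Nov 14 09:01:11 host1 sshd[2106]: Failed password for root from 203.0.113.7 port 51006 ssh2
Nov 14 09:01:13 host1 sshd[2107]: Accepted password for root from 203.0.113.7 port 51007 ssh2
Nov 14 09:15:30 host1 sshd[2150]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Nov 14 09:15:44 host1 sshd[2151]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# Matches the Failed/Accepted lines sshd writes; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(text, year=2016):
    """Return a list of (timestamp, result, user, source_ip) tuples.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag every source IP that produced >= threshold failures within any
    window_seconds-long window. For each flagged source report the failure
    count, the usernames tried, and whether an 'Accepted' login followed the
    burst (the signal that the guessing may have worked)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        burst_at = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans <= window_seconds.
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_at = fails[end][0]
                break
        if burst_at is None:
            continue  # normal mistyped-password noise, below threshold
        success_after = any(e[1] == "Accepted" and e[0] >= burst_at for e in evs)
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e[2] for e in fails}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, f)
```

On the sample data only 203.0.113.7 is flagged: six failures across four usernames in under ten seconds, followed by an accepted password login, which should be treated as a probable compromise rather than a blocked attempt. The single failure from 198.51.100.20 stays below the threshold. The threshold and window are tuning knobs; set them from your own baseline of legitimate failure rates.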

Denial of Service

A Denial of Service (DoS) attack is all about causing maximum disruption of the network. Attackers send very high volumes of traffic through the network and typically make numerous connection requests. The result is an overloaded network that shuts down.

Multiple computers can be used by attackers in DoS attacks to produce very significant levels of traffic to overload the network. Recently the largest DoS attack in history used botnets against Krebs On Security. Quite often, endpoint devices connected to the network such as PCs and laptops can be hijacked and will then contribute to the attack. If a DoS attack is experienced, it can have serious consequences for network security.

Man in the Middle

Man-in-the-middle attacks are achieved by impersonating the endpoints of a network during an information exchange. Information can be stolen from the end user or even from the server they are communicating with.

How Can You Completely Prevent Cyber Attacks?

Complete prevention of a cyber attack is not possible with current technology, but there is a lot you can do to protect your network and your sensitive data. It is important not to think that you can simply buy and install a security software suite and then sit back. The more advanced cyber criminals know all of the security software solutions on the market, and have developed techniques to overcome the safeguards they offer.

Strong and regularly changed passwords is a policy you should adopt, and it is one of the simplest safeguards to implement. Encrypting your sensitive data is another easy thing to do. Beyond installing antivirus and anti-malware suites together with a good firewall, you should make sure that regular backups are in place and that you have a data breach incident response/remediation plan in case the worst happens. Ziften helps businesses continuously monitor for threats that make it through their defenses, and take action right away to eliminate the threat completely.

Charles Leaver – Calling All Security Pros – You Can Migrate To The Cloud With Endpoint Visibility

Written By Logan Gilbert And Posted By Charles Leaver Ziften CEO


Concerns Over Compliance And Security Keep Organizations From Cloud Migration

Migrating segments of your IT operations to the cloud can look like a huge task, and a risky one at that. Security holes, compliance record keeping, the risk of introducing errors into your architecture … cloud migration presents a lot of hairy concerns to handle.

If you have been leery about moving, you’re not alone – but help is on the way.

When Evolve IP surveyed 1,000+ IT pros earlier this year for their Adoption of Cloud Services North America report, 55% of those surveyed said that security is their biggest fear about cloud adoption. For companies that do not currently have some cloud presence, the number was even higher – 70%. The next largest barrier to cloud adoption was compliance, cited by 40 percent of respondents. (That’s up eleven percent this year.)

But here’s the larger problem: if these concerns are keeping your company out of the cloud, you can’t benefit from the efficiency and cost advantages of cloud services, which becomes a strategic obstacle for your whole organization. You need a way to migrate that also answers concerns about security, compliance, and operations.

Improved Security in Any Environment With Endpoint Visibility.

This is where endpoint visibility comes in. Being able to see exactly what’s happening with every endpoint gives you the visibility you need to improve security, compliance, and operational efficiency when you move your data center to the cloud.

And I mean any endpoint: desktop computer, laptop, mobile device, server, VM, or container.

As a long-time IT professional, I understand the temptation to think you have more control over your servers when they’re locked in a closet and you’re the one who holds the keys. Even when you know that segments of your environment rely on kludges, they’re your kludges, and they’re stable. Plus, when you’re running your own data center – unlike when you’re in the cloud – you can use network taps and a whole host of monitoring tools to look at traffic on the wire, learn a good deal about who’s talking to whom, and fix your problems.

But that level of detail pales in comparison to endpoint visibility, in the data center or in the cloud. The granularity and control of Ziften’s system gives you far more control than you could ever get with a network tap. You can spot malware and other problems anywhere (even off your network), isolate them immediately, then track them back to whichever user, application, device, or process was the weak link in the chain. Ziften provides the ability to perform lookback forensics and to fix issues in much less time.

Eliminating Your Cloud Migration Headaches.

Endpoint visibility makes a big difference any time you’re ready to move a segment of your environment to the cloud. By examining endpoint activity, you can establish a baseline inventory of your systems, clear out unmanaged assets such as orphaned VMs, and hunt down vulnerabilities. That gets all assets secure and stable within your own data center before you move to a cloud provider like AWS or Azure.

After you’ve migrated to the cloud, ongoing visibility into each device, user, and application means that you can administer all parts of your infrastructure more effectively. You avoid wasting resources by preventing VM sprawl, plus you have a detailed body of data to satisfy the audit requirements for NIST 800-53, HIPAA, and other compliance regimes.
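Building the baseline inventory the two paragraphs above describe comes down to reconciling what the asset database says you own, what the virtualization layer says is running, and what the endpoint agent has actually checked in from. The script below is an added example for this post (not Ziften code, and not something the original article includes); the three data sources, host names and dates are constructed. It classifies every name seen in any source so that orphaned VMs, machines with no owner, and owned machines with no monitoring each surface as their own list.

```python
from datetime import date

# Constructed sample data (hypothetical names): three views of the same estate.
CMDB = {  # asset name -> owner recorded in the configuration management DB
    "web-01": "app-team", "web-02": "app-team", "db-01": "dba", "jump-01": "secops",
}
HYPERVISOR = {  # VM name -> power state reported by the virtualization layer
    "web-01": "on", "web-02": "on", "db-01": "on",
    "test-vm-7": "on", "old-build-3": "off", "lab-vm-2": "on",
}
AGENT_LAST_SEEN = {  # endpoint name -> last check-in date from the endpoint agent
    "web-01": date(2016, 11, 13), "db-01": date(2016, 11, 14),
    "test-vm-7": date(2016, 8, 1), "lab-vm-2": date(2016, 11, 14),
}


def reconcile(cmdb, hypervisor, agent_seen, today, stale_days=30):
    """Return {asset name: status}. Status precedence, most urgent first:
    ghost       - CMDB record with no machine and no agent behind it (clean the record)
    orphaned    - machine with no CMDB owner that is powered off or has no live agent
    unmanaged   - running machine with a live agent but no CMDB owner
    unmonitored - owned, running, but no agent ever checked in (visibility gap)
    stale       - owned, agent exists but has not checked in within stale_days
    ok          - owned, running, agent checked in recently"""
    names = set(cmdb) | set(hypervisor) | set(agent_seen)
    report = {}
    for n in sorted(names):
        in_cmdb = n in cmdb
        power = hypervisor.get(n)
        seen = agent_seen.get(n)
        if seen is None:
            agent_state = "none"
        elif (today - seen).days > stale_days:
            agent_state = "stale"
        else:
            agent_state = "fresh"

        if power is None and seen is None:
            report[n] = "ghost"
        elif not in_cmdb:
            report[n] = "orphaned" if (power == "off" or agent_state != "fresh") else "unmanaged"
        elif agent_state == "none":
            report[n] = "unmonitored"
        elif agent_state == "stale":
            report[n] = "stale"
        else:
            report[n] = "ok"
    return report


def summarize(report):
    """Group the per-asset report into status -> sorted list of names."""
    groups = {}
    for name, status in report.items():
        groups.setdefault(status, []).append(name)
    return {s: sorted(v) for s, v in groups.items()}


if __name__ == "__main__":
    result = reconcile(CMDB, HYPERVISOR, AGENT_LAST_SEEN, date(2016, 11, 14))
    for status, names in summarize(result).items():
        print(f"{status:12s} {', '.join(names)}")
```

The precedence order matters: a record in the CMDB with nothing behind it is reported as a ghost even though it "has an owner", and a machine that is powered off with no agent is reported as orphaned rather than merely unmanaged, because both are exactly the kind of asset the text says to clear out before migrating. Run against real exports, the same three-way join is what later produces the audit evidence mentioned above.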

When you’re ready to move to the cloud, you’re not doomed to weak security, incomplete compliance, or operational SNAFUs. Ziften’s approach to endpoint security gives you the visibility you need for cloud migration without the headaches.

Charles Leaver – Endpoint Security Visibility And Tools For Remedial Action

Written By Logan Gilbert And Presented By Charles Leaver


Ziften helps with incident response, remediation, and investigation, even for endpoints that are not connected to your network.

When incidents happen, security analysts need to act quickly and comprehensively.

With telecommuting workforces and enterprise “cloud” infrastructures, remediation and analysis on an endpoint pose a very difficult task. Below, see how you can use Ziften to act on the endpoint and determine the source and spread of a compromise in minutes – no matter where the endpoints are located.

First, Ziften alerts you to malicious activities on endpoints and steers you to the cause of the alarm. In seconds, Ziften lets you take remediation actions on the endpoint, whether it’s on the corporate network, at an employee’s home, or at the local coffee shop. Any remediation action you’d normally perform via direct access to the endpoint, Ziften provides through its web console.

Just that quickly, remediation is taken care of. Now you can use your security expertise to go threat hunting and do a bit of forensics work. You can instantly dive into far more detail about the process that caused the alert, then ask those important questions to find out how widespread the issue is and where it spread from. Ziften provides detailed incident remediation for security analysts.

See directly how Ziften can help your security team zero in on threats in your environment with our 30-day free trial.

Charles Leaver – CISOs Take Note Of The OPM Data Breach Review

Written by Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


Cyber attacks, attributed to the Chinese government, breached sensitive personnel databases and stole data on over 22 million current, former, and prospective U.S. civil servants and members of their families. Stern warnings from the Office of the Inspector General (OIG) to shut down systems without a current security authorization were disregarded.

Presciently, the OIG specifically cautioned that failure to shut down the unauthorized systems carried national security implications. Like the Titanic’s doomed captain who maintained flank speed through an iceberg field, the OPM responded,

“We concur that it is important to maintain updated and valid ATO’s for all systems however do not believe that this condition rises to the level of a Material Weakness.”

In addition, the OPM stressed that shutting down those systems would mean a lapse in retirement and employee benefits and salaries. Given a choice between a security lapse and an operational lapse, the OPM opted to operate insecurely and was pwned.

Then-director Katherine Archuleta resigned her office in July 2015, a day after revealing that the scope of the breach significantly exceeded initial damage assessments.

Despite the high value of the information maintained by OPM, the agency failed to prioritize cybersecurity and properly secure its high value data.

What Are the Lessons for CISOs?

Prudent CISOs will want to avoid career immolation in a massive flaming data breach disaster, so let’s quickly review the essential lessons from the Congressional report’s executive summary.

Prioritize Cyber Security Commensurate with Asset Value

Have an effective organizational management structure to implement risk-appropriate IT security policies. Chronic lack of compliance with security best practices and lagging recommendation implementation timelines are indications of organizational failure and bureaucratic atherosclerosis. Shake up the organization, or make preparations for your post-breach panel appearance before the inquisitors.

Don’t Tolerate a Complacent State of Information Security

Have the essential monitoring in place to maintain critical situational awareness; leave no visibility gaps. Do not fail to understand the scope, extent or gravity of attack indicators. Assume that if you recognize attack indicators, there are other indicators you are missing. While OPM was forensically monitoring one attack channel, another parallel attack went unseen. When OPM did take action, the cyber attackers learned which attack had been spotted and which attack was still effective, quite valuable intelligence to the attacker.

Mandate Basic Required Security Tools and Quickly Deploy State-of-the-Art Security Tools

OPM was incredibly negligent in implementing mandated multi-factor authentication for privileged accounts and didn’t deploy readily available security technology that could have prevented or reduced exfiltration of its most important security background investigation files.

For restricted data or access control authentication, the expression “password protected” has been an oxymoron for many years: passwords are not security, they are an invitation to compromise. In addition to sufficient authentication strength, complete network monitoring and visibility is needed to prevent sensitive data exfiltration. The Congressional investigation blamed sloppy cyber hygiene and insufficient system traffic visibility for the hackers’ persistent presence in OPM networks.

Don’t Fail to Escalate the Alarm When Your Critically Sensitive Data Is Being Attacked

In the OPM breach, observed attack activity “ought to have sounded a high level multi-agency national security alarm that a sophisticated, persistent actor was looking to access OPM’s highest value data.” Instead, nothing of consequence was done “until after the agency was significantly compromised, and up until after the agency’s most sensitive info was lost to nefarious actors.” As a CISO, sound that alarm in good time (or practice your panel appearance face).

Finally, don’t let this be said of your enterprise security posture:

The Committee received documents and testaments proving OPM’s information security posture was undermined by an incredibly unsecured IT environment, internal politics and bureaucracy, and inappropriate top priorities related to the deployment of security tools that slowed essential security choices.

Charles Leaver – If You Plan To Migrate To The Cloud Make Sure You Have Visibility

Written By Charles Leaver CEO Ziften


What Concerns Business CISOs When Migrating To The Cloud

Moving to the cloud offers a variety of advantages to enterprise companies, but there are real security concerns that make switching to a cloud environment worrisome. What CISOs want when moving to the cloud is continuous insight into that cloud environment. They need a way to monitor and measure threats, and the confidence that they have the correct security controls in place.

Increased Security Risk

Migration to the cloud means using managed IT services, and many people believe this means relinquishing a high level of visibility and control. Although the leading cloud providers use the latest security technology and encryption, even the most current systems can fail and expose your sensitive data to hackers.

In reality, cloud environments are subject to similar cyber threats as private enterprise data centers. However, the cloud is becoming a more appealing target due to the considerable amount of data now stored on servers in the cloud.

Attackers understand that enterprises are gradually moving to the cloud, and they are already targeting cloud environments. Alert Logic, a security-as-a-service provider, released a report that concluded that IT decision makers should not presume that data stored off site is harder for cyber criminals to obtain.

The report went on to state that there had been a 45% increase in application attacks against cloud deployments. There had also been an increase in attack frequency on organizations that host their infrastructure in the cloud.

The Cloud Is a Jackpot

With the shifting of important data, production workloads, and applications to cloud environments, these findings should not come as a surprise. A statement from the report said, “… hackers, like everyone else, have a limited amount of time to complete their task. They want to invest their time and resources into attacks that will bear the most fruit: businesses utilizing cloud environments are mainly considered that fruit bearing jackpot.”

The report also suggests that there is a misconception within organizations about security. A number of business decision makers were under the impression that once a cloud migration had taken place, the cloud provider would be completely accountable for the security of their data.

Security in The Cloud Has to Be A Shared Responsibility

All organizations must take responsibility for the security of their data whether it is hosted on site or in the cloud. This responsibility cannot be totally relinquished to a cloud company. If your company suffers a data breach while using cloud management services, it is unlikely that you would be able to evade liability.

It is vital that every organization fully understands the environment and the risks associated with cloud management. There can be a myriad of legal, financial, commercial, and compliance risks. Before moving to the cloud, make sure to inspect agreements so that the provider’s liability is fully understood if a data breach were to occur.

Vice president of Alert Logic Will Semple said, “the secret to safeguarding your vital data is being knowledgeable about how and where along the ‘cyber kill chain’ assailants infiltrate systems and to use the best security tools, practices and financial investment to combat them.”

Cloud Visibility Is The Key

Whether you are using cloud management services or hosting your own infrastructure, you need complete visibility within your environment. If you are considering migrating part – or all – of your environment to the cloud, then this is essential.

After a cloud migration has taken place, you can depend on this visibility to monitor each user, device, application, and network activity for possible risks and threats. As a result, the administration of your infrastructure becomes far more efficient.

Don’t let your cloud migration result in weaker security and incomplete compliance. Ziften can help maintain cloud visibility and security for your existing cloud deployments or future cloud migrations.

Charles Leaver – Cyber Attack Prevention Is Best Achieved With The Right Endpoint Management

Written By Charles Leaver, CEO Ziften


Identify and control any device that requires access to your business network.

As a company grows, so does its asset footprint, and this makes the task of managing the entire set of IT assets much more challenging. IT management has changed from the days when IT asset management consisted of recording devices such as printers, accounting for all installed applications and ensuring that antivirus suites were up to date.

Today, companies are under constant threat of cyber attacks that use malicious code to penetrate the business network. Many devices now have network access capabilities. Gone are the days when only desktop PCs connected to an enterprise network. Now there is a culture of bring your own device (BYOD) where cell phones, tablets and laptops are all encouraged to connect to the network. While this provides flexibility for companies, with the ability for users to connect remotely, it opens up a whole new range of vulnerabilities, as these diverse endpoints make the issue of enterprise IT security far more complex.

What Is Endpoint Management?

It is vital that you have a policy-based approach to the endpoint devices connected to your network to minimize the risk of cyber attacks and data breaches. The use of laptops, tablets, cell phones and other devices may be convenient, but they can expose companies to a wide range of security risks. The main goal of a sound endpoint management strategy should be that network activities are thoroughly monitored and unauthorized devices cannot access the network.

Most endpoint management software is likely to check that the device has an approved operating system, along with antivirus software, and examine the device for an up-to-date virtual private network client.

Endpoint management systems identify and control any device that needs access to the corporate network. Anyone attempting to access the business environment from a non-compliant device will be denied access. This is necessary to fight attacks from cyber criminals and breaches from malicious groups.

Any device that does not comply with endpoint management policies is either quarantined or granted restricted access. Local administrative rights may be removed and Internet browsing limited.

Organizations Can Always Do More

There are a number of strategies a business can use as part of its endpoint management policy. These can include firewalls (both network and personal), encryption of sensitive data, stronger authentication techniques, which will certainly include the use of hard-to-crack passwords that are changed frequently, and device- and network-level antivirus and anti-malware protection.

Endpoint management systems can work on a client and server basis, where software is deployed and centrally managed on a server. The client program needs to be installed on all endpoint devices that are authorized to access the network. It is also possible to use a software-as-a-service (SaaS) model of endpoint management, where the service provider hosts and takes care of the server and the security applications remotely.

When a client device attempts to log in, the server-based application scans the device to see whether it complies with the organization’s endpoint management policy, then verifies the user’s credentials before access to the network can be granted.
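The admission flow described in this section (check the device's posture against policy, quarantine or restrict what fails, and only then verify the user's credentials) is easy to get wrong in the ordering, so here it is written out as an added example for this post; it is illustrative code, not Ziften's product or any endpoint management vendor's implementation. The policy values (approved operating systems and minimum versions, signature age, VPN client version), device records and user are all constructed. Posture problems are split into severe (quarantine) and minor (restricted access, matching the "no local admin, limited browsing" outcome in the text), and an unenrolled device is refused before any password is examined.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy; an organization would set its own values.
POLICY = {
    "approved_os": {  # OS name -> minimum acceptable version tuple
        "Windows 10": (1607,),
        "macOS": (10, 11),
        "Ubuntu": (16, 4),
    },
    "max_signature_age_days": 3,
    "min_vpn_version": (4, 3),
}


@dataclass
class Posture:
    """What the endpoint client reports about itself at login time."""
    device_id: str
    enrolled: bool                      # known to the management server at all?
    os_name: str
    os_version: tuple
    av_installed: bool
    av_running: bool
    av_signature_date: Optional[date]
    vpn_version: Optional[tuple]
    disk_encrypted: bool


def evaluate_posture(p, policy=POLICY, today=date(2016, 11, 14)):
    """Return (decision, reasons). Decisions: deny, quarantine, restricted, allow."""
    if not p.enrolled:
        return "deny", ["device not enrolled in endpoint management"]
    severe, minor = [], []
    min_os = policy["approved_os"].get(p.os_name)
    if min_os is None:
        severe.append(f"operating system {p.os_name} not approved")
    elif p.os_version < min_os:
        severe.append(f"{p.os_name} {p.os_version} below minimum {min_os}")
    if not (p.av_installed and p.av_running):
        severe.append("antivirus not installed or not running")
    elif p.av_signature_date is None or \
            (today - p.av_signature_date).days > policy["max_signature_age_days"]:
        minor.append("antivirus signatures stale")
    if p.vpn_version is None or p.vpn_version < policy["min_vpn_version"]:
        minor.append("VPN client missing or outdated")
    if not p.disk_encrypted:
        severe.append("disk not encrypted")
    if severe:
        return "quarantine", severe + minor
    if minor:
        return "restricted", minor       # no local admin rights, limited browsing
    return "allow", []


# Constructed credential store: salted PBKDF2 hashes, never plaintext.
def make_credential(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": make_credential("correct horse battery staple")}


def verify_credentials(user, password, users=USERS):
    rec = users.get(user)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)   # constant-time comparison


def admission(p, user, password):
    """Posture gate first, credentials second, exactly as the text orders it."""
    decision, reasons = evaluate_posture(p)
    if decision in ("deny", "quarantine"):
        return decision, reasons          # credentials are never even checked
    if not verify_credentials(user, password):
        return "deny", reasons + ["invalid credentials"]
    return decision, reasons


# Constructed device records.
COMPLIANT = Posture("lt-1001", True, "Windows 10", (1607,), True, True, date(2016, 11, 13), (4, 3), True)
STALE = Posture("lt-1002", True, "Windows 10", (1607,), True, True, date(2016, 11, 1), (4, 3), True)
UNENROLLED = Posture("byod-9", False, "Ubuntu", (16, 4), False, False, None, None, False)
OLD_MAC = Posture("mb-0042", True, "macOS", (10, 9), False, False, None, None, True)

if __name__ == "__main__":
    for dev in (COMPLIANT, STALE, UNENROLLED, OLD_MAC):
        print(dev.device_id, admission(dev, "alice", "correct horse battery staple"))
```

Two details are worth keeping when adapting this: a device with a severe finding is quarantined before its user's password is touched (so a stolen credential on an unmanaged machine gains nothing), and the restricted tier exists so that a merely drifted device, such as one with three-day-old signatures, is not cut off entirely but loses the privileges that make it dangerous.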

The Issue With Endpoint Management Systems

Many organizations see security software as a “complete cure”, but it is not that clear cut. Endpoint security software bought as a set-and-forget solution will never suffice. Experienced cyber attackers know about these software solutions and are developing malicious code that will evade the defenses a set-and-forget application can provide.

There needs to be human intervention, and Jon Oltsik, contributor at Network World, stated: “CISOs should take ownership of endpoint security and designate a group of experts who own endpoint security controls as part of a general obligation for event prevention, detection, and response.”

Ziften’s endpoint security solutions provide the continuous monitoring and forensic look-back visibility that a cyber security team needs to find and act on malicious infiltrations before they spread and steal the organization’s sensitive data.

Charles Leaver – Splunk.conf 2016 Showed Why Adaptive Response Is The Way To Go

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO

All the latest achievements from Splunk

Last week I attended the annual Splunk conference in the great sunshine state – Florida. The Orlando-based event allowed Splunkers from all over the world to acquaint themselves with the latest and most successful offerings from Splunk. Although there were a variety of fun activities throughout the week, it was clear that attendees were there to learn new things. The announcement of Splunk’s security-centric Adaptive Response initiative was popular, and it happens to integrate rather nicely with Ziften’s endpoint solution.

Of particular interest, the “Transforming Security” keynote address by Monzy Merza, Director of Cyber Research and Chief Security Evangelist for Splunk, Haiyan Song, SVP Security Markets for Splunk, and Mike Stone, CDIO for the UK Ministry of Defence, showed the power of Splunk’s new Adaptive Response interface to thousands of attendees.

In the clip below, taken from that keynote, Monzy Merza shows how vital data supplied by a Ziften agent can also be used to enact bi-directional functionality from Splunk, by sending instructional logic back to the Ziften agent to take immediate action on a compromised endpoint. Monzy was able to identify a compromised Linux server and remove it from the operational network for further forensic examination. By not only supplying vital security data to the Splunk instance, but also allowing the user to stay in the same interface to take operational and security actions, the Ziften endpoint agent enables users to bi-directionally leverage Splunk’s powerful framework to take immediate action across all operating systems in a precise way. After the talks our booth was swamped with demonstrations and extremely interesting conversations about operations and security.

Take a look at a 3-minute Monzy extract from the keynote:

Over the weekend I was able to process the wide range of technical conversations I had with numerous fantastic people at our booth at .conf. One of the funny things I discovered – which nobody would openly admit unless I pulled it out of them – is that most of us are beginner-to-intermediate SPL (Splunk Processing Language) users. I also observed the obvious: incident response was the main focus of this year’s event.

However, many people use Ziften for Splunk for a variety of things, such as operations and application management, network monitoring, and user behavior modeling. In an effort to illuminate the broad functionality of our Splunk App, here’s a taste of what folks at .conf2016 loved most about Ziften for Splunk:

1) It’s fantastic for Enterprise Security.

a. Generalized platform for ingesting real-time data and taking immediate action
b. Automating remediation from a wide scope of indicators of compromise

2) IT Operations love us.

a. Monitoring of systems, hardware life cycle, resource management
b. Management of applications – compliance, license verification, vulnerabilities

3) Network Monitoring with ZFlow is a game changer.

a. ZFlow ties netflow to binary, system and user data – in a single Splunk SPL entry. Do I need to say more here? This is the real Holy Grail from Indiana Jones, guys!

4) Our User Behavior Modeling goes beyond simple alerts.

a. This could be tied back under IT Operations, but it’s becoming its own monster
b. Ziften’s tracking of software use, logins, elevated binaries, timestamps, etc. is readily viewable in Splunk
c. Ziften offers a free security-centric Splunk bundle, but we convert all of the data we collect from each endpoint to the Splunk CIM format – not just our ‘Alerts’.

Ultimately, using a single Splunk Adaptive Response interface to manage a multitude of tools within your environment is what helps build a strong enterprise fabric for your business – one in which operations, security and network teams overlap more fluidly. Make better decisions, faster. Discover for yourself with our free 30-day trial of Ziften for Splunk!

Charles Leaver – Protect Your Organization From Hackers By Banning Adobe Flash


Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

Be Strong or Get Attacked.

Highly experienced and skilled cyber attack groups have targeted and are targeting your organization. Your large endpoint population is the most typical point of entry for proficient attack organizations. These enterprise endpoints number in the thousands, are loosely managed, laxly configured, and rife with vulnerability exposures, and are operated by partially trained, credulous users – the perfect target-rich opportunity. Mikko Hypponen, chief research officer at F-Secure, often states at industry symposia: “How many of the Fortune 500 are attacked today? The response: 500.”

And how long did it take to permeate your enterprise? White hat hackers performing penetration testing or red team exercises normally jeopardize target enterprises within the very first few hours, even though ethically and legally limited in their approaches. Black hat or state sponsored hackers might attain penetration much more quickly and protect their presence forever. Provided typical assailant dwell duration’s determined in numerous days, the time-to-penetration is minimal, not an obstacle.

Exploit Kits

The industrialization of cyber attacks has created a black market for attack tools, including a range of software for identifying and exploiting client endpoint vulnerabilities. These exploit kits are marketed to criminals on the dark web, with dozens of exploit kit families and vendors. An exploit kit works by profiling the software configuration of the visiting endpoint (browser, plugin and runtime versions, typically fingerprinted from the kit’s landing page), identifying exposed vulnerabilities, and delivering an exploit for one of those exposures.

A relative handful of commonly deployed endpoint applications accounts for the bulk of the vulnerabilities targeted by exploit kits. This follows from the unfortunate truth that complex software tends to exhibit a continual stream of vulnerabilities that leaves it perpetually exposed. Each patch cycle, exploit kit developers download the latest security patches, reverse engineer them (diffing the patched binaries against the previous versions) to find the underlying vulnerabilities, and update their kits. This is typically done faster than enterprises deploy the patches, and some vulnerabilities remain unpatched, and ripe for exploitation, years after a fix is released.

Adobe Flash

Before the widespread adoption of HTML5, Adobe Flash was the most widely used software for rich Web content. Even with HTML5 adoption growing, legacy Adobe Flash retains a significant following, and with it its long-held position as the darling of exploit kit authors. A recent study by Digital Shadows, In the Business of Exploitation, is instructive:

This report analyzed 22 exploit kits to understand the most commonly exploited software. We looked for patterns within the exploitation of vulnerabilities by these 22 kits to reveal which vulnerabilities had been exploited most widely, coupled with how active each exploit kit was, in order to inform our assessment.

The vulnerabilities exploited by all 22 exploit kits showed that Adobe Flash Player was likely to be the most targeted software, with 27 of the 76 identified vulnerabilities exploited pertaining to this software.

With relative consistency, Adobe’s monthly Flash Player security bulletins fix dozens of fresh vulnerabilities. To exploit kit developers, it is the gift that keeps on giving.

The industry is learning its lesson and moving beyond Flash for rich web content. For example, a Yahoo senior engineer, blogging recently in Streaming Media, noted:

“Adobe Flash, for a long time the de-facto standard for media playback on the web, has lost favor in the industry due to increasing concerns over security and performance. At the same time, requiring a plugin for video playback in browsers is losing favor among users too. As a result, the industry is moving toward HTML5 for video playback.”

Amit Jain, Sep 21, 2016

Banishing Adobe Flash

One step businesses can take now to harden their endpoint configurations is to eradicate Adobe Flash as a matter of security policy. This will not be convenient, and it may hurt, but it will shrink your enterprise attack surface. It involves uninstalling and blacklisting Adobe Flash Player and enforcing browser security settings that disable Flash content. Note that uninstalling the standalone player is not enough on its own: Internet Explorer on Windows 8 and later carries its own copy of Flash as an operating system component, and Chrome bundles its own PPAPI build, so those have to be blocked through browser policy. Done properly, this is what users will see where Flash content appears on a legacy website:


This message, the browser’s blocked-plugin notice, confirms two things:

1. Your system is correctly configured to refuse Flash content.

Congratulate yourself!

2. This site would compromise your security for its own convenience.

Ditch this site!
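As an added example that is not part of the original post or any Ziften product, here is the enforcement side of that policy on a Windows endpoint, in PowerShell: an inventory of Flash components, followed by browser-level blocking that also covers the Flash builds no uninstaller removes (the copy built into Internet Explorer on Windows 8 and later, and the PPAPI build bundled with Chrome). The registry locations, the Flash ActiveX CLSID and the Chrome DefaultPluginsSetting policy are documented by Microsoft and Google; the function names and the Compliant/NonCompliant/Remediated reporting are this example’s own.

```powershell
# Added example, not from the original post or from Ziften. Run from an elevated
# PowerShell on the endpoint (or push the same keys via GPO). Without -Enforce the
# policy function only reports; with it, non-compliant values are written.

function Get-FlashFootprint {
    # Standalone Flash installs drop NPAPI/ActiveX binaries under Macromed\Flash;
    # check both the native and the WOW64 system directories.
    foreach ($root in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        $dir = Join-Path $root 'Macromed\Flash'
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            if ($f.Extension -in '.ocx', '.dll') {
                [pscustomobject]@{ Kind = 'Binary'; Detail = $f.FullName; Version = $f.VersionInfo.FileVersion }
            }
        }
    }
    # Add/Remove Programs entries, 64-bit and 32-bit views.
    $uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($r in $uninstallRoots) {
        if (-not (Test-Path $r)) { continue }
        foreach ($k in Get-ChildItem -Path $r) {
            $p = Get-ItemProperty -Path $k.PSPath
            if ($p.DisplayName -like 'Adobe Flash Player*') {
                [pscustomobject]@{ Kind = 'Product'; Detail = $p.DisplayName; Version = $p.DisplayVersion }
            }
        }
    }
}

function Disable-FlashInBrowsers {
    param([switch]$Enforce)
    # CLSID of the "Shockwave Flash Object" ActiveX control.
    $flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
    $policy = @(
        # Internet Explorer: the kill-bit (0x400) refuses to instantiate the control,
        # including the Flash that ships with Windows 8+; set in both registry views.
        @{ Path = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid";
           Name = 'Compatibility Flags'; Value = 0x400 },
        @{ Path = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid";
           Name = 'Compatibility Flags'; Value = 0x400 },
        # Chrome: DefaultPluginsSetting 2 = block all plugins, which covers the
        # PPAPI Flash bundled with the browser (3 would be click-to-play).
        @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome'; Name = 'DefaultPluginsSetting'; Value = 2 }
    )
    foreach ($item in $policy) {
        $found = $null
        if (Test-Path $item.Path) {
            $found = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        $state = if ($found -eq $item.Value) { 'Compliant' } else { 'NonCompliant' }
        if ($Enforce -and $state -eq 'NonCompliant') {
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -PropertyType DWord -Force | Out-Null
            $state = 'Remediated'
        }
        [pscustomobject]@{ Path = $item.Path; Name = $item.Name; Expected = $item.Value; Found = $found; State = $state }
    }
}

# Report first; enforce once the inventory has been reviewed.
Get-FlashFootprint | Format-Table -AutoSize
Disable-FlashInBrowsers | Format-Table -AutoSize
# Disable-FlashInBrowsers -Enforce | Format-Table -AutoSize
```

The kill-bit and the Chrome policy together produce the blocked-content message described above. Two gaps to close by other means: Firefox of this period has no policy engine, so its switch is the locked preference plugin.state.flash = 0 delivered through autoconfig, and the legacy Edge browser carries a separate Flash policy; neither is shown here. The inventory output should also drive removal of the standalone player through its own uninstaller, because blocking in the browser still leaves the vulnerable binaries on disk for anything else that loads them.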

Charles Leaver – Changes For Endpoints With The Advent Of Illumination

Published by:

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

The dissolution of the traditional perimeter is happening fast. So what happens to the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. These investments are being questioned, because the returns cannot overcome the cost and complexity of building, maintaining and validating these old defenses.

More than that, the paradigm has changed – employees no longer work exclusively in the office. Many people log hours from home or while traveling, and neither location is under the umbrella of a firewall. Instead of keeping the bad guys out, firewalls often have the opposite effect – they keep authorized people from being productive. The irony? They create a safe haven for attackers who breach them, hide for weeks, and then traverse to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the aforementioned failure of perimeter defense and a “mobile everywhere” workforce, we must now enforce trust at the endpoint. Easier said than done, however.

In the endpoint space, identity and access management (IAM) systems are not the perfect answer. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust goes beyond basic identification, authentication and authorization.

Encryption is a second attempt, applied to whole data stores or to selected assets. In the most recent (2016) Ponemon data breach study, encryption saved only about 10% of the cost per breached record (from $158 to $142). It is not the panacea that some make it out to be.

The Whole Picture Is Changing.

Organizations must be prepared to accept new paradigms and attack vectors. While companies must provide access to trusted groups and individuals, they have to do it in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are quickly growing to over 50% of the total business workforce.

On endpoint devices, the binary is mostly the issue. A probably benign event, such as an executable crash, might indicate something simple – like the Windows 10 Desktop Window Manager (dwm.exe) restarting. Or it could be a deeper problem, such as a malicious file or the early signs of an attack.

Trusted access does not address this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks involve human error, social engineering or other human factors. This requires more than simple IAM – it requires behavioral analysis.

Rather than making good better, perimeter and identity and access vendors made bad faster.

When and Where Does the Good News Begin?

Taking a step back, Google (Alphabet) published its perimeter-less network design, BeyondCorp, in late 2014, and has made substantial progress since. Other organizations – from corporations to governments – have done this (quietly and less radically), but BeyondCorp has done it and shown its solution to the world. The design philosophy, endpoint plus (public) cloud displacing the cloistered enterprise network, is the key principle.

This changes the whole discussion of an endpoint – be it a laptop, PC, workstation or server – as subservient to the corporate/enterprise/private/organization network. The endpoint truly is the last line of defense, and must be secured – yet it must also report its activity.

Unlike the traditional perimeter security model, BeyondCorp does not gate access to tools and services based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both internal networks and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or “tiers,” of access.

By itself, this seems harmless. But the truth is that this is a radical new design, and it is imperfect. The access criteria have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, rather than the central model with its potential for breaches, hacks and threats at the human level (the “soft chewy center”).

The good news? Breaching the perimeter is very hard for would-be attackers, and network pivoting (a common technique used by attackers today) is next to impossible once past the reverse proxy – proof that firewalls do a better job of keeping the bad guys in than of letting the good guys out. The inverted model applies even more to Google cloud servers, presumably tightly managed inside the boundary, versus client endpoints, which are all out in the wild.

Google has made some excellent improvements on proven security methods, particularly 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).

Why Is This Important? What Are the Gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google does not specifically describe a device security agent or emphasize any kind of client-side monitoring (apart from very strict configuration control). While there may be reporting and forensics, this is something every organization needs to be aware of, since it is a question of when – not if – bad things will happen.

Since implementing the initial phases of the Device Inventory Service, we’ve ingested billions of deltas from over 15 data sources, at a typical rate of about three million per day, totaling over 80 terabytes. Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a given device, track and analyze fleet-wide trends, and perform security audits and forensic investigations.

This is an expensive and data-heavy process with two shortcomings. On ultra-high-speed networks (used by organizations such as Google, universities and research institutions), there is enough bandwidth for this kind of communication to take place without flooding the pipes. The first concern is that in more pedestrian corporate and government settings, it would cause significant user disruption.

Second, the devices need the horsepower to continuously collect and transmit data. While most employees would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly make this prohibitive.

A Lack of Lateral Visibility

Few products actually generate “enhanced” netflow, augmenting standard network visibility with rich, contextual data.

Ziften’s patented ZFlow™ provides network flow data generated from the endpoint, otherwise obtainable only through brute force (human labor) or expensive network devices.

ZFlow serves as a “connective tissue” of sorts, extending and completing the end-to-end network visibility cycle by adding context to on-network, off-network and cloud servers/endpoints, and enabling security teams to make faster, better informed and more precise decisions. In essence, investing in Ziften results in labor savings, plus faster discovery and remediation, because technology stands in for human resources.
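To make the idea of endpoint-generated, context-enriched flow concrete, here is an added example in PowerShell (not Ziften’s ZFlow code, and not from the original post). Each established TCP connection is joined to its owning process, image path and logged-on user, which no switch or netflow collector can see, and the result is then checked for the two things an analyst would want flagged in the kind of live remote session described at the top of this page: a binary running from a location it has no business in, and a connection to a remote-control port. Field names follow Splunk CIM conventions as an assumption about what the CIM mapping mentioned earlier on this page might look like; the trusted-path list, the port list and the sample connection and process records are constructed for the demo.

```powershell
# Added example, not from the original post and not Ziften's implementation.
# Defaults read live state (Get-NetTCPConnection, Get-Process -IncludeUserName,
# the latter needing elevation); pass constructed objects to run offline.

function Get-EnrichedFlow {
    param(
        [object[]]$Connections = (Get-NetTCPConnection -State Established),
        [object[]]$Processes   = (Get-Process -IncludeUserName)
    )
    # Index processes by PID so every flow join is a hash lookup.
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.Id] = $p }

    foreach ($c in $Connections) {
        $proc = $byPid[[int]$c.OwningProcess]
        $name = 'unknown'; $path = $null; $user = $null
        if ($proc) { $name = $proc.ProcessName; $path = $proc.Path; $user = $proc.UserName }
        # CIM-style field names (assumed mapping, not Ziften's).
        [pscustomobject]@{
            src_ip       = $c.LocalAddress
            src_port     = $c.LocalPort
            dest_ip      = $c.RemoteAddress
            dest_port    = $c.RemotePort
            transport    = 'tcp'
            process_id   = $c.OwningProcess
            process_name = $name
            process_path = $path
            user         = $user
        }
    }
}

function Find-SuspiciousFlow {
    param(
        [object[]]$Flows,
        # Assumed baseline: only images under these roots may hold sockets.
        [string[]]$TrustedRoots = @("$env:ProgramFiles\", "${env:ProgramFiles(x86)}\", "$env:SystemRoot\"),
        # Names that belong in System32; the same name elsewhere is masquerading.
        [string[]]$SystemNames  = @('svchost', 'lsass', 'csrss', 'explorer', 'winlogon'),
        # Remote-control / reverse-shell ports that rarely belong on a workstation.
        [int[]]$SuspectPorts    = @(22, 3389, 4444, 5900)
    )
    foreach ($f in $Flows) {
        $reasons = @()
        if (-not $f.process_path) {
            $reasons += 'no image path (process gone or access denied)'
        } else {
            $trusted = $false
            foreach ($root in $TrustedRoots) { if ($f.process_path -like "$root*") { $trusted = $true } }
            if (-not $trusted) { $reasons += 'image outside trusted install roots' }
            if (($f.process_name -in $SystemNames) -and ($f.process_path -notlike "$env:SystemRoot\System32\*")) {
                $reasons += 'system binary name from a non-system path'
            }
        }
        if ($f.dest_port -in $SuspectPorts) { $reasons += "remote port $($f.dest_port) is a remote-access port" }
        if ($reasons) {
            [pscustomobject]@{ process = $f.process_name; path = $f.process_path; user = $f.user
                               dest = "$($f.dest_ip):$($f.dest_port)"; reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample records standing in for Get-NetTCPConnection / Get-Process output.
$demoConns = @(
    [pscustomobject]@{ LocalAddress = '10.0.0.15'; LocalPort = 52113; RemoteAddress = '93.184.216.34'; RemotePort = 443;  OwningProcess = 4120 },
    [pscustomobject]@{ LocalAddress = '10.0.0.15'; LocalPort = 52201; RemoteAddress = '198.51.100.7';  RemotePort = 4444; OwningProcess = 7788 }
)
$demoProcs = @(
    [pscustomobject]@{ Id = 4120; ProcessName = 'chrome';  Path = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; UserName = 'CORP\alice' },
    [pscustomobject]@{ Id = 7788; ProcessName = 'svchost'; Path = 'C:\Users\alice\AppData\Local\Temp\svchost.exe';        UserName = 'CORP\alice' }
)

$flows = Get-EnrichedFlow -Connections $demoConns -Processes $demoProcs
$flows | Format-Table -AutoSize
# Only the second flow is reported: a svchost.exe running from Temp, talking to port 4444.
Find-SuspiciousFlow -Flows $flows | Format-List
```

On a live host, call Get-EnrichedFlow with no arguments from an elevated session and forward the objects to your collector; the value over router netflow is entirely in the process_path and user columns, which are what let the second record above be judged at a glance. The detection thresholds are deliberately simple; a real baseline would also include the binary hash and signer, which the endpoint can read and the network cannot.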

For companies migrating to the cloud (as 56% plan to do by 2021, according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unrivaled visibility into cloud servers to better monitor and protect the complete infrastructure.

In Google’s environment, only corporate-owned devices (COPE) are allowed, crowding out bring your own device (BYOD). This works for a company like Google that can hand out new devices – phone, tablet, laptop, etc. – to all staff. Part of the reason is that identity is vested in the device itself, in addition to the usual user authentication. The device must meet Google’s requirements, having either a TPM or a software equivalent of a TPM to hold the X.509 certificate used to assert device identity and to facilitate device-specific traffic encryption. Several agents need to be present on each endpoint to validate the device predicates called out in the access policy, which is where Ziften would have to partner with the systems management agent provider, since agent cooperation is likely necessary to the process.
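As an added example that is not from the BeyondCorp papers, the original post or any Ziften product: the tier logic quoted above and the device-identity predicates just described, reduced to PowerShell that an endpoint could run to compute its own posture and that an access proxy would evaluate in place of a source address. The predicates collected (TPM readiness, Secure Boot, BitLocker on the system drive, real-time antivirus, patch age, and a client-authentication certificate with a private key in the machine store standing in for the TPM-held device certificate), the tier names and the thresholds are this example’s assumptions; Google has not published its tier definitions in that detail.

```powershell
# Added example; tier names, predicates and thresholds are assumptions, not
# Google's or Ziften's policy. Get-DevicePosture needs Windows and elevation;
# Get-DeviceTier and Test-AccessAllowed are pure and run anywhere, as the demo shows.

function Get-DevicePosture {
    # Each probe degrades to a failing predicate (never an exception) so a missing
    # module or missing privilege lowers the tier instead of breaking the collector.
    $p = [ordered]@{}
    $p.DeviceCertPresent = try {
        [bool](Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication') })
    } catch { $false }
    $p.TpmReady         = try { [bool](Get-Tpm).TpmReady } catch { $false }
    $p.SecureBoot       = try { [bool](Confirm-SecureBootUEFI) } catch { $false }
    $p.OsDriveEncrypted = try { (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On' } catch { $false }
    $p.AvRealTime       = try { [bool](Get-MpComputerStatus).RealTimeProtectionEnabled } catch { $false }
    $p.DaysSincePatch   = try {
        $latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
        ((Get-Date) - $latest.InstalledOn).Days
    } catch { 9999 }
    [pscustomobject]$p
}

function Get-DeviceTier {
    param([Parameter(Mandatory)]$Posture, [int]$MaxPatchAgeDays = 30)
    # Assumed ladder: Untrusted < Basic < Privileged.
    # No device certificate means no device identity: nothing to reason about.
    if (-not $Posture.DeviceCertPresent) { return 'Untrusted' }
    $hardened = $Posture.OsDriveEncrypted -and $Posture.AvRealTime -and ($Posture.DaysSincePatch -le $MaxPatchAgeDays)
    if (-not $hardened) { return 'Basic' }
    # Only measured boot on a real TPM earns the top tier.
    if ($Posture.TpmReady -and $Posture.SecureBoot) { return 'Privileged' }
    return 'Basic'
}

function Test-AccessAllowed {
    param([string]$Tier, [string]$RequiredTier)
    $rank = @{ Untrusted = 0; Basic = 1; Privileged = 2 }
    return ($rank[$Tier] -ge $rank[$RequiredTier])
}

# Constructed postures: a managed corporate laptop, a contractor's own PC, and a box with no identity.
$devices = @(
    @{ Name = 'corp-laptop';   Posture = [pscustomobject]@{ DeviceCertPresent = $true;  TpmReady = $true;  SecureBoot = $true;  OsDriveEncrypted = $true;  AvRealTime = $true;  DaysSincePatch = 12 } },
    @{ Name = 'contractor-pc'; Posture = [pscustomobject]@{ DeviceCertPresent = $true;  TpmReady = $false; SecureBoot = $false; OsDriveEncrypted = $false; AvRealTime = $true;  DaysSincePatch = 140 } },
    @{ Name = 'unknown-box';   Posture = [pscustomobject]@{ DeviceCertPresent = $false; TpmReady = $false; SecureBoot = $false; OsDriveEncrypted = $false; AvRealTime = $false; DaysSincePatch = 9999 } }
)
# Assumed per-application policy: the tier each app demands, regardless of source network.
$appPolicy = [ordered]@{ 'wiki' = 'Basic'; 'source-control' = 'Privileged' }

foreach ($d in $devices) {
    $tier = Get-DeviceTier -Posture $d.Posture
    foreach ($app in $appPolicy.Keys) {
        '{0,-14} tier={1,-11} {2,-15} allowed={3}' -f $d.Name, $tier, $app, (Test-AccessAllowed -Tier $tier -RequiredTier $appPolicy[$app])
    }
}
# On a real endpoint: Get-DeviceTier -Posture (Get-DevicePosture)
```

The demo yields Privileged for the laptop (both applications allowed), Basic for the contractor PC (wiki allowed, source-control refused because the drive is unencrypted and the patch age is 140 days), and Untrusted for the box with no certificate. Two points the code makes that the prose cannot: the posture is evaluated per request, so a device that falls behind on patches silently drops a tier without anyone revoking anything, and the whole decision would be meaningless if the posture report itself were not signed by the device key, which is exactly why the certificate is anchored in a TPM rather than a file.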


In summary, Google has built a world-class solution, but its applicability and practicality are limited to companies like Alphabet.

Ziften delivers the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow tracking (from the endpoint), and a best-in-class console. For companies with specialized requirements or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment data ingestion and to trigger response actions).

This brings the benefits of the BeyondCorp model to the masses while conserving network bandwidth and endpoint (machine) computing resources. Since companies will be slow to move entirely away from the enterprise network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is increasingly shifting to managed detection and response (MDR). Managed security service providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is insufficient. They lack the skills and the technology.

Ziften’s solution has been tested, integrated, approved and deployed by a number of the emerging MDR providers, demonstrating the standardization and flexibility of the Ziften platform to play a key role in remediation and incident response.