Charles Leaver – Incident Response And Forensic Analysis Are Related But Different

Published by:

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver

There may be a joke somewhere about the forensic analyst who was late to the incident response party. There is at least the seed of a joke in the idea, but you have to understand the differences between incident response and forensic analysis to appreciate the potential for humor.

Incident response and forensic analysis are related disciplines that can use similar tools and data sets, but they also have some crucial differences. There are four particularly important differences between forensic analysis and incident response:

– Objectives.
– Data requirements.
– Team skills.
– Benefits.

The difference in the goals of forensic analysis and incident response is perhaps the most essential. Incident response is focused on a quick (i.e., near real time) reaction to an immediate threat or issue. For example, a house is on fire, and the firefighters who put that fire out are doing incident response. Forensic analysis is typically performed as part of a scheduled compliance, legal discovery, or law enforcement investigation. For example, a fire investigator may examine the remains of that house fire to determine the total damage to the property, the cause of the fire, and whether the cause was such that other houses are also at risk. Put simply, incident response is focused on containment of a threat or issue, while forensic analysis is focused on a full understanding and complete eradication of a breach.

A second major difference between the disciplines is the data needed to accomplish those objectives. Incident response teams typically only need short-term data sources, often no more than a month or so, while forensic analysis teams usually need much longer-lived logs and files. Bear in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.

While there is overlap in the staff skills of incident response and forensic analysis teams, and in fact incident response is often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both kinds of investigation need strong log analysis and malware analysis skills. Incident response requires the ability to quickly isolate an infected device and to establish methods to remediate or quarantine it. Interactions tend to be with other security and operations staff. Forensic analysis typically requires interactions with a much broader set of departments, including HR, compliance, operations and legal.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to remove a threat from one machine in near real time is a major factor in keeping breaches isolated and limited in impact. Incident response, along with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative. Nevertheless, the benefits of this work are undeniable. A thorough forensic investigation allows the remediation of all threats through careful analysis of the entire attack chain of events. And that is nothing to laugh about.

Do your endpoint security processes allow both immediate incident response and long-term historical forensic analysis?

Charles Leaver – Using Edit Distance Is Vital Part 1

Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften

Why are the same tricks being used by attackers over and over? The simple answer is that they still work today. For example, Cisco's 2017 Cybersecurity Report tells us that after years of decline, spam email with malicious attachments is again on the rise. In that conventional attack vector, malware authors typically mask their activities by using a filename that looks like a common system process.

There is not necessarily a connection between a file's path name and its contents: anybody who has tried to hide sensitive information by giving it a boring name like "taxes", or changed the extension on a file attachment to get around email rules, is aware of this idea. Malware creators know this as well, and will often name their malware to look like common system processes. For example, "iexplore.exe" is Internet Explorer, but "iexplorer.exe" with an extra "r" could be anything. It's easy even for experts to overlook this small difference.

The opposite problem, known .exe files running from unusual locations, is easy to solve using string functions and SQL set operations.

[Image: edit-distance-1]

What about the other scenario, finding close matches to the executable name? Most people begin their hunt for close string matches by sorting data and visually looking for inconsistencies. This usually works well for a small data set, maybe even a single system. Finding these patterns at scale, however, requires an algorithmic approach. One established strategy for "fuzzy matching" is to use Edit Distance.

What's the best approach to computing edit distance? For Ziften, our technology stack includes HP Vertica, which makes this task easy. The web is full of data scientists and data engineers singing Vertica's praises, so it will suffice to mention that Vertica makes it simple to create custom functions that take full advantage of its power – from C++ power tools to analytical modeling scalpels in R and Java.

This Git repo is maintained by Vertica enthusiasts working in industry. It's not a certified offering, but the Vertica team is certainly aware of it, and moreover is thinking every day about ways to make Vertica better for data scientists – a great space to watch. Most importantly, it includes a function to compute edit distance! There are also other natural language processing tools there, such as word stemmers and tokenizers.

Using edit distance on the top executable paths, we can quickly find the nearest match to each of our top hits. This is an interesting data set: we can sort by distance to find the closest matches across the whole data set, or sort by frequency of the top path to see the closest match to our most commonly used processes. This data can also surface on contextual "report card" pages, showing, e.g., the top five nearest strings for a given path. Below is a toy example to give a sense of usage, based on real data ZiftenLabs observed in a customer environment.

[Image: edit-distance-2]

Setting an upper limit of 0.2 seems to find good results in our experience, but the point is that these thresholds can be tuned to fit specific use cases. Did we find any malware? We see that "teamviewer_.exe" (should be simply "teamviewer.exe"), "iexplorer.exe" (should be "iexplore.exe"), and "cvshost.exe" (should be svchost.exe, unless perhaps you work for CVS pharmacy…) all look unusual. Since we're already in our database, it's also trivial to pull the associated MD5 hashes, Ziften suspicion scores, and other attributes for a deeper dive.

[Image: edit-distance-3]

In this particular real-world environment, it turned out that teamviewer_.exe and iexplorer.exe were portable applications, not known malware. We helped the customer with further investigation of the user and system where we observed the portable applications, since use of portable apps on a USB drive can be evidence of suspicious activity. The more troubling find was cvshost.exe. Ziften's intelligence feeds indicate that this is a suspicious file. Looking up the MD5 hash for this file on VirusTotal confirms the Ziften data, indicating that this is a potentially severe Trojan that could be a component of a botnet or doing something even more harmful. Once the malware was discovered, however, it was easy to resolve the problem and make sure it stays resolved using Ziften's ability to kill and persistently block processes by MD5 hash.
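To make the hunt concrete, here is an added example in plain Python; it is my own code, not Ziften's Vertica user-defined function and not part of the original post. It implements Levenshtein edit distance, normalizes it by the longer string's length, applies the post's 0.2 threshold to find look-alikes of well-known executable names, and also covers the opposite check from earlier in the post (a known .exe running from an unexpected directory). The allow-list of known executables, the expected directories, and the observed process names are constructed assumptions for the demonstration.

```python
import ntpath
from typing import Dict, List, Set, Tuple

# Constructed allow-list of well-known executable names. In the post this role
# is played by the most frequent executable paths already in the database.
KNOWN_EXECUTABLES = [
    "svchost.exe", "iexplore.exe", "explorer.exe", "teamviewer.exe",
    "lsass.exe", "csrss.exe", "winlogon.exe", "chrome.exe",
]

# Constructed map of where a few well-known binaries are expected to live.
# Directories are compared case-insensitively after normalizing the path.
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of insertions, deletions and substitutions."""
    if len(a) < len(b):
        a, b = b, a  # keep the shorter string as the inner row to save memory
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution / match
        prev = cur
    return prev[-1]


def normalized_distance(a: str, b: str) -> float:
    """Edit distance scaled to [0, 1] by the longer string's length, so the
    0.2 cut-off from the post means 'at most one edit per five characters'."""
    longest = max(len(a), len(b))
    return levenshtein(a, b) / longest if longest else 0.0


def find_lookalikes(observed: List[str], known: List[str],
                    threshold: float = 0.2) -> Dict[str, List[Tuple[str, int, float]]]:
    """For every observed name that is NOT an exact known name, list the known
    names within the threshold as (known_name, raw_distance, normalized)."""
    known_lower = {k.lower() for k in known}
    results: Dict[str, List[Tuple[str, int, float]]] = {}
    for name in observed:
        lowered = name.lower()
        if lowered in known_lower:
            continue  # exact matches are the normal case, nothing to report
        near = []
        for k in known:
            norm = normalized_distance(lowered, k.lower())
            if norm <= threshold:
                near.append((k, levenshtein(lowered, k.lower()), round(norm, 4)))
        if near:
            near.sort(key=lambda t: (t[2], t[0]))  # closest first
            results[name] = near
    return results


def unexpected_location(path: str) -> bool:
    """True when a known executable name runs from a directory it should not."""
    directory, filename = ntpath.split(path)  # ntpath handles Windows paths on any OS
    expected = EXPECTED_DIRS.get(filename.lower())
    if expected is None:
        return False  # not a name we have an expectation for
    return directory.lower() not in expected


if __name__ == "__main__":
    # Constructed observations echoing the names discussed in the post.
    observed = ["svchost.exe", "teamviewer_.exe", "iexplorer.exe",
                "cvshost.exe", "notepad.exe"]
    for name, matches in find_lookalikes(observed, KNOWN_EXECUTABLES).items():
        print(name, "->", matches)
    for p in [r"C:\Windows\System32\svchost.exe",
              r"C:\Users\bob\AppData\Local\Temp\svchost.exe"]:
        print(p, "unexpected location:", unexpected_location(p))
```

Note that "iexplorer.exe" is exactly one edit away from both "iexplore.exe" and "explorer.exe", so the function returns every candidate under the threshold rather than a single winner; the analyst, or the frequency data the post describes, decides which one the name is imitating.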

Even as we develop sophisticated predictive analytics to spot malicious patterns, it is important that we continue to improve our ability to hunt for known patterns and old techniques. Just because new threats emerge does not mean the old ones disappear!

If you enjoyed this post, watch this space for the second part of this series, where we will apply this method to hostnames to detect malware droppers and other malicious websites.

Charles Leaver – Defining Endpoints And Protecting Them Will Be More Challenging As Connected Devices Increase

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver

Just a short time ago everybody understood exactly what you meant if you mentioned an endpoint. If someone wanted to sell you an endpoint security product, you knew what devices that software was going to protect. But when I hear somebody casually talk about endpoints today, The Princess Bride's Inigo Montoya comes to mind: "You keep using that word. I do not think it means exactly what you think it implies." Today an endpoint could be nearly any kind of device.

In all honesty, endpoints are so diverse these days that people have taken to calling them "things." According to Gartner, at the end of 2016 there were over six billion "things" connected to the internet. The consulting firm predicts that this number will climb to twenty-one billion by 2020. The business uses of these things will be both generic (e.g. connected light bulbs and A/C systems) and industry specific (e.g. oil rig security monitoring). For IT and security teams charged with connecting and securing endpoints, however, this is only half of the new challenge. The adoption of virtualization technology has redefined what an endpoint is, even in environments in which these teams have traditionally operated.

The last decade has seen a huge change in how end users access information. Physical devices continue to become more mobile, with many information workers now doing most of their computing and communication on laptops and smartphones. More importantly, everyone is becoming an information worker. Today, better instrumentation and monitoring has enabled levels of data collection and analysis that can make the insertion of information technology into almost any job profitable.

At the same time, more conventional IT assets, especially servers, are being virtualized to remove some of the traditional restrictions of having those assets tied to physical devices.

These two trends together will affect security teams in crucial ways. The totality of "endpoints" will include billions of long-lived and insecure IoT endpoints in addition to billions of virtual endpoint instances that will be scaled up and down as needed and migrated to different physical locations on demand.

Enterprises will have very different worries about these two general types of endpoints. Over their lifetimes, IoT devices will have to be protected from a host of threats, some of which have yet to be dreamed up. Tracking and protecting these devices will require advanced detection capabilities. On the positive side, it will be possible to maintain well-defined log data to enable forensic investigation.

Virtual endpoints, on the other hand, present their own crucial concerns. The ability to move their physical location makes it much harder to ensure the right security policies are always attached to the endpoint. The practice of reimaging virtual endpoints can make forensic investigation difficult, as essential data is usually lost when a new image is applied.

So it doesn't matter what word or words are used to describe your endpoints – endpoint, system, client device, user device, mobile phone, server, virtual machine, container, cloud workload, IoT device, and so on – it is important to understand exactly what someone means when they use the term endpoint.

Charles Leaver – Compromise Is Inevitable Detection Is Vital

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften

If Prevention Has Failed Then Detection Is Crucial

The final scene in the well-known Vietnam War film Platoon depicts a North Vietnamese Army regiment in a surprise night-time attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the startled defenders. The desperate company commander, understanding their dire defensive predicament, orders his air support to strike his own position: "For the record, it's my call – Dump whatever you have actually got left on my position!" Moments later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two aspects of cybersecurity: (1) you have to handle inevitable perimeter breaches, and (2) it can be bloody hell if you do not detect early and respond forcefully. MITRE Corporation has been leading the call for rebalancing cyber security priorities to place due focus on detecting breaches in the network interior rather than simply focusing on penetration prevention at the network perimeter. Rather than defense in depth, the latter produces a flawed "tootsie pop" defense – hard, crunchy shell, soft chewy center. Writing in a MITRE blog, "We could see that it wouldn't be a question of if your network will be breached but when it will be breached," explains Gary Gagnon, MITRE's senior vice president, director of cybersecurity, and chief security officer. "Today, companies are asking 'How long have the hackers been within? How far have they got?'"

Some call this the "assumed breach" approach to cyber security, or as posted to Twitter by F-Secure's Chief Research Officer:

Q: How many of the Fortune 500 are compromised? A: 500.

This is based on the likelihood that any sufficiently complex cyber environment has an existing compromise, and that Fortune 500 businesses are of magnificently complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers

The standard cybersecurity viewpoint, derived from the legacy perimeter defense model, has been that the attacker only has to be right once, while the defender has to be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration. And time to successful penetration shrinks with increasing size and complexity of the target business.

A perimeter or prevention-reliant cyber defense model essentially demands perfect execution by the defender, while handing success to any sufficiently sustained attack – a recipe for certain cyber disaster. For example, a leading cybersecurity red team reports successful enterprise penetration in under 3 hours in more than 90% of their customer engagements – and these white hats are limited to ethical methods. Your business's black hat attackers are not so constrained.

To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that constantly monitors endpoint and network behavior for any unusual signs or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in carrying out their kill chain sequence, and the more time, labor and talent they must invest. The defenders need only observe a single attacker misstep to uncover their tracks and unwind the attack kill chain. Now the defenders become the hunter, the attackers the hunted.

The MITRE ATT&CK Model

MITRE offers a comprehensive taxonomy of attacker footprints, covering the post-compromise segment of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, "We chose to focus on the post-attack period [the part of the kill chain outlined in orange below], not just because of the strong probability of a breach and the dearth of actionable information, but also because of the many opportunities and intervention points readily available for efficient protective action that do not always count on anticipation of adversary tools."

[Image: mitre]

As shown in the MITRE figure above, the ATT&CK model offers extra granularity on the post-compromise phases of the attack kill chain, breaking them out into 10 tactic categories as shown. Each tactic category is further detailed into a list of techniques an adversary might employ in carrying out that tactic. The January 2017 model update of the ATT&CK matrix lists 127 techniques across its 10 tactic categories. For example, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model

Endpoint Detection and Response (EDR) products, such as Ziften supplies, offer crucial visibility into adversary use of techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique use is reported, as is Command Line Interface use, because both involve easily observable endpoint behavior. Brute Force use in the Credential Access category should be blocked by design in every authentication architecture and be visible from the resulting account lockout. But even here the EDR product can report events such as failed login attempts, where an attacker may make a few guesses while staying under the account lockout threshold.
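The failed-login point above is worth seeing in code: an account lockout only fires when the failure counter crosses the policy threshold inside its observation window, so a guesser who stops one short, or who spaces attempts wider than the window, never trips it. The following is an added example of detection logic run over endpoint authentication events; it is my own code, not Ziften's product logic and not from the original post. The event lines, the lockout threshold of 5 failures in 30 minutes, and the alert floor of 3 are constructed assumptions standing in for a real domain policy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable

# Constructed sample of endpoint authentication events (not real telemetry).
# alice: two typos then success; bob: a burst just under lockout;
# carol: slow guessing spaced wider than the lockout window; dave: one failure.
SAMPLE_EVENTS = [
    "2017-01-10T09:00:01 host=WS01 user=alice result=FAIL",
    "2017-01-10T09:00:09 host=WS01 user=alice result=FAIL",
    "2017-01-10T09:00:20 host=WS01 user=alice result=SUCCESS",
    "2017-01-10T09:05:00 host=WS07 user=bob result=FAIL",
    "2017-01-10T09:07:30 host=WS07 user=bob result=FAIL",
    "2017-01-10T09:10:15 host=WS07 user=bob result=FAIL",
    "2017-01-10T09:13:40 host=WS07 user=bob result=FAIL",
    "2017-01-10T08:00:00 host=WS11 user=carol result=FAIL",
    "2017-01-10T08:40:00 host=WS11 user=carol result=FAIL",
    "2017-01-10T09:20:00 host=WS11 user=carol result=FAIL",
    "2017-01-10T10:00:00 host=WS11 user=carol result=FAIL",
    "2017-01-10T10:40:00 host=WS11 user=carol result=FAIL",
    "2017-01-10T11:20:00 host=WS11 user=carol result=FAIL",
    "2017-01-10T09:30:00 host=WS03 user=dave result=FAIL",
]

# Assumed account lockout policy (hypothetical values, not from the post).
LOCKOUT_THRESHOLD = 5                    # failures that trip a lockout
LOCKOUT_WINDOW = timedelta(minutes=30)   # window over which the counter is kept
ALERT_FLOOR = 3                          # report bursts at or above this count

EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) result=(\S+)$")


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value' event line into a dict."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, host, user, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "result": result}


def detect_under_threshold_failures(lines: Iterable[str],
                                    floor: int = ALERT_FLOOR,
                                    lockout: int = LOCKOUT_THRESHOLD,
                                    window: timedelta = LOCKOUT_WINDOW) -> Dict[str, dict]:
    """Replay the events in time order, mirror the lockout counter per user,
    and report accounts whose failures stayed below the lockout threshold yet
    look like guessing: either a burst of >= floor inside one window, or a
    total of >= lockout failures that never accumulated inside any window."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-user failure timestamps inside the window
    stats = defaultdict(lambda: {"max_in_window": 0, "total": 0})
    for ev in events:
        user = ev["user"]
        if ev["result"] == "SUCCESS":
            recent[user].clear()  # a successful logon resets the lockout counter
            continue
        q = recent[user]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop failures that have aged out of the window
        s = stats[user]
        s["total"] += 1
        s["max_in_window"] = max(s["max_in_window"], len(q))

    findings: Dict[str, dict] = {}
    for user, s in stats.items():
        if s["max_in_window"] >= lockout:
            findings[user] = {**s, "reason": "reached lockout threshold"}
        elif s["max_in_window"] >= floor:
            findings[user] = {**s, "reason": "burst below lockout threshold"}
        elif s["total"] >= lockout:
            findings[user] = {**s, "reason": "slow guessing never trips lockout"}
    return findings


if __name__ == "__main__":
    for user, finding in detect_under_threshold_failures(SAMPLE_EVENTS).items():
        print(f"{user}: {finding}")
```

The two counters are the point: `max_in_window` is what the lockout policy sees, and `total` is what the lockout policy never sees. bob is caught by the first (four failures in nine minutes, one short of lockout), carol only by the second (six failures, never more than one per window), while alice's two typos followed by a success and dave's single failure are left alone.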

For vigilant defenders, any technique use may be the attack giveaway that unravels the whole kill chain. EDR solutions compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics capacity to carry out more of the attack pattern detection and kill chain reconstruction, in support of the security analysts staffing the enterprise SOC. Here at Ziften we will outline more EDR product capabilities in support of the ATT&CK post-compromise detection model in future blog posts in this series.

Charles Leaver – This Year's RSA Message Is That Customized Security Solutions Are Wanted

Written By Michael Vaughan And Presented By Charles Leaver Ziften CEO

More customized products are needed by security, network and operational teams in 2017

Many of us have attended security conventions for years, but none bring the same high level of excitement as RSA – where security is discussed by the world. Of all the conventions I have attended and worked, nothing comes close to the enthusiasm for new technology people exhibited this past week in downtown San Francisco.

After taking a couple of days to digest the many discussions about the requirements and constraints of current security tech, I've been able to synthesize a single theme among attendees: people want customized solutions that fit their environment and will work across multiple internal teams.

When I use the term "people," I mean everyone in attendance regardless of technology sector. Operations professionals, security professionals, network veterans, and user behavior analysts all visited the Ziften booth and shared their stories with us.

Everybody seemed more ready than ever to discuss their needs and wants for their environment. These attendees had their own set of goals they wished to achieve within their department and they were eager for answers. Since the Ziften Zenith solution provides such broad visibility on enterprise devices, it's not surprising that our booth stayed crowded with people eager to learn more about a new, refreshingly simple endpoint security technology.

Attendees came with complaints about a myriad of enterprise-centric security issues and sought deeper insight into what's really happening on their network and on devices traveling in and out of the office.

End users of old-school security products are on the hunt for newer, more capable software.

If I could pick just one of the frequent questions I received at RSA to share, it's this one:

"What exactly is endpoint discovery?"

1) Endpoint discovery: Ziften exposes a historical view of unmanaged devices which have been connected to other business endpoints at some point in time. Ziften allows users to discover known and unknown entities which are active or have interacted with known endpoints.

a. Unmanaged Asset Discovery: Ziften uses our extension platform to reveal these unknown entities operating on the network.

b. Extensions: These are custom-fit solutions tailored to the user's specific wants and needs. The Ziften Zenith agent can execute the assigned extension one time, on a schedule or persistently.

Usually after the above explanation came the real reason they were visiting:

People are looking for a wide variety of solutions for many departments, including executives. This is where working at Ziften makes answering this question a real treat.

Only a portion of the RSA attendees are security specialists. I talked with many network, operations and endpoint management staff, vice presidents, general managers and channel partners.

They clearly all use and understand the need for quality security software, but apparently find the translation to business value missing among security vendors.

NetworkWorld's Charles Araujo phrased the concern quite well in an article last week:

Organizations should also rationalize security data in a business context and manage it holistically as part of the total IT and organization operating model. A group of suppliers is also attempting to tackle this challenge …

Ziften was among only three companies highlighted.

After listening to the wants and needs of people from different business-critical backgrounds and explaining to them the capabilities of Ziften's Extension platform, I typically described how Ziften would tailor an extension to address their need, or I gave a short demonstration of an extension that would allow them to overcome a challenge.

2) Extension Platform: Customized, actionable solutions.

a. SKO Silos: Extensions based upon fit and requirement (operations, network, endpoint, etc).

b. Customized Requests: Need something you don't see? We can fix that for you.

3) Enhanced Forensics:

a. Security: Threat management, Threat Assessment, Vulnerabilities, Suspicious metadata.

b. Operations: Compliance, License Rationalization, Unmanaged Assets.

c. Network: Ingress/Egress IP movement, Domains, Volume metadata.

4) Visibility within the network – Not just what enters and leaves.

a. ZFlow: Finally see the network traffic inside your enterprise.

Needless to say, everyone I talked to at our booth quickly understood the key benefit of having a product such as Ziften Zenith running in and across their business.

Forbes writer Jason Bloomberg said it very well when he recently described the future of enterprise security software and how all signs point toward Ziften leading the way:

Maybe the broadest interruption: vendors are improving their capability to comprehend how bad actors behave, and can hence take steps to prevent, discover or mitigate their malicious activities. In particular, today’s suppliers comprehend the ‘Cyber Kill Chain’ – the actions a competent, patient hacker (known in the biz as an innovative relentless risk, or APT) will require to attain his/her dubious objectives.

The product of U.S. Defense contractor Lockheed Martin, The Cyber Kill Chain consists of 7 links: reconnaissance, weaponization, shipment, exploitation, setup, establishing command and control, and actions on goals.

Today’s more innovative suppliers target several of these links, with the goal of preventing, discovering or mitigating the attack. Five suppliers at RSA stood out in this classification.

Ziften provides an agent based method to tracking the behavior of users, devices, applications, and network components, both in real-time along with across historic data.

In real time, experts use Ziften for danger identification and prevention, while they use the historic data to uncover steps in the kill chain for mitigation and forensic functions.

Charles Leaver – How You Can Prevent Operational Issues Becoming Security Problems

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Get Back To Fundamentals With Hygiene And Avoid Serious Problems

When you were a child you were taught that brushing your teeth properly and flossing will prevent the need for expensive crowns and root canal procedures. Basic hygiene is far simpler and far cheaper than neglect and disease. The same lesson applies in the realm of enterprise IT – we can run a sound operation with proper endpoint and network hygiene, or we can deal with mounting security issues and disastrous data breaches as lax hygiene extracts its heavy toll.

Operational and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we have created here at Ziften provide analytic insight into system operation across the enterprise endpoint population. They also provide endpoint-derived network operation insights that substantially expand on wire visibility alone and extend into cloud and virtual environments. These insights benefit both security and operations teams in significant ways, given the considerable overlap between operational and security concerns:

On the security side, EDR tools supply essential situational awareness for incident response. On the operational side, EDR tools offer essential endpoint visibility for operational control. Critical situational awareness requires a baseline understanding of endpoint population operating norms, and that understanding facilitates appropriate operational control.

Another way to describe these interdependencies is:

You can’t secure what you do not manage.
You can’t manage what you do not measure.
You can't measure what you do not monitor.

Managing, measuring, and monitoring have as much to do with the security role as with the operational role; don't try to split the baby. Management means adherence to policy, that adherence must be measured, and operational measurements form a time series that must be monitored. A few sparse measurements of a critical dynamic time series lack interpretive context.

Tight security does not make up for lax management, nor does tight management make up for lazy security. [Read that again for emphasis.] Execution imbalances here lead to unsustainable inefficiencies and scale difficulties that inevitably cause major security breaches and operational shortfalls.

Where The Areas Overlap

Significant overlaps between operational and security concerns include:

Configuration hardening and standard images
Group policy
Cloud management and application control
Network segmentation and management
Data security and file encryption
Asset management and device restore
Management of mobile devices
Management of logs
Backups and data restore
Vulnerability and patch management
Identity management
Access management
Employee continuous cyber awareness training

For example, asset management and device restore as well as backup and data restore are likely operational team responsibilities, but they become major security problems when ransomware sweeps the network, bricking all devices (not just the typical endpoints, but any network-connected devices such as printers, badge readers, security cameras, network routers, medical imaging devices, industrial control systems, and so on). What would your enterprise response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency plan to promptly stuff the attackers' Bitcoin wallets and hope they haven't exfiltrated your data for further extortion and monetization? And why would you outsource your data restore duty to a criminal syndicate, blindly trusting in their perfect data restoration integrity – it makes absolutely zero sense. Operational control responsibility rests with the business, not with the attackers, and may not be shirked – shoulder your duty!

For another example, standard image construction using best-practice configuration hardening is clearly a joint responsibility of operations and security staff. In contrast to ineffective signature-based endpoint protection platforms (EPP), which all large enterprise breach victims have long had in place, configuration hardening works, so bake it in and constantly refresh it. Also consider the needs of business personnel whose job function demands opening unsolicited email attachments, such as resumes, invoices, legal notices, or other required files. This should be done in a cloistered virtual sandbox environment, not on your production endpoints. Security staff will make these decisions, but operations personnel will be imaging the endpoints and supporting the staff members. These are shared duties.

Example Of Overlap:

Use a safe environment to detonate. Do not use production endpoints for opening unsolicited but necessary email files, like resumes, invoices, legal notices, etc.

Focus Limited Security Resources on the Tasks Only They Can Perform

Many large businesses are challenged to fully staff all their security roles. Left unaddressed, deficiencies in operational effectiveness will burn out security staff so quickly that security roles will always be understaffed. There will not be enough fingers on your security team to plug the multiplying holes in the security dike that lax or inattentive endpoint, network or database management creates. And it will be less hard to staff operational roles than to staff security roles with talented experts.

Offload routine, formulaic activities to operations personnel. Concentrate limited security resources on the jobs only they can perform:

Staffing of the Security Operations Center (SOC)
Preventive penetration testing and red teaming
Reactive incident response and forensics
Proactive threat hunting (both external and insider)
Security oversight of overlapping operational roles (ensuring a current security mindset)
Security policy development and stakeholder buy-in
Security architecture/tools/methodology design, selection, and development

Enforce disciplined operations management and focus limited security resources on critical security roles. Then your business can prevent operations issues from festering into security issues.

Charles Leaver – Security Fabric Is All The Buzz At Conference Fortinet Accelerate 2017

Written By Josh Applebaum And Presented By Ziften CEO Charles Leaver

The Fortinet Accelerate 2017 conference was held recently in Las Vegas. Ziften sponsored Fortinet's annual International Partner Conference for the second time, and it was a pleasure to be in attendance! The energy at the show was noticeable, and this was not due to the energy drinks you constantly see people carting around in Las Vegas. The buzz and energy came from an essential theme the entire week: the Fortinet Security Fabric.

The idea behind Fortinet's Security Fabric is simple: take the disparate security "point products" that an organization has deployed, and link them to leverage the deep intelligence each product holds in its own security vault to offer a combined end-to-end security blanket over the whole organization. Though Fortinet is generally thought of as a network security company, their approach to providing a complete security solution spans more than the traditional network to include endpoints, IoT devices, and the cloud. By exposing APIs to the Fabric Ready partners and enabling the exchange of actionable threat intelligence, Fortinet is creating a path for a more collaborative strategy across the whole security industry.

It is refreshing to see that Fortinet shares the belief we hold at Ziften: the only way we as an industry are going to catch up with (and get ahead of) the attackers is through integration and collaboration across every part of security, no matter which vendor supplies each piece of the overall solution. This is not a problem any of us will solve alone, but rather one that will be solved through a combined approach like the one laid out by Fortinet with its Security Fabric. Ziften is proud to be a founding member of Fortinet’s Fabric Ready Alliance program, combining our unique approach to endpoint security with Fortinet’s “think different” mindset about what it means to integrate and collaborate.

Throughout the week, Fortinet’s (very enthusiastic) channel partners had the chance to walk the show floor and see the integrated solutions offered by the many technology partners. Ziften showcased its integrations with Fortinet, including the integration of our solution with Fortinet’s FortiSandbox.

The Ziften solution collects unknown files from endpoints (clients or servers running OS X, Linux, or Windows) and submits them to the FortiSandbox for detonation and analysis. Results are immediately fed back into Ziften for alerting, reporting, and (where possible) automated mitigation actions.
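An added illustration of the endpoint-to-sandbox loop just described (example code written for this post, not Ziften’s or Fortinet’s; the sandbox client is a constructed stand-in, not the FortiSandbox API): files are deduplicated by content hash, only genuinely unknown files are submitted, and each verdict maps to an allow, alert, or quarantine action.

```python
"""Endpoint-to-sandbox triage loop (added example, not Ziften's or
Fortinet's code). FakeSandbox is a constructed stand-in for a real
sandbox such as FortiSandbox; the control flow around it is the point."""
import hashlib


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FakeSandbox:
    """Constructed stand-in: returns a canned verdict per content hash."""

    def __init__(self, verdicts: dict):
        self.verdicts = verdicts   # sha256 -> "clean" | "suspicious" | "malicious"
        self.submissions = 0       # lets us prove that duplicates are not resubmitted

    def analyze(self, data: bytes) -> str:
        self.submissions += 1
        return self.verdicts.get(sha256_of(data), "clean")


# Verdict -> response. "alert" is a human review item; "quarantine" is the
# automated mitigation step the post says happens "where possible".
ACTIONS = {"clean": "allow", "suspicious": "alert", "malicious": "quarantine"}


class Triage:
    def __init__(self, sandbox: FakeSandbox, known: dict):
        self.sandbox = sandbox
        self.cache = dict(known)   # sha256 -> verdict: allowlist/denylist plus past results
        self.events = []           # reporting trail: one record per observed file

    def handle(self, host: str, path: str, data: bytes) -> str:
        """Return the action taken for a file observed on `host` at `path`."""
        digest = sha256_of(data)
        verdict = self.cache.get(digest)
        if verdict is None:                 # genuinely unknown: send to the sandbox
            verdict = self.sandbox.analyze(data)
            self.cache[digest] = verdict    # every host that sees it later reuses this
        action = ACTIONS[verdict]
        self.events.append({"host": host, "path": path, "sha256": digest,
                            "verdict": verdict, "action": action})
        return action


# Constructed sample "files"; the sandbox verdicts are canned for the demo.
GOOD = b"constructed benign installer"
BAD = b"constructed malicious dropper"
ODD = b"constructed packed but unsigned tool"


def demo() -> Triage:
    sandbox = FakeSandbox({sha256_of(BAD): "malicious", sha256_of(ODD): "suspicious"})
    triage = Triage(sandbox, known={sha256_of(GOOD): "clean"})   # GOOD is pre-allowlisted
    triage.handle("ws-01", "C:/Users/a/Downloads/setup.exe", GOOD)
    triage.handle("ws-01", "C:/Users/a/AppData/x.exe", BAD)
    triage.handle("ws-02", "/home/b/x.exe", BAD)    # same file elsewhere: cached, not resubmitted
    triage.handle("srv-03", "/opt/tools/pack", ODD)
    return triage


if __name__ == "__main__":
    for e in demo().events:
        print(e["host"], e["verdict"], e["action"])
```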

It was interesting to see that the Fortinet channel partners clearly grasped the value of a Security Fabric approach. It was clear to them, as well as to Ziften, that the Security Fabric is not a marketing gimmick, but a real strategy assembled and led by Fortinet. While this is only the start of Fortinet’s Security Fabric story, Ziften is excited to team up with Fortinet and watch the story continue to unfold!

Charles Leaver – Discover Cyber Espionage Strategies That Will Occur In 2017

Published by:

Written By Jesse Sampson And Presented By Ziften CEO Charles Leaver

 

There is a lot of controversy at the moment about the hacking threat from Russia, and it would be easy for security professionals to become overly concerned about cyber espionage. Since the goals of any cyber espionage campaign determine its targets, Ziften Labs can help answer this concern by diving into the reasons states conduct these campaigns.

Very recently, the three major United States intelligence agencies released a comprehensive statement on Russian activities related to the 2016 United States elections: Assessing Russian Activities and Intentions in Recent US Elections (hereafter Activities and Intentions). While some skeptics remain unconvinced by the new report, the threats it identifies, which we cover in this post, are compelling enough to warrant evaluation and reasonable countermeasures, despite the near impossibility of incontrovertibly attributing the source of an attack. Naturally, the official Russian position has been a winking denial of the hacks.

“Typically these types of leaks take place not because cyber attackers broke in, but, as any specialist will tell you, because somebody just forgot the password or set the basic password 123456.” – German Klimenko, Putin’s top Internet adviser

While the agencies get panned for bureaucratic language like “high confidence,” the considered rigor of documents like Activities and Intentions contrasts with the headline-grabbing “1000% certainty” of a mathematically disinclined media hustler like Julian Assange.

Activities and Intentions is most perceptive when it locates the use of hacking and cyber espionage within “diverse” Russian doctrine:

“Moscow’s use of disclosures during the US election was unprecedented, but its influence campaign otherwise followed a longstanding Russian messaging strategy that blends covert intelligence operations – such as cyber activity – with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or ‘trolls.’”

The report is at its weakest when assessing the intentions behind the doctrine, a.k.a. strategy. Aside from some incantations about fundamental Russian hostility to the liberal democratic order, it claims that:

“Putin most likely wanted to discredit Secretary Clinton because he has publicly blamed her since 2011 for inciting mass protests against his regime in late 2011 and early 2012, and because he holds a grudge for comments he almost certainly saw as disparaging him.”

A more nuanced examination of Russian motivation and its cyber manifestations will help us better plan security strategy in this environment. Ziften Labs has identified three major strategic imperatives at work.

First, as Kissinger would say, throughout history “Russia decided to see itself as a beleaguered station of civilization for which security could be discovered only through exerting its outright will over its neighbors” (52). United States policy in the Bill Clinton era threatened this imperative through the expansion of NATO and dislocating economic interventions, possibly contributing to a Russian preference for a Trump presidency.

Russia has used cyber warfare techniques to protect its influence in former Soviet territories (Estonia, 2007; Georgia, 2008; Ukraine, 2015).

Second, President Putin wants Russia to be a great power in geopolitics again. “Above all, we should acknowledge that the collapse of the Soviet Union was a major geopolitical disaster of the century,” he said in 2005. Hacking the accounts of prominent people in political, academic, defense, technology, and other institutions, so that operatives can leak the contents to embarrassing or scandalous effect, is a simple way for Russia to discredit the United States. The perception that Russia can affect election results in the US with a keystroke calls the legitimacy of US democracy into question, and muddies discussion of similar problems in Russia. Together with other prestige-boosting efforts like leading the ceasefire talks in Syria (after leveling numerous cities), this technique could enhance Russia’s worldwide profile.

Finally, President Putin may have concerns about the security of his own position. Despite extremely favorable election results, according to Activities and Intentions, the demonstrations of 2011 and 2012 still loom large for him. With a number of regimes changing in his neighborhood in the 2000s and 2010s (he called it an “epidemic of disintegration”), some of which came about as a result of intervention by NATO and the US, President Putin is wary of Western interventionists who would not mind a similar result in Russia. A coordinated campaign could help discredit rivals and put the least aggressive candidates in power.

In light of these reasons for Russian hacking, who are the most likely targets?

Given the overarching goals of discrediting the legitimacy of the US and NATO and assisting non-interventionist candidates where possible, government agencies, especially those with roles in elections, are at greatest risk. So too are campaign organizations and other NGOs close to politics, such as think tanks. These have provided softer targets for attackers seeking access to sensitive information. This suggests that organizations holding account information for, or access to, prominent individuals whose details could lead to embarrassment or confusion for US political, academic, and media institutions must be especially careful.

The next tier of risk consists of critical infrastructure. While recent Washington Post reports of a compromised US electrical grid turned out to be overhyped, Russia has in fact hacked power networks and perhaps other parts of physical infrastructure such as oil and gas. Beyond critical physical infrastructure, technology, finance, telecommunications, and media could be targeted, as happened in Georgia and Estonia.

Lastly, although the intelligence agencies’ efforts over the past few months have caught some heat for offering “obvious” recommendations, everyone would really benefit from the tips presented in the Homeland Security/FBI report, and in this post about hardening your configuration by Ziften’s Dr Hartmann. With major elections coming up this year in key NATO members France, the Netherlands, and Germany, only one thing is certain: it will be a busy year for Russian hackers, and these recommendations should be a top priority.

Charles Leaver – Enhance Your Security With Asset Management And Discovery

Published by:

Written By Roark Pollock And Presented By Charles Leaver CEO Ziften

 

Reliable IT asset management and discovery can be a network and security admin’s best friend.

I do not have to tell you the obvious; we all know a good security program begins with an audit of all the devices connected to the network. However, maintaining a current inventory of every connected device used by employees and business partners is difficult. Even more challenging is ensuring that there are no connected un-managed assets.

What is an Un-managed Asset?

Networks can have thousands of connected devices. These may include, among others:

– User devices such as laptops, desktop PCs, workstations, virtual desktop systems, bring-your-own devices (BYOD), cellular phones, and tablets.

– Cloud and data center devices such as servers, virtual machines (VMs), orphaned VMs, containers, and storage systems.

– Networking devices such as switches, load balancers, firewalls, and WiFi access points.

– Other devices such as printers and, more recently, Internet of Things (IoT) devices.

Unfortunately, many of these connected devices may be unknown to IT, or not managed by IT group policies. These unidentified devices, and those not managed by IT policies, are referred to as “un-managed assets.”

The number of un-managed assets continues to increase for many companies. Ziften finds that as many as 30% to 50% of all connected devices can be unmanaged assets in today’s business networks.

IT asset management tools are typically optimized to identify assets such as computers, servers, load balancers, firewalls, and storage devices used to deliver enterprise applications to the organization. However, these management tools generally ignore assets not owned by the organization, such as BYOD endpoints or user-deployed wireless access points. Even more troubling, Gartner asserts in “Beyond BYOD to IoT, Your Business Network Access Policy Should Change” that IoT devices have overtaken employees and visitors as the largest user of the business network.[1]

Gartner goes on to describe a new trend that will introduce even more unmanaged assets into the business environment – bring your own things (BYOT).

Essentially, employees bring products that were designed for the smart home into the office environment. Examples include smart power sockets, smart kettles, smart coffee machines, smart light bulbs, domestic sensors, wireless webcams, plant care sensors, environmental controls, and eventually home robots. Many of these things will be brought in by staff seeking to make their working environment more congenial. These “things” can sense information, can be managed by apps, and can communicate with cloud services.[1]

Why is it Crucial to Discover Un-managed Assets?

Quite simply, unmanaged assets produce IT and security blind spots. Mike Hamilton, SVP of Product at Ziften, said, “Security begins with knowing what physical and virtual devices are connected to the corporate network. But BYOD, shadow IT, IoT, and virtualization are making that more challenging.”

These blind spots not only increase security and compliance risk, they can also increase legal risk. Information retention policies designed to limit legal liability are unlikely to be applied to digitally stored information held on unauthorized virtual, mobile, and cloud assets.

Maintaining an up-to-date inventory of the assets on your network is vital to good security. It’s common sense: if you do not know it exists, you cannot know whether it is secure. In fact, asset visibility is so crucial that it is a fundamental part of most information security frameworks, including:

– SANS Critical Security Controls for effective cyber defense: Establishing an inventory of authorized and unauthorized devices is number one on the list.

– Council on CyberSecurity Critical Security Controls: Establishing an inventory of authorized and unauthorized devices is the first control in the prioritized list.

– NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137): Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

– ISO/IEC 27001 Information Security Management System Requirements: The standard requires that all assets be clearly identified and that an inventory of all important assets be prepared and maintained.

– Ziften’s Adaptive Security Framework: The first pillar includes discovery of all your authorized and unauthorized physical and virtual devices.

Considerations in Evaluating Asset Discovery Solutions

There are several techniques used for asset discovery and network mapping, and each has benefits and drawbacks. While evaluating the myriad tools, keep these two key considerations in mind:

Continuous versus point-in-time

Strong information security requires continuous asset identification, whatever approach is employed. However, many scanning techniques used in asset discovery take time to complete and are therefore carried out periodically. The drawback of point-in-time asset discovery is that transient systems may be on the network only briefly. It is therefore quite possible that these short-lived systems will never be found.

Some discovery techniques can trigger security alerts in network firewalls, intrusion detection systems, or virus scanning tools. Because these methods can be disruptive, identification is carried out only at regular, point-in-time intervals.

There are, however, some asset discovery techniques that can be used continuously to locate and identify connected assets. Tools that offer continuous monitoring for un-managed assets deliver better un-managed asset discovery results.

Passive versus active

Asset identification tools provide intelligence on all discovered assets, including IP address, hostname, MAC address, device manufacturer, and device type. This technology helps operations teams rapidly clean up their environments, removing rogue and unmanaged devices – even VM sprawl. However, these tools go about this intelligence gathering in different ways.

Tools that use active network scanning effectively probe the network to coax responses from devices. These responses provide clues that help identify and fingerprint the device. Active scanning periodically examines the network, or a segment of it, for devices that are connected at the time of the scan.

Active scanning can generally provide more in-depth vulnerability analysis, malware detection, and configuration and compliance auditing. However, active scanning is performed only occasionally because of its disruptive interaction with security infrastructure. Unfortunately, active scanning therefore risks missing short-lived devices and vulnerabilities that appear between scheduled scans.

Other tools use passive asset identification techniques. Because passive detection operates 24 × 7, it will identify transient assets that may only occasionally and briefly connect to the network, and it can send alerts when new assets are found.

In addition, passive discovery does not disturb sensitive devices on the network, such as industrial control systems, and it provides visibility of Web and cloud services being accessed from systems on the network. Passive discovery techniques also avoid triggering alerts on security tools throughout the network.
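An added example (written for this post, not Ziften’s code) that makes the continuous-versus-point-in-time and passive-versus-active distinctions concrete: a passive inventory is folded together from a constructed timeline of sightings, then compared with what periodic scans fired at fixed times would have caught.

```python
"""Passive, continuous discovery versus periodic point-in-time scans.

Added example for this post, not Ziften's code. The sightings below are a
constructed timeline of (minute, MAC, IP, hostname) tuples, the kind of
record a passive sensor derives from ARP or DHCP traffic it merely observes."""
from dataclasses import dataclass


@dataclass
class Asset:
    mac: str
    ip: str
    hostname: str
    first_seen: int
    last_seen: int
    managed: bool


# Constructed sightings. Only the corporate laptop is in the managed inventory;
# the phone joins for five minutes and the rogue AP appears between scans.
SIGHTINGS = [
    (0,   "00:11:22:33:44:aa", "10.0.0.10", "corp-laptop-01"),
    (0,   "00:11:22:33:44:cc", "10.0.0.40", "smart-kettle"),
    (15,  "00:11:22:33:44:bb", "10.0.0.23", "bobs-phone"),
    (20,  "00:11:22:33:44:bb", "10.0.0.23", "bobs-phone"),
    (60,  "00:11:22:33:44:aa", "10.0.0.10", "corp-laptop-01"),
    (90,  "00:11:22:33:44:cc", "10.0.0.40", "smart-kettle"),
    (120, "00:11:22:33:44:aa", "10.0.0.10", "corp-laptop-01"),
    (130, "00:11:22:33:44:dd", "10.0.0.77", "rogue-ap"),
]
MANAGED_MACS = {"00:11:22:33:44:aa"}   # constructed CMDB / group-policy membership


def passive_inventory(sightings, managed):
    """Fold every sighting into the inventory as it happens (24x7 operation).
    Returns (inventory by MAC, alerts raised the first time an unmanaged MAC appears)."""
    inventory, alerts = {}, []
    for minute, mac, ip, host in sightings:
        asset = inventory.get(mac)
        if asset is None:
            inventory[mac] = Asset(mac, ip, host, minute, minute, mac in managed)
            if mac not in managed:
                alerts.append((minute, mac, ip, host))
        else:                                   # refresh: IP/hostname may change over time
            asset.ip, asset.hostname, asset.last_seen = ip, host, minute
    return inventory, alerts


def scanned_macs(sightings, scan_minutes, online_window):
    """Simulate periodic active scans: a device only answers a scan if it was
    on the network within `online_window` minutes before the scan fired."""
    seen = set()
    for scan in scan_minutes:
        for minute, mac, _ip, _host in sightings:
            if scan - online_window <= minute <= scan:
                seen.add(mac)
    return seen


def missed_by_scans(sightings, scan_minutes, online_window, managed):
    """MACs the passive inventory knows about that no scheduled scan ever saw."""
    inventory, _ = passive_inventory(sightings, managed)
    seen = scanned_macs(sightings, scan_minutes, online_window)
    return sorted(mac for mac in inventory if mac not in seen)


if __name__ == "__main__":
    inv, alerts = passive_inventory(SIGHTINGS, MANAGED_MACS)
    print(f"{len(inv)} assets seen passively, {len(alerts)} unmanaged-asset alerts")
    print("missed by 2-hourly scans:", missed_by_scans(SIGHTINGS, [0, 120], 5, MANAGED_MACS))
```

With two-hourly scans the phone and the rogue access point never appear in the scan results at all, while the passive inventory has both, with first-seen and last-seen timestamps.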

Summary

BYOD, shadow IT, IoT, virtualization, and Gartner’s newly coined BYOT bring more and more assets onto the corporate network. Unfortunately, many of these assets are unknown to or un-managed by IT. These unmanaged assets pose major security holes. Removing these un-managed assets from the network – they are far more likely to be “patient zero” – or bringing them up to business security standards greatly reduces an organization’s attack surface and overall risk. The good news is that there are solutions that can provide continuous, passive discovery of unmanaged assets.

Charles Leaver – Enterprise Antivirus Is Losing Its Touch

Published by:

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

 

Dwindling Effectiveness of Enterprise Antivirus?

Google Security Expert Labels Antivirus Apps As Ineffective ‘Magic’

At the recent Kiwicon hacking conference in Wellington, New Zealand, Google Platform Integrity team manager Darren Bilby preached cyber-security heresy. Tasked with investigating highly advanced attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise antivirus into a collection of ineffective tools installed to tick a compliance check box, but at the cost of real security:

“We have to stop investing in those things we have revealed are not effective… Anti-virus does some helpful things, however in reality, it is more like a canary in a coal mine. It is worse than that. It’s like we are loafing around the dead canary stating ‘Thank god it inhaled all the dangerous gas.’”

Google security experts aren’t the first to weigh in against enterprise antivirus, or to draw uncomplimentary comparisons, in this case to a dead canary.

Another highly proficient security group, FireEye Mandiant, compared static defenses such as enterprise antivirus to that infamously failed World War II defense, the Maginot Line:

“Like the Maginot Line, today’s cyber defenses are fast becoming a relic in today’s danger landscape. Organizations invest billions of dollars each year on IT security. But hackers are quickly outflanking these defenses with creative, fast moving attacks.”

An example of this was offered by a Cisco managed security services executive speaking at a conference in Poland. Their team had identified anomalous activity on one of their business clients’ networks and reported the suspected server compromise to the client. To the Cisco team’s astonishment, the customer simply ran an antivirus scan on the server, found no detections, and placed it back into service. Horrified, the Cisco team conferenced the customer in to their monitoring console and was able to show the attacker conducting a live remote session at that very moment, complete with typing mistakes and re-issued commands to the compromised server. Finally convinced, the client took the server down and completely re-imaged it. The enterprise antivirus had been a useless distraction: it had not served the customer and it had not deterred the attacker.

So Is It Time to Get Rid of Enterprise Antivirus Already?

I am not yet ready to declare an end to the age of enterprise antivirus. But I do know that organizations need to invest in detection and response capabilities to complement traditional antivirus. Increasingly, though, I wonder which is complementing which.

Skilled targeted attackers will always successfully evade antivirus defenses, so against your biggest cyber threats, enterprise antivirus is essentially useless. As Darren Bilby noted, it does do some useful things, but it does not provide the endpoint defense you need. So don’t let it distract you from the highest-priority cyber-security investments, and don’t let it distract you from security measures that fundamentally do help.

Proven cyber defense measures include:

– Configuration hardening of networks and endpoints.

– Identity management with strong authentication.

– Application controls.

– Continuous network and endpoint monitoring, and constant vigilance.

– Strong encryption and data security.

– Staff training and education.

– Continual risk re-assessment, penetration testing, and red/blue teaming.

In contrast to Bilby’s criticism of enterprise antivirus, none of the above bullets are ‘magic’. They are simply the ongoing hard work of adequate enterprise cyber-security.