Monthly Archives: June 2015

Charles Leaver – 30 Days To The OMB Cyber Security Sprint With 8 Principles And 8 Keys

Written by Dr Al Hartmann and presented by Charles Leaver, Ziften CEO


After the enormous data breach at the Office of Management and Budget (OMB), Federal Chief Information Officer Tony Scott directed agencies to take immediate, specific actions over the next four weeks to further improve the security of their data and systems. For an organization of this size it was a bold move, but software development has shown that a sprint, acting fast and focused over a short period, can make a lot of headway on a problem. That is especially true for large organizations, and the OMB is certainly large.

The sprint focused on 8 principles. We have broken these down and offered insight on how each could be made more effective within the timeframe, to help the government make significant inroads in just a month. As you would expect, we look at things from the endpoint, and by reading through the 8 principles you will see how endpoint visibility would have been crucial to a successful sprint.

1. Protecting data: Better safeguard data at rest and in transit.

This is a good start, and rightly priority one, but we would strongly encourage OMB to include the endpoint here. Many data protection solutions overlook the endpoint, yet it is where data is most vulnerable, whether at rest or in motion. The team should check that it can assess endpoint software and hardware configuration, including the presence of any data security and system security agents, and not forget Microsoft BitLocker configuration checking. That is only the start: compliance checking of mandated agents should not be forgotten, and it should be performed continuously, enabling audit reporting of percentage coverage for each agent.

2. Improving situational awareness: Enhance indication and warning.

Situational awareness is akin to visibility: can you see what is really happening, where, and why? And of course this has to be in real time. During the sprint it should be verified that identity and tracking of logged-in users, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, noteworthy log events and a myriad of other activity indicators across many thousands of endpoints hosting vast oceans of processes is possible. THIS is situational awareness for both indication and warning.

3. Increasing cyber security proficiency: Make sure a robust capacity to hire and retain cyber security workers.

This is a challenge for any security program. Finding good talent is hard, and retaining it is harder still. To attract this kind of skill set, win people over by offering the latest tools for cyber battle. Make sure they have a system that provides total visibility of what is happening at the endpoint and across the whole environment. As part of the sprint, OMB should analyse the tools in place and check whether each tool turns the security team from the hunted into the hunter. If not, replace that tool.

4. Increase awareness: Enhance overall threat awareness by all users.

Threat awareness starts with effective threat scoring, and fortunately this is something that can be achieved dynamically all the way to the endpoint and used to educate every user. User education is a challenge that is never finished, as evidenced by the high success rate of social engineering attacks. But when security teams have endpoint risk scoring they have concrete material to show users where and how they are vulnerable. This real-world situational awareness (see #2) increases user awareness, while also giving the security team accurate details on, say, known software vulnerabilities, cases of compromised credentials and insider adversaries, as well as continuously monitoring system, user and application activity and network points of contact, so that security analytics can highlight heightened risks for security staff to triage.

5. Standardizing and automating procedures: Reduce time needed to handle configurations and patch vulnerabilities.

More should be demanded from security solutions: they should be immediately deployable without tedious preparation, infrastructure stand-up or extensive staff training. Did the solutions in place take longer than a couple of days to implement and demand another full-time employee (FTE), or even half an FTE? If so, you need to rethink those solutions, because they are probably hard to use (see #3) and are not doing the job you require, so you will have to improve on the present tools. Likewise, look for endpoint solutions that not only report software and hardware configurations and active services and processes, but also apply the National Vulnerability Database to report actual running, exposed vulnerabilities, and then assign an overall vulnerability score to each endpoint to help overworked support staff prioritize patching.

6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and deal with incidents and events.

Rapid identification of and response to problems is the primary goal in the new world of cyber security. During their 30-day sprint, OMB should assess their solutions and make sure to find technologies that not only monitor the endpoint, but track every process that runs and all of its network contacts, including user login attempts, to make it possible to trace malware proliferation and lateral network movement. Data derived from endpoint command and control (C2) accesses associated with major data breaches shows that about half of compromised endpoints do not host recognizable malware, heightening the relevance of login and contact activity. Proper endpoint security will retain OMB data for long-term analysis, since many indicators of compromise become available only after the event, or even long afterwards, while persistent attackers may quietly lurk or remain dormant for extended periods. Attack code that can be sandbox-detonated and recognized within minutes is not indicative of advanced attackers. This ability to keep clues and connect the dots across both spatial and temporal dimensions is vital to full identification and complete, non-recidivist resolution.
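As an added illustration of the process-attributed contact and login tracking described above (example code written for this page, not Ziften's product), the detector below flags an account that authenticates from one endpoint to many others within a short window, using only the login and contact pattern and no malware indicator. The telemetry records, endpoint names, user names and process names are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Contact:
    """One process-attributed network contact as an endpoint agent would record it.
    remote_logon=True means the contact was an authentication to the destination."""
    ts: datetime
    src_endpoint: str
    user: str
    process: str
    dst_endpoint: str
    remote_logon: bool

def sample_contacts() -> List[Contact]:
    """Constructed telemetry: ordinary activity, plus one account on ws-017 that
    authenticates from a remote-administration process to six peers in five minutes."""
    t0 = datetime(2015, 6, 1, 9, 0, 0)
    rows = [
        Contact(t0, "ws-003", "alice", "outlook.exe", "mail-01", False),
        Contact(t0 + timedelta(minutes=1), "ws-003", "alice", "chrome.exe", "proxy-01", False),
        Contact(t0 + timedelta(minutes=2), "ws-009", "bob", "explorer.exe", "fs-01", True),
        Contact(t0 + timedelta(minutes=40), "ws-009", "bob", "explorer.exe", "fs-02", True),
    ]
    for k in range(6):
        rows.append(Contact(t0 + timedelta(minutes=10 + k), "ws-017", "svc-backup",
                            "remote-admin.exe", f"ws-{100 + k:03d}", True))
    return rows

Actor = Tuple[str, str, str]   # (source endpoint, user, process)

def detect_logon_fanout(contacts: List[Contact], window: timedelta = timedelta(minutes=10),
                        min_targets: int = 5) -> List[Tuple[Actor, datetime, List[str]]]:
    """Flag actors that authenticate to at least min_targets distinct endpoints inside
    any sliding window. The spatial dimension is the set of destinations, the
    temporal one the window; neither depends on recognizing a malicious binary."""
    by_actor: Dict[Actor, List[Contact]] = defaultdict(list)
    for c in sorted(contacts, key=lambda c: c.ts):
        if c.remote_logon:
            by_actor[(c.src_endpoint, c.user, c.process)].append(c)
    alerts = []
    for actor, rows in by_actor.items():
        start = 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > window:
                start += 1
            targets = {r.dst_endpoint for r in rows[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.append((actor, rows[start].ts, sorted(targets)))
                break   # one alert per actor is enough for triage
    return alerts
```

Bob's two file-server logons 38 minutes apart never share a window and stay quiet, while the svc-backup fan-out from ws-017 is flagged as soon as the fifth distinct target is reached.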

7. Reinforcing systems lifecycle security: Boost the intrinsic security of platforms by buying more secure systems and retiring legacy systems in a timely manner.

This is a worthy objective, and a massive challenge at an organization as big as OMB. This is another place where proper endpoint visibility can immediately determine and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint mishaps (such as application crashes or hangs, service failures, or system crashes), and other indicators of endpoints outliving their useful or secure service lives. You then have a full inventory that you can prioritize for retirement and replacement.

8. Decreasing attack surfaces: Decrease the complexity and quantity of things defenders need to secure.

If numbers 1 through 7 are implemented, with the endpoint properly considered, that will be a substantial step towards lowering attack risk. In addition, though, endpoint security can actually provide a picture of the real attack surface. Consider the ability to quantify attack surface based on the number of distinct binary images exposed across the entire endpoint population. For example, our ‘Ziften Pareto analysis’ of binary image prevalence statistics produces a typical “ski slope” distribution, with a long skinny tail representing vast numbers of very rare binary images (present on fewer than 0.1% of total endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also exacerbates vulnerability lifecycle management). Data from numerous customer deployments reveals egregious bloat factors of 5-10X compared to a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich attackers’ paradise.
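To show what the prevalence analysis described above looks like in practice, here is an added example (written for this page, not Ziften's own analysis code) that builds a constructed fleet inventory, finds the sub-0.1% tail of rare images, measures how steeply the top images cover the population, and computes a bloat factor against a disciplined reference fleet. Endpoint ids and image ids are constructed stand-ins for hostnames and file hashes.

```python
from collections import Counter
from typing import Dict, List, Set

def build_sample_inventory(n_endpoints: int = 2000, disciplined: bool = False) -> Dict[str, Set[str]]:
    """Constructed inventory: endpoint id -> set of binary image ids. 40 core images
    and 30 applications are on every endpoint. In the lax fleet each application
    exists in 2..7 versions (version proliferation) and every fifth endpoint carries
    one image seen nowhere else (sprawl); the disciplined fleet has one version per
    application and no one-off images."""
    inventory: Dict[str, Set[str]] = {}
    for i in range(n_endpoints):
        images = {f"core-{c:02d}" for c in range(40)}
        for app in range(30):
            versions = 1 if disciplined else 2 + app % 6
            images.add(f"app{app:02d}-v{i % versions}")
        if not disciplined and i % 5 == 0:
            images.add(f"unique-{i}")
        inventory[f"ep-{i:04d}"] = images
    return inventory

def image_prevalence(inventory: Dict[str, Set[str]]) -> Counter:
    """Endpoint count per distinct image: the raw data behind the prevalence curve."""
    prev: Counter = Counter()
    for images in inventory.values():
        prev.update(images)
    return prev

def rare_images(prev: Counter, n_endpoints: int, max_fraction: float = 0.001) -> List[str]:
    """The skinny tail: images present on fewer than max_fraction (0.1%) of endpoints."""
    cutoff = max_fraction * n_endpoints
    return sorted(img for img, n in prev.items() if n < cutoff)

def coverage_of_top(prev: Counter, k: int) -> float:
    """Share of all image instances accounted for by the k most prevalent images;
    a steep rise followed by a long flat tail is the 'ski slope'."""
    total = sum(prev.values())
    return sum(n for _, n in prev.most_common(k)) / total

def bloat_factor(fleet: Dict[str, Set[str]], reference: Dict[str, Set[str]]) -> float:
    """Distinct images in the fleet divided by distinct images in a tightly managed
    reference fleet with the same role."""
    return len(image_prevalence(fleet)) / len(image_prevalence(reference))

if __name__ == "__main__":
    fleet = build_sample_inventory()
    prev = image_prevalence(fleet)
    print(f"{len(prev)} distinct images, {len(rare_images(prev, len(fleet)))} in the <0.1% tail")
    print(f"top 40 images cover {coverage_of_top(prev, 40):.1%} of instances")
    print(f"bloat factor: {bloat_factor(fleet, build_sample_inventory(disciplined=True)):.1f}X")
```

On the constructed fleet the lax population carries 575 distinct images against 70 for the disciplined one, a bloat factor of about 8X, inside the 5-10X range the post quotes.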

The OMB sprint is a great reminder to us all that good things can be achieved quickly, but that it takes vision, not to mention visibility. Visibility, down to the endpoint, will be a crucial piece for OMB to consider as part of their 30-day sprint.


Charles Leaver – It’s Official Data Breach Costs Are Up And The Third Reason Why May Surprise You

Written by Patrick Kilgore, presented by Charles Leaver, CEO Ziften.

Recently two major reports were published that marked big anniversaries. On one hand we saw Mary Meeker’s 20th annual Internet study. Meeker led part of the original market analysis of the Internet many years ago, and this report marked her 20 years of shaping opinion on the Internet. And ten years after Meeker’s first observations on the Internet came the first study of data breach costs by the Ponemon Institute.

Just ten years after the inception of the Internet it became clear that there is an ugly downside to the service that brings such significant benefits to our organizations and our lives. Today more annual research studies are published about data breaches than about the Internet itself. Recently we spent hours analyzing and digesting two of the most significant data breach reports in the market: the Ponemon report already mentioned, and the now hugely influential Verizon DBIR (a report important enough to go by an acronym).

There was overlap between the two reports, but the Verizon report deserves credit, because if you have been able to do anything in security for 10 years, you must be doing something right. There are many intriguing statistics in the report, but the reasons for the skyrocketing overall cost of data breaches were of most interest to us.

The Ponemon studies have revealed three drivers behind the increased cost of a breach. The first is that cyber attacks have increased in number, and this has correlated with greater costs to remediate them. An increase in per capita cost from $159 to $170 year on year has been cited. That is a 5% jump, from 42% to 47% of the overall root causes of a breach. Also, lost revenue as a result of a data breach has increased. In aggregate, this rose from $1.33M to $1.57M in 2015. The reasons are abnormal customer turnover, increased customer acquisition activity, and the loss of goodwill that results from being the target of a malicious attack. However, the most intriguing reason given is that data breach costs associated with detection and escalation have increased.

These costs include investigations and forensics, crisis team management, and audits and assessments. The trend now appears to be gathering pace at just shy of an incredible $1 billion. Organizations are only now beginning to implement the solutions needed to continuously monitor the endpoint and provide a clear picture of the origin and full impact of a breach.

Organizations not only need to monitor the proliferation of devices in a BYOD world, but also look to enhance the security resources they have already invested in, to reduce the cost of these investigations. Threats have to be halted in real time rather than identified retrospectively.

“Avoidance may not be possible in the world we live in. With destructive risks becoming increasingly common, organizations will need to evolve their M.O. beyond standard AV services and look to the endpoint for complete security,” said Larry Ponemon in his webcast with IBM.


More Organizations Are Encouraging BYOD And They Are Putting Themselves At Risk Through Passwords And Employee Sharing – Charles Leaver

Written by Ziften Technologies CEO Charles Leaver

If your company has implemented a bring your own device (BYOD) policy then you are putting yourself at increased risk of cyber crime and data loss, because the devices will normally have insufficient control and endpoint security in place. On mobile devices, employees typically access consumer cloud services and use insecure password practices, and this accounts for a large share of the risks associated with BYOD. Using endpoint software that offers visibility into exactly what is running on a device can help IT departments understand and address their vulnerabilities.

BYOD is a common way for executives and employees to access sensitive corporate data on their personal tablets, laptops and phones. A ZDNet survey revealed that almost nine out of 10 companies in Australia had given a number of their senior IT staff members access to critical business information through their own BYOD devices, and 57% stated that they had given it to at least 80% of their leadership. For less privileged staff and new hires, the proportion given BYOD access was still as high as 64%. These employees were not given access to financial information, though.

With the number of BYOD devices growing, many companies have not implemented the right endpoint management methods to make their growing mobile workflows secure. Almost 50% of respondents said their companies had no BYOD policies, and just 17% confirmed that their practices were ISO 27001 certified.

Secured BYOD Is Most Likely At Greatest Risk From Passwords

Among companies that had taken steps to secure BYOD, the implementation of password and acceptable use policies was the most common. However, passwords may represent an important and distinctive vulnerability in BYOD implementations, since users often reuse the same passwords and those passwords are not strong enough. While companies with a BYOD policy will certainly increase the danger of an external hacker attack, there may be an even greater risk that is internal, stated former Federal Trade Commission executive Paul Luehr in an interview with CIO Magazine’s Tom Kaneshige.

Luehr told Kaneshige: “The most common way BYOD policies impact data security and breaches remains in the cross-pollination of passwords. An individual is most likely using the same or extremely similar password as the one they utilize on their home devices.”

Luehr noted that disgruntled employees, who will often leak crucial data once they have been let go, are prime threats for companies that have permitted BYOD. Because of BYOD the line between work and home is vanishing, and risky behavior such as using social media on corporate networks is practiced by some employees; this can lead to sensitive information being shared, either wilfully or carelessly, via cloud services. The productivity gains made with BYOD have to be protected with the implementation of comprehensive endpoint security.