Monthly Archives: July 2015

Charles Leaver – We Are Entering The Third Phase Of Cyber Security And It Is People Focussed

Published by:

Written By Kyle Flaherty And Presented By Charles Leaver Ziften CEO

The effect of cyber attacks on companies is often straightforward to determine, and technology vendors (Ziften included) constantly display statistics to show that you need to acquire their latest software. One fact, however, is extremely shocking:

In The Previous Year Cyber Crime Cost Businesses $445 Billion And Cost 350,000 People Their Employment.

The monetary losses are easy to take on board, large as they are. The second part, however, is worrying for everyone connected with cyber security: people are losing their jobs because of what is happening in cyber security. The circumstances behind these job losses are unknown, and some may have been deserved where there was negligence. The most interesting aspect, though, is that it is well known that there is a shortage of talented people with the capability to fight these cyber attacks.

While people are losing their positions, there is also a demand for more talented people to counter the ever increasing threat of cyber attacks. There is no argument that more people are required, and more talented ones, to win this war. But that is not going to happen today, tomorrow or perhaps this year. And while it would be wonderful if a truce could be negotiated with the attackers until those resources are available, the reality is that the battle must go on. So how do you fight?

Utilize Technology To Enable, Not Disable

For years now security technology vendors have been offering technology to “prevent and block” cyber attacks. Later the same vendors would return to offer the “next generation” solution for preventing and blocking cyber attacks. A couple of years after that they were back once again with the latest technology, this time concentrating on “security analytics”, “risk intelligence” and “operational insight”.

In every case businesses purchased the current technology and then had to add professional services and even an FTE to run it. Each time it took the team a significant amount of time to get up to speed with the new technology, and this was a team experiencing high turnover because of the competitive nature of the cyber market. And while all of this was going on, the attacks were becoming more consistent, more advanced, and more frequent.

It Is About People Using Technology, Not The Other Way Around

The problem is that all of the CISOs were initially focussed on the technology. These companies followed the classic pattern of seeing an issue and creating technology to plug that hole. Think of a firewall: it literally builds a wall within technology, using technology. Even the SIEM technology these organizations had installed was focused primarily on the various connectors from their system into other systems, collecting all that information into one place. But one place was all they had, because the technology centric mindset had forgotten an important component: the people involved.

Humans are always good at innovating when confronted with a threat. It’s a biological thing. In cyber security today we are seeing the third phase of innovation, and it is focused on people:

Phase 1: Prevent by building walls
Phase 2: Detect by building walls and moats
Phase 3: See, analyze, and respond by analyzing user behavior

The reason this needs to be centered on people is not just the skills shortage, but the fact that people are actually the problem. People are the attackers, and people are the ones putting your organization at risk at the endpoint. The technologies that are going to win this fight, or at least enable survival, are the ones developed not just to enhance the capabilities of the person on the other side of the keyboard, but also to focus on the behavior of the users themselves, and not just on the technologies.


Charles Leaver – This Webinar Will Demonstrate How Visibility Can Be Provided All The Way To The Endpoint


Written By Josh Applebaum And Presented By Charles Leaver CEO Ziften Technologies


Security threats and attack vectors are constantly evolving, and companies need to be more vigilant about monitoring their network infrastructure. Network perimeter and infrastructure security are frequently undermined by a lack of visibility into endpoint devices.

Visibility Of Endpoint Devices Is Now More Vital Than Ever.

We hosted a webinar with our partner Lancope called “Extending Network Visibility: Down to the Endpoint.” Its goal was to show security professionals how to gain additional visibility and context into network activity, get more from existing security investments (NetFlow, firewall, SIEM, threat intelligence), and improve incident response by obtaining real time and historical data from the endpoint. A mutual customer featured in the webinar offered real life insights into how to use security assets to stay ahead of external and insider threats.

Many of you will not have been able to attend the live event, so we are making the on demand version available here on the Ziften blog. Feedback is welcome, and we would be delighted to get in touch with you to go over it in more detail.

Client Management Ziften Technical Approach – Charles Leaver


Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


There has typically been a lack of visibility on Windows clients into the applications that are running and the resources they are using. Effective tools exist to monitor the server infrastructure and the network, but the client has always been the weakest link. This is why vendors such as Ziften have pioneered a new class of solutions focused on managing the security and performance of clients in the enterprise, called enterprise client management. From a technical standpoint, to collect the substantial quantity of information available within Windows that is needed to provide visibility of the client, there were two alternative approaches to consider: we could write custom driver code or use the standard Windows APIs.

Developing driver code is regarded as a last resort because of some well understood concerns:

An in depth understanding of the Windows kernel data structures and coding conventions is required for driver development

Driver incompatibilities can arise from even the smallest system changes, for instance the regular monthly patch updates from Microsoft

A driver code error can cause a catastrophic system crash

Third party driver code is the cause of most Windows instability

Any solution that uses low level drivers in its agents is bypassing the standard Windows interfaces and “taking control” from Windows. This can wreak havoc with the operating system of the desktops under management. If a driver fails it can crash the system, and there is also a heightened security risk because these drivers run at kernel level. “Anything a user can do that causes a driver to malfunction in such a way that it causes the system to crash or become unusable is a security defect. When most coders are working on their driver, their focus is on getting the driver to work properly and not whether a destructive intruder will attempt to make use of holes within the system,” said Microsoft about driver security.

So Ziften took the approach of building our solution around standard Windows interfaces, which has the following advantages:

Greater resilience to Windows updates and changes that would most likely require driver changes

Elimination of driver conflicts that can result in system crashes (Blue Screen of Death)

Minimized probability of coding issues that affect system performance through the kernel interface


Charles Leaver – Read This To Prevent BYOD Risks


Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

If you are not interested in BYOD, your users, particularly your executive users, most likely will be. Users want to be as productive as possible with the least effort. Their main objective is to do their work on the most convenient, fastest, most familiar and comfortable device. They also want the convenience of using one device for both work and personal activities.

The problem is that security and ease of use are diametrically opposed. The IT department would typically prefer complete ownership and control over all client endpoints. IT can disable admin rights and lock the client endpoint down to a degree, for example allowing only approved applications to be installed. Even the hardware can be limited to a specific footprint, making it easier for IT to secure and control.

But that control over their devices is exactly what BYOD proponents are rebelling against. They want to choose their hardware, apps and OS, and to have the freedom to install anything they like, whenever they like.

This is challenging enough for the IT security team, but BYOD can also significantly increase the number of devices accessing the network. Instead of a single desktop, a BYOD user might have a desktop, laptop, smartphone and tablet. This is an attack surface gone wild! Then there is the issue of smaller devices being lost or stolen, or perhaps left in a bar under a cocktail napkin.

So what exactly do IT professionals do about this? The first thing is to develop situational awareness of “trusted” client endpoints. With its minimalist, driverless agent, Ziften can provide visibility into the applications, versions, user activity and security/compliance software actually running on the endpoint. You can then restrict, by enforceable policy, what application, business network and data interaction is permitted from all other (“untrusted”) devices.

Client endpoints will inevitably develop security problems, such as vulnerable application versions, potentially malicious processes and disabled endpoint security measures. The Ziften agent will alert you to these issues so that you can take corrective action with your existing systems management tools.

Your users need to accept that untrusted, overly risky devices must not be used to access corporate networks, data and apps. Client endpoints and users are the source of many damaging exploits. No current technology can magically make it safe to access critical corporate assets from a device that is out of control.


Charles Leaver – Get Your IT Endpoint To Tell You Where It Hurts With The Ziften Agent


Written by Dr Al Hartmann and presented by Ziften CEO Charles Leaver

Wouldn’t it be great if your IT client endpoints could tell you they are sick, instead of you getting unwelcome calls from unhappy users? But the reality is that IT clients cannot tell you when something is amiss. Many IT people may dispute the need for situational awareness, but you really do need it for your endpoints. The Ziften solution makes this possible:

Ziften uses a minimalist, driverless agent. Unlike conventional systems management or security agents, the Ziften package is extremely lightweight (around a 1-2MB MSI package). But don’t let the small size fool you: it provides the performance management headroom and effectiveness to accomplish more on IT endpoints, keeping users happy and productive. The Ziften agent is like light beer: “Terrific taste, less filling.”

The Ziften agent also monitors other deployed agents and reports when they interfere excessively with foreground tasks.

The Ziften agent also delivers benefits that an agentless approach cannot match. It can:

Respond in real time to dynamic events on the endpoint. Without an agent, periodic polling is required, which means endpoint events are reported on a schedule after they have happened, not in real time.

Adaptively throttle interfering processes. For example, if a backup program is severely disrupting user productivity, it can be slowed down in favor of the user.

Alert on failures of vital services such as anti-virus, backup, firewall and systems management. An agentless approach could also do this, but not in real time, so it is less effective.

Alert in real time on serious security incidents identified at the client endpoint.

Recognize activity and user presence. The Ziften agent can detect user presence from the last keyboard and mouse use. It also uses the window proxy to determine which window is in the foreground and which are in the background. With this information, the Ziften agent can identify which application licenses are actually being used across the company.

Monitor and control the endpoint while it is off the network, which is impossible without an agent. The Ziften agent monitors off network endpoints and reports cached observations when the endpoint reconnects, eliminating off network blind spots in monitoring coverage. It can also enforce policy while disconnected.

Reduce the network traffic load between client endpoints and the management server, by abstracting, filtering, summarizing and encoding time series observations.

So with the Ziften agent your endpoint clients can “tell you where it hurts”.
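As an added illustration of the driverless, standard-API approach described in the client management post above and the presence detection described in this post, the PowerShell below (example code written for this page, not Ziften's agent) gathers a process inventory, user idle time and the foreground application purely through documented user-mode Windows APIs, with no kernel driver. It assumes Windows PowerShell 5.1 or later in an interactive desktop session; the function names and the 300 second presence threshold are my own choices.

```powershell
# Added example, not Ziften's code: driverless endpoint visibility using only
# standard user-mode Windows APIs (user32/kernel32 via P/Invoke and Get-Process).
# Assumes Windows PowerShell 5.1+ in an interactive desktop session.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @"
[StructLayout(LayoutKind.Sequential)]
public struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
[DllImport("user32.dll")]   public static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
[DllImport("user32.dll")]   public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]   public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("kernel32.dll")] public static extern uint GetTickCount();
"@

# Seconds since the last keyboard or mouse input in this session.
function Get-UserIdleSeconds {
    $lii = New-Object 'Win32.NativeMethods+LASTINPUTINFO'
    $lii.cbSize = [System.Runtime.InteropServices.Marshal]::SizeOf($lii)
    if (-not [Win32.NativeMethods]::GetLastInputInfo([ref]$lii)) { return $null }
    # Both values are millisecond tick counts; GetTickCount wraps every 49.7 days,
    # so a negative difference means a wrap occurred since the last input.
    $idleMs = [Win32.NativeMethods]::GetTickCount() - $lii.dwTime
    if ($idleMs -lt 0) { $idleMs += 4294967296 }
    return [math]::Round($idleMs / 1000, 1)
}

# Process that owns the foreground window ($null when no desktop window is active).
function Get-ForegroundProcess {
    $hwnd = [Win32.NativeMethods]::GetForegroundWindow()
    $procId = [uint32]0
    [void][Win32.NativeMethods]::GetWindowThreadProcessId($hwnd, [ref]$procId)
    if ($procId -eq 0) { return $null }
    Get-Process -Id $procId -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, MainWindowTitle
}

# Top resource consumers by working set, from the same counters Task Manager reads.
function Get-ResourceInventory {
    param([int]$Top = 10)
    Get-Process | Sort-Object WorkingSet64 -Descending | Select-Object -First $Top Id, ProcessName,
        @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } },
        @{ n = 'CpuSeconds';   e = { if ($_.CPU) { [math]::Round($_.CPU, 1) } else { 0 } } }
}

# One observation record that an agent could cache locally and upload on reconnect.
function Get-EndpointObservation {
    param([int]$PresentIfIdleUnderSeconds = 300)   # threshold is an assumption
    $idle = Get-UserIdleSeconds
    [pscustomobject]@{
        Timestamp    = (Get-Date).ToUniversalTime().ToString('o')
        Host         = $env:COMPUTERNAME
        User         = $env:USERNAME
        IdleSeconds  = $idle
        UserPresent  = ($null -ne $idle -and $idle -lt $PresentIfIdleUnderSeconds)
        Foreground   = Get-ForegroundProcess
        TopProcesses = Get-ResourceInventory -Top 5
    }
}

Get-EndpointObservation | ConvertTo-Json -Depth 3
```

Run from a desktop session rather than a service or remoting context, since GetLastInputInfo and GetForegroundWindow only report on the interactive window station.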