Monthly Archives: October 2015

Charles Leaver – Internet Of Things Will Bring Significant Security Risks

Written By David Shefter And Presented By Ziften CEO Charles Leaver

We are now living in a new world of the Internet of Things (IoT), and the number of cyber threats and attacks is growing exponentially. As deployments mature, new vulnerabilities keep appearing.

Symantec released a report this spring that evaluated 50 smart home devices and found that “none of the evaluated devices provided mutual authentication between the client and the server.” Earlier this summer, researchers demonstrated the ability to hack into a Jeep while it was driving on the highway, first controlling the radio, windshield wipers and air conditioning, and finally cutting the transmission.

Historically, toy, tool, appliance, and vehicle manufacturers have not needed to protect against external threats. Makers of medical devices, elevators, HVAC, electrical, and plumbing infrastructure components (all of which are likely to be connected to the Internet in the coming years) have not always been security conscious.

As we all know, it is hard enough on a daily basis to protect PCs, phones, servers, and even the network, all of which have been through considerable security monitoring, review and evaluation for many years. How can you protect alarms, personal electronics, and household devices that seem to appear daily?

To begin, one must define and consider where the security platforms will be deployed: hardware, software, network, or all of the above?

Solutions such as Ziften listen to the network (from the device's point of view) and use machine learning to recognize patterns and scan for anomalies. Ziften currently provides a global threat analytics platform (the Ziften KnowledgeCloud), fed from a range of sources, that today enables review of tens of millions of endpoint, binary, MD5 and similar data points.

It will be a challenge to deploy software onto all IoT devices, many of which use FPGA and ASIC designs as their control platform(s). They are typically embedded in everything from drones to cars to industrial and SCADA control systems. A large number of these devices run on solid-state chips without an operating system or an x86-type processor. With insufficient memory to support advanced software, many simply cannot run contemporary security software. In the realm of IoT, additional customization creates risk and a vacuum that strains even the most robust systems.

Solutions for the IoT space need a multi-pronged approach at the endpoint, which includes the desktops, laptops, and servers already integrated with the network. At Ziften, we currently deliver collectors for Windows, Linux, and OS X, supporting the core desktop, server, and network infrastructure that holds the intellectual property and assets attackers seek to access. After all, the bad guys don't really want any data from the company fridge; they merely want to use it as a conduit to where the important data lives.

Nevertheless, there is an additional technique we deliver that can help ease many present issues: scanning for anomalies at the network level. It is believed that typically 30% of devices connected to a corporate network are unknown IPs. IoT trends will likely double that number in the next 10 years. This is one of the reasons why connecting a device is not always an obvious choice.

As more devices are connected to the Internet, more attack surface will emerge, leading to breaches that are far more destructive than those affecting e-mail, financial, retail, and insurance systems, breaches that could even endanger our way of life. Protecting the IoT needs to apply lessons learned from conventional enterprise IT security and offer multiple layers, integrated to provide end-to-end robustness, capable of preventing and identifying threats at every level of the emerging IoT value chain. Ziften can help from a multitude of angles today and in the future.


Shine A Light On Your Security Blindspots With Ziften ZFlow – Charles Leaver

Written By Andy Wilson And Presented By Charles Leaver CEO Ziften


Over the past several years, many IT organizations have adopted NetFlow telemetry (network connection metadata) to improve their security posture. There are several reasons for this: NetFlow is relatively inexpensive (compared with full packet capture); it is relatively simple to collect, as most Layer 3 network devices support NetFlow or the IANA standard called IPFIX; and it is easy to analyze using free or commercial software. NetFlow can help overcome blind spots in the architecture and offer much-needed visibility into what is actually happening on the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection.

NetFlow can supply insight where little or no visibility exists. Most organizations collect flows at the core, WAN and Internet layers of their networks. Depending on the routing scheme, localized traffic may not be represented: LAN-to-LAN activity, local broadcast traffic, and east-west traffic inside the datacenter. Most organizations do not route all the way to the access layer and are therefore blind to some degree in this part of the network.


Performing full packet capture in this area is still not entirely practical for a variety of reasons. The solution is to implement endpoint-based NetFlow to restore visibility and provide crucial extra context to the other flows being collected on the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop, or server), so it does not depend on the network infrastructure to be generated. ZFlow supplies standard ISO Layer 3/4 data such as source and destination IP addresses and ports, but also offers additional valuable Layer 4-7 information: the executable responsible for the network socket, the MD5 hash, PID and file path of that executable, the user responsible for launching it, and whether it was running in the foreground or background. The latter are crucial details that network-based flows simply cannot offer.

This additional contextual data can significantly reduce false positives and supply rich data to analysts, SOC staff and incident handlers, enabling them to quickly assess the nature of the network traffic and determine whether it is malicious or benign. Used in conjunction with network-based alerts (firewalls, IDS/IPS, web proxies and gateways), ZFlow can dramatically reduce the time it takes to resolve a security event. And we know that time to detect malicious behavior is a crucial determinant of how successful an attack becomes. Dwell times have decreased in recent history but are still at unacceptable levels: currently over 230 days during which an attacker can roam unnoticed through your network collecting your most valuable data.

Below is a screenshot that shows a port 80 connection to a web destination. Interesting facts about this connection that network-based tools may miss are that it was not initiated by a web browser but by Windows PowerShell, and that it was started by the ‘System’ account rather than the logged-in user. Both are very attention-grabbing to a security analyst: this is not a false positive and would likely need deeper investigation (at which point the analyst could pivot into the Ziften console and look much deeper into that system's behavior: what actions or binaries were launched before and after the connection, process history, network activity and more).
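The triage the screenshot illustrates, as an added example that is not Ziften's code: a PowerShell filter over constructed endpoint-flow records carrying the ZFlow-style fields listed above. The record layout, sample values (placeholder MD5s, documentation IP ranges) and the approved-browser list are assumptions.

```powershell
# Added example, not part of the original post: flag endpoint-flow records whose process or
# user context looks wrong for web-bound traffic. Field names and records are constructed.
$flows = @(
    [pscustomobject]@{ DstIP='203.0.113.20'; DstPort=443; Exe='C:\Program Files\Mozilla Firefox\firefox.exe'
                       MD5='00000000000000000000000000000001'; ProcId=4120; User='CORP\jdoe'; Foreground=$true },
    [pscustomobject]@{ DstIP='198.51.100.7'; DstPort=80; Exe='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       MD5='00000000000000000000000000000002'; ProcId=2288; User='NT AUTHORITY\SYSTEM'; Foreground=$false },
    [pscustomobject]@{ DstIP='10.1.1.5'; DstPort=445; Exe='C:\Windows\System32\svchost.exe'
                       MD5='00000000000000000000000000000003'; ProcId=1012; User='NT AUTHORITY\SYSTEM'; Foreground=$false }
)

function Find-SuspiciousWebFlows {
    param([object[]]$Records)
    $browsers = @('chrome.exe', 'firefox.exe', 'iexplore.exe')   # assumed approved-browser list
    $webPorts = @(80, 443)
    foreach ($f in $Records) {
        if ($webPorts -notcontains $f.DstPort) { continue }       # only web-bound flows are triaged here
        $image   = [System.IO.Path]::GetFileName($f.Exe).ToLower()
        $reasons = @()
        # Web port reached by something other than a browser (PowerShell, in the post's screenshot)
        if ($browsers -notcontains $image) { $reasons += "non-browser process $image" }
        # Outbound web traffic attributed to SYSTEM instead of the logged-in user
        if ($f.User -eq 'NT AUTHORITY\SYSTEM') { $reasons += 'initiated by SYSTEM account' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcId     = $f.ProcId
                Image      = $image
                MD5        = $f.MD5                                # pivot value for hash lookups
                User       = $f.User
                Foreground = $f.Foreground                         # context: was a user at the keyboard?
                Dest       = '{0}:{1}' -f $f.DstIP, $f.DstPort
                Reasons    = $reasons -join '; '
            }
        }
    }
}

# Only the powershell.exe flow is returned; the browser flow and the SMB flow are not.
Find-SuspiciousWebFlows -Records $flows | Format-Table -AutoSize
```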

Ziften’s ZFlow shines a light on security blind spots and supplies additional endpoint context (process, application and user attribution) to help security staff better understand what is really happening in their environment. Combined with network-based events, ZFlow can significantly reduce the time it takes to investigate and respond to security alerts and considerably improve a company’s security posture.


Charles Leaver – Here Is The New Path To Endpoint Security As Prevention And Blocking Are Not Enough

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO

Conventional endpoint security products, some of which have been around for over 20 years, rely heavily on the same security techniques year after year. Although there is always innovation and effort to improve, the underlying issue remains: threats will always find a path into your organization. And most of the time, you have to wait until your deployed product finally detects the threat before you can even start to assess the damage and perhaps prevent it from happening again (once you have all the relevant details to make that informed decision, of course). Another downside of these products is that they frequently create a substantial performance burden on the very device they are protecting, which in turn leads to unhappy end users and other problems with management and reliability.

But this post is not about abandoning your current solution; it is about augmenting and strengthening your overall security posture. Organizations need to move toward and adopt products that offer continuous monitoring and complete visibility of all activity taking place across their endpoint population. Stopping or preventing known malware from running is certainly essential, but it falls short of the overall defense required in today’s threat landscape. The ability to run deeper forensics on present or, sometimes more importantly, past events can really only be provided by products that monitor continuously. This information is vital in assessing the damage and understanding the scope of an infection within your company.

This, of course, has to be done efficiently and with a limited amount of system overhead.

Just as there are many products in the traditional endpoint security space, a new league of vendors is emerging in this crucial step of the evolution. Most of these companies have staff from the ‘old guard’ and understand that a new vision is needed as the threat landscape continues to change. Simply reporting and alerting on known-bad things completely misses the point. You MUST look at everything, everybody and all behaviors and actions in order to give yourself the best chance of responding quickly and thoroughly to threats within your organization.

By using products that fall into this “New Path of Endpoint Security” realm, Security Ops or Incident Responders within the organization will have the visibility they have been craving. We hear this constantly from our customers and prospects and are doing our best to provide the products that help protect everybody.


Charles Leaver – Using The Ziften App For Splunk Will Find Instances Of Superfish

Written By Ryan Hollman And Presented By Charles Leaver CEO Ziften

Background: Lenovo admitted to preloading the Superfish adware on some consumer PCs, and unhappy customers are now taking the company to court over the matter, PCWorld reported. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with “deceptive” commercial practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by preloading the adware.

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk, you can find infected endpoints with a simple Splunk search. Just search your Ziften data and filter for the keyword “superfish”. The query is simply:

index=ziften superfish

The following image shows the results you would see in your Ziften App for Splunk if systems were infected. In this particular case, we identified several systems infected with Superfish.



The above results also reference the binary “VirtualDiscovery.exe”. As it turns out, this is the core process responsible for the infections. Along with the Superfish root certificate and the VirtualDiscovery.exe binary, this software also writes the following to the system:

A registry entry in:


INI and log files in:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Manual detection of Superfish can also be performed on an endpoint directly from PowerShell with the following:

dir cert: -r | where Subject -match "superfish"

If the system is infected with Superfish, you will see results similar to the following image. If the system is clean, you will see no results.

Some analysts have stated that you can simply get rid of Superfish by removing the root certificate shown above with a PowerShell command such as:

dir cert: -r | where Subject -match "superfish" | Remove-Item

This removal does not persist across reboots. Simply removing the root cert does not work, because VirtualDiscovery.exe will reinstall the root cert after a system reboot.
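The manual checks above, combined into one host-side report as an added example that is not from the original post or from Ziften: it looks for the certificate, the INI/log files listed above, and the process that reinstalls the certificate, so that an analyst can see whether deleting the certificate alone would stick. The process name follows the post's spelling (VirtualDiscovery), and the file list is copied from the post.

```powershell
# Added example, not part of the original post: report Superfish indicators on the local host.
# Reading the certificate stores needs no elevation; removal would.
function Get-SuperfishIndicators {
    $findings = @()

    # 1. Certificates whose Subject mentions Superfish, in every store under the Cert: drive.
    #    Store containers have no Subject, so the -match silently skips them.
    $certs = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.Subject -match 'superfish' }
    foreach ($c in $certs) {
        $findings += [pscustomobject]@{ Kind='Certificate'; Item=$c.PSPath; Detail=$c.Thumbprint }
    }

    # 2. The INI and log files the post lists.
    $files = @(
        "$env:SystemRoot\SysWOW64\VisualDiscovery.ini",
        "$env:SystemRoot\SysWOW64\VisualDiscoveryOff.ini",
        "$env:SystemRoot\System32\VisualDiscoveryOff.ini",
        "$env:TEMP\VisualDiscoveryr.log"
    )
    foreach ($p in $files) {
        if (Test-Path -LiteralPath $p) {
            $size = (Get-Item -LiteralPath $p).Length
            $findings += [pscustomobject]@{ Kind='File'; Item=$p; Detail="$size bytes" }
        }
    }

    # 3. The binary that puts the root certificate back after a reboot (name as given in the post).
    $procs = Get-Process -Name 'VirtualDiscovery' -ErrorAction SilentlyContinue
    foreach ($pr in $procs) {
        $findings += [pscustomobject]@{ Kind='Process'; Item=$pr.ProcessName; Detail="PID $($pr.Id)" }
    }
    return $findings
}

$found = @(Get-SuperfishIndicators)
if ($found.Count -eq 0) {
    'No Superfish indicators found on this host.'
} else {
    $found | Format-Table -AutoSize
    # The caveat from the post: with the process alive, removing the certificate is not a fix.
    if (($found | Where-Object Kind -eq 'Process') -and ($found | Where-Object Kind -eq 'Certificate')) {
        'VirtualDiscovery.exe is running: deleting the certificate alone will be undone at the next reboot.'
    }
}
```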

The simplest way to remove Superfish from your system is to update Microsoft’s built-in anti-virus product, Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate Superfish.

Other remediation methods exist, but updating Windows Defender is by far the simplest.


Charles Leaver – You Need To Be On The Alert For These Top 5 Suspect User Endpoint Activities

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Conventional security software is unlikely to detect attacks targeted at a specific company. The attack code will most likely be remixed to evade known malware signatures, while fresh command-and-control infrastructure will be stood up to evade known blacklisted network contacts. Defending against these fresh, targeted attacks requires defenders to identify more generic attack attributes than can be found in endless lists of known Indicators of Compromise (IoCs) from previously analyzed attacks.

Unless you have a time machine to retrieve IoCs from the future, known IoCs will not help with fresh attacks. For that, you have to be alert to suspicious behaviors of users or endpoints that could indicate ongoing attack activity. These suspicion-arousing behaviors will not be as conclusive as a malware signature match or an IP blacklist hit, so they will need analyst triage to confirm. Insisting on certainty of conviction before raising alerts means that new attacks will effectively evade your automated defenses. It would be like a parent ignoring suspicious child behavior without question until they get a call from the authorities. You don’t want that call from the FBI telling you your enterprise has been breached when due analyst attention to suspicious behaviors would have provided early detection.

Security analytics of observed user and endpoint behaviors looks to identify attributes of potential attack activity. Here we highlight a few of those suspect behaviors by way of basic description. These suspect behaviors serve as cyber attack tripwires, alerting defenders to possible attacks in progress.

Anomalous Login Activity

Users and organizational systems show learnable login activity patterns that can be evaluated for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user’s or endpoint’s earlier login pattern. Remote logins can be examined for remote IP address and geolocation, and login entropy can be measured and compared. Non-administrative users logging into multiple systems can be observed and reported, as this deviates from expected patterns.
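Two of the login checks described above, as an added example that is not Ziften's code: a non-admin account spreading across more systems than expected (spatial), and a logon hour outside the user's own earlier pattern (temporal). The record layout, the constructed logon events and the thresholds are assumptions.

```powershell
# Added example, not part of the original post: login anomaly checks over constructed logon records.
$logons = @(
    [pscustomobject]@{ Time=[datetime]'2015-10-05 08:55'; User='CORP\jdoe'; Host='WS-0101'; Admin=$false },
    [pscustomobject]@{ Time=[datetime]'2015-10-06 09:10'; User='CORP\jdoe'; Host='WS-0101'; Admin=$false },
    [pscustomobject]@{ Time=[datetime]'2015-10-07 08:40'; User='CORP\jdoe'; Host='WS-0101'; Admin=$false },
    [pscustomobject]@{ Time=[datetime]'2015-10-08 02:15'; User='CORP\jdoe'; Host='FS-02';   Admin=$false },
    [pscustomobject]@{ Time=[datetime]'2015-10-08 02:20'; User='CORP\jdoe'; Host='SQL-01';  Admin=$false },
    [pscustomobject]@{ Time=[datetime]'2015-10-08 02:31'; User='CORP\jdoe'; Host='DC-01';   Admin=$false },
    [pscustomobject]@{ Time=[datetime]'2015-10-08 07:30'; User='CORP\ops1'; Host='DC-01';   Admin=$true  },
    [pscustomobject]@{ Time=[datetime]'2015-10-08 07:35'; User='CORP\ops1'; Host='FS-02';   Admin=$true  }
)

function Find-LoginAnomalies {
    param([object[]]$Logons, [int]$MaxHostsNonAdmin = 2, [int]$HourSlack = 1)
    foreach ($grp in ($Logons | Group-Object -Property User)) {
        $items = @($grp.Group | Sort-Object Time)

        # Spatial check: a non-admin account seen on more systems than a workstation user normally is.
        $hosts = @($items | Select-Object -ExpandProperty Host -Unique)
        if ((-not $items[0].Admin) -and ($hosts.Count -gt $MaxHostsNonAdmin)) {
            [pscustomobject]@{ User=$grp.Name; Check='MultiHost'
                               Detail=('{0} systems: {1}' -f $hosts.Count, ($hosts -join ', ')) }
        }

        # Temporal check: each logon hour against the hours of this user's own earlier, unflagged logons.
        $baseline = @()
        foreach ($l in $items) {
            $hour = $l.Time.Hour
            if ($baseline.Count -ge 2) {                         # need some history before judging
                $stats = $baseline | Measure-Object -Minimum -Maximum
                if (($hour -lt ($stats.Minimum - $HourSlack)) -or ($hour -gt ($stats.Maximum + $HourSlack))) {
                    [pscustomobject]@{ User=$grp.Name; Check='OffHours'
                                       Detail=('{0} at {1:HH:mm} (usual {2}-{3}h)' -f $l.Host, $l.Time, $stats.Minimum, $stats.Maximum) }
                    continue                                     # anomalies do not feed the baseline
                }
            }
            $baseline += $hour
        }
    }
}

# jdoe is reported once for four distinct systems and three times for 02:xx logons; ops1 is not reported.
Find-LoginAnomalies -Logons $logons | Format-Table -AutoSize
```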

Anomalous Work Practices

Working outside normal work hours or outside established patterns of work activity can be suspicious or indicative of insider threat activity or compromised credentials. Again, anomalies may be either spatial or temporal in nature. The mix of active processes can also be analyzed for adherence to established workgroup activity patterns. Workloads may vary a bit, but they tend to be fairly consistent across engineering departments, accounting departments, marketing departments, and so on. Work activity patterns can be machine-learned and statistical divergence tests applied to spot behavioral anomalies.

Anomalous Application Attributes

Typical applications show reasonably consistent characteristics in their image metadata and in their active process profiles. Significant departures from these observed norms can indicate application compromise, such as code injection. Whitelisted applications may be used by malware scripts in unlikely ways, such as ransomware using system tools to delete volume shadow copies to stymie recovery, or malware staging stolen data to disk prior to exfiltration, with considerable disk resource demand.

Anomalous Network Activity

Common applications show relatively consistent network activity patterns that can be learned and characterized. Unusual levels of network activity by unusual applications are suspect for that reason alone, as is unusual port activity or port scanning. Network activity at unusual times or with unusual regularity (possibly beaconing) or unusual resource demand is also worthy of attention. Unattended network activity (user not present) must always have a plausible explanation or be reported, especially if observed in significant volume.

Anomalous System Fault Behavior

Anomalous fault behavior could indicate a vulnerable or unpatched system, or malware that is repeatedly retrying some failing operation. This could be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as not running mandated security or backup agents, or constant faulting by those agents (leading to a fault-restart-fault cycle).

When looking for Endpoint Detection and Response products, don’t feel complacent just because you have a big library of known IOCs. The most effective solutions will cover these top five generic attack characteristics plus a whole lot more.