Monthly Archives: May 2017

Charles Leaver – WannaCry Ransomware Help From Ziften

Written by Michael Vaughn and presented by Charles Leaver, Ziften CEO


Answers To Your Questions About WannaCry Ransomware

The WannaCry ransomware attack has so far infected more than 300,000 computers in 150 countries by exploiting vulnerabilities in Microsoft’s Windows operating system.
In this short video, Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, as well as how Ziften can help companies protect themselves from the exploit known as “EternalBlue.”

As discussed in the video, the problem with the Server Message Block (SMB) file-sharing service is that it ships with most Windows operating systems and is found in the majority of environments. However, we make it simple to determine which systems in your environment have or have not yet been patched. Importantly, Ziften Zenith can also remotely disable the SMB file-sharing service entirely, giving organizations valuable time to ensure that those computers are correctly patched.

If you want to know more about Ziften Zenith, our 20-minute demo includes a consultation with our specialists on how we can help your company prevent the worst digital catastrophe to strike the internet in years.

Charles Leaver – Your 10 Steps For Endpoint Security Service Assessment

Written by Roark Pollock and presented by Chuck Leaver, CEO Ziften


The Endpoint Security Purchaser’s Guide

The endpoint is the most common entry point for an advanced persistent attack or a breach, and it is certainly the entry point for most ransomware and social engineering attacks. Using endpoint security products has long been considered a best practice for protecting endpoints. Unfortunately, those tools aren’t keeping up with today’s threat environment. Advanced threats, and truth be told, even less advanced threats, are typically more than sufficient to fool the average employee into clicking something they shouldn’t. So organizations are looking at and evaluating a huge selection of next generation endpoint security (NGES) solutions.

With that in mind, here are 10 tips to consider if you’re evaluating NGES solutions.

Tip 1: Start with the end in mind

Don’t let the tail wag the dog. A risk reduction strategy should always start by assessing problems and then looking for possible solutions to those problems. But all too often we get enamored with a “shiny” new technology (e.g., the latest silver bullet) and end up trying to shoehorn that technology into our environments without fully examining whether it solves a known and identified problem. So exactly what problems are you trying to solve?

– Is your current endpoint protection tool failing to stop threats?
– Do you need better visibility into activities at the endpoint?
– Are compliance requirements dictating continuous endpoint monitoring?
– Are you trying to reduce the time and expense of incident response?

Define the problems to address, and then you’ll have a measuring stick for success.

Tip 2: Understand your audience. Who will be using the tool?

Understanding the problem that has to be solved is an essential first step in understanding who owns the problem and who would (operationally) own the solution. Every functional group has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else could benefit from its use. It could be:

– The security team,
– The IT group,
– The governance, risk and compliance (GRC) group,
– The help desk or end user support group,
– Or even the server group or a cloud operations team.

Tip 3: Know what you mean by endpoint

Another frequently neglected early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in far more varieties than before.

Sure, we want to protect desktops and laptops, but what about mobile devices (e.g. smartphones and tablets), virtual endpoints, cloud based endpoints, or Internet of Things (IoT) devices? And what about your servers? All these devices, of course, come in numerous flavors, so platform support needs to be addressed too (e.g. Windows only, Mac OSX, Linux, etc.). Also, consider support for endpoints even when they are working remotely or offline. What are your requirements and what are “nice to haves”?

Tip 4: Start with a foundation of all-the-time visibility

Continuous visibility is a fundamental capability for addressing a host of security and operational management problems on the endpoint. The old saying is true: you cannot manage what you cannot see or measure. Further, you can’t protect what you cannot properly manage. So it must start with constant or all-the-time visibility.

Visibility is foundational to Management and Security

And think about what visibility means. Enterprises need one source of truth that at a minimum monitors, stores, and analyzes the following:

– System data – events, logs, hardware state, and file system details
– User data – activity logs and behavior patterns
– Application data – characteristics of installed apps and usage patterns
– Binary data – characteristics of installed binaries
– Process data – tracking information and statistics
– Network connection data – statistics and internal behavior of network activity on the host

Tip 5: Know where your visibility data is stored

Endpoint visibility data can be stored and analyzed on premises, in the cloud, or some combination of both. There are benefits to each. The right approach varies, but is usually dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.

Know whether your organization requires on-premise data retention

Know whether your company allows cloud based data retention and analysis or whether you are constrained to on-premise solutions only. At Ziften, 20-30% of our clients keep data on premise solely for regulatory reasons. However, if it is legally an option, the cloud can offer cost advantages (among others).

Tip 6: Know what is on your network

Understanding the problem you are trying to solve requires understanding the assets on the network. We have found that as many as 30% of the endpoints we initially discover on customers’ networks are unmanaged or unknown devices. This obviously creates a big blind spot. Minimizing this blind spot is a vital best practice. In fact, SANS Critical Security Controls 1 and 2 are to carry out an inventory of authorized and unauthorized devices and software connected to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and utilization, and perform on-going continuous discovery.

Tip 7: Know where you are vulnerable

After determining which devices you have to monitor, you need to make sure they are running up-to-date configurations. SANS Critical Security Control 3 recommends ensuring secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends enabling continuous vulnerability assessment and remediation of these devices. So, look for NGES solutions that provide continuous monitoring of the state or posture of each device, and it’s even better if they can help enforce that posture.

Also look for solutions that provide continuous vulnerability assessment and remediation.

Keeping your overall endpoint environment hardened and free of critical vulnerabilities prevents a huge number of security issues and removes a great deal of back end pressure on the IT and security operations teams.

Tip 8: Cultivate continuous detection and response

A crucial end goal for many NGES solutions is supporting continuous device state monitoring, to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.

Look for NGES solutions that provide all-the-time or continuous threat detection, which leverages a network of global threat intelligence and several detection methods (e.g., signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize identified threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the proper response or next actions. Lastly, understand all the response actions that each solution supports, and look for a solution that offers remote access that is as close as possible to “sitting at the endpoint keyboard”.

Tip 9: Think about forensics data gathering

In addition to incident response, companies must be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take numerous forms, but a foundation of historical endpoint monitoring data will be essential to any investigation. So look for solutions that preserve historical data that supports:

– Forensic tasks such as tracing lateral threat movement through the network over time,
– Pinpointing data exfiltration attempts,
– Determining the origin of breaches, and
– Identifying proper remediation actions.

Tip 10: Tear down the walls

IBM’s security team, which supports a remarkable community of security partners, estimates that the average business has 135 security tools in situ and is working with 40 security vendors. IBM customers definitely skew toward large enterprises, but it’s a common refrain (complaint) from organizations of all sizes that security solutions don’t integrate well enough.

And the complaint is not just that security solutions don’t play well with other security products, but also that they don’t always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points along with the vendor’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Prepare for customizations

Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution shortly after you get it. No solution will meet all of your needs right out of the box, in default configurations. Find out how the solution supports:

– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.

You know you’ll want new paint or new wheels on that NGES solution soon, so make certain it will support your future customization projects easily enough.

Look for support for simple customizations in your NGES solution

Follow the bulk of these suggestions and you’ll certainly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.

Charles Leaver – Protect Your Business From End To End With Ziften Because We Are The Best

Written by Ziften CEO Charles Leaver


Do you want to manage and protect your endpoints, your network, the cloud and your data center? If so, Ziften has the best solution for you. We gather data, and let you correlate and use that data to make decisions and stay in control of your business.

The information that we gather from everyone on the network can make a real-world difference. Consider the inference that the U.S. elections in 2016 were influenced by hackers from another nation. If that is true, cyber criminals can do practically anything, and the idea that we’ll accept that as the status quo is simply ridiculous.

At Ziften, we believe the best way to fight those risks is with greater visibility than you have ever had. That visibility crosses the whole business and links all the significant players together. On the back end, that’s real and virtual servers in the data center and the cloud. That’s infrastructure and applications and containers. On the other side, it’s laptops and desktop computers, irrespective of how and where they are connected.

End-to-end: that’s the thinking behind everything at Ziften. From endpoint to cloud, all the way from a browser to a DNS server. We connect all that together, with all the other parts, to give your company a total solution.

We also record and keep real-time data for up to 12 months to let you understand what’s happening on the network today, and to offer historical trend analysis and alerts if something is changed.

That lets you identify IT faults and security concerns right away, and also ferret out the source by looking back in time to see where a fault or breach may have first occurred. Active forensics are an absolute must in security: after all, where a fault or breach triggered an alarm may not be where the issue started, or where a hacker is operating.

Ziften provides your security and IT teams with the visibility to understand your present security posture and identify where improvements are needed. Non-compliant endpoints? Found. Rogue devices? Found. Off-network penetration? Found. Obsolete firmware? Unpatched applications? All discovered. We’ll not just help you find the issue, we’ll help you fix it, and make certain it stays fixed.

End-to-end security and IT management. Real-time and historical active forensics. In the cloud, offline and onsite. Incident detection, containment and response. We’ve got it all covered. That’s what makes Ziften better.

Charles Leaver – Workload Deployments In The Cloud Are Easily Tracked With Enhanced NetFlow

Written by Roark Pollock and presented by Ziften CEO Charles Leaver


According to Gartner, the public cloud services market exceeded $208 billion in 2016. This represented about a 17% increase year over year. Pretty good when you consider the on-going concerns most cloud consumers still have about data security. Another particularly interesting Gartner finding is the common practice among cloud consumers of contracting services from several public cloud providers.

According to Gartner, “most organizations are already using a combination of cloud services from various cloud companies”. While the business reasoning for using several suppliers is sound (e.g., preventing vendor lock-in), the practice does create extra complexity in tracking activity across an organization’s increasingly dispersed IT landscape.

While some providers offer better visibility than others (for example, AWS CloudTrail can monitor API calls across the AWS infrastructure), companies have to understand and deal with the visibility problems associated with moving to the cloud, irrespective of the cloud provider or providers they deal with.

Unfortunately, the ability to monitor application and user activity, and networking interactions from each VM or endpoint in the cloud, is limited.

Irrespective of where computing resources live, organizations must answer the question “Which users, devices, and applications are communicating with each other?” Organizations need visibility throughout the infrastructure so that they can:

  • Quickly identify and prioritize issues
  • Speed root cause analysis and identification
  • Lower the mean time to resolve problems for end users
  • Rapidly identify and eliminate security threats, minimizing total dwell times.

Conversely, poor visibility or poor access to visibility data can lower the effectiveness of existing security and management tools.

Businesses that are familiar with the ease, maturity, and relatively low cost of monitoring physical data centers are likely to be disappointed with their public cloud alternatives.

What has been lacking is a simple, common, and elegant solution like NetFlow for public cloud infrastructure.

NetFlow, of course, has had 20 years or so to become a de facto standard for network visibility. A common implementation involves the monitoring of traffic and aggregation of flows at network chokepoints, the collection and storage of flow information from numerous collection points, and the analysis of this flow information.

Flows consist of a basic set of source and destination IP addresses and port and protocol information that is usually collected from a switch or router. NetFlow data is relatively inexpensive and simple to collect, provides almost ubiquitous network visibility, and allows for actionable analysis for both network monitoring and performance management applications.

Most IT staffs, particularly networking and some security teams, are extremely comfortable with the technology.

But NetFlow was created to solve what has become a rather limited problem, in the sense that it only collects network data and does so at a limited number of potential locations.

To make better use of NetFlow, two crucial changes are necessary.

NetFlow to the Edge: First, we have to broaden the practical deployment scenarios for NetFlow. Instead of just gathering NetFlow at network chokepoints, let’s expand flow collection to the edge of the network (clients, cloud, and servers). This would greatly expand the overall view that any NetFlow analytics offer.

This would allow companies to augment and take advantage of existing NetFlow analytics tools to remove the growing blind spot of visibility into public cloud activities.

Rich, contextual NetFlow: Secondly, we have to use NetFlow for more than simple visibility of the network.

Rather, let’s use an extended version of NetFlow and include information on the device, application, user, and binary responsible for each monitored network connection. That would allow us to quickly correlate every network connection back to its source.

In fact, these two changes to NetFlow are precisely what Ziften has accomplished with ZFlow. ZFlow provides an expanded version of NetFlow that can be deployed at the network edge, including as part of a container or VM image, and the resulting data collection can be consumed and analyzed with existing NetFlow analysis tools. As well as standard NetFlow/Internet Protocol Flow Information eXport (IPFIX) networking visibility, ZFlow provides extended visibility with the inclusion of information on application, device, user and binary for each network connection.

Ultimately, this permits Ziften ZFlow to deliver end-to-end visibility between any two endpoints, physical or virtual, getting rid of conventional blind spots like East-West traffic in data centers and enterprise cloud deployments.
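As an added illustration of the “rich, contextual NetFlow” idea described above (example code written for this page, not Ziften’s ZFlow implementation), the Python below joins standard 5-tuple flow records to a snapshot of local socket owners so that each connection carries device, user and binary context; the constructed sample includes connections to TCP/445, the SMB port from the WannaCry post above, one of which has no recorded owner to show the blind spot that plain NetFlow leaves. The host address, process names, ports and the `ss -p` / `netstat -b` style socket snapshot are all assumptions made up for the example.

```python
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """Standard NetFlow/IPFIX 5-tuple plus a byte count (all plain NetFlow gives)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    octets: int

@dataclass(frozen=True)
class SocketOwner:
    """Constructed endpoint-side context: which process owns a local socket."""
    local_ip: str
    local_port: int
    proto: str
    pid: int
    user: str
    binary: str

# Constructed socket snapshot for host 10.0.1.15 (the kind of data ss -p / netstat -b show).
SOCKETS = [
    SocketOwner("10.0.1.15", 49211, "tcp", 4120, "alice", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    SocketOwner("10.0.1.15", 49377, "tcp", 3044, "SYSTEM", r"C:\Windows\System32\svchost.exe"),
]

# Constructed flows as an edge collector running on 10.0.1.15 would export them.
FLOWS = [
    Flow("10.0.1.15", 49211, "93.184.216.34", 443, "tcp", 18240),
    Flow("10.0.1.15", 49377, "10.0.1.22", 445, "tcp", 2890),
    Flow("10.0.1.15", 51002, "10.0.1.22", 445, "tcp", 512),  # no matching socket recorded
]

def enrich(flow: Flow, sockets: list) -> dict:
    """Join a flow to its local socket owner; an unmatched flow keeps None context,
    which is exactly the blind spot chokepoint-only NetFlow cannot close."""
    owner: Optional[SocketOwner] = next(
        (s for s in sockets if (s.proto, s.local_ip, s.local_port)
         == (flow.proto, flow.src_ip, flow.src_port)), None)
    rec = asdict(flow)
    rec.update(device=flow.src_ip, pid=owner.pid if owner else None,
               user=owner.user if owner else None, binary=owner.binary if owner else None)
    return rec

def smb_connections(flows: list, sockets: list) -> list:
    """Enriched flows to TCP/445, the SMB port the WannaCry exploit used."""
    return [enrich(f, sockets) for f in flows if f.proto == "tcp" and f.dst_port == 445]

if __name__ == "__main__":
    for rec in smb_connections(FLOWS, SOCKETS):
        print(rec)
```

Running the module prints the two SMB flows: one attributed to svchost.exe under SYSTEM, the other with empty context, which is the record an analyst would want to chase first.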