Monthly Archives: November 2017

Charles Leaver – Find Out Why You Must Have SysSecOps


Written By Alan Zeichick And Presented By Charles Leaver


SysSecOps. That’s a new phrase, still not known by many IT and security administrators, but it’s being discussed within the industry, by experts, and at technical conferences. SysSecOps, or Systems & Security Operations, describes the practice of uniting security teams and IT operations teams to ensure the health of enterprise technology, and having the tools to react most effectively when issues happen.

SysSecOps focuses on tearing down the information walls, breaking up the silos, that stand between security teams and IT administrators.

IT operations staff are there to guarantee that end users can access applications and that critical infrastructure is operating at all times. They want to maximize access and availability, and need the data required to do that job: that a new employee needs to be provisioned, that a hard disk drive in a RAID array has failed, that a new partner must be given access to a secure file repository, or that an Oracle database is ready to be moved to the cloud. It’s all about innovation to drive the business.

Same Data, Different Use Cases

While the use of endpoint and network monitoring data and analytics is plainly tailored to the different requirements of IT and security, it turns out that the underlying raw data is exactly the same. The IT and security teams are simply looking at their own domain’s issues and circumstances, and acting on those use cases.

Yet sometimes the IT and security teams need to work together. Take provisioning that new business partner: it needs to touch all the right systems, and be done securely. Or if there is a problem with a remote endpoint, such as a mobile phone or a device on the Industrial Internet of Things, IT and security might need to work together to figure out exactly what’s going on. When IT and security share the same data sources and have access to the same tools, this job becomes a lot easier. Hence SysSecOps.

Imagine that an IT administrator finds that a server hard disk is nearing full capacity, and this was not expected. Perhaps the network has been breached, and the server is now being used to stream pirated films across the Internet. It happens, and finding and fixing that problem is a job for both IT and security. The data collected by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more effectively than they would with conventional, separate IT and security tools.

SysSecOps: it’s a new term and a new idea, and it’s resonating with both IT and security teams. You can learn more about this in a short nine-minute video, where I speak with several industry experts about this topic: “What is SysSecOps?”

Charles Leaver – With Ziften You Can Protect Against Microsoft Word Phishing


Written By Josh Harriman And Presented By Charles Leaver


An intriguing multifaceted attack has been reported in a recent blog by Cisco’s Talos Intelligence group. I wanted to discuss the infection vector of this attack as it’s quite fascinating and something that Microsoft has promised not to fix, as it is a feature and not a bug. Reports are coming in about attacks in the wild which are making use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog from SecureData.

Special Phishing Attack with Microsoft Word

Attackers constantly search for new ways to breach an organization. Phishing attacks are among the most common, as attackers are counting on someone either opening a file sent to them or visiting a ‘fabricated’ URL. From there an exploit against a vulnerable piece of software normally provides the access needed to begin their attack.

But in this case, the files didn’t have a malicious object embedded in the Word doc, which is a favorite attack vector, but rather a sly use of this feature that lets the Word program reach out to obtain the real malicious files. This way they might hope for, or rely on, a better success rate of infection, as malicious Word files themselves can be scanned and deleted before reaching the recipient.

Searching for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our clients. Finding conditions that exhibit ‘strange’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a bit further and look for PowerShell running from that spawned shell and it gets ‘extremely’ interesting. By using our Search API, we can find these behaviors no matter when they took place. We do not need the system to be on at the time of the search; if it has run a program (in this case Word) that displayed these behaviors, we can find that system. Ziften is always collecting and sending pertinent process details, which is why we can find the data without relying on the system state at the time of searching.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process command line contains powershell

This returns the PIDs (process IDs) of the processes we saw start up under these conditions. From there we can drill down to see the critical details.

In this first screenshot, we can see details of the process tree (Word spawning CMD with PowerShell under that) on the left, and on the right you can see details like the system name and user, plus start time.

Below, in the next image, we look at the CMD process and get details of exactly what was passed to PowerShell.

Most likely when the user had to respond to this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and get some code that was hosted on the Louisiana Gov site. In the PowerShell screenshot below we can see more details, such as Network Connect details, when it was reaching out to the website to pull the fonts.txt file.

That IP address ( is in fact the Louisiana Gov site. Sometimes we see interesting data within our Network Connect details that may not match what you expect.

After creating our Saved Search, we can alert on these conditions as they happen throughout the environment. We can also create extensions that change a GPO policy to disable DDE, or even take further action and go and find these files and remove them from the system if desired. Being able to discover interesting combinations of conditions within an environment is very powerful and we are very proud to have this feature in our product.
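As an added example (not Ziften’s code or the Zenith Search API), here is the same three-condition search implemented in Python over constructed process-start records; the host names, paths and command lines are made up, and the drill-down helper walks the parent chain the way the process tree in the screenshots is described:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-start record as endpoint telemetry might report it."""
    host: str
    pid: int
    ppid: int
    path: str
    cmdline: str


# Constructed sample telemetry (not real data). hostA is a benign Word session;
# hostB shows the Word -> cmd.exe -> PowerShell chain described in the post;
# hostC runs cmd.exe/powershell without Word as a parent and must not match.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("hostA", 100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n report.docx"),
    ProcessEvent("hostA", 101, 100, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent("hostB", 200, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.docx"),
    ProcessEvent("hostB", 201, 200, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c powershell -w hidden -c "<fetch fonts.txt, placeholder>"'),
    ProcessEvent("hostB", 202, 201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -w hidden ..."),
    ProcessEvent("hostC", 300, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell Get-Date"),
]


def find_word_cmd_powershell(events: List[ProcessEvent]) -> List[Tuple[str, int, int]]:
    """Return (host, word_pid, cmd_pid) for every cmd.exe whose parent is a Word
    process and whose command line mentions powershell. Matching is case-insensitive
    substring matching, like the 'contains' clauses of the saved search, so the
    'word.exe' condition also matches WINWORD.EXE. PIDs are only unique per host,
    so the parent lookup is keyed on (host, pid)."""
    by_key: Dict[Tuple[str, int], ProcessEvent] = {(e.host, e.pid): e for e in events}
    hits: List[Tuple[str, int, int]] = []
    for child in events:
        parent = by_key.get((child.host, child.ppid))
        if parent is None:
            continue
        if ("word.exe" in parent.path.lower()
                and "cmd.exe" in child.path.lower()
                and "powershell" in child.cmdline.lower()):
            hits.append((child.host, parent.pid, child.pid))
    return hits


def process_chain(events: List[ProcessEvent], host: str, pid: int) -> List[Tuple[int, str]]:
    """Drill-down helper: walk parent links upward and return [(pid, path), ...]
    starting at the given process and ending at the outermost known ancestor."""
    by_key = {(e.host, e.pid): e for e in events}
    chain: List[Tuple[int, str]] = []
    key = (host, pid)
    while key in by_key:
        e = by_key[key]
        chain.append((e.pid, e.path))
        key = (e.host, e.ppid)
    return chain


if __name__ == "__main__":
    for host, word_pid, cmd_pid in find_word_cmd_powershell(SAMPLE_EVENTS):
        print(host, process_chain(SAMPLE_EVENTS, host, cmd_pid))
```

On the constructed data only hostB matches; the benign Word session and the standalone cmd.exe/powershell on hostC are correctly ignored.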

Charles Leaver – Stop Ransomware Attacks And Manage Them With This


Written By Alan Zeichick And Presented By Charles Leaver


Ransomware is real, and is striking people, companies, schools, hospitals, local governments, and there’s no sign that ransomware is ending. In fact, it’s most likely increasing. Why? Let’s face it: ransomware is probably the single most effective attack that cyber criminals have ever developed. Anyone can create ransomware using readily available tools; any money received is most likely in untraceable Bitcoin; and if something goes wrong with decrypting someone’s hard drive, the hacker isn’t affected.

A business is hit with ransomware every 40 seconds, according to some sources, and sixty percent of malware issues were ransomware. It strikes all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it’s going to get worse.

The good news: we can fight back. Here’s a four-step battle plan.

Good Basic Hygiene

It starts with training employees how to deal with malicious emails. There are falsified messages from business partners. There’s phishing and targeted spearphishing. Some will make it through email spam/malware filters; employees have to be taught not to click on links in those messages, or, of course, not to allow apps or plug-ins to be installed.

However, some malware, like ransomware, will get through, frequently exploiting obsolete software or unpatched systems, as in the Equifax breach. That’s where the next step comes in:

Ensuring that endpoints are completely patched and entirely up to date with the latest, most secure operating systems, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to fight off the infection.

Ransomware isn’t a technology or security problem. It’s a business problem. And it’s so much more than the ransom that is demanded. That’s nothing compared to loss of productivity because of downtime, poor public relations, angry customers if service is disrupted, and the cost of reconstructing lost data. (Which assumes that valuable intellectual property or protected financial or patient health data isn’t actually stolen.)

What else can you do? Backup, backup, backup, and protect those backups. If you don’t have safe, protected backups, you cannot restore data and core infrastructure in a timely fashion. That includes making daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. This requires constant visibility and reporting of what’s happening in the environment, including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the smartphone to the desktop to the server to the cloud, to ensure that all endpoints are updated and secure, and that no unexpected changes have been made to their underlying configuration. That way, if a device is infected by ransomware or other malware, the breach can be discovered quickly, and the machine isolated and shut down pending forensics and recovery. If an endpoint is breached, fast containment is essential.

The Four Tactics

Good user training. Updating systems with patches and fixes. Backing up everything as often as possible. And using monitoring tools to help both IT and security teams find problems and respond to them quickly. When it comes to ransomware, those are the four battle-tested tactics we need to keep our companies safe.

You can learn more about this in a brief 8-minute video, where I speak with several industry experts about this issue:

Charles Leaver – Enhanced Cyber Protection From Microsoft And Ziften


Written By David Shefter And Presented By Charles Leaver


This week we announced a partnership with Microsoft that unites Ziften’s Zenith® systems and security operations platform and Windows Defender Advanced Threat Protection (ATP), providing a cloud-based “single pane of glass” to detect, view, investigate, and respond to sophisticated cyber attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that makes it possible for enterprise customers to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your enterprise, supplying scalable, state-of-the-art security in an economical and easy-to-use platform. Enabling enterprises throughout the world to protect and manage devices through this ‘single pane of glass’ delivers the promise of lower operational costs with truly enhanced security, delivering real-time global threat protection with data collected from billions of devices worldwide.

Microsoft and Ziften Architecture

The diagram below offers an overview of the service components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, get the results, and take remediation action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, organizations can easily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith offer:

Behavior-based, cloud-powered, advanced attack detection. Discover the attacks that get past your other defenses (post-breach detection).

Rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspicious behavior on any device through a rich, six-month device timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to quickly identify attacks based on tracking and data from billions of devices.

The diagram below highlights many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

At the end of the day, if you’re looking to protect your endpoints and infrastructure, you need to take a hard look at Windows Defender ATP and Ziften Zenith.