Monthly Archives: January 2018

Charles Leaver – SysSecOps And Flexibility Is The Only Way Forward

Written By Charles Leaver

Endpoints are everywhere. The device you're reading this on is an endpoint, whether it's a desktop, laptop, tablet, or phone. The HVAC controller for your building is an endpoint, assuming it's connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the web servers, storage servers, and Active Directory servers in the data center. So are your IaaS/PaaS services in the cloud, where you are in control of bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

They're all endpoints, and all of them need to be managed.

They need to be managed from the IT side, by IT administrators who ideally have proper IT-level visibility of each connected thing, including those security cameras. That management means making sure they're connected to the right network zones or VLANs, that their software and configurations are on the current version, that they're not flooding the network with bad packets due to electrical faults, and so on.

Those endpoints also need to be managed from the security point of view by CISO teams. Every endpoint is a potential entrance into the enterprise network, which means the devices need to be locked down: default passwords never used, all security patches applied, no unapproved software installed on the device's embedded web server. (Krebs describes how, in 2014, attackers broke into Target's network through its HVAC system.)

Systems and Security Operations

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right SysSecOps mindset, and tools that support the proper workflows, IT and security staff get the same data and can work together. Sure, they each have different tasks and respond differently to trouble alerts, but they're all managing the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Ziften Zenith Test Report

We were thrilled when the recently published Broadband-Testing report praised Zenith, Ziften's flagship endpoint security and management platform, as being ideal for exactly this kind of situation. To quote from the report: "With its Zenith platform, Ziften has a solution that ticks all the SysSecOps boxes and more. Since its definition of 'endpoints' extends into the Data Centre (DC) and the world of virtualisation, it is true blanket coverage."

Broadband-Testing is an independent testing centre and service based in Andorra. They describe themselves this way: "Broadband-Testing engages with vendors, media, investment groups and VCs, analysts and consultancies alike. Testing covers all elements of networking hardware and software, from ease of use and performance, through to increasingly important elements such as device power consumption measurement."

Back to flexibility. With endpoints everywhere (again, on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system needs to go everywhere and do everything, at scale. Broadband-Testing wrote:

"The configuration/deployment options and architecture of Ziften Zenith allow for a truly flexible deployment, on or off-premise, or hybrid. Agent deployment is simplicity itself with zero user requirements and no endpoint intrusion. Agent footprint is also minimal, unlike many endpoint security solutions. Scalability also appears excellent – the largest customer deployment to date is in excess of 110,000 endpoints."

We can't help but be proud of Zenith, and of what Broadband-Testing concluded:

"The development of SysSecOps – combining systems and security operations – is a rare moment in IT; a hype-free, common sense approach to refocusing on how systems and security are managed inside a company.

Key to Ziften's endpoint approach in this category is total visibility – after all, how can you secure what you can't see or don't know is there in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Deployment is easy, especially in a cloud-based scenario as tested. Scalability also appears excellent – the largest client deployment to date is in excess of 110,000 endpoints.

Data analysis options are extensive, with a huge amount of information available from the Ziften console – a single view of the whole endpoint infrastructure. Any item can be analysed – e.g. binaries, applications, systems – and, from a process, an action can be defined as an automated function, such as quarantining a system in the event of a potentially harmful binary being discovered. Multiple reports are predefined covering all areas of analysis. Alerts can be set for any event. Additionally, Ziften supplies the concept of extensions for customised data collection, beyond the reach of the majority of vendors.

And with its External API functionality, Ziften-gathered endpoint data can be shared with many third-party applications, thereby adding further value to a client's existing security and analytics infrastructure investment.

Overall, Ziften has a very competitive offering in what is a very worthy and emerging IT category in the form of SysSecOps, and one that is very deserving of evaluation."

We hope you'll consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes with the true blanket coverage that both your IT and CISO teams have been looking for.

Charles Leaver – Understanding Meltdown And Spectre And How Ziften Can Help You

Written By Josh Harriman And Presented By Charles Leaver

Ziften is aware of the current exploits affecting almost everybody who works on a computer or digital device. While this is a very broad statement, we at Ziften are working diligently to help our customers find vulnerable assets, patch those vulnerable systems, and monitor systems after the fix for possible performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we keep up to date on the latest malicious attacks as they develop. Right now, most of the conversations are around proof-of-concept (PoC) code and what can theoretically happen. This will soon change as attackers take advantage of these opportunities. The exploits I'm speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were discovered and what the industry is doing to find workarounds for these hardware issues. To learn more, I feel it's appropriate to go straight to the source (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Assist?

A key area that Ziften helps with in the event of an attack by either method is monitoring for data exfiltration. Since these attacks are essentially reading data they shouldn't have access to, we believe the first and easiest way to protect yourself is to take sensitive data off these systems. This data might be passwords, login credentials, or even security keys for SSH or VPN access.

Ziften checks and alerts when processes that normally do not make network connections start exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and/or kill the processes associated with these events. Ziften Labs is monitoring the development of the attacks that are likely to become available in the wild for these vulnerabilities, so we can better protect our customers.
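The detection described above can be reduced to a baseline-and-compare check: learn which processes on each host have a history of making network connections, then alert on any connection from a process with no such history. The following is an added illustration written for this article, not Ziften code and not how Zenith implements it; the telemetry records, host names, process names and destination addresses are all constructed. It also handles the caveat a practitioner cares about: a host observed for too few days has no trustworthy baseline, so it is reported separately rather than alerted on.

```python
"""
Baseline-and-compare detection for processes that normally never open
network connections. Added illustration, not Ziften's code.
Each record is (day, host, process, destination); all values constructed.
"""
from collections import defaultdict

# Constructed sample telemetry from the learning period (one row per connection).
BASELINE_EVENTS = [
    ("2018-01-02", "ws-01", "chrome.exe", "203.0.113.10:443"),
    ("2018-01-02", "ws-01", "outlook.exe", "203.0.113.20:443"),
    ("2018-01-03", "ws-01", "chrome.exe", "203.0.113.11:443"),
    ("2018-01-03", "ws-02", "chrome.exe", "203.0.113.10:443"),
    ("2018-01-03", "ws-02", "svchost.exe", "203.0.113.30:80"),
]

# Constructed sample telemetry from the monitoring period.
NEW_EVENTS = [
    ("2018-01-04", "ws-01", "chrome.exe", "203.0.113.12:443"),
    ("2018-01-04", "ws-01", "wordpad.exe", "198.51.100.5:443"),  # no prior history
    ("2018-01-04", "ws-02", "svchost.exe", "203.0.113.30:80"),
    ("2018-01-04", "ws-02", "calc.exe", "198.51.100.9:8080"),  # no prior history
]


def build_baseline(events, min_days=2):
    """Map host -> set of process names seen making connections.

    Hosts observed on fewer than `min_days` distinct days are left out:
    their baseline is too thin to tell "new" from "not yet seen".
    """
    procs = defaultdict(set)
    days = defaultdict(set)
    for day, host, proc, _dest in events:
        procs[host].add(proc.lower())
        days[host].add(day)
    return {host: procs[host] for host in procs if len(days[host]) >= min_days}


def find_new_talkers(baseline, events):
    """Return alerts for connections from processes with no network history.

    Result: {"alerts": [(host, process, destination), ...],
             "no_baseline": [hosts skipped for lack of a learned baseline]}
    """
    alerts = []
    no_baseline = set()
    for _day, host, proc, dest in events:
        if host not in baseline:
            no_baseline.add(host)
            continue
        if proc.lower() not in baseline[host]:
            alerts.append((host, proc, dest))
    return {"alerts": alerts, "no_baseline": sorted(no_baseline)}


if __name__ == "__main__":
    result = find_new_talkers(build_baseline(BASELINE_EVENTS), NEW_EVENTS)
    for host, proc, dest in result["alerts"]:
        print(f"ALERT {host}: {proc} opened a connection to {dest}")
    for host in result["no_baseline"]:
        print(f"SKIP  {host}: not enough baseline days, review manually")
```

With the default `min_days=2`, ws-02 was only seen on one day in the sample and is reported as unbaselined instead of producing a possibly spurious alert; lowering `min_days` to 1 makes the calc.exe connection on ws-02 an alert as well. The response step the article mentions (quarantine or process kill) would be driven from the `alerts` list.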

Find – How Am I Vulnerable?

Let's look at areas we can examine for vulnerable systems. Zenith, Ziften's flagship product, can simply and quickly find OSs that need to be patched. Even though these exploits are in the CPUs themselves (Intel, AMD and ARM), the fixes that will be available will be delivered as OS updates, and in other cases, as updates to the browser you use too.

In Figure 1 below, you can see one example of how we report on the available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track patch installs that failed. The example shown is not for Meltdown or Spectre, but the KB and/or patch number for your environment could be populated in this report to reveal the vulnerable systems.

The same is true for browser updates. Zenith monitors the software versions running in the environment. That data can be used to know whether all browsers are on the current version once the fixes appear.
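The "Find" step above, patch status by name plus browser version checks, amounts to a compliance join over an endpoint inventory. The following is an added illustration for this article, not Ziften code and not Zenith's report format; the inventory records, the patch identifiers (`KB-PLACEHOLDER-1`, `kernel-PLACEHOLDER`) and the minimum browser versions are constructed placeholders, since the real patch numbers and fixed versions are not part of this article. It generalises slightly beyond the text by combining the patch report and the version report into one list of hosts that still need attention.

```python
"""
Patch and browser-version compliance report over an endpoint inventory.
Added illustration, not Ziften's code. All records and identifiers below
are constructed placeholders, not real KB numbers or release versions.
"""

# Constructed inventory, one record per endpoint as an agent might report it.
INVENTORY = [
    {"host": "ws-01", "os": "windows",
     "patches": {"KB-PLACEHOLDER-1": "installed"},
     "software": {"firefox": "57.0.2", "chrome": "63.0.3239.108"}},
    {"host": "ws-02", "os": "windows",
     "patches": {"KB-PLACEHOLDER-1": "failed"},
     "software": {"firefox": "58.0.1"}},
    {"host": "ws-03", "os": "windows",
     "patches": {},
     "software": {"chrome": "64.0.0"}},
    {"host": "srv-01", "os": "linux",
     "patches": {"kernel-PLACEHOLDER": "installed"},
     "software": {}},
]

# Constructed requirements: the patch each OS must carry, and version floors.
REQUIRED_PATCH = {"windows": "KB-PLACEHOLDER-1", "linux": "kernel-PLACEHOLDER"}
MIN_VERSION = {"firefox": "58.0.0", "chrome": "64.0.0"}  # placeholders


def parse_version(text):
    """Turn a dotted version string into a tuple of ints for safe comparison."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def patch_report(inventory, required):
    """Group hosts by the status of the patch their OS requires."""
    report = {"installed": [], "failed": [], "missing": [], "unknown_os": []}
    for rec in inventory:
        patch = required.get(rec["os"])
        if patch is None:
            report["unknown_os"].append(rec["host"])
            continue
        status = rec["patches"].get(patch)
        if status == "installed":
            report["installed"].append(rec["host"])
        elif status == "failed":
            report["failed"].append(rec["host"])
        else:
            report["missing"].append(rec["host"])
    return report


def outdated_software(inventory, min_version):
    """List (host, product, version) where a tracked product is below its floor."""
    outdated = []
    for rec in inventory:
        for product, version in rec["software"].items():
            floor = min_version.get(product)
            if floor and parse_version(version) < parse_version(floor):
                outdated.append((rec["host"], product, version))
    return outdated


def vulnerable_hosts(inventory, required, min_version):
    """Hosts needing action: patch missing or failed, or any outdated product."""
    report = patch_report(inventory, required)
    hosts = set(report["missing"]) | set(report["failed"])
    hosts |= {host for host, _product, _version in outdated_software(inventory, min_version)}
    return sorted(hosts)


if __name__ == "__main__":
    for status, hosts in patch_report(INVENTORY, REQUIRED_PATCH).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
    for host, product, version in outdated_software(INVENTORY, MIN_VERSION):
        print(f"outdated: {host} {product} {version}")
    print("needs action:", vulnerable_hosts(INVENTORY, REQUIRED_PATCH, MIN_VERSION))
```

Versions are compared as integer tuples rather than strings so that "63.0.3239.108" sorts below "64.0.0" (a string comparison would get "9.x" versus "10.x" wrong). A host with a failed install is deliberately counted alongside missing ones, which matches the article's point that failed installs must be tracked and not assumed fixed.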

Speaking of browsers, one area that has already picked up steam in the attack scenarios is the use of JavaScript. A working copy is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Products like the Edge browser do not use JavaScript any longer, and mitigations are available for other browsers. Firefox has a fix available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is coming out this week.

Fix – What Can I Do Now?

Once you have identified vulnerable systems in your environment, you definitely need to patch and fix them quickly. Some caveats to take into consideration are reports of certain anti-virus products causing stability issues when the patches are applied. Information about these issues is here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the ability to help patch systems. We can monitor for systems that require patches, direct our solution to apply those patches for you, and then report success/failure and the status of those still needing patching.

Since the Zenith backend is cloud based, we can even monitor your endpoint systems and apply the needed patches when and if they are not connected to your corporate network.

Monitor – How Is It All Running?

Lastly, some systems may display performance degradation after the OS fixes are applied. These issues appear to be limited to high-load (IO and network) systems. The Zenith platform helps both security and operational teams within your environment, which is what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help find issues such as application hangs or crashes, and system crashes. Plus, we monitor system memory and CPU usage over time. This data can be used to monitor and alert on systems that begin to display high usage compared to the period before the patch was applied. An example of this monitoring is shown in Figure 2 below (system names intentionally removed).
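The post-patch performance check described above compares each system's resource usage before and after the patch time. The following is an added illustration for this article, not Ziften code and not Zenith's alerting logic; the host names, CPU samples and patch timestamps are constructed. It uses the median of each window so a single spike does not trigger an alert, and it skips hosts that lack enough samples on either side of the patch, which is the usual failure mode when a host was patched only hours ago.

```python
"""
Before/after patch comparison of CPU usage per host.
Added illustration, not Ziften's code. All samples are constructed.
Samples are (ISO timestamp, cpu_percent); timestamps share one format so
plain string comparison orders them correctly.
"""
from statistics import median

# Constructed CPU samples per host (hourly, percent busy).
CPU_SAMPLES = {
    # Heavy IO/network host: usage steps up after the patch.
    "db-01": [("2018-01-08T10:00", 40), ("2018-01-08T11:00", 42), ("2018-01-08T12:00", 41),
              ("2018-01-09T10:00", 60), ("2018-01-09T11:00", 63), ("2018-01-09T12:00", 61)],
    # Workstation: no meaningful change.
    "ws-01": [("2018-01-08T10:00", 10), ("2018-01-08T11:00", 12), ("2018-01-08T12:00", 11),
              ("2018-01-09T10:00", 11), ("2018-01-09T11:00", 12), ("2018-01-09T12:00", 10)],
    # Freshly patched host: too few post-patch samples to judge yet.
    "new-01": [("2018-01-08T10:00", 20), ("2018-01-08T11:00", 22), ("2018-01-08T12:00", 21),
               ("2018-01-09T10:00", 35), ("2018-01-09T11:00", 36)],
}

# Constructed patch times (when the OS fix was applied on each host).
PATCH_TIME = {
    "db-01": "2018-01-09T00:00",
    "ws-01": "2018-01-09T00:00",
    "new-01": "2018-01-09T00:00",
}


def split_windows(samples, patched_at):
    """Separate sample values into the pre-patch and post-patch windows."""
    before = [value for stamp, value in samples if stamp < patched_at]
    after = [value for stamp, value in samples if stamp >= patched_at]
    return before, after


def compare_host(samples, patched_at, min_samples=3):
    """Return (median_before, median_after), or None if either window is too thin."""
    before, after = split_windows(samples, patched_at)
    if len(before) < min_samples or len(after) < min_samples:
        return None
    return median(before), median(after)


def regressions(metrics, patch_times, threshold=0.25, min_samples=3):
    """Flag hosts whose post-patch median rose by more than `threshold`.

    Returns ({host: relative_increase}, [hosts skipped for too few samples]).
    """
    flagged = {}
    skipped = []
    for host, samples in metrics.items():
        result = compare_host(samples, patch_times[host], min_samples)
        if result is None:
            skipped.append(host)
            continue
        before, after = result
        if before > 0 and (after - before) / before > threshold:
            flagged[host] = round((after - before) / before, 3)
    return flagged, sorted(skipped)


if __name__ == "__main__":
    flagged, skipped = regressions(CPU_SAMPLES, PATCH_TIME)
    for host, increase in flagged.items():
        print(f"ALERT {host}: CPU median up {increase:.0%} since patch")
    for host in skipped:
        print(f"WAIT  {host}: not enough samples yet")
```

The 25% threshold and the three-sample minimum are starting points, not tuned values; on a busy server the same check would normally run over IO and network counters as well, since the article notes those are the workloads that show the degradation.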

These 'defects' are still new to the public, and much more will be discussed and discovered in the days/weeks/months to come. Here at Ziften, we continue to monitor the situation and how we can best inform and protect our customers and partners.