Monthly Archives: May 2018

Charles Leaver – Understanding Network Whitelisting

Written by Roark Pollock and presented by Charles Leaver



Like any other kind of security, IT security is a matter of defining and enforcing a set of allow/deny rules, more formally called security policies. Stated simply, allow/deny rules can be expressed as a ‘whitelist’ or a ‘blacklist’.

Back in the good old days, most rules were blacklist in nature. Those were the days when we could rely on almost everyone to behave well, and because they did, bad behavior and anomalies were fairly easy to spot. So we only had to write a few blacklist rules, for instance, “do not allow anybody into the network from an IP address in, say, Russia”. That is much like your grandparents never locking the doors of the farmhouse, because they knew everybody within a 20 mile radius.

Then the world changed. Behaving well became the exception, and bad actors and bad behavior became legion. Of course it happened gradually, and in phases, dating back to the beginning of the real ‘Web’ in the early 90s. Remember the script kiddies breaking into public and private websites just to prove to their high school friends that they could?

Fast forward to the modern era. Everything is online, and if it has value, somebody somewhere is trying to steal or damage it, continuously, and they have plenty of tools to do it with. In 2017, 250,000 new malware variants appeared each day. We used to rely on desktop and network anti-virus packages adding new blacklist signatures, on a weekly basis, to counter attackers using malicious code to do their bidding. But at over 90 million new malware variants a year, blacklist methods alone won’t cut it.

Network whitelisting technologies have been a crucial form of protection for on-premises network security, and with most companies rapidly moving their workloads to the cloud, the same mechanisms will be needed there too.

Let’s take a closer look at both approaches.

What is Blacklisting?

A blacklist enumerates known malicious or suspicious “entities” that should not be allowed access to, or the right to execute in, a system or network. Entities include malicious software (malware) such as viruses, Trojans, worms, spyware, and keystroke loggers. Entities also include any user, application, process, IP address, or organization known to pose a risk to the business.

The key word above is “known”. With 250,000 new variants appearing each day, how many are out there that we don’t know about, and won’t know about until much later: days, weeks, or even years?

What is Whitelisting?

So what exactly is whitelisting? As you may have guessed, it is the opposite of blacklisting. Whitelisting starts from the premise that almost everything is bad. If that holds, it should be more efficient to define and allow only the “good entities” into the network. A simple example would be “all employees in the finance department at director level or above are permitted to access our financial reporting application on server X.” By extension, everyone else is denied access.

Whitelisting is often described as a “zero trust” approach: deny all, and permit access only to specific entities based on a set of ‘good’ properties associated with user and device identity, behavior, location, time, and so on.

Whitelisting is widely accepted in high risk security environments, where strict rules take precedence over user freedom. It is also highly valued in environments where organizations are bound by strict regulatory compliance.

Do you go black, white, or mix it up?

First, few people would tell you that blacklisting is completely obsolete. Certainly at the endpoint device level it remains fairly simple to set up and maintain, and reasonably effective, especially if it is kept up to date by third party threat intelligence providers. But on its own, will it suffice?

Second, depending on your security background or experience, you are probably thinking, “Whitelisting would never work for us. Our business applications are just too diverse and complex. The time, effort, and resources needed to build, monitor, and update whitelists at enterprise scale would be untenable.”

Fortunately, this isn’t really an either-or choice. It is possible to take a “best of both worlds” approach: blacklisting for malware and intrusion detection, operating alongside whitelisting for system and network access at large.

Ziften and Cloud Whitelisting

The key to whitelisting comes down to ease of implementation, especially for cloud-based workloads, and ease of implementation is a function of scope. Think about whitelisting in two ways: application and network. The former can be a quagmire. The latter is far simpler to implement and maintain, if you have the right visibility into your cloud environment.

This is where Ziften comes in.

With Ziften, it becomes simple to:

– Discover and establish visibility into all cloud servers and virtual machines

– Gain continuous visibility into devices and their port usage

– See east-west traffic flows, including detailed tracking of the protocols in use over specific port pairs

– Turn ‘seeing’ what is happening into a well-defined set of whitelists, complete with accurate protocol and port mappings

– Set up near real-time alerting on any anomalous or suspicious resource or service activations
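The mechanics behind the last three points, as an added example that is not Ziften code: observed east-west flows are collapsed into a whitelist keyed on host pair plus protocol/port, every later flow is denied unless it matches that baseline, and a small blocklist of known bad destinations is checked first, which is the “best of both worlds” combination described earlier. The host names, flow records and the blocklist address are constructed for illustration.

```python
"""Default-deny network whitelist derived from observed east-west flows.

Added example, not Ziften code. The flow records, host names and the
blocklist entry are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # source host (or role) initiating the connection
    dst: str     # destination host
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


# Constructed baseline: flows observed during a monitoring window in a
# healthy environment. Hypothetical host names.
BASELINE_FLOWS = [
    Flow("web-01", "app-01", "tcp", 8080),
    Flow("web-02", "app-01", "tcp", 8080),
    Flow("app-01", "db-01", "tcp", 5432),
    Flow("app-01", "db-01", "tcp", 5432),     # duplicates collapse
    Flow("app-01", "cache-01", "tcp", 6379),
    Flow("web-01", "dns-01", "udp", 53),
]

# Constructed blocklist: the "known bad" entities a blacklist covers.
# 198.51.100.0/24 is a documentation range, used here as a hypothetical C2 host.
BLOCKED_DESTINATIONS = {"198.51.100.7"}


def build_whitelist(flows):
    """Collapse observed flows into {(src, dst): {(proto, dport), ...}}.

    Keying on the host pair *and* the protocol/port pair is what lets a
    new service between otherwise-trusted peers stand out.
    """
    allowed = defaultdict(set)
    for f in flows:
        allowed[(f.src, f.dst)].add((f.proto, f.dport))
    return dict(allowed)


def evaluate(flow, whitelist, blocked=BLOCKED_DESTINATIONS):
    """Return (verdict, reason) for one flow.

    The blocklist is consulted first (cheap, catches known bad); anything
    not explicitly in the whitelist is then denied by default.
    """
    if flow.dst in blocked:
        return "deny", "destination is on the blocklist"
    pairs = whitelist.get((flow.src, flow.dst))
    if pairs is None:
        return "deny", "no baseline traffic between these hosts"
    if (flow.proto, flow.dport) not in pairs:
        return "deny", f"new service {flow.proto}/{flow.dport} between known peers"
    return "allow", "matches baseline"


def review(flows, whitelist):
    """Batch check: return the flows that would raise an alert, with reasons."""
    findings = []
    for f in flows:
        verdict, reason = evaluate(f, whitelist)
        if verdict != "allow":
            findings.append((f, reason))
    return findings


if __name__ == "__main__":
    wl = build_whitelist(BASELINE_FLOWS)
    # Constructed "live" flows to check against the baseline.
    live = [
        Flow("web-01", "app-01", "tcp", 8080),         # normal
        Flow("app-01", "db-01", "tcp", 22),            # SSH to the DB host: new service
        Flow("web-02", "db-01", "tcp", 5432),          # web tier talking straight to the DB
        Flow("app-01", "198.51.100.7", "tcp", 443),    # known bad destination
    ]
    for flow, reason in review(live, wl):
        print(f"ALERT {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The baseline window matters: build it from a period you trust, and review the resulting whitelist by hand before enforcing it, because a flow that was already malicious during the window would be learned as legitimate.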

Charles Leaver – How To Do Advanced Hunting With Windows Defender ATP

Written by Josh Harrimen and presented by Charles Leaver


Following on the heels of our recent partnership announcement with Microsoft, our Ziften Security Research team has started using a very useful element of the Windows Defender Advanced Threat Protection (Windows Defender ATP) Security Center platform. The Advanced Hunting feature lets users run queries against the data that has been sent in by products and tools, such as Ziften, to find interesting behaviors quickly. These queries can be saved and shared among the community of Windows Defender ATP users.

We have contributed a handful of shared queries so far, but the results are quite interesting, and we like the ease of use of the hunting interface. Because Ziften sends endpoint data collected from macOS and Linux systems to Windows Defender ATP, we are focusing on those operating systems in our query development to show the full coverage of the platform.

You can access the Advanced Hunting interface by choosing the database icon on the left-hand side, as shown below.

You can see the high-level schema at the top left of that page, with event types such as ProcessCreation, MachineInfo, NetworkCommunication and others. We ran some recent malware in our Redlab and wrote queries to find that data and produce results for investigation. One such sample was OceanLotus. We wrote a small number of queries to find both the files and the dropper associated with this threat.

After running the queries, you get results that you can interact with.

On reviewing the results, we see some systems that have exhibited the behavior we searched for. When you select one of these systems, you can see the details of the system under investigation. From there you can view the alerts triggered and an event timeline. Details of the malicious process are shown below.

Other behavior-based queries can also be run. For example, we ran another malicious sample that used a few techniques we then queried for. The screenshot below shows a query we ran to look for Gatekeeper being disabled from the command line on macOS. While this may be a legitimate administrative action, it is certainly something you would want to know is happening in your environment.

From these query results you can again select the system in question and investigate the suspicious behavior further.
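The Gatekeeper hunt above, as an added example that is neither Ziften’s nor Microsoft’s code. In the Advanced Hunting portal this is written as a Kusto query over the ProcessCreation events; here the same matching logic runs in Python over constructed process-creation records so it can be tested offline. The record field names are modelled loosely on the process-creation schema and are an assumption, as are the host names, users and timestamps. On macOS, Gatekeeper is disabled with `spctl --master-disable` (spelled `--global-disable` on newer releases), and the matcher looks for that flag following an `spctl` token, whether the binary is called directly, through `sudo`, or inside a `sh -c '...'` wrapper.

```python
"""Hunt for Gatekeeper being disabled from the command line on macOS.

Added example, not Ziften's or Microsoft's code. In the Advanced Hunting
portal this would be a Kusto query over the ProcessCreation events; here the
same detection logic runs over constructed records so it can be tested
offline. Field names mirror the process-creation schema loosely and are an
assumption.
"""
import shlex

# Flags that turn Gatekeeper off. --master-disable is the spelling of the
# macOS releases current when this post was written; --global-disable is the
# newer equivalent.
GATEKEEPER_DISABLE_FLAGS = {"--master-disable", "--global-disable"}

# Constructed ProcessCreation-style records (hostnames, users and times are made up).
SAMPLE_EVENTS = [
    {"EventTime": "2018-05-02T14:03:11Z", "ComputerName": "mac-research-01",
     "AccountName": "jdoe", "FileName": "sudo",
     "ProcessCommandLine": "sudo spctl --master-disable"},
    {"EventTime": "2018-05-02T14:05:40Z", "ComputerName": "mac-research-01",
     "AccountName": "jdoe", "FileName": "spctl",
     "ProcessCommandLine": "spctl --status"},
    {"EventTime": "2018-05-02T15:12:03Z", "ComputerName": "mac-build-07",
     "AccountName": "ci", "FileName": "sh",
     "ProcessCommandLine": "sh -c '/usr/sbin/spctl --master-disable'"},
    {"EventTime": "2018-05-02T15:30:00Z", "ComputerName": "mac-build-07",
     "AccountName": "ci", "FileName": "spctl",
     "ProcessCommandLine": "spctl --master-enable"},
    {"EventTime": "2018-05-02T16:01:22Z", "ComputerName": "mac-dev-03",
     "AccountName": "asmith", "FileName": "python3",
     "ProcessCommandLine": "python3 deploy.py --master-disable"},  # same flag, unrelated binary
]


def flatten_tokens(cmdline):
    """Tokenize a command line, unwrapping quoted sub-commands such as sh -c '...'.

    A token that still contains whitespace came from a quoted argument and is
    re-split so the inner command is visible to the matcher.
    """
    try:
        tokens = shlex.split(cmdline)
    except ValueError:           # unbalanced quotes: fall back to a naive split
        tokens = cmdline.split()
    flat = []
    for tok in tokens:
        flat.extend(flatten_tokens(tok) if any(c.isspace() for c in tok) else [tok])
    return flat


def is_gatekeeper_disable(cmdline):
    """True if spctl is invoked (by any path, under sudo or a shell) with a disable flag."""
    tokens = flatten_tokens(cmdline)
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] == "spctl":
            return any(t in GATEKEEPER_DISABLE_FLAGS for t in tokens[i + 1:])
    return False


def hunt(events):
    """Return the matching events sorted by time, ready for triage."""
    hits = [e for e in events if is_gatekeeper_disable(e["ProcessCommandLine"])]
    return sorted(hits, key=lambda e: e["EventTime"])


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(e["EventTime"], e["ComputerName"], e["AccountName"], e["ProcessCommandLine"])
```

Matching on the `spctl` token rather than on the raw substring `--master-disable` is what keeps the unrelated `deploy.py --master-disable` record out of the results; when you port this to a Kusto query, apply the same two conditions rather than a single `contains`.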

This article is certainly not a thorough tutorial on using the Advanced Hunting feature within the Windows Defender Advanced Threat Protection platform. But we wanted to put something together quickly to share our enthusiasm for how easy it is to use this feature to perform your own custom threat hunting in a multi-system environment, across Linux, Windows and macOS systems.

We look forward to sharing more of our experiments and research using queries built with the Advanced Hunting feature. We share our successes with everyone here, so check back on this blog often.

Charles Leaver – What Happened At RSA 2018

Written by Logan Gilbert and presented by Charles Leaver


After spending a couple of days with the Ziften team at the 2018 RSA Conference, my technology observation was: more of the same, the usual suspects and the usual buzzwords. Buzzwords like “AI”, “machine learning” and “predictive” were wonderfully overused. Lots of attention was paid to prevention, everybody’s favorite attack vector, email, and everyone’s favorite vulnerability, ransomware.

The one surprise I encountered was seeing a small number of NetFlow analysis companies: lots of smaller vendors trying to make their mark using a very rich, but hard to work with, data set. Very cool stuff! Find the small booths and you’ll discover plenty of innovation. Now, in fairness to the bigger vendors, I know there are some truly cool technologies there too, but RSA hardly lends itself to cutting through the buzzwords to actual value.

RSA Buzz

I may have a biased view given that Ziften has been partnering with Microsoft for the last 6+ months, but Microsoft seemed to play a far more prominent leadership role at RSA this year. First, on Monday, Microsoft announced its new Intelligent Security Association, bringing together its security partnerships “to concentrate on safeguarding clients in a world of increased threats”, and more importantly, reinforcing that security through shared security intelligence across this ecosystem of partners. Ziften is naturally proud to be a founding member of the Intelligent Security Association.

In addition, on Tuesday, Microsoft announced a ground-breaking partnership with many in the cyber security industry called the “Cybersecurity Tech Accord.” The accord calls for a “digital Geneva Convention” that sets standards of behavior for cyberspace, just as the Geneva Conventions set rules for the conduct of war in the physical world.

RSA Attendees

A real point of interest to me, though, was the makeup of the expo audience itself. As I was also an exhibitor at RSA, I noticed that among my visitors I saw more “suits” and fewer t-shirts.

OK, maybe not suits as such, but more security managers, directors, VPs, CISOs, and security leaders than I remember seeing at previous events. I was encouraged to see what I believe are the business decision makers checking out security companies first hand, rather than delegating that job to their security team. From this audience I often heard the same overtones:

– This is overwhelming.
– I can’t tell the difference between one technology and another.

Those who were Absent from RSA

There were certainly fewer “technology trolls”. What, you might ask, are technology trolls? Well, as a vendor and security engineer, these are the people (always men) who show up five minutes before the close of the day and drag you into a technical due-diligence exercise for an hour, or at least until the happy hour parties start. Their objective: nothing useful to anyone, and here I’m assuming that the troll actually works for a company, so nothing useful for the company that paid thousands of dollars for their attendance. The only thing gained is the troll’s self-affirmation that they are able to “beat down the vendor” with their technical expertise. I’m being harsh, but I have experienced the trolls from both sides of the fence, as a seller and as a buyer, and back at the home office nobody is basing buying decisions on troll recommendations. I can only presume that companies send tech trolls to RSA and similar expos because they don’t want them in the office.

Holistic Security Conversations

Which brings me back to the kind of people I did see a great deal of at RSA: security savvy (not just tech savvy) security leaders who understand the business arguments and choices behind security technologies. Not only are they influencers, but in many cases the business owners of security for their organizations. Now, apart from the questions mentioned above, these security leaders seemed less focused on a technology or a specific use case than on a desire for “holistic” security. As we know, good security requires a collection of technologies, policy and practice. Security savvy customers wanted to know how our technology fitted into their holistic solution, which is a refreshing change of dialog. The kinds of questions I would hear:

– How does your technology partner with other solutions I already use?
– More importantly: does your business actually buy into that partnership?

That last question is critical, essentially asking whether our partnerships are just fodder for a website, or whether we and our partner genuinely recognize that the sum is greater than the parts.

The latter is what security professionals are looking for and need.

To Conclude

Overall, RSA 2018 was great from my point of view. Once you get past the jargon, much of the buzz focused on things that matter to customers, our industry, and us as individuals: security partner ecosystems that add value, more holistic security through genuine partnership and meaningful integrations, and face to face discussions with business security leaders, not technology trolls.

Charles Leaver – You Need To Discover All Of Your Unmanaged Assets

Written by Logan Gilbert and presented by Charles Leaver


We all recognize the image of the hooded villain hunched over his laptop late at night, accessing a corporate network, stealing valuable data, and vanishing without a trace. We personify the attacker as intelligent, persistent, and crafty. But the reality is that the vast majority of attacks are enabled by simple human carelessness or negligence, making the cyber criminal’s job an easy one. He is checking all the doors and windows constantly. All it takes is one mistake on your part and he gets in.

What do we do? Well, you already know the answer. We spend a good chunk of our IT budget on defense-in-depth security systems designed to detect, deceive, trick, or outright block the bad guys. Let’s park the debate about whether or not we are winning that war, because there is a far simpler war underway: the one where the attacker enters your network, business critical application, or IP/PII data through a vector you didn’t even know you had, the unmanaged asset, often referred to as Shadow IT.

Think this isn’t your company? A recent study suggests the average enterprise has 841 cloud apps in use. Strikingly, most IT executives believe the number of cloud apps in use by their organization is in the order of thirty to forty, meaning they are wrong by a factor of about 20. The same report highlights that more than 98% of cloud apps are not GDPR ready, and 95% of enterprise class cloud apps are not SOC 2 ready.

Shadow IT/ Unmanaged Assets Defined

Shadow IT is defined as any SaaS application used, by employees, departments, or entire business groups, without the knowledge or approval of the company’s IT department. In addition, the advent of ‘everything as a service’ has made it even easier for employees to access whatever software they feel is needed to make them more productive.

The Effect

Well-intentioned employees often do not realize they are breaking company rules by spinning up a new server instance, or downloading unapproved apps or software. But it happens, and when it does, three problems can arise:

1. Corporate standards are compromised, because unapproved software means each computer has different capabilities.

2. Rogue software often contains security flaws, putting the entire network at risk and making it much harder for IT to manage security threats.

3. Asset blind spots not only increase security and compliance risk, they can increase legal risk. Data retention policies designed to limit legal liability are being skirted when information is held on unauthorized cloud assets.

Three Key Considerations for Dealing With Unmanaged Asset Risk

1. First, deploy tools that can provide comprehensive visibility into all cloud assets, managed and unmanaged. Know what new virtual machines have been spun up recently, along with which other devices and applications each VM instance is communicating with.

2. Second, make sure your tooling can provide a continuous inventory of authorized and unauthorized virtual machines running in the cloud. Ensure you can see all IP connections made to each asset.

3. Third, for compliance and/or forensic analysis purposes, look for a solution that captures any and all assets (physical and virtual) that have ever existed on the network, not just one limited to currently active assets within a short look-back window.

Unmanaged Asset Discovery with Ziften

Ziften makes it simple to quickly discover cloud assets that have been commissioned outside IT’s purview. We do it continuously, with deep historical recall at your fingertips, including when each device first connected to the network, when it last appeared, and how frequently it reconnects. And if a virtual machine is decommissioned, no problem, we still have all its historical behavior data.
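An added example of the record-keeping the three considerations above and this paragraph describe, not Ziften code: a small inventory that ingests sightings of assets (a connection, a heartbeat), keeps first seen, last seen, sighting and reconnect counts and the set of peers for each, flags anything not on an authorized list, and never deletes an entry, so a decommissioned instance can still be pulled up for forensics. The asset identifiers, peer addresses, timestamps and the authorized list are constructed; the one-hour offline gap used to count a reconnect is an assumed threshold.

```python
"""Continuous asset inventory with first/last seen, reconnect counts and history.

Added example, not Ziften code. Observation records, asset identifiers and
the authorized list are constructed; the offline gap is an assumed threshold.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AssetRecord:
    asset_id: str
    first_seen: datetime
    last_seen: datetime
    authorized: bool
    sightings: int = 1
    reconnects: int = 0                      # returns after a gap longer than offline_gap
    peers: set = field(default_factory=set)  # IPs/hosts this asset has talked to


class AssetInventory:
    def __init__(self, authorized_ids, offline_gap=timedelta(hours=1)):
        self.authorized = set(authorized_ids)
        self.offline_gap = offline_gap
        self.assets = {}   # asset_id -> AssetRecord; entries are never deleted

    def observe(self, asset_id, seen_at, peer=None):
        """Record one sighting (e.g. a connection or a heartbeat) of an asset."""
        rec = self.assets.get(asset_id)
        if rec is None:
            rec = AssetRecord(asset_id, seen_at, seen_at, asset_id in self.authorized)
            self.assets[asset_id] = rec
        else:
            if seen_at - rec.last_seen > self.offline_gap:
                rec.reconnects += 1
            rec.sightings += 1
            rec.first_seen = min(rec.first_seen, seen_at)
            rec.last_seen = max(rec.last_seen, seen_at)
        if peer:
            rec.peers.add(peer)
        return rec

    def unmanaged(self):
        """Assets ever seen that were never on the authorized list."""
        return sorted(a for a, r in self.assets.items() if not r.authorized)

    def inactive_since(self, now):
        """Assets not seen within offline_gap: likely decommissioned, but still on record."""
        return sorted(a for a, r in self.assets.items() if now - r.last_seen > self.offline_gap)

    def history(self, asset_id):
        """Full record for any asset that has ever been seen, active or not."""
        return self.assets.get(asset_id)


def demo_inventory():
    """Constructed timeline: one authorized VM that drops off and returns,
    and one instance nobody approved that appears briefly and then vanishes."""
    t0 = datetime(2018, 5, 7, 9, 0)
    inv = AssetInventory(authorized_ids={"vm-web-01", "vm-db-01"})
    inv.observe("vm-web-01", t0, peer="10.0.1.20")
    inv.observe("vm-web-01", t0 + timedelta(minutes=5), peer="10.0.1.20")
    inv.observe("i-0f3c-shadow", t0 + timedelta(minutes=10), peer="10.0.1.20")
    inv.observe("i-0f3c-shadow", t0 + timedelta(minutes=20), peer="203.0.113.9")
    inv.observe("vm-web-01", t0 + timedelta(hours=3), peer="10.0.1.21")  # back after an outage
    now = t0 + timedelta(days=1)
    return inv, now


if __name__ == "__main__":
    inv, now = demo_inventory()
    print("unmanaged:", inv.unmanaged())
    print("inactive:", inv.inactive_since(now))
    shadow = inv.history("i-0f3c-shadow")
    print("shadow instance:", shadow.first_seen, shadow.last_seen, sorted(shadow.peers))
```

The unapproved instance is gone by the time anyone looks, but `history()` still returns when it first appeared, when it was last seen, and that it talked to an external address, which is exactly the look-back that a tool limited to currently active assets cannot give you.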

Identify and secure hidden attack vectors arising from shadow IT, before a disaster. Know exactly what is happening in your cloud environment.