Charles Leaver – Your 10 Steps For Endpoint Security Service Assessment

Written By Roark Pollock And Presented By Chuck Leaver CEO Ziften


The Endpoint Security Purchaser’s Guide

The endpoint is the most common point of entry for an advanced persistent threat or a breach, and it is certainly the entry point for most ransomware and social engineering attacks. Using endpoint security products has long been considered a best practice for protecting endpoints. Unfortunately, those tools aren’t keeping up with today’s threat environment. Advanced threats, and truthfully even less advanced threats, are usually more than enough to fool the average employee into clicking something they shouldn’t. So organizations are looking at and evaluating a wide selection of next generation endpoint security (NGES) solutions.

With that in mind, here are 10 tips to consider if you’re looking at NGES solutions.

Tip 1: Start with the end in mind

Don’t let the tail wag the dog. A risk reduction strategy should always start by assessing problems and then looking for possible solutions to those problems. But all too often we get enamored with a “shiny” new technology (e.g., the latest silver bullet) and end up trying to shoehorn that technology into our environments without fully evaluating whether it solves a known and identified problem. So what problems are you trying to solve?

– Is your current endpoint protection tool failing to stop threats?
– Do you need better visibility into activity at the endpoint?
– Are compliance requirements dictating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?

Define the problems to solve, and then you’ll have a yardstick for success.

Tip 2: Understand your audience. Who will be using the tool?

Understanding the problem that needs to be solved is an essential first step in understanding who owns the problem and who would (operationally) own the solution. Every functional group has its strengths, weaknesses, preferences and biases. Specify who will need to use the solution, and who else could benefit from its use. It could be:

– Security team,
– IT group,
– The governance, risk and compliance (GRC) group,
– Help desk or end user support group,
– And even the server group, or a cloud operations team?

Tip 3: Know what you mean by end point

Another frequently neglected early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in far more varieties than before.

Sure, we want to protect desktops and laptops, but what about mobile devices (e.g., smartphones and tablets), virtual endpoints, cloud based endpoints, or Internet of Things (IoT) devices? And what about your servers? All these devices, of course, come in many flavors, so platform support needs to be addressed too (e.g., Windows only, Mac OSX, Linux, etc.?). Also consider support for endpoints when they are working remotely or offline. What are your requirements and what are “nice to haves”?

Tip 4: Start with a foundation of always-on visibility

Continuous visibility is a fundamental capability for addressing a host of security and operational management problems on the endpoint. The old saying holds: you cannot manage what you cannot see or measure. Moreover, you can’t secure what you cannot properly manage. So it must start with continuous, always-on visibility.

Visibility is foundational to Management and Security

And think about what visibility means. Enterprises need one source of truth that at a minimum monitors, stores, and analyzes the following:

– System data – events, logs, hardware state, and file system details
– User data – activity logs and behavior patterns
– Application data – attributes of installed apps and usage patterns
– Binary data – attributes of installed binaries
– Process data – tracking information and statistics
– Network connection data – statistics and internal behavior of network activity on the host

Tip 5: Know where your visibility data will be kept

Endpoint visibility data can be stored and analyzed on premises, in the cloud, or some combination of both. There are benefits to each. The right approach varies, but is usually dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.

Know if your organization requires on-premise data retention

Know whether your organization allows cloud based data retention and analysis or whether you are constrained to on-premise solutions only. Within Ziften, 20-30% of our customers keep data on premise solely for regulatory reasons. However, if it is legally an option, the cloud can offer cost advantages (among others).

Tip 6: Know what is on your network

Understanding the problem you are trying to solve requires understanding the assets on the network. We have found that as much as 30% of the endpoints we initially discover on customers’ networks are unmanaged or unknown devices. This obviously creates a big blind spot. Reducing this blind spot is a critical best practice. In fact, SANS Critical Security Controls 1 and 2 are to carry out an inventory of authorized and unauthorized devices and software connected to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and utilization, and perform ongoing continuous discovery.

Tip 7: Know where you are vulnerable

After determining what devices you need to monitor, you need to make sure they are running up to date configurations. SANS Critical Security Control 3 recommends ensuring secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends enabling continuous vulnerability assessment and remediation of these devices. So look for NGES solutions that provide continuous monitoring of the state or posture of each device, and it’s even better if it can help enforce that posture.

Also look for solutions that provide continuous vulnerability assessment and remediation.

Keeping your overall endpoint environment hardened and free of critical vulnerabilities prevents a huge number of security issues and removes a great deal of back end pressure on the IT and security operations teams.

Tip 8: Cultivate continuous detection and response

A key end goal for many NGES solutions is supporting continuous device state monitoring, to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.

Look for NGES solutions that provide always-on or continuous threat detection, which leverages a network of global threat intelligence, and multiple detection methods (e.g., signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize identified threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Finally, understand all the response actions that each solution supports, and look for a solution that offers remote access that is as close as possible to “sitting at the endpoint keyboard”.

Tip 9: Consider forensic data collection

In addition to incident response, organizations must be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be essential to any investigation. So look for solutions that retain historical data that enables forensic tasks such as:

– Tracing lateral threat movement through the network over time,
– Pinpointing data exfiltration attempts,
– Determining the origin of breaches, and
– Identifying appropriate remediation actions.

Tip 10: Tear down the walls

IBM’s security team, which supports an impressive ecosystem of security partners, estimates that the average enterprise has 135 security tools in place and is working with 40 security vendors. IBM customers certainly skew to large enterprises, but it’s a common refrain (complaint) from organizations of all sizes that security solutions don’t integrate well enough.

And the complaint is not just that security solutions don’t play well with other security products, but also that they don’t always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points along with the vendor’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Plan for customizations

Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution shortly after you get it. No solution will meet all of your needs right out of the box, in default configurations. Find out how the solution supports:

– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.

You know you’ll want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.

Look for support for easy customization in your NGES solution

Follow most of these tips and you’ll certainly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.

Charles Leaver – Protect Your Business From End To End With Ziften Because We Are The Best

Written By Ziften CEO Charles Leaver


Do you want to manage and protect your endpoints, your network, the cloud and your data center? In that case Ziften has the right solution for you. We collect data, and let you correlate and use that data to make decisions and stay in control of your business.

The information we gather from everyone on the network can make a real world difference. Consider the inference that the U.S. elections in 2016 were influenced by hackers from another nation. If that holds true, cyber criminals can do almost anything, and the idea that we’ll accept that as the status quo is simply ridiculous.

At Ziften, we believe the best way to fight those risks is with greater visibility than you have ever had. That visibility spans the whole enterprise and links all the significant players together. On the back end, that’s physical and virtual servers in the data center and the cloud. That’s infrastructure and applications and containers. On the other side, it’s laptops and desktops, regardless of how and where they are connected.

End-to-end: that’s the thinking behind everything at Ziften. From endpoint to cloud, all the way from a browser to a DNS server. We connect all of that together, with all the other pieces, to give your business a complete solution.

We also record and retain real-time data for up to 12 months to let you understand what’s happening on the network today, and offer historical trend analysis and warnings if something changes.

That lets you identify IT faults and security issues right away, and also track down the root cause by looking back in time to see where a fault or breach may have first occurred. Active forensics are an absolute must in security: after all, where a fault or breach first triggered an alarm may not be where the problem started, or where an attacker is operating.

Ziften gives your security and IT teams the visibility to understand your current security posture and identify where improvements are needed. Non-compliant endpoints? Found. Rogue devices? Found. Off-network penetration? Found. Obsolete firmware? Unpatched applications? All found. We’ll not just help you find the problem, we’ll help you fix it, and make sure it stays fixed.

End to end security and IT management. Real time and historical active forensics. In the cloud, offline and onsite. Incident detection, containment and response. We’ve got it all covered. That’s what makes Ziften better.

Charles Leaver – Workload Deployments In The Cloud Are Easily Tracked With NetFlow That Is Enhanced

Written by Roark Pollock and Presented by Ziften CEO Charles Leaver


According to Gartner, the public cloud services market exceeded $208 billion in 2016. This represented about a 17% increase year over year. Pretty good when you consider the ongoing concerns most cloud customers still have regarding data security. Another particularly interesting Gartner finding is the common practice by cloud customers of contracting services from several public cloud providers.

According to Gartner, “most organizations are already using a combination of cloud services from various cloud companies”. While the business rationale for using multiple providers is sound (e.g., avoiding vendor lock-in), the practice does create extra complexity in tracking activity across an organization’s increasingly dispersed IT landscape.

While some providers support better visibility than others (for example, AWS CloudTrail can monitor API calls across the AWS infrastructure), organizations have to understand and deal with the visibility problems associated with moving to the cloud, regardless of the cloud provider or providers they work with.

Unfortunately, the ability to monitor application and user activity, and networking interactions, from each VM or endpoint in the cloud is limited.

Regardless of where computing resources live, organizations must answer the question “Which users, devices, and applications are interacting with each other?” Organizations need visibility across the infrastructure so that they can:

  • Quickly identify and prioritize issues
  • Speed root cause analysis and identification
  • Lower the mean time to fix problems for end users
  • Rapidly identify and eliminate security threats, minimizing total dwell times.

Conversely, poor visibility or poor access to visibility data can lower the effectiveness of existing security and management tools.

Businesses that are used to the ease, maturity, and relative cheapness of monitoring physical data centers are likely to be disappointed with their public cloud alternatives.

What has been lacking is a simple, common, and elegant solution like NetFlow for public cloud infrastructure.

NetFlow, of course, has had 20 years or so to become a de facto standard for network visibility. A common implementation involves monitoring traffic and aggregating flows at network chokepoints, collecting and storing flow information from multiple collection points, and analyzing this flow information.

Flows consist of a basic set of source and destination IP addresses and port and protocol information that is usually collected from a switch or router. NetFlow data is relatively inexpensive and simple to collect, provides nearly ubiquitous network visibility, and enables actionable analysis for both network monitoring and performance management applications.

Most IT staff, particularly networking and some security teams, are very comfortable with the technology.

But NetFlow was designed to solve what has become a rather limited problem, in the sense that it only collects network data and does so at a limited number of potential locations.

To make better use of NetFlow, two key changes are needed.

NetFlow to the Edge: First, we need to broaden the practical deployment scenarios for NetFlow. Instead of only collecting NetFlow at network chokepoints, let’s expand flow collection to the edge of the network (clients, cloud, and servers). This would greatly expand the overall view that any NetFlow analytics provide.

This would allow companies to augment and leverage existing NetFlow analytics tools to eliminate the growing blind spot of visibility into public cloud activities.

Rich, contextual NetFlow: Second, we need to use NetFlow for more than simple visibility of the network.

Instead, let’s use an extended version of NetFlow that includes information on the device, application, user, and binary responsible for each monitored network connection. That would allow us to quickly correlate every network connection back to its source.
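The join that makes a flow record “contextual” is easy to show in code. The following Python is an added illustration of the idea described above; it is not Ziften’s ZFlow, not any vendor’s export format, and every flow record, socket observation, address and binary name in it is constructed for the example. It takes plain 5-tuple flows as a chokepoint collector would export them, matches each one against the sockets an endpoint agent saw open on the source host at that moment, and emits an extended record carrying device, user, binary and pid. A flow from a host with no agent stays unattributed, which is exactly the blind spot the post is talking about.

```python
"""Enriching plain flow records with endpoint context.

Added illustration of the 'rich, contextual NetFlow' idea; it is not ZFlow or
any vendor format. All records, addresses and binary names are constructed.
"""
from collections import Counter
from dataclasses import dataclass, asdict
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    """What a classic NetFlow/IPFIX exporter sees: a 5-tuple plus timing and bytes."""
    start: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int


@dataclass(frozen=True)
class SocketOwner:
    """What an endpoint agent sees: which process owned a local socket, and when."""
    device: str
    local_ip: str
    local_port: int
    first_seen: datetime
    last_seen: datetime
    pid: int
    binary: str
    user: str


def find_owner(flow, owners):
    """Join key: the flow's source socket must match a socket the agent saw open
    at the time the flow started. Returns None when no agent covered that host."""
    for o in owners:
        if (o.local_ip == flow.src_ip and o.local_port == flow.src_port
                and o.first_seen <= flow.start <= o.last_seen):
            return o
    return None


def enrich_flows(flows, owners):
    """Extended flow records: the original 5-tuple plus device, user, binary and
    pid. Unmatched flows are kept and marked so the blind spot stays visible."""
    records = []
    for f in flows:
        rec = asdict(f)
        rec["start"] = f.start.isoformat()
        o = find_owner(f, owners)
        rec.update({
            "device": o.device if o else None,
            "user": o.user if o else None,
            "binary": o.binary if o else None,
            "pid": o.pid if o else None,
            "attributed": o is not None,
        })
        records.append(rec)
    return records


def connections_by_binary(records):
    """Count attributed connections per responsible binary."""
    return Counter(r["binary"] for r in records if r["attributed"])


def unattributed_sources(records):
    """Source IPs with flows that no endpoint agent could explain."""
    return sorted({r["src_ip"] for r in records if not r["attributed"]})


def at(hhmm):
    """Constructed timestamp helper: 'HH:MM' on a fixed day."""
    return datetime(2024, 3, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed flows, as a collector at the network edge might export them.
FLOWS = [
    Flow(at("09:01"), "10.1.2.3", 51000, "203.0.113.10", 443, "tcp", 18400),
    Flow(at("09:02"), "10.1.2.3", 51001, "10.1.2.9", 445, "tcp", 2048),
    Flow(at("09:03"), "10.1.2.7", 60000, "198.51.100.5", 53, "udp", 120),
]

# Constructed agent observations for one host; 10.1.2.7 has no agent at all.
OWNERS = [
    SocketOwner("ws-042", "10.1.2.3", 51000, at("09:00"), at("09:05"), 4120, "browser.exe", "corp\\jdoe"),
    SocketOwner("ws-042", "10.1.2.3", 51001, at("09:00"), at("09:05"), 880, "svchost.exe", "nt authority\\system"),
]


if __name__ == "__main__":
    recs = enrich_flows(FLOWS, OWNERS)
    for r in recs:
        print(r["src_ip"], "->", r["dst_ip"], r["dst_port"], "|", r["binary"], r["user"], "attributed" if r["attributed"] else "UNATTRIBUTED")
    print("sources with no endpoint context:", unattributed_sources(recs))
```

The join key (source IP, source port, time window) is the only thing an edge collector and an endpoint agent have in common, which is why collecting flows on the host itself, where the socket owner is known directly, removes the need for this lookup altogether.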

In fact, these two changes to NetFlow are precisely what Ziften has accomplished with ZFlow. ZFlow provides an expanded version of NetFlow that can be deployed at the network edge, including as part of a container or VM image, and the resulting data collection can be consumed and analyzed with existing NetFlow analysis tools. In addition to standard NetFlow and Internet Protocol Flow Information eXport (IPFIX) networking visibility, ZFlow provides extended visibility with the inclusion of information on application, device, user and binary for each network connection.

Ultimately, this allows Ziften ZFlow to deliver end-to-end visibility between any two endpoints, physical or virtual, eliminating traditional blind spots like East-West traffic in data centers and enterprise cloud deployments.

Charles Leaver – Using Edit Difference Is Vital Part 2

Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften


In the first post about edit distance, we looked at hunting for malicious executables with edit distance (i.e., the number of character edits it takes to make two text strings match). Now let’s look at how we can use edit distance to hunt for malicious domains, and how we can build edit distance features that can be combined with other domain features to pinpoint suspicious activity.

Case Study Background

What are bad actors trying to do with malicious domains? It might be simply using a similar spelling of a common domain name to fool careless users into viewing ads or picking up adware. Legitimate websites are slowly catching on to this technique, sometimes called typo-squatting.

Other malicious domain names are the product of domain generation algorithms, which can be used to do all sorts of nefarious things like evade countermeasures that block known compromised sites, or overwhelm domain servers in a distributed denial of service attack. Older variants use randomly generated strings, while more advanced ones add techniques like injecting common words, further confusing defenders.

Edit distance can help with both use cases: here we will find out how. First, we’ll exclude common domains, since these are usually safe. And a list of common domains provides a baseline for finding anomalies. One good source is Quantcast. For this discussion, we will stick to domains and avoid subdomains (e.g., not

After data cleaning, we compare each candidate domain name (input data observed in the wild by Ziften) to its possible neighbors in the same top level domain (the last part of a domain name, such as .org, which now can be almost anything). The basic task is to find the nearest neighbor in terms of edit distance. By finding domains that are one step away from their nearest neighbor, we can easily identify typo-ed domains. By finding domain names far from their neighbor (the normalized edit distance we introduced in Part 1 is useful here), we can also find anomalous domain names in the edit distance space.

What were the Results?

Let’s look at how these results appear in reality. Be careful when browsing to these domains, since they could contain malicious content!

Here are a few possible typos. Typo squatters target popular domains since there are more chances someone will visit. Several of these are suspect according to our threat feed partners, but there are some false positives as well, with cute names like “wikipedal”.


Here are some odd looking domains far from their neighbors.


So now we have created two useful edit distance metrics for hunting. Not only that, we have three features to potentially add to a machine learning model: rank of nearest neighbor, distance from nearest neighbor, and edit distance 1 from neighbor, indicating a risk of typo tricks. Other features that could play well with these are other lexical features like word and n-gram distributions, entropy, and the length of the string, and network features like the total count of failed DNS requests.

Simplified Code that you can Play Around with

Here is a simplified version of the code to play with! Developed on HP Vertica, but this SQL should work with most advanced databases. Note that the Vertica editDistance function may differ in other implementations (e.g., levenshtein in Postgres or UTL_MATCH.EDIT_DISTANCE in Oracle).
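The post’s SQL did not survive on this page, so here is the same nearest-neighbor hunt written in Python as an added example; it is not the author’s Vertica query. The baseline ranks stand in for a Quantcast-style popularity list and the candidate domains are constructed. It computes the raw edit distance and the normalized distance from Part 1, restricts the comparison to the candidate’s own top level domain, breaks ties toward the more popular neighbor, and produces the three features named in the text: the neighbor’s rank, the distance to it, and whether that distance is exactly 1. A candidate whose TLD has no baseline entry is reported rather than silently scored against nothing.

```python
"""Edit-distance hunting for typo-squats and anomalous domains.

Added illustration in Python, not the post's Vertica SQL. BASELINE and
CANDIDATES below are constructed sample data.
"""
from dataclasses import dataclass


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute ca -> cb
        prev = cur
    return prev[len(b)]


def normalized_distance(a: str, b: str) -> float:
    """Edit distance scaled by the longer string (the normalized metric from Part 1),
    so long random labels and short ones are comparable."""
    return levenshtein(a, b) / max(len(a), len(b), 1)


def split_domain(domain: str):
    """'wikipedal.org' -> ('wikipedal', 'org'); subdomains are assumed stripped already."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


@dataclass
class Finding:
    domain: str
    neighbor: str        # nearest baseline domain in the same TLD
    neighbor_rank: int   # popularity rank of that neighbor (feature 1)
    distance: int        # raw edit distance to it (feature 2)
    normalized: float
    verdict: str         # 'likely-typo' when distance == 1 (feature 3), 'anomalous' when far


def nearest_neighbor(domain, baseline):
    """Closest baseline domain in the same TLD; ties go to the more popular neighbor."""
    label, tld = split_domain(domain)
    best = None
    for known, rank in baseline.items():
        klabel, ktld = split_domain(known)
        if ktld != tld:
            continue
        d = levenshtein(label, klabel)
        if best is None or d < best[1] or (d == best[1] and rank < best[2]):
            best = (known, d, rank)
    return best


def hunt(candidates, baseline, anomaly_threshold=0.6):
    """Score every candidate that is not itself a common (baseline) domain."""
    findings = []
    for dom in candidates:
        dom = dom.lower()
        if dom in baseline:          # common domains are excluded, as in the post
            continue
        nn = nearest_neighbor(dom, baseline)
        if nn is None:               # no baseline in this TLD: nothing to compare against
            findings.append(Finding(dom, "", -1, -1, -1.0, "no-baseline-for-tld"))
            continue
        neighbor, d, rank = nn
        norm = round(normalized_distance(split_domain(dom)[0], split_domain(neighbor)[0]), 3)
        if d == 1:
            verdict = "likely-typo"
        elif norm >= anomaly_threshold:
            verdict = "anomalous"
        else:
            verdict = "near-neighbor"
        findings.append(Finding(dom, neighbor, rank, d, norm, verdict))
    return findings


# Constructed stand-in for a Quantcast-style popularity list: domain -> rank.
BASELINE = {"wikipedia.org": 1, "example.org": 2, "google.com": 3, "github.com": 4, "amazon.com": 5}

# Constructed candidates standing in for domains observed in the wild.
CANDIDATES = ["wikipedia.org", "gogle.com", "wikipedal.org", "arnazon.com", "xk7qpw3v.com", "intranet.corp"]


if __name__ == "__main__":
    for f in hunt(CANDIDATES, BASELINE):
        print(f"{f.domain:16} {f.neighbor:14} rank={f.neighbor_rank:>2} d={f.distance:>2} norm={f.normalized:<6} {f.verdict}")
```

The 0.6 anomaly threshold is an assumption for the sample data; on a real baseline of thousands of domains the normalized distance to the nearest neighbor shrinks for everything, and the cut-off should be set from the observed distribution rather than fixed.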


Charles Leaver – Without Proper Management Your Infrastructure Will Not Be Completely Secure And Vice Versa

Written by Charles Leaver Ziften CEO


If your enterprise computing environment is not properly managed there is no way that it can be completely secure. And you can’t effectively manage those complex enterprise systems unless there’s a strong sense that they are safe and secure.

Some might call this a chicken-and-egg situation, where you don’t know where to begin. Should you begin with security? Or should you begin with the management of your systems? That is the wrong approach. Think of this instead like Reese’s Peanut Butter Cups: it’s not chocolate first. It’s not peanut butter first. Instead, both are blended together and treated as a single tasty treat.

Many companies, I would argue too many companies, are structured with an IT management department reporting to a CIO and a security management group reporting to a CISO. The CIO team and the CISO team don’t know each other, talk to each other only when absolutely necessary, have separate budgets, certainly have different priorities, read different reports, and use different management platforms. On a daily basis, what constitutes a task, a problem or an alert for one team flies completely under the other team’s radar.

That’s bad, because both the IT and security teams have to make assumptions. The IT team assumes that everything is secure unless somebody tells them otherwise. For example, they assume that devices and applications have not been compromised, users have not escalated their privileges, and so on. Similarly, the security team assumes that the servers, desktops, and mobiles are working properly, operating systems and applications are fully updated, patches have been applied, and so on.

Since the CIO and CISO teams aren’t talking to each other, don’t understand each other’s roles and priorities, and aren’t using the same tools, those assumptions may not be correct.

And again, you can’t have a secure environment unless that environment is effectively managed, and you cannot manage that environment unless it’s secure. Or to put it another way: an insecure environment makes anything you do in the IT group suspect and irrelevant, and means that you cannot know whether the information you are seeing is correct or manipulated. It might all be fake news.

Bridging the IT / Security Gap

How to bridge that gap? It sounds easy but it can be difficult: ensure that there is an umbrella covering both the IT and security teams. Both IT and security report to the same individual or structure somewhere. It might be the CIO, it might be the CFO, it might be the CEO. For the sake of argument here, let’s say it’s the CFO.

If the business does not have a secure environment and there’s a breach, the value of the brand and the business can be reduced to zero. Similarly, if the users, devices, infrastructure, applications, and data aren’t managed well, the business cannot work effectively, and the value drops. As we have discussed, if it’s not well managed, it can’t be secured, and if it’s not secure, it cannot be well managed.

The fiduciary duty of senior executives (like the CFO) is to protect the value of company assets, which means making sure IT and security talk to each other, understand each other’s goals, and if possible can see the same reports and data, filtered and displayed to be meaningful to their particular areas of responsibility.

That’s the thinking we adopted in the design of our Zenith platform. It’s not a security management tool with IT capabilities, and it’s not an IT management tool with security capabilities. No, it’s a Peanut Butter Cup, designed equally around chocolate and peanut butter. To be less confectionery about it, Zenith is an umbrella that gives IT teams what they need to do their jobs, and gives security teams what they need too, without coverage gaps that could undermine assumptions about the state of enterprise security and IT management.

We need to ensure that our organization’s IT infrastructure is built on a secure foundation, and that our security is executed on a well-managed base of hardware, infrastructure, software applications and users. We can’t run at peak performance, and with full fiduciary responsibility, otherwise.

Charles Leaver – Offline Devices Must Not Escape Constant Endpoint Visibility

Written By Roark Pollock And Presented By Charles Leaver Ziften CEO


A study recently completed by Gallup found that 43% of employed US citizens worked remotely for some of their working time in 2016. Gallup, which has been surveying telecommuting trends in the United States for almost a decade, continues to see more workers working outside of traditional offices and an increasing number of them doing so for more days of the week. And of course the number of connected devices the typical employee uses has jumped as well, which helps drive the convenience and desire of working away from the office.

This mobility undoubtedly makes for happier employees, and one hopes more productive workers, but the problems these trends present for both systems and security operations teams must not be overlooked. IT asset discovery, IT systems management, and threat detection and response functions all benefit from real time and historical visibility into user, device, application, and network connection activity. And to be truly effective, endpoint visibility and monitoring must work regardless of where the user and device are operating, be it on the network (local), off the network but connected (remote), or disconnected (offline). Current remote working trends are increasingly leaving security and operational teams blind to potential issues and threats.

The mainstreaming of these trends makes it much harder for IT and security teams to restrict what was previously considered higher risk user behavior, for example working from a coffee shop. But that ship has sailed, and today security and systems management teams need to be able to thoroughly monitor device, network activity, user and application, detect anomalies and inappropriate actions, and enforce appropriate actions or fixes no matter whether an endpoint is locally connected, remotely connected, or disconnected.

Additionally, the fact that many employees now routinely access cloud-based assets and applications, and have backup network or USB attached storage (NAS) drives at their homes, further magnifies the need for endpoint visibility. Endpoint controls frequently offer the only record of remotely performed activity that no longer necessarily terminates in the corporate network. Offline activity presents the most severe example of the need for continuous endpoint monitoring. Clearly, network controls or network monitoring are of little use when a device is operating offline. The installation of an appropriate endpoint agent is essential to ensure the capture of all important system and security data.

As an example of the kinds of offline activities that can be identified, a customer was recently able to track, flag, and report unusual behavior on a corporate laptop. A senior executive moved large amounts of endpoint data to an unapproved USB drive while the device was offline. Because the endpoint agent was able to collect this behavioral data throughout the offline period, the customer was able to see this unusual action and follow up appropriately. The continuous monitoring of device, application, and user behavior even while the endpoint was disconnected gave the customer visibility they never had before.

Does your organization maintain continuous monitoring and visibility when employee endpoints are on an island? If so, how do you do it?

Charles Leaver – Machine Learning Advances Are Good But There Will Be Consequences

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


If you study history you will see many examples of severe unintended consequences when new technology has been introduced. It often surprises people that new technologies can serve malicious purposes as well as the positive intentions for which they are launched on the market, but it happens on a very regular basis.

For example, train robbers using dynamite (“You think you used enough dynamite there, Butch?”) or spammers using email. More recently, using SSL to hide malware from security controls has become more common simply because the legitimate use of SSL has made this technique more useful.

Since new technology is often appropriated by bad actors, we have no reason to think this won’t be true of the new generation of machine learning tools that have reached the market.

To what degree will there be misuse of these tools? There are probably a couple of ways in which attackers could use machine learning to their benefit. At a minimum, malware authors will test their new malware against the new class of advanced threat defense solutions in a quest to modify their code so that it is less likely to be flagged as malicious. The effectiveness of protective security controls always has a half life because of adversarial learning. An understanding of machine learning defenses will help attackers become more proactive in reducing the effectiveness of machine learning based defenses. An example would be an attacker flooding a network with fake traffic with the intention of “poisoning” the machine learning model being built from that traffic. The goal of the attacker would be to trick the defender’s machine learning tool into misclassifying traffic or to create such a high level of false positives that the defenders would dial back the fidelity of the signals.

Machine learning will likely also be used as an offensive tool by attackers. For instance, some researchers predict that attackers will use machine learning techniques to refine their social engineering attacks (e.g., spear phishing). The automation of the effort required to personalize a social engineering attack is especially troubling given the effectiveness of spear phishing. The ability to automate mass customization of these attacks is a powerful financial incentive for attackers to adopt the methods.

Expect the kinds of breaches that deliver ransomware payloads to increase sharply in 2017.

The need to automate tasks is a major driver of investment decisions for both attackers and defenders. Machine learning promises to automate detection and response and increase operational tempo. While the technology will increasingly become a standard element of defense in depth strategies, it is not a magic bullet. It should be understood that attackers are actively working on evasion methods around machine learning based detection solutions while also using machine learning for their own offensive purposes. This arms race will require defenders to increasingly achieve incident response at machine speed, further intensifying the need for automated incident response capabilities.

Charles Leaver – Threat Indicators Can Be Observed From Command Usage

Published by:

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Repeating a theme in computer security is never a bad thing. As sophisticated as some cyber attacks are, you still need to watch for, and understand, the use of common, readily available tools in your environment. These tools are typically used by your IT staff, are most likely whitelisted, and can easily be missed by security teams sifting through all the applications that 'could' be run on an endpoint.

Once someone has penetrated your network (which can happen in many ways, and is a post for another day), evidence of these programs and tools running in your environment should be examined to confirm the usage is legitimate.

A few of these tools/commands and what they do:

Netstat – Displays the current network connections. An intruder can use it to identify other systems on the network.

Powershell – Built-in Windows command-line shell that can do almost anything: gather detailed system information, kill processes, add or delete files, and so on.

WMI – Another powerful built-in Windows facility. It can move files around and collect key system information.

Route Print – Displays the local routing table.

Net – Enumerates and modifies users, domains, accounts and groups.

RDP (Remote Desktop Protocol) – Accesses systems remotely.

AT – Schedules tasks.

Looking for activity from these tools can be time consuming and at times overwhelming, but it is necessary to get a handle on who might be moving around your network. And not just in real time: you also need the history, to see the path someone may have taken through the network. It is usually not 'patient zero' that is the real target; once attackers have a foothold they use these tools and commands to begin reconnaissance and then migrate toward a high value asset. That lateral movement is what you want to detect.

You must be able to collect the details discussed above and have the means to sift through them to detect, alert on, and investigate this data. Windows event logging, for example, can record process creation and other changes on a machine, and you can then filter that down.
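As an added example (it is not from the original post and not Ziften's console logic), the following Python scores process-creation events for the tools listed above and reconstructs the per-user hop sequence. The records are constructed to resemble Windows Security Event ID 4688 fields (NewProcessName, CommandLine, ParentProcessName, SubjectUserName). The Session field, the management agent path and the deployment service account are assumptions standing in for whatever your EDR agent and IT tooling actually provide.

```python
"""Flag reconnaissance and lateral-movement tooling in Windows process-creation
events. Added example for this post, not Ziften code. The records are
constructed to resemble Security log Event ID 4688 fields; 'Session' is an
assumed field (4688 does not carry logon type; an EDR agent or a join against
the 4624 logon event would supply it). Allow-list names are assumptions.
"""
from collections import defaultdict

# Built-in tools the post lists, with the behaviour each one enables.
RECON_TOOLS = {
    "netstat.exe":    "enumerate live connections / neighbouring hosts",
    "powershell.exe": "scriptable system access, file and process control",
    "wmic.exe":       "WMI: query system info, move files, run commands",
    "route.exe":      "dump local routing table",
    "net.exe":        "enumerate users, groups, domains, shares",
    "mstsc.exe":      "RDP client: hop to another host",
    "at.exe":         "schedule a task (persistence / remote execution)",
    "schtasks.exe":   "schedule a task (successor to AT)",
}

# Assumed: the endpoint-management agent IT uses to push changes, and the
# service account it runs under. Commands launched this way are expected.
SANCTIONED_PARENTS = {r"c:\program files\mgmtagent\agent.exe"}
SANCTIONED_ACCOUNTS = {"corp\\svc-deploy"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return None if the event is not interesting, else a reason string.
    The command is the same either way; the *context* decides."""
    tool = basename(event["NewProcessName"])
    if tool not in RECON_TOOLS:
        return None
    parent = event.get("ParentProcessName", "").lower()
    account = event["SubjectUserName"].lower()
    if parent in SANCTIONED_PARENTS and account in SANCTIONED_ACCOUNTS:
        return None                      # IT push: expected context
    reason = RECON_TOOLS[tool]
    if event.get("Session") == "RemoteInteractive":
        reason += " (run interactively over RDP)"
    return reason


def alerts(events):
    """Yield (host, time, user, tool, reason) for each suspicious event."""
    for e in events:
        reason = classify(e)
        if reason:
            yield (e["Computer"], e["TimeCreated"], e["SubjectUserName"],
                   basename(e["NewProcessName"]), reason)


def lateral_path(events):
    """Order suspicious activity per user so the hop sequence is visible."""
    path = defaultdict(list)
    for host, _when, user, _tool, _reason in sorted(alerts(events),
                                                    key=lambda a: a[1]):
        if not path[user] or path[user][-1] != host:
            path[user].append(host)
    return dict(path)


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"TimeCreated": "2017-03-01T09:00:01", "Computer": "WS-017",
     "SubjectUserName": "CORP\\svc-deploy",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators /add CORP\\helpdesk",
     "ParentProcessName": r"C:\Program Files\MgmtAgent\agent.exe"},
    {"TimeCreated": "2017-03-01T22:14:10", "Computer": "WS-017",
     "SubjectUserName": "CORP\\jdoe", "Session": "RemoteInteractive",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain',
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeCreated": "2017-03-01T22:15:42", "Computer": "WS-017",
     "SubjectUserName": "CORP\\jdoe", "Session": "RemoteInteractive",
     "NewProcessName": r"C:\Windows\System32\netstat.exe",
     "CommandLine": "netstat -ano",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeCreated": "2017-03-01T22:31:05", "Computer": "FS-02",
     "SubjectUserName": "CORP\\jdoe", "Session": "RemoteInteractive",
     "NewProcessName": r"C:\Windows\System32\at.exe",
     "CommandLine": "at 23:00 cmd /c c:\\temp\\u.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeCreated": "2017-03-01T10:05:00", "Computer": "WS-022",
     "SubjectUserName": "CORP\\asmith",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
    print(lateral_path(SAMPLE_EVENTS))
```

The first sample event and the second run the same `net.exe`; only the parent process, the account and the session type separate the IT push from the hands-on-keyboard use, which is exactly the distinction the post draws. The hop list (WS-017, then FS-02, under one account, within minutes) is the lateral movement you want surfaced, and it only exists if the events from both hosts were collected and kept.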

The screenshots below from the Ziften console show the quick difference between our IT team pushing out changes across the network and someone running a very similar command themselves, which is much like what you would find when someone did it from a remote location, say via an RDP session.

[Ziften console screenshots: IT-pushed command versus the same command run interactively. Images not reproduced here.]
An interesting side note in these screenshots is that in every case the Process Status is 'Terminated'. You would not see that detail during a live investigation, or if you were not continuously collecting data; because we collect everything continuously, the historical record is there to look at. If instead you saw the status as 'Running', it could indicate that someone is on that system right now.

This only scratches the surface of what you should be collecting and how to work out what is right for your network, which will naturally differ from everyone else's. But it is a start. Malicious actors intent on doing you harm will usually look for the path of least resistance: why build new and interesting tools when most of what they need is already there and ready to go?

Charles Leaver – Incident Response And Forensic Analysis Are Related But Different

Published by:

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


There may be a joke somewhere about the forensic analyst who was late to the incident response party. There is at least the seed of a joke in the idea, but of course you have to understand the differences between incident response and forensic analysis to appreciate the potential for humor.

Incident response and forensic analysis are related disciplines that can use similar tools and related data sets, but they also have some important differences. Four in particular stand out:

– Objectives.
– Data requirements.
– Team skills.
– Benefits.

The difference in goals is perhaps the most fundamental. Incident response is focused on a fast (i.e., near real time) reaction to an immediate threat or issue. If a house is on fire, the firefighters who arrive to put it out are doing incident response. Forensic analysis is typically performed as part of a scheduled compliance, legal discovery, or law enforcement investigation: a fire investigator examines the remains of that house to determine the total damage to the property, the cause of the fire, and whether the cause puts other houses at risk as well. In other words, incident response is focused on containing a threat or issue, while forensic analysis is focused on fully understanding and thoroughly remediating a breach.

A second major difference is the data needed to achieve those goals. Incident response teams typically only need short-lived data sources, often no more than a month or so, while forensic analysis teams usually need much longer-lived logs and files. Bear in mind that the average dwell time of a successful attack is somewhere between 150 and 300 days.

While there is overlap in the skills of incident response and forensic analysis teams, and incident response is in fact often considered a subset of the broader forensic discipline, there are important differences in job requirements. Both types of work need strong log analysis and malware analysis skills. Incident response additionally requires the ability to quickly isolate an infected machine and to devise ways to remediate or quarantine it, and its communications tend to be with other security and operations staff. Forensic analysis typically requires communication with a much broader set of departments, including HR, compliance, operations and legal.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to remove a threat from a machine in near real time is a major factor in keeping breaches isolated and limited in impact. Incident response, along with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response's less glamorous relative, but the benefits of the work are undeniable: a thorough forensic investigation allows all threats to be remediated through careful analysis of the entire attack chain. And that is nothing to laugh about.

Do your endpoint security processes allow for both immediate incident response and long-term historical forensic analysis?

Charles Leaver – Using Edit Distance Is Vital Part 1

Published by:

Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften


Why are the same tricks used by attackers over and over? The simple answer is that they still work. For example, Cisco's 2017 Cybersecurity Report tells us that after years of decline, spam email with malicious attachments is on the rise again. In that traditional attack vector, malware authors commonly mask their activity by using a filename similar to a common system process.

There is no necessary connection between a file's name and its contents: anyone who has tried to hide sensitive information by giving it a boring name like "taxes", or changed the extension on an attachment to get around email rules, knows this. Malware authors know it too, and will often name their malware to look like common system processes. For example, "iexplore.exe" is Internet Explorer, but "iexplorer.exe" with an extra "r" could be anything. It is easy even for experts to overlook that small difference.

The opposite problem, known .exe names running from unusual locations, is easy to solve with string functions and SQL set operations.


What about the other case, finding close matches to an executable name? Most people start hunting for close string matches by sorting the data and eyeballing it for discrepancies. That works well enough for a small data set, maybe even a single system. Finding these patterns at scale, however, requires an algorithmic approach. One established technique for "fuzzy matching" is edit distance: the minimum number of single-character insertions, deletions and substitutions needed to turn one string into another.

What is the best way to compute edit distance? For Ziften, our technology stack includes HP Vertica, which makes this task easy. The web is full of data scientists and data engineers singing Vertica's praises, so it is enough to say that Vertica makes it simple to write custom functions that take full advantage of its power, from C++ power tools to statistical modeling scalpels in R and Java.

This Git repo is maintained by Vertica enthusiasts working in industry. It is not a supported offering, but the Vertica team is certainly aware of it, and is moreover thinking every day about how to make Vertica better for data scientists, so it is a good space to watch. Best of all, it includes a function to compute edit distance. There are also other natural language processing tools there, such as word stemmers and tokenizers.

Using edit distance on the top executable paths, we can quickly find the nearest match to each of our top hits. This is an interesting data set: we can sort by distance to find the closest matches across the whole data set, or by frequency of the top path to see what the closest match is to our most commonly used processes. The same data can also surface on contextual "report card" pages, showing, e.g., the five nearest strings for a given path. Below is a toy example to give a sense of the usage, based on real data ZiftenLabs observed in a customer environment.


Setting an upper limit of 0.2 seems to find good results in our experience, but the point is that the threshold can be tuned to specific use cases. Did we find any malware? "teamviewer_.exe" (should be just "teamviewer.exe"), "iexplorer.exe" (should be "iexplore.exe"), and "cvshost.exe" (should be "svchost.exe", unless perhaps you work for CVS pharmacy...) all look unusual. Since we are already in the database, it is also trivial to pull the associated MD5 hashes, Ziften suspicion scores, and other attributes for a deeper dive.
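The following added Python example (written for this post; it is not Ziften's Vertica implementation and does not use the Git repo mentioned above) implements both checks described here: the simple known-name-in-the-wrong-place query and the fuzzy match on executable names. It assumes the 0.2 limit is an edit distance normalised by string length, which is the only reading under which a fractional threshold makes sense; the known-process allow-list with its expected directories and the observed paths are constructed sample data.

```python
"""Hunt for look-alike executable names with normalised edit distance, plus
the simpler check for known names running from unexpected paths. Added
example written for this post; not Ziften's Vertica code. The allow-list and
the observed paths are constructed.
"""


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                   # delete
                           cur[j - 1] + 1,                # insert
                           prev[j - 1] + (ca != cb)))     # substitute
        prev = cur
    return prev[-1]


def normalised_distance(a, b):
    """Edit distance scaled to [0, 1] so one threshold works for all lengths
    (assumed reading of the post's 0.2 limit)."""
    return levenshtein(a, b) / max(len(a), len(b), 1)


# Known processes and where each is expected to live (assumed allow-list).
KNOWN = {
    "svchost.exe":    r"c:\windows\system32",
    "explorer.exe":   r"c:\windows",
    "iexplore.exe":   r"c:\program files\internet explorer",
    "teamviewer.exe": r"c:\program files\teamviewer",
    "lsass.exe":      r"c:\windows\system32",
}


def split(path):
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def wrong_location(paths):
    """Known name, unexpected directory: the plain string-function check.
    Returns (observed path, expected directory) pairs."""
    hits = []
    for p in paths:
        directory, name = split(p)
        if name in KNOWN and directory != KNOWN[name]:
            hits.append((p, KNOWN[name]))
    return hits


def lookalikes(paths, threshold=0.2, top=5):
    """For each name that is not itself a known process, list the known names
    within `threshold` normalised edit distance, closest first (the 'report
    card' view of the nearest strings), at most `top` per name."""
    out = {}
    for p in paths:
        _, name = split(p)
        if name in KNOWN:
            continue
        near = sorted((round(normalised_distance(name, k), 3), k) for k in KNOWN)
        near = [(k, d) for d, k in near if d <= threshold][:top]
        if near:
            out[name] = near
    return out


# Constructed observations: top executable paths from an imaginary fleet.
OBSERVED = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Users\bob\AppData\Local\Temp\cvshost.exe",
    r"D:\portable\iexplorer.exe",
    r"E:\tools\teamviewer_.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
]

if __name__ == "__main__":
    print("wrong location:", wrong_location(OBSERVED))
    for name, near in lookalikes(OBSERVED).items():
        print(f"{name:18} ~ {near}")
```

Two things worth noticing in the output. "iexplorer.exe" is one edit away from both iexplore.exe and explorer.exe, which is why the report-card view of the top few nearest strings is more useful than a single nearest match. And a name that passes both checks is still only a name: the hash lookup described next is the real confirmation step, and a real svchost.exe copied into a user-writable directory fails the location check without ever tripping the fuzzy match.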


In this particular real-world environment, it turned out that teamviewer_.exe and iexplorer.exe were portable applications, not known malware. We helped the customer investigate further on the user and system where we observed them, since the use of portable apps from a USB drive can be evidence of suspicious activity. The more troubling find was cvshost.exe. Ziften's intelligence feeds flagged it as a suspicious file, and looking up its MD5 hash on VirusTotal confirmed the Ziften data: it is a potentially serious Trojan that could be part of a botnet or doing something even more harmful. Once the malware was found, however, it was straightforward to fix the problem and make sure it stays fixed, using Ziften's ability to kill and persistently block processes by MD5 hash.

Even as we build sophisticated predictive analytics to detect malicious patterns, it is important that we keep improving our ability to hunt for known patterns and old tricks. Just because new threats emerge does not mean the old ones go away!

If you liked this post, watch this space for the second part of this series, where we will apply this technique to hostnames to detect malware droppers and other malicious sites.