
Even The Most Prestigious Hackers Require Vulnerability Monitoring – Charles Leaver


Written By Josh Harriman And Presented By Ziften CEO Charles Leaver

Hacking Team Impacted By Absence Of Real Time Vulnerability Tracking

These days cyber attacks and data breaches are in the news all the time, and not just in high-value industries such as healthcare, finance, energy and retail. One especially intriguing incident was the breach of the Italian company Hacking Team. For those who don’t remember, Hacking Team (HT) is a business that specializes in surveillance software for government and law enforcement agencies that want to conduct covert operations. The programs HT creates are not your run-of-the-mill push-button remote-control software or malware-style recording tools. One of their key products, code-named Galileo and better known as RCS (Remote Control System), claimed to be able to do pretty much whatever you needed in terms of “controlling” your target.

Yet as skilled as they were at developing these programs, they were unable to keep others out of their own systems, or to find such vulnerabilities at the endpoint through vulnerability monitoring. In one of the most prominent breaches of 2015, HT was hacked, and the material taken and subsequently released to the public was huge: 400 GB in size. More importantly, the material included very damaging information such as emails, client lists (with prices) that included countries blacklisted by the UN, and the crown jewels: source code. There was also detailed documentation that included a couple of very effective 0-day exploits against Adobe and Flash. Those 0-days were used soon afterwards in cyber attacks against some Japanese businesses and United States federal government agencies.

The big question is: how could this happen to a company whose sole purpose is to make software that is undetectable, and to find or produce 0-day exploits for others to use? One would think a breach here would be next to impossible. Clearly, that was not the case. Currently there is not a lot to go on regarding how this breach took place. We do know that someone has claimed responsibility, and that individual (or team) is not new to breaking into places like HT. In August 2014 another security company was hacked and sensitive files were released, much as with HT: client lists, prices, code and so on. That company was Gamma International, and its software was called FinFisher or FinSpy. A user by the name of “PhineasFisher” released 40 GB of data on Reddit and revealed that he/she was responsible. A post in July this year on their Twitter account explained that they also attacked HT. It seems that the message and purpose of these breaches and thefts was to make people aware of how these companies operate and who they sell to: a hacktivist attack. He did post some information on his methods, and some of these techniques were most likely used against HT.

A final question is: how did they break in, and what safeguards could HT have implemented to prevent the breach? We do know from the released documents that users within HT had extremely weak passwords such as “P4ssword” or “wolverine.” In addition, one of the main employee systems where the theft may have occurred used the program TrueCrypt. However, when you are logged in and using the system, those hidden volumes are accessible. No information has been released as yet on how the network was breached or how the attackers accessed the users’ systems to download the files. It is apparent, though, that companies need to have a solution such as Ziften’s Continuous Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when activity fell outside normal behavior: for example, 400 GB of files being uploaded externally, or vulnerable software running on exposed servers within the network. When an organization is making and selling advanced monitoring software, and holding unknown vulnerabilities in commercial products, a better plan should have been in place to minimize the damage.


Charles Leaver – Prevention Of The Anthem Healthcare Data Leak Could Have Been Possible With Endpoint Visibility


Written By Justin Tefertiller And Presented By Charles Leaver Ziften CEO

Continuous Endpoint Visibility Would Have Improved Healthcare Data Leak Avoidance


Anthem Inc discovered a large-scale cyber attack against its data and IT systems on January 29, 2015. The healthcare data leak is believed to have taken place over a period of several weeks beginning around early December 2014, and targeted personal data on Anthem’s database infrastructure as well as endpoint systems. The stolen information included dates of birth, full names, healthcare identification numbers and even social security numbers of customers and Anthem staff. The exact number of people affected by the breach is unknown, but it is estimated that almost 80 million records were stolen. Healthcare data tends to be among the most lucrative sources of income for hackers selling records on the dark market.

Forbes and others report that the attackers used a process-based backdoor on clients connected to Anthem databases, in addition to compromised admin accounts and passwords, to slowly steal the data. The actions taken by the hackers posing and operating as administrators are what eventually brought the breach to the attention of Anthem’s security and IT teams.

This kind of attack illustrates the need for continuous endpoint visibility, as endpoint systems are a constant infection vector and an avenue to sensitive data stored on any network they connect to. Simple things like never-before-seen processes, new user accounts, odd network connections and unapproved administrative activity are typical calling cards of the onset of a breach, and can be quickly recognized and alerted on given the right monitoring tool. When alerted to these conditions in real time, incident responders can catch the intrusion, find patient zero, and ideally limit the damage rather than allowing attackers to roam the network unnoticed for weeks.


Charles Leaver – Data Breach At PF Chang Affected 30 Restaurants Over 8 Months


Written By Charles Leaver Ziften CEO

The PF Chang’s restaurant chain recently released new information about the security breach of its credit card systems across the country. The restaurant chain announced that the breach affected more than 30 locations in 17 states and went on for 8 months before being detected.

While the investigation is still ongoing, PF Chang’s reported in a statement that the breach has been contained and that customer financial data has been processed securely by the restaurant since June 11. The compromised systems used by the chain were decommissioned until it was clear that their security could be guaranteed, and in the meantime credit cards were processed manually.

Rick Federico, CEO, said in a statement: “The potentially taken credit and debit card data consists of the card number and in many cases likewise the cardholder’s name and/or the card’s expiration date.” “However, we have not identified that any particular cardholder’s credit or debit card data was stolen by the hacker.”

PF Chang’s was notified of the breach, which it described as an “extremely advanced criminal operation,” in June when it was contacted by the Secret Service about cyber security concerns. Once alerted, the restaurant engaged third-party forensic investigators to determine how the breach was able to happen, at which time they discovered that malicious actors had been able to exploit the chain’s credit card processing systems and potentially gain access to customer credit card details.

Organizations worried about similar data breaches affecting point-of-sale terminals should implement endpoint threat detection to keep critical systems protected. Endpoint protection involves monitoring sensitive access points, like POS systems, bar code readers and employee mobile phones, and mitigating risks as they appear. Continuous endpoint visibility is essential to identify threats before they compromise networks, and to ensure business security.


Charles Leaver – To Prevent Data Breaches You Must Invest In Endpoint Threat Detection


Written By Charles Leaver Ziften CEO

Defending against data breaches is hard to achieve, but vital to success in the current business climate. Because of the sheer number of cyber criminals waiting in the wings to steal personal information, credit card data and other valuable data from consumers, businesses have to be aware of the high volume of threats to information online, and take action to prevent them. Using endpoint threat detection and response software is one of the best ways to address this issue, as it provides a straightforward way to defend against the range of exploits hackers can use to gain access to a company network.

To create a better, more attack-resistant system, developing a strong sense of back-end security is necessary. The New York Times’ article on protecting data discusses a few very important measures that can make a big difference in keeping client details out of the wrong hands. Some of the measures the article discusses include using point-of-sale systems for customer transactions only, dedicating one computer to all financial business, and keeping software updated. These are smart tips because they protect against several of the ways hackers try to breach systems. A PoS system that doesn’t connect to the Internet except to transfer data to bank servers is more secure than one that isn’t so limited, since it reduces the risk of a virus getting onto the network through the Internet. Making one computer the single access point for financial transactions and nothing else can keep viruses or other malicious surveillance software out. In this way, a company can greatly safeguard its clients without taking on many additional expenses.

Make Sure That Security And Safety Come First

Property Casualty 360 has a similar list of recommendations, including automating patches to company systems, using encryption on all devices, enforcing strong passwords, and keeping an eagle eye on email. Encrypting information, especially financial details, is highly important. A hacker can obtain financial information stored as plain text very easily when no encryption is used. Naturally, strong endpoint threat response systems should be used to address this danger, but security, like clothing in autumn, is best when layered. Using several different strategies at once significantly reduces the chance of a given organization’s data being leaked, which over time makes it much easier to guard against any damage that might be done.

Many breaches occur not when a piece of malware has successfully planted itself on a server, but when an employee’s email account has an insecure password. Dictionary words like “cat” or “password” should never be used. They are easy to guess and break in with, and they can result in entire stores of data being taken. Similarly, an employee accidentally sending a list of clients to someone without checking the intended recipient list can send a whole trove of information to the wrong person, easily causing major data loss. This sort of leak must be prevented by strong training.

Given the multitude of risks out there today, the best way to handle them is to use strong endpoint threat response software to avoid losing valuable data. Using a broad range of different security methods to protect against all incoming attacks is a wise way to ensure that your organization can weather a variety of blows. This mindset can keep an organization from being sunk by the large volume of attacks currently hitting businesses.


Charles Leaver – Be Prepared For Extra Hacker Activity This Holiday Season


Written by Ziften CEO Charles Leaver

The holiday period is a time of opportunity for cyber criminals, syndicates and state-sponsored groups to hack your organization. A reduced number of IT staff at work can improve the odds of unnoticed endpoint compromise, stealthy lateral pivoting, and undetected data exfiltration. Experienced attack groups are likely assigning their top talent to a well-coordinated holiday hackathon. Penetration of your business would likely begin with an endpoint compromise via the usual targeted methods of spear phishing, social engineering, watering hole attacks, and so on.

With thousands of enterprise client endpoints available, initial infiltration barely poses a challenge to skilled adversaries. Conventional endpoint security suites are there to protect against previously-encountered commodity malware, and are essentially ineffective against the one-off crafted exploits used in targeted attacks. The attacking organization will have examined your business and assembled your standard cyber defense systems in its labs for pre-deployment evasion testing of planned exploits. This pre-testing may include appropriate sandbox evasion techniques if your defenses include sandbox detonation safeguards at the enterprise boundary, although this is not always required, for instance with off-VPN laptops visiting compromised industry watering holes.

The ways in which business endpoints may become compromised are too numerous to list. In many cases the compromise may involve only compromised credentials, with no malware needed or present, as confirmed by industry studies of malicious command and control traffic observed from pristine endpoints. Or the user, and it only takes one among thousands, may be an insider adversary or a disgruntled employee. In any large business, some incidence of compromise is inevitable and constant, and the holiday season is ripe for it.

Given incessant attack activity with inevitable endpoint compromise, how can businesses best respond? Endpoint detection and response (EDR) with continuous monitoring and security analytics is a powerful method to recognize and react to anomalous endpoint activity, and to do so at scale across many enterprise endpoints. It also augments and synergizes with enterprise network security by supplying endpoint context around suspicious network activity. EDR supplies visibility at the endpoint level, equivalent to the visibility that network security offers at the network level. Together this offers the complete picture needed to recognize and react to unusual and potentially significant security events across the business.

Some examples of endpoint visibility of potential forensic value are:

  • Tracking of user login activity, particularly remote logins that might be attacker-directed
  • Tracking of user presence and user foreground activity, including common work patterns, activity periods, and so on
  • Monitoring of active processes, their resource consumption patterns, network connections, process hierarchy, etc.
  • Collection of executable image metadata, including cryptographic hashes, version information, file paths, date/times of first appearance, and so on
  • Collection of endpoint log/audit events, ideally with optimal logging and auditing configuration settings (to maximize forensic value and reduce noise and overhead)
  • Security analytics to score and rank endpoint activity and bubble significant operating-pattern anomalies up to the enterprise SIEM for SOC attention
  • Support for nimble traversal and drill-down of endpoint forensic data for quick analyst vetting of endpoint security anomalies
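The analytics item in the list above, scoring and ranking endpoint activity for the SIEM, as an added example in Python (not Ziften code): it walks constructed sensor events for one workstation in time order, scores first-seen executable hashes, remote logins outside the user's observed login hours, images launched from user-writable paths and children of already-flagged processes, and ranks the results. The event layout, the weights and the `KNOWN_HASHES` fleet inventory are assumptions.

```python
"""Score endpoint telemetry and rank anomalies for SIEM hand-off.

Added example, not Ziften code. Event layout, weights and the fleet
inventory of known hashes are assumptions; the sample events below are
constructed and the hash strings are placeholders, not real indicators.
"""
from collections import defaultdict

# Assumed scoring weights: how much each observation contributes.
FIRST_SEEN_WEIGHT = 3      # executable hash never catalogued anywhere in the fleet
USER_WRITABLE_WEIGHT = 2   # image launched from a user-writable directory
REMOTE_LOGIN_WEIGHT = 2    # any remote login
OFF_HOURS_WEIGHT = 3       # remote login outside the user's observed local-login hours
FLAGGED_PARENT_WEIGHT = 2  # parent process already scored (process hierarchy)
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")

# Constructed fleet inventory: hashes already catalogued before this window.
KNOWN_HASHES = {"hash-word-v1", "hash-cmd"}

# Constructed sample telemetry for one workstation over a few days.
EVENTS = [
    {"ts": "2015-12-21T09:02:00", "host": "ws-101", "type": "login",
     "user": "alice", "remote": False},
    {"ts": "2015-12-21T09:05:00", "host": "ws-101", "type": "process",
     "user": "alice", "pid": 4100, "ppid": 1200,
     "image": r"C:\Program Files\Office\WINWORD.EXE", "hash": "hash-word-v1"},
    {"ts": "2015-12-24T02:13:00", "host": "ws-101", "type": "login",
     "user": "alice", "remote": True},
    {"ts": "2015-12-24T02:14:00", "host": "ws-101", "type": "process",
     "user": "alice", "pid": 5300, "ppid": 900,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "hash": "hash-unknown-1"},
    {"ts": "2015-12-24T02:15:00", "host": "ws-101", "type": "process",
     "user": "alice", "pid": 5310, "ppid": 5300,
     "image": r"C:\Windows\System32\cmd.exe", "hash": "hash-cmd"},
]


def hour_of(ts):
    """Hour field of an ISO-8601 timestamp such as 2015-12-24T02:13:00."""
    return int(ts[11:13])


def score_events(events, known_hashes):
    """Return (alerts sorted by score, per-host score totals).

    Events are processed in time order so that "first seen" and the per-user
    login-hour baseline only use what the sensor had reported before each
    event, as a streaming analytics engine would.
    """
    seen = set(known_hashes)
    login_hours = defaultdict(set)   # user -> hours of local logins seen so far
    flagged = {}                     # (host, pid) -> score of a flagged process
    alerts, host_totals = [], defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        score, reasons = 0, []
        if ev["type"] == "login":
            if ev["remote"]:
                score += REMOTE_LOGIN_WEIGHT
                reasons.append("remote login")
                # Baseline: hours of earlier local logins, padded by one hour each way.
                baseline = {h + d for h in login_hours[ev["user"]] for d in (-1, 0, 1)}
                if baseline and hour_of(ev["ts"]) not in baseline:
                    score += OFF_HOURS_WEIGHT
                    reasons.append("outside user's usual hours")
            else:
                login_hours[ev["user"]].add(hour_of(ev["ts"]))
        elif ev["type"] == "process":
            if ev["hash"] not in seen:
                seen.add(ev["hash"])
                score += FIRST_SEEN_WEIGHT
                reasons.append("first appearance of executable hash")
            if any(m in ev["image"].lower() for m in USER_WRITABLE_MARKERS):
                score += USER_WRITABLE_WEIGHT
                reasons.append("image in user-writable path")
            if (ev["host"], ev["ppid"]) in flagged:
                score += FLAGGED_PARENT_WEIGHT
                reasons.append("parent process already flagged")
            if score:
                flagged[(ev["host"], ev["pid"])] = score
        if score:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "user": ev["user"],
                           "score": score, "reasons": reasons, "event": ev})
            host_totals[ev["host"]] += score
    alerts.sort(key=lambda a: (-a["score"], a["ts"]))
    return alerts, dict(host_totals)


def to_siem_line(alert):
    """Flatten one alert into a key=value line a SIEM collector can ingest."""
    return "EDR|score=%d|host=%s|user=%s|ts=%s|reasons=%s" % (
        alert["score"], alert["host"], alert["user"], alert["ts"],
        ";".join(alert["reasons"]))


if __name__ == "__main__":
    ranked, totals = score_events(EVENTS, KNOWN_HASHES)
    for a in ranked:
        print(to_siem_line(a))
    print("host totals:", totals)
```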

Don’t get a lump of coal in your stocking by being caught unawares this Christmas. Arm your business to contend with the threats arrayed against you.

Happy Christmas!


Charles Leaver – Who Is Responsible For Watching The Watchers In Your Enterprise?


Written By Charles Leaver CEO Ziften

High-profile hacks highlight how a lack of auditing of existing compliance products can make the worst kind of front-page news.

In the earlier Java attacks on Facebook, Microsoft, Apple and other giants of the industry, the attackers didn’t need to dig too deep into their playbooks to find a technique. In fact they employed one of, if not the, oldest axioms in the book: they took a remote vulnerability in massively distributed software and exploited it to install remote-access capability. And in this case it was an application that (A) wasn’t the latest version and (B) most likely didn’t need to be running.

While the hacks themselves have been headline news, the techniques organizations can use to prevent or curtail them are quite dull stuff. We all hear “keep boxes current with patch management software” and “ensure uniformity with compliance tools”. That is industry standard and old news. But to pose a question: who is “watching the watchers”? In this case the watchers are the compliance, patch and systems management technologies. I think Facebook and Apple learned that just because a management system tells you an application is current does not mean you should believe it! Here at Ziften our results in the field say as much: we regularly discover dozens of versions of the SAME major application running on Fortune 1000 sites, which, by the way, are all using compliance and systems management products.

In the case of the exploited Java plug-in, this was a MAJOR application with substantial distribution. This is the type of application that gets tracked by systems management, compliance and patch products. The lesson from this could not be clearer: having some kind of check on these applications is vital (just ask any of the companies that were attacked…). But this only makes up part of the issue, since this is a major (arguably vital) application we are discussing. If companies struggle to get their arms around maintaining updates on known, authorized applications, then what about all the unknown and unneeded running applications and plug-ins and their vulnerabilities? Simply put: if you cannot even know what you are expected to know, then how in the world can you know about (and in this case safeguard) the things you have no idea about or don’t care about?


Charles Leaver – Extraneous Software Can Cause You Additional Security Headaches


Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften

The reality of the PC ecosystem is that extraneous processes are everywhere and enter enterprise computers by every ploy imaginable. Leading software ISVs and hardware OEMs and IHVs have no ethical qualms about loading business PCs with unnecessary and undesirable software if they can get a few royalty dollars on the side at your expense. This one flew up on my screen just this morning as I dealt with the recent headline-making Java security vulnerabilities.

Here is the background: zero-day vulnerabilities were recently discovered in Java, a crucial software component in many enterprise applications. Department of Homeland Security experts advised switching off Java completely, but that cuts off Java business apps.

The option where Java is required (as in many businesses) is to upgrade Java, an Oracle software product, to obtain at least the latest partial patches from Oracle. But the Oracle installer defaults to installing unwanted extraneous software in the form of the Ask Toolbar, which many security-conscious but naïve users will assume is useful given the Oracle recommendation (and golly gee, it’s FREE), even though browser add-ons are a well-known security threat.

Only Ziften combines security awareness with extraneous process identification and remediation capabilities to help businesses improve both their security and their performance-driving operating efficiency. Don’t settle for half-measures that ignore extraneous processes multiplying across your enterprise client landscape; use Ziften to gain visibility and control over your endpoint population.


Charles Leaver – Internet Of Things Will Bring Significant Security Risks


Written By David Shefter And Presented By Ziften CEO Charles Leaver

We are now living in a brand-new world of the Internet of Things (IoT), and the risk of cyber threats and attacks grows exponentially. As deployments develop, new vulnerabilities are appearing.

Symantec released a report this spring which evaluated 50 smart home devices and claimed “none of the evaluated devices provided mutual authentication between the client and the server.” Earlier this summer, researchers demonstrated the ability to hack into a Jeep while it was driving on the highway, first controlling the radio, windshield wipers and A/C, and finally cutting the transmission.

Traditionally, toy, tool, appliance and vehicle manufacturers have not needed to protect against external threats. Makers of medical devices, elevators, A/C, electrical and plumbing infrastructure components (all of which are likely to be connected to the Internet in the coming years) have not always been security conscious.

As we are all aware, it is hard enough on a daily basis to protect PCs, phones, servers and even the network, which have been through considerable security monitoring, reviews and evaluations for many years. How can you protect alarms, personal electronics and household devices that seemingly come out daily?

To begin, one must define and consider where the security platforms will be deployed: hardware, software, network, or all of the above?

Solutions such as Ziften listen to the network (from the device’s point of view) and use advanced machine learning to recognize patterns and scan for anomalies. Ziften currently provides a global threat analytics platform (the Ziften KnowledgeCloud), which has feeds from a range of sources and enables review of tens of millions of endpoint, binary, MD5 and other data points today.

It will be a challenge to deploy software onto all IoT devices, many of which use FPGA and ASIC designs as the control platform(s). They are typically embedded in anything from drones to cars to industrial and SCADA control systems. A large number of these devices run on solid-state chips without a running operating system or x86-type processor. With insufficient memory to support advanced software, many simply cannot support modern security software. In the realm of IoT, additional customization creates risk and a vacuum that strains even the most robust systems.

Solutions for the IoT space need a multi-pronged approach at the endpoint, which includes the desktops, laptops and servers already integrated with the network. At Ziften, we currently deliver collectors for Windows, Linux and OS X, supporting the core desktop, server and network infrastructure that contains the intellectual property and assets that attackers seek access to. After all, the bad guys don’t really want any information from the company fridge; they merely want to use it as a conduit to where the valuable data lives.

Nevertheless, there is an additional technique that we deliver that can help ease many current issues: scanning for anomalies at the network level. It is believed that typically 30% of devices connected to a corporate network are unknown IPs. IoT trends will likely double that number in the next 10 years. This is one of the reasons why connecting is not always an obvious choice.

As more devices are connected to the Internet, more attack surfaces will emerge, leading to breaches that are far more destructive than those in email, finance, retail and insurance, things that could even pose a danger to our way of life. Protecting the IoT must make use of lessons learned from conventional enterprise IT security, and offer multiple layers, integrated to provide end-to-end robustness, capable of preventing and identifying threats at every level of the emerging IoT value chain. Ziften can help from a multitude of angles today and in the future.


Shine A Light On Your Security Blindspots With Ziften ZFlow – Charles Leaver


Written By Andy Wilson And Presented By Charles Leaver CEO Ziften


Over the past several years, many IT organizations have adopted NetFlow telemetry (network connection metadata) to improve their security posture. There are several reasons for this: NetFlow is relatively inexpensive (vs. full packet capture); it is relatively simple to collect, as most Layer 3 network devices support NetFlow or the IANA standard called IPFIX; and it is easy to analyze using freeware or commercially supplied software. NetFlow can help overcome blind spots in the architecture and can offer much-needed visibility into what is actually going on in the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection methods.

NetFlow can supply insight where little or no visibility exists. Most organizations collect flows at the core, WAN and Internet layers of their networks. Depending on routing schemes, localized traffic may not be represented: LAN-to-LAN activity, local broadcast traffic, and east-west traffic inside the datacenter. Most organizations are not routing all the way to the access layer and are thus blind to some degree in this part of the network.


Performing full packet capture in this area is still not 100% practical, for a variety of reasons. The solution is to implement endpoint-based NetFlow to restore visibility and provide crucial extra context to the other flows being collected in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop or server), so it does not rely on the network infrastructure to be produced. ZFlow supplies standard ISO Layer 3/4 data such as source and destination IP addresses and ports, but also offers additional important Layer 4-7 information such as the executable responsible for the network socket, the MD5 hash, PID and file path of the executable, the user responsible for launching the executable, and whether it was in the foreground or background. The latter are crucial details that network-based flows simply cannot offer.



This essential additional contextual data can significantly reduce false positives and supply rich data to analysts, SOC staff and incident handlers, enabling them to quickly examine the nature of the network traffic and determine whether it is malicious or benign. Used in conjunction with network-based alerts (firewalls, IDS/IPS, web proxies and gateways), ZFlow can dramatically reduce the time it takes to resolve a security event. And we know that time to detect malicious behavior is a crucial determinant of how successful an attack becomes. Dwell times have decreased in recent history but are still at unacceptable levels: currently over 230 days during which an attacker can roam unnoticed through your network collecting your most valuable data.

Below is a screenshot showing a port 80 connection to a web destination. Interesting facts about this connection that network-based tools may miss are that it was not initiated by a web browser, but rather by Windows PowerShell, and that it was started by the ‘System’ account and not the logged-in user. These are both very attention-grabbing to a security analyst, as it is not a false positive and would likely need much deeper examination (at which point the analyst could pivot into the Ziften console and see much deeper into that system’s behavior: what actions or binaries were initiated before and after the connection, process history, network activity and more).
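The triage described above, as an added example in Python (not ZFlow or Ziften code): network-only flow records are joined with constructed endpoint socket records carrying the executable, MD5, PID, path, user and foreground flag, and a port 80 connection opened by powershell.exe under the SYSTEM account is flagged while a look-alike browser flow is not. The record layouts, the internal address ranges and the browser list are assumptions.

```python
"""Enrich network-only flow records with endpoint socket attribution and
triage them. Added example, not ZFlow or Ziften code; record layouts,
internal ranges and the browser list are assumptions, and the sample
flows and sockets are constructed (203.0.113.0/24 is a documentation
range standing in for external addresses)."""
from ipaddress import ip_address, ip_network

# Assumed: the organization's own address space. Not ipaddress.is_private,
# which would also treat the documentation range used below as internal.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                   "NT AUTHORITY\\NETWORK SERVICE"}

# What a router or IPFIX exporter sees: addresses, ports, byte counts, nothing more.
NETFLOWS = [
    {"ts": 1000, "src": "10.1.2.50", "sport": 51512, "dst": "203.0.113.10", "dport": 80, "bytes": 48213},
    {"ts": 1030, "src": "10.1.2.50", "sport": 51530, "dst": "203.0.113.77", "dport": 80, "bytes": 1790},
    {"ts": 1100, "src": "10.1.2.50", "sport": 51540, "dst": "203.0.113.90", "dport": 443, "bytes": 620},
]
# What an endpoint sensor reports per socket it observed (MD5 values are placeholders).
ENDPOINT_SOCKETS = [
    {"host": "10.1.2.50", "sport": 51512, "opened": 999, "pid": 3320, "exe": "chrome.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "md5": "placeholder-md5-chrome", "user": "CORP\\alice", "foreground": True},
    {"host": "10.1.2.50", "sport": 51530, "opened": 1029, "pid": 4412, "exe": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "md5": "placeholder-md5-powershell", "user": "NT AUTHORITY\\SYSTEM", "foreground": False},
    # No record for source port 51540: the sensor reported nothing for that flow.
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(flows, sockets, window=5):
    """Join each flow to the endpoint socket with the same host and source
    port that was opened within `window` seconds before the flow record."""
    by_key = {}
    for s in sockets:
        by_key.setdefault((s["host"], s["sport"]), []).append(s)
    enriched = []
    for f in flows:
        ctx = next((s for s in by_key.get((f["src"], f["sport"]), [])
                    if 0 <= f["ts"] - s["opened"] <= window), None)
        enriched.append(dict(f, endpoint=ctx))
    return enriched


def triage(record):
    """Classify one enriched flow as 'benign', 'suspicious' or 'unattributed'."""
    ctx = record["endpoint"]
    if ctx is None:
        return "unattributed", ["no endpoint context for this flow"]
    reasons = []
    # The rules only apply to web-port connections leaving the organization.
    if record["dport"] in WEB_PORTS and not is_internal(record["dst"]):
        if ctx["exe"].lower() not in BROWSERS:
            reasons.append("web connection initiated by %s, not a browser" % ctx["exe"])
        if ctx["user"].upper() in SYSTEM_ACCOUNTS:
            reasons.append("initiated by %s, not the logged-in user" % ctx["user"])
        if not ctx["foreground"]:
            reasons.append("process was running in the background")
    return ("suspicious" if reasons else "benign"), reasons


def triage_all(flows, sockets):
    """One verdict per flow, with the attribution fields an analyst pivots on."""
    results = []
    for rec in enrich(flows, sockets):
        verdict, reasons = triage(rec)
        ctx = rec["endpoint"] or {}
        results.append({"src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
                        "exe": ctx.get("exe"), "pid": ctx.get("pid"), "md5": ctx.get("md5"),
                        "user": ctx.get("user"), "verdict": verdict, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage_all(NETFLOWS, ENDPOINT_SOCKETS):
        print(r["verdict"].upper(), r["src"], "->", r["dst"], r["dport"],
              r["exe"], r["user"], "; ".join(r["reasons"]))
```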



Ziften’s ZFlow shines a light on security blind spots and supplies the additional endpoint context of process, application and user attribution to help security staff better understand what is truly happening in their environment. Combined with network-based events, ZFlow can help significantly reduce the time it takes to investigate and respond to security alerts, and considerably improve a company’s security posture.


Charles Leaver – Here Is The New Path To Endpoint Security As Prevention And Blocking Are Not Enough


Written By Josh Harriman And Presented By Charles Leaver Ziften CEO

Conventional endpoint security solutions, some of which have been around for over 20 years, rely heavily on the same security techniques year after year. Although there is always innovation and progress, the underlying issue still exists: threats will always find a path into your organization. And most of the time, you have to wait until your deployed system finally detects the threat before you can even begin to assess the damage and perhaps prevent it from happening again (once you have all the relevant details to make that informed decision, of course). Another downside of these systems is that they frequently impose a substantial performance burden on the very device they are protecting. This in turn leads to unhappy end users and other problems such as management and reliability.

But this blog is not about abandoning your current solution, but rather about augmenting and empowering your overall security posture. Organizations need to move towards and embrace solutions that offer continuous monitoring and complete visibility of all activity taking place on their endpoint population. Stopping or preventing known malware from running is certainly essential, but falls short of the overall defense required in today’s threat landscape. The ability to run deeper forensics on present or, sometimes more importantly, past events can truly only be provided by solutions that offer continuous monitoring. This information is very important in assessing the damage and understanding the scope of the infection within your company.

This, of course, has to be done efficiently and with a limited amount of system overhead.

Just as there are many systems in the traditional endpoint security space, a new league of vendors is emerging in this crucial step of the evolution. Most of these businesses have staff from the ‘old guard’ and understand that a new vision is needed as the threat landscape continues to change. Simply reporting and alerting only on bad things completely misses the point. You MUST look at everything, everybody and all behaviors and actions in order to give yourself the best chance of responding rapidly and thoroughly to threats within your organization.

By making use of systems that fall into this “New Path of Endpoint Security” realm, Security Ops or Incident Responders within the organization will have the much-needed visibility they have been craving. We hear this constantly from our customers and prospects, and are doing our best to provide the solutions that help protect everybody.