
Charles Leaver – To Prevent Data Breaches You Must Invest In Endpoint Threat Detection


Written By Charles Leaver Ziften CEO

Defending against data breaches is hard, but essential in the current business climate. Given the number of criminals waiting to steal personal information, payment card data and other valuable data from consumers, businesses need to understand the many threats to information online and act to prevent them. Endpoint threat detection and response software is one of the best ways to address this, because it offers a straightforward way to counter the range of exploits attackers can use to gain access to a company network.

Building a stronger, more attack-resistant system starts with solid back-end security. The New York Times’ article on protecting data describes a few important measures that make a real difference in keeping customer details out of the wrong hands. Among them: using point-of-sale systems for customer transactions only, dedicating one computer to all financial business, and keeping software updated. These are sound recommendations because each closes off a path attackers commonly use to breach systems. A PoS system that does not connect to the Internet except to transfer data to bank servers is safer than an unrestricted one, because it reduces the chance of a virus reaching the network from the Internet. Making one computer the sole access point for financial transactions, and nothing else, keeps viruses and other surveillance software out. In this way a company can substantially protect its customers without taking on much additional cost.

Make Sure That Security And Safety Come First

Property Casualty 360 has a similar list of recommendations: automating patches to company systems, using encryption on all devices, enforcing strong passwords, and treating email with suspicion. Encrypting information, especially financial details, is critical; without encryption, an attacker can read financial data stored as plain text trivially. Strong endpoint threat response systems should of course be used against this danger, but security, like clothing in autumn, works best when layered. Using several different defenses at once greatly reduces the chance that an organization’s data will leak, which in turn makes it far easier to guard against whatever damage might follow.

Many breaches happen not because malware has successfully planted itself on a server, but because an employee’s email account is protected by a weak password. Dictionary words such as “cat” or “password” should never be used: they are easy to guess and break, and they can lead to entire stores of data being taken. Similarly, an employee who sends a customer list without checking the recipient list can send a whole trove of information to the wrong person, causing major data loss. This kind of leak must be prevented through thorough training.

Given the multitude of risks out there, the best way to handle them is to use strong endpoint threat response software to avoid losing valuable data. Combining a wide range of security methods to defend against incoming attacks is a sensible way to make sure your organization can withstand a variety of blows, and this mindset can keep it from being sunk by the large number of attacks currently hitting businesses.


Charles Leaver – Be Prepared For Extra Hacker Activity This Holiday Season


Written by Ziften CEO Charles Leaver

The holiday period is a time of opportunity for cyber criminals, crime syndicates and state-sponsored groups to hack your organization. With fewer IT staff at work, the chances of an unnoticed endpoint compromise, stealthy lateral movement and undetected data exfiltration increase. Experienced attack groups are likely assigning their top talent to a well-coordinated holiday hackathon. Penetration of your business would probably begin with an endpoint compromise through the usual targeted methods: spear phishing, social engineering, watering hole attacks, and so on.

With thousands of enterprise client endpoints available, initial infiltration barely poses a challenge to skilled adversaries. Conventional endpoint security suites exist to protect against previously encountered commodity malware and are essentially ineffective against the one-off crafted exploits used in targeted attacks. The attacking organization will have studied your business and assembled your standard cyber defense systems in its labs to pre-test its planned exploits for evasion. This pre-testing may include sandbox evasion techniques if your defenses include sandbox detonation at the enterprise boundary, although that is not always necessary, for instance when off-VPN laptops visit compromised industry watering holes.

The ways in which business endpoints may be compromised are too numerous to list. In many cases the compromise may involve nothing more than stolen credentials, with no malware needed or present, as confirmed by industry studies of malicious command and control traffic observed from otherwise pristine endpoints. Or the user, and it only takes one among thousands, may be an insider adversary or a disgruntled employee. In any large business, some incidence of compromise is inevitable and constant, and the holiday season is ripe for it.

Given incessant attack activity and inevitable endpoint compromise, how can businesses best respond? Endpoint detection and response (EDR) with continuous monitoring and security analytics is a powerful way to recognize and react to anomalous endpoint activity, and to do so at scale across many enterprise endpoints. It also augments and complements network security by supplying endpoint context around suspicious network activity. EDR provides visibility at the endpoint level equivalent to what network security offers at the network level. Together they give the complete picture needed to recognize and respond to unusual and potentially significant security events across the business.

Some examples of endpoint visibility of potential forensic value are:

  • Tracking of user login activity, particularly remote logins that might be attacker-directed
  • Tracking of user presence and foreground activity, including common work patterns, activity periods, and so on
  • Monitoring of active processes, their resource consumption patterns, network connections, process hierarchy, etc.
  • Collection of executable image metadata, including cryptographic hashes, version information, file paths, date/times of first appearance, and so on
  • Collection of endpoint log/audit events, ideally with logging and auditing configured to maximize forensic value while minimizing noise and overhead
  • Security analytics to score and rank endpoint activity and surface significant deviations from normal operating patterns to the enterprise SIEM for SOC attention
  • Support for agile traversal and drill-down of endpoint forensic data for quick analyst vetting of endpoint security anomalies

Don’t get a lump of coal in your stocking by being caught unawares this Christmas. Arm your business to contend with the threats arrayed against you.

Happy Christmas!


Charles Leaver – Who Is Responsible For Watching The Watchers In Your Enterprise?


Written By Charles Leaver CEO Ziften

High-profile hacks highlight how a lack of auditing of existing compliance products can make the worst kind of front-page news.

In the recent Java attacks on Facebook, Microsoft and Apple, along with other giants of the industry, the attackers did not need to dig deep into their playbooks to find a technique. In fact they used one of, if not the, oldest plays in the book: they took a remote vulnerability in widely distributed software and exploited it to install remote access capability. And in this case the application (A) was not the latest version and (B) most likely did not need to be running at all.

While the hacks themselves have been headline news, the techniques organizations can use to prevent or curtail them are quite dull stuff. We all hear “keep boxes current with patch management software” and “ensure uniformity with compliance tools”. That is industry standard and old news. But to pose a question: who is “watching the watchers”? The watchers in this case being compliance, patch and systems management technologies. I think Facebook and Apple learned that just because a management system tells you a software application is current does not mean you should believe it! Here at Ziften our results in the field say as much: we regularly discover dozens of versions of the SAME major application running at Fortune 1000 sites, all of which, by the way, are using compliance and systems management products.

In the case of the exploited Java plug-in, this was a MAJOR application with substantial distribution. This is the kind of application that gets tracked by systems management, compliance and patch products. The lesson could not be clearer: having some kind of independent check against these applications is vital (just ask any of the companies that were attacked…). But this is only part of the problem, since this is a major (arguably essential) application we are discussing. If companies struggle to keep updates current on known, authorized applications, what about all the unknown and unneeded applications and plug-ins running, and their vulnerabilities? Simply put: if you cannot even know what you are expected to know, how can you possibly know about (and in this case protect against) the things you are unaware of or do not care about?


Charles Leaver – Extraneous Software Can Cause You Additional Security Headaches


Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften

The reality of the PC ecosystem is that extraneous processes are everywhere and enter enterprise computers by every ploy imaginable. Leading software ISVs and hardware OEMs and IHVs have no ethical qualms about loading business PCs with unnecessary and unwanted software if they can earn a few royalty dollars on the side at your expense. This example popped up on my screen just this morning as I dealt with the recent headline-making Java security vulnerabilities.

Here is the background: zero-day vulnerabilities were recently discovered in Java, a crucial software component in many enterprise applications. Department of Homeland Security experts advised switching off Java entirely, but that cuts off Java business apps.

The option where Java is required (as it is in many businesses) is to upgrade Java, an Oracle product, to obtain at least the latest partial patches from Oracle. But Oracle’s installer defaults to installing unwanted extraneous software in the form of the Ask Toolbar, which many security-conscious but naive users will assume is useful given the Oracle recommendation (and golly gee, it’s FREE), even though browser add-ons are a well-known security risk.

Only Ziften combines security awareness with extraneous process identification and remediation capabilities, helping businesses improve both their security and their performance-driven operating effectiveness. Do not settle for half-measures that ignore the extraneous processes multiplying across your enterprise client landscape; use Ziften to gain visibility and control over your endpoint population.


Charles Leaver – Internet Of Things Will Bring Significant Security Risks


Written By David Shefter And Presented By Ziften CEO Charles Leaver

We now live in a new world of the Internet of Things (IoT), and the risk of cyber threats and attacks grows exponentially. As deployments mature, new vulnerabilities are appearing.

Symantec released a report this spring that evaluated 50 smart home devices and found that “none of the evaluated devices provided mutual authentication between the client and the server.” Earlier this summer, researchers demonstrated the ability to hack into a Jeep while it was driving on the highway, first controlling the radio, windshield wipers and air conditioning, and finally cutting the transmission.

Historically, toy, tool, appliance and vehicle manufacturers have not needed to protect against external threats. Makers of medical devices, elevators, HVAC, electrical and plumbing infrastructure components (all of which are likely to be connected to the Internet in the coming years) have not always been security conscious.

As we all know, it is hard enough to protect PCs, phones, servers and even the network on a daily basis, even though these have been through considerable security monitoring, reviews and evaluations for many years. How can you protect alarms, personal electronics and home devices that seemingly appear daily?

To begin, one must define and consider where the security platforms will be deployed: hardware, software, network, or all of the above?

Solutions such as Ziften listen to the network (from the device’s point of view) and use machine learning to recognize patterns and scan for anomalies. Ziften currently provides a global threat analytics platform (the Ziften KnowledgeCloud), with feeds from a range of sources that enables review of tens of millions of endpoint, binary, MD5 and other data points today.

Deploying software onto all IoT devices will be a challenge, as many use FPGA and ASIC designs as their control platform. These are typically built into anything from drones to cars to industrial and SCADA control systems. Many of these devices run on solid-state chips without an operating system or x86-type processor. With insufficient memory to support advanced software, many simply cannot support modern security software. In the realm of IoT, additional customization creates risk and a vacuum that strains even the most robust systems.

Solutions for the IoT space need a multi-pronged approach at the endpoint, which includes the desktops, laptops and servers already integrated with the network. At Ziften, we currently deliver collectors for Windows, Linux and OS X, supporting the core desktop, server and network infrastructure that holds the intellectual property and assets attackers seek. After all, the bad guys do not actually want any data from the company refrigerator; they merely want to use it as a conduit to where the valuable data lives.

There is, however, an additional technique we deliver that can help ease many current problems: scanning for anomalies at the network level. It is believed that typically 30% of devices connected to a corporate network are unknown IPs. IoT trends will likely double that number in the next 10 years. This is one reason why connecting a device is not always an obvious choice.

As more devices connect to the Internet, more attack surfaces will emerge, leading to breaches far more destructive than those affecting email, finance, retail and insurance: breaches that could even threaten our way of life. Protecting the IoT must draw on lessons learned from conventional enterprise IT security and offer multiple layers, integrated to provide end-to-end robustness and capable of preventing and detecting threats at every level of the emerging IoT value chain. Ziften can help from many angles, today and in the future.


Shine A Light On Your Security Blindspots With Ziften ZFlow – Charles Leaver


Written By Andy Wilson And Presented By Charles Leaver CEO Ziften


Over the past several years, many IT organizations have adopted NetFlow telemetry (network connection metadata) to improve their security posture. There are several reasons: NetFlow is relatively inexpensive (compared with full packet capture); it is relatively simple to collect, since most Layer 3 network devices support NetFlow or the IANA standard IPFIX; and it is easy to analyze with freeware or commercial software. NetFlow can help overcome blind spots in the architecture and provide much-needed visibility into what is actually happening in the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection.

NetFlow can supply insight where little or no visibility exists. Most organizations collect flows at the core, WAN and Internet layers of their networks. Depending on the routing design, localized traffic may not be represented: LAN-to-LAN activity, local broadcast traffic, and east-west traffic inside the datacenter. Most organizations do not route all the way to the access layer and are therefore blind to some degree in this part of the network.


Full packet capture in this area is still not entirely practical, for a variety of reasons. The solution is endpoint-based NetFlow, which restores visibility and provides crucial extra context to the other flows collected in the network. Ziften ZFlow telemetry originates from the endpoint (desktop, laptop or server), so it does not rely on the network infrastructure to produce it. ZFlow supplies standard ISO Layer 3/4 data such as source and destination IP addresses and ports, but also adds important Layer 4-7 information: the executable responsible for the network socket, the MD5 hash, PID and file path of that executable, the user who launched it, and whether it was running in the foreground or background. The latter are crucial details that network-based flows simply cannot provide.



This extra contextual data can significantly reduce false positives and give analysts, SOC staff and incident handlers rich data to quickly examine the nature of network traffic and determine whether it is malicious or benign. Used together with network-based alerts (firewalls, IDS/IPS, web proxies and gateways), ZFlow can dramatically shorten the time it takes to resolve a security event. And we know that time to detect malicious behavior is a key determinant of how successful an attack becomes. Dwell times have decreased in recent years but are still at unacceptable levels: currently over 230 days during which an attacker can roam unnoticed through your network collecting your most valuable data.

Below is a screenshot showing a port 80 connection to a web location. Interesting facts about this connection that network-based tools may miss: it was not initiated by a web browser but by Windows PowerShell, and it was started by the ‘System’ account rather than the logged-in user. Both are very attention-grabbing to a security analyst; this is not a false positive and would likely warrant deeper investigation (at which point the analyst could pivot into the Ziften console and see much more of that system’s behavior: what actions or binaries ran before and after the connection, process history, network activity and more).



Ziften’s ZFlow shines a light on security blind spots and supplies the additional endpoint context of process, application and user attribution to help security staff better understand what is really happening in their environment. Combined with network-based events, ZFlow can significantly reduce the time it takes to investigate and respond to security alerts and substantially improve a company’s security posture.
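As an added illustration, not Ziften’s code or data schema, the following Python triages constructed endpoint flow records carrying the attribution fields described in this post (executable, hash, PID, path, launching user, foreground flag) and surfaces the PowerShell-as-System case from the screenshot above; the field names, browser list, expected-path table and sample records are all assumptions.

```python
"""Triage endpoint flow records that carry process and user attribution.

Added example: the records are constructed and the field names, browser
list and expected-path table are assumptions, not Ziften's actual schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List

WEB_PORTS = {80, 443}
# Processes expected to originate web traffic on a workstation (assumption).
KNOWN_BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# Accounts that should not be browsing the web on a user workstation.
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}
# Where well-known binaries are expected to live (assumption); a copy running
# from elsewhere under the same name is a masquerading hint.
EXPECTED_DIRS: Dict[str, str] = {
    "powershell.exe": "c:\\windows\\system32\\windowspowershell\\v1.0",
    "chrome.exe": "c:\\program files\\google\\chrome\\application",
}


@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    dst_port: int
    exe: str          # executable that owns the socket
    md5: str          # hash of that executable (constructed values below)
    pid: int
    path: str         # full path of the executable image
    user: str         # account that launched the executable
    foreground: bool  # was the process in the foreground for the logged-in user


@dataclass
class Finding:
    record: FlowRecord
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per independent attribution signal; enough for ranking.
        return len(self.reasons)


def triage_record(r: FlowRecord) -> List[str]:
    """Return the attribution-based reasons a record deserves analyst attention."""
    exe = r.exe.lower()
    reasons = []
    if r.dst_port in WEB_PORTS and exe not in KNOWN_BROWSERS:
        reasons.append("web-port connection not initiated by a browser")
    if r.user.lower() in SYSTEM_ACCOUNTS and r.dst_port in WEB_PORTS:
        reasons.append("initiated by the System account, not the logged-in user")
    if not r.foreground and r.dst_port in WEB_PORTS:
        reasons.append("background process, no user interaction")
    expected = EXPECTED_DIRS.get(exe)
    if expected and not r.path.lower().startswith(expected):
        reasons.append(f"{r.exe} running from unexpected path {r.path}")
    return reasons


def triage(records: List[FlowRecord]) -> List[Finding]:
    """Score every record and return the suspicious ones, highest score first."""
    findings = [Finding(r, triage_record(r)) for r in records]
    findings = [f for f in findings if f.reasons]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample telemetry (not real captures).
SAMPLE = [
    FlowRecord("10.0.0.15", "93.184.216.34", 443, "chrome.exe", "md5-constructed-1", 4120,
               "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CORP\\alice", True),
    FlowRecord("10.0.0.15", "203.0.113.7", 80, "powershell.exe", "md5-constructed-2", 5288,
               "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "SYSTEM", False),
    FlowRecord("10.0.0.22", "198.51.100.9", 443, "outlook.exe", "md5-constructed-3", 3301,
               "C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe", "CORP\\bob", True),
    FlowRecord("10.0.0.31", "203.0.113.7", 80, "powershell.exe", "md5-constructed-4", 7710,
               "C:\\Users\\carol\\AppData\\Local\\Temp\\powershell.exe", "CORP\\carol", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.record.src_ip} -> {f.record.dst_ip}:{f.record.dst_port} "
              f"{f.record.exe} as {f.record.user} score={f.score}")
        for reason in f.reasons:
            print("   -", reason)
```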


Charles Leaver – Here Is The New Path To Endpoint Security As Prevention And Blocking Are Not Enough


Written By Josh Harriman And Presented By Charles Leaver Ziften CEO

Conventional endpoint security products, some of which have been around for over 20 years, rely heavily on the same security techniques year after year. Although there is always innovation and effort to improve, the underlying problem remains: threats will always find a path into your organization. And most of the time you have to wait until your deployed product finally detects the threat before you can even begin to assess the damage and perhaps prevent it from happening again (once you have gathered all the relevant details to make that informed decision, naturally). Another downside of these products is that they often impose a substantial performance burden on the very device they are protecting, which leads to unhappy end users and other problems with management and reliability.

But this post is not about abandoning your current solution; it is about augmenting and strengthening your overall security posture. Organizations need to move towards solutions that offer continuous monitoring and complete visibility of all activity on their endpoint population. Stopping or preventing known malware from running is certainly essential, but it falls short of the overall defense required in today’s threat landscape. The ability to run deeper forensics on present or, often more importantly, past events can really only be provided by solutions that monitor continuously. This information is vital in assessing the damage and understanding the scope of an infection within your company.

This, of course, has to be done efficiently and with limited system overhead.

Just as there are many products in the traditional endpoint security space, a new league of vendors is emerging at this crucial step of the evolution. Most of these companies have staff from the ‘old guard’ who understand that a new vision is needed as the threat landscape keeps changing. Simply reporting and alerting on known-bad things misses the point entirely. You MUST look at everything, everybody and all behaviors and actions to give yourself the best chance of responding quickly and thoroughly to threats within your organization.

By adopting products in this “New Path of Endpoint Security” category, Security Ops or Incident Responders within the organization will finally have the visibility they have been craving. We hear this constantly from our customers and prospects and are doing our best to provide the solutions that help protect everyone.


Charles Leaver – Using The Ziften App For Splunk Will Find Instances Of Superfish


Written By Ryan Hollman And Presented By Charles Leaver CEO Ziften

Background: Lenovo admitted to preloading the Superfish adware on some consumer PCs, and unhappy customers are now taking the company to court over it, PCWorld reported. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with “deceptive” commercial practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by preloading the adware.

Having trouble finding Superfish across your business? With the Ziften App for Splunk, you can find infected endpoints with a simple Splunk search. Just search your Ziften data and filter for the keyword “superfish”. The query is:

index=ziften superfish




The following image shows the results you would see in your Ziften App for Splunk if systems were infected. In this particular case, we identified several systems infected with Superfish.



The above results also reference the binary “VirtualDiscovery.exe”. As it turns out, this is the core process responsible for the infections. Along with the Superfish root certificate and the VirtualDiscovery.exe binary, the software also writes the following to the system:

A registry entry in:


INI and log files in:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Superfish can also be detected manually on an endpoint directly from PowerShell with the following:

dir cert: -r | where Subject -match "superfish"

If the system is infected with Superfish, you will see results like the following image. If the system is clean, you will see no results.




Some analysts have said that you can simply remove Superfish by deleting the root certificate shown above with a PowerShell command such as:

dir cert: -r | where Subject -match "superfish" | Remove-Item

This removal does not persist across reboots. Just removing the root cert does not work, because VirtualDiscovery.exe will reinstall the root cert after a system reboot.

The simplest way to remove Superfish from your system is to update Microsoft’s built-in anti-virus product, Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate Superfish.

Other remediation methods exist, but updating Windows Defender is by far the simplest.


Charles Leaver – You Need To Be On The Alert For These Top 5 Suspect User Endpoint Activities


Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Conventional security software is unlikely to detect attacks targeted at a specific company. The attack code will most likely be remixed to evade known malware signatures, while fresh command and control infrastructure will be stood up to evade known blacklisted network contacts. Defending against these fresh, targeted attacks requires defenders to identify more generic attack attributes than can be found in endless lists of known Indicators of Compromise (IoCs) from previously analyzed attacks.

Unless you have a time machine to retrieve IoCs from the future, known IoCs will not help with fresh attacks. For that, you have to be alert to suspicious behaviors of users or endpoints that could indicate ongoing attack activity. These suspicion-arousing behaviors will not be as conclusive as a malware signature match or IP blacklist hit, so they will need analyst triage to verify. Insisting on certainty of conviction before raising alerts means that new attacks will successfully evade your automated defenses. It would be like a parent ignoring suspicious behavior in a child until they get a call from the authorities. You do not want that call from the FBI telling you your enterprise has been breached, when due analyst attention to suspicious behaviors would have provided early detection.

Security analytics of observed user and endpoint behaviors aims to identify attributes of potential attack activity. Here we highlight some of those suspect behaviors by way of basic description. These suspect behaviors act as cyber attack tripwires, alerting defenders to possible attacks in progress.

Anomalous Login Activity

Users and organizational systems show learnable login activity patterns that can be evaluated for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user’s or endpoint’s earlier login pattern. Remote logins can be examined for remote IP address and geolocation, and login entropy can be measured and compared. Non-administrative users logging into multiple systems can be observed and reported, as this deviates from expected patterns.

Anomalous Work Practices

Working outside normal hours or outside established patterns of work activity can be suspicious and may indicate insider threat activity or compromised credentials. Again, anomalies may be either spatial or temporal. The mix of active processes during work can also be analyzed for adherence to established workgroup activity patterns. Workloads vary a bit, but tend to be fairly consistent across engineering departments, accounting departments, marketing departments, and so on. Work activity patterns can be machine learned and statistical divergence tests applied to spot behavioral anomalies.

Anomalous Application Attributes

Typical applications show reasonably consistent characteristics in their image metadata and in their active process profiles. Significant departures from these observed norms can indicate application compromise, such as code injection. Whitelisted applications may be used by malware scripts in unlikely ways, such as ransomware using system tools to delete volume shadow copies to hinder recovery, or malware staging stolen data to disk before exfiltration, with substantial disk resource demand.

Anomalous Network Activity

Common applications show relatively consistent network activity patterns that can be learned and characterized. Unusual levels of network activity by unusual applications are suspect for that reason alone, as is unusual port activity or port scanning. Network activity at unusual times, with unusual regularity (possibly beaconing), or with unusual resource demand also deserves attention. Unattended network activity (user not present) must always have a plausible explanation or be reported, especially if observed in significant volume.

Anomalous System Fault Behavior

Anomalous fault behavior could indicate a vulnerable or unpatched system, or malware that is repeatedly retrying some failing operation. This may appear as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as mandated security or backup agents not running, or those agents faulting constantly (a fault-restart-fault cycle).

When evaluating Endpoint Detection and Response solutions, do not become complacent just because you have a large library of known IOCs. The most effective solutions will cover these top five generic attack characteristics plus a whole lot more.
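Added example (not Ziften’s analytics): a small Python implementation of three of the tripwires above, the temporal and spatial login anomaly checks from “Anomalous Login Activity” and the beaconing regularity check from “Anomalous Network Activity”, run over login and connection telemetry constructed here; the thresholds, the login-hour entropy measure and the sample data are assumptions.

```python
"""Behavioral tripwires over constructed login and connection telemetry.

Added example, not Ziften's analytics: it implements the temporal and spatial
login checks and the beaconing check described above over sample data
constructed here. Thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from math import log2
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Set, Tuple

# (user, host, hour_of_day, source_country); a constructed baseline week.
LOGIN_HISTORY: List[Tuple[str, str, int, str]] = [
    ("alice", "ws-alice", 9, "US"), ("alice", "ws-alice", 10, "US"),
    ("alice", "ws-alice", 14, "US"), ("alice", "ws-alice", 17, "US"),
    ("bob", "ws-bob", 8, "US"), ("bob", "ws-bob", 13, "US"), ("bob", "ws-bob", 16, "US"),
    ("carol", "ws-carol", 9, "US"), ("carol", "ws-carol", 11, "US"), ("carol", "ws-carol", 15, "US"),
    # dave is a non-admin user who touched four other systems this week.
    ("dave", "ws-dave", 9, "US"), ("dave", "srv-fin01", 9, "US"), ("dave", "srv-hr02", 10, "US"),
    ("dave", "srv-db03", 10, "US"), ("dave", "ws-alice", 11, "US"),
]
ADMINS: Set[str] = set()  # nobody above is an administrator (assumption)


def login_hour_entropy(hours: Sequence[int]) -> float:
    """Shannon entropy (bits) of a user's login-hour distribution."""
    counts = Counter(hours)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def temporal_anomalies(history, user: str, hour: int, country: str) -> List[str]:
    """Flag a new login that departs from that user's own earlier pattern."""
    seen_hours = {h for u, _, h, _ in history if u == user}
    seen_countries = {c for u, _, _, c in history if u == user}
    reasons = []
    if hour not in seen_hours:
        reasons.append(f"{user}: login at hour {hour:02d}, never seen before")
    if country not in seen_countries:
        reasons.append(f"{user}: login from {country}, never seen before")
    return reasons


def spatial_anomalies(history, admins: Set[str], z_threshold: float = 1.5) -> List[str]:
    """Flag non-admin users who log into far more hosts than their peers."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for user, host, _, _ in history:
        hosts[user].add(host)
    counts = {u: len(h) for u, h in hosts.items() if u not in admins}
    mu, sd = mean(counts.values()), pstdev(counts.values())
    reasons = []
    for user, n in counts.items():
        z = (n - mu) / sd if sd else 0.0  # all peers identical: nothing stands out
        if z >= z_threshold:
            reasons.append(f"{user}: {n} distinct hosts vs peer mean {mu:.1f} (z={z:.2f})")
    return reasons


def is_beaconing(timestamps: Sequence[float], min_events: int = 5, max_cv: float = 0.1) -> bool:
    """Regular connection intervals (low coefficient of variation) suggest beaconing."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(intervals)
    return mu > 0 and pstdev(intervals) / mu <= max_cv


# Constructed connection times (seconds) for two processes on one endpoint.
BEACON_TIMES = [0, 300, 601, 899, 1200, 1502]       # roughly every 5 minutes
INTERACTIVE_TIMES = [0, 40, 900, 950, 3000, 3100]  # bursty, user driven

if __name__ == "__main__":
    print(temporal_anomalies(LOGIN_HISTORY, "alice", 3, "RU"))
    print(spatial_anomalies(LOGIN_HISTORY, ADMINS))
    print("beacon:", is_beaconing(BEACON_TIMES), "interactive:", is_beaconing(INTERACTIVE_TIMES))
```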


We Are So Proud At Ziften To Be A Red Herring Award Winner – Charles Leaver


Written By Rachel Munsch And Presented By Charles Leaver CEO Ziften

There is some great news to share: for 2015 Ziften has been selected as a Top 100 North America award winner. Around 1200 businesses from the USA and Canada were evaluated in the annual competition, and our Endpoint Detection and Response solution lifted us into the top 100.

The Red Herring 100 Awards are widely recognized as one of the industry’s more distinguished accolades. Finalists go through an extensive selection process based on over 20 criteria, including technological innovation, addressable market, business model, customer footprint and level of specialization. Alex Vieux, CEO and Publisher of Red Herring, felt that the competition was very strong this year and the selection process difficult:

“But after much thought, rigorous reflection and discussion, we narrowed our list down from large numbers of prospects from across North America to the North America winners. We believe Ziften embodies the vision, drive and innovation that define an effective entrepreneurial endeavor. Ziften should be proud of its achievement, as the competition was extremely strong.”

Here at Ziften we are very proud to be selected as a Red Herring award winner. It is always gratifying to have our work validated and recognized, especially considering the prestigious list of finalists. Our commitment to helping organizations defend themselves against today’s sophisticated threats remains strong, and this award will serve as motivation going forward as we continue to strive to be the leader in endpoint security and protection.