Category Archives: Network Security

Charles Leaver – Ziften And Splunk Active Response Framework What Are The Advantages?


Written by Charles Leaver, CEO, Ziften



We sponsored Splunk .conf2014 in Las Vegas, a great show, and came back energized and ready to push our solution even further forward here at Ziften. One talk of particular interest was given by Jose Hernandez, Security Solutions Architect at Splunk, under the title "Using Splunk to Automatically Reduce Risks". If you want to see his slides and a recording of the talk then please go to

Using Splunk to drive mitigation, or "Active Response" as I prefer to call it, is an excellent idea. Having all of your intelligence data flowing into Splunk is extremely effective, whether it is endpoint data, external threat feeds or anything else, and being able to take action on that data is what truly closes the loop. At Ziften we have an effective continuous endpoint monitoring solution, and its integration with Splunk is something we are extremely proud of. Pairing real time data analysis with the ability to respond to and act against incidents is a strong move in the right direction.

Ziften has developed a mitigation action using the publicly available Active Response code; a demo video accompanies this post. As a proof of concept we built the mitigation action into the Ziften App for Splunk. Once the action fires, its results can be observed and tracked within Splunk ES (Enterprise Security). This is a significant addition: users can now monitor and track mitigations within Splunk ES, which closes the loop and builds a history of the actions taken.
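As an added example (not the Ziften App for Splunk's own code), here is the skeleton of a custom alert action that could back a mitigation of this kind. Splunk invokes a custom alert action script with the --execute argument and passes the triggering event and the action's parameters as JSON on stdin; the script below parses that payload, applies a policy gate, and returns a record of what it did (or why it skipped) so that the action history can be indexed and tracked. The result field names (host, severity, sha256), the parameters min_severity and exempt_hosts, and the isolate_host stand-in are assumptions for the example; the real endpoint call would replace the stand-in.

```python
"""Custom alert action that gates and records an endpoint mitigation.

Added example, not the Ziften App for Splunk. Splunk runs a custom alert
action script as 'script.py --execute' with a JSON payload on stdin; the
'result' key holds the triggering event and 'configuration' holds the
action's parameters. Field names (host, severity, sha256), the parameters
(min_severity, exempt_hosts) and the isolate_host stand-in are assumptions.
"""
import json
import sys
import time

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Defaults used when the alert's configuration omits a parameter.
DEFAULT_CONFIG = {"min_severity": "high", "exempt_hosts": "dc01,backup01"}


def decide(payload):
    """Apply the policy gate and return a mitigation record (action + reason)."""
    result = payload["result"]
    config = {**DEFAULT_CONFIG, **payload.get("configuration", {})}
    host = result.get("host", "").strip().lower()
    severity = result.get("severity", "low").strip().lower()
    exempt = {h.strip().lower() for h in config["exempt_hosts"].split(",") if h.strip()}

    reason = None
    if not host:
        reason = "no host field in result"
    elif host in exempt:
        reason = f"{host} is exempt from automated isolation"
    elif SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[config["min_severity"]]:
        reason = f"severity {severity} below {config['min_severity']}"

    return {
        "action": "isolate_host" if reason is None else "skip",
        "reason": reason,
        "host": host,
        "sha256": result.get("sha256"),
        "search_name": payload.get("search_name"),
        "sid": payload.get("sid"),
        "results_link": payload.get("results_link"),
    }


def isolate_host(record):
    """Stand-in for the real endpoint isolation call; marks the record as requested."""
    record["status"] = "requested"
    record["requested_at"] = int(time.time())
    return record


def handle(payload):
    """Decide, act if policy allows, and return the record to log for tracking."""
    record = decide(payload)
    if record["action"] == "isolate_host":
        record = isolate_host(record)
    return record


# Constructed payload in the shape Splunk passes to a custom alert action.
SAMPLE_PAYLOAD = {
    "search_name": "Ziften - system image outside System32",
    "sid": "scheduler__admin__search__RMD5a1b2c3_at_1412345678_17",
    "results_link": "https://splunk.example.com/app/search/search?sid=scheduler__admin__search__RMD5a1b2c3_at_1412345678_17",
    "configuration": {"min_severity": "high", "exempt_hosts": "dc01,backup01"},
    "result": {
        "host": "WS-0142",
        "severity": "high",
        "sha256": "deadbeef" * 8,
        "process_path": r"C:\Windows\System32\com\svchost.exe",
    },
}

if __name__ == "__main__":
    # Under Splunk: read the payload from stdin; stand-alone: use the sample.
    payload = json.load(sys.stdin) if "--execute" in sys.argv else SAMPLE_PAYLOAD
    print(json.dumps(handle(payload)))
```

The point of the policy gate is that an automated response is only as safe as its exclusions: the exempt list and the severity floor are what stop a noisy search from isolating a domain controller, and the returned record is what gives the SOC the history that the post describes.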

That Splunk is driving this effort excites us; it is likely to evolve, and we are committed to supporting it and building on it. It is an exciting time in the Endpoint Detection and Response space, and the addition of the Active Response Framework in Splunk will, in my opinion, generate a high degree of interest.

For any questions about the Ziften App for Splunk, please send an e-mail to




Charles Leaver – A Reliable Endpoint Monitoring System Needs More Than Narrow Indicators Of Compromise


Presented By Charles Leaver And Written By Dr Al Hartmann Of Ziften Inc.


The Breadth Of The Indicator – Broad Versus Narrow

A detailed report on a cyber attack will typically include indicators of compromise (IoCs). Often these are narrow in scope, describing a specific attack group as observed in a particular attack on one organization over a limited period. Such narrow indicators are usually specific artifacts of the observed attack, and on their own they can constitute evidence of compromise. For that attack they have high specificity, but often at the cost of low sensitivity to comparable attacks that use different artifacts.

Narrow indicators are, by nature, of very limited scope, which is why they exist by the billions in ever growing databases of malware signatures, suspicious network addresses, malicious registry keys, file and packet content snippets, file paths, intrusion detection rules and so on. Ziften's continuous endpoint monitoring solution aggregates some of these third party databases and threat feeds into the Ziften Knowledge Cloud to take advantage of known artifact detection. These detection elements can be applied in real time as well as retrospectively. Retrospective application matters because these artifacts are short lived: attackers continually change the observable details of their attacks precisely to frustrate narrow IoC detection. That is why a continuous monitoring solution must archive its monitoring results for a long period (long relative to industry reported attacker dwell times) to provide a sufficient lookback horizon.

Narrow IoCs have significant detection value, but they are largely ineffective at detecting new attacks by skilled adversaries. New attack code can be pre-tested against common enterprise security products in a lab to confirm that no detectable artifact is reused. Security products that operate purely as black/white classifiers, issuing an explicit verdict of malicious or benign, suffer from this weakness and are easily evaded. The defended organization may be thoroughly compromised for months or years before any detectable artifacts are identified (after extensive investigation) for that particular attack.

In contrast to the ease with which attack artifacts can be obscured with ordinary attacker toolkits, the techniques and tactics, the modus operandi, used by attackers have persisted over several decades. Common tactics such as weaponized websites and documents, new service installation, vulnerability exploitation, module injection, modification of sensitive directories and registry locations, new scheduled tasks, memory and disk corruption, credential compromise, malicious scripting and many others are broadly shared. Proper system logging and monitoring can detect much of this activity when paired with security analytics that prioritize the highest risk observations. This removes the attacker's opportunity to pre-test the evasiveness of malicious code, because risk is not quantified as black and white but in shades of gray. Endpoint risk is relative and variable across a given network, user environment and time period, and that environment (with its temporal characteristics) cannot be reproduced in a lab. The attacker's basic concealment approach is foiled.

In future posts we will examine Ziften endpoint risk analysis in more detail, along with the vital relationship between endpoint security and endpoint management. "You can't protect what you don't manage, you can't manage what you don't measure, you can't measure what you don't track." Organizations get breached because they have less oversight and control of their endpoint environment than the attackers do. Look out for future posts...


The Ziften Continuous Endpoint Monitoring Advantage Carbanak Case Study Part 3 – Charles Leaver


Presented By Charles Leaver And Written By Dr Al Hartmann

Part 3 in a 3 part series


Below are excerpts of the indicators of compromise (IoCs) from the technical reports on the Anunak/Carbanak APT attacks, with comments on how the Ziften continuous endpoint monitoring solution would detect each. The Ziften system concentrates on generic indicators of compromise that have been consistent over years of attacks and security experience; such IoCs can be defined for any operating system, including Linux, OS X and Windows. Specific indicators of compromise also exist, pointing at C2 infrastructure or particular attack code instances, but these are short lived and are not normally reused in fresh attacks; there are billions of these artifacts in the security world, with thousands added every day. Generic IoCs are built into the Ziften security analytics for each supported operating system, while specific IoCs come from the Ziften Knowledge Cloud, which subscribes to a number of industry threat feeds and watch lists that aggregate them. Both kinds have value and help triangulate attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases used spear phishing emails with Microsoft Word 97-2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Comment: Not strictly an IoC, but critical unpatched vulnerabilities are a major attacker entry point and a large warning sign that raises the risk score (and the SIEM priority) for the endpoint, particularly if other indicators are also present. Such vulnerabilities point to lax patch management and vulnerability lifecycle management, which weakens the overall cyber defense posture.

2. Suspect Locations

Excerpt: Command and Control (C2) servers situated in China have been determined in this project.

Comment: Geolocation of endpoint network connections, and scoring by location, both contribute to the risk score that drives up the SIEM priority. There can be valid reasons for contacting servers in China, and some organizations have operations there, but such contact should be validated by spatial and temporal anomaly checks. The IP address and domain information should be attached to the resulting SIEM alert so that SOC triage can be carried out quickly.

3. New Binaries

Excerpt: Once the remote code execution vulnerability is effectively exploited, it installs Carbanak on the victim’s system.

Comment: Any new binary is suspicious, but not all of them should raise alarms. Image metadata should be examined to see whether it fits an expected pattern, for example a new application, or a new version of an existing application, from a known vendor at a plausible file path for that vendor. Attackers will try to spoof whitelisted applications, so signing data, file size and file path can be compared to filter out the obvious imitations.

4. Uncommon Or Sensitive Filepaths

Excerpt: Carbanak copies itself into "%system32%\com" with the name "svchost.exe" with the file attributes: system, hidden and read-only.

Comment: Any write into the System32 path is suspicious, because it is a sensitive system folder, and is subject to immediate anomaly checking. A classic anomaly is svchost.exe, a critical system process image, appearing in the unusual location of the com subdirectory rather than in System32 itself.
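The following is an added example, not Ziften code, of how the two generic checks behind items 3 and 4 can be written so that they survive the obvious evasion: a naive test such as "does the path contain System32" would pass both the real svchost.exe and the Carbanak copy in System32\com, so the check below expands the %var% notation used in the report, normalizes the path, and compares the parent directory exactly against where a well-known system image is expected to live. The tables of system images, sensitive directories, environment variables and weights are constructed for the example and would be populated from your own golden image in practice.

```python
"""Generic path-anomaly checks for endpoint file and process events.

Added example, not Ziften code. All tables below are constructed for the
example; populate them from your own golden image in practice.
"""
import ntpath
import re

# Where well-known Windows system images legitimately live (lower case).
SYSTEM_IMAGES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Most specific first, so the loop below reports the tightest match.
SENSITIVE_DIRS = [r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"]

# Expansion table for the %var% notation used in the Carbanak report.
ENV = {"system32": r"c:\windows\system32", "systemroot": r"c:\windows", "windir": r"c:\windows"}

# Risk weights per finding; constructed for the example.
WEIGHTS = {"system_image_misplaced": 40, "write_to_sensitive_dir": 25, "hidden_system_file": 15}


def normalize(path):
    """Expand %var% tokens (case-insensitively), unify separators and case."""
    expanded = re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normpath(expanded.replace("/", "\\")).lower()


def check_event(event):
    """Return (score, findings) for one endpoint event.

    event: {"kind": "file_create" | "process_start", "path": str, "attrs": [...]}
    """
    path = normalize(event["path"])
    directory, name = ntpath.split(path)
    findings = []

    # A well-known system image name anywhere but its home directory.
    expected = SYSTEM_IMAGES.get(name)
    if expected is not None and directory != expected:
        findings.append("system_image_misplaced")

    if event["kind"] == "file_create":
        # Exact-parent or proper-subdirectory match, not a substring test.
        for sdir in SENSITIVE_DIRS:
            if directory == sdir or directory.startswith(sdir + "\\"):
                findings.append("write_to_sensitive_dir")
                break
        attrs = {a.lower() for a in event.get("attrs", [])}
        if {"hidden", "system"} <= attrs:
            findings.append("hidden_system_file")

    return sum(WEIGHTS[f] for f in findings), findings


# Constructed events: the Carbanak drop from the report, and two benign ones.
SAMPLE_EVENTS = [
    {"kind": "file_create", "path": r"%system32%\com\svchost.exe", "attrs": ["system", "hidden", "readonly"]},
    {"kind": "process_start", "path": r"C:\Windows\System32\svchost.exe"},
    {"kind": "file_create", "path": r"C:\Users\alice\Downloads\report.docx", "attrs": ["archive"]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(check_event(ev), ev["path"])
```

The score is additive on purpose: a misplaced system image alone is worth a look, but the same image written as hidden+system into a subdirectory of System32 is the Carbanak pattern and should land at the top of the SIEM queue.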

5. New Autostarts Or Services

Excerpt: To ensure that Carbanak has autorun privileges the malware produces a new service.

Comment: A new autostart or service is typical of malware and is always examined by the analytics. Anything of low prevalence across the fleet is suspicious, and if checking the image hash against industry watchlists shows it to be unknown to the majority of anti-virus engines, suspicion rises further.

6. Low Prevalence File In High Prevalence Folder

Excerpt: Carbanak creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be executed.

Comment: This is a classic example of "one of these things is not like the other", and it is simple for the security analytics to check in a continuous monitoring environment. The IoC is entirely generic: it has nothing to do with which filename or which directory is created. Although the technical report lists it as a specific IoC, it trivially generalizes beyond Carbanak to future attacks.

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the current Carbanak samples are digitally signed.

Comment: Any suspect signer is treated as suspicious. In one case the signer supplied an anonymous gmail address, which does not inspire confidence, and the risk score for that image rises; in other cases no e-mail address is supplied at all. Signers can easily be enumerated and a Pareto analysis performed to separate the more trusted from the less trusted signers. A less trusted signer found in a more sensitive directory is highly suspicious.
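Items 5, 6 and 7 all reduce to the same prevalence question, so the following added example (not Ziften code) implements it once over a generic (host, group, item) observation and applies it to the three cases together: a group is something expected to be common across the fleet (a directory, the services list, the set of code signers) and an item is one member of it on one host. It goes slightly beyond the text by showing that the same function also covers item 9 if remote login source addresses are fed in as items. The fleet inventory is constructed: twenty hosts that look alike except host-07, which carries a random-name .bin file in the Mozilla folder, a new service and a gmail-address signer. The thresholds are assumptions.

```python
"""Prevalence analytics: 'one of these things is not like the other'.

Added example, not Ziften code. An observation is a (host, group, item)
triple: 'group' is something expected to be common across hosts and
'item' is one member of it on that host. The inventory is constructed.
"""
from collections import defaultdict


def prevalence_report(observations, min_group_share=0.8, max_item_share=0.1):
    """Flag items that are rare inside a group that is itself common.

    min_group_share: fraction of all hosts that must have the group at all,
        so comparisons are made against a meaningful peer population.
    max_item_share: fraction of those peers on which an item may appear
        and still count as low prevalence.
    Returns findings sorted rarest first.
    """
    hosts = {host for host, _, _ in observations}
    group_hosts = defaultdict(set)
    item_hosts = defaultdict(set)
    for host, group, item in observations:
        group_hosts[group].add(host)
        item_hosts[(group, item)].add(host)

    findings = []
    for (group, item), seen_on in item_hosts.items():
        peers = group_hosts[group]
        group_share = len(peers) / len(hosts)
        item_share = len(seen_on) / len(peers)
        if group_share >= min_group_share and item_share <= max_item_share:
            findings.append({
                "group": group,
                "item": item,
                "hosts": sorted(seen_on),
                "group_share": round(group_share, 2),
                "item_share": round(item_share, 2),
            })
    return sorted(findings, key=lambda f: (f["item_share"], f["group"], f["item"]))


def build_sample_fleet(n_hosts=20):
    """Constructed inventory: every host looks alike except host-07,
    which carries the three Carbanak style oddities from the report."""
    obs = []
    for i in range(1, n_hosts + 1):
        host = f"host-{i:02d}"
        obs += [
            (host, r"%COMMON_APPDATA%\Mozilla", "Firefox"),
            (host, r"%COMMON_APPDATA%\Mozilla", "updates"),
            (host, "services", "wuauserv"),
            (host, "services", "Dhcp"),
            (host, "signers", "CN=Microsoft Windows"),
            (host, "signers", "CN=Mozilla Corporation"),
        ]
    obs += [
        ("host-07", r"%COMMON_APPDATA%\Mozilla", "7f3a9c.bin"),             # random-name .bin (item 6)
        ("host-07", "services", "SysHost"),                                 # new service (item 5)
        ("host-07", "signers", "CN=Unknown Ltd, E=someone@gmail.com"),      # suspect signer (item 7)
    ]
    return obs


if __name__ == "__main__":
    for finding in prevalence_report(build_sample_fleet()):
        print(finding)
```

Note the min_group_share guard: with only five peers, one host out of six is not rare enough to call, and the report stays empty rather than crying wolf. That is the practical reason the text insists on a long archive of observations across the whole endpoint population; the peer set is what gives a single odd file its meaning.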

8. Remote Administration Tools

Excerpt: There seems to be a preference for the Ammyy Admin remote administration tool for remote control. It is thought that the hackers utilized this remote administration tool due to the fact that it is frequently whitelisted in the victims' environments as a result of being utilized regularly by administrators.

Comment: Remote admin tools (RATs) always raise suspicion, even when they are whitelisted by the organization. Each new remote admin tool instance is checked for temporal and spatial consistency, because RATs are prone to abuse. Attackers prefer to use the organization's own RATs precisely because they evade detection, so these tools should not be given a free pass just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools suggest that they were accessed from 2 dissimilar IPs, most likely utilized by the attackers, and located in Ukraine and France.

Comment: Remote logins are always suspect, because attackers are presumed to be remote. They are also common in insider attacks, since the insider does not want to be identified with the system. Remote address and time pattern anomalies are examined, which should expose low prevalence usage (relative to peer systems) as well as any suspect locations.

10. Atypical IT Tools

Excerpt: We have actually discovered traces of various tools utilized by the hackers inside the victim's network to gain control of extra systems, such as Metasploit, PsExec or Mimikatz.

Comment: Being sensitive applications, IT tools should always be checked for anomalies, because attackers routinely subvert them for malicious purposes. Metasploit could be used legitimately by a penetration tester or vulnerability researcher, but such instances would be rare. This is a prime example where an uncommon observation, reviewed by security staff, would lead to corrective action. It also highlights the problem with blanket whitelisting, which does nothing to help identify suspicious activity.


Charles Leaver – Carbanak Case Study Part Two Explains Why Continuous Endpoint Monitoring Is SO Efficient


Presented By Charles Leaver And Written By Dr Al Hartmann

Part 2 in a 3 part series


Continuous Endpoint Monitoring Is Extremely Efficient


Convicting and blocking malicious code before it can compromise an endpoint is fine, but this approach is largely ineffective against attacks that have been pre-tested to evade it. The real issue is that these covert attacks are conducted by skilled human adversaries, while conventional endpoint defense is an automated process run by endpoint security products that rely mainly on traditional antivirus technology. Human intelligence is more creative and adaptable than machine intelligence, and a skilled attacker will beat a purely automated defense. The situation recalls the Turing test: automated defenses are being asked to match the intellect of a skilled human attacker. Artificial intelligence and machine learning are not yet advanced enough to fully automate cyber defense, so the human attacker wins and the victim is left counting its losses. We do not live in a science fiction world where machines out-think people, so you should not expect a security software suite to automatically take care of all of your problems and prevent all attacks and data loss.

The only real way to stop a determined human attacker is with a determined human defender. To engage your IT Security Operations Center (SOC) staff in that fight, they need full visibility into network and endpoint operations. That visibility will not come from traditional endpoint antivirus, which is designed to stay silent unless it is capturing and quarantining malware. This traditional approach leaves endpoints opaque to security staff, and attackers use that opacity to hide their activity. The opacity extends backwards and forwards in time: your security staff do not know what was running across your endpoint population in the past, what is running now, or what to expect in the future. If diligent staff find clues that warrant a forensic look back for attacker traces, the antivirus suite cannot help; it took no action at the time, so it recorded no events.

Continuous endpoint monitoring, in contrast, is always working: it provides real time visibility into endpoint operations, forensic look back to act on newly emerging evidence of attacks and find indicators earlier, and a baseline of normal operation so that it knows what to expect and can flag anomalies in the future. Beyond plain visibility, continuous endpoint monitoring offers informed visibility by applying behavioral analytics to spot operations that look irregular. The analytics continuously analyze and aggregate anomalies, report them to SOC staff through the organization's security information and event management (SIEM) system, and flag the most worrying of them for attention and action. Continuous endpoint monitoring amplifies and scales human intelligence rather than replacing it. It is rather like the old Sesame Street game, "One of these things is not like the other."

A child can play that game. It is easy because most items (high prevalence) look alike, while one or a few (low prevalence) are different and stand out. The distinctive actions taken by attackers have been remarkably consistent over decades of hacking. The Carbanak technical reports that listed the indicators of compromise are good examples of this and are discussed in part 3 of this series. When continuous endpoint monitoring analytics surface these patterns it is easy to recognize something suspicious or unusual. Security staff can perform rapid triage on the unusual patterns and quickly reach a yes/no/maybe decision, separating uncommon but known good activity from malicious activity and from activity that needs further monitoring and deeper forensic examination to confirm.

Attackers cannot pre-test their attacks against this kind of defense. Continuous endpoint monitoring combines a non-deterministic risk analytics component (which flags suspect activity) with a non-deterministic human component (which triages the alerts). Depending on current activity, the endpoint population mix and the experience of the security staff, developing attack activity may or may not be uncovered; this is the nature of cyber warfare and there are no guarantees. But if your defenders are equipped with continuous endpoint monitoring analytics and visibility, they will have an unfair advantage.


Charles Leaver – First Part Of Carbanak Case Study And The Benefits Of Continuous Endpoint Monitoring


Presented By Charles Leaver And Written By Dr Al Hartmann


Part 1 in a 3 part series



Carbanak APT Background Particulars

A billion dollar bank heist by a group of unknown cyber criminals, targeting more than a hundred banks around the world, has been in the news. The attacks on the banks began in early 2014 and have been spreading around the world. Most victims suffered serious breaches across numerous endpoints for months before experiencing any financial loss. Most had implemented security measures, including network and endpoint security software, but these provided little warning of or defense against the attacks.

Several security companies have produced technical reports on the incidents, codenamed either Carbanak or Anunak, listing the indicators of compromise they observed. The companies include:

Fox-IT from Holland
Group-IB from Russia
Kaspersky Laboratory of Russia

This post serves as a case study of the attacks and addresses two questions:

1. Why were the standard endpoint security and network security in place unable to detect and resist the attacks?
2. Why would continuous endpoint monitoring (as provided by the Ziften solution) have given early warning of the endpoint attacks and triggered a response to prevent data loss?

Standard Endpoint Security And Network Security Is Ineffective

Based on a legacy security model that relies too heavily on blocking and prevention, traditional endpoint and network security does not offer a balanced strategy of blocking, prevention, detection and response. It is not difficult for a cyber criminal to pre-test an attack against the limited number of standard endpoint and network security products to make sure it will not be detected. Many attackers have researched the security products in place at victim organizations and become proficient at getting through them undetected. The criminals know that most of these products only react to an event and otherwise do nothing. This means that normal endpoint operation remains largely opaque to IT security staff, and malicious activity stays masked (having already been tested by the attackers to avoid detection). After the initial breach, the attack can spread to users with higher privileges and to more sensitive endpoints. This is easily achieved by stealing credentials, for which no malware is needed, and by driving conventional IT tools (which the victim organization has whitelisted) with attacker written scripts. No detectable malware is present on those endpoints, so no alarms are raised. Conventional endpoint security software is far too reliant on looking for malware.

Traditional network security can be manipulated in a similar way. Attackers test their network activity against widely distributed IDS/IPS rules to avoid detection, and they carefully observe normal endpoint operation (on endpoints they have already compromised) so that their network activity stays within normal transaction windows and traffic patterns. A new command and control infrastructure is created that appears on no network address blacklist, at either the IP or the domain level. There is very little here to give the attackers away. More astute network behavioral analysis, especially when correlated with endpoint context (discussed later in this series), can be far more effective.

It is not time to give up hope. Would continuous endpoint monitoring (as provided by Ziften) have given early warning of the endpoint intrusion in time to begin stopping the attacks and avoid data loss? Find out in part 2.

Tax Season Is Coming So Defend Your Environment From A Rise In Cyber Attacks – Charles Leaver


Written by Ziften CEO Charles Leaver

There are many business seasons each year, and it is essential that company leaders understand what those periods mean for their cyber security defenses. In retail the Christmas shopping season brings a spike in consumer spending, but it is also prime time for criminals to try to steal customer data. When tax season arrives, organizations are busy preparing what is required by government agencies and accounting firms, and this can be a vulnerable time for cyber attacks.

Tax Season Represents An Opportunity For Cyber Criminals

With tax filing now digital, United States citizens no longer need to mail their returns by the due date; everything can be done over the Internet. This is faster and more convenient, but it introduces security risks that organizations need to be aware of. When large quantities of data are on the move, a golden opportunity exists for attackers to get at information that belongs to the company.

There have been cyber attacks during previous tax seasons, and this has raised concerns that the attackers will be ready and waiting again. The recent Anthem breach has led industry experts to expect an increase in tax fraud hacking. According to Forbes contributor Kelly Phillips Erb, that breach affected 80 million people and exposed a huge amount of personal data, including social security numbers.

In Connecticut, residents have been urged by the Department of Revenue Services to file their returns early and get ahead of the criminals, so that their data is not discovered and their identity stolen.

Fraudulent Activity Spotted By Tax Software

To make matters worse, there have been security concerns with one of the country's most popular tax software brands. USA Today reported that TurboTax representatives noticed an increase in criminal activity related to their software: a number of unauthorized users had been using stolen personal data to file fake state tax returns. The company temporarily stopped all users from filing state returns until an internal investigation was completed.

The fraud was subsequently found to be unrelated to a flaw in the TurboTax software, but the incident shows how hard it is for security professionals to stop tax fraud today. Even if the TurboTax software had been flawed, it probably would not affect organizations much, since they use accounting firms to handle their tax returns. Those accounting firms also have to do what they can to prevent an attack, which is why organizations must be proactive in safeguarding their sensitive data.

Staying Secure At The Business Level

When large companies prepare their tax returns they use a great many accounting staff and, in all likelihood, external firms to collate their financial information. While this is going on, more attack vectors are open to criminals, who may infiltrate the company undetected. If they succeed they gain access to company files, financial data and employee records.

If you want to secure your company this tax season, focus on cyber security best practices and implement protective measures that cover the entire enterprise environment. Traditional tools such as firewalls and antivirus are a good place to start, but more advanced options are needed for attacks that would otherwise go unnoticed. Endpoint threat detection and response is important here, because it enables the security team to find suspicious activity quickly that would otherwise go undiscovered; an attack that gets into the network unnoticed can be the start of a large scale compromise.

Cyber security measures are constantly evolving to keep pace with attacker methods. Basic network level defenses may catch many attacks, but they will not stop all of them. This is where high quality endpoint threat detection and response is needed: it provides visibility across all of a company's endpoints and can accurately distinguish malicious activity from noise, enabling the security team to better protect the company's data.


Charles Leaver – More And More Advanced Malware Attacks Are Occurring So Protect Your Network


Written by Charles Leaver, CEO, Ziften

If you doubt that malware threats are increasing, read the rest of this post. Over the past few years a number of security research studies have shown that a huge number of new malware threats are created each year. With limited security resources to cope with that volume, this is a real concern. Every organization should look carefully at its cyber security processes and look for improvements to address this genuine threat to data security.

Not all malware is the same. Some strains are more destructive than others, and security staff need to understand which threats can do real damage to their company. Security intelligence contributor George Tubin noted that some malware can be categorized as more irritating than threatening: it may degrade computer performance and require removal by tech support, but it will not cause the kind of damage that the malware used in the Target and Sony attacks did.

Advanced malware attacks should be the focus of security teams, Tubin explained. These malicious strains, few in number compared to common malware, can cause significant damage if they are allowed to penetrate an organization's network.

Tubin stated: "Due to the fact that the majority of malware detection software is created to find standard, known malware – and since standard, recognized malware represents the vast majority of enterprise malware – most companies incorrectly think they are discovering and eliminating practically all malware dangers. This is exactly what the advanced malware hackers desire them to believe. While many organizations are satisfied with their malware detection stats, this small sliver of innovative malware goes unnoticed and remains in position to trigger terrible damage."

The Integrity Of Data Is Under Serious Risk From Advanced Malware

Zero day malware threats can penetrate the network perimeter undetected and remain active in the environment for months without being seen, giving criminals ample time to reach sensitive data and steal critical information. To combat advanced malware and keep the environment safe, security staff should deploy advanced endpoint threat detection and response systems.

It is vital that organizations can monitor all of their endpoints, identify malware threats quickly and remove them. Criminals have many options when they target an organization, and the problem grows as organizations become more complex. Individual laptops can be a real gateway for criminals into the network, Tubin states: when a laptop connects to an insecure point outside the corporate environment, there is a good chance it will be compromised.

This is a real reason why security teams need to honestly assess where their greatest weaknesses are and take corrective action. Endpoint security systems that continuously monitor endpoints offer immense benefits to companies concerned about their network defenses. At the end of the day, an organization should implement cyber security processes that match its requirements and resources.



Charles Leaver – Don’t Stress Your Environment. Use A Lightweight Solution For Endpoint Security


Charles Leaver, Ziften CEO, presents a post by CTO David Shefter

If you are an organization with 5000 or more employees, it is likely that your IT Security and Operations groups are overwhelmed by the volume of data they need to sift through for just a small degree of visibility into what their users are doing on a recurring basis. Antivirus suites have been installed, USB ports have been shut off and user access restrictions have been enforced, but the risk of cyber attacks and malware problems still remains. What action do you take?

Up to 72% of advanced malware and cyber criminal intrusions take place in the endpoint environment, according to a Verizon Data Breach Report. Your business needs to ask itself first how essential its reputation is. If you take Target as an example, a malware attack cost them over $6 billion in lost market cap. Sadly the modern world places us constantly under attack from unhappy or rogue staff members, anarchists and other cyber criminals. This situation is only likely to worsen.

Your network is secured by a firewall and similar controls, but you are not able to see what is occurring past the network switch port. The only real way to address this threat is by implementing a solution that works well with and complements the existing network based solutions that are in place. Ziften (which is Dutch for “To Sift”) can provide this solution, which offers “Open Visibility” with a lightweight approach. You need to manage the whole environment, which includes servers, the network, desktops and so on, but you do not wish to add extra overhead and strain to your network. A significant Ziften commitment is that the solution will not have a negative impact on your environment, while still offering a deeply impactful visibility and security solution.

The groundbreaking software application from Ziften completely understands machine behavior and abnormalities, allowing analysts to zoom in on sophisticated hazards faster to lower dwell time to a minimum. Ziften’s solution will continuously monitor activity at the endpoint, resource consumption, IP connections, user interactions and so on. With the Ziften solution your organization will be able to determine faster the root cause of any intrusion and fix the problem.

It is a lightweight solution that is not kernel or driver based, with minimal memory use, little to no overhead at the system level and almost zero network traffic.

Driver and kernel based solutions face demanding certification requirements that can take longer than 9 months. By the time the new software is developed and certified, the OS may already be at its next release. This is a time consuming, hard to support and troublesome process.

The Ziften approach is a genuine differentiator in the marketplace. By deploying a very lightweight, non invasive agent that runs as an ordinary system service, it avoids the strain that the majority of new software solutions introduce at the endpoint. Ease of deployment leads to faster time to market, easy support, scalability, and simple solutions that do not get in the way of the user environment.

To sum up: with the current level of cyber threats, and the daily increasing danger of a cyber attack that can significantly taint your reputation, you have to implement continuous 24/7 monitoring of all your endpoint devices to make sure that you have clear visibility of any endpoint security threats, gaps, or instabilities. Ziften can deliver this to you.


Cyber Readiness Is Critical To Prevent Attacks So Enact These Five Items – Charles Leaver

Published by:

Presented by Charles Leaver, Chief Executive Officer Ziften Technologies – Written By Dr Al Hartmann

1. Security Operations Center (SOC).

You have a Security Operations Center in place with 24/7 coverage, either in house, outsourced or a mix. You do not want any gaps in coverage that might leave you open to intrusion. Handovers need to be formalized by watch managers, with suitable handover reports provided. The supervisor will provide a summary each day, which gives details of any attack detections and defensive countermeasures. If possible the attackers should be identified and distinguished by C2 infrastructure, attack method and so on, and given codenames. You are not attempting to attribute attacks here, as that would be too difficult; you are simply noting any attack activity patterns that correlate with the various attackers. It is necessary that your SOC familiarizes itself with these patterns and is able to distinguish attackers or even spot new ones.

2. Security Vendor Support Readiness.

It is not possible for your security personnel to know about all aspects of cyber security, nor to have visibility of attacks on other companies in the same market. You have to have external security support groups on standby, which might include the following:

(i) Emergency response team support: This is a short list of suppliers that will respond to the most severe cyber attacks, the ones that are headline material. You ought to ensure that one of these vendors is ready for a significant incident, and they should receive your cyber security reports on a regular basis. They should have legal forensic capabilities and working relationships with law enforcement.

(ii) Cyber threat intelligence support: This is a supplier that gathers cyber threat intelligence in your vertical, so that you can stay ahead of risks that are emerging in your vertical. This team needs to be plugged in to the dark net, looking for any indications of your organization's IP being discussed or chats between hackers discussing your company.

(iii) IoC and blacklist support: Because this covers numerous areas you will require several vendors. This includes domain blacklists, SHA1 or MD5 hash blacklists, IP blacklists, and indicators of compromise (suspect config settings, registry keys and file paths, etc). It is possible that some of your installed network or endpoint security services can supply these, or you can select a third party specialist.

(iv) Reverse engineering support: A supplier that focuses on the analysis of binary samples and provides comprehensive reports on their content, any potential risk and the malware family involved. Your present security vendors may provide this service if they specialize in reverse engineering.

(v) Public relations and legal support: If you were to suffer a significant breach then you want to ensure that public relations and legal support are in place, so that your CEO, CIO and CISO do not become a case study for students at Harvard Business School on how not to handle a significant cyber attack.

3. Inventory of your assets, category and readiness for security.

You have to guarantee that all of your cyber assets have been inventoried, their relative values categorized, and cyber defences appropriate to each asset category's value put in place. Do not rely entirely on the assets known to the IT team; employ a business unit sponsor for asset identification, particularly for assets hidden in the public cloud. Also make sure key management procedures are in place.

4. Attack detection and diversion readiness.

For each of the significant asset categories you can create replicas using honeypot servers to draw attackers in and make them reveal their attack techniques. When Sony was attacked, the hackers found a domain server that actually had a file called ‘passwords.xlsx’ which contained cleartext passwords for the company's servers. This is a good ruse to turn around: place such lures in tempting locations and alarm them, so that when they are accessed alarms sound immediately, giving you an instant attack intelligence system. Modify these lures often so that they appear active and do not look like an obvious trap. As the majority of servers are virtual, hackers will not be as prepared with sandbox evasion techniques as they would be on client endpoints, so you might be fortunate and actually watch the attack occurring.

5. Monitoring readiness and continuous visibility.

Network and endpoint activity should be monitored continuously and made visible to the SOC team. Because many client endpoints are mobile and therefore outside the organization's firewall, activity at these endpoints must also be monitored. Endpoint monitoring is the only reliable way to perform process attribution for observed network traffic, because protocol fingerprinting at the network level cannot always be trusted (it can be spoofed by attackers). Monitored data needs to be saved and archived for future reference, as a number of attacks cannot be identified in real time. There will be a need to rely on metadata more often than on full packet capture, since full capture imposes a substantial collection overhead. However, a variety of dynamic, threat based monitoring controls can keep the collection overhead low while still responding to major threats with more granular observations.
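As an added example tying items 4 and 5 together (this is illustrative code, not Ziften's product or anything from the original post): a small detector that reads endpoint audit events, alarms when any process touches a planted decoy file, and attributes the access to the user and process. The JSON event fields, the decoy paths and the `svc-lure-refresh` account that rotates the lures are assumptions made for the example.

```python
"""Decoy-file access alarm over endpoint audit events (added example).

Assumes audit events arrive as JSON lines with the fields
ts, host, user, process, path and op (assumed schema).
"""
import json
from dataclasses import dataclass
from typing import Optional

# Decoy files planted as lures (assumed paths; nothing legitimate reads them).
DECOY_PATHS = {p.lower() for p in (
    r"\\fs01\finance\passwords.xlsx",
    r"\\fs01\it\vpn_credentials.txt",
)}
# Account that refreshes the lures so they look active (assumed name).
LURE_MAINTAINER = "svc-lure-refresh"

@dataclass(frozen=True)
class Alarm:
    ts: str
    host: str
    user: str      # who touched the lure
    process: str   # which process did it (endpoint-side attribution)
    path: str
    op: str

def check_event(event: dict) -> Optional[Alarm]:
    """Return an Alarm if this event touches a decoy path, else None."""
    if event.get("path", "").lower() not in DECOY_PATHS:
        return None
    # The refresh job *writing* a lure is expected maintenance; any read,
    # and any write by anyone else, is an alarm.
    if event.get("user") == LURE_MAINTAINER and event.get("op") == "write":
        return None
    return Alarm(event["ts"], event["host"], event["user"],
                 event["process"], event["path"], event["op"])

def scan(lines) -> list:
    """Run check_event over raw log lines, skipping blank/malformed ones."""
    alarms = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a real pipeline would count and report these
        alarm = check_event(event)
        if alarm:
            alarms.append(alarm)
    return alarms

# Constructed sample events (not real telemetry). Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"ts":"2014-10-02T03:14:05Z","host":"ws-117","user":"jdoe","process":"excel.exe","path":"\\\\fs01\\finance\\q3_report.xlsx","op":"read"}
{"ts":"2014-10-02T03:14:09Z","host":"fs01","user":"svc-lure-refresh","process":"lure_rotate.ps1","path":"\\\\fs01\\finance\\passwords.xlsx","op":"write"}
{"ts":"2014-10-02T03:21:44Z","host":"ws-042","user":"jdoe","process":"powershell.exe","path":"\\\\FS01\\Finance\\passwords.xlsx","op":"read"}
"""
```

Only the third event raises an alarm: the report names the host, user and process, which is exactly the attribution that network-level monitoring alone cannot supply.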

Charles Leaver – The City Of Chicago Is More Prone To Data Breaches Than Any Other City

Published by:

From the desk of Charles Leaver CEO Ziften Technologies

If you live in Chicago, or run a business or work there, you should pay attention to a report which reveals that Chicago is one of the most vulnerable cities in the U.S.A. for cyber attacks. The National Consumers League, a Washington, D.C. based consumer advocacy group, published the report, as noted by The Chicago Sun-Times. The report exposed some worrying findings, among them that 43% of the city's population reported that their information had been stolen and then used to make purchases on the Internet. This suggests that cyber criminals are becoming more forward thinking when it comes to stealing personal data.

So if you suffer a cyber attack on your business you should expect the stolen data to be used for harmful purposes. The National Consumers League vice president of public policy, John Breyault, said “Chicago residents who get a data-breach alert need to pay specific attention to purchases made online (in their name).”

The residents of Chicago are not sitting idle and simply dismissing this important report. The Illinois Attorney General, Lisa Madigan, is leading efforts to establish a federal group with responsibility for examining data security incidents, so states CBS Chicago. Madigan's office is examining the attacks on Neiman Marcus and Target, among others, and Madigan feels that with the current severity of attacks the government needs to take responsibility and deal with the problem.

Madigan stated “It simply makes sense that someone has to take the responsibility in this day and age for putting in place security standards for our personal monetary info, because otherwise you have disturbance and a significant effect, potentially, to the general market.” The time frame for establishing this group is unclear at present. Making things occur at the federal level can be extremely slow.

Endpoint Threat Detection And Response System Will Offer Protection.

If you run a company in Chicago (or elsewhere) then there is no need for you to wait for this federal group to be established before protecting your company's network. It is recommended that you put endpoint detection and response software in place, because this will provide significant security for your network and make it essentially cyber attack proof. If you fail to take advantage of robust endpoint threat detection and response systems then you are leaving the door wide open for cyber criminals to enter your network and cause you a lot of trouble.