Charles Leaver – Risk And Security Require Proper Management

Written By Roark Pollock And Presented By Charles Leaver Ziften CEO


Risk management and security management have long been treated as separate functions, often carried out by different functional teams within a company. Recognition of the need for continuous visibility and control across all assets has increased interest in finding common ground between these disciplines, and the availability of a new generation of tools is enabling that effort. The discussion is timely given the continued difficulty most enterprises have attracting and retaining qualified security staff to manage and protect IT infrastructure. Consolidating activity can help make better use of these valuable people, reduce costs, and help automate response.

Historically, risk management has been viewed as an offensive mandate and is generally the domain of IT operations teams. Often described as “systems management”, IT operations teams actively perform device state and posture monitoring, policy enforcement, and vulnerability management. The goal is to proactively reduce potential threats. Activities that further risk reduction and are performed by IT operations include:

Offensive Threat Mitigation – Systems Management

Asset discovery, inventory, and refresh

Software discovery, usage tracking, and license justification

Mergers and acquisition (M&A) risk assessments

Cloud workload migration, monitoring, and enforcement

Vulnerability assessments and patch installs

Proactive help desk or systems analysis and problem response/repair

On the other side of the field, security management is viewed as a defensive strategy and is normally the domain of security operations teams. These teams are typically responsible for threat detection, incident response, and remediation. The goal is to respond to a threat or breach as quickly as possible in order to minimize the impact on the organization. Activities that fall directly under security management and are performed by security operations include:

Defensive Security Management – Detection and Response

Threat detection and/or threat hunting

User behavior monitoring / insider threat detection and/or hunting

Malware analysis and sandboxing

Incident response and threat containment/removal

Lookback forensic investigations and root cause determination

Tracing lateral threat movement and further threat removal

Data exfiltration determination

Successful businesses, of course, need to play both offense AND defense equally well. This requirement is pushing organizations to recognize that IT operations and security operations have to be as aligned as possible. So, as much as possible, it helps if the two teams work from the same playbook, or at least from the same data or single source of truth. That means both teams should strive to use some of the same analytic and data collection tools and methods when managing and securing their endpoint systems. And if organizations rely on the same staff for both tasks, it certainly helps if those people can pivot between the two jobs within the same tools, leveraging a single data set.

Each of these offensive and defensive tasks is vital to protecting a company’s intellectual property, reputation, and brand. In fact, managing and prioritizing these tasks is what often keeps CIOs and CISOs up at night. Organizations must identify opportunities to align and consolidate teams, technologies, and policies as much as possible to ensure they are focused on the most pressing need along the current risk and security management spectrum.

When it comes to managing endpoint systems, it is clear that organizations are moving toward an “all the time” visibility and control model that enables continuous risk assessment, continuous threat monitoring, and continuous performance management.

Thus, organizations should look for these three key capabilities when evaluating new endpoint security systems:

Solutions that provide “all the time” visibility and control for both IT operations teams and security operations teams.

Solutions that provide a single source of truth that can be used both offensively for risk management and defensively for security detection and response.

Architectures that integrate easily into existing systems management and security tool environments to deliver even greater value for both IT and security teams.

Charles Leaver – What Happened At Black Hat And Defcon 2017

Written by Michael Vaughn And Presented By Ziften CEO Chuck Leaver


Here are my experiences from Black Hat 2017. There is a slight addition to this year’s summary, partly because of the theme of the opening keynote given by Facebook’s Chief Security Officer, Alex Stamos. Stamos spoke about the value of refocusing the security community’s efforts on working better together and diversifying security solutions.

“Working better together” is something of an oxymoron when you consider the intense competition among the many security businesses fighting for customers at Black Hat. Based on Stamos’s message in this year’s opening keynote, I felt it important to add some of my experiences from Defcon too. Defcon has traditionally been an event for learning, and it includes independent hackers and security specialists. Last week’s Black Hat theme focused on the social element of how companies should get along and genuinely help others and one another, which has always been the overarching message of Defcon.

People arrived from all over the world this time:

Jeff Moss, aka ‘Dark Tangent’, the founder of Black Hat and Defcon, also wants that to be the theme: you come to help people gain knowledge and learn from others. Moss wants attendees to remain ‘nice’ and ‘helpful’ throughout the conference. That is on par with what Alex Stamos of Facebook conveyed in his keynote about security companies. Stamos asked that we all share in the duty of helping those who cannot help themselves. He also raised another valid point: are we doing enough in the security industry to really help people, rather than simply doing it to make a profit? Can we achieve the goal of truly helping people? Such is the juxtaposition of the two events. The main difference between Black Hat and Defcon is the more corporate consistency of Black Hat (from vendor hall to presentations) versus the true hacker community at Defcon, which showcases the creative side of what is possible.

The company I work for, Ziften, provides Systems and Security Operations software, giving IT and security teams visibility and control across all endpoints, on or off the corporate network. We also have a pretty sweet sock game!

Many attendees showed their Ziften support by wearing previous years’ Ziften sock designs. Looking good, feeling good!

The idea of joining forces to fight the corrupt is something most attendees from around the world embrace, and we are no different. Here at Ziften, we aim to really help our customers and the community with our solutions. Why sell or rely on a solution that is limited to just what’s inside the box, one that offers a single or handful of specific functions? Our software is a platform for integration and provides modular, individualized security and operational solutions. The entire Ziften team takes the creativity from Defcon, and we push ourselves to try to build new, custom features and forensic tools where traditional security businesses would shy away or simply stay consumed by day-to-day tasks.

Delivering all-the-time visibility and control for any asset, anywhere is one of Ziften’s primary focuses. Our unified systems and security operations (SysSecOps) platform empowers IT and security operations teams to quickly fix endpoint problems, reduce overall risk posture, speed threat response, and increase operations productivity. Ziften’s secure architecture delivers continuous, streaming endpoint monitoring and historical data collection for enterprises, governments, and managed security providers. And in keeping with 2017’s Black Hat theme of working together, Ziften’s partner integrations extend the value of incumbent tools and fill the gaps between siloed systems.

The press is not allowed to take pictures of the Defcon crowd, but I am not the press and this was before entering a badge-required area :P The Defcon masses and goons (Defcon staff wearing red shirts) were at a dead stop for a solid twenty minutes awaiting initial access to the four huge Track meeting rooms on opening day.

The Voting Machine Hacking Village got a great deal of attention at the event. It was interesting but nothing new for veteran attendees. I suppose it takes something noteworthy to gather attention around specific vulnerabilities. All vulnerabilities for most of the talks, and specifically this village, had already been disclosed to the appropriate authorities before the event. Let us know if you need help locking down any of these (looking at you, government folks).

More and more personal data is becoming available to the public. For example, Google and Twitter APIs are easily and openly available to query user data metrics. This data is making it much easier for hackers to social engineer targeted attacks on individuals, particularly persons of power and rank such as judges and executives. This presentation, titled Dark Data, showed how a simple yet brilliant de-anonymization algorithm and some data enabled these two white hats to identify people with extreme precision and discover very personal details about them. It should make you think twice about what you have installed on your systems and about the people in your work environment. Most of the above raw metadata was collected through a popular browser add-on; the fine tuning happened with the algorithm and public APIs. Do you know what browser add-ons are running in your environment? If the answer is no, then Ziften can help.

This presentation was clearly about exploiting Point-of-Sale systems. Although rather humorous, it was a little frightening how quickly one of the most commonly used POS systems can be hacked. This particular POS hardware is most commonly used when paying in a taxi. The base operating system is Linux, and although it runs on an ARM architecture and is protected by hardened firmware, why would a business risk leaving the security of customer credit card details solely in the hands of the hardware vendor? If you are looking for additional protection on your POS systems, look no further than Ziften. We protect the most commonly used enterprise operating systems. If you want to do the fun thing and install the video game Doom on one, I can send you the slide deck.

This speaker’s slides were off the charts. What wasn’t great was how exploitable macOS is during the installation of common applications. Generally, each time you install an application on a Mac it requires the entry of your escalated privileges. But what if something were to slightly modify code a moment before you enter your Administrator credentials? Well, most of the time, probably something bad. Worried about your Macs running malware clever enough to detect and alter code in common vulnerable applications before you or your user base enter credentials? If so, we at Ziften Technologies can help.

We help you without replacing all of your toolset, although we often find ourselves doing just that. Our goal is to use the guidance and existing tools that work from numerous vendors, ensure they are installed and running, ensure the prescribed hardening is indeed intact, and ensure your operations and security teams work more efficiently together to achieve a tighter security matrix throughout your environment.

Key Takeaways from Black Hat & Defcon 2017:

1) Stronger together

– Alex Stamos’s keynote
– Jeff Moss’s message
– Visitors from all over the world working together
– Black Hat should keep a friendly community spirit

2) Stronger together with Ziften

– Ziften plays nice with other software vendors

3) Popular recent vulnerabilities Ziften can help prevent and solve

– Point-of-Sale access
– Voting machine tampering
– Escalating macOS privileges
– Targeted attacks on individuals

Charles Leaver – Who Would Have Thought That Watching A Movie With Subtitles On Your Device Would Be A Security Risk?

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Do you like watching movies with popular apps like VLC or Kodi on your devices or SmartTV? How about needing or wanting subtitles with those movies and simply grabbing the latest pack from OpenSubtitles? No problem, sounds like a good night at home. Problem is, according to research by Check Point, there could be a nasty surprise waiting for you.

For hackers to take control of your ‘world’, they need a vector, some way to gain entry to your system. There are some common ways that happens nowadays, such as clever (and not so clever) social engineering techniques: you get emails that appear to come from friends or co-workers but were spoofed, you open an attachment or visit some site, and if the stars line up, you are pwned. Normally the star alignment part is not that hard; it only takes some vulnerable software running that can be reached.

Since the trick is getting users to cooperate, the target audience can sometimes be hard to find. However, with this latest research, several of the major media players have a unique vulnerability when it comes to loading and decoding subtitle packs. The four main media players named in the post are patched to date, but as we have seen in the past (just look at the recent SMB v1 vulnerability issue), just because a fix is available doesn’t mean users are updating. The research has also withheld the technical details of the vulnerability to give other vendors time to patch. That is a good sign and the right approach I believe researchers should take: notify the vendor so they can fix the problem, and announce it publicly so ‘we the people’ are informed and know what to look out for.

It’s hard to keep up with the many ways you can get infected, but at least we have researchers who tirelessly try to ‘break’ things to find those vulnerabilities. By following proper disclosure practices, they help everyone enjoy a safer experience with their devices, and in this case, a good night in watching movies.

Charles Leaver – Worried About Endpoint Products Integrating With Your Security Architecture? Not With Ziften

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


Security professionals are by nature a cautious bunch. Caution is a trait most people entering this industry likely already have, given its mission, but it is also certainly a trait that is acquired over time. Ironically, this holds true even when it comes to adding extra security precautions to an already established security architecture. While one might assume that more security is better security, experience teaches us that’s not necessarily the case. There are in fact numerous concerns associated with deploying a new security product, and one that usually appears near the top of the list is how well the new product integrates with incumbent products.

Integration concerns come in a number of flavors. First and foremost, a new security control should not break anything. In addition, new security solutions should willingly share threat intelligence and act upon threat intelligence collected across the organization’s entire security infrastructure. In other words, the new security tools must work together with the existing ecosystem of tools such that “1 + 1 = 3”. The last thing most IT and security operations teams need is more siloed products and tools.

This is why, at Ziften, we have always focused on building and delivering an entirely open visibility architecture. We believe that any new systems and security operations tools have to be designed with improved visibility and information sharing as key design requirements. But this isn’t a one-way street. Building standard integrations requires technology partnerships with industry vendors. We consider it our duty to work with other technology companies to mutually integrate our solutions, making it easy on customers. Unfortunately, many vendors still believe that integration of security solutions, especially new endpoint security solutions, is extremely difficult. I hear the concern constantly in customer conversations. However, data is now emerging showing this isn’t necessarily the case.

In recent survey work by NSS Labs on “advanced endpoint” solutions, they report that Global 2000 customers based in North America have been pleasantly surprised by how well these products integrate into their established security architectures. According to the NSS study titled “Advanced Endpoint Protection – Market Analysis and Survey Results CY2016”, which NSS subsequently presented in a BrightTalk webinar, respondents that had already deployed advanced endpoint products were far more positive about their ability to integrate into existing security architectures than respondents that were still in the planning stages of purchasing these products.

Specifically, respondents that have already deployed advanced endpoint products rate integration with established security architectures as follows:

● Excellent 5.3%
● Good 50.0%
● Average 31.6%
● Poor 13.2%
● Terrible 0.0%

Compare that to the more conservative responses from those still in the planning phase:

● Excellent 0.0%
● Good 39.3%
● Average 42.9%
● Poor 14.3%
● Terrible 3.6%

These responses are encouraging. Yes, as noted, security people tend to be pessimists, but in spite of low expectations respondents are reporting positive results with integration. In fact, Ziften customers usually show the same initial low expectations when we first discuss integrating Ziften products into their established ecosystem of solutions. But in the end, customers are wowed by how easy it is to share information between Ziften products and their existing infrastructure.

These survey results will hopefully help ease concerns, as newer solution adopters read and rely on peer recommendations before making purchase decisions. Early mainstream adopters are clearly having success deploying these solutions, and that will hopefully help reduce the natural cautiousness of the mainstream majority.

Certainly, there is significant differentiation between products in the space, and organizations should continue to perform proper due diligence in understanding how and where solutions integrate into their broader security architectures. But the good news is that there are solutions not only meeting customers’ needs but actually outperforming their initial expectations.

Charles Leaver – Flaw In Petya Variant Wreaks Havoc But Customers Of Ziften Protected

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Another outbreak, another headache for those who were not prepared. While this latest attack resembles the earlier WannaCry threat, there are some differences in this latest malware, which is a variant or new strain much like Petya. Called NotPetya by some, this strain has a lot of problems for anyone who encounters it. It may encrypt your data, or make the system entirely unusable. And now the email address that you would be required to contact to ‘perhaps’ decrypt your files has been taken down, so you are out of luck retrieving your files.

Many details of the actions of this threat are publicly available, but I wanted to mention that Ziften customers are protected from both the EternalBlue exploit, which is one mechanism used for its propagation, and, better still, by a vaccine based on a possible flaw, or its own kind of debug check, that prevents the threat from ever executing on your system. It could still spread within the environment, but our protection would already be deployed to all existing systems to stop the damage.

Our Ziften extension platform enables our customers to have protection in place against certain vulnerabilities and malicious actions for this threat and others like Petya. Besides the specific actions taken against this particular variant, we have taken a holistic approach to stopping particular strains of malware that perform numerous ‘checks’ against the system before running.

We can also use our Search capability to look for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines, and their usage. Even though they are legitimate processes, their use is generally uncommon and can be alerted on.
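The hunt described above, written out as an added example (this is not Ziften’s code or the Zenith Search feature): a small classifier that runs over process-creation events, flags WMIC remote process creation and PsExec launches or its service-side artifact, suppresses ordinary local WMIC use on hosts where admin tooling is expected, and extracts the remote targets named on the command lines so the scope of spread can be pivoted on. The event field names, hostnames, the admin-host allowlist and the sample records are all constructed for this illustration, and the payload paths are obvious placeholders.

```python
"""Added example: hunting WMIC/PsExec remote-execution artifacts in
constructed process-creation events. Field names, hosts and thresholds
are assumptions for illustration, not any product's real schema."""
import ntpath
import re

# Constructed sample events (not real telemetry). Payload names are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jsmith", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": 'wmic /node:"FS-01" process call create '
                '"rundll32.exe C:\\Windows\\EXAMPLE_PAYLOAD.dll,#1"'},
    {"host": "WS-0142", "user": "CORP\\jsmith", "parent": "cmd.exe",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\psexec.exe",
     "cmdline": "psexec.exe \\\\FS-02 -accepteula -d -s cmd.exe /c "
                "C:\\Windows\\EXAMPLE_PAYLOAD.exe"},
    {"host": "FS-02", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "ADMIN-JUMP01", "user": "CORP\\ops.admin", "parent": "powershell.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic os get caption"},
    {"host": "WS-0099", "user": "CORP\\akim", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Assumed: hosts where interactive admin tooling is normal, so plain local
# WMIC queries there are not worth an alert. Remote execution still is.
ADMIN_HOSTS = {"ADMIN-JUMP01"}

NODE_RE = re.compile(r'/node:"?([^\s",]+)"?', re.IGNORECASE)  # wmic /node:TARGET
UNC_RE = re.compile(r"\\\\([^\s\\]+)")                         # psexec \\TARGET


def classify(event):
    """Return a rule/severity dict for a suspicious event, or None."""
    name = ntpath.basename(event["image"]).lower()
    cl = event["cmdline"].lower()
    if name == "wmic.exe":
        if "process call create" in cl:
            # Spawning a process via WMI; with /node: it is on another machine.
            return {"rule": "WMIC process creation",
                    "severity": "high" if "/node:" in cl else "medium"}
        if event["host"] in ADMIN_HOSTS:
            return None
        return {"rule": "WMIC use outside admin hosts", "severity": "low"}
    if name in ("psexec.exe", "psexec64.exe"):
        return {"rule": "PsExec launched", "severity": "high"}
    if name == "psexesvc.exe":
        # Service PsExec installs on the *target*; seeing it marks a victim.
        return {"rule": "PsExec service running on target", "severity": "high"}
    return None


def hunt(events):
    """Classify every event; keep host/user/command line for the analyst."""
    alerts = []
    for e in events:
        hit = classify(e)
        if hit:
            alerts.append({**hit, "host": e["host"], "user": e["user"],
                           "cmdline": e["cmdline"]})
    return alerts


def remote_targets(alerts):
    """Hosts named as remote targets on alerted command lines (scope of spread)."""
    targets = set()
    for a in alerts:
        targets.update(NODE_RE.findall(a["cmdline"]))
        targets.update(UNC_RE.findall(a["cmdline"]))
    return targets


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['severity']}] {a['rule']}: {a['host']} {a['user']} :: {a['cmdline']}")
    print("remote targets to check next:", sorted(remote_targets(found)))
```

The allowlist is the part to tune per environment: the post’s point is that these tools are legitimate but rare, so the goal is to make their ordinary use explicit and alert on everything else, and to treat a target named on a command line as the next host to investigate.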

With WannaCry, and now NotPetya, we expect to see a continued increase in these types of attacks. The release of the recent NSA exploits has given ambitious hackers the tools needed to push out their wares. And though ransomware threats can be a high-value commodity vehicle, more harmful threats could be launched. It has always been ‘how’ to get the threats to spread (worm-like, or social engineering) that is most challenging for them.

Charles Leaver – UK Parliament Play The Blame Game Instead Of Fixing Insecurities

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


In cyberspace the sheep get shorn, chumps get chewed, dupes get deceived, and pawns get pwned. We’ve seen another fine example of this in the recent attack on the UK Parliament email system.

Rather than admit to an email system that was not secure by design, the official statement read:

Parliament has strong measures in place to safeguard all of our accounts and systems.

Tell us another one. The one protective measure we did see at work was blame deflection: pin it on the Russians, that always works, while implicating the victims for their policy violations. While details of the attack are scarce, combing various sources does help to assemble at least the gross outlines. If these stories are reasonably close, the UK Parliament email system failings are scandalous.

What went wrong in this case?

Rely on single-factor authentication

“Password security” is an oxymoron: anything protected by a password alone is insecure, period, irrespective of the strength of the password. Please, no 2FA here, it might hinder attacks.

Do not enforce any limit on failed login attempts

Facilitated by single-factor authentication, this permits easy brute force attacks, no skill required. But when attacked, blame elite state-sponsored hackers; no one can verify.

Do not perform brute force attack detection

Allow attackers to conduct (otherwise trivially detectable) brute force attacks for extended periods (12 hours against the UK Parliament system) to maximize the scope of account compromise.

Do not enforce policy, treat it as mere guidance

Combined with single-factor authentication, no limit on failed logins, and no brute force attack detection, do not enforce any password strength validation. Supply attackers with extremely low-hanging fruit.

Rely on anonymous, unencrypted email for sensitive communications

If attackers do succeed in compromising email accounts or sniffing your network traffic, provide plenty of opportunity for them to score high-value message content entirely in the clear. This also conditions constituents to trust easily spoofable email from Parliament, creating an ideal constituent phishing environment.
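To make the second and third failings concrete, here is an added example (not from the original post and not any product’s code) that runs over a constructed authentication log: one detector raises an alert when a single source produces many failures spread across several accounts within a short window, which is the “trivially detectable” pattern a prolonged campaign leaves behind; a second function replays the same log under a failed-login lockout policy to show how many attempts, including the eventual successful guess, would have been refused. The log format, the IP addresses and account names, and the thresholds (10-minute window, 8 failures, 3 accounts, lockout after 5 failures for 30 minutes) are all assumptions chosen for the illustration.

```python
"""Added example: brute-force detection and lockout replay over a
constructed auth log. Log format, thresholds and sample data are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source guessing across many accounts until one
# password lands, and one ordinary user who mistypes twice and then succeeds.
SAMPLE_LOG = """\
2017-06-23T22:00:01Z auth fail user=alice.mp src=203.0.113.9
2017-06-23T22:00:03Z auth fail user=bob.mp src=203.0.113.9
2017-06-23T22:00:05Z auth fail user=carol.mp src=203.0.113.9
2017-06-23T22:00:07Z auth fail user=alice.mp src=203.0.113.9
2017-06-23T22:00:09Z auth fail user=bob.mp src=203.0.113.9
2017-06-23T22:00:11Z auth fail user=dave.mp src=203.0.113.9
2017-06-23T22:00:13Z auth fail user=alice.mp src=203.0.113.9
2017-06-23T22:00:15Z auth fail user=erin.mp src=203.0.113.9
2017-06-23T22:00:17Z auth fail user=alice.mp src=203.0.113.9
2017-06-23T22:00:19Z auth fail user=carol.mp src=203.0.113.9
2017-06-23T22:00:21Z auth fail user=alice.mp src=203.0.113.9
2017-06-23T22:00:23Z auth success user=alice.mp src=203.0.113.9
2017-06-24T08:15:02Z auth fail user=frank.mp src=198.51.100.20
2017-06-24T08:15:10Z auth fail user=frank.mp src=198.51.100.20
2017-06-24T08:15:20Z auth success user=frank.mp src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>fail|success) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Turn the assumed log format into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production parser should count and report unparsed lines
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_brute_force(events, window=timedelta(minutes=10),
                       min_failures=8, min_users=3):
    """Per source: alert once >= min_failures failed logins over >= min_users
    distinct accounts fall inside a sliding `window`. One alert per source,
    raised at the moment the thresholds are first crossed."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            run = fails[start:end + 1]
            users = {e["user"] for e in run}
            if len(run) >= min_failures and len(users) >= min_users:
                alerts.append({"src": src, "failures": len(run), "accounts": len(users),
                               "first": run[0]["ts"], "last": run[-1]["ts"]})
                break
    return alerts


def apply_lockout(events, max_failures=5, lockout=timedelta(minutes=30)):
    """Replay events under an assumed lockout policy: after `max_failures`
    consecutive failures an account refuses every attempt for `lockout`.
    Returns (attempts refused, accounts that were locked)."""
    fail_count = defaultdict(int)
    locked_until = {}
    refused, locked_accounts = 0, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        u = e["user"]
        if u in locked_until and e["ts"] < locked_until[u]:
            refused += 1          # includes any correct guess made while locked
            continue
        if e["result"] == "fail":
            fail_count[u] += 1
            if fail_count[u] >= max_failures:
                locked_until[u] = e["ts"] + lockout
                locked_accounts.add(u)
                fail_count[u] = 0
        else:
            fail_count[u] = 0     # a real login resets the counter
    return refused, locked_accounts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_brute_force(evs):
        print(f"ALERT {a['src']}: {a['failures']} failures over {a['accounts']} "
              f"accounts between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    refused, locked = apply_lockout(evs)
    print(f"lockout policy would have refused {refused} attempt(s); locked: {sorted(locked)}")
```

Two things the replay makes visible: the legitimate user who fumbles twice is never locked, and the guessing source trips the detector within seconds, so the same campaign run for twelve hours would have produced a very long and very obvious alert trail. Lockout alone is not a complete answer (an attacker can use it to lock real users out), which is why the post pairs it with detection and, above all, with a second authentication factor.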

Lessons learned

In addition to adding “Common Sense for Dummies” to their summer reading lists, the UK Parliament email system administrators may wish to take further actions. Reinforcing weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely reassessing secure messaging are suggested actions. Penetration testing would have uncovered these fundamental weaknesses while staying out of the news headlines.

Even a couple of clever high schoolers with a free weekend could have replicated this attack. And lastly, stop blaming the Russians for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some party somewhere across the global internet. All the more incentive to find and fix those weak points before the attackers do, so turn those pen testers loose. And then, if your defenders can’t see the attacks in progress, upgrade your monitoring and analytics.

Charles Leaver – IT And Security Working Closer Together With SysSecOps

Written By Charles Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with numerous organizations, he understood that one of the biggest obstacles is that security and operations are two different departments, with significantly different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, just completed a study, “Endpoint Security and SysSecOps: The Growing Pattern to Develop a More Secure Business”, where one of the key findings was that conflicting IT and security objectives prevent professionals, on both teams, from achieving their goals.

That’s exactly what we believe at Ziften, and the term Scott coined for the convergence of IT and security in this domain, SysSecOps, describes perfectly what we have been talking about. Security teams and IT teams must get on the same page. That means sharing the same objectives and, in some cases, sharing the same tools.

Think about the tools IT people use. They are designed to make sure the infrastructure and end devices are working properly and, when something fails, to help repair it. On the endpoint side, those tools ensure that devices allowed onto the network are configured correctly, have software that is authorized and properly updated/patched, and haven’t recorded any faults.

Think about the tools security people use. They work to enforce security policies on devices, infrastructure, and security devices (like firewalls). This may include actively monitoring incidents, scanning for abnormal behavior, examining files to ensure they don’t contain malware, adopting the latest threat intelligence, matching against newly discovered zero-days, and performing analysis on log files.

Finding fires, fighting fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, can work rapidly to isolate the issue, and can determine whether harm occurred (like data exfiltration). The IT teams are the firefighters on the ground: they leap into action when an incident strikes to ensure that the systems are secure and brought back into operation.

Sounds great, doesn’t it? Unfortunately, all too often they don’t talk to each other. It is like having the fire spotters and firefighters using different radios, different jargon, and different city maps. Worse, the teams can’t share the same data directly.

Our approach to SysSecOps is to provide both the IT and security teams with the same resources, which means the same reports, presented in the appropriate ways to each set of professionals. It’s not dumbing down, it’s working smarter.

It’s ludicrous to operate any other way. Take the WannaCry infection, for instance. On one hand, Microsoft released a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn’t install the patch because they didn’t think it was a big deal and didn’t talk to security. Security teams didn’t know whether the patch was installed because they don’t talk to operations. SysSecOps would have had everyone on the same page, and could have possibly prevented this problem.

Missing data means waste and risk

The dysfunctional gap between IT operations and security exposes companies to risk. Avoidable risk. Unnecessary risk. It’s simply unacceptable!

If your organization’s IT and security teams aren’t on the same page, you are incurring risks and costs that you shouldn’t have to. It’s waste. Organizational waste. It’s wasteful because you have so many tools providing partial data with gaps, and each of your teams sees only part of the picture.

As Scott concluded in his report, “Coordinated SysSecOps visibility has already shown its worth in helping organizations examine, analyze, and avoid substantial dangers to IT systems and endpoints. If these objectives are pursued, the security and management risks to an IT system can be considerably lessened.”

If your teams are working together in a SysSecOps manner, if they can see the same data at the same time, you not only have better security and more efficient operations but also lower risk and lower costs. Our Zenith software can help you achieve that efficiency, not only working with your existing IT and security tools but also filling in the gaps to make sure everyone has the right data at the right time.

Charles Leaver – WannaCry Detection And Response With Ziften And Splunk

Written by Joel Ebrahami and presented by Charles Leaver


WannaCry has generated a great deal of media attention. It may not have the massive infection rates we saw with many of the previous worms, but in the current security world the number of systems it was able to infect in a single day was still quite remarkable. The objective of this blog post is NOT to provide a detailed analysis of the threat, but rather to look at how the threat behaves on a technical level with Ziften’s Zenith platform and the integration we have with our technology partner Splunk.

Visibility of WannaCry in Ziften Zenith

My first action was to reach out to the Ziften Labs threat research team to see what information they could provide about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, directs our research team and informed me that they had samples of WannaCry already running in our ‘Red Lab’ to look at the behavior of the threat and carry out further analysis. Josh sent me the details of what he had found when examining the WannaCry samples in the Ziften Zenith console, which I present here.

The Red Lab has systems covering all the most popular operating systems with various services and configurations. There were already systems in the lab that were purposely vulnerable to the WannaCry exploit. Our global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble spotting the virus in our lab environment (see Figure 1).

Two lab systems were identified running the malicious WannaCry sample. While it is good to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, there were other behaviors we found that would have identified the ransomware threat even if there had been no threat signature.

Zenith agents collect a large amount of data on what is happening on each host. From this visibility data, we build non-signature-based detection techniques that look for commonly malicious or anomalous behaviors. Figure 2 below shows the behavioral detection of the WannaCry ransomware.

Investigating the Scope of WannaCry Infections

Once it has been identified, either through signature or behavioral methods, it is very simple to see which other systems have also been infected or are showing similar behaviors.

WannaCry Detections with Ziften and Splunk

After reviewing these details, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this case my Zenith server was already configured to integrate with Splunk. This allowed me to look at the same data inside Splunk. First, let me be clear about what the integration with Splunk consists of.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its role is to consume and index ALL the raw data that the Ziften agents generate and the Zenith server collects. As this data arrives it is mapped into Splunk's Common Information Model (CIM) so that it is normalized, easily searched, and usable by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking actions from within Splunk ES. The second app is a dashboard that presents our data with all the charts and graphs available in Splunk, making the data much easier to digest.

Since I already had the details on how the WannaCry exploit behaved in our research lab, I had the advantage of knowing what to look for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration in our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my "incident responder hat" and investigate this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, because that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in various message types, and I knew I would most likely find SMB data in the running-process message type; however, I used Splunk's * wildcard in the Zenith sourcetype so I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As I expected, I received one result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for typical CryptoWare behavior and see if I could get results back. Again this was very easy to do from the Splunk search bar. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the ‘delete shadows’ string to see if this behavior had ever been executed at the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.

Having all this detail inside Splunk made it very easy to determine which systems were vulnerable and which had already been compromised.

WannaCry Remediation Using Splunk and Ziften

One of the next steps in any breach is to remediate the compromise as quickly as possible to prevent further damage, and to act to prevent other systems from being compromised. Ziften is one of the original Splunk Adaptive Response members, and there are a variety of actions (see Figure 7) that can be taken through Splunk's Adaptive Response to mitigate these threats through extensions on Zenith.

In the case of WannaCry we could have used almost any of the Adaptive Response actions currently available through Zenith. When trying to minimize the impact and prevent WannaCry in the first place, one action that can be taken is to shut down SMB on any systems running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action Splunk can pass to Zenith the agent IDs or IP addresses of all the vulnerable systems on which we want to stop the SMB service, preventing the threat from ever occurring and allowing the IT Operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the case that we have already been compromised, it is vital to prevent further exploitation and stop the possible exfiltration of sensitive information or company intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process either by PID (process ID) or by its hash. This works, but since malware will often just respawn under a new process, or be polymorphic and have a different hash, we can use an action that is guaranteed to prevent any inbound or outbound traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften's integration with Splunk ES.
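The two hunts from the Threat Hunting section (the wildcard-sourcetype search for "smb" and the "delete shadows" command-line search) and the response choices described above (stop SMB on exposed hosts, quarantine compromised ones rather than only killing by PID or hash) can be put together as one small script. The following is an added example written for this post, not code from Ziften, Splunk or the original article: it runs over constructed Zenith-style JSON events, and the event schema, field names ("message_type", "display_name", "patched"), host names and hash placeholders are all assumptions made for the illustration, not Ziften's real data model.

```python
"""
Added example (not Ziften's or Splunk's code): a Python hunt over constructed
Zenith-style endpoint events that reproduces the two Splunk searches from the
post and then sorts hosts into the Adaptive Response buckets it describes.
Schema, field names, host names and hashes are assumptions for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed sample events as JSON lines (assumed schema). "patched" stands in
# for whether the vendor fix for the SMB vulnerability has been applied;
# the sha256 values are placeholders, not real indicators.
SAMPLE_EVENTS = r"""
{"host": "lab-win7-01", "message_type": "service", "name": "LanmanServer", "display_name": "Server (SMB)", "state": "running", "patched": false}
{"host": "lab-win7-01", "message_type": "process", "pid": 3120, "image": "C:\\Users\\Public\\sample.exe", "sha256": "<constructed-hash-a>", "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet"}
{"host": "lab-win10-02", "message_type": "service", "name": "LanmanServer", "display_name": "Server (SMB)", "state": "running", "patched": false}
{"host": "lab-win10-02", "message_type": "process", "pid": 812, "image": "C:\\Windows\\System32\\svchost.exe", "sha256": "<constructed-hash-b>", "command_line": "svchost.exe -k netsvcs"}
{"host": "lab-win10-03", "message_type": "service", "name": "LanmanServer", "display_name": "Server (SMB)", "state": "running", "patched": true}
{"host": "lab-win10-03", "message_type": "process", "pid": 2044, "image": "C:\\Windows\\System32\\vssadmin.exe", "sha256": "<constructed-hash-c>", "command_line": "vssadmin list shadows"}
"""

# The post's second search adds the free-text string 'delete shadows'; here it
# is a case-insensitive regex applied to the process command line only, so a
# benign 'vssadmin list shadows' does not match.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def load_events(raw: str) -> list:
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def hunt_smb(events: list) -> dict:
    """Rough equivalent of 'sourcetype=ziften:zenith:* smb': every event, of any
    message type, whose serialized form contains 'smb', grouped by host."""
    hits = defaultdict(list)
    for ev in events:
        if "smb" in json.dumps(ev).lower():
            hits[ev["host"]].append(ev)
    return dict(hits)


def hunt_shadow_deletion(events: list) -> list:
    """Rough equivalent of 'sourcetype=ziften:zenith:* delete shadows': process
    events whose command line deletes volume shadow copies, the behavior the
    post uses as a non-signature ransomware indicator."""
    return [ev for ev in events
            if ev.get("message_type") == "process"
            and SHADOW_DELETE.search(ev.get("command_line", ""))]


def exposed_hosts(events: list) -> set:
    """Hosts running the SMB server service without the patch applied."""
    return {ev["host"] for ev in events
            if ev.get("message_type") == "service"
            and ev.get("state") == "running"
            and "smb" in ev.get("display_name", "").lower()
            and not ev.get("patched", False)}


def triage(events: list) -> dict:
    """Map each host to the response action the post describes.

    Compromised hosts get network quarantine: killing by PID or hash is
    cheaper, but a respawned or polymorphic sample defeats it, whereas
    quarantine blocks all traffic regardless. Exposed-but-clean hosts get
    the SMB service stopped until IT Operations has patched them; patched
    hosts need nothing.
    """
    compromised = {ev["host"] for ev in hunt_shadow_deletion(events)}
    actions = {host: "network_quarantine" for host in compromised}
    for host in exposed_hosts(events) - compromised:
        actions[host] = "stop_smb_service_until_patched"
    return actions


def kill_targets(events: list) -> list:
    """(host, pid, sha256) tuples for the narrower kill-by-PID / kill-by-hash actions."""
    return [(ev["host"], ev["pid"], ev["sha256"]) for ev in hunt_shadow_deletion(events)]


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    print("hosts mentioning smb:", sorted(hunt_smb(events)))
    for ev in hunt_shadow_deletion(events):
        print("shadow deletion on", ev["host"], "pid", ev["pid"], "->", ev["command_line"])
    print("response actions:", triage(events))
```

Note the difference between the two hunts: the "smb" search matches every host that exposes the service, which is a scoping question (who is exposed?), while the "delete shadows" search is a behavioral indicator that only fires on hosts where the ransomware has already run, which is a triage question (who needs quarantine now?). Keeping the patch state in the inventory is what lets the script tell the two groups apart.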

WannaCry is already dying down, but hopefully this technical blog post shows the value of the Ziften and Splunk integration in handling ransomware threats against the endpoint.

Charles Leaver – A Breach Out Of Nowhere: Get Paranoid About Your Company Security

Written By Charles Leaver Ziften CEO


Whatever you do, don't underestimate cybersecurity hackers. Even the most paranoid "normal" person wouldn't worry about a source of data breaches being stolen credentials from its heating, ventilation and air conditioning (HVAC) contractor. Yet that's exactly what happened at Target in November 2013. Hackers got into Target's network using credentials given to the contractor, presumably so they could monitor the heating, ventilation and air conditioning system. (For a good analysis, see Krebs on Security.) From there the hackers were able to leverage the breach to spread malware into point of sale (POS) systems, then unload payment card details.

A number of ludicrous errors were made here. Why was the HVAC contractor given access to the corporate network? Why wasn't the HVAC system on a separate, completely isolated network? Why wasn't the POS system on a separate network? And so on.

The point here is that in a really complex network, there are countless potential vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the point.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO's office. Security professionals aren't "normal" people. They are paid to be paranoid. Make no mistake: regardless of the particular technical vulnerability that was exploited, this was a CISO failure to anticipate the worst and prepare accordingly.

I can't speak to the Target HVAC breach specifically, but there is one overwhelming reason that breaches like this occur: a lack of financial priority for cybersecurity. I'm not sure how often businesses fail to fund security simply because they're cheap and would rather do a share buyback. Or maybe the CISO is too timid to ask for what's needed, or has been told that he gets a 5% increase, regardless of the need. Perhaps the CEO is worried that disclosures of big allocations for security will scare shareholders. Maybe the CEO is simply naïve enough to believe that the business won't be targeted by hackers. The problem: every enterprise is targeted by hackers.

There are significant competitions over budgets. The IT department wants to fund upgrades and improvements, and attack the backlog of demand for new and improved applications. On the other side, you have operational leaders who see IT projects as directly helping the bottom line. They are optimists, and have lots of CEO attention.

By contrast, the security department often has to fight for crumbs. They are viewed as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about worst-case scenarios. That doesn't make friends, and budget dollars are allocated grudgingly at too many companies (until the company gets burned).

Call it naivety, call it entrenched hostility, but it's a real challenge. You can't have IT given fantastic tools to move the enterprise forward, while security is starved and using second-best.

Worse, you don't want to end up in situations where the rightfully paranoid security teams are working with tools that don't mesh well with their IT counterparts' tools.

If IT and security tools don't fit together well, IT may not be able to act quickly to respond to risky situations that the security teams are monitoring or are worried about: things like reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that indicates dangerous or suspicious activity.

One recommendation: find tools for both departments that are designed with both IT and security in mind, right from the beginning, rather than IT tools that are patched to offer some minimal security capability. One budget item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO team. Everybody wins, and next time somebody wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing, and head that disaster off at the pass.

Charles Leaver – WannaCry Ransomware Help From Ziften

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO


Answers To Your Questions About WannaCry Ransomware

The WannaCry ransomware attack has infected more than 300,000 computers in 150 countries so far by exploiting vulnerabilities in Microsoft's Windows operating systems. In this short video, Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, as well as how Ziften can help companies protect themselves from the exploit known as "EternalBlue."

As discussed in the video, the problem with this Server Message Block (SMB) file-sharing service is that it's on most Windows operating systems and found in most environments. However, we make it simple to determine which systems in your environment have or have not been patched yet. Importantly, Ziften Zenith can also remotely disable the SMB file-sharing service entirely, giving organizations valuable time to ensure those computers are properly patched.

If you want to know more about Ziften Zenith, our 20-minute demo includes a consultation with our experts on how we can help your company prevent the worst digital catastrophe to hit the internet in years.