Charles Leaver – You Need To Move On From Enterprise Antivirus

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


Diminishing Effectiveness of Enterprise Antivirus?

Google Security Guru Labels Antivirus Apps As Ineffective ‘Magic’.

At the recent Kiwicon hacking conference in Wellington, New Zealand, Google Platform Integrity team manager Darren Bilby preached cyber-security heresy. Tasked with investigating highly sophisticated attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise antivirus in with a collection of ineffective tools deployed to tick a compliance checkbox, at the cost of real security:

We need to stop buying those things we have actually revealed are not effective… Anti-virus does some useful things, however in reality, it is more like a canary in a coal mine. It is even worse than that. It’s like we are standing around the dead canary saying ‘Thank god it breathed in all the dangerous gas.’

Google’s security gurus aren’t the first to weigh in against enterprise antivirus, or to draw uncomplimentary analogies, in this case to a dead canary.

Another highly skilled security group, FireEye Mandiant, compared static defenses such as enterprise antivirus to that notoriously failed World War II fortification, the Maginot Line:

Like the Maginot Line, today’s cyber defenses are quickly becoming an antique in today’s hazard landscape. Organizations spend billions of dollars each year on IT security. However, assailants are easily outflanking these defenses with clever, fast-moving attacks.

An example of this was given by a Cisco managed security services executive speaking at a conference in Poland. His team had found anomalous activity on one of their enterprise clients’ networks and reported the suspected server compromise to the customer. To the Cisco team’s astonishment, the client simply ran an antivirus scan on the server, found no detections, and put it back into service. Alarmed, the Cisco team conferenced the client in to their monitoring console and was able to show the attacker conducting a live remote session at that very moment, complete with typing errors and re-issued commands to the compromised server. Finally convinced, the customer took the server down and completely re-imaged it. The enterprise antivirus had been a futile diversion: it had not served the customer and it had not stopped the adversary.

So Is It Time to Dispose Of Enterprise Antivirus Now?

I am not yet prepared to declare the end of the enterprise antivirus era. But I do know that companies must invest in detection and response capabilities to complement traditional antivirus, and increasingly I question who is complementing whom.

Competent targeted attackers will always evade antivirus defenses, so against your biggest cyber threats enterprise antivirus is essentially ineffective. As Darren Bilby said, it does do some useful things, but it does not provide the endpoint defense you need. So do not let it distract you from the highest priority cyber-security investments, and do not let it distract you from the security measures that actually help.

Proven cyber defense measures include:

Configuration hardening of networks and endpoints.

Identity management with strong authentication.

Application controls.

Continuous network and endpoint monitoring, constant vigilance.

Strong encryption and data security.

Personnel education and training.

Continual risk re-assessment, penetration testing, red/blue teaming.

In contrast to Bilby’s criticism of enterprise antivirus, none of the above are ‘magic’. They are simply the continuous hard work of adequate enterprise cyber-security.

Charles Leaver – No Organization Is Totally Resilient To A Cyber Attack But You Can Stop Them

Written By Charles Leaver CEO Ziften


No company, however small or large, is immune from a cyber attack. Whether the attack is launched from an external source or from the inside, no company is fully secure. I have lost count of the number of times senior managers have said to me, “why would anyone want to hack us?”

Cyberattacks Can Take Many Forms

The proliferation of devices that can connect to enterprise networks (laptops, mobile phones and tablets) means an increased risk of security vulnerabilities. The aim of a cyberattack is to exploit those vulnerabilities.


Among the most common cyber attack methods is the use of malware. Malware is code with malicious intent and includes viruses, Trojans and worms. The aim of malware is often to steal sensitive data or even damage computer networks. Malware is often an executable file that will spread across your network.

Malware is becoming far more advanced: there is now rogue software that masquerades as genuine security software developed to protect your network.

Phishing Attacks

Phishing attacks are also common. Typically an e-mail is sent from an apparently “trustworthy authority” asking the user to supply personal data by clicking a link. Some of these phishing e-mails look extremely genuine and have deceived a great many users. If the link is clicked and data entered, the information is stolen. Today an increasing number of phishing e-mails carry ransomware.

Password Attacks

A password attack is one of the simplest forms of cyber attack. An unauthorized third party tries to gain access to your systems by “cracking” the login password. Software can be used to conduct brute force attacks that guess passwords, and the word combinations used as passwords can be compared against a dictionary file.

If an attacker gains access to your network through a password attack they can quickly introduce malware and cause a breach of your sensitive data. Password attacks are among the easiest to prevent, and strict password policies provide a very effective barrier. Changing passwords regularly is also advised.
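The brute force and dictionary attacks described above leave a distinctive trail in authentication logs: many failures from one source in a short window, sometimes followed by a success. The detector below is an added example written for this article, not Ziften code; the sshd-style log lines are constructed sample data, and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH sshd style (not real data).
# 198.51.100.7 hammers root and then logs in; 203.0.113.9 is a normal user typo.
SAMPLE_LOG = """\
Mar 14 10:00:01 host1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Mar 14 10:00:02 host1 sshd[2202]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar 14 10:00:03 host1 sshd[2203]: Failed password for root from 198.51.100.7 port 51003 ssh2
Mar 14 10:00:04 host1 sshd[2204]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar 14 10:00:05 host1 sshd[2205]: Failed password for root from 198.51.100.7 port 51005 ssh2
Mar 14 10:00:06 host1 sshd[2206]: Failed password for root from 198.51.100.7 port 51006 ssh2
Mar 14 10:00:09 host1 sshd[2207]: Accepted password for root from 198.51.100.7 port 51007 ssh2
Mar 14 10:05:00 host1 sshd[2301]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar 14 10:35:00 host1 sshd[2302]: Accepted password for alice from 203.0.113.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2016):
    """Turn syslog lines into (timestamp, result, user, ip) tuples.
    Syslog omits the year, so the caller supplies it (assumed 2016 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failures inside a sliding
    `window`, and record whether a success followed the burst (a likely
    compromised credential that needs a password reset and investigation)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e[0] for e in evs if e[1] == "Failed"]
        burst_start = None
        start = 0
        for end in range(len(failures)):
            # shrink the window from the left until it spans <= `window`
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = failures[start]
                break
        if burst_start is None:
            continue
        success_after = any(e[1] == "Accepted" and e[0] >= burst_start for e in evs)
        findings[ip] = {
            "failures": len(failures),
            "success_after": success_after,
            "users": sorted({e[2] for e in evs}),
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_brute_force(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

A single failed login from a legitimate user stays below the threshold and is not reported, while the six rapid failures followed by an accepted login are flagged with `success_after` set, which is the case that warrants an immediate credential reset rather than just a block.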

Denial of Service

A Denial of Service (DoS) attack is all about causing maximum disruption of the network. Attackers send very high volumes of traffic through the network, typically as large numbers of connection requests. The result is an overloaded network that shuts down.

Multiple computer systems can be used by attackers in DoS attacks to generate very significant levels of traffic to overload the network. Recently the largest DoS attack in history used botnets against Krebs on Security. Frequently, endpoint devices connected to the network such as PCs and laptops are hijacked and then contribute to the attack. A DoS attack can have serious consequences for network security.

Man in the Middle

Man in the middle attacks are carried out by impersonating endpoints of a network during an information exchange. Information can be stolen from the end user or even from the server they are communicating with.

How Can You Completely Prevent Cyber Attacks?

Complete prevention of a cyber attack is not possible with current technology, but there is a lot you can do to secure your network and your sensitive data. It is important not to think that you can simply buy and install a security software suite and then sit back. The more advanced cyber criminals know all of the security software products on the market and have devised techniques to overcome the safeguards they provide.

Strong and frequently changed passwords is a policy you should adopt, and is among the easiest safeguards to put in place. Encrypting your sensitive data is another no-brainer. Beyond installing antivirus and malware protection suites along with a good firewall, you need to ensure that regular backups are in place and that you have a data breach incident response/remediation plan in case the worst happens. Ziften helps businesses continuously monitor for threats that may survive their defenses, and act immediately to eliminate the threat completely.


Charles Leaver – Don’t Migrate To The Cloud Until You Have Endpoint Visibility

Written By Logan Gilbert And Posted By Charles Leaver Ziften CEO


Fears Over Compliance And Security Prevent Companies From Cloud Migration

Migrating segments of your IT operations to the cloud can seem like a huge task, and a risky one at that. Security holes, compliance record keeping, the danger of introducing errors into your architecture … cloud migration presents a lot of hairy problems to handle.

If you’ve been wary about moving, you’re not alone – but help is on the way.

When Evolve IP surveyed 1,000+ IT professionals earlier this year for their Adoption of Cloud Services North America report, 55% of those surveyed said that security is their greatest concern about cloud adoption. For companies that don’t currently have some cloud presence, the number was even higher: 70%. The next biggest barrier to cloud adoption was compliance, cited by 40% of respondents. (That’s up eleven percent this year.)

But here’s the bigger problem: if these concerns are keeping your company out of the cloud, you cannot benefit from the performance and cost advantages of cloud services, which becomes a strategic impediment for your whole business. You need a way to migrate that also answers concerns about security, compliance, and operations.

Improved Security in Any Environment With Endpoint Visibility.

This is where endpoint visibility wins the day. Being able to see exactly what’s going on with every endpoint gives you the visibility you need to improve security, compliance, and operational performance when you move your data center to the cloud.

And I mean any endpoint: desktop computer, laptop, mobile phone, server, VM, or container.

As a long time IT professional, I understand the temptation to think you have more control over your servers when they’re locked in a closet and you’re the one who holds the keys. Even when you know that segments of your environment rely on kludges, they’re your kludges, and they’re stable. Plus, when you’re running your own data center – unlike when you’re in the cloud – you can use network taps and a whole host of monitoring tools to look at traffic on the wire, figure out a great deal about who’s talking to whom, and fix your problems.

But that level of information pales in comparison to endpoint visibility, in the data center or in the cloud. The granularity and control of Ziften’s solution gives you far more than you could ever get from a network tap. You can detect malware and other issues anywhere (even off your network), isolate them immediately, then trace them back to whichever user, application, device, or process was the weak link in the chain. Ziften provides the ability to perform lookback forensics and to resolve issues in far less time.

Eliminating Your Cloud Migration Headaches.

Endpoint visibility makes a huge difference whenever you’re ready to move a segment of your environment to the cloud. By evaluating endpoint activity, you can build a baseline inventory of your systems, clear out unmanaged assets such as orphaned VMs, and hunt down vulnerabilities. That gets everything safe and stable within your own data center before your move to a cloud provider like AWS or Azure.

After you’ve moved to the cloud, ongoing visibility into each device, user, and application means you can administer every part of your infrastructure better. You avoid wasting resources by preventing VM sprawl, plus you have a detailed body of data to satisfy the audit requirements of NIST 800-53, HIPAA, and other compliance regimes.

When you’re ready to move to the cloud, you’re not doomed to weak security, incomplete compliance, or operational SNAFUs. Ziften’s approach to endpoint security gives you the visibility you need for cloud migration without the headaches.

Charles Leaver – Make Your Endpoints Visible And React Fast If An Incident Occurs

Written By Logan Gilbert And Presented By Charles Leaver


Ziften helps with incident response, remediation, and investigation, even for endpoints that are not connected to your network.

When incidents occur, security analysts have to act quickly and comprehensively.

With remote workforces and enterprise “cloud” infrastructures, remediation and analysis on an endpoint are a truly challenging job. Below, see how you can use Ziften to take action on the endpoint and identify the origin and propagation of a compromise in minutes, no matter where the endpoints reside.

First, Ziften alerts you to malicious activity on endpoints and directs you to the cause of the alert. In seconds, Ziften lets you take remediation actions on the endpoint, whether it’s on the corporate network, in an employee’s home, or at the local cafe. Any remediation action you’d normally perform through direct access to the endpoint, Ziften makes available through its web console.

Just that quickly, remediation is taken care of. Now you can apply your security expertise to threat hunting and a bit of forensics work. You can immediately dive into far more detail about the process that triggered the alert, and then ask the vital questions to find out how widespread the issue is and where it spread from. Ziften provides thorough incident remediation for security analysts.

See firsthand how Ziften can help your security team zero in on threats in your environment with our 30 day free trial.

Charles Leaver – The Review Of The OPM Data Breach Provides Lessons For All CISOs

Written by Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Cyber attacks, attributed to the Chinese government, breached sensitive personnel databases and stole data on over 22 million current, former, and prospective U.S. federal employees and their family members. Stern warnings from the Office of the Inspector General (OIG) to shut down systems lacking a current security authorization were ignored.

Presciently, the OIG specifically warned that failure to shut down the unauthorized systems carried national security implications. Like the captain of the Titanic maintaining flank speed through an iceberg field, the OPM responded,

“We concur that it is very important to keep current and legitimate ATOs for all systems but do not think that this condition rises to the level of a Material Weakness.”

Furthermore, the OPM worried that shutting down those systems would mean a lapse in retirement and employee benefits and paychecks. Given a choice between a security lapse and an operational lapse, the OPM chose to run insecurely and was pwned.

Then director Katherine Archuleta resigned her office in July 2015, a day after revealing that the scope of the breach significantly exceeded the original damage assessments.

Despite the high value of the information held by OPM, the agency failed to prioritize cybersecurity and properly secure its high value data.

What are the Lessons for CISOs?

Rational CISOs will want to avoid professional immolation in an enormous flaming data breach catastrophe, so let’s quickly review the key lessons from the Congressional report’s executive summary.

Focus on Cyber Security Commensurate with Asset Value

Have an effective organizational management structure to implement risk-appropriate IT security policies. Chronic lack of compliance with security best practices and lagging recommendation implementation timelines are signs of organizational failure and bureaucratic atherosclerosis. Shake up the organization, or prepare for your post-breach panel grilling before the inquisitors.

Don’t Tolerate a Lax State of Information Security

Have the necessary monitoring in place to maintain vital situational awareness; leave no observation gaps. Do not fail to grasp the scope, level or gravity of attack indicators. Assume that if you identify attack indicators, there are other indicators you are missing. While OPM was forensically observing one attack channel, another parallel attack went unseen. When OPM did take action, the attackers learned which attack had been discovered and which attack was still effective, very valuable intelligence to the adversary.

Mandate Basic Needed Security Tools and Expeditiously Deploy State Of The Art Security Tools

OPM was incredibly negligent in implementing mandated multi-factor authentication for privileged accounts and failed to deploy available security technology that might have prevented or mitigated exfiltration of its most important security background investigation files.

For restricted data or access control authentication, the phrase “password protected” has been an oxymoron for years: passwords are not security, they are an invitation to compromise. In addition to adequate authentication strength, complete network monitoring and visibility is a prerequisite for preventing sensitive data exfiltration. The Congressional investigation blamed careless cyber protection and inadequate network traffic visibility for the attackers’ persistent presence in OPM networks.

Do Not Fail to Escalate the Alarm When Your Most Valuable Sensitive Data Is Under Attack

In the OPM breach, observed attack activity “ought to have sounded a high level multi agency national security alarm that a sophisticated, persistent actor was looking to gain access to OPM’s highest-value data.” Instead, nothing of consequence was done “until after the agency was severely compromised, and until after the agency’s most sensitive information was lost to dubious actors.” As a CISO, sound that alarm in time (or rehearse your panel appearance face).

Lastly, don’t let this be said of your enterprise security posture:

The Committee received documentation and testimony showing OPM’s info security posture was undermined by a woefully unsecured IT environment, internal politics and bureaucracy, and inappropriate top priorities related to the deployment of security tools that slowed important security choices.

Charles Leaver – Cloud Migration Provides Benefits But Also Brings Security Concerns

Written By Charles Leaver CEO Ziften


What Worries Enterprise CISOs When Migrating To The Cloud

Moving to the cloud offers a number of benefits to enterprises, but there are real security concerns that make switching to a cloud environment worrisome. What CISOs want when moving to the cloud is continuous insight into that cloud environment. They need a way to monitor and measure risk, and the confidence that they have the proper security controls in place.

Increased Security Risk

Migration to the cloud means using managed IT services, and many believe this means relinquishing a high level of visibility and control. Although the leading cloud service providers use the latest security technology and encryption, even the most up to date systems can fail and expose your sensitive data to attackers.

In reality, cloud environments are subject to the same cyber threats as private enterprise data centers. However, the cloud is becoming a more attractive target because of the enormous amount of data now stored on cloud servers.

Cyber attackers understand that enterprises are gradually migrating to the cloud, and they are already targeting cloud environments. Alert Logic, a security as a service provider, published a report concluding that IT decision makers should not assume that data stored off site is harder for cyber criminals to get.

The report went on to state that there had been a 45% increase in application attacks against cloud deployments. There had also been an increase in attack frequency against companies that host their infrastructure in the cloud.

The Cloud Is a Glittering Prize

With the movement of valuable data, production workloads, and software applications to cloud environments, these findings should not come as a surprise. The report stated, “… cyber attackers, like everyone else, have a minimal quantity of time to complete their job. They want to invest their time and resources into attacks that will bear the most fruit: businesses using cloud environments are mainly considered that fruit bearing prize.”

The report also suggests there is a misunderstanding within organizations about security. A number of enterprise decision makers were under the impression that once a cloud migration had taken place, the cloud service provider would be totally responsible for the security of their data.

Security In The Cloud Needs To Be A Shared Responsibility

All businesses must take responsibility for the security of their data, whether it is hosted in house or in the cloud. This duty cannot be entirely relinquished to a cloud provider. If your business suffers a data breach while using cloud management services, it is unlikely that you would be able to evade responsibility.

It is essential that every organization fully understands the environment and the risks associated with cloud management. There can be a myriad of legal, financial, commercial, and compliance risks. Before moving to the cloud, be sure to scrutinize contracts so that the provider’s liability is fully understood should a data breach occur.

Alert Logic vice president Will Semple said, “the key to securing your critical data is being educated about how and where along the ‘cyber kill chain’ hackers penetrate systems and to utilize the right security tools, practices and financial investment to fight them.”

Cloud Visibility Is The Key

Whether you are using cloud management services or hosting your own infrastructure, you need complete visibility into your environment. If you are considering migrating part, or all, of your environment to the cloud, this is essential.

After a cloud migration has taken place you can rely on this visibility to monitor every user, device, application, and network activity for potential threats. As a result, the administration of your infrastructure becomes far more efficient.

Do not let your cloud migration result in weakened security and insufficient compliance. Ziften can help maintain cloud visibility and security for your existing cloud deployments or planned cloud migrations.

Charles Leaver – Avoid Cyber Attacks By Using The Right Endpoint Management Solution

Written By Charles Leaver Ziften CEO


Recognize and control any device that requires access to your organization’s network.

As an organization grows, so does its asset footprint, and this makes the job of managing the whole set of IT assets far more challenging. IT management has moved on from the days when IT asset management consisted of recording devices such as printers, making an inventory of all installed applications and ensuring that antivirus suites were updated.

Today, companies are under continuous threat of cyber attacks and the use of malicious code to infiltrate the corporate network. Many devices now have network access capabilities. Gone are the days when only desktop PCs connected to an organization’s network. Now there is a culture of bring your own device (BYOD), where cell phones, tablets and laptops are all likely to connect to the network. While this offers flexibility for organizations, with the ability for users to connect remotely, it opens up a whole new range of vulnerabilities, as these various endpoints make the problem of corporate IT security far more complex.

What Exactly Is Endpoint Management?

It is necessary to have a policy based approach to the endpoint devices connected to your network in order to reduce the risk of cyber attacks and data breaches. The use of laptops, tablets, smart phones and other devices may be convenient, but they can expose companies to a huge array of security risks. The main goal of a sound endpoint management strategy should be that network activity is thoroughly monitored and unauthorized devices cannot access the network.

Most endpoint management software will check that the device has an approved operating system and antivirus software, and will check the device for an up to date virtual private network client.

Endpoint management solutions identify and control any device that requires access to the corporate network. If anybody attempts to access the enterprise environment from a non-compliant device they will be denied access. This is vital to combat attacks from cyber criminals and infiltration by malicious groups.

Any device which does not comply with endpoint management policies is either quarantined or granted restricted access. Local administrative rights may be removed and Internet browsing restricted.

Organizations Can Always Do More

There are a number of techniques that an organization can use as part of its endpoint management policy. These include firewalls (both network and personal), encryption of sensitive data, stronger authentication methods (which will certainly include the use of hard to crack passwords that are changed regularly), and device and network level antivirus and anti-malware protection.

Endpoint management systems can work on a client and server basis, where a software application is deployed and centrally managed on a server. The client program must be installed on all endpoint devices that are authorized to access the network. It is also possible to use a software as a service (SaaS) model of endpoint management, where the service provider hosts and maintains the server and the security applications remotely.

When a client device attempts to log in, the server based application scans the device to see if it complies with the company’s endpoint management policy, and then verifies the user’s credentials before access to the network is granted.
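The posture check followed by credential verification described above can be expressed as a small policy engine. The following is an added example for this article, not Ziften code or any vendor’s API: the `Policy` and `Device` fields, the sample inventory, and the three outcomes (allow, restricted, quarantine, matching the quarantine-or-restrict handling described above) are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    """Hypothetical endpoint management policy (constructed for this example)."""
    approved_os: dict               # OS name -> minimum acceptable version
    max_av_signature_age_days: int  # how stale antivirus signatures may be
    min_vpn_client_version: str     # oldest acceptable VPN client
    require_av_running: bool = True


@dataclass
class Device:
    """Posture data the client agent would report at login (constructed)."""
    device_id: str
    os_name: str
    os_version: str
    av_running: bool
    av_signature_age_days: int
    vpn_client_version: str
    managed: bool  # True if the organization's client agent is installed


def version_tuple(v):
    """'10.0.14393' -> (10, 0, 14393) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def evaluate(device, policy):
    """Return (decision, reasons); decision is 'allow', 'restricted' or 'quarantine'."""
    reasons = []
    os_ok = True
    min_os = policy.approved_os.get(device.os_name)
    if min_os is None:
        os_ok = False
        reasons.append(f"unapproved OS {device.os_name}")
    elif version_tuple(device.os_version) < version_tuple(min_os):
        os_ok = False
        reasons.append(f"OS {device.os_version} below minimum {min_os}")
    if policy.require_av_running and not device.av_running:
        reasons.append("antivirus not running")
    if device.av_signature_age_days > policy.max_av_signature_age_days:
        reasons.append(f"AV signatures {device.av_signature_age_days} days old")
    if version_tuple(device.vpn_client_version) < version_tuple(policy.min_vpn_client_version):
        reasons.append(f"VPN client {device.vpn_client_version} outdated")

    # Unmanaged devices and unapproved/outdated operating systems are quarantined
    # outright; managed devices with lesser findings get restricted access
    # (no local admin rights, limited browsing) until they are brought into line.
    if not device.managed or not os_ok:
        return "quarantine", reasons
    if reasons:
        return "restricted", reasons
    return "allow", reasons


def authorize_login(device, policy, credentials_valid):
    """Posture first, then credentials: a quarantined device is refused before
    the user's password is even considered."""
    decision, reasons = evaluate(device, policy)
    if decision == "quarantine":
        return "deny", reasons
    if not credentials_valid:
        return "deny", reasons + ["invalid credentials"]
    return decision, reasons


POLICY = Policy(
    approved_os={"Windows": "10.0", "macOS": "10.11", "Ubuntu": "16.04"},
    max_av_signature_age_days=3,
    min_vpn_client_version="4.3",
)

# Constructed sample inventory, not real devices.
SAMPLE_DEVICES = [
    Device("LT-0001", "Windows", "10.0", True, 1, "4.3", True),   # fully compliant
    Device("LT-0002", "Windows", "10.0", True, 9, "4.3", True),   # stale AV signatures
    Device("PH-0003", "Android", "6.0", False, 0, "4.1", False),  # unmanaged BYOD phone
    Device("LT-0004", "Ubuntu", "14.04", True, 0, "4.3", True),   # OS below minimum
]


def audit(devices=SAMPLE_DEVICES, policy=POLICY):
    """Decision per device id, the view an administrator would review."""
    return {d.device_id: evaluate(d, policy)[0] for d in devices}


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.device_id, evaluate(dev, POLICY))
```

The ordering in `authorize_login` is deliberate: checking posture before credentials means a stolen password on an unmanaged device still gets nowhere, and the returned reasons give the help desk something concrete to fix rather than a bare denial.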

The Problem With Endpoint Management Systems

Many companies see security software as a “complete cure”, but it is not that clear cut. Endpoint security software bought as a set and forget system will never suffice. The skilled attackers out there know about these software products and are developing malicious code that evades the defenses a set and forget application can provide.

There has to be human intervention. As Jon Oltsik, contributor at Network World, said: “CISOs must take ownership of endpoint security and designate a group of experts who own endpoint security controls as part of an overall obligation for incident prevention, detection, and response.”

Ziften’s endpoint security systems provide the continuous monitoring and look-back visibility that a cyber security team needs in order to discover and act on threats before a breach spreads and steals the company’s sensitive data.

Charles Leaver – Splunk.conf 2016 Confirms The Need For Adaptive Response

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO

All the latest from Splunk

Recently I attended the annual Splunk conference in the sunshine state of Florida. The Orlando-based event allowed Splunkers from around the world to familiarize themselves with the latest and most successful offerings from Splunk. Although there were plenty of fun activities throughout the week, it was clear that participants were there to learn new things. The announcement of Splunk’s security-centric Adaptive Response initiative was well received, and it happens to integrate quite nicely with Ziften’s endpoint solution.

Of particular interest, the “Transforming Security” keynote presented by Monzy Merza, Director of Cyber Research and Chief Security Evangelist for Splunk, Haiyan Song, SVP Security Markets for Splunk, and Mike Stone, CDIO for the UK Ministry of Defence, showed the power of Splunk’s new Adaptive Response interface to thousands of participants.

In the clip below, taken from that keynote, Monzy Merza shows how the critical data provided by a Ziften agent can also be used to drive bi-directional functionality from Splunk, sending instructions back to the Ziften agent to take immediate action on a compromised endpoint. Monzy was able to successfully identify a compromised Linux server and remove it from the operational network for further forensic investigation. By not only providing critical security data to the Splunk instance, but also allowing the user to stay in the same interface to take operational and security actions, the Ziften endpoint agent lets users draw on Splunk’s powerful framework in both directions to take immediate, precise action across all operating systems. After the talks our booth was swamped with demonstrations and very interesting discussions about operations and security.

Take a look at a three minute Monzy highlight from the Keynote:

Over the weekend I was able to process the wide range of technical discussions I had with hundreds of great people in our booth at .conf. One of the amusing things I discovered, which nobody would openly admit unless I pulled it out of them, is that most of us are beginner-to-intermediate SPL (Splunk Processing Language) users. I also observed the obvious: incident response was the primary focus of this year’s event.

Nevertheless, many people use Ziften for Splunk for a range of things, such as application and operations management, network monitoring, and user behavior modeling. To illustrate the broad functionality of our Splunk App, here’s a taste of what folks at .conf2016 liked most about Ziften for Splunk:

1) It’s fantastic for Enterprise Security.

a. Generalized platform for absorbing real time data and taking instant action
b. Automating remediation from a wide range of indicators of compromise

2) IT Operations adore us.

a. Tracking of Systems, Hardware Life Cycle, Resource Management
b. Management of Applications – Compliance, License Verification, Vulnerabilities

3) Network Monitoring with ZFlow is a game changer.

a. ZFlow ties netflow to binary, system and user data in a single Splunk SPL entry. Do I need to say more? This is the real Holy Grail from Indiana Jones, people!

4) Our User Behavior Modeling surpasses just notifications.

a. This could be connected back under IT Operations but it’s becoming its own beast
b. Ziften’s tracking of software usage, logins, elevated binaries, timestamps, etc. is readily viewable in Splunk
c. Ziften offers a complimentary Security Centric Splunk package, however we transform all of the data we collect from each endpoint to Splunk CIM language – Not simply our ‘Alerts’.

Ultimately, using a single Splunk Adaptive Response interface to manage a wide variety of tools within your environment is exactly what helps build a strong enterprise fabric for your business, one in which operations, security and network teams overlap more fluidly. Make better decisions, faster. Find out for yourself with our free 30 day trial of Ziften for Splunk!

Charles Leaver – Adobe Flash Is A Hacker’s Dream Get Rid Of It Now

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

Be Strong or Get Attacked.

Highly knowledgeable and talented cyber attack groups have targeted, and are targeting, your organization. Your large endpoint population is the most common point of entry for proficient attack organizations. These enterprise endpoints number in the thousands, are loosely managed, laxly configured, rife with vulnerability exposures, and operated by partially trained, credulous users: the perfect target-rich opportunity. Mikko Hypponen, chief research officer at F-Secure, often remarks at industry symposia: “How many of the Fortune 500 are attacked right now? The answer: 500.”

And for how long did it take to permeate your organization? White hat hackers performing penetration testing or red team exercises usually jeopardize target enterprises within the first few hours, despite the fact that ethically and lawfully limited in their methods. Black hat or state sponsored hackers may achieve penetration much more rapidly and protect their presence indefinitely. Provided typical hacker dwell duration’s determined in numerous days, the time-to-penetration is minimal, not an impediment.

Exploit Kits

The industrialization of hacking has created a black market for attack tools, including a variety of software packages for identifying and exploiting client endpoint vulnerabilities. These exploit kits are marketed to attackers on the dark web, with dozens of exploit kit families and vendors. An exploit kit works by fingerprinting the software installed on the endpoint, identifying exposed vulnerabilities, and delivering an exploit for one of them.

A relative handful of widely deployed endpoint applications account for the bulk of the vulnerabilities exploit kits target. This is the sad consequence of complex software exhibiting a continual stream of vulnerabilities that leaves it perpetually exposed. Each patch cycle, exploit kit developers download the latest security patches, reverse engineer them to find the underlying vulnerabilities, and update their kits. This is often done faster than organizations apply patches, and some vulnerabilities remain unpatched and ripe for exploitation years after a fix is released.

Adobe Flash

Before the widespread adoption of HTML5, Adobe Flash was the most commonly used software for rich Internet content. Even with growing adoption of HTML5, legacy Adobe Flash retains a substantial install base, keeping its long-held position as the darling of exploit kit authors. A recent study by Digital Shadows, In the Business of Exploitation, is instructive:

This report analyzes 22 exploit kits to understand the most frequently exploited software. We looked for trends within the exploitation of vulnerabilities by these 22 kits to show which vulnerabilities had been exploited most widely, coupled with how active each exploit kit was, in order to inform our assessment.

The vulnerabilities exploited by all 22 exploit kits showed that Adobe Flash Player was most likely to be the most targeted software, with 27 of the 76 identified vulnerabilities exploited relating to this software.

With remarkable consistency, dozens of fresh vulnerabilities are discovered in Adobe Flash every month. To exploit kit developers, it is the gift that keeps on giving.

The industry is learning its lesson and moving beyond Flash for rich web content. For example, a Yahoo senior developer, blogging recently in Streaming Media, noted:

“Adobe Flash, in the past the de-facto standard for media playback online, has lost favor in the industry due to increasing concerns over security and performance. At the same time, requiring a plugin for video playback in browsers is losing favor among users as well. As a result, the industry is moving toward HTML5 for video playback.”

Amit Jain, Sep 21, 2016

Eradicating Adobe Flash

One action enterprises can take today to harden their endpoint configurations is to remove Adobe Flash as a matter of organizational security policy. This will not be convenient, and it may hurt, but it will help reduce your organization’s attack surface. It involves blacklisting Adobe Flash Player and enforcing browser security settings that disable Flash content. Done properly, this is what users will see where Flash content appears on a legacy website:


This message confirms two facts:

1. Your system is correctly configured to refuse Flash content.

Congratulate yourself!

2. This website would compromise your security for its own convenience.

Ditch this website!
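As an added example (not Ziften’s code, and not part of the original post), the script below applies and then verifies two of the browser settings the policy above calls for on a Windows endpoint: Chrome’s DefaultPluginsSetting policy (2 = block plugins, so Flash never loads) and Internet Explorer’s ActiveX kill bit for the Flash Player control. The registry key paths, the Flash CLSID and the 0x400 kill-bit value are the documented ones; the function and variable names, the injected reader/writer design and the command-line flag are this example’s own. Registry access is passed in as callables so the same check logic can be exercised offline against a dict, while the winreg-backed pair runs on the endpoint itself.

```python
"""Apply and verify a 'no Flash' browser policy on a Windows endpoint.

Added example, not Ziften's code. Two controls are handled:
  * Chrome's DefaultPluginsSetting policy (2 = block plugins such as Flash)
  * IE's ActiveX kill bit for the Flash Player control (CLSID below)
Registry access is injected as callables so the logic can be exercised
offline with a dict-backed store; the winreg-backed pair runs on Windows.
"""
import sys

CHROME_KEY = r"SOFTWARE\Policies\Google\Chrome"
CHROME_VALUE = "DefaultPluginsSetting"
CHROME_BLOCK = 2                     # 1 = allow, 2 = block, 3 = click to play

FLASH_CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
KILLBIT_KEY = (r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
               + "\\" + FLASH_CLSID)
KILLBIT_VALUE = "Compatibility Flags"
KILL_BIT = 0x400                     # tells IE never to load this control

# (key under HKLM, value name, wanted DWORD, how to compare)
REQUIRED = [
    (CHROME_KEY, CHROME_VALUE, CHROME_BLOCK, "exact"),
    (KILLBIT_KEY, KILLBIT_VALUE, KILL_BIT, "bitmask"),
]


def audit_flash_policy(read_value):
    """Return a list of findings; an empty list means both controls hold.

    read_value(key_path, value_name) returns the DWORD stored under HKLM,
    or None when the key or value does not exist.
    """
    findings = []
    for key, name, want, mode in REQUIRED:
        got = read_value(key, name)
        if got is None:
            findings.append(f"{key}\\{name} missing (want {want:#x})")
        elif mode == "exact" and got != want:
            findings.append(f"{key}\\{name} is {got:#x}, want {want:#x}")
        elif mode == "bitmask" and (got & want) != want:
            findings.append(f"{key}\\{name} is {got:#x}, kill bit {want:#x} not set")
    return findings


def apply_flash_policy(read_value, write_value):
    """Set both controls. The kill bit is OR-ed into the existing flags so
    any other compatibility flags already on the Flash control survive.
    write_value(key_path, value_name, dword) creates the key if needed."""
    write_value(CHROME_KEY, CHROME_VALUE, CHROME_BLOCK)
    current = read_value(KILLBIT_KEY, KILLBIT_VALUE) or 0
    write_value(KILLBIT_KEY, KILLBIT_VALUE, current | KILL_BIT)


def dict_backed(store):
    """Offline stand-in for the registry: store maps (key, name) -> int."""
    def read_value(key, name):
        return store.get((key, name))

    def write_value(key, name, dword):
        store[(key, name)] = dword
    return read_value, write_value


def winreg_backed():
    """Real HKLM access; needs Windows and an elevated shell to write."""
    import winreg

    def read_value(key, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    def write_value(key, name, dword):
        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            winreg.SetValueEx(k, name, 0, winreg.REG_DWORD, dword)
    return read_value, write_value


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows endpoint you want to audit")
    read_value, write_value = winreg_backed()
    if "--apply" in sys.argv:          # assumed flag name for this example
        apply_flash_policy(read_value, write_value)
    problems = audit_flash_policy(read_value)
    for p in problems:
        print("FAIL:", p)
    print("Flash blocked" if not problems else f"{len(problems)} control(s) missing")
```

Run it without arguments from an elevated prompt to audit, or with `--apply` to set the two values and re-audit in one pass. Note that the audit treats Chrome’s “click to play” setting (3) as a failure: the policy is to refuse Flash, not to ask the user, since a credulous user is exactly the exploit kit’s target.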

Endpoints Facing A New Era With Illumination – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

The dissolution of the traditional perimeter is happening fast. So what happens to the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. These investments are being questioned, with returns unable to overcome the cost and complexity of building, maintaining and validating these antiquated defenses.

More than that, the paradigm has changed: employees no longer work exclusively in the office. Many people log time from home or while traveling, and neither location is under the umbrella of a corporate firewall. Instead of keeping the bad guys out, firewalls often have the inverse effect: they prevent authorized people from being productive. The irony? They create a safe haven in which attackers can breach and hide for many weeks, then traverse to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the failure of perimeter defense described above and a “mobile everywhere” workforce, we must now enforce trust at the endpoint. Easier said than done, however.

In the endpoint space, identity and access management (IAM) tools are not the silver bullet. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust goes beyond simple identification, authentication and authorization.

Encryption is a second attempt at protecting entire libraries and individual assets. In the most recent (2016) Ponemon study on data breaches, encryption saved only 10% of the cost per breached record (from $158 to $142). This isn’t the cure-all that some make it appear.

Everything is changing.

Organizations must be prepared to embrace new paradigms and new attack vectors. While organizations need to provide access to trusted groups and individuals, they have to do so in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are fast becoming more than half of the total enterprise workforce.

On endpoint devices, the binary is primarily the issue. Apparently benign events, such as an executable crash, could mean something simple, like the Windows 10 Desktop Window Manager (DWM) restarting. Or it could be a deeper issue, such as a malicious file or the early signs of an attack.

Trusted access does not solve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering or other human factors. This requires more than simple IAM: it requires behavioral analysis.

Rather than making good better, perimeter and identity access vendors made bad faster.

When and Where Does the Good Part of the Story Begin?

Taking a step back, Google (Alphabet) described a perimeter-less network design in late 2014 and has made considerable progress since. Other enterprises, from corporations to governments, have done this too (quietly and less visibly), but BeyondCorp has done it and shown its solution to the world. The design approach, endpoint plus (public) cloud displacing the cloistered corporate network, is the essential concept.

This changes the entire conversation about an endpoint, be it a laptop, desktop, workstation or server, as subservient to the corporate/enterprise/private/organization network. The endpoint truly is the last line of defense, and must be secured, yet also report its activity.

Unlike the traditional perimeter security model, BeyondCorp doesn’t gate access to tools and services based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both external networks and internal networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or “tiers,” of access.

By itself, this seems innocuous. But in reality it is a radically new design, and it is imperfect. The access criteria have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, instead of a centralized model with potential for breaches, hacking and threats at the human level (the “soft chewy center”).

The good part of the story? Breaching the perimeter is very difficult for would-be attackers, and network pivoting is almost impossible once past the reverse proxy (pivoting being a common technique used by attackers today, which shows that firewalls do a better job of keeping the bad guys in than of letting the good guys out). The inverse model further applies to Google cloud servers, presumably tightly managed, inside the perimeter, versus client endpoints, which are all out in the wild.

Google has made some good refinements to proven security approaches, especially 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).
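To make the tiering idea concrete, here is an added example (not Google’s code and not part of the original post) of an access decision in the BeyondCorp style: the device’s inventory state and its certificate-bound identity determine a trust tier, each resource requires a minimum tier plus a user group, and the source network or IP address is simply not an input. The tier names, the thresholds (patch age, disk encryption, agent check-in) and the resource table are assumptions chosen for illustration, as are all the device records.

```python
"""Device-trust tiering in the style of BeyondCorp's access control engine.

Added example, not Google's code: tier names, thresholds and the resource
table are assumptions for illustration. The decision takes device state and
user identity as inputs and has no notion of source network or IP address.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DeviceState:
    device_id: str
    in_inventory: bool             # present in the device inventory service
    cert_valid: bool               # device cert chains to the enterprise CA, unexpired
    cert_device_id: Optional[str]  # device identity bound into that cert
    patch_age_days: int            # days since the OS was last fully patched
    disk_encrypted: bool
    agent_reporting: bool          # endpoint agent checked in recently


TIERS = ("untrusted", "basic", "privileged", "highly_privileged")


def trust_tier(d: DeviceState) -> str:
    """Derive the tier from device state alone. Identity failures dominate:
    a valid cert bound to a different device id means a stolen or cloned cert."""
    if not (d.in_inventory and d.cert_valid and d.cert_device_id == d.device_id):
        return "untrusted"
    if not d.agent_reporting or not d.disk_encrypted or d.patch_age_days > 30:
        return "basic"
    if d.patch_age_days > 7:
        return "privileged"
    return "highly_privileged"


# resource -> (minimum device tier, group the user must belong to); assumed values
RESOURCES = {
    "wiki":        ("basic", "employees"),
    "source-repo": ("privileged", "engineering"),
    "prod-admin":  ("highly_privileged", "sre"),
}


def decide(resource, user_groups, device):
    """Return ("allow", tier) or ("deny", reason).

    Evaluated by the access proxy on every request, so a device that falls
    behind on patches loses access to higher tiers without any account change,
    and a correct password on an unknown device buys nothing."""
    min_tier, group = RESOURCES[resource]
    tier = trust_tier(device)
    if TIERS.index(tier) < TIERS.index(min_tier):
        return ("deny", f"device tier {tier} below required {min_tier}")
    if group not in user_groups:
        return ("deny", f"user not in group {group}")
    return ("allow", tier)


# Constructed device records
HEALTHY = DeviceState("lap-0417", True, True, "lap-0417", 3, True, True)
STALE = DeviceState("lap-0418", True, True, "lap-0418", 45, True, True)
CLONED_CERT = DeviceState("lap-0999", False, True, "lap-0417", 0, True, True)

if __name__ == "__main__":
    groups = {"employees", "engineering"}
    for name, dev in (("healthy", HEALTHY), ("stale", STALE), ("cloned", CLONED_CERT)):
        for res in RESOURCES:
            print(f"{name:8} {res:12} -> {decide(res, groups, dev)}")
```

The cloned-certificate case is the one worth staring at: the certificate itself is valid, the user is in the right group, and the request could come from the most trusted VLAN in the building, yet the device id inside the cert does not match the device presenting it, so it is untrusted and gets nothing, not even the wiki.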

Why is this important? What are the gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google does not specifically describe a device security agent or stress any form of client-side monitoring (apart from very strict configuration control). While there may be reporting and forensics, this is something every company should be aware of, because it is a matter of when, not if, bad things will happen.

Since implementing the initial stages of the Device Inventory Service, we’ve ingested billions of deltas from over 15 data sources, at a typical rate of about three million per day, totaling over 80 terabytes. Retaining historical data is essential in enabling us to understand the end-to-end life cycle of a given device, track and analyze fleet-wide trends, and perform security audits and forensic investigations.

This is an expensive and data-heavy process with two drawbacks. On ultra-high-speed networks (used by organizations such as Google, universities and research institutions), ample bandwidth allows this kind of communication to take place without flooding the pipes. The first problem is that in more pedestrian enterprise and government settings, this would cause high user disruption.

Second, machines must have the horsepower to continuously collect and transmit data. While most employees would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly makes this prohibitive.

A Lack of Lateral Visibility

Very few products actually generate ‘enhanced’ NetFlow, augmenting traditional network visibility with rich, contextual data.

Ziften’s patented ZFlow™ provides network flow details from data generated at the endpoint, otherwise obtained by brute force (human labor) or expensive network appliances.

ZFlow serves as a “connective tissue” of sorts, extending and completing the end-to-end network visibility cycle and adding context to on-network, off-network and cloud servers/endpoints, allowing security teams to make faster, better informed and more accurate decisions. In essence, buying Ziften services results in labor cost savings, plus a boost in speed-to-discovery and time-to-remediation, because the technology takes over work otherwise done by people.

For companies moving/migrating to the cloud (as 56% plan to do by 2021, according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unparalleled visibility into cloud servers to better monitor and secure the complete infrastructure.
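The earlier Splunk write-up and the “connective tissue” paragraph above both describe the same enrichment: a flow record (who talked to whom, on which ports, how many bytes) joined to what the endpoint knew at that moment (the process, its binary hash and path, the logged-in user). The following is an added example of that join, written for this page and not Ziften’s ZFlow code. The flow and agent records are constructed; field names follow Splunk CIM Network Traffic naming where one exists (src, src_port, dest, dest_port, transport, user), and the process_* fields are illustrative extensions. The one non-obvious point it shows is why the join must be on time as well as on IP:port: ephemeral ports get reused, so a flow seen minutes later on the same port may belong to a different process entirely.

```python
"""Enrich NetFlow-style records with endpoint process/user telemetry.

Added example, not Ziften's ZFlow code. Field names follow Splunk CIM
Network Traffic naming where one exists (src, src_port, dest, dest_port,
transport, user); process_* fields are illustrative extensions. All data
below is constructed; timestamps are epoch seconds.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    src_port: int
    dest: str
    dest_port: int
    transport: str
    bytes_out: int


@dataclass(frozen=True)
class SocketObs:
    """One local socket as reported by the endpoint agent, with the owning
    process and the interactive user. closed=None means still open."""
    host: str
    ip: str
    local_port: int
    opened: int
    closed: Optional[int]
    pid: int
    process_name: str
    process_path: str
    process_hash: str
    user: str


# Constructed flow export: port 49152 on 10.1.1.5 is used twice, minutes apart.
FLOWS = [
    Flow(1700000010, "10.1.1.5", 49152, "93.184.216.34", 443, "tcp", 1200),
    Flow(1700000300, "10.1.1.5", 49152, "198.51.100.77", 443, "tcp", 65000),
    Flow(1700000020, "10.1.1.9", 51000, "203.0.113.8", 8080, "tcp", 400),
]

# Constructed agent telemetry. Nothing is reported for 10.1.1.9 (no agent).
SOCKETS = [
    SocketObs("WS-0417", "10.1.1.5", 49152, 1700000005, 1700000060, 4120,
              "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "a1" * 32, "CORP\\alice"),
    SocketObs("WS-0417", "10.1.1.5", 49152, 1700000290, None, 7788,
              "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
              "b2" * 32, "CORP\\alice"),
]


def attribute_flow(flow, sockets):
    """Return the socket observation that owned flow.src:flow.src_port when
    the flow was seen, or None. The time window matters: ephemeral ports are
    reused, so IP:port alone would pin the second flow on chrome.exe."""
    for s in sockets:
        if s.ip != flow.src or s.local_port != flow.src_port:
            continue
        if s.opened <= flow.ts and (s.closed is None or flow.ts <= s.closed):
            return s
    return None


def enrich(flows, sockets):
    """Produce one flat record per flow, ready to index as key=value events."""
    records = []
    for f in flows:
        rec = {"_time": f.ts, "src": f.src, "src_port": f.src_port,
               "dest": f.dest, "dest_port": f.dest_port,
               "transport": f.transport, "bytes_out": f.bytes_out}
        s = attribute_flow(f, sockets)
        rec["attributed"] = s is not None
        for field in ("host", "pid", "process_name", "process_path",
                      "process_hash", "user"):
            rec[field] = getattr(s, field) if s else None
        records.append(rec)
    return records


def find_suspicious(records, known_good_hashes):
    """Flag flows whose binary is not known-good, and flows that could not be
    attributed at all (a source with no telemetry is itself a finding)."""
    hits = []
    for r in records:
        if not r["attributed"]:
            hits.append((r, "no endpoint telemetry for " + r["src"]))
        elif r["process_hash"] not in known_good_hashes:
            hits.append((r, f"unknown binary {r['process_name']} at {r['process_path']}"))
    return hits


def to_kv(rec):
    """Splunk-friendly key=value line; values containing spaces are quoted."""
    parts = []
    for k, v in rec.items():
        v = "" if v is None else str(v)
        parts.append(f'{k}="{v}"' if " " in v else f"{k}={v}")
    return " ".join(parts)


if __name__ == "__main__":
    enriched = enrich(FLOWS, SOCKETS)
    for rec in enriched:
        print(to_kv(rec))
    for rec, why in find_suspicious(enriched, {"a1" * 32}):
        print("ALERT:", why, "->", rec["dest"], rec["dest_port"])
```

Plain NetFlow shows two unremarkable HTTPS sessions from the same workstation. The enriched record shows that the second, 65 KB one was sent by an `svchost.exe` running out of a user’s Temp directory under an unknown hash, which is the detail a SOC analyst would otherwise have to obtain by walking over to the machine.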

In Google’s environment, only corporate-owned devices (COPE) are allowed, crowding out bring-your-own-device (BYOD). This works for a company like Google that can issue new devices to all staff: smartphone, tablet, laptop and so on. Part of the reason is the vesting of identity in the device itself, plus user authentication as usual. The device must meet Google requirements, having either a TPM or a software equivalent of a TPM to hold the X.509 certificate used to validate device identity and to facilitate device-specific traffic encryption. There must be one or more agents on each endpoint to validate the device attestations called out in the access policy, which is where Ziften would need to partner with the systems management agent vendor, since agent cooperation is likely essential to the process.


In summary, Google has built a world-class solution, but its applicability and usefulness are limited to organizations like Alphabet.

Ziften brings the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint) and a best-in-class console. For organizations with specialized needs or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment data ingestion and trigger response actions).

This brings the benefits of the BeyondCorp model to the masses while conserving network bandwidth and endpoint (machine) computing resources. As organizations will be slow to move completely away from the corporate network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is increasingly shifting to managed detection and response (MDR). Managed security service providers (MSSPs) offer basic monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is inadequate. They lack the skills and the technology.

Ziften’s solution has been evaluated, integrated, approved and deployed by a number of the emerging MDRs, demonstrating the standardization (capability) and versatility of the Ziften platform to play a key role in remediation and incident response.