Charles Leaver – Follow These Guidelines For Security And Risk Management

Written By Roark Pollock And Presented By Charles Leaver Ziften CEO


Risk management and security management have long been handled as separate functions, often performed by separate groups within an organization. The recognition that continuous visibility and control across all assets is required has increased interest in finding common ground between these disciplines, and the availability of a new generation of tools is enabling that effort. This discussion is especially timely given the ongoing difficulty most enterprises have in attracting and retaining qualified security staff to manage and protect IT infrastructure. Consolidating these activities can help organizations make better use of these critical personnel, reduce costs, and automate response.

Historically, risk management has been viewed as an offensive mandate, and it is typically the domain of IT operations teams. Sometimes described as "systems management", IT operations teams actively perform device state and posture monitoring, policy enforcement, and vulnerability management. The objective is to proactively reduce potential threats. Activities that reduce risk and that are carried out by IT operations include:

Offensive Risk Mitigation – Systems Management

Asset discovery, inventory, and refresh

Software discovery, usage tracking, and license justification

Mergers and acquisitions (M&A) risk assessments

Cloud workload migration, monitoring, and enforcement

Vulnerability assessments and patch installation

Proactive helpdesk or systems analysis and issue response / repair

On the other side of the field, security management is viewed as a defensive game, and it is typically the domain of security operations teams. These teams are generally responsible for threat detection, incident response, and remediation. The objective is to respond to a threat or a breach as quickly as possible in order to minimize the impact on the organization. Activities that fall squarely under security management and are carried out by security operations include:

Defensive Security Management – Detection and Response

Threat detection and/or threat hunting

User behavior monitoring / insider threat detection and/or hunting

Malware analysis and sandboxing

Incident response and threat containment / removal

Lookback forensic investigations and root cause determination

Tracing lateral threat movement, and further threat removal

Data exfiltration determination

Successful businesses, of course, have to play both offense AND defense equally well. This need is driving organizations to recognize that IT operations and security operations must be as aligned as possible. Therefore, as far as possible, it helps if these two teams are playing from the same playbook, or at least working from the same data or single source of truth. This means both groups should aim to use some of the same analytic and data collection tools and approaches when it comes to managing and protecting their endpoint systems. And if a company relies on the same staff for both jobs, it certainly helps if those individuals can pivot between both tasks within the same tools, working from a single data set.

Each of these offensive and defensive tasks is important to protecting an organization's intellectual property, reputation, and brand. In fact, managing and prioritizing these tasks is what typically keeps CIOs and CISOs up at night. Organizations should identify opportunities to align and consolidate teams, technologies, and policies as much as possible to ensure they are focused on the most pressing need along the risk and security management spectrum.

When it comes to managing endpoint systems, it is clear that companies are moving toward an "all the time" visibility and control model that permits continuous risk assessment, continuous threat monitoring, and even continuous performance management.

Therefore, companies should look for these three key capabilities when evaluating new endpoint security investments:

Solutions that provide "all the time" visibility and control for both IT operations teams and security operations teams.

Solutions that offer a single source of truth that can be used both offensively for risk management and defensively for security detection and response.

Architectures that easily integrate into existing systems management and security tool ecosystems to provide even greater value for both IT and security teams.

Charles Leaver – The Ziften Experience Of Blackhat And Defcon 2017

Written by Michael Vaughn And Presented By Ziften CEO Charles Leaver


These are my experiences from Black Hat 2017. There is a slight change in approach for 2017's summary. It is in part because of the theme of the opening presentation given by Facebook's Chief Security Officer, Alex Stamos. Stamos projected the importance of refocusing the security community's efforts on working better together and diversifying security services.

"Working better together" seems an oxymoron when looking at the mass competition among hundreds of security businesses vying for clients throughout Black Hat. Based on Stamos's message during the opening keynote this year, I felt it important to include some of my experiences from Defcon too. Defcon has historically been an event for learning and includes independent hackers and security experts. Last week's Black Hat theme concentrated on the social aspect of how businesses should get along and genuinely help others and each other, which has always been the overarching message of Defcon.

People checked in from around the world last week:

Jeff Moss, aka 'Dark Tangent', the founder of Black Hat and Defcon, also wants that to be the theme: plan to help people gain knowledge and learn from others. Moss wants participants to remain 'nice' and 'helpful' throughout the conference. That is on par with what Alex Stamos from Facebook conveyed in his presentation about security businesses. Stamos asked that we all share in the responsibility of helping those who cannot help themselves. He also raised another valid point: are we doing enough in the security industry to really help people, rather than just doing it to make money? Can we accomplish the goal of truly helping people? Such is the juxtaposition of the two events. The main difference between Black Hat and Defcon is the more corporate consistency of Black Hat (from vendor hall to the talks) versus the true hacker community at Defcon, which showcases the creative side of what is possible.

The organization I work for, Ziften, provides Systems and Security Operations software, offering IT and security teams visibility and control across all endpoints, on or off the corporate network. We also have a pretty sweet sock game!

Many attendees displayed their Ziften support by wearing previous years' Ziften sock designs. Looking good, feeling good!

The idea of joining forces to fight against the corrupt is something most attendees from around the world embrace, and we are no different. Here at Ziften, we strive to genuinely help our customers and the community with our solutions. Why provide or depend on a solution that is limited to just what's inside the box? One that provides a single function or a handful of specific functions? Our software is a platform for integration and offers modular, individualized security and operational solutions. The entire Ziften team takes the creativity from Defcon, and we push ourselves to try and build new, custom functions and forensic tools that traditional security businesses would shy away from, or simply be too consumed by everyday tasks to attempt.

Delivering continuous visibility and control for any asset, anywhere is one of Ziften's primary focuses. Our unified systems and security operations (SysSecOps) platform empowers IT and security operations teams to rapidly fix endpoint problems, reduce overall risk posture, speed threat response, and boost operational efficiency. Ziften's secure architecture provides continuous, streaming endpoint monitoring and historical data collection for businesses, governments, and managed security providers. And staying with 2017's Black Hat theme of working together, Ziften's partner integrations extend the value of incumbent tools and fill the gaps between siloed systems.

The press is not permitted to take photos of the Defcon crowd, but I am not the press and this was before entering a badge-required area :P The Defcon masses and goons (Defcon mega-bosses wearing red t-shirts) were at a standstill for a solid twenty minutes waiting for initial access to the four enormous Track conference rooms on opening day.

The Voting Machine Hacking Village gained a lot of attention at the event. It was fascinating but nothing new for veteran attendees. I suppose it takes something notable to gather attention around specific vulnerabilities. All vulnerabilities for the majority of the talks, and especially this village, had already been disclosed to the proper authorities before the event. Let us know if you need help locking down one of these (looking at you, government folks).

More and more personal data is becoming available to the public. For instance, the Google and Twitter APIs are easily and publicly available to query user data metrics. This data is making it easier for hackers to social engineer targeted attacks on individuals, and especially people of power and rank, like judges and executives. This presentation, entitled Dark Data, showed how a simple yet brilliant de-anonymization algorithm and some data enabled these two white hats to identify people with extreme precision and reveal very personal information about them. This should make you think twice about what is installed on your systems and on those of the people in your office. The majority of the above raw metadata was collected through a popular browser add-on. The fine tuning came from the algorithm and public APIs. Do you know exactly what browser add-ons are running in your environment? If the answer is no, then Ziften can help.

This presentation was plainly about exploiting Point-of-Sale systems. Although rather funny, it was a little scary how quickly one of the most commonly used POS systems could be hacked. This particular POS hardware is most commonly used when paying in a taxi. The base operating system is Linux, and although it runs on an ARM architecture and is protected by sturdy firmware, why would a company risk leaving the security of customer credit card details solely up to the hardware vendor? If you are looking for extra protection on your POS systems, then look no further than Ziften. We secure the most commonly used business operating systems. If you want to do the fun thing and install the game Doom on one, I can send you the slide deck.

This presenter's slides were off the charts outstanding. What wasn't outstanding was how exploitable macOS is during the installation process of common applications. Basically, each time you install an application on a Mac, it requires you to grant elevated privileges. But what if something were to slightly modify code a moment before you enter your Administrator credentials? Well, most of the time, probably something bad. Worried about your Macs running malware clever enough to find and modify code in common vulnerable applications before you or your users enter credentials? If so, we at Ziften Technologies can help.

We help you without replacing all of your toolset, although we often find ourselves doing just that. Our aim is to use the recommendations and existing tools that work from numerous vendors, ensure they are installed and running, ensure the prescribed hardening is indeed intact, and ensure your operations and security teams work more effectively together to achieve a tighter security posture across your environment.

Key Takeaways from Black Hat & Defcon 2017:

1) Stronger together

– Alex Stamos's keynote
– Jeff Moss's message
– Visitors from around the world working together
– Black Hat should preserve a friendly community spirit

2) Stronger together with Ziften

– Ziften plays well with other software vendors

3) Popular current vulnerabilities Ziften can help prevent and fix

– Point-of-Sale access
– Voting machine tampering
– Escalating macOS privileges
– Targeted individual attacks

Charles Leaver – Can You Believe Hackers Can Get Into Your Device Via Your Movie Subtitles Package?

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Do you like watching movies with popular apps like Kodi, SmartTV or VLC on your devices? How about needing or wanting subtitles with those movies and just getting the latest pack from OpenSubtitles? No problem, sounds like a good evening at home. The problem is, according to research by Check Point, you could be in for a nasty surprise.

For cyber criminals to take control of your 'world', they need a vector, some way to get entry to your system. There are some common ways that happens nowadays, such as clever (and not so clever) social engineering tricks: getting emails that appear to come from friends or co-workers but were spoofed, and you opened an attachment, or went to some website and, if the stars lined up, you were pwned. Usually the star alignment part is not that hard; it only requires that you have some vulnerable software running that can be reached.

Because the technique relies on getting users to cooperate, the target audience can sometimes be hard to reach. But with this latest research published, many of the major media players have a particular vulnerability when it comes to fetching and parsing subtitle packages. The four main media players listed in the post are patched to date, but as we have seen in the past (just look at the recent SMB v1 vulnerability problem), just because a fix is available doesn't mean that users are updating. The research has also omitted the technical details of the vulnerability to allow other vendors time to patch. That is a good sign and the proper approach I believe researchers should take: inform the vendor so they can fix the issue, and also disclose it publicly so 'we the people' are notified and know what to look out for.

It's hard to keep up with the multiple ways you can get infected, but at least we have researchers who relentlessly try to 'break' things to discover those vulnerabilities. By following proper disclosure practices, they help everyone enjoy a safer experience with their devices, and in this scenario, a great night in watching movies.

Charles Leaver – No Integration Worries About Your Existing Security Infrastructure And Ziften Endpoint Products

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


Security professionals are by nature a careful bunch. Cautiousness is a trait most people probably have coming into this industry given its mission, but it's also surely a trait that is acquired over time. Paradoxically, this is true even when it comes to adding additional security controls to an already established security architecture. While one might assume that more security is better security, experience teaches us that's not always the case. There are in fact various concerns associated with deploying a new security product. One that usually appears near the top of the list is how well a new product integrates with existing products.

Integration concerns come in a number of flavors. Most importantly, a new security control should not break anything. But additionally, new security products need to willingly share threat intelligence and act on threat intelligence gathered across a company's whole security infrastructure. To put it simply, the new security tools ought to work together with the existing ecosystem of tools in place such that "1 + 1 = 3". The last thing that most security and IT operations teams need is more siloed products / tools.

This is why, at Ziften, we have always concentrated on developing and providing an entirely open visibility architecture. We believe that any new systems and security operations tools have to be built with enhanced visibility and information sharing as essential design requirements. However, this isn't a one-way street. Creating simple integrations requires technology partnerships between industry vendors. We consider it our duty to work with other technology companies to mutually integrate our products, thereby making it easy on customers. Regrettably, many vendors still think that integration of security products, especially new endpoint security products, is extremely difficult. I hear the concern constantly in customer discussions. However, information is now appearing showing this isn't always the case.

In recent survey work by NSS Labs on "advanced endpoint" products, they report that Global 2000 customers based in the United States and Canada have been pleasantly surprised by how well these kinds of products integrate into their already established security architectures. According to the NSS research titled "Advanced Endpoint Protection – Market Analysis and Survey Results CY2016", which NSS subsequently presented in the BrightTalk webinar below, respondents that had already deployed advanced endpoint products were much more positive about their ability to integrate into existing security architectures than were respondents that were still in the planning stages of purchasing these products.

Specifically, respondents that have already deployed advanced endpoint products rank integration with already established security architectures as follows:

● Excellent 5.3%
● Good 50.0%
● Average 31.6%
● Poor 13.2%
● Terrible 0.0%

Compare that to the more conservative responses from those still in the planning stage:

● Excellent 0.0%
● Good 39.3%
● Average 42.9%
● Poor 14.3%
● Terrible 3.6%

These responses are encouraging. Yes, as noted, security folks tend to be pessimists, but in spite of low expectations, respondents are reporting positive outcomes with respect to integration experiences. In fact, Ziften customers generally display the same initial low expectations when we first discuss integrating Ziften products into their existing ecosystem. But in the end, customers are wowed by how easy it is to share information between Ziften products and their existing infrastructure.

These survey results will hopefully help ease concerns, as newer product adopters tend to read and rely on peer recommendations before making purchase decisions. Early mainstream adopters are clearly having success deploying these products, which will hopefully help to reduce the natural cautiousness of the true mainstream.

Certainly, there is substantial differentiation between products in the space, and organizations ought to continue to perform appropriate due diligence in understanding how and where products integrate into their broader security architectures. But the good news is that there are products not only satisfying the needs of customers, but actually outperforming their initial expectations.

Charles Leaver – The Petya Variant Flaw Does Not Cause Ziften Customers Any Trouble

Written By Josh Harriman And Presented By Charles Leaver Ziften CEO


Another outbreak, another headache for those who were not prepared. While this latest attack is similar to the earlier WannaCry threat, there are some differences in this latest malware, which is a variant or new strain much like Petya. Named NotPetya by some, this strain causes a lot of problems for anyone who encounters it. It may encrypt your data, or make the system totally unusable. And now the email address that you would be required to contact to 'maybe' decrypt your files has been taken down, so you're out of luck getting your files back.

Lots of details on the actions of this threat are publicly available, but I wanted to note that Ziften customers are protected from both the EternalBlue exploit, which is one mechanism used for its propagation, and, better still, by an inoculation based on a possible flaw, or its own kind of debug check, that prevents the threat from ever running on your system. It could still spread within the environment, but our protection would already be rolled out to all existing systems to halt the damage.

Our Ziften extension platform allows our customers to have protection in place against specific vulnerabilities and malicious actions for this threat and others like Petya. Besides the specific actions taken against this particular variant, we have taken a holistic approach to stopping specific strains of malware that conduct various 'checks' against the system prior to executing.

We can also use our Search capability to look for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can look for those programs, their command lines, and their usage. Even though they are legitimate processes, their use is generally unusual and can be alerted on.
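The search described above, as an added example rather than Ziften's own code: a small detector run over constructed, Sysmon-style process-creation records that flags WMIC remote process creation (/node: ... process call create), PsExec launched against a remote host, and the PSEXESVC service binary that PsExec installs on the target side. Because attackers often copy and rename PsExec, the rule also recognises a renamed copy by the shape of its arguments (a bare \\host target plus the -accepteula/-s/-d/-c flags). The field names, host names, paths and command lines are assumptions made for the illustration.

```python
"""Flag WMIC / PsExec remote-execution usage in process-creation telemetry.

Added example, not Ziften's code. Event fields, hosts, paths and command
lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str           # endpoint that reported the event
    user: str
    image: str          # full path of the created process
    command_line: str
    parent_image: str


WMIC_NODE = re.compile(r'/node:\s*"?(?P<target>[^"\s,]+)', re.I)
WMIC_CREATE = re.compile(r'\bprocess\s+call\s+create\b', re.I)
# A bare \\host token (not a \\server\share UNC path) is PsExec's target syntax.
REMOTE_HOST = re.compile(r'(?<![\w\\])\\\\(?P<target>[\w.\-]+)(?![\w\\])')
PSEXEC_NAMES = {'psexec.exe', 'psexec64.exe'}
PSEXEC_FLAGS = {'-accepteula', '-s', '-d', '-c'}   # argument shape of a renamed copy


def _basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[Tuple[str, str]]:
    """Return (finding, remote_target) or None for an unremarkable event."""
    name = _basename(ev.image)
    cl = ev.command_line
    if name == 'wmic.exe':
        node = WMIC_NODE.search(cl)
        if node and WMIC_CREATE.search(cl):
            return ('wmic_remote_process_create', node.group('target'))
        return None                      # local wmic queries are routine admin noise
    if name == 'psexesvc.exe':
        return ('psexec_service_installed', ev.host)   # target-side artefact
    remote = REMOTE_HOST.search(cl)
    if remote is None:
        return None
    tokens = {t.lower() for t in cl.split()}
    if name in PSEXEC_NAMES or (tokens & PSEXEC_FLAGS):
        return ('psexec_remote_exec', remote.group('target'))
    return None


def scan(events: List[ProcEvent]) -> List[dict]:
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({'host': ev.host, 'user': ev.user, 'finding': hit[0],
                             'target': hit[1], 'command_line': ev.command_line})
    return findings


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcEvent('WS-01', 'CORP\\alice', r'C:\Windows\System32\wbem\WMIC.exe',
              r'wmic /node:"10.0.0.25" /user:"CORP\svc_backup" process call create '
              r'"cmd.exe /c C:\Windows\Temp\run.bat"', r'C:\Windows\System32\cmd.exe'),
    ProcEvent('WS-01', 'CORP\\alice', r'C:\Windows\System32\wbem\WMIC.exe',
              'wmic os get caption,version', r'C:\Windows\System32\cmd.exe'),
    ProcEvent('WS-01', 'CORP\\alice', r'C:\Tools\PsExec.exe',
              r'PsExec.exe \\10.0.0.26 -accepteula -s -d cmd.exe /c C:\Windows\Temp\run.bat',
              r'C:\Windows\System32\cmd.exe'),
    ProcEvent('WS-03', 'CORP\\bob', r'C:\Temp\svc.exe',          # renamed PsExec copy
              r'svc.exe \\10.0.0.27 -accepteula -s -d cmd.exe /c C:\Windows\Temp\run.bat',
              r'C:\Windows\System32\rundll32.exe'),
    ProcEvent('WS-02', 'NT AUTHORITY\\SYSTEM', r'C:\Windows\PSEXESVC.exe',
              r'C:\Windows\PSEXESVC.exe', r'C:\Windows\System32\services.exe'),
    ProcEvent('WS-04', 'CORP\\carol', r'C:\Windows\System32\robocopy.exe',
              r'robocopy \\fileserver\share C:\data /s', r'C:\Windows\System32\cmd.exe'),
]

if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['finding']} -> {f['target']}: {f['command_line']}")
```

The robocopy line shows why the PsExec rule must not fire on every UNC path: only a bare \\host token counts as a remote-execution target, and a legitimate file copy to \\server\share is left alone. In a real deployment, tune the flag set and add an allow-list for the few admin hosts where PsExec use is expected.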

With WannaCry, and now NotPetya, we expect to see a continued increase in these kinds of attacks. The release of the recent NSA exploits has given ambitious cyber criminals the tools needed to push out their products. And though ransomware threats can be a high-value commodity vehicle, more damaging threats could be launched. It has always been 'how' to get the threat to spread (worm-like, or through social engineering) that is most difficult for them.

Charles Leaver – Attack On UK Parliament Email System Highlights Insecurities

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


In the online world the sheep get shorn, chumps get chewed, dupes get duped, and pawns get pwned. We've seen another great example of this in the recent attack on the United Kingdom Parliament email system.

Rather than admit to an email system that was not secure by design, the official statement read:

Parliament has strong procedures in place to secure all our accounts and systems.

Yeah, right. The one protective measure we did see in action was blame deflection: the Russians did it, that always works, while blaming the victims for their policy violations. While details of the attack are limited, combing various sources does help to piece together at least the gross scenario. If these accounts are reasonably close, the UK Parliament email system failings are atrocious.

What failed in this scenario?

Relying on single-factor authentication

"Password security" is an oxymoron: anything protected by a password alone is insecure, period, irrespective of the strength of the password. Please, no 2FA here, it might hinder attacks.

Not imposing any limit on failed login attempts

Facilitated by single-factor authentication, this enables simple brute force attacks, no skill required. But when breached, blame elite state-sponsored hackers; nobody can verify.

Not performing brute force attack detection

Allow attackers to perform (otherwise trivially detectable) brute force attacks for extended periods (12 hours against the United Kingdom Parliament system), maximizing the scope of account compromise.

Not enforcing policy, treating it as merely advice

Combined with single-factor authentication, no limit on failed logins, and no brute force detection, don't impose any password strength validation. Provide attackers with very low-hanging fruit.

Relying on anonymous, unencrypted email for sensitive communications

If attackers do succeed in compromising email accounts or sniffing your network traffic, give them plenty of opportunity to harvest high-value message content completely unobstructed. This also conditions constituents to trust easily spoofable email from Parliament, creating a perfect constituent phishing environment.
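The two missing controls called out above (a limit on failed logins, and detection of a brute force campaign that runs for hours) are cheap to implement. The following is an added example, not code from the post or from any Parliament system: a server-side lockout gate that refuses further attempts on an account after too many recent failures (even when the next guess is correct), and a SOC-side detector over constructed auth-log lines with two rules per source address, a burst rule for fast guessing and a sustained rule that catches a low-and-slow 12-hour campaign the burst rule never sees. The log format, addresses, thresholds and windows are assumptions for the illustration.

```python
"""Failed-login lockout and brute-force detection.

Added example, not the post's or any Parliament system's code. Log format,
addresses, thresholds and windows are assumptions; tune to your baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r'^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$')


def parse(line):
    """Parse one constructed auth-log line into a dict (timestamp as datetime)."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f'unparseable line: {line!r}')
    d = m.groupdict()
    d['ts'] = datetime.fromisoformat(d['ts'].rstrip('Z'))
    return d


class LoginGate:
    """Server-side control: lock an account after max_failures within window.

    While locked, even a correct password is refused, which turns guessing
    from free and silent into slow and noisy.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}

    def attempt(self, user, ts, password_correct):
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return 'LOCKED'
        if password_correct:
            self.failures[user].clear()
            return 'OK'
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            recent.clear()
            return 'LOCKED'
        return 'FAILED'


def detect_bruteforce(lines, burst=20, burst_window=timedelta(minutes=10), sustained=100):
    """SOC-side detection over log lines, independent of the server's own policy."""
    recent, total, alerts = defaultdict(deque), defaultdict(int), {}
    for ev in map(parse, lines):
        if ev['event'] != 'LOGIN_FAILED':
            continue
        src, ts = ev['src'], ev['ts']
        total[src] += 1
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > burst_window:      # sliding window per source
            q.popleft()
        if len(q) >= burst and src not in alerts:
            alerts[src] = f'burst: {len(q)} failures in {burst_window} ending {ts}'
    for src, n in total.items():                   # whole-period count per source
        if n >= sustained and src not in alerts:
            alerts[src] = f'sustained: {n} failures over the period'
    return alerts


def build_sample_log():
    """Constructed log: a fast guesser, a slow 12-hour guesser, and one real user."""
    t0 = datetime(2017, 6, 23, 22, 0, 0)
    users = ['jsmith', 'mjones', 'ahall', 'rpatel']
    lines = []
    for i in range(30):                              # 30 failures in 10 minutes
        lines.append(f'{(t0 + timedelta(seconds=20 * i)).isoformat()}Z LOGIN_FAILED '
                     f'user={users[i % 4]} src=203.0.113.9')
    for i in range(144):                             # one failure every 5 min for 12 h
        lines.append(f'{(t0 + timedelta(minutes=5 * i)).isoformat()}Z LOGIN_FAILED '
                     f'user={users[i % 4]} src=198.51.100.7')
    lines += [f'{(t0 + timedelta(minutes=3)).isoformat()}Z LOGIN_FAILED user=ahall src=192.0.2.10',
              f'{(t0 + timedelta(minutes=4)).isoformat()}Z LOGIN_OK user=ahall src=192.0.2.10']
    return sorted(lines)


def demo_lockout():
    """Five wrong guesses, then the right password: still refused until the lockout expires."""
    gate = LoginGate()
    t0 = datetime(2017, 6, 23, 22, 0, 0)
    results = [gate.attempt('jsmith', t0 + timedelta(seconds=10 * i), False) for i in range(5)]
    results.append(gate.attempt('jsmith', t0 + timedelta(seconds=60), True))
    results.append(gate.attempt('jsmith', t0 + timedelta(minutes=31), True))
    return results


if __name__ == '__main__':
    print(demo_lockout())
    for src, why in detect_bruteforce(build_sample_log()).items():
        print(src, why)
```

Neither rule replaces the other: the lockout stops a guess from succeeding, while the detector tells the defenders it is happening, and the sustained rule is what would have surfaced a campaign paced to stay under a short-window threshold. Both key on a single account or a single source, so a campaign spread across many addresses and many accounts still needs a per-account or organisation-wide view on top.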

Lessons learned

In addition to adding "Common Sense for Dummies" to their summer reading lists, the UK Parliament email system administrators may want to take further action. Strengthening weak authentication practices, enforcing policies, enhancing network and endpoint visibility with continuous monitoring and anomaly detection, and completely reassessing secure messaging are recommended actions. Penetration testing would have revealed these foundational weaknesses while staying far from media attention.

Even a few sharp high schoolers with a free weekend could have replicated this breach. And lastly, stop blaming Russia for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some cyber criminal somewhere across the global internet. All the more incentive to discover and fix those weaknesses before the attackers do, so get started immediately. Then, if your defenders can't see the attacks in progress, upgrade your monitoring and analytics.

Charles Leaver – Closer Working Of IT And Security Using SysSecOps

Written By Charles Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with numerous companies, he recognized that one of the biggest challenges is that security and operations are two different departments, with drastically different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, recently completed a study, "Endpoint Security and SysSecOps: The Growing Trend to Build a More Secure Business", where one of the key findings was that conflicting IT and security objectives hamper professionals, on both teams, from achieving their goals.

That's exactly what we believe at Ziften, and the term that Scott coined to describe the convergence of IT and security in this domain, SysSecOps, describes perfectly what we've been talking about. Security teams and IT teams need to get on the same page. That means sharing the same goals, and in some cases, sharing the same tools.

Consider the tools that IT people use. The tools are designed to ensure the infrastructure and end devices are working properly and, when something fails, to help them repair it. On the endpoint side, those tools help make sure that devices allowed onto the network are configured properly, have software that's authorized and properly updated/patched, and have not registered any faults.

Think about the tools that security folks use. They work to enforce security policies on devices, infrastructure, and security apparatus (like firewalls). This might include actively monitoring events, scanning for abnormal behavior, examining files to ensure they don't contain malware, adopting the latest threat intelligence, matching against newly discovered zero-days, and performing analysis on log files.

Finding fires, fighting fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, can work quickly to isolate the problem, and figure out if damage occurred (like data exfiltration). The IT teams are the firefighters on the ground: they jump into action when an incident strikes to ensure that the systems are secured and brought back into operation.

Sounds great, doesn't it? Unfortunately, all too often, they don't talk to each other. It's like having the fire spotters and firefighters using different radios, different jargon, and different city maps. Worse, the teams can't share the same data directly.

Our approach to SysSecOps is to provide both the IT and security teams with the same resources, and that means the same reports, presented in the ways appropriate to each specialist. It's not a dumbing down, it's working smarter.

It's ludicrous to operate any other way. Take the WannaCry outbreak, for instance. On one hand, Microsoft released a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn't install the patch, because they didn't think it was a big deal and didn't talk to security. Security teams didn't know whether the patch was installed, because they don't talk to operations. SysSecOps would have had everyone on the same page, and might have prevented this problem.

Missing data means waste and risk

The inefficient gap between IT operations and security exposes organizations to risks. Preventable risks. Unnecessary risk. It's simply unacceptable!

If your organization's IT and security teams aren't on the same page, you are incurring risks and costs that you shouldn't have to. It's waste. Organizational waste. It's wasteful because you have many tools providing partial data with gaps, and each of your teams only sees part of the picture.

As Scott concluded in his report, "Collaborated SysSecOps visibility has already proven its worth in assisting companies to examine, analyze, and avoid considerable threats to IT systems and endpoints. If these goals are pursued, the security and management risks to an IT system can be considerably diminished."

If your teams are collaborating in a SysSecOps way, if they can see the same data at the same time, you not only have better security and more effective operations, but also lower risk and lower costs. Our Zenith software can help you achieve that, not only working with your existing IT and security tools, but also filling in the gaps to make sure everyone has the right data at the right time.

Charles Leaver – Ziften And Splunk Are All You Need To Detect And Respond To WannaCry

Written by Joel Ebrahami and presented by Charles Leaver


WannaCry has generated a lot of media attention. It may not have the huge infection rates that we have seen with many of the previous worms, but in today's security world the number of systems it was able to infect in a single day was still rather shocking. The objective of this blog is NOT to offer a detailed analysis of the exploit, but rather to look at how the threat behaves on a technical level with Ziften's Zenith platform and the integration we have with our technology partner Splunk.

Visibility of WannaCry in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research team to see what details they could provide me about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, leads our research team and informed me that they had samples of WannaCry currently running in our 'Red Lab' to look at the behavior of the threat and perform further analysis. Josh sent me the details of what he had discovered when examining the WannaCry samples in the Ziften Zenith console. I present those details herein.

The Red Lab has systems covering all the most common operating systems with different services and configurations. There were already systems in the lab that were purposely vulnerable to the WannaCry threat. The global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble detecting the virus in our lab environment (see Figure 1).

Two lab systems were identified running the malicious WannaCry sample. While it is good to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, there were other behaviors we found that would have identified the ransomware threat even if there had not been a threat signature.

Zenith agents gather a large amount of data on what is happening on each host. From this visibility data, we create non-signature-based detection methods that look for commonly malicious or anomalous behavior. In Figure 2 below, we show the behavioral detection of the WannaCry infection.

Investigating the Breadth of WannaCry Infections

Once detected, either through signature or behavioral methods, it is very easy to see which other systems have also been infected or are showing similar behavior.

Detecting WannaCry with Ziften and Splunk

After reviewing this information, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this example my Zenith server was already set up to integrate with Splunk. This allowed me to look at the same data inside Splunk. Let me explain the integration that exists with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its job is to consume and index ALL the raw data from the Zenith server that the Ziften agents generate. As this data arrives it is mapped into Splunk’s Common Information Model (CIM) so that it can be normalized and easily searched, as well as used by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking action from within Splunk ES. The second app is a dashboard for displaying our data with all the charts and graphs available in Splunk to make absorbing the data much easier.

Since I already had the details on how the WannaCry exploit behaved in our research lab, I had the advantage of knowing exactly what to search for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my “incident responder hat” and investigate this in Splunk using the Zenith agent data. My first idea was to search the systems in my lab for ones running SMB, because that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in different message types, and I knew that I would most likely find SMB data in the running process message type; however, I used Splunk’s * wildcard with the Zenith sourcetype so I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As I expected I received one result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for common CryptoWare behavior and see if I could get results back. Again this was very easy to do from the Splunk search panel. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the ‘delete shadows’ string search to see if this command was ever issued at the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.

Having all this data inside Splunk made it very easy to determine which systems were vulnerable and which systems had already been compromised.

WannaCry Removal Using Splunk and Ziften

One of the next steps in any kind of breach is to remove the compromise as fast as possible to prevent further damage and to act to prevent other systems from being compromised. Ziften is one of the original Splunk Adaptive Response members, and there are a variety of actions (see Figure 7) that can be taken through Splunk’s Adaptive Response to mitigate these risks through extensions on Zenith.

In the case of WannaCry we could have used nearly any of the Adaptive Response actions currently available from Zenith. When looking to minimize the impact and prevent WannaCry in the first place, one action that can be taken is to shut down SMB on any systems running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action Splunk can pass to Zenith the agent IDs or the IP addresses of all the vulnerable systems where we wanted to stop the SMB service, thus preventing the exploit from ever taking place and allowing the IT operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the case that we have already been compromised, it is crucial to prevent further exploitation and stop the possible exfiltration of sensitive data or business intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process by either PID (process ID) or by its hash. This works, but since malware will often just respawn under a new process, or be polymorphic and have a different hash, we can apply an action that is guaranteed to prevent any inbound or outbound traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften’s integration with Splunk ES.
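The hunting steps above (find hosts running SMB, then find command lines containing ‘delete shadows’) and the response choices just described (kill by PID, kill by hash, or network quarantine) can be worked through end to end on a small set of constructed endpoint telemetry. The following is an added example written for this post, not Ziften’s or Splunk’s code: the JSON-lines format, the field names (host, type, name, state, smb1_enabled, eternalblue_patched, cmdline, ppid, parent_sha256) and every value in it are assumptions made for the example, not the Zenith message schema. The two compromised hosts are given different parent-binary hashes on purpose, to show why a kill-by-hash action reaches only one of them while quarantine reaches both.

```python
import json
import re

# Constructed sample telemetry for four lab hosts. Field names and values are
# assumptions made for this example, not Ziften Zenith's real message schema.
# LanmanServer is the Windows SMB server service.
SAMPLE_EVENTS = r"""
{"host": "lab-win7-01", "type": "service", "name": "LanmanServer", "state": "running", "smb1_enabled": true, "eternalblue_patched": false}
{"host": "lab-win7-01", "type": "process", "pid": 2240, "ppid": 2200, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet", "parent_image": "C:\\ProgramData\\sample_ransom.exe", "parent_sha256": "1111aaaa"}
{"host": "lab-win7-02", "type": "service", "name": "LanmanServer", "state": "running", "smb1_enabled": true, "eternalblue_patched": false}
{"host": "lab-win7-02", "type": "process", "pid": 3120, "ppid": 3100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "CMD.EXE /C VSSADMIN DELETE SHADOWS /ALL /QUIET", "parent_image": "C:\\ProgramData\\sample_ransom.exe", "parent_sha256": "2222bbbb"}
{"host": "lab-win10-03", "type": "service", "name": "LanmanServer", "state": "running", "smb1_enabled": true, "eternalblue_patched": false}
{"host": "lab-win10-03", "type": "process", "pid": 880, "ppid": 600, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "parent_sha256": "3333cccc"}
{"host": "lab-win10-04", "type": "service", "name": "LanmanServer", "state": "stopped", "smb1_enabled": false, "eternalblue_patched": true}
{"host": "lab-win10-04", "type": "process", "pid": 912, "ppid": 604, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe", "parent_sha256": "3333cccc"}
"""

# The behavioral indicator the post searches for in Splunk, matched
# case-insensitively so variations in casing do not slip past.
SHADOW_DELETE = re.compile(r"delete\s+shadows", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_shadow_deletion(events):
    """Return {host: [process events]} whose command line deletes shadow copies."""
    hits = {}
    for ev in events:
        if ev.get("type") == "process" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            hits.setdefault(ev["host"], []).append(ev)
    return hits


def find_smb_exposed(events):
    """Hosts with the SMB server running, SMBv1 enabled and the EternalBlue fix absent."""
    return {
        ev["host"]
        for ev in events
        if ev.get("type") == "service"
        and ev.get("name") == "LanmanServer"
        and ev.get("state") == "running"
        and ev.get("smb1_enabled")
        and not ev.get("eternalblue_patched")
    }


def plan_response(events):
    """Map each host to the response the post describes: quarantine hosts that
    show the ransomware behavior (and kill the parent process that launched the
    shadow-copy deletion), disable SMB on hosts that are merely exposed so they
    can be patched first, and leave already-safe hosts alone."""
    compromised = find_shadow_deletion(events)
    exposed = find_smb_exposed(events)
    plan = {}
    for host in sorted({ev["host"] for ev in events}):
        if host in compromised:
            plan[host] = {
                "action": "network_quarantine",
                "kill_pids": sorted({ev["ppid"] for ev in compromised[host]}),
            }
        elif host in exposed:
            plan[host] = {"action": "disable_smb_then_patch"}
        else:
            plan[host] = {"action": "none"}
    return plan


def kill_by_hash_coverage(events, sha256):
    """Compromised hosts a kill-by-hash action for this parent binary would reach.
    A polymorphic variant with a different hash on another host is missed."""
    return {
        host
        for host, evs in find_shadow_deletion(events).items()
        if any(ev.get("parent_sha256") == sha256 for ev in evs)
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, step in plan_response(evs).items():
        print(host, step)
    print("kill-by-hash 1111aaaa reaches:", kill_by_hash_coverage(evs, "1111aaaa"))
    print("quarantine reaches:", set(find_shadow_deletion(evs)))
```

Run as a script, it prints one planned action per host: the two hosts with a ‘delete shadows’ command line get network quarantine plus the parent PID to kill, the unpatched host that is only running SMBv1 gets SMB disabled so it can be patched, and the patched host gets nothing. The last two lines make the post’s point about hash-based kills concrete: the hash of the first sample reaches one host, while quarantine keyed on behavior reaches both.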

WannaCry is currently slowing down, but hopefully this technical blog post shows the value of the Ziften and Splunk integration in dealing with ransomware threats against the endpoint.

Charles Leaver – Now Is The Time For Security Paranoia As HVAC Breach Shows

Written By Charles Leaver Ziften CEO


Whatever you do, do not underestimate cyber criminals. Even the most paranoid “regular” person would not worry about a source of data breaches being stolen credentials from its heating, ventilation and air conditioning (HVAC) contractor. Yet that’s what happened at Target in November 2013. Hackers got into Target’s network using credentials issued to the contractor, probably so they could monitor the HVAC system. (For a good analysis, see Krebs on Security.) And then the hackers were able to leverage the breach to inject malware into point of sale (POS) systems, and then offload payment card details.

A number of ludicrous errors were made here. Why was the HVAC contractor given access to the business network? Why wasn’t the HVAC system on a separate, entirely isolated network? Why wasn’t the POS system on a separate network? And so on.

The point here is that in a really complex network, there are uncounted potential vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the idea.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO’s office. Security professionals aren’t “regular” people. They are hired to be paranoid. Make no mistake, whatever the particular technical vulnerability that was exploited, this was a CISO failure to anticipate the worst and prepare accordingly.

I can’t speak to the Target HVAC breach specifically, but there is one overwhelming reason that breaches like this happen: a lack of financial priority for cybersecurity. I’m not sure how often businesses fail to fund security simply because they’re cheap and would rather do a share buy-back. Or perhaps the CISO is too timid to ask for what’s needed, or has been told that she gets a 5% increase, no matter the need. Perhaps the CEO is worried that disclosures of large allocations for security will alarm shareholders. Perhaps the CEO is simply naïve enough to believe that the enterprise won’t be targeted by hackers. The problem: every organization is targeted by hackers.

There are big competitions over budgets. The IT department wants to fund upgrades and improvements, and attack the backlog of demand for new and improved applications. On the flip side, you have line-of-business leaders who see IT projects as directly helping the bottom line. They are optimists, and have lots of CEO attention.

By contrast, the security department too often has to fight for crumbs. They are seen as a cost center. Security lowers business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputations. These green-eyeshade people think about worst-case scenarios. That doesn’t make friends, and budget dollars are allocated reluctantly at most companies (until the company gets burned).

Call it naivety, call it institutional hostility, but it’s a genuine problem. You can’t have IT given excellent tools to drive the business forward, while security is starved and using second best.

Worse, you don’t want to end up in situations where the rightfully paranoid security teams are dealing with tools that don’t fit together well with their IT counterparts’ tools.

If IT and security tools don’t fit together well, IT may not be able to act quickly on the dangerous situations that the security teams are monitoring or are concerned about: things like reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that indicates dangerous or suspicious activity.

One idea: find tools for both departments that are designed with both IT and security in mind, right from the beginning, rather than IT tools that are patched to offer some minimal security capability. One budget item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO team. Everybody wins, and next time someone wants to give the HVAC contractor access to the network, perhaps security will notice what IT is doing, and head that disaster off at the pass.

Charles Leaver – Don’t Struggle With The WannaCry Ransomware Issue Ziften Can Help

Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO


Answers To Your Concerns About WannaCry Ransomware

The WannaCry ransomware attack has infected more than 300,000 computers in 150 countries so far by exploiting vulnerabilities in Microsoft’s Windows operating system.
In this brief video Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, as well as how Ziften can help organizations protect themselves from the vulnerability known as “EternalBlue.”

As discussed in the video, the problem with this Server Message Block (SMB) file-sharing service is that it is present on many Windows operating systems and found in many environments. However, we make it simple to determine which systems in your environment have or haven’t been patched yet. Importantly, Ziften Zenith can also remotely disable the SMB file-sharing service entirely, giving organizations valuable time to make sure that those machines are properly patched.

If you are curious about Ziften Zenith, our 20 minute demo includes a consultation with our experts on how we can help your organization avoid the worst digital disaster to hit the internet in years.