Endpoints Facing A New Era With Illumination – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

The dissolving of the standard boundary is taking place quickly. So what happens to the endpoint?

Financial investment in border security, as defined by firewall programs, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. Investments are being questioned, with returns not able to overcome the costs and complexity to produce, maintain, and validate these antiquated defenses.

More than that, the paradigm has changed – employees are no longer exclusively working in the workplace. Many individuals are logging time from home or while traveling – neither location is under the umbrella of a firewall system. Instead of keeping the bad guys out, firewalls often have the inverse result – they prevent the authorized people from being efficient. The irony? They produce a safe haven for hackers to breach and conceal for many weeks, then traverse to vital systems.

So Exactly what Has Changed A lot?

The endpoint has actually become the last line of defense. With the above mentioned failure in border defense and a “mobile everywhere” workforce, we need to now enforce trust at the endpoint. Easier stated than done, nevertheless.

In the endpoint space, identity & access management (IAM) tools are not the silver bullet. Even innovative companies like Okta, OneLogin, and cloud proxy suppliers such as Blue Coat and Zscaler can not overcome one simple truth: trust goes beyond simple identification, authentication, and authorization.

File encryption is a 2nd effort at safeguarding entire libraries and specific assets. In the most recent (2016) Ponemon study on data breaches, encryption only conserved 10% of the cost per breached record (from $158 to $142). This isn’t the remedy that some make it appear.

Everything is changing.

Organizations needs to be prepared to welcome new paradigms and attack vectors. While organizations need to supply access to trusted groups and people, they have to address this in a better way.

Crucial business systems are now accessed from anywhere, whenever, not just from desks in business office buildings. And professionals (contingent workforce) are quickly making up over half of the overall business workforce.

On endpoint devices, the binary is primarily the issue. Probably benign events, such as an executable crash, could suggest something simple – like Windows 10 Desktop Manager (DWM) rebooting. Or it might be a much deeper issue, such as a destructive file or early signs of an attack.

Trusted access doesn’t solve this vulnerability. In accordance with the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human aspects. This needs more than simple IAM – it needs behavioral analysis.

Rather than making good much better, perimeter and identity access companies made bad quicker.

When and Where Does the Good Part of the Story Begin?

Taking a step back, Google (Alphabet Corp) revealed a perimeter-less network design in late 2014, and has made considerable progress. Other enterprises – from corporations to federal governments – have actually done this (in silence and less extremely), but BeyondCorp has done this and shown its solution to the world. The design approach, endpoint plus (public) cloud displacing cloistered business network, is the essential concept.

This alters the entire conversation on an endpoint – be it a laptop, desktop, workstation, or server – as subservient to the corporate/enterprise/private/ organization network. The endpoint truly is the last line of defense, and needs to be secured – yet likewise report its activity.

Unlike the standard boundary security model, BeyondCorp doesn’t gate access to tools and services based upon a user’s physical place or the stemming network; instead, access policies are based upon information about a device, its state, and its associated user. BeyondCorp considers both external networks and internal networks to be completely untrusted, and gates access to applications by dynamically asserting and implementing levels, or “tiers,” of access.

By itself, this seems innocuous. But the reality is that this is an extreme new design which is imperfect. The access criteria have actually moved from network addresses to device trust levels, and the network is greatly segmented by VLAN’s, instead of a centralized model with potential for breaches, hacking, and hazards at the human level (the “soft chewy center”).

The good part of the story? Breaching the border is very challenging for prospective cyber attackers, while making network pivoting almost impossible when past the reverse proxy (a typical mechanism used by attackers today – proving that firewalls do a better job of keeping the bad guys in rather than letting the good guys go out). The inverse model further applies to Google cloud servers, probably securely managed, inside the perimeter, versus client endpoints, who are all out in the wild.

Google has actually done some good refinements on proven security approaches, especially to 802.1 X and Radius, bundled it as the BeyondCorp architecture, including strong identity and access management (IAM).

Why is this important? What are the gaps?

Ziften believes in this technique due to the fact that it emphasizes device trust over network trust. Nevertheless, Google doesn’t particularly show a device security agent or stress any form of client-side tracking (apart from very strict setup control). While there may be reporting and forensics, this is something which every company should be knowledgeable about, because it’s a matter of when – not if – bad things will happen.

Considering that carrying out the preliminary stages of the Device Inventory Service, we’ve consumed billions of deltas from over 15 data sources, at a common rate of about three million per day, totaling over 80 terabytes. Keeping historic data is essential in enabling us to comprehend the end-to-end life cycle of a given device, track and examine fleet-wide trends, and perform security audits and forensic investigations.

This is a costly and data-heavy procedure with 2 drawbacks. On ultra-high-speed networks (utilized by organizations such as Google, universities and research companies), ample bandwidth enables this type of communication to occur without flooding the pipes. The very first issue is that in more pedestrian business and government scenarios, this would trigger high user disturbance.

Second, machines must have the horse power to continuously collect and transfer data. While the majority of staff members would be delighted to have existing developer-class workstations at their disposal, the cost of the devices and process of revitalizing them regularly makes this excessive.

An Absence of Lateral Visibility

Very few products actually generate ‘improved’ netflow, enhancing traditional network visibility with abundant, contextual data.

Ziften’s patented ZFlow ™ offers network flow details on data produced from the endpoint, otherwise achieved using brute force (human labor) or expensive network devices.

ZFlow serves as a “connective tissue” of sorts, which extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints, allowing security groups to make quicker and more educated and precise decisions. In essence, buying Ziften services result in a labor cost saving, plus a boost in speed-to-discovery and time-to-remediation due to technology functioning as a replacement for human resources.

For companies moving/migrating to the cloud (as 56% are preparing to do by 2021 according to IDG Enterprise’s 2015 Cloud Survey), Ziften uses unequaled visibility into cloud servers to better monitor and secure the complete infrastructure.

In Google’s environment, just corporate-owned devices (COPE) are enabled, while crowding out bring-your-own-device (BYOD). This works for a business like Google that can distribute new devices to all personnel – smart phone, tablet, laptop computer, and so on. Part of the reason for that is the vesting of identity in the device itself, plus user authentication as usual. The device must satisfy Google requirements, having either a TPM or a software application equivalent of a TPM, to hold the X. 509 cert utilized to validate device identity and to assist in device-specific traffic file encryption. There should be several agents on each endpoint to validate the device validation asserts called out in the access policy, which is where Ziften would need to partner with the systems management agent company, given that it is likely that agent cooperation is vital to the process.


In summary, Google has established a world-class option, however its applicability and usefulness is restricted to organizations like Alphabet.

Ziften uses the same level of operational visibility and security defense to the masses, utilizing a light-weight agent, metadata/network flow monitoring (from the endpoint), and a best-in-class console. For organizations with specialized needs or incumbent tools, Ziften provides both an open REST API and an extension framework (to augment ingestion of data and activating response actions).

This yields the benefits of the BeyondCorp model to the masses, while protecting network bandwidth and endpoint (machine) computing resources. As organizations will be sluggish to move completely away from the business network, Ziften partners with firewall and SIEM suppliers.

Lastly, the security landscape is progressively moving to managed detection & response (MDR). Managed security providers (MSSP’s) offer standard tracking and management of firewall software, gateways and perimeter invasion detection, but this is inadequate. They do not have the skills and the technology.

Ziften’s solution has actually been evaluated, integrated, authorized and executed by a number of the emerging MDR’s, illustrating the standardization (ability) and versatility of the Ziften platform to play a crucial role in removal and event response.

Charles Leaver – Network Security And Adobe Flash Don’t Mix

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

Are you Still Running Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memorandum?

With Independence day looming a metaphor is required: Flash is a bit like lighting fireworks. There might be less dangerous methods to achieve it, but the only sure method is just to avoid it. And with Flash, you needn’t combat pyromaniac surges to abstain from it, simply manage your endpoint configurations.


Why would you wish to do this? Well, performing a Google query for “Flash vulnerability” returns thirteen-million results! Flash is old and finished and overdue for retirement, as Adobe stated themselves:

Today [November 30, 2015], open standards like HTML5 have actually matured and offer much of the abilities that Flash ushered in… Looking ahead, we encourage content creators to build with brand-new web standards…

Run a vulnerability scanner throughout your endpoint population. See any Flash indication? Yes, in the typical business, zillions. Your opponents know that likewise, they are relying on it. Thanks very much for your contribution! Just continue to ignore those annoying security bloggers, like Brian Krebbs:

I would recommend that if you utilize Flash, you need to highly think about removing it, or a minimum of hobbling it until and unless you require it.

Neglecting Brian Krebs’ recommendations raises the possibilities your enterprise’s data breach will be the headline story in one of his future blog posts.



Flash Exploits: the Preferred Exploit Set Active ingredient

The unlimited list of Flash vulnerabilities continues to lengthen with each brand-new patch cycle. Nation state cyber attackers and the much better resourced groups can call upon Flash zero days. They aren’t difficult to mine – launch your fuzz tester against the creaking Flash codebase and view them roll out. If an offending cyber team cannot call upon zero days, not to fret, there are plenty of newly provided Flash Common Vulnerabilities and direct Exposures (CVE) to draw upon, prior to enterprise patch cycles are brought up to date. For exploit set authors, Flash is the present that keeps on giving.

A recent FireEye blog exhibits this common Flash vulnerability development – from virgin zero-day to newly hatched CVE and prime enterprise exploit:

On May 8, 2016, FireEye detected an attack exploiting a previously unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the concern to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 simply 4 days later on (Posted to FireEye Threat Research Blog on May 13, 2016).

As a rapid test then, inspect your vulnerability report for that entry, for CVE-2016-4117. It was used in targeted cyber attacks as a zero-day even before it ended up being a known vulnerability. Now that it is understood, popular exploit packages will locate it. Be sure you are ready.

Start a Flash and QuickTime Removal Project

While we haven’t spoken about QuickTime yet, Apple removed support for QuickTime on Windows in April, 2016. This summarily triggered a panic in corporations with great deals of Apple macOS and Windows clients. Do you remove all support for QuickTime? Including on macOS? Or just Windows? How do you discover the unsupported variations – when there are numerous drifting around?


By not doing anything, you can flirt with catastrophe, with Flash vulnerability direct exposures swarming across your client endpoint environment. Otherwise, you can start a Flash and QuickTime obliteration job to move towards a Flash-free business. Or, wait, possibly you educate your users not to glibly open e-mail attachments or click links. User education, that constantly works, right? I don’t think so.

One issue is that a few of your users have a job function to open attachments, such as PDF invoices to accounts payable departments, or candidate Microsoft Word resumes to recruiting departments, or legal notices sent out to legal departments.

Let’s take a more detailed look at the Flash exploit described by FireEye in the blog pointed out above:

Attackers had embedded the Flash exploit inside a Microsoft Office doc, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the doc and payload. With this configuration, the enemies could share their exploitation via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors created this particular attack for a target using Windows and Microsoft Office.


Even if the Flash-adverse enterprise had completely purged Flash enablement from all their various web browsers, this exploitation would still have actually been successful. To fully eradicate Flash needs purging it from all internet browsers and disabling its execution in embedded Flash objects within Microsoft Office or PDF files. Definitely that is a step that should be taken at least for those departments with a task function to open attachments from unsolicited emails. And extending outwards from there is a worthy configuration solidifying goal for the security conscious business.

Not to mention, we’re all awaiting the first post about QuickTime vulnerability which brings down a major business.


Charles Leaver – Your Organization Needs To Be Aware Of The Dangers Of Ransomware

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Ransomware that is customized to business attack projects has actually emerged in the wild. This is an obvious development of consumer-grade ransomware, fueled by the bigger bounties which businesses are able to pay out paired to the sheer scale of the attack surface area (internet facing endpoints and un-patched software applications). To the attacker, your business is an appealing target with a huge fat wallet simply begging to be knocked over.

Your Company is an Attractive Target

Basic Google queries might currently have determined unpatched internet-facing servers by the scores across your domain, or your credulous users may already be opening “spear phishing” e-mails crafted just for them probably authored by individuals they are familiar with.

The weaponized invoices go to your accounting department, the weaponized legal notifications go to your legal department, the weaponized resumes go to your personnels department, and the weaponized trade publication articles go to your public relations firm. That must cover it, for starters. Add the watering hole drive-by’s planted on market websites often visited by your staff members, the social networks attacks targeted to your crucial executives and their families, the contaminated USB sticks strewn around your facilities, and the compromises of your providers, clients, and company partners.

Enterprise compromise isn’t really an “if” however a “when”– the when is consistent, the who is legion.

Targeted Ransomware Is Here

Malware analysts are now reporting on enterprise-targeted ransomware, a natural advancement in the money making of enterprise cyber invasions. Christiaan Beek and Andrew Furtak explain this in an excerpt from Intel Security Advanced Threat Research study, February 2016:

” Throughout the past few weeks, we have gotten info about a brand-new project of targeted ransomware attacks. Instead of the typical modus operandi (phishing attacks or drive-by downloads that result in automatic execution of ransomware), the cyber attackers acquired relentless access to the victim’s network through vulnerability exploitation and spread their access to any linked systems that they could. On each system, numerous tools were used to find, secure, and delete the initial files as well as any backups.”

Mindful reading of this citation immediately exposes actions to be taken. Initial penetration was by “vulnerability exploitation,” as is often the case. A sound vulnerability management program with tracked and imposed exposure tolerances (measured in days) is obligatory. Considering that the cyber attackers “spread their access to any linked system,” it is also requisite to have robust network segmentation and access controls. Think about it as a water tight compartment on a warship to prevent sinking when the hull is breached. Of unique note, the hackers “delete the original files along with any backups,” so there should be no delete access from a jeopardized system to its backup files – systems need to just have the ability to append to their backups.

Your Backups Are Not Up to Date Are They?

Obviously, there should be current backups of any files that should endure an enterprise intrusion. Paying the ransom is not a reliable alternative considering that any files developed by malware are naturally suspicious and should be considered polluted. Business auditors or regulators can decline files excreted from some malware orifice as lawfully legitimate, the chain of custody having been totally broken. Financial data might have been changed with fraudulent transactions, configuration data may have been interfered with, viruses may have been planted for later re-entry, or the malware file controls might merely have actually had errors or omissions. There would be no chance to place any confidence in such data, and accepting it as legitimate might even more jeopardize all future downstream data reliant upon or stemmed from it. Treat ransomware data as garbage. Either have a robust backup strategy – frequently checked and verified – or prepare to suffer your losses.

What is Your Plan For a Breach?

Even with sound backups privacy of affected data need to be presumed to be breached since it was read by malware. Even with detailed network logs, it would be unwise to show that no data had actually been exfiltrated. In a targeted attack the cyber attackers generally take data stock, reviewing a minimum of samples of the data to assess its potential value – they could be leaving cash on the table otherwise. Data ransom demands might simply be the final monetization phase in an enterprise breach after mining all other worth from the invasion since the ransom demand exposes the compromise.

Have a Thorough Remediation Plan

One must assume that qualified enemies have organized several, cunningly-concealed avenues of re-entry at various staggered time points (well after your crisis team has stood down and costly specialists flown off to their next gig). Any roaming proof left behind was thoroughly staged to misinform investigators and deflect blame. Costly re-imaging of systems should be exceedingly extensive, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBR’s) and volume boot records from scratch. Some ransomware is understood to jeopardize MBR’s.

Likewise, do not assume system firmware has not been compromised. If you can upgrade the firmware, so can hackers. It isn’t really difficult for hacking groups to explore firmware hacking options when their business targets standardize system hardware configurations, allowing a little lab effort to go a long way. The industrialization of cyber crime enables the development and sale of firmware hacks on the dark web to a wider criminal market.

Help Is Readily available With Good EDR Tools

After all of this negativity, there is an answer. When it comes to targeted ransomware attacks, taking proactive steps instead of reactive clean-up is far less unpleasant. A great Endpoint Detection and Response (EDR) tool can assist on both ends. EDR tools are good for identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposing vulnerabilities that they are best removed from the environment (Adobe Flash, for instance). EDR tools are also good at tracking all substantial endpoint events, so that detectives can identify a “patient zero” and track the pivot activity of targeted enterprise-spreading ransomware. Attackers rely on endpoint opacity to assist with concealment their actions from security staff, but EDR is there to make it possible for open visibility of noteworthy endpoint incidents that could indicate an attack in progress. EDR isn’t really limited to the old antivirus convict-or-acquit design, that enables newly remixed attack code to evade AV detection.

Excellent EDR tools are constantly vigilant, always reporting, constantly tracking, available when you require it: now or retroactively. You wouldn’t turn a blind eye to business network activity, so don’t turn a blind eye to business endpoint activity.


Charles Leaver – The Same Things Highlighted In The New Verizon DBIR Report

Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO

The Data Breach Investigations Report 2016 from Verizon Enterprise has been launched examining 64,199 security incidents leading to 2,260 security breaches. Verizon defines an event as compromising the stability, confidentiality, or availability on an info asset, while a breach is a confirmed disclosure of data to an unauthorized party. Because avoiding breaches is far less agonizing than withstanding them Verizon provides numerous areas of controls to be used by security-conscious enterprises. If you don’t care to check out the full 80-page report, Ziften provides this Verizon DBIR analysis with a focus on Verizon’s EDR-enabled suggested controls:

Vulnerabilities Suggested Controls

A solid EDR tool carries out vulnerability scanning and reporting of exposed vulnerabilities, including vulnerability exposure timelines illustrating vulnerability management efficiency. The direct exposure timelines are important because Verizon stresses a systematic technique that highlights consistency and coverage, versus haphazard expedient patching.

Phishing Advised Controls

Although Verizon advises user training to prevent phishing vulnerability, still their data shows almost a third of phishes being opened, with users clicking the link or attachment more than one time in ten. Bad odds if you have at least 10 users! Provided the inescapable click compromise, Verizon recommends putting effort into detection of unusual networking activity a sign of rotating, C2 traffic, or data exfiltration. A sound EDR system will not just track endpoint networking activity, however likewise filter it against network threat feeds recognizing malicious network targets. Ziften exceeds this with our patent-pending ZFlow innovation to enhance network flow data with endpoint context and attribution, so that SOC personnel have essential choice context to quickly solve network alerts.

Web App Attacks Suggested Controls

Verizon recommends multi-factor authentication and monitoring of login activity to avoid compromise of web application servers. A solid EDR service will monitor login activity and will use anomaly inspecting to discover unusual login patterns a sign of jeopardized credentials.

Point-of-Sale Invasions Advised Controls

Verizon advises (and this has actually also been highly suggested by FireEye/Mandiant) strong network segmentation of Point of Sale devices. Again, a solid EDR solution should be tracking network activity (to identify anomalous network contacts). ZFlow in particular is of excellent worth in supplying important decision context for suspicious network activity. EDR solutions will also address Verizon’s suggestion for remote login tracking to Point of Sale devices. Along with this Verizon advises multi-factor authentication, but a strong EDR capability will enhance that with additional login pattern abnormality monitoring (since even MFA can be beaten with MITM attacks).

Insider and Privilege Abuse Advised Controls

Verizon recommends “monitor the heck out of [employee] authorized everyday activity.” Continuous endpoint monitoring by a solid EDR system naturally offers this capability. In Ziften’s case our software tracks user presence time periods and user focus activities while present (such as foreground application usage). Anomaly monitoring can recognize unusual deviations in activity pattern whether a temporal anomaly (i.e. something has altered this user’s normal activity pattern) or whether a spatial anomaly (i.e. this user behavior pattern differs substantially from peer behavior patterns).

Verizon likewise advises tracking use of USB storage devices, which strong EDR systems provide, given that they can serve as a “sneaker exfiltration” route.

Miscellaneous Errors Advised Controls

Verizon suggestions in this area focus on maintaining a record of past mistakes to serve as a warning of errors to avoid in the future. Strong EDR systems do not forget; they keep an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, perhaps after some future occurrence has revealed an intrusion and response groups have to return and “discover patient zero” to unravel the incident and determine where mistakes might have been made.

Physical Theft and Loss Recommended Controls

Verizon recommends (and numerous regulators need) full disk file encryption, specifically for mobile phones. A proper EDR system will confirm that endpoint setups are certified with enterprise file encryption policy, and will inform on violations. Verizon reports that data assets are physically lost one hundred times more often than they are physically stolen, however the effect is essentially the exact same to the impacted business.

Crimeware Suggested Controls

Once again, Verizon stresses vulnerability management and constant thorough patching. As noted above, correct EDR tools recognize and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This reflects a precisely upgraded vulnerability evaluation at any point in time.

Verizon likewise suggests recording malware analysis data in your own business environment. EDR tools do track arrival and execution of new binaries, and Ziften’s product can get samples of any binary present on enterprise endpoints and send them for in-depth static and dynamic analysis by our malware research study partners.

Cyber-Espionage Recommended Controls

Here Verizon specifically calls out usage of endpoint threat detection and response (ETDR) tools, describing the security tool section that Gartner now terms endpoint detection and response (EDR). Verizon also advises a number of endpoint setup hardening steps that can be compliance-verified by EDR tools.

Verizon likewise recommends strong network defenses. We have currently gone over how Ziften ZFlow can greatly improve conventional network flow monitoring with endpoint context and attribution, providing a blend of network and endpoint security that is really end-to-end.

Finally, Verizon recommends monitoring and logging, which is the first thing third party event responders demand when they get on-scene to assist in a breach catastrophe. This is the prime function of EDR tools, because the endpoint is the most frequent entry vector in a major data breach.

Denial-of-Service Attacks Suggested Controls

Verizon recommends handling port access to prevent business assets from being utilized to participate in a DoS attack. EDR systems can track port usage by applications and utilize anomaly checks to recognize unusual application port use that could show compromise.

Enterprise services migrating to cloud companies likewise require defense from DoS attacks, which the cloud supplier may provide. Nevertheless, taking a look at network traffic tracking in the cloud – where the business may not have cloud network visibility – options like Ziften ZFlow offer a method for collecting improved network flow data directly from cloud virtual servers. Do not let the cloud be your network blind spot, or else cyber attackers will exploit this to fly under your radar.


Charles Leaver – Gartner UEBA Report Indicates Behavioral Analytics New Trends

Written By Josh Linder And Presented By Ziften CEO Charles Leaver

The market for enterprise behavioral analytics is developing – once again – to support the security usage case. In the recent Gartner User and Entity Behavior (UEBA) Trends Report, Ziften is excited to be noted as a “Vendor to Watch.” Our company believe that our recognized relationships with threat intelligence feeds and visualization tools shows our addition within this research note.

In the UEBA Market Report, Analysts Eric Ahlm and Avivah Litan explain that there is a possible merging in the innovative risk and analytics markets. The idea of UEBA – which extends user behavioral analytics to now include organizations, business processes, and autonomous devices such as the Internet of Things – requires deep understanding and the ability to react quickly and efficiently.

At Ziften our recognized relationships with risk intelligence feeds and visualization tools shows our addition within this research note. Our platform offers risk detection across different behavior vectors, rather than looking at a single-threaded signature feed. With integrations to orchestration and response systems, Ziften uniquely couples signature-based and behavioral analysis, while bridging the gap from protecting the endpoint to securing the entity. Continuous monitoring from the endpoint – including network flow – is critical to understanding the complete risk landscape and essential for a holistic security architecture.

We applaud Gartner on identifying four areas for security and analytic vendors to concentrate on: User Behavior, Host/App Behavior, Network Habits, and External Communications Habits. We are the only endpoint supplier – today – to monitor both network behavior and external interactions habits. Ziften’s ZFLow ™ utilizes network telemetry to go beyond the standard IPFIX flow data, and augment with Layer 4 and Layer 5 os and user behavior. Our risk intelligence integration – with Blue Coat, iSIGHT Partners, AlienVault and the National Vulnerability Database – is the best in the field. Additionally, our distinct relationship with ReversingLabs provides binary analysis directly within the Ziften administration console.

Eventually, our continuous endpoint visibility service is pivotal in helping to discover behavioral risks that are difficult to correlate without making use of innovative analytics.

Gartner Report

6 additional technology trend takeaways which Gartner readers need to think about:

– Application of Analytics to Finding Breaches Varies
– Data Science for Analytics Technologies Still Emerging
– The Required for Extended Telemetry Drives Analytics Market Merging
– Merging Between Analytics-Based Detection Suppliers and Orchestration/Response Vendors Likely
– SIEM Technologies Positioned to Be Central to Consolidation for Analytics Detection
– Advanced Behavioral Analytics Providers Extending Their Reach to Security Buyers


Gartner does not back any vendor, service or product portrayed in its research publications, and does not advise technology users to pick just those suppliers with the greatest ratings or other classification. Gartner research study publications include the viewpoints of Gartner’s research study organization and must not be construed as declarations of truth. Gartner disclaims all guarantees, expressed or indicated, with respect to this research study, including any warranties of merchantability or fitness for a particular function.


Charles Leaver – These 6 Questions Will Provide Damage Control Before A Cyber Attack

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The reality of modern life is that if cyber assailants wish to breach your network, then it is simply a matter of time before they will be successful. The endpoint is the most typical vector of cyber attacks, and individuals are the greatest point of vulnerability in any company. The endpoint device is where they interact with whatever info that an enemy wants: intellectual property, credentials, cyber ransom, etc. There are new Next Generation Endpoint Security (NGES) systems, of which Ziften is a leader, that supply the required visibility and insight to help minimize or avoid the possibilities or duration of an attack. Methods of prevention consist of reducing the attack area through getting rid of known vulnerable applications, reducing version expansion, killing malicious procedures, and making sure compliance with security policies.

But avoidance can only go so far. No system is 100% efficient, so it is necessary to take a proactive, real-time approach to your environment, viewing endpoint behavior, detecting when breaches have occurred, and reacting immediately with the necessary action. Ziften also provides these capabilities, normally known as Endpoint Detection and Response, and companies should change their frame of mind from “How can we prevent attacks?” to “We will be breached, so what do we do then?”

To comprehend the true breadth or depth of an attack, companies need to be able to take a look back and rebuild the conditions surrounding a breach. Security investigators need answers to the following six questions, and they require them quick, since Incident Response officers are surpassed and handling restricted time windows to mitigate damage.

Where was the attack activity first seen?

This is where the capability to rewind the clock to the point in time of preliminary infection is vital. In order to do this successfully, companies have to have the ability to go as far back in time as required to recognize patient zero. The unfortunate state of affairs in accordance with Gartner is that when a cyber breach takes place, the typical dwell time prior to a breach is detected is a shocking 205 days. In accordance with the 2015 Verizon Data Investigations Breach Report (DBIR), in 60% of cases, assailants had the ability to penetrate organizations within minutes. That’s why NGES services that don’t continually monitor and record activity however rather periodically poll or scan the endpoint can miss out on the initial crucial penetration. Also, DBIR discovered that 95% of malware types showed up for less than four weeks, and four out of 5 didn’t last a week. You need the ability to continually monitor endpoint activity and look back in time (however long ago the attack occurred) and rebuild the initial infection.

How did it behave?

Exactly what occurred piece by piece after the preliminary infection? Did malware execute for a second every 5 minutes? Was it able to get escalated privileges? A constant image of what happened at the endpoint behaviorally is critical to obtain an examination began.

How and where did the cyber attack spread after preliminary compromise?

Normally the attacker isn’t really after the info readily available at the point of infection, but rather wish to utilize it as a preliminary beachhead to pivot through the network to get to the valuable data. Endpoints consist of the servers that the endpoints are connected to, so it is important to be able to see a complete picture of any lateral movement that happened after the infiltration to know what assets were jeopardized and possibly likewise contaminated.

How did the contaminated endpoint(s) behavior(s) change?

What was going on before and after the contamination? What network connections were being attempted? What does it cost? network traffic was flowing? What procedures were active prior to and after the attack? Immediate answers to these questions are crucial to quick triage.

What user activity occurred, and was there any possible insider involvement?

What actions did the user take before and after the infection occurred? Was the user present on the machine? Was a USB drive inserted? Was the time period outside their typical usage pattern? These and many more artifacts must be supplied to paint a full picture.

What mitigation is needed to resolve the cyber attack and prevent the next?

Reimaging the infected device(s) is a time-consuming and costly solution but lot of times this is the only method to understand for sure that all of the hazardous artifacts have actually been gotten rid of (although state-sponsored attacks might embed into system or drive firmware to remain immune even to reimaging). But with a clear image of all activity that occurred, lesser actions such as eliminating harmful files from all systems impacted might be adequate. Re-examining security policies will most likely be in order, and NGES systems can help automate future actions should comparable circumstances develop. Automatable actions consist of sandboxing, cutting off network access from contaminated computers, killing processes, and much more.

Don’t wait until after a breach happens and you need to call in an army of experts and spend time and money piecing the truths together. Ensure you are prepared to address these 6 key questions and have all the responses at your fingertips in minutes.


Charles Leaver – We Are Pretty Certain That Compromised Endpoints Started The IRS Hack

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

IRS Hackers Make Early Returns Because of Previous External Attacks

The Internal Revenue Service breach was the most unique cyber attack of 2015. Classic attacks today involve phishing emails aimed to get preliminary access to target systems where lateral motion is then performed until data exfiltration happens. But the Internal Revenue Service hack was various – much of the data required to execute it was already acquired. In this case, all the attackers had to do was walk in the front door and submit the returns. How could this happen? Here’s exactly what we understand:

The IRS website has a “Get Transcript” function for users to recover previous income tax return information. As long as the requester can supply the proper information, the system will return past and present W2’s and old income tax returns, etc. With anyone’s SSN, birth date and filing status, the hackers could start the retrieval process of previous filing year’s information. The system likewise had a Knowledge Based Authentication (KBA) system, which asked questions based on the requested users credit rating.

KBA isn’t fool proof, though. The questions it asks can many times be predicted based on other details known about the user. The system asks questions such as “Which of the following streets have you resided on?” or “Which of the following automobiles have you owned?”

After the dust settled, it’s predicted that the hackers tried to gather 660,000 transcripts of past tax payer information via Get Transcript, where they succeeded in 334,000 of those attempts. The not successful attempts appear to have actually gotten as far as the KBA questions where the hackers cannot offer the correct responses. It’s approximated that the attackers got away with over $50 million dollars. So, how did the attackers do it?

Security researchers think that the enemies utilized info from previous attacks such as SSNs, DOBs, addresses and submission statuses to try to obtain previous income tax return info on its target victims. If they succeeded and answered the KBA questions correctly, they submitted a claim for the 2015 calendar year, oftentimes increasing the withholdings quantity on the income tax return form to get a bigger return. As discussed previously not all efforts were successful, however over 50% of the attempts led to significant losses for the Internal Revenue Service.

Detection and response services like Ziften are targeted at recognizing when there are compromised endpoints (like through phishing attacks). We do this by offering real time visibility of Indicators of Compromise (IoC’s). If the theories are right and the assailants used details gleaned from previous attacks beyond the IRS, the jeopardized companies could have taken advantage of the visibility Ziften supplies and mitigated against mass-data exfiltration. Eventually, the Internal Revenue Service seems to be the vehicle – instead of initial victim – of these cyber attacks.


Charles Leaver – Customers Of Comcast Face Shared Hacking And Data Exfiltration Risk And Data Exfiltration

Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

The Clients Of Comcast Are Victims Of Data Exfiltration and Shared Hacks Via Other Companies

The private info of around 200,000 Comcast clients was jeopardized on November 5th 2015. Comcast was required to make this announcement when it came to light that a list of 590,000 Comcast consumer e-mails and passwords could be purchased on the dark web for a token $1,000. Comcast maintains that there was no security breach to their network however rather it was via past, shared hacks from other companies. Comcast further claims that just 200,000 of these 590,000 customers in fact still exist in their system.

Less than two months previously, Comcast had already been slapped with a $22 million fine over its unintentional publishing of almost 75,000 clients’ individual information. Somewhat paradoxically, these customers had actually particularly paid Comcast for “unlisted voice-over-IP,” a line product on the Comcast bill that stated that each client’s info would be kept confidential.

Comcast instituted a mass-reset of 200,000 consumer passwords, who may have accessed these accounts prior to the list was put up for sale. While a simple password reset by Comcast will to some extent secure these accounts going forward, this does nothing to protect those customers who might have recycled the exact same e-mail and password combination on banking and credit card logins. If the client accounts were accessed before being divulged it is certainly possible that other individual information – such as automated payment info and home address – were already obtained.

The bottom line is: Presuming Comcast wasn’t attacked directly, they were the victim of many other hacks that contained data associated with their clients. Detection and Response services like Ziften can avoid mass data exfiltration and frequently alleviate damage done when these unavoidable attacks happen.


Charles Leaver – Trump Hotels Hack Could Have Been Avoided With Point Of Sale Vulnerabilities Visibility

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Trump Hotels POS Susceptibility Emphasize Need for Quicker Detection of Anomalous Activity

Trump Hotels, suffered a cyber attack, between May 19th 2014 and June 2, 2015. The point of infection utilized was malware, and contaminated their front desk computer systems, POS systems, and dining establishments. However, in their own words they claim that they “did not find any evidence that any customer information was taken from our systems.” While it’s soothing to find out that no proof was discovered, if malware exists on POS systems it is most likely there to take info related to the charge cards that are swiped, or significantly tapped, placed, or waved. A lack of proof does not imply the lack of a criminal offense, and to Trump Hotel’s credit, they have actually provided totally free credit tracking services. If one is to analyze a Point of Sale (or POS) system however you’ll observe one thing in abundance as an administrator: They seldom alter, and software will be almost uniform across the deployment community. This can present both positives and negatives when thinking about securing such an environment. Software application modifications are sluggish to happen, require rigorous screening, and are difficult to roll out.

However, since such an environment is so uniform, it is also much easier to identify POS vulnerabilities when something brand-new has altered.

At Ziften we monitor all executing binaries and network connections that occur within an environment the second they occur. If a single Point of Sale system started to make new network connections, or started running brand-new software, regardless of its intent, it would be flagged for additional evaluation and examination. Ziften also collects limitless historic data from your environment. If you wish to know what happened 6 to 12 months earlier, this is not a problem. Now dwell times and AV detection rates can be determined utilizing our integrated risk feeds, as well as our binary collection and submission technology. Likewise, we’ll inform you which users executed which applications at what time throughout this historic record, so you can find out your preliminary point of infection.

Point of Sale issues continue to afflict the retail and hospitality markets, which is a shame provided the fairly simple environment to monitor with detection and response.


Charles Leaver – Marriott Could Have Prevented Their POS Breach With Continuous Endpoint Visibility

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

USA retail outlets still appear an attractive target for hackers seeking charge card data as Marriott franchisee White Lodging Services Corp announced a data breach in the Spring of 2015, impacting customers at 14 hotels across the country from September 2014 to January 2015. This incident follows White Lodging suffered a similar cyber attack in 2014. The attackers in both cases were supposedly able to jeopardize the Point-of-Sale systems of the Marriott Lounges and Restaurants at several locations run by White Lodging. The opponents were able to get names printed on consumers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. POS systems were likewise the focus of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Traditionally, Point-of-Sale (or POS) systems at many USA retail outlets were “locked down” Windows computers running a minor set of applications geared towards their function – calling the sale and processing a deal with the Payment card merchant or bank. Modern Point of Sale terminals are essentially PC’s that run email applications, web browsers and remote desktop tools in addition to their transaction software. To be fair, they are often deployed behind a firewall, but are still ripe for exploiting. The best defenses can and will be breached if the target is important enough. For instance, push-button control tools utilized for management and updating of the Point of Sale systems are often hijacked by hackers for their gains.

The credit card or payment processing network is a completely different, air-gapped, and encrypted network. So how did hackers manage to take the charge card data? They stole the data while it was in memory on the POS terminal while the payment procedure was being conducted. Even if sellers don’t store charge card details, the data can be in an unencrypted state on the POS device while the payment transaction is verified. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey are used by the data burglars to collect the payment card info in its unencrypted state. The data is then normally encrypted and retrieved by the hackers or sent out to the Internet where it’s obtained by the thieves.

Ziften’s system offers continuous endpoint visibility that can find and remediate these kinds of risks. Ziften’s MD5 hash analysis can find new and suspicious processes or.dll files running in the Point of Sale environment. Ziften can likewise kill the process and gather the binary for more action or analysis. It’s likewise possible to spot POS malware by notifying to Command and Control traffic. Ziften’s integrated Threat Intel and Custom Risk Feed options permits clients to alert when Point of Sale malware communicates to C&C nodes. Lastly, Ziften’s historic data enables clients to kick start the forensic assessment of how the malware got in, exactly what it did after it was installed, and executed and other machines are contaminated.

It’s past time for sellers to step up the game and search for new solutions to secure their clients’ credit cards.