Charles Leaver – For The 8 Principles Of The OMB 30 Day Cyber Security Sprint Here Are 8 Keys

Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO


After suffering an enormous data breach at the Office of Management and Budget (OMB), agencies were directed by Tony Scott, Federal Chief Information Officer, to take immediate and specific actions over the next 4 weeks to further strengthen the security of their data and systems. For such a large organization this was a bold step, but the lessons learned from software development show that acting quickly, or sprinting, can make a lot of headway on a problem in a short amount of time. This is especially true for large organizations, and the OMB is certainly large.

There were 8 principles that the sprint concentrated on. We have broken these down and offered insight on how each principle could be made more effective within the timeframe, to help the government make considerable inroads in just a month. As you would expect, we look at things from the endpoint, and by reviewing the 8 principles you will see how endpoint visibility would have been key to a successful sprint.

1. Safeguarding data: Better secure data at rest and in transit.

This is an excellent start, and rightly priority one, but we would certainly encourage OMB to add the endpoint here. Many data protection services overlook the endpoint, but it is where data is most vulnerable, whether at rest or in motion. The team must check whether they have the ability to assess endpoint software and hardware configuration, including the presence of any data protection and system security agents, not forgetting Microsoft BitLocker configuration checking. And that is just the start: compliance checking of mandated agents must not be forgotten, and it needs to be carried out continuously, enabling audit reporting of percentage coverage for each agent.

2. Improving situational awareness: Enhance indication and warning.

Situational awareness is similar to visibility: can you see what is actually taking place, where, and why? And obviously this has to be in real time. While the sprint is under way it should be confirmed that identifying and tracking logged-in users, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, significant log events and a myriad of other activity signals across many thousands of endpoints hosting vast oceans of processes is possible. THIS is situational awareness for both indication and warning.

3. Increasing cyber security proficiency: Guarantee a robust capacity to recruit and retain cyber security personnel.

This is a challenge for any security program. Finding excellent talent is difficult, and retaining it even more so. When you want to attract this sort of skillset, win them over by offering the latest tools for cyber war. Make certain that they have a system that supplies complete visibility of exactly what is happening at the endpoint and across the whole environment. As part of the sprint the OMB must analyse the tools that are in place and check whether each tool switches the security team from the hunted to the hunter. If not, replace that tool.

4. Increase awareness: Improve total threat awareness by all users.

Threat awareness starts with effective threat scoring, and fortunately this is something that can be achieved dynamically all the way to the endpoint and can help with the education of every user. The education of users is a job that is never complete, as evidenced by the high success rate of social engineering attacks. However, when security teams have endpoint risk scoring they have concrete items to show users to demonstrate where and how they are vulnerable. This real situational awareness (see #2) improves user understanding, in addition to providing the security team with accurate information on, say, known software vulnerabilities, cases of compromised credentials and insider threats, while continuously monitoring system, user and application activity and network points of contact, so that security analytics can highlight elevated threats for triage by security personnel.

5. Standardizing and automating procedures: Reduce time needed to handle setups and patch vulnerabilities.

More protection needs to be demanded from security services, and they must be immediately deployable without laborious preparation, network standup or substantial personnel training. Did the services in place take longer than a few days to deploy and demand another full-time employee (FTE), or even half an FTE? If so, you need to reconsider those services, because they are probably hard to use (see #3) and aren’t getting the job done that you need, so you will need to enhance the existing tools. Also, look for endpoint services that not only report software and hardware configurations and active services and processes, but also apply the National Vulnerability Database to report on actually running, exposed vulnerabilities, and then assign an overall vulnerability rating to each endpoint to help overworked support staff prioritize patching.
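The rating described above, worked through as an added example (not Ziften's code): installed software and observed running processes are joined against records shaped like NVD CPE match entries, and only vulnerable products that are actually running count toward the endpoint's score. The feed, inventory, product names and CVE ids below are constructed placeholders.

```python
"""Per-endpoint vulnerability rating from an NVD-style feed.

Added example, not Ziften's code. It joins each endpoint's installed
software and observed running processes against records shaped like NVD
CPE match entries (versionEndExcluding plus a CVSS base score). The feed
and inventory below are constructed; the CVE ids are placeholders.
"""

def parse_version(v):
    """Dotted numeric version string to a comparable tuple."""
    return tuple(int(p) for p in v.split("."))

# Constructed feed; real entries would come from the NVD data feeds.
FEED = [
    {"id": "CVE-EXAMPLE-0001", "product": "widgetviewer", "versionEndExcluding": "3.2.1", "cvss": 9.8},
    {"id": "CVE-EXAMPLE-0002", "product": "widgetviewer", "versionEndExcluding": "2.0.0", "cvss": 5.3},
    {"id": "CVE-EXAMPLE-0003", "product": "pdfsuite", "versionEndExcluding": "11.0.4", "cvss": 7.8},
]

# Constructed inventory: installed versions and the products seen running.
INVENTORY = {
    "ep-001": {"software": {"widgetviewer": "3.1.0", "pdfsuite": "11.0.4"}, "running": {"widgetviewer"}},
    "ep-002": {"software": {"widgetviewer": "1.9.2", "pdfsuite": "10.1.0"}, "running": set()},
    "ep-003": {"software": {"widgetviewer": "3.2.1", "pdfsuite": "10.1.0"}, "running": {"pdfsuite"}},
}

def matching_cves(software, feed):
    """Feed entries whose product is installed at an affected version."""
    hits = []
    for rec in feed:
        installed = software.get(rec["product"])
        if installed and parse_version(installed) < parse_version(rec["versionEndExcluding"]):
            hits.append(rec)
    return hits

def endpoint_rating(endpoint, feed):
    """Rate by the highest CVSS among vulnerable products that are actually
    running (exposed); installed-but-idle findings are listed as dormant."""
    hits = matching_cves(endpoint["software"], feed)
    exposed = [h for h in hits if h["product"] in endpoint["running"]]
    dormant = [h for h in hits if h["product"] not in endpoint["running"]]
    return {"score": max((h["cvss"] for h in exposed), default=0.0),
            "exposed": sorted(h["id"] for h in exposed),
            "dormant": sorted(h["id"] for h in dormant)}

def patch_priority(inventory, feed):
    """Endpoint ids ordered for patching: highest exposed score, then most dormant findings."""
    rated = {ep: endpoint_rating(d, feed) for ep, d in inventory.items()}
    return sorted(rated, key=lambda ep: (-rated[ep]["score"], -len(rated[ep]["dormant"])))
```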

6. Controlling, containing and recuperating from incidents: Contain malware proliferation, privilege escalation, and lateral movement. Rapidly identify and solve events and occurrences.

Rapid recognition of and response to incidents is the primary objective in the new world of cyber security. During their one-month sprint, OMB should evaluate their services and make certain to find technologies that not only monitor the endpoint, but track every process that runs and all of its network contacts, including user login attempts, to assist in tracking malicious software proliferation and lateral network movement. The data derived from endpoint command and control (C2) accesses related to major data breaches suggests that about half of compromised endpoints do not host recognizable malware, increasing the relevance of login and contact activity. The right endpoint security will retain OMB data for long-term analysis, since many indicators of compromise become available only after the event, or even long afterwards, while persistent attackers may quietly lurk or stay dormant for long periods of time. Attack code that can be sandbox-detonated and recognized within minutes is not a sign of advanced attackers. This capability to retain clues and connect the dots across both spatial and temporal dimensions is important for complete identification and a total, non-recurring resolution.

7. Strengthening systems lifecycle security: Boost intrinsic security of platforms by buying more secure systems and retiring traditional systems in a prompt way.

This is a worthy goal to have, and an enormous challenge at a large organization such as OMB. This is another place where proper endpoint visibility can instantly determine and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint incidents (such as application crashes or hangs, service failures, or system crashes), and other indicators of endpoints outliving their useful or secure life span. Now you have a full inventory that you can prioritize for retirement and replacement.

8. Reducing attack surfaces: Reduce the complexity and amount of things defenders need to protect.

If numbers 1 through 7 are completed, and the endpoint is considered properly, this will be a huge step in reducing the attack risk. But, in addition, endpoint security can also provide a picture of the actual attack surface. Consider the ability to measure attack surface area based on the number of distinct binary images exposed across the entire endpoint population. For example, our ‘Ziften Pareto analysis’ of binary image frequency statistics produces a common “ski slope” distribution, with a long slim tail showing huge numbers of really uncommon binary images (present on fewer than 0.1% of total endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also worsens vulnerability lifecycle management). Data from numerous client deployments reveals egregious bloat factors of 5-10X compared to a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich attackers’ paradise.
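The binary image frequency analysis described above, as an added example that is not Ziften's own code: a fleet maps each endpoint to the set of image hashes seen on it, and the analysis counts distinct images, isolates the rare tail (present on fewer than 0.1% of endpoints) and computes a bloat factor against a disciplined baseline. The fleet generator, image names and baseline size are constructed assumptions.

```python
"""Pareto analysis of binary image prevalence across an endpoint fleet.

Added example, not Ziften's code. A fleet maps each endpoint to the set
of executable image hashes seen on it. build_fleet() constructs one with
a fixed seed: a small common core plus a long tail of rarely seen images,
the "ski slope" distribution described above.
"""
import random
from collections import Counter

def build_fleet(n_endpoints=2000, core=40, tail_images=5000, seed=7):
    """Constructed fleet: every endpoint carries the core images plus
    0-3 images drawn from a large pool of sprawled, rare versions."""
    rng = random.Random(seed)
    core_ids = [f"core-{i:03d}" for i in range(core)]
    tail_ids = [f"tail-{i:04d}" for i in range(tail_images)]
    fleet = {}
    for e in range(n_endpoints):
        images = set(core_ids)
        for _ in range(rng.randint(0, 3)):
            images.add(rng.choice(tail_ids))
        fleet[f"ep-{e:05d}"] = images
    return fleet

def image_prevalence(fleet):
    """Number of endpoints on which each image hash is present."""
    counts = Counter()
    for images in fleet.values():
        counts.update(images)
    return counts

def pareto_summary(fleet, rare_fraction=0.001):
    """Distinct images, the rare tail (present on fewer than rare_fraction
    of endpoints) and the share of all images that fall in that tail."""
    n = len(fleet)
    prev = image_prevalence(fleet)
    rare = [h for h, c in prev.items() if c / n < rare_fraction]
    return {"endpoints": n, "distinct_images": len(prev),
            "rare_images": len(rare), "rare_share": len(rare) / len(prev)}

def bloat_factor(fleet, disciplined_distinct):
    """Ratio of this fleet's distinct image count to a tightly managed
    baseline; the article reports 5-10X in lax deployments."""
    return len(image_prevalence(fleet)) / disciplined_distinct

if __name__ == "__main__":
    fleet = build_fleet()
    print(pareto_summary(fleet), "bloat factor:", round(bloat_factor(fleet, 40), 1))
```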

The OMB sprint is a great reminder to us all that good things can be achieved rapidly, but that it takes vision, not to mention visibility. Visibility, down to the endpoint, will be an important piece for OMB to consider as part of their 30-day sprint.


Charles Leaver – With Data Breach Costs Up Again The Third Reason For The Increase May Cause A Surprise

Written by Patrick Kilgore, presented by Charles Leaver, CEO Ziften.


Just recently two major reports were released that marked big anniversaries. On the one hand, we saw Mary Meeker’s 20th annual Internet report. Some of the original industry analysis of the Internet was led by Meeker many years ago, and this report marked twenty years of her influencing opinion on the Internet. And ten years after Meeker’s first observations on the Internet came the very first study of data breach costs by the Ponemon Institute.

Just ten years after the creation of the Internet it was revealed that there is an ugly downside to the service that offers major advantages to our organizations and our lives. Today there are more yearly studies published about data breaches than about the Internet itself. Just recently we spent hours evaluating and absorbing 2 of the most significant data breach reports in the market: the already mentioned Ponemon report and the now really influential Verizon DBIR (the report is important enough to go by an acronym alone).

There was overlap between the two reports, but the Verizon report deserves credit because if you’ve been able to do anything in security for ten years, you must be doing something right. There are many fascinating statistics in the report, but the reasons for the total costs of data breaches skyrocketing were of the most interest to us.

The Ponemon studies have revealed three drivers behind the increased cost of a breach. The first is that cyber attacks have increased in number, and this has correlated with greater costs to remediate these attacks. An increased per capita cost from $159 to $170 year on year has been noted. That’s a 5% jump, from 42% to 47%, of the overall root causes of a breach. Also, lost revenue as a result of a data breach has increased. In the aggregate, this increased from $1.33M to $1.57M in 2015. The reasons are abnormal customer turnover, increased acquisition activity, and the loss of goodwill that arises from being the target of a malicious attack. However, the most interesting reason given is that data breach costs related to detection and escalation have increased.

These costs consist of investigations and forensics, crisis team management, and audits and assessments. The trend now appears to be gathering speed, at just shy of a whopping $1 billion. Organizations are only now beginning to deploy the systems needed to continuously monitor the endpoint and offer a clear picture of the origin and full impact of a breach.

Organizations not only need to monitor the proliferation of devices in a BYOD world, but also need to get more out of the security resources they have already invested in, to minimize the costs of these investigations. Threats have to be halted in real time, rather than recognized retrospectively.

“Prevention might not be possible in the world we live in. With harmful risks ending up being increasingly more typical, organizations will need to evolve their M.O. beyond standard AV services and look to the endpoint for total defense,” stated Larry Ponemon in his webcast with IBM.


BYOD Employee Sharing And Passwords Are Increasing The Risk Of Data Loss For Organizations – Charles Leaver

Written By Ziften Technologies CEO Charles Leaver

If your company has implemented a bring your own device (BYOD) policy then you will be putting yourself at increased risk of cyber crime and the loss of your data, since the devices will usually have inadequate controls and endpoint security in place. With mobile devices, workers frequently access consumer cloud services and use password practices that are not secure enough, and this accounts for a large portion of the risks related to BYOD. Using endpoint software that provides visibility into exactly what is running on a device can help IT departments understand and address their vulnerabilities.

BYOD is a common way for executives and employees to access sensitive business data on their personal tablets, laptops and smartphones. A ZDNet survey revealed that nearly nine out of ten companies in Australia had given a number of their senior IT staff members access to vital business information by means of their own BYOD devices, and 57% asserted that they had supplied it to at least 80% of their leadership. For less privileged personnel and new hires, the number given BYOD access was still as high as 64%. These employees were not given access to financial details, though.

With the number of BYOD devices growing, a lot of organizations have not implemented the right endpoint management strategies to make their increasing mobile workflows secure. Almost 50% of the respondents said that their organizations had no BYOD policies, and just 17% confirmed that their practices were ISO 27001 certified.

Safe BYOD Is Likely At Most Risk From Passwords

Among those organizations that had taken steps to secure BYOD, the application of password and acceptable use policies was the most common. However, passwords may represent a critical and distinct vulnerability in BYOD, because users frequently reuse the same passwords and they are not complex enough. While companies that have a BYOD policy will certainly increase the danger of a hacker attack, there might be an even greater threat which is internal, said former Federal Trade Commission executive Paul Luehr in an interview with CIO Magazine’s Tom Kaneshige.

Luehr told Kaneshige: “The most common method BYOD policies impact data security and breaches is in the cross-pollination of passwords. An individual is most likely utilizing the same or extremely comparable password as the one they use on their home devices.”

Luehr noted that disgruntled employees, who will typically leak crucial data once they have been let go, are prime threats for companies that allow BYOD. Because of BYOD the distinction between work and home is disappearing, and risky behavior such as using social networks on business networks is being practiced by some staff members; this can be a prelude to eventually sharing sensitive information, either wilfully or thoughtlessly, via cloud services. The productivity gains that are made with BYOD need to be protected by implementing comprehensive endpoint security.