Charles Leaver – People Not Technology Is the Clear Focus In The Third Stage Of Cyber Security

Written By Kyle Flaherty And Presented By Charles Leaver Ziften CEO

The effect of cyber attacks on organizations is usually easy to quantify, and the suppliers of technology solutions (Ziften included) are constantly presenting different statistics to show that you need to buy their newest software. But one figure is genuinely stunning:

In The Previous Year Cyber Crime Cost Businesses $445 Billion And Cost 350,000 Individuals Their Employment.

The monetary losses are easy to take on board, even though the amount is large. But the second part is concerning for everyone involved in cyber security: people are losing their jobs because of what is happening in cyber security. The circumstances surrounding these job losses are unknown, and some of those people may have deserved it if they were negligent. But the most interesting aspect is that it is well understood that there is a shortage of skilled people who are capable of combating these cyber attacks.

While people are losing their positions, there is also a need to find more talented people to counter the ever increasing threat of cyber attacks. There is no argument that more people are required, and that they need to be more skilled, to win this war. But it is not going to happen today, tomorrow or even this year. And while it would be wonderful if a truce could be negotiated with the attackers until these resources are available, the truth is that the fight must go on. So how do you fight?

Utilize Technology To Enable, Not Disable

For many years now suppliers of security technology have been selling technology to “prevent and block” cyber attacks. Then the vendors would come back later to sell the “next generation” solution for preventing and blocking cyber attacks. And a couple of years after that they were back again to sell the latest technology, which focused on “security analytics”, “threat intelligence” and “operational insight”.

In every case businesses bought the latest technology and then had to add professional services, or even an FTE, to run it. Naturally it took a significant amount of time each time to get up to speed with the new technology, for a team that was already experiencing high turnover because of the competitive nature of the cyber security job market. And while all this was going on, the attacks were becoming more persistent, more advanced, and more frequent.

It has to do with Individuals Using Technology, Not The Other Way Around

The issue is that all of the CISOs were focused on the technology first. These companies followed the traditional model of seeing a problem and building technology to plug that hole. Consider a firewall: it literally constructs a wall within technology, using technology. Even the SIEM technology these organizations had implemented was focused mainly on all the different connectors from their system into other systems and gathering all that information into one place. But one place was all they really had, because the technology-centric mindset had forgotten a critical element: the people involved.

Human beings are constantly good at innovating when faced with threat. It’s a biological thing. In cyber security today we are seeing the 3rd phase of development, and it is centered on people:

Phase 1 Prevent by constructing walls
Phase 2 Detect by developing walls and moats
Phase 3 View, check, and respond by analyzing user behavior

The reason that this has to be centered on people is not just the skills shortage, but the fact that people are actually the issue. People are the cyber attackers, and people are also the ones putting your company at risk at the endpoint. The technologies that are going to win this fight, or at least enable survival, are the ones built not only to improve the abilities of the person on the other side of the keyboard, but also to focus on the behavior of the users themselves, rather than just on the technology.


Charles Leaver – With The Right Tools You Can Get Visibility Of The Endpoint As This Webinar Demonstrates

Written By Josh Applebaum And Presented By Charles Leaver CEO Ziften Technologies



Nowadays security threats and attack vectors are constantly evolving, and organizations need to be more vigilant when it comes to monitoring their network infrastructure. The network perimeter and infrastructure security are frequently undermined by a lack of visibility of endpoint devices.

Visibility Of Endpoint Devices Is Now More Crucial Than Ever.

We hosted a webinar with our partner Lancope called “Extending Network Visibility: Down to the Endpoint.” The goal of this webinar was to show security professionals how additional visibility and context into network activity can be achieved, how current security systems (NetFlow, firewalls, SIEM, threat intelligence) can be enhanced, and how incident response can be improved by obtaining real time and historical data for the endpoint. A shared customer was featured in the webinar and offered real world insights into the best ways to use security assets so that you can stay ahead of external and insider threats.

Many of you will not have been able to attend the live webinar, so we have decided to share the on demand version here on the Ziften blog. Feedback is welcome and we would be delighted to connect with you to discuss this in more detail.

Why Ziften’s Client Management Technical Approach Is Right – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

There has typically been a lack of visibility on Windows clients into the applications that are running and the resources that are being consumed. There are effective tools in existence to monitor the server infrastructure and the network, but the client has always been the weakest component. This is why vendors such as Ziften have pioneered a new class of solutions aimed at managing the security and performance of clients in the enterprise, called enterprise client management. From a technical standpoint, in order to gather the huge quantity of information available within Windows that is needed to offer visibility of the client, there were two alternative methods that required consideration: we could have developed custom driver code, or made use of the standard Windows APIs.

The development of driver code is considered a last resort because of some well known concerns:

An in depth understanding of the Windows kernel data structures and coding conventions is required for driver development

Driver incompatibilities can exist even with the smallest of system changes, for instance with the monthly patch updates from Microsoft

A devastating system crash can occur if there is a driver code error

Third party driver code causes the majority of the instabilities in Windows

Any solution that uses low level drivers in its agents does not use the standard Windows interfaces and instead “takes control” from Windows. This can produce mayhem with the operating system of the desktops under management. If a driver malfunctions it can crash the system, and there is also an increased security risk because these drivers run at kernel level. “Anything a user can do that causes a driver to break down in such a way that it causes the system to crash or become unusable is a security flaw. When most coders are working on their driver, their focus is on getting the driver to work correctly and not whether a harmful hacker will attempt to exploit holes within the system,” said Microsoft about driver security.

So Ziften took the approach of building our solution around standard Windows interfaces, which has the following benefits:

Greater resilience to Windows updates and changes that would be likely to require driver changes

Elimination of the vulnerability to driver conflicts that can lead to system crashes (Blue Screen of Death)

A reduced probability of coding errors that impact system performance through the kernel interface


Charles Leaver – Minimize Security Risks With BYOD By Doing This

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

If you are not interested in BYOD, your users, especially your executive users, most likely will be. Being as productive as possible with the least effort is exactly what users want. Their main aim is to use the simplest, fastest, most familiar and comfortable device to do their work. They also prefer the convenience of using one device for both their work and personal activities.

The problem is that security and ease of use are diametrically opposed. The IT department would typically prefer total ownership and control over all client endpoints. IT can disable admin rights, and the client endpoint can be controlled to a degree, for example by allowing only approved applications to be installed. Even the hardware can be limited to a particular footprint, making it easier for IT to protect and control.

But that control over their devices is exactly what BYOD supporters are rebelling against. They want to pick their own hardware, apps and OS, and also have the freedom to install anything they like, whenever they like.

This is challenging enough for the IT security team, but BYOD can also considerably increase the number of devices accessing the network. Instead of a single desktop, with BYOD a user might have a desktop, laptop, mobile phone and tablet. This is an attack surface gone crazy! Then there is the problem of smaller devices being lost or stolen, or even left in a bar under a cocktail napkin.

So what do IT professionals do about this? The first thing to do is to develop situational awareness of “trusted” client endpoints. With its minimalist and driverless agent, Ziften can offer visibility into the applications, versions, user activity and security/compliance software that is actually running on the endpoint. You can then restrict, by enforceable policy, what application, enterprise network and data interaction can be carried out on all other (“untrusted”) devices.

Client endpoints will usually develop security problems, such as application versions that are vulnerable to attack, potentially harmful processes, and disabled endpoint security measures. With the Ziften agent you will be made aware of these problems and can then take corrective action with your existing systems management tools.

Your users need to accept the truth that devices that are untrusted and too risky should not be used to access company networks, data and apps. Client endpoints and users are the source of most malicious exploits. With existing technology there is no magic that will make it safe to access important business assets from a device that is out of control.


Charles Leaver – The Ziften Agent Is Very Light Weight And It Will Tell You Where The IT Endpoint Is Hurting

Written by Dr Al Hartmann and presented by Ziften CEO Charles Leaver

Wouldn’t it be fantastic if your IT client endpoints could tell you that they are sick, instead of you receiving unwelcome calls from dissatisfied users? But the truth is that IT clients cannot tell you when something is wrong. Many IT people may disagree with the need for situational awareness, but you really do need it for your endpoints. The Ziften solution addresses this as follows:

With Ziften there is a minimalist, driverless agent. Unlike conventional systems management or security agents, the Ziften package is really lightweight (around 1-2MB MSI package). But do not let the small size fool you: it offers the performance management headroom and efficiency to accomplish more on IT endpoints, which keeps users happy and productive. The Ziften agent can be compared to light beer: “Great taste, less filling.”

The Ziften agent also monitors and reports on other deployed agents if they interfere excessively with foreground tasks.

With the Ziften agent you get other advantages that an agentless approach cannot match. It can:

Offer real time response to dynamic events on the endpoint. If no agent is present then periodic polling is required, which means that endpoint events are reported on a schedule after they have happened and not in real time.

The Ziften agent can adaptively throttle interfering processes. For example, if a backup program is causing excessive disruption to user productivity, the backup program can be slowed down in favor of the user.

It will alert on the failure of crucial services such as antivirus, backup, firewall and systems management. It is true that an agentless approach could also do this, but it would not alert in real time, so it is not as effective.

The Ziften Agent will alert on severe security incidents that are identified at the client endpoint in real time.

It will recognize activity and user presence. With the Ziften agent, user presence can be detected by observing the last keyboard and mouse use. It also uses the window proxy to determine which window is in the foreground and which are in the background. With this information, the Ziften agent can determine which application licenses are actually being used throughout the company.
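As an added illustration of the driverless, standard-API approach described above (this is example code written for this page, not Ziften’s agent), the following PowerShell uses only user-mode Win32 calls to measure user idle time from the last keyboard or mouse input, identify the foreground application, and tally which applications are actually in use while a user is present. The function names and sampling parameters are assumptions for this example.

```powershell
# Added example (not Ziften code): user presence and foreground-app usage
# via standard user-mode Win32 APIs. No kernel driver is involved.
Add-Type -Namespace Win32 -Name Presence -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }

[DllImport("user32.dll")]
public static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);

[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();

[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

function Get-UserIdleSeconds {
    # Seconds since the last keyboard or mouse input in this session.
    $lii = New-Object Win32.Presence+LASTINPUTINFO
    $lii.cbSize = [System.Runtime.InteropServices.Marshal]::SizeOf($lii)
    if (-not [Win32.Presence]::GetLastInputInfo([ref]$lii)) {
        throw "GetLastInputInfo failed"
    }
    # Both values are 32-bit millisecond tick counts; mask to survive wrap-around.
    $now    = [Environment]::TickCount -band 0xFFFFFFFF
    $idleMs = ($now - $lii.dwTime) -band 0xFFFFFFFF
    return [math]::Round($idleMs / 1000, 1)
}

function Get-ForegroundApp {
    # Process name that owns the foreground window (the app the user is in).
    $hwnd   = [Win32.Presence]::GetForegroundWindow()
    $procId = [uint32]0
    [void][Win32.Presence]::GetWindowThreadProcessId($hwnd, [ref]$procId)
    if ($procId -eq 0) { return $null }
    return (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
}

function Measure-AppUsage {
    # Sample the foreground app; count only samples taken while a user is present.
    param([int]$Samples = 6, [int]$IntervalSeconds = 5, [int]$IdleThresholdSeconds = 60)
    $usage = @{}
    for ($i = 0; $i -lt $Samples; $i++) {
        if ((Get-UserIdleSeconds) -lt $IdleThresholdSeconds) {
            $app = Get-ForegroundApp
            if ($app) { $usage[$app] = 1 + [int]$usage[$app] }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $usage   # app name -> number of active-user samples in foreground
}

Measure-AppUsage | Format-Table -AutoSize
```

Aggregating these per-endpoint counts centrally gives the license-usage picture the text refers to, without any kernel-level code on the client.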

If no agent is present then it is not possible to monitor and control the endpoint when it is off the network. The Ziften agent can monitor off network endpoints and report cached observations when the endpoint reconnects, which eliminates off network blind spots in monitoring coverage. The Ziften agent can also enforce policy even while disconnected.

The Ziften agent also minimizes the network traffic load between client endpoints and the management server. It achieves this by abstracting, filtering, summarizing and encoding time series observations.

So with the Ziften agent your endpoint clients can “tell you where it hurts”.