Archive for January, 2015

Chuck Leaver – A Lightweight Endpoint Detection And Response Solution

Chuck Leaver, Ziften CEO, presents a post by CTO David Shefter


If your organization has 5,000 or more staff, your IT security and operations teams are probably overwhelmed by the volume of data they must sift through to gain even a small amount of visibility into what their users are doing day to day. Antivirus suites have been deployed, USB ports disabled and user access restricted, yet the risk of cyber attacks and malware infections remains. What do you do next?

A Verizon Data Breach Report states that up to 72% of advanced malware and cyber criminal intrusions occur in the endpoint environment. Your company must first ask how much its reputation is worth. Target, for example, lost over $6 billion in market capitalization because of a malware attack. Unfortunately the modern world keeps us under constant attack from disgruntled or rogue employees, anarchists and other cyber criminals, and this situation is only likely to worsen.

Your network is protected by firewalls and similar controls, but you cannot see what happens beyond the network switch port. The only real way to address this risk is to deploy a solution that works alongside and complements the network-based controls already in place. Ziften (Dutch for “to sift”) provides such a solution, offering “Open Visibility” with a lightweight approach. You need to manage the whole environment, including servers, the network, desktops and so on, without placing extra overhead and strain on your network. A core Ziften commitment is that the solution will not negatively affect your environment while still delivering a deeply impactful visibility and security capability.

Ziften’s software fully understands machine behavior and anomalies, letting analysts zoom in on advanced threats faster and keep dwell time to a minimum. The solution continuously monitors endpoint activity, resource consumption, IP connections, user interactions and so on, so your company can determine the root cause of an intrusion faster and remediate it.

It is a lightweight solution: not kernel or driver based, minimal memory usage, little to no overhead at the system level and almost no network traffic.

Driver and kernel based solutions face stringent certification requirements that can take more than 9 months. By the time the new software is developed and baked, the operating system may already be at its next release. This is a time-consuming, hard-to-support and cumbersome process.

Ziften’s approach is a real differentiator in the market. By deploying a very lightweight, non-intrusive agent that runs as a system service, it avoids the strain that most new software solutions place on the endpoint. Ease of deployment leads to faster time to market, easier support, scalability and simple solutions that do not interfere with the user environment.

To sum up: with the current level of cyber risk, and the danger of a reputation-damaging cyber attack growing daily, you need continuous 24/7 monitoring of all your endpoint devices so that you have clear visibility of any endpoint security threats, gaps or instabilities. Ziften can deliver this.


Your 5 Item Cyber Readiness Checklist – Chuck Leaver

Presented by Chuck Leaver, Chief Executive Officer, Ziften Technologies; written by Dr Al Hartmann

1. Security Operations Center (SOC).

You have a Security Operations Center in place with 24/7 coverage, either in-house, outsourced or both. You do not want any gaps in coverage that could leave you open to infiltration. Handovers must be formalized by watch supervisors, with suitable handover reports provided. The manager provides a daily summary with details of any attack detections and defensive countermeasures. Where possible, the attackers should be identified and distinguished by C2 infrastructure, attack methodology and so on, and given codenames. You are not attempting attribution here, which would be too difficult, but simply noting the attack activity patterns that correlate with different cyber criminals. Your SOC must become familiar with these patterns so that it can tell attackers apart and even spot new ones.

2. Security Vendor Assistance Readiness.

Your security staff cannot know every aspect of cyber security, nor do they have visibility of attacks on other organizations in your industry. You need external security support teams on standby, which could include the following:

(i) Emergency response team support: a short list of vendors that will respond to the most severe, headline-making cyber attacks. Make sure one of these vendors is ready for a major incident and that they receive your cyber security reports on a regular basis. They should have legal forensic capabilities and working relationships with law enforcement.

(ii) Cyber threat intelligence support: a vendor that gathers cyber threat intelligence in your vertical, so that you stay ahead of threats emerging in your sector. This group should be plugged into the dark net, looking for any sign of your organization’s IP being discussed or of hackers talking about your organization.

(iii) IoC and blacklist support: because this covers several areas you will need multiple vendors. It includes domain blacklists, SHA1 or MD5 hash blacklists, IP blacklists and indicators of compromise (suspect configuration settings, registry keys, file paths, etc.). Some of your deployed network or endpoint security products may provide these, or you can engage a third-party specialist.

(iv) Reverse engineering support: a vendor that specializes in analyzing binary samples and provides in-depth reports on their content, the threat they pose and the malware family they belong to. Your current security vendors may offer this service and specialize in reverse engineering.

(v) Public relations and legal support: if you suffer a major breach, make sure public relations and legal support are in place so that your CEO, CIO and CISO do not become a Harvard Business School case study in how not to handle a major cyber attack.

3. Inventory of your assets, classification and readiness for defense.

Make sure all of your cyber assets are inventoried, their relative value classified, and value-appropriate cyber defenses enacted for each asset class. Do not rely solely on the assets known to the IT team; engage a business unit sponsor for asset identification, especially for assets hidden in the public cloud. Also ensure key management procedures are in place.

4. Attack detection and diversion readiness.

For each major asset category you can create replicas using honeypot servers to lure attackers into infiltrating them and revealing their attack methods. When Sony was breached, the attackers found a domain server with a file named ‘passwords.xlsx’ that contained cleartext passwords for the company’s servers. This was a great ruse, and you should use the same technique: plant such lures in tempting places and alarm them so that any access triggers an immediate alert, giving you an instant attack intelligence system. Change these lures frequently so they appear active rather than an obvious trap. Since many servers are virtual, attackers will not be as well prepared with sandbox evasion techniques as they are on client endpoints, so you may be lucky enough to actually watch the attack unfold.
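The alarmed-lure idea above, as an added example that is not code from the post or from Ziften: a small decoy registry, a detector that raises an alert on any access to a planted path by anyone other than the account that refreshes the lures, and a check for lures that have gone stale. Every path, user and audit event is constructed sample data.

```python
"""Decoy-file access alerting for checklist item 4. Added illustration; not code
from the post or from Ziften. Paths, users and events below are constructed."""
from datetime import datetime, timedelta

# Constructed decoy registry: tempting paths planted on replica/honeypot hosts.
DECOYS = {
    r"\\dc01\share\IT\passwords.xlsx": {"host": "dc01", "refreshed": datetime(2015, 1, 5)},
    r"\\fs02\finance\wire_transfer_logins.txt": {"host": "fs02", "refreshed": datetime(2015, 1, 5)},
}
# Hypothetical service account that rewrites decoys so they look active; its touches are expected.
REFRESHER = "svc-decoy-refresh"
# Constructed file-access audit events, as a file server or endpoint agent would log them.
EVENTS = [
    {"ts": "2015-01-12T02:14:07", "host": "dc01", "user": "svc-decoy-refresh",
     "path": r"\\dc01\share\IT\passwords.xlsx", "action": "write"},
    {"ts": "2015-01-12T03:41:55", "host": "dc01", "user": "jdoe",
     "path": r"\\dc01\share\IT\passwords.xlsx", "action": "read"},
    {"ts": "2015-01-12T03:42:10", "host": "dc01", "user": "jdoe",
     "path": r"\\dc01\share\IT\readme.txt", "action": "read"},
    {"ts": "2015-01-12T04:00:02", "host": "fs02", "user": "t-smith",
     "path": r"\\fs02\finance\wire_transfer_logins.txt", "action": "read"},
]

def decoy_alerts(events, decoys=DECOYS, refresher=REFRESHER):
    """Any touch of a decoy path by anyone but the refresher is an alert:
    legitimate users have no business opening a planted file."""
    alerts = []
    for e in events:
        if e["path"] in decoys and e["user"] != refresher:
            alerts.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                           "path": e["path"], "action": e["action"]})
    return alerts

def stale_decoys(decoys, now, max_age=timedelta(days=14)):
    """Decoys not refreshed within max_age start to look like the obvious trap the post warns about."""
    return sorted(p for p, meta in decoys.items() if now - meta["refreshed"] > max_age)
```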

5. Monitoring readiness and continuous visibility.

Network and endpoint activity must be monitored continuously and made visible to the SOC team. Because many client endpoints are mobile and therefore outside the organization’s firewall, activity on these endpoints must be monitored as well. Endpoint monitoring is the only reliable way to perform process attribution for monitored network traffic, because protocol fingerprinting at the network level cannot always be trusted (attackers can spoof it). Monitored data must be retained and archived for later reference, since many attacks cannot be recognized in real time. You will need to rely on metadata more often than on full packet capture, which imposes a substantial collection overhead. However, dynamic risk-based monitoring controls can keep collection overhead low while still responding to significant threats with more granular observations.
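The process attribution described in item 5, joined with the blacklist feeds of item 2(iii), as an added example that is not code from the post or from Ziften: network-sensor flow metadata (no payload) is matched to endpoint agent socket records on the connection 4-tuple, and the attributed flows are then screened against IP, domain and hash blacklists. All telemetry and indicators are constructed sample data; the field names are assumptions, not any product’s schema.

```python
"""Process attribution for flow metadata, then IoC screening (checklist items 5 and 2(iii)).
Added illustration; not Ziften's code. Every record and indicator below is constructed."""

# Constructed endpoint-agent records: which process image opened which socket.
ENDPOINT_SOCKETS = [
    {"host": "ws-17", "image": r"C:\Windows\System32\svchost.exe", "sha1": "a1" * 20,
     "src_port": 50212, "dst_ip": "10.0.0.5", "dst_port": 445},
    {"host": "ws-17", "image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "sha1": "b2" * 20,
     "src_port": 50213, "dst_ip": "203.0.113.9", "dst_port": 443},
    {"host": "ws-22", "image": r"C:\Program Files\Browser\browser.exe", "sha1": "c3" * 20,
     "src_port": 41000, "dst_ip": "198.51.100.4", "dst_port": 443},
]
# Constructed network-sensor flow metadata: headers and TLS SNI only, no packet capture.
NETWORK_FLOWS = [
    {"host": "ws-17", "src_port": 50212, "dst_ip": "10.0.0.5", "dst_port": 445, "sni": None},
    {"host": "ws-17", "src_port": 50213, "dst_ip": "203.0.113.9", "dst_port": 443, "sni": "cdn-update.example"},
    {"host": "ws-22", "src_port": 41000, "dst_ip": "198.51.100.4", "dst_port": 443, "sni": "news.example"},
    {"host": "ws-22", "src_port": 41001, "dst_ip": "192.0.2.77", "dst_port": 8443, "sni": None},
]
# Constructed blacklists standing in for the vendor feeds of item 2(iii).
IOC = {"ip": {"203.0.113.9"}, "domain": {"cdn-update.example"}, "sha1": {"b2" * 20}}

def attribute_flows(flows, sockets):
    """Join each flow to the endpoint socket record sharing its (host, src_port, dst_ip, dst_port).
    A flow with no endpoint record is kept, with process and sha1 set to None."""
    by_tuple = {(s["host"], s["src_port"], s["dst_ip"], s["dst_port"]): s for s in sockets}
    out = []
    for f in flows:
        s = by_tuple.get((f["host"], f["src_port"], f["dst_ip"], f["dst_port"]))
        out.append({**f, "process": s["image"] if s else None, "sha1": s["sha1"] if s else None})
    return out

def screen(attributed, ioc=IOC):
    """Return (host, dst_ip, process, reasons) for every flow that deserves analyst attention."""
    findings = []
    for r in attributed:
        reasons = []
        if r["dst_ip"] in ioc["ip"]:
            reasons.append("destination IP blacklisted")
        if r["sni"] in ioc["domain"]:
            reasons.append("SNI domain blacklisted")
        if r["sha1"] in ioc["sha1"]:
            reasons.append("process image hash blacklisted")
        if r["process"] is None:
            reasons.append("no process attribution: endpoint visibility gap or spoofed source")
        if reasons:
            findings.append((r["host"], r["dst_ip"], r["process"], reasons))
    return findings
```

An unattributed flow is reported on its own, because a connection that no monitored process claims is exactly the case network-only fingerprinting cannot resolve.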