Archive for July, 2015

Chuck Leaver – Now There Is A Focus On People With The Third Phase Of Cyber Security

Written By Kyle Flaherty And Presented By Chuck Leaver Ziften CEO


The effect of cyber attacks on organizations is usually easy to measure, and technology vendors (Ziften included) are always showing off statistics to persuade you to buy their latest software. But one statistic stands out:

In the past year cyber crime cost businesses $445 billion and cost 350,000 people their jobs.

The monetary loss is easy to take on board, even though the amount is large. The second part is what should concern everyone working in cyber security: people are losing their jobs because of what is happening with security. The circumstances behind those job losses are unknown, and some may have been deserved through negligence. What makes the figure striking is that, at the same time, there is a well-documented shortage of skilled people able to defend against these attacks.

So while people are losing their jobs, more skilled people are needed to counter the ever-increasing threat of cyber attacks. Nobody disputes that more people, with better skills, are needed to win this fight. But that is not going to happen today, this week or even this year. It would be nice to negotiate a truce with the attackers until those resources are available, but the reality is that the fight has to go on now. So how do you fight it?

Utilize Technology To Enable, Not Disable

For years, security vendors have been selling technology to "prevent and block" cyber attacks. Then they came back to sell the "next generation" solution for preventing and blocking cyber attacks. A few years later they were back again with the latest technology, this time focused on "security analytics", "threat intelligence" and "operational insight".

In every case a company bought the latest technology and then had to add professional services, or perhaps an FTE, to operate it. Each time it took a considerable amount of time to get up to speed with the new technology, and the team doing so was itself suffering high turnover because of the competitive job market in security. While all this was going on, the attacks were becoming more persistent, more sophisticated and more frequent.

It Is About People Using Technology, Not The Other Way Around

The problem is that CISOs focused on the technology first. Their organizations followed the classic pattern of seeing a problem and building technology to plug that hole. A firewall literally builds a wall within technology, using technology. Even the SIEM technology these organizations installed was focused mostly on the connectors from their systems into other systems, collecting all that detail into one place. But one place to collect data was all they ended up with, because the technology-centric mindset had overlooked an essential component: the people involved.

People are good at innovating when faced with a threat; it is a biological trait. In cyber security today we are seeing the third phase of that evolution, and it is centered on people:

Phase 1: Prevent, by building walls
Phase 2: Detect, by building walls and moats
Phase 3: Observe, analyze and respond, by examining user behavior

The reason this phase has to focus on people is not just the skills shortage, but that people really are the issue. People are the attackers, and people are also the ones putting your company at risk at the endpoint. The technologies that will win this fight, or at least allow you to survive it, are the ones built not only to enhance the abilities of the person on the other side of the keyboard, but also to focus on the behavior of the users themselves rather than on the technology alone.
</gre_replace>
<gr_replace lines="40" cat="clarify" orig="These days security hazards">
Security threats and attack vectors are constantly evolving, and companies have to be more vigilant about monitoring their network infrastructure. Perimeter and infrastructure security are frequently undermined by a lack of visibility into endpoint devices.

Chuck Leaver – Extending Network Visibility Down To The Endpoint Webinar

Written By Josh Applebaum And Presented By Chuck Leaver CEO Ziften Technologies



These days security hazards and attack vectors are continuously evolving, and companies have to be more watchful when it pertains to monitoring their network infrastructure. The boundary of the network and the infrastructure security are often challenged because of no visibility of endpoint devices.

Visibility Of Endpoint Devices Is Now More Vital Than Ever

We hosted a webinar with our partner Lancope called "Extending Network Visibility: Down to the Endpoint." Its aim was to show security practitioners how to gain additional visibility and context into network activity, how to enhance existing security investments (NetFlow, firewalls, SIEM, threat intelligence), and how to improve incident response with real-time and historical data from the endpoint. A mutual customer featured in the webinar gave real-life insight into using these security assets to stay ahead of external and insider threats.

Many of you will not have been able to attend the live webinar, so we have decided to share the on-demand version here on the Ziften blog. Feedback is welcome, and we would be delighted to get in touch to discuss it in more detail.


The Ziften Technical Approach For Client Management – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO


There has traditionally been little visibility into which applications are running on Windows clients and which resources they are using. Good tools exist to monitor the server infrastructure and the network, but the client has always been the weakest element. This is why vendors such as Ziften have pioneered a new class of solutions focused on managing the security and performance of clients in the enterprise, known as enterprise client management. From a technical standpoint, collecting the substantial amount of information available within Windows that is needed to provide client visibility could be approached in one of two ways: we could write custom driver code, or we could use the standard Windows APIs.

Writing driver code is treated as a last resort because of some well-known concerns:

Driver development requires an in-depth understanding of Windows kernel data structures and coding conventions.

Driver incompatibilities can appear with even the smallest system change, for example the monthly patch updates from Microsoft.

A defect in driver code can cause a catastrophic system crash.

Third-party driver code is responsible for the majority of Windows instabilities.

Any solution whose agent uses low-level drivers bypasses the standard Windows interfaces and "takes control" from Windows. This can wreak havoc with the operating system of the managed desktops. If a driver fails it can crash the system, and because drivers run at kernel level there is also a heightened security risk. As Microsoft puts it on driver security: "Anything a user can do that causes a driver to break down in such a way that it causes the system to crash or become unusable is a security defect. When most developers are working on their driver, their focus is on getting the driver to work properly and not whether a destructive hacker will attempt to make use of holes within the system."

So Ziften took the approach of building our solution around the standard Windows interfaces, which has the following advantages:

Greater resilience to Windows updates and changes that would otherwise require driver changes.

Susceptibility to driver conflicts that can crash the system (the Blue Screen of Death) is eliminated.

The likelihood that a coding error degrades system stability through the kernel interface is reduced.
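To show what "collecting through the standard Windows interfaces" looks like in practice, here is an added example that is not Ziften's code and not part of its agent: a process inventory built only from documented user-mode interfaces (the Win32_Process CIM class and the .NET Process class), with no driver involved. The record layout, the SHA-256 hashing of the image and the user-writable path filter are assumptions made for the illustration. One caveat a practitioner should keep in mind: a user-mode collector sees only what those interfaces expose to its account, so owner lookups and CPU figures fail for protected and SYSTEM processes when run unelevated; the example records nulls there instead of failing.

```powershell
# Added example (not Ziften code): driverless process inventory using only
# documented user-mode interfaces: Win32_Process via CIM and the .NET Process
# class. Field names and the path filter below are illustrative assumptions.

function Get-EndpointProcessInventory {
    [CmdletBinding()]
    param()

    # Win32_Process exposes command line, parent PID and image path without a driver.
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {

        # Get-Process gives CPU seconds and working set through the same user-mode APIs.
        $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        $cpu = $null
        $ws  = $null
        if ($proc) {
            if ($null -ne $proc.CPU) { $cpu = [math]::Round($proc.CPU, 2) }
            $ws = [math]::Round($proc.WorkingSet64 / 1MB, 1)
        }

        # Owner lookup via the class method; it fails for protected/system processes
        # when unelevated, so guard it and keep $null rather than aborting the sweep.
        $owner = $null
        try {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }

        # Hash the image on disk so the inventory can be matched against allow-lists
        # or threat intelligence later; skipped when the path is absent or unreadable.
        $hash = $null
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            try {
                $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch { }
        }

        [pscustomobject]@{
            Timestamp    = (Get-Date).ToUniversalTime().ToString('o')
            ProcessId    = $p.ProcessId
            ParentPid    = $p.ParentProcessId
            Name         = $p.Name
            Path         = $p.ExecutablePath
            CommandLine  = $p.CommandLine
            Owner        = $owner
            Sha256       = $hash
            CpuSeconds   = $cpu
            WorkingSetMB = $ws
            StartTime    = $p.CreationDate
        }
    }
}

# Usage: the ten largest memory consumers, then anything executing from a
# user-writable location (assumed heuristic; tune the pattern for your estate).
$inventory = Get-EndpointProcessInventory
$inventory | Sort-Object WorkingSetMB -Descending | Select-Object -First 10 | Format-Table -AutoSize
$inventory |
    Where-Object { $_.Path -match '\\Users\\|\\Temp\\|\\AppData\\' } |
    Select-Object Name, Path, Owner, Sha256 |
    Format-Table -AutoSize
```

The sweep is a snapshot, not a real-time feed: a process that starts and exits between two runs is never seen, which is exactly the polling limitation the later post on agents contrasts with event-driven collection.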


Chuck Leaver – Are You Curious About BYOD?

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

If you are not curious about BYOD, your users, particularly your executive users, probably are. Users want to be as productive as possible with the least effort. Their main objective is to do their work on the most convenient, fastest, most familiar and most comfortable device, and they want the convenience of using one device for both work and personal activities.

The problem is that security and ease of use are diametrically opposed. The IT department would normally prefer complete ownership and control over every client endpoint. IT can remove admin rights, and the endpoint can then be managed to a degree, for example by allowing only authorized applications to be installed. Even the hardware can be limited to a specific footprint, making it easier for IT to protect and control.

But control of their devices is exactly what BYOD advocates are rebelling against. They want to choose their own hardware, apps and OS, and to have the freedom to install anything they like, whenever they like.

That is difficult enough for the IT security team, but BYOD can also multiply the number of devices accessing the network. Instead of a single desktop, a BYOD user might have a desktop, a laptop, a phone and a tablet. This is an attack surface gone wild! Then there is the problem of smaller devices being lost or stolen, or simply left in a bar under a cocktail napkin.

So what do IT professionals do about this? The first step is to build situational awareness of "trusted" client endpoints. With its minimalist, driverless agent, Ziften can provide visibility into the applications, versions, user activity and security/compliance software actually running on the endpoint. You can then restrict, by enforceable policy, which applications, enterprise network access and data interactions are permitted on all other ("untrusted") devices.

Client endpoints will inevitably develop security issues, such as application versions that are vulnerable to attack, potentially hazardous processes, and disabled endpoint security controls. The Ziften agent warns you of these problems so that you can take corrective action with your existing systems management tools.

Your users have to accept that untrusted, overly risky devices must not be used to access company networks, data and applications. Client endpoints and their users are the source of many successful exploits. No current technology can magically make it safe to access critical corporate assets from a device that is not under control.
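One concrete piece of the "situational awareness" described above, as an added example that is not Ziften's code: an inventory of installed applications and their versions taken from the registry Uninstall keys (again with no driver), checked against a minimum-version policy so that outdated, attackable versions surface. The policy table at the bottom is constructed for the illustration; its product names and version numbers are hypothetical thresholds, not real advisories, and the version-string normalisation is an assumption about how vendors format DisplayVersion.

```powershell
# Added example (not Ziften code): check installed application versions against a
# minimum-version policy using only the registry. The policy table is constructed
# for illustration; its version thresholds are hypothetical, not real advisories.

function Get-InstalledApplications {
    # Both native and WOW6432Node hives plus the per-user hive; missing keys are ignored.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Test-ApplicationPolicy {
    param(
        # Wildcard pattern on DisplayName -> minimum acceptable version string
        [Parameter(Mandatory)] [hashtable] $MinimumVersions,
        [object[]] $Installed = (Get-InstalledApplications)
    )
    foreach ($app in $Installed) {
        foreach ($pattern in $MinimumVersions.Keys) {
            if ($app.DisplayName -notlike $pattern) { continue }

            # Vendors append text such as "1.2.3.4 (build 5)"; keep the leading
            # dotted-numeric part so [version] can parse it. Assumed normalisation.
            $clean  = ($app.DisplayVersion -replace '[^\d.].*$', '').TrimEnd('.')
            $parsed = $null
            if (-not [version]::TryParse($clean, [ref]$parsed)) {
                # Unparseable versions are reported, not silently treated as compliant.
                [pscustomobject]@{
                    Name    = $app.DisplayName
                    Version = $app.DisplayVersion
                    Minimum = $MinimumVersions[$pattern]
                    Status  = 'UNPARSEABLE'
                }
                continue
            }
            $status = if ($parsed -lt [version]$MinimumVersions[$pattern]) { 'OUTDATED' } else { 'OK' }
            [pscustomobject]@{
                Name    = $app.DisplayName
                Version = $parsed
                Minimum = $MinimumVersions[$pattern]
                Status  = $status
            }
        }
    }
}

# Constructed policy: hypothetical minimum versions chosen for the example only.
$policy = @{
    'Adobe Acrobat Reader*' = '15.0.0.0'
    'Java * Update*'        = '8.0.510'
    '7-Zip*'                = '15.05'
}

# Anything not 'OK' is a candidate for the "untrusted" bucket until it is remediated.
Test-ApplicationPolicy -MinimumVersions $policy |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

Reading the Uninstall keys is deliberately conservative: it reports what the installer registered, not what is running, so an application copied onto the device without an installer will not appear here and needs the running-process view to be caught.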


Chuck Leaver – Can Your IT Endpoint Tell You Where It Hurts?

Written by Dr Al Hartmann and presented by Ziften CEO Chuck Leaver

Wouldn't it be great if your IT client endpoints could tell you they are sick, instead of you finding out from unhappy calls to the help desk? The truth is that IT clients cannot tell you when something is amiss. Many IT people may dispute the need for situational awareness, but you really do need it for your endpoints. Ziften addresses this as follows:

The Ziften agent is minimalist and driverless. Unlike conventional systems management or security agents, the Ziften package is extremely lightweight (around a 1-2MB MSI package). Don't let the small size fool you: it gives you the performance management headroom and efficiency to achieve more on IT endpoints, which keeps users happy and working. The Ziften agent can be compared to light beer: "Great taste, less filling."

The Ziften agent also monitors the other agents installed on the endpoint and reports when they interfere excessively with foreground tasks.

The Ziften agent also brings benefits that an agentless approach cannot match. It can:

Respond in real time to dynamic events on the endpoint. Without an agent, periodic polling is required, which means endpoint events are reported on a cadence after they have happened rather than as they occur.

Adaptively throttle interfering processes. For example, if a backup program is severely disrupting user productivity, the backup program can be slowed down in favor of the user.

Alert on failures of critical services such as anti-virus, backup, firewall and systems management. An agentless approach could also do this, but not in real time, so it is less effective.

Alert in real time on serious security incidents detected at the client endpoint.

Recognize activity and user presence. The Ziften agent detects user presence by observing the last keyboard and mouse input, and uses the window proxy to determine which window is in the foreground and which are in the background. With this information it can identify which application licenses are actually being used across the company.

Monitor endpoints that are off the network, which is impossible without an agent. The Ziften agent keeps observing while the endpoint is disconnected and reports the cached observations when it reconnects, removing the off-network blind spot in monitoring coverage. It can also enforce policy while disconnected.

Minimize network traffic between client endpoints and the management server, by abstracting, filtering, summarizing and encoding the time-series observations before sending them.

So with the Ziften agent, your endpoint clients really can "tell you where it hurts".
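Three of the agent behaviours listed above (user presence from last keyboard/mouse input plus the foreground window, a watchdog for critical services, and throttling an interfering background process) can all be done from user mode with documented interfaces. The following is an added example, not Ziften's code and not how its agent is built: it P/Invokes GetLastInputInfo, GetForegroundWindow and GetWindowThreadProcessId from user32, uses Get-Service for the watchdog, and lowers a process's priority class with the .NET Process class. The idle threshold, the service names and the backup process name are assumptions for the illustration; the foreground-window calls only return useful data when run in the user's interactive session, which the code treats as "no foreground window" rather than an error.

```powershell
# Added example (not Ziften code): user presence, critical-service watchdog and
# background-process throttling through documented user-mode interfaces only.
# Threshold, service names and the backup process name are assumptions.

if (-not ('EndpointNative' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class EndpointNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }
    [DllImport("user32.dll")] static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);
    [DllImport("user32.dll")] static extern IntPtr GetForegroundWindow();
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    // Milliseconds since the last keyboard or mouse input; unchecked so the
    // subtraction wraps correctly when the tick counter rolls over.
    public static uint IdleMilliseconds() {
        LASTINPUTINFO lii = new LASTINPUTINFO();
        lii.cbSize = (uint)Marshal.SizeOf(lii);
        GetLastInputInfo(ref lii);
        return unchecked((uint)Environment.TickCount - lii.dwTime);
    }
    // PID owning the foreground window, or 0 when there is none (e.g. non-interactive session).
    public static uint ForegroundPid() {
        uint pid; GetWindowThreadProcessId(GetForegroundWindow(), out pid); return pid;
    }
}
'@
}

function Get-UserPresence {
    param([int] $IdleThresholdSeconds = 300)   # assumption: 5 minutes idle means "away"
    $idleSec = [EndpointNative]::IdleMilliseconds() / 1000
    $fgPid   = [EndpointNative]::ForegroundPid()
    $fg      = $null
    if ($fgPid -gt 0) { $fg = Get-Process -Id $fgPid -ErrorAction SilentlyContinue }
    $fgName  = $null
    $fgTitle = $null
    if ($fg) { $fgName = $fg.ProcessName; $fgTitle = $fg.MainWindowTitle }
    [pscustomobject]@{
        Present           = ($idleSec -lt $IdleThresholdSeconds)
        IdleSeconds       = [math]::Round($idleSec)
        ForegroundProcess = $fgName
        ForegroundTitle   = $fgTitle
    }
}

function Test-CriticalServices {
    # Assumed list: Windows Defender, Windows Firewall, Windows Update. Substitute your own.
    param([string[]] $Names = @('WinDefend', 'MpsSvc', 'wuauserv'))
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        [pscustomobject]@{
            Service = $n
            Status  = $status
            Healthy = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

function Set-BackgroundPriority {
    # Lower (or restore) the scheduling priority of every process with this name.
    param([Parameter(Mandatory)] [string] $ProcessName, [switch] $Restore)
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $p.PriorityClass = if ($Restore) { 'Normal' } else { 'BelowNormal' }
            '{0} ({1}) -> {2}' -f $p.ProcessName, $p.Id, $p.PriorityClass
        } catch {
            # Fails for processes owned by another user unless elevated; report, don't abort.
            'Cannot adjust {0} ({1}): {2}' -f $p.ProcessName, $p.Id, $_.Exception.Message
        }
    }
}

# Usage: one sweep. Report unhealthy services, then throttle the (assumed) backup
# client only while a user is actively working, and give it its priority back otherwise.
$presence = Get-UserPresence
$presence
Test-CriticalServices | Where-Object { -not $_.Healthy }
if ($presence.Present) { Set-BackgroundPriority -ProcessName 'backupclient' }
else                   { Set-BackgroundPriority -ProcessName 'backupclient' -Restore }
```

Run on a schedule this is still polling; turning it into the event-driven behaviour the post describes means subscribing to the sources (service state changes, session lock/unlock, process start) rather than sampling them, but the checks themselves stay the same.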