Archive for October, 2015

Chuck Leaver – Is The Internet Of Things The Newest Cyber Security Threat

Written By David Shefter And Presented By Ziften CEO Charles Leaver

We are now living in a new world of the Internet of Things (IoT), and with it the threat of cyber attacks grows substantially. As deployments progress, new vulnerabilities are emerging.

Symantec released a report this spring that evaluated 50 smart home devices and found that “none of the evaluated devices offered mutual authentication between the client and the server.” Earlier this summer, researchers demonstrated that they could remotely hack a Jeep while it was driving on the highway, first taking control of the radio, windshield wipers and air conditioning, and finally cutting the transmission.

Traditionally, makers of toys, tools, home appliances and cars have not had to defend against external threats. Producers of medical devices, elevators, HVAC, electrical and plumbing infrastructure components (all of which are likely to be connected to the Internet in the coming years) have not always been security conscious.

As we are all aware, it is hard enough day to day to secure PCs, mobile phones, servers and even the network, all of which have been through extensive security monitoring, evaluation and assessment for years. How do you secure the alarms, personal electronics and home devices that seem to appear daily?

To start, one must define and think about where the security platform will be deployed: hardware, software, network, or all of the above?

Solutions such as Ziften's watch the network from the device's point of view and use machine learning to identify patterns and scan for anomalies. Ziften currently offers a global threat analytics platform (the Ziften KnowledgeCloud), fed from a variety of sources, which today enables review of tens of millions of data points on endpoints, binaries, MD5 hashes and more.

Deploying software onto every IoT device will be a challenge; many of them use FPGA and ASIC designs as their control platform. These are embedded in everything from drones to vehicles to industrial and SCADA control systems. A large number of these devices run on solid-state chips with no operating system or x86-class processor, and with too little memory to support advanced software, many simply cannot run modern security agents. In the IoT, that additional customization creates risk and a vacuum that strains even the most robust systems.

Solutions for the IoT space need a multi-pronged approach at the endpoint, which today encompasses desktops, laptops and servers combined with the network. At Ziften, we currently provide collectors for Windows, Linux and OS X, supporting the core desktop, server and network infrastructure that holds the intellectual property and assets attackers are trying to reach. After all, the bad guys do not really want any information from the company refrigerator; they simply want to use it as a conduit to where the valuable data resides.

However, there is an additional method we deliver that can help mitigate many current concerns: scanning for anomalies at the network level. It is estimated that around 30% of devices connected to a typical corporate network are unknown IPs, and IoT trends will likely double that number within ten years. This is one of the reasons connecting a device is not always an obvious choice.

As more devices are connected to the Internet, more attack surfaces will emerge, leading to breaches far more damaging than those in email, finance, retail and insurance, some of which could even pose a risk to our way of life. Securing the IoT must apply the lessons learned from traditional enterprise IT security and provide multiple layers, integrated to supply end-to-end robustness and capable of preventing and detecting threats at every level of the emerging IoT value chain. Ziften can help from a wide range of angles today and in the future.

You Can Shine A Light On Security Blindspots With Ziften ZFlow – Chuck Leaver

Written By Andy Wilson And Presented By Chuck Leaver CEO Ziften

Over the past few years, many IT organizations have embraced NetFlow telemetry (network connection metadata) to improve their security posture. There are many reasons for this: NetFlow is relatively inexpensive (compared with full packet capture); it is relatively easy to collect, since most Layer 3 network devices support NetFlow or the IETF standard IPFIX; and it is simple to analyze with freeware or commercially available software. NetFlow can help overcome blind spots in the architecture and provide much-needed visibility into what is really going on in the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection techniques.

NetFlow can offer insight where little or no visibility exists. Most organizations collect flows at the core, WAN and Internet layers of their networks. Depending on the routing design, localized traffic may not be accounted for: LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the data center. Most organizations do not route all the way down to the access layer and are therefore blind to some degree in this segment of the network.


Full packet capture at the access layer is still not entirely feasible, for a number of reasons. The solution is to implement endpoint-based NetFlow to restore visibility and provide essential extra context to the other flows being collected in the network. Ziften ZFlow telemetry originates on the endpoint (desktop, laptop or server), so it does not depend on the network infrastructure to generate it. ZFlow supplies the standard OSI Layer 3/4 data, such as source and destination IP addresses and ports, but also adds valuable Layer 4-7 detail: the executable responsible for the network socket, the MD5 hash, PID and file path of that executable, the user who launched it, and whether it was running in the foreground or background. The latter are crucial details that network-based flows simply cannot supply.

This additional context can significantly reduce false positives and give analysts, SOC staff and incident handlers the rich data they need to quickly investigate the nature of the network traffic and determine whether it is malicious or benign. Used in conjunction with network-based alerts (firewalls, IDS/IPS, web proxies and gateways), ZFlow can dramatically cut the time it takes to work through a security event. And we know that time to detect malicious behavior is a key factor in how successful an attack becomes. Dwell times have fallen in recent years but are still at unacceptable levels: currently over 230 days during which an attacker can roam undetected through your network harvesting your critical data.

The screenshot below shows a port 80 connection to an Internet destination. Interesting facts about this connection that network-based tools would miss: it was not initiated by a web browser but by Windows PowerShell, and it was initiated by the 'System' account rather than the logged-in user. Both are very eye-catching to a security analyst; this is not a false positive and would likely need deeper investigation (at which point the analyst can pivot into the Ziften console and see deeper into that system's behavior: what actions or binaries were executed before and after the connection, process history, network activity and more).
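The scenario above, as an added example that is not Ziften code and does not use ZFlow's real record format: a router-side 5-tuple is joined to an endpoint-side record carrying the same socket plus process, path, hash, PID, user and foreground flag, and a few triage rules then turn that context into a score. Record layouts, host names, addresses (RFC 5737 test ranges) and hashes are constructed for the example; the browser, script-host and service-account lists are assumptions a real deployment would tune.

```python
"""Join a network flow record to endpoint telemetry and triage the result.

Added example (not Ziften code); record layouts and sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """What a router or switch exporting NetFlow/IPFIX can tell you: the 5-tuple."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class EndpointFlow:
    """The same socket as seen on the endpoint, with process and user attribution."""
    flow: Flow
    host: str
    process: str
    path: str
    md5: str
    pid: int
    user: str
    foreground: bool


BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}


def triage(ef: EndpointFlow):
    """Score one endpoint-attributed flow; each reason is context a router flow lacks."""
    reasons = []
    proc = ef.process.lower()
    if ef.flow.dst_port in (80, 443, 8080) and proc not in BROWSERS:
        reasons.append(f"web port {ef.flow.dst_port} opened by non-browser {ef.process}")
    if proc in SCRIPT_HOSTS:
        reasons.append(f"{ef.process} is a script host / living-off-the-land binary")
    if ef.user in SERVICE_ACCOUNTS:
        reasons.append(f"socket owned by {ef.user}, not the logged-in user")
    if not ef.foreground:
        reasons.append("process running in the background, no user interaction")
    return len(reasons), reasons


def enrich(flows, endpoint_flows):
    """Join network flows to endpoint records on the 5-tuple.

    Returns {flow: EndpointFlow or None}; None means no managed endpoint reported
    that socket (an unmanaged device, or a host without a collector).
    """
    by_tuple = {ef.flow: ef for ef in endpoint_flows}
    return {f: by_tuple.get(f) for f in flows}


# Constructed sample: three flows seen at the perimeter, two with endpoint context.
FLOWS = [
    Flow("10.0.0.25", 49812, "203.0.113.10", 80, "tcp"),
    Flow("10.0.0.31", 50211, "203.0.113.10", 80, "tcp"),
    Flow("10.0.0.77", 51000, "203.0.113.20", 443, "tcp"),
]
ENDPOINT = [
    EndpointFlow(FLOWS[0], "WS-042", "powershell.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "0123456789abcdef0123456789abcdef",  # placeholder hash, constructed
                 4120, "NT AUTHORITY\\SYSTEM", foreground=False),
    EndpointFlow(FLOWS[1], "WS-017", "chrome.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "fedcba9876543210fedcba9876543210",  # placeholder hash, constructed
                 2208, "CORP\\alice", foreground=True),
]


def report(flows=FLOWS, endpoint_flows=ENDPOINT):
    """Return [(flow, host or None, score, reasons)] sorted worst-first."""
    rows = []
    for flow, ef in enrich(flows, endpoint_flows).items():
        if ef is None:
            rows.append((flow, None, 0, ["no endpoint attribution: unmanaged device?"]))
        else:
            score, reasons = triage(ef)
            rows.append((flow, ef.host, score, reasons))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for flow, host, score, reasons in report():
        print(f"{flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port} "
              f"host={host} score={score}")
        for r in reasons:
            print("   -", r)
```

The PowerShell-as-SYSTEM connection scores on all four rules while the Chrome connection scores zero, even though both look identical as port 80 flows at the router. The third flow has no endpoint record at all; that absence is itself a finding, since it is exactly the unknown-device case the previous post describes.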

Ziften's ZFlow shines a light on security blind spots and provides the extra endpoint context of process, application and user attribution to help security staff better understand what is actually happening in their environment. Combined with network-based events, ZFlow can significantly reduce the time it takes to investigate and respond to security alerts and dramatically improve an organization's security posture.

Chuck Leaver – Blocking And Prevention Is Not Enough So A New Path For Endpoint Security Is Needed

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Conventional endpoint security solutions, some of which have been around for over 20 years, rely heavily on the same protection approaches year after year. And even though there is constant development and effort to improve, the underlying problem still exists: threats will always find a way into your organization. In many cases you have to wait until your deployed solution finally identifies the threat before you can even begin to assess the damage and perhaps prevent it from happening again (once you have gathered all the relevant information to make that informed decision, of course). Another drawback of these technologies is that they often impose a substantial performance burden on the very device they are protecting, which in turn leads to unhappy end users and other problems with manageability and reliability.

This post is not about abandoning your current solution, but about enhancing and empowering your overall security posture. Organizations need to move towards and embrace solutions that offer continuous monitoring and complete visibility of all activity on their endpoint population. Stopping or preventing known malware from running is obviously important, but it does not provide the overall security needed in today's threat landscape. The ability to run deeper forensics on current events, or often more importantly past events, can really only be delivered by solutions that provide continuous monitoring. That information is vital in assessing the damage and understanding the scope of an infection within your organization.

This, of course, has to be done efficiently and with a limited amount of system overhead.

Just as there are many solutions in the traditional endpoint security space, a new league of vendors is emerging in this essential step of the evolution. Most of these companies have staff from the 'old guard' and understand that a new vision is needed as the threat landscape continues to change. Only reporting and alerting on known-bad things completely misses the point. You MUST look at everything, everyone and all behaviors and actions in order to give yourself the best chance of responding quickly and thoroughly to threats within your organization.

By using systems that fall into this "New Path of Endpoint Security" world, security operations and incident responders within the organization will have the visibility they have been yearning for. We hear this constantly from our customers and prospects and are doing our utmost to deliver the solutions that help protect everyone.

Chuck Leaver – With The Ziften App For Splunk You Can Detect Superfish

Written By Ryan Hollman And Presented By Chuck Leaver CEO Ziften


Background: Lenovo admitted to pre-installing the Superfish adware on some consumer PCs, and unhappy customers are now taking the company to court over the matter, PCWorld reported. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with "deceptive" business practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by pre-installing the adware.

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk, you can find infected endpoints with a straightforward Splunk search. Just search your Ziften data and filter for the keyword "superfish". The query is simply:

index=ziften superfish


The following image shows the results you would see in the Ziften App for Splunk if systems were infected. In this particular instance, we found several systems infected with Superfish.


The results above also reference the binary "VisualDiscovery.exe". As it turns out, this is the core process responsible for the infection. Along with the Superfish root certificate and the VisualDiscovery.exe binary, the software also lays down the following on the system:

A registry entry in:


INI and log files in:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Superfish can also be detected manually on an endpoint directly from PowerShell by searching every certificate store for the Superfish subject:

dir cert: -r | where Subject -match "superfish"

If the system is infected with Superfish, you will see results similar to the following image. If the system is clean, you will see no results.

Some analysts have stated that you can simply remove Superfish by deleting the root certificate shown above with a PowerShell command such as:

dir cert: -r | where Subject -match "superfish" | Remove-Item

This removal does not persist across reboots. Simply removing the root certificate does not work, because VisualDiscovery.exe will reinstall the root certificate after the system reboots.

The simplest way to remove Superfish from your system is to update Microsoft's built-in antivirus product, Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate it.

Other removal methods exist, but updating Windows Defender is by far the simplest.


Chuck Leaver – The Top 5 Suspicious Endpoint Behaviours To Watch For

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


Conventional security software is unlikely to detect attacks targeted at a specific organization. The attack code will most likely be remixed to evade known malware signatures, and fresh command-and-control infrastructure will be stood up to evade known blacklisted network contacts. Defending against these fresh, targeted attacks requires defenders to recognize more generic attack characteristics than can be found in endless lists of known Indicators of Compromise (IoCs) from previously analyzed attacks.

Unless you have a time machine to fetch IoCs from the future, known IoCs won't help with new attacks. For that, you have to be alert to suspicious behaviors of users or endpoints that could indicate ongoing attack activity. These suspicion-arousing behaviors won't be as definitive as a malware signature match or an IP blacklist hit, so they will need analyst triage to verify. Insisting on certainty of conviction before raising an alert means that fresh attacks will successfully evade your automated defenses. It would be like a parent ignoring a child's suspicious behavior without question until they get a call from the police. You do not want that call from the FBI telling you your enterprise has been breached when due expert attention to suspect behaviors would have provided early detection.

Security analytics of observed user and endpoint behavior seeks to recognize attributes of possible attack activity. Here we highlight some of those suspect behaviors by way of general description. They serve as cyber attack tripwires, alerting defenders to potential attacks in progress.

Anomalous Login Activity

Users and organizational units display learnable login patterns that can be examined for anomalous departures. Anomalies can be either spatial, i.e. anomalous with respect to peers, or temporal, i.e. anomalous with respect to that user's or endpoint's earlier login pattern. Remote logins can be examined for remote IP address and geolocation, and login entropy can be measured and compared. Non-administrative users logging into numerous systems can be observed and reported, since that departs from expected patterns.
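Both flavors of login anomaly, as an added example that is not Ziften's analytics: the spatial check scores each user's distinct-host count against department peers using a median/MAD modified z-score (chosen over mean/stdev because one account touching eight hosts would otherwise inflate the spread it is being measured against), and the temporal check compares a new login's hour and source country against that user's own history. The event layout, users, hosts, timestamps and country codes are constructed; the 3.5 cutoff and the one-hour slack are assumed tuning values.

```python
"""Login tripwires: spatial (vs. department peers) and temporal (vs. own history).

Added example, not Ziften's analytics; event layout, users and timestamps are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed baseline of successful logins: (user, department, host, when, src_country)
BASELINE = [
    ("alice", "eng", "ws-alice",   "2015-10-01T09:02", "US"),
    ("alice", "eng", "build01",    "2015-10-01T14:10", "US"),
    ("alice", "eng", "ws-alice",   "2015-10-02T10:15", "US"),
    ("alice", "eng", "build01",    "2015-10-02T16:40", "US"),
    ("bob",   "eng", "ws-bob",     "2015-10-01T08:55", "US"),
    ("bob",   "eng", "build01",    "2015-10-01T17:05", "US"),
    ("bob",   "eng", "ws-bob",     "2015-10-02T09:01", "US"),
    ("carol", "eng", "ws-carol",   "2015-10-01T09:30", "US"),
    ("carol", "eng", "ws-carol",   "2015-10-02T13:20", "US"),
    # dave is a non-admin engineer who suddenly touches every box in sight
    ("dave",  "eng", "ws-dave",    "2015-10-01T09:00", "US"),
    ("dave",  "eng", "ws-alice",   "2015-10-01T22:10", "US"),
    ("dave",  "eng", "ws-bob",     "2015-10-01T22:14", "US"),
    ("dave",  "eng", "ws-carol",   "2015-10-01T22:19", "US"),
    ("dave",  "eng", "build01",    "2015-10-01T22:25", "US"),
    ("dave",  "eng", "fileserver", "2015-10-01T22:31", "US"),
    ("dave",  "eng", "hr-share",   "2015-10-01T22:40", "US"),
    ("dave",  "eng", "fin-db",     "2015-10-01T22:47", "US"),
]

# Constructed new events to judge against that baseline
NEW_EVENTS = [
    ("alice", "eng", "ws-alice", "2015-10-03T03:12", "RO"),  # 3 a.m., new country
    ("bob",   "eng", "build01",  "2015-10-03T09:40", "US"),  # normal
    ("carol", "eng", "ws-carol", "2015-10-03T12:05", "US"),  # one hour off, within slack
]


def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M").hour


def modified_z(values):
    """Iglewicz-Hoaglin modified z-scores: median/MAD based, so one extreme peer
    does not inflate the spread the way mean/stdev would."""
    med = median(values)
    dev = [abs(v - med) for v in values]
    mad = median(dev)
    if mad == 0:                      # more than half the values tie: fall back to mean abs dev
        mad = mean(dev) * 1.2533
    if mad == 0:
        return [0.0] * len(values)
    return [0.6745 * (v - med) / mad for v in values]


def spatial_outliers(events, threshold=3.5, min_peers=3):
    """Users reaching far more distinct hosts than their department peers.

    Returns {user: (distinct_hosts, modified_z)} for users over the threshold."""
    hosts, dept_of = defaultdict(set), {}
    for user, dept, host, _, _ in events:
        hosts[user].add(host)
        dept_of[user] = dept
    by_dept = defaultdict(list)
    for user, dept in dept_of.items():
        by_dept[dept].append(user)
    flagged = {}
    for users in by_dept.values():
        if len(users) < min_peers:    # not enough peers to define "normal"
            continue
        scores = modified_z([len(hosts[u]) for u in users])
        for user, z in zip(users, scores):
            if z > threshold:
                flagged[user] = (len(hosts[user]), round(z, 1))
    return flagged


def temporal_outliers(baseline, new_events, slack_hours=1):
    """Logins outside a user's own observed hours or from a geolocation never seen before.

    Returns [(user, host, when, [reasons])]."""
    hours, countries = defaultdict(set), defaultdict(set)
    for user, _, _, ts, cc in baseline:
        hours[user].add(_hour(ts))
        countries[user].add(cc)
    findings = []
    for user, _, host, ts, cc in new_events:
        if user not in hours:         # no history yet: nothing to compare against
            continue
        reasons = []
        h = _hour(ts)
        # circular distance so 23:00 and 00:00 count as adjacent
        if all(min(abs(h - s), 24 - abs(h - s)) > slack_hours for s in hours[user]):
            reasons.append(f"hour {h:02d} outside usual hours {sorted(hours[user])}")
        if cc not in countries[user]:
            reasons.append(f"new geolocation {cc} (seen before: {sorted(countries[user])})")
        if reasons:
            findings.append((user, host, ts, reasons))
    return findings


if __name__ == "__main__":
    print("spatial:", spatial_outliers(BASELINE))
    for f in temporal_outliers(BASELINE, NEW_EVENTS):
        print("temporal:", f)
```

Run on the constructed data, the spatial check flags only dave (eight hosts against peers on one or two), and the temporal check flags only alice's 3 a.m. login from a country she has never logged in from; carol's noon login is one hour from her usual 13:00 and stays within the slack. Neither finding is a conviction; both are the triage prompts the post describes.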

Anomalous Work Routines

Working outside normal hours or outside established patterns of work activity can be suspect, or indicative of insider threat activity or compromised credentials. Again, anomalies may be either spatial or temporal. The mix of active processes can also be evaluated for adherence to established workgroup activity patterns. Workloads may vary somewhat, but tend to be fairly consistent across engineering departments, accounting departments, marketing departments and so on. Workload activity patterns can be machine-learned and statistical divergence tests applied to spot behavioral anomalies.

Anomalous Application Attributes

Common applications display fairly constant attributes in their image metadata and in their active process profiles. Significant departures from these observed norms can indicate application compromise, such as code injection. Whitelisted applications may be used by malware scripts in unusual ways, such as ransomware employing system tools to delete volume shadow copies to thwart recovery, or malware staging stolen data to disk prior to exfiltration, with considerable disk resource demand.

Anomalous Network Activity

Common applications show fairly consistent network activity patterns that can be learned and recognized. Unusual levels of network activity by uncommon applications are suspect for that reason alone, as is unusual port activity or port scanning. Network activity at unusual times, with unusual regularity (possibly beaconing) or with unusual resource demand is also worthy of attention. Unattended network activity (user not present) should always have a plausible explanation or be reported, especially if observed in considerable volume.
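The "unusual regularity" tripwire, as an added example that is not Ziften's detection logic: connections are grouped by host, process and destination, the inter-arrival gaps are computed, and a series is flagged when it repeats enough times with a jitter (MAD of the gaps over their median) close to zero. The connection log, hosts, process names and destinations are constructed; the six-event minimum, 10% jitter ceiling and 30-second minimum period are assumed tuning values.

```python
"""Beacon tripwire: a process contacting the same destination at machine-regular intervals.

Added example, not Ziften's detection logic; the connection log is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(2015, 10, 5, 8, 0, 0)


def _at(seconds):
    """Constructed timestamp: BASE plus an offset, rendered as the log would store it."""
    return (BASE + timedelta(seconds=seconds)).isoformat()


# Constructed endpoint connection log: (host, process, destination, timestamp)
LOG = (
    # every ~5 minutes with a few seconds of jitter: a typical C2 check-in
    [("WS-042", "updater.exe", "203.0.113.10:443", _at(s))
     for s in (0, 299, 602, 900, 1198, 1503, 1800, 2101)]
    # a human browsing: bursts and long idle gaps
    + [("WS-042", "chrome.exe", "198.51.100.5:443", _at(s))
       for s in (0, 40, 700, 715, 2400, 2460, 5100, 5130)]
    # regular, but too few samples to say anything yet
    + [("WS-017", "outlook.exe", "198.51.100.9:443", _at(s))
       for s in (0, 600, 1200)]
)


def gaps_seconds(timestamps):
    """Inter-arrival times in seconds, in chronological order."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def regularity(timestamps, min_events=6):
    """(median gap, relative jitter) or None if there are too few events to judge.

    Relative jitter = MAD of the gaps / median gap: near 0 means clockwork."""
    if len(timestamps) < min_events:
        return None
    gaps = gaps_seconds(timestamps)
    med = median(gaps)
    if med <= 0:
        return None
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def find_beacons(log, min_events=6, max_jitter=0.10, min_period=30):
    """{(host, process, dst): (period_seconds, jitter)} for connection series that
    repeat at least min_events times with jitter at or below max_jitter.
    min_period drops rapid-fire retries, which are regular for other reasons."""
    series = defaultdict(list)
    for host, process, dst, ts in log:
        series[(host, process, dst)].append(ts)
    found = {}
    for key, timestamps in series.items():
        r = regularity(timestamps, min_events)
        if r and r[0] >= min_period and r[1] <= max_jitter:
            found[key] = (r[0], round(r[1], 3))
    return found


if __name__ == "__main__":
    for (host, process, dst), (period, jitter) in find_beacons(LOG).items():
        print(f"{host} {process} -> {dst}: every {period:.0f}s, jitter {jitter:.1%}")
```

Only the updater.exe series is reported (period 299 s, jitter under 1%); the browser's gaps vary by an order of magnitude and the Outlook series has not repeated often enough to judge. A real implementation would also check the ZFlow-style attributes from the previous post, such as whether the beaconing process is one you expect on that host, before raising the alert.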

Anomalous System Fault Behavior

Anomalous fault behavior could be a sign of a vulnerable or unpatched system, or of malware repeatedly reattempting some failing operation. This can be observed as applications crashing or hanging, as service failures, or as system crashes. Compliance faults are also worth noting, such as not running mandated security or backup agents, or persistent faulting by those agents (causing a fault-restart-fault cycle).

When looking for Endpoint Detection and Response solutions, do not fall into complacency just because you have a large library of known IoCs. The most effective solutions will cover these top five generic attack characteristics plus a whole lot more.