Archive for October, 2016

Chuck Leaver – The Definition Of Illumination And A New Beginning For Endpoints

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver

The traditional perimeter is dissolving quickly. So what happens to the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. These investments are being questioned, as the returns fail to justify the cost and complexity of building, maintaining, and defending these old-fashioned defenses.

More than that, the paradigm has changed: employees are no longer working only in the office. Many people log time from home or out in the field, and neither location sits under the umbrella of a firewall. Instead of keeping the bad guys out, firewalls often have the inverse effect: they keep the good guys from being productive. The paradox? They create a safe haven where attackers can breach, hide for months, and then move on to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the aforementioned failure of perimeter defense and a “mobile everywhere” workforce, we now have to enforce trust at the endpoint. Easier said than done, however.

In the endpoint space, identity & access management (IAM) systems are not the silver bullet. Even innovative companies like Okta, OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler cannot overcome one simple truth: trust goes beyond basic identification, authentication, and authorization.

Encryption is a second attempt at protecting whole libraries and selected assets. In the most recent (2016) Ponemon study on data breaches, encryption saved only 10% of the cost per breached record (from $158 to $142). It is not the remedy that some make it out to be.

The Whole Picture Is Changing

Organizations need to be prepared to embrace new paradigms and new attack vectors. While companies must grant access to trusted groups and individuals, they have to do so in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are quickly coming to make up over 50% of the overall enterprise workforce.

On endpoint devices, the binary is mostly the problem. Likely benign events, such as an executable crash, may indicate something simple, like the Windows 10 Desktop Window Manager (DWM) restarting. Or it may be a much deeper issue, such as a malicious file or the early signs of an attack.

Trusted access does not address this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are triggered by human error, social engineering, or other human factors. This calls for more than simple IAM; it calls for behavioral analysis.

Instead of making good better, perimeter and identity access vendors made bad much faster.

When and Where Does the Good News Start?

Taking a step back, Google (Alphabet Corp) announced a perimeter-less network design in late 2014 and has made considerable progress since. Other organizations, from corporations to governments, have done this (quietly and less drastically), but BeyondCorp has done it and shown its efforts to the world. The design approach, endpoint plus (public) cloud displacing the cloistered enterprise network, is the key concept.

This changes the whole discussion about an endpoint, be it a laptop, PC, workstation, or server, as subservient to the corporate/enterprise/private/company network. The endpoint really is the last line of defense, and it needs to be secured, yet also to report its activity.

Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both internal networks and external networks to be entirely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or “tiers,” of access.

By itself, this appears innocuous. But the truth is that this is a radical new design, and an imperfect one. The access requirements have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, instead of a centralized model that leaves room for data breaches, hacks, and threats at the human level (the “soft chewy center”).
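To make the tiered-access idea concrete, here is an added example (not Google's or Ziften's code) of a policy check in the BeyondCorp style: a device is assigned a trust tier from its inventory state, and an application is gated on user authentication plus that tier, while the originating network is only recorded. The device attributes, tier rules and application names are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    """Access tiers; a higher tier satisfies every lower requirement."""
    UNTRUSTED = 0
    BASIC = 1
    PRIVILEGED = 2

@dataclass
class Device:
    device_id: str          # inventory key (hypothetical attribute set)
    in_inventory: bool      # known to the device inventory service
    has_device_cert: bool   # holds a device certificate (TPM-backed or software)
    disk_encrypted: bool
    patch_age_days: int     # days since the last approved patch level

def device_tier(dev: Device) -> Tier:
    """Derive a trust tier from device state alone; the source network is ignored."""
    if not (dev.in_inventory and dev.has_device_cert):
        return Tier.UNTRUSTED      # unmanaged or unidentifiable: no access at all
    if dev.disk_encrypted and dev.patch_age_days <= 30:
        return Tier.PRIVILEGED
    return Tier.BASIC              # identified, but its state is stale or weak

# Minimum tier each (hypothetical) application demands.
APP_REQUIRED_TIER = {"wiki": Tier.BASIC, "source-control": Tier.PRIVILEGED}

def access_decision(dev: Device, user_authenticated: bool, app: str,
                    source_network: str) -> dict:
    """Gate on user authentication plus device tier; the network is only logged."""
    tier = device_tier(dev)
    required = APP_REQUIRED_TIER[app]
    allowed = user_authenticated and tier >= required
    return {"allow": allowed, "tier": tier.name, "required": required.name,
            "source_network": source_network}   # kept for audit, never consulted
```

Note that a stale device on the corporate LAN is refused the privileged application, while a healthy device on public Wi-Fi is admitted: location carries no weight in the decision.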

The bright side? Breaching the perimeter is extremely difficult for would-be attackers, and network pivoting is almost impossible once they are past the reverse proxy (a common technique used by attackers today, proving that firewalls do a much better job of keeping the bad guys in than of letting the genuine users out). The inverse model further applies to Google cloud servers, most likely securely managed inside the perimeter, versus client endpoints, which are all out in the wild.

Google has made some great refinements to proven security methods, notably 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).

Why Is This Important? What Are the Gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. Nevertheless, Google does not specifically disclose a device security agent or highlight any form of client-side monitoring (apart from very strict configuration control). While there may be reporting and forensics, this is something every organization needs to be familiar with, since it is a matter of when, not if, bad things will happen.

In Google’s own words: “Since implementing the initial phases of the Device Inventory Service, we have ingested billions of deltas from over 15 data sources, at a typical rate of about three million per day, totaling over 80 terabytes. Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a given device, track and analyze fleet-wide trends, and perform security audits and forensic investigations.”

This is a costly and data-heavy process with two drawbacks. On ultra-high-speed networks (used by the likes of Google, universities and research organizations), ample bandwidth allows this kind of communication to take place without flooding the pipes. The first problem is that in more pedestrian corporate and government settings, this would cause significant user disruption.

Second, machines need the horsepower to continuously collect and transmit data. While most employees would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly make this prohibitive.

A Lack of Lateral Visibility

Few systems actually produce ‘enhanced’ netflow, augmenting traditional network visibility with rich, contextual data.

Ziften’s trademarked ZFlow™ provides network flow information from data generated at the endpoint, which otherwise has to be obtained by brute force (human labor) or expensive network appliances.

ZFlow acts as a “connective tissue” of sorts, which extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints, and allowing security teams to make faster, better-informed and more accurate decisions. In essence, investing in Ziften services results in labor cost savings, plus an increase in speed-to-discovery and time-to-remediation, because technology takes the place of human resources.

For companies moving/migrating to the public cloud (as 56% plan to do by 2021, according to IDG Enterprise’s 2015 Cloud Survey), Ziften provides unequaled visibility into cloud servers to better monitor and secure the complete infrastructure.

In Google’s environment, only corporate-owned devices (COPE) are allowed, crowding out bring-your-own-device (BYOD). This works for a company like Google that can hand out brand-new devices to all staff: smartphone, tablet, laptop, and so on. Part of the reason is that identity is vested in the device itself, plus user authentication as usual. The device has to meet Google requirements, having either a TPM or a software equivalent of a TPM, to hold the X.509 certificate used to verify device identity and to facilitate device-specific traffic encryption. There have to be a number of agents on each endpoint to validate the device assertions called out in the access policy, which is where Ziften would have to partner with the systems management agent vendor, because it is likely that agent cooperation is necessary to the process.


In summary, Google has built a world-class solution, but its applicability and usefulness are limited to organizations like Alphabet.

Ziften brings the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint), and a best-in-class console. For companies with specialized requirements or incumbent tools, Ziften offers both an open REST API and an extension framework (to augment data ingestion and trigger response actions).

This brings the benefits of the BeyondCorp design to the masses, while conserving network bandwidth and endpoint (machine) computing resources. Since organizations will be slow to move entirely away from the corporate network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is gradually shifting towards managed detection & response (MDR). Managed security service providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is not enough. They lack the skills and the technology.

Ziften’s service has been tested, integrated, approved and deployed by a number of the emerging MDRs, highlighting the standardization (capability) and flexibility of the Ziften platform to play a key role in remediation and incident response.

Chuck Leaver – More Of The Same From The Verizon DBIR 2016 Report

Written By Dr Al Hartmann And Presented By Chuck Leaver, Ziften CEO

The Data Breach Investigations Report 2016 from Verizon Enterprise has been released, analyzing 64,199 security incidents resulting in 2,260 security breaches. Verizon defines an incident as compromising the integrity, confidentiality, or availability of an information asset, while a breach is a confirmed disclosure of data to an unauthorized party. Since preventing breaches is far less painful than enduring them, Verizon provides a number of sections of recommended controls for security-conscious businesses to apply. If you don’t care to read the full 80-page report, Ziften offers this Verizon DBIR analysis with a focus on Verizon’s EDR-enabled recommended controls:

Vulnerabilities Recommended Controls

A strong EDR tool performs vulnerability scanning and reporting of exposed vulnerabilities, including vulnerability exposure timelines that highlight vulnerability management effectiveness. The exposure timelines are important because Verizon emphasizes a methodical approach that stresses consistency and coverage, versus haphazard, ad hoc patching.

Phishing Recommended Controls

Although Verizon recommends user training to reduce susceptibility to phishing, their data still shows nearly a third of phishes being opened, with users clicking on the link or attachment more than one time in ten. Not good odds if you have at least 10 users! Given the inevitable click compromise, Verizon recommends putting effort into detection of abnormal network activity indicative of pivoting, C2 traffic, or data exfiltration. A sound EDR solution will not only track endpoint network activity, but also filter it against network threat feeds identifying malicious network destinations. Ziften goes beyond this with our patent-pending ZFlow technology to enrich network flow data with endpoint context and attribution, so that SOC personnel have the essential decision context to rapidly resolve network alerts.
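The enrichment described here and in the ZFlow discussion above (endpoint-generated flow records joined to process and user attribution, then filtered against a threat feed) looks like this in an added example that is not Ziften's code. The flow records, socket table, feed entries and egress threshold are all constructed.

```python
# Constructed sample telemetry, not real data: flow records exported from the
# endpoint, the endpoint's socket-to-process table, and a tiny threat feed.
FLOWS = [
    {"host": "ws-17", "src": "10.1.4.22", "sport": 51234, "dst": "203.0.113.9",
     "dport": 443, "bytes_out": 480_000},
    {"host": "ws-17", "src": "10.1.4.22", "sport": 51240, "dst": "192.0.2.44",
     "dport": 80, "bytes_out": 1_200},
    {"host": "ws-17", "src": "10.1.4.22", "sport": 51300, "dst": "198.51.100.7",
     "dport": 8443, "bytes_out": 48_000_000},
]
SOCKETS = [  # which process the endpoint agent saw owning each local port
    {"host": "ws-17", "sport": 51234, "pid": 4120, "image": "outlook.exe", "user": "alice"},
    {"host": "ws-17", "sport": 51240, "pid": 7788, "image": "powershell.exe", "user": "alice"},
]
THREAT_FEED = {"192.0.2.44"}          # destinations a network risk feed flags
LARGE_EGRESS_BYTES = 10_000_000       # hypothetical exfiltration threshold

def enrich_flows(flows, sockets, feed, egress_limit=LARGE_EGRESS_BYTES):
    """Join each flow to the process/user that owned its source port, then tag it."""
    owners = {(s["host"], s["sport"]): s for s in sockets}
    enriched = []
    for f in flows:
        owner = owners.get((f["host"], f["sport"]))
        rec = dict(f, image=owner["image"] if owner else None,
                   user=owner["user"] if owner else None, tags=[])
        if owner is None:
            rec["tags"].append("unattributed")      # no process claimed this port
        if f["dst"] in feed:
            rec["tags"].append("threat-feed-match")
        if f["bytes_out"] >= egress_limit:
            rec["tags"].append("large-egress")
        enriched.append(rec)
    return enriched

def flows_needing_review(enriched):
    """Only flows carrying at least one tag are handed to an analyst."""
    return [r for r in enriched if r["tags"]]
```

The point of the join is the second and third records: the feed hit is immediately attributable to a shell process and a user, while the large transfer with no owning process is itself a finding, since attribution should never be missing for a monitored host.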

Web App Attacks Recommended Controls

Verizon recommends multi-factor authentication and monitoring of login activity to prevent compromise of web application servers. A solid EDR solution will monitor login activity and apply anomaly checking to detect unusual login patterns indicative of compromised credentials.

Point-of-Sale Intrusions Recommended Controls

Verizon recommends (and this has also been strongly advised by FireEye/Mandiant) strong network segmentation of Point of Sale devices. Once again, a strong EDR solution should be tracking network activity (to recognize anomalous network contacts). ZFlow in particular is of great value in providing essential decision context for suspect network activity. EDR systems will also address Verizon’s recommendation for monitoring remote logins to POS devices. Along with this, Verizon recommends multi-factor authentication, but a strong EDR capability will augment that with additional login pattern anomaly checking (since even MFA can be defeated by MITM attacks).

Insider and Privilege Abuse Recommended Controls

Verizon advises “monitor the heck out of [employee] authorized daily activity.” Continuous endpoint monitoring by a solid EDR product naturally provides this capability. In Ziften’s case, our software tracks user presence intervals and user focus activities while present (such as foreground application use). Anomaly monitoring can identify unusual deviations in activity pattern, whether a temporal anomaly (i.e. something has changed this user’s usual activity pattern) or a spatial anomaly (i.e. this user’s behavior pattern differs significantly from peer behavior patterns).
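The two anomaly types just described, worked as an added example (not Ziften's code) over constructed foreground-application data: a temporal check compares a user's day against that user's own history, and a spatial check compares it against peers on the same day. The application, users and minute counts are all made up.

```python
import statistics

# Constructed sample data, not real telemetry: minutes per day each user spent
# with a (hypothetical) admin console in the foreground over the last ten days.
HISTORY = {
    "alice": [30, 28, 35, 31, 29, 33, 30, 32, 28, 31],
    "bob":   [25, 27, 30, 26, 29, 28, 31, 27, 26, 30],
    "carol": [35, 33, 31, 36, 34, 32, 35, 33, 36, 34],
    "dave":  [5, 6, 4, 5, 7, 6, 5, 4, 6, 5],
}
TODAY = {"alice": 31, "bob": 120, "carol": 34, "dave": 6}
Z_THRESHOLD = 3.0   # flag anything more than three standard deviations out

def zscore(value, samples):
    """Standard score of value against a sample; zero spread counts as one unit."""
    mean = statistics.mean(samples)
    spread = statistics.pstdev(samples) or 1.0
    return (value - mean) / spread

def temporal_anomaly(user, value, history=HISTORY, threshold=Z_THRESHOLD):
    """Has this user's own pattern changed? Compare today to the user's history."""
    return abs(zscore(value, history[user])) > threshold

def spatial_anomaly(user, value, today=TODAY, threshold=Z_THRESHOLD):
    """Does this user stand out from peers? Compare today to everyone else's today."""
    peers = [v for u, v in today.items() if u != user]
    return abs(zscore(value, peers)) > threshold

def assess_all(today=TODAY, history=HISTORY):
    """Per-user verdict on both anomaly types for the current day."""
    return {u: {"temporal": temporal_anomaly(u, v, history),
                "spatial": spatial_anomaly(u, v, today)} for u, v in today.items()}
```

With only a handful of peers, one user's spike inflates the peer spread for everyone else, so a production spatial check would use a larger peer group and a robust spread such as median absolute deviation.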

Verizon also recommends monitoring use of USB storage devices, which solid EDR systems provide, since they can serve as a “sneakernet” exfiltration route.

Miscellaneous Errors Recommended Controls

Verizon’s recommendations in this area focus on keeping a record of past errors to serve as a warning of errors to avoid in the future. Solid EDR systems do not forget; they keep an archival record of endpoint and user activity going back to their first deployment. These records are searchable at any time, possibly after some future incident has uncovered an intrusion and response teams have to go back and “find patient zero” to unwind the incident and identify where errors may have been made.

Physical Theft and Loss Recommended Controls

Verizon recommends (and many regulators require) full disk encryption, especially for mobile devices. A proper EDR system will verify that endpoint configurations comply with corporate encryption policy, and will alert on violations. Verizon reports that data assets are physically lost one hundred times more often than they are physically stolen, but the impact is essentially the same for the affected business.

Crimeware Recommended Controls

Once again, Verizon emphasizes vulnerability management and consistent, thorough patching. As noted above, proper EDR tools identify and track vulnerability exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint monitoring. This yields an up-to-date vulnerability assessment at any moment.
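The NVD-against-process-image matching described here, and the exposure timelines mentioned under the Vulnerabilities section above, can be worked as an added example that is not Ziften's code: each image record carries the dates a product version was first and last seen on a host, and an exposure window runs from the later of the CVE's publication and the image's first sighting until the image disappears. The NVD entry (with a placeholder CVE id), product name and dates are all constructed.

```python
from datetime import date

# Constructed sample records, not real NVD data; the CVE id is a placeholder.
NVD = [
    {"cve": "CVE-0000-00001", "product": "examplebrowser", "fixed_in": "52.0",
     "published": date(2016, 3, 1)},
]
# Process image records from endpoint monitoring: when each product version
# was first and last seen running on a host (None = still present).
IMAGES = [
    {"host": "ws-17", "product": "examplebrowser", "version": "50.2",
     "first_seen": date(2016, 1, 10), "last_seen": date(2016, 4, 20)},
    {"host": "ws-17", "product": "examplebrowser", "version": "52.0",
     "first_seen": date(2016, 4, 20), "last_seen": None},
    {"host": "srv-03", "product": "examplebrowser", "version": "50.2",
     "first_seen": date(2016, 2, 1), "last_seen": None},
]

def vtuple(version: str) -> tuple:
    """Dotted version string to a comparable tuple (numeric components only)."""
    return tuple(int(p) for p in version.split("."))

def exposure_timeline(nvd, images, today):
    """Match images against vulnerable versions and compute exposure windows.

    A window starts when the CVE became public or the image appeared, whichever
    is later, and ends when the image disappeared (or runs to `today`)."""
    windows = []
    for img in images:
        for v in nvd:
            if (img["product"] != v["product"]
                    or vtuple(img["version"]) >= vtuple(v["fixed_in"])):
                continue                      # different product or already fixed
            start = max(v["published"], img["first_seen"])
            end = img["last_seen"] or today
            if end < start:
                continue                      # image was gone before disclosure
            windows.append({"host": img["host"], "cve": v["cve"],
                            "version": img["version"], "start": start, "end": end,
                            "open": img["last_seen"] is None,
                            "days": (end - start).days})
    return windows

def mean_days_to_remediate(windows):
    """Average length of closed windows; None when nothing has been closed yet."""
    closed = [w["days"] for w in windows if not w["open"]]
    return sum(closed) / len(closed) if closed else None
```

The still-open window on srv-03 is the kind of entry that separates a methodical patching program from an ad hoc one: the timeline shows not just that a host is exposed but for how long it has been.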

Verizon also recommends capturing malware analysis data in your own enterprise environment. EDR tools do track the arrival and execution of new binaries, and Ziften’s product can acquire samples of any binary present on enterprise endpoints and submit them for in-depth static and dynamic analysis by our malware research partners.

Cyber-Espionage Recommended Controls

Here Verizon specifically calls out use of endpoint threat detection and response (ETDR) tools, describing the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also recommends a number of endpoint configuration hardening actions that can be compliance-verified by EDR tools.

Verizon also recommends strong network defenses. We have already discussed how Ziften ZFlow can considerably enhance standard network flow monitoring with endpoint context and attribution, providing a fusion of network and endpoint security that is truly end-to-end.

Finally, Verizon recommends monitoring and logging, which is the first thing third-party incident responders demand when they arrive on-scene to assist in a breach catastrophe. This is the prime function of EDR tools, since the endpoint is the most frequent entry vector in a major data breach.

Denial-of-Service Attacks Recommended Controls

Verizon recommends controlling port access to prevent enterprise assets from being used to participate in a DoS attack. EDR systems can track port use by applications and apply anomaly checks to identify unusual application port use that may indicate compromise.

Enterprise services moving to cloud service providers also need protection from DoS attacks, which the cloud service provider may supply. However, for network traffic monitoring in the cloud, where the enterprise may lack cloud network visibility, solutions like Ziften ZFlow provide a means for gathering enhanced network flow data directly from cloud virtual servers. Do not let the cloud be your network blind spot, or cyber attackers will exploit it to fly under your radar.