Archive for November, 2016

Chuck Leaver – Cyber Attacks Defined And What You Can Do To Prevent Them

Written By Chuck Leaver CEO Ziften

No company, however little or big, is immune from a cyberattack. Whether the attack is started from an external source or from an insider – no business is totally safeguarded. I have lost count of the variety of times that senior managers from organizations have said to me, “why would anyone want to hack us?”

Cyberattacks Can Take Many Types

The proliferation of devices that can link to organization networks (laptop computers, mobile phones and tablets) suggest an increased risk of security vulnerabilities. The aim of a cyber attack is to make use of those vulnerabilities.

Malware

Among the most common cyberattack approaches is the use of malware. Malware is code that has a malicious intent and can include viruses, Trojans and worms. The aim with malware is typically to take delicate data or perhaps damage computer networks. Malware is often in the form of an executable file that will spread across your network.

Malware is ending up being a lot more advanced, and now there is rogue software that will masquerade itself as legitimate security software that has been created to secure your network.

Phishing Attacks

Phishing attacks are likewise common. Most often it’s an email that is sent from an allegedly “trusted authority” requesting that the user supply individual data by clicking a link. Some of these phishing e-mails look very genuine and they have fooled a lot of users. If the link is clicked and data input the information will be stolen. Today an increasing variety of phishing emails can include ransomware.

Password Attacks

A password attack is among the most basic forms of cyber attacks. This is where an unauthorized third party will attempt to get to your systems by “cracking” the login password. Software can be used here to carry out brute force attacks to predict passwords, and combination of words utilized for passwords can be compared using a dictionary file.

If an opponent gains access to your network through a password attack then they can easily introduce destructive malware and trigger a breach of your delicate data. Password attacks are among the simplest to avoid, and rigorous password policies can supply an extremely efficient barrier. Changing passwords regularly is likewise recommended.

Denial of Service

A Denial of Service (DoS) attack is all about triggering maximum interruption of the network. Attackers will send very high amounts of traffic through the network and typically make numerous connection demands. The result is an overload of the network and it will close down.

Multiple computers can be utilized by cyber attackers in DoS attacks that will produce extremely high levels of traffic to overload the network. Just recently the largest DoS attack in history utilized botnets against Krebs On Security. On a regular basis, endpoint devices connected to the network such as PC’s and laptops can be hijacked and will then contribute to the attack. If a DoS attack is experienced, it can have serious repercussions for network security.

Man in the Middle

Man in the middle attacks are attained by impersonating endpoints of a network during a details exchange. Info can be taken from the end user or even the server that they are interacting with.

How Can You Entirely Prevent Cyber Attacks?

Total avoidance of a cyber attack is not possible with current innovation, however there is a lot that you can do to safeguard your network and your delicate data. It is very important not to think that you can just acquire and install a security software application suite then sit back. The more sophisticated cyber wrongdoers are aware of all of the security software services on the market, and have devised approaches to overcome the safeguards that they offer.

Strong and frequently changed passwords is a policy that you need to adopt, and is among the simplest safeguards to put in place. The encryption of your delicate data is another no-brainer. Beyond installing antivirus and malware defense suites in addition to an excellent firewall software program, you ought to make sure that regular backups remain in place and also you have a data breach event response/remediation plan in case the worst takes place. Ziften helps organizations continuously monitor for threats that may get through their defenses, and do something about it immediately to eliminate the risk totally.

Chuck Leaver – If You Are A Security Pro Then Do This Before Cloud Migration

Written By Logan Gilbert And Posted By Chuck Leaver Ziften CEO

Concerns Over Compliance And Security Prevent Companies From Cloud Migration

Migrating segments of your IT operations to the cloud can look like a huge chore, and an unsafe one at that. Security holes, compliance record keeping, the danger of presenting errors into your architecture … cloud migration presents a lot of scary problems to deal with.

If you’ve been leery about moving, you’re not alone – but aid is on the way.

When Evolve IP surveyed 1,000+ IT pros previously this year for their Adoption of Cloud Services North America report, 55 percent of those surveyed stated that security is their biggest issue about cloud adoption. For businesses that don’t already have some cloud presence, the number was even higher – 70%. The next biggest barrier to cloud adoption was compliance, mentioned by 40% of respondents. (That’s up eleven percent this year.).

But here’s the larger issue: If these concerns are keeping your organization from the cloud, you cannot benefit from the performance and cost benefits of cloud services, which becomes a strategic obstacle for your whole organization. You require a method to migrate that likewise responds to concerns about security, compliance, and operations.

Better Security in Any Environment With Endpoint Visibility.

This is where endpoint visibility wins the day. Being able to see exactly what’s happening with every endpoint offers you the visibility you have to enhance security, compliance, and operational effectiveness when you move your data center to the cloud.

And I suggest any endpoint: desktop computer, laptop, mobile phone, server, VM, or container.

As a long period of time IT professional, I understand the temptation to believe you have more control over your servers when they’re locked in a closet and you’re the one who holds the keys. Even when you know that parts of your environment count on kludges, they’re your kludges, and they’re stable. Plus, when you’re running your own data center – unlike when you’re in the cloud – you can use network taps and a whole host of monitoring tools to take a look at traffic on the wire, determine a great deal about who’s talking to whom, and repair your issues.

However that level of info pales in comparison to endpoint visibility, in the cloud or the data center. The granularity and control of Ziften’s system offers you a lot more control than you might ever get with a network tap. You can find malware and other issues anywhere (even off your network), isolate them instantly, then track them back to whichever user, application, device, or process was the weak spot in the chain. Ziften offers the capability to perform look back forensics and to quickly fix concerns in much less time.

Removing Your Cloud Migration Nightmares.

Endpoint visibility makes a huge difference anytime you’re ready to migrate part of your environment to the cloud. By examining endpoint activity, you can establish a baseline inventory of your systems, clean out wildcard assets such as orphaned VMs, and hunt down vulnerabilities. That gets everything safe and steady within your very own data center before your move to a cloud company like AWS or Azure.

After you’ve moved to the cloud, continuous visibility into each user, application and device implies that you can administer all parts of your infrastructure better. You avoid losing resources by preventing VM expansion, plus you have a comprehensive body of data to satisfy the audit requirements for NIST 800-53, HIPAA, and other compliance guidelines.

When you’re ready to transfer to the cloud, you’re not doomed to weak security, incomplete compliance, or operational SNAFUs. Ziften’s technique to endpoint security gives you the visibility you require for cloud migration without the headaches.

Chuck Leaver – Visibility Of Endpoint Security And Remediate Immediately

Written By Logan Gilbert And Presented By Chuck Leaver

 

Ziften aids with incident response, remediation, and examination, even for endpoints off your network.

When events take place, security analysts need to act rapidly and thoroughly.

With telecommuting labor forces and organization “cloud” infrastructures, remediation and analysis on an endpoint present a really challenging task. Below, watch how you can use Ziften to take actions on the endpoint and figure out the source and propagation of a compromise in minutes – no matter where the endpoints reside.

First, Ziften alerts you to harmful activities on endpoints and steers you to the reason for the alarm. In seconds, Ziften lets you take removal actions on the endpoint, whether it’s on the organization network, a staff member’s home, or the local coffee bar. Any remediation action you ‘d typically perform through a direct access to the endpoint, Ziften provides through its web console.

Simply that quickly, removal is taken care of. Now you can use your security knowledge to go risk hunting and conduct a bit of forensics work. You can right away dive into a lot more information about the process that caused the alert; then ask those important questions to discover how widespread the problem is and where it spread from. Ziften provides comprehensive event removal for security analysts.

See firsthand how Ziften can assist your security group zero in on risks in your environment with our Thirty Days totally free trial.

Chuck Leaver – What CISO’s Can Learn From OPM Data Breach Review

Written by Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver

 

Cyber attacks, attributed to the Chinese government, had breached sensitive workers databases and taken data of over twenty two million present, previous, and potential U.S. government employees and family members. Stern cautions were disregarded from the Office of the Inspector General (OIG) to shut down systems without existing security authorization.

Presciently, the OIG particularly cautioned that failure to close down the unauthorized systems brought national security implications. Like the Titanic’s doomed captain who kept flank speed through an iceberg field, the OPM responded,

” We concur that it is necessary to keep up-to-date and legitimate ATO’s for all systems but do not believe that this condition rises to the level of a Material Weakness.”

Additionally the OPM worried that closing down those systems would suggest a lapse in retirement and worker benefits and paychecks. Offered a choice in between a security lapse and an operational lapse, the OPM opted to run insecurely and were pwned.

Then director, Katherine Archuleta, resigned her office in July 2015, a day after revealing that the scope of the breach vastly went beyond original assessments.

Despite this high value information maintained by OPM, the agency cannot focus on cyber security and sufficiently secure high worth data.

Exactly what are the Lessons for CISO’s?

Reasonable CISO’s will wish to prevent professional immolation in an enormous flaming data breach catastrophe, so let’s quickly evaluate the crucial lessons from the Congressional report executive summary.

Focus on Cyber Security Commensurate with Asset Worth

Have an effective organizational management structure to carry out risk appropriate IT security policies. Persistent absence of compliance with security best practices and lagging suggestion implementation timelines are signs of organizational failure and administrative atherosclerosis. Shake up the organization or prepare your post breach panel grilling prior to the inquisitors.

Don’t Tolerate a Complacent State of Information Security

Have the required tracking in place to maintain critical situational awareness, leave no observation gaps. Do not fail to understand the scope or extent or gravity of cyber attack indications. Assume if you determine attack indications, there are other indicators you are missing out on. While OPM was forensically monitoring one attack avenue, another parallel attack went unobserved. When OPM did do something about it the cyber attackers understood which attack had actually been found and which attack was still successful, rather valuable intelligence to the opponent.

Mandate Fundamental Needed Security Tools and Quickly Deploy Cutting Edge Security Tools

OPM was incredibly negligent in deploying mandated multi-factor authentication for privileged accounts and didn’t deploy readily available security technology that might have avoided or mitigated exfiltration of their most valuable security background examination files.

For privileged data or control access authentication, the phrase “password safeguarded” has actually been an oxymoron for years – passwords are not protection, they are an invitation to compromise. In addition to adequate authentication strength, total network tracking and visibility is needed for prevention of sensitive data exfiltration. The Congressional investigation blamed careless cyber hygiene and insufficient system traffic visibility for the enemies’ consistent existence in OPM networks.

Don’t Fail to Escalate the Alarm When Your Critically Delicate Data Is Under Attack

In the OPM breach, observed attack activity “ought to have sounded a high level multi agency national security alarm that an advanced, consistent actor was looking to gain access to OPM’s highest value data.” Instead, nothing of consequence was done “until after the agency was significantly compromised, and until after the agency’s most sensitive info was lost to wicked actors.” As a CISO, sound that alarm in time (or rehearse your panel appearance face).

Finally, do not let this be stated of your organization security posture:

The Committee obtained documentation and testimony showing OPM’s info security posture was undermined by a woefully unsecured IT environment, internal politics and administration, and inappropriate top priorities related to the release of security tools that slowed crucial security choices.

Chuck Leaver – Why Organizations Are Reluctant To Migrate To The Cloud

Written By Chuck Leaver CEO Ziften

What Worries Enterprise CISOs When Migrating To The Cloud

Moving to the cloud provides a variety of benefits to business companies, however there are real security problems that make changing over to a cloud environment worrisome. What CISOs want when migrating to the cloud is continuous insight into that cloud environment. They need a way to monitor and measure risk and the confidence that they have the proper security controls in place.

Increased Security Threat

Migration to the cloud suggests utilizing managed IT services and many believe this means giving up a high level of visibility and control. Although the top cloud service providers utilize the latest security technology and file encryption, even the most current systems can stop working and expose your delicate data to the hackers.

In reality, cloud environments go through comparable cyber hazards as private enterprise data centers. Nevertheless, the cloud is ending up being a more attractive target due to the significant quantity of data that has actually been stored on servers in the cloud.

Cyber attackers understand that business are gradually moving to the cloud, and they are currently targeting cloud environments. Alert Logic, a security as a service provider, released a report that concluded that those who make IT choices ought to not assume that their data that is stored off site is more difficult for cyber bad guys to get.

The report went on to say that there had actually been a 45% boost in application attacks against deployments in the cloud. There had also been a boost in attack frequency on organizations that save their infrastructure in the cloud.

The Cloud Is a Jackpot

With the shifting of valuable data, production workloads, and applications to cloud environments these revelations ought to not come as a surprise. A declaration from the report stated, “… cyber attackers, like everyone else, have a minimal amount of time to finish their job. They wish to invest their time and resources into attacks that will bear the most fruit: companies using cloud environments are largely thought about as that fruit bearing prize.”

The report also recommends that there is a mistaken belief within organizations about security. A number of organization decision makers were under the impression that when a cloud migration had happened then the cloud service provider would be totally responsible for the security of their data.

Security in The Cloud Needs To Be A Shared Obligation

All organizations must take responsibility for the security of their information whether it is hosted on site or in the cloud. This duty can not be completely renounced to a cloud provider. If your company suffers from a data breach while using cloud management services, it is unlikely that you would have the ability to avert obligation.

It is essential that every organization totally comprehends the environment and the risks that are related to cloud management. There can be a myriad of legal, financial, commercial, and compliance risks. Before moving to the cloud make certain to inspect contracts so that the supplier’s liability is fully comprehended if a data breach were to occur.

Vice president of Alert Logic Will Semple said, “the key to protecting your critical data is being well-informed about how and where along the ‘cyber kill chain’ cyber attackers penetrate systems and to employ the ideal security tools, practices and financial investment to combat them.”

Cloud Visibility Is Critical

Whether you are using cloud management services or are hosting your own infrastructure, you require complete visibility within your environment. If you are thinking about the migration of part – or all – of your environment to the cloud then this is important.

After a cloud migration has actually happened you can count on this visibility to monitor each user, device, application, and network activity for potential risks and possible hazards. Thus, the administration of your infrastructure ends up being far more efficient.

Don’t let your cloud migration result in lesser security and incomplete compliance. Ziften can help preserve cloud visibility and security for your existing cloud implementations, or future cloud migrations.

 

Chuck Leaver – If You Want To Prevent Cyber Attacks Pay Attention To Endpoint Management

Written By Chuck Leaver, CEO Ziften

Recognize and manage any device that requires access to your business network.

When a company becomes larger so does its asset footprint, and this makes the job of managing the entire set of IT assets a lot more difficult. IT management has changed from the days where IT asset management consisted of keeping records of devices such as printers, accounting for all installed applications and guaranteeing that anti-virus suites were updated.

Today, companies are under continuous threat of cyber attacks and using harmful code to infiltrate the business network. Numerous devices now have network access abilities. Gone are the days when only desktop PC’s connected to an organization network. Now there is a culture of bring your own device (BYOD) where cell phones, tablets and laptops are all likely to connect to the network.
While this supplies versatility for the organizations with the ability for users to link from another location, it opens an entire brand-new variety of vulnerabilities as these different endpoints make the challenge of corporate IT security a great deal more complex.

What Is Endpoint Management?

It is essential that you have a policy based approach to the endpoint devices that are linked to your network to lessen the danger of cyber attacks and data breaches. Using laptops, tablets, mobile phones and other devices might be convenient, however they can expose organizations to a large selection of security dangers. The primary objective of a sound endpoint management strategy should be that network activities are thoroughly kept an eye on and unapproved devices can not access the network.

A lot of endpoint management software is most likely to inspect that the device has an operating system that has actually been approved, as well as anti-virus software applications, and examine the device for upgraded private virtual network systems.

Endpoint management systems will recognize and control any device that requires access to the business network. If anybody is trying to access the enterprise environment from a non compliant device they will be rejected. This is vital to combat attacks from cyber crooks and breaches from destructive groups.

Any device which does not abide by endpoint management policies are either quarantined or approved minimal access. Local administrative rights might be eliminated and browsing the Web restricted.

Organizations Have The Ability To Do More

There are a number of methods that a business can use as part of their policy on endpoint management. This can consist of firewall programs (both network and individual), the file encryption of delicate data, more powerful authentication methods which will definitely consist of making use of tough to crack passwords that are frequently altered and device and network level anti-viruses and anti malware protection.

Endpoint management systems can work as a client and server basis where software is deployed and centrally managed on a server. The client program will have to be set up on all endpoint devices that are licensed to access the network. It is also possible to utilize a software as a service (SaaS) model of endpoint management where the supplier of the service will host and maintain the server and the security applications from another location.

When a client device attempts a log in then the server based application will scan the device to see if it complies with the company’s endpoint management policy, and then it will confirm the credentials of the user prior to access to the network can be granted.

The Problem With Endpoint Management Systems

Most businesses see security software as a “complete treatment” but it is not that clear cut. Endpoint security software that is acquired as a set and forget service will never ever suffice. The knowledgeable hackers out there understand about these software systems and are developing destructive code that will avert the defenses that a set and forget application can provide.

There has to be human intervention and Jon Oltsik, contributor at Network World said “CISOs need to take ownership of endpoint security and designate a group of experts who own endpoint security controls as part of a general duty for event prevention, detection, and response.”

Ziften’s endpoint security services offer the continuous monitoring and look-back visibility that a cyber security team needs to discover and act upon to prevent any destructive breaches spreading and taking the sensitive data of the business.

Chuck Leaver – A Recap Of Splunk.conf 2016 Adaptive Response Is Critical

Written By Michael Vaughn And Presented By Chuck Leaver Ziften CEO

 

All the current success from Splunk

Recently I participated in the annual Splunk conference in the great sunshine state – Florida. The Orlando-based occasion permitted Splunkers from around the world to acquaint themselves with the current and greatest offerings from Splunk. Although there were an array of enjoyable activities throughout the week, it was clear that guests existed to discover new things. The statement of Splunk’s security-centric Adaptive Response effort was favored and just so happens to integrate quite nicely with Ziften’s endpoint service.

Of particular interest, the “Transforming Security” Keynote Address presented by Monzy Merza, Director of Cyber Research and Chief Security Evangelist for Splunk, Haiyan Song, SVP Security Markets for Splunk, and Mike Stone, CDIO for the UK Ministry of Defense, showed the power of Splunk’s new Adaptive Response user interface to thousands of attendees.

In the clip just below taken from that Keynote, Monzy Merza exhibits how critical data provided by a Ziften agent can likewise be used to enact bi-directional functionality from Splunk by sending instructional logic to the Ziften agent to take immediate actions on a compromised endpoint. Monzy was able to effectively identify a jeopardized Linux server and remove it from the live network for further forensic examination. By not only offering vital security data to the Splunk instance, but likewise allowing the user to stay on the same user interface to take operational and security actions, the Ziften endpoint agent allows users to bi-directionally use Splunk’s powerful framework to take immediate action throughout all operating systems in an exacting way. After the talks our cubicle was overloaded with demonstrations and incredibly intriguing discussions regarding operations and security.

Have a look at a three minute Monzy extract from the Keynote:

Over the weekend I was able to process the wide variety of technical discussions I had with numerous brilliant individuals in our booth at.conf. One of the funny things I found – which no one would freely admit unless I pulled it from them – is that most of us are beginner-to-intermediate SPL( Splunk Processing Language) users. I likewise observed the obvious: incident response was the primary focus of this year’s event.

However, lots of people utilize Ziften for Splunk for a range of things, such as operations and application management, network tracking, and user habits modeling. In an effort to light up the broad performance of our Splunk App, here’s a taste of what folks at.conf2016 enjoyed most about Ziften for Splunk:

1) It’s great for Enterprise Security.

a. Generalized platform for digesting real time data and taking instant action
b. Autotomizing removal from a large scope of indicators of compromise

2) IT Operations love us.

a. Systems Tracking, Hardware Life Cycle, Resource Management
b. Management of Applications – Compliance, License Verification, Susceptibilities

3) Network Monitoring with ZFlow is a game changer.

a. ZFlow ties netflow with binary, user and system data – in a solitary Splunk SPL entry. Do I need to state more here? This is the ideal Holy Grail from Indiana Jones, folks!

4) Our User Behavior Modeling goes beyond simply alerts.

a. This could be tied back under IT Operations but it’s becoming its own monster
b. Ziften’s tracking of software use, logins, elevated binaries, timestamps, etc is readily viewable in Splunk
c. Ziften provides a complimentary Security Centric Splunk bundle, however we transform all of the data we gather from each endpoint to Splunk CIM language – Not simply our ‘Alerts’.

Ultimately, using a single Splunk Adaptive Response interface to handle a wide variety of tools within your environment is what helps build a strong business fabric for your company – one in which operations, security and network teams more fluidly overlap. Make better decisions, much faster. Discover for yourself with our free Thirty Days trial of Ziften for Splunk!

Chuck Leaver – Get Tough On Adobe Flash And Ban It To Prevent Exploits

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO

 

Be Strong or Get Attacked.

Extremely experienced and talented cyber attack teams have actually targeted and are targeting your organization. Your large endpoint population is the most typical point of entry for knowledgeable attack organizations. These enterprise endpoints number in the thousands, are loosely handled, laxly configured, and rife with vulnerability exposures, and are run by partially trained, credulous users – the ideal target-rich opportunity. Mikko Hypponen, chief research officer at F-Secure, frequently says at market symposia: “How many of the Fortune 500 are attacked today? The answer: 500.”

And how long did it take to penetrate your enterprise? White hat hackers performing penetration screening or red group workouts typically jeopardize target businesses within the very first few hours, although morally and lawfully limited in their techniques. Black hat or state sponsored hackers might accomplish penetration much more quickly and secure their presence forever. Provided average assailant dwell periods determined in numerous days, the time-to-penetration is negligible, not an impediment.

Exploit Sets

The industrialization of hacking has created a black market for attack tools, consisting of a range of software for determining and making use of customer endpoint vulnerabilities. These exploitation sets are marketed to cyber assailants on the dark web, with dozens of exploitation package families and suppliers. An exploit kit operates by evaluating the software application configuration on the endpoint, determining exposed vulnerabilities, and applying an exploit to a vulnerability exposure.

A relative handful of commonly released endpoint software represent the bulk of exploit set targeted vulnerabilities. This arises from the unfortunate reality that complex software applications have the tendency to show a consistent flow of vulnerabilities that leave them continually susceptible. Each patch release cycle the exploitation set developers will download the latest security patches, reverse engineer them to discover the underlying vulnerabilities, and update their exploit sets. This will frequently be done quicker than businesses use patches, with some vulnerabilities remaining unpatched and ripe for exploitation even years after a patch is provided.

Adobe Flash

Prior to prevalent adoption of HTML 5, Adobe Flash was the most frequently utilized software application for rich Internet material. Even with increasing adoption of HTML 5, legacy Adobe Flash keeps a significant following, preserving its long-held position as the darling of exploitation kit authors. A recent research study by Digital Shadows, In the Business of Exploitation, is useful:

This report examines 22 exploit packages to comprehend the most often exploited software. We tried to find trends within the exploitation of vulnerabilities by these 22 packages to show what vulnerabilities had been exploited most extensively, combined with how active each exploitation set was, in order to inform our assessment.

The vulnerabilities exploited by all 22 exploit sets revealed that Adobe Flash Player was most likely to be the most targeted software, with 27 of the 76 identified vulnerabilities exploited relating to this software.

With relative consistency, dozens of fresh vulnerabilities are revealed in Adobe Flash every month. To exploit package designers, it is the present that keeps on giving.

The market is learning its lesson and moving beyond Flash for abundant web material. For example, a Yahoo senior developer blogging just recently in Streaming Media kept in mind:

” Adobe Flash, once the de-facto standard for media playback online, has actually lost favor in the industry due to increasing issues over security and efficiency. At the same time, requiring a plugin for video playback in internet browsers is losing favor among users too. As a result, the market is approaching HTML5 for video playback.”

Amit Jain, Sep 21, 2016

Banishing Adobe Flash

One action businesses may take now to solidify their endpoint setups is to banish Adobe Flash as a matter of organization security policy. This will not be an easy task, it might be painful, however it will be valuable in reducing your enterprise attack surface. It includes blacklisting Adobe Flash Player and imposing browser security settings disabling Flash content. If done properly, this is exactly what users will see where Flash content appears on a traditional website:

refuse-flash-player-message

This message validates two truths:

1. Your system is appropriately set up to decline Flash material.

Praise yourself!

2. This site would compromise your security for their benefit.

Ditch this website!