Archive for December, 2016

Chuck Leaver – Good Security Begins With IT Asset Management And Discovery

Written by Roark Pollock and presented by Chuck Leaver, CEO, Ziften


Reliable IT asset management and discovery can be a network and security admin’s best friend.

I do not have to tell you the obvious: a good security program begins with an inventory of every device connected to the network. Yet keeping a current inventory of every connected device used by employees and business partners is hard. Harder still is ensuring that no unmanaged assets are connected at all.

What is an Unmanaged Asset?

Networks can have thousands of connected devices. These include, to name a few:

– User devices such as laptops, desktops, workstations, virtual desktop systems, bring-your-own devices (BYOD), mobile phones, and tablets.

– Cloud and data center devices such as servers, virtual machines (VMs), orphaned VMs, containers, and storage systems.

– Networking devices such as switches, load balancers, firewalls, and WiFi access points.

– Other devices such as printers and, more recently, Internet of Things (IoT) devices.

Unfortunately, many of these connected devices may be unknown to IT, or not governed by IT group policies. Devices that are unknown to IT, or not managed by IT policy, are referred to as “unmanaged assets.”

The number of unmanaged assets continues to rise for many businesses. Ziften finds that as many as 30% to 50% of all connected devices in today’s enterprise networks can be unmanaged assets.

IT asset management tools are generally optimized to identify assets such as computers, servers, load balancers, firewalls, and storage devices used to deliver enterprise applications to the organization. However, these tools generally overlook assets not owned by the business, such as BYOD endpoints or user-deployed wireless access points. More uncomfortable still, Gartner asserts in “Beyond BYOD to IoT, Your Enterprise Network Access Policy Should Change” that IoT devices have surpassed employees and visitors as the largest user of the business network.[1]

Gartner goes on to describe a new trend that will introduce even more unmanaged assets into the business environment: bring your own things (BYOT).

Essentially, employees bring devices developed for the smart home into the workplace. Examples include smart power sockets, smart kettles, smart coffee machines, smart light bulbs, domestic sensors, wireless webcams, plant care sensors, environmental monitors, and eventually home robots. Many of these items will be brought in by staff seeking to make their working environment more congenial. These “things” can sense information, can be controlled by apps, and can communicate with cloud services.[1]

Why is it Essential to Discover Unmanaged Assets?

Quite simply, unmanaged assets create IT and security blind spots. Mike Hamilton, SVP of Product at Ziften, said, “Security begins with understanding exactly what physical and virtual devices are connected to the business network. However, BYOD, shadow IT, IoT, and virtualization are making that more difficult.”

These blind spots not only increase security and compliance risk, they can increase legal risk as well. Data retention policies designed to limit legal liability are unlikely to be applied to digitally stored information held on unauthorized cloud, mobile, and virtual assets.

Maintaining a current inventory of the assets on your network is critical to good security. It’s common sense: if you do not know it exists, you cannot know whether it is secure. In fact, asset visibility is so essential that it is a foundational part of many information security frameworks, including:

– SANS Critical Security Controls for Effective Cyber Defense: establishing an inventory of authorized and unauthorized devices is number one on the list.

– Council on CyberSecurity Critical Security Controls: establishing an inventory of authorized and unauthorized devices is the first control in the focused list.

– NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations: information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

– ISO/IEC 27001 Information Security Management System Requirements: the standard requires that all assets be clearly identified and that an inventory of all important assets be drawn up and maintained.

– Ziften’s Adaptive Security Framework: the first pillar includes discovery of all your authorized and unauthorized physical and virtual devices.

Considerations in Evaluating Asset Discovery Solutions

There are numerous techniques used for asset identification and network mapping, and each has advantages and disadvantages. While evaluating the myriad tools, keep these two essential considerations in mind:

Continuous versus point-in-time

Strong information security requires continuous asset discovery regardless of the approach used. However, many scanning techniques used in asset discovery take time to complete and are therefore run periodically. The drawback of point-in-time discovery is that transient systems may be on the network only briefly, so it is quite possible that they will never be found.

Some discovery techniques can trigger security alerts in network firewalls, intrusion detection systems, or antivirus tools. Because these techniques can be disruptive, discovery is often executed only at regular, point-in-time intervals.

There are, however, asset discovery methods that can be used continuously to find and identify connected assets. Tools that offer continuous monitoring for unmanaged assets deliver better unmanaged asset identification.

Passive versus active

Asset identification tools supply intelligence on every discovered asset, including IP address, hostname, MAC address, device manufacturer, and even device type. This helps operations teams quickly clean up their environments, removing rogue and unmanaged devices and curbing VM sprawl. However, these tools go about gathering this intelligence in different ways.

Tools that employ active network scanning probe the network to coax responses from devices. These responses offer clues that help identify and fingerprint the device. Active scanning periodically examines the network, or a segment of it, for devices that are connected at the time of the scan.

Active scanning can generally offer deeper analysis of vulnerabilities, detection of malware, and configuration and compliance auditing. However, because of its disruptive interaction with security infrastructure, active scanning is run periodically, and so it risks missing transient devices and vulnerabilities that appear between scheduled scans.

Other tools use passive asset discovery techniques. Because passive detection operates 24x7, it will find transient assets that may be connected only occasionally and briefly, and it can send alerts when new assets are detected.

In addition, passive discovery does not disrupt sensitive devices on the network, such as industrial control systems, and it gives visibility into the web and cloud services being accessed from systems on the network. Passive discovery techniques also avoid triggering alerts on security tools across the network. The trade-off is that a passive sensor only sees traffic that reaches it: a device on a segment without a tap or SPAN feed, or one that stays silent, goes unseen, and passive observation yields less detail about open ports and vulnerabilities than an active probe does.
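The two trade-offs above, continuous versus point-in-time and passive versus active, are easier to see side by side in code. The following is an added example, not Ziften’s product code: a minimal passive inventory fed from a constructed log of ARP and DHCP observations (the kind a sensor on a SPAN port would record), compared against simulated hourly scans. The log format, the OUI-to-vendor table and the CMDB list of managed MACs are all assumptions made for the example.

```python
"""Continuous passive discovery versus periodic point-in-time scans.
Added illustration, not Ziften's code; the sensor log, OUI table and CMDB
list below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sensor log (ARP/DHCP seen on a SPAN port): "<epoch_s> <proto> <mac> <ip> <hostname|->".
# The phone 88:66:a5:... is a transient BYOD device, present only from t=1400
# to t=1550, i.e. between the hourly scans at t=1000 and t=4600.
SAMPLE_LOG = """\
1000 DHCP 3c:22:fb:aa:01:01 10.0.1.21 fin-laptop-07
1000 ARP  00:50:56:bb:02:02 10.0.1.50 -
1400 DHCP 88:66:a5:cc:03:03 10.0.1.77 Johns-iPhone
1550 ARP  88:66:a5:cc:03:03 10.0.1.77 -
1800 DHCP d8:1d:72:dd:04:04 10.0.1.90 coffee-maker
4600 ARP  3c:22:fb:aa:01:01 10.0.1.21 -
4600 ARP  00:50:56:bb:02:02 10.0.1.50 -
4600 ARP  d8:1d:72:dd:04:04 10.0.1.90 -
"""
# Constructed OUI prefix -> vendor mapping (placeholder names, not the IEEE registry).
OUI_TABLE = {"3c:22:fb": "LaptopVendor", "00:50:56": "HypervisorVendor",
             "88:66:a5": "PhoneVendor", "d8:1d:72": "ApplianceVendor"}
# Hypothetical CMDB export: the MACs IT knows about and manages.
MANAGED_MACS = {"3c:22:fb:aa:01:01", "00:50:56:bb:02:02"}


@dataclass
class Asset:
    mac: str
    ip: str
    hostname: str
    vendor: str
    first_seen: int
    last_seen: int
    managed: bool


def parse_log(text: str) -> List[dict]:
    """Parse the sensor log into time-ordered observation events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, mac, ip, host = line.split()
        events.append({"ts": int(ts), "proto": proto, "mac": mac.lower(),
                       "ip": ip, "host": None if host == "-" else host})
    return sorted(events, key=lambda e: e["ts"])


class PassiveInventory:
    """Continuous inventory: every observation updates a record, and the first
    sighting of a MAC outside the CMDB raises an alert at once."""

    def __init__(self, managed_macs: Set[str]):
        self.managed = {m.lower() for m in managed_macs}
        self.assets: Dict[str, Asset] = {}
        self.alerts: List[str] = []

    def observe(self, ev: dict) -> None:
        asset = self.assets.get(ev["mac"])
        if asset is None:
            asset = Asset(ev["mac"], ev["ip"], ev["host"] or "",
                          OUI_TABLE.get(ev["mac"][:8], "unknown"),
                          ev["ts"], ev["ts"], ev["mac"] in self.managed)
            self.assets[ev["mac"]] = asset
            if not asset.managed:
                self.alerts.append(f"t={ev['ts']}: new unmanaged asset {asset.mac} "
                                   f"({asset.vendor}, {asset.hostname or 'no hostname'}) at {asset.ip}")
            return
        # Known asset: refresh it.  Only DHCP carries a hostname, so keep the
        # last one learned rather than blanking it on every ARP reply.
        asset.last_seen, asset.ip = ev["ts"], ev["ip"]
        if ev["host"]:
            asset.hostname = ev["host"]

    def unmanaged(self) -> List[str]:
        return sorted(m for m, a in self.assets.items() if not a.managed)


def point_in_time_scan(events: List[dict], scan_ts: int, window: int = 300) -> Set[str]:
    """Simulate an active sweep at scan_ts: it only gets answers from hosts on
    the wire at that moment, approximated as hosts observed within `window` s."""
    return {e["mac"] for e in events if abs(e["ts"] - scan_ts) <= window}


def missed_by_scans(events: List[dict], scan_times: List[int], window: int = 300) -> Set[str]:
    """MACs the continuous sensor saw but every scheduled scan missed."""
    seen: Set[str] = set()
    for t in scan_times:
        seen |= point_in_time_scan(events, t, window)
    return {e["mac"] for e in events} - seen


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    inv = PassiveInventory(MANAGED_MACS)
    for ev in events:
        inv.observe(ev)
    print(f"{len(inv.assets)} assets seen passively; unmanaged: {inv.unmanaged()}")
    print("\n".join("ALERT " + a for a in inv.alerts))
    print("missed by hourly scans:", missed_by_scans(events, [1000, 4600]))
```

Run as a script, the passive inventory reports four assets and two unmanaged ones (the phone and the coffee maker), while the two simulated hourly scans together see only three: the phone that joined and left between scans never shows up. The same structure applies to a real sensor feed; what changes is the parser and the source of the managed-asset list.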

In Summary

BYOD, shadow IT, IoT, virtualization, and Gartner’s newly coined BYOT all mean more and more assets on the corporate network. Unfortunately, many of these assets are unknown to, or unmanaged by, IT, and they pose serious security holes. Removing these unmanaged assets from the network (they are far more likely to be “patient zero”), or bringing them in line with business security requirements, significantly lowers an organization’s attack surface and overall risk. The good news is that there are solutions that offer continuous, passive discovery of unmanaged assets.

Chuck Leaver – Is It Time To Ditch Enterprise Antivirus?

Written by Dr. Al Hartmann and presented by Chuck Leaver, Ziften CEO

Declining Effectiveness of Enterprise Antivirus?

Google Security Expert Labels Antivirus Apps as Ineffective ‘Magic’

At the recent Kiwicon hacking conference in Wellington, New Zealand, Google Platform Integrity team manager Darren Bilby preached cyber-security heresy. Tasked with investigating extremely sophisticated attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise antivirus into a collection of ineffective tools installed to tick a compliance checkbox at the cost of genuine security:

We need to stop purchasing those things we have shown are not effective… Antivirus does some useful things, but in reality it is more like a canary in a coal mine. It is worse than that. It’s like we are standing around the dead canary saying, ‘Thank god it breathed in all the poisonous gas.’

Google’s security experts aren’t the first to weigh in against enterprise antivirus, or to draw unflattering analogies, in this case to a dead canary.

Another highly experienced security team, FireEye Mandiant, likened static defenses such as enterprise antivirus to that infamously failed World War II defense, the Maginot Line:

Like the Maginot Line, today’s cyber defenses are fast becoming a relic in today’s threat landscape. Organizations invest billions of dollars every year on IT security. But attackers are easily outflanking these defenses with creative, fast-moving attacks.

An example of this was given by a Cisco managed security services executive presenting at a conference in Poland. The team had found anomalous activity on one of its enterprise clients’ networks and reported the suspected server compromise to the client. To the Cisco team’s amazement, the customer simply ran an antivirus scan on the server, found nothing, and put it back into service. Horrified, the Cisco team conferenced the customer in to their monitoring console and was able to show the attacker conducting a live remote session at that very moment, complete with typing errors and reissued commands to the compromised server. Finally persuaded, the client took the server down and fully re-imaged it. The enterprise antivirus had been a useless distraction: it had not served the client, and it had not deterred the attacker.

So Is It Time to Get Rid of Enterprise Antivirus Already?

I am not yet ready to declare an end to the age of enterprise antivirus. But I do know that companies have to invest in detection and response capabilities to complement conventional antivirus. Increasingly, though, I wonder who is complementing whom.

Skilled targeted attackers will consistently evade antivirus defenses, so against your biggest cyber threats, enterprise antivirus is essentially useless. As Darren Bilby said, it does do some useful things, but it does not provide the endpoint defense you need. So do not let it distract you from the highest-priority cyber-security investments, and do not let it distract you from the security measures that do substantially help.

Proven cyber defense measures include:

– Configuration hardening of networks and endpoints.

– Identity management with strong authentication.

– Application controls.

– Continuous network and endpoint monitoring, and constant vigilance.

– Strong encryption and data protection.

– Personnel education and training.

– Continuous threat re-assessment, penetration testing, and red/blue teaming.

In contrast to Bilby’s criticism of enterprise antivirus, none of the above bullets are ‘magic’. They are simply the ongoing work of adequate enterprise cyber-security.