Archive for July, 2017

Chuck Leaver – Now Integrating Advanced Endpoint Products Into Existing Security Architectures Is Possible

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver


Security practitioners are by nature a cautious lot. Caution is a trait most people probably bring into this field given its mission, but it is also a trait learned over time. Ironically, this holds true even when it comes to adding security controls to an existing security architecture. While one might assume that more security is better security, experience teaches us that is not always the case. There are many issues associated with deploying a new security product. One that often appears near the top of the list is how well the new product integrates with the incumbent products.

Integration concerns come in many flavors. First and foremost, a new security control should not break anything. Beyond that, new security products need to share threat intelligence readily and act on threat intelligence gathered across the organization’s entire security infrastructure. In other words, the new security tools must work with the existing ecosystem of tools so that “1 + 1 = 3”. The last thing most IT and security operations teams need is another siloed product or tool.

This is why at Ziften we have always focused on building and delivering a fully open visibility architecture. We believe that any new systems and security operations tool must be designed with improved visibility and information sharing as key requirements. But this is not a one-way street. Creating easy integrations requires technology partnerships with other vendors. We consider it our responsibility to work with other technology companies to integrate our products mutually, making it easy on customers. Unfortunately, many vendors still believe that integrating security products, especially new endpoint security products, is extremely difficult. I hear this concern constantly in customer conversations. But data is now emerging that shows this is not necessarily the case.

In recent survey work on “advanced endpoint” products, NSS Labs reports that Global 2000 customers based in the United States and Canada have been pleasantly surprised by how well these products integrate into their existing security architectures. According to the NSS study titled “Advanced Endpoint Protection – Market Analysis and Survey Results CY2016”, which NSS subsequently presented in the BrightTalk webinar below, respondents who had already deployed advanced endpoint products were much more positive about their ability to integrate into established security architectures than were respondents still in the planning stages of acquiring these products.

Specifically, respondents who have already deployed advanced endpoint products rate integration with their existing security architectures as follows:

● Excellent 5.3 %
● Good 50.0 %
● Average 31.6 %
● Poor 13.2 %
● (Horrible) 0.0 %

Compare that to the more conservative responses from those still in the planning stage:

● Excellent 0.0 %
● Good 39.3 %
● Average 42.9 %
● Poor 14.3 %
● (Horrible) 3.6 %

These responses are encouraging. Yes, as noted, security people tend to be pessimists, but despite low expectations respondents report positive results when it comes to integration experiences. In fact, Ziften customers typically show the same initial low expectations when we first discuss integrating Ziften products into their existing environment. But in the end, customers are impressed by how easy it is to share information between Ziften products and their established infrastructure.

These survey results will hopefully help reduce concerns, since newer adopters tend to seek out and rely on peer recommendations before making purchase decisions. Early mainstream adopters are clearly having success deploying these products, which should help reduce the natural caution of the broader mainstream.

Certainly there is considerable variation among products in this space, and organizations should continue to perform proper due diligence to understand how and where products integrate into their wider security architectures. But the good news is that there are products not only meeting customer needs but actually exceeding their initial expectations.


Chuck Leaver – Ziften Clients Are Protected From The Flaw In Petya Variant

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Another outbreak, another problem for those who were not prepared. While this latest attack is similar to the earlier WannaCry threat, there are differences in this latest malware, which is a variant or new strain similar to Petya. Dubbed NotPetya by some, this strain causes a great deal of trouble for anyone who encounters it. It may encrypt your data, or render the system entirely unusable. And now the email address you would need to contact to ‘maybe’ decrypt your files has been taken down, so you are out of luck getting your files back.

Plenty of details on the behavior of this threat are publicly available, but I wanted to note that Ziften customers are protected from both the EternalBlue exploit, which is one mechanism used for its propagation, and, better still, by an inoculation based on a possible flaw, or its own kind of debug check, that prevents the threat from ever executing on a system. It could still spread across the environment, but our protection would already be deployed to all existing systems to halt the damage.

Our Ziften extension platform allows our customers to have protection in place against specific vulnerabilities and malicious behaviors for this threat and others like Petya. Beyond the specific actions taken against this particular variant, we have taken a holistic approach to stopping strains of malware that perform various ‘checks’ against the system before executing.

We can also use our Search capability to look for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines and their usage. Although they are legitimate tools, their use is normally rare and can be alerted on.
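To illustrate the kind of search the paragraph describes, here is an added Python example (not Ziften’s code and not its Search feature) that scans constructed process-creation records for WMIC and PsExec usage and raises the priority when the command line names a remote host. The record layout, the tool list and the severity rule are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Legitimate administration tools that are rarely run on ordinary endpoints;
# any use is worth recording, and use with a remote target is worth an alert.
RARE_ADMIN_TOOLS = {"wmic.exe", "psexec.exe", "psexec64.exe", "psexesvc.exe"}

# Matches a remote host given as WMIC's /node:"host" or as a UNC-style \\host argument.
REMOTE_RE = re.compile(r'/node:"?([^"\s]+)"?|\\\\([^\s\\]+)', re.IGNORECASE)

# Constructed process-creation records (host, user, image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-0113", "jdoe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ("ws-0113", "jdoe", r"C:\Windows\System32\wbem\WMIC.exe",
     'wmic /node:"192.0.2.22" /user:"corp\\svc_bk" process call create "C:\\temp\\unknown.exe"'),
    ("ws-0207", "svc_bk", r"C:\Tools\PsExec.exe", r"PsExec.exe \\ws-0301 -accepteula -s cmd.exe"),
    ("ws-0301", "SYSTEM", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("ws-0444", "hdesk", r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
]

@dataclass
class Alert:
    host: str
    user: str
    tool: str
    remote_target: Optional[str]
    severity: str

def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def remote_target(cmdline: str) -> Optional[str]:
    m = REMOTE_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def find_rare_tool_usage(events):
    """Return one Alert per process-creation event that ran a rare admin tool."""
    alerts = []
    for host, user, image, cmdline in events:
        name = image_name(image)
        if name not in RARE_ADMIN_TOOLS:
            continue
        target = remote_target(cmdline)
        # PSEXESVC.exe appearing on a host is the service side of a remote PsExec session.
        severity = "high" if target or name == "psexesvc.exe" else "medium"
        alerts.append(Alert(host, user, name, target, severity))
    return alerts
```

Local-only use such as `wmic os get caption` is still recorded at a lower severity, so the analyst can judge how rare the tool really is on that host before tuning the rule.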

With WannaCry, and now NotPetya, we expect to see a continued rise in these kinds of attacks. The release of the recent NSA exploits has given ambitious cyber criminals the tools they need to push out their wares. And though ransomware can be a high-commodity vehicle, more destructive threats could be launched. It has always been ‘how’ to get the threat to spread (worm-like, or through social engineering) that is the hardest part for them.

Chuck Leaver – UK Email Attack Highlights Insecurities

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


In cyberspace the sheep get shorn, chumps get munched, dupes get duped, and pawns get pwned. We have seen another fine example of this in the recent attack on the UK Parliament email system.

Rather than admitting to an email system that was insecure by design, the official statement read:

Parliament has robust procedures in place to secure all our accounts and systems.

Yeah, right. The one protective measure we did see in action was blame deflection – the Russians did it, that always works – while blaming the victims for their policy violations. While details of the attack are limited, combining various sources does help piece together at least the broad outlines. If these accounts are reasonably accurate, the UK Parliament email system’s failings are atrocious.

What went wrong in this scenario?

Rely on single-factor authentication

“Password security” is an oxymoron – anything protected by a password alone is insecure, period, regardless of password strength. Please, no 2FA here; it might impede attacks.

Do not impose any limit on failed login attempts

Aided by single-factor authentication, this enables easy brute force attacks, no skill required. But when breached, blame elite state-sponsored hackers – nobody can verify.

Do not perform brute force attack detection

Allow attackers to run (otherwise trivially detectable) brute force attacks for extended periods (12 hours against the UK Parliament system), to maximize the scope of account compromise.

Do not enforce policy; treat it as mere suggestions

Combined with single-factor authentication, no limit on failed logins, and no brute force attack detection, do not enforce any password strength validation. Provide attackers with very low-hanging fruit.
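As an added example that is not part of the original post, the Python below shows two of the missing controls side by side: a limit on failed logins with a lockout, and brute force and password spray detection over a sliding window, applied to constructed authentication log lines. The log format, the thresholds and the lockout duration are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5               # failures per account tolerated inside WINDOW
WINDOW = timedelta(minutes=15)
LOCKOUT = timedelta(minutes=30)
SPRAY_ACCOUNTS = 5             # distinct accounts one source may fail against before an alert

# Constructed sample log lines (not real data): "<ISO time> <OK|FAIL> user=<id> src=<ip>"
SAMPLE_LOG = (
    [f"2017-06-23T22:{m:02d}:00 FAIL user=mp.alpha src=203.0.113.9" for m in range(6)]
    + ["2017-06-23T22:07:00 OK user=mp.alpha src=203.0.113.9"]      # right password, but locked
    + [f"2017-06-23T23:00:{s:02d} FAIL user=mp.{n} src=198.51.100.7" for s, n in enumerate("bcdef")]
    + ["2017-06-23T23:30:00 OK user=mp.alpha src=192.0.2.44"]       # lockout expired, real login
)
def parse(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

class AuthGuard:
    def __init__(self):
        self.failures = defaultdict(deque)     # account -> recent failure timestamps
        self.locked_until = {}                 # account -> lockout expiry
        self.spray_targets = defaultdict(set)  # source -> accounts it has failed against
        self.alerts = []

    def handle(self, ts, result, user, src):
        # Deny while locked, even if the password is now correct.
        if user in self.locked_until and ts < self.locked_until[user]:
            return "DENIED_LOCKED"
        if result == "OK":
            self.failures[user].clear()
            return "ALLOWED"
        recent = self.failures[user]
        recent.append(ts)
        while ts - recent[0] > WINDOW:         # drop failures outside the sliding window
            recent.popleft()
        self.spray_targets[src].add(user)      # one source, many accounts: password spray
        if len(self.spray_targets[src]) == SPRAY_ACCOUNTS:
            self.alerts.append(f"spray: {src} failed against {SPRAY_ACCOUNTS} accounts")
        if len(recent) >= MAX_FAILURES:        # one account, many failures: brute force
            self.locked_until[user] = ts + LOCKOUT
            self.alerts.append(f"lockout: {user} after {len(recent)} failures, last from {src}")
            return "LOCKED"
        return "FAILED"

def process_log(lines):
    guard = AuthGuard()
    decisions = [guard.handle(*parse(line)) for line in lines]
    return decisions, guard.alerts
```

Note that the spray check fires even though no single account reaches the lockout threshold, which is exactly the case a per-account limit alone would miss.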

Rely on anonymous, unencrypted email for sensitive communications

If hackers do succeed in compromising email accounts or sniffing your network traffic, provide plenty of opportunity for them to harvest high-value message content entirely in the clear. This also conditions constituents to trust easily spoofable email from Parliament, creating an ideal constituent phishing environment.

Lessons learned

In addition to adding “Common Sense for Dummies” to their summer reading list, the UK Parliament email system admins might want to take further steps. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely rethinking secure messaging are all recommended. Penetration testing would have found these basic weaknesses while staying out of the news headlines.

Even a few clever high schoolers with a free weekend could have replicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some cyber criminal somewhere across the global internet. All the more reason to find and fix those weaknesses before the hackers do, so get started immediately. And then, if your defenders cannot see the attacks in progress, upgrade your monitoring and analytics.

Chuck Leaver – Use SysSecOps To Bring IT And Security Together

Written By Chuck Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with hundreds of organizations, he realized that one of the biggest challenges is that security and operations are two different departments – with drastically different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, recently completed a study, “Endpoint Security and SysSecOps: The Growing Trend to Develop a More Secure Business”, in which one of the key findings was that conflicting IT and security goals prevent professionals – on both teams – from achieving their objectives.

That is exactly what we believe at Ziften, and the term Scott coined for the convergence of IT and security in this domain – SysSecOps – describes perfectly what we have been talking about. Security teams and IT teams need to get on the same page. That means sharing the same objectives and, sometimes, the same tools.

Consider the tools that IT people use. They are designed to ensure the infrastructure and end devices are working properly and, when something goes wrong, to help repair it. On the endpoint side, those tools help ensure that devices allowed onto the network are configured correctly, run software that is authorized and properly updated/patched, and have not registered any faults.

Consider the tools that security people use. They work to enforce security policies on devices, infrastructure, and security appliances (like firewalls). This may include actively monitoring incidents, scanning for abnormal behavior, examining files to ensure they do not contain malware, incorporating the latest threat intelligence, matching against newly discovered zero-days, and performing analysis on log files.

Spotting fires, fighting fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, can work quickly to isolate the problem, and can determine whether damage occurred (like data exfiltration). The IT teams are the firefighters on the ground: they jump into action when an incident strikes to make sure the systems are made safe and brought back into operation.

Sounds great, doesn’t it? Unfortunately, all too often they do not talk to each other – it’s like having the fire spotters and firefighters using incompatible radios, different jargon, and different city maps. Worse, the teams cannot share the same data directly.

Our approach to SysSecOps is to provide both the IT and security teams with the same resources – and that means the same reports, delivered in the ways appropriate to each set of professionals. It’s not dumbing down; it’s working smarter.

It’s absurd to operate any other way. Take WannaCry, for example. Microsoft provided a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn’t install the patch because they didn’t think it was a big deal and didn’t talk to security. Security teams didn’t know whether the patch was installed because they don’t talk to operations. SysSecOps would have had everyone on the same page – and could potentially have prevented this problem.

Missing data means waste and risk

The inefficient gap between IT operations and security exposes companies to risk. Preventable risk. Unnecessary risk. It’s simply unacceptable!

If your company’s IT and security teams aren’t on the same page, you are incurring risks and costs that you should not have to. It’s waste. Organizational waste. It’s wasteful because you have so many tools providing partial data with gaps, and each of your teams sees only part of the picture.

As Scott concluded in his report, “Coordinated SysSecOps visibility has currently shown its worth in assisting companies evaluate, analyze, and prevent considerable dangers to the IT systems and endpoints. If these goals are pursued, the security and management risks to an IT system can be greatly diminished.”

If your teams are working together in a SysSecOps way, if they can see the same data at the same time, you not only have better security and more efficient operations – but also lower risk and lower costs. Our Zenith software can help you achieve that efficiency, not only working with your existing IT and security tools, but also filling in the gaps to make sure everyone has the right data at the right time.