Archive for November, 2017

Chuck Leaver – Why You Need SysSecOps

Written By Alan Zeichick And Presented By Chuck Leaver


SysSecOps. That’s a new phrase, still unseen by many IT and security administrators – but it’s being discussed within the market, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, describes the practice of bringing security teams and IT operations teams together to ensure the health of enterprise technology – and having the tools to respond most effectively when issues happen.

SysSecOps focuses on taking down the information walls, the silos, that stand between security teams and IT administrators.

IT operations personnel are there to make sure that end users can access applications, and that critical infrastructure is running at all times. They want to optimize access and availability, and they need the data required to do that job – such as that a new employee needs to be provisioned, that a hard disk drive in a RAID array has failed, that a new partner needs to be provisioned with access to a secure document repository, or that an Oracle database is ready to be moved to the cloud. It’s all about technology that drives the business.

Same Data, Different Use Cases

While the way endpoint and network monitoring information and analytics are used is clearly tailored to the different needs of IT and security, it turns out that the underlying raw data is in fact the same. The IT and security teams are simply looking at their own domain’s issues and scenarios – and acting based on those use cases.

Yet in some cases the IT and security teams have to work together. Take provisioning that new business partner: it must touch all the right systems, and be done securely. Or if there is a problem with a remote endpoint, such as a mobile phone or a device on the Industrial Internet of Things, IT and security may have to work together to identify exactly what’s going on. When IT and security share the same data sources, and have access to the same tools, this job becomes a lot easier – and hence SysSecOps.

Imagine that an IT administrator spots that a server hard drive is nearing full capacity – and this was not anticipated. Perhaps the network had been breached, and the server is now being used to stream pirated films across the Web. It happens, and finding and resolving that issue is a task for both IT and security. The data gathered by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more effectively than would happen with conventional, separate IT and security tools.

SysSecOps: it’s a new term, and a new idea, and it’s resonating with both IT and security teams. You can learn more about this in a brief 9 minute video, where I talk with numerous market specialists about this subject: “Exactly what is SysSecOps?”

Chuck Leaver – Be Careful Of This Microsoft Word Feature And Phishing Attacks

Written By Josh Harriman And Presented By Chuck Leaver


An intriguing multifaceted attack has been reported in a recent blog by Cisco’s Talos Intelligence group. I wanted to talk about the infection vector of this attack, as it’s quite fascinating and something that Microsoft has pledged not to fix, as it is a feature and not a bug. Reports can be found of attacks in the wild that make use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog from SecureData.

Special Phishing Attack with Microsoft Word

Attackers constantly search for new ways to breach a company. Phishing attacks are one of the most common, as attackers rely on someone either opening a document sent to them or visiting a ‘faked’ URL. From there, an exploit against a vulnerable piece of software usually provides the access needed to begin their attack.

However, in this case the documents didn’t have a malicious object embedded in the Word doc, which is a favored attack vector, but rather used this feature in a sly way to have the Word program reach out and retrieve the real malicious files. By doing this the attackers could hope for, or rely on, a better infection success rate, since malicious Word files themselves can be scanned and deleted before reaching the recipient.

Hunting for Suspicious Behaviors with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our clients. Finding conditions that show ‘odd’ behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Taking it further and looking for PowerShell running from that spawned shell makes it ‘extremely’ interesting. Through our Search API, we can find these behaviors whenever they happened. We do not need the system to be switched on at the time of the search: if it has run a program (in this case Word) that exhibited these behaviors, we can find that system. Ziften is constantly gathering and sending relevant process information, which is why we can find the data without depending on the system state at the time of searching.

In our Zenith console, I looked for this condition by looking for the following:

Process → Filepath includes word.exe, Child Process Filepath includes cmd.exe, Child Process commandline includes powershell

This returns the PIDs (Process IDs) of the processes we saw start up under these conditions. From there we can drill down to see the critical details.
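The same three-condition hunt, written out as an added example (not Ziften’s code or Search API) over constructed process records so the logic can be run offline. It goes a little beyond the console search above: the parent may be any of several Office executables, not only Word, and a PowerShell process found as a grandchild under cmd.exe is also accepted, so a shell whose own command line does not name powershell is still caught. Host names, PIDs and command lines are made up; the `<redacted>` placeholder stands in for whatever the shell was asked to run.

```python
"""Hunt for "Office -> cmd.exe -> PowerShell" process chains in endpoint
process telemetry.

Added example, not Ziften's own code. It re-creates the three-condition
search from the post (parent path includes word.exe, child path includes
cmd.exe, child command line includes powershell) over constructed process
records, and generalises it: the parent may be any of several Office
executables, and a PowerShell grandchild is also accepted.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    user: str


# Matched case-insensitively against the end of the image path.
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
SHELL_IMAGES = ("cmd.exe",)
POWERSHELL_IMAGES = ("powershell.exe",)
POWERSHELL_TOKEN = "powershell"


def _is_image(image: str, names: Tuple[str, ...]) -> bool:
    return image.lower().endswith(names)


def find_office_shell_chains(events: Iterable[ProcessEvent]) -> List[Tuple[ProcessEvent, ProcessEvent]]:
    """Return (office_process, shell_process) pairs where an Office process
    spawned a shell that in turn invoked PowerShell."""
    events = list(events)
    # Key by (host, pid): PIDs are only unique per machine, and real telemetry
    # should also carry a process start time because PIDs get reused.
    by_key: Dict[Tuple[str, int], ProcessEvent] = {(e.host, e.pid): e for e in events}
    children: Dict[Tuple[str, int], List[ProcessEvent]] = {}
    for e in events:
        children.setdefault((e.host, e.ppid), []).append(e)

    hits = []
    for shell in events:
        if not _is_image(shell.image, SHELL_IMAGES):
            continue
        parent = by_key.get((shell.host, shell.ppid))
        if parent is None or not _is_image(parent.image, OFFICE_IMAGES):
            continue
        # Either the shell's command line names powershell (the post's case)
        # or a powershell.exe process runs directly under the shell.
        invokes_ps = POWERSHELL_TOKEN in shell.cmdline.lower() or any(
            _is_image(g.image, POWERSHELL_IMAGES)
            for g in children.get((shell.host, shell.pid), [])
        )
        if invokes_ps:
            hits.append((parent, shell))
    return hits


def summarize(hits: List[Tuple[ProcessEvent, ProcessEvent]]) -> List[dict]:
    """Flatten hits into the fields an analyst drills into first."""
    return [
        {"host": shell.host, "user": shell.user, "office_pid": office.pid,
         "shell_pid": shell.pid, "shell_cmdline": shell.cmdline}
        for office, shell in hits
    ]


# Constructed sample telemetry (not real captured data).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # WS-01: the DDE pattern from the post; cmd.exe's command line names powershell
    ProcessEvent("WS-01", 4, 0, r"C:\Windows\explorer.exe", "explorer.exe", "alice"),
    ProcessEvent("WS-01", 1200, 4, WORD, '"WINWORD.EXE" /n "invoice.docx"', "alice"),
    ProcessEvent("WS-01", 1340, 1200, CMD, "cmd.exe /c powershell -NoProfile -WindowStyle Hidden -Command <redacted>", "alice"),
    ProcessEvent("WS-01", 1360, 1340, PS, "powershell -NoProfile -WindowStyle Hidden -Command <redacted>", "alice"),
    # WS-02: Word spawning the print spooler helper, benign
    ProcessEvent("WS-02", 2000, 4, WORD, '"WINWORD.EXE" /n "memo.docx"', "bob"),
    ProcessEvent("WS-02", 2010, 2000, r"C:\Windows\splwow64.exe", "splwow64.exe", "bob"),
    # WS-03: an administrator's cmd.exe running PowerShell from Explorer, benign
    ProcessEvent("WS-03", 4, 0, r"C:\Windows\explorer.exe", "explorer.exe", "carol"),
    ProcessEvent("WS-03", 3000, 4, CMD, "cmd.exe /c powershell Get-Process", "carol"),
    # WS-04: cmd.exe launched by Word with a bare command line, PowerShell as grandchild
    ProcessEvent("WS-04", 4100, 4, WORD, '"WINWORD.EXE" /n "report.docx"', "dave"),
    ProcessEvent("WS-04", 4120, 4100, CMD, "cmd.exe", "dave"),
    ProcessEvent("WS-04", 4130, 4120, PS, "powershell.exe", "dave"),
]

if __name__ == "__main__":
    for row in summarize(find_office_shell_chains(SAMPLE_EVENTS)):
        print(row)
```

Only the WS-01 and WS-04 chains are reported; the administrator’s shell on WS-03 is ignored because its parent is Explorer, and Word’s print helper on WS-02 is ignored because it is not a shell. When wiring this into real telemetry, key processes by host, PID and start time rather than host and PID alone.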

In this first image, we can see details of the process tree (Word spawning CMD with PowerShell under it) on the left, and on the right side details such as the system name and user, plus the start time.

Below, in the next image, we look at the CMD process and get details of what was passed to PowerShell.

Most likely, when the user answered the Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and retrieve some code hosted on the Louisiana Gov website. In the PowerShell image below we can see more details, such as the Network Connect information, from when it was reaching out to the website to pull the fonts.txt file.

That IP address ( ) is in fact the Louisiana Gov website. Often we see interesting data within our Network Connect information that does not match what you would expect.

After creating our Saved Search, we can alert on these conditions as they occur across the environment. We can also create extensions that change a GPO policy to disallow DDE, or even take additional action to go and find these files and remove them from the system, if desired. Being able to find interesting combinations of conditions within an environment is extremely powerful, and we are delighted to have this capability in our offering.

Chuck Leaver – Prevent And Manage Ransomware With These 4 Steps

Written By Alan Zeichick And Presented By Chuck Leaver


Ransomware is real, and is threatening individuals, businesses, schools, hospitals, governments – and there’s no sign that ransomware is stopping. In fact, it’s probably increasing. Why? Let’s be honest: ransomware is probably the single most efficient attack that hackers have ever created. Anybody can build ransomware using easily available tools; any cash received is likely in untraceable Bitcoin; and if something goes wrong with decrypting someone’s disk drive, the hacker isn’t affected.

A business is hit with ransomware every 40 seconds, according to some sources, and 60% of malware issues were ransomware. It strikes all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it’s going to get worse.

The good news: we can fight back. Here’s a 4 step battle plan.

Good Fundamental Hygiene

It begins with training employees in how to handle malicious e-mails. There are falsified messages from business partners. There’s phishing and targeted spearphishing. Some will get through email spam/malware filters; employees need to be taught not to click links in those messages and, of course, not to give permission for plugins or apps to be installed.

However, some malware, like ransomware, will get through, typically by exploiting obsolete software or unpatched systems, just as in the Equifax breach. That’s where the next step comes in:

Ensuring that endpoints are fully patched and fully updated with the latest, most secure operating system, applications, utilities, device drivers, and code libraries. That way, if there is an attack, the endpoint is healthy and best able to fight off the infection.

Ransomware isn’t really a technology or security problem. It’s a business problem. And it’s about a lot more than the ransom that is demanded. That’s peanuts compared to the loss of productivity from downtime, bad public relations, angry clients if service is disrupted, and the cost of rebuilding lost data. (And that assumes that valuable intellectual property or protected financial or consumer health data isn’t stolen as well.)

What else can you do? Backup, backup, backup, and protect those backups. If you do not have safe, protected backups, you cannot restore data and core infrastructure in a timely fashion. That includes making daily snapshots of virtual machines, databases, applications, source code, and configuration files.

Businesses need tools to detect, identify, and prevent malware like ransomware from spreading. This requires continuous visibility into, and reporting of, what’s happening in the environment – including “zero day” attacks that have not been seen before. Part of that is monitoring endpoints, from the smartphone to the PC to the server to the cloud, to make sure that endpoints are up to date and secure, and that no unexpected changes have been made to their underlying configuration. That way, if a machine is infected by ransomware or other malware, the breach can be discovered quickly, and the device isolated and shut down pending forensics and recovery. If an endpoint is breached, quick containment is critical.
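One concrete piece of the configuration monitoring described above is a baseline check: record a digest of each configuration file while the endpoint is known-good, and later report anything modified, added or removed. The following is an added example, not Ziften’s code or a Zenith feature; the file names, their contents and the “tampering” are all constructed inside a temporary directory so it runs offline.

```python
"""Detect unexpected changes to an endpoint's configuration files by
comparing them against a recorded baseline of SHA-256 digests.

Added example, not Ziften's code. The configuration files, their contents and
the simulated tampering are constructed in a temporary directory purely for
illustration; the paths are placeholders, not a real host's configuration.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Which files count as "configuration" for the baseline (constructed choice).
CONFIG_PATTERNS: Tuple[str, ...] = ("*.conf", "*.json", "*.ini")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, patterns: Tuple[str, ...] = CONFIG_PATTERNS) -> Dict[str, str]:
    """Map each matching file (path relative to root) to its digest."""
    baseline: Dict[str, str] = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_to_baseline(root: Path, baseline: Dict[str, str],
                        patterns: Tuple[str, ...] = CONFIG_PATTERNS) -> Dict[str, List[str]]:
    """Report files whose digest changed, files not in the baseline, and
    baseline files that have disappeared."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build a baseline over constructed config files, tamper with them, and
    return the resulting drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        # Known-good state (constructed sample files)
        (etc / "sshd.conf").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "backup.json").write_text(json.dumps({"snapshot_interval_hours": 24}))
        (etc / "agent.ini").write_text("[agent]\nenabled=1\n")
        baseline = build_baseline(root)

        # Simulated unexpected changes: a weakened setting, the monitoring
        # agent's config removed, and an unknown file dropped in
        (etc / "sshd.conf").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (etc / "agent.ini").unlink()
        (etc / "rogue.conf").write_text("x=1\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline dictionary is the thing an attacker would want to overwrite along with the files, so in practice it should be stored off the host (or signed) and the comparison run by the monitoring platform, not by a script on the endpoint being checked.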

The 4 Tactics

Good user training. Keeping systems up to date with patches and fixes. Backing up everything as often as possible. And using monitoring tools to help both IT and security teams spot problems, and respond quickly to those problems. When it comes to ransomware, those are the four battle-tested tactics we need to keep our organizations safe.

You can find out more about this in a short 8 minute video, where I speak to numerous industry experts about this concern:

Chuck Leaver – Collaboration With Microsoft To Defend You Against Attacks

Written By David Shefter And Presented By Chuck Leaver


Recently we announced a partnership with Microsoft that combines Ziften’s Zenith® systems and security operations platform with Windows Defender Advanced Threat Protection (ATP), delivering a cloud-based “single pane of glass” to detect, view, investigate, and respond to advanced cyber attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that enables enterprise customers to detect, investigate, respond to, and remediate sophisticated threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your business, offering scalable, cutting-edge security in a cost-effective and easy to use platform. Enabling enterprises across the globe to protect and manage devices through this ‘single pane of glass’ offers the promise of lower operational costs with real improved security, delivering real-time global threat protection with information collected from billions of devices worldwide.

The Architecture Of Microsoft And Ziften

The diagram below provides an overview of the service components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, get the results, and take remediation action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, companies can readily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith offer:

Behavior-based, cloud-powered, advanced attack detection. Detect the attacks that make it past all other defenses (post-breach detection).

Rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspected behaviors on any device through a rich, 6-month machine timeline.

Built-in, unique threat intelligence knowledge base. Threat intelligence to quickly identify attacks based on tracking and data from millions of devices.

The image below shows many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

At the end of the day, if you’re looking to secure your endpoints and infrastructure, you need to take a hard look at Windows Defender ATP and Ziften Zenith.