Archive for May, 2018

Chuck Leaver – Should You Whitelist Or Blacklist?

Written By Roark Pollock And Presented By Chuck Leaver


Intro

Like any other form of security, IT security is about establishing and enforcing a set of allow/disallow rules, more formally called security policies. Simply stated, allow/disallow rules can be expressed as a ‘whitelist’ or a ‘blacklist’.

In the distant past, most rules were blacklists. In the good ‘ole days we trusted practically everyone to behave well, and when they did, bad behavior or anomalies were easy to spot. So we only needed to write a couple of blacklist rules, for instance “don’t allow anybody into the network from an IP address in, say, Russia.” That was a bit like your grandparents never locking the doors of the farmhouse, because they knew everybody within a twenty mile radius.

Then the world changed. Good behavior became the exception, and bad actors and bad behavior became legion. Naturally it happened slowly, and in stages, dating back to the beginning of the true ‘Internet’ in the early 1990s. Remember script kiddies breaking into public and secure sites, simply to prove to their high school pals that they could?

Fast forward to the modern age. Everything is online, and if it has value, somebody on the planet is trying to steal or damage it, constantly, with plenty of tools at their disposal. In 2017, 250,000 new malware variants appeared per day. We used to rely on desktop and network anti-virus products adding new blacklist signatures every week to counter attackers using malicious code to do their bidding. But at over 90 million new malware variants each year, blacklist strategies alone will not cut it.

Network whitelisting technologies have been an essential line of defense for on-premises network security, and with many companies rapidly moving their workloads to the cloud, the same controls will be needed there too.

Let’s take a closer look at both approaches.

Blacklisting

A blacklist enumerates known malicious or suspicious “entities” that should not be granted access or execution rights in a network or system. Entities include malicious software (malware) such as viruses, Trojans, worms, spyware, and keystroke loggers. Entities also include any user, application, process, IP address, or organization known to pose a threat to a business.

The critical word above is “known”. With 250,000 new variants appearing each day, how many are out there that we know nothing about, at least until much later, which could be days, weeks, or even years?

Whitelisting

So what exactly is whitelisting? As you might have guessed, it is the reverse of blacklisting. Whitelisting starts from the premise that nearly everything is bad. If that is true, it should be more efficient simply to define and allow the “good entities” into the network. A simple example would be “all employees in the finance department at director level or higher are allowed to access our financial reporting application on server X.” By extension, everybody else is denied access.

Whitelisting is frequently described as a “zero trust” approach: deny all, and allow only select entities access based on a set of ‘good’ attributes relating to user and device identity, behavior, location, time, etc.

Whitelisting is widely accepted in high-risk security environments, where strict rules take precedence over user flexibility. It is also highly valued in environments where companies are bound by strict regulatory compliance.

Black, White, or Both?

First, few would argue that blacklisting is completely obsolete. Certainly at the endpoint level it remains relatively simple to install and maintain and reasonably effective, especially if it is kept up to date by third-party threat intelligence providers. But, in and of itself, is it enough?

Second, depending on your security background or experience, you are probably thinking, “Whitelisting could never work for us. Our business applications are just too varied and complicated. The time, effort, and resources required to compile, monitor, and update whitelists at an enterprise level would be untenable.”

Thankfully, this is not actually an either-or choice. It is possible to take a “best of both worlds” stance: blacklisting for malware and intrusion detection, operating alongside whitelisting for system and network access at large.

Ziften and Cloud Whitelisting

The key to whitelisting comes down to ease of implementation, especially for cloud-based workloads, and ease of implementation becomes a function of scope. Think about whitelisting in two ways: application and network. The former can be a quagmire. The latter is far simpler to implement and maintain, if you have the right visibility into your cloud environment.

This is where Ziften comes in.

With Ziften, it becomes easy to:

– Identify and establish visibility into all cloud servers and virtual machines
– Gain continuous visibility into devices and their port usage activity
– See east-west traffic flows, including detailed tracking of the protocols in use over particular port sets
– Convert ‘seeing’ what is happening into a manageable set of whitelists, complete with accurate protocol and port mappings
– Establish near real-time alerts on any anomalous or suspicious resource or service activations

Chuck Leaver – Using Powerful Hunting In Windows Defender ATP

Written By Josh Harrimen And Presented By Chuck Leaver


Following on the heels of our recent partnership announcement with Microsoft, the Ziften Security Research group has begun using a very cool part of the Windows Defender Advanced Threat Protection (Windows Defender ATP) platform in its Security Center. The Advanced Hunting feature lets users run queries against the data that has been sent in by products and tools such as Ziften, to discover interesting behaviors quickly. These queries can be saved and shared among the community of Windows Defender ATP users.

We have contributed a handful of shared queries so far, and the results are quite interesting; we also like the ease of use of the hunting interface. Since Ziften sends endpoint data collected from macOS and Linux systems into Windows Defender ATP, we are focusing on those operating systems in our query development to show off the platform’s full coverage.

You can access the Advanced Hunting interface by choosing the database icon on the left-hand side, as shown in the image below.

You can see the top-level schema at the top left of that page, with event tables such as MachineInfo, ProcessCreation, NetworkCommunication and others. We ran some current malware in our Redlab and wrote some queries to find that data and produce results for examination. One example was OceanLotus. We developed a few queries to find both the dropper and the files associated with this threat.

After running the queries, you get results you can interact with.

On reviewing the results, we see some systems that exhibited the behavior we searched for. When you select these systems, you can see the details of the system under examination. From there you can see the alerts triggered and an event timeline. Details of the malicious process are shown in the image below.

Additional behavior-based queries can also be run. For instance, we executed another malicious sample that used a small number of techniques, which we then queried for. The screenshot directly below shows a query we ran to look for Gatekeeper being disabled from the command line on macOS. While this could be a legitimate administrative action, it is definitely something you would want to know is happening in your environment.

From these query results, you can again select the system under examination and investigate the suspicious behavior further.
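The Gatekeeper hunt described above, written out as an Advanced Hunting query and extended to pivot from the disable event to what the same host connected to afterwards. This is an added example, not the query from the post’s screenshot; the table and column names (ProcessCreationEvents, MachineInfo, NetworkCommunicationEvents, OSPlatform, RemoteIP and so on) are assumed from the Windows Defender ATP schema of the time, and the query assumes Gatekeeper was turned off with spctl’s --master-disable switch.

```kql
// Added example, not from the post: find macOS hosts where Gatekeeper was
// disabled from the command line, then list what those hosts talked to in the
// hour afterwards. Table and column names are assumed from the 2018 Windows
// Defender ATP Advanced Hunting schema; adjust to what your tenant's schema shows.
let lookback = 7d;
// Step 1: the process creation that disables Gatekeeper (assumes spctl --master-disable)
let gatekeeperOff =
    ProcessCreationEvents
    | where EventTime > ago(lookback)
    | where FileName =~ "spctl" and ProcessCommandLine contains "--master-disable"
    | project DisableTime = EventTime, MachineId, ComputerName, AccountName,
              ProcessCommandLine, InitiatingProcessFileName;
// Step 2: restrict to machines whose latest MachineInfo record says macOS,
// so the same hunt does not fire on unrelated binaries named spctl elsewhere
let macHosts =
    MachineInfo
    | where EventTime > ago(lookback)
    | summarize arg_max(EventTime, OSPlatform) by MachineId
    | where OSPlatform =~ "macOS"
    | project MachineId;
// Step 3: join, then attach outbound connections seen within 1h of the disable.
// A leftouter join keeps the disable event even when no connection followed.
gatekeeperOff
| join kind=inner macHosts on MachineId
| join kind=leftouter (
    NetworkCommunicationEvents
    | where EventTime > ago(lookback)
    | project MachineId, ConnectTime = EventTime, RemoteIP, RemotePort
  ) on MachineId
| where isnull(ConnectTime) or ConnectTime between (DisableTime .. (DisableTime + 1h))
| summarize Connections = make_set_if(strcat(RemoteIP, ":", tostring(RemotePort)), isnotnull(RemoteIP))
    by DisableTime, ComputerName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| sort by DisableTime desc
```

Each result row is one disable event with the account and parent process that ran it, which is the context you need to decide whether it was an administrator or something to investigate.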

This blog is certainly not an in-depth tutorial on using the Advanced Hunting feature of the Windows Defender Advanced Threat Protection platform. But we wanted to put something together quickly to share our enthusiasm for how easy it is to use this feature to perform your own custom threat hunting in a multi-system environment, across Windows, macOS and Linux systems.

We look forward to sharing more of our experiments and research using queries built with the Advanced Hunting feature. We share our successes with everybody here, so check back on this blog often.

Chuck Leaver – Good News About RSA 2018

Written By Logan Gilbert And Presented By Chuck Leaver


After spending a couple of days with the Ziften team at the 2018 RSA Conference, my technology observation was: more of the same, the usual suspects and the usual buzzwords. Buzzwords like “AI”, “machine learning” and “predictive” were incredibly worn out. Lots of attention was paid to prevention, to everybody’s favorite attack vector, email, and to everybody’s favorite vulnerability, ransomware.

The only surprise to me was seeing a smattering of NetFlow analysis companies: lots of smaller companies trying to make their mark using a very rich, but hard to work with, data set. Really cool stuff! Find the little booths and you will find tons of technology. Now, in fairness to the larger vendors, I know there are some genuinely cool technologies there too, but RSA hardly lends itself to cutting through the buzzwords to actual value.

RSA Buzz

I may have a biased view because Ziften has been partnering with Microsoft for the last six-plus months, but Microsoft seemed to play a much more prominent leading role at RSA this year. First, on Monday, Microsoft announced its all-new Intelligent Security Association, bringing together its security partnerships “to concentrate on defending clients in a world of increased dangers” and, more importantly, strengthening that defense through the sharing of security intelligence across this community of partners. Ziften is of course proud to be a founding member of the Intelligent Security Association.

In addition, on Tuesday, Microsoft announced a groundbreaking collaboration with numerous players in the cybersecurity industry named the “Cybersecurity Tech Accord.” This accord calls for a “digital Geneva Convention” that sets standards of behavior for the online world, just as the Geneva Conventions set rules for the conduct of war in the physical world.

People who Attended RSA

A really interesting point to me, though, was the makeup of the exhibition attendees. As I was also an exhibitor at RSA, I noted that among my visitors I saw more “suits” and fewer t-shirts.

Ok, maybe not suits per se, but more security Managers, Directors, VPs, CISOs, and security leaders than I remember seeing at previous events. I was encouraged to see what I believe are business decision makers looking at security vendors first hand, rather than delegating that task to their security team. From this audience I frequently heard the same overtones:

– This is frustrating.
– I can’t tell the difference between one technology and another.

Those who were Absent from RSA

What I saw less of were “technology trolls”. What, you might ask, are technology trolls? Well, as a vendor and security engineer, these are the guys (always guys) who show up five minutes before the close of the day and drag you into a technical due-diligence exercise for an hour, or at least until the happy hour parties begin. Their goal: absolutely nothing useful to anyone, and here I am assuming that the troll actually works for a company, so nothing useful for the company that actually paid thousands of dollars for their attendance. The only thing gained is the troll’s self-affirmation that they are able to “beat down the vendor” with their technical prowess. I am being harsh, but I have experienced the trolls from both sides of the fence, both as a vendor and as a buyer, and back at the office nobody is basing purchasing decisions on troll recommendations. I can only assume that businesses send tech trolls to RSA and similar expos because they do not want them in the office.

Discussions about Holistic Security

Which brings me back to the kind of people I did see a great deal of at RSA: security-savvy (not just tech-savvy) security leaders, who understand the business argument and choices behind security technologies. Not only are they influencers, but in many cases they are the business owners of security for their particular companies. Now, aside from the previously mentioned concerns, these security leaders seemed less focused on a technology or specific use case and more on a desire for “holistic” security. As we know, good security requires a collection of technologies, practice and policy. Security-savvy customers wanted to know how our technology fitted into their holistic solution, which is a refreshing change of dialog. As such, the types of questions I would hear:

– How does your technology partner with other products I already use?
– More importantly: Does your business really buy into that partnership?

That last question is important, basically asking whether our partnerships are just fodder for a website, or whether we truly have an acknowledgment with our partner that the whole is greater than the parts.

The latter is exactly what security professionals are looking for and require.

To Conclude

Overall, RSA 2018 was great from my point of view. Once you get past the jargon, much of the buzz centered on things that matter to customers, our industry, and us as people: things like security partner ecosystems that add value, more holistic security through real partnership and meaningful integrations, and face-to-face conversations with business security leaders, not technology trolls.

Chuck Leaver – Guarding Against Cloud Unmanaged Assets

Written By Logan Gilbert And Presented By Chuck Leaver


We all recognize the image of the masked villain hunched over his laptop late at night, accessing a business network, stealing valuable data, and disappearing without a trace. We personify the attacker as smart, determined, and crafty. But the reality is that the vast majority of attacks are enabled by simple human negligence or carelessness, making the cyber criminal’s job an easy one. He is checking all the doors and windows continuously. All it takes is one mistake on your part and he gets in.

So what do we do? Well, you know the answer. We invest a hefty chunk of our IT budget in defense-in-depth security layers designed to detect, deceive, fool, or outright block the bad guys. Let’s set aside the discussion of whether or not we are winning that war, because there is a far easier war underway: the one where the attacker gets into your network, business-critical application, or IP/PII data through a vector you did not even know you had, the unmanaged asset, often described as Shadow IT.

Think this does not apply to your business? A recent study suggests the average business has 841 cloud apps in use. Surprisingly, most IT executives think the number of cloud apps in use by their company is in the order of thirty to forty, meaning they are off by a factor of 20X. The same report reveals that more than 98% of cloud apps are not GDPR ready, and 95% of enterprise-class cloud apps are not SOC 2 compliant.

Defining Unmanaged Assets/Shadow IT

Shadow IT is defined as any SaaS application used, by employees, departments, or whole business groups, without the knowledge or approval of the business’s IT department. In addition, the rise of ‘everything as a service’ has made it even easier for employees to obtain whatever software they feel is needed to make them more productive.

The Effect

Well-intentioned employees generally do not realize they are breaking corporate rules by spinning up a new server instance, or downloading unauthorized apps or software. But it happens. When it does, three problems can occur:

1. Business standards within an organization are compromised, since unauthorized software means each computer has different capabilities.

2. Rogue software frequently contains security flaws, putting the whole network at risk and making it much harder for IT to manage security threats.

3. Asset blind spots not only drive up security and compliance risks, they can increase legal risks. Information retention policies designed to limit legal liability are being undermined by information held on unapproved cloud assets.

Three Essential Considerations for Addressing Unmanaged Asset Risks

1. First, deploy tools that can provide thorough visibility into all cloud assets, managed and unmanaged. Know what new virtual machines have been spun up this week, as well as which other devices and applications each VM instance is communicating with.

2. Second, make certain your tooling can provide a continuous inventory of authorized and unauthorized virtual machines running in the cloud. Ensure you can see all IP connections made to each asset.

3. Third, for compliance and/or forensic analysis purposes, look for a solution that provides a record of any and all assets (physical and virtual) that have ever been on the network, not just a solution that is limited to active assets and to a brief look-back window.

Unmanaged Asset Discovery with Ziften

Ziften makes it simple to rapidly find cloud assets that have been commissioned outside IT’s purview. And we do it continuously and with deep historical recall at your fingertips, including when each device first connected to the network, when it last appeared, and how often it reconnects. And if a virtual machine is decommissioned, no problem, we still have all its historical behavior data.

Identify and secure hidden attack vectors stemming from shadow IT before a disaster. Know what is going on in your cloud environment.