Archive for the ‘Attack Detection’ Category

Chuck Leaver – Visibility Of Endpoint Security And Remediate Immediately

Written By Logan Gilbert And Presented By Chuck Leaver


Ziften helps with incident response, remediation and investigation, even for endpoints that are off your network.

When incidents occur, security analysts need to act quickly and thoroughly.

With remote workforces and cloud infrastructures, remediating and analyzing an endpoint is a genuinely difficult task. Below, watch how you can use Ziften to take action on the endpoint and determine the origin and spread of a compromise in minutes, no matter where the endpoints reside.

First, Ziften alerts you to malicious activity on endpoints and steers you to the cause of the alert. In seconds, Ziften lets you take remediation actions on the endpoint, whether it is on the corporate network, in an employee's home, or at the local coffee shop. Any remediation action you would normally perform through direct access to the endpoint, Ziften provides through its web console.

Just that quickly, remediation is taken care of. Now you can apply your security expertise to threat hunting and some forensics work. You can immediately dive into far more detail about the process that caused the alert, then ask the important questions to discover how widespread the problem is and where it spread from. Ziften provides comprehensive incident remediation for security analysts.

See firsthand how Ziften can help your security team zero in on threats in your environment with our 30-day free trial.

Chuck Leaver – If You Want To Prevent Cyber Attacks Pay Attention To Endpoint Management

Written By Chuck Leaver, CEO Ziften

Identify and manage any device that requires access to your business network.

As a company grows, so does its asset footprint, and managing the entire set of IT assets becomes much harder. IT management has changed from the days when IT asset management consisted of keeping records of devices such as printers, accounting for all installed applications and ensuring that anti-virus suites were updated.

Today, companies are under constant threat of cyber attacks that use malicious code to infiltrate the business network. Many devices now have network access capabilities. Gone are the days when only desktop PCs connected to an organization's network. Now there is a culture of bring your own device (BYOD), in which cell phones, tablets and laptops are all likely to connect to the network. While this gives organizations flexibility, with users able to connect remotely, it opens a whole new range of vulnerabilities, as these diverse endpoints make corporate IT security a great deal more complex.

What Is Endpoint Management?

It is essential to take a policy-based approach to the endpoint devices connected to your network in order to reduce the risk of cyber attacks and data breaches. Laptops, tablets, mobile phones and other devices may be convenient, but they can expose organizations to a wide range of security risks. The primary objective of a sound endpoint management strategy should be that network activity is thoroughly monitored and unauthorized devices cannot access the network.

Most endpoint management software will check that the device is running an approved operating system and anti-virus software, and will check that the device's virtual private network (VPN) client is up to date.

Endpoint management systems identify and control any device that requests access to the business network. Anyone attempting to access the enterprise environment from a non-compliant device is rejected. This is vital in combating attacks from cyber criminals and breaches by malicious groups.

Any device that does not comply with endpoint management policy is either quarantined or granted limited access. Local administrative rights may be removed and web browsing restricted.

Organizations Have The Ability To Do More

There are a number of methods a business can use as part of its endpoint management policy. These can include firewalls (both network and personal), encryption of sensitive data, stronger authentication methods, which should certainly include hard-to-crack passwords that are changed regularly, and device- and network-level anti-virus and anti-malware protection.

Endpoint management systems can work on a client and server basis, where software is deployed and centrally managed on a server. The client program has to be installed on all endpoint devices that are authorized to access the network. It is also possible to use a software as a service (SaaS) model of endpoint management, where the service provider hosts and maintains the server and the security applications remotely.

When a client device attempts to log in, the server-based application scans the device to see if it complies with the company's endpoint management policy, and then verifies the user's credentials before access to the network is granted.
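To make the posture-then-credentials sequence concrete, here is an added example (not Ziften's code, and not any particular product's policy engine) of a minimal endpoint compliance gate: it checks the approved-OS, anti-virus currency and VPN client version criteria described above, decides between full access, limited access and quarantine, and only then looks at the user's credentials. The device records, policy thresholds and version numbers are constructed for the illustration.

```python
# Added example (not Ziften's code): a minimal endpoint-compliance gate of the
# kind the text describes. Device records, policy values and version numbers
# are constructed for the illustration.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Device:
    hostname: str
    os_name: str
    os_version: str
    av_signature_date: date      # date of the last anti-virus signature update
    vpn_client_version: str
    local_admin: bool            # does the logged-in user hold local admin rights?


# Constructed policy; a real organisation sets its own values.
POLICY = {
    "approved_os": {("Windows", "10"), ("Windows", "11"), ("macOS", "14")},
    "max_av_signature_age_days": 3,
    "min_vpn_version": (5, 2, 0),
}


def parse_version(text):
    """'5.3.1' -> (5, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device, today, policy=POLICY):
    """Return (decision, findings): decision is 'allow', 'limited' or 'quarantine'.
    An unapproved OS or stale anti-virus is disqualifying; an old VPN client or
    local admin rights only restrict what the device may reach."""
    findings = []
    if (device.os_name, device.os_version) not in policy["approved_os"]:
        findings.append(("quarantine", "operating system not approved"))
    age = (today - device.av_signature_date).days
    if age > policy["max_av_signature_age_days"]:
        findings.append(("quarantine", f"anti-virus signatures {age} days old"))
    if parse_version(device.vpn_client_version) < policy["min_vpn_version"]:
        findings.append(("limited", "VPN client below minimum version"))
    if device.local_admin:
        findings.append(("limited", "local administrative rights present"))
    messages = [msg for _, msg in findings]
    if any(level == "quarantine" for level, _ in findings):
        return "quarantine", messages
    return ("limited" if findings else "allow"), messages


def gate_login(device, credentials_ok, today):
    """Posture check first, credential check second, as the text describes:
    a non-compliant device is refused before its password is even examined."""
    decision, findings = evaluate(device, today)
    if decision == "quarantine":
        return "denied", findings
    if not credentials_ok:
        return "denied", ["credential check failed"]
    return ("full access" if decision == "allow" else "limited access"), findings


# Constructed reference date and device inventory.
TODAY = date(2025, 1, 15)
SAMPLE_DEVICES = {
    "lt-01": Device("lt-01", "Windows", "11", TODAY - timedelta(days=1), "5.3.1", False),
    "lt-02": Device("lt-02", "Windows", "10", TODAY - timedelta(days=10), "5.3.1", False),
    "lt-03": Device("lt-03", "macOS", "14", TODAY, "5.1.0", True),
    "byod-04": Device("byod-04", "Android", "13", TODAY, "5.3.1", False),
}


def demo():
    """Gate every sample device with valid credentials; returns {hostname: (outcome, reasons)}."""
    return {name: gate_login(dev, True, TODAY) for name, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, (outcome, why) in demo().items():
        print(f"{name}: {outcome} {why}")
```

The ordering matters: because posture is evaluated before the credential check, a stolen but valid password presented from an unmanaged or stale device still gets "denied", and the findings list tells the help desk exactly what to fix.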

The Problem With Endpoint Management Systems

Most businesses see security software as a complete cure, but it is not that clear cut. Endpoint security software that is bought as a set-and-forget solution will never be sufficient. Experienced attackers know about these software systems and are developing malicious code that evades the defenses a set-and-forget application can provide.

There has to be human involvement. Jon Oltsik, contributor at Network World, said: “CISOs need to take ownership of endpoint security and designate a group of experts who own endpoint security controls as part of a general duty for event prevention, detection, and response.”

Ziften's endpoint security solutions offer the continuous monitoring and look-back visibility that a cyber security team needs in order to discover and act on malicious breaches before they spread and take the business's sensitive data.

Chuck Leaver – Breach Defense Requires Endpoint Threat Detection Investment

Written By Chuck Leaver Ziften CEO



Preventing data breaches is hard to achieve, but essential to prosper in the current business climate. With so many cyber criminals waiting in the wings to steal personal details, credit card information and other valuable customer data, companies need to recognize the high number of threats to information online and take steps to prevent them. Using endpoint threat detection and response software is one of the best ways to address this problem, as it offers a straightforward way to defend against the wide variety of exploits attackers can use to gain access to a company network.

To produce a better, more attack-proof system, it is necessary to develop a strong sense of back-end security. The New York Times' article on safeguarding data discusses a few very important steps that can make a big difference in keeping customer information from falling into the wrong hands. Some of the steps the article discusses are using point-of-sale systems for customer transactions only, dedicating one computer to all financial business, and keeping software up to date. These are wise tips because they guard against several of the ways attackers breach systems. A PoS system that does not connect to the Internet other than to send data to bank servers is more secure than one that is not so restricted, because it reduces the risk of a virus reaching the network through the Internet. Making one computer the single access point for financial transactions and nothing else can keep viruses or other malicious monitoring software out. In this way, a company can substantially protect its customers without actually taking on many additional expenses.

Make Sure That Security And Safety Come First

Property Casualty 360 has a similar list of suggestions, including automating patches to business systems, using encryption on all devices, enforcing strong passwords, and keeping an eagle-eyed approach to e-mail. Encrypting data, especially financial data, is extremely important. Without encryption, an attacker can obtain financial details stored as plain text very easily. Of course, strong endpoint threat response systems should be used to handle this danger, but security, like clothing in Fall, is best when layered. Using several different strategies at once greatly reduces the chance of an organization's data being breached, which can, over time, make it much easier to guard against any kind of damage.

Many breaches happen not when a piece of malware has successfully planted itself on a server, but when an employee's email account has a weak password. Dictionary words, like “cat” or “password,” should never be used. They are easy to guess and break into, and they can lead to whole stores of data being stolen. Likewise, an employee who accidentally sends a list of customers to someone without checking the intended recipient list can send a whole trove of information to the wrong person, easily causing massive data loss. This kind of leakage must be prevented by solid training.

Given the multitude of threats out there today, the best way to handle them is to use strong endpoint threat response systems to avoid losing critical data. Using a wide variety of security methods to guard against all incoming attacks is a wise way to make sure your organization can weather a variety of blows. This kind of attitude can keep a company from being sunk by the large number of attacks currently hitting businesses.

Chuck Leaver – Who Is Watching The Watchers In Your Organization?

Written By Charles Leaver CEO Ziften



High-profile cyber attacks underline how a lack of auditing of existing compliance products can make the worst kind of headlines.

In the recent Java attacks on Facebook, Microsoft and Apple, along with other giants of the industry, the attackers didn't need to dig very far into their playbooks to find a technique. In fact they used one of the oldest, if not the oldest, axioms in the book: they took a remote vulnerability in massively distributed software and exploited it to install remote access capability. And in this case it was in an application that (A) wasn't the latest version and (B) probably didn't need to be running.

While the hacks themselves have been headline news, the methods companies can use to prevent or curtail them are quite boring stuff. We all hear “keep boxes current with patch management software” and “ensure conformity with compliance tools”. That is industry standard and old news. But to pose a question: who is “watching the watchers”, the watchers in this case being compliance, patch and systems management technologies? I think Facebook and Apple discovered that just because a management system tells you a software application is current doesn't mean you should believe it! Here at Ziften our results in the field say as much: we regularly uncover dozens of versions of the SAME major application running at Fortune 1000 sites, which, by the way, are all using compliance and systems management products.

As for the exploited Java plug-in, this was a MAJOR application with wide distribution. This is the kind of software that gets tracked by systems management, compliance and patch products. The lesson from this could not be clearer: having some kind of check against these products is necessary (just ask any of the organizations that were hacked…). But this is only part of the problem; this is a major (arguably essential) application we are talking about here. If companies struggle to get their arms around keeping known, licensed applications up to date, then what about all the unknown and unneeded running applications and plug-ins and their vulnerabilities? Simply put: if you cannot even understand what you are supposed to know, then how on Earth can you understand (and in this case secure) the things you do not know about or are not yet concerned about?


Chuck Leaver – Ziften Will Help Counter The Threat Of Extraneous Software

Written By Dr Al Hartmann And Presented By Chuck Leaver CEO Ziften

The truth about the PC ecosystem is that extraneous processes are everywhere and get onto enterprise computers by every ploy imaginable. Leading software ISVs and hardware OEMs and IHVs have no ethical qualms about loading enterprise PCs with unneeded and unwanted software if they can grab a few royalty dollars on the side at your expense. This one popped up on my screen just today as I dealt with the recent headline-making Java security vulnerabilities.

Here is the setting: zero-day vulnerabilities were recently found in Java, a key software component in many business applications. Department of Homeland Security experts advised turning Java off entirely, but that cuts off Java enterprise apps.

The option where Java is required (in many enterprises) is to update Java, an Oracle software product, to obtain at least the latest partial fixes from Oracle. But the Oracle installer defaults to installing unwanted extraneous software, the Ask Toolbar, which many security-conscious but naïve users will assume is useful given Oracle's recommendation (and golly gee, there is no charge), even though browser add-ons are a notorious security risk.

Only Ziften combines security awareness with extraneous process identification and remediation capabilities to help businesses improve both their security and their performance-driving operating efficiency. Don't settle for half-measures that ignore extraneous processes multiplying across your enterprise client landscape; employ Ziften to get visibility and control over your client population.


You Can Shine A Light On Security Blindspots With Ziften ZFlow – Chuck Leaver

Written By Andy Wilson And Presented By Chuck Leaver CEO Ziften

Over the past few years, many IT organizations have adopted NetFlow telemetry (network connection metadata) to improve their security posture. There are many reasons for this: NetFlow is relatively inexpensive (compared with full packet capture); it is relatively easy to collect, as most Layer 3 network devices support NetFlow or the IANA standard IPFIX; and it is simple to analyze using freeware or commercially available software. NetFlow can help overcome blind spots in the architecture and can provide much-needed visibility into what is really going on in the network (both internal and external). Flow data can also help in early detection of attacks (DoS and APT/malware) and can be used in baselining and anomaly detection techniques.

NetFlow can offer insight where little or no visibility exists. Most organizations are collecting flows at the core, WAN and Internet layers of their networks. Depending on routing schemes, localized traffic may not be accounted for: LAN-to-LAN activity, local broadcast traffic, and even east-west traffic inside the data center. Most organizations are not routing all the way down to the access layer and are therefore blind to some degree in this segment of the network.


Carrying out full packet capture in this area is still not 100% feasible, for a number of reasons. The solution is to implement endpoint-based NetFlow to restore visibility and provide essential extra context to the other flows being collected in the network. Ziften ZFlow telemetry originates at the endpoint (desktop, laptop, or server), so it does not depend on the network infrastructure to generate it. ZFlow supplies standard ISO Layer 3/4 data such as source and destination IP addresses and ports, but also offers additional valuable Layer 4-7 details such as the executable responsible for the network socket, the MD5 hash, PID and file path of the executable, the user responsible for launching the executable, and whether it was in the foreground or background. The latter are crucial details that network-based flows simply cannot supply.

This essential additional context can help greatly reduce false positives and provide rich data to analysts, SOC personnel and incident handlers, allowing them to quickly investigate the nature of the network traffic and determine whether it is malicious or benign. Used in conjunction with network-based alerts (firewalls, IDS/IPS, web proxies and gateways), ZFlow can significantly reduce the time it takes to work through a security event. And we know that time to detect malicious behavior is a key factor in how successful an attack becomes. Dwell times have come down in recent history but are still at unacceptable levels: currently over 230 days during which an attacker can roam undetected through your network harvesting your critical data.

Below is a screenshot showing a port 80 connection to an Internet destination. Interesting facts about this connection that network-based tools would miss are that it was not initiated by a web browser but by Windows PowerShell, and that it was initiated by the ‘System’ account rather than the logged-in user. Both are very eye-catching to a security analyst: this is not a false positive and would likely need much deeper investigation (at which point the analyst could pivot into the Ziften console and look deeper into that system's behavior: what actions or binaries were executed before and after the connection, process history, network activity and more).

Ziften's ZFlow shines a light on security blind spots and provides the extra endpoint context of process, application and user attribution to help security personnel better understand what is actually happening in their environment. Combined with network-based events, ZFlow can substantially reduce the time it takes to investigate and respond to security alerts and dramatically improve a company's security posture.
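The screenshot discussed above is a good illustration of why the process context matters, so here is an added example (not Ziften's ZFlow code or schema) of triage logic run over endpoint flow records that carry the fields the post lists: executable, hash, PID, path, user and foreground flag. The record format, field names and all sample values are constructed; the second record mirrors the case in the post (port 80, opened by PowerShell under the SYSTEM account), and a third shows how a known-good system binary talking to the Internet as SYSTEM is explained away rather than raised as a false positive.

```python
# Added example (not Ziften's ZFlow code): triage of endpoint flow records that
# carry the process context described above. The record format, field names
# and all sample values are constructed for this illustration.
import json

# Constructed records. The second one mirrors the screenshot discussed in the
# post: a port 80 connection opened by PowerShell under the SYSTEM account.
SAMPLE_FLOWS = "\n".join(json.dumps(r) for r in [
    {"src_ip": "10.0.0.21", "dst_ip": "203.0.113.10", "dst_port": 80, "proto": "tcp",
     "exe": "chrome.exe", "md5": "md5-constructed-chrome", "pid": 4120,
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "user": "CORP\\alice", "foreground": True},
    {"src_ip": "10.0.0.21", "dst_ip": "203.0.113.10", "dst_port": 80, "proto": "tcp",
     "exe": "powershell.exe", "md5": "md5-constructed-ps", "pid": 5532,
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": "NT AUTHORITY\\SYSTEM", "foreground": False},
    {"src_ip": "10.0.0.21", "dst_ip": "203.0.113.25", "dst_port": 443, "proto": "tcp",
     "exe": "svchost.exe", "md5": "md5-constructed-svchost", "pid": 1040,
     "path": r"C:\Windows\System32\svchost.exe",
     "user": "NT AUTHORITY\\SYSTEM", "foreground": False},
])

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WEB_PORTS = {80, 443}
# Known-good (path, hash) pairs expected to reach the Internet as SYSTEM, e.g.
# Windows Update. Constructed here; a real list comes from your own golden
# images or a file-reputation service, and the hash is what makes it trustworthy.
KNOWN_GOOD = {(r"c:\windows\system32\svchost.exe", "md5-constructed-svchost")}


def triage(flow):
    """Return the reasons a flow deserves analyst attention; an empty list means
    the endpoint context explains the traffic and the alert can be closed."""
    exe = flow["exe"].lower()
    system_account = flow["user"].upper().endswith("\\SYSTEM")
    if (flow["path"].lower(), flow["md5"]) in KNOWN_GOOD:
        return []
    reasons = []
    if flow["dst_port"] in WEB_PORTS and exe not in BROWSERS:
        reasons.append(f"web port {flow['dst_port']} used by non-browser {exe}")
    if exe in SCRIPT_HOSTS:
        reasons.append("connection initiated by a script host")
        if not flow["foreground"]:
            reasons.append("script host running in the background")
    if system_account and flow["dst_port"] in WEB_PORTS:
        reasons.append("web connection made by SYSTEM rather than the logged-in user")
    return reasons


def triage_all(lines):
    """Parse newline-delimited JSON records and return [(exe, pid, reasons), ...]."""
    results = []
    for line in lines.splitlines():
        flow = json.loads(line)
        results.append((flow["exe"], flow["pid"], triage(flow)))
    return results


if __name__ == "__main__":
    for exe, pid, reasons in triage_all(SAMPLE_FLOWS):
        print(exe, pid, "OK" if not reasons else "; ".join(reasons))
```

A network-only flow record would show the chrome.exe and powershell.exe connections as identical (same source, destination and port); the process, user and foreground fields are what separate the one an analyst can close from the one that needs a pivot into process history.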

Chuck Leaver – With The Ziften App For Splunk You Can Detect Superfish

Written By Ryan Hollman And Presented By Chuck Leaver CEO Ziften


Background: Lenovo admitted to pre-installing the Superfish adware on some consumer PCs, and unhappy customers are now taking the company to court over the matter, PCWorld reported. A proposed class action suit was filed late last week against Lenovo and Superfish, charging both companies with “deceptive” business practices and with making Lenovo PCs vulnerable to man-in-the-middle attacks by pre-installing the adware.

Having trouble finding Superfish across your enterprise? With the Ziften App for Splunk, you can discover infected endpoints with a straightforward Splunk search. Just search your Ziften data and filter for the keyword “superfish”. The query is simply:

index=ziften superfish




The following image shows the results you would see in your Ziften App for Splunk if systems were infected. In this particular instance, we spotted several systems infected with Superfish.





The above results also reference the binary “VirtualDiscovery.exe”. As it turns out, this is the core process responsible for the infections. Along with the Superfish root certificate and the VirtualDiscovery.exe binary, this software also drops the following on the system:

A registry entry in:


INI and log files in:

%SystemRoot%\SysWOW64\VisualDiscovery.ini
%SystemRoot%\SysWOW64\VisualDiscoveryOff.ini
%SystemRoot%\System32\VisualDiscoveryOff.ini
%TEMP%\VisualDiscoveryr.log

Manual detection of Superfish can also be done on an endpoint directly from PowerShell with the following:

dir Cert:\ -Recurse | Where-Object { $_.Subject -match "superfish" }

If the system is infected with Superfish, you will see results similar to the following image. If the system is clean, you will see no results.



Some analysts have stated that you can simply eliminate Superfish by removing the root certificate shown above with a PowerShell command such as:

dir Cert:\ -Recurse | Where-Object { $_.Subject -match "superfish" } | Remove-Item

This removal does not persist across reboots. Simply removing the root certificate does not work, as VirtualDiscovery.exe will re-install the root certificate after the system reboots.

The simplest way to remove Superfish from your system is to update Microsoft's built-in anti-virus product, Windows Defender. Shortly after the public became aware of Superfish, Microsoft updated Windows Defender to remediate Superfish.

Other removal methods exist, but updating Windows Defender is by far the simplest approach.
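The point that removing the root certificate alone is not a real remediation is worth verifying mechanically, so here is an added example (not Ziften's code, nor the Splunk app's logic) that checks a host inventory for the artifacts listed above and reports whether remediation is actually complete. It treats a host that still runs VirtualDiscovery.exe as persisting even when the certificate is gone, because the binary re-installs it. The host-state format and the three sample hosts are constructed; the artifact names are those the post lists, the certificate subject is a constructed stand-in containing the keyword, and the registry key, which the post does not spell out, is left out.

```python
# Added example (not Ziften's code): check a host for the Superfish artifacts the
# post lists and report whether remediation is actually complete. The host-state
# format and sample hosts are constructed; artifact names come from the post.

ARTIFACTS = {
    "cert_subject_keyword": "superfish",          # case-insensitive substring match
    "process": "virtualdiscovery.exe",
    "files": {                                     # lower-cased, env vars unexpanded
        r"%systemroot%\syswow64\visualdiscovery.ini",
        r"%systemroot%\syswow64\visualdiscoveryoff.ini",
        r"%systemroot%\system32\visualdiscoveryoff.ini",
        r"%temp%\visualdiscoveryr.log",
    },
}

PERSISTING = "cert removed but binary still running: will reinfect on reboot"


def assess(host):
    """host: {'certs': [subject, ...], 'processes': [image name, ...],
    'files': [path, ...]} with environment variables left unexpanded.
    Returns the individual findings plus a verdict string."""
    kw = ARTIFACTS["cert_subject_keyword"]
    cert_hit = any(kw in subject.lower() for subject in host["certs"])
    proc_hit = any(p.lower() == ARTIFACTS["process"] for p in host["processes"])
    file_hits = sorted(f for f in host["files"] if f.lower() in ARTIFACTS["files"])
    if proc_hit:
        # The running binary is the thing that matters: with it present, a
        # missing certificate only means it has not been re-installed yet.
        verdict = "infected" if cert_hit else PERSISTING
    elif cert_hit or file_hits:
        verdict = "residual artifacts present"
    else:
        verdict = "clean"
    return {"root_cert": cert_hit, "process": proc_hit, "files": file_hits, "verdict": verdict}


def remediation_complete(host):
    """True only when no certificate, process or file artifact remains."""
    return assess(host)["verdict"] == "clean"


# Constructed host states for the three situations the post discusses.
SAMPLE_HOSTS = {
    "infected": {
        "certs": ["CN=Superfish, Inc. (constructed subject)", "CN=Example Root CA"],
        "processes": ["explorer.exe", "VirtualDiscovery.exe"],
        "files": [r"%SystemRoot%\SysWOW64\VisualDiscovery.ini", r"%TEMP%\VisualDiscoveryr.log"],
    },
    "cert_only_removed": {
        "certs": ["CN=Example Root CA"],
        "processes": ["explorer.exe", "VirtualDiscovery.exe"],
        "files": [r"%SystemRoot%\SysWOW64\VisualDiscovery.ini"],
    },
    "clean": {
        "certs": ["CN=Example Root CA"],
        "processes": ["explorer.exe"],
        "files": [],
    },
}


if __name__ == "__main__":
    for name, host in SAMPLE_HOSTS.items():
        print(f"{name}: {assess(host)['verdict']}")
```

Feeding the same check the host state before and after a Windows Defender update is a cheap way to confirm that the binary and its INI files went away along with the certificate, rather than trusting that an empty certificate search means the machine is clean.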


Chuck Leaver – Now There Is A Focus On People With The Third Phase Of Cyber Security

Written By Kyle Flaherty And Presented By Chuck Leaver Ziften CEO


The impact of cyber attacks on organizations is often easy to measure, and vendors of technology solutions are always showing off various statistics to show that you need their latest software (Ziften included). But one statistic is truly stunning:

In The Previous Year Cyber Crime Cost Businesses $445 Billion And Cost 350,000 Individuals Their Jobs.

The financial losses are easy to take on board even though the amount is large. But the second part is concerning for everyone connected with cyber security. People are losing their jobs because of what is happening in cyber security. The circumstances of these job losses are unknown, and some may have deserved it if they were negligent. But the most interesting aspect is that there is a well-known shortage of skilled people able to fight these cyber attacks.

While people are losing their jobs, there is also a need to find more skilled people to counter the ever-increasing threat of cyber attacks. There is no argument that more people are needed, and that they need to be more skilled, to win this war. But it is not going to happen today, this week or even this year. And while it would be wonderful if a truce could be negotiated with the attackers until these resources are available, the reality is that the fight has to go on. So how do you fight it?

Utilize Technology To Enable, Not Disable

For years now, security technology vendors have been selling technology to “prevent and block” cyber attacks. Then the vendors would come back later to sell the “next generation” solution for preventing and blocking cyber attacks. And a few years after that they were back again to offer the latest technology, which focused on “security analytics”, “threat intelligence” and “operational insight”.

In every case companies bought the latest technology and then had to add professional services or even an FTE to operate it. Of course each time it took a considerable amount of time to get up to speed with the new technology, with a team that was suffering from high turnover because of the competitive nature of the cyber market. And while all this was going on, the attacks were becoming more persistent, more sophisticated and more frequent.

It Is About People Using Technology, Not The Other Way Around

The problem is that all of the CISOs were focused on the technology first. These organizations followed the classic pattern of seeing a problem and producing technology that might plug that hole. If you think about a firewall, it literally builds a wall within technology, using technology. Even the SIEM technology these organizations had installed was focused mostly on all the various connectors from their system into other systems and collecting all that information in one place. But one place was all they had, because the technology-centric minds had forgotten an important component: the people involved.

People are always good at innovating when faced with a threat. It's a biological thing. In cyber security today we are seeing the third phase of evolution, and it is centered on people:

Phase 1: Prevent by building walls
Phase 2: Detect by building walls and moats
Phase 3: See, analyze and respond by examining user behavior

The reason this has to be focused on people is not just about the skills shortage, but because people really are the issue. People are the attackers and also the ones putting your company at risk at the endpoint. The technologies that are going to win this fight, or at least enable survival, are the ones built not only to enhance the abilities of the person on the other side of the keyboard, but also to focus on the behaviors of the users themselves, and not merely on the technologies.

Chuck Leaver – Extending Network Visibility Down To The Endpoint Webinar

Written By Josh Applebaum And Presented By Chuck Leaver CEO Ziften Technologies



These days security threats and attack vectors are continuously evolving, and companies have to be more vigilant when it comes to monitoring their network infrastructure. The network perimeter and infrastructure security are often challenged by a lack of visibility into endpoint devices.

Visibility Of Endpoint Devices Is Now More Vital Than Ever

We hosted a webinar with our partner Lancope called “Extending Network Visibility: Down to the Endpoint.” The aim of this webinar was to show security professionals how additional visibility and context into network activity can be achieved, how existing security investments (NetFlow, firewalls, SIEM, threat intelligence) can be enhanced, and how incident response can be improved by getting real-time and historical data from the endpoint. A mutual customer was featured in the webinar and offered real-life insights into ways to make use of security assets so that you can stay ahead of external and insider threats.

Many of you will not have been able to attend the live webinar, so we have decided to share the on-demand version here on the Ziften blog. Feedback is welcome and we would be delighted to get in touch with you to discuss it in more detail.


Chuck Leaver – Two Thirds Of Organizations Believe That They Are Immune To Cyber Attacks

By Chuck Leaver Ziften Technologies CEO

A large number of organizations believe there is no need for them to pursue assiduous data loss prevention; they regard cyber attacks as either extremely unlikely to happen or as having minimal financial impact if they do. An increase in recorded cases of cyber attacks and advanced persistent threats has contributed to this complacency. These malicious attacks tend to evade conventional endpoint security software, and while they lack the teeth of denial-of-service attacks, they have the potential to cause significant damage.

Over 67% of organizations claim that they have not been the victims of a cyber attack in the last 18 months, or that they had little or no visibility into whether an attack had compromised their network, according to Infosecurity. The survey's organizers were skeptical of the results and pointed to the many vulnerable desktop and mobile endpoints that are now typical in businesses.

Security expert and survey organizer Tom Cross said: “Any system you link to the Internet is going to be targeted by attackers very quickly afterwards. I would assert that if you're uncertain whether or not your company has had a security incident, the chances are really high that the answer is yes.”

Around 16% said they had experienced a DDoS attack over the same period, and 18% reported malware infestations. Despite this, most of the companies assessed the consequences as minor and not justifying the installation of new endpoint security and control systems. Around 38% said they had not suffered from detected security breaches, and only 20% admitted to financial losses.

Loss of reputation was more widespread, affecting around 25% of respondents. Highlighting the potential impact of a cyber attack on finances and reputation, an incident at the University of Delaware led to 74,000 people having their sensitive data exposed, according to Amy Cherry, WDEL contributor. The hackers targeted the school's website and scraped information about university identifications and Social Security Numbers, which forced the university to provide free credit monitoring to the affected individuals.