Archive for the ‘Breaches Of Security’ Category

Chuck Leaver – Go Extensible Not Generic

Written By Chuck Leaver Ziften CEO

Whether you call them extensions or call them modifications, whatever the name, the best technology platforms can be tailored to fit an organization’s specific business requirements. Generic operations tools are good at carrying out generic operations tasks. Generic security tools are good at addressing generic security problems. Generic can only take you so far, though, and that’s where extensibility takes over.

Extensibility comes up often when I talk to customers and prospects, and I’m proud that a Global 10 company chose Ziften over everyone else in the market largely on that basis. For that customer, and many others, the ability to deeply customize platforms is a necessity.

This isn’t about merely building custom reports or custom alerts. Let’s be honest: the ability to create reports is a baseline capability of most IT operations and security management tools. Real extensibility goes deep into the solution to give it capabilities that solve real problems for the organization.

One customer used a great many mobile IoT devices and needed our Zenith real-time visibility and control system to be able to access (and monitor) the memory of those devices. That’s not a standard feature of Zenith, because our low-footprint agent doesn’t hook into the OS kernel or operate through standard device drivers. However, we worked with the customer to tailor Zenith with that capability, and it turned out to be easier than anyone expected.

Another customer looked at the standard set of endpoint data the agent collects and wanted to add extra data fields. They also wanted to configure the administrative console with custom actions using those data fields, and push those actions back out to the endpoints. No other endpoint monitoring and security solution could provide the facilities for adding that functionality; Ziften could.

What’s more, the customer built those extensions themselves, and owns the code and IP. It is part of their own secret sauce, their own business differentiator, unique to their organization. They couldn’t be happier. Neither could we.

With many other IT operations and security systems, if customers want additional functions or capabilities, the only option is to submit a feature request and hope it appears in an upcoming version of the product. Until then, too bad.

That’s not how we built our flagship solutions, Zenith and ZFlow. Because our endpoint agent isn’t based on device drivers or kernel hooks, we can allow for remarkable extensibility, and open that extensibility up for customers to access directly.

The same goes for our administrative consoles and back-end monitoring systems: everything is customizable. This was built in right from the start.

Another area of customization is that our real-time and historical visibility database can integrate into your other IT operations and security platforms, including SIEM tools, threat intelligence, IT ticketing systems, job orchestration systems, and data analytics. With Zenith and ZFlow, there are no more silos. Ever.

When it comes to endpoint monitoring and management, extensions are increasingly where it’s at. IT operations and enterprise security teams need the ability to customize their tool platforms to fit their exact requirements for monitoring and managing IoT, traditional endpoints, the data center, and the cloud. In many customer conversations, our built-in extensibility has made eyes light up, and won us trials and deployments. Tell us about your custom requirements, and let’s see what we can do.

Chuck Leaver – Our Endpoint Security Architecture Exposed

Written By Mike Hamilton And Presented By Ziften CEO Chuck Leaver

Endpoint security is all the rage these days, and there are plenty of different vendors out there touting their wares in this market. But it’s sometimes hard to understand exactly what each vendor offers. Harder still is understanding how each vendor’s solution is architected to deliver it.

I believe that the back-end architecture of whatever you choose can have a profound impact on the future scalability of your deployment. And it can produce a lot of unanticipated work and cost if you’re not careful.

So, in the spirit of openness, and because we believe our architecture is different, unique and powerful, we invite all endpoint security vendors to “show us your architecture”.

I’ll kick this off in the video below, where I walk through the Ziften architecture and a couple of what I consider legacy architectures for comparison. Specifically, I’ll discuss:

– Ziften’s architecture, built on next-gen cloud principles.
– One company’s peer-to-peer “mish-mash” architecture.
– Legacy hub-spoke-hub architectures.

I’ve shown you the power of our truly cloud-based platform. Now it’s my competitors’ turn. Come on, folks: show us your architectures!

Chuck Leaver – The Best Way To Manage Security And Risk

Written By Roark Pollock And Presented By Chuck Leaver Ziften CEO

Risk management and security management have long been treated as separate functions, often performed by different functional teams within an organization. The recognition of the need for continuous visibility and control across all assets has increased interest in finding commonalities between these disciplines, and the availability of a new generation of tools is enabling this effort. This discussion is especially timely given the continued difficulty most enterprises have in attracting and retaining qualified security personnel to manage and protect IT infrastructure. Combining these activities can help make better use of these critical people, reduce costs, and help automate response.

Historically, risk management has been viewed as an offensive mandate, and is normally the field of play for IT operations teams. Sometimes described as “systems management”, IT operations teams actively perform device state and posture monitoring, policy enforcement, and vulnerability management. The goal is to proactively mitigate potential threats. Activities that improve risk reduction and that are carried out by IT operations include:

Offensive Risk Mitigation – Systems Management

Asset discovery, inventory, and refresh

Software discovery, usage monitoring, and license justification

Mergers and acquisitions (M&A) risk assessments

Cloud workload migration, monitoring, and enforcement

Vulnerability assessments and patch installs

Proactive help desk or systems analysis and issue response / repair

On the other side of the field, security management is viewed as a defensive strategy, and is typically the field of play for security operations teams. These security operations teams are typically responsible for threat detection, incident response, and remediation. The objective is to react to a threat or a breach as quickly as possible in order to minimize the impact on the organization. Activities that fall directly under security management and that are carried out by security operations include:

Defensive Security Management – Detection and Response

Threat detection and/or threat hunting

User behavior monitoring / insider threat detection and/or hunting

Malware analysis and sandboxing

Incident response and threat containment / removal

Lookback forensic investigations and root cause determination

Tracing lateral threat movement, and further threat elimination

Data exfiltration determination

Successful organizations, of course, have to play both offense AND defense equally well. This need is driving organizations to recognize that IT operations and security operations have to be as aligned as possible. Therefore, as far as possible, it helps if these two teams are working from the same playbook, or at least from the same data or single source of truth. This means both teams should aim to use some of the same analytic and data collection tools and approaches when it comes to managing and protecting their endpoint systems. And if organizations rely on the same personnel for both jobs, it certainly helps if those people can pivot between both tasks within the same tools, leveraging a single data set.

Each of these offensive and defensive tasks is critical to protecting an organization’s intellectual property, reputation, and brand. In fact, managing and prioritizing these tasks is what often keeps CIOs and CISOs up at night. Organizations should recognize opportunities to align and combine teams, technologies, and policies as much as possible to ensure they are focused on the most urgent need along the current risk and security management spectrum.

When it comes to managing endpoint systems, it is clear that organizations are moving toward an “all the time” visibility and control model that permits continuous risk assessment, continuous threat monitoring, and even continuous performance management.

Therefore, organizations should look for these three key capabilities when evaluating new endpoint security investments:

Solutions that provide “all the time” visibility and control for both IT operations teams and security operations teams.

Solutions that provide a single source of truth that can be used both offensively for risk management and defensively for security detection and response.

Architectures that easily integrate into existing systems management and security tool environments to deliver even greater value for both IT and security teams.

Chuck Leaver – Our Experiences From Black Hat And Defcon 2017

Written by Michael Vaughn And Presented By Ziften CEO Chuck Leaver

Here are my experiences from Black Hat 2017. There is a small addition to this year’s synopsis, in part because of the theme of the opening keynote given by Facebook’s Chief Security Officer, Alex Stamos. Stamos stressed the importance of refocusing the security community’s efforts on working better together and diversifying security solutions.

“Working better together” is something of an oxymoron when you look at the intense competitiveness among hundreds of security companies fighting for customers during Black Hat. Based on Stamos’s message during the opening keynote this year, I felt it important to include some of my experiences from Defcon as well. Defcon has traditionally been an event for learning, and draws independent hackers and security professionals. Last week’s Black Hat theme focused on the social aspect of how companies need to get along and genuinely help others and each other, which has always been the overarching message of Defcon.

People checked in from all over the world last week:

Jeff Moss, aka “Dark Tangent”, the founder of Black Hat and Defcon, also wants that to be the theme: a place where you aim to help people gain knowledge and learn from others. Moss wants attendees to stay “excellent” and “helpful” throughout the conference. That is on par with what Alex Stamos from Facebook conveyed in his keynote about security companies. Stamos asked that all of us share in the duty of helping those who cannot help themselves. He also raised another valid point: are we doing enough in the security industry to truly help people, as opposed to simply doing it to make money? Can we achieve the goal of actually helping people? Such is the juxtaposition of the two events. The main difference between Black Hat and Defcon is the more corporate consistency of Black Hat (from vendor hall to the talks) versus the true hacker community at Defcon, which showcases the creative side of what is possible.

The company I work for, Ziften, provides Systems and Security Operations software, giving IT and security teams visibility and control across all endpoints, on or off the corporate network. We also have a pretty sweet sock game!

Many attendees showed their Ziften support by sporting prior-year Ziften sock designs. Looking good, feeling good!

The idea of joining forces to fight against the corrupt is something most participants from all over the world embrace, and we are no different. Here at Ziften, we strive to truly help our customers and the community with our solutions. Why offer or rely on a solution that is limited to only what’s inside the box? One that offers a single or a handful of specific functions? Our software is a platform for integration and offers modular, individualized security and operational solutions. The whole Ziften team takes the creativity of Defcon to heart, and we push ourselves to try and build new, customized features and forensic tools that conventional security companies would shy away from, or would simply be too consumed by daily tasks to attempt.

Delivering all-the-time visibility and control for any asset, anywhere is one of Ziften’s primary focuses. Our unified systems and security operations (SysSecOps) platform empowers IT and security operations teams to quickly resolve endpoint issues, reduce overall risk posture, speed threat response, and increase operations efficiency. Ziften’s secure architecture provides continuous, streaming endpoint monitoring and historical data collection for enterprises, governments, and managed security providers. And staying with 2017’s Black Hat theme of working together, Ziften’s partner integrations extend the value of incumbent tools and fill the gaps between siloed systems.

Journalists are not allowed to take pictures of the Defcon crowd, but I am not the press and this was before entering a badge-required area :P The Defcon hordes and hooligans (Defcon mega-bosses wearing red shirts) were at a standstill for a solid twenty minutes awaiting initial access to the four massive Track conference rooms on opening day.

The Voting Machine Hacking Village got a lot of attention at the event. It was interesting but nothing new for veteran attendees. I suppose it takes something noteworthy to garner attention around specific vulnerabilities. All vulnerabilities covered in most of the talks, and especially in this village, had already been disclosed to the appropriate authorities before the event. Let us know if you need help locking down any of these (looking at you, government folks).

More and more personal data is becoming available to the general public. For example, Google and Twitter APIs are freely and publicly available to query user data metrics. This data is making it easier for hackers to social engineer focused attacks on individuals, particularly people of power and rank, like judges and executives. This talk, entitled Dark Data, showed how a simple yet brilliant de-anonymization algorithm and some data allowed these two white hats to identify individuals with extreme accuracy and reveal highly personal information about them. This should make you think twice about what you have installed on your systems and the people in your office. Most of the raw metadata above was gathered through a popular browser add-on; the fine tuning came from the algorithm and public APIs. Do you know what browser add-ons are running in your environment? If the answer is no, then Ziften can help.

This talk was clearly about exploiting point-of-sale systems. Although quite amusing, it was a little frightening how quickly one of the most commonly used POS systems could be hacked. This particular POS hardware is most commonly encountered when paying for a taxi. The base OS is Linux, and although it runs on an ARM architecture and is protected by hardened firmware, why would a company risk leaving the security of customer credit card information entirely in the hands of the hardware vendor? If you are looking for additional security on your POS systems, look no further than Ziften. We secure the most commonly used enterprise operating systems. If you want to do the fun thing and install the game Doom on one, I can send you the slide deck.

This guy’s slides were off-the-charts good. What wasn’t good was how exploitable macOS is during the installation process of very common applications. Generally, each time you install an application on a Mac, it requires you to enter your elevated privileges. But what if something were to subtly change the code a moment before you enter your administrator credentials? Well, most of the time, probably something bad. Worried that your Macs may be running malware smart enough to identify and alter code in common vulnerable applications before you or your user base enter credentials? If so, we at Ziften Technologies can help.

We help you without replacing your entire toolset, although we often find ourselves doing just that. Our objective is to make use of the guidance and existing tools that work from numerous vendors, ensure they are installed and running, make sure the prescribed hardening is indeed intact, and ensure your operations and security teams work more effectively together to achieve a tighter security posture across your environment.

Key Takeaways from Black Hat & Defcon 2017:

1) Stronger together

– Alex Stamos’s keynote
– Jeff Moss’s message
– Visitors from around the world working together
– Black Hat should preserve a friendly community spirit

2) Stronger together with Ziften

– Ziften plays nice with other software vendors

3) Popular current vulnerabilities Ziften can help prevent and solve

– Point-of-sale access
– Voting machine tampering
– Escalating macOS privileges
– Targeted attacks on individuals

Chuck Leaver – Even Movie Subtitles Can Be A Threat To Your Security

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO

Do you like watching movies with all-the-rage apps like Kodi, SmartTV or VLC on your devices? How about needing or wanting subtitles for those movies and simply grabbing the latest pack from OpenSubtitles? No problem, sounds like a great night at home. Problem is, according to research by Check Point, you could be in for a nasty surprise.

For the bad guys to take control of your “realm”, they need a vector, some way to gain entry to your system. There are some common ways this happens these days, such as clever (and not so clever) social engineering techniques: you get emails that appear to come from friends or co-workers but were spoofed, and you open an attachment or visit some site, and if the stars line up, you are pwned. Usually the star alignment part is not that difficult; it only requires that you have some vulnerable software running that can be reached.

Since the technique relies on getting users to cooperate, the target audience can often be hard to find. But with this latest research, many of the major media players turn out to share a particular vulnerability when it comes to loading and parsing subtitle packs. The four main media players named in the article are patched to date, but as we have seen in the past (just look at the recent SMB v1 vulnerability problem), even if a fix is available, that doesn’t mean users are updating. The researchers have also refrained from revealing the technical details of the exploit to allow other vendors time to patch. That is a good sign and the proper approach I believe researchers should take: notify the vendor so they can fix the problem, and also announce it publicly so “we the people” are informed and know what to watch out for.

It’s hard to keep up with the many ways you can get infected, but at least we have researchers who tirelessly try to “break” things to find those vulnerabilities. By following proper disclosure practices, they help everyone enjoy a safer experience with their devices, and in this case, a great night in watching movies.

Chuck Leaver – Now Integrating Advanced Endpoint Products Into Existing Security Architectures Is Possible

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver

Security practitioners are by nature a cautious lot. Caution is a trait most people probably bring with them into this industry given its mission, but it’s also a trait that is learned over time. Ironically this holds true even when it comes to adding additional security controls to an existing security architecture. While one might assume that more security is better security, experience teaches us that’s not always the case. There are many concerns associated with deploying a new security solution. One that often shows up near the top of the list is how well a new product integrates with other incumbent products.

Integration concerns come in many flavors. First and foremost, a new security control shouldn’t break anything. But additionally, new security solutions should readily share threat intelligence and act on threat intelligence gathered across an organization’s entire security infrastructure. In other words, the new security tools need to work together with the existing ecosystem of tools such that “1 + 1 = 3”. The last thing most IT and security operations teams need is more siloed products and tools.

This is why, at Ziften, we’ve always focused on building and delivering a completely open visibility architecture. We believe that any new systems and security operations tools have to be designed with improved visibility and information sharing as key design requirements. But this isn’t a one-way street. Creating easy integrations requires technology partnerships with industry vendors. We consider it our responsibility to work with other technology companies to mutually integrate our products, making it easy on customers. Unfortunately, many vendors still believe that integrating security solutions, especially new endpoint security solutions, is extremely difficult. I hear the concern constantly in customer conversations. But data is now appearing that shows this isn’t necessarily the case.

In recent survey work by NSS Labs on “advanced endpoint” products, they report that Global 2000 customers based in the United States and Canada have been pleasantly surprised by how well these types of solutions integrate into their existing security architectures. According to the NSS study titled “Advanced Endpoint Protection – Market Analysis and Survey Results CY2016”, which NSS subsequently presented in the BrightTalk webinar below, respondents who had already deployed advanced endpoint products were far more positive about their ability to integrate into established security architectures than were respondents still in the planning stages of acquiring these products.

Specifically, respondents who have already deployed advanced endpoint solutions rank integration with existing security architectures as follows:

● Excellent: 5.3%
● Good: 50.0%
● Average: 31.6%
● Poor: 13.2%
● (Horrible): 0.0%

Compare that to the more conservative responses from those still in the planning stage:

● Excellent: 0.0%
● Good: 39.3%
● Average: 42.9%
● Poor: 14.3%
● (Horrible): 3.6%

These responses are encouraging. Yes, as noted, security folks tend to be pessimists, but in spite of low expectations, respondents are reporting positive results when it comes to integration experiences. In fact, Ziften customers generally show the same initial low expectations when we first discuss integrating Ziften products into their existing environment. But in the end, customers are wowed by how simple it is to share information between Ziften solutions and their established infrastructure.

These survey results will hopefully help reduce concerns, as newer product adopters may read up on and rely on peer recommendations before making purchase decisions. Early mainstream adopters are clearly having success deploying these products, which will hopefully help reduce the natural caution of the true mainstream.

Certainly, there is considerable differentiation among solutions in the space, and organizations should continue to perform proper due diligence in understanding how and where solutions integrate into their broader security architectures. But the good news is that there are products not just meeting the needs of customers, but actually outperforming their initial expectations.

Chuck Leaver – UK Email Attack Highlights Insecurities

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver

In cyberspace the sheep get shorn, chumps get chomped, dupes get duped, and pawns get pwned. We have seen another great example of this in the recent attack on the UK Parliament email system.

Instead of admitting to an email system that was insecure by design, the official statement read:

Parliament has robust procedures in place to secure all our accounts and systems.

Yeah, right. The one protective measure we did see in action was blame deflection (the Russians did it, that always works), while blaming the victims for their policy violations. While details of the attack are limited, combing various sources does help to piece together at least the broad outlines. If these accounts are reasonably accurate, the UK Parliament email system failings are atrocious.

What went wrong in this scenario?

Rely on single-factor authentication

“Password security” is an oxymoron: anything protected by a password alone is insecure, period, no matter the password strength. Please, no 2FA here, it might impede attacks.

Don’t impose any limit on failed login attempts

Aided by single-factor authentication, this enables easy brute force attacks, no skill required. But when breached, blame elite state-sponsored hackers; nobody can verify.

Don’t perform brute force attack detection

Allow attackers to carry out (otherwise trivially detectable) brute force attacks for prolonged periods (12 hours against the UK Parliament system), to maximize the scope of account compromise.

Don’t enforce policy, treat it as merely tips

Combined with single-factor authentication, no limit on failed logins, and no brute force attack detection, don’t enforce any password strength validation. Provide attackers with very low-hanging fruit.

Rely on anonymous, unencrypted email for sensitive communications

If hackers do succeed in compromising email accounts or sniffing your network traffic, provide plenty of opportunity for them to score high-value message content entirely in the clear. This also conditions constituents to trust easily spoofable email from Parliament, creating an ideal constituent phishing environment.

Lessons learned

In addition to adding “Common Sense for Dummies” to their summer reading lists, the UK Parliament email system admins might wish to take further steps. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely rethinking secure messaging are recommended steps. Penetration testing would have discovered these fundamental weaknesses while staying out of the news headlines.

Even a few clever high schoolers with a free weekend could have replicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some cyber criminals somewhere across the global internet. All the more incentive to find and fix those weaknesses before the hackers do, so get started immediately. And then, if your defenders still can’t see the attacks in progress, upgrade your monitoring and analytics.
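The failed-login monitoring this post says Parliament lacked, as an added example that is not part of the original post or of Ziften’s product: a sliding-window detector run over constructed authentication log lines. It flags a brute-force burst against one account, goes a step beyond the post by also flagging password spraying (one source, a few failures each across many accounts), and raises the alert that matters most when a success follows a burst of failures. The log format, thresholds, addresses and account names are assumptions.

```python
"""Failed-login monitoring over authentication log lines.

Added example, not code from the original post or from Ziften. Detects
brute force against one account, password spraying across many accounts,
and a success following a burst of failures. All sample data is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 time> auth <success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group("ts")), "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src")}


class BruteForceDetector:
    """Sliding-window detector; feed it events in chronological order."""

    def __init__(self, window=timedelta(minutes=10), fail_threshold=5,
                 spray_threshold=5):
        self.window = window
        self.fail_threshold = fail_threshold    # failures on one account
        self.spray_threshold = spray_threshold  # distinct accounts from one source
        self._fails = defaultdict(deque)        # (src, user) -> failure times
        self._spray = defaultdict(dict)         # src -> {user: last failure time}

    def _recent_failures(self, now, key):
        q = self._fails[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def observe(self, ev):
        """Update state with one event and return the alerts it triggers."""
        alerts = []
        now, src, user = ev["ts"], ev["src"], ev["user"]
        q = self._recent_failures(now, (src, user))

        if ev["result"] == "failure":
            q.append(now)
            # Classic brute force: alert once, when the threshold is crossed.
            if len(q) == self.fail_threshold:
                alerts.append(("brute_force", src, user))

            # Spraying: many accounts from one source, too few per account for lockout.
            seen = self._spray[src]
            seen[user] = now
            for stale in [u for u, t in seen.items() if now - t > self.window]:
                del seen[stale]
            if len(seen) == self.spray_threshold:
                alerts.append(("password_spray", src, len(seen)))
        else:
            # A success right after a burst of failures: account likely compromised.
            if len(q) >= self.fail_threshold:
                alerts.append(("success_after_failures", src, user))
            q.clear()
        return alerts


def detect(lines, **kwargs):
    """Parse log lines, order them by time, and return every alert raised."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    detector = BruteForceDetector(**kwargs)
    alerts = []
    for ev in events:
        alerts.extend(detector.observe(ev))
    return alerts


# Constructed sample log: documentation-range IPs, invented account names.
SAMPLE_LOG = [
    "2017-06-24T02:00:00 auth failure user=mp_smith src=203.0.113.7",
    "2017-06-24T02:00:10 auth failure user=mp_jones src=198.51.100.9",
    "2017-06-24T02:01:10 auth failure user=mp_brown src=198.51.100.9",
    "2017-06-24T02:01:30 auth failure user=mp_smith src=203.0.113.7",
    "2017-06-24T02:02:00 auth failure user=mp_khan src=192.0.2.5",
    "2017-06-24T02:02:10 auth failure user=mp_taylor src=198.51.100.9",
    "2017-06-24T02:02:20 auth failure user=mp_khan src=192.0.2.5",
    "2017-06-24T02:02:40 auth success user=mp_khan src=192.0.2.5",  # benign typo
    "2017-06-24T02:03:00 auth failure user=mp_smith src=203.0.113.7",
    "2017-06-24T02:03:10 auth failure user=mp_wilson src=198.51.100.9",
    "2017-06-24T02:04:10 auth failure user=mp_evans src=198.51.100.9",
    "2017-06-24T02:04:30 auth failure user=mp_smith src=203.0.113.7",
    "2017-06-24T02:06:00 auth failure user=mp_smith src=203.0.113.7",
    "not a log line at all",
    "2017-06-24T02:09:00 auth success user=mp_smith src=203.0.113.7",
]
```

A ten-minute window catches the bursts in the sample; a campaign paced over twelve hours like the one described needs a longer window or a per-account daily failure count as well.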

Chuck Leaver – It’s Time To Get Paranoid About Your Security

Written By Chuck Leaver Ziften CEO

Whatever you do don’t ignore cyber security hackers. Even the most paranoid “normal” person would not stress over a source of data breaches being stolen qualifications from its heating, ventilation and a/c (A/C) professional. Yet that’s exactly what occurred at Target in November 2013. Hackers got into Target’s network using qualifications given to the contractor, probably so they might track the heating, ventilation and a/c system. (For a great analysis, see Krebs on Security). And then hackers had the ability to utilize the breach to spread malware into point-of-sale (POS) systems, then unload payment card details.

A number of ludicrous mistakes were made here. Why was the HEATING AND COOLING contractor provided access to the enterprise network? Why wasn’t the A/C system on a separate, entirely isolated network? Why wasn’t the POS system on a different network? Et cetera, et cetera.

The point here is that in a very intricate network, there are uncounted potential vulnerabilities that could be exploited through carelessness, unpatched software applications, default passwords, social engineering, spear phishing, or insider actions. You get the point.

Whose task is it to discover and repair those vulnerabilities? The security team. The CISO’s team. Security experts aren’t “regular” individuals. They are paid to be paranoid. Make no mistake, no matter the particular technical vulnerability that was made use of, this was a CISO failure to expect the worst and prepare appropriately.

I cannot speak with the Target A/C breach specifically, however there is one frustrating reason that breaches like this happen: A lack of financial concern for cybersecurity. I’m unsure how frequently businesses cannot fund security merely since they’re inexpensive and would rather do a share buy-back. Or possibly the CISO is too timid to request for exactly what’s required, or has been told that he gets a 5% boost, irrespective of the requirement. Perhaps the CEO is worried that disclosures of big allocations for security will startle investors. Perhaps the CEO is merely naïve enough to believe that the business won’t be targeted by hackers. The problem: Every business is targeted by cyber criminals.

There are substantial competitions over spending plans. The IT department wants to finance upgrades and enhancements, and attack the backlog of demand for new and better applications. On the flip side, you have line-of-business leaders who see IT tasks as directly helping the bottom line. They are optimists, and have great deals of CEO attention.

By contrast, the security department frequently needs to fight for crumbs. They are viewed as an expense center. Security reduces company danger in such a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who appreciate compliance and track records. These green-eyeshade individuals think about the worst case scenarios. That does not make good friends, and budget dollars are designated grudgingly at a lot of companies (up until the company gets burned).

Call it naivety, call it established hostility, but it’s a genuine obstacle. You cannot have IT offered great tools to move the enterprise forward, while security is starved and making do with second-best.

Worse, you don’t wish to wind up in scenarios where the rightfully paranoid security teams are working with tools that do not fit together well with their IT counterpart’s tools.

If IT and security tools do not mesh well, IT might not have the ability to quickly act to react to dangerous situations that the security teams are monitoring or are worried about – things like reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behaviors that indicate dangerous or suspicious activity.

One suggestion: find tools for both departments that are designed with both IT and security in mind, right from the start, instead of IT tools that are patched to offer some minimal security capability. One budget line item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO team. Everyone wins – and next time someone wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing, and head that catastrophe off at the pass.


Chuck Leaver – At Ziften We Can Assist You With The WannaCry Ransomware Problem

Written By Michael Vaughn And Presented By Chuck Leaver Ziften CEO


Answers To Your Concerns About WannaCry Ransomware

The WannaCry ransomware attack has infected more than 300,000 computers in 150 countries so far by exploiting vulnerabilities in Microsoft’s Windows operating system.
In this brief video Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, as well as how Ziften can help companies protect themselves from the vulnerability known as “EternalBlue.”

As mentioned in the video, the problem with the Server Message Block (SMB) file-sharing service is that it is present on many Windows operating systems and found in most environments. However, we make it easy to determine which systems in your environment have or have not been patched yet. Notably, Ziften Zenith can also remotely disable the SMB file-sharing service entirely, giving companies valuable time to ensure that those machines are properly patched.
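As an added example of the patch-status and SMB checks described above (this is not Ziften Zenith code), the PowerShell below audits a list of Windows hosts over PowerShell remoting and can switch off the SMBv1 dialect that EternalBlue exploits; the host names and the hotfix ID list are placeholders you fill in for your own environment.

```powershell
# Added example, not Ziften Zenith code. Assumes WinRM is enabled on the targets,
# the caller is a local administrator there, and the hosts run Windows 8 / Server
# 2012 or later (the Get-SmbServerConfiguration cmdlets are not on Windows 7).
function Get-SmbExposure {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # MS17-010 hotfix IDs for the OS builds in your estate (placeholder list;
        # later cumulative updates supersede them, so treat "absent" as "review").
        [string[]] $HotfixId = @('KB-PLACEHOLDER'),
        [switch] $DisableSmb1
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $HotfixId, $DisableSmb1.IsPresent -ScriptBlock {
        param([string[]] $kbs, [bool] $disable)

        $cfg     = Get-SmbServerConfiguration
        $server  = Get-Service -Name LanmanServer          # the SMB file-sharing service itself
        $patched = [bool](Get-HotFix | Where-Object { $_.HotFixID -in $kbs })

        if ($disable -and $cfg.EnableSMB1Protocol) {
            # Turn off only the SMBv1 dialect; SMBv2/v3 file sharing keeps working.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $cfg = Get-SmbServerConfiguration
        }

        [pscustomobject]@{
            Host          = $env:COMPUTERNAME
            OSVersion     = [System.Environment]::OSVersion.Version.ToString()
            Smb1Enabled   = $cfg.EnableSMB1Protocol
            ServerService = $server.Status
            Ms17010Found  = $patched
        }
    }
}

# Audit first; re-run with -DisableSmb1 once change control signs off.
Get-SmbExposure -ComputerName 'host1.example.local', 'host2.example.local' |
    Format-Table -AutoSize
```

Stopping the LanmanServer service outright, as the post describes Zenith doing, takes all SMB sharing on the host offline, so the SMBv1-only switch here is the narrower step to try first.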

If you want to know more about Ziften Zenith, our 20 minute demo includes a consultation with our experts on how we can help your company avoid the worst digital catastrophe to strike the internet in years.

Chuck Leaver – How To Evaluate Next Gen Endpoint Security Services

Written By Roark Pollock And Presented By Chuck Leaver CEO Ziften


The End Point Security Buyer’s Guide

The most common entry point for an advanced persistent threat or a breach is the endpoint. Endpoints are certainly the entry point for most ransomware and social engineering attacks. Using endpoint protection products has long been considered a best practice for protecting endpoints. Unfortunately, those tools aren’t keeping up with today’s threat environment. Advanced threats, and truth be told, even less advanced threats, are often more than sufficient to trick the average worker into clicking something they shouldn’t. So organizations are looking at and evaluating a wide variety of next-gen endpoint security (NGES) solutions.

With this in mind, here are ten tips to consider if you’re looking at NGES solutions.

Tip 1: Begin with the end in mind

Do not let the tail wag the dog. A risk reduction strategy should always begin by assessing problems and then looking for possible solutions to those problems. But all too often we get fascinated with a “shiny” new technology (e.g., the latest silver bullet) and we end up trying to shoehorn that technology into our environments without fully evaluating whether it fixes an understood and identified problem. So what problems are you trying to solve?

– Is your existing endpoint security tool failing to stop threats?
– Do you need better visibility into activity on the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?

Define the problems to address, and then you’ll have a measuring stick for success.

Tip 2: Know your audience. Exactly who will be using the tool?

Understanding the problem that needs to be solved is a crucial first step in understanding who owns the problem and who would (operationally) own the solution. Every functional team has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else might benefit from its use. Maybe it’s:

– The security team,
– IT operations,
– The governance, risk and compliance (GRC) team,
– The help desk or end user support team,
– Or perhaps the server team, or a cloud operations team?

Tip 3: Know what you mean by endpoint

Another often ignored early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in many more varieties than before.

Sure, we want to protect desktops and laptops, but how about mobile devices (e.g. phones and tablets), virtual endpoints, cloud-based endpoints, or Internet of Things (IoT) devices? And how about your servers? All these devices, naturally, come in multiple flavors, so platform support needs to be addressed as well (e.g. Windows only, Mac OS X, Linux, etc.?). Also, consider support for endpoints even when they are working remotely, or are offline. What are your needs and what are the “nice to haves”?

Tip 4: Start with a foundation of continuous visibility

Continuous visibility is a fundamental capability for addressing a host of security and operational management problems on the endpoint. The old saying holds true – you cannot manage what you cannot see or measure. Furthermore, you cannot protect what you can’t properly manage. So it needs to begin with continuous or all-the-time visibility.

Visibility is fundamental to management and security

And think about what visibility means. Enterprises need one source of truth that at a minimum monitors, stores, and analyzes the following:

– System data – events, logs, hardware state, and file system information
– User data – activity logs and behavior patterns
– Application data – attributes of installed apps and usage patterns
– Binary data – attributes of installed binaries
– Process data – tracking details and statistics
– Network connection data – statistics and internal behavior of network activity on the host

Tip 5: Keep track of your visibility data

Endpoint visibility data can be stored and analyzed on premise, in the cloud, or some combination of both. There are advantages to each. The right approach varies, but is usually driven by regulatory requirements, internal privacy policies, the endpoints being monitored, and total cost considerations.

Know if your organization needs on-premise data retention

Know whether your company allows cloud-based data retention and analysis or whether you are constrained to on-premise solutions only. Within Ziften, 20-30% of our customers keep data on premise purely for regulatory reasons. However, if legally an option, the cloud can provide cost advantages (among others).

Tip 6: Know what is on your network

Understanding the problem you are trying to solve requires understanding the assets on the network. We find that as many as 30% of the endpoints we initially discover on clients’ networks are unmanaged or unknown devices. This clearly creates a huge blind spot. Reducing this blind spot is an important best practice. In fact, SANS Critical Security Controls 1 and 2 are to carry out an inventory of authorized and unauthorized devices and software attached to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and usage, and perform ongoing continuous discovery.

Tip 7: Know where you are exposed

After determining which devices you have to monitor, you have to make sure they are running in up-to-date configurations. SANS Critical Security Control 3 recommends ensuring secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends continuous vulnerability assessment and remediation of these devices. So, look for NGES solutions that provide all-the-time monitoring of the state or posture of each device, and it’s even better if the solution can help enforce that posture.

Likewise, look for solutions that provide continuous vulnerability assessment and remediation.

Keeping your entire endpoint environment hardened and free of critical vulnerabilities prevents a substantial number of security problems and removes a great deal of backend pressure on the IT and security operations teams.

Tip 8: Cultivate continuous detection and response

An important end goal for many NGES solutions is supporting continuous device state monitoring, to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.

Look for NGES solutions that provide all-the-time or continuous threat detection, which leverages a network of global threat intelligence, and multiple detection methods (e.g., signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize detected threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Lastly, understand all the response actions that each solution supports – and look for a solution that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.

Tip 9: Consider forensics data collection

In addition to incident response, organizations should be prepared to deal with the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be essential to any investigation. So look for solutions that preserve historical data that allows:

– Forensic tasks such as tracing lateral threat movement through the network over time,
– Pinpointing data exfiltration attempts,
– Determining the origin of breaches, and
– Determining appropriate remediation actions.

Tip 10: Tear down the walls

IBM’s security group, which supports an impressive ecosystem of security partners, estimates that the average business has 135 security tools in situ and is dealing with 40 security vendors. IBM clients certainly skew to large enterprises, but it’s a typical refrain (complaint) from organizations of all sizes that security solutions do not integrate properly.

And the complaint is not just that security solutions don’t play well with other security solutions, but also that they do not always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points along with the vendor’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Plan for customizations

Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution soon after you get it. No solution will satisfy all of your requirements right out of the box, in default configurations. Find out how the solution supports:

– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.

You know you’ll want new paint or new wheels on that NGES solution soon – so make sure it will support your future customization projects easily enough.

Look for support for easy customizations in your NGES solution

Follow most of these tips and you’ll certainly avoid a lot of the common mistakes that plague others in their evaluations of NGES solutions.