Chuck Leaver – The Definition Of Illumination And A New Beginning For Endpoints

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver

The dissolution of the conventional perimeter is happening fast. So what happens to the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. These investments are being questioned, with returns unable to justify the expense and complexity of building, maintaining and defending these old-fashioned defenses.

More than that, the paradigm has changed: employees are no longer working solely in the office. Many people are logging time from home or out in the field, and neither location sits under the umbrella of a corporate firewall. Instead of keeping the bad guys out, firewalls often have the inverse effect: they prevent the good guys from being productive. The paradox? They create a safe haven in which attackers can breach, hide for months, and then move on to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the failure of perimeter defense described above and a "mobile everywhere" workforce, we must now enforce trust at the endpoint. Easier said than done, however.

In the endpoint space, identity and access management (IAM) systems are not the silver bullet. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust requires more than basic identification, authentication and authorization.

Encryption is a second attempt at protecting whole libraries and selected assets. In the most recent (2016) Ponemon study on data breaches, encryption saved only 10% of the cost per breached record (from $158 to $142). It is not the remedy that some make it out to be.

The Whole Picture Is Changing

Organizations must be prepared to embrace new paradigms and new attack vectors. While companies must still provide access to trusted groups and individuals, they have to solve this problem in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are rapidly growing to make up over 50% of the overall enterprise workforce.

On endpoint devices, the binary is mainly the problem. Probably benign events, such as an executable crash, might indicate something simple, like the Windows 10 Desktop Window Manager (DWM) restarting. Or they might point to a deeper issue, such as a malicious file or the early signs of an attack.

Trusted access does not address this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks involve human error, social engineering or other human factors. Dealing with that requires more than simple IAM; it requires behavioral analysis.

Instead of making good better, the perimeter and identity and access vendors made bad faster.

When and Where Does the Good News Start?

Taking a step back, Google (Alphabet) announced a perimeter-less network design in late 2014 and has made considerable progress since. Other organizations, from corporations to governments, have done this (quietly and less rigorously), but BeyondCorp has done it and shown its work to the world. The design approach, endpoint plus (public) cloud displacing the cloistered enterprise network, is the key concept.

This changes the whole discussion about an endpoint, be it a laptop, PC, workstation or server, as subservient to the corporate/enterprise/private network. The endpoint really is the last line of defense and must be protected, yet it must also report its activity.

In Google's own description: unlike the traditional perimeter security model, BeyondCorp doesn't gate access to services and tools based on a user's physical location or the originating network; instead, access policies are based on information about a device, its state and its associated user. BeyondCorp considers both internal and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or "tiers," of access.

By itself, this appears innocuous. But the truth is that this is a radical new design, and an imperfect one. Access requirements have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, rather than being a flat, centralized model whose soft interior (the "soft chewy center") invites data breaches, hacks and threats at the human level.
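To make the tiered, network-agnostic access decision concrete, here is an added example of a policy engine in that style. It is illustration code written for this page, not Google's BeyondCorp implementation or Ziften's product; the tier names, the device inventory (keyed by the device certificate fingerprint), the thresholds for patch age and agent staleness, the service list and the decide_access function are all assumptions constructed for the example. Note that the source IP is accepted by the function only to show that it is never consulted.

```python
"""Tiered access decision based on device identity, device state and user.

Added example for illustration only (not Google's or Ziften's code). The
tier names, inventory records, thresholds and services below are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Ordered trust tiers; higher is more trusted (names are assumptions)."""
    UNTRUSTED = 0
    BASIC = 1
    ELEVATED = 2
    FULLY_TRUSTED = 3


@dataclass
class DeviceState:
    """Facts an endpoint agent and the device inventory would supply."""
    cert_fingerprint: str          # hash of the device's X.509 certificate
    managed: bool                  # enrolled, corporate-owned device
    disk_encrypted: bool
    os_patch_age_days: int
    agent_last_seen_minutes: int   # staleness of the agent's last report


# Constructed device inventory, keyed by certificate fingerprint (sample data).
INVENTORY = {
    "sha256:aa11": DeviceState("sha256:aa11", True, True, 3, 5),
    "sha256:bb22": DeviceState("sha256:bb22", True, True, 45, 5),
    "sha256:cc33": DeviceState("sha256:cc33", True, False, 2, 600),
}

# Assumed policy: minimum tier and (optional) group required per service.
SERVICE_TIERS = {
    "cafeteria-menu": Tier.BASIC,
    "source-code": Tier.ELEVATED,
    "prod-admin": Tier.FULLY_TRUSTED,
}
SERVICE_GROUPS = {"cafeteria-menu": None, "source-code": {"eng"}, "prod-admin": {"sre"}}
USER_GROUPS = {"alice": {"eng"}, "bob": {"sales"}}


def device_tier(state: DeviceState) -> Tier:
    """Derive a trust tier from device state alone; the network is never consulted."""
    if not state.managed or state.agent_last_seen_minutes > 60:
        return Tier.UNTRUSTED          # unknown device or one that has gone silent
    if not state.disk_encrypted or state.os_patch_age_days > 30:
        return Tier.BASIC
    if state.os_patch_age_days > 7:
        return Tier.ELEVATED
    return Tier.FULLY_TRUSTED


def decide_access(user: str, cert_fingerprint: str, service: str, source_ip: str):
    """Return (allowed, reason). source_ip is deliberately ignored."""
    state = INVENTORY.get(cert_fingerprint)
    if state is None:
        return False, "device not in inventory"
    required = SERVICE_TIERS.get(service)
    if required is None:
        return False, "unknown service"
    tier = device_tier(state)
    if tier < required:
        return False, f"device tier {tier.name} below required {required.name}"
    groups = SERVICE_GROUPS[service]
    if groups is not None and not (USER_GROUPS.get(user, set()) & groups):
        return False, "user not authorized for service"
    return True, f"granted at tier {tier.name}"


if __name__ == "__main__":
    # Same user and device, on-network and off-network: identical decision.
    for ip in ("10.0.0.5", "198.51.100.7"):
        print(ip, decide_access("alice", "sha256:aa11", "source-code", ip))
    # Stale agent drops the device to UNTRUSTED even for the lowest-tier service.
    print(decide_access("alice", "sha256:cc33", "cafeteria-menu", "10.0.0.5"))
```

The point of the example is the shape of the decision: the inputs are who the user is, which enrolled device (by certificate) is asking, and what state that device was last seen in; a device whose agent has stopped reporting loses its tier regardless of where it connects from.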

The bright side? Breaching the perimeter is extremely difficult for would-be attackers, and network pivoting is almost impossible once they are past the reverse proxy (pivoting being a common technique used by attackers today, which shows that firewalls do a better job of keeping the bad guys in than of letting legitimate users out). The inverse model applies to Google's cloud servers, which are presumably tightly managed inside the perimeter, versus client endpoints, which are all out in the wild.

Google has made some fine refinements to proven security methods, notably 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).

Why is this crucial? What are the gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google does not specifically disclose a device security agent or highlight any form of client-side monitoring (apart from very strict configuration control). While there may be reporting and forensics, this is something every organization must be familiar with, since it is a matter of when, not if, bad things will happen.

Google's own account of its Device Inventory Service gives a sense of the scale: "Since implementing the initial phases of the Device Inventory Service, we have ingested billions of deltas from over 15 data sources, at a typical rate of about three million per day, totaling over 80 terabytes. Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a particular device, track and analyze fleet-wide trends, and perform security audits and forensic investigations."

This is an expensive and data-heavy process with two drawbacks. First, on ultra-high-speed networks (used by the likes of Google, universities and research organizations) there is enough bandwidth for this kind of communication to happen without flooding the pipes; in more pedestrian corporate and government settings it would cause significant user disruption.

Second, machines need the horsepower to continuously collect and transmit data. While most employees would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly make this prohibitive.

A Lack of Lateral Visibility

Few systems actually produce "enhanced" netflow, augmenting traditional network visibility with rich, contextual data.

Ziften's trademarked ZFlow™ provides network flow information generated at the endpoint, which is otherwise obtained by brute force (human labor) or expensive network appliances.

ZFlow acts as a "connective tissue" of sorts that extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints and allowing security teams to make faster, better-informed and more accurate decisions. In essence, investing in Ziften's products results in labor cost savings plus improvements in speed-to-discovery and time-to-remediation, since technology stands in for human resources.
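To show what "enhanced" netflow adds over a conventional flow record, here is an added example written for this page; it is not ZFlow or any other Ziften code. The record layouts, the constructed socket table that maps a local socket to its owning process, the two sample flows and the triage rule (temp-directory executable, unsigned binary, large outbound transfer to a non-internal address) are all assumptions made for illustration. The two flows are indistinguishable to a network sensor (same host, same destination, same port 443); only the endpoint knows that one belongs to a browser and the other to an unsigned binary running from a temp directory.

```python
"""Enriching endpoint network flows with process context ("enhanced netflow").

Added example for illustration only, not Ziften's ZFlow. The record formats,
socket table, sample flows and triage rule are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """What a conventional netflow/IPFIX record carries: a 5-tuple plus counters."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int


@dataclass(frozen=True)
class ProcessInfo:
    """What only the endpoint can report about the socket's owner."""
    pid: int
    exe_path: str
    user: str
    sha256: str
    signed: bool


@dataclass(frozen=True)
class EnhancedFlow:
    flow: Flow
    process: Optional[ProcessInfo]   # None when no owning process was found


# Constructed endpoint socket table: (local_ip, local_port, proto) -> owning process.
SOCKET_TABLE = {
    ("10.1.2.3", 51000, "tcp"): ProcessInfo(
        4120, r"C:\Program Files\Firefox\firefox.exe", "CORP\\alice", "sha256:1111", True),
    ("10.1.2.3", 51001, "tcp"): ProcessInfo(
        7733, r"C:\Users\alice\AppData\Local\Temp\update.exe", "CORP\\alice", "sha256:2222", False),
}

# Constructed flows as a network sensor would see them: same host, same destination.
FLOWS = [
    Flow("10.1.2.3", 51000, "203.0.113.10", 443, "tcp", 18_400),
    Flow("10.1.2.3", 51001, "203.0.113.10", 443, "tcp", 6_200_000),
]

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
SUSPECT_DIRS = ("\\temp\\", "/tmp/", "/dev/shm/")
LARGE_TRANSFER_BYTES = 5_000_000


def enrich(flow: Flow, socket_table=SOCKET_TABLE) -> EnhancedFlow:
    """Join a flow record with the endpoint's socket-to-process mapping."""
    return EnhancedFlow(flow, socket_table.get((flow.src_ip, flow.src_port, flow.proto)))


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(eflow: EnhancedFlow) -> list:
    """Return the reasons a flow deserves a look; an empty list means nothing stood out."""
    reasons = []
    proc = eflow.process
    if proc is None:
        reasons.append("no owning process (flow not attributable)")
        return reasons
    path = proc.exe_path.lower()
    if any(d in path for d in SUSPECT_DIRS):
        reasons.append("executable runs from a temp directory")
    if not proc.signed:
        reasons.append("executable unsigned")
    if not is_internal(eflow.flow.dst_ip) and eflow.flow.bytes_out > LARGE_TRANSFER_BYTES:
        reasons.append("large outbound transfer to external address")
    return reasons


if __name__ == "__main__":
    for flow in FLOWS:
        ef = enrich(flow)
        owner = ef.process.exe_path if ef.process else "<unknown>"
        print(f"{flow.src_port}->{flow.dst_ip}:{flow.dst_port} {owner} {triage(ef)}")
```

Without the endpoint join, a flow analyst sees two HTTPS sessions from the same host and would need to pull the process list by hand (the "brute force" the text refers to); with it, the second flow is flagged on three independent grounds before anyone logs in to the machine.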

For companies migrating to the public cloud (as 56% plan to do by 2021, according to IDG Enterprise's 2015 Cloud Survey), Ziften provides unmatched visibility into cloud servers to better monitor and secure the complete infrastructure.

In Google's environment, only corporate-owned devices (COPE) are allowed, crowding out bring-your-own-device (BYOD). This works for a company like Google that can hand out new devices to all staff: smartphone, tablet, laptop and so on. Part of the reason is that identity is vested in the device itself, in addition to the usual user authentication. The device must meet Google's requirements, having either a TPM or a software equivalent of a TPM to hold the X.509 certificate used to verify device identity and to facilitate device-specific traffic encryption. There must be one or more agents on each endpoint to validate the device assertions called out in the access policy, which is where Ziften would have to partner with the systems management agent vendor, because agent cooperation is likely essential to the process.

Summary

In summary, Google has built a world-class solution, but its applicability and usefulness are limited to organizations like Alphabet.

Ziften offers the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint) and a best-in-class console. For companies with specialized requirements or incumbent tools, Ziften offers both an open REST API and an extension framework (to augment data ingestion and trigger response actions).

This brings the benefits of the BeyondCorp design to the masses while conserving network bandwidth and endpoint (machine) computing resources. Since organizations will be slow to move entirely away from the corporate network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is gradually shifting towards managed detection and response (MDR). Managed security service providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is not enough. They lack the skills and the technology.

Ziften's offering has been tested, integrated, approved and deployed by a number of the emerging MDRs, highlighting the standardization (capability) and flexibility of the Ziften platform to play a key role in remediation and incident response.

~leaverchuck1
