Chuck Leaver – Now Integrating Advanced Endpoint Products Into Existing Security Architectures Is Possible

Written By Roark Pollock And Presented By Ziften CEO Chuck Leaver


Security practitioners are by nature a careful lot. Caution is a trait most people probably bring into this industry given its mission, but it is also undoubtedly a trait that is learned over time. Ironically, this holds true even when it comes to adding more security controls to an existing security architecture. While one might assume that more security is better security, experience teaches us that is not always the case. There are many concerns tied to deploying a new security solution, and one that often lands near the top of the list is how well the new product integrates with the incumbent products.

Integration concerns come in many flavors. First and foremost, a new security control should not break anything. Beyond that, new security solutions need to readily share threat intelligence and act on threat intelligence gathered across the company’s entire security infrastructure. Put simply, the new security tools need to work with the existing ecosystem of tools such that “1 + 1 = 3”. The last thing most IT and security operations teams need is more siloed products and tools.

This is why, at Ziften, we have consistently focused on building and delivering a completely open visibility architecture. We believe that any new systems and security operations tools have to be designed with improved visibility and information sharing as key design requirements. But this is not a one-way street. Creating easy integrations requires technology partnerships with other vendors. We consider it our responsibility to work with other technology companies to mutually integrate our products, making life easier for customers. Unfortunately, many vendors still believe that integrating security solutions, especially new endpoint security solutions, is extremely difficult. I hear that concern constantly in customer conversations. But data is now emerging showing that this is not necessarily the case.

In recent survey work by NSS Labs on “advanced endpoint” products, NSS reports that Global 2000 customers based in the United States and Canada have been pleasantly surprised by how well these types of solutions integrate into their existing security architectures. According to the NSS study titled “Advanced Endpoint Protection – Market Analysis and Survey Results CY2016”, which NSS subsequently presented in the BrightTalk webinar below, respondents that had already deployed advanced endpoint products were far more positive about their ability to integrate into established security architectures than were respondents still in the planning stages of acquiring these products.

Specifically, respondents that have already deployed advanced endpoint solutions rank integration with existing security architectures as follows:

● Excellent 5.3 %
● Good 50.0 %
● Average 31.6 %
● Poor 13.2 %
● (Horrible) 0.0 %

Compare that to the more conservative responses from folks still in the planning stage:

● Excellent 0.0 %
● Good 39.3 %
● Average 42.9 %
● Poor 14.3 %
● (Horrible) 3.6 %

These responses are encouraging. Yes, as noted, security folks tend to be pessimists, but despite low expectations respondents are reporting positive results when it comes to integration experiences. In fact, Ziften customers generally show the same low initial expectations when we first discuss integrating Ziften products into their existing environment. But in the end, customers are wowed by how simple it is to share information between Ziften solutions and their established infrastructure.

These survey results will hopefully help ease concerns, as newer adopters often look to and rely on peer recommendations before making purchase decisions. Early mainstream adopters are clearly having success deploying these products, which should help reduce the natural caution of the broader mainstream.

Certainly, there is considerable differentiation among solutions in this space, and organizations must continue to perform proper due diligence in understanding how and where solutions integrate into their wider security architectures. But the good news is that there are products not just meeting customers’ needs, but actually outperforming their initial expectations.


Chuck Leaver – Ziften Clients Are Protected From The Flaw In Petya Variant

Written By Josh Harriman And Presented By Chuck Leaver Ziften CEO


Another outbreak, another problem for those who were not prepared. While this latest attack is similar to the earlier WannaCry threat, there are some differences in this latest malware, which is a variant or new strain of Petya. Dubbed NotPetya by some, this strain causes a great deal of trouble for anyone who encounters it. It may encrypt your data, or make the system entirely unusable. And the email address that you would need to contact to ‘maybe’ decrypt your files has now been taken down, so you are out of luck getting your files back.

Plenty of details about this threat’s behavior are publicly available, but I wanted to point out that Ziften customers are protected both from the EternalBlue exploit, which is one mechanism used for its propagation, and, better still, by an inoculation based on a possible flaw, or its own form of debug check, that prevents the threat from ever executing on your system. It could still spread within the environment, but our protection would already be pushed to all existing systems to halt the damage.

Our Ziften extension platform allows our customers to put protection in place against specific vulnerabilities and malicious behaviors for this threat and others like Petya. Beyond the specific actions taken against this particular variant, we have taken a holistic approach to stopping strains of malware that perform various ‘checks’ against the system before executing.

We can also use our Search capability to look for remnants of the other propagation techniques used by this threat. Reports show WMIC and PsExec being used. We can search for those programs, their command lines, and their usage. Although they are legitimate processes, their use is normally rare and can be alerted on.

With WannaCry, and now NotPetya, we expect to see a continued rise in these kinds of attacks. The release of the recent NSA exploits has given ambitious cyber criminals the tools they need to push out their wares. And though ransomware can be a high-volume commodity vehicle, more damaging threats could be launched. It has always been ‘how’ to get the threat to spread (worm-like, or via social engineering) that is the hardest part for them.

Chuck Leaver – UK Email Attack Highlights Insecurities

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


In cyberspace the sheep get shorn, chumps get munched, dupes get duped, and pawns get pwned. We have seen another great example of this in the recent attack on the UK Parliament email system.

Instead of admitting to an email system that was insecure by design, the official statement read:

Parliament has robust procedures in place to secure all our accounts and systems.

Yeah, right. The one protective measure we did see in action was blame deflection – the Russians did it, that always works – while blaming the victims for their policy violations. While details of the attack are limited, combing various sources does help to piece together at least the gross outlines. If these accounts are reasonably accurate, the UK Parliament email system failings are atrocious.

What went wrong in this scenario?

Rely on single-factor authentication

“Password security” is an oxymoron – anything protected by a password alone is insecure, period, regardless of password strength. Please, no 2FA here; it might impede attacks.

Do not impose any limit on failed login attempts

Combined with single-factor authentication, this enables easy brute force attacks, no skill required. But when breached, blame elite state-sponsored hackers – nobody can verify it.

Do not perform brute force attack detection

Allow attackers to carry out (otherwise trivially detectable) brute force attacks for extended periods (12 hours against the UK Parliament system), to maximize the scope of account compromise.

Do not enforce policy; treat it as mere guidance

Combined with single-factor authentication, no limit on failed logins, and no brute force attack detection, do not enforce any password strength validation. Offer attackers very low-hanging fruit.

Rely on anonymous, unencrypted email for sensitive communications

If hackers do succeed in compromising email accounts or sniffing your network traffic, give them plenty of opportunity to harvest high-value message content entirely in the clear. This also conditions constituents to trust easily spoofable email from Parliament, creating an ideal constituent phishing environment.

Lessons learned

In addition to adding “Common Sense for Dummies” to their summer reading lists, the UK Parliament email system admins might wish to take further steps. Strengthening weak authentication practices, enforcing policies, improving network and endpoint visibility with continuous monitoring and anomaly detection, and completely rethinking secure messaging are recommended steps. Penetration testing would have uncovered these fundamental weaknesses while staying out of the news headlines.
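The two missing controls the post calls out, a limit on failed logins per account and detection of sustained brute force from one source, modelled over a constructed sample log. This is an added example, not code from the original post or from Ziften; the account names, addresses and thresholds are assumptions.

```python
"""Failed-login limiting and brute-force detection over a constructed auth log."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample authentication events (not real data), one per line:
# "<ISO timestamp> <account> <source IP> <FAIL|SUCCESS>". The single source
# 198.51.100.7 fails against three accounts over twelve hours (the duration the
# post cites for the Parliament attack) and eventually guesses one password.
SAMPLE_LOG = """\
2017-06-23T01:00:00 mp.smith 198.51.100.7 FAIL
2017-06-23T01:00:02 mp.smith 198.51.100.7 FAIL
2017-06-23T01:00:04 mp.smith 198.51.100.7 FAIL
2017-06-23T01:00:06 mp.smith 198.51.100.7 FAIL
2017-06-23T01:00:08 mp.smith 198.51.100.7 FAIL
2017-06-23T01:00:10 mp.smith 198.51.100.7 SUCCESS
2017-06-23T01:05:00 mp.jones 198.51.100.7 FAIL
2017-06-23T01:05:01 mp.jones 198.51.100.7 FAIL
2017-06-23T01:05:02 mp.jones 198.51.100.7 FAIL
2017-06-23T09:30:00 mp.brown 198.51.100.7 FAIL
2017-06-23T09:30:01 mp.brown 198.51.100.7 FAIL
2017-06-23T09:30:02 mp.brown 198.51.100.7 FAIL
2017-06-23T10:00:00 mp.green 203.0.113.5 FAIL
2017-06-23T10:00:30 mp.green 203.0.113.5 SUCCESS
2017-06-23T13:00:00 mp.brown 198.51.100.7 FAIL
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    source: str
    result: str  # "FAIL" or "SUCCESS"


@dataclass(frozen=True)
class BruteForceAlert:
    source: str
    failures: int
    accounts: List[str]
    duration: timedelta


def parse_events(text: str) -> List[AuthEvent]:
    """Parse the constructed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, source, result = line.split()
            events.append(AuthEvent(datetime.fromisoformat(ts), user, source, result))
    return sorted(events, key=lambda e: e.ts)


def apply_lockout(events, max_failures=5, window=timedelta(minutes=15),
                  lock_duration=timedelta(minutes=30)):
    """Simulate a per-account lockout: after max_failures failures inside `window`,
    every attempt on that account is rejected for `lock_duration`. Returns
    (rejected_attempts, locked_until) so the caller can see which attempts,
    including a successful guess, the control would have stopped."""
    recent: Dict[str, deque] = defaultdict(deque)  # account -> failure times in window
    locked_until: Dict[str, datetime] = {}
    rejected: List[AuthEvent] = []
    for ev in events:
        until = locked_until.get(ev.user)
        if until is not None and ev.ts < until:
            rejected.append(ev)  # locked: the password is not even evaluated
            continue
        if ev.result == "SUCCESS":
            recent[ev.user].clear()  # a genuine login resets the failure counter
            continue
        failures = recent[ev.user]
        failures.append(ev.ts)
        while failures and ev.ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if len(failures) >= max_failures:
            locked_until[ev.user] = ev.ts + lock_duration
            failures.clear()
    return rejected, locked_until


def detect_brute_force(events, min_failures=8, min_accounts=2):
    """Flag a source that accumulates many failures across several accounts (the
    pattern a per-account lockout misses when the attacker rotates accounts)
    and report how long the activity ran."""
    by_source: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        if ev.result == "FAIL":
            by_source[ev.source].append(ev)
    alerts = []
    for source, fails in by_source.items():
        accounts = sorted({e.user for e in fails})
        if len(fails) >= min_failures and len(accounts) >= min_accounts:
            span = fails[-1].ts - fails[0].ts  # events are already time-sorted
            alerts.append(BruteForceAlert(source, len(fails), accounts, span))
    return alerts
```

Run against the sample, the lockout rejects the attacker's eventual successful guess on mp.smith, and the source-level detector raises one alert covering the full twelve-hour run.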

Even a few clever high schoolers with a free weekend could have replicated this attack. And finally, stop blaming the Russians for your own security failings. Assume that any weaknesses in your security architecture and policy framework will be probed and exploited by some cyber criminal somewhere across the global internet. All the more reason to find and fix those weaknesses before the hackers do, so get started immediately. And then, if your defenders cannot see the attacks in progress, upgrade your monitoring and analytics.

Chuck Leaver – Use SysSecOps To Bring IT And Security Together

Written By Chuck Leaver Ziften CEO


Scott Raynovich nailed it. Having worked with hundreds of organizations, he realized that one of the biggest challenges is that security and operations are two different departments – with drastically different goals, different tools, and different management structures.

Scott and his analyst firm, Futuriom, recently completed a study, “Endpoint Security and SysSecOps: The Growing Trend to Develop a More Secure Business”, where one of the key findings was that clashing IT and security goals prevent experts – on both groups – from achieving their objectives.

That is exactly what we believe at Ziften, and the term Scott coined for the convergence of IT and security in this domain – SysSecOps – describes perfectly what we have been talking about. Security teams and IT teams need to get on the same page. That means sharing the same objectives and, sometimes, sharing the same tools.

Consider the tools that IT people use. They are designed to ensure the infrastructure and end devices are working properly and, when something goes wrong, to help repair it. On the endpoint side, those tools help ensure that devices allowed onto the network are configured properly, have software that is authorized and properly updated/patched, and have not registered any faults.

Consider the tools that security people use. They work to enforce security policies on devices, infrastructure, and security appliances (like firewalls). This may include actively monitoring incidents, scanning for abnormal behavior, examining files to ensure they do not contain malware, ingesting the latest threat intelligence, matching against newly discovered zero-days, and performing analysis on log files.

Discovering fires, battling fires

Those are two different worlds. The security teams are fire spotters: they can see that something bad is happening, can work quickly to isolate the problem, and can determine whether damage occurred (like data exfiltration). The IT teams are the firefighters on the ground: they jump into action when an incident strikes to make sure the systems are made safe and brought back into operation.

Sounds great, doesn’t it? Sadly, all too often, they do not talk to each other – it’s like having the fire spotters and firefighters using incompatible radios, different jargon, and different city maps. Worse, the teams can’t share the same data directly.

Our approach to SysSecOps is to give both the IT and security teams the same resources – and that means the same reports, presented in the way that suits each set of professionals. It’s not dumbing down, it’s working smarter.

It’s ridiculous to operate any other way. Take the WannaCry virus, for example. Microsoft released a patch back in March 2017 that addressed the underlying SMB flaw. IT operations teams didn’t install the patch, because they didn’t think it was a big deal and didn’t talk to security. Security teams didn’t know whether the patch was installed, because they don’t talk to operations. SysSecOps would have had everyone on the same page – and could potentially have avoided this issue.

Missing data means waste and risk

The inefficient gap between IT operations and security exposes companies to risk. Preventable threats. Unnecessary risk. It’s simply unacceptable!

If your company’s IT and security teams aren’t on the same page, you are incurring risks and costs that you should not have to. It’s waste. Organizational waste. It’s wasteful because you have so many tools providing partial data with gaps, and each of your teams sees only part of the picture.

As Scott concluded in his report, “Coordinated SysSecOps visibility has already demonstrated its worth in helping organizations evaluate, analyze, and prevent significant threats to IT systems and endpoints. If these goals are pursued, the security and management risks to an IT system can be greatly diminished.”

If your teams are working together in a SysSecOps way, if they can see the same data at the same time, you not only have better security and more efficient operations – but also lower risk and lower costs. Our Zenith software can help you achieve that efficiency, not only working with your existing IT and security tools, but also filling in the gaps to make sure everyone has the right data at the right time.

Chuck Leaver – Detect And Respond To WannaCry With Ziften And Splunk

Written by Joel Ebrahami and presented by Chuck Leaver

WannaCry has generated a great deal of media attention. It may not have the huge infection rates that we have seen with many of the earlier worms, but in the current security world the number of systems it was able to infect in one day was still somewhat shocking. The goal of this blog is NOT to offer a detailed analysis of the exploit, but rather to look at how the threat behaves on a technical level with Ziften’s Zenith platform and the integration we have with our technology partner Splunk.

Visibility of WannaCry in Ziften Zenith

My first step was to reach out to the Ziften Labs threat research team to see what details they could give me about WannaCry. Josh Harriman, VP of Cyber Security Intelligence, heads up our research team and informed me that they already had samples of WannaCry running in our ‘Red Lab’ to study the behavior of the threat and carry out further analysis. Josh sent me the details of what he had found when examining the WannaCry samples in the Ziften Zenith console, which I present in this post.

The Red Lab has systems covering the most common operating systems with various services and configurations. There were already systems in the lab that were purposely vulnerable to the WannaCry threat. Our global threat intelligence feeds used in the Zenith platform are updated in real time, and had no trouble spotting the infection in our lab environment (see Figure 1).

Two lab systems were identified running the malicious WannaCry sample. While it is great to see our global threat intelligence feeds updated so quickly and identifying the ransomware samples, there were other behaviors we detected that would have identified the ransomware threat even if there had not been a threat signature.

Zenith agents gather a large amount of data on what is happening on each host. From this visibility data, we build non-signature-based detection techniques that look for commonly malicious or anomalous behavior. In Figure 2 below, we show the behavioral detection of the WannaCry infection.

Investigating the Scope of WannaCry Infections

Once detected, whether through signature or behavioral methods, it is very easy to see which other systems have also been infected or are exhibiting similar behavior.

Detecting WannaCry with Ziften and Splunk

After reviewing this information, I decided to run the WannaCry sample in my own environment on a vulnerable system. I had one vulnerable system running the Zenith agent, and in this example my Zenith server was already configured to integrate with Splunk. This allowed me to look at the same information inside Splunk. Let me explain the integration we have with Splunk.

We have two Splunk apps for Zenith. The first is our technology add-on (TA): its job is to ingest and index ALL the raw data from the Zenith server that the Ziften agents generate. As this data is ingested it is mapped into Splunk’s Common Information Model (CIM) so that it is normalized and can be searched easily and used by other apps such as the Splunk App for Enterprise Security (Splunk ES). The Ziften TA also includes Adaptive Response capabilities for taking action on events that surface in Splunk ES. The second app is a dashboard for displaying our data with all the charts and graphs available in Splunk, to make digesting the data much easier.

Because I already had the details on how the WannaCry threat behaved in our research lab, I had the advantage of knowing exactly what to look for in Splunk using the Zenith data. In this case I was able to see a signature alert by using the VirusTotal integration with our Splunk app (see Figure 4).

Threat Hunting for WannaCry Ransomware in Ziften and Splunk

But I wanted to put on my “incident responder hat” and investigate this in Splunk using the Zenith agent data. My first thought was to search the systems in my lab for ones running SMB, since that was the initial vector for the WannaCry attack. The Zenith data is encapsulated in various message types, and I knew I would most likely find SMB data in the running process message type; however, I used Splunk’s * wildcard with the Zenith sourcetype so I could search all Zenith data. The resulting search looked like ‘sourcetype=ziften:zenith:* smb’. As expected, I got one result back for the system that was running SMB (see Figure 5).

My next step was to use the same behavioral search we have in Zenith that looks for common CryptoWare and see if I could get results back. Again, this was very easy to do from the Splunk search panel. I used the same wildcard sourcetype as before so I could search across all Zenith data, and this time I added the ‘delete shadows’ string to see whether this behavior was ever executed at the command line. My search looked like ‘sourcetype=ziften:zenith:* delete shadows’. This search returned results, shown in Figure 6, that showed me in detail the process that was created and the full command line that was executed.

Having all this detail within Splunk made it very easy to identify which systems were vulnerable and which systems had already been compromised.
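The two command-line hunts described on this page, the ‘delete shadows’ search above and the search for rarely used remote-execution tools such as WMIC and PsExec in the NotPetya post, expressed as detection logic over a constructed set of process-start events. This is an added example, not Ziften, Zenith or Splunk code; the event format, host names and command lines are assumptions.

```python
"""Hunting ransomware-style command lines in process-start telemetry."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample process-start events (not real telemetry), one JSON object
# per line. The first two hosts show the behaviors the posts describe; the last
# two show benign administrative use of the same tools that must not alert.
SAMPLE_EVENTS = r"""
{"host": "lab-win7-01", "pid": 2210, "user": "SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"}
{"host": "lab-win7-01", "pid": 2244, "user": "SYSTEM", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic shadowcopy delete"}
{"host": "lab-win10-02", "pid": 3301, "user": "CORP\\admin", "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\lab-win7-03 -s cmd.exe"}
{"host": "lab-win10-02", "pid": 3350, "user": "CORP\\admin", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic /node:lab-win7-03 process call create \"cmd.exe /c whoami\""}
{"host": "lab-srv-01", "pid": 4412, "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic os get caption,version"}
{"host": "lab-win10-04", "pid": 5120, "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
"""


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    user: str
    image: str
    cmdline: str

    @property
    def image_name(self) -> str:
        """Lower-cased executable name regardless of path separator."""
        return self.image.replace("\\", "/").rsplit("/", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    pid: int
    cmdline: str


# Shadow-copy deletion via either of the two usual command lines.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
# WMIC used to run something on another host rather than for local inventory.
WMIC_REMOTE = re.compile(r"/node:|process\s+call\s+create", re.I)
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def is_shadow_copy_deletion(ev: ProcessEvent) -> bool:
    return bool(SHADOW_DELETE.search(ev.cmdline))


def is_remote_execution(ev: ProcessEvent) -> bool:
    name = ev.image_name
    if name in REMOTE_EXEC_TOOLS:
        return True
    return name == "wmic.exe" and bool(WMIC_REMOTE.search(ev.cmdline))


RULES = [
    ("shadow_copy_deletion", is_shadow_copy_deletion),
    ("remote_execution_tool", is_remote_execution),
]


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse newline-delimited JSON events into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            events.append(ProcessEvent(rec["host"], int(rec["pid"]), rec["user"],
                                       rec["image"], rec["cmdline"]))
    return events


def hunt(events: List[ProcessEvent]) -> List[Finding]:
    """Apply every rule to every event; one finding per (event, matching rule)."""
    return [Finding(rule, ev.host, ev.pid, ev.cmdline)
            for ev in events for rule, matches in RULES if matches(ev)]


def hosts_by_rule(findings: List[Finding]) -> Dict[str, List[str]]:
    """Scope the incident: which hosts triggered which rule."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f.rule].add(f.host)
    return {rule: sorted(h) for rule, h in hosts.items()}
```

The benign `wmic os get` inventory query and `vssadmin list shadows` produce no findings, which is what keeps an alert on these legitimate but rarely used tools from being noisy.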

WannaCry Removal Utilizing Splunk and Ziften

One of the next steps in any breach is to remediate the compromise as quickly as possible to prevent further damage and to act to prevent any other systems from being compromised. Ziften is one of the Splunk founding Adaptive Response members, and there are a number of actions (see Figure 7) that can be taken through Splunk’s Adaptive Response to mitigate these threats via extensions on Zenith.

In the case of WannaCry we could have used almost any of the Adaptive Response actions currently available from Zenith. When trying to minimize the impact and prevent WannaCry in the first place, one action that can be taken is to shut down SMB on any system running the Zenith agent where the version of SMB running is known to be vulnerable. With a single action Splunk can pass Zenith the agent IDs or IP addresses of all the vulnerable systems on which we want to stop the SMB service, preventing the exploit from ever happening and allowing the IT Operations team to get those systems patched before starting the SMB service again.

Preventing Ransomware from Spreading or Exfiltrating Data

Now, in the event that we have already been compromised, it is crucial to prevent further exploitation and stop the possible exfiltration of sensitive information or company intellectual property. There are really three actions we could take. The first two are similar: we could kill the malicious process either by PID (process ID) or by its hash. This is effective, but because malware will often just respawn under a new process, or be polymorphic and have a different hash, we can apply an action that is guaranteed to stop any inbound or outbound traffic from those infected systems: network quarantine. This is another example of an Adaptive Response action available from Ziften’s integration with Splunk ES.

WannaCry is already winding down, but hopefully this technical blog shows the value of the Ziften and Splunk integration in dealing with ransomware threats against the endpoint.


Chuck Leaver – It’s Time To Get Paranoid About Your Security

Written By Chuck Leaver Ziften CEO

Whatever you do, don’t underestimate cyber security hackers. Even the most paranoid “normal” person would not worry about a data breach originating from stolen credentials belonging to its heating, ventilation and air conditioning (HVAC) contractor. Yet that is exactly what happened at Target in November 2013. Hackers got into Target’s network using credentials given to the contractor, presumably so it could monitor the HVAC system. (For a great analysis, see Krebs on Security.) The hackers were then able to use the breach to spread malware into point-of-sale (POS) systems, and then offload payment card details.

A number of ludicrous mistakes were made here. Why was the HVAC contractor given access to the enterprise network? Why wasn’t the HVAC system on a separate, entirely isolated network? Why wasn’t the POS system on a different network? Et cetera, et cetera.

The point here is that in a very complex network, there are countless potential vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the point.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO’s team. Security professionals aren’t “normal” people. They are paid to be paranoid. Make no mistake: regardless of the particular technical vulnerability that was exploited, this was a CISO failure to expect the worst and prepare accordingly.

I cannot speak to the Target HVAC breach specifically, but there is one overwhelming reason that breaches like this happen: a lack of financial priority for cybersecurity. I’m not sure how often businesses fail to fund security simply because they’re cheap and would rather do a share buy-back. Or perhaps the CISO is too timid to ask for what is needed, or has been told that he gets a 5% increase, irrespective of the need. Perhaps the CEO is worried that disclosures of big allocations for security will startle investors. Perhaps the CEO is simply naïve enough to believe that the business won’t be targeted by hackers. The problem: every business is targeted by cyber criminals.

There is substantial competition over budgets. The IT department wants to fund upgrades and enhancements, and attack the backlog of demand for new and better applications. On the flip side, you have line-of-business leaders who see IT projects as directly helping the bottom line. They are optimists, and get lots of CEO attention.

By contrast, the security department frequently has to fight for crumbs. It is viewed as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputations. These green-eyeshade people think about worst-case scenarios. That does not make friends, and budget dollars are allocated grudgingly at most companies (until the company gets burned).

Call it naivety, call it institutional hostility, but it is a genuine obstacle. You cannot have IT given great tools to move the enterprise forward while security is starved and making do with second best.

Worse, you don’t want to end up in a situation where the rightfully paranoid security teams are working with tools that do not mesh well with their IT counterparts’ tools.

If IT and security tools do not mesh well, IT may not be able to act quickly on the dangerous situations that the security teams are monitoring or worried about – things like reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behaviors that indicate dangerous or suspicious activity.

One suggestion: find tools for both departments that are designed with both IT and security in mind, right from the start, instead of IT tools that are patched to offer some minimal security capability. One budget line item (take it out of IT, they have more money), but two workflows, one designed for the IT professional and one for the CISO’s team. Everyone wins – and next time someone wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing and head that catastrophe off at the pass.


Chuck Leaver – At Ziften We Can Assist You With The WannaCry Ransomware Problem

Written By Michael Vaughn And Presented By Chuck Leaver Ziften CEO


Answers To Your Concerns About WannaCry Ransomware

The WannaCry ransomware attack has infected more than 300,000 computers in 150 countries so far by exploiting vulnerabilities in Microsoft’s Windows operating system.
In this brief video Chief Data Scientist Dr. Al Hartmann and I discuss the nature of the attack, as well as how Ziften can help companies protect themselves from the vulnerability known as “EternalBlue.”

As mentioned in the video, the problem with this Server Message Block (SMB) file sharing service is that it is present on many Windows operating systems and found in most environments. However, we make it easy to determine which systems in your environment have or have not been patched yet. Notably, Ziften Zenith can also remotely disable the SMB file-sharing service entirely, giving companies valuable time to ensure that those machines are properly patched.

If you want to know more about Ziften Zenith, our 20 minute demo includes a consultation with our experts on how we can help your company avoid the worst digital catastrophe to hit the internet in years.

Chuck Leaver – How To Evaluate Next Gen Endpoint Security Services

Written By Roark Pollock And Presented By Chuck Leaver CEO Ziften


The End Point Security Buyer’s Guide

The most common entry point for an advanced persistent threat or a breach is the endpoint. And endpoints are certainly the entry point for most ransomware and social engineering attacks. Using endpoint protection products has long been considered a best practice for protecting endpoints. Unfortunately, those tools aren’t keeping up with today’s threat environment. Advanced threats, and truth be told, even less advanced threats, are often more than sufficient to trick the average employee into clicking something they shouldn’t. So organizations are looking at and evaluating a wide variety of next-gen endpoint security (NGES) solutions.

With this in mind, here are ten tips to consider if you’re looking at NGES solutions.

Tip 1: Begin with the end in mind

Don’t let the tail wag the dog. A risk reduction strategy should always begin by assessing problems and then looking for possible solutions to those problems. But all too often we get enamored with a “shiny” new technology (e.g., the latest silver bullet) and end up trying to shoehorn that technology into our environments without fully evaluating whether it solves an understood and identified problem. So what problems are you trying to solve?

– Is your existing endpoint security tool failing to stop threats?
– Do you need better visibility into activity on the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?

Define the problems to address, and then you’ll have a yardstick for success.

Tip 2: Know your audience. Who exactly will be using the tool?

Understanding the problem that needs to be solved is a critical first step in understanding who owns the problem and who would (operationally) own the solution. Every functional team has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else might benefit from its use. Maybe it’s:

– The security team,
– IT operations,
– The governance, risk and compliance (GRC) team,
– The help desk or end user support team,
– Or perhaps the server team, or a cloud operations team?

Tip 3: Know what you mean by endpoint

Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in far more varieties than before.

Sure, we want to protect desktops and laptops, but what about mobile devices (e.g. phones and tablets), virtual endpoints, cloud-based endpoints, or Internet of Things (IoT) devices? And what about your servers? All these devices, naturally, come in multiple flavors, so platform support needs to be addressed as well (e.g. Windows only, Mac OSX, Linux, etc.?). Also, consider support for endpoints even when they are working remotely or offline. What are your needs and what are the “nice to haves”?

Tip 4: Start with a foundation of continuous visibility

Continuous visibility is a fundamental capability for addressing a host of security and operational management problems on the endpoint. The old saying holds true: you cannot manage what you cannot see or measure. Furthermore, you cannot protect what you cannot properly manage. So it needs to begin with continuous, all-the-time visibility.

Visibility is fundamental to management and security

And consider what visibility means. Enterprises need one source of truth that at a minimum monitors, stores, and analyzes the following:

– System data – events, logs, hardware state, and file system information
– User data – activity logs and behavior patterns
– Application data – characteristics of installed apps and usage patterns
– Binary data – attributes of set up binaries
– Procedures data – tracking details and data
– Network connection data – stats and internal behavior of network activity on the host

Tip 5: Keep track of your visibility data

Endpoint visibility data can be stored and analyzed on premise, in the cloud, or in some combination of both. There are advantages to each. The right approach varies, but is usually driven by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.

Know if your organization needs on-premise data retention

Know whether your organization permits cloud-based data retention and analysis, or whether you are constrained to on-premise solutions only. At Ziften, 20-30% of our customers keep data on premise purely for regulatory reasons. However, if legally an option, the cloud can provide cost advantages (among others).

Tip 6: Know what is on your network

Understanding the problem you are trying to solve requires understanding the assets on the network. We find that as many as 30% of the endpoints we initially discover on customers’ networks are unmanaged or unknown devices. This obviously creates a huge blind spot. Reducing this blind spot is an important best practice. In fact, SANS Critical Security Controls 1 and 2 are to carry out an inventory of authorized and unauthorized devices and software attached to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and usage, and perform ongoing continuous discovery.

Tip 7: Know where you are exposed

After determining which devices you need to monitor, you need to make sure they are running up-to-date configurations. SANS Critical Security Control 3 recommends ensuring secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends enabling continuous vulnerability assessment and remediation of these devices. So, look for NGES solutions that provide all-the-time monitoring of the state or posture of each device, and it is even more beneficial if the solution can help enforce that posture.

Likewise, look for solutions that provide continuous vulnerability assessment and remediation.

Keeping your entire endpoint environment hardened and free of critical vulnerabilities prevents a substantial number of security problems and removes a great deal of backend pressure from the IT and security operations teams.

Tip 8: Cultivate continuous detection and response

An important end goal for many NGES solutions is supporting continuous device state monitoring, to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.

Look for NGES solutions that provide all-the-time or continuous threat detection, leveraging a network of global threat intelligence and multiple detection methods (e.g., signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize detected threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Finally, understand all the response actions that each solution supports, and look for a solution that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.

Tip 9: Consider forensics data collection

In addition to incident response, organizations should be prepared to handle the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be essential to any investigation. So look for solutions that retain historical data that permits:

– Forensic tasks such as tracing lateral threat movement through the network over time,
– Pinpointing data exfiltration attempts,
– Determining the origin of breaches, and
– Determining appropriate remediation actions.

Tip 10: Tear down the walls

IBM’s security group, which supports an impressive ecosystem of security partners, estimates that the average enterprise has 135 security tools in place and is dealing with 40 security vendors. IBM customers certainly skew to large enterprises, but it’s a common refrain (complaint) from organizations of all sizes that security solutions do not integrate well.

And the complaint is not just that security solutions don’t play well with other security solutions, but also that they do not always integrate well with systems management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points, along with the vendor’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Plan for customizations

Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution soon after you get it. No solution will meet all of your requirements right out of the box, in its default configuration. Find out how the solution supports:

– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this, then that) functionality.

You know you’ll want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.

Look for support for easy customization in your NGES solution

Follow most of these tips and you’ll certainly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.

Chuck Leaver – Nobody Will Protect Everything End To End Better Than Ziften

Written By Ziften CEO Chuck Leaver


Do you want to manage and protect your endpoints, your data center, your network and the cloud? Well, Ziften can provide the ideal solution for you. We collect data, and enable you to correlate and use that data to make decisions, and to remain in control of your enterprise.

The information we obtain from everyone on the network can make a real-world difference. Consider the inference that the 2016 U.S. elections were influenced by cyber criminals in another country. If that’s the case, cyber criminals can do just about anything, and the idea that we’ll accept that as the status quo is simply ridiculous.

At Ziften, we believe the best way to combat those threats is with greater visibility than you’ve ever had. That visibility spans the entire enterprise, and connects all the major players together. On the back end, that’s physical and virtual servers in the data center and the cloud. That’s infrastructure and applications and containers. On the other side, it’s notebooks and desktop computers, irrespective of how and where they are connected.

End-to-end: that’s the thinking behind everything at Ziften. From the endpoint to the cloud, all the way from a web browser to a DNS server. We tie all that together, with all the other pieces, to offer your organization a complete solution.

We also capture and store real-time data for up to 12 months to let you understand what’s happening on the network right now, and to provide historical trend analysis and alerts if something changes.

That lets you discover IT faults and security issues immediately, and lets you track down the root cause by looking back in time to uncover where a breach or fault may have first occurred. Active forensics are an absolute requirement in this business: after all, where a breach or fault triggered an alarm may not be where the problem started, or where an attacker is operating.

Ziften provides your IT and security teams with the visibility to understand your current security posture, and to determine where improvements are needed. Non-compliant endpoints? Found. Rogue devices? Discovered. Off-network penetration? Detected. Obsolete firmware? Unpatched applications? All found. We’ll not only help you find the problem, we’ll help you fix it, and make sure it stays fixed.

End-to-end IT and security management. Real-time and historical active forensics. In the cloud, offline and on site. Incident detection, containment and response. We’ve got it all covered. That’s what makes Ziften better.


Chuck Leaver – Monitoring Cloud Activity With Enhanced NetFlow

Written by Roark Pollock and Presented by Ziften CEO Chuck Leaver


According to Gartner, the public cloud services market exceeded $208 billion in 2016. This represented roughly a 17% increase year over year. Not bad when you consider the ongoing concerns most cloud customers still have about data security. Another particularly interesting Gartner finding is the common practice of cloud customers contracting services from multiple public cloud providers.

According to Gartner, “most companies are currently utilizing a combination of cloud services from different cloud providers”. While the business rationale for using multiple providers is sound (e.g., avoiding vendor lock-in), the practice does create additional complexity in monitoring activity across an organization’s increasingly distributed IT landscape.

While some providers support better visibility than others (for example, AWS CloudTrail can monitor API calls across the AWS infrastructure), organizations need to understand and address the visibility problems related to moving to the cloud regardless of the cloud provider or providers they work with.

Unfortunately, the ability to monitor application and user activity, and network communications from each VM or endpoint in the cloud, is limited.

Regardless of where computing resources reside, organizations must answer the question “Which users, machines, and applications are communicating with each other?” Organizations need visibility across the infrastructure in order to:

  • Quickly identify and prioritize problems
  • Speed root cause analysis and identification
  • Lower the mean time to resolve issues for end users
  • Quickly identify and eliminate security threats, reducing overall dwell times.

Conversely, poor visibility or poor access to visibility data can reduce the effectiveness of existing management and security tools.

Organizations that are accustomed to the maturity, ease, and relatively low cost of monitoring physical data centers are going to be disappointed with their public cloud options.

What has been lacking is a simple, common, and elegant solution like NetFlow for public cloud infrastructure.

NetFlow, of course, has had 20 years or so to become a de facto standard for network visibility. A typical implementation involves the monitoring of traffic and aggregation of flows at network choke points, the retrieval and storage of flow information from multiple collection points, and the analysis of that flow information.

Flows include a basic set of source and destination IP addresses plus port and protocol information that is typically collected from a router or switch. NetFlow data is relatively inexpensive and easy to collect, offers near-ubiquitous network visibility, and enables actionable analysis for both network monitoring and performance management applications.

Many IT staffs, especially networking and some security teams, are extremely comfortable with the technology.

But NetFlow was designed to solve what has become a rather limited problem, in the sense that it only gathers network data, and does so at a limited number of possible locations.

To make better use of NetFlow, two key changes are needed.

NetFlow at the Edge: First, we need to expand the useful deployment scenarios for NetFlow. Instead of only gathering NetFlow at network choke points, let’s extend flow collection to the network edge (cloud, servers and clients). This would greatly expand the overall view that any NetFlow analytics provide.

This would allow organizations to augment and leverage existing NetFlow analytics tools to eliminate the growing blind spot in visibility into public cloud activity.

Rich, contextual NetFlow: Second, we need to use NetFlow for more than basic network visibility.

Instead, let’s use an extended version of NetFlow that takes account of the application, user, device, and binary responsible for each monitored network connection. That would let us quickly correlate every network connection back to its source.

In fact, these two modifications to NetFlow are exactly what Ziften has achieved with ZFlow. ZFlow provides an expanded version of NetFlow that can be deployed at the network edge, including as part of a VM or container image, and the resulting collected information can be consumed and analyzed with existing NetFlow tools. Over and above standard NetFlow/Internet Protocol Flow Information eXport (IPFIX) network visibility, ZFlow provides extended visibility by including information on the user, device, application and binary for every network connection.

Ultimately, this enables Ziften ZFlow to deliver end-to-end visibility between any two endpoints, physical or virtual, eliminating traditional blind spots like east-west traffic in data centers and enterprise cloud deployments.
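To make the idea of correlating every connection back to its source concrete, here is an added example (my own code, not Ziften’s ZFlow implementation) that joins constructed choke-point-style flow records with a constructed endpoint socket table, then rolls traffic up by user and program and flags large external transfers. The record layout, host name, placeholder hashes and all sample values are assumptions, not anything ZFlow actually emits.

```python
"""Extended-flow enrichment: join plain NetFlow-style records with the host
process/user context the text describes. Added example, not Ziften's ZFlow
code; record layout, hashes and sample data are constructed placeholders."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records as a choke-point collector would export them:
# 5-tuple plus byte count, with no notion of which process sent them.
FLOWS = [
    {"src": "10.0.1.5", "sport": 51234, "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "bytes": 8_200},
    {"src": "10.0.1.5", "sport": 51240, "dst": "10.0.1.20", "dport": 445, "proto": "tcp", "bytes": 120_000},
    {"src": "10.0.1.5", "sport": 51300, "dst": "198.51.100.4", "dport": 8443, "proto": "tcp", "bytes": 64_000_000},
    {"src": "10.0.1.5", "sport": 51999, "dst": "10.0.1.30", "dport": 53, "proto": "udp", "bytes": 300},
]
# Constructed socket table captured on the endpoint itself (the "edge"):
# local socket -> owning process, binary hash (placeholder) and user.
SOCKET_TABLE = {
    ("10.0.1.5", 51234, "tcp"): {"pid": 4011, "app": "chrome.exe", "binary": "<hash-placeholder-1>", "user": "alice"},
    ("10.0.1.5", 51240, "tcp"): {"pid": 812, "app": "svchost.exe", "binary": "<hash-placeholder-2>", "user": "SYSTEM"},
    ("10.0.1.5", 51300, "tcp"): {"pid": 7322, "app": "updater.exe", "binary": "<hash-placeholder-3>", "user": "alice"},
}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def enrich_flows(flows, socket_table, device="WS-ALICE-01"):
    """Attach device/user/app/binary context to each flow whose local socket
    is known; unmatched flows are kept but marked attributed=False."""
    enriched = []
    for f in flows:
        ctx = socket_table.get((f["src"], f["sport"], f["proto"]))
        rec = dict(f, device=device, pid=None, app=None, binary=None, user=None)
        rec["attributed"] = ctx is not None
        if ctx:
            rec.update(ctx)
        enriched.append(rec)
    return enriched

def bytes_by_program(enriched):
    """Roll up bytes per (user, app): which program, not just which host,
    is responsible for the traffic. Unattributed flows land under (None, None)."""
    totals = defaultdict(int)
    for r in enriched:
        totals[(r["user"], r["app"])] += r["bytes"]
    return dict(totals)

def large_external_transfers(enriched, threshold=10_000_000):
    """Flag attributed flows to non-internal destinations at or above the
    byte threshold, returning (app, user, dst, bytes) tuples for triage."""
    return [(r["app"], r["user"], r["dst"], r["bytes"]) for r in enriched
            if r["attributed"] and r["bytes"] >= threshold
            and not any(ip_address(r["dst"]) in n for n in INTERNAL)]
```

The unattributed UDP flow shows the value of collecting at the edge: a router-side collector alone can never tell you which process or user owned that socket.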