Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


There may be a joke somewhere about the forensic expert who was late to the incident response party. There is the seed of a joke in the idea at least, but of course you need to understand the differences between forensic analysis and incident response to appreciate the humor.

Forensic analysis and incident response are related disciplines that can leverage similar tools and associated data sets, but they also have some important distinctions. There are four particularly essential distinctions between forensic analysis and incident response:

– Goals.
– Data requirements.
– Team skills.
– Benefits.

The difference in the goals of forensic analysis and incident response is possibly the most essential. Incident response is focused on mounting a quick (i.e., near real-time) reaction to an immediate threat or concern. For instance, a house is on fire and the firefighters who show up to put that fire out are doing incident response. Forensic analysis is usually performed as part of a planned compliance, legal discovery, or law enforcement investigation. For example, a fire investigator may examine the remains of that house fire to determine the overall damage to the house, the cause of the fire, and whether the origin was such that other houses are also facing the same risk. Put simply, incident response is focused on containment of a threat or concern, while forensic analysis is focused on a complete understanding and thorough remediation of a breach.

A second significant distinction between the disciplines is the data resources required to achieve the goals. Incident response teams normally only require short-term data sources, frequently no more than a month or so, while forensic analysis teams usually need much longer-lived logs and files. Keep in mind that the typical dwell time of a successful attack is somewhere between 150 and 300 days.

While there is commonality in the personnel skills of incident response and forensic analysis teams, and in fact incident response is typically considered a subset of the broader forensic discipline, there are important distinctions in job requirements. Both kinds of work require strong log analysis and malware analysis skills. Incident response requires the ability to quickly isolate an infected device and to establish ways to remediate or quarantine the device. Interactions tend to be with other security and operations team members. Forensic analysis generally requires interactions with a much broader set of departments, including legal, compliance, operations and HR.

Not surprisingly, the perceived benefits of these activities also differ.

The ability to remove a threat from one machine in near real-time is a significant determinant in keeping breaches isolated and limited in effect. Incident response, together with proactive threat hunting, is the first line of defense in security operations. Forensic analysis is incident response’s less glamorous relative. However, the benefits of this work are undeniable. A comprehensive forensic examination enables the removal of all threats through careful analysis of an entire attack chain of events. That is no laughing matter.

Do your endpoint security processes allow both immediate incident response and long-term historical forensic analysis?

Written By Jesse Sampson And Presented By Charles Leaver CEO Ziften


Why are the same tricks being used by attackers all of the time? The simple answer is that they still work today. For example, Cisco’s 2017 Cybersecurity Report tells us that after years of decline, spam email with malicious attachments is once again on the rise. In that conventional attack vector, malware authors generally mask their activities using a filename similar to a common system process.

There is not necessarily a connection between a file’s name and its contents: anyone who has tried to hide sensitive information by giving it a boring name like “taxes”, or changed the extension on a file attachment to circumvent e-mail rules, knows this principle. Malware creators understand this too, and will typically name their malware to resemble common system processes. For instance, “explore.exe” is Internet Explorer, but “explorer.exe” with an extra “r” may be anything. It’s easy even for professionals to overlook this small distinction.

The opposite problem, known .exe files running in unusual places, is simple to solve using string functions and SQL sets.


What about the other case, discovering close matches to the executable name? Most people begin their search for near string matches by sorting data and visually looking for discrepancies. This works well enough for a small set of data, maybe even a single system. To find these patterns at scale, however, requires an algorithmic approach. One established method for “fuzzy matching” is to use Edit Distance.

What’s the best approach to computing edit distance? For Ziften, our technology stack includes HP Vertica, which makes this job easy. The internet has plenty of data scientists and data engineers singing Vertica’s praises, so it will suffice to mention that Vertica makes it easy to develop custom functions that make the most of its power – from C++ power tools to statistical modeling scalpels in R and Java.

This Git repo is maintained by Vertica enthusiasts working in industry. It’s not an official offering, but the Vertica team is certainly familiar with it, and moreover is thinking every day about how to make Vertica better for data scientists – a good space to watch. Best of all, it includes a function to compute edit distance! There are also other tools for natural language processing here, like word tokenizers and stemmers.

By applying edit distance to the top executable paths, we can quickly find the closest match to each of our top hits. This is an interesting dataset, as we can sort by distance to find the closest matches over the whole data set, or we can sort by frequency of the top path to see what is the nearest match to our most frequently used processes. This data can also surface on contextual “report card” pages, to show, e.g., the top 5 closest strings for a given path. Below is an example to give a sense of usage, based on real data ZiftenLabs observed in a client environment.


Setting a threshold of 0.2 seems to find good results in our experience, but the takeaway is that this can be tuned to fit specific use cases. Did we discover any malware? We notice that “teamviewer_.exe” (should be just “teamviewer.exe”), “iexplorer.exe” (should be “iexplore.exe”), and “cvshost.exe” (should be svchost.exe, unless perhaps you work for CVS pharmacy…) all look strange. Since we’re already in our database, it’s also trivial to obtain the associated MD5 hashes, Ziften suspicion scores, and other attributes to do a deeper dive.
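Both checks described above (known names in unexpected directories, and near-miss names found by normalized edit distance with a 0.2 threshold) as one stand-alone example. This is added code, not Ziften’s Vertica SQL or the community UDF; the process list, expected directories and observed paths are constructed sample data, and the lookalike names are the three the post reports.

```python
"""Process-name hygiene checks: misplaced known executables and lookalike names.

Added example (not Ziften's code). Re-implements in plain Python what the post
does with Vertica string functions and the community edit-distance UDF.
"""
from collections import Counter
import ntpath  # handles Windows-style paths regardless of the host OS


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character insertions, deletions
    and substitutions that turn a into b (classic two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalized_distance(a, b):
    """Edit distance scaled to [0, 1] by the longer string, so one threshold
    works for short and long names alike."""
    longest = max(len(a), len(b))
    return edit_distance(a, b) / longest if longest else 0.0


def nearest_known(name, known, threshold=0.2):
    """(closest_known_name, distance) when `name` is not itself a known name
    but lies within `threshold` of one; otherwise None. Ties resolve to the
    alphabetically first known name so results are deterministic."""
    low = name.lower()
    if low in known:
        return None
    scored = [(normalized_distance(low, k), k) for k in sorted(known)]
    dist, best = min(scored)
    return (best, dist) if dist <= threshold else None


def find_lookalikes(observed_paths, known_names, threshold=0.2):
    """Rank observed basenames by frequency and report near misses of a known
    name as (name, count, closest_known, distance)."""
    counts = Counter(ntpath.basename(p).lower() for p in observed_paths)
    known = {k.lower() for k in known_names}
    hits = []
    for name, count in counts.most_common():
        match = nearest_known(name, known, threshold)
        if match:
            hits.append((name, count, match[0], round(match[1], 3)))
    return hits


def misplaced_known(observed_paths, expected_dirs):
    """The 'opposite problem': a known executable name running from a
    directory other than the ones it is expected in."""
    out = []
    for p in observed_paths:
        name = ntpath.basename(p).lower()
        directory = ntpath.dirname(p).lower()
        if name in expected_dirs and directory not in expected_dirs[name]:
            out.append(p)
    return out


# Constructed sample data (assumptions, not real telemetry).
KNOWN_PROCESSES = ["svchost.exe", "iexplore.exe", "teamviewer.exe",
                   "lsass.exe", "chrome.exe"]
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}
OBSERVED_PATHS = (
    [r"C:\Windows\System32\svchost.exe"] * 5
    + [r"C:\Windows\System32\lsass.exe"] * 2
    + [r"C:\Program Files\Internet Explorer\iexplore.exe"] * 3
    + [r"C:\Program Files\TeamViewer\teamviewer.exe"] * 2
    + [r"C:\Users\alice\AppData\Local\Temp\cvshost.exe"]
    + [r"D:\portable\teamviewer_.exe"]
    + [r"D:\portable\iexplorer.exe"]
    + [r"C:\Users\bob\Downloads\svchost.exe"]
)

if __name__ == "__main__":
    for hit in find_lookalikes(OBSERVED_PATHS, KNOWN_PROCESSES):
        print("lookalike:", hit)
    for path in misplaced_known(OBSERVED_PATHS, EXPECTED_DIRS):
        print("misplaced :", path)
```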


In this particular real-life environment, it turned out that teamviewer_.exe and iexplorer.exe were portable applications, not known malware. We helped the customer with further investigation of the user and system where we observed the portable applications, since use of portable apps on a USB drive could be evidence of suspicious activity. The more disturbing find was cvshost.exe. Ziften’s intelligence feeds indicate that this is a suspicious file. Searching for the MD5 hash of this file on VirusTotal confirms the Ziften data, suggesting that this is a potentially serious Trojan infection that could be part of a botnet or doing something far more harmful. Once the malware was found, however, it was easy to fix the problem and ensure it stays resolved using Ziften’s ability to kill and persistently block processes by MD5 hash.

Even as we develop sophisticated predictive analytics to detect harmful patterns, it is important that we continue to enhance our capabilities to hunt for known patterns and old tricks. Just because new threats emerge doesn’t mean the old ones disappear!

If you liked this post, keep watching here for part 2 of this series, where we will apply this approach to hostnames to identify malware droppers and other malicious websites.

Written By Roark Pollock And Presented By Ziften CEO Charles Leaver


In the very recent past everybody knew exactly what you meant if you raised the topic of an endpoint. If someone wanted to sell you an endpoint security product, you knew exactly which devices that software was going to protect. However, when I hear somebody casually discuss endpoints today, The Princess Bride’s Inigo Montoya comes to mind: “You keep using that word. I do not think it means what you think it means.” Today an endpoint could be practically any kind of device.

In truth, endpoints are so diverse these days that people have taken to calling them “things.” According to Gartner, at the close of 2016 there were more than six billion “things” connected to the internet. The consulting firm forecasts that this number will shoot up to twenty-one billion by the year 2020. The business use of these things will be both generic (e.g. connected light bulbs and HVAC systems) and industry-specific (e.g. oil rig safety monitoring). For IT and security teams charged with connecting and securing endpoints, this is only half of the new challenge, however. The embrace of virtualization technology has redefined what an endpoint is, even in environments where these teams have traditionally operated.

The last decade has seen a huge change in the way end users access information. Physical devices continue to become more mobile, with many information workers now doing the majority of their computing and communication on laptops and mobile phones. More importantly, everyone is becoming an information worker. Today, better instrumentation and monitoring have enabled levels of data collection and analysis that can make the insertion of information technology into practically any job worthwhile.

At the same time, more traditional IT assets, particularly servers, are being virtualized to remove some of the conventional constraints of having those assets tied to physical devices.

These two trends together will impact security teams in important ways. The universe of “endpoints” will include billions of long-lived and insecure IoT endpoints in addition to billions of virtual endpoint instances that will be scaled up and down as needed and moved to different physical locations on demand.

Organizations will have very different worries about these two basic types of endpoints. Over their lifetimes, IoT devices will need to be protected from a host of threats, some of which have yet to be thought up. Monitoring and protecting these devices will require sophisticated detection capabilities. On the positive side, it will be possible to keep detailed log data to enable forensic investigation.

Virtual endpoints, on the other hand, present their own important concerns. The ability to move their physical location makes it much harder to ensure that proper security policies are always attached to the endpoint. The practice of re-imaging virtual endpoints can make forensic investigation difficult, as important data is typically lost when a new image is applied.

So regardless of what word or phrase is used to describe your endpoints – endpoint, user device, system, client device, mobile phone, server, virtual machine, container, cloud workload, IoT device, and so on – it is essential to understand precisely what someone means when they use the term endpoint.

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften


If Prevention Has Failed Then Detection Is Crucial

The last scene in the well-known Vietnam War movie Platoon depicts a North Vietnamese Army regiment in a surprise night attack breaching the concertina wire perimeter of an American Army battalion, overrunning it, and slaughtering the startled defenders. The desperate company commander, grasping their dire defensive situation, orders his air support to strike his own position: “For the record, it’s my call – Dump everything you’ve got left on my position!” Minutes later the battlefield is immolated in a napalm hellscape.

Although a physical conflict, this illustrates two elements of cybersecurity: (1) you have to handle inevitable perimeter breaches, and (2) it can be bloody hell if you don’t detect early and respond forcefully. MITRE Corporation has been leading the call for rebalancing cyber security priorities to place due focus on detecting breaches in the network interior rather than merely concentrating on penetration prevention at the network perimeter. Instead of defense in depth, the latter produces a flawed “tootsie pop” defense – hard, crunchy shell, soft chewy center. Writing in a MITRE blog post, “We could see that it wouldn’t be a question of if your network would be breached but when it will be breached,” says Gary Gagnon, MITRE’s senior vice president, director of cybersecurity, and chief security officer. “Today, organizations are asking ‘How long have the intruders been inside? How far have they got?’”

Some call this the “assumed breach” approach to cyber security, or as posted to Twitter by F-Secure’s Chief Research Officer:

Q: How many of the Fortune 500 are compromised – A: 500.

This is based on the premise that any sufficiently complex cyber environment has an existing compromise, and that Fortune 500 businesses are of enormously complex scale.

Shift the Burden of Perfect Execution from the Defenders to the Attackers.

The conventional cybersecurity viewpoint, derived from the legacy perimeter defense model, has been that the attacker only needs to be right once, while the defender must be right every time. A sufficiently resourced and persistent attacker will eventually achieve penetration. And time to successful penetration decreases with increasing size and complexity of the target enterprise.

A perimeter or prevention-reliant cyber-defense model essentially demands perfect execution by the defender, while granting success to any sufficiently sustained attack – a recipe for certain cyber disaster. For instance, a leading cyber security red team reports successful enterprise penetration in under three hours in more than 90% of their customer engagements – and these white hats are restricted to ethical means. Your enterprise’s black hat attackers are not so constrained.

To be viable, the cyber defense strategy must turn the tables on the attackers, shifting to them the unattainable burden of perfect execution. That is the rationale for a strong detection capability that continuously monitors endpoint and network behavior for any anomalous indicators or observed attacker footprints inside the perimeter. The more sensitive the detection capability, the more care and stealth the attackers must exercise in perpetrating their kill chain sequence, and the more time and labor and talent they must invest. The defenders need only observe a single attacker footfall to discover their tracks and unravel the attack kill chain. Now the defenders become the hunter, the attackers the hunted.

The MITRE ATT&CK Model.

MITRE provides a detailed taxonomy of attacker footprints, covering the post-compromise segment of the kill chain, known by the acronym ATT&CK, for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK project team leader Blake Strom says, “We decided to concentrate on the post-attack period [portion of the kill chain outlined in orange below], not just because of the strong probability of a breach and the scarcity of actionable details, but also because of the many opportunities and intervention points available for effective defensive action that do not always depend on prior knowledge of adversary tools.”




As displayed in the MITRE figure above, the ATT&CK model provides extra granularity on the post-compromise phases of the attack kill chain, breaking these out into ten tactic categories as shown. Each tactic category is further broken down into a list of techniques an attacker may use in carrying out that tactic. The January 2017 update of the ATT&CK matrix lists 127 techniques across its ten tactic categories. For example, Registry Run Keys / Start Folder is a technique in the Persistence category, Brute Force is a technique in the Credential Access category, and Command-Line Interface is a technique in the Execution category.

Leveraging Endpoint Detection and Response (EDR) in the ATT&CK Model.

Endpoint Detection and Response (EDR) solutions, such as Ziften provides, offer crucial visibility into attacker use of techniques listed in the ATT&CK model. For example, Registry Run Keys / Start Folder technique usage is reported, as is Command-Line Interface usage, because both involve readily observable endpoint behavior. Brute Force use in the Credential Access category should be blocked by design in every authentication architecture and be observable from the resulting account lockout. But even here the EDR product can report events such as unsuccessful login attempts, where an attacker may make a few guesses per account while staying under the account lockout attempt limit.

For attentive defenders, any technique usage may be the attack giveaway that unravels the entire kill chain. EDR products compete on their technique observation, reporting, and alerting capabilities, as well as on their analytics capability to perform more of the attack pattern detection and kill chain reconstruction, in support of the security analysts staffing the enterprise SOC. Here at Ziften we will detail more EDR product capabilities in support of the ATT&CK post-compromise detection model in future blogs in this series.
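The under-the-lockout-limit case above, as an added example that is not Ziften’s code or any product’s detection logic: it replays constructed failed-logon records and separates (user, source) pairs that would have tripped the lockout from those that stayed beneath it while quietly accumulating failures. The record format, the lockout policy (5 failures in 30 minutes), the hunting window and all host and account names are assumptions.

```python
"""Surfacing failed logons that stay under the account lockout limit.

Added example (not Ziften's code). A lockout policy counts failures inside a
short observation window; an attacker who makes a few guesses per window
never locks the account, but the failures still accumulate in endpoint logon
events. Compare the peak per lockout window with the total over a longer
hunting window to catch both cases. Sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                    # failures that would lock the account
LOCKOUT_WINDOW = timedelta(minutes=30)   # assumed lockout observation window
HUNT_WINDOW = timedelta(hours=24)        # how far back the hunt looks
HUNT_THRESHOLD = 12                      # total failures that warrant an alert


def parse_event(line):
    """Parse a constructed record: '<ISO time> user=<u> src=<host> result=<FAIL|OK>'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"time": datetime.fromisoformat(ts), **fields}


def sliding_max(sorted_times, window):
    """Largest number of timestamps falling inside any half-open interval
    [t, t + window). Input must be sorted ascending."""
    best, start = 0, 0
    for end, t in enumerate(sorted_times):
        while t - sorted_times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(lines):
    """Classify each (user, src) pair with failed logons:
       'lockout'             peak failures in a lockout window reached the threshold
       'under_lockout_limit' never reached it, yet HUNT_THRESHOLD+ failures in HUNT_WINDOW
    Returns a list of alert dicts in first-seen order."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["result"] == "FAIL":
            failures[(ev["user"], ev["src"])].append(ev["time"])

    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        peak = sliding_max(times, LOCKOUT_WINDOW)
        total = sliding_max(times, HUNT_WINDOW)
        if peak >= LOCKOUT_THRESHOLD:
            kind = "lockout"
        elif total >= HUNT_THRESHOLD:
            kind = "under_lockout_limit"
        else:
            continue
        alerts.append({"user": user, "src": src, "kind": kind,
                       "peak_per_window": peak, "total": total})
    return alerts


# Constructed sample events (assumptions, not real telemetry).
BASE = datetime(2017, 3, 1, 0, 0, 0)


def _fail(user, src, minutes):
    return [f"{(BASE + timedelta(minutes=m)).isoformat()} user={user} src={src} result=FAIL"
            for m in minutes]


SAMPLE_EVENTS = (
    # 4 guesses at the top of each hour for 4 hours: never 5 in 30 minutes, 16 in total
    _fail("alice", "WS-LAB07", [h * 60 + m for h in range(4) for m in (0, 5, 10, 15)])
    # a user who mistyped twice and then logged in: benign
    + _fail("bob", "WS-042", [30, 31])
    + [f"{(BASE + timedelta(minutes=32)).isoformat()} user=bob src=WS-042 result=OK"]
    # 6 rapid failures: the lockout itself is the observable
    + _fail("svc_backup", "WS-LAB07", [120, 121, 122, 123, 124, 125])
)

if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_EVENTS):
        print(alert)
```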

Written By Michael Vaughan And Presented By Charles Leaver Ziften CEO


More customized products are needed by security, network and operational teams in 2017

A lot of us have attended security conventions over the years, but none bring the same high level of excitement as RSA – where the world talks about security. Of all the conventions I have attended and worked, nothing comes close to the enthusiasm for new technology that people exhibited this past week in downtown San Francisco.

After taking a couple of days to digest the dozens of conversations about the requirements and limitations of current security solutions, I have been able to synthesize a single theme among participants: people want customized solutions that fit their environment and will work across several internal teams.

When I refer to the term “people,” I mean everybody in attendance regardless of technological sector. Operational specialists, security professionals, network veterans, and user behavior experts frequently visited the Ziften booth and shared their experiences.

Everybody seemed more ready than ever to discuss their needs and wants for their environment. These participants had their own set of objectives they wanted to achieve within their department, and they were desperate for answers. Because the Ziften Zenith solution provides such broad visibility on enterprise devices, it’s not surprising that our booth stayed crowded with people eager to learn more about a new, refreshingly easy endpoint security technology.

Attendees came with complaints about myriad enterprise-centric security issues and sought deeper insight into what’s really happening on their network and on devices traveling in and out of the office.

End users of old-school security solutions are on the lookout for newer, more essential software applications.

If I could select simply one of the frequent concerns I got at RSA to share, it’s this one:

“What exactly is endpoint discovery?”

1) Endpoint discovery: Ziften reveals a historical view of unmanaged devices which have been connected to other business endpoints at some point in time. Ziften allows users to discover known and unknown entities which are active or have interacted with recognized endpoints.

a. Unmanaged Asset Discovery: Ziften uses our extension platform to expose these unknown entities operating on the network.

b. Extensions: These are custom-fit solutions tailored to the user’s particular wants and requirements. The Ziften Zenith agent can execute the assigned extension one time, on a schedule, or on a continuous basis.

Almost always, after the above explanation came the real reason they were attending:

People are searching for a wide range of solutions for numerous departments, including executives. This is where working at Ziften makes answering this question a treat.

Only a portion of the RSA participants are security specialists. I spoke with dozens of network, operations and endpoint management staff, vice presidents, general managers and channel partners.

They clearly all use and understand the need for quality security software, but seemingly find the translation to business value missing among security vendors.

NetworkWorld’s Charles Araujo phrased the issue rather well in an article last week:

Enterprises must also rationalize security data in a company context and handle it holistically as part of the general IT and business operating model. A group of vendors is also attempting to tackle this obstacle …

Ziften was among only three companies mentioned.

After listening to the needs and wants of people from various business-critical backgrounds and explaining to them the capabilities of Ziften’s Extension platform, I generally explained how Ziften would tailor an extension to resolve their need, or I gave a brief demo of an extension that would allow them to overcome an obstacle.

2) Extension Platform: Tailored, actionable solutions.

a. SKO Silos: Extensions based on fit and requirement (operations, network, endpoint, etc.).

b. Custom Requests: Need something you can’t see? We can fix that for you.

3) Enhanced Forensics:

a. Security: Threat management, Risk Assessment, Vulnerabilities, Suspicious metadata.

b. Operations: Compliance, License Rationalization, Unmanaged Assets.

c. Network: Ingress/Egress IP movement, Domains, Volume metadata.

4) Visibility within the network – Not just what goes in and goes out.

a. ZFlow: Finally see the network traffic inside your business.

Needless to say, everyone I spoke with in our booth quickly understood the critical value of having a tool such as Ziften Zenith running in and across their enterprise.

Forbes writer Jason Bloomberg said it best when he recently described the future of enterprise security software and how all signs point towards Ziften leading the way:

Perhaps the broadest disruption: vendors are improving their ability to understand how bad actors behave, and can thus take actions to prevent, detect or mitigate their destructive activities. In particular, today’s vendors understand the ‘Cyber Kill Chain’ – the actions a skilled, patient hacker (known in the biz as an advanced persistent threat, or APT) will take to accomplish his or her wicked objectives.

The product of U.S. defense contractor Lockheed Martin, the Cyber Kill Chain contains seven links: reconnaissance, weaponization, delivery, exploitation, installation, establishing command and control, and actions on objectives.

Today’s more innovative vendors target one or more of these links, with the goal of preventing, detecting or mitigating the attack. Five vendors at RSA stood out in this category.

Ziften offers an agent-based approach to tracking the behavior of users, devices, applications, and network elements, both in real time and across historical data.

In real time, analysts use Ziften for threat identification and prevention, while they use the historical data to discover steps in the kill chain for mitigation and forensic purposes.

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Get Back To Basics With Hygiene And Avoid Serious Problems

When you were a child you will have been taught that brushing your teeth properly and flossing will avoid the need for expensive crowns and root canal treatments. Basic hygiene is far simpler and far more affordable than neglect and disease. This same lesson applies in the realm of enterprise IT – we can run a sound operation with proper endpoint and network hygiene, or we can face increasing security problems and disastrous data breaches as lax hygiene extracts its burdensome toll.

Operational and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we develop here at Ziften offer analytic insight into system operation across the enterprise endpoint population. They also offer endpoint-derived network operation insights that substantially expand on wire visibility alone and extend into cloud and virtual environments. These insights benefit both security and operations teams in significant ways, given the considerable overlap between operational and security issues:

On the security side, EDR tools provide vital situational awareness for incident response. On the operational side, EDR tools provide important endpoint visibility for operational control. Critical situational awareness demands a baseline understanding of endpoint population operating norms, and that understanding facilitates proper operational control.

Another way to describe these interdependencies is:

You cannot protect what you don’t manage.
You cannot manage what you don’t measure.
You cannot measure what you don’t track.

Managing, measuring, and tracking have as much to do with the security function as with the operational role; don’t try to split the baby. Management implies adherence to policy, that adherence should be measured, and operational measurements constitute a time series that should be tracked. A few sporadic measurements of critical dynamic time series lack interpretive context.

Tight security does not make up for lazy management, nor does tight management make up for lazy security. [Read that once more for emphasis.] Execution imbalances between these goals result in unsustainable inefficiencies and scale difficulties that inevitably lead to major security breaches and operational shortfalls.

Where The Areas Overlap

Significant overlaps between operational and security concerns include:

Configuration hardening and standard images
Group policy
Application control and cloud management
Management of the network including segmentation
Data security and encryption
Management of assets and device restoration
Mobile device management
Log management
Backups and data restoration
Patch and vulnerability management
Identity management
Access management
Continual employee cyber awareness training

For instance, asset management and device restore as well as backup and data restore are likely operational team responsibilities, but they become significant security problems when ransomware sweeps the enterprise, bricking all devices (not just the normal endpoints, but any network-connected devices such as printers, badge readers, security cameras, network routers, medical imaging devices, industrial control systems, and so on). What would your business response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency plan to quickly fill the attackers’ Bitcoin wallets and hope they have not exfiltrated your data for additional extortion and monetization? And why would you offload your data restoration responsibility to a criminal syndicate, blindly relying on their perfect data restoration integrity – it makes absolutely no sense. Operational control responsibility rests with the enterprise, not with the attackers, and may not be shirked – shoulder your responsibility!

For another example, base image building using best-practice configuration hardening is plainly a joint responsibility of operations and security personnel. In contrast to ineffective signature-based endpoint protection platforms (EPP), which all big enterprise breach victims have long had in place, configuration hardening works, so bake it in and continually refresh it. Also consider the needs of business personnel whose job function requires opening unsolicited email attachments, such as resumes, invoices, legal notices, or other required files. This must be done in a cloistered virtual sandbox environment, not on your production endpoints. Security staff will make these decisions, but operations staff will be imaging the endpoints and supporting the workers. These are shared duties.

Example Of Overlap:

Detonate in a safe environment. Don’t use production endpoints for opening unsolicited but needed email files, like resumes, invoices, legal notices, etc.

Focus Limited Security Resources on the Jobs Only They Can Perform

Most big enterprises are challenged to adequately staff all their security roles. Left unaddressed, deficiencies in operational efficiency will burn out security staff so rapidly that security functions will constantly be understaffed. There won’t be enough fingers on your security team to jam in the multiplying holes in the security dike that lax or inattentive endpoint, network or database management creates. And it will be easier to staff operational roles than to staff security roles with talented analysts.

Offload routine formulaic activities to operations personnel. Concentrate limited security resources on the jobs only they can perform:

Security Operations Center (SOC) staffing
Preventative penetration testing and red teaming
Reactive incident response and forensics
Proactive attack hunting (both insider and external)
Security oversight of overlapping operational roles (ensures a current security mindset)
Security policy development and stakeholder buy-in
Security architecture/tools/methodology design, selection, and development

Impose disciplined operations management and focus limited security resources on critical security functions. Then your enterprise may avoid letting operational concerns fester into security problems.


Written By Jesse Sampson And Presented By Ziften CEO Charles Leaver

The Fortinet Accelerate 2017 conference was held recently in Las Vegas. Ziften sponsored Fortinet’s annual worldwide partner conference for the second time, and it was a pleasure to be there! The energy at the show was palpable, and this was not due to the energy drinks you constantly see people carrying around in Las Vegas. The buzz and energy came from a key theme throughout the week: the Fortinet Security Fabric.

The idea of Fortinet’s Security Fabric is simple: take the diverse security “point products” that a company has deployed, and connect them so that the deep intelligence each product holds in its own security silo can provide a unified end-to-end security blanket over the entire company. Though Fortinet is normally considered a network security company, their approach to providing a complete security solution spans more than the conventional network to include endpoints, IoT devices, as well as the cloud. By exposing APIs to the Fabric-Ready partners and enabling the exchange of actionable threat intelligence, Fortinet is opening the door for a more collaborative approach across the entire security industry.

It is refreshing to see that Fortinet shares the same belief we hold at Ziften, which is that the only way we as an industry are going to catch up to (and exceed) the attackers is through integration and collaboration across all reaches of security, regardless of which vendor supplies each element of the overall solution. This is not a problem we are going to solve on our own, but rather one that will be solved through a unified approach like the one set out by Fortinet with their Security Fabric. Ziften is proud to be a founding member of Fortinet’s Fabric Ready Alliance program, integrating our unique approach to endpoint security with Fortinet’s “think different” mindset of what it means to integrate and collaborate.

During the week, Fortinet’s (very enthusiastic) channel partners had the chance to walk the show floor and see the integrated solutions offered by the various technology partners. Ziften showcased its integrations with Fortinet, including the integration of our solution with Fortinet’s FortiSandbox.

The Ziften solution collects unknown files from endpoints (clients or servers running OS X, Linux or Windows) and submits them to the FortiSandbox for analysis and detonation. Results are automatically fed back into Ziften for alerting, reporting and, if enabled, automated mitigation actions.

It was interesting to see that Fortinet’s channel partners clearly understood the value of the Security Fabric approach. It was clear to them, as it is to Ziften, that the Security Fabric is not a marketing gimmick but a genuine strategy assembled and led by Fortinet. While this is only the beginning of Fortinet’s Security Fabric story, Ziften is excited to work with Fortinet and watch that story unfold.

Written By Jesse Sampson And Presented By Ziften CEO Charles Leaver


There is a great deal of debate at the moment about the hacking threat from Russia, and it would be easy for security professionals to become overly anxious about cyber espionage. Since the objectives of any cyber espionage campaign dictate its targets, Ziften Labs can help answer this question by looking at why states run these campaigns in the first place.

Last week, the three major United States intelligence agencies released a detailed statement on Russia’s activities related to the 2016 US elections: Assessing Russian Activities and Intentions in Recent US Elections (“Activities and Intentions”). While some skeptics remain unconvinced by the new report, the risks it identifies, which we cover in this post, are compelling enough to warrant assessment and sensible countermeasures, despite the near impossibility of incontrovertibly attributing an attack to its source. Naturally, the official Russian position has been a winking denial of the hacks.

“Typically these types of leakages take place not due to the fact that hackers broke in, but, as any professional will inform you, due to the fact that somebody simply forgot the password or set the simple password 123456.” – German Klimenko, Putin’s top Internet advisor

While agencies get criticized for bureaucratic language like “high confidence,” the considered rigor of briefings like Activities and Intentions contrasts with the headline-friendly “1000% certainty” of a mathematically disinclined media hustler such as Julian Assange.

Activities and Intentions is most perceptive when it places hacking and cyber espionage within a “multifaceted” Russian doctrine:

“Moscow’s use of disclosures throughout the United States election was unmatched; however, its influence project otherwise followed a time-tested Russia messaging technique that mixes concealed intelligence operations – such as cyber activity – with obvious efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social networks users or ‘giants.’”

The report is weakest when it examines the motives behind the doctrine, or the strategy itself. Apart from some incantations about intrinsic Russian hostility to the liberal democratic order, it claims that:

“Putin most likely wished to challenge Secretary Clinton due to the fact that he has openly blamed her since 2011 for inciting mass protests against his routine in late 2011 and early 2012, and since he holds a grudge for remarks he likely viewed as disparaging him.”

A more nuanced assessment of Russian motivations, and of how they manifest in cyberspace, will help us better shape security strategy in this environment. Ziften Labs has identified three major strategic imperatives at work.

First, as Kissinger put it, throughout history “Russia decided to see itself as a beleaguered outpost of civilization for which security could be discovered just through applying its absolute will over its neighbors (52)”. US policy in the William Clinton era threatened this imperative through the expansion of NATO and dislocating economic interventions, perhaps contributing to a Russian preference for a Trump presidency.

Russia has used cyberwarfare techniques to protect its influence in former Soviet territories (Estonia, 2007; Georgia, 2008; Ukraine, 2015).

Second, President Putin wants Russia to be a great power in geopolitics once again. “Above all, we need to acknowledge that the collapse of the Soviet Union was a significant geopolitical disaster of the century,” he said in 2005. Hacking the identities of prominent people in political, academic, defense, technology and other institutions, which operatives can then expose to embarrassing or scandalous effect, is an easy way for Russia to discredit the US. The perception that Russia can influence election results in the United States with keystrokes calls into question the legitimacy of US democracy and muddies discussion of similar problems in Russia. Together with other prestige-boosting efforts, such as brokering the ceasefire talks in Syria (after leveling many cities), this approach could improve Russia’s global profile.

Finally, President Putin may have concerns about his own job security. Despite extremely favorable election results, according to Activities and Intentions the protests of 2011 and 2012 still loom large in his mind. With several regimes in his neighborhood changing in the 2000s and 2010s (he called it an “epidemic of disintegration”), some of them as a result of intervention by NATO and the US, President Putin is wary of Western interventionists who would not mind a similar outcome in Russia. A coordinated campaign could help discredit rivals and put the least aggressive candidates in power.

Given these reasons for Russian hacking, who are the likely targets?

Because the overarching goals are to discredit the legitimacy of the United States and NATO and to help non-interventionist candidates where possible, government agencies, especially those with roles in elections, are at greatest risk. So too are campaign organizations and other NGOs close to politics, such as think tanks, which have provided softer targets for hackers seeking access to sensitive information. This means that organizations holding account information for, or access to, prominent individuals whose information could cause embarrassment or confusion for US political, business, academic and media institutions need to be especially careful.

The next tier of risk is critical infrastructure. While recent Washington Post reports of a compromised US electrical grid turned out to be overhyped, Russia genuinely has hacked power grids and possibly other parts of physical infrastructure such as oil and gas. Beyond critical physical infrastructure, technology, finance, telecommunications and media could be targeted, as happened in Georgia and Estonia.

Lastly, although the intelligence agencies’ efforts over the past weeks have taken some heat for presenting “obvious” recommendations, everyone really would benefit from the advice in the Homeland Security/FBI report and in this blog post about hardening your configuration by Ziften’s Dr. Al. With major elections coming up this year in key NATO members France, the Netherlands and Germany, only one thing is guaranteed: it will be a busy year for Russian cyber operators, and these recommendations should be a top priority.

Written By Roark Pollock And Presented By Charles Leaver CEO Ziften


Reliable IT asset management and discovery can be a network and security admin’s best friend.

I do not need to tell you the obvious: we all know that a good security program starts with an inventory of every device connected to the network. Yet maintaining a current inventory of every connected device used by employees and business partners is hard. Harder still is making sure there are no connected unmanaged assets.

What is an Unmanaged Asset?

Networks can have thousands of connected devices, including, among others:

– User devices such as laptops, desktops, workstations, virtual desktop systems, bring-your-own devices (BYOD), mobile phones and tablets.

– Data center and cloud devices such as servers, virtual machines (VMs), orphaned VMs, containers and storage systems.

– Networking devices such as routers, switches, firewalls, load balancers and WiFi access points.

– Other devices such as printers and, more recently, Internet of Things (IoT) devices.

Unfortunately, many of these connected devices may be unknown to IT, or not governed by IT group policies. These unknown devices, and those not managed by IT policy, are referred to as “unmanaged assets.”

The number of unmanaged assets keeps rising for many companies. Ziften finds that as many as 30% to 50% of all connected devices can be unmanaged assets in today’s enterprise networks.

IT asset management tools are typically optimized to discover assets such as computers, servers, load balancers, firewalls and the storage devices used to deliver enterprise applications to the business. However, these management tools often overlook assets not owned by the organization, such as BYOD endpoints or user-deployed wireless access points. More troubling still, Gartner asserts in “Beyond BYOD to IoT, Your Business Network Access Policy Needs to Change” that IoT devices have overtaken employees and guests as the largest user of the enterprise network.[1]

Gartner goes on to describe a new trend that will introduce even more unmanaged assets into the enterprise environment: bring your own things (BYOT).

In short, employees bring items designed for the smart home into the workplace. Examples include smart power sockets, smart kettles, smart coffee machines, smart light bulbs, domestic sensors, wireless webcams, plant-care sensors, environmental controls and, eventually, home robots. Many of these things will be brought in by staff looking to make their working environment more congenial. These “things” can sense information, can be controlled by apps and can communicate with cloud services.[1]

Why Is It Essential to Identify Unmanaged Assets?

Quite simply, unmanaged assets create IT and security blind spots. Mike Hamilton, SVP of Product at Ziften, said: “Security starts with knowing exactly what physical and virtual devices are linked to the corporate network. But BYOD, shadow IT, IoT, and virtualization are making that more tough.”

These blind spots not only increase security and compliance risk; they can increase legal risk too. Information retention policies designed to limit legal liability are unlikely to be applied to electronically stored information held on unauthorized virtual, mobile and cloud assets.

Maintaining a current inventory of the assets on your network is vital to good security. It is common sense: if you do not know it exists, you cannot know whether it is secure. In fact, asset visibility is so crucial that it is a fundamental part of many information security frameworks, including:

– SANS Critical Security Controls for effective cyber defense: building an inventory of authorized and unauthorized devices is at the top of the list.

– Council on CyberSecurity Critical Security Controls: building an inventory of authorized and unauthorized devices is the first control in the prioritized list.

– NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137): information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions.

– ISO/IEC 27001 Information Security Management System Requirements: the standard requires that assets be clearly identified and that an inventory of all important assets be drawn up and maintained.

– Ziften’s Adaptive Security Framework: the first pillar is discovery of all your authorized and unauthorized physical and virtual devices.

Considerations in Evaluating Asset Discovery Solutions

There are multiple techniques for asset identification and network mapping, each with its own advantages and drawbacks. While evaluating the many tools available, keep these two key considerations in mind:

Continuous versus point-in-time

Strong information security requires continuous asset identification, whatever method is employed. However, many scanning techniques used for asset identification take time to complete and are therefore run only periodically. The drawback of point-in-time asset identification is that transient systems may be on the network only briefly, so it is quite possible that they will never be discovered.

Some discovery methods can trigger security alerts in network firewalls, intrusion detection systems or virus scanning tools. Because these techniques can be disruptive, identification is only performed at regular, point-in-time intervals.

There are, however, asset discovery techniques that can be used continuously to locate and identify connected assets. Tools that provide continuous monitoring for unmanaged assets deliver much better unmanaged asset discovery results.

Passive versus active

Asset identification tools provide intelligence on every discovered asset, including IP address, hostname, MAC address, device manufacturer and device type. This helps operations teams quickly clean up their environments, removing rogue and unmanaged devices and even VM sprawl. However, these tools gather that intelligence in different ways.

Tools that use active network scanning actively probe the network to coax responses from devices. These responses provide clues that help identify and fingerprint the device. Active scanning periodically examines the network, or a segment of it, for devices that are connected at the time of the scan.

Active scanning can typically provide deeper analysis of vulnerabilities, detection of malware, and configuration and compliance auditing. However, because of the way it disrupts security infrastructure, active scanning is run only periodically. Unfortunately, that means active scanning risks missing transient devices and vulnerabilities that appear between scheduled scans.

Other tools use passive asset discovery techniques. Because passive detection runs 24×7, it will spot transient assets that may be connected to the network only occasionally and briefly, and it can send alerts when new assets are discovered.

Furthermore, passive discovery does not disturb sensitive devices on the network, such as industrial control systems, and it gives visibility of the web and cloud services being accessed from systems on the network. Passive discovery techniques also avoid triggering alerts on security tools across the network.
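To make the continuous-versus-point-in-time and passive-versus-active distinctions concrete, here is an added example (not Ziften’s product code) that builds a passive inventory from DHCP lease events and alerts on devices missing from a managed-asset list, then simulates an hourly active scan to show the transient device it never sees. The dnsmasq-style log lines, the OUI table, the managed-MAC list and the one-hour lease length are all constructed assumptions.

```python
"""Passive, continuous asset discovery versus periodic point-in-time scanning.
Added example (not Ziften code): constructed dnsmasq-style DHCP lease events feed an
inventory keyed by MAC, devices absent from the managed list are flagged on first sight,
and a simulated hourly scan shows the transient device it would miss."""
from dataclasses import dataclass

# Constructed OUI table (MAC prefix -> vendor); a real deployment loads the IEEE OUI list.
OUI = {"00:1a:2b": "ExampleCo Laptops", "b8:27:eb": "Raspberry Pi Foundation",
       "f4:f5:d8": "Google (smart-home)"}
MANAGED = {"00:1a:2b:33:44:55"}  # assumption: MACs exported from the CMDB

@dataclass
class Asset:
    mac: str; ip: str; hostname: str; vendor: str
    first_seen: int; last_seen: int; managed: bool

def parse_lease_event(line):
    """'<epoch> DHCPACK(if) <ip> <mac> [host]' or '<epoch> DHCPRELEASE(if) <ip> <mac>'."""
    parts = line.split()
    if len(parts) < 4 or not parts[1].startswith("DHCP"):
        return None
    host = parts[4] if len(parts) > 4 else "?"
    return int(parts[0]), parts[1].split("(")[0], parts[2], parts[3].lower(), host

def passive_inventory(lines, managed=MANAGED):
    """Continuous passive discovery: each ACK updates the inventory; a new MAC raises an alert."""
    inventory, alerts = {}, []
    for ts, kind, ip, mac, host in filter(None, map(parse_lease_event, lines)):
        if kind != "DHCPACK":
            continue
        if mac in inventory:
            inventory[mac].ip, inventory[mac].hostname, inventory[mac].last_seen = ip, host, ts
            continue
        a = inventory[mac] = Asset(mac, ip, host, OUI.get(mac[:8], "unknown"), ts, ts, mac in managed)
        if not a.managed:
            alerts.append(f"t={ts}: new unmanaged asset {mac} ({a.vendor}) {ip} '{host}'")
    return inventory, alerts

def connection_windows(lines, lease_seconds=3600):
    """(mac, start, end) intervals during which a device holds a lease."""
    windows, open_leases = [], {}
    for ts, kind, _ip, mac, _host in filter(None, map(parse_lease_event, lines)):
        if kind == "DHCPACK":
            if mac in open_leases:  # a renewal closes the previous window
                start, end = open_leases[mac]
                windows.append((mac, start, min(end, ts)))
            open_leases[mac] = (ts, ts + lease_seconds)
        elif kind == "DHCPRELEASE" and mac in open_leases:
            windows.append((mac, open_leases.pop(mac)[0], ts))
    windows.extend((mac, s, e) for mac, (s, e) in open_leases.items())
    return windows

def point_in_time_scan(lines, scan_times, lease_seconds=3600):
    """Simulate periodic active scans: a device is seen only if it holds a lease at scan time."""
    windows = connection_windows(lines, lease_seconds)
    return {mac for t in scan_times for mac, s, e in windows if s <= t < e}

# Constructed sample lease log: the Raspberry Pi holds an address for only 500 seconds.
SAMPLE_LOG = [
    "1000 DHCPACK(eth0) 10.0.0.11 00:1a:2b:33:44:55 corp-laptop-07",
    "4000 DHCPACK(eth0) 10.0.0.42 b8:27:eb:aa:bb:cc raspberrypi",
    "4500 DHCPRELEASE(eth0) 10.0.0.42 b8:27:eb:aa:bb:cc",
    "5000 DHCPACK(eth0) 10.0.0.77 f4:f5:d8:11:22:33 smart-kettle",
    "7000 DHCPACK(eth0) 10.0.0.11 00:1a:2b:33:44:55 corp-laptop-07",
]
```

Running `passive_inventory(SAMPLE_LOG)` yields three assets and two alerts (the Raspberry Pi and the kettle), whereas `point_in_time_scan(SAMPLE_LOG, [3600, 7200])` only ever sees the laptop and the kettle: the short-lived Pi falls between the hourly scans.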

In Summary

BYOD, shadow IT, IoT, virtualization and Gartner’s newly coined BYOT all mean more and more assets on the enterprise network. Unfortunately, many of these assets are unknown to, or unmanaged by, IT, and these unmanaged assets create serious security holes. Removing them from the network (they are far more likely to be “patient zero”), or bringing them up to corporate security standards, significantly reduces a company’s attack surface and overall risk. The good news is that there are solutions that can provide continuous, passive discovery of unmanaged assets.

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


Diminishing Effectiveness of Enterprise Antivirus?

Google Security Expert Labels Antivirus Apps as Ineffective ‘Magic’

At the recent Kiwicon hacking conference in Wellington, New Zealand, Darren Bilby, manager of Google’s Platform Integrity team, preached cyber-security heresy. Tasked with investigating highly sophisticated attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise antivirus in with a collection of ineffective tools installed to tick a compliance box at the expense of real security:

“We need to stop buying those things we have revealed do not work… Anti-virus does some beneficial things, but in reality, it is more like a canary in a coal mine. It is even worse than that. It’s like we are loafing around the dead canary stating ‘Thank god it inhaled all the harmful gas.’”

Google security experts are not the first to weigh in against enterprise antivirus, or to draw unflattering comparisons, in this case to a dead canary.

Another highly capable security team, FireEye Mandiant, compared static defenses such as enterprise antivirus to that famously failed World War II defense, the Maginot Line:

“Like the Maginot Line, today’s cyber defenses are fast becoming a relic in today’s hazard landscape. Organizations invest billions of dollars every year on IT security. However, cyber attackers are easily outflanking these defenses with smart, fast-moving attacks.”

An example of this was given by a Cisco managed security services executive speaking at a conference in Poland. His team had spotted anomalous activity on one of their enterprise customers’ networks and reported the suspected server compromise to the customer. To the Cisco team’s astonishment, the customer simply ran an antivirus scan on the server, found nothing, and put it back into service. Horrified, the Cisco team conferenced the customer into their monitoring console and showed them the attacker conducting a live remote session at that very moment, complete with typing mistakes and reissued commands to the compromised server. Finally convinced, the customer took the server down and completely re-imaged it. The enterprise antivirus had been a futile distraction: it had not served the customer, and it had not deterred the attack.

So Is It Time to Throw Out Enterprise Antivirus Already?

I am not yet ready to declare an end to the age of enterprise antivirus. But I do know that organizations have to invest in detection and response capabilities to complement conventional antivirus. Increasingly, though, I wonder who is complementing whom.

Skilled, targeted attackers will consistently evade antivirus defenses, so against your greatest cyber risks enterprise antivirus is essentially worthless. As Darren Bilby said, it does do some useful things, but it does not provide the endpoint protection you need. So do not let it distract you from the highest-priority cyber-security investments, and do not let it distract you from the security practices that genuinely help.

Proven cyber defense practices include:

– Configuration hardening of networks and endpoints.

– Identity management with strong authentication.

– Application controls.

– Continuous network and endpoint monitoring, and constant vigilance.

– Strong encryption and data security.

– Staff training and education.

– Continuous risk re-assessment, penetration testing, and red/blue teaming.

In contrast to Bilby’s criticism of enterprise antivirus, none of the above bullets are ‘magic’. They are simply the ongoing work of proper enterprise cyber-security.