Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


Diminishing Effectiveness of Enterprise Antivirus?

Google Security Expert Labels Antivirus Apps As Ineffective ‘Magic’.

At the recent Kiwicon hacking conference in Wellington, New Zealand, Darren Bilby, manager of Google’s Platform Integrity team, preached cyber-security heresy. Tasked with investigating highly advanced attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise antivirus in with a set of ineffective tools deployed to tick a compliance checkbox at the cost of genuine security:

We need to stop buying those things we have revealed do not work… Anti-virus does some beneficial things, but in reality, it is more like a canary in a coal mine. It is even worse than that. It’s like we are loafing around the dead canary stating ‘Thank god it inhaled all the harmful gas.’

Google’s security experts aren’t the first to weigh in against enterprise antivirus, or to draw unflattering comparisons, in this case to a dead canary.

Another highly competent security group, FireEye Mandiant, compared static defenses such as enterprise antivirus to that infamously failed World War II defense, the Maginot Line:

Like the Maginot Line, today’s cyber defenses are fast becoming a relic in today’s hazard landscape. Organizations invest billions of dollars every year on IT security. However, cyber attackers are easily outflanking these defenses with smart, fast-moving attacks.

An example was offered by a Cisco managed security services executive speaking at a conference in Poland. His team had spotted anomalous activity on one of their enterprise clients’ networks and reported the suspected server compromise to the customer. To the Cisco team’s astonishment, the client simply ran an antivirus scan on the server, found no detections, and put it back into service. Alarmed, the Cisco team conferenced the customer into their monitoring console and showed the attacker conducting a live remote session at that very moment, complete with typing mistakes and re-issued commands to the compromised server. Finally convinced, the customer took the server down and completely re-imaged it. The enterprise antivirus had been a futile distraction: it had neither served the customer nor deterred the attack.

So Is It Time to Dispose of Enterprise Antivirus Already?

I am not yet ready to declare an end to the age of enterprise antivirus. But I do know that organizations must invest in detection and response capabilities to complement conventional antivirus. Increasingly, though, I wonder who is complementing whom.

Skilled targeted attackers will consistently evade antivirus defenses, so against your greatest cyber risks, enterprise antivirus is essentially worthless. As Darren Bilby said, it does do some useful things, but it does not provide the endpoint defense you need. So do not let it distract you from the highest-priority cyber-security investments, and do not let it distract you from the security practices that genuinely help.

Proven cyber defense practices include:

Configuration hardening of networks and endpoints.

Identity management with strong authentication.

Application controls.

Continuous network and endpoint monitoring; constant vigilance.

Strong encryption and data protection.

Staff training and education.

Continuous risk reassessment, penetration testing, red/blue teaming.

In contrast to Bilby’s criticism of enterprise antivirus as ‘magic’, none of the above items are magic. They are simply the ongoing work of sound enterprise cyber-security.

Written By Charles Leaver CEO Ziften


No organization, however small or large, is immune from a cyber attack. Whether the attack originates outside or inside, no company is fully protected. I have lost count of the number of times that senior managers have said to me, “Why would anyone want to attack us?”

Cyber Attacks Can Take Many Forms

The proliferation of devices that can connect to corporate networks (laptops, smartphones and tablets) means an increased exposure to security vulnerabilities. The aim of a cyber attack is to exploit those vulnerabilities.


One of the most common cyber attack methods is the use of malware. Malware is code with malicious intent and includes viruses, Trojans and worms. Its objective is often to steal sensitive data or even destroy computer networks. Malware often takes the form of an executable file that spreads across your network.

Malware is becoming far more sophisticated, and there is now rogue software that masquerades as legitimate security software designed to protect your network.

Phishing Attacks

Phishing attacks are also common. Typically an e-mail purporting to come from a “trusted authority” asks the user to supply personal data by clicking a link. Some of these phishing emails look very authentic and have deceived many users. If the link is clicked and data entered, the details are stolen. Today an increasing number of phishing emails also carry ransomware.

Password Attacks

A password attack is one of the most basic kinds of cyber attack. An unauthorized third party attempts to gain access to your systems by “cracking” the login password. Software can be used to carry out brute-force attacks that guess passwords, and combinations of words used as passwords can be checked against a dictionary file.

If an attacker gains access to your network through a password attack, they can easily introduce malware and cause a breach of your sensitive data. Password attacks are among the easiest to prevent, and strict password policies offer a very effective barrier. Changing passwords regularly is also recommended.
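The detection side of the password attack described above, as an added example that is not part of the original post: a sliding-window count of failed logins per source and account, with a separate high-severity alert when a login succeeds right after a burst of failures. The log lines are constructed in sshd style with RFC 5737 documentation addresses, and the threshold and window are illustrative.

```python
"""Detecting a password-guessing attack (brute force or dictionary) in
authentication logs. Added example, not part of the post: the log lines are
constructed in sshd style using RFC 5737 documentation addresses, and the
threshold and window are illustrative values."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


class Event(NamedTuple):
    ts: datetime
    result: str   # "Failed" or "Accepted"
    user: str
    src: str


class Alert(NamedTuple):
    src: str
    user: str
    kind: str      # "burst": guessing under way; "success_after_burst": a guess worked
    failures: int  # failures inside the window when the alert fired
    ts: datetime


def parse(lines: List[str]) -> List[Event]:
    """Keep only password authentication results; other sshd lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect(events: List[Event], threshold: int = 5,
           window: timedelta = timedelta(minutes=2)) -> List[Alert]:
    """Sliding window of failures per (source, account). 'burst' fires once
    when the count reaches the threshold; an accepted login while the window
    still holds a burst is the high-severity case, because it means one of
    the guesses worked rather than the attempts being mere noise."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda x: x.ts):
        q = recent[(e.src, e.user)]
        while q and e.ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if e.result == "Failed":
            q.append(e.ts)
            if len(q) == threshold:
                alerts.append(Alert(e.src, e.user, "burst", len(q), e.ts))
        else:
            if len(q) >= threshold:
                alerts.append(Alert(e.src, e.user, "success_after_burst", len(q), e.ts))
            q.clear()   # a successful login ends the sequence either way
    return alerts


# Constructed sample log: a guessing run against "alice" that succeeds on the
# seventh try, a normal user mistyping once, and a short probe of a bad account.
CONSTRUCTED_LOG = [
    "2016-11-01T09:00:01 sshd[4021]: Failed password for alice from 203.0.113.5 port 50112 ssh2",
    "2016-11-01T09:00:04 sshd[4021]: Failed password for alice from 203.0.113.5 port 50112 ssh2",
    "2016-11-01T09:00:07 sshd[4023]: Failed password for alice from 203.0.113.5 port 50114 ssh2",
    "2016-11-01T09:00:10 sshd[4023]: Failed password for alice from 203.0.113.5 port 50114 ssh2",
    "2016-11-01T09:00:13 sshd[4025]: Failed password for alice from 203.0.113.5 port 50116 ssh2",
    "2016-11-01T09:00:16 sshd[4025]: Failed password for alice from 203.0.113.5 port 50116 ssh2",
    "2016-11-01T09:00:19 sshd[4027]: Accepted password for alice from 203.0.113.5 port 50118 ssh2",
    "2016-11-01T09:01:00 sshd[4030]: Failed password for bob from 198.51.100.7 port 40022 ssh2",
    "2016-11-01T09:01:09 sshd[4030]: Accepted password for bob from 198.51.100.7 port 40022 ssh2",
    "2016-11-01T09:02:00 sshd[4033]: Failed password for invalid user admin from 203.0.113.9 port 33000 ssh2",
    "2016-11-01T09:02:03 sshd[4033]: Failed password for invalid user admin from 203.0.113.9 port 33000 ssh2",
    "2016-11-01T09:02:06 sshd[4033]: Failed password for invalid user admin from 203.0.113.9 port 33000 ssh2",
]

if __name__ == "__main__":
    for a in detect(parse(CONSTRUCTED_LOG)):
        print(f"{a.ts} {a.kind}: {a.user} from {a.src} after {a.failures} failures")
```

On the sample log this yields one `burst` alert for alice at the fifth failure and one `success_after_burst` alert six failures later; bob's single mistype and the three-attempt probe stay below the threshold.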

Denial of Service

A Denial of Service (DoS) attack is all about causing maximum disruption to the network. Attackers send very high volumes of traffic through the network, typically making large numbers of connection requests. The result is an overloaded network that shuts down.

Attackers can use multiple computers in a DoS attack to generate extremely high traffic levels that overload the network. Recently the largest DoS attack in history used botnets against Krebs On Security. Frequently, endpoint devices connected to the network, such as PCs and laptops, are hijacked and then contribute to the attack. A DoS attack can have severe consequences for network security.

Man in the Middle

Man-in-the-middle attacks are carried out by impersonating the endpoints of a network connection during an information exchange. Information can be stolen from the end user and even from the server they are communicating with.

How Can You Entirely Prevent Cyber Attacks?

Complete prevention of cyber attacks is not possible with existing technology, but there is a lot you can do to safeguard your network and your sensitive data. Do not believe that you can simply purchase and install a security software suite and then sit back. The more sophisticated cyber criminals know all the security products on the market and have devised techniques to get around the safeguards they provide.

Strong and frequently changed passwords is a policy you must adopt, and it is among the easiest safeguards to put in place. Encrypting your sensitive data is another easy step. Beyond installing antivirus and anti-malware suites along with a good firewall, you must make sure that regular backups are in place and that you have a data breach incident response and remediation plan in case the worst happens. Ziften helps organizations continuously monitor for threats that get past their defenses and take action immediately to remove the threat entirely.

Written By Logan Gilbert And Posted By Charles Leaver Ziften CEO


Worries Over Compliance And Security Prevent Organizations From Cloud Migration

Moving parts of your IT operations to the cloud can seem like a big task, and a risky one at that. Security holes, compliance record-keeping, the risk of introducing mistakes into your architecture … cloud migration presents a lot of scary problems to deal with.

If you have been hesitant about moving, you’re not alone, but help is on the way.

When Evolve IP surveyed more than 1,000 IT professionals earlier this year for its Adoption of Cloud Services North America report, 55% of those polled said that security is their greatest concern about cloud adoption. For organizations that do not currently have any cloud presence, the number was even higher: 70 percent. The next largest barrier to cloud adoption was compliance, cited by 40 percent of respondents (up 11% this year).

But here’s the bigger issue: if these concerns are keeping your company out of the cloud, you can’t take advantage of the efficiency and cost benefits of cloud services, which becomes a strategic handicap for your entire business. You need a way to move that also addresses concerns about security, compliance, and operations.

Improved Security in Any Environment With Endpoint Visibility.

This is where endpoint visibility wins the day. Being able to see what’s happening with every endpoint gives you the insight you need to improve security, compliance, and operational efficiency when you move your data center to the cloud.

And I mean any endpoint: desktop, laptop, mobile device, server, VM, or container.

As a long-time IT pro, I understand the temptation to believe you have more control over your servers when they’re locked in a closet and you’re the one who holds the keys. Even when you know that segments of your environment depend on kludges, they’re your kludges, and they’re stable. Plus, when you’re running your own data center, unlike when you’re in the cloud, you can use network taps and a whole host of monitoring tools to look at traffic on the wire, learn a great deal about who’s talking to whom, and fix your problems.

But that level of information pales in comparison to endpoint visibility, whether in the data center or in the cloud. The granularity of Ziften’s system gives you far more control than you could ever get with a network tap. You can find malware and other problems anywhere (even off your network), isolate them immediately, then trace them back to whichever user, application, device, or process was the weak link in the chain. Ziften provides the ability to perform look-back forensics and to resolve problems in far less time.

Eliminating Your Cloud Migration Headaches.

Endpoint visibility makes a huge difference whenever you’re ready to move a segment of your environment to the cloud. By analyzing endpoint activity, you can establish a baseline inventory of your systems, clear out unmanaged assets such as orphaned VMs, and hunt down vulnerabilities. That gets everything secure and stable within your own data center before you move to a cloud provider like AWS or Azure.

After you’ve migrated to the cloud, continuous visibility into each device, user, and application means you can administer every part of your infrastructure better. You avoid wasting resources by preventing VM sprawl, and you have a comprehensive body of data to satisfy the audit requirements of NIST 800-53, HIPAA, and other compliance regimes.

When you’re ready to move to the cloud, you’re not doomed to weak security, incomplete compliance, or operational SNAFUs. Ziften’s approach to endpoint security gives you the visibility you need for cloud migration without the nightmares.

Written By Logan Gilbert And Presented By Charles Leaver


Ziften assists with incident response, remediation, and investigation, even for endpoints off your network.

When incidents occur, security analysts need to act rapidly and comprehensively.

With remote workforces and corporate “cloud” infrastructures, remediation and analysis on an endpoint pose a truly challenging task. Below, watch how you can use Ziften to act on the endpoint and determine the source and propagation of a compromise in minutes, no matter where the endpoints are located.

First, Ziften alerts you to malicious activity on endpoints and steers you to the cause of the alert. In seconds, Ziften lets you take remediation actions on the endpoint, whether it’s on the corporate network, in an employee’s home, or at the local coffee shop. Any remediation action you’d normally perform with direct access to the endpoint, Ziften makes available through its web console.

Just that quickly, remediation is taken care of. Now you can apply your security expertise to go threat hunting and do some forensics work. You can immediately dive into far more detail about the process that led to the alert, then ask the vital questions to find out how widespread the issue is and where it propagated from. Ziften delivers thorough incident remediation for security professionals.

See first-hand how Ziften can help your security team zero in on threats in your environment with our 30-day free trial.

Written by Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Cyber attacks attributed to the Chinese government had breached sensitive personnel databases and stolen the data of over 22 million current, former, and prospective U.S. federal employees and their family members. Stern warnings from the Office of the Inspector General (OIG) to shut down systems without a current security authorization had been ignored.

Presciently, the OIG specifically warned that failure to shut down the unauthorized systems carried national security implications. Like the captain of the Titanic who maintained flank speed through an iceberg field, the OPM responded:

“We concur that it is necessary to preserve updated and valid ATOs for all systems however do not believe that this condition rises to the level of a Material Weakness.”

Furthermore, the OPM worried that shutting down those systems would mean a lapse in retirement and employee benefits and pay. Given a choice between a security lapse and an operational lapse, the OPM chose to run insecurely and was pwned.

Then-director Katherine Archuleta resigned her office in July 2015, a day after revealing that the scope of the breach vastly exceeded the original damage assessments.

Despite the high-value information held by OPM, the agency failed to prioritize cyber security and properly secure its high-value data.

What Are the Lessons for CISOs?

Rational CISOs will want to avoid career immolation in a huge flaming data breach disaster, so let’s quickly review the key lessons from the Congressional report’s executive summary.

Focus on Cybersecurity Commensurate with Asset Value

Have an effective organizational management structure to implement risk-appropriate IT security policies. Persistent non-compliance with security best practices and lagging timelines for implementing recommendations are signs of organizational failure and bureaucratic atherosclerosis. Shake up the organization, or prepare your post-breach panel appearance before the inquisitors.

Don’t Tolerate a Lax State of Information Security

Have the essential monitoring in place to maintain critical situational awareness, and leave no observation gaps. Don’t misjudge the scope, extent or gravity of attack indicators. Assume that if you identify attack indicators, there are other indicators you are missing. While OPM was forensically observing one attack avenue, another parallel attack went unnoticed. When OPM did act, the attackers learned which attack had been discovered and which attack was still succeeding, quite valuable intelligence to the attacker.

Enforce Basic Mandated Security Tools and Rapidly Deploy Cutting-Edge Security Tools

OPM was extremely negligent in implementing mandated multi-factor authentication for privileged accounts and did not deploy readily available security technology that could have prevented or mitigated exfiltration of its most valuable security background investigation files.

For authentication to restricted data or control access, the phrase “password protected” has been an oxymoron for years; passwords are not security, they are an invitation to compromise. In addition to adequate authentication strength, complete network monitoring and visibility is a prerequisite for preventing sensitive data exfiltration. The Congressional investigation blamed sloppy cyber hygiene and inadequate network traffic visibility for the attackers’ persistent presence in OPM networks.

Do Not Fail to Escalate the Alarm When Your Critically Sensitive Data Is Under Attack

In the OPM breach, the observed attack activity “must have sounded a high level multi-agency nationwide security alarm that a sophisticated, relentless actor was looking to gain access to OPM’s highest value data.” Instead, nothing of consequence was done “until after the agency was severely jeopardized, and until after the agency’s most sensitive information was lost to dubious actors.” As a CISO, sound that alarm in time (or rehearse your panel-appearance face).

Finally, don’t let this be said of your enterprise security posture:

The Committee obtained documents and testaments showing OPM’s information security posture was undermined by a woefully unsecured IT environment, internal politics and administration, and misplaced priorities related to the implementation of security tools that slowed essential security choices.

Written By Charles Leaver CEO Ziften


What Concerns Enterprise CISOs When Migrating To The Cloud

Moving to the cloud offers a number of advantages to enterprises, but there are genuine security concerns that make switching to a cloud environment worrisome. What CISOs want when migrating to the cloud is continuous insight into that cloud environment. They need a way to monitor and measure risk, and the confidence that they have the right security controls in place.

Increased Security Risk

Migrating to the cloud means using managed IT services, and many people believe this means giving up a great deal of visibility and control. Although the leading cloud providers use the latest security technology and encryption, even the most modern systems can fail and expose your sensitive data to attackers.

In reality, cloud environments face similar cyber risks to private enterprise data centers. However, the cloud is becoming a more attractive target because of the vast amount of data now stored on cloud servers.

Attackers know that businesses are steadily migrating to the cloud, and they are already targeting cloud environments. Alert Logic, a security-as-a-service provider, published a report concluding that IT decision makers must not assume that data stored off-premises is harder for cyber criminals to reach.

The report went on to say that there had been a 45% increase in application attacks against cloud deployments. There had also been an increase in the frequency of attacks on companies that host their infrastructure in the cloud.

The Cloud Is a Jackpot

With valuable data, production workloads, and applications shifting to cloud environments, these findings should not come as a surprise. A statement from the report said, “… hackers, like everyone else, have a limited quantity of time to complete their task. They wish to invest their time and resources into attacks that will bear the most fruit: services using cloud environments are mainly thought about as that fruit bearing jackpot.”

The report also suggests there is a misconception within organizations about security. A number of decision makers were under the impression that once a cloud migration had taken place, the cloud provider would be entirely responsible for the security of their data.

Security in The Cloud Needs To Be A Shared Responsibility

All organizations should take responsibility for the security of their data, whether it is hosted on site or in the cloud. This obligation cannot be entirely delegated to a cloud company. If your company suffers a data breach while using cloud management services, it is unlikely that you would be able to evade responsibility.

It is important that every organization fully understands the environment and the risks associated with cloud management. There can be a myriad of legal, financial, commercial, and compliance risks. Before moving to the cloud, be sure to scrutinize agreements so that the provider’s liability in the event of a data breach is fully understood.

Alert Logic vice president Will Semple said, “the key to safeguarding your crucial data is being educated about how and where along the ‘cyber kill chain’ opponents penetrate systems and to employ the right security tools, practices and financial investment to combat them.”

Cloud Visibility Is The Key

Whether you use cloud management services or host your own infrastructure, you need complete visibility into your environment. This is essential if you are considering migrating part, or all, of your environment to the cloud.

After a cloud migration has taken place, you can rely on this visibility to monitor every user, device, application, and network activity for potential risks and threats. The administration of your infrastructure thus becomes far more effective.

Don’t let your cloud migration result in weaker security and incomplete compliance. Ziften can help maintain cloud visibility and security for your existing cloud deployments or future cloud migrations.

Written By Charles Leaver Ziften CEO


Identify and control any device that requires access to your corporate network.

As a company grows, so does its asset footprint, and this makes the job of managing the entire set of IT assets far more challenging. IT management has changed from the days when IT asset management consisted of recording devices such as printers, accounting for all installed applications and ensuring that antivirus suites were up to date.

Today, companies are under constant threat of cyber attacks and of malicious code being used to penetrate the corporate network. Many devices now have network access capabilities. Gone are the days when only desktop PCs connected to a corporate network. Now there is a culture of bring your own device (BYOD), where cell phones, tablets and laptops are all likely to connect to the network. While this gives businesses flexibility and lets users connect remotely, it opens up a whole new range of vulnerabilities, as these varied endpoints make the challenge of corporate IT security far more complex.

What Is Endpoint Management?

You need a policy-based approach to the endpoint devices connected to your network in order to reduce the risk of cyber attacks and data breaches. Using laptops, tablets, cell phones and other devices may be convenient, but they can expose organizations to a wide range of security risks. The main objective of a sound endpoint management strategy should be that network activity is thoroughly monitored and unauthorized devices cannot access the network.

Most endpoint management software checks that the device runs an approved operating system and has antivirus software, and examines the device for an up-to-date virtual private network client.

Endpoint management solutions identify and manage any device that requires access to the corporate network. Anyone attempting to access the corporate environment from a non-compliant device is refused. This is important in combating attacks by cyber criminals and breaches by malicious groups.

Any device that does not comply with endpoint management policies is either quarantined or granted limited access. Local administrative rights may be removed and Internet browsing restricted.

Organizations Can Do More

There are a variety of measures a business can employ as part of its endpoint management policy. These include firewalls (both network and personal), encryption of sensitive data, stronger authentication methods, which certainly include hard-to-crack passwords that are changed regularly, and device- and network-level antivirus and anti-malware defenses.

Endpoint management systems can work on a client-server basis, where the software is deployed and centrally managed on a server. The client program must be installed on every endpoint device authorized to access the network. It is also possible to use a software-as-a-service (SaaS) model of endpoint management, where the service provider hosts and maintains the server and the security applications remotely.

When a client device attempts to log in, the server-based application scans the device to check that it complies with the organization’s endpoint management policy, then validates the user’s credentials before access to the network is granted.
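The admission flow just described (posture scan against policy, quarantine or limited access for non-compliant devices, credentials checked only afterwards), as an added example that is not Ziften’s product logic. The approved-OS list, signature-age limit, VPN client version and the device records are constructed sample values.

```python
"""Policy-based endpoint admission as described in the text: scan the
device's posture against the organization's endpoint policy, quarantine or
restrict non-compliant devices, and only then validate the user's
credentials. Added example; policy values and device records are constructed
and this is not Ziften's product logic."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Posture:
    """What the management client reports about a device (constructed fields)."""
    hostname: str
    os_name: str
    os_version: str
    av_installed: bool
    av_signature_date: Optional[date]
    vpn_client_version: Optional[str]


@dataclass
class Policy:
    """The organization's endpoint policy (constructed sample values)."""
    approved_os: Dict[str, str] = field(default_factory=lambda: {
        "Windows": "10.0.19041",   # minimum approved version per OS
        "macOS": "12.0",
        "Ubuntu": "20.04",
    })
    max_av_signature_age_days: int = 7
    min_vpn_client_version: str = "4.9.0"


@dataclass
class Decision:
    access: str                 # "allow", "limited", "quarantine" or "deny"
    reasons: List[str]
    restrictions: List[str]     # applied only for "limited"


def evaluate_posture(p: Posture, policy: Policy, today: date) -> Decision:
    """Posture check only. An unapproved OS or missing antivirus quarantines
    the device; stale signatures or an old VPN client earn limited access
    with the restrictions the text mentions."""
    hard: List[str] = []
    soft: List[str] = []

    min_os = policy.approved_os.get(p.os_name)
    if min_os is None:
        hard.append(f"operating system {p.os_name} is not approved")
    elif parse_version(p.os_version) < parse_version(min_os):
        hard.append(f"{p.os_name} {p.os_version} is below approved {min_os}")

    if not p.av_installed:
        hard.append("no antivirus software installed")
    elif (p.av_signature_date is None
          or (today - p.av_signature_date).days > policy.max_av_signature_age_days):
        soft.append("antivirus signatures out of date")

    if p.vpn_client_version is None:
        soft.append("VPN client not installed")
    elif parse_version(p.vpn_client_version) < parse_version(policy.min_vpn_client_version):
        soft.append(f"VPN client {p.vpn_client_version} is below "
                    f"{policy.min_vpn_client_version}")

    if hard:
        return Decision("quarantine", hard + soft, [])
    if soft:
        return Decision("limited", soft,
                        ["remove local administrative rights",
                         "restrict Internet browsing"])
    return Decision("allow", [], [])


def admit(p: Posture, policy: Policy, today: date, credentials_valid: bool) -> Decision:
    """The login flow from the text: posture first, credentials second. A
    quarantined device never reaches the credential check, and a compliant
    device presenting bad credentials is still denied."""
    decision = evaluate_posture(p, policy, today)
    if decision.access == "quarantine":
        return decision
    if not credentials_valid:
        return Decision("deny", ["invalid credentials"], [])
    return decision


# Constructed sample devices: compliant laptop, unapproved BYOD tablet,
# and a Mac with stale signatures and an old VPN client.
TODAY = date(2016, 11, 1)
POLICY = Policy()
DEVICES = [
    Posture("laptop-01", "Windows", "10.0.19045", True, TODAY - timedelta(days=1), "4.10.2"),
    Posture("tablet-07", "Android", "11", True, TODAY, None),
    Posture("mac-03", "macOS", "13.1", True, TODAY - timedelta(days=30), "4.8.0"),
]

if __name__ == "__main__":
    for dev in DEVICES:
        d = admit(dev, POLICY, TODAY, credentials_valid=True)
        print(f"{dev.hostname}: {d.access} {d.reasons} {d.restrictions}")
```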

The Issue With Endpoint Management Systems

Most companies see security software as a “cure-all”, but it is not that clear-cut. Endpoint security software bought as a set-and-forget solution will never be enough. Experienced cyber attackers know about these software products and are developing malicious code that evades the defenses a set-and-forget application can provide.

There needs to be human intervention. As Jon Oltsik, a contributor at Network World, stated: “CISOs need to take ownership of endpoint security and designate a group of professionals who own endpoint security controls as part of a general duty for incident prevention, detection, and response.”

Ziften’s endpoint security solutions provide the continuous monitoring and look-back visibility that a cyber security team needs to identify malicious infiltrations and act on them before they spread and steal the business’s sensitive data.


Written By Michael Vaughn And Presented By Charles Leaver Ziften CEO


All the Latest Developments from Splunk

Recently I attended the annual Splunk conference in the sunshine state, Florida. The Orlando event let Splunkers from all over the world familiarize themselves with Splunk’s latest and greatest offerings. Although there were plenty of fun activities during the week, it was clear that attendees were there to learn. The announcement of Splunk’s security-centric Adaptive Response initiative was popular, and it happens to integrate very neatly with Ziften’s endpoint platform.

Of particular interest, the “Transforming Security” keynote session, presented by Monzy Merza, Director of Cyber Research and Chief Security Evangelist at Splunk, Haiyan Song, SVP Security Markets at Splunk, and Mike Stone, CDIO of the UK Ministry of Defence, showed the power of Splunk’s new Adaptive Response interface to thousands of attendees.

In the clip below, taken from that keynote, Monzy Merza demonstrates how the valuable data provided by a Ziften agent can also be used bi-directionally from Splunk, by sending instructions to the Ziften agent to take immediate action on a compromised endpoint. Monzy was able to identify a compromised Linux server and remove it from the operational network for further forensic investigation. By not only feeding critical security data to the Splunk instance but also letting the user stay in the same interface to take operational and security actions, the Ziften endpoint agent lets users leverage Splunk’s powerful framework bi-directionally to take immediate, precise action across all operating systems. After the talks our booth was swamped with demos and very interesting conversations about operations and security.

Have a look at a three-minute highlight of Monzy from the keynote:

Over the weekend I was able to digest the wide range of technical conversations I had with many great people in our booth at .conf. One of the amusing things I learned, which nobody would openly admit unless I pulled it out of them, is that most of us are beginner-to-intermediate SPL (Splunk Processing Language) users. I also observed the obvious: incident response was the primary focus of this year’s event.

However, many people use Ziften for Splunk for a variety of things, such as application and operations management, network monitoring, and user behavior modeling. To shed light on the broad functionality of our Splunk App, here’s a taste of what folks at .conf2016 loved most about Ziften for Splunk:

1) It’s fantastic for Enterprise Security.

a. Generalized platform for ingesting real-time data and taking immediate action
b. Automating remediation based on a wide range of indicators of compromise

2) IT Operations love us.

a. Systems Monitoring, Hardware Lifecycle, Resource Management
b. Application Management: Compliance, License Rationalization, Vulnerabilities

3) Network Monitoring with ZFlow is a game changer.

a. ZFlow ties NetFlow to binary, system and user data in a single Splunk SPL entry. Do I need to say more? This is the real Holy Grail from Indiana Jones, folks!

4) Our User Behavior Modeling goes beyond simply notifications.

a. This could be filed under IT Operations, but it’s becoming its own beast
b. Ziften’s tracking of software usage, logins, elevated binaries, timestamps, etc. is easily viewable in Splunk
c. Ziften offers a free security-centric Splunk bundle, but we convert all the data we gather from each endpoint to the Splunk CIM format, not just our ‘Alerts’.

Ultimately, using a single Splunk Adaptive Response interface to manage a multitude of tools in your environment is what helps build a strong enterprise fabric for your business, one where operations, security and network teams overlap more fluidly. Make better decisions, faster. See for yourself with our free 30-day trial of Ziften for Splunk!

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO


Be Strong or Get Hacked.

Highly skilled and talented cyber attack groups have targeted and are targeting your enterprise. Your large endpoint population is the most common point of entry for experienced attack groups. These enterprise endpoints number in the thousands, are loosely managed, laxly configured, and riddled with vulnerability exposures, and are operated by marginally trained, credulous users: the ideal target-rich opportunity. Mikko Hypponen, chief research officer at F-Secure, frequently remarks at industry conferences: “How many of the Fortune 500 are hacked today? The response: 500.”

And how long did it take to penetrate your enterprise? White-hat hackers performing penetration testing or red team exercises generally compromise target organizations within the first few hours, even though ethically and legally constrained in their methods. Black-hat or state-sponsored hackers may achieve penetration far more quickly and maintain their presence indefinitely. Given average attacker dwell times measured in hundreds of days, time-to-penetration is negligible, not an impediment.

Exploit Kits

The industrialization of cyber attacks has created a black market for attack tools, including a range of software for identifying and exploiting client endpoint vulnerabilities. These exploit kits are marketed to attackers on the dark web, with dozens of exploit kit families and vendors. An exploit kit operates by profiling the software configuration of the endpoint (typically the browser and its plugins), identifying exposed vulnerabilities, and delivering an exploit for one of them.

A relative handful of widely deployed endpoint software packages accounts for the bulk of the vulnerabilities exploit kits target. This arises from the unfortunate reality that complex software tends to exhibit a steady stream of vulnerabilities that leaves it continually exposed. Each patch release cycle, exploit kit developers download the latest security patches, reverse engineer them (diffing the patched binary against the unpatched one) to locate the underlying vulnerabilities, and update their kits. This typically happens faster than enterprises apply patches, with some vulnerabilities remaining unpatched and ripe for exploitation even years after a patch has been released.
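The patch gap just described, as an added worked example that is not Ziften's code or from the original post: a Python audit over a software inventory that flags every host still running a version older than the first fixed release and reports how many days the patch, and therefore the diffable fix, has been public. The product names, version numbers, release dates and inventory lines are all constructed for illustration and are not real advisory data.

```python
"""Patch-gap audit over a software inventory (added example, not vendor code).

Answers the question the text raises: which hosts still run a version older
than the fix, and for how long has that fix been available to both the
enterprise and the exploit kit authors? All data below is constructed.
"""
from datetime import date


def parse_version(text):
    """'23.0.0.162' -> (23, 0, 0, 162). Non-numeric fragments sort as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_older(installed, fixed):
    """True if the installed version predates the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad to equal length so 5.1 compares as 5.1.0 against 5.1.0
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit(inventory_text, fixed_in, today):
    """Return one finding per (host, product) below the fixed version,
    most-exposed first. days_exposed counts from the patch release date,
    i.e. the window in which a kit author could have diffed the patch."""
    findings = []
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, product, installed = (f.strip() for f in line.split(",", 2))
        if product not in fixed_in:
            continue
        fixed_version, released = fixed_in[product]
        if is_older(installed, fixed_version):
            findings.append({
                "host": host,
                "product": product,
                "installed": installed,
                "fixed_in": fixed_version,
                "days_exposed": (today - released).days,
            })
    findings.sort(key=lambda f: (-f["days_exposed"], f["host"]))
    return findings


# Constructed fixed-in table: product -> (first fixed version, patch release date)
FIXED_IN = {
    "Adobe Flash Player": ("23.0.0.162", date(2016, 9, 13)),
    "Oracle Java": ("8.0.101", date(2016, 7, 19)),
    "Microsoft Silverlight": ("5.1.50709", date(2016, 10, 11)),
}

# Constructed inventory export: hostname,product,installed_version
INVENTORY = """\
# hostname,product,installed_version
ws-0142,Adobe Flash Player,22.0.0.209
ws-0142,Oracle Java,8.0.101
ws-0157,Adobe Flash Player,23.0.0.162
ws-0157,Microsoft Silverlight,5.1.41212
srv-db03,Oracle Java,7.0.80
"""


def run_demo(today=date(2016, 11, 1)):
    """Audit the constructed inventory as of a fixed (constructed) date."""
    return audit(INVENTORY, FIXED_IN, today)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['host']:10} {f['product']:22} {f['installed']:>12} "
              f"< {f['fixed_in']:<12} exposed {f['days_exposed']:>4} days")
```

In a real deployment the inventory would come from the endpoint agent and the fixed-in table from vendor advisories; the sort order puts the oldest public patch first, since that is the fix an exploit kit has had the longest to weaponize.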

Adobe Flash

Prior to widespread adoption of HTML5, Adobe Flash was the most commonly used software for rich Internet content. Even with increasing adoption of HTML5, legacy Adobe Flash retains a substantial following, preserving its long-held position as the darling of exploit kit authors. A recent study by Digital Shadows, In the Business of Exploitation, is illuminating:

"This report analyzes 22 exploit kits to understand the most frequently exploited software. We looked for patterns in the exploitation of vulnerabilities by these 22 kits to reveal which vulnerabilities had been exploited most commonly, coupled with how active each exploit kit was, in order to inform our assessment.

The vulnerabilities exploited by all 22 exploit kits showed that Adobe Flash Player was most likely the most targeted software, with 27 of the 76 identified vulnerabilities exploited relating to this software."

With relative consistency, dozens of fresh vulnerabilities are discovered in Adobe Flash each month. To exploit kit developers, it is the gift that keeps on giving.

The industry is learning its lesson and moving beyond Flash for rich web content. For instance, a Yahoo senior engineer blogging recently in Streaming Media noted:

"Adobe Flash, once the de facto standard for media playback online, has lost favor in the industry due to increasing concerns over security and performance. At the same time, requiring a plugin for video playback in browsers is losing favor among users as well. As a result, the industry is moving to HTML5 for video playback."

Amit Jain, Sep 21, 2016

Eliminating Adobe Flash

One step enterprises can take today to harden their endpoint configurations is to eliminate Adobe Flash as a matter of enterprise security policy. This will not be an easy task, and it may hurt, but it will reduce your enterprise attack surface. It involves blacklisting the Adobe Flash Player executables and plugins and enforcing browser security settings that disable Flash content. If done properly, this is what users will see where Flash content appears on a legacy web page:


This message confirms two facts:

1. Your system is properly configured to refuse Flash content.

Congratulate yourself!

2. This website would compromise your security for its convenience.

Ditch this website!
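The configuration step above, together with the check a practitioner would run afterwards, as an added example that is not from the original post and not Ziften's code: it parses a Windows registry export and reports whether Chrome's DefaultPluginsSetting policy blocks plugins (2 = block; 3 = click-to-play is only a half measure) and whether the Internet Explorer ActiveX kill bit (Compatibility Flags 0x400) is set on the Shockwave Flash CLSID. The key and value names are the documented ones for those two browsers; the sample export is constructed, and per-user (HKCU) policy and other browsers are out of scope here.

```python
"""Verify that a Windows endpoint refuses Flash content (added example).

Parses `reg export`/regedit .reg text and checks the two machine-wide
settings that blocked Flash on 2016-era Windows endpoints. The sample
export is constructed; only HKLM is examined.
"""
import re

CHROME_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"
# Shockwave Flash Object CLSID; checked under both native and Wow6432Node paths
IE_KILLBIT_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}",
]
KILLBIT = 0x400  # Compatibility Flags bit that forbids the control from loading

_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: data}}.
    dword: values become ints, quoted strings are unescaped, others kept raw.
    Paths and names are lower-cased because the registry is case-insensitive."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "" if m.group("default") else m.group("name").lower()
        data = m.group("data")
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = data
    return keys


def flash_block_status(reg):
    """Report Chrome plugin policy, IE kill bit, and an overall verdict."""
    chrome = reg.get(CHROME_POLICY_KEY.lower(), {}).get("defaultpluginssetting")
    chrome_state = {2: "blocked", 3: "click-to-play"}.get(chrome, "allowed")
    ie_killbit = any(
        isinstance(reg.get(k.lower(), {}).get("compatibility flags"), int)
        and reg[k.lower()]["compatibility flags"] & KILLBIT
        for k in IE_KILLBIT_KEYS
    )
    return {
        "chrome": chrome_state,
        "ie_killbit": ie_killbit,
        "compliant": chrome_state == "blocked" and ie_killbit,
    }


# Constructed export from a host where Chrome was left at click-to-play but
# the IE kill bit was set: a half-done job, so not compliant.
SAMPLE_PARTIAL = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DefaultPluginsSetting"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
"""

# Same host after Chrome policy is corrected to 2 (block)
SAMPLE_COMPLIANT = SAMPLE_PARTIAL.replace("dword:00000003", "dword:00000002")

if __name__ == "__main__":
    for label, sample in (("partial", SAMPLE_PARTIAL), ("fixed", SAMPLE_COMPLIANT)):
        print(label, flash_block_status(parse_reg(sample)))
```

Feed it the output of `reg export HKLM\SOFTWARE\Policies\Google\Chrome` and the two ActiveX Compatibility keys (saved as UTF-8) from each endpoint; a host reporting click-to-play still lets a user be social-engineered into running the Flash content the policy was meant to refuse.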

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


The dissolution of the traditional perimeter is happening fast. So what happens to the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. Investments are being questioned, with returns unable to overcome the cost and complexity of designing, maintaining, and justifying these aging defenses.

More than that, the paradigm has changed: employees no longer work exclusively in the office. Many log hours from home or while traveling, and neither location sits under the umbrella of a corporate firewall. Instead of keeping the criminals out, firewalls often have the opposite effect: they keep authorized people from being productive. The irony? They create a safe haven in which attackers can breach and hide for months, then move laterally to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the aforementioned failure of perimeter defense and a "mobile everywhere" workforce, we must now enforce trust at the endpoint. Easier said than done, however.

In the endpoint space, identity and access management (IAM) systems are not the perfect answer. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust goes beyond simple identification, authentication, and authorization.

Encryption is a second attempt at protecting entire libraries and individual assets. In the most recent (2016) Ponemon study on data breaches, encryption only reduced the cost per breached record by 10% (from $158 to $142). It is not the cure-all that some make it out to be.

The Whole Picture is changing.

Organizations must be prepared to embrace new paradigms and new attack vectors. While organizations need to provide access to trusted groups and individuals, they have to solve this in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) will soon make up over half of the total enterprise workforce.

On endpoint devices, the binary is predominantly the issue. Seemingly benign events, such as an executable crash, could indicate something simple, like the Windows 10 Desktop Window Manager (dwm.exe) restarting. Or it could be a deeper issue, such as a malicious file or an early indicator of an attack.

Trusted access doesn't fix this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks involve human error, social engineering, or other human factors. This requires more than simple IAM; it requires behavioral analysis.

Rather than making good better, perimeter and identity access vendors made bad faster.

When and Where Does the Good Part of the Story Start?

Taking a step back, Google (Alphabet) announced a perimeter-less network model in late 2014 and has made considerable progress since. Other enterprises, from corporations to governments, have done this too (quietly and less radically), but Google has done it and published its BeyondCorp efforts to the world. The design approach, endpoint plus (public) cloud displacing the cloistered enterprise network, is the key idea.

This changes the whole discussion about an endpoint, be it a laptop, PC, workstation, or server, being subservient to the corporate/enterprise/private/company network. The endpoint really is the last line of defense, and must be protected, yet also report its activity.

Unlike the traditional perimeter security model, BeyondCorp doesn't gate access to tools and services based on a user's physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both external and internal networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or "tiers", of access.

By itself, this seems harmless. But the reality is that this is a radical new model, and an imperfect one. The access criteria have moved from network addresses to device trust levels, and the network is heavily segmented by VLANs, instead of a central model with potential for breaches, hacks, and risks at the human level (the "soft chewy center").

The good news? Breaching the perimeter is very challenging for would-be attackers, and network pivoting (a common technique used by attackers today) is next to impossible once they are past the reverse proxy, proof that firewalls do a better job of keeping the bad guys in than of letting the good guys out. The inverse model applies even more to Google's cloud servers, presumably tightly managed, inside the perimeter, versus client endpoints, which are just about everywhere.

Google has made some nice improvements to proven security techniques, notably 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).

Why is this important? What are the gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google does not specifically describe a device security agent or emphasize any kind of client-side monitoring (apart from very strict configuration control). While there may be reporting and forensics, this is something every organization should be aware of, since it's a question of when, not if, bad things will happen. As Google's BeyondCorp authors report:

"Since implementing the initial phases of the Device Inventory Service, we've ingested billions of deltas from over 15 data sources, at an average rate of about three million per day, totaling over 80 terabytes. Retaining historical data is essential in allowing us to understand the end-to-end lifecycle of a particular device, track and analyze fleet-wide trends, and perform security audits and forensic investigations."

This is an expensive and data-heavy process with two shortcomings. On ultra-high-speed networks (used by the likes of Google, universities and research organizations), there is enough bandwidth for this kind of communication to take place without flooding the pipes. The first problem is that in more pedestrian corporate and government settings, this would cause significant user disruption.

Second, computing devices must have the horsepower to continuously collect and send data. While most employees would be delighted to have current developer-class workstations at their disposal, the expense of the devices and the process of refreshing them regularly make this prohibitive.

A Lack of Lateral Visibility

Very few systems actually generate "enhanced" netflow, enriching traditional network visibility with rich, contextual data.

Ziften's patented ZFlow™ provides network flow details generated at the endpoint, otherwise obtained through brute force (human labor) or expensive network appliances.

ZFlow serves as "connective tissue" of sorts, extending and completing the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints, and enabling security teams to make faster, better-informed and more accurate decisions. In essence, investing in Ziften results in labor savings, plus improved speed-to-discovery and time-to-remediation, with technology substituting for human resources.

For companies moving or migrating to the cloud (as 56% plan to do by 2021 according to IDG Enterprise's 2015 Cloud Survey), Ziften provides unrivaled visibility into cloud servers to better monitor and secure the total infrastructure.

In Google's environment, only corporate-owned devices (COPE) are permitted, crowding out bring your own device (BYOD). This works for a company like Google that can hand out new devices to all staff: phone, tablet, laptop, and so on. Part of the reason is that identity is vested in the device itself, in addition to user authentication as usual. The device must meet Google's requirements, having either a TPM or a software equivalent of a TPM to hold the X.509 certificate used to verify device identity and to facilitate device-specific traffic encryption. There must be several agents on each endpoint to validate the device assertions called out in the access policy, which is where Ziften would need to partner with the systems management agent vendor, since agent cooperation is likely essential to the process.
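To make the access model concrete, the following added example (a hypothetical policy, not Google's or Ziften's code and not from the original post) evaluates a request against device facts and user facts in the BeyondCorp style described above: corporate ownership, a valid TPM-held device certificate, patch age, disk encryption and agent freshness decide the device tier, and the resource's required tier, group and MFA decide the outcome. The tier thresholds, resource table, group names and device records are assumptions constructed for this example, and the request's source network is deliberately not an input.

```python
"""Device-tier access decision in the BeyondCorp style (added example).

Hypothetical policy: every threshold, resource and record below is
constructed for illustration. The point is the shape of the decision,
which never asks where the request came from, only what the device and
the user can prove.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Device:
    hostname: str
    corporate_owned: bool
    cert_subject: Optional[str]      # subject of the TPM-held X.509 device cert
    cert_not_after: Optional[date]   # None if no device cert was presented
    os_patch_age_days: int           # days since last OS security update
    disk_encrypted: bool
    agent_last_seen_days: int        # days since the inventory agents last reported


@dataclass(frozen=True)
class User:
    username: str
    mfa_passed: bool
    groups: FrozenSet[str] = frozenset()


TIERS = ("untrusted", "basic", "standard", "full")  # ascending trust


def device_tier(dev, today):
    """Map device facts to a trust tier. Every rule is a hypothetical threshold."""
    if not dev.corporate_owned or dev.cert_subject is None or dev.cert_not_after is None:
        return "untrusted"                      # no device identity to vouch for
    if dev.cert_not_after < today:
        return "untrusted"                      # expired cert: identity not provable
    if dev.agent_last_seen_days > 7:
        return "basic"                          # stale inventory: state unknown
    if dev.os_patch_age_days > 30 or not dev.disk_encrypted:
        return "basic"
    if dev.os_patch_age_days > 7:
        return "standard"
    return "full"


# Hypothetical resource requirements: minimum tier, required group, MFA
RESOURCES = {
    "wiki":        {"min_tier": "basic",    "groups": frozenset(),        "mfa": False},
    "source-repo": {"min_tier": "standard", "groups": frozenset({"eng"}), "mfa": True},
    "prod-admin":  {"min_tier": "full",     "groups": frozenset({"sre"}), "mfa": True},
}


def decide(user, dev, resource, today):
    """Allow only if device tier, user group and MFA all satisfy the resource."""
    req = RESOURCES[resource]
    tier = device_tier(dev, today)
    reasons = []
    if TIERS.index(tier) < TIERS.index(req["min_tier"]):
        reasons.append(f"device tier {tier} below required {req['min_tier']}")
    if req["groups"] and not (req["groups"] & user.groups):
        reasons.append(f"user not in {sorted(req['groups'])}")
    if req["mfa"] and not user.mfa_passed:
        reasons.append("MFA required")
    return {"allow": not reasons, "tier": tier, "reasons": reasons}


# Constructed records
TODAY = date(2016, 11, 1)
DEV_HEALTHY = Device("lap-0412", True, "CN=lap-0412", date(2017, 6, 1), 3, True, 1)
DEV_STALE = Device("lap-0099", True, "CN=lap-0099", date(2017, 6, 1), 3, True, 12)
DEV_BYOD = Device("home-pc", False, None, None, 0, False, 0)
SRE = User("alice", mfa_passed=True, groups=frozenset({"sre", "eng"}))

if __name__ == "__main__":
    for dev in (DEV_HEALTHY, DEV_STALE, DEV_BYOD):
        for res in RESOURCES:
            print(dev.hostname, res, decide(SRE, dev, res, TODAY))
```

Note what the stale-agent rule does: a device whose inventory agents have not reported in a week drops to the lowest corporate tier even though its certificate is valid, because the access proxy can no longer vouch for its state. That is exactly the gap the text identifies; without client-side monitoring feeding the inventory, the tier would be computed from stale facts.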


In summary, Google has developed a first-rate solution, but its applicability and usability are restricted to companies like Alphabet.

Ziften brings the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow monitoring (from the endpoint), and a best-in-class console. For companies with specialized needs or incumbent tools, Ziften offers both an open REST API and an extension framework (to enhance data ingestion and trigger response actions).

This brings the advantages of the BeyondCorp model to the masses, while conserving network bandwidth and endpoint computing resources. As organizations will be slow to move entirely away from the enterprise network, Ziften partners with firewall and SIEM vendors.

Finally, the security landscape is gradually shifting toward managed detection and response (MDR). Managed security service providers (MSSPs) provide traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is inadequate. They lack the skills and the technology.

Ziften's platform has been tested, integrated, approved and deployed by a number of the emerging MDR providers, highlighting the standardization (capability) and flexibility of the Ziften platform to play a key role in remediation and incident response.