Ziften Technologies are based in Austin, Texas, and Charles Leaver is the CEO.

This video from the Commonwealth Club features Steve Blank and he discusses how it is possible to build a great business step by step.

There is no doubt that Steve is an intelligent guy and his funny bone is good. His business insights are highly valued and there are numerous points that he made that I agree with:

He stated in the video that “there is absolutely nothing that you can learn inside your own office so you need to leave it!” Steve claimed that this was a lesson that business in Silicon Valley had to learn the hard way. Now at Ziften we make certain that we visit our prospects and clients on a weekly basis. Our company is young however the crucial execs and I understand that we have to understand and be realistic about the market and reflect this in our business model. When we understand what the marketplace needs we can truly add value.

We constantly put our customers first and continue to listen to them. In the video Steve mentions how hard it is for business owners to pay attention to their clients instead of attempting to enforce their viewpoint on the marketplace. What we also do at Ziften is to motivate our people to listen before speaking. When we are talking with our potential customers and clients we have to comprehend that they care a lot more about how we can resolve their problems rather than pay attention to how clever we are.

Steve makes another good point in the video when he speaks about how innovation is perceived in America compared to the remainder of the world. The thinking in the USA is right when it comes to our mindsets to failing. Any person is motivated to gain from failure, and these will turn these individuals into skilled executives who can really affect and add a great deal of worth to a new business. It is very important that there need to be no fear of failure due to the fact that this will stifle innovation.

I always persuade the people that work for us to take risks with no fear of a reprisal. I totally believe that this is forging us closer to our goal of closing the gap between business client security and security innovation and we are arriving quickly. This is a substantial change and we are really near to our goal.


Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

Still Supporting Apple QuickTime and Adobe Flash for Windows? Didn’t You Get the Memorandum?

With Independence day looming a metaphor is needed: Flash is a bit like firework lighting. There may be less risky ways to achieve it, but the only sure method is just to prevent it. And with Flash, you need not fight pyromaniac rises to avoid it, just handle your endpoint setups.




Why would you want to do this? Well, querying Google for “Flash vulnerability” returns 13 million hits! Flash is old and finished and ready for retirement, as Adobe stated themselves:

Today [November 30, 2015], open standards like HTML5 have actually grown and offer a number of the abilities that Flash ushered in… Looking forward, we encourage content creators to develop with new web standards…

Run a vulnerability scanner throughout your endpoint population. See any Flash mention? Yes, in the typical enterprise, zillions. Your cyber attackers know that also, they are depending on it. Thank you for your contribution! Just continue to ignore those bothersome security blog writers, like Brian Krebbs:

I would suggest that if you use Flash, you should strongly think about removing it, or a minimum of hobbling it until and unless you need it.

Disregarding Brian Krebs’ recommendations raises the chances your enterprise’s data breach will be the feature story in one of his future posts.




Flash Exploits: the Preferred Exploit Set Component

The limitless list of Flash vulnerabilities continues to lengthen with each brand-new patch cycle. Nation state cyber attackers and the better resourced groups can call upon Flash zero days. They aren’t tough to mine – launch your fuzz tester against the creaking Flash codebase and view them roll out. If an offensive cyber group can’t call upon zero days, not to fret, there are plenty of freshly released Flash Common Vulnerabilities and direct Exposures (CVE) to bring into play, before enterprise patch cycles catch up. For exploit package authors, Flash is the gift that continues to give.

A current FireEye blog post exhibits this common Flash vulnerability development – from virgin zero-day to newly hatched CVE and prime enterprise exploit:

On May 8, 2016, FireEye detected an attack making use of a formerly unidentified vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe launched a patch for the vulnerability in APSB16-15 just four days later (Posted to FireEye Threat Research Blog on May 13, 2016).

As a rapid test then, check your vulnerability report for that entry, for CVE-2016-4117. It was used in targeted attacks as a zero day even before it ended up being a known vulnerability. Now that it is understood, popular exploit kits will pick it up. Be sure you are ready.

Start a Flash and QuickTime Eradication Campaign

While we have not discussed QuickTime yet, Apple got rid of support for QuickTime on Windows in April, 2016. This summarily triggered a panic in corporations with great deals of Apple macOS and Windows clients. Do you get rid of all support for QuickTime? Including on macOS? Or simply Windows? How do you discover the unsupported versions – when there are numerous drifting around?



By not doing anything, you can flirt with catastrophe, with Flash vulnerability direct exposures swarming across your client endpoint environment. Otherwise, you can begin a Flash and QuickTime eradication project to move to a Flash-free business. Or, wait, possibly you inform your users not to glibly open e-mail attachments or click links. User education, that constantly works, right? I do not believe so.

One issue is that a few of your users have a job function to open attachments, such as PDF invoices to accounts payable departments, or applicant Microsoft Word resumes to recruiting departments, or legal notices sent out to legal departments.

Let’s take a closer look at the Flash exploitation explained by FireEye in the blog post mentioned above:

Attackers had embedded the Flash exploitation inside a Microsoft Office document, which was then hosted on their web server, and utilized a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the opponents could disseminate their exploitation by means of URL or email attachment. Although this vulnerability resides within Adobe Flash Player, risk actors designed this particular attack for a target operating Windows and Microsoft Office.




Even if the Flash-adverse business had actually thoroughly purged Flash enablement from all their various browsers, this exploitation would still have been successful. To completely get rid of Flash requires purging it from all browsers and disabling its execution in embedded Flash objects within Office or PDF files. Certainly that is a step that needs to be taken at least for those departments with a task function to open attachments from unsolicited emails. And extending outwards from there is a deserving configuration solidifying objective for the security conscious business.

Not to mention, we’re all awaiting the first post about QuickTime vulnerability which brings down a significant enterprise.



Written By Dr Al Hartmann And Presented By Charles Leaver, Ziften CEO

The Data Breach Investigations Report 2016 from Verizon Enterprise has actually been launched reviewing 64,199 security occurrences leading to 2,260 security breaches. Verizon defines an incident as jeopardizing the integrity, confidentiality, or availability on an information asset, while a breach is a validated disclosure of data to an unauthorized party. Given that preventing breaches is far less agonizing than withstanding them Verizon suggests numerous sections of recommended controls to be utilized by security-conscious businesses. If you don’t care to check out the full 80-page report, Ziften provides this Verizon DBIR analysis with a spotlight on Verizon’s EDR-enabled suggested controls:

Vulnerabilities Suggested Controls

A solid EDR tool performs vulnerability scanning and reporting of exposed vulnerabilities, consisting of vulnerability exposure timelines highlighting vulnerability management efficiency. The direct exposure timelines are necessary since Verizon emphasizes a methodical method that highlights consistency and coverage, versus haphazard convenient patching.

Phishing Suggested Controls

Although Verizon suggests user training to avoid phishing vulnerability, still their data shows nearly a 3rd of phishes being opened, with users clicking the link or attachment more than 1 time in 10. Not good odds if you have at least 10 users! Provided the inescapable click compromise, Verizon suggests placing effort into detection of unusual networking activity indicative of rotating, C2 traffic, or data exfiltration. A sound EDR system will not only track endpoint networking activity, however also filter it against network risk feeds recognizing destructive network targets. Ziften goes beyond this with our patent-pending ZFlow innovation to enhance network flow data with endpoint context and attribution, so that SOC personnel have vital decision context to rapidly fix network alerts.

Web App Attacks Recommended Controls

Verizon advises multi-factor authentication and monitoring of login activity to avoid compromise of web application servers. A strong EDR solution will monitor login activity and will use anomaly examining to spot unusual login patterns a sign of jeopardized credentials.

Point-of-Sale Invasions Advised Controls

Verizon suggests (and this has actually also been highly suggested by FireEye/Mandiant) strong network segmentation of Point of Sale devices. Once again, a strong EDR service ought to be tracking network activity (to recognize anomalous network contacts). ZFlow in particular is of terrific value in supplying vital choice context for suspect network activity. EDR services will likewise deal with Verizon’s recommendation for remote login tracking to POS devices. Together with this Verizon recommends multi-factor authentication, however a strong EDR ability will enhance that with additional login pattern anomaly monitoring (since even MFA can be beaten with MITM attacks).

Insider and Privilege Misuse Advised Controls

Verizon suggests “monitor the heck out of [employee] licensed everyday activity.” Continuous endpoint monitoring by a solid EDR product naturally supplies this capability. In Ziften’s case our software tracks user presence periods of time and user focus activities while present (such as foreground application use). Anomaly checking can identify unusual deviations in activity pattern whether a temporal abnormality (i.e. something has actually changed this user’s regular activity pattern) or whether a spatial anomaly (i.e. this user behavior pattern varies considerably from peer habit patterns).

Verizon also suggests tracking usage of USB storage devices, which solid EDR systems provide, considering that they can work as a “sneaker exfiltration” path.

Various Errors Advised Controls

Verizon recommendations in this area concentrate on keeping a record of previous errors to serve as a warning of mistakes to not repeat in the future. Solid EDR products do not forget; they maintain an archival record of endpoint and user activity going back to their very first release. These records are searchable at any time, perhaps after some future occurrence has revealed an intrusion and response groups need to return and “find patient zero” to unravel the incident and recognize where errors might have been made.

Physical Theft and Loss Suggested Controls

Verizon suggests (and lots of regulators demand) complete disk file encryption, specifically for mobile devices. A strong EDR system will confirm that endpoint configurations are compliant with business file encryption policy, and will notify on infractions. Verizon reports that data assets are physically lost one-hundred times more often than they are physically taken, however the impact is basically the same to the impacted business.

Crimeware Suggested Controls

Once again, Verizon emphasizes vulnerability management and consistent comprehensive patching. As noted above, correct EDR tools determine and track vulnerability direct exposures. In Ziften’s case, this keys off the National Vulnerability Database (NVD), filtering it against process image records from our endpoint tracking. This reflects an accurately upgraded vulnerability evaluation at any point in time.

Verizon likewise suggests capturing malware analysis data in your own business environment. EDR tools do track arrival and execution of new binaries, and Ziften’s system can get samples of any binary present on enterprise endpoints and send them for comprehensive static and vibrant analysis by our malware research partners.

Cyber-Espionage Advised Controls

Here Verizon particularly calls out usage of endpoint threat detection and response (ETDR) tools, describing the security tool segment that Gartner now terms endpoint detection and response (EDR). Verizon also suggests a variety of endpoint configuration solidifying steps that can be compliance-verified by EDR tools.

Verizon likewise advises strong network protections. We have currently talked about how Ziften ZFlow can considerably enhance conventional network flow tracking with endpoint context and attribution, providing a blend of network and endpoint security that is genuinely end-to-end.

Finally, Verizon advises tracking and logging, which is the first thing 3rd party incident responders request when they arrive on-scene to assist in a breach crisis. This is the prime purpose of EDR tools, given that the endpoint is the most frequent entry vector in a significant data breach.

Denial-of-Service Attacks Suggested Controls

Verizon recommends handling port access to prevent enterprise assets from being used to take part in a DoS attack. EDR products can track port use by applications and use anomaly checks to identify uncommon application port use that could suggest compromise.

Business services moving to cloud providers also need defense from DoS attacks, which the cloud supplier might provide. However, taking a look at network traffic tracking in the cloud – where the enterprise might lack cloud network visibility – options like Ziften ZFlow provide a method for collecting enhanced network flow data straight from cloud virtual servers. Do not let the cloud be your network blind spot, otherwise assailants will exploit this to fly under your radar.