With The Advances In Illumination Endpoints Are Changing – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

The conventional perimeter is dissolving quickly. So what about the endpoint?

Investment in perimeter security, as defined by firewalls, managed gateways and intrusion detection/prevention systems (IDS/IPS), is changing. These investments are being questioned, because the returns no longer justify the cost and complexity of building, maintaining, and validating these antiquated defenses.

Not only that, the paradigm has changed: workers no longer operate solely in the office. Many log time from home or out in the field, and neither location sits behind a corporate firewall. Instead of keeping the bad guys out, firewalls frequently have the opposite effect: they keep the good guys from being productive. The paradox? They create a safe haven in which adversaries can breach, hide for months, and then move on to critical systems.

So What Has Changed So Much?

The endpoint has become the last line of defense. With the failure of perimeter defense described above and a “mobile everywhere” workforce, we must now enforce trust at the endpoint. That is easier said than done, however.

In the endpoint space, identity and access management (IAM) systems are not the complete answer. Even innovative companies like Okta and OneLogin, and cloud proxy vendors such as Blue Coat and Zscaler, cannot overcome one simple truth: trust requires more than basic identification, authentication, and authorization.

Encryption is a second attempt at protecting entire libraries and specific assets. In the most recent (2016) Ponemon study on data breaches, encryption saved only 10% of the cost per breached record (from $158 to $142). It is not the remedy that some make it out to be.

The Whole Picture Is Changing

Organizations must be prepared to embrace new paradigms and attack vectors. While companies need to grant access to trusted groups and individuals, they have to do so in a better way.

Critical business systems are now accessed from anywhere, at any time, not just from desks in corporate office buildings. And contractors (the contingent workforce) are rapidly coming to make up over half of the overall enterprise workforce.

On endpoint devices, the binary is the main problem. Seemingly benign events, such as an executable crash, could indicate something basic, like the Windows 10 Desktop Window Manager (DWM) restarting. Or it could be a much deeper issue, such as a malicious file or early indicators of an attack.

Trusted access doesn’t resolve this vulnerability. According to the Ponemon Institute, between 70% and 90% of all attacks are caused by human error, social engineering, or other human factors. This requires more than simple IAM: it requires behavioral analysis.

Instead of making good better, perimeter and identity access vendors made bad faster.

When and Where Does the Bright Side Begin?

Going back a little, Google (Alphabet Corp) announced a perimeter-less network design in late 2014 and has made considerable progress since. Other organizations, from corporations to governments, have done this too (quietly and less drastically), but BeyondCorp has done it and revealed its efforts to the world. The design approach, endpoint plus (public) cloud displacing the cloistered enterprise network, is the key concept.

This changes the entire discussion of the endpoint, be it a laptop, PC, workstation, or server, as subservient to the corporate/enterprise/private/organization network. The endpoint really is the last line of defense, and it must be protected, yet it must also report its activity.

Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to tools and services based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user. BeyondCorp considers both external networks and internal networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or “tiers,” of access.

By itself, this appears harmless. But the truth is that this is a radical new model, and it is imperfect. The access criteria have shifted from network addresses to device trust levels, and the network is heavily segmented by VLANs, instead of a central design that leaves room for data breaches, hacking, and threats at the human level (the “soft chewy center”).

The good news? Breaching the perimeter is very challenging for would-be attackers, and network pivoting is next to impossible once past the reverse proxy (a common mechanism used by adversaries today, which shows that firewalls do a better job of keeping the cyber criminals in than of letting the good guys out). The design is inverted for Google cloud servers, presumably tightly managed inside the perimeter, versus client endpoints, which are just about everywhere.

Google has made some nice improvements to proven security approaches, notably 802.1X and RADIUS, and bundled them as the BeyondCorp architecture, including strong identity and access management (IAM).

Why is this important? What are the gaps?

Ziften believes in this approach because it emphasizes device trust over network trust. However, Google doesn’t specifically describe a device security agent or highlight any kind of client-side monitoring (apart from extremely strict configuration control). While there may be reporting and forensics, this is something every company should be mindful of, since it’s a matter of when, not if, bad things will happen.

Since carrying out the preliminary phases of the Device Inventory Service, we’ve consumed billions of deltas from over 15 data sources, at a typical rate of about three million daily, totaling over 80 terabytes. Retaining historical data is important in allowing us to comprehend the end-to-end lifecycle of a particular device, track and evaluate fleet-wide patterns, and perform security audits and forensic examinations.

This is an expensive and data-heavy process with two shortcomings. On ultra-high-speed networks (used by organizations such as Google, universities and research institutions), ample bandwidth lets this kind of communication occur without flooding the pipes. The first concern is that in more pedestrian corporate and government settings, it would cause significant user disruption.

Second, computing devices must have the horsepower to constantly collect and send data. While most workers would be delighted to have current developer-class workstations at their disposal, the cost of the devices and the process of refreshing them regularly make this excessive.

A Lack of Lateral Visibility

Few systems actually produce ‘enhanced’ netflow, augmenting standard network visibility with rich, contextual data.

Ziften’s trademarked ZFlow™ provides network flow information generated at the endpoint, which is otherwise obtained through brute force (human labor) or costly network devices.

ZFlow serves as a “connective tissue” of sorts that extends and completes the end-to-end network visibility cycle, adding context to on-network, off-network and cloud servers/endpoints and allowing security teams to make quicker, better-informed and more precise decisions. In essence, purchasing Ziften services results in labor cost savings, plus a boost in speed-to-discovery and time-to-remediation, because technology substitutes for human labor.

For organizations moving or migrating to the public cloud (as 56% plan to do by 2021, according to IDG Enterprise’s 2015 Cloud Survey), Ziften offers unmatched visibility into cloud servers to better monitor and secure the overall infrastructure.

In Google’s environment, only corporate-owned devices (COPE) are permitted, crowding out bring your own device (BYOD). This works for a company like Google that can hand out new devices to all staff: smartphone, tablet, laptop, and so on. Part of the reason is the vesting of identity in the device itself, plus user authentication as usual. The device must meet Google requirements, having either a TPM or a software equivalent of a TPM to hold the X.509 certificate used to confirm device identity and to facilitate device-specific traffic encryption. There must be several agents on each endpoint to verify the device identification claims called out in the access policy, which is where Ziften would have to partner with the systems management agent provider, since agent cooperation is likely necessary to the process.


In summary, Google has developed a world-class solution, but its applicability and practicality are limited to organizations like Alphabet.

Ziften provides the same level of operational visibility and security protection to the masses, using a lightweight agent, metadata/network flow tracking (from the endpoint), and a best-in-class console. For organizations with specialized needs or incumbent tools, Ziften provides both an open REST API and an extension framework (to enrich data consumption and trigger response actions).

This brings the benefits of the BeyondCorp design to the masses while conserving network bandwidth and endpoint (machine) computing resources. Since companies will be slow to move entirely away from the enterprise network, Ziften partners with firewall and SIEM vendors.

Lastly, the security landscape is steadily shifting towards managed detection and response (MDR). Managed security service providers (MSSPs) offer traditional monitoring and management of firewalls, gateways and perimeter intrusion detection, but this is inadequate. They lack the skills and the technology.

Ziften’s system has been evaluated, integrated, approved and deployed by a number of the emerging MDRs, highlighting the standardization (capability) and versatility of the Ziften platform to play a key role in remediation and incident response.

Your Organization Could Be Under Threat From Ransomware So Be Prepared – Charles Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Ransomware tailored to enterprise attack campaigns has emerged in the wild. This is an obvious evolution of consumer-grade ransomware, fueled by the larger bounties that enterprises are able to pay out, coupled with the sheer scale of the attack surface (internet-facing endpoints and unpatched software). To the hacker, your enterprise is a tempting target with a big fat wallet just begging to be turned out.

Your Company is an Enticing Target

Simple Google queries may already have identified unpatched internet-facing servers by the score across your domain, or your credulous users may already be opening “spear phishing” emails crafted just for them and purportedly authored by people they know.

The weaponized invoices go to your accounting department, the weaponized legal notices go to your legal department, the weaponized resumes go to your human resources department, and the weaponized trade publication articles go to your public relations firm. That should cover it, for a start. Add the watering hole drive-bys planted on industry sites frequented by your employees, the social media attacks targeted at your key executives and their family members, the infected USB sticks scattered around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise isn’t an “if” but a “when”: the when is continual, the who is legion.

Targeted Ransomware Has Arrived

Malware analysts are now reporting on enterprise-targeted ransomware, a natural development in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak describe this in an excerpt from Intel Security Advanced Threat Research, February 2016:

“Throughout the past couple of weeks, we have received info about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that result in automatic execution of ransomware), the attackers gained consistent access to the victim’s network through vulnerability exploitation and spread their access to any linked systems that they could. On each system, numerous tools were utilized to find, secure, and erase the original files as well as any backups.”

Careful reading of this quote immediately reveals steps to be taken. Initial penetration was by “vulnerability exploitation,” as is typically the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Since the attackers “spread their access to any linked system,” robust network segmentation and access controls are likewise required. Think of it as a watertight compartment on a warship that keeps the ship from sinking when the hull is breached. Of special note, the attackers “delete the original files in addition to any backups,” so there must be no delete access from a compromised system to its backup files: systems should only be able to append to their backups.

Your Backups Are Not Current, Are They?

Naturally, there must be current backups of any files that need to survive an enterprise intrusion. Paying the ransom is not an effective choice, since any files produced by malware are inherently suspect and must be considered tainted. Enterprise auditors or regulators cannot accept files excreted from some malware orifice as legally valid, the chain of custody having been entirely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, viruses may have been planted for later re-entry, or the malware’s file handling may simply have had errors or omissions. There would be no way to place any confidence in such data, and accepting it as valid could further jeopardize all future downstream data dependent upon or derived from it. Treat ransomware-returned data as trash. Either have a robust backup strategy, regularly tested and validated, or prepare to suffer your losses.

What Is Your Plan For a Breach?

Even with sound backups, the confidentiality of affected data must be assumed breached, since it was read by malware. Even with comprehensive network logs, it would be unwise to claim that no data had been exfiltrated. In a targeted attack the adversaries normally take stock of the data, reviewing at least samples of it to assess its potential worth; otherwise they could be leaving money on the table. Data ransom demands may simply be the final monetization stage of an enterprise breach, after all other value has been mined from the intrusion, since the ransom demand exposes the compromise.

Have a Thorough Remediation Plan

One must assume that capable adversaries have set up multiple, cunningly concealed avenues of re-entry at various staggered time points (well after your crisis team has stood down and the expensive consultants have flown off to their next gig). Any stray evidence left behind was carefully staged to deceive investigators and deflect blame. Costly re-imaging of systems must be extremely thorough, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.

Also, don’t assume system firmware has not been compromised. If you can upgrade the firmware, so can attackers. It isn’t hard for hacking groups to explore firmware hacking options when their enterprise targets standardize system hardware configurations, allowing a little laboratory effort to go a long way. The industrialization of cyber crime allows for the development and sale of firmware hacks on the dark net to a wider criminal market.

Help Is Available With Good EDR Tools

After all of this negativity, there is an answer. When it comes to targeted ransomware attacks, taking proactive steps instead of reactive cleanup is far less painful. A good Endpoint Detection and Response (EDR) tool can help on both ends. EDR tools are good at identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposing vulnerabilities that they are best removed from the environment (Adobe Flash, for instance). EDR tools are also proficient at tracking all significant endpoint events, so that investigators can identify a “patient zero” and track the pivot activity of targeted, enterprise-spreading ransomware. Attackers rely on endpoint opacity to hide their actions from security staff, but EDR is there to provide open visibility of significant endpoint events that might indicate an attack in progress. EDR isn’t limited to the old anti-virus convict-or-acquit model, which allows freshly remixed attack code to evade AV detection.

Good EDR tools are always alert, always reporting, always tracking, and available when you need them: now or retroactively. You would not ignore enterprise network activity, so don’t ignore enterprise endpoint activity.

New Trends In Behavioral Analytics Discovered In Gartner Study – Charles Leaver

Written By Josh Linder And Presented By Ziften CEO Charles Leaver

The market for enterprise behavioral analytics is evolving, once again, to support the security use case. In the current Gartner User and Entity Behavior Analytics (UEBA) Trends Report, Ziften is thrilled to be listed as a “Vendor to Watch.” We believe that our established relationships with threat intelligence feeds and visualization tools are reflected in our inclusion in this research note.

In the UEBA market report, analysts Eric Ahlm and Avivah Litan explain that there is a potential convergence in the advanced threat and analytics markets. The concept of UEBA, which extends user behavioral analytics to include organizations, business processes, and autonomous devices such as the Internet of Things, requires deep understanding and the capability to react rapidly and efficiently.

At Ziften, our established relationships with threat intelligence feeds and visualization tools are reflected in our inclusion in this research note. Our platform provides threat detection across different behavior vectors, rather than looking at a single-threaded signature feed. With integrations to orchestration and response systems, Ziften uniquely couples signature-based and behavioral analysis, while bridging the gap from securing the endpoint to securing the entity. Continuous monitoring from the endpoint, including network flow, is crucial to understanding the complete risk landscape and essential for a holistic security architecture.

We applaud Gartner for identifying four areas for security and analytics vendors to concentrate on: User Behavior, Host/App Behavior, Network Behavior, and External Communications Behavior. We are the only endpoint vendor, today, to monitor both network behavior and external communications behavior. Ziften’s ZFlow™ uses network telemetry to go beyond basic IPFIX flow data, augmenting it with Layer 4 and Layer 5 operating system and user behavior. Our threat intelligence integration, with Blue Coat, iSIGHT Partners, AlienVault and the National Vulnerability Database, is second to none. Furthermore, our unique relationship with ReversingLabs provides binary analysis directly within the Ziften administration console.

Ultimately, our continuous endpoint visibility solution is pivotal in helping to discover behavioral risks that are hard to correlate without the use of advanced analytics.

Gartner Report

Six additional technology trend takeaways that Gartner readers should consider:

– Application of Analytics to Finding Breaches Differs
– Data Science for Analytics Technologies Still Emerging
– The Need for Extended Telemetry Drives Analytics Market Convergence
– Convergence Between Analytics-Based Detection Vendors and Orchestration/Response Vendors Likely
– SIEM Technologies Positioned to Be Central to Consolidation for Analytics Detection
– Advanced Behavioral Analytics Providers Extending Their Reach to Security Buyers


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Before A Breach Occurs Use These 6 Questions For Damage Control – Charles Leaver

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The truth of modern life is that if cyber attackers want to breach your network, it is simply a matter of time before they do. The endpoint is the most common vector of cyber attacks, and people are the greatest point of vulnerability in any company. The endpoint device is where they interact with whatever information an attacker seeks: intellectual property, data, cyber ransom, and so on. There are new Next Generation Endpoint Security (NGES) solutions, of which Ziften is a leader, that offer the needed visibility and insight to help reduce or avoid the likelihood or duration of an attack. Methods of prevention include reducing the attack surface by eliminating known vulnerable applications, cutting version proliferation, eliminating harmful processes, and ensuring compliance with security policies.

But prevention can only go so far. No solution is 100% reliable, so it is important to take a proactive, real-time approach to your environment: watching endpoint behavior, detecting when breaches have happened, and responding immediately with remediation. Ziften also offers these capabilities, generally called Endpoint Detection and Response, and organizations should change their mindset from “How can we avoid attacks?” to “We are going to be breached, so what do we do then?”

To understand the true ramifications of an attack, organizations need to be able to rewind the clock and reconstruct the conditions surrounding a breach. Security investigators need answers to the following six questions, and they need them quickly, because Incident Response staff are outnumbered and working within limited time windows to mitigate damage.

Where was the cyber attack activity first seen?

This is where the ability to look back to the point in time of initial infection is crucial. To do this effectively, organizations need to be able to go as far back in time as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that when a cyber breach occurs, the typical dwell time before it is identified is a shocking 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to penetrate organizations within minutes. That’s why NGES solutions that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the initial critical penetration. The DBIR also found that 95% of malware types were seen for less than four weeks, and four out of five didn’t last seven days. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack occurred), and reconstruct the initial infection.

How did it behave?

What happened step by step after the initial infection? Did malware execute for a second every five minutes? Was it able to obtain escalated privileges? A continuous picture of what happened at the endpoint behaviorally is vital to get an investigation started.

How and where did the cyber attack spread after the initial compromise?

Usually the attacker isn’t after the information available at the point of infection, but rather wants to use it as an initial beachhead from which to pivot through the network to reach the valuable data. Endpoints include the servers that the endpoints are connected to, so it is important to be able to see a complete picture of any lateral movement that happened after the infection, to know what assets were compromised and possibly also infected.

How did the behavior of the infected endpoint(s) change?

What was going on before and after the infection? What network connections were being attempted? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are vital to quick triage.

What user activity took place, and was there any potential insider participation?

What actions did the user take before and after the infection occurred? Was the user present on the device? Was a USB drive inserted? Was the time period outside their typical usage pattern? These and many more artifacts must be supplied to paint a full picture.

What mitigation is needed to resolve the cyber attack and avoid the next?

Reimaging the infected machine(s) is a lengthy and expensive solution, but often it is the only way to know for sure that all malicious artifacts have been eliminated (although state-sponsored attacks may embed into system or drive firmware to remain immune even to reimaging). However, with a clear picture of all activity that took place, lesser actions such as removing malicious files from all affected systems may be enough. Re-examining security policies will probably be necessary, and NGES solutions can help automate actions in the future should comparable circumstances occur. Automatable actions include sandboxing, cutting off network access from infected machines, killing processes, and much more.

Do not wait until after a cyber attack happens and you have to hire an army of specialists and spend valuable time and money piecing the facts together. Ensure you are prepared to answer these six crucial questions and have all the answers at your fingertips in minutes.

Why Compromised Endpoints Are The Likely Starting Point For The IRS Hack – Charles Leaver

Written By Michael Steward And Presented By Charles Leaver CEO Ziften

IRS Hackers Make Early Returns Because of Previous External Attacks

The Internal Revenue Service breach was the most unusual cyber attack of 2015. Classic attacks today involve phishing emails aimed at gaining initial access to target systems, followed by lateral movement until data exfiltration occurs. But the IRS hack was different: much of the data needed to perform it had already been obtained. In this case, all the attackers had to do was walk in the front door and file the returns. How could this happen? Here’s what we know:

The IRS website has a “Get Transcript” feature for users to retrieve previous income tax return information. As long as the requester can provide the appropriate information, the system will return past and present W2s, old income tax returns, and so on. With anyone’s SSN, date of birth and filing status, the hackers could begin retrieving past filing years’ details. The system also had a Knowledge Based Authentication (KBA) system, which asked questions based on the requested user’s credit report.

KBA isn’t foolproof, though. The questions it asks can often be guessed based on other information already known about the user. The system asks questions such as “Which of the following streets have you lived on?” or “Which of the following cars have you owned?”

After the dust settled, it was estimated that the hackers attempted to gather 660,000 transcripts of prior taxpayer information via Get Transcript, and succeeded in 334,000 of those attempts. The unsuccessful attempts appear to have gotten as far as the KBA questions, where the hackers could not provide the correct answers. It’s estimated that the hackers made off with over $50 million. So, how did they do it?

Security researchers theorize that the hackers used information from previous attacks, such as SSNs, DOBs, addresses and filing statuses, to try to obtain prior income tax return information on their target victims. If they succeeded and answered the KBA questions correctly, they submitted a claim for the 2015 calendar year, often inflating the withholding amount on the tax return form to get a larger refund. As mentioned earlier, not all attempts succeeded, but over 50% of the attempts resulted in significant losses for the IRS.

Detection and response systems like Ziften are focused on recognizing when endpoints have been compromised (such as through phishing attacks). We do this by providing real-time visibility of Indicators of Compromise (IoCs). If the theories are correct and the attackers used information gleaned from previous attacks outside the IRS, the compromised businesses could have benefited from the visibility Ziften offers and mitigated mass data exfiltration. Ultimately, the IRS seems to be the vehicle, rather than the initial victim, of these cyber attacks.

Here Is Why Customers Of Comcast Are At Risk From Data Exfiltration And Shared Hacking – Charles Leaver

Written By Michael Pawloski And Presented By Ziften CEO Charles Leaver

The Clients Of Comcast Are Victims Of Data Exfiltration and Shared Hacks Via Other Companies

The personal information of approximately 200,000 Comcast customers was compromised on November 5th 2015. Comcast was forced to make this announcement when it emerged that a list of 590,000 Comcast customer emails and passwords could be bought on the dark web for a mere $1,000. Comcast maintains that there was no security attack on its network, but rather that the data came from past, shared hacks of other companies. Comcast further claims that only 200,000 of these 590,000 customers actually still exist in its system.

Less than two months earlier, Comcast had already been hit with a $22 million penalty over its unintentional publishing of nearly 75,000 customers’ personal details. Somewhat ironically, these customers had specifically paid Comcast for “unlisted voice-over-IP,” a line item on the Comcast bill that specified that each customer’s details would be kept private.

Comcast instituted a mass reset of 200,000 customer passwords, since attackers may have accessed these accounts before the list was offered for sale. While a simple password reset by Comcast will to some extent secure these accounts going forward, it does nothing to protect those customers who may have reused the same email and password combination on banking and payment card logins. If the customer accounts were accessed before the list was disclosed, it is entirely possible that other personal information, such as automatic payment details and home address, was already obtained.

The conclusion: assuming Comcast wasn’t hacked directly, it was the victim of numerous other hacks that contained data connected to its customers. Detection and Response systems like Ziften can prevent mass data exfiltration and often mitigate the damage done when these inevitable attacks occur.

If Trump Hotels Had Visibility Of Point Of Sale Vulnerabilities They Would Probably Have Avoided A Breach – Charles Leaver

Written By Matthew Fullard Presented By Charles Leaver CEO Ziften

Trump Hotels Point of Sale Vulnerabilities Emphasize the Need for Faster Detection of Anomalous Activity

Trump Hotels suffered a data breach between May 19th 2014 and June 2, 2015. The point of infection was malware, which infected their front desk computer systems, POS systems, and restaurants. However, in their own words they claim that they “did not discover any evidence that any customer information was taken from our systems.” While it’s comforting to learn that no evidence was found, if malware is present on POS systems it is most likely there to steal information related to the credit cards that are swiped, or increasingly tapped, inserted, or waved. An absence of evidence does not imply the absence of criminal activity, and to Trump Hotels’ credit, they have offered free credit monitoring services.

If one examines a Point-of-Sale (or POS) system, however, an administrator will find one thing in abundance: these systems rarely change, and the software will be nearly uniform across the deployment ecosystem. This presents both positives and negatives when considering how to protect such an environment. Software changes are slow to happen, need extensive testing, and are hard to roll out.

Nevertheless, because such an environment is so homogeneous, it is also much easier to recognize Point of Sale vulnerabilities when something has changed.

At Ziften we monitor all executing binaries and network connections within an ecosystem the second they occur. If a single POS system began to make new network connections, or began running new software, regardless of its intent, it would be flagged for further review and assessment. Ziften also collects unlimited historical data from your environment. If you need to know exactly what happened 6 to twelve months ago, this is not a problem. Dwell times and antivirus detection rates can now be determined using our integrated threat feeds, along with our binary collection and submission technology. Likewise, we’ll tell you which users launched which applications at what time across this historical record, so you can find your initial point of infection.

POS problems continue to afflict the retail and hospitality industries, which is a pity given how straightforward the environment is to monitor with detection and response.

If Only Marriott Had Used Continuous Endpoint Visibility Then Their Point Of Sale Attack Could Have Been Prevented – Charles Leaver

Written By Andy Wilson And Presented By Ziften CEO Charles Leaver

US retail outlets still appear to be an appealing target for hackers seeking payment card data: Marriott franchisee White Lodging Services Corp announced a data breach in the spring of 2015, impacting customers at 14 hotels across the nation from September 2014 to January 2015. This breach comes after White Lodging suffered a similar breach in 2014. The cyber criminals in both cases were reportedly able to compromise the Point-of-Sale systems of the Marriott lounges and restaurants at several locations run by White Lodging. The attackers were able to obtain the names printed on customers’ credit or debit cards, the card numbers, the security codes and the card expiration dates. Point-of-Sale systems were also the focus of recent breaches at Target, Neiman Marcus, Home Depot, and others.

Traditionally, Point-of-Sale (or POS) systems at most US retail outlets were “locked down” Windows devices running a small set of applications geared towards their function: ringing up the sale and processing the transaction with the credit card merchant or bank. Modern Point of Sale terminals are essentially PCs that run email applications, internet browsers and remote desktop tools in addition to their transaction software. To be fair, they are often deployed behind a firewall, but they are still ripe for exploitation. The best defenses can and will be breached if the target is valuable enough. For instance, the remote control tools used for management and updating of Point of Sale systems are frequently hijacked by hackers for their own purposes.

The credit card or payment processing network is a totally different, air-gapped, and encrypted network. So how did cyber attackers manage to steal the credit card data? They took the data while it was in memory on the Point of Sale terminal as the payment was being processed. Even if retailers don’t store credit card information, the data can be in an unencrypted state on the POS device while the payment transaction is verified. Memory-scraping POS malware such as PoSeidon, FindPOS, FighterPOS, and PunKey is used by the data thieves to harvest the payment card information in its unencrypted state. The data is then typically encrypted and retrieved by the hackers, or sent out to the Internet where it’s collected by the thieves.

Ziften’s system provides continuous endpoint visibility that can discover and remediate these types of threats. Ziften’s MD5 hash analysis can detect new and suspicious processes or .dll files running in the Point of Sale environment. Ziften can also kill the process and collect the binary for further action or analysis. It’s also possible to detect Point of Sale malware by alerting on Command and Control traffic. Ziften’s integrated Threat Intel and Custom Threat Feed options enable customers to be alerted when POS malware talks to C&C nodes. Lastly, Ziften’s historical data allows customers to begin the forensic evaluation of how the malware got in, what it did after it was installed and executed, and which other machines are infected.
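The baseline-deviation approach described in the Trump Hotels post above (flag a register the moment it runs new software or opens new connections, then walk the history back to the first user and host) and the hash analysis and C&C alerting described in this post, worked as an added Python example; this is not Ziften’s code nor code from the original posts. The telemetry lines, the baseline hashes, the threat-feed hash and the C&C address are all constructed placeholders for the example.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts host kind value user")

# Constructed baseline for a homogeneous register fleet: the only binary hashes
# a register should execute and the only destinations it should reach.
BASELINE_HASHES = {"11111111111111111111111111111111": "register.exe",
                   "22222222222222222222222222222222": "cardreader.dll"}
BASELINE_DESTS = {"payment-gw.example.net:443", "updates.example.net:443"}
# Constructed threat-feed entries (placeholders, not real indicators).
KNOWN_BAD_HASHES = {"ffffffffffffffffffffffffffffffff"}
C2_HOSTS = {"203.0.113.45"}

# Constructed telemetry, one event per line: ts|host|kind|value|user.
TELEMETRY = """\
2015-05-20T08:01:05|POS-07|exec|11111111111111111111111111111111|svc_pos
2015-05-20T08:01:06|POS-07|conn|payment-gw.example.net:443|svc_pos
2015-05-20T09:14:22|POS-07|exec|99999999999999999999999999999999|jdoe
2015-05-20T09:14:25|POS-07|conn|198.51.100.7:443|jdoe
2015-05-20T09:14:30|POS-07|conn|203.0.113.45:8080|jdoe
2015-05-21T10:00:00|POS-12|exec|99999999999999999999999999999999|svc_pos
2015-05-21T10:00:03|POS-12|conn|203.0.113.45:8080|svc_pos
2015-05-21T11:30:00|POS-12|exec|ffffffffffffffffffffffffffffffff|svc_pos
"""

def parse_telemetry(text):
    """Parse pipe-delimited telemetry into Event records, skipping blank lines."""
    return [Event(*line.split("|")) for line in text.splitlines() if line.strip()]

def triage(events):
    """Flag every deviation from the baseline; a threat-feed hit outranks 'new'."""
    alerts = []
    for ev in events:
        if ev.kind == "exec":
            if ev.value in KNOWN_BAD_HASHES:
                alerts.append((ev.ts, ev.host, "known-bad-binary", ev.value))
            elif ev.value not in BASELINE_HASHES:
                alerts.append((ev.ts, ev.host, "new-binary", ev.value))
        elif ev.kind == "conn":
            if ev.value.rsplit(":", 1)[0] in C2_HOSTS:
                alerts.append((ev.ts, ev.host, "c2-traffic", ev.value))
            elif ev.value not in BASELINE_DESTS:
                alerts.append((ev.ts, ev.host, "new-destination", ev.value))
    return alerts

def first_seen(events, digest):
    """Earliest execution of a hash across the history: the initial point of infection."""
    execs = [e for e in events if e.kind == "exec" and e.value == digest]
    return min(execs, key=lambda e: e.ts) if execs else None
```

Note that the unknown binary on POS-07 is flagged before it appears on any feed, purely because it is outside the fleet baseline; the feed match on POS-12 only raises the severity.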

It’s past time for retailers to step up their game and look for new solutions to protect their customers’ credit cards.

The Use Of Continuous Monitoring Is The Best Way For Experian To Learn From Past Mistakes – Charles Leaver

Written By Josh Applebaum And Presented By Charles Leaver Ziften CEO

Experian Has to Learn from Mistakes Of The Past And Implement A Continuous Monitoring Service

Working in the security sector, I have always felt my work was hard to explain to the average person. Over the last few years, that has changed. Regrettably, we are seeing a new data breach revealed every few weeks, with many more that are kept private. These breaches are getting front page headlines, and I can now explain to my friends what I do without losing them after a few sentences. However, I still wonder what it is we’re learning from all of this. As it turns out, many companies are not learning from their own mistakes.

Experian, the global credit reporting company, is a company with a lot to learn. Several months ago Experian announced it had discovered that its servers had been breached and consumer data had been taken. When Experian revealed the breach they reassured customers that “our consumer credit database was not accessed in this event, and no credit card or banking info was taken.” Although Experian took the time in their announcement to assure their customers that their financial information had not been stolen, they also elaborated on what data actually was taken: consumers’ names, addresses, Social Security numbers, birth dates, driver’s license numbers, military ID numbers, passport numbers, and additional information used in T-Mobile’s own credit assessment. This is scary for two reasons: the first is the type of data that was taken; the second is the fact that this isn’t the first time this has happened to Experian.

Although the cyber criminals didn’t walk away with “payment card or banking details,” they did walk away with personal data that could be exploited to open new credit card, banking, and other financial accounts. This in itself is a reason the T-Mobile customers involved need to be nervous. However, all Experian customers ought to be a little anxious.

As it turns out, this isn’t the first time the Experian servers have been compromised by hackers. In early 2014, T-Mobile announced that a “relatively small” number of its customers had their personal details taken when Experian’s servers were breached. Brian Krebs has a very well-written blog post about how the hackers breached the Experian servers the first time, so we won’t go into too much detail here. In the first breach of Experian’s servers, hackers exploited a vulnerability in the organization’s support ticket system, which was left exposed without first requiring a user to authenticate before using it. Now to the scary part: although it became widely known that the cyber attackers exploited a vulnerability in the organization’s support ticket system to gain access, it wasn’t until soon after the second hack that the support ticket system was shut down.

It would be hard to imagine that it was a coincidence that Experian chose to take down their support ticket system just weeks after they revealed they had been breached. If this wasn’t a coincidence, then let’s ask: what exactly did Experian learn from the first breach, where attackers got away with sensitive customer data? Companies who store their customers’ sensitive information must be held accountable not just for protecting their customers’ data, but also for making sure that, if breached, they patch the holes that are found while investigating the attack.

When companies are investigating a breach (or possible breach) it is imperative that they have access to historical data, so that investigators can piece back together the puzzle of how the cyber attack unfolded. At Ziften, we offer a solution that gives our customers a continuous, real-time view of everything that happens in their environment. In addition to providing real-time visibility for detecting attacks as they happen, our continuous monitoring solution records all historical data to enable customers to “rewind the tape” and piece together what occurred in their environment, no matter how far back they have to look. With this new visibility, it is now possible not only to discover that a breach took place, but also to find out why the breach occurred, and hopefully to learn from past mistakes to keep them from happening again.

The UCLA Health Data Breach Just Proves That Organizations Haven’t Learned – Charles Leaver

Written By Craig Hand And Presented By Ziften CEO Charles Leaver

UCLA Health Data Breach Probably Down To Poor Security

UCLA Health announced on July 17th 2015 that it was the victim of a health data breach impacting as many as 4.5 million healthcare customers from the four health centers it runs in the Southern California area. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed, but no evidence yet suggests that the data was stolen. This data went as far back as 1990. The officials also stated that there was no evidence at this time that any credit card or financial data was accessed.

“At this time” is key here. The information accessed (or potentially taken; it’s certainly hard to know at this point) is virtually good for the life of that individual and potentially still useful past the death of that person. The details available to the perpetrators included: names, addresses, contact numbers, Social Security numbers, medical conditions, medications prescribed, medical treatments performed, and test results.

Little is known about this cyber attack, like so many others we hear about but never get any real details on. UCLA Health discovered unusual activity in sections of its network in October of 2014 (although access potentially started one month earlier), and immediately contacted the FBI. Finally, by May 2015 – a full 7 months later – investigators stated that a data breach had occurred. Again, officials claim that the attackers are probably highly sophisticated, and not in the United States. Finally, we the general public get to learn about the breach a full 2 months later, on July 17, 2015.

It’s been said many times before that we as security professionals have to be right 100% of the time, while the bad guys only need to find that 1% that we may not be able to get right. Based on our research about the breach, the bottom line is that UCLA Health had inferior security practices. One reason is the simple fact that the accessed data was not encrypted. We have had HIPAA for a while now, and UCLA is a well-regarded bastion of higher education, yet still they failed to secure data in the most basic ways. The claim that these were highly sophisticated individuals is also suspect, as so far no real proof has been produced. After all, when was the last time that an organization that has been breached declared it wasn’t from a “sophisticated” cyber attack? Even if they claim they have such evidence, as members of the public we will not get to see it in order to verify it properly.

Because there isn’t enough disclosed information about the breach, it’s hard to determine whether any solution would have helped in finding the breach earlier rather than later. Nevertheless, if the breach started with malware being delivered to and launched by a UCLA Health network user, the likelihood that Ziften could have helped in discovering the malware and potentially stopping it would have been fairly high. Ziften could also have alerted on suspicious, unknown, or known malware, as well as on any communications the malware might have made in order to spread internally or to exfiltrate data to an external host.

When are we going to learn? As we all know, it’s not a matter of if, but when, organizations will be breached. Smart organizations are preparing for the inevitable with detection and response solutions that reduce damage.