8 Principles And 8 Keys For The OMB 30 Day Cyber Security Sprint – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

After a massive data breach at the Office of Management and Budget (OMB), Federal Chief Information Officer Tony Scott ordered agencies to take immediate, specific actions over the following four weeks to further strengthen the security of their data and systems. For an organization this large it was a bold step, but software development has shown that a short, focused sprint can make a great deal of headway on a problem in a small amount of time. That is particularly true for large organizations, and the OMB is certainly large.

The sprint focused on eight principles. We have broken each one down and offered insight on how it could be made more effective within the timeframe, to help the government make significant inroads in just a month. As you would expect, we look at things from the endpoint, and reading through the eight principles shows how endpoint visibility would have been crucial to a successful sprint.

1. Securing data: Better protect data at rest and in transit.

This is a great start, and rightly priority number one, but we would certainly recommend that the OMB add the endpoint here. Many data protection programs forget the endpoint, yet that is where data is most exposed, whether at rest or in transit. The team should check whether it can assess endpoint software and hardware configuration, including the presence of any data protection and system protection agents, and not forget checking Microsoft BitLocker configuration. That is just the start: compliance checking of mandated agents must not be overlooked, and it must run continuously so that percentage coverage for each agent can be reported for audit.

2. Improving situational awareness: Enhance indication and warning.

Situational awareness is similar to visibility: can you see what is actually happening, where, and why? And it has to be in real time. During the sprint it should be verified that the following can be identified and tracked: logged-in users, user focus activities, user presence indicators, active processes, network contacts with process-level attribution, system stress levels, notable log events, and a myriad of other activity indicators across many thousands of endpoints hosting vast numbers of processes. THAT is situational awareness for both indication and warning.

3. Increasing cyber security proficiency: Ensure a robust capability to recruit and retain cyber security personnel.

This is a challenge for any security program. Finding great talent is hard, and retaining it is harder still. To attract this kind of skill set, offer the latest tools for cyber defense. Make sure staff have a system that gives total visibility of what is happening at the endpoint and across the entire environment. As part of the sprint the OMB should analyse the tools in place and ask whether each tool turns the security team from the hunted into the hunter. If not, replace that tool.

4. Increase awareness: Enhance overall threat awareness by all users.

Threat awareness starts with effective threat scoring, and fortunately this can be achieved dynamically all the way down to the endpoint, which in turn helps educate every user. User education is a task that is never complete, as the continued success of social engineering attacks confirms. But when security teams have endpoint risk scoring, they have concrete evidence to show users where and how they are vulnerable. This real-world situational awareness (see #2) improves user knowledge, and it also gives the security team precise information on, for example, known software vulnerabilities, compromised credentials and insider adversaries, while continuously monitoring system, user and application activity and network points of contact, so that security analytics can surface elevated threats for security staff to triage.

5. Standardizing and automating procedures: Reduce time required to manage configurations and patch vulnerabilities.

Security solutions should be required to deliver more protection, and to be immediately deployable without tedious preparation, network standup or substantial staff training. Did the solutions in place take longer than a couple of days to implement, or demand another full-time employee (FTE), or even half an FTE? If so, reconsider those solutions: they are most likely hard to use (see #3) and are not doing the job you require, so the existing tooling needs to be improved. Also, look for endpoint solutions that not only report software and hardware configurations and active services and processes, but also use the National Vulnerability Database to report the vulnerabilities actually exposed by running software, and then assign an overall vulnerability score to each endpoint so that overworked support staff can prioritize patching.

6. Controlling, containing and recovering from incidents: Contain malware proliferation, privilege escalation and lateral movement. Rapidly identify and resolve events and incidents.

Fast identification of and response to incidents is the main objective in the new world of cyber security. During its 30-day sprint, the OMB should evaluate its solutions and make sure to find technologies that not only monitor the endpoint but also track every process that runs and all of its network contacts, including user login attempts, to support tracking of malware proliferation and lateral network movement. Data from endpoint command and control (C2) accesses associated with major data breaches suggests that about half of compromised endpoints do not host identifiable malware, which heightens the relevance of login and contact activity. Appropriate endpoint security will retain OMB endpoint data for long-term analysis, since many indicators of compromise become available only after the event, or even long afterwards, while persistent attackers may quietly lurk or stay dormant for long periods. Attack code that can be detonated in a sandbox and recognized within minutes is not the mark of an advanced attacker. The ability to retain clues and connect the dots across both space and time is essential to complete identification and to a resolution that does not recur.

7. Strengthening systems lifecycle security: Increase the intrinsic security of platforms by buying more secure systems and retiring legacy systems in a timely way.

This is a worthy objective, and an enormous challenge at an organization as large as the OMB. It is another place where proper endpoint visibility can immediately determine and report endpoint software and hardware configurations, operating system SKUs and patch levels, system stress levels, endpoint mishaps (such as application crashes or hangs, service failures, or system crashes), and other indicators of endpoints outliving their useful or secure life span. The result is a full inventory that can be prioritized for retirement and replacement.

8. Minimizing attack surfaces: Reduce the complexity and quantity of things defenders need to safeguard.

If principles 1 through 7 are completed, with the endpoint properly considered, that alone is a substantial step in reducing attack risk. In addition, endpoint security can actually provide a view of the real attack surface. Consider the ability to measure attack surface in terms of the number of distinct binary images exposed across the whole endpoint population. For instance, our ‘Ziften Pareto analysis’ of binary image frequency statistics produces a typical “ski slope” distribution, with a long thin tail representing vast numbers of very uncommon binary images (present on less than 0.1% of all endpoints). Ziften identifies attack surface bloat factors, including application sprawl and version proliferation (which also complicates vulnerability lifecycle management). Data from numerous customer deployments shows outright bloat factors of 5-10X compared with a tightly managed and disciplined endpoint population. Such lax endpoint management and bloated attack surfaces create a target-rich hackers’ paradise.
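The frequency analysis described above, as an added illustration that is not Ziften's own code: it counts how many endpoints carry each binary image, isolates the long tail of images present on fewer than 0.1% of endpoints, and compares the unique-image count of a lax population against a disciplined baseline to get a bloat factor. The inventory is constructed inline (image names like `core-001`, `oneoff-0005` and the population shape are assumptions, not customer data).

```python
from collections import Counter


def build_population(n_endpoints=2000, n_core=40, n_dept=10, tail_every=None):
    """Construct a synthetic endpoint inventory: {endpoint_id: set(image_ids)}.

    Every endpoint runs the same n_core images; endpoints are split into
    n_dept departments, each running one departmental app. If tail_every is
    set, every tail_every-th endpoint also carries a one-off binary nobody
    else has, which is the kind of long tail a lax population shows.
    (Constructed sample data, not a real deployment.)
    """
    inventory = {}
    for i in range(n_endpoints):
        images = {f"core-{k:03d}" for k in range(n_core)}
        images.add(f"dept-{i % n_dept:02d}")
        if tail_every and i % tail_every == 0:
            images.add(f"oneoff-{i:04d}")
        inventory[f"ep-{i:04d}"] = images
    return inventory


def image_prevalence(inventory):
    """For each binary image, the number of endpoints that carry it."""
    counts = Counter()
    for images in inventory.values():
        counts.update(images)
    return counts


def rare_images(inventory, max_fraction=0.001):
    """Images present on fewer than max_fraction of endpoints (default 0.1%)."""
    n = len(inventory)
    prevalence = image_prevalence(inventory)
    return sorted(img for img, c in prevalence.items() if c / n < max_fraction)


def bloat_factor(population, baseline):
    """Ratio of unique images in a population to those in a disciplined baseline."""
    return len(image_prevalence(population)) / len(image_prevalence(baseline))


def pareto_summary(inventory, max_fraction=0.001):
    """Summarise the 'ski slope': ubiquitous head versus rare tail."""
    n = len(inventory)
    ranked = image_prevalence(inventory).most_common()  # descending frequency
    rare = [img for img, c in ranked if c / n < max_fraction]
    return {
        "endpoints": n,
        "unique_images": len(ranked),
        "ubiquitous_images": sum(1 for _, c in ranked if c == n),
        "rare_images": len(rare),
        "rare_share": len(rare) / len(ranked),
    }


if __name__ == "__main__":
    lax = build_population(tail_every=5)          # one-off binary on every 5th endpoint
    disciplined = build_population(tail_every=None)
    for image, count in pareto_summary(lax) and image_prevalence(lax).most_common(3):
        print(f"{image:<12} on {count} endpoints")
    print(pareto_summary(lax))
    print("bloat factor vs disciplined baseline:", bloat_factor(lax, disciplined))
```

The one-off images sit on a single endpoint each (0.05% of 2000), so they fall below the 0.1% threshold and make up most of the unique-image count, which is exactly why the tail, not the common core, drives the bloat factor.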

The OMB sprint is an excellent reminder to us all that good things can be achieved rapidly, but that it takes vision, not to mention visibility. Visibility down to the endpoint will be a crucial piece for the OMB to consider as part of its 30-day sprint.

With Data Breach Costs Up Again The Third Reason For This Will Surprise You – Charles Leaver

Written By Patrick Kilgore And Presented By Charles Leaver

Two major reports that recently appeared both celebrated big anniversaries. On one hand there was Mary Meeker’s 20th annual Internet study. Meeker led some of the earliest industry analysis of the Internet, and this report marked twenty years of her influence on how the Internet is viewed. On the other hand, ten years after Meeker’s first observations, the Ponemon Institute published its first study of data breach costs.

Just ten years after the Internet took hold, it was clear that the service that brings such benefits to our businesses and lives has an ugly downside. Today more annual studies are published about data breaches than about the Internet itself. We recently spent hours reviewing and absorbing two of the biggest data breach reports in the industry: the Ponemon report already mentioned and the now highly influential Verizon DBIR (a report important enough to go by an acronym).

There were intersections between the two reports, but the Ponemon report deserves credit on its own account: if you have kept doing anything in security for ten years, you must be doing something right. The report has many fascinating statistics, but the factors behind the skyrocketing total cost of data breaches interested us most.

The Ponemon studies identify three drivers behind the increased cost of a breach. The first is that cyber attacks have increased in number, which has correlated with higher costs to remediate them; an increase in per capita cost from $159 to $170 year on year is cited. That is a 5% jump from 42% to 47% of the overall root causes of a breach. Second, lost business as a result of a data breach has increased: in aggregate it rose from $1.33 M to $1.57 M in 2015, driven by abnormal customer turnover, increased customer acquisition activity, and the loss of goodwill that follows being the target of a malicious attack. The most interesting driver, however, is that data breach costs associated with detection and escalation have increased.

These costs include investigations and forensics, crisis team management, and audits and assessments. The trend now appears to be gathering speed, at just shy of a massive $1 billion. Organizations are only now beginning to implement the solutions needed to continuously monitor the endpoint and provide a clear picture of the origin and full impact of a breach.

Organizations not only need to monitor the growth of devices in a BYOD world, but also to make better use of the security resources they have already invested in, so as to reduce the cost of these investigations. Threats need to be stopped in real time rather than identified retrospectively.

“Avoidance may not be possible in the world we live in. With harmful threats becoming more and more common, organizations will have to evolve their M.O. beyond traditional AV solutions and look to the endpoint for total defense,” said Larry Ponemon in his webcast with IBM.


Charles Leaver – Increased Data Loss Risk For Organizations Due To BYOD Passwords And Employee Sharing

Written By Charles Leaver Ziften CEO


If your organization has implemented a bring your own device (BYOD) policy, you are at increased risk of cyber crime and data loss, because the devices will normally have inadequate control and endpoint security in place. On mobile devices, staff frequently access consumer cloud services and follow password practices that are not secure enough, and this accounts for a large share of the risks associated with BYOD. Endpoint software that provides visibility into exactly what is running on a device can help IT departments understand and address their vulnerabilities.

BYOD is a common way for executives and employees to access sensitive business data on their personal tablets, laptops and smartphones. A ZDNet survey revealed that nearly nine out of ten companies in Australia had granted some of their senior IT staff access to critical business information through their own BYOD devices, and 57% said they had offered it to at least 80% of their leadership. Among less privileged and newly hired staff, the proportion granted BYOD access was still as high as 64%, although these workers were not granted access to financial information.

With the number of BYOD devices growing, many organizations have not implemented the endpoint management strategies needed to secure their increasingly mobile workflows. Almost 50% of respondents said their organizations had no BYOD policies, and just 17% confirmed that their practices were ISO 27001 certified.

Safe BYOD Is Most Likely At Most Risk From Passwords

Among organizations that had taken steps to protect BYOD, password and acceptable use policies were the most common. However, passwords may represent a critical and particular vulnerability in BYOD implementations, because users typically reuse the same passwords and those passwords are not strong enough. While companies with a BYOD policy will certainly increase the risk of an external hacker attack, there may be an even greater internal threat, said former Federal Trade Commission executive Paul Luehr in an interview with CIO Magazine’s Tom Kaneshige.

Luehr told Kaneshige, “the most typical way BYOD policies affect data security and breaches is in the cross-pollination of passwords. An individual is most likely utilizing the same or extremely similar password as the one they use on their home devices.”

Luehr noted that disgruntled employees, who will often expose important data once they have been let go, are prime threats for organizations that permit BYOD. Because of BYOD the distinction between work and home is vanishing, and some workers practise risky behavior such as using social networks on corporate networks, which can be a prelude to sharing sensitive information, wilfully or carelessly, through cloud services. The productivity gains made with BYOD have to be preserved by implementing comprehensive endpoint security.

Organizations Face The Possibility Of Data Attacks Now More Than Ever So Data Loss Prevention Strategies Must Be Pursued – Charles Leaver

By Ziften CEO Charles Leaver

For United States companies, a major cyber attack and the resulting data leakage is looking more like a matter of “when” rather than “if”, because of the new risks presented by fragmented endpoint strategies, cloud computing and data-intensive applications. All too often organizations ignore or improperly address vulnerabilities that are known to them, and when aging IT assets are not properly protected, cyber criminals take notice.

The number of data breaches taking place is very troubling. A report from the Verizon Risk Team counted 855 significant breaches in 2011, which led to 174 million records being lost. The stakes are especially high for companies that handle personally identifiable information (PII): if employees are not educated on compliance and endpoint data protection measures are inadequate, expensive legal action is likely to follow.

“The probability of a data breach or privacy problem happening in any business has become a virtual certainty,” stated Jeffrey Vagle, a legal expert writing for Mondaq. He advised that record keepers have to reassess their approach to network and device security, employee data access controls and the administration of PII. The increasing use of cloud services can make preventing data breaches more of a challenge, as these services enable the exchange of enormous amounts of information at a time; a single incident could lose millions of files.

Known Vulnerabilities Require Focus

Many IT departments worry constantly about zero day attacks that will cause a data breach and catch them off guard. As an example, Dirk Smith of Network World discussed an Adobe Acrobat exploit that opened the door for hackers to conduct advanced surveillance. Many IT vulnerabilities arise when software is not kept patched, and many zero day threats arise from weaknesses in legacy code, including a bug in Windows that affected features first introduced twenty years earlier.

Security professional Jim Kennedy wrote in a Continuity Central post: “something that I have discovered is that much of the breaches and intrusions which prospered did so by attacking known vulnerabilities that had been determined and had actually been around for many years: not from some sophisticated ‘zero-day’ attack which was unidentified and unknown until only the other day by the security community at large. And, much more troubling, social engineering continues to be a most effective way to begin and/precipitate an attack.”

The cyber criminal fraternity now has access to a comprehensive range of pre-packaged malware. These tools can perform complex network and computer system analysis and then recommend the most suitable attack technique. Another risk is a human one: workers who are not properly trained to screen out calls or messages from people falsely claiming to belong to the technical support team of an external security provider.

It is certainly important to proactively resist zero day attacks with robust endpoint protection software, but organizations also need to combine effective training and processes with their software and hardware solutions. While many organizations have a number of security policies in place, enforcing them is usually the problem. The result is that risky variations in the movement of data and network traffic, which should be reviewed by security personnel, are neglected and go unaddressed.


Cyber Attackers Are Now Targeting Endpoints For Widespread Damage – Charles Leaver

Charles Leaver CEO Ziften

With the introduction of bring your own device (BYOD) practices and cloud computing, protecting individual endpoints has become more difficult, as administrators may be giving ease of data access higher priority than security. The risks are real, because most of the current generation of endpoint security software has not been adapted to protect against aggressive hacking and malicious cyber attack techniques that target individual endpoints as the launch pad for widely distributed attacks.

One famous endpoint attack in recent years involved a malware family named Comfoo, which was used to compromise the networks of many multinational organizations back in 2010. The Comfoo malware included a number of custom-built backdoor Trojans and exploits that could continuously distribute malware. A more serious consequence was that this malware could cause damaging data leaks by scraping account and network information and monitoring all user input, according to CRN contributor Robert Westervelt. Comfoo is believed to have been part of a sophisticated cyber espionage campaign, because of the method used and its evasion of conventional endpoint monitoring.

Using e-mail phishing and social engineering, the malware was able to compromise targeted devices, which highlights how ripe endpoints have become for malware infestation, according to security executive Jason O’Reilly. Speaking to ITWeb, O’Reilly stated that conventional endpoint software often does not adequately account for access from places beyond the IT department, and does not limit data exposure to authorized individuals through access controls.

O’Reilly mentioned that “endpoint security services must offer layered protection that goes beyond signature-based detection just to include heuristic-based detection and polymorphic-based detection. Today’s networks are exposed to hazards from various sources.”

Real Time Threat Detection And Reporting

The high stakes for control strategies and endpoint security were recognized by business consulting firm Frost & Sullivan, which saw both areas under pressure from external attackers and from employees’ pressing demand for flexibility in device choice.

Chris Rodriguez, Frost & Sullivan analyst, specified: “enterprise IT organizations now face significant pressure to make it possible for employees to access the corporate network and files from their own personal gadgets. Considering their apparently universal nature, fast data connections, and powerful hardware and operating systems, these devices represent prime targets for hackers.”

When asked what organizations can do to address the particular weaknesses of mobile hardware, O’Reilly recommended that any solution provide clear and comprehensive visibility into what is happening on each endpoint, so that action can be taken quickly when a threat is identified.


Why Do Two Thirds Of Organizations Believe That They Have Immunity From Cyber Attacks? – Charles Leaver

By Charles Leaver Ziften Technologies CEO


A great many organizations believe there is no need to pursue rigorous data loss prevention; they regard cyber attacks as either highly unlikely to occur or as having minimal financial impact if they do. Recorded cases of cyber attacks and advanced persistent threats are rising, and this complacency has contributed to it. These destructive attacks tend to evade conventional endpoint security software, and while they lack the teeth of denial-of-service attacks, they have the potential to cause considerable damage.

Over 67% of organizations claim that they have not been the victims of a cyber attack in the last 18 months, or that they had little or no visibility into whether an attack had compromised their network, according to Infosecurity. The survey’s organizers were skeptical of the results and pointed to the many vulnerable desktop and mobile endpoints now typical in businesses.

Security specialist and study organizer Tom Cross said: “Any system you link to the Web is going to be targeted by attackers extremely rapidly thereafter. I would assert that if you’re unsure whether your organization has had a security incident, the possibilities are extremely high that the answer is yes.”

Around 16% said they had experienced a DDoS attack over the same period, and 18% reported malware infestations. Despite this, most of the organizations judged the consequences minor and not justifying new endpoint security and control systems. Approximately 38% said they had not detected any security breaches, and just 20% admitted to financial losses.

Loss of reputation was more widespread, affecting around 25% of respondents. Illustrating the potential financial and reputational impact of a cyber attack, an incident at The University of Delaware resulted in 74,000 individuals having their sensitive data exposed, according to WDEL contributor Amy Cherry. The hackers targeted the school’s website and scraped university identification and Social Security numbers, which led the university to provide free credit monitoring to the affected parties.

Charles Leaver – RSA President Keynote Speech Confirms Cyber Security Dark Ages Must Be Moved Away From

Written By Dr Al Hartmann And Presented By Charles Leaver CEO Ziften Technologies


A 5 Point Plan For A New Security Strategy Proposed By Amit Yoran

RSA President Amit Yoran gave an exceptional keynote speech at the RSA Conference that reinforced the Ziften philosophy. Ziften is intently focused on continuous endpoint monitoring, silo-busting Ziften Open Visibility™ and risk-focused security analytics, in order to provide robust defenses in a new era of advanced cyber attacks. Yoran criticized current enterprise security strategies as bogged down in the Dark Ages of cyber moats and castle walls, called the result an “epic fail”, and laid out his vision for the future in five key points. Commentary from Ziften’s perspective follows each one.

Stop Believing That Even Advanced Protections Suffice

“No matter how high or smart the walls, focused adversaries will find methods over, under, around, and through.”

Many recent advanced attacks did not rely on malware as their main technique. Yoran criticized standard endpoint antivirus, firewalls and standard IPS as examples of the Dark Ages, stating that experienced hackers easily scale these traditional defenses and that they are largely ineffective. A signature-based antivirus system can only protect against previously seen threats, yet unseen threats are the most dangerous to an organization (since they are the most common in targeted attacks). Targeted adversaries use malware only about 50% of the time, and perhaps only briefly, at the start of an attack. The attack artifacts are easily altered and are never reused in targeted campaigns. Accumulating billions of short-lived indicators of compromise and malware signatures in huge antivirus signature databases is a futile defensive technique.

Embrace a Deep and Prevalent Level of Real Visibility Everywhere – from the Endpoint to the Cloud

“We require pervasive and true visibility into our business environments. You merely cannot do security today without the visibility of both constant complete packet capture and endpoint compromise evaluation visibility.”

This means continuous monitoring across the enterprise endpoint population for generic indicators of compromise (not stale attack artifacts) that reflect enduring attacker methods, not fleeting hex string coincidences. And any organization implementing continuous full packet capture (relatively expensive) can easily afford endpoint threat assessment visibility (relatively inexpensive). Logging and auditing endpoint process activity provides a wealth of security insight using only elementary analytics. A targeted attacker relies on the relative opacity of endpoint user and system activity to cloak and hide the attack; real visibility shines a bright light on it.

Identity and Authentication Matter More than Ever

“In a world with no border and with less security anchor points, identity and authentication matter even more … At some point in [any effective attack] campaign, the abuse of identity is a stepping stone the opponents use to enforce their will.”

Stronger authentication is fine, but it only builds higher walls that are still not impenetrable. What the attacker does once over the wall is what matters most. That calls for tracking user endpoint logins (both local and remote) and application usage for signs of abnormal user activity (an insider attack or potentially compromised credentials). Any observed activity that departs from normal patterns is potentially suspicious. One departure from normality does not make a case, but security analytics that triangulate several departures focus security attention on the highest-risk anomalies for triage.

External Threat Intelligence Is A Core Capability

“There are incredible sources for the ideal threat intelligence … [which] must be machine-readable and automated for increased speed and leverage. It must be operationalized into your security program and tailored to your organization’s assets and interests so that analysts can quickly resolve the risks that pose the most risk.”

Many targeted attacks do not reuse readily signatured artifacts, network addresses or C2 domains, but there is still value in threat intelligence feeds that aggregate timely discoveries from millions of endpoint and network threat sensors. At Ziften we incorporate third-party threat feeds via the Ziften Knowledge Cloud, and expose Ziften discoveries to SIEM and other enterprise security and operations infrastructure through our Open Visibility™ architecture. As more machine-readable threat intelligence (MRTI) feeds evolve, this capability will grow in effectiveness.

Understand What Matters Most To Your Company And What Is Mission Critical

“You need to comprehend what matters to your organization and what is mission critical. You need to … defend exactly what’s important and protect it with everything you have.”

This is the case for risk-driven analytics and instrumentation that focus security attention and action on the areas of highest business risk exposure. Yoran argues that asset value prioritization is only one side of business risk analysis, which goes much deeper, both pragmatically and academically. Security analytics that focus security staff on the most prominent dynamic risks (for instance by filtering, correlating and scoring SIEM alert streams for security triage) must be well grounded in all sides of enterprise risk analysis.

At Ziften we commend the messages in Amit Yoran’s RSA 2015 keynote address as the cyber security industry evolves beyond the current Dark Ages of easy targeted attacks and routine exploitation.

Target Had To Endure Months Of Recovery Time And Financial Losses After Data Breach – Charles Leaver

By Charles Leaver CEO Ziften

After Target was breached, it took the business several months to recover and be given a clean bill of health.

Constant Recovery Effort And Reports Of Financial Loss

Target’s data breach was a major story. Like all major news stories it eventually faded from national coverage, but for the retailer it remained a significant priority. The company lowered its revenue forecasts for 2014 once again, which implies that it had underestimated the impact of the malicious attack it suffered, according to CNN Money.

The decline in profits was truly significant: the company ended up reporting 62% less earnings. On top of this it paid out $111 million as a direct result of the breach in the second financial quarter. All of this adds up to a business that was once robust now looking a shadow of its former self because of a cyber attack.

As the fallout continued, the scale of the cyber attack started to emerge. Information on around 110 million individuals was compromised, and 40 million of those individuals had credit card data stolen. As news of the breach spread, the business made significant changes, including implementing stricter cyber security procedures and replacing the system administration. Long-standing CEO Gregg Steinhafel also resigned. Yet this is not deemed enough to reduce the impact of the attack. Target’s stakeholders are absorbing the negative results of the attack as much as the company itself, according to Brian Sozzi of Belus Capital.

In an email to CNN Money, Sozzi stated: “Target just dropped an epic complete year earnings warning onto the heads of its remaining investors. Target has provided financiers NO reason to be encouraged that a global turn-around is secretly emerging.”

Target Supplies A Lesson For All Organizations About Improved Pre-emptive Measures

No matter how prepared an organization is for a cyber attack, there is no guarantee that recovery will be quick. The bottom line is that a data breach is bad news for any company, however you frame it or try to fix it. Prevention is the best way forward: take steps to make sure an attack does not happen to your company in the first place. Endpoint threat detection software can play a considerable role in maintaining strong defenses for any organization that implements it.

Charles Leaver – If You Deploy Continuous Endpoint Monitoring You Can Protect Your Organization From Russian Hackers That Stole A Massive Amount Of Data

Charles Leaver Ziften CEO

It is believed that the largest known data breach in history has been uncovered by an American cyber security company. The company believes that a Russian criminal group it has been investigating for several months is responsible for stealing billions of passwords and other sensitive personal data. The group is said to have taken 4.5 billion credentials; many were duplicates, leaving 1.2 billion unique profiles. The records came from 420,000 websites of varying sizes, from large brand-name sites to small mom-and-pop shops.

The New York Times reported that the group consisted of about a dozen people. Starting with small-scale spamming in 2011, they acquired most of the data by buying stolen databases.

In an interview with PCMag, Alex Holden, founder of the company that found the breach, said: “The gang began by simply purchasing the databases that were available online.” The group used to buy at fire sales and were described as “bottom feeders”. As time went by they started buying higher-quality databases. “It's sort of like graduating from taking bikes to stealing costly cars.”

A Progression From Spamming To Using Botnets

The group then changed its methods. It used botnets to collect data on a much larger scale, automating the hunt for vulnerable websites so that the operation ran 24/7. Whenever an infected machine visited a website, the bot automatically tested the site for SQL injection. With such an injection, a commonly used attack technique, a site's database can be made to disclose its contents in response to a crafted query. The botnet flagged the susceptible sites, and the hackers returned later to extract the data. Using the bot was ultimately the group's undoing: the security company detected them through it.
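The check the bots automated and the flaw they were looking for, as an added example written for this page (not code from the attackers, the security company or Ziften): a lookup that splices user input into SQL text beside the parameterized form, two classic probes, and an automated injectability test of the "nonexistent user returns nothing, probe returns rows" kind. The user table is constructed sample data in an in-memory SQLite database.

```python
"""SQL injection test of the kind the botnet automated, against an in-memory
SQLite table. Added illustration; the table contents are constructed data."""
import sqlite3


def build_db():
    """Constructed sample user table standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
        ("bob", "e10adc3949ba59abbe56e057f20f883e"),
        ("carol", "25d55ad283aa400af464c76d713c07ad"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    """The flaw the bots hunted for: attacker input spliced into the SQL text."""
    sql = "SELECT username, password_hash FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic probes. The tautology makes the WHERE clause always true and
# dumps every row; the UNION pulls the table definitions out of sqlite_master
# (the SQLite equivalent of reading information_schema on other engines).
TAUTOLOGY = "x' OR '1'='1"
UNION_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master--"


def is_injectable(conn, lookup):
    """Automated check in the spirit of the botnet's scan.

    A nonexistent user should return nothing; if the tautology probe returns
    rows instead, the lookup is injectable. A database error from the probe is
    treated as 'not injectable' here; a real scanner would also treat some
    error messages as a positive signal.
    """
    try:
        baseline = lookup(conn, "no_such_user")
        probed = lookup(conn, TAUTOLOGY)
    except sqlite3.Error:
        return False
    return len(probed) > len(baseline)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup injectable:", is_injectable(db, lookup_vulnerable))
    print("safe lookup injectable:      ", is_injectable(db, lookup_safe))
    for row in lookup_vulnerable(db, UNION_SCHEMA):
        print("schema leaked:", row)
```

The same two probes produce nothing against `lookup_safe`, because the bound parameter is compared as a string value and never parsed as SQL; that is the whole fix, and it is why a scan of this kind can tell the two sites apart in one request each.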

The security company believes the billions of records were not stolen all at once, and that most were probably bought from other criminals. According to the Times, very few of the stolen records have been offered for sale online; instead the group has used the information to send spam on social networks on behalf of other groups, and is paid for it. Various security specialists say the scale of this breach signals a trend of criminals stockpiling large numbers of personal profiles over time and saving them for later use, according to the Wall Street Journal.

Avivah Litan, security analyst at the research firm Gartner, stated: “Companies that depend on user names and passwords have to establish a sense of urgency about changing this. Up until they do, lawbreakers will simply keep stockpiling individuals' credentials.”

Attacks and breaches on this scale underline the need for companies to protect themselves with up-to-date defenses. Endpoint threat detection and response systems help organizations build a clearer picture of the threats facing their networks and give them actionable information on how best to prevent attacks. With large data breaches becoming more frequent, continuous endpoint visibility is crucial to an organization's security. If the company's endpoints are continuously monitored, threats can be recognized in real time, which reduces the damage a breach can do to a company's reputation and bottom line.

Why Did Ziften And Splunk Create The Active Response Framework? – Charles Leaver

Written By Charles Leaver CEO Ziften

We sponsored an excellent Splunk .conf2014 show in Las Vegas and came back energized and champing at the bit to push our service further forward here at Ziften. One talk of particular interest was by Jose Hernandez, Security Solutions Architect at Splunk, titled “Utilizing Splunk to Automatically Mitigate Risks”. His slides and a recording of the presentation are at http://conf.splunk.com/sessions/2014

Using Splunk to help with mitigation, or “Active Response” as I like to call it, is a great concept. Having all your intelligence data streaming into Splunk, whether endpoint data, external threat feeds or anything else, is very powerful; being able to act on that data is what completes the loop. At Ziften we have our continuous monitoring on the endpoint, and pairing it with Splunk is something we are very proud of. Combining real-time data analysis with the ability to react to incidents is a strong move in the right direction.

Ziften has created a mitigation action using the available Active Response code; a demo video is included in this blog below. We built the mitigation action within our Ziften App for Splunk as a proof of concept. Once the action runs, its results can be observed and tracked within Splunk ES (Enterprise Security). This is a major addition: users can now monitor and track mitigations within Splunk ES, which closes the loop and builds a history of your actions.
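What "closing the loop" looks like in code, as an added example for this page (this is not the Ziften App for Splunk and not Splunk's own Active Response code): an alert-action script that validates the alert, runs one mitigation per host within a cooldown so a noisy search cannot isolate the same machine repeatedly, and returns a flat event recording the outcome so it can be indexed and tracked. Assumptions: the payload format is modelled on the JSON that Splunk hands to custom alert action scripts on stdin when they are run with `--execute` (a `search_name`, a `sid` and a `result` row), the endpoint call is represented by the hypothetical function `isolate_host`, and the sample payload is constructed, not captured from a real instance.

```python
"""Closing the loop from a Splunk alert to an endpoint mitigation and back.
Added illustration, not the Ziften App for Splunk or Splunk framework code.
Payload shape is an assumption modelled on Splunk custom alert actions."""
import json
import sys
import time

# Constructed sample payloads, not captured from a real Splunk instance.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Endpoint beaconing to unknown destination",
    "sid": "scheduler__admin__search__RMD5c0ffee_at_1412345678_12",
    "result": {"host": "web-prod-02", "dest_ip": "203.0.113.45", "count": "37"},
})
EMPTY_RESULT_PAYLOAD = json.dumps({"search_name": "x", "sid": "y", "result": {}})


def isolate_host(host):
    """Stand-in for the endpoint agent call (hypothetical API)."""
    return {"host": host, "status": "isolated"}


def handle_alert(payload_text, ledger, action="isolate", executor=isolate_host,
                 now=time.time, cooldown=3600):
    """Validate the alert, mitigate at most once per host per cooldown window,
    and return a flat event describing what happened.

    ledger maps host -> timestamp of the last mitigation. It is a plain dict
    here; a real deployment would persist it (for example in a KV store) so
    the cooldown survives across script invocations.
    """
    try:
        payload = json.loads(payload_text)
    except json.JSONDecodeError:
        return {"action": action, "status": "error", "reason": "malformed payload"}
    row = payload.get("result") or {}
    host = row.get("host")
    if not host:
        return {"action": action, "status": "skipped", "reason": "no host in result"}

    ts = now()
    last = ledger.get(host)
    if last is not None and ts - last < cooldown:
        status, reason = "duplicate", "host mitigated within cooldown"
    else:
        status, reason = executor(host)["status"], ""
        ledger[host] = ts

    # Every field an analyst needs to trace the action back to its alert.
    return {
        "_time": ts,
        "search_name": payload.get("search_name", ""),
        "sid": payload.get("sid", ""),
        "action": action,
        "host": host,
        "dest_ip": row.get("dest_ip", ""),
        "status": status,
        "reason": reason,
    }


def main():
    """Entry point when Splunk runs the script with --execute."""
    if "--execute" not in sys.argv:
        sys.exit("usage: script.py --execute < payload.json")
    event = handle_alert(sys.stdin.read(), ledger={})
    # One JSON line per mitigation. Point a file monitor (or HEC) at this
    # output so the actions become searchable events in their own index.
    sys.stdout.write(json.dumps(event) + "\n")


if __name__ == "__main__":
    main()
```

The returned event is the audit trail: searching the mitigation index by `sid` or `host` in Splunk ES shows which alert triggered which action, when, and whether it was skipped, deduplicated or carried out.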

We are thrilled that Splunk is driving this effort; it is likely to evolve, and we are committed to supporting it and building on it. It is a very exciting time in the Endpoint Detection and Response space, and the Active Response Framework being integrated into Splunk will certainly generate a high degree of interest, in my opinion.

For any questions about the Ziften App for Splunk, please send an e-mail to sales@ziften.com