You Can Implement Your Gartner SOC Nuclear Triad With Ziften – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

Anton Chuvakin, VP and security analyst at Gartner Research, has published on the three essential Security Operations Center (SOC) tools required to provide effective visibility into cyber attacks. Chuvakin compared them to the cold war’s “nuclear triad” concept: silo-based, airborne, and submarine-launched capabilities, all needed to ensure survivability in an all-out nuclear exchange. Likewise, the SOC visibility triad is essential to surviving a cyber attack; “your SOC triad seeks to substantially lower the opportunity that the attacker will operate on your network long enough to achieve their goals”, as Chuvakin wrote in his post.

Let us look at each of the Gartner-designated elements of the SOC triad and how Ziften supports that capability.

SIEM (Security Information and Event Management) – Ziften Open Visibility ™ extends existing security, event monitoring and system management tools by delivering essential open intelligence on every enterprise endpoint. The Ziften Open Visibility platform now includes integrations with Splunk, ArcSight, and QRadar, as well as any SIEM that accepts Common Event Format (CEF) notifications. Unlike competing integrations that supply only summary data, Ziften Open Visibility exposes all of the endpoint data Ziften collects, so the integration can be exploited to its full extent.

NFT (Network Forensics Tools) – Ziften ZFlow ™ extends network-flow-based security tools with vital endpoint context and attribution, significantly improving visibility into network events. This new, standards-based technology extends network visibility down into the endpoint, collecting context that cannot be observed on the wire. Ziften has an existing product integration with Lancope, and can rapidly integrate with other network flow collectors through the Ziften Open Visibility architecture.

EDR (Endpoint Detection and Response) – The Ziften Endpoint Detection and Response solution continuously examines user and device behavior and highlights anomalies in real time, allowing security analysts to focus on advanced threats sooner and reduce Time To Resolution (TTR). Ziften EDR lets organizations determine the root cause of a breach more quickly and decide on the corrective actions required.

While other security tools play supporting roles, these are the three essentials that Gartner asserts constitute the core of defender visibility into attacker actions within the targeted organization. Arm your SOC triad with Ziften. For a no-obligation free trial and more information, see:

Charles Leaver – By Enabling Visibility You Will Drastically Reduce Incident Response Costs

Written By Kyle Flaherty And Presented By Ziften CEO Charles Leaver

July 9, 2015 was quite a day in the world of cyber security. First, United Airlines grounded its flights because of a technical glitch; shortly afterwards the New York Stock Exchange (NYSE) announced that it had to halt trading. That report came from the Wall Street Journal, as you would expect, and its site went offline soon after.

This led to total panic on the Internet! Twitter was buzzing with rumors that a well coordinated cyber attack was under way. People were jumping off the virtual bridge and declaring a virtual Armageddon.

The chaos continued until the three organizations stated publicly that the problems were not related to cyber attacks but to the dreaded, unidentified “technical glitch”.

Visibility Is The Problem For Attacks Or Glitches

In today’s world it is assumed that “glitch” means “attack”, and it is fair to say that a skilled team of hackers can make the two look the same. There are still no details about the events of that day, and there probably never will be (although there are rumors of network resiliency problems at one of the largest ISPs). At the end of the day, when an incident like this occurs, every company needs to know why.

Statistics suggest that incident response may cost thousands of dollars an hour, and for businesses such as United and NYSE that figure does not even include the cost of downtime. The boards of directors at these businesses do not want to hear that resolution will take hours; they may not even care how it happened, they just want it dealt with quickly.

This is why visibility is constantly in the spotlight. When an emergency strikes, a company must know every endpoint in its environment and the contextual behavior behind those endpoints, whether the endpoint is a desktop, a server or a laptop, online or offline. In this modern age of security, where “prevent & block” alone is no longer an adequate strategy, our ability to “quickly detect & respond” has become ever more important.

So how are you making the shift to this new age of cyber security? How do you minimize the time it takes to determine whether it was an attack or a glitch, and what to do about it?

The Record Pace Of Investment Into Cyber Security Companies Keeps Growing – Charles Leaver

Written By Patrick Kilgore And Presented By Charles Leaver Ziften CEO

Steve Morgan, CEO of Cybersecurity Ventures, released a report called “Financiers pour billions in to cyber security companies”. This is not conjecture: in the previous year alone, venture-backed cyber security companies raised nearly $2 billion. With this influx of capital you would be forgiven for thinking that things had peaked. But you would be wrong …

By the midpoint of 2015, cyber security start-ups had already raised $1.2 billion in funding. As Morgan suggests, there appears to be no end in sight for cyber security. Top firms like Allegis Capital have even raised funds (to the tune of $100M) dedicated exclusively to backing cyber security innovation.

The usual suspects are not the names on the list. Morgan’s post notes that most of the funding announcements are for fast-growing companies like ours. Ziften is in good company among innovators who are keeping pace with the demands of modern cyber security. While we lead the pack in continuous endpoint visibility, other businesses have taken distinctive approaches, such as applying artificial intelligence to the fight against cyber attacks or simplifying key lookups to bring public-key encryption to the masses. Each is tackling a different piece of the puzzle.

And it certainly is a puzzle. Because so many solutions are highly specialized, collaboration is going to be critical. The need to integrate the market’s different components into a more sophisticated view of the problem set is clear. That is why we developed Ziften Open Visibility ™: to supply APIs, connectors, and alerts that integrate endpoint context and attribution data with existing investments.

Market Vision That Is 20/20

To the layperson it may look like market saturation, but it is merely the tip of the cyber security iceberg. Every day, cyber attacks become more sophisticated, finding new ways to harm consumers and organizations. This list of funded companies is testimony to the idea that legacy endpoint and network security is falling short. Prevention is a worthy goal, but security professionals now realize that a two-pronged strategy is needed, one that includes detection and response.

You can have a 20/20 view of your security landscape, or you can keep your existing blind spots. Which one do you think will help you sleep at night?

The Good News About The Cisco 2015 Midyear Security Report – Charles Leaver

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

Looking through the Cisco 2015 Midyear Security Report, the consensus was that “the bad guys are innovating faster than the security community.” This is not a unique statement; it appears in a great many cyber security reports, because they are reactive studies of past cyber attacks.

If all you do is concentrate on negative results and losses, any report is going to look bleak. The reality is that the vendors releasing these reports have a lot to gain from organizations that want to buy more cyber security solutions.

If you look carefully within these reports you will find excellent pieces of guidance that could substantially improve your organization’s security posture. So why do these reports not lead with this information? Well, it’s all about selling solutions, isn’t it?

One anecdote in the Cisco report stood out as something that would be simple for enterprise security teams to address. The report detailed the increasing vulnerabilities and exploits in Adobe Flash, which are being incorporated regularly into exploit kits such as Angler and Nuclear. Adobe updates the Flash Player regularly, but many users are slow to apply the updates that would give them the protection they need. Attackers are profiting from the gap between a vulnerability being discovered and the patch being applied.

Vulnerability Management Is Not Fixing The Problem

You would be forgiven for thinking that, with a whole range of products on the market that scan endpoints for known vulnerabilities, it would be very simple to ensure that endpoints were up to date with the latest patches. All that is required is to run a scan, identify the endpoints that need updating, apply the updates, and the job is done, right? The problem is that scans are only run from time to time, patches fail, users unintentionally introduce vulnerable apps, and the company is then wide open until the next scan. Furthermore, scans report on applications that are installed but never used, which produces such large numbers of vulnerabilities that an analyst finds them difficult to prioritize and manage.

What Is So Easy To Address Then?

Scans should run continuously and all endpoints should be monitored, so that as soon as a system falls out of compliance you know about it and can react immediately. Continuous visibility with real-time alerting and comprehensive reporting is the new mandate as endpoint security is redefined and people understand that the prevention-first era is over. By leveraging the National Vulnerability Database (NVD), each application that is actually running with a known vulnerability can be identified immediately, security personnel notified, and the patch applied. Further, solutions can look for suspicious activity from vulnerable applications, such as sudden application crashes, which are a possible sign of an exploit attempt. Finally, they can also detect when a user’s system has not been rebooted since the last security patch became available.
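The three checks described above (a vulnerable application that is actually running, a vulnerable application that keeps crashing, and a host that has not rebooted since its last patch) can be expressed as a single evaluation that runs on every inventory update rather than on a scan schedule. The following is an added example written for this article, not Ziften product code; the vulnerability entry, its CVE identifier, the Flash Player version numbers and the host records are all constructed, and the NVD matching is simplified to vendor/product/version rather than real CPE names.

```python
"""Continuous vulnerability check for running applications.

An added example, not Ziften's product code. It matches applications that are
actually running against an NVD-style list of known vulnerabilities, treats
crashes of a vulnerable application as a possible exploit attempt, and flags
hosts that have not been rebooted since their last security patch was
installed. The CVE id, versions and hosts below are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass
class Vuln:
    cve: str                    # placeholder id; real entries come from the NVD feed
    vendor: str
    product: str
    fixed_in: Tuple[int, ...]   # first version that is no longer affected


@dataclass
class RunningApp:
    host: str
    vendor: str
    product: str
    version: str
    crashes_today: int = 0      # crash events observed for this app on this host


@dataclass
class Host:
    name: str
    last_boot: datetime
    last_patch_install: datetime


@dataclass
class Finding:
    host: str
    kind: str
    detail: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'18.0.0.194' -> (18, 0, 0, 194); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def is_affected(app: RunningApp, vuln: Vuln) -> bool:
    # Simplified matching; real NVD data uses CPE names and version ranges.
    return (app.vendor.lower() == vuln.vendor.lower()
            and app.product.lower() == vuln.product.lower()
            and parse_version(app.version) < vuln.fixed_in)


def evaluate(hosts: List[Host], apps: List[RunningApp], vulns: List[Vuln]) -> List[Finding]:
    """Run all three checks over the current inventory and return the findings."""
    findings = []
    for app in apps:
        hits = [v for v in vulns if is_affected(app, v)]
        for v in hits:
            findings.append(Finding(app.host, "RUNNING_VULNERABLE",
                                    f"{app.product} {app.version} is affected by {v.cve}"))
        if hits and app.crashes_today:
            # A vulnerable app that keeps crashing deserves an analyst's attention.
            findings.append(Finding(app.host, "VULNERABLE_APP_CRASH",
                                    f"{app.product} crashed {app.crashes_today} times today"))
    for h in hosts:
        if h.last_boot < h.last_patch_install:
            findings.append(Finding(h.name, "REBOOT_PENDING",
                                    f"patched {h.last_patch_install:%Y-%m-%d}, "
                                    f"last boot {h.last_boot:%Y-%m-%d}"))
    return findings


# Constructed sample data; the CVE id and the version numbers are placeholders.
VULNS = [Vuln("CVE-PLACEHOLDER-0001", "Adobe", "Flash Player", (18, 0, 0, 209))]
APPS = [
    RunningApp("ws-01", "Adobe", "Flash Player", "18.0.0.194", crashes_today=3),
    RunningApp("ws-02", "Adobe", "Flash Player", "18.0.0.209"),
    RunningApp("ws-03", "ExampleCorp", "Example Editor", "1.2"),
]
HOSTS = [
    Host("ws-01", last_boot=datetime(2015, 7, 1), last_patch_install=datetime(2015, 7, 14)),
    Host("ws-02", last_boot=datetime(2015, 7, 15), last_patch_install=datetime(2015, 7, 14)),
    Host("ws-03", last_boot=datetime(2015, 7, 15), last_patch_install=datetime(2015, 7, 14)),
]


def run_sample() -> List[Finding]:
    return evaluate(HOSTS, APPS, VULNS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}: {f.kind} - {f.detail}")
```

On the constructed inventory only ws-01 produces findings: it runs a version below the fix, that application crashed three times, and the host has not rebooted since its patch was installed. ws-02 runs the fixed version and is silent, which is the point of matching on what is running rather than on what a periodic scan found installed.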

There Certainly Is Hope

The good news about real-time endpoint visibility is that it works for any vulnerable application (not only Adobe Flash), because attackers move from app to app as they evolve their methods. There are simple solutions to big problems. Security teams just need to be made aware that there is a better way of managing and securing their endpoints. It simply takes the right endpoint detection and response solution.

You Must Accept That Hackers Are Human To Win The Cyber Security War – Charles Leaver

Written By Patrick Kilgore And Presented By Charles Leaver CEO Ziften

At the annual Black Hat conference there are discussions about hacking and cyber security going on everywhere, and it can make you paranoid. For many people it is just an appetizer for the DEF CON hacking conference.

Some time ago the Daily Dot published a story called “The art of hacking humans”, which discussed the Social Engineering “Capture the Flag” contest that has been running since 2010. In it, participants use the best tool a hacker has at their disposal, their intelligence, and rely on flights of fancy and social subterfuge to persuade unsuspecting victims to hand over sensitive information in exchange for points. A couple of slip-ups here, a remark about applications there, and bang! You’re hacked and on the front page of the New York Times.

For the businesses being “targeted” (such as big-box retailers who will remain nameless …), the contest was originally viewed as a nuisance. In the years since its inception, however, the Capture the Flag contest has won the thumbs up from many corporate security professionals. Its contestants compete annually to test their mettle and help potential hacking victims understand their vulnerabilities. It is a white-hat education in what not to do and has made strides for corporate awareness.

Human Hacking Starts With … Humans (duh).

As we know, most malicious attacks start at the endpoint, because that is where the people in your business live. All it takes is access from some nebulous location to do serious damage. But rather than think of hacks as something to react to or a simple process to be killed, we must remind ourselves that behind every attack there is a person. And ultimately, that is who we need to arm ourselves against. How do we do that?

Since companies operate in the real world, we must all accept that there are those who would do us harm. Instead of trying to prevent every hack from happening, we have to rewire our thinking on the matter. The key is recognizing malicious user behavior as it is happening so that you can react accordingly. The new era of endpoint security is focused on this ability to see user behavior, inspect and evaluate it quickly, and then respond quickly. At Black Hat we are showing people how they can continuously monitor the fringes of their network so that when (not if) breaches happen, they can be promptly dealt with.

As a wise man once said, “You can’t protect what you cannot manage and you cannot manage what you cannot see.” The result is a drastic reduction in time to detect and time to respond (TTR). And that’s no lie.

Charles Leaver – People Up Against Each Other Is The Key To Cyber Security

Written By Michael Bunyard And Presented By Charles Leaver CEO Ziften

Cyber security is all about people vs. people. Every day, as we sort through the latest attack news (like the recent Planned Parenthood breach), it becomes ever more obvious that people are not only the problem, in many respects, but also the solution. The adversaries come in many categories, from insiders to hackers to organized crime and state-sponsored terrorists, but at the end of the day it is people who direct the attacks on companies and are therefore the problem. And it is people who are the primary targets exploited in a cyber attack, usually at the endpoint, where they access their connected corporate and personal worlds.

The endpoint (laptop, desktop, mobile phone, tablet) is the device people use throughout their day to get their jobs done. Consider how often you are attached to your endpoint(s). It’s a lot, right? Not only are these endpoints vulnerable (see the Stagefright Android vulnerability for a good example), the people at the endpoint are often the weak link in the chain that gives attackers the opening to exploit. All it takes is one person opening the wrong email, clicking to the wrong website or opening the wrong file, and it’s game on. Despite all the security awareness in the world, people will make mistakes. When discussing the Planned Parenthood breach, my colleague Mike Hamilton, who directs the product vision here at Ziften, offered a really interesting insight:

“Every organization will have people against it, and now those individuals have the methods and objective to interrupt them or steal their data. Leveraging existing blind spots, cyber criminals or perhaps hackers have simple access through vulnerable endpoints and utilize them as a point of entry to conceal their activities, avert detection, exploit the network and victimize the targeted organization. It is now more crucial than ever for companies to be able to see suspicious behavior beyond the network, and definitely beyond merely their web server.”

People Powered Security

It makes sense that cyber security solutions should be purpose-built for the people who are safeguarding our networks, and for monitoring the behavior of individuals as they use their endpoints. But generally this has not been the case. In fact, the endpoint has been a virtual black box when it comes to continuous visibility of user behavior. This has caused a scarcity of information about what is really happening on the endpoint, the most vulnerable element of the security stack. And cyber security solutions certainly don’t seem to have the people defending the network in mind when silos of disparate information flood the SIEM with so many false positives that analysts cannot tell the genuine threats from the benign.

People-powered security enables seeing, examining, and responding by evaluating endpoint user behavior. This needs to be done in a manner that is painless and fast, because there is a serious skills shortage in organizations today. The best technology will enable a level-one responder to deal with most suspected threats by putting simple and concise information at their fingertips.

My security guru colleague (yes, I’m fortunate that on one corridor I can talk to all these folks) Dr. Al Hartmann says “Human-Directed Attacks require Human-Directed Response”. In a recent blog post, he nailed it:

“Human intelligence is more flexible and innovative than machine intelligence and will always eventually adjust and beat an automatic defense. This is the cyber-security version of the Turing test, where a machine defense is attempting to rise to the intellectual level of a skilled human hacker. At least here in the 21st Century, expert systems and artificial intelligence are not up to the task of totally automating cyber defense; the cyber aggressor inevitably wins, while the victims lament and count their losses. Just in sci-fi do thinking machines overpower people and take control of the world. Do not subscribe to the cyber fiction that some autonomous security software application will outsmart a human hacker enemy and save your organization.”

People-powered security empowers well-informed, dynamic response by the people trying to thwart the attackers. With any other approach we are only kidding ourselves that we can keep up with them.

Focussing On People Rather Than Technology Is The Third Phase Of Cyber Security – Charles Leaver

Written By Kyle Flaherty And Presented By Charles Leaver Ziften CEO

The impact of cyber attacks on companies is often straightforward to measure, and the vendors of technology solutions are always flaunting various statistics to show that you need to buy their latest software (Ziften included). But one statistic is very striking:

In The Previous Year Cyber Crime Cost Organizations $445 Billion And Cost 350,000 Individuals Their Jobs.

The monetary losses are easy to take on board, even though the amount is large. But the second part is worrying for everyone involved in cyber security. People are losing their jobs because of what is happening in cyber security. The circumstances surrounding the job losses for all these people are unknown, and some may have deserved it if they were negligent. But the most intriguing thing about this is that it is well understood that there is a shortage of talented individuals with the ability to fight these cyber attacks.

While people are losing their positions, there is also a demand to find more talented people to counter the ever increasing threat of cyber attacks. There is no argument that more people are required, and that they must be more talented, to win this war. But it is not going to happen today, tomorrow or even this year. And while it would be nice if a truce could be negotiated with the cyber attackers until these resources are available, the reality is that the fight must go on. So how do you combat this?

Utilize Technology To Enable, Not Disable

For years now, security technology vendors have been selling technology to “prevent and block” cyber attacks. Then the vendors would return to sell the “next generation” solution for preventing and blocking cyber attacks. And a few years later they were back again to sell the latest technology, focused on “security analytics”, “threat intelligence” and “operational insight”.

In every case businesses bought the latest technology and then had to add professional services, or even an FTE, to operate it. Of course each time it took a considerable amount of time to get up to speed with the new technology, for a team already experiencing high turnover because of the competitive nature of the cyber security job market. And while all of this was going on, the attacks were becoming more persistent, more advanced, and more frequent.

It Is About People Using Technology, Not The Other Way Around

The problem is that all of the CISOs were focused on the technology first. These organizations followed the classic model of seeing a problem and producing technology that might plug that hole. Consider a firewall: it literally builds a wall within technology, using technology. Even the SIEM technology these companies implemented was focused mostly on the connectors from their system into other systems, and on gathering all those details into one place. But what they had instead was just one place, because the technology-centric minds had forgotten a critical component: the people involved.

Humans are always good at innovating when faced with risk. It’s a biological thing. In cyber security today we are seeing the third phase of that evolution, and it is centered on people:

Phase 1 Prevent by building walls
Phase 2 Detect by constructing walls and moats
Phase 3 View, inspect, and react by examining user habits

The reason this has to be centered on people is not just the talent shortage, but that people are actually the issue. People are the cyber attackers and also the ones putting your company at risk at the endpoint. The technologies that will win this battle, or at least allow for survival, are the ones developed not just to boost the capabilities of the person behind the keyboard, but also to focus on the behavior of the users themselves, rather than merely on the technologies.

Endpoint Visibility Is Possible As This Webinar Reveals – Charles Leaver

Written By Josh Applebaum And Presented By Charles Leaver CEO Ziften Technologies


These days security threats and attack vectors are continuously evolving, and organizations need to be more vigilant than ever in monitoring their network infrastructure. The network perimeter and infrastructure security are frequently challenged because there is no visibility into endpoint devices.

Visibility Of Endpoint Devices Is Now More Crucial Than Ever.

We hosted a webinar with our partner Lancope called “Extending Network Visibility: Down to the Endpoint.” Its goal was to show security professionals how additional visibility and context into network activity can be achieved, how existing security investments (NetFlow, firewall, SIEM, threat intelligence) can be enhanced, and how incident response can be improved by obtaining real-time and historical data from the endpoint. A shared customer was featured in the webinar, offering real-world insights into the best ways to use security assets to stay ahead of external and insider threats.

Many of you will not have been able to attend the live webinar, so we have decided to share the on-demand version here on the Ziften blog. Feedback is welcome, and we would be delighted to connect with you to discuss it in more detail.

Charles Leaver – A Technical Approach To Client Management From Ziften

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

There has typically been a lack of visibility on Windows clients into the applications that are running and the resources they are consuming. There are effective tools for monitoring the server infrastructure and the network, but the client has always been the weakest element. This is why vendors such as Ziften have pioneered a new class of solutions aimed at managing the security and performance of clients in the enterprise, known as enterprise client management. From a technical standpoint, to collect the huge amount of information available within Windows that is needed to provide visibility of the client, there were two alternative approaches to consider. We could have developed custom driver code or used the standard Windows APIs.

Developing driver code is regarded as a last resort because of some well-known issues:

An in-depth understanding of Windows kernel data structures and coding conventions is required for driver development

Driver incompatibilities can arise even with the smallest of system modifications, for example the monthly patch updates from Microsoft

A catastrophic system crash can occur if there is an error in driver code

Third-party driver code causes the majority of the instabilities in Windows

Any solution that uses low-level drivers in its agents does not use standard Windows interfaces and will “take control” from Windows. This can wreak havoc with the operating systems of the desktops under management. If a driver fails it can crash the system, and there is also an increased security risk because these drivers run at kernel level. Microsoft says this about driver security: “Anything a user can do that causes a driver to malfunction in such a way that it causes the system to crash or end up being unusable is a security defect. When most coders are working on their driver, their focus is on getting the driver to work properly and not whether a malicious intruder will attempt to make use of holes within the system.”

So Ziften took the approach of building our solution around standard Windows interfaces, which has the following benefits:

Greater resilience to Windows updates and changes that would likely require driver modifications

Elimination of the driver-conflict vulnerability that can result in system crashes (Blue Screen of Death)

Reduced probability of coding errors that affect system performance through the kernel interface

BYOD Can Be A Serious Security Risk So Do This – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver Ziften CEO

If you are not interested in BYOD, your users, especially your executive users, probably will be. Users want to be as productive as possible with the least effort. Using the most convenient, fastest, most familiar and comfortable device to do their work is their primary aim. They also prefer the convenience of using one device for both work and personal activities.

The problem is that security and ease of use are diametrically opposed. The IT department would typically prefer total ownership and control over all client endpoints. IT can disable admin rights, and the client endpoint can be managed to a degree, for example by allowing only authorized applications to be installed. Even the hardware can be restricted to a particular footprint, making it much easier for IT to secure and manage.

But control of their devices is exactly what BYOD supporters are fighting against. They want to choose their hardware, apps and OS, and to have the freedom to install anything they like, whenever they like.

This is hard enough for the IT security team, but BYOD can also considerably increase the number of devices accessing the network. Instead of a single desktop, with BYOD a user may have a desktop, laptop, cell phone and tablet. This is an attack surface gone wild! Then there is the problem of smaller devices being lost or stolen, or even left in a bar under a cocktail napkin.

So what do IT professionals do about this? The first step is to establish situational awareness of “trusted” client endpoints. With its minimalist, driverless agent, Ziften can provide visibility into the applications, versions, user activity and security/compliance software actually running on the endpoint. You can then restrict, by enforceable policy, what application, enterprise network and data interaction is permitted from all other (“untrusted”) devices.

Client endpoints will invariably develop security problems, such as application versions that are vulnerable to attack, potentially dangerous processes and disabled endpoint security measures. The Ziften agent will alert you to these issues so that you can take corrective action with your existing system management tools.

Your users have to accept the reality that devices that are untrusted and too risky should not be used to access organization networks, data and apps. Client endpoints and users are the source of the majority of malicious exploits. No magic in existing technology will make it safe to access important business assets from a device that is out of control.
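The three steps above (decide which endpoints are “trusted” from what is actually running on them, restrict what every other device may reach, and alert on endpoints that have drifted) amount to a posture policy. The following is an added example written for this article, not Ziften product code: the endpoint records, the minimum OS versions, the access tiers and the vulnerable-app string are all constructed, and a real deployment would feed the posture fields from the endpoint agent and the version floors from its patch baseline.

```python
"""BYOD posture policy: an added example, not Ziften product code.

Classifies each client endpoint as trusted, in need of remediation, or
untrusted from its reported posture, returns the access tier the policy
permits, and collects the issues an analyst should be alerted to. Endpoint
records, version floors and access tiers are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Endpoint:
    device_id: str
    managed: bool                 # enrolled in corporate device management
    os: str
    os_version: tuple
    security_agent_running: bool  # endpoint security/compliance software observed running
    disk_encrypted: bool
    vulnerable_apps: List[str] = field(default_factory=list)  # app versions with known vulns


# Constructed minimum OS versions; a real policy takes these from the patch baseline.
MIN_OS_VERSION = {"Windows": (6, 1), "macOS": (10, 10), "iOS": (8, 4), "Android": (5, 1)}

# Constructed access tiers: what each class of device is permitted to reach.
ACCESS: Dict[str, Set[str]] = {
    "trusted":   {"email", "file_shares", "internal_apps", "vpn"},
    "remediate": {"email", "patch_server"},   # managed but drifted: enough to fix itself
    "untrusted": {"webmail"},                  # unmanaged BYOD: no direct data access
}


@dataclass
class Decision:
    device_id: str
    tier: str
    access: Set[str]
    alerts: List[str]


def posture_issues(ep: Endpoint) -> List[str]:
    """Everything about the endpoint's current state that the policy objects to."""
    issues = []
    floor = MIN_OS_VERSION.get(ep.os)
    if floor is None or ep.os_version < floor:
        issues.append("os_below_baseline")
    if not ep.security_agent_running:
        issues.append("security_agent_not_running")
    if not ep.disk_encrypted:
        issues.append("disk_not_encrypted")
    for app in ep.vulnerable_apps:
        issues.append(f"vulnerable_app:{app}")
    return issues


def decide(ep: Endpoint) -> Decision:
    """Map posture to an access tier; every issue found becomes an alert."""
    issues = posture_issues(ep)
    if not ep.managed:
        # Unmanaged devices are untrusted by definition; findings still go to the analyst.
        return Decision(ep.device_id, "untrusted", ACCESS["untrusted"], issues)
    if issues:
        return Decision(ep.device_id, "remediate", ACCESS["remediate"], issues)
    return Decision(ep.device_id, "trusted", ACCESS["trusted"], [])


# Constructed endpoint inventory (the vulnerable-app version string is a placeholder).
INVENTORY = [
    Endpoint("lt-corp-01", True, "Windows", (6, 3), True, True),
    Endpoint("tab-byod-02", False, "iOS", (8, 4), False, True),
    Endpoint("lt-corp-03", True, "Windows", (6, 1), True, True, ["Flash Player 18.0.0.194"]),
]


def evaluate_inventory(inventory=INVENTORY) -> Dict[str, Decision]:
    return {d.device_id: d for d in map(decide, inventory)}


if __name__ == "__main__":
    for d in evaluate_inventory().values():
        print(d.device_id, d.tier, sorted(d.access), d.alerts)
```

The design point is that trust is derived from observed state rather than from ownership alone: the corporate laptop running a vulnerable application loses access just as an unmanaged tablet does, but it is steered to the patch server so that the corrective action the passage describes can be taken with existing management tools.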