Prevent A Security Risk To Your Enterprise By Checking Macs – Charles Leaver

Written By Roark Pollock And Presented By Charles Leaver


Got Macs? Great. I own one too. Have you locked your Macs down? If not, your business has a potentially serious security weakness.

It is a fallacy to believe that Macintosh computers are naturally protected and don't have to be safeguarded against hacking or malware. People think Macs are arguably more secure than Windows desktops and notebooks because of the design of the Unix-based kernel. Certainly, we see fewer security patches issued by Apple for macOS than Microsoft issues for Windows.

Fewer security problems is not zero defects. And safer doesn't mean completely safe.

Examples of Mac Vulnerabilities

Take, for example, the macOS 10.13.3 update, issued on January 23, 2018, for the current version of the Mac's operating system. Like many current computers running Intel processors, the Mac was vulnerable to the Meltdown flaw, which meant that malicious applications might be able to read kernel memory.

Apple had to patch this defect, along with numerous others.

For example, another defect might allow maliciously crafted audio files to execute arbitrary code, compromising the system's security integrity. Apple needed to patch it.

A kernel defect meant that a malicious application might be able to execute arbitrary code with kernel privileges, giving attackers access to everything on the device. Apple had to patch the kernel.

A defect in the WebKit library meant that processing maliciously crafted web content might lead to arbitrary code execution. Apple had to patch WebKit.

Another defect meant that processing a malicious text message might lead to application denial of service, locking up the system. Whoops. Apple had to patch that flaw as well.

Don't Make The Same Mistakes As Consumers

Many consumers, believing all the talk about how great macOS is, decide to run without protection, relying on macOS and its built-in application firewall to block all manner of bad code. Problem: there is no built-in anti-virus or anti-malware, and the firewall can only do so much. And many enterprises choose to ignore macOS when it comes to visibility for posture tracking and hardening, and for threat detection and threat hunting.

Consumers often make these assumptions because they don't know any better. IT and security professionals should never make the same mistakes; we should know better.

If a Mac user installs bad software, adds a malicious browser extension, opens a bad email attachment, or clicks on a phishing link or a malicious advertisement, their device is compromised, just like a Windows computer. Within the enterprise, we need to be prepared to handle these issues on Mac computers as well.

So What Do You Do?

What do you need to do?

– Install anti-virus and anti-malware on corporate Macs, or on any Mac that has access to your company's content, servers, or networks.
– Track the state of Macs, just as you do with Windows computers.
– Be proactive in applying fixes and patches to Macs, again, just as with Windows.

You should also remove Macs from your corporate environment that are too old to run the current version of macOS. That covers a great deal of them, since Apple is pretty good at supporting older hardware. Here is Apple's list of Mac models that can run macOS 10.13:

– MacBook (Late 2009 or newer)
– MacBook Pro (Mid 2010 or newer)
– MacBook Air (Late 2010 or newer)
– Mac mini (Mid 2010 or newer)
– iMac (Late 2009 or newer)
– Mac Pro (Mid 2010 or newer)

When the next version of macOS comes out, some of your older computers may drop off the list. They should drop off your inventory as well.

Ziften's Perspective

At Ziften, with our Zenith security platform, we work hard to maintain visibility and security feature parity between Windows, macOS, and Linux-based systems.

In fact, we have partnered with Microsoft to integrate our Zenith security platform with Microsoft Windows Defender Advanced Threat Protection (ATP) for macOS and Linux monitoring, threat detection, and response coverage. The integration allows customers to detect, view, investigate, and respond to advanced cyber attacks on macOS computers (as well as Windows and Linux-based endpoints) directly within the Microsoft WDATP Management Console.

From our viewpoint, it has always been important to give your security teams confidence that every desktop and notebook endpoint is secured, and therefore that the enterprise is protected.

Hard as it may be to believe, 91% of businesses say they have a number of Macs. If those Macs aren't protected, and properly integrated into your endpoint security systems, the enterprise is not protected. It's that simple.

Security Problems Need Resolving Through Strategic Alliances – Charles Leaver

Written By Charles Leaver


Nobody can solve cybersecurity alone. No single solution vendor, no single company, nobody can take on the whole thing. Dealing with security requires cooperation between different players.

Often, those companies sit at different levels of the solution stack: some installed on endpoints, some within applications, others within network routers, others at the telco or in the cloud.

Often, those players each hold a particular best-of-breed piece of the puzzle: one player concentrates on e-mail, others on crypto, others on disrupting the kill chain.

From the enterprise customer's perspective, effective security requires assembling a set of tools and services into a working whole. From the vendors' viewpoint, effective security requires strategic alliances. Sure, each vendor, whether making hardware, writing software, or providing services, has its own solutions and intellectual property. Nevertheless, we all work better when we work together to enable integrations and make life simple for our resellers, our integrators, and the end customer.

Paradoxically, not only can vendors make more money through strategic alliances, but end customers save money at the same time. Why? Several reasons.

Customers don't waste their money (and time) on products with overlapping capabilities. Customers don't have to waste money (and time) building custom integrations. And customers won't waste money (and time) trying to debug systems that fight each other, for example by generating extra alerts or hard-to-find incompatibilities.

It’s the Trifecta – Products, Solutions, and Channels

All three work together to meet the requirements of the enterprise customer, and also benefit the vendors, who can focus on what they do best, relying on strategic alliances to produce complete solutions out of jigsaw puzzle pieces.

Generally speaking, those solutions require more than simple APIs, which is where strategic alliances are so important.

Consider the integration between solutions (like a network threat scanner or Ziften's endpoint visibility solutions) and analytics offerings. End customers don't want to operate a whole load of different dashboards, and they don't want to manually correlate anomaly findings from a dozen different security tools. Strategic alliances between solution vendors and analytics vendors, whether on-site or in the cloud, make sense for everyone. That includes the channel, who can deliver and support complete solutions that are already dialed in, already debugged, already documented, and will work with the least trouble possible.

Or consider the integration of solutions with managed security services providers (MSSPs). They want to offer prospective clients pre-packaged solutions, ideally ones that can run in their multi-tenant clouds. That means the products need to be scalable, with compatible license terms. They should be well integrated with the MSSP's existing dashboards and administrative control systems. And of course, they have to feed into predictive analytics and incident response programs. The best way to do that? Through strategic alliances, both horizontally with other solution vendors and with major MSSPs as well.

What about major value-added resellers (VARs)? VARs need products that are easy to understand, easy to support, and easy to add to existing security implementations. This makes new products more attractive, more affordable, easier to set up, easier to support, and strengthens the VAR's customer relationships.

What do they look for when adding to their solution portfolio? New solutions that have strategic alliances with their existing offerings. If you don't fit in with the VAR's portfolio partners, well, you probably don't fit in.

Two Examples: Fortinet and Microsoft

Nobody can solve cybersecurity alone, and that includes giants like Fortinet and Microsoft.

Consider the Fortinet Fabric-Ready Partner Program, where technology alliance partners integrate with the Fortinet Security Fabric via Fabric APIs and are able to actively collect and share information to improve threat intelligence, boost overall threat awareness, and broaden threat response from end to end. As Fortinet explains in its Fortinet Fabric-Ready Partner Program Overview, “partner addition in the program signals to clients and the market as a whole that the partner has collaborated with Fortinet and leveraged the Fortinet Fabric APIs to develop confirmed, end-to-end security services.”

Similarly, Microsoft is pursuing the same approach with the Windows Defender Advanced Threat Protection program. Microsoft recently selected only a few key partners for this security program, saying, “We have actually heard from our customers that they desire defense and visibility into prospective risks on all of their device platforms and we have actually relied on partners to help resolve this need. Windows Defender ATP provides security groups a single pane of glass for their endpoint security and now by working together with these partners, our consumers can extend their ATP service to their entire set up base.”

We're the first to admit: Ziften can't solve security alone. Nobody can. The best way forward for the security industry is to move forward together, through strategic alliances uniting product vendors, service providers, and the channel. That way we all win: vendors, service providers, channel partners, and enterprise customers alike.

How Flexible Is Your SysSecOps? – Charles Leaver

Written By Charles Leaver


Endpoints are everywhere. The device you're reading this on is an endpoint, whether it's a desktop, notebook, tablet, or phone. The A/C controller for your building is an endpoint, assuming it's connected to a network, and so are the WiFi access points and the security cameras. So is the connected car. So are the web servers, storage servers, and Active Directory servers in the data center. So are your IaaS/PaaS services in the cloud, where you have control of bare-metal servers, VMware virtual machines, or containers running on Windows and/or Linux.

All of them are endpoints, and every one of them needs to be managed.

They need to be managed from the IT side (by IT administrators, who ideally have proper IT-level visibility of each connected thing, like those security cameras). That management means ensuring they're connected to the right network zones or VLANs, that their software and configurations are up to date, that they're not flooding the network with bad packets because of electrical faults, and so on.

Those endpoints also have to be managed from the security perspective by CISO teams. Every endpoint is a potential front door into the enterprise network, which means the devices must be locked down: no default passwords, all security patches applied, no unauthorized software installed on the device's embedded web server. (Krebs outlines how, in 2014, hackers got into Target's network by means of its HVAC system.)

Systems and Security Operations

Systems Security Operations, or SysSecOps, brings those two worlds together. With the right kind of SysSecOps mindset, and tools that support the right workflows, IT and security staff get the same data and can collaborate. Sure, they each have different tasks and respond differently to trouble alerts, but they're all handling the same endpoints, whether in the pocket, on the desk, in the utility closet, in the data center, or in the cloud.

Ziften Zenith Test Report

We were delighted when the recently released Broadband-Testing report praised Zenith, Ziften's flagship endpoint security and management platform, as being ideal for this kind of scenario. To quote from the report, “With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more. Considering that its meaning of ‘endpoints’ extends into the Data Centre (DC) and the world of virtualisation, it is true blanket coverage.”

Broadband-Testing is an independent testing facility and service based in Andorra. They describe themselves as follows: “Broadband-Testing interacts with vendors, media, investment groups and VCs, experts and consultancies alike. Evaluating covers all aspects of networking software and hardware, from ease of use and performance, through to increasingly essential aspects such as device power consumption measurement.”

Back to flexibility. With endpoints everywhere (again, on the desk, in the utility closet, in the data center, or in the cloud), a SysSecOps-based endpoint security and management system needs to go everywhere and do anything, at scale. Broadband-Testing wrote:

“The configuration/deployment options and architecture of Ziften Zenith allow for a very flexible release, on or off-premise, or hybrid. Agent implementation is simpleness itself with absolutely no user requirements and no endpoint intrusion. Agent footprint is also very little, unlike numerous endpoint security services. Scalability likewise seems excellent – the most significant client implementation to this day remains in excess of 110,000 endpoints.”

We can't help but be proud of our product Zenith, and of what Broadband-Testing concluded:

“The emergence of SysSecOps – integrating systems and security operations – is an uncommon milestone in IT; a hype-free, good sense approach to refocusing on how systems and security are managed inside a business.

Key to Ziften’s endpoint approach in this category is overall visibility – after all, how can you secure what you cannot see or have no idea is there in the first place? With its Zenith platform, Ziften has a product that ticks all the SysSecOps boxes and more.

Release is simple, specifically in a cloud-based circumstance as evaluated. Scalability also looks to be excellent – the most significant consumer deployment to this day is in excess of 110,000 endpoints.

Data analysis choices are extensive with a huge amount of info available from the Ziften console – a single view of the entire endpoint infrastructure. Any object can be analysed – e.g. Binaries, applications, systems – and, from a procedure, an action can be specified as an automated function, such as quarantining a system in case of a potentially destructive binary being discovered. Multiple reports are pre-defined covering all areas of analysis. Alerts can be set for any occurrence. In addition, Ziften supplies the concept of extensions for custom data collection, beyond the reach of the majority of suppliers.

And with its External API performance, Ziften-gathered endpoint data can be shared with most 3rd party applications, consequently adding additional value to a consumer’s existing security and analytics infrastructure financial investment.

In general, Ziften has a very competitive offering in what is an extremely worthwhile and emerging IT category through SysSecOps that is very worthy of examination.”

We hope you'll consider an evaluation of Zenith, and will agree that when it comes to SysSecOps and endpoint security and management, we do tick all the boxes, with the true blanket coverage that both your IT and CISO teams have been looking for.

Spectre And Meltdown Are Here And This Is How Ziften Helps You – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver


Ziften is aware of the current exploits affecting practically everyone who uses a computer or digital device. While this is a big statement, we at Ziften are working diligently to help our customers discover vulnerable assets, repair those vulnerable systems, and monitor systems after the repair for possible performance issues.

This is an ongoing investigation by our team in Ziften Labs, where we keep up to date on the latest malicious attacks as they develop. Right now, most of the discussion is around PoC (proof of concept) code and what can theoretically happen. This will soon change as attackers take advantage of these opportunities. The exploits I'm speaking of, of course, are Meltdown and Spectre.

Much has been written about how these exploits were found and what the industry is doing to find workarounds for these hardware issues. For more information, I feel it's best to head over to the source here (https://spectreattack.com/).

What Do You Need To Do, and How Can Ziften Help?

A key area where Ziften helps in case of an attack by either method is monitoring for data exfiltration. Since these attacks essentially read data they should not have access to, we believe the first and easiest way to protect yourself is to take this confidential data and remove it from these systems. This data might be passwords, login credentials, or even security keys for SSH or VPN access.

Ziften monitors and alerts when processes that usually do not make network connections start exhibiting this unusual behavior. From these alerts, users can quarantine systems from the network and/or kill the processes associated with these events. Ziften Labs is monitoring the development of the attacks that are likely to appear in the real world related to these vulnerabilities, so we can better protect our customers.
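The "process that never talked on the network before" check described above, as an added example that is not Ziften's code: it learns from a constructed baseline window which process images are known to make network connections, then flags connections in a later window from images with no such history. The host names, image paths and addresses are all constructed; the one caveat worth keeping in mind is that the baseline must come from before the suspected compromise, or the bad behavior gets baked in as normal.

```python
"""First-seen network activity per process image.

Added example, not Ziften code. Event records are (host, image_path,
remote_addr); a real agent would also carry pid, timestamp and user.
"""
from collections import defaultdict

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
PDFVIEW = r"C:\Tools\pdfview.exe"   # constructed: a viewer that never needs the network

# Constructed baseline window: activity from a period known to be clean.
BASELINE_EVENTS = [
    ("WS-017", FIREFOX, "203.0.113.10:443"),
    ("WS-017", SVCHOST, "192.0.2.5:80"),
    ("WS-022", FIREFOX, "203.0.113.11:443"),
    ("WS-022", SVCHOST, "192.0.2.5:80"),
    ("SRV-03", SVCHOST, "192.0.2.5:80"),
]

# Constructed current window: pdfview.exe, silent in the baseline, now connects out.
CURRENT_EVENTS = [
    ("WS-017", FIREFOX, "203.0.113.12:443"),
    ("WS-022", PDFVIEW, "198.51.100.77:8080"),
    ("SRV-03", SVCHOST, "192.0.2.5:80"),
]


def known_network_images(events):
    """Return {image_lower: set(hosts)} for every image seen making a connection."""
    known = defaultdict(set)
    for host, image, _remote in events:
        known[image.lower()].add(host)   # case-insensitive: Windows paths vary in case
    return known


def first_seen_network_activity(baseline, current):
    """Alerts for images in `current` that have no network history in `baseline`.

    Returns {image_lower: sorted list of (host, remote_addr)}. Images that
    already talked on the network during the baseline are never reported here,
    even if they reach a new destination; that is a separate, noisier check.
    """
    known = known_network_images(baseline)
    alerts = defaultdict(set)
    for host, image, remote in current:
        if image.lower() not in known:
            alerts[image.lower()].add((host, remote))
    return {img: sorted(pairs) for img, pairs in alerts.items()}


def hosts_to_quarantine(alerts):
    """Hosts with at least one first-seen connection: candidates for isolation."""
    return sorted({host for pairs in alerts.values() for host, _remote in pairs})


if __name__ == "__main__":
    found = first_seen_network_activity(BASELINE_EVENTS, CURRENT_EVENTS)
    for image, pairs in found.items():
        print(f"first network activity from {image}: {pairs}")
    print("quarantine candidates:", hosts_to_quarantine(found))
```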

Discover – How am I Vulnerable?

Let's look at the areas we can monitor for vulnerable systems. Zenith, Ziften's flagship product, can easily and quickly discover operating systems that need to be patched. Even though these exploits are in the CPUs themselves (Intel, AMD and ARM), the fixes that will be available will be updates to the operating system and, in other cases, to the web browser you use as well.

In Figure 1 below, you can see an example of how we report on the available patches by name, which systems have successfully installed each patch, and which have yet to install it. We can also track patch installs that failed. The example shown is not for Meltdown or Spectre, but the KB and/or patch number for the environment could be populated on this report to show the vulnerable systems.

The same holds true for browser updates. Zenith keeps track of the software versions running in the environment. That data can be used to know whether all browsers are up to date once the fixes become available.

Speaking of browsers, one area that has already gained momentum in the attack scenarios is the use of JavaScript. A working demonstration is shown here (https://www.react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript).

Products like the Edge browser do not use JavaScript anymore, and mitigations are available for other browsers. Firefox has a fix available here (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/). A Chrome fix is coming out this week.

Fix – What Can I Do Now?

Once you have identified the vulnerable systems in your environment, you certainly need to patch and repair them very quickly. One precaution you have to take into account: there are reports of certain anti-virus products causing stability problems when the patches are applied. Details about these problems are here (https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/) and here (https://docs.google.com/spreadsheets/u/1/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true).

Zenith also has the ability to help patch systems. We can monitor for systems that need patches, direct our solution to apply those patches for you, then report success/failure and the status of those still requiring patching.

Because the Zenith backend is cloud-based, we can even monitor your endpoint systems and apply the required patches when and if they are not connected to your corporate network.

Monitor – How is Everything Running?

Lastly, there may be some systems that show performance degradation after the OS fixes are applied. These issues seem to be limited to high-load (IO and network) systems. The Zenith platform helps both security and operations teams within your environment, which is what we like to call SysSecOps (https://ziften.com/introducing-systems-security-operations-syssecops/).

We can help discover problems such as application crashes or hangs, and system crashes. Plus, we monitor system memory and CPU usage over time. This data can be used to monitor and alert on systems that start to show high utilization compared to the period before the patch was applied. An example of this monitoring is shown in Figure 2 below (system names purposely removed).

These 'flaws' are still new to the public, and much more will be discussed and discovered in the days, weeks and months to come. Here at Ziften, we continue to monitor the situation and how we can best educate and protect our customers and partners.

SysSecOps Is Critical For Your Security And IT Operations – Charles Leaver

Written By Alan Zeichick And Presented By Charles Leaver


SysSecOps. That's a neologism, still unfamiliar to many IT and security administrators, but it's being talked about within the industry, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, refers to the practice of combining security teams and IT operations teams to ensure the health of enterprise technology, and having the tools to respond most efficiently when problems occur.

SysSecOps focuses on taking down the information walls, breaking up the silos, that get between security teams and IT administrators.

IT operations staff exist to ensure that end users can access applications, and that vital infrastructure is operating 24x7. They want to maximize access and availability, and need the data required to do that job: that a new employee must be provisioned, that a hard drive in a RAID array has failed, that a new partner needs to be provisioned with access to a secure document repository, or that an Oracle database is ready to be moved to the cloud. It's all about technology to drive the business.

Same Data, Different Use-Cases

While the use of endpoint and network monitoring data and analytics is clearly tailored to fit the different requirements of IT and security, it turns out that the underlying raw data is actually the same. The IT and security teams simply look at their own domain's issues and situations, and take action based on those use-cases.

Yet in some cases the IT and security teams have to work together. Like provisioning that new business partner: it needs to touch all the right systems, and be done securely. Or if there is an issue with a remote endpoint, such as a mobile device or a device on the Industrial Internet of Things, IT and security may have to collaborate to determine what's going on. When IT and security share the same data sources, and have access to the same tools, this task becomes a lot easier. Hence SysSecOps.

Imagine that an IT administrator notices that a server hard drive is nearing full capacity, and this was not expected. Perhaps the network has been breached, and the server is now being used to stream pirated movies across the Internet. It happens, and finding and fixing that problem is a job for both IT and security. The data collected by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more efficiently than would happen with traditional, separate IT and security tools.

SysSecOps: it's a new term, and a new idea, and it's resonating with both IT and security teams. You can learn more about this in a brief 9 minute video, where I speak with several industry experts about this topic: “What is SysSecOps?”

Feature In Microsoft Word Can Lead To Phishing Unless You Prevent It – Charles Leaver

Written By Josh Harriman And Presented By Charles Leaver


A fascinating multifaceted attack has been reported in a recent blog post by Cisco's Talos Intelligence team. I wanted to talk about the infection vector of this attack, as it's quite interesting and something that Microsoft has pledged not to fix, since it is a feature and not a bug. Reports can be found of attacks in the wild that make use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is achieved are reported in this blog from SecureData.

Distinct Phishing Attack with Microsoft Word

Attackers continuously look for new ways to breach a company. Phishing attacks are among the most common, as attackers are banking on the fact that someone will either open a file sent to them or visit a 'faked' URL. From there, an exploit of a vulnerable piece of code normally provides the access to begin their attack.

However, in this case the documents didn't have a malicious object embedded in the Word doc, which is a favored attack vector, but rather used a tricky way of invoking this feature that allows the Word program to connect out to retrieve the real malicious files. This way they might hope for, or rely on, a better success rate of infection, as malicious Word files themselves may be scanned and deleted before reaching the recipient.

Searching for Suspicious Behavior with Ziften Zenith

Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that exhibit 'weird' behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a bit further and look for PowerShell running from that spawned shell, and it gets 'really' interesting. Through our Search API, we can discover these behaviors whenever they occurred. We do not need the system to be on at the time of the search; if it has run a program (i.e. Word) that displayed these behaviors, we can find that system. Ziften is always collecting and sending the pertinent process details, which is why we can find the data without depending on the system state at the time of searching.

In our Zenith console, I searched for this condition by looking for the following:

Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process commandline contains powershell

This returns the PIDs (process IDs) of the processes we saw start up with these conditions. From there we can drill down to see the important details.

In this first image, we can see details around the process tree (Word spawning CMD with PowerShell under that) on the left, and on the right side you can see details like the system name and user, plus start time.

Below, in the next image, we look at the CMD process and get details as to what was passed to PowerShell.

Most likely when the user had to respond to this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and retrieve some code that was hosted on the Louisiana Gov site. In the PowerShell image shown below we can see more details, such as the network connection details when it was connecting to the website to pull the fonts.txt file.

That IP address (206.218.181.46) is in fact the Louisiana Gov site. Often we see interesting data within our Network Connect information that might not match what you expect.

After creating our Saved Search, we can alert on these conditions as they occur throughout the environment. We can also create extensions that change a GPO policy to not permit DDE, or even take further action and go and find these files and remove them from the system if so desired. Being able to discover interesting combinations of conditions within an environment is extremely powerful, and we are delighted to have this feature in our product.
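The three-condition search described above (parent image contains word.exe, child image contains cmd.exe, child command line contains powershell), as an added example that is not Ziften's code, run over constructed process-start telemetry. The host names, PIDs and command lines are constructed; the parent lookup is keyed on (host, pid) because PIDs repeat across hosts, and the `word.exe` substring matches WINWORD.EXE just as the console query does.

```python
"""Detect the Word -> cmd.exe -> PowerShell process chain.

Added example, not Ziften code. Works over a constructed list of process
start events shaped like typical endpoint agent telemetry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    ppid: int
    user: str
    image: str     # full path of the executable
    cmdline: str   # full command line as recorded by the agent


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry, not captured from a real system.
SAMPLE_EVENTS = [
    # WS-017: the suspicious chain. Word spawns cmd, which runs PowerShell.
    ProcessEvent("WS-017", 4100, 900, "jdoe", WORD, "WINWORD.EXE /n invoice.docx"),
    ProcessEvent("WS-017", 4188, 4100, "jdoe", CMD,
                 'cmd.exe /c powershell -NoProfile -Command "<constructed placeholder>"'),
    ProcessEvent("WS-017", 4190, 4188, "jdoe", PS,
                 'powershell -NoProfile -Command "<constructed placeholder>"'),
    # WS-022: Word opened normally, no shell.
    ProcessEvent("WS-022", 5200, 900, "asmith", WORD, "WINWORD.EXE /n memo.docx"),
    # WS-022: cmd running PowerShell, but its parent (pid 900) is not Word.
    ProcessEvent("WS-022", 5300, 900, "asmith", CMD, "cmd.exe /c powershell Get-Date"),
    # WS-022: ppid 4100 collides with WS-017's Word pid; must not match across hosts.
    ProcessEvent("WS-022", 5310, 4100, "asmith", CMD, "cmd.exe /c powershell Get-Date"),
]


def index_by_host_pid(events):
    """Key on (host, pid): PIDs are only unique within a single host."""
    return {(e.host, e.pid): e for e in events}


def word_cmd_powershell_matches(events):
    """Return (host, user, word_pid, cmd_pid, cmdline) for each matching child."""
    by_key = index_by_host_pid(events)
    hits = []
    for child in events:
        parent = by_key.get((child.host, child.ppid))
        if parent is None:
            continue  # parent not in this data set, e.g. started before collection
        if ("word.exe" in parent.image.lower()          # substring also matches WINWORD.EXE
                and "cmd.exe" in child.image.lower()
                and "powershell" in child.cmdline.lower()):
            hits.append((child.host, child.user, parent.pid, child.pid, child.cmdline))
    return hits


def alert_lines(events):
    """Render each match as one alert line, as a saved search would emit."""
    return [f"{host}: {user} WINWORD pid {wpid} spawned cmd pid {cpid}: {cmdline}"
            for host, user, wpid, cpid, cmdline in word_cmd_powershell_matches(events)]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_EVENTS):
        print(line)
```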

Prevent A Ransomware Attack By Doing These 4 Things – Charles Leaver

Written By Alan Zeichick And Presented By Charles Leaver


Ransomware is real, and it is threatening individuals, businesses, schools, hospitals and local governments, and there's no sign that ransomware is stopping. In fact, it's probably increasing. Why? Let's face it: ransomware is probably the single most effective attack that hackers have ever developed. Anybody can produce ransomware using readily available tools; any money received is most likely in untraceable Bitcoin; and if something goes wrong with decrypting somebody's hard drive, the hacker isn't affected.

A business is hit by ransomware every forty seconds, according to some sources, and sixty percent of malware incidents were ransomware. It strikes all sectors. No industry is safe. And with the rise of RaaS (Ransomware-as-a-Service) it's going to get worse.

The good news: we can fight back. Here's a four-step battle plan.

Good Basic Hygiene

It starts with training workers how to manage destructive emails. There are falsified messages from service partners. There’s phishing and target spearphishing. Some will survive email spam/malware filters; staff members need to be taught not to click on links in those messages, or of course, not to permit for plugins or apps to be set up.

Nevertheless, some malware, like ransomware, will get through, frequently exploiting obsolete software or unpatched systems, just like in the Equifax breach. That’s where the next action comes in:

Ensuring that all endpoints are thoroughly patched and totally updated with the current, most safe operating systems, applications, utilities, device drivers, and code libraries. In this way, if there is an attack, the endpoint is healthy, and is able to best eradicate the infection.

Ransomware isn’t really an innovation or security problem. It’s an organization issue. And it’s a lot more than the ransom that is demanded. That’s nothing compared with loss of efficiency due to downtime, bad public relations, disgruntled customers if service is interrupted, and the expense of rebuilding lost data. (Which presumes that valuable intellectual property or protected monetary or client health data isn’t stolen.).

Exactly what else can you do? Backup, backup, backup, and secure those backups. If you don’t have safe, guaranteed backups, you cannot bring back data and core infrastructure in a prompt style. That consists of making everyday snapshots of virtual machines, databases, applications, source code, and configuration files.

Companies need tools to detect, recognize, and avoid malware like ransomware from spreading. This needs constant monitoring and reporting of what’s occurring in the environment – consisting of “zero day” attacks that have not been seen prior to this. Part of that is monitoring end points, from the mobile phone to the PC to the server to the cloud, to ensure that all end points are up-to-date and safe and secure, and that no unanticipated modifications have been made to their underlying setup. That way, if a machine is infected by ransomware or other malware, the breach can be detected rapidly, and the machine isolated and closed down pending forensics and recovery. If an end point is breached, quick containment is vital.

The Four Strategies

Good user training. Keeping systems updated with patches and fixes. Backing everything up as frequently as possible. And using monitoring tools to help both IT and security teams discover problems and respond to them quickly. When it comes to ransomware, those are the four battle-tested strategies we have to keep our companies safe.

You can learn more about this in a short 8-minute video, where I talk with several industry experts about this issue:

Fight Zero Day Exploits And Other Attacks With Ziften And Microsoft – Charles Leaver

Written By David Shefter And Presented By Charles Leaver

Recently we announced a partnership with Microsoft that brings together Ziften’s Zenith® systems and security operations platform and Windows Defender Advanced Threat Protection (ATP), providing a cloud-based “single pane of glass” to detect, view, investigate, and respond to advanced cyber-attacks and breaches on Windows, macOS, and Linux-based devices (desktops, laptops, servers, cloud, etc.).

Windows Defender ATP plus Ziften Zenith is a security service that enables enterprise customers to detect, investigate, respond to, and remediate advanced threats on their networks, off-network, and in the data center and cloud.

Imagine a single solution across all the devices in your enterprise, providing scalable, state-of-the-art security in a cost-effective and easy-to-use platform. Enabling enterprises around the world to secure and manage devices through this ‘single pane of glass’ promises lower operational costs and genuinely improved security, with real-time global threat protection built on information collected from billions of devices worldwide.

Microsoft and Ziften Architecture

The image below provides an overview of the service components and the integration between Windows Defender ATP and Ziften Zenith.

Endpoint investigation capabilities let you drill down into security alerts and understand the scope and nature of a potential breach. You can submit files for deep analysis, receive the results, and take action without leaving the Windows Defender ATP console.

Detect and Contain Threats

With the Windows Defender ATP and Ziften Zenith integration, organizations can readily detect and contain threats on Windows, macOS, and Linux systems from a single console. Windows Defender ATP and Ziften Zenith offer:

Behavior-based, cloud-powered, advanced attack detection. Detect the attacks that make it past all other defenses (detection after a breach has occurred).

Rich timeline for forensic investigation and mitigation. Easily investigate the scope of any breach or suspicious behavior on any machine through a rich, 6-month device timeline.

Built-in unique threat intelligence knowledge base. Threat intelligence to rapidly identify attacks, based on monitoring and data from millions of devices.

The diagram below shows many of the macOS and Linux threat detection and response capabilities now available with Windows Defender ATP.

Bottom line: if you’re looking to protect your endpoints and infrastructure, take a hard look at Windows Defender ATP and Ziften Zenith.

Stop The KRACK Vulnerability By Following These Steps – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver

Enough media attention has been generated over the WPA2-defeating Key Reinstallation Attack (KRACK) against Wi-Fi that we don’t need to cover it again here. The original discoverer’s website is an excellent place to review the issues and link to the detailed research paper. This may be the most attention paid to a fundamental communications security failure since the Heartbleed vulnerability. In that earlier case, a patched version of the vulnerable OpenSSL code was released on the same day as the public disclosure. For this new KRACK attack, similar responsible disclosure guidelines were followed, and patches were either already released or soon to follow. Both wireless endpoints and wireless network devices need to be properly patched. Oh, and good luck getting that Chinese knockoff wireless security webcam bought off eBay patched anytime soon.

Here we will simply make a few points:

Take stock of your wireless devices and follow up to make sure they are appropriately patched. (Ziften can perform passive network inventory, including of wireless networks. For Ziften-monitored endpoints, the available network interfaces along with applied patches are reported.) For enterprise IT staff, it is patch, patch, patch every day anyway, so nothing new here. But any unmanaged wireless devices must be located and checked.

iOS and Windows endpoints are less vulnerable, while unpatched Android and Linux endpoints are extremely vulnerable. Most Linux endpoints will be servers without wireless networking, so there is less direct exposure there. But Android is another story, especially given the balkanized state of Android updates across device manufacturers. More than likely your enterprise’s greatest exposure will be IoT and Android devices, so do your risk analysis.

Avoid wireless access over unencrypted protocols such as HTTP. Stick to HTTPS or other encrypted protocols, or use a secure VPN, but be aware that some default HTTPS sites allow compromised devices to force a downgrade to HTTP. (Note that Ziften network monitoring reports the ports and IP addresses used, so look at any wireless port 80 traffic on endpoints that are unpatched.)

Continue whatever wireless network hygiene practices you have been using to identify and silence rogue access points, unauthorized wireless devices, and so on. Tuning access point placement and transmission zones to minimize signal spillage outside your physical boundaries is also a sensible practice, given that KRACK attackers must be physically present within range of the wireless network. Don’t give them advantageous placement opportunities in or near your environment.

For a broader discussion of the KRACK vulnerability, take a look at our recent video on the subject:

Make Your Security Awareness Training Relevant – Charles Leaver

Written By Charles Leaver Ziften CEO

Effective enterprise cybersecurity assumes that people, your employees, do the right thing. That they don’t hand over their passwords to a caller who claims to be from the IT department doing a “credentials audit.” That they don’t wire $10 million to an Indonesian bank account after receiving a midnight request from “the CEO”.

That they don’t install an “urgent update” to Flash Player based on a pop-up on a porn website. That they don’t overshare on social media. That they don’t keep business data on file sharing services outside the firewall. That they don’t connect to unsecured WiFi networks. And that they don’t click links in phishing emails.

Our research shows that over 75% of security incidents are caused or aided by employee mistakes.

Sure, you have installed endpoint security, email filters, and anti-malware solutions. Those precautions will most likely be for nothing, though, if your employees do the wrong thing time and again when in a risky situation. Our cybersecurity efforts are like having a fancy car alarm: if you don’t teach your teenager to lock the car when it’s at the shopping mall, the alarm is worthless.

Security awareness isn’t enough on its own, of course. Employees will make mistakes, and some attacks don’t require an employee error at all. That’s why you need endpoint security, email filters, anti-malware, and so on. But let’s talk about effective security awareness training.

Why Training Often Fails to Have an Effect

First, in my experience, a lot of employee training is, well, poor. That’s especially true of online training, which is usually dreadful. But in most cases, whether live or canned, the training lacks credibility, in part because many IT experts are poor and unconvincing communicators. The training often focuses on communicating and enforcing rules, not on changing risky attitudes and habits. And it’s like mandatory copy machine training: there’s nothing in it for the employees, so they don’t buy into it.

It’s not about enforcing rules. While security awareness training may be “owned” by different departments, such as IT, the CISO, or HR, there’s typically a lack of understanding about what a security awareness program is. To start with, it’s not a checkbox; it needs to be ongoing. The training must be delivered in various ways and at various times, with a mix of live training, newsletters, small-group discussions, lunch-and-learns, and yes, even online resources.

Protecting yourself is not complicated!

But a huge problem is the absence of objectives. If you don’t know what you’re trying to accomplish, you can’t tell whether you have done a good job with the training, or whether risky behaviors actually change.

Here are some sample objectives that can lead to effective security awareness training:

Provide employees with the tools to recognize and handle the everyday security threats they encounter online and through email.

Let employees know they are part of the team, and that they can’t just rely on the IT/CISO teams to handle security.

Break the cycle of “unintentional ignorance” about safe computing practices.

Change mindsets toward more secure practices: “If you see something, say something”.

Review company policies and procedures, explained in actionable ways that are relevant to employees.

Make it Relevant

No matter who “owns” the program, it’s essential that there is visible executive support and management buy-in. If the executives don’t care, the employees won’t either. Effective training won’t talk about tech buzzwords; rather, it will concentrate on changing behaviors. Relate cybersecurity awareness to your employees’ personal lives. (And while you’re at it, teach them the best ways to keep themselves, their families, and their homes safe. Odds are they don’t know and are afraid to ask.)

To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success: for example, did the number of external links clicked by employees decrease? How about calls to tech support arising from security violations? Make the training timely and real-world by including current scams in the news; unfortunately, there are plenty to choose from.

Simply put: security awareness training isn’t fun, and it’s not a silver bullet. Nevertheless, it is essential for ensuring that risky employee behaviors don’t undermine your IT/CISO efforts to secure your network, devices, applications, and data. Make sure that you train your employees continually, and that the training works.